Default, Help Net Security newsletter issue #1, Friday 20th August 1999

TABLE OF CONTENTS
-----------------

I.    Editorial
II.   Last week's news on Help Net Security
      a) Help Net Security news headlines
      b) Vulnerabilities reported last week
      c) Site news
      d) Defaced pages
III.  Y2K: As the millennium approaches
IV.   A look into basic cryptography
V.    Internet privacy: What are the issues?
VI.   Telecommunications 101
VII.  Macintosh security: How to set up a gateway and firewall
VIII. Computing: A closer look at hard- and software
IX.   Linux firewalls
X.    Infection and vaccination
XI.   More from the ACPO front
XII.  Freedom of speech - related incidents
XIII. Intrusion and detection
XIV.  Guest column

* Due to our editor D. Muths' absence (vacation) we haven't received work from him to add regarding the virus/spam sections; we hope to be able to add his contribution next week.

** Due to unexpected (though very much appreciated :) user contributions and some deadline problems, the "Meet the underground" column will be postponed for a week, but will be back next week.

I. Editorial
------------

Hi, it's us again. In front of you, you have the second edition of Default, our weekly newsletter. Our thanks go out to all the people who helped us keep up the quality and improve it in some fields, and thank you for all the kind words we got from you, the readers, because you are what it's all about for us.

As you can see there have been some changes on our site (http://default.net-security.org), most visibly in the fact that we ditched the HTML version for online reading. We got a lot of comments and complaints on that, so it's gone unless someone gives us some ideas on how we should handle that section of the site. The discussion forum is up too, but we don't like it much, so we're in the process of changing that; it's been very hectic around here for a couple of days, so please be patient. We'll try to have it up in a day or two.

We got some requests regarding the mirroring of our content too. You are allowed to mirror complete issues without permission as long as no credits are removed. When you want to use specific articles for other ways of publication than Default, you have to contact the editor/writer in question. Ok, that's settled then :)

Berislav Kucan aka BHZ, webmaster Help Net Security
bhz@net-security.org

Xander Teunissen aka Thejian, co-webmaster Help Net Security
thejian@net-security.org

------------------------

IN MEMORIAM:

We have the sad duty to inform you of the too early passing of deutron, member of our close friends and associates at ech0 security, who committed suicide.

Last respects to deutron, who left us too early in his 16th year.
Rest in peace, man.

HNS crew

------------------------

II. Last week's news on Help Net Security
-----------------------------------------

a) Help Net Security news headlines

- Friday 13th August 1999:
  Interview with Eric Raymond
  Microsoft and AOL
  Default issue #1

- Saturday 14th August 1999:
  Hacker mythology
  Outside help isn't wanted
  Israel and piracy
  Ireland intends to criminalize e-signature fraud
  Software reverse engineering allowed in Australia
  Government faces security skills shortage
  Trinux 0.62 released
  Hackers, IT consultants embrace free security tool
  Infoseek hacked
  LinuxPPC crack contest finished
  Freshmeat.net bought

- Sunday 15th August 1999:
  Japan clears wiretap bill
  15-year-old admits hacking into TCS
  Wireless crime-fighting
  Detecting intruders in Linux

- Monday 16th August 1999:
  Projectgamma back online
  Hacker launches grudge attack against former employer

- Tuesday 17th August 1999:
  Surf anonymously for $5
  GISB will use PGP
  Y2K problems
  19 arrested on child pornography charges
  Y2K the movie
  Packetstorm Security
  Identity theft
  E-commerce and privacy
  Two charged with promoting date-rape drug on the net
  MS re-releases malformed HTTP request header patch
  NA/McAfee releases new virus service
  Last respects to deutron
  ReDaTtAcK charged anyway
  The music industry's "cyber-sheriff"
  Security through obscurity vs full disclosure
  Telnet.exe heap overflow

- Wednesday 18th August 1999:
  Bugs from Bugtraq
  No Y2K problems on the Internet
  Mitnick not able to follow kosher diet
  MSN Messenger exposes passwords
  Linux death-match
  Malicious attack on linux-kernel mailing list
  More cyber-war threats

- Thursday 19th August 1999:
  MS audio format almost instantly cracked
  New virus to destroy computers on Dec. 25th?
  AOL hacking IM users?
  Total digital privacy on the horizon?
  Chinese sites told to cut links with foreign sites
  Canadian security agency warns against cyber-attacks
  Troubles in Ukraine
  New fix from Microsoft

- Friday 20th August 1999:
  Are you surfing at your own risk?
  Software makers look to keep home networks safe
  Carding in Newcastle
  Watching workers
  Indonesia responds to cyber-war threats
  Homophobic web site "stolen" by hackers?
  Intel extends online privacy ad ban
  Belgian bank compromised
  ABC compromised

b) Vulnerabilities reported last week (our thanks go out to BugTraq for this list)

13-08  Ircd hybrid-6 Buffer Overflow Vulnerability
16-08  SuSE identd Denial of Service Attack
16-08  Microsoft Windows 9x IE5/Telnet Heap Overflow Vulnerability
16-08  Oracle Intelligent Agent Vulnerability
16-08  Multiple Vendor 8.3 Filename Vulnerability
16-08  xmonisdn IFS/PATH Vulnerability
16-08  Microsoft IIS And PWS 8.3 Directory Name Vulnerability
18-08  Mini SQL w3-msql Vulnerability
18-08  AIX Source Code Browser Buffer Overflow Vulnerability
18-08  BSDI Symmetric Multiprocessing (SMP) Vulnerability
18-08  Redhat Linux tgetent() Buffer Overflow
19-08  Linux in.telnetd Denial of Service Vulnerability
19-08  QMS 2060 Printer Passwordless Root Vulnerability

c) Help Net Security site news

* Not applicable this week *

d) Defaced pages (mirrors provided by Attrition, http://www.attrition.org)

Site:   GO Network (infoseek.go.com)
Mirror: http://default.net-security.org/2/infoseek.go.com.htm

Site:   Fat Kid (www.fatkid.net)
Mirror: http://default.net-security.org/2/www.fatkid.net.htm

Site:   FX Networks (www.fxinteractive.com)
Mirror: http://default.net-security.org/2/www.fxinteractive.com.htm

Site:   Mendesgans (www.mendesgans.nl)
Mirror: http://default.net-security.org/2/www.mendesgans.nl.htm

Site:   City of Naperville, Illinois (www.naperville.il.us)
Mirror: http://default.net-security.org/2/www.naperville.il.us.htm

Site:   ABC (www.abc.com)
Mirror: http://default.net-security.org/2/www.abc.com.htm

III. Y2K: As the millennium approaches
--------------------------------------

This week's Y2K headlines:

The United States Air Force created a Y2K simulation to test their systems for the new millennium. The Air Force received a budget of 1 billion dollars to prepare, and it looks like they are ready. Y2K Flag East, a four-day exercise that ended Thursday at Eglin and Moody Air Force Base, is one in a series the service has been conducting since January. Brig. Gen. Gary Ambrose, who is in charge of a secure rollover to the new millennium without any glitches, said that there have been no catastrophic failures in the Y2K test and that the Air Force will operate in the year 2000 no matter what happens. According to them, systems are 96 percent Y2K compliant and will be 100 percent well before January 1, and 82 percent of all evaluations have been completed. All of the assessments should be done by October 15.

A small company is closing its doors because of the Year 2000 problem. TriMark Engineering (http://execonn.com/doorway) announced that they won't be ready for the new millennium:

"I am happy to announce that ALL released versions of the Doorway program are y2k compliant. It does not read or use a date, but keeps time by counting timer ticks. Old date limited versions of the beta version of Doorway unfortunately did read the clock, so even though they have expired, they will begin working again on Jan. 1, 2000 and will work for about 89 years. Please download the latest version as these old limited versions have many bugs in them.
Unfortunately the computers used in our operations are not y2k compliant. These computers were purchased and used before Windows 95, and are all old DOS systems. They are not compliant and we do not have the resources to make them compliant."

Britain warned shipowners on Monday that vessels calling at British ports could be detained if they have not ironed out Y2K problems. The Maritime and Coastguard Agency said that Y2K could cause many problems on ships (from navigational equipment to all computer-guided functions of the ship). From September 1, ships that have not identified equipment that could fail or taken remedial action will be recorded in a European database and be targeted for further inspection.

Y2K - The movie. Yeah right. NBC is shooting a film on the topic of Year 2000 glitches. Of course you will see many catastrophic events in this movie; the story of the film goes like this: the bug causes an East Coast power outage, ATM failures, airliners whose instruments don't work and other assorted calamities. The main character battles one of the biggest imagined consequences of the bug when a nuclear power plant threatens to go into meltdown.

Here you can read Clinton's memo on Year 2000 (published by Newswire).

MEMORANDUM FOR MEMBERS OF THE CABINET

SUBJECT: Year 2000 Computer Problem

The end of 1999 is less than 6 months away. Federal agencies have made significant progress in meeting the challenges posed by the Year 2000 (Y2K) computer problem since the Vice President and I discussed this issue at the Cabinet meeting in January 1998. Virtually all of the major Federal agencies have completed, or will soon complete, work on their mission-critical systems, and agencies are working aggressively to encourage compliance among their organizational partners for the delivery of key Federal services.

Our efforts to solve the Y2K problem provide an important example of the Government's ability to respond to difficult management challenges, and I appreciate your commitment to this critical issue. However, your ongoing support through 1999 is essential to the Nation's ability to achieve the ultimate goal of minimizing Y2K-related failures in the public and private sectors.

You should continue your outreach efforts to organizations domestically and internationally. We must encourage compliance efforts among our partners, such as State and local governments helping to deliver Federal services and private sector organizations supporting the Nation's critical infrastructure. Internationally, the continued exchanges of technical information with other governments about Y2K experiences will help to limit potential Y2K problems in our trading relationships.

You also should maintain your focus on contingency and back-up plans. While many systems and processes have been tested multiple times, being prepared with alternate operating plans provides an important extra layer of insurance against unexpected difficulties and will enhance our ability to respond to any challenges associated with the date change.

I also encourage you to continue to work closely with my Council on Year 2000 Conversion, and with each other, as we approach January 1, 2000. If we continue our hard work on this important issue, I am confident that we will be able to oversee a successful transition to the new millennium.

WILLIAM J. CLINTON

Y2K TOOLS
---------

TITLE:        Milli2000
SIZE:         39 Kb
TYPE:         Shareware
REQUIREMENTS: Windows 95/98/NT, Microsoft Access 97.
DOWNLOAD:     http://default.net-security.org/2/milliy2k.zip
INFO:         Milli2000 is a Microsoft Access add-in that helps make Access databases Y2K compliant by automatically adding 4-digit year input masks and formats to all date fields in forms, reports, tables, and queries. It can be run on tables, queries, forms and reports individually, or all at once. Milli2000 can also be used to quickly standardize the formatting of dates throughout your entire database, by simply setting the default date format and running the program.

TITLE:        January2000! (16-bit) and (32-bit)
SIZE:         16-bit 550 Kb & 32-bit 230 Kb
TYPE:         Shareware
REQUIREMENTS: 16-bit Windows 3.1 & 32-bit Windows 95/98
DOWNLOAD:     16-bit > http://default.net-security.org/2/jan2k16x.zip
              32-bit > http://default.net-security.org/2/jan16132.zip
INFO:         January2000! (16-bit) is a software Y2K rollover fix for PC clock hardware. If you already know you have hardware Y2K problems (the program does not perform any tests to determine this for you), you can either buy a new PC, or install a software fix. January2000! fixes the CMOS / RTC (Real Time Clock), BIOS and System Clock, even if programs are running when you enter the new millennium. No user intervention is needed, and there is no interruption to programs. January2000! is transparent to system functions, but always on guard. Note that the program does not actually fix your system until you purchase a key.

BHZ
Berislav Kucan
bhz@net-security.org

IV. A look into basic cryptography
----------------------------------

This is Iconoclast, and let's get back into some basic cryptography. Today's cipher will be slightly more difficult to crack. I am going to use this fact to teach you something else.

Oftentimes you may hear that an algorithm is secure. This means that the mathematics behind the algorithm itself is secure from being reverse engineered within a given amount of time (usually 5-10 years) with current technology. This however does not mean that data encrypted with this new cryptosystem itself is secure, because the implementation of the algorithm may be insecure. Here is an example of that.

Okay, on to the next type of cipher that my friend tried to use, which was even easier to get by. I went to the page that contained the cryptosystem with Netscape and up popped a window to enter a password...
I could not check the source because the Java applet took control of Netscape. I then opened up my favorite HTML editor, HomeSite, which allows you to open web page source code. I pointed HomeSite to the URL and tada, I downloaded the source code for the page. Here's the actual applicable code:

Now you look at this and think... wow, that's a mouthful, how could we get past that? The first step is to save it to your local machine so you can edit the code and reload the page from your own machine. Then, look at the way it works: if statements... plain and simple. Here's some analysis of the code:

- The input must equal ccup2 for access (ccup2 is encrypted way past my ability of deciphering).
- ccup3 is the encrypted URL of the site I'm trying to get into (again encrypted way past my ability).
- name is the variable that you enter.

Now here is some basic pseudo-code explaining the implementation of the cryptosystem:

    If the variable "name" is the same as the variable ccup2,
        give access and send to the URL encrypted in ccup3;
    if not, don't give access and yell at the user.

The best way of getting past this is NOT cracking the algorithm... it's too difficult to understand the cryptosystem without more data. Start playing with it... it helps to know some minor programming. Here is what you would need to have in order for it to work (hopefully):

    // != instead of ==: every name EXCEPT ccup2 now takes the "granted" branch
    if (name != ccup2) {
        (confirm("Access to this site is granted. Click [ OK ] to Proceed."))
        location.href = ccup3;
    } else {
        alert("INCORRECT PASSWORD. The password: " + name + " is not acceptable.");
        history.back();
    }

Mind you, there is a single character that needed to be changed. In most programming languages (at least in C, C++, and Java), to compare two variables you use == for equal to and != for not equal to. The changed code will accept ANY password you enter EXCEPT the correct password. Save this to your computer and open it in Netscape or IE or whatever... enter gibberish when it asks you for a password and tada, it works.
Another thing you could have done is edit it to look like this:

    // == again, but compared against a string of your own choosing
    if (name == "myownpassword") {
        (confirm("Access to this site is granted. Click [ OK ] to Proceed."))
        location.href = ccup3;
    } else {
        alert("INCORRECT PASSWORD. The password: " + name + " is not acceptable.");
        history.back();
    }

Now this changed code will only allow access if you enter the string "myownpassword" when it asks for a password. As I said before, open this up with your browser and tada, you're in.

Okay, that is it for this issue; there is much more to come that wouldn't fit in here today. Expect more, and in the next issue, we will begin the interactive part. For the time being, if you come across ANYTHING that you think could be of use to anyone in the field of cryptography, please drop me a line at crypt@default.net-security.org and I will probably include it in the next issue. It's been fun.

-Iconoclast
crypt@default.net-security.org

On a side note: I received no feedback last issue and because of that, I was unable to add any reader comments. Please, this cannot succeed without you, the reader. If you have any comments at all, please feel free to send them in. If you want anonymity just tell me, and I won't mention you or your email address.

V. Internet privacy: What are the issues?
-----------------------------------------

It's Saturday morning and you hop on the Net looking for some info on smoking-related illnesses 'cuz your best friend's been thinking of quitting lately and you figured you'd help out with some cold, hard facts. You hit a few web sites, buy a book on the evils of tobacco, and sign up for a newsletter that delivers a "tip of the week" for people looking to kick the habit. A few months later, it's time to renew your medical insurance at work but your boss informs you that in order to qualify, you'll need to take a complete medical and chest x-ray. Why? Because your company's insurer drew the wrong conclusion after buying your profile from a marketing firm that's been tracking your online habits. Sound invasive? It is.

Right now, companies are working on new computer technology that will enable many of our household appliances to be networked through the Internet. Your microwave is on the fritz? No problem, hit a few buttons on the console, and the unit will instantly seek out the manufacturer's website through its Internet connection and download the code it needs to correct the problem. Out of eggs? Your refrigerator is also Net-ready, and through it you can email your local grocer to fill out your next food order.

But as more and more of the products we use each day become Internet-connected, the personal information they collect will be fed to marketers - and bought and sold without our knowledge or consent. Those eggs your fridge has been ordering online for you - coupled with some high-fat foods and cheeses - set off a few warning bells at your insurance company which recently purchased this information. Don't be surprised to see your premiums go up next year, or when ads for cholesterol-lowering products start to appear on your PC.

It's no longer possible to avoid being tracked online.

The potential for abuse is enormous, as false assumptions are made about us based on bits of information picked up here and there. As digital television emerges, our viewing habits will also be tracked by companies who monitor what we watch, when we watch it and what we buy. Spending a lot of time on the home-shopping channel? Be prepared for a slew of invasive marketing aimed at you for varied products and services. Tuned in to the Playboy Channel last night? Watch out for adult advertisements next time your daughter logs onto the Net from her home computer.

If we don't lay down the law regarding Internet privacy while the Net is still in its infancy, we'll never be able to reclaim it...
Once your personal data is lost - spread out in 1000's of databases all over the world - you can *never* get it back. As individuals, we need the ability to "pull the blinds" online and say, "Hey, I have a right to privacy!"

Jordan Socran
Zero Knowledge Systems (http://www.zeroknowledge.com)

VI. Telecommunications 101: Scanners and the radio spectrum
-----------------------------------------------------------

My last column dealt with pager communications, and more specifically with the POCSAG pager protocol. Now that we've gained a little general knowledge on how basic (alphanumeric) pager communications work, it's time for a little more in-depth review of all the wonderful things you could do with the signals described last week. Once again this is a completely theoretical discussion. Intercepting and decoding radio signals is illegal in a lot of countries and neither I nor Help Net Security take any responsibility for your actions if you decide to put what is discussed here into use. Ok, now that's out of the way, here goes :)

As I mentioned before, there are several pieces of software available on the Internet nowadays which enable you to decode radio signals. This is mostly done in combination with a scanner in place to do the actual intercepting. By plugging the scanner (on low volume) into the "line in" port of your soundcard you can then feed these signals to your computer, after which the software will (try to) decode them. I say try to because although POCSAG is the most widely used (pager) protocol, it's certainly not the only one. And it's not only pager signals that are going through the air nowadays. But let's start at the beginning; today's piece will describe the scanner half of this construction.

What is a scanner? How does it work? Well, to understand that, we first have to take a look into what scanners tap into: the radio spectrum. A radio wave is an electromagnetic wave sent and received through an antenna. Radio waves have different frequencies, and by tuning a radio receiver to a specific frequency you can pick up a specific signal. Those frequency bands are controlled and issued by government organizations. Examples of frequency bands are AM radio (535 kHz - 1.7 MHz) and FM radio (88 - 108 MHz). Besides these radio-frequency bands (TV has quite a few of these too btw, but we're focussing on signals receivable by scanner for a moment), a lot of other organizations and appliances have their own frequency band. For example Air Traffic Control, GPS, radio-controlled toys, cell phones etc, etc.

The difference between scanners and most regular radios you come across is that the latter are single-purpose radios. They can be used to listen to AM or FM radio stations for example, but that's it. Scanners on the other hand are radio receivers with a very wide frequency range. This enables you to pick up a very large number of frequencies as opposed to only the AM/FM frequency bands. Typically this allows you to tune in to police, fire and emergency radio in your area or to air traffic control frequencies. Or to pager messages..

Usually you would set a scanner to scan a specific range of frequencies and stop scanning when a signal is received on one of these frequencies, or you set it up to scan one particular frequency. In our case we want it to use the pager band. In my own little playground (The Netherlands, that is) pager frequencies lie between approx. 154 and 467 kHz. Scanners are very specific where it comes to frequencies; sometimes you need to be very precise in setting it up to actually receive something, and frequency bands tend to differ between cities, but most of the time you can get some good results even with a bit less reception.

Another possibility is to modify a pager itself to receive multiple bands. My final column on the pager subject next week will deal with this kind of manual modification of a pager. Hope you'll join me then.
Xander Teunissen, aka Thejian, Help Net Security
thejian@net-security.org

VII. Macintosh security: How to set up a gateway and firewall
-------------------------------------------------------------

MacOS is not so easy to hack on the networking stack side; the code is usually heavy. The networking part on a Mac needs external software to be modified; don't even think about changing a line of code in MacOS! New types of connections allow you to get connected 24/24 for a cheap price and a fast connection, even in Europe! ADSL, cable modem, and other types of connections allow you to stay online all the time. Always keep in mind that the Internet is a wild place! Those networks are very often scanned for wingates, trojan open ports (mainly on Wintel) and another bunch of crap. The word firewall is in most people's minds a very difficult thing to build; well, if you think that, you're wrong. It's just an IP filter, with rules allowing or refusing packets.

Requirements: minimum 2 MacOS computers and IP filtering software (IPNetRouter, for example: http://www.sustworks.com/products/product_ipnr.html). The 1st computer will be our "goat", a bastion host, and there are the LAN client(s), an Internet connection, and a crossover RJ-45 cable or a hub if you plan to have more than 2 clients using this connection. This software-based router allows us to do several things: share an Internet connection with other LAN clients (even a PPP connection), make a low-cost firewall by editing inbound and outbound rules, and do NAT (Network Address Translation). The goat computer will act as a gateway for any computer: MacOS, Win9*, Unix.

    <----Internet---->   <---IPNetRouter--->   <---Bastion Host--->
    (ppp, cable modem,      (ip filters)      (transfers client requests)
     T1 etc)                                             |
                                                -------------------
                                                 |    |    |    |
                                            LAN clients (Win9*, Mac, Unix)

The setup is very easy to do. On the goat computer you have to select your connection interface (for example, select the Ethernet connection for cable modem and ADSL as the 1st IP interface). Then create a 2nd IP interface (ex: 160.92.216.1, subnet mask 255.255.255.0). Check "Bring Up" and optionally check the NAT box if you want to use IP masquerading for LAN clients. Save your configuration! You may not have to restart to use the gateway. Now on each LAN client set an IP in the range 160.92.216.2-254, mask 255.255.255.0. Make sure they all have 160.92.216.1 as gateway.

If you want, after that you can also add IP filters to make the gateway a real firewall. You will have to edit the inbound and outbound filters with IPs, ports etc. Read http://www.sustworks.com/products/ipnr/gettingstarted/firewall.html for more details about editing rules. It takes a few minutes to set up this firewall and to share your Internet connection in a safe way. The main advantage is that putting a Mac as a bastion host is safer, and takes less time than setting up a Windows box. Plus the computer doesn't have to be very powerful: a 68030 or higher is required. Don't forget that IPNetRouter is shareware ;-)

deepquest
deepquest@default.net-security.org
All rights not reserved - Serving since 1994
http://www.deepquest.pf

VIII. Computing: A closer look at hard- and software
----------------------------------------------------

August, 1999, is a landmark month in the history of PC processors. For one thing, three new processors have been introduced in one week. The 600MHz Pentium III and the 500MHz Celeron were introduced on August 2 by Intel. August 3 saw an announcement that National Semiconductor was selling its Cyrix unit to VIA Technologies of Taiwan. August 4 saw a similar announcement: Integrated Device Technology (IDT) was also selling its Centaur unit (designer/manufacturer of the WinChip and WinChip 2 processors) to VIA. And today, August 9, Advanced Micro Devices (AMD), manufacturer of the K6, K6-2 and K6-III microprocessors, announced the introduction of its new, seventh-generation Athlon (nee K7) processors, at introductory speeds of 500MHz, 550MHz, 600MHz and 650MHz.

The big news?
Intel no longer makes the fastest x86 processors on the market. That distinction now passes to AMD, and not just because its 650MHz Athlon bests the Pentium III (and Pentium III Xeon) chips by 50MHz. On our WinScore tests, the 600MHz Athlon-powered systems beat the three 600MHz Pentium III-powered systems by an average of 14.6%. That means the 600MHz Athlon-powered systems performed like a 688MHz Pentium III -- if there were such an animal. This superiority lies not just in the area of integer performance--where AMD has long proven competent--but also in the area of floating point performance. AMD calls the Athlon a true seventh-generation processor. It's superscalar, meaning it can execute more than one instruction per clock cycle (actually, nine, compared to five for the Pentium III), and superpipelined, meaning it has multiple, parallel paths for simultaneous, out-of-order execution of instructions. The Athlon has a 128KB level 1 cache (compared with 32KB for the Pentium III), and a unique, frequency-programmable level 2 design. Initial Athlons will have 512KB of level 2 cache, matching the Pentium III, but level 2 cache can scale all the way to 8MB, four times that of Intel's Pentium III Xeon chip. With a 200MHz frontside bus (vs. 100MHz at present for the Pentium III), a new slot for the processor that is mechanically similar to Intel's Slot One (though electrically identical to Compaq's Alpha EV6 bus) and multiprocessor capability, it's easy to see that AMD is swinging for the bleachers. The Athlon also includes an "Enhanced" version of the company's 3DNow SIMD (single instruction, multiple data) instructions, with 24 new instructions. Nineteen of these instructions bring 3DNow's functionality to parity with the Pentium III's SSE instructions, and five are DSP (digital signal processor) instructions to improve the performance of soft modems, soft ADSL, MP3 and AC-3 decoding. 
The latest video drivers from 3dfx, Matrox and nVidia are already compatible with Enhanced 3DNow. ATI and S3 will roll their compliant drivers shortly, and you should expect compliant versions of DirectX and OpenGL in short order. AMD is introducing the Athlon with an AMD chipset, but chipsets are currently being developed by ALi, SiS and VIA. American Megatrends, Award and Phoenix are all providing BIOS support, and motherboards are being introduced by ASUS, FIC, Gigabyte and Microstar. First out of the gate with Athlon-based systems are IBM and Compaq (though Compaq's Presario 5861 won't be available to customers until September). AMD points out that nine of the top 10 worldwide PC vendors are shipping AMD-powered systems (No. 2 Dell is the lone holdout). Skeptics would point out that AMD has had problems shipping in volume with the introduction of new processors. AMD has responded to these fears by rolling out the Athlon in its proven, 0.25-micron process. The company is also trying to minimize support infrastructure problems by sticking with 100MHz SDRAM upon launch, though faster memory architectures will be introduced for the Athlon later on. In fact, though the Athlon uses different motherboards and chipsets than Pentium III systems use, this is already the case with its K6-2 and K6-III processors. All other system components are identical to existing Pentium III PCs. Intel demonstrated a 1GHz version of its Pentium III processor earlier this year, but the company is not expected to roll out its next iteration of the Pentium, code-named Coppermine, until late October. Coppermine is expected at 667MHz and 700MHz. Intel has demonstrated repeatedly its ferocious competitiveness, however, and is expected to respond to the Athlon's introduction through a series of moves to blunt the new challenge from AMD. Price cuts and early rollouts of processors and chipsets to make the Pentium III and Pentium III Xeon chips more competitive are the likeliest responses. 
AMD chose to introduce the new Athlon brand (rather than using the code name, K7) to mark a break with its past policy of undercutting Intel's pricing by 25%, a policy that has left the company vulnerable to aggressive pricing strategies by Intel. AMD's new pricing strategy is to "offer a superior product at a fair price." Announced pricing for the Athlon at launch (in quantities of 1,000 chips) are: 650MHz, $849; 600MHz, $615; 550MHz, $449; and 500MHz, $249. Intel's 600MHz Pentium III sells for $669 in 1,000-chip quantities. AMD plans to extend its Athlon brand with Athlon Ultra processors, aimed at enterprise server and workstation markets; Athlon Professional, aimed the enterprise high performance PC market; and Athlon Select, aimed at the value PC market. The Athlon will be produced initially at AMD's Fab 25 facility in Austin, Texas. A new plant, Fab 30, opens in Dresden, Germany, next year, and will double production capacity. With the introduction of Athlon, AMD for the first time competes with Intel across the company's entire product line of processors. Cynics will give you a dozen reasons why AMD will fail in its attempt to compete, among them the company's history of production problems, or the fact that other competitors have fallen by the wayside, or the fact that AMD has lost money for three straight years. That shouldn't detract from the stunning accomplishment Dirk Meyer and his team of designers at AMD have achieved. For the moment, AMD stands at the top of the heap in microprocessor design, and deserves credit for a job well done. AMD's CEO, Jerry Sanders, must be the type who likes to tilt at windmills. AMD had built a profitable and comfortable business selling 486 clones to (mainly) the third world when he decided, some four years ago now, to make a headlong rush to compete with giant Intel across the board. The results have been mixed. 
The company's first all-new design, the K5, lagged seriously behind Intel's Pentium chip, and had to be sold at fire sale prices. The 1997 launch of the K6--a chip that outperformed Intel's Pentium with MMX chip--seemed promising, but lagged behind Intel's Pentium II processor. Worse, the company's problems in mass producing the chip seriously shook confidence among system vendors in the stability of its supply. AMD surmounted that difficulty, and last year introduced the K6-2, the first mainline processor with SIMD (single instruction, multiple data) instructions for speeding 3D graphics performance--months ahead of Intel's SSE instructions, which Intel introduced with its Pentium III processors. And early this year, the company introduced the K6-III, a chip with on-chip level 2 cache, offering application performance on a par with the Pentium III at similar clock speeds.

AMD began to enjoy considerable success, at least in terms of units sold. The company grabbed an important piece of the market for computers sold at retail, and even surpassed Intel's market share in that market in the fourth quarter of 1998. But this success turned out to be a Pyrrhic victory. The company has hemorrhaged money since directly taking on Intel, with average selling prices for its processors falling at an alarming rate. AMD's overall market share for x86 microprocessors is currently 15.5%, according to the company. It hopes to achieve a market share of 30% by late 2000.

Intel's response to AMD has been to roll out its Celeron processors, ramping them up to higher and higher clock speeds (currently topping out at 500MHz) while aggressively cutting prices. The result: Though AMD can sell as many K6-2 and K6-III processors as it can make, it has been unable to make any money doing so. It's akin to the situation faced by Continental Airlines 15 years ago, when it was still based in Denver. The saying among locals was that while it was true Continental lost $20 every time a passenger set foot on one of its planes, the company made it up on volume.

AMD isn't the only competitor losing money. Cyrix's M II processors were forced to undercut even AMD on price--with the result that the company sold itself to National Semiconductor, which in turn sold its Cyrix unit to VIA Technology of Taiwan just last week. And Centaur Technology, maker of the low-priced WinChip, sold itself to Integrated Device Technology, which in turn also sold Centaur to VIA last week.

AMD hopes to reverse its fortunes with the Athlon chip, and it is obvious Jerry Sanders is betting the company on this strategy. It plans to be able to lick its production problems by staying with its proven processes at its Fab 25 plant in Austin, and introduce new production methods at its Fab 30 plant in Dresden next year. Technologically, the Athlon is a winner, outperforming the Pentium III in virtually every area. But the success of the Athlon will hinge on its ability to win customers, not just in consumer PCs, but in corporate desktops, workstations and servers. This market has proven resistant to AMD's charms so far.

The added performance the Athlon offers may begin to change that. For production workstations running computer animation, for example, the 650MHz Athlon may offer performance as high as 124% of the 600MHz Pentium III. If that workstation were busy rendering, it could perform a task in 48 minutes that takes the Pentium III one full hour. Over eight hours--and this is truly a hypothetical case, since no PC would be doing that one task, full bore, for eight hours--the Athlon would save 93 minutes. That's real money, on the positive side for a change. Intel will no doubt respond with higher performance Pentium IIIs, but the Athlon has been designed from the ground up for higher and higher clock speeds.
Dirk Meyer, head of the AMD design effort, came to AMD from Digital, where he participated in the design of the RISC Alpha chip, which was similarly designed for blazing clock speeds.

So will AMD survive? The company deserves to survive, and the Athlon certainly will survive, either at AMD, or as intellectual property sold to some other corporation. For those of us who have always admired the Don Quixotes of the world, 'tis devoutly to be wished. And Continental Airlines, after all, is pretty profitable these days.

atlienz
atlienz@default.net-security.org

IX. Linux firewalls (packet-type firewalls, supported by Linux kernels)
-----------------------------------------------------------------------

General:
If you want to set up a firewall on your Linux machine, you probably want to regulate access to your machine(s). This document covers the "packet filter" firewall, which is supported by Linux kernels. The new ipchains system (2.2.x kernels) will be discussed here.

Tools to get:
When you compile the firewalling support into the kernel, you will need the "ipchains" tool to configure your firewall.

IP Masquerading:
If you also want to set up IP masquerading, a system that turns your Linux box into a gateway machine, so other computers on the local network (OS-independent) can use the Internet, get the "ipmasq", "ipautofw" and "ipportfw" utilities. More on this in my next article for "Default".

Firewalling:
The firewall decides which packets can go into your network and which cannot. There are 4 main firewall chains: input, output, forward and user-defined. For each of these categories, a separate table of rules is maintained. A firewall rule specifies criteria for a packet, and a target. The target can be ACCEPT, DENY, REJECT, MASQ, REDIR or RETURN. ACCEPT lets the packet through, DENY drops it, REJECT drops it and notifies the source of the dropped packet. Since setting up firewall rules is trivial, let's take a look.

Show all rules, be verbose. If -v is omitted, rules are shown in a somewhat strange order and not all of them are listed:

> ipchains -L -v

Allow all packets from 192.168.7.1 (any interface) to go outside:

> ipchains -I output -j ACCEPT -s 192.168.7.1

Allow packets from 195.207.35.4 on a specific (ppp0) interface to pass the firewall (to go in):

> ipchains -I input -j ACCEPT -i ppp0 -s 195.207.35.4

Allow packets from all destinations and interfaces (-i is omitted) to pass the firewall (to go out, notice the "output"):

> ipchains -A output -j ACCEPT

And the last example,

> ipchains -A output -j ACCEPT -d 195.206.222.14

will allow all packets going to -d (destination, 195.206.222.14) to pass through. You can also use -I (insert) instead of -A (append). Both options require a chain name: output for outgoing packets, input for incoming packets, forward for the IP masquerading system, and user-defined chains.

Special devices in /dev and kernel options:
There are some options in the kernel you can turn on, and then create corresponding devices in /dev, to get some additional features. Those include:

1) Device with major number 36. The kernel uses it to publish network-related information. For "Routing messages" (kernel option), do "cd /dev/; mknod route c 36 0". It is also used by the firewall code to publish information about possible attacks (option "IP Firewall packet netlink device"): "cd /dev/; mknod ifn c 36 3" (ifn is an arbitrary name). If you compile the kernel with this option, the first 128 bytes of each blocked packet are passed on to optional user monitoring software that can look for an attack. You need a special user program to do that, of course.

2) TCP syncookie support. Compile it into the kernel and add

echo "1" > /proc/sys/net/ipv4/tcp_syncookies

to one of your system's init scripts (rc.local). This option prevents "SYN flooding" attacks.

3) Ethertap network tap: mknod /dev/tap0 c 36 16. A user-space program will then be able to read/write raw ethernet frames from/to that special file.
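The ipchains rules earlier in this article are evaluated top to bottom and the first match wins, so the difference between -I (insert at the head) and -A (append at the tail) only becomes visible once several rules interact. The following Python model is an added example written for this issue, not code from the article or from the ipchains package: it replays the matching logic of the input and output chains for the four rules given above on constructed packets, and flags rules that can never be reached. The packet representation, the DENY default policy and the sample packets are assumptions made for the example; the addresses and interface are the ones the article uses.

```python
"""Added model of ipchains first-match evaluation; not code from the article
or from the ipchains package. It replays the matching logic of the input and
output chains on constructed packets so a ruleset can be checked for ordering
mistakes before the real ipchains commands are run. Addresses are the ones
used in the article's examples; the DENY default policy is an assumption."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass
class Rule:
    target: str                  # -j: ACCEPT, DENY or REJECT
    src: Optional[str] = None    # -s: address or CIDR, None matches any source
    dst: Optional[str] = None    # -d: address or CIDR, None matches any destination
    iface: Optional[str] = None  # -i: interface name, None matches any interface

    def matches(self, pkt: dict) -> bool:
        if self.src and ip_address(pkt["src"]) not in ip_network(self.src, strict=False):
            return False
        if self.dst and ip_address(pkt["dst"]) not in ip_network(self.dst, strict=False):
            return False
        if self.iface and pkt.get("iface") != self.iface:
            return False
        return True

    def is_catch_all(self) -> bool:
        return self.src is None and self.dst is None and self.iface is None


class Chain:
    """One ipchains chain; the policy applies when no rule matches."""

    def __init__(self, name: str, policy: str = "DENY"):
        self.name = name
        self.policy = policy
        self.rules: List[Rule] = []

    def insert(self, rule: Rule) -> None:
        """ipchains -I: the new rule goes to the head of the chain."""
        self.rules.insert(0, rule)

    def append(self, rule: Rule) -> None:
        """ipchains -A: the new rule goes to the tail of the chain."""
        self.rules.append(rule)

    def verdict(self, pkt: dict) -> str:
        """First matching rule decides; otherwise the chain policy."""
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.target
        return self.policy

    def unreachable(self) -> List[int]:
        """Indexes of rules that can never match because an earlier rule
        already matches every packet, the usual result of appending after
        a catch-all ACCEPT or DENY."""
        dead, blocked = [], False
        for i, rule in enumerate(self.rules):
            if blocked:
                dead.append(i)
            elif rule.is_catch_all():
                blocked = True
        return dead


def build_article_chains() -> Dict[str, Chain]:
    """The four rules from the article, issued in the order given there."""
    out, inp = Chain("output"), Chain("input")
    out.insert(Rule("ACCEPT", src="192.168.7.1"))                 # -I output -j ACCEPT -s 192.168.7.1
    inp.insert(Rule("ACCEPT", src="195.207.35.4", iface="ppp0"))  # -I input -j ACCEPT -i ppp0 -s 195.207.35.4
    out.append(Rule("ACCEPT"))                                    # -A output -j ACCEPT
    out.append(Rule("ACCEPT", dst="195.206.222.14"))              # -A output -j ACCEPT -d 195.206.222.14
    return {"input": inp, "output": out}


def check(chains: Dict[str, Chain], chain: str, src: str, dst: str,
          iface: Optional[str] = None) -> str:
    """Verdict for one constructed packet on the named chain."""
    return chains[chain].verdict({"src": src, "dst": dst, "iface": iface})


if __name__ == "__main__":
    chains = build_article_chains()
    # Constructed packets: the article's host arriving on ppp0 is accepted,
    # the same host on another interface falls through to the DENY policy.
    print(check(chains, "input", "195.207.35.4", "192.168.7.1", "ppp0"))  # ACCEPT
    print(check(chains, "input", "195.207.35.4", "192.168.7.1", "eth0"))  # DENY
    # "-A output -j ACCEPT" matches everything, so the rule appended
    # after it is dead weight.
    print(chains["output"].unreachable())                               # [2]
```

The last call is the point of the model: once a catch-all rule sits in a chain, anything appended after it with -A is never consulted, so a rule meant to tighten the chain has to be inserted ahead of the catch-all with -I (or the catch-all has to be removed) rather than appended.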
You can configure the device with ifconfig like any other ethernet device. However, there is usually no need for this.

4) IP: Always defragment. Include this to have a more reliable firewall, but check the help page in the kernel documentation first.

Next article: Setting up an IP masquerading system on Linux servers (pronounced as: How can all my computers access the Internet via a single interface on the server).

dev
dev@net-security.org

X. Infection and vaccination
----------------------------

This week we have information on 2 new Trojans. Sorry it is really short this week. Hopefully next time we will make up for it.

The first Trojan we have is BoBo. BoBo's client looks a lot like Back Orifice 1.20. It also has most of the same Back Orifice 1.20 features with the addition of an ICQ 99a password stealer. Unlike Back Orifice 1.20 it listens on port 4321 TCP. BoBo would not infect our Windows 95 or NT machines, but here is the manual removal info if you do get infected:

1. Open regedit and browse to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\ then remove the DirectLibrarySupport key.
2. Reboot or close the BoBo server.
3. Finally browse to c:\windows\system and remove the DllClient.exe file.

The other trojan we have is Trojan Spirit 2001a. This trojan was released in a beta version and then 1.20. The beta version came with 3 different servers, each with a different icon and slightly different in size. It has average features with a few different password stealing ones.

Here is the manual removal for the beta version:

1. Open regedit and browse to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ then remove the Internet key. Also remove the run=c:\windows\netip.exe in the Win.ini under the [boot].
2. Reboot or close the Trojan Spirit 2001a server.
3. Finally browse to c:\windows\ and remove the netip.exe file.

Here is the manual removal for the 1.20 version:

1. Open regedit and browse to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ then remove the SystemTray key.
2. Reboot or close the Trojan Spirit 2001a server.
3. Finally browse to c:\windows\ and remove the windown.exe file.

zemac
zemac@dark-e.com
http://www.dark-e.com

XI. More from the ACPO front
----------------------------

Hi again... I'm honored to be allowed to tell you a bit more about ACPO [http://www.antichildporn.org] and our future... This weekend, we will be traveling to deliver a presentation to our first political group, http://WWW.mntaxpayers.org/#Moorhead Conference. I'll fill you in on more of the details next week. BTW.. just a little note here about politics, we do not support any political group, just the stopping of child abuse and child porn on the internet.. Some people are concerned with our involvement in governments and their politics. But please tell me a way to stop this injustice without involving ourselves in politics and the law!

We are just beginning to plan our first European tour--roughly in the October/November time frame. While we know the places we must visit, we are open to your suggestions, as to places we might have an opportunity to tell our story, and recruit Euro. members. Please eMail me at natasha@infovlad.net if you have suggestions or ideas.

On the home front, ACPO will be attending the Techno-Security & Disaster Prevention '99 Conference. http://www.thetrainingco.com/Agenda-99.html

Plans are being made to develop additional approaches in assisting law enforcement to identify and successfully prosecute child pornographers. We anticipate forming both public and private partnerships to further this cause.

Thanks again to net-security.org for their support, and this forum to express ourselves, and to keep you informed.

Natasha Grigori, Founder
antichildporn.org
thenatasha@mediaone.net

XII. Freedom of speech - related incidents
------------------------------------------

*******************************************************************
Both free speech rights and property rights belong legally to individuals, but their real function is social, to benefit vast numbers of people who do not themselves exercise these rights.
- Thomas Sowell
*******************************************************************

Every day the battle between freedom and repression rages through the global ether. Here are this week's link highlights from NewsTrolls (http://www.newstrolls.com):

- 8/13-15-99:
  512 bit RSA keys are no longer secure...
  Australia legalizes reverse engineering for software...

- 8/16/99:
  The US government wants your keys.... Attempt #2... The assumption: Privacy is power therefore it must be regulated

- 8/17/99:
  The coming Internet generation of Arab leaders... "But in the long-run Salama Ahmed Salama, a columnist with the Egyptian newspaper Al-Ahram, expects younger Arab leaders to introduce democratic changes because they cannot resist ideas spread through modern communications. "You cannot act like (you're still in) the 15th century," Salama said. "The new generation of leaders will be forced to adapt itself to new norms of government and democracy." An Arab League official described the newcomers and those waiting in the wings as "the internet generation," who want to open to the West and share in the wealth created by new technology."
  In China, 19-year-old Wang Yingzheng is being tried behind closed doors with NO representation for writing an article... "Wang, who had just graduated from high school, was detained by police on February 26 as he attempted to copy a leaflet he had written that condemned the central government for its inability to wipe out corruption. "Many Chinese are discontented with the government's inability to squash corruption.
This is largely due to a lack of opposition parties in China and a lack of press freedom," Wang reportedly wrote in his leaflet."

- 8/18/99:
  New tech would let police see through walls...
  East Timor Threatens Indonesia with Cyberwar... A 100-strong team of hackers from North America and Europe are creating viruses to target the banking and military systems to launch if Indonesia's military engages in electoral fraud...
  Chinese web sites have been ordered to remove their links to foreign sites to prevent "invasion by hostile forces"... "The Guangzhou-based New Evening Express reported yesterday that a new department, the China Network Security Management Centre, had been set up to strengthen the mainland's defence against hackers. The paper said the Ministry of Information Technology and Telecom Industries had developed software which could "effectively shut out the hackers"."

In just one week...

diva aka Pasty Drone
NewsTrolls, Inc., http://www.newstrolls.com
pastydrone@newstrolls.com

XIIV. Intrusion and detection
-----------------------------

So you think you're being attacked. You've got your intrusion detection systems running, and you've seen something in the logs that shouldn't be there. Well, what now? What is the best way to respond to an incident?

This article is geared primarily toward the home user or small business. The assumption is made that the user already knows a little about system security and intrusion detection; if not, I recommend the following:

http://www.technotronic.com/unix.html
http://www.nwo.net/security/tools.html
http://xforce.iss.net/maillists/ (the IDS mailing list)
http://www.infotech.jyu.fi/~jej/nt-links.html
http://www.hill.com/TechLibrary/ntsecurity.html

Read up on intrusion detection, get some experience with it, and then read this.

Response to an intrusion starts before the intrusion begins.
The first step lies in determining what it is you're looking for, and what it is you care about -- for instance, if you know you're not running a web server, you might not care about failed connections on port 80; successful connects on port 31337, on the other hand, may be particularly interesting if you're running a Windows machine. Once you have a good idea of what's important to you, you're prepared to respond to an intrusion.

Second, find out who to contact at your ISP if you're under attack. Most ISPs have an abuse mailbox; some even have a security mailbox. It's a good thing to know ahead of time who to contact at your ISP; they can often be your first line of defense.

The third thing you should do is find a good place to store your logs; most intrusion detection systems come with a default log storage location. Make sure you save logs when you're under attack -- there's very little that can be done without them if you have to escalate the situation to your ISP or the attacker's.

So. You've found something in your logs that doesn't look right. What now? The first step is to look at the logs and find out exactly what you see in there.

What service is affected? Unix/Linux users can look in /etc/services for a list of common ports and their associated services; those lists are also easily found on the web via your favorite search engine.

What is the attacker trying to do...or what has he already done? If I see an entry in my logs that's unfamiliar to me, I find it easy to cut'n'paste the line into a search engine (I use http://www.altavista.com/ and http://www.google.com/) and look through what turns up.

Who is the attacker? Is it coming from a bunch of different IP addresses all at once, or just one?
If it's coming from many IP addresses, you're probably under a denial of service attack; contact your ISP's abuse department if this is the case (there -are- ways to deal with a DoS yourself, but chances are if you're able to do that, you don't need me telling you how). If it's all coming from just one address, and it is not a denial of service attack, it's time to find out a little bit about who this is trying to get into your system (or who has already compromised your system).

As a note -- some attacks, especially most denial of service attacks, are conducted from a spoofed source IP address; however, most actual intrusion attacks, in which someone attempts to gain access to your computer, are not run from a spoofed source. The reason for this is that attackers using denial of service attacks don't need to see the responses from the victim computer, while in most cases actual intrusion attempts cannot be done 'blind' (without seeing the responses from the victim computer -- this -is- possible, but not common). If an attacker uses a spoofed source IP address, then when the victim computer responds to the packets the attacker sends, the responses will go to the spoofed address...not to the attacker. This is not always the case...but it's a good rule of thumb.

Now to find out who's doing the attacking. The first step -- do an nslookup on the IP address, and find out who it is. If it's a dialup machine from one of the major ISPs out there, your best bet is to contact the ISP in question. I generally try to find that ISP's web page and look through it for their Acceptable Use Policy/Terms of Service/whatever; often an ISP will list an email address for abuse complaints. If it does not, I suggest mailing abuse@whoever.isp and copying support@whoever.isp.
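As an added example (not part of the article), the following Python script does the first pass over the log that the preceding paragraphs describe: it parses the entries, drops the ports you decided ahead of time not to care about, maps the remaining destination ports to services the way /etc/services would, counts distinct sources, and says whether the pattern looks like a many-source flood (an ISP abuse-desk matter) or a single-source probe that is worth looking up before you write to anyone. The log line format, the service table, the cut-off for "many sources" and the log entries themselves are constructed for the example; the first and last timestamps it reports are the ones you need for the complaint template later in this article.

```python
"""Added example (not from the article): first-pass triage of intrusion
detection log entries. Log format, service table and entries are
constructed for illustration; a real run would read the IDS log file
and /etc/services."""
import re
from collections import Counter, defaultdict

# Subset of what /etc/services would give you (constructed). The two
# trojan ports are the ones named elsewhere in this issue.
SERVICES = {21: "ftp", 23: "telnet", 25: "smtp", 80: "http", 110: "pop3",
            139: "netbios-ssn", 4321: "BoBo trojan", 31337: "Back Orifice"}

# Syslog-like line: "<timestamp> <host> <tag>: <proto> <src>:<port> -> <dst>:<port>"
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ \S+: (?P<proto>TCP|UDP) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)$")

# Constructed sample: one host poking at a Back Orifice port and NetBIOS,
# one unrelated web hit, and one garbage line the parser must skip.
SAMPLE_LOG = """\
Aug 17 22:14:03 gw ids: TCP 10.20.30.40:4121 -> 192.168.7.1:31337
Aug 17 22:14:04 gw ids: TCP 10.20.30.40:4122 -> 192.168.7.1:31337
Aug 17 22:14:09 gw ids: TCP 10.20.30.40:4123 -> 192.168.7.1:139
Aug 17 22:15:00 gw ids: TCP 172.16.9.9:51234 -> 192.168.7.1:80
this line is not in the expected format and is skipped
"""


def parse(log_text):
    """Return one dict per well-formed line; malformed lines are dropped."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            e = m.groupdict()
            e["sport"], e["dport"] = int(e["sport"]), int(e["dport"])
            events.append(e)
    return events


def triage(log_text, ignore_ports=(), many_sources=5):
    """Summarise who is hitting which ports and suggest the next step.

    ignore_ports: destination ports you decided not to care about
                  (e.g. 80 when you run no web server).
    many_sources: distinct sources at or above which the pattern is
                  treated as a flood rather than a probe (assumed cut-off).
    """
    events = [e for e in parse(log_text) if e["dport"] not in ignore_ports]
    by_src = defaultdict(Counter)
    for e in events:
        by_src[e["src"]][e["dport"]] += 1

    if not events:
        next_step = "nothing of interest"
    elif len(by_src) >= many_sources:
        next_step = "many sources: looks like a denial of service, hand it to your ISP's abuse desk"
    else:
        next_step = "few sources: nslookup/whois each address before sending a complaint"

    return {
        "first": events[0]["ts"] if events else None,   # for the complaint letter
        "last": events[-1]["ts"] if events else None,
        "sources": {src: dict(ports) for src, ports in by_src.items()},
        "services": {p: SERVICES.get(p, "unknown")
                     for p in sorted({e["dport"] for e in events})},
        "next_step": next_step,
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG, ignore_ports=(80,))
    for key, value in report.items():
        print(f"{key}: {value}")
```

With port 80 ignored, the sample collapses to a single source hitting 31337 and 139 between 22:14:03 and 22:14:09, which is the "one address, not a flood" case the article sends you to nslookup and whois with; the same script run over a log where eight different addresses hit one port reports the flood case instead.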
If you're sending mail to an ISP, I recommend against copying postmaster, root, hostmaster, webmaster, and every other name you can think of, unless both abuse and support bounce and you can't find the correct address on the company's web page. It tends to annoy the ISP receiving the complaint...and you want them on your side. Include your logs; the ISP can't do much without them. I would also copy your own ISP's abuse department on the mail, in case you later need their help. See below for a sample letter template when mailing an ISP.

If the attacker is not an ISP's dialup user, but is coming in from a machine with its very own DNS name, such as jojo.example.com, then you have two options. The first is to send mail to your ISP and let them handle it. The second is far more interesting -- find out some information about the machine in question. Please note that this by no means implies 'hacking them back' -- generally a bad idea which is likely to get -you- in trouble.

First, to give you an idea of what the attacking system is like, try doing the command 'finger @jojo.example.com'. This is not a conclusive step, but if jojo.example.com is running finger and is allowing incoming connections, it may tell you who's on the system right then. It's one piece of information to use. Another is whois -- do the command 'whois example.com' (or, on machines without a 'whois' command, go to http://www.networksolutions.com/cgi-bin/whois/whois/). That will give you contact information; more to work with. As a further step, http://www.arin.net/whois/ will give you additional information (look things up by IP address, though, not by name). Traceroute will give you their upstream provider -- do 'traceroute jojo.example.com' (or, on a Windows machine, 'tracert jojo.example.com').

At this point, I go back to the web. See if example.com has a web page -- what's it like? Are they a business? Are they a group of hax0rz bragging about their sploits?
Do a search on the names you pulled off finger and whois -- get a feel for who's on the other end. Go by your gut feeling; if you mail a complaint, will the administrator of the box help you or hack you? At this point you make an educated decision: you can mail postmaster@example.com with your logs, and ask him to look into the situation...or you can mail example.com's upstream provider. Either way, copy your ISP's abuse department, just in case their help is needed later.

But what if you mail postmaster@example.com, and no one replies? What if you don't trust that the postmaster's going to help, but don't want to involve the upstream provider yet? What if you think that jojo.example.com has actually been hacked, and is being used as a launch point?

There are a number of ways to find out what kind of system you're dealing with. Despite popular opinion, having finger running doesn't necessarily mean the machine is not secured; you can try other methods. Keep them above-board, though -- while telnetting to port 25 may get you some very interesting information, it may get -you- in trouble. Likewise with nmap scans -- they give you a lot to work with, but many administrators would view an nmap scan as an attack (or at least a prelude to an attack). I would suggest http://www.netcraft.com/ -- it's a site that scans hosts to see what kind of web server they're running. Go over there and type in example.com -- is it running an ancient default version of Apache on Linux? Then there's a very good chance that jojo.example.com is wide open, own3d, and being used as a launch for attacks. If this is the case, I'd mail postmaster@example.com once again, and at the same time notify his upstream ISP -- not to get him in trouble, but because they will have the means to contact the administrator.

When mailing your ISP or the ISP of the source of the attack on your system, be polite. As I said earlier, you -want- them on your side in the event of an attack.
As a possible template:

----------------------------------------------------------------------------
To      : postmaster@example.com
Cc      : abuse@your.isp,abuse@upstream.isp,support@upstream.isp
Attchmnt:
Subject : Unauthorized access attempt
----- Message Text -----
To whom it may concern:

I noticed a number of entries in my log files starting at and lasting until . It appears that jojo.example.com has been attempting to use against my system. I have included the log files in question below in plain text format.

I would appreciate any help you could give me in stopping the source of these access attempts on my system. Please contact me if I can be of assistance.
----------------------------------------------------------------------------

An attack doesn't have to be a crisis, and it shouldn't be an event that leaves you lost and panicked. There are appropriate ways to respond to intrusions and intrusion attempts.

/dev/null
null@fiend.enoch.org

XIV. Guest Column
-----------------

This week's guest column is by Attrition.org's cult hero on, yes, Attrition.org.

Attrition is not just a dark and clever name, oh no. What started out as a bare bones web site receiving less than one thousand hits a month has now blossomed into a unique and valuable archive of security information. With the recent criticism of "security portals", Attrition has continued to stay at the opposite end of the spectrum, acting as a security *content* site. Perhaps one of the most difficult aspects of maintaining a base of reference material is finding high quality reliable sites that fit your needs. Attrition strives to meet that goal. Some of the resources we offer free to the public:

Security Advisory Library: Currently over 1,900 security advisories providing details on security holes, exploits, viruses and more. These range from the original CERT advisories to more recent ones by companies such as eEye, Redhat, and Microsoft.
Text Archive: Modify's collection of over 18,700 text files dating back to the early '80s. Ranging from hacking information, security texts, credit fraud, internet RFCs, cellular, e-zines and more, the files here offer information on just about any subject you can imagine.

Crypto Archive: Wrlwnd's cryptography archive contains almost 2400 files and utilities covering every aspect of cryptography, cryptanalysis and more. Essential tools for privacy such as SSH and PGP can be found here.

Defacement Mirror: Headed up by McIntyre, this mirror archives the results of over 2000 web pages that have been altered by intruders over the last five years. Providing a telling portrait of 'hacker' activity, the mirror cross-references related hacks, groups and more.

Denial of Service Database: Perhaps the largest database of its kind, the DoS DB catalogs information on hundreds of denial of service attacks. Each attack is cataloged by the operating system or protocol it affects.

Newbie Track: For those new to the field of security but looking to get a feel for it, the newbie track offers lessons in unix, penetration technique, and security. Each lesson is written with the beginner in mind, and builds on previous lessons.

More: The resources listed above are the foundation for the Attrition project. They are by no means a complete or exhaustive list. The site caters to those interested in art, music, fiction and more. With daily updates to various sections of the site, this resource is sure to come in handy for your security needs.

cult hero
jericho@attrition.org