[ 28 63 29 20 31 39 39 39 20 63 72 75 63 69 70 68 75 78 20 68 77 61 ]
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=
==========================================================================
=                       <=-[ HWA.hax0r.news ]-=>                         =
==========================================================================
[=HWA'99=]                   Number 34 Volume 1 1999 Sept 19th 99
==========================================================================
[ 61:20:6B:69:64:20:63:6F:75: ]
[ 6C:64:20:62:72:65:61:6B:20:74:68:69:73: ]
[ 20:22:65:6E:63:72:79:70:74:69:6F:6E:22:! ]
==========================================================================

http://welcome.to/HWA.hax0r.news/

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=

The Hacker's Ethic

Sadly, due to the traditional ignorance and sensationalizing of the mass
media, the once-noble term hacker has become a pejorative.

Among true computer people, being called a hacker is a compliment. One of
the traits of the true hacker is a profoundly antibureaucratic and
democratic spirit. That spirit is best exemplified by the Hacker's Ethic.

This ethic was best formulated by Steven Levy in his 1984 book Hackers:
Heroes of the Computer Revolution. Its tenets are as follows:

 1 - Access to computers should be unlimited and total.
 2 - All information should be free.
 3 - Mistrust authority - promote decentralization.
 4 - Hackers should be judged by their hacking not bogus criteria such as
     degrees, age, race, or position.
 5 - You create art and beauty on a computer.
 6 - Computers can change your life for the better.

The Internet as a whole reflects this ethic.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=

A Comment on FORMATTING:

I received an email recently about the formatting of this newsletter,
suggesting that it be formatted to 75 columns. In the past I've endeavoured
to format all text to 80 cols except for articles and site statements and
urls which are posted verbatim. I've decided to continue with this method
unless more people complain. The zine is best viewed in 1024x768 mode with
UEDIT.... - Ed

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=

New mirror sites

    http://www.sysbreakers.com/hwa
    http://www.attrition.org/hosted/hwa/
    http://www.ducktank.net/hwa/issues.html.
    http://viper.dmrt.com/files/=E-Zines/HWA.hax0r.news/
    http://hwazine.cjb.net/
    http://www.hackunlimited.com/files/secu/papers/hwa/
    http://www.attrition.org/~modify/texts/zines/HWA/
  * http://hwa.hax0r.news.8m.com/
  * http://www.fortunecity.com/skyscraper/feature/103/

  * Crappy free sites but they offer 20M & I need the space...

HWA.hax0r.news is sponsored by Cubesoft communications www.csoft.net and
www.digitalgeeks.com thanks to p0lix for the digitalgeeks bandwidth and
airportman for the Cubesoft bandwidth. Also shouts out to all our mirror
sites! tnx guys.

    http://www.csoft.net/~hwa
    http://www.digitalgeeks.com/hwa

HWA.hax0r.news Mirror Sites:
~~~~~~~~~~~~~~~~~~~~~~~~~~~
    http://www.attrition.org/hosted/hwa/
    http://www.attrition.org/~modify/texts/zines/HWA/
    http://www.ducktank.net/hwa/issues.html. ** NEW **
    http://www.alldas.de/hwaidx1.htm ** NEW ** CHECK THIS ONE OUT **
    http://www.csoft.net/~hwa/
    http://www.digitalgeeks.com/hwa. *DOWN*
    http://members.tripod.com/~hwa_2k
    http://welcome.to/HWA.hax0r.news/
    http://www.attrition.org/~modify/texts/zines/HWA/
    http://archives.projectgamma.com/zines/hwa/.
    http://www.403-security.org/Htmls/hwa.hax0r.news.htm

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=

SYNOPSIS (READ THIS)
--------------------

The purpose of this newsletter is to 'digest' current events of interest
that affect the online underground and netizens in general. This includes
coverage of general security issues, hacks, exploits, underground news and
anything else I think is worthy of a look see. (remember i'm doing this for
me, not you, the fact some people happen to get a kick/use out of it is of
secondary importance).

This list is NOT meant as a replacement for, nor to compete with, the likes
of publications such as CuD or PHRACK or with news sites such as AntiOnline,
the Hacker News Network (HNN) or mailing lists such as BUGTRAQ or ISN nor
could any other 'digest' of this type do so.

It *is* intended however, to complement such material and provide a
reference to those who follow the culture by keeping tabs on as many sources
as possible and providing links to further info, it's a labour of love and
will be continued for as long as I feel like it, i'm not motivated by
dollars or the illusion of fame, did you ever notice how the most
famous/infamous hackers are the ones that get caught? there's a lot to be
said for remaining just outside the circle...

@HWA

=-----------------------------------------------------------------------=
Welcome to HWA.hax0r.news ... #34
=-----------------------------------------------------------------------=

We could use some more people joining the channel, it's usually pretty
quiet, we don't bite (usually) so if you're hanging out on irc stop by and
idle a while and say hi...

*******************************************************************
***      /join #HWA.hax0r.news on EFnet the key is `zwen'       ***
***                                                             ***
*** please join to discuss or impart news on techno/phac scene  ***
*** stuff or just to hang out ... someone is usually around 24/7***
***                                                             ***
*** Note that the channel isn't there to entertain you its for  ***
*** you to talk to us and impart news, if you're looking for fun***
*** then do NOT join our channel try #weirdwigs or something... ***
*** we're not #chatzone or #hack                                ***
***                                                             ***
*******************************************************************

=-------------------------------------------------------------------------=
Issue #34
=--------------------------------------------------------------------------=

[ INDEX ]

=--------------------------------------------------------------------------=
Key     Intros
=--------------------------------------------------------------------------=

00.0 .. COPYRIGHTS ......................................................
00.1 .. CONTACT INFORMATION & SNAIL MAIL DROP ETC .......................
00.2 .. SOURCES .........................................................
00.3 .. THIS IS WHO WE ARE ..............................................
00.4 .. WHAT'S IN A NAME? why `HWA.hax0r.news'?..........................
00.5 .. THE HWA_FAQ V1.0 ................................................

=--------------------------------------------------------------------------=
Key     Content
=--------------------------------------------------------------------------=

01.0 .. GREETS ..........................................................
01.1 .. Last minute stuff, rumours, newsbytes ...........................
01.2 .. Mailbag .........................................................
02.0 .. From the Editor..................................................
03.0 .. Army to Use MacOS ...............................................
04.0 .. Phrack Issue 55 Has Been Released ...............................
05.0 .. E-Commerce Sites Still Vulnerable ...............................
06.0 .. Fakescan.c by Vortexia...........................................
07.0 .. MS get Independent Auditor for HotMail ..........................
08.0 .. US Gov to Switch From NT to Open Source .........................
09.0 .. Sept 15th CryptoGram.............................................
10.0 .. Move over BO2k here's Donald Dick from Russia with love..........
11.0 .. New HOTMAIL hole found...........................................
12.0 .. Security Hole Found in Security Product .........................
13.0 .. Globalstar and FBI Are Nearing Agreement ........................
14.0 .. Matt Drudge Defaced .............................................
15.0 .. South Africa Stats Site Defaced .................................
16.0 .. India And Israel BackDooring US Software ........................
17.0 .. The Russians Are Coming, The Russians Are Coming ................
18.0 .. Biometrics Takes Frightening New Step "I am not a number!".......
19.0 .. NASDAQ Defaced ..................................................
20.0 .. WebTV Hole Divulges User Info ...................................
21.0 .. Bookshelf: "Hacking Exposed" Available Soon .....................
22.0 .. Major Tech Companies Announce Security Plans ....................
23.0 .. NIST To Offer Security Awareness Workshops ......................
24.0 .. Yet Another Firewall ............................................
25.0 .. HNN Announces Partnership With Security Focus ...................
26.0 .. The Search for ULG Begins........................................
27.0 .. BO2K Discontinues US Distribution................................
28.0 .. Taiwan Increases Cyber Warfare Training .........................
29.0 .. White House Set to Relax Crypto Export Controls .................
30.0 .. Crypto Compromise Reached .......................................
31.0 .. Network Solutions Screws Up .....................................
32.0 .. Feds Approve GPS Tracking .......................................
33.0 .. Student Sentenced to Five Weeks .................................
34.0 .. Stupid Mistakes Worse than Viruses ..............................
35.0 .. "23".............................................................
36.0 .. STEALTH SOFTWARE RANKLES PRIVACY ADVOCATES.......................
37.0 .. SOPHOS: TOO MUCH VIRUS SCAREMONGERING............................
38.0 .. CRYPTO BREAKER TELLS PROGRAMMERS TO WISE UP......................
39.0 .. REPORT URGES TOUGH NET STALKING LAWS.............................
40.0 .. CODEBREAKERS AND PHONE-SPIES TARGET CRIME ON THE INTERNET........
41.0 .. LAW ENFORCEMENT MAY BENEFIT FROM NEW CRYPTO POLICY...............
42.0 .. LIBELING AGAIN (ATTRITION vs ANTIONLINE).........................
43.0 .. SECURITY A MANAGEMENT PROBLEM?...................................
44.0 .. TROJAN IN FAKE MICROSOFT Y2K MAIL................................
45.0 .. CERT ADVISORY CA-99-11-CDE.......................................
46.0 .. HACKER PROFILER..................................................
47.0 .. eDOCTOR GLOBAL NETWORK...........................................
48.0 .. DEFAULT ISSUE 5 OUT..............................................
49.0 .. ANOTHER WANNABE HACKER CAUGHT....................................
50.0 .. TROJANS - MODERN THREAT..........................................
51.0 .. IE5 BUG LEAVES COMPUTERS OPEN TO INVASION........................
52.0 .. US OFFERS RUSSIA TO HELP TRASH ISLAMIC MILITANT SITES............
53.0 .. RUSSIAN HACKERS REPORTEDLY ACCESSED US MILITARY SECRETS..........

=--------------------------------------------------------------------------=

AD.S  .. Post your site ads or etc here, if you can offer something in
         return that's tres cool, if not we'll consider ur ad anyways so
         send it in. ads for other zines are ok too btw just mention us in
         yours, please remember to include links and an email contact.
         Corporate ads will be considered also and if your company wishes
         to donate to or participate in the upcoming Canc0n99 event send in
         your suggestions and ads now...n.b date and time may be pushed
         back join mailing list for up to date information.
         Current dates: POSTPONED til further notice, place: TBA..

Ha.Ha .. Humour and puzzles ............................................

         Hey You!
         =------=
         Send in humour for this section! I need a laugh and it's hard to
         find good stuff... ;)

SITE.1 .. Featured site, .................................................
H.W .. Hacked Websites ...............................................
A.0 .. APPENDICES......................................................
A.1 .. PHACVW linx and references......................................

=--------------------------------------------------------------------------=

@HWA'99

00.0 (C) COPYRIGHT, (K)OPYWRONG, COPYLEFT? V2.0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

THE OPINIONS OF THE WRITERS DO NOT NECESSARILY REFLECT THE OPINIONS OF THE
PUBLISHERS AND VICE VERSA IN FACT WE DUNNO WTF IS GONNA TAKE RESPONSIBILITY
FOR THIS, I'M NOT DOING IT (LOTS OF ME EITHER'S RESOUND IN THE BACKGROUND)
SO UHM JUST READ IT AND IF IT BUGS YOU WELL TFS (SEE FAQ).

Important semi-legalese and license to redistribute:

YOU MAY DISTRIBUTE THIS ZINE WITHOUT PERMISSION FROM MYSELF AND ARE GRANTED
THE RIGHT TO QUOTE ME OR THE CONTENTS OF THE ZINE SO LONG AS Cruciphux AND/OR
HWA.hax0r.news ARE MENTIONED IN YOUR WRITING.
LINKS ARE NOT NECESSARY OR EXPECTED BUT ARE APPRECIATED the current link is
http://welcome.to/HWA.hax0r.news

IT IS NOT MY INTENTION TO VIOLATE ANYONE'S COPYRIGHTS OR BREAK ANY
NETIQUETTE IN ANY WAY IF YOU FEEL I'VE DONE THAT PLEASE EMAIL ME PRIVATELY
current email cruciphux@dok.org

THIS DOES NOT CONSTITUTE ANY LEGAL RIGHTS, IN THIS COUNTRY ALL WORKS ARE (C)
AS SOON AS COMMITTED TO PAPER OR DISK, IF ORIGINAL THE LAYOUT AND
COMMENTARIES ARE THEREFORE (C) WHICH MEANS: I RETAIN ALL RIGHTS, BUT I GIVE
YOU THE RIGHT TO READ, QUOTE AND REDISTRIBUTE/MIRROR. - EoD

Although this file and all future issues are now copyright, some of the
content holds its own copyright and these are printed and respected. News
is news so i'll print any and all news but will quote sources when the
source is known, if its good enough for CNN its good enough for me. And i'm
doing it for free on my own time so pfffft. :)

No monies are made or sought through the distribution of this material. If
you have a problem or concern email me and we'll discuss it.

cruciphux@dok.org

Cruciphux [C*:.]

00.1 CONTACT INFORMATION AND MAIL DROP
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Wahoo, we now have a mail-drop, if you are outside of the U.S.A or Canada /
North America (hell even if you are inside ..) and wish to send printed
matter like newspaper clippings a subscription to your cool foreign hacking
zine or photos, small non-explosive packages or sensitive information etc
etc well, now you can. (w00t) please no more inflatable sheep or plastic
dog droppings, or fake vomit thanks.

Send all goodies to:

    HWA NEWS
    P.O BOX 44118
    370 MAIN ST. NORTH
    BRAMPTON, ONTARIO
    CANADA
    L6V 4H5

WANTED!: POSTCARDS! YESH! POSTCARDS, I COLLECT EM so I know a lot of you are
~~~~~~~  reading this from some interesting places, make my day and get a
         mention in the zine, send in a postcard, I realize that some places
         it is cost prohibitive but if you have the time and money be a cool
         dude / gal and send a poor guy a postcard preferably one that has
         some scenery from your place of residence for my collection, I
         collect stamps too so you kill two birds with one stone by being
         cool and mailing in a postcard, return address not necessary, just
         a "hey guys being cool in Bahrain, take it easy" will do ... ;-)
         thanx.

Ideas for interesting 'stuff' to send in apart from news:

- Photo copies of old system manual front pages (optionally signed by you)
  ;-)
- Photos of yourself, your mom, sister, dog and or cat in a NON
  compromising position plz I don't want pr0n.
- Picture postcards
- CD's 3.5" disks, Zip disks, 5.25" or 8" floppies, Qic40/80/100-250 tapes
  with hack/security related archives, logs, irc logs etc on em.
- audio or video cassettes of yourself/others etc of interesting phone fun
  or social engineering examples or transcripts thereof.
Stuff you can email:

- Prank phone calls in .ram or .mp* format
- Fone tones and security announcements from PBX's etc
- fun shit you sampled off yer scanner (relevant stuff only like #2600
  meeting activities)
- reserved for one smiley face -> :-) <-
- PHACV lists of files that you have or phac cd's you own (we have a
  burner, *g*)
- burns of phac cds (email first to make sure we don't already have em)
- Any and all telephone sounds/tones/beeps/trunk drops/line tests/etc in
  .ram etc format or .mp*

If you still can't think of anything you're probably not that interesting a
person after all so don't worry about it

Our current email:

    Submissions/zine gossip.....: hwa@press.usmc.net
    Private email to editor.....: cruciphux@dok.org
    Distribution/Website........: sas72@usa.net

Websites;

    sAs72.......................: http://members.tripod.com/~sAs72/
    Cruciphux...................: http://www.geocities.com/Area51/Lair/8913/

@HWA

00.2 Sources ***
~~~~~~~~~~~

Sources can be some, all, or none of the following (by no means complete
nor listed in any degree of importance) Unless otherwise noted, like msgs
from lists or news from other sites, articles and information is compiled
and or sourced by Cruciphux no copyright claimed.

    News & I/O zine ................. http://www.antionline.com/
    Back Orifice/cDc..................http://www.cultdeadcow.com/
    News site (HNN) ..................http://www.hackernews.com/
    Help Net Security.................http://net-security.org/
    News,Advisories,++ .(lophtcrack)..http://www.l0pht.com/
    NewsTrolls .(daily news ).........http://www.newstrolls.com/
    News + Exploit archive ...........http://www.rootshell.com/beta/news.html
    CuD Computer Underground Digest...http://www.soci.niu.edu/~cudigest
    News site+........................http://www.zdnet.com/
    News site+Security................http://www.gammaforce.org/
    News site+Security................http://www.projectgamma.com/
    News site+Security................http://securityhole.8m.com/
    News site+Security related site...http://www.403-security.org/ *DOWN*
    News/Humour site+ ................http://www.innerpulse.com
    News/Techie news site.............http://www.slashdot.org

    +Various mailing lists and some newsgroups, such as ...
    +other sites available on the HNN affiliates page, please see
     http://www.hackernews.com/affiliates.html as they seem to be popping up
     rather frequently ...

    http://www.the-project.org/ .. IRC list/admin archives
    http://www.anchordesk.com/ .. Jesse Berst's AnchorDesk

    alt.hackers.malicious
    alt.hackers
    alt.2600
    BUGTRAQ
    ISN security mailing list
    ntbugtraq
    <+others>

NEWS Agencies, News search engines etc:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    http://www.cnn.com/SEARCH/
    http://www.foxnews.com/search/cgi-bin/search.cgi?query=hack&days=0&wires=0&startwire=0
    http://www.news.com/Searching/Results/1,18,1,00.html?querystr=hack
    http://www.ottawacitizen.com/business/
    http://search.yahoo.com.sg/search/news_sg?p=hack
    http://www.washingtonpost.com/cgi-bin/search?DB_NAME=WPlate&TOTAL_HITLIST=20&DEFAULT_OPERATOR=AND&headline=&WITHIN_FIELD_NAME=.lt.event_date&WITHIN_DAYS=0&description=hack
    http://www.zdnet.com/zdtv/cybercrime/
    http://www.zdnet.com/zdtv/cybercrime/chaostheory/ (Kevin Poulsen's Column)

NOTE: See appendices for details on other links.
    http://news.bbc.co.uk/hi/english/sci/tech/newsid_254000/254236.stm
    http://freespeech.org/eua/ Electronic Underground Affiliation
    http://ech0.cjb.net ech0 Security
    http://axon.jccc.net/hir/ Hackers Information Report
    http://net-security.org Net Security
    http://www.403-security.org Daily news and security related site

Submissions/Hints/Tips/Etc
~~~~~~~~~~~~~~~~~~~~~~~~~~

All submissions that are `published' are printed with the credits you
provide, if no response is received by a week or two it is assumed that you
don't care whether the article/email is to be used in an issue or not and
may be used at my discretion.

Looking for:

Good news sites that are not already listed here OR on the HNN affiliates
page at http://www.hackernews.com/affiliates.html

Magazines (complete or just the articles) of breaking sekurity or hacker
activity in your region, this includes telephone phraud and any other
technological use, abuse hole or cool thingy. ;-) cut em out and send it to
the drop box. - Ed

Mailing List Subscription Info (Far from complete)         Feb 1999
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~         ~~~~~~~~

ISS Security mailing list faq : http://www.iss.net/iss/maillist.html

THE MOST READ:

BUGTRAQ - Subscription info
~~~~~~~~~~~~~~~~~~~~~~~~~~~

What is Bugtraq?

Bugtraq is a full-disclosure UNIX security mailing list, (see the info
file) started by Scott Chasin. To subscribe to bugtraq, send mail to
listserv@netspace.org containing the message body subscribe bugtraq. I've
been archiving this list on the web since late 1993. It is searchable with
glimpse and archived on-the-fly with hypermail.

Searchable Hypermail Index;

    http://www.eecs.nwu.edu/~jmyers/bugtraq/index.html

About the Bugtraq mailing list
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The following comes from Bugtraq's info file:

This list is for *detailed* discussion of UNIX security holes: what they
are, how to exploit, and what to do to fix them.
This list is not intended to be about cracking systems or exploiting their
vulnerabilities. It is about defining, recognizing, and preventing use of
security holes and risks.

Please refrain from posting one-line messages or messages that do not
contain any substance that can relate to this list`s charter. I will allow
certain informational posts regarding updates to security tools, documents,
etc. But I will not tolerate any unnecessary or nonessential "noise" on
this list.

Please follow the below guidelines on what kind of information should be
posted to the Bugtraq list:

+ Information on Unix related security holes/backdoors (past and present)
+ Exploit programs, scripts or detailed processes about the above
+ Patches, workarounds, fixes
+ Announcements, advisories or warnings
+ Ideas, future plans or current works dealing with Unix security
+ Information material regarding vendor contacts and procedures
+ Individual experiences in dealing with above vendors or security
  organizations
+ Incident advisories or informational reporting

Any non-essential replies should not be directed to the list but to the
originator of the message. Please do not "CC" the bugtraq reflector address
if the response does not meet the above criteria.

Remember: YOYOW.

You own your own words. This means that you are responsible for the words
that you post on this list and that reproduction of those words without
your permission in any medium outside the distribution of this list may be
challenged by you, the author.

For questions or comments, please mail me: chasin@crimelab.com (Scott
Chasin)

Crypto-Gram
~~~~~~~~~~~

CRYPTO-GRAM is a free monthly newsletter providing summaries, analyses,
insights, and commentaries on cryptography and computer security.

To subscribe, visit http://www.counterpane.com/crypto-gram.html or send a
blank message to crypto-gram-subscribe@chaparraltree.com. To unsubscribe,
visit http://www.counterpane.com/unsubform.html.
Back issues are available on http://www.counterpane.com.

CRYPTO-GRAM is written by Bruce Schneier. Schneier is president of
Counterpane Systems, the author of "Applied Cryptography," and an inventor
of the Blowfish, Twofish, and Yarrow algorithms. He served on the board of
the International Association for Cryptologic Research, EPIC, and VTW. He
is a frequent writer and lecturer on cryptography.

CUD Computer Underground Digest
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

This info directly from their latest ish:

Computer underground Digest    Sun  14 Feb, 1999   Volume 11 : Issue 09

                            ISSN  1004-042X

       Editor: Jim Thomas (cudigest@sun.soci.niu.edu)
       News Editor: Gordon Meyer (gmeyer@sun.soci.niu.edu)
       Archivist: Brendan Kehoe
       Poof Reader:   Etaion Shrdlu, Jr.
       Shadow-Archivists: Dan Carosone / Paul Southworth
                          Ralph Sims / Jyrki Kuoppala
                          Ian Dickinson
       Cu Digest Homepage: http://www.soci.niu.edu/~cudigest

[ISN] Security list
~~~~~~~~~~~~~~~~~~~

This is a low volume list with lots of informative articles, if I had my
way i'd reproduce them ALL here, well almost all .... ;-) - Ed

Subscribe: mail majordomo@repsec.com with "subscribe isn".

@HWA

00.3 THIS IS WHO WE ARE
~~~~~~~~~~~~~~~~~~

Some HWA members and Legacy staff
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    cruciphux@dok.org.........: currently active/editorial
    darkshadez@ThePentagon.com: currently active/man in black
    fprophet@dok.org..........: currently active/IRC+ man in black
    sas72@usa.net ............. currently active/IRC+ distribution
    vexxation@usa.net ........: currently active/IRC+ proof reader/grrl in black
    dicentra...(email withheld): IRC+ grrl in black
    eentity ...( '' '' ): Currently active/IRC+ man in black

Foreign Correspondents/affiliate members
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Qubik ............................: United Kingdom
    D----Y ...........................: USA/world media
    HWA members ......................: World Media

Past Foreign Correspondents (currently inactive or presumed dead)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    N0Portz ..........................: Australia
    system error .....................: Indonesia
    Wile (wile coyote) ...............: Japan/the East
    Ruffneck ........................: Netherlands/Holland
    Wyze1.............................: South Africa

Please send in your sites for inclusion here if you haven't already also if
you want your emails listed send me a note ... - Ed

Spikeman's site is down as of this writing, if it comes back online it will
be posted here.

    http://www.hackerlink.or.id/ ............ System Error's site (in Indonesian)

*******************************************************************
***      /join #HWA.hax0r.news on EFnet the key is `zwen'       ***
*******************************************************************

:-p

1. We do NOT work for the government in any shape or form. Unless you count
   paying taxes ... in which case we work for the gov't in a BIG WAY. :-/

2. MOSTLY Unchanged since issue #1, although issues are a digest of recent
   news events its a good idea to check out issue #1 at least and possibly
   also the Xmas issue for a good feel of what we're all about otherwise
   enjoy - Ed ...

@HWA

00.4 Whats in a name? why HWA.hax0r.news??
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Well what does HWA stand for? never mind if you ever find out I may have to
get those hax0rs from 'Hackers' or the Pretorians after you.
In case you couldn't figure it out hax0r is "new skewl" and although it is
laughed at, shunned, or even pigeonholed with those 'dumb leet (l33t?)
dewds' this is the state of affairs. It ain't Steven Levy's HACKERS
anymore. BTW to all you up and comers, i'd highly recommend you get that
book. It's almost like buying a clue. Anyway..on with the show ..
- Editorial staff

@HWA

00.5 HWA FAQ v1.0 Feb 13th 1999 (Abridged & slightly updated again)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Also released in issue #3. (revised) check that issue for the faq it won't
be reprinted unless changed in a big way with the exception of the
following excerpt from the FAQ, included to assist first time readers:

Some of the stuff related to personal usage and use in this zine are listed
below: Some are very useful, others attempt to deny any possible attempts
at eschewing obfuscation by obscuring their actual definitions.

@HWA    - see EoA ;-)

!=      - Mathematical notation "is not equal to" or "does not equal"
          ASC(247) "wavey equals" sign means "almost equal" to. If written
          an =/= (equals sign with a slash thru it) also means !=, =< is
          Equal to or less than and => is equal to or greater than (etc,
          this aint fucking grade school, cripes, don't believe I just
          typed all that..)

AAM     - Ask a minor (someone under age of adulthood, usually <16, <18 or
          <21)

AOL     - A great deal of people that got ripped off for net access by a
          huge clueless isp with sekurity that you can drive buses through,
          we're not talking Kung-Fu being none too good here, Buy-A-Kloo
          maybe at the least they could try leasing one??

*CC     - 1 - Credit Card (as in phraud)
          2 - .cc is COCOS (Keeling) ISLANDS but they probably accept cc's

CCC     - Chaos Computer Club (Germany)

*CON    - Conference, a place hackers crackers and hax0rs among others go
          to swap ideas, get drunk, swap new mad inphoz, get drunk, swap
          gear, get drunk watch videos and seminars, get drunk, listen to
          speakers, and last but not least, get drunk.
*CRACKER - 1 . Someone who cracks games, encryption or codes, in popular
          hacker speak he's the guy that breaks into systems and is often
          (but by no means always) a "script kiddie" see pheer
          2 . An edible biscuit usually crappy tasting without a nice dip,
          I like jalapeno pepper dip or chives sour cream and onion, yum
          - Ed

Ebonics - speaking like a rastafarian or hip dude of colour also wigger
          Vanilla Ice is a wigger, The Beastie Boys and rappers speak using
          ebonics, speaking in a dark tongue ... being ereet, see pheer

EoC     - End of Commentary

EoA     - End of Article or more commonly @HWA

EoF     - End of file

EoD     - End of diatribe (AOL'ers: look it up)

FUD     - Coined by Unknown and made famous by HNN - "Fear uncertainty and
          doubt", usually in general media articles not high brow articles
          such as ours or other HNN affiliates ;)

du0d    - a small furry animal that scurries over keyboards causing people
          to type weird crap on irc, hence when someone says something
          stupid or off topic 'du0d wtf are you talkin about' may be used.

*HACKER - Read Steven Levy's HACKERS for the true definition, then see
          HAX0R

*HAX0R  - 1 - Cracker, hacker wannabe, in some cases a true hacker, this is
          difficult to define, I think it is best defined as pop culture's
          view on The Hacker ala movies such as well erhm "Hackers" and The
          Net etc... usually used by "real" hackers or crackers in a
          derogatory or slang humorous way, like 'hax0r me some coffee?' or
          can you hax0r some bread on the way to the table please?'
          2 - A tool for cutting sheet metal.

HHN     - Maybe a bit confusing with HNN but we did spring to life around
          the same time too, HWA Hax0r News.... HHN is a part of HNN .. and
          HNN as a proper noun means the hackernews site proper. k? k. ;&

HNN     - Hacker News Network and its affiliates
          http://www.hackernews.com/affiliates.html

J00     - "you"(as in j00 are OWN3D du0d) - see 0wn3d

MFI/MOI - Missing on/from IRC

NFC     - Depends on context: No Further Comment or No Fucking Comment

NFR     - Network Flight Recorder (Do a websearch) see 0wn3d

NFW     - No fuckin'way

*0WN3D  - You are cracked and owned by an elite entity see pheer

*OFCS   - Oh for christ's sakes

PHACV   - And variations of same Phreaking, Hacking, Anarchy, Cracking,
          Carding (CC) Groups Virus, Warfare

          Alternates: H - hacking, hacktivist
                      C - Cracking
                      C - Cracking
                      V - Virus
                      W - Warfare
                      A - Anarchy (explosives etc, Jolly Roger's Cookbook
                          etc)
                      P - Phreaking, "telephone hacking" PHone fREAKs ...
                      CT - Cyber Terrorism

*PHEER  - This is what you do when an ereet or elite person is in your
          presence see 0wn3d

*RTFM   - Read the fucking manual - not always applicable since some
          manuals are pure shit but if the answer you seek is indeed in the
          manual then you should have RTFM you dumb ass.

TBC     - To Be Continued also 2bc (usually followed by ellipses...) :^0

TBA     - To Be Arranged/To Be Announced also 2ba

TFS     - Tough fucking shit.

*w00t   - 1 - Reserved for the uber ereet, no one can say this without
          severe repercussions from the underground masses. also "w00ten"
          2 - Cruciphux and sAs72's second favourite word (they're both
          shit stirrers)

*wtf    - what the fuck, where the fuck, when the fuck etc ..

*ZEN    - The state you reach when you *think* you know everything (but
          really don't) usually shortly after reaching the ZEN like state
          something will break that you just 'fixed' or tweaked.

@HWA

-=- :. .: -=-

01.0 Greets!?!?! yeah greets! w0w huh. - Ed
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Thanks to all in the community for their support and interest but i'd like
to see more reader input, help me out here, whats good, what sucks etc, not
that I guarantee i'll take any notice mind you, but send in your thoughts
anyway.
* all the people who sent in cool emails and support

FProphet Pyra TwstdPair _NeM_ D----Y Dicentra vexxation sAs72 Spikeman p0lix Vortexia Wyze1 Pneuma
Ken Williams/tattooman ex-of PacketStorm,
& Kevin Mitnick

kewl sites:

+ http://www.securityportal.com/ NEW
+ http://www.securityfocus.com/ NEW
+ http://www.hackcanada.com/
+ http://www.l0pht.com/
+ http://www.2600.com/
+ http://www.freekevin.com/
+ http://www.genocide2600.com/
+ http://www.packetstorm.harvard.edu/ ******* DOWN (THANKS JP) ******
+ http://www.hackernews.com/ (Went online same time we started issue 1!)
+ http://www.net-security.org/
+ http://www.slashdot.org/
+ http://www.freshmeat.net/
+ http://www.403-security.org/
+ http://ech0.cjb.net/

@HWA

01.1 Last minute stuff, rumours and newsbytes
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

"What is popular isn't always right, and what is right isn't always popular..."
- FProphet '99

+++ When was the last time you backed up your important data?

++ UNMASKING CHAT ROOM IMPOSTORS (TECH. 3:00 am)
http://www.wired.com/news/news/email/explode-infobeat/technology/story/21754.html

Ever wonder who you're really chatting with online? A new game based on the Turing test may tell whether she is really a he, and vice versa. By Kristen Philipkoski.

++ CISCO PAYS $65 MILLION FOR COCOM (BUS. 8:30 am)
http://www.wired.com/news/news/email/explode-infobeat/business/story/21760.html

The computer networking company buys Copenhagen's Cocom to expand its delivery of broadband access products.

++ SCREAMS OF DELIGHT AT VISIO (BUS. 8:30 am)
http://www.wired.com/news/news/email/explode-infobeat/business/story/21761.html

The technical drawing software company joins the Redmond empire in a US$1.3 billion stock deal.

++ MOTOROLA BUYS INTO BROADBAND (BUS. 7:35 am)
http://www.wired.com/news/news/email/explode-infobeat/business/story/21759.html

The cell phone and pager company agrees to spend US$11 billion in stock for set-top box supplier General Instrument. Also: FCC walks a fine line with new orders.... Seagate to trim 8,000 jobs.... American Airlines finds few New Year's passengers.... And more.

++ SPRECHEN SIE INTERNET DEUTSCH? (CULT. 3:00 am)
http://www.wired.com/news/news/email/explode-infobeat/culture/story/21752.html

As Germans clamor for Net access and tools like email, they leave their language behind them. German isn't what it used to be. By Carter Dougherty.

++ IS PALM LOSING ITS GRIP? (TECH. Tuesday)
http://www.wired.com/news/news/email/explode-infobeat/technology/story/21751.html

Handspring licenses the Palm OS for its handheld, then releases a more flexible organizer. Is the Palm dynasty on shaky ground? By Leander Kahney.

++ SPARKING THE PLUG-AND-PLAY CAR (TECH. Tuesday)
http://www.wired.com/news/news/email/explode-infobeat/technology/story/21745.html

Motorola develops a streamlined socket system for plugging info gadgets into autos. Adding wireless news, entertainment, and ads could get much simpler. By Craig Bicknell.

++ DEMOS TO PREZ: 'USE SAFE TEXT' (POL. Tuesday)
http://www.wired.com/news/news/email/explode-infobeat/politics/story/21744.html

House Democrats want Bill Clinton to help them overturn his administration's own long-term policy restricting the export of strong encryption products.

++ OPEN ACCESS FIGHT RAGES ON (POL. Tuesday)
http://www.wired.com/news/news/email/explode-infobeat/politics/story/21748.html

An ISP industry group tells a federal court that local governments should decide who gets access to cable networks.

Thanks to myself for providing the info from my wired news feed and others from whatever sources, also to Spikeman for sending in past entries....
- Ed

@HWA

01.2 MAILBAG - email and posts from the message board worthy of a read
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

(No mail worthy of posting here this issue,)

Yeah we have a message board, feel free to use it, remember there are no stupid questions... well there are but if you ask something really dumb we'll just laugh at ya, let's give the message board a bit more use eh? I'll be using a real message board when the hwa-iwa.org domain comes back online (soon) meanwhile the beseen board is still up...

==============================================================================

02.0 From the editor.
~~~~~~~~~~~~~~~~

    #include <stdio.h>

    int main(void)
    {
        printf ("Read commented source!\n\n");

        /* This issue is a little late, sorry 'bout that but I got a new toy
         * and have been spending time setting it up and playing with it, its
         * a PII 400 with Voodoo III 3000 and a Diamond Monster sound 3d card
         * with a 19" monitor and 10 gig hd plus a DVD drive and HP 8100 CDRW
         * all that connects to a soho 5 port CAT5 hub which goes out to the
         * cablemodem, my other system will be delegated to FreeBSD and the
         * Linux box remains untouched. FreeBSD will be bestowed with a 13G
         * HD and I am probably going to bring Linux 'up front' as a proxy
         * and shell server at some point... so yay me
         *
         * This issue has a couple of articles contributed by wyzewun of FK
         * (Forbidden Knowledge) a .ZA zine that sheds some light on the hack
         * / security scene in South Africa so read on and enjoy the issue...
         *
         * Cruciphux
         */
        printf ("EoF.\n");
        return 0;
    }

Congrats, thanks, articles, news submissions and kudos to us at the main address: hwa@press.usmc.net complaints and all nastygrams and mai*lbombs can go to /dev/nul nukes, synfloods and papasmurfs to 127.0.0.1, private mail to cruciphux@dok.org

danke.

C*:.

03.0 Army to Use MacOS
~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com

contributed by McIntyre

The US Army has migrated its web server duties off WindowsNT and onto MacOS. The site administrator has said that according to the World Wide Web Consortium (W3C) MacOS is more secure and does not allow remote logins. (The reason army.mil was recently defaced was due to an application hole, not an OS problem and nothing against the W3C but when did they become security experts?)

Army Link News
http://www.dtic.mil/armylink/news/Sep1999/a19990901hacker.html

CMP Tech Web
http://www.techweb.com/wire/story/TWB19990910S0017

US Army
http://www.army.mil

Army Link News;

Web page hacker arrested, government sites becoming more secure

by Sgt. 1st Class Connie E. Dickey

WASHINGTON (Army News Service, Sept. 1, 1999) - Working from information provided by the U.S. Army's Criminal Investigation Command, FBI agents arrested a 19-year-old Wisconsin man Aug. 30 for malicious altering of a U.S. Army Web page.

The agents identified the Green Bay man as the co-founder of a hacker organization known as "Global Hell." The arrest capped a two-month investigation led by Army CID agents, after an unidentified intruder gained illegal access to the Army Home Page June 28 and modified its contents.

The intruder also gained access to an unclassified Army network and removed and modified computer files to prevent detection.

Since the case is still ongoing, Christopher Unger, web site administrator for the Army Home Page, didn't want to talk about specifics of what the hacker did to the web page or what the Army is doing to protect its sites from future hackers. However, he said the Army has moved its web sites to a more secure platform. The Army had been using Windows NT and is currently using Mac OS servers running WebSTAR web server software for its home page web site.

Unger said the reason for choosing this particular server and software is that according to the World Wide Web Consortium, it is more secure than its counterparts. According to the Consortium's published reports on its findings, Macintosh does not have a command shell, and because it does not allow remote logins, it is more secure than other platforms. The report also said the Consortium has found no specific security problems in either the software or the server.

The Consortium is a worldwide group of representatives from more than 350 organizations that provide the infrastructure for a global interoperable World Wide Web. Membership is open to any organization.

"Government networks are inviting to hackers because of their high profile," Unger said. However, the Department of Defense is laying the groundwork now for more secure Internet sites that will prevent unauthorized access to information, he said.

(Editor's note: Some information was provided by the U.S. Army Criminal Investigation Command.)

@HWA

04.0 Phrack Issue 55 Has Been Released
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com

contributed by Modify

Phrack, the oldest continuously published underground e-zine, has released issue 55. This is the first issue in over eight months. It has all the usual goodies from Loopback and LineNoise to Phrack World News.

Phrack 55 - HTML version
http://www.attrition.org/~modify/texts/phrack/latest.htm

Phrack.com
http://www.phrack.com

@HWA

05.0 E-Commerce Sites Still Vulnerable
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com

contributed by netmask

News on the various vulnerabilities with numerous shopping cart software was first announced over four months ago. MindSec security has found that most web sites are still vulnerable to these holes leaving personal information including credit card numbers at risk. Hopefully these problems will be corrected soon.

MindSec Security
http://www.mindsec.com/webcart/

E-Commerce..
Shouldn't Security Be Involved?

By: Erik Parker

E-Commerce is something that isn't getting any smaller. Hundreds of sites are popping up every day that are using E-Commerce. People are spending millions of dollars over the web, via secure servers, and online shopping applications. We have found that some of those shopping applications, commonly referred to as "Shopping Carts", may be a major downfall to the security of your credit cards and personal information being secure. Just because you are transferring your Credit Card number over a secure connection, just exactly who is it, that is going to guarantee that it is safe once it reaches its destination server?

Over 6 Months ago, Joe H. had made a report to Bugtraq (www.securityfocus.com) that many sites were insecure. Bugtraq is the most widely used, and a highly respected mailing list that the best security administrators in the world discuss possible security problems, and verified vulnerabilities. Dozens of Brands, and Hundreds of sites were vulnerable to people reading your credit card numbers, what you ordered, your home telephone number, and all the personal information you entered. Some of these carts even unknowingly let anyone who knows where the configuration program is, point their web browser to it, and change the site, the prices, the tax, and even make their own orders at whatever price they want.

After 6 months some of these sites still remain vulnerable. It is almost as if the manufacturers didn't notify their customers of the problem. Many of the customers either were never informed, or just didn't take the time to pursue fixing their sites. Perhaps people hoped the problem would go away or be forgotten.

In Joe's first post to Bugtraq, he noted that c|net would be running an article on E-Commerce Security. He did not disclose who the manufacturers of these products were. However, when he got dozens of E-mails with people asking him who they were, he went ahead and posted a second post, which lists several companies that were vulnerable. Then other people started looking into these, and Bo Elkjaer posted a followup listing another company, Mountain Network Systems. Joe then checked out their products and in his follow up post he determined it was also vulnerable.

Mind Security has taken interest in the shopping cart problems, to make E-Commerce a little safer, and a bit more trusted, as a good majority of people are still hesitant to shop online. E-Commerce is a great way of shopping and purchasing things over the web. With E-Commerce you do not have to be bothered by a sales man or be pressured, and yet you can still find all the information on products that you want without the help of a salesman who just wants to get his commission.

The other reason we took interest, is because we were asked to investigate a recent hack by a group called HiP (Hackers In Paradise), who had hit a Web site that sells Adult Items. The web site owner had requested for us to look into it, and advise them on what they should do. After investigating and obtaining the logs we determined that the hackers never gained access to the machine, under the Administrator account. There were hundreds of web sites hosted on that machine, and several that were more high profile. Also looking at their track record, many of these sites they had taken credit for ran WebCart®, or other shopping cart like programs. There was no FTP involved, and no shell access granted that we could determine. We can't say with 100% certainty that it was done via the webcart®. It does have an html update utility, and has such a bad track record, we had to strongly consider this as being the point of entry for the hackers. The product also doesn't log any of its usage. People can upload, update, and if they aren't logged via the web server, then they were never logged.

When we went to yahoo.com and put "webcart AND mountain" in the search engine, we came up with dozens of matches. We did a quick investigation and found more than 70% were vulnerable. We read an E-mail earlier from someone at Mountain-Net, which claims that if the user properly configures their web servers and read the install file, this wouldn't be a problem. I beg to differ, a good product ships with its own built-in security measures, and does not rely on other programs being setup, like Apache's htaccess feature, which lets you grant and refuse access by username and password and even by hostname if you wish.

Mind Security made a follow up post to Bugtraq on September 9th, concerning this, and the fact that no one had fixed it, and it was just kind of forgotten about. The post named off of a couple of sample vulnerable sites, as well as the correct paths to check for these problems.

If you would like to check your site for this vulnerability, we worked with Renaud Deraison who runs The Nessus Project. The "Nessus" Project aims to provide to the internet community a free, powerful, up-to-date and easy to use and remote security scanner. They have included a way to search for these vulnerabilities within their scanner. If you download their most current version from their CVS repository, you will be able to scan your site for it with that. If you can not get it from their repository, it will be included in their nessus-0.98.2 release.

Thanks go to:

Brian Martin
Benjamin DeLong, Research Lead, ZOT Group
L0pht Heavy Industries
The Attrition.org Staff
The Nessus Project

@HWA

06.0 Fakescan.c by Vortexia
~~~~~~~~~~~~~~~~~~~~~~

Read the comments in the source, it's self-explanatory, Vort tells me he initiated quite a stir in .za with this program with half the country thinking they were being scanned by the other half etc... fun. anyways check it out...and shouts to Forbidden Knowledge, Vort and Wyze1

-=-

[09:54] Cruciphux did I give you fakescan.c?
[09:54] no
[09:55] this one is evil :)
[09:55] me to me to
[09:55] ok
[09:55] it really caused some ppl in the industry to go loco
[09:55] hehe
[09:56] cause suddenly half the world was scanning half the world
[09:56] you been causing shit again?
[09:56] hahaha
[09:56] Cruciphux :) read what it does
[09:56] ok
[09:56] its a braindead port scan spoofer that looks exactly like an nmap scan but is far easier to use to do mass scans and requires no brains to use :)
[09:57] vort: u giving him the ver with the fixed tcp/ip sequencing
[09:58] ?
[09:58] damnit, now he's making a phonecall ;)
[09:58] wyze1 its got almost perfect seq'ing
[09:58] hehe
[09:58] no greets to HWA yet huh?
[09:58] :-/
[09:58] its large enough to be realistic
[09:58] *g*
[09:58] Cruciphux ack I forgot
[09:58] add em in there yourself :)
[09:58] hahaha
[09:58] nah
[09:59] i'm not THAT lame
[09:59] hehehe
[09:59] there is pr0ps to HWA in the new FK

No we're not THAT lame but just lame enough to include the irc log of me acquiring this copy of fakescan ;-) ,,, enjoy

-=-

/*
 * Fakescan.c (c) 1999 Vortexia / Andrew Alston andrew@idle.za.org
 *
 * Ok... more crap code from me... thats yes... entirely useless other than as a
 * proof of case. I wrote this quickly while trying to prove the case that
 * logging portscans that are syn/fin based is entirely useless.
 *
 * What the code does: It reads in a list of hosts to spoof from a spoof host,
 * and sends fake fin or syn scans to a list of hosts found in the victims
 * file. Sorry there is no dns resolve on hosts in those files, it was a
 * quick job while I was bored and I found better things to do while coding
 * it so I didnt get around to adding it.
* * The code is once again written for BSD and compiles with no warnings under * fbsd 3.2 - I hate linux - Dont expect a linux port from me, someone else - * feel free to make one * * If you wanna use my code, as always, feel free but I expect credit where * credit is due, I.E you use my code, you put my name in your code. * * Greets and Shoutouts.. * * Mithrandi - Thanks for your help Ultima - For everything you've helped me * with in the past Van - What can I say, HI TimeWiz - Thanks for help in * times past, and for ideas for upcoming projects Sniper - My partner in * crime - You have and always will rock Opium - HI Hotmetal - A general * greet DrSmoke - HI jus - My social engineering partner - lets continue to * mindfuck together OPCODE - Thanks for the help - you rock gr1p and all the * people at b4b0 - Keep rocking guys To all the people at Forbidden * knowledge - Good going - Keep it up To everyone else on all the networks * and channels I hang on, a general greet and thanks - I couldnt keep doing * what I do without you guys. 
* * Fuckoffs, Curses and the likes: * * To Sunflower - If you cant handle an insult in a piece of code - and think * thats worth of an akill - GROW UP AND GO FUCK YOURSELF To Gaspode - May * you die a slow and painful death, and may the fleas of 10000 camels infest * your armpits To the person who said coding stuff like this was for script * kiddies - GET A CLUE you know who you are To anyone else I dont like - * FUCK YOU To anyone else who doesnt like me - FUCK YOU * */ #define __FAVOR_BSD #include #include #include #include #include #include #include #include #include #include #include #include #include #include struct viclist { struct in_addr victim; struct viclist *link; }; struct slist { struct in_addr spoof; struct slist *link; }; int main(int argc, char *argv[]) { int i = 0; int sock; int on = 1; struct sockaddr_in sockstruct; struct ip *iphead; struct tcphdr *tcphead; char evilpacket[sizeof(struct ip) + sizeof(struct tcphdr)]; int seq, ack; FILE *victimfile; FILE *spooffile; char buffer[256]; struct viclist *vcur, *vfirst; struct slist *scur, *sfirst; bzero(evilpacket, sizeof(evilpacket)); vfirst = malloc(sizeof(struct viclist)); vcur = vfirst; vcur->link = NULL; sfirst = malloc(sizeof(struct slist)); scur = sfirst; scur->link = NULL; if (argc < 4) { printf("Usage: %s scan_type ((S)yn/(F)in) spoof_file victim_file\n" "Example: %s S spooffile victimfile\n", argv[0], argv[0]); exit(-1); }; if ((strncmp(argv[1], "S", 1)) && (strncmp(argv[1], "F", 1))) { printf("Scan type not specified\n"); exit(-1); } if ((spooffile = fopen((char *) argv[2], "r")) <= 0) { perror("fopen"); exit(-1); } else { while (fgets(buffer, 255, spooffile)) { if (!(inet_aton(buffer, &(scur->spoof)))) printf("Invalid address found in victim file.. 
ignoring\n"); else { scur->link = malloc(sizeof(struct slist)); scur = scur->link; scur->link = NULL; } }; bzero(buffer, sizeof(buffer)); }; fclose(spooffile); scur = sfirst; while (scur->link != NULL) { printf("Found spoof host: %s\n", inet_ntoa(scur->spoof)); scur = scur->link; }; scur = sfirst; if ((victimfile = fopen((char *) argv[3], "r")) <= 0) { perror("fopen"); exit(-1); } else { while (fgets(buffer, 255, victimfile)) { if (!(inet_aton(buffer, &(vcur->victim)))) printf("Invalid address found in victim file.. ignoring\n"); else { vcur->link = malloc(sizeof(struct viclist)); vcur = vcur->link; vcur->link = NULL; } }; bzero(buffer, sizeof(buffer)); }; fclose(victimfile); vcur = vfirst; while (vcur->link != NULL) { printf("Found victim host: %s\n", inet_ntoa(vcur->victim)); vcur = vcur->link; }; vcur = vfirst; if ((sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0) { perror("socket"); exit(-1); } if (setsockopt(sock, IPPROTO_IP, IP_HDRINCL, (char *) &on, sizeof(on)) < 0) { perror("setsockopt"); exit(-1); } sockstruct.sin_family = AF_INET; iphead = (struct ip *) evilpacket; tcphead = (struct tcphdr *) (evilpacket + sizeof(struct ip)); iphead->ip_hl = 5; iphead->ip_v = 4; iphead->ip_len = sizeof(struct ip) + sizeof(struct tcphdr); iphead->ip_id = htons(getpid()); iphead->ip_ttl = 255; iphead->ip_p = IPPROTO_TCP; iphead->ip_sum = 0; iphead->ip_tos = 0; iphead->ip_off = 0; tcphead->th_win = htons(512); if (!(strncmp(argv[1], "S", 1))) tcphead->th_flags = TH_SYN; else tcphead->th_flags = TH_FIN; tcphead->th_off = 0x50; while (vcur->link != NULL) { iphead->ip_dst = vcur->victim; sleep(1); while (scur->link != NULL) { seq = rand() % time(NULL); ack = rand() % time(NULL); tcphead->th_sport = htons(rand() % time(NULL)); sockstruct.sin_port = htons(rand() % time(NULL)); iphead->ip_src = scur->spoof; sockstruct.sin_addr = scur->spoof; sleep(1); for (i = 1; i <= 1024; i++) { seq += (rand() %10)+250; ack += (rand() %10)+250; srand(getpid()); tcphead->th_seq = htonl(seq); 
tcphead->th_ack = htonl(ack); tcphead->th_dport = htons(i); sendto(sock, &evilpacket, sizeof(evilpacket), 0x0, (struct sockaddr *) & sockstruct, sizeof(sockstruct)); } scur = scur->link; } scur = sfirst; vcur = vcur->link; } return (1); };

@HWA

07.0 MS get Independent Auditor for HotMail
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com

contributed by Weld Pond

After prompting from industry watch dog groups Microsoft has agreed to hire a third party auditing firm to review the recent HotMail incident. Microsoft has not released the name of the company and it is unlikely the resulting report will be made public.

Wired
http://www.wired.com/news/news/technology/story/21691.html

All Eyes on Hotmail Audit
by Chris Oakes

4:00 p.m. 10.Sep.99.PDT

Can the Internet industry spank itself? Some are watching the outcome of the latest major Web breakdown to see.

Microsoft has chosen an undisclosed independent auditor to give Hotmail a security once-over. As it does so, the company, industry watchdog Truste, and privacy advocates cast the audit as a testament to -- or failure of -- effective self-regulation.

Following a recommendation last week by Truste, Microsoft went about choosing an independent auditing firm this week to test the security of its free Hotmail email service.

"We're doing an independent review or audit of the Hotmail incident of last week, which got lot of attention," said Microsoft spokesperson Tom Pilla.

Hotmail users were confronted with an alarming security breach last week. Hackers exposed every Hotmail email account so that anyone who knew a person's username could access that account without a password.

"Truste said Microsoft was in compliance and believed [the Hotmail security issue] to be resolved. But we are continuing to investigate that incident completely to ensure that the service complies with the high standards we put on consumer privacy," Pilla added.
Truste spokesman Dave Steer emphasized that his organization didn't order Microsoft to hire an auditor; rather, it was a recommendation. Pilla underscored the point. "They suggested and we agreed. It's not something we had to do." So if the agreement was such a non-threatening, voluntary arrangement, does it stand up as an effective demonstration of the power of self-regulation? "Yeah, I think it [does]," Pilla said. "As soon as the incident occurred we [were] in close coordination with Truste, as we always are on these things." Last week, Truste took an initial stance that the incident was a security issue, not a privacy matter. But Steer said the organization sees the two issues as connected, and a Truste statement on the organization's Web site clarifies its position. "The statement clearly highlights the fact that there's not trust without privacy and similarly there's not privacy without reasonable security of the data being protected," Steer explained. "So in some instances, yes -- security and privacy go hand in hand." Jason Catlett, a privacy advocate who closely watches the self-regulation issue, was guardedly impressed by the sheer notion of an audit. "I don't write it off as [a] meaningless act. I'm quite pleased that they have agreed to an independent audit. It's a small window opened in the fortress Redmond," he said. But Catlett read hidden meaning in the unprecedented Microsoft decision, and doesn't see it as evidence of self-regulation's effectiveness. "Basically, [Microsoft] realize[s] that nobody believes a single word they say anymore, so they're paying an accounting firm to say things for them." The nature of this security breach -- a simple function of logging into an email account -- made it easier for Microsoft to open up Hotmail for review, Catlett said. 
In contrast, the company's undisclosed use of a unique identifier in Microsoft Office documents and Microsoft cookies created during user registration of Windows, had much broader implications. Thus, when an audit was badly needed, Microsoft declined. "Truste didn't do an audit [in that case] so [Catlett's Junkbusters watchdog group] went to the FTC and asked them to require an audit, and Microsoft just refused." This time, "Truste suggested an audit and Microsoft agreed -- this is the coziest regulation imaginable," Catlett said. Pilla disagreed. "I think it's a very good expression of self-regulation," he said. "I think our swift response to the Hotmail incident coupled with inviting a third party review is evidence of our commitment to protecting people's online privacy." The legitimacy of the Hotmail audit will depend on the particular security issues the auditing firm is asked to test. "Management makes some assertion and the acting firm attests to that assertion. If the assertions are very limited, then the conclusion [of the] accounting firm is very limited," Catlett said. Pilla said he couldn't comment on the specifics of the audit yet. "We don't know what the process is, moving forward." He also wouldn't say whether the public would ever get to review the test conducted by the auditing firm. As to skepticism of the self-regulatory process, Truste's Steer said, "We don't dictate where the program is going to go based on the skeptics. We have to take a good hard look at what the consumer needs. ... Any reasonable person can take a look at what's going on right now and come to their own conclusion. If you ask me personally, I think this is an example that the system worked." Whatever the outcome, it will no doubt be logged into any case histories seeking to build a case for or against self-regulation. Pilla said the audit should take "not months but a fairly short amount of time." 
Said Catlett: "They're on a tightrope where they're trying to maintain credibility as a consumer advocacy organization while still not scaring away potential licensees with any real prospects of sanctions." @HWA 08.0 US Gov to Switch From NT to Open Source ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com contributed by Weld Pond The National Security Council will soon create a software assessment office to evaluate different operating systems other than Windows NT including open source software. A major reason given for this switch was the susceptibility of Windows to viruses and other attacks. (The article says they are looking closely at Linux, I hope they don't forget OpenBSD.) Federal Times http://www.federaltimes.com/topstory.html The Independent Weekly September 16, 1999 Top Officials Seek Alternatives to Microsoft By Stephen Trimble FEDERAL TIMES STAFF WRITER Concerned about security and an excessive reliance on Microsoft software, senior administration officials plan to diversify the types of operating systems software purchased by the government. The National Security Council soon will create a new office to assess the ways federal agencies could make greater use of open-source, or nonproprietary, software that is freely available to anyone and has codes that are not secret. "One of the areas we are very interested in looking at is open-source code," a senior White House official told Federal Times. The effort ultimately could affect the types of software the government purchases for network servers and desktop applications. The government will buy $2 billion worth of software in 2000, according to Federal Sources Inc., of Fairfax, Va., a market research company. The initial purpose of the new software assessment office will be to identify agencies and programs that will be candidates for trials of open source software, said the White House official, who asked not to be identified. 
The General Services Administration and the National Institute of Standards and Technology also are involved in creating the office. Its location still is to be decided.

The new office will assess the costs and benefits of using open-source software to operate many government computers. Also to be determined are the cost and technical obstacles to communication between systems using open-source and the proprietary software now in use.

The White House official declined to say how extensive is the administration's plan to diversify its reliance on operating systems software.

A chief reason for the effort, according to advocates, is to address concerns that Microsoft operating systems are vulnerable to malicious computer viruses and hacker attacks.

This is partly because the Microsoft software is proprietary and security vulnerabilities are more difficult to find and correct, said Przemek Klosowski, a NIST physicist and leader of the Washington, D.C., Linux User's Group.

"Government should be vendor-neutral, and the government should not formulate IT requirements that say only a single vendor is applicable," Klosowski said.

Klosowski said Linux is used on a limited basis for computer research applications at Energy Department laboratories, NASA, NIST and the Defense Department.

"I don't know of any large government Linux contracts," he added.

Another purpose of adopting different types of software is to diversify the government's inventory of operating systems, so not all are vulnerable to the same viruses and attacks, the White House official said.

Linux, an open-source operating system similar in functionality to Microsoft Windows, is being given serious consideration as an alternative for government computer users, the official said.

Access to the Linux source code "gives us some confidence," the White House official said, adding that it simplifies patching security breaches and correcting routine errors.

Created by a Finnish graduate student named Linus Torvalds in 1991, Linux's open code is relentlessly scrutinized and tested by tens of thousands of systems analysts worldwide, who constantly recommend improvements, Klosowski said.

As a result, Linux boasts a robust code that rarely malfunctions and is extremely difficult for hackers to crack, Klosowski said.

Microsoft, on the other hand, keeps its code secret and makes upgrades to its products on a yearly basis, he said.

Microsoft software products have been the target of numerous computer viruses. One of the best known was the Melissa virus that struck thousands of government and nongovernment computers in March by exploiting vulnerabilities in Microsoft Word 97 and Microsoft Word 2000.

In June, another virus called ExploreZip targeted vulnerabilities in Microsoft Windows 95, Windows 98 and Windows NT.

Microsoft officials argue their software products meet federal security standards.

Microsoft's main server software, Microsoft Windows NT 3.5, for instance, is certified under the federal security standard known as Federal Information Processing Standard 140-1, said Quazi Zaman, advanced technology manager for Microsoft Federal Systems of Washington, D.C.

The newest version of Microsoft's server operating system, called Microsoft Windows NT 4.0, is undergoing certification and is expected to be certified "in the next three months," Zaman said.

Zaman added that Microsoft has been considering making some of its software products open source for two years.

"Open source is a very innovative way to develop software," Zaman said. "The issue is how much of our own code we should put out in the open source environment."

Zaman added that Microsoft likely would be willing to provide the National Security Council with its code for security inspections if it is for national security purposes. So far, he said, the NSC has not asked for access to any of Microsoft's software code.
Zaman argued that government agencies are not excessively reliant on Microsoft products, adding that other software suppliers, namely, database software suppliers, have larger shares of the federal software market.

The project to increase the government's use of open-source operating systems likely will present formidable challenges. The government already relies extensively on Microsoft products for desktop and, increasingly, server applications. Thus, there are sure to be communications problems between systems that use different software, said John Gilligan, the Energy Department's chief information officer.

The concept also appears to run counter to the government's 3-year-old effort to concentrate on buying commercial, easy-to-use software, said Payton Smith of Federal Sources Inc.

Regardless of security concerns, Smith added, a multitude of software systems within an agency often can lead to interoperability problems.

"The more variations you have in the software, the more problems and the more costs you're going to have," Smith said.

The White House official acknowledged that concerns over costs and interoperability issues must be settled for the project to succeed.

"That's exactly the issues we're looking at," the official said. "Both costs and interoperability are critical issues."

@HWA

09.0 Sept 15th CryptoGram
     ~~~~~~~~~~~~~~~~~~~~

To: crypto-gram@chaparraltree.com
From: Bruce Schneier
Subject: CRYPTO-GRAM, September 15, 1999
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"

CRYPTO-GRAM

September 15, 1999

by Bruce Schneier
Founder and CTO
Counterpane Internet Security, Inc.
schneier@counterpane.com
http://www.counterpane.com

A free monthly newsletter providing summaries, analyses, insights, and commentaries on computer security and cryptography.

Back issues are available at http://www.counterpane.com. To subscribe or unsubscribe, see below.
Copyright (c) 1999 by Bruce Schneier

** *** ***** ******* *********** *************

In this issue:
     Open Source and Security
     NSA Key in Microsoft Crypto API?
     Counterpane Systems -- Featured Research
     News
     Extra Scary News
     Counterpane News
     The Doghouse: E*Trade
     Factoring a 512-bit Number
     Comments from Readers

** *** ***** ******* *********** *************

Open Source and Security

As a cryptography and computer security expert, I have never understood the current fuss about the open source software movement. In the cryptography world, we consider open source necessary for good security; we have for decades. Public security is always more secure than proprietary security. It's true for cryptographic algorithms, security protocols, and security source code. For us, open source isn't just a business model; it's smart engineering practice.

Open Source Cryptography

Cryptography has been espousing open source ideals for decades, although we call it "using public algorithms and protocols." The idea is simple: cryptography is hard to do right, and the only way to know if something was done right is to be able to examine it.

This is vital in cryptography, because security has nothing to do with functionality. You can have two algorithms, one secure and the other insecure, and they both can work perfectly. They can encrypt and decrypt, they can be efficient and have a pretty user interface, they can never crash. The only way to tell good cryptography from bad cryptography is to have it examined.

Even worse, it doesn't do any good to have a bunch of random people examine the code; the only way to tell good cryptography from bad cryptography is to have it examined by experts. Analyzing cryptography is hard, and there are very few people in the world who can do it competently. Before an algorithm can really be considered secure, it needs to be examined by many experts over the course of years.

This argues very strongly for open source cryptographic algorithms.
Since the only way to have any confidence in an algorithm's security is to have experts examine it, and the only way they will spend the time necessary to adequately examine it is to allow them to publish research papers about it, the algorithm has to be public. A proprietary algorithm, no matter who designed it and who was paid under NDA to evaluate it, is much riskier than a public algorithm.

The counter-argument you sometimes hear is that secret cryptography is stronger because it is secret, and public algorithms are riskier because they are public. This sounds plausible, until you think about it for a minute. Public algorithms are designed to be secure even though they are public; that's how they're made. So there's no risk in making them public. If an algorithm is only secure if it remains secret, then it will only be secure until someone reverse-engineers and publishes the algorithms. A variety of secret digital cellular telephone algorithms have been "outed" and promptly broken, illustrating the futility of that argument.

Instead of using public algorithms, the U.S. digital cellular companies decided to create their own proprietary cryptography. Over the past few years, different algorithms have been made public. (No, the cell phone industry didn't want them made public. What generally happens is that a cryptographer receives a confidential specification in a plain brown wrapper.) And once they have been made public, they have been broken. Now the U.S. cellular industry is considering public algorithms to replace their broken proprietary ones.

On the other hand, the popular e-mail encryption program PGP has always used public algorithms. And none of those algorithms has ever been broken. The same is true for the various Internet cryptographic protocols: SSL, S/MIME, IPSec, SSH, and so on.

The Best Evaluation Money Can't Buy

Right now the U.S. government is choosing an encryption algorithm to replace DES, called AES (the Advanced Encryption Standard).
There are five contenders for the standard, and before the final one is chosen the world's best cryptographers will spend thousands of hours evaluating them. No company, no matter how rich, can afford that kind of evaluation. And since AES is free for all uses, there's no reason for a company to even bother creating its own standard. Open cryptography is not only better -- it's cheaper, too.

The same reasoning that leads smart companies to use published cryptography also leads them to use published security protocols: anyone who creates his own security protocol is either a genius or a fool. Since there are more of the latter than the former, using published protocols is just smarter.

Consider IPSec, the Internet IP security protocol. Beginning in 1992, it was designed in the open by committee and was the subject of considerable public scrutiny from the start. Everyone knew it was an important protocol and people spent a lot of effort trying to get it right. Security technologies were proposed, broken, and then modified. Versions were codified and analyzed. The first draft of the standard was published in 1995. Different aspects of IPSec were debated on security merits and on performance, ease of implementation, upgradability, and use.

In November 1998, the committee published a slew of RFCs -- one in a series of steps to make IPSec an Internet standard. And it is still being studied. Cryptographers at the Naval Research Laboratory recently discovered a minor implementation flaw. The work continues, in public, by anyone and everyone who is interested. The result, based on years of public analysis, is a strong protocol that is trusted by many.

On the other hand, Microsoft developed its own Point-to-Point Tunneling Protocol (PPTP) to do much the same thing. They invented their own authentication protocol, their own hash functions, and their own key-generation algorithm. Every one of these items was badly flawed.
They used a known encryption algorithm, but they used it in such a way as to negate its security. They made implementation mistakes that weakened the system even further. But since they did all this work internally, no one knew that PPTP was weak.

Microsoft fielded PPTP in Windows NT and 95, and used it in their virtual private network (VPN) products. Eventually they published their protocols, and in the summer of 1998, the company I work for, Counterpane Systems, published a paper describing the flaws we found. Once again, public scrutiny paid off. Microsoft quickly posted a series of fixes, which we evaluated this summer and found improved, but still flawed.

Like algorithms, the only way to tell a good security protocol from a broken one is to have experts evaluate it. So if you need to use a security protocol, you'd be much smarter taking one that has already been evaluated. You can create your own, but what are the odds of it being as secure as one that has been evaluated over the past several years by experts?

Securing Your Code

The exact same reasoning leads any smart security engineer to demand open source code for anything related to security. Let's review: Security has nothing to do with functionality. Therefore, no amount of beta testing can ever uncover a security flaw. The only way to find security flaws in a piece of code -- such as in a cryptographic algorithm or security protocol -- is to evaluate it. This is true for all code, whether it is open source or proprietary. And you can't just have anyone evaluate the code, you need experts in security software evaluating the code. You need them evaluating it multiple times and from different angles, over the course of years. It's possible to hire this kind of expertise, but it is much cheaper and more effective to let the community at large do this. And the best way to make that happen is to publish the source code.
But then if you want your code to truly be secure, you'll need to do more than just publish it under an open source license. There are two obvious caveats you should keep in mind.

First, simply publishing the code does not automatically mean that people will examine it for security flaws. Security researchers are fickle and busy people. They do not have the time to examine every piece of source code that is published. So while opening up source code is a good thing, it is not a guarantee of security. I could name a dozen open source security libraries that no one has ever heard of, and no one has ever evaluated. On the other hand, the security code in Linux has been looked at by a lot of very good security engineers.

Second, you need to be sure that security problems are fixed promptly when found. People will find security flaws in open source security code. This is a good thing. There's no reason to believe that open source code is, at the time of its writing, more secure than proprietary code. The point of making it open source is so that many, many people look at the code for security flaws and find them. Quickly. These then have to be fixed. So a two year-old piece of open source code is likely to have far fewer security flaws than proprietary code, simply because so many of them have been found and fixed over that time. Security flaws will also be discovered in proprietary code, but at a much slower rate.

Comparing the security of Linux with that of Microsoft Windows is not very instructive. Microsoft has done such a terrible job with security that it is not really a fair comparison. But comparing Linux with Solaris, for example, is more instructive. People are finding security problems with Linux faster and they are being fixed more quickly. The result is an operating system that, even though it has only been out a few years, is much more robust than Solaris was at the same age.
Secure PR

One of the great benefits of the open source movement is the positive-feedback effect of publicity. Walk into any computer superstore these days, and you'll see an entire shelf of Linux-based products. People buy them because Linux's appeal is no longer limited to geeks; it's a useful tool for certain applications. The same feedback loop works in security: public algorithms and protocols gain credibility because people know them and use them, and then they become the current buzzword. Marketing people call this mindshare. It's not a perfect model, but hey, it's better than the alternative.

** *** ***** ******* *********** *************

NSA Key in Microsoft Crypto API?

A few months ago, I talked about Microsoft's system for digitally signing cryptography suites that go into its operating system. The point is that only approved crypto suites can be used, which makes things like export control easier. Annoying as it is, this is the current marketplace.

Microsoft has two keys, a primary and a spare. The Crypto-Gram article talked about attacks based on the fact that a crypto suite is considered signed if it is signed by EITHER key, and that there is no mechanism for transitioning from the primary key to the backup. It's stupid cryptography, but the sort of thing you'd expect out of Microsoft.

Suddenly there's a flurry of press activity because someone notices that the second key in Microsoft's Crypto API in Windows NT Service Pack 5 is called "NSAKEY" in the code. Ah ha! The NSA can sign crypto suites. They can use this ability to drop a Trojaned crypto suite into your computers. Or so the conspiracy theory goes.

I don't buy it.

First, if the NSA wanted to compromise Microsoft's Crypto API, it would be much easier to either 1) convince MS to tell them the secret key for MS's signature key, 2) get MS to sign an NSA-compromised module, or 3) install a module other than Crypto API to break the encryption (no other modules need signatures).
It's always easier to break good encryption by attacking the random number generator than it is to brute-force the key.

Second, NSA doesn't need a key to compromise security in Windows. Programs like Back Orifice can do it without any keys. Attacking the Crypto API still requires that the victim run an executable (even a Word macro) on his computer. If you can convince a victim to run an untrusted macro, there are a zillion smarter ways to compromise security.

Third, why in the world would anyone call a secret NSA key "NSAKEY"? Lots of people have access to source code within Microsoft; a conspiracy like this would only be known by a few people. Anyone with a debugger could have found this "NSAKEY." If this is a covert mechanism, it's not very covert.

I see two possibilities. One, that the backup key is just as Microsoft says, a backup key. It's called "NSAKEY" for some dumb reason, and that's that.

Two, that it is actually an NSA key. If the NSA is going to use Microsoft products for classified traffic, they're going to install their own cryptography. They're not going to want to show it to anyone, not even Microsoft. They are going to want to sign their own modules. So the backup key could also be an NSA internal key, so that they could install strong cryptography on Microsoft products for their own internal use.

But it's not an NSA key so they can secretly inflict weak cryptography on the unsuspecting masses. There are just too many smarter things they can do to the unsuspecting masses.
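The EITHER-key acceptance rule described in this section can be compared with a rule that demands a valid signature from both keys. The code below is an added example, not Microsoft's code and not part of the newsletter; the toy RSA keys, the module contents and all function names are constructed for illustration.

```python
import hashlib

# Constructed toy keys: textbook RSA over products of Mersenne primes, with
# no padding. They are far too small for real use and exist only so that the
# two acceptance policies can be run and compared.
def make_key(p, q, e=65537):
    """Return (public, private) with public=(n, e) and private=(n, d)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))

def _digest(module, n):
    """SHA-256 of the module, reduced into the range of the modulus."""
    return int.from_bytes(hashlib.sha256(module).digest(), "big") % n

def sign(private, module):
    n, d = private
    return pow(_digest(module, n), d, n)

def verify(public, module, signature):
    n, e = public
    return pow(signature, e, n) == _digest(module, n)

def accept_either(trusted, module, signatures):
    """The rule in the text: one valid signature under ANY trusted key."""
    return any(verify(pub, module, sig)
               for pub in trusted.values() for sig in signatures)

def accept_both(trusted, module, signatures):
    """Alternative rule: EVERY trusted key must have signed the module."""
    return all(any(verify(pub, module, sig) for sig in signatures)
               for pub in trusted.values())

def run_scenarios():
    """Evaluate both policies on four constructed situations."""
    primary_pub, primary_priv = make_key(2**31 - 1, 2**127 - 1)
    backup_pub, backup_priv = make_key(2**61 - 1, 2**89 - 1)
    trusted = {"primary": primary_pub, "backup": backup_pub}

    module = b"constructed crypto module v1"
    rogue = b"constructed module signed with a stolen backup key"

    cases = {
        "signed with both keys":
            (module, [sign(primary_priv, module), sign(backup_priv, module)]),
        # The next two cases give the loader identical evidence (one valid
        # backup signature), so no acceptance rule can tell them apart.
        "primary destroyed, backup only":
            (module, [sign(backup_priv, module)]),
        "backup stolen, rogue module":
            (rogue, [sign(backup_priv, rogue)]),
        "no valid signature":
            (rogue, [12345]),
    }
    return {name: {"either": accept_either(trusted, m, sigs),
                   "both": accept_both(trusted, m, sigs)}
            for name, (m, sigs) in cases.items()}

if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:32} either={result['either']!s:5} both={result['both']}")
```

Under the EITHER rule a single lost or stolen key is enough to get a module loaded; under the BOTH rule a single stolen key is not, at the cost that losing one key stops all future signing.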
My original article:
http://www.counterpane.com/crypto-gram-9904.html#certificates

Announcement:
http://www.cryptonym.com/hottopics/msft-nsa.html

Nice analysis:
http://ntbugtraq.ntadvice.com/default.asp?sid=1&pid=47&aid=52

Useful news article:
http://www.wired.com/news/news/technology/story/21577.html

** *** ***** ******* *********** *************

Counterpane Systems -- Featured Research

"Cryptanalysis of Microsoft's PPTP Authentication Extensions (MS-CHAPv2)"

Bruce Schneier and Mudge, CQRE, Duesseldorf, Oct 1999, to appear.

The Point-to-Point Tunneling Protocol (PPTP) is used to secure PPP connections over TCP/IP links. In response to [SM98], Microsoft released extensions to the PPTP authentication mechanism (MS-CHAP), called MS-CHAPv2. We present an overview of the changes in the authentication and encryption-key generation portions of MS-CHAPv2, and assess the improvements and remaining weaknesses in Microsoft's PPTP implementation. While fixing some of the more egregious errors in MS-CHAPv1, the new protocol still suffers from some of the same weaknesses.

http://www.counterpane.com/pptpv2-paper.html

** *** ***** ******* *********** *************

News

The Internet Auditing Project. This is REAL interesting. A group did a low-level security audit of 36 million hosts on the Internet. Just how secure is the Internet really?
http://www.securityfocus.com/templates/forum_message.html?forum=2&head=32&id=32
http://www.internetnews.com/intl-news/print/0,1089,6_184381,00.html

And if that isn't scary enough, here's a more detailed audit of 2200 Internet sites.
http://www.fish.com/survey/

My all-time favorite Y2K compliance statement:
http://www.hartscientific.com/y2k.htm

If you need more evidence that proprietary security just doesn't work, Microsoft's digital music security format is cracked within days of being released:
http://www.wired.com/news/news/technology/story/21325.html
http://www.news.com/News/Item/0,4,0-40672,00.html?st.ne.lh..ni
http://www.msnbc.com/news/302195.asp

Patent blackmail: Lawyers for someone named Leon Stambler have been sending threatening letters to security companies, claiming that SSL, PCK, FIPS 196, SET, Microsoft PPTP, Authenticode, etc. infringe on his patent. See for yourself; the U.S. patent numbers are 5,793,302 and 5,646,998.
http://164.195.100.11/netacgi/nph-Parser?Sect1=PTO1&Sect2=HITOFF&d=PALL&p=1&u=/netahtml/srchnum.htm&r=1&f=G&l=50&s1='5,793,302'.WKU.&OS=PN/5,793,302&RS=PN/5,793,302
http://164.195.100.11/netacgi/nph-Parser?Sect1=PTO1&Sect2=HITOFF&d=PALL&p=1&u=/netahtml/srchnum.htm&r=1&f=G&l=50&s1='5,646,998'.WKU.&OS=PN/5,646,998&RS=PN/5,646,998

With all the talk about electronic voting, it's nice that someone recognizes that there are some serious security problems. The most severe, at least to me, is voter coercion. When you step into a private voting booth, you can vote as you please. No one can do anything about it. If you can vote from your computer, in your own home, with some kind of electronic security measure, then it is possible for someone to buy your vote and to ensure that you deliver on the goods.
http://www.nytimes.com/library/tech/99/08/cyber/articles/14vote.html

Many people asked me about my comment last issue about Windows NT needing over 300 security changes to make it secure. I queried the Usenet newsgroup comp.os.ms-windows.nt.admin.security asking if it was folklore or truth, and got several answers.
The consensus seemed to be that the number was somewhere between 50 and 3000, and 300 wasn't an unreasonable estimate. A good checklist is available here:
http://people.hp.se/stnor/
And see also:
http://www.trustedsystems.com/NSAGuide.htm

The U.S. crypto export regulations have led to the development of some excellent products from non-U.S. companies. Judging from this article, though, this isn't one of them:
http://www.rediff.com/computer/1999/jul/09suri.htm

Two Microsoft security white papers. They're not great, but they do explain the Microsoft party line.
Security basics:
http://www.microsoft.com/security/resources/security101wp.asp
Office 2000 Macro Security:
http://officeupdate.microsoft.com/2000/downloadDetails/o2ksec.htm

A flaw in Hotmail allows anyone to read anyone else's email, without a password. To me, the real interesting story is not that the flaw was discovered, but that it might have been known by the underground community long before it became public. Some of the news stories imply this.
http://www.wired.com/news/news/technology/story/21503.html
http://www.msnbc.com:80/news/306093.asp
http://www.zdnet.com.au:80/zdnn/stories/zdnn_display/0,3440,2324361,00.html
http://news.excite.com/news/zd/990901/10/the-bug-syndrome
http://news.excite.com/news/zd/990901/06/how-hotmail-blew
http://www.salon.com/tech/log/1999/09/02/hotmail_hack/print.html

Encrypted sculpture at the CIA's headquarters in Langley, VA.
http://www.npr.org/programs/atc/990826.kryptos.html

Join the military and see the basements of Ft. Meade. The National Security Agency is offering free college tuition and room and board to hackers willing to work for them for five years after graduation.
http://www.currents.net/newstoday/99/08/27/news3.html
http://www.cnn.com/TECH/computing/9908/26/t_t/teen.hacker/index.html

Nice BBC article on U.S.
encryption debate:
http://news.bbc.co.uk/hi/english/world/americas/newsid_430000/430384.stm

Funny stuff: the real story of Alice and Bob:
http://www.conceptlabs.co.uk/alicebob.html

There was a really good article -- clear, complete, understandable -- in _The Sciences_ recently about quantum computing. Cryptome has put the article online, with the permission of the author.
http://cryptome.org/qc-grover.htm

** *** ***** ******* *********** *************

Extra Scary News

The Justice Department is planning to ask Congress for new authority allowing federal agents armed with search warrants to secretly break into homes and offices to obtain decryption keys or passwords or to implant "recovery devices" or otherwise modify computers to ensure that any encrypted messages or files can be read by the government.

With this dramatic proposal, the Clinton Administration is basically saying: "If you don't give your key in advance to a third party, we will secretly enter your house to take it if we suspect criminal conduct."

The full text of the Justice Department proposal, a section-by-section analysis prepared by DOJ lawyers, and related materials are available at:
http://www.epic.org/crypto/legislation/cesa_release.html
http://www.cdt.org/crypto/CESA
http://www.washingtonpost.com/wp-srv/business/daily/aug99/encryption20.htm
http://www.zdnet.com/zdnn/stories/news/0,4586,2317907,00.html
http://www.techweb.com/wire/story/TWB19990820S0012

** *** ***** ******* *********** *************

Counterpane News

Bruce Schneier will be speaking at SANS Network Security 99, October 3-10, in New Orleans. See http://www.sans.org/ns99/ns99.htm for more conference details.
     Attack Trees: Wed, 6 Oct, 10:30-12:30
     Internet Cryptography: Tue, 5 Oct, 9:00-5:00

Bruce Schneier authored the "Inside Risks" column for the Aug, Sep, and Oct 99 issues of _Communications of the ACM_.
Biometrics: Uses and Abuses:
http://www.counterpane.com/insiderisks1.html
The Trojan Horse Race:
http://www.counterpane.com/insiderisks2.html
Risks of Relying on Cryptography:
http://www.counterpane.com/insiderisks3.html

** *** ***** ******* *********** *************

The Doghouse: E*Trade

E*Trade's password security isn't. They limit the logon password to a maximum of 6 characters, and the only choices are letters (upper and lower case are distinguished), numbers, $, and _. Whose portfolio do you want to trade today?

** *** ***** ******* *********** *************

Factoring a 512-bit Number

A factoring record was broken last month, on 22 August. A group led by Herman te Riele of CWI in Amsterdam factored a 512-bit (155-digit) hard number. By "hard," I mean that it was the product of two 78-digit primes...the kind of numbers used by the RSA algorithm.

About 300 fast SGI workstations and Pentium PCs did the work, mostly on nights and weekends, over the course of seven months. The algorithm used was the General Number Field Sieve. The algorithm has two parts: a sieving step and a matrix reduction step. The sieving step was the part that the 300 computers worked on: about 8000 MIPS-years over 3.7 months. (This is the step that Shamir's TWINKLE device can speed up.) The matrix reduction step took 224 CPU hours (and about 3.2 Gig of memory) on the Cray C916 at the SARA Amsterdam Academic Computer Center. If this were done over the general Internet, using resources comparable to what was used in the recent DES cracking efforts, it would take about a week calendar time.

The entire effort was 50 times easier than breaking DES. Factoring e-commerce keys is definitely very practical, and will be becoming even more so in future years. It is certainly reasonable to expect 768-bit numbers to be factored within a few years, so comments from RSA Laboratories that RSA keys should be a minimum of 768 bits are much too optimistic.
Certicom used the event to tout the benefits of elliptic curve public-key cryptography. Elliptic-curve algorithms, unlike algorithms like RSA, ElGamal, and DSA, are not vulnerable to the mathematical techniques that can factor these large numbers. Hence, they reason, elliptic curve algorithms are more secure than RSA and etc. There is some truth here, but only if you accept the premise that elliptic curve algorithms have fundamentally different mathematics. I wrote about this earlier; the short summary is that you should use elliptic curve cryptography if memory considerations demand it, but RSA with long keys is probably safer.

This event is significant for two reasons. One, most of the Internet security protocols use 512-bit RSA. This means that non-cryptographers will take notice of this, and probably panic a bit. And two, unlike other factoring efforts, this was done by one organization in secret. Most cryptographers didn't even know this effort was going on. This shows that other organizations could already be breaking e-commerce keys regularly, and just not telling anyone.

As usual, the press is getting this story wrong. They say things like: "512-bit keys are no longer safe." This completely misses the point. Like many of these cryptanalysis stories, the real news is that there is no news. The complexity of the factoring effort was no surprise; there were no mathematical advances in the work. Factoring a 512-bit number took about as much computing power as people predicted. If 512-bit keys are insecure today, they were just as insecure last month. Anyone implementing RSA should have moved to 1028-bit keys years ago, and should be thinking about 2048-bit keys today. It's tiring when people don't listen to cryptographers when they say that something is insecure, waiting instead for someone to actually demonstrate the insecurity.
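The key sizes discussed above can be checked mechanically. The code below is an added example, not part of the newsletter: it reads a DER-encoded RSA public key (bare PKCS#1 or wrapped in X.509 SubjectPublicKeyInfo) and grades the modulus against the 512-, 768- and 2048-bit figures in the text. The function names, the verdict labels and the sample keys are constructed for illustration.

```python
RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption

def read_tlv(buf, pos=0):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                       # short form: length in one byte
        length = first
    else:                                  # long form: next `count` bytes
        count = first & 0x7F
        if count == 0 or pos + count > len(buf):
            raise ValueError("indefinite or truncated length")
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    if pos + length > len(buf):
        raise ValueError("truncated value")
    return tag, buf[pos:pos + length], pos + length

def rsa_public_numbers(der_bytes):
    """Return (n, e) from an RSAPublicKey or a SubjectPublicKeyInfo."""
    tag, body, _ = read_tlv(der_bytes)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag, first, pos = read_tlv(body)
    if tag == 0x30:                        # AlgorithmIdentifier: this is SPKI
        oid_tag, oid, _ = read_tlv(first)
        if oid_tag != 0x06 or oid != RSA_OID:
            raise ValueError("not an RSA key")
        tag, bits, _ = read_tlv(body, pos)
        if tag != 0x03 or bits[:1] != b"\x00":
            raise ValueError("bad BIT STRING")
        return rsa_public_numbers(bits[1:])
    tag2, second, _ = read_tlv(body, pos)
    if tag != 0x02 or tag2 != 0x02:
        raise ValueError("expected two INTEGERs")
    return int.from_bytes(first, "big"), int.from_bytes(second, "big")

def assess(der_bytes):
    """Return (modulus_bits, verdict). Labels are this example's own; the
    thresholds are the sizes the text names: 512 (factored), 768 (expected
    to be factored within a few years), 2048 (what to be thinking about)."""
    n, _ = rsa_public_numbers(der_bytes)
    # Use bit_length(): a DER INTEGER with its top bit set carries a leading
    # 0x00, so counting content bytes would report 520 bits for a 512-bit key.
    bits = n.bit_length()
    if bits <= 512:
        return bits, "factorable"
    if bits <= 768:
        return bits, "at-risk"
    if bits < 2048:
        return bits, "short"
    return bits, "ok"

# --- helpers that build constructed sample keys (not real keys) ------------
def der(tag, value):
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + value

def der_int(x):
    return der(0x02, x.to_bytes(x.bit_length() // 8 + 1, "big"))

def sample_key(bits, spki=False):
    """An odd integer of exactly `bits` bits stands in for the modulus."""
    rsa = der(0x30, der_int((1 << (bits - 1)) | 1) + der_int(65537))
    if not spki:
        return rsa
    alg = der(0x30, der(0x06, RSA_OID) + der(0x05, b""))
    return der(0x30, alg + der(0x03, b"\x00" + rsa))

if __name__ == "__main__":
    for size in (512, 768, 1024, 2048):
        print(size, assess(sample_key(size, spki=True)))
```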
http://www.cwi.nl/~kik/persb-UK.html
http://www.msnbc.com/news/305553.asp

RSA's analysis:
http://www.rsa.com/rsalabs/html/rsa155.html

Certicom's rebuttal:
http://www.certicom.com/press/RSA-155.htm

Prominent Web sites that still use 512-bit RSA:
     Travelocity
     Microsoft's online store
     Compaq's online store
     Godiva's online store
     Dr. Koop.com
     Flowers N More

There are lots more. You can check yourself by connecting to a site with a secure domestic version of Microsoft Internet Explorer 4.0.

** *** ***** ******* *********** *************

Comments from Readers

From: Gene Spafford
Subject: Re: Comments on the "NSA" key in Windows NT

Well, it is always easier to believe a conspiracy theory or dark designs. However, there may be alternative explanations.

For instance, I happen to know that various 3-letter agencies use a lot of Windows machines (in a sense, that should be scary all by itself). Suppose they want to load their own highly-classified, very closely-guarded version of their own crypto routines. Do you think they will send copies of their code out to Redmond to get it signed so it can be loaded? Or are they going to sign it themselves, with their own key, doing it in-house where it is "safe"? If they are going the in-house route, then either Microsoft needs to share the private key with them (bad idea), or the code needs to accommodate a second key schedule generated inside the TLA. Hmmm, that sounds familiar, doesn't it?

Another explanation, that I may have read here (this issue has been discussed on many lists) is that to get the approval for export, the folks at MS needed to include a "back-up" key in case the first was compromised in some way. They would need to switch over to using the alternate key for all the systems already out there. But how would they do that unless the second key was already installed, so they could do the switch using that second key? So, if you were MS, and the NSA required you to install a backup key like this, what would you call it?
Of course, it could be that MS wanted the backup key themselves, and the programmer involved in the coding decided to name it something silly. Or, there is a history of MS code being shipped with undocumented code elements, and things that MS management don't know are present. Suppose the code (involving only a few lines of code) was placed there by an agent of the intelligence services of some other country (it wouldn't be that hard to subvert an existing employee or place one at MS with good coding skills who could eventually gain access to the appropriate code). He/she names the variables with "NSA" in place in case anyone doing a code review would question it -- and includes a comment block that says "The NSA required this to be here -- do not change or ask questions." The "sinister purpose" might be correct, but you are blaming the wrong entity.

Heck, maybe this is a grand design of Mr. Gates himself: after all, he's certainly having some aggravation from the U.S. Justice Department!

There are other possible explanations for the name, too.

These alternate explanations do not mean that the extra key does not have side-effects (such as clandestine installation and circumvention of the export controls). And of course, we will probably never know what the primary reason for this key is, nor will we know what role these side-effects may have had in the decision, despite what people eventually claim.

The key thought is that there are possible scenarios for the naming of the key that do not involve nefarious activity, or do not involve such activity by the NSA. That should not be the immediate conclusion people reach.

And, at the risk of starting some tirades, let me ask a (rhetorical) question: even if it was put there for purposes of clandestine monitoring, what is wrong with that? If this gets used to monitor terrorists with NBC weapons, drug cartels, or weapons labs in Iraq, isn't that what we want done?
In that light, there should be some concern that this has now been exposed and possibly nullified! The history of cryptography shows -- repeatedly -- that having crypto assets makes a huge difference in times of conflict, and that getting such assets in place and working takes time. It would be naive to believe that there are no such threats looming, or that there is no such likelihood in the future.

We should be clear in our discussions as to whether our concern is the presence of the code, or over who may have control of it. Is the issue really one of what controls are in place that ensure that the code isn't used against inappropriate targets (e.g., law-abiding, friendly businesses and citizens)? Unfortunately, we don't have strong assurances in this realm, and there have been some past abuses (or alleged abuses). But that may be moot if the code was actually placed for some other group's dark design.

From: "Lucky Green"
Subject: More NSAKEY musings

I'd like to comment on some of your public comments regarding the NSAKEY. The goal of this email is to provide you with a few data points about the mindset intelligence agencies employ when compromising systems.

First, I agree with your assessment that the NSA does not /need/ to compromise CAPI to compromise the computers of those running Windows. Which is not analogous to the claim that the NSA would not seek to compromise CAPI by causing Microsoft to install the NSA's key.

For the academic cryptographer, once one catastrophic flaw in a cipher has been found, the work is over. "We have a 2^16th attack. The job is done. Let's go home". Intelligence agencies don't operate this way.

My work with GSM has revealed that intelligence agencies, which as we all know ultimately stand behind the GSM ciphers, take a very different approach. Intelligence agencies will compromise every single component of a crypto system they can compromise.
Intelligence agencies will, given the opportunity, compromise a component just because they can, not because they need to. This appears to be a somewhat perverted manifestation of implementing multiple redundancy into a system. Which, as I am sure we all agree, is generally a good idea.

In the case of GSM, we have discovered the following compromises:

o Compromised key generation. The 64-bit keys have the last 10 bits of key zeroed out. (I heard rumors that some implementations only zero out the last 8 bits, but either way, this is undeniably a deliberate compromise of the entropy of the key).

o Compromise of the authentication system and keygen algorithm. The GSM MoU was formally notified in 1989 (or 1990 at the latest) about the flaws in COMP128 we discovered last year. Long before GSM was widely fielded. The MoU's Security Algorithm Group of Experts (SAGE), staffed by individuals whose identities are unknown to this day, kept this discovery secret and failed to inform even the MoU's own members. As a result, intelligence agencies can clone phones and calculate the voice privacy keys used during a call.

o Compromise of the stronger voice privacy algorithm A5/1. This 64 bit cipher has numerous design "flaws", resulting in a strength of at most 40 bits. It is inconceivable to me and virtually everybody I talked with that these rather obvious flaws were overlooked by A5/1's French military designers.

o Compromise of the weaker voice privacy algorithm A5/2. The MoU admits that breakability was a design goal of A5/2, even though SAGE stated in their official analysis of A5/2 that they were unaware of any cryptographic flaws in A5/2.

To allow for interception and decryption of GSM traffic, it would have sufficed to compromise the effective key length. It would have sufficed to compromise the keygen. It would have sufficed to compromise the ciphers. The NSA/GCHQ did all three.
Given these facts, it would not be at all unusual for the NSA to install backdoors in the Windows OS itself *and* have obtained a copy of Microsoft's signing key *and* have Microsoft install the NSA's own key. Think of it as well-designed failover redundant compromise.

From: "Kevin F. Quinn"
Subject: Crypto-Gram April 15 1999, and the recent "NSA" spare-key debate.

In Crypto-Gram April 15 1999, you mentioned the two-key approach of Microsoft with regard to its root keys for Authenticode, and that they included the two keys "presumably for if one ever gets compromised". We now know the same approach was taken for CSP. Microsoft's own announcement on the subject is interesting; the two keys are present "in case the root key is destroyed" (paraphrase). I think in your Crypto-Gram you meant "destroyed" rather than "compromised" -- Microsoft seem to be trying to guard against the possibility that the secret root key is burnt in a fire or somesuch; they're not guarding against unauthorised copies of the key being made with the two-key approach. I think it's an important distinction to make.

The only good reason I can see to have two keys, is to provide security against compromise -- in which case you need to validate signatures against both keys (i.e., AND rather than OR). That way if one key is compromised, the validation will still fail as the second signature won't be valid. If both keys are stored in separate secured locations, the attacker has to break the security of both locations in order to acquire both keys, and you hope that you might notice one break-in before the second occurs. The sensible way to guard against the possibility of destruction (fire, catastrophe etc) is to have several copies, each securely stored and monitored (the same way classified documents are controlled).
Microsoft claim that the two-key approach was suggested by the NSA -- I find it difficult to believe the NSA would suggest including two root keys, to guard against destruction of a root key. My pet theory is that there was a communication problem; the NSA advice went something along the lines of, "having two root keys guards against loss", meaning compromise, and Microsoft took this to mean destruction.

From: Greg Guerin
Subject: A new spin on the NSA-key/NT issue?

In your article at , you end by saying:

"This virus doesn't exist yet, but it could be written." [This is a virus that would replace the backup key in NT with a rogue key, and could trick the user into accepting malicious code as signed.]

After I wrote , it occurred to me that the virus now exists, or at least all the parts of it do. It only needs to be "turned to the Dark Side" and assembled. The "construction kit" for this virus is none other than the "repair program" at:

All the parts are there. The "AddDelCsp.exe" program (no source provided) is the active infecting agent. The "nsarplce.dll" and other DLL's are the "toxins". The kit even includes "TestReplacement.exe" (with source) to test whether an enterprising young kit-builder has made his changes successfully or not.

I'm sorta guessing, but someone with Wintel programming skills could probably construct a virus or Trojan horse with this kit in a matter of hours. Probably the only skill they would have to sharpen is the crypto, but there's some nice starter info in the Fernandes report itself. A little reading, a little key-generating time, maybe a little patching, and presto. Try it on a local NT system, then release it to the world by mirroring the Fernandes report. Or just send it to some "friends" via Hotmail.
It would certainly look authentic, and because even the original "repair" program was unsigned, and the original report says nothing about authenticating the download before running it, it could be a very well-traveled Trojan horse indeed.

If this virulent "repair program" is written with a little restraint, it can spread VERY far before anyone even notices. It could even camouflage itself and name its toxic key "NSAKEY", just like Microsoft's original. That is, after "removing" itself, it's still present. How often do people even think of checking that key?

If you know someone with NT programming experience, it might be interesting to have them read the Fernandes report, download the virus construction kit, er, I mean "repair" program, then give this a try. I'd guess that not even prior virus-writing skills would be needed, just above-average NT programming skills. I bet you'd have a virulent version in less than an afternoon. A fine project for a lazy Labor Day holiday, eh?

From: Sam Kissetner
Subject: Meganet

I thought this might amuse you. The February issue of Crypto-Gram makes fun of Meganet's home page for saying:

    1 million bit symmetric keys -- The market offer's [sic] 40-160 bit only!!

I visited that page today. (The URL changed; it's at .) Maybe they read Crypto-Gram, because they tried to fix the grammatical error. But it was part of a graphic, so they just pasted a little white box over the apostrophe and s, leaving:

    1 million bit symmetric keys -- The market offer 40-160 bit only!!!

Gee, that's *much* better.

From: Marcus Leech
Subject: HP's crypt(1) description

To be fair to HP, and crypt(1) -- HP has merely faithfully reproduced the original crypt(1) MAN page. Crypt(1) first appeared in Unix V7, back around 1978 or so -- at a time when DES was just starting to be used in certain limited areas. That an operating system had any kind of file encryption facility at all was some kind of miracle at the time.
Sun has obviously lightly hacked-over the documentation to reflect current reality, while HP has taken the approach of staying faithful to the original documentation.

** *** ***** ******* *********** *************

CRYPTO-GRAM is a free monthly newsletter providing summaries, analyses, insights, and commentaries on computer security and cryptography. To subscribe, visit http://www.counterpane.com/crypto-gram.html or send a blank message to crypto-gram-subscribe@chaparraltree.com. To unsubscribe, visit http://www.counterpane.com/unsubform.html. Back issues are available on http://www.counterpane.com.

Please feel free to forward CRYPTO-GRAM to colleagues and friends who will find it valuable. Permission is granted to reprint CRYPTO-GRAM, as long as it is reprinted in its entirety.

CRYPTO-GRAM is written by Bruce Schneier. Schneier is founder and CTO of Counterpane Internet Security Inc., the author of "Applied Cryptography," and an inventor of the Blowfish, Twofish, and Yarrow algorithms. He served on the board of the International Association for Cryptologic Research, EPIC, and VTW. He is a frequent writer and lecturer on computer security and cryptography.

Counterpane Internet Security, Inc. is a venture-funded company bringing innovative managed security solutions to the enterprise.

http://www.counterpane.com/

Copyright (c) 1999 by Bruce Schneier

@HWA

10.0 Move over BO2k here's Donald Dick from Russia with love...
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Donald Dick v1.52 was coded by Yaworsky (aka Alexander A. Yaworsky) and BAdMAN F0ReVeR (aka Alexander A. Fedenko)

Yaworsky: http://redrival.com/donalddick/ay.jpg
BAdMAN..: http://redrival.com/donalddick/badman.jpg

From the site; http://donalddick.da.ru/

News

15 September 1999

We just have received and used new AVP update. Very funny. It found only distributive Donald Dick file and GUI/cmd.line clients ;) (old 1.5 beta3 only). It does not see real Donald Dick installation.
By the way, the life for AVP will not be too easy soon - now we are implementing new 'SmartMorph' technology. The result will be that executable file will be different with each installation and will never contain any unique sequence of bytes.

13 September 1999

Almost all keyboard features are implemented into Donald Dick client 1.52

10 September 1999

We have good news for you: New Donald Dick version 1.52 is now available. Catch! Now we will produce only full version of server and it will be completely free with its current set of features (or bugs ;).

Network protocol was changed. So be careful - previous and current versions are incompatible. If you already use Donald Dick in any place you must completely reinstall it. You can upload server file on target machine using previous client and run it (don't issue upgrade command); after you issue run command, connection may be immediately lost and after that you must use new client.

Donald Dick server: new features:

  The most wishful: UNINSTALL. Don't care - it completely wipes Donald Dick server out.
  Hidden mode: server does not respond if the request was not actually processed
  Ports can be set by server; now you don't need to edit the registry manually.
  Pre-, Post-delay and repeat count for requests
  Keyboard control: issue keystroke, remap keys and save key map so it will be loaded at startup ;) keyboard input is now captured, and because the server becomes operational immediately after the shell is loaded, you can see what the user typed at login prompts. NOTE that keyboard features except keystroke simulation are available only under Windows9X. For winNT they will be available later.
  Chat rooms - volatile and non-volatile

So you need to wait a little for updated Donald Dick GUI client. New features will be available in nearest days. Or take the power of command line right now.

6 September 1999

We radically changed design of this site.

18 August 1999

Donald Dick 1.5 beta 3 became available.
-=-

About Donald Dick

We are not liable for any damages caused by use of software we did. And we don't advise to ride our little brothers. But if you want to do it...

Let us introduce Donald Dick - another remote control system.

Donald Dick is a remote control system for workstations running Windows 95, 98 or NT 4.0 (not tested on 5, we didn't steal it yet). First, it was implemented to replace well-known trojans we used to confuse dummies, and to be invisible for existing antiviruses. We used it locally since february - march of '99 till the summer. The first implementation could only open and close cdrom tray but it quickly becomes powerful remote control system.

Donald Dick consists of two parts - client and server. To install server on the destination computer, you simply must launch executable file there. Since you install Donald Dick server on a computer, all of its resources becomes completely yours. You can control it with Donald Dick client via TCP or SPX network protocol. But if you are going to use Donald Dick for serious purposes then you can restrict access to the server with password.

Under Windows9X Donald Dick server becomes operational immediately after shell starts up. Under WindowsNT the server is loaded as a service process but we tried to hide it in the control panel->services.

Here is the list of actions you can perform:

  File system - full access: browse, create, remove directories; erase, rename, copy, upload, download files; set date/time of file.
  Processes and threads: browse, terminate; run programs; additionally for processes - set priority; for threads - suspend, resume.
  Registry - full access: browse, create, remove keys and values; set values.
  System: get/set system time (you can perform Y2K compliance test ;) ); shutdown/logoff/reboot/power off; query system info, query/set system parameters.
  Windows: get list of windows; query and set system colors; get screenshot or the shot for particular window; send messages to window.
  Hardware: read and write CMOS (does not work under Windows NT, we not implemented this feature yet).
  Keyboard: simulate keystrokes, remap, disable keys, view keyboard input (all features except keystroke simulation are not implemented under Windows NT yet)
  Jokes: open and close CD; turn monitor's power off and on; talk with dummy using message boxes; play wave files.
  Chat: you can chat with other guys in volatile chat room and leave important messages in non-volatile chat room

Using services provided by server, GUI client offers additional services. You can:

  query passwords for screensaver, BIOS (Phoenix is currently supported, not tested for other BIOSes) and shared resources
  make folders shared (still in progress)

Our to-do list:

  change file names of server components when it is required
  implement setup program to generate executable file which installs Donald Dick server with all predefined settings
  read/write CMOS under NT
  capture, disable, remap keys under NT
  batch request execution
  mixer control
  capture and transmit sound
  receive and play sound
  mouse control
  plugins support

@HWA

11.0 New HOTMAIL hole found
     ~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com

contributed by AlienPlaque
Just several weeks after a major Hotmail security hole left 40 million Hotmail accounts freely open to anyone on the Internet, yet another hole has been discovered. The new hole allows embedded JavaScript in the 'style' tag to "jimmy open" accounts. While it looks like the problem could easily be solved by having Hotmail disable the style tags as it does regular JavaScript, Microsoft says "This is not a security issue."

ZD Net
http://www.zdnet.com/zdnn/stories/news/0,4586,2333253,00.html?chkpt=hpqs014
Internet News
http://www.internetnews.com/bus-news/article/0,1087,3_199751,00.html

ZDNet;

--------------------------------------------------------------
This story was printed from ZDNN, located at http://www.zdnet.com/zdnn.
--------------------------------------------------------------

New Hotmail hole discovered
By Steven J. Vaughan-Nichols, Sm@rt Reseller
September 13, 1999 3:50 PM PT
URL: http://www.zdnet.com/zdnn/stories/news/0,4586,2333253,00.html

Just what the world didn't need: Another way to crack open Microsoft's beleaguered free, Web-based e-mail system, Hotmail. But, that's exactly what noted Bulgarian bugfinder Georgi Guninski claims to have found.

Guninski, who has made a name for himself by finding security violations in browsers, has found that Hotmail enables Web-paged embedded Javascript code to run automatically. This makes it possible for someone to write Web programs that could do anything from steal passwords to read others' mail.

While it's long been known that active Web applets, whether written in ActiveX or Java, have the potential to pry open systems from the inside, this is the first case in which someone has shown that Hotmail is vulnerable to such attacks.

Not just a theoretical hole

Is this a purely theoretical hole or one that can only be used by crackers to attack users? The answer, unfortunately, is the latter: Correctly written JavaScript programs can, at the least, raid users' inboxes.

Microsoft (Nasdaq:MSFT) is not claiming ownership of this latest problem. "This is not a Hotmail security issue. We see it as an example of people encouraging users to run malicious code on the Web," a Microsoft spokesperson said.

"To protect yourself now, you can disable JavaScript, just disable it before using Hotmail, or do not open mail from unknown people when you think it might contain JavaScript," the spokesperson added. "Microsoft is investigating ways for Hotmail users to have greater security against threats posed by malicious use of JavaScript in e-mail."

The latest Hotmail hole opens up because Hotmail doesn't handle the new HTML tag "STYLE." Java programmers and Webweavers use STYLE to insert JavaScript into HTML pages.
The solution is to force Hotmail to handle STYLE in the same way it does ordinary JavaScript -- disabling it on arrival.

Timing couldn't be worse

The fix may be simple, but the timing for Microsoft could not be worse. The latest Hotmail security breach follows by weeks a major Hotmail security meltdown. It took Microsoft hours to fix the problem, but millions of user accounts were left unprotected in the interim.

Since that initial breach, the company has brought in TrustE and another auditing firm to help it head off future Hotmail security breaches.

-=-

Internet News;

New Security Hole in Hotmail
September 13, 1999
By Brian McWilliams
InternetNews.com Correspondent
Business News Archives

Microsoft's Hotmail service is at risk again from a new security threat.

Bulgarian programmer Georgi Guninski has discovered that the Web-based email service allows embedded javascript code to be automatically executed on the computers of Hotmail users.

According to Guninski, the flaw could enable a malicious person to launch password stealing programs or to secretly access the contents of a Hotmail user's account.

A functional but relatively harmless demonstration of the attack was sent by Guninski to InternetNews Radio. The test message showed how embedded javascript could be used to read messages from the Hotmail user's inbox and display them in a separate window.

The latest Hotmail flaw affects users of Web browsers that support cascading style sheets, such as Internet Explorer version 5 and Netscape Navigator versions 4.x.

While Hotmail ordinarily detects and disables incoming messages containing javascript, according to Guninski it fails to properly handle a new HTML tag named STYLE which allows Web programmers to embed javascript in a Web page.

An MSN Hotmail spokesperson said the service is investigating the report. As a temporary workaround, concerned users can disable javascript in their browsers.
Last month, a separate security hole enabled outsiders to log in to others' Hotmail account without a password.

Gary McGraw, vice president of corporate technology for Reliable Software Technologies, said the new discovery suggests the Hotmail service may have become a new favorite target of hackers.

"As an attacker, it's a much juicier target than trying to attack every individual platform out there," McGraw said. "These holes are like raw material, and it's good when the holes are discovered by people who are honest. But you can work that raw material into many different sorts of attacks."

In the wake of the earlier Hotmail attack, late last week Microsoft confirmed that it intends to hire an outside firm to audit the security of the service.

@HWA

12.0 Security Hole Found in Security Product
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com

contributed by Simple Nomad
Nomad Mobile Research Center, an HNN Affiliate, has released an advisory regarding Bindview's HackerShield scanner. During installation of the product (including the demo) a Service User with a non machine specific password is created.

NMRC
http://www.nmrc.org/advise/hs.txt
BindView
http://www.bindview.com/products/HackerShield/HS_Patch2_advisory.html

NMRC;

_______________________________________________________________________________

Nomad Mobile Research Centre
A D V I S O R Y
www.nmrc.org
Simple Nomad [thegnome@nmrc.org]
10Sep1999
_______________________________________________________________________________

Platform    : Microsoft NT 4.0 SP5
Application : Hackershield v1.1
Severity    : High

Synopsis
--------

The HackerShield product creates a local account during installation with a password that is not machine specific. This includes the HackerShield demo product available via the Internet.

Tested configuration
--------------------

Testing was done with the following configuration :

Microsoft NT 4.0 Server and Workstation with SP3 (no additional hotfixes)
Microsoft NT 4.0 Server and Workstation with SP5 (with Csrss, LSA-3, RAS, WinHelp hotfixes)
HackerShield Product Version 1.10.1105, Package Version 11

Product Background
------------------

Hackershield (http://www.bindview.com/products/HackerShield/) -- originally developed by Netect (http://www.netect.com/), but recently purchased by Bindview (http://www.bindview.com) -- is a security scanner that scans for security flaws on Windows and Unix platforms. It is very similar and compares nicely to the feature set of ISS' Internet Security Scanner and NAI's CyberCop. It allows both manual and auto-updates of new hack signatures, called RapidFire updates, as well as automated scanning sessions which allow a system administrator to define a schedule for scanning a set of network resources.

The idea is to provide an automated method of keeping your systems fairly up-to-date from a security perspective by downloading new vulnerabilities and running pre-scheduled scans. This is fairly similar to the modern anti-virus model where you set your anti-virus software to automatically download new virus signature files from the anti-virus vendor's FTP site and then run the virus scan, except the automated updates come via PGP-signed email.

Bug - Service User password is recoverable
------------------------------------------

To facilitate HackerShield automation of scanning, a Service User named NetectAgentAdmin$ is installed with local Administrator privileges on the scanning computer. Unfortunately, the password can be easily recovered.

Since the advent of recent patches to Microsoft NT, recovery of Service User password information is a little harder. For example, pwdump will not recover the hash for NetectAgentAdmin$, but pwdump2 will.
Users of L0phtcrack will not be able to dump this user, but using pwdump2 will get the following for this user (text is wrapped):

NetectAgentAdmin$:1001:7a8754eda3b21376136260cc65a99030: \
2d6156879a7f61fdddb10c96427483d7:::

Being security conscious, the HackerShield folks at least made the password 14 characters, but the password is not machine-specific. The first 12 characters are np7m4qM1M7VT while the last two are non-printing characters. Due to the non-printing characters, L0phtcrack will not brute-force crack the password using the standard choices of character sets (although it should be possible to type in the alt codes into a custom character set -- we did not try this as the characters are still non-printing), but using Paul Ashton's code (posted to NTBugtraq August 9, 1997) it can be extracted as plaintext on an NT 4 SP3 workstation or server.

The implications of this should be obvious -- a service user with a known password and local administrator rights is a prime target for intruders of NT systems. Depending on where the product is loaded in your organization, you have a potential vehicle for additional password recovery, trojan horse planting, and further compromise of the NT environment.

Bug Conclusions
---------------

If you have loaded the HackerShield product (including the demo) then you have installed the Service User, and the two services called HackerShieldAgent and HackerShieldSniffer. If this system is not physically secure, or has Server services running, you have the potential for compromise via the Service User.

Solution/Workaround
-------------------

Do not install HackerShield on non-physically secured systems. If you have loaded HackerShield onto an NT host only to perform a localhost scan, it is recommended you uninstall the product using the HSUninstall.exe program once you have completed the scan.

Bindview has developed a patch for the Service User password to be machine specific.
It can be downloaded from http://www.bindview.com/products/HackerShield/HS_Patch2.zip. In the Readme file with the zip, Bindview has a reference to the following page: http://www.bindview.com/products/HackerShield/HS_Patch2_advisory.html.

Comments
--------

We'd like to commend Bindview in their response to our contact. An email was sent to them with our concerns, giving them an opportunity to respond. The email was sent at 9:30AM on August 30, 1999 to a generic support address, and a real human being replied within an hour, and confirmed our findings later that day. They stated this is a bug as they never intended to have non-unique passwords for the NetectAgentAdmin$ account.

The fact that Service Users' passwords can be recovered is reason enough to upgrade to the latest patches, although Microsoft has still not addressed the pwdump2 issue. Despite the fact that you have to be a local administrator to recover the hashes, it still illustrates the danger of using Microsoft's own authentication methods when trying to deliver a secured solution to NT. For this we would like to issue our strong distaste for Microsoft's built-in authentication measures, and how they are (un) protected.

We do understand why Bindview (or technically, Netect) did it -- they are in the business of delivering products to market as quickly as possible -- but when you deliver a security product you must ensure that the product itself is secure. Personally, we like the anti-virus styled model as far as security scanners go, but if you build your security application on a shaky and flawed security model then your security application is only going to be as good as that flawed model.

This scenario is probably in existence in any number of other products that use Service Users. Bindview is not alone here, we just happened to look at their product.
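
Added example, not part of the NMRC advisory or of any BindView code: one way to audit for the condition described above is to compare pwdump-format output collected from several hosts and flag any account whose hash repeats across machines, plus any host still carrying the NetectAgentAdmin$ hash quoted in the advisory. The host names and every other hash in the sample are constructed.

```python
"""Audit pwdump-format dumps for accounts whose password is not machine specific."""
from collections import defaultdict
from typing import NamedTuple

# Values quoted in the NMRC advisory (the pwdump2 line for the service user).
ADVISORY_USER = "NetectAgentAdmin$"
ADVISORY_NT = "2d6156879a7f61fdddb10c96427483d7"

# Constructed sample data: host names and hashes are made up, except the
# NetectAgentAdmin$ record on HOST-A and HOST-B, which is the advisory's.
SAMPLE_DUMPS = {
    "HOST-A": (  # record wrapped with a trailing backslash, as the advisory prints it
        "Administrator:500:11111111111111111111111111111111:"
        "a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1:::\n"
        "NetectAgentAdmin$:1001:7a8754eda3b21376136260cc65a99030: \\\n"
        "2d6156879a7f61fdddb10c96427483d7:::\n"
    ),
    "HOST-B": (  # same hash, different RID and letter case
        "Administrator:500:22222222222222222222222222222222:"
        "b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2:::\n"
        "NetectAgentAdmin$:1003:7A8754EDA3B21376136260CC65A99030:"
        "2D6156879A7F61FDDDB10C96427483D7:::\n"
    ),
    "HOST-C": (  # patched install: same account name, machine-specific hash
        "Administrator:500:33333333333333333333333333333333:"
        "c3c3c3c3c3c3c3c3c3c3c3c3c3c3c3c3:::\n"
        "NetectAgentAdmin$:1001:44444444444444444444444444444444:"
        "d4d4d4d4d4d4d4d4d4d4d4d4d4d4d4d4:::\n"
        "this line is not a pwdump record\n"
    ),
}


class Entry(NamedTuple):
    host: str
    user: str
    rid: int
    nt: str


def is_hash(value):
    """True for a 32-digit hex string (the width of an NT hash)."""
    return len(value) == 32 and all(c in "0123456789abcdef" for c in value.lower())


def unwrap(text):
    """Rejoin records that were wrapped with a trailing backslash."""
    records, pending = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            pending += line[:-1].rstrip()
        else:
            records.append(pending + line)
            pending = ""
    if pending:
        records.append(pending)
    return [r for r in records if r]


def parse_dump(host, text):
    """Parse user:rid:lmhash:nthash::: records, skipping anything malformed."""
    entries = []
    for record in unwrap(text):
        fields = record.split(":")
        if len(fields) < 4 or not fields[1].isdigit() or not is_hash(fields[3]):
            continue
        entries.append(Entry(host, fields[0], int(fields[1]), fields[3].lower()))
    return entries


def shared_hashes(entries):
    """Map (account, NT hash) -> hosts, for hashes present on two or more hosts."""
    hosts = defaultdict(set)
    for e in entries:
        hosts[(e.user.lower(), e.nt)].add(e.host)
    return {key: sorted(h) for key, h in hosts.items() if len(h) > 1}


def default_hash_hosts(entries):
    """Hosts where the service user still has the hash quoted in the advisory."""
    return sorted({e.host for e in entries
                   if e.user.lower() == ADVISORY_USER.lower() and e.nt == ADVISORY_NT})


def audit(dumps):
    """Run both checks over a {host: dump text} mapping."""
    entries = [e for host, text in dumps.items() for e in parse_dump(host, text)]
    return {
        "entries": len(entries),
        "shared": shared_hashes(entries),
        "unpatched": default_hash_hosts(entries),
    }


if __name__ == "__main__":
    result = audit(SAMPLE_DUMPS)
    for (user, nt), hosts in result["shared"].items():
        print(f"{user}: same hash {nt} on {', '.join(hosts)}")
    print("still on advisory hash:", ", ".join(result["unpatched"]) or "none")
```

The repeated-hash check is independent of the advisory's value, so it also catches any other service account that an installer gave the same password on every machine.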
_______________________________________________________________________________

BindView;

HackerShield(TM) Security Advisory

BindView Development (formerly Netect, Inc.) has been notified of a potential high risk security problem with HackerShield v1.0 and v1.1. Full details and correction actions are described below.

Description of the Problem

HackerShield creates the account, "NetectAgentAdmin$" during installation. This account has local administrator privileges on the machine on which HackerShield is installed and is created with a 14-character password. This password is supposed to be randomly generated for each installation. Unfortunately, due to a programming error, the HackerShield installer creates the same "random" password every time. Since the password is not unique to each machine on which HackerShield is installed, the password created for the NetectAgentAdmin$ account is the same on every machine.

Thus, an attacker could crack the password from one installation of HackerShield and then have a valid username and password (with Administrator privilege) on other HackerShield machines. If those machines are accessible, either physically or via any NetBios service over the network, an attacker could use this information to gain unauthorized access to the machine on which HackerShield is installed.

This problem was discovered by an external group who will shortly release their own advisory on the subject. Once the problem is made public, hackers may attempt to exploit it. It is therefore imperative that you take one of the actions described below to correct the problem.

Correction Actions

In order to eliminate this security problem, you need to take one (and only one) of the following corrective actions:

Correction Option 1

Download and run HackerShield 1.1 - Maintenance Patch 2: http://www.bindview.com/products/HackerShield/HS_Patch2.zip

This patch generates a unique password, changes the password for the NetectAgentAdmin$ account, and restarts the HackerShield services (HackerShield Agent and HackerShield Sniffer services). After you do so, your installation of HackerShield will no longer be vulnerable.

Corrective Option 2

You may fix this problem manually by either changing the password to one of your choosing (remembering to also change it in the Services control panel) or by deleting the NetectAgentAdmin$ account and using a different account to provide 'Log In As' permissions to the HackerShield services.

Corrective Option 3

If you have installed an evaluation copy of HackerShield 1.0 or 1.1 that is past its evaluation period, the simplest way to eliminate the problem is to uninstall HackerShield. HackerShield uses a standard uninstall procedure and may be uninstalled using the Add/Remove Programs feature in the Windows NT Control Panel. After you uninstall HackerShield, you should verify that the NetectAgentAdmin$ account has also been removed from your system.

Final Note

Please note that there are no reports of this problem being exploited. However, once the problem has been made public, hackers may attempt to exploit it. Therefore, you must apply Maintenance Patch 2 or take one of the other corrective actions (described above) to avoid being vulnerable.

If you are interested in evaluating the latest version of HackerShield (version 1.1.1), it is available for download here: http://www.bindview.com/products/HackerShield/hs_dl.html

HackerShield 1.1.1 includes Maintenance Patch 1 and 2 and RapidFire Updates 1 and 2.

Support

If you have any issues that require technical support, please contact BindView Support at: HSupdate@bindview.com or http://www.bindview.com/support/support.html

@HWA

13.0 Globalstar and FBI Are Nearing Agreement
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com

contributed by AlienPlaque
Globalstar, a satellite phone firm, is close to an agreement with federal law enforcement officials who had threatened to delay its service if the FBI couldn't wiretap phone conversations. Even though the company is based in Canada, it needs to win approval from the Federal Communications Commission, which has already held up a license for another company due to concerns that the FBI would not be able to wiretap and monitor its service.

C|Net
http://news.cnet.com/news/0-1004-200-117671.html?tag=st.ne.1002.thed.1004-200-117671

Globalstar close to pact with FBI over wiretaps
By John Borland
Staff Writer, CNET News.com
September 13, 1999, 4:15 p.m. PT

A satellite phone firm is close to an agreement with federal law enforcement officials who had threatened to delay its service if the FBI couldn't wiretap phone conversations, company officials say.

Officials at the Federal Bureau of Investigation have been concerned that Globalstar and other satellite phone companies could undermine their ability to listen in on suspected criminals' telephone calls by sending the transmissions across national borders--and outside U.S. jurisdiction.

The issue had threatened to hold up Globalstar's long-awaited launch date, scheduled for later this month. FBI officials had even raised the possibility that the company would have to move several of its expensive land-based transmission stations from Canada into the United States--an option that would have dramatically raised costs and delayed service for the fledgling firm.

The FBI's scrutiny of the satellite phone business has proved rocky for the struggling industry.
Few providers can afford to restructure their network to satisfy law enforcement concerns, and many in the industry are watching Globalstar to see if a cheap technical solution to federal demands can be found. After several months of negotiations with U.S. and Canadian officials, the company may have found a way to deal with the law as well as stay financially afloat. In a recent meeting, FBI officials and Globalstar executives agreed to pursue a technological fix that appears likely to satisfy the FBI's needs to tap into the satellite calls, company officials now say. "We have tentatively agreed on a technical solution," said Andy Radlow, a spokesman for Vodafone AirTouch, the company that is managing Globalstar's North American operations. "We don't get any indication that they intend to hold us up." An FBI spokesman confirmed that the agency is in discussions with satellite phone providers, but declined to comment specifically on negotiations with Globalstar. Aside from federal concerns, Globalstar is just the latest player to enter an industry that has seen two of its early pioneers fall by the wayside. The firm's largest competitor, Iridium, has already filed for bankruptcy protection and is undergoing a company reorganization. Another smaller competitor has also filed for bankruptcy protection. Not quite a borderless world Globalstar is run by a coalition of companies including Loral Space and Communications, Vodafone AirTouch, and Qualcomm, among others. With satellites already in orbit around earth, the company has said it plans to begin offering telephone service by the end of September. By the time its $3.9 billion satellite system is complete, the company will be able to serve customers almost anywhere on Earth. But before it can begin serving customers in the United States, it needs to win approval from the Federal Communications Commission--and that's where the trouble starts. 
The FCC has already held up a license for at least one smaller Canadian satellite phone company based on concerns that the FBI would not be able to tap and trace telephone calls made over the system. FCC officials say they have wanted to allow negotiations between the phone companies and the FBI to proceed before acting on the license requests. In Globalstar's case, two of the four ground stations--places where equipment sends calls to and from the satellite network--serving the United States will be located across the border in Canada. This has worried FBI officials, who don't want to have to seek approval from foreign governments when tapping telephones. Seeking permission from Canadian officials to conduct surveillance of U.S. suspects--a likely outcome if the FBI had to physically put taps in Globalstar's Canadian stations--would be a serious breach of national security, officials say. The fix that Globalstar and the FBI are reportedly discussing would allow law enforcement officials a way to tap into the satellite system without having to cross the U.S. border. The technical details are still being finalized, but Qualcomm--the company that provides the land station and handset equipment to Globalstar--has assured the Justice Department that the fix will satisfy their concerns, Radlow said. "We feel we're going to continue to have a good relationship on the federal and local level with law-enforcement," Radlow said. Once the FBI has officially signed off, Globalstar can go to the FCC for its license without much fear of delay. The company is running up against its own stated deadline to begin rolling out service this month, however. But the North American version of the service still plans a "soft launch" this November and appears likely to make this deadline despite the wiretap concerns. 
@HWA

14.0 Matt Drudge Defaced
~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com

contributed by evil wench

The 'United Loan Gunmen' who recently claimed responsibility for defacing CSPAN and ABC have now replaced the home page of the political commentary site of Matt Drudge, www.drudgereport.com.

HNN Cracked Pages Archive
http://www.hackernews.com/archive/crackarch.html

Yahoo News
http://dailynews.yahoo.com/h/ap/19990913/tc/drudge_hacked_2.html

CNN
http://www.cnn.com/TECH/computing/9909/14/drudge.hackers.ap/index.html

Nando Times
http://www.techserver.com/noframes/story/0,2294,92924-147335-1037579-0,00.html

Yahoo;
http://dailynews.yahoo.com/h/ap/19990913/tc/drudge_hacked_2.html

Hackers Vandalize Drudge Web Site

By TED BRIDIS Associated Press Writer

WASHINGTON (AP) - Hackers who earlier claimed responsibility for computer attacks against ABC and C-SPAN vandalized the Web site run by Internet gossip columnist Matt Drudge late Monday.

The group, calling itself ``United Loan Gunmen,'' replaced Drudge's main page with a message saying they ``take control of Mike (sic) Drudge's data stockyard to once again show the world that this is the realm of the hacker.''

Drudge could not be reached immediately for comment.

Although such electronic attacks aren't unusual, it was remarkable for a little-known hacker group to have claimed responsibility for raids on three remarkably high-profile Web sites over a period of weeks.

The ``ULG'' group also had claimed responsibility for the defacement of the Internet site for ABC just weeks ago and for an attack at C-SPAN one week ago. It's believed to be relatively newly formed, and its only previously known attacks have been the ones against C-SPAN and ABC.

The defacement of the Drudge site was first reported on a computer security Web site, Attrition.Org, which monitors hacking activity on the Internet.

The vandalism of Drudge's Web site comes during a period of stepped-up prosecution of hackers by federal authorities.
The Justice Department weeks ago arrested Chad Davis, 19, of Green Bay, Wis., on charges that he vandalized the Army's Internet site. And a colleague of Davis', Eric Burns, pleaded guilty recently in federal court in Virginia to charges that he vandalized a spate of Web pages and told others earlier this summer how to attack the Internet site run by the White House. Burns' sentencing was set for Nov. 19. Earlier Stories -=- CNN; http://www.cnn.com/TECH/computing/9909/14/drudge.hackers.ap/index.html Hackers vandalize Web site run by Internet gossip Drudge September 14, 1999 Web posted at: 1:57 a.m. EDT (0557 GMT) WASHINGTON (AP) -- Hackers who earlier claimed responsibility for computer attacks against ABC and C-SPAN vandalized the Web site run by Internet gossip columnist Matt Drudge late Monday. The group, calling itself "United Loan Gunmen," replaced Drudge's main page with a message saying they "take control of Mike Drudge's data stockyard to once again show the world that this is the realm of the hacker." Drudge could not be reached immediately for comment. Although such electronic attacks aren't unusual, it was remarkable for a little-known hacker group to have claimed responsibility for raids on three remarkably high-profile Web sites over a period of weeks. The "ULG" group also had claimed responsibility for the defacement of the Internet site for ABC just weeks ago and for an attack at C-SPAN one week ago. It's believed to be relatively newly formed, and its only previously known attacks have been the ones against C-SPAN and ABC. The defacement of the Drudge site was first reported on a computer security Web site, Attrition.Org, which monitors hacking activity on the Internet. The vandalism of Drudge's Web site comes during a period of stepped-up prosecution of hackers by federal authorities. The Justice Department weeks ago arrested Chad Davis, 19, of Green Bay, Wisconsin, on charges that he vandalized the Army's Internet site. 
And a colleague of Davis', Eric Burns, pleaded guilty recently in federal court in Virginia to charges that he vandalized a spate of Web pages and told others earlier this summer how to attack the Internet site run by the White House. Burns' sentencing was set for November 19.

Copyright 1999 The Associated Press. All rights reserved.

-=-

Nando Times;
http://www.techserver.com/noframes/story/0,2294,92924-147335-1037579-0,00.html

Hackers vandalize Drudge Report

Copyright © 1999 Nando Media
Copyright © 1999 Associated Press

By TED BRIDIS

WASHINGTON (September 14, 1999 6:20 a.m. EDT http://www.nandotimes.com) - Hackers who claimed responsibility for earlier attacks against ABC and C-SPAN vandalized the Web site run by Internet gossip columnist Matt Drudge late Monday.

The group, calling itself "United Loan Gunmen," replaced Drudge's main page with a message saying they "take control of Mike (sic) Drudge's data stockyard to once again show the world that this is the realm of the hacker."

Drudge could not be reached immediately for comment.

Although such electronic attacks aren't unusual, it was remarkable for a little-known hacker group to have claimed responsibility for raids on three remarkably high-profile Web sites over a period of weeks.

The "ULG" group also had claimed responsibility for the defacement of the Internet site for ABC just weeks ago and for an attack at C-SPAN one week ago. It's believed to be relatively newly formed, and its only previously known attacks have been the ones against C-SPAN and ABC.

The defacement of the Drudge site was first reported on a computer security Web site, Attrition.Org, which monitors hacking activity on the Internet.

The vandalism of Drudge's Web site comes during a period of stepped-up prosecution of hackers by federal authorities. The Justice Department weeks ago arrested Chad Davis, 19, of Green Bay, Wis., on charges that he vandalized the Army's Internet site.
And a colleague of Davis', Eric Burns, pleaded guilty recently in federal court in Virginia to charges that he vandalized a spate of Web pages and told others earlier this summer how to attack the Internet site run by the White House. Burns' sentencing was set for Nov. 19.

@HWA

15.0 South Africa Stats Site Defaced
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com

contributed by Anonymous

The official statistic web site for South Africa was defaced recently. The site is used mainly by economists looking for information such as the consumer price index, manufacturing production and gross domestic product growth.

Excite News
http://news.excite.com/news/r/990913/07/tech-safrica-hackers

Attrition Mirror
http://www.attrition.org/mirror/attrition/1999/09/11/www.statssa.gov.za/

Excite;

Hackers attack S.Africa's key statistics website

Updated 7:41 AM ET September 13, 1999

JOHANNESBURG, Sept 13 (Reuters) - Cyber-hackers broke into South Africa's official statistics website on Monday, replacing details of the latest consumer price index with a slew of obscenities railing against national phone company Telkom.

Visitors to the site (www.statssa.gov.za), which normally provides information on staid topics such as manufacturing production and gross domestic product growth, were met instead with a foulmouthed tirade against Telkom's alleged shortcomings.

"Telkom stop your...lame-ass monopoly or we will disconnect you," the hackers warned, among other things.

The page is a crucial source of information for economists tracking the country's performance.

Many of Telkom's unionised workers are involved in a wage dispute with the employer and have engaged in organised go-slows. But a Telkom official said she didn't believe the defacing of the statistics website was related. Telkom's site (www.telkom.co.za) wasn't affected.
An information technology expert at Statistics South Africa said it could take at least two days to get the site back to normal.

@HWA

16.0 India And Israel BackDooring US Software
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com

contributed by Simple Nomad

This article spreads a bit of FUD that manages to implicate Israel and India in plots to plant backdoors in U.S. systems because of the out-sourced Y2K programming efforts that utilize those countries' programmers. It is of course possible that Israeli and Indian programmers might backdoor their code, but so might programmers from anywhere else. Somehow HERF guns make it into this article as well. This article is great if you are planning on preying upon the Y2K paranoid survivalist crowd.

Network Fusion
http://www.nwfusion.com/archive/1999/75306_09-13-1999.html
(Registration Required)

This story appeared on Network World Fusion at http://www.nwfusion.com/archive/1999/75306_09-13-1999.html.

Threat of 'infowar' brings CIA warnings

Y2K work has given foreign-born programmers 'unprecedented access' to U.S. computer systems.

By ELLEN MESSMER
Network World, 09/13/99

ARLINGTON, VA. - Some might call it paranoia, but the U.S. government is growing increasingly worried that foreign infiltrators are building secret trap doors into government and corporate networks with the help of foreign-born programmers doing Y2K-related work.

A CIA representative last week named Israel and India as the countries most likely to be doing this because they each handle a large amount of Year 2000 software repair not done by U.S.-born workers. According to the CIA, the two countries each have plans to conduct information warfare and planting trapdoors wherever they can would be a part of that.
Information warfare is a nation's concerted use of network hacking, denial-of-service attacks or computer viruses to gain access to or disrupt computer networks, now the heart of modern society in terms of banking, telecommunications and commerce. HERF guns work Though still secretive about the practice, nations are also building futuristic radio-pulse devices - popularly called High Energy Radio Frequency (HERF) guns - that can disrupt or destroy electronics in networks, cars, airplanes and other equipment by sending an energy beam at them. A homemade version of a HERF gun successfully disrupted a PC and a digital camera during a demonstration last week at a session of the Infowar conference. This conference typically draws a large crowd of government spooks and high-tech strategists from around the world. Y2K work is giving foreign programmers "unprecedented access to computer systems," Terrill Maynard, the CIA's chief of analysis and warning, said at the Infowar conference. He works at the National Information Protection Center, which is the government organization housed at the FBI that keeps a watch on threats to the U.S. cyberinfrastructure. While Maynard calls Israel and India the key suspects for planting software backdoors in American systems, Russia is also viewed as a threat because it has defensive and offensive information warfare programs underway. Cuba and Bulgaria are working on computer-virus weapons, he says. But Maynard claims Israel has already hacked its way into U.S. computer systems to steal information about the Patriot missile. With most Y2K work completed, "action options are few at this date," Maynard says. He recommends that IT departments closely examine the Y2K code that went in their systems and also run extensive checks on network security. In the 21st century, the threat of nuclear war is being displaced by that of information weapons, said another conference speaker, Igor Nemerov, general counsel of the Russian Embassy. 
"We can't allow the emergence of another area of confrontation," Nemerov said, adding that Russia is calling for "cyberdisarmament." The first step in the cyberdisarmament process is to get the nations of the world to discuss the issue openly, Nemerov said. Russia recently requested that the United Nations ask member countries to recognize the threat and state their views on it. The U.S. Department of Defense has complained in meetings with Congressional subcommittees that it has seen severe network-based attacks coming from Russia. Congress has become convinced there's a big problem - and not just with Russia. Rep. Curt Weldon (R-Pa.) made an appearance at the Infowar conference last week to say he thinks information warfare is a bigger threat than biological or nuclear weapons. When asked by Network World if Russia carries out network-based attacks on U.S. computer systems, Nemerov conceded that sometimes things do happen, but "it's unauthorized." Robert Garique, chief technical officer for the Canadian province of Manitoba, said he favors cyberdisarmament talk. Garique noted that new hacking tools, such as one called nmap, make it very hard to be sure where a network-based attack is originating because the tool makes it easy for the attacker to spoof his identity. Easy to make But more than traditional hacker techniques constitute infowar. A new genre of high-energy radio-pulse weapons that disable electrical flows are under development in government labs around the world. "People are spending a lot of money on cyberweapons," Garique said. But how easy is it for terrorists or other criminals to build their own homemade HERF guns? That has been a topic of much debate, but last week a California-based engineer, David Schriner, demonstrated it's not very hard. 
Schriner, president of Schriner Engineering and a former engineer at the Naval Air Warfare Center, hooked up a 4-foot parabolic antenna powered by ignition coils and parts from a cattle stun gun during one Infowar session. People with pacemakers were asked to exit the room.

With not much more than $400 in parts, he directed a 300-MHz pulse at a computer running a program. Blasted in this manner from 10 feet away, the computer went haywire and a digital camera twice that distance away was affected.

"It's high-school science, basically," says Schriner, who believes that as this kind of threat becomes better understood through research, the computer industry is going to have to sit up and take note. "It's going to cost an extra nickel or dime to put a shield in a computer where it's needed," he says.

@HWA

17.0 The Russians Are Coming, The Russians Are Coming
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com

contributed by Space Rogue

A lot of people have been sending in a link to a recent Newsweek article and are wondering why HNN has not mentioned it. The article claims that the Russians are on our cyber back door waiting to break in. The article is written so that it appears that this is a current event. It is not. It is months old. Operation Moonlight Maze, as discussed in the article took place last spring, the DOD password change also mentioned in the article happened last month. While news outlets like Newsweek may think it is OK to report on stuff that is months old HNN tries to only report on timely events.

Newsweek
http://www.newsweek.com/nw-srv/printed/us/st/sr0612_5.htm

Note: Page 5 of 8 Relevant section only, included

POLITICS

'We're in the Middle of a Cyberwar'

Russian hackers may have pulled off what could be the most damaging breach ever of U.S.
computer security By Gregory Vistica It's being called "Moonlight Maze," an appropriately cryptic name for one of the most potentially damaging breaches of American computer security ever — serious enough for the Department of Defense to order all of its civilian and military employees to change their computer passwords by last month, the first time this precaution has ever been taken en masse. The suspects: crack cyberspooks from the Russian Academy of Sciences, a government-supported organization that interacts with Russia's top military labs. The targets: computer systems at the Departments of Defense and Energy, military contractors and leading civilian universities. The haul: vast quantities of data that, intelligence sources familiar with the case tell NEWSWEEK, could include classified naval codes and information on missile-guidance systems. This was, Pentagon officials say flatly, "a state-sponsored Russian intelligence effort to get U.S. technology" — as far as is known, the first such attempt ever by Russia. Washington has not yet protested to Moscow. But Deputy Secretary of Defense John Hamre, who has briefed congressional committees on the investigation, has told colleagues: "We're in the middle of a cyberwar." In a cyberwar, the offensive force picks the battlefield, and the other side may not even realize when it's under attack. Defense Department officials believe the intrusions, which they describe as "sophisticated, patient and persistent," began at a low level of access in January. Security sleuths spotted them almost immediately and "back-hacked" the source to computers in Russia. Soon, though, the attackers developed new tools that allowed them to enter undetected (although they sometimes left electronic traces that could be reconstructed later). Intelligence sources say the perpetrators even gained "root level" access to some systems, a depth usually restricted to a few administrators. 
After that, "we're not certain where they went," says GOP Rep. Curt Weldon, who has held classified hearings on Moonlight Maze.

As a federal interagency task force begins its damage assessment, a key question is whether the Russians managed to jump from the unclassified (although non-public) systems where they made their initial penetration into the classified Defense Department network that contains the most sensitive data. Administration officials insist the "firewalls" between the networks would have prevented any such intrusion, but other sources aren't so sure. Besides, one intelligence official admitted, classified data often lurk in unclassified databases. With enough time and computer power, the Russians could sift through their mountains of pilfered information and deduce those secrets they didn't directly steal.

That's one more thing to worry about, although security officials admit that they have a more pressing concern. The intruders haven't been spotted on the network since May 14. Have they given up their efforts — or burrowed so deeply into the network that they can no longer even be traced?

Newsweek, September 20, 1999

@HWA

18.0 Biometrics Takes Frightening New Step "I am not a number!" ready to be barcoded?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

What I want to know is how someone gets a patent for something like this? It's an IDEA. I was led to believe that an IDEA was not patentable....this is proof otherwise..- Ed

From HNN http://www.hackernews.com

contributed by Weld Pond

The United States Patent and Trademark Office has issued a patent for what some may find extremely disturbing. Thomas W. Heeter of Houston, TX has been awarded patent #5,878,155 for using tattoos to identify customers prior to a retail transaction. The tattoo would consist of a bar code or other design that would be electronically scanned to confirm identity. (Personally I think this is taking biometrics a little too far.
Hopefully no one will actually implement this patent.)

US Patent and Trademark Office
http://patents.uspto.gov/cgi-bin/ifetch4?ENG+PATBIB-ALL+0+946309+0+7+25907+OF+1+1+1+PN%2f5%2c878%2c155

United States Patent 5,878,155
Heeter
Mar. 2, 1999

Method for verifying human identity during electronic sale transactions

Abstract

A method is presented for facilitating sales transactions by electronic media. A bar code or a design is tattooed on an individual. Before the sales transaction can be consummated, the tattoo is scanned with a scanner. Characteristics about the scanned tattoo are compared to characteristics about other tattoos stored on a computer database in order to verify the identity of the buyer. Once verified, the seller may be authorized to debit the buyer's electronic bank account in order to consummate the transaction. The seller's electronic bank account may be similarly updated.

Inventors: Heeter; Thomas W. (55 Lyerly, Houston, TX 77022).
Appl. No.: 709,471
Filed: Sept. 5, 1996
Intl. Cl. : G06K 9/00
Current U.S. Cl.: 382/115
Field of Search: 382/115, 116, 124-127, 100, 128, 133; 348/77, 15, 161; 209/3.3, 555; 356/71; 340/825.34; 235/379, 380, 382

19.0 NASDAQ Defaced
~~~~~~~~~~~~~~

From HNN http://www.hackernews.com

contributed by punkis

At approx. 21:23 on 9.14.99, United Loan Gunmen temporarily defaced a section of the NASDAQ website. This is the same group responsible for such high-profile defacements as the ABC Network, C-SPAN, and most recently the Drudge Report Web site. Data integrity measures on the part of NASDAQ appear to have limited the impact the ULG had on the site, but the intrusion was nonetheless evident. Unfortunately we were unable to get a full mirror of the defacement due to the limited time the page remained up.

Attrition Mirror
http://www.attrition.org/mirror/attrition/1999/09/15/www.nasdaq-amex.com/

Late Update: 1628EST
And the media frenzy begins.
Associated Press - via USA Today
http://www.usatoday.com/life/cyber/tech/ctg141.htm

Wired
http://www.wired.com/news/news/politics/story/21762.html

ZD Net
http://www.zdnet.com/zdnn/stories/news/0,4586,2334751,00.html?chkpt=hpqs014

Reuters - Via Yahoo News
http://dailynews.yahoo.com/h/nm/19990915/wr/markets_hacker_1.html

Associated Press/USA Today;

Nasdaq, Amex sites hacked overnight

WASHINGTON (AP) - Computer hackers vandalized the Internet sites of the Nasdaq and American Stock Exchanges early Wednesday in a bold electronic affront to the world's financial markets.

A group calling itself ''United Loan Gunmen,'' infiltrated the computer running the Web sites for Nasdaq and Amex just after midnight. It was highly unlikely the hackers manipulated any financial data within the exchanges.

Nasdaq recently acquired the American Stock Exchange. A spokesman for the exchanges was not available immediately for comment.

The hacker group left a taunting message saying it intended to ''make stocks rise drastically, thus making all investors happy, hopefully ending with the investors putting bumper stickers on their Mercedez' that say 'Thanks ULG!'''

''Meanwhile, ULG members go back to flipping burgers at McDonalds.''

It also claimed to have briefly created for itself an e-mail account on Nasdaq's computer system, suggesting a broad breach in the system's security.

''That's a pretty serious allegation,'' said Christopher Rouland, director of a team of computer security engineers, called X-force, for Atlanta-based Internet Security Systems Inc. ''It's difficult to say if it's accurate, but once you breach the perimeter, it certainly is easier to get into the infrastructure.''

Nasdaq's Web site uses software from Microsoft Corp., called Internet Information Server, that has suffered several serious security problems during the past year. Microsoft has distributed patches in each case but relies on local computer administrators to install them correctly.
''System administrators can forget to install patches,'' Rouland said. Another expert, Russ Cooper, said it's a mistake to assume that the Internet's most popular sites are secure from hackers. ''It would be nice if we could assume that a high-profile site would have better security people on-staff,'' said Cooper, who runs the NTBugtraq discussion group on the Internet for security flaws. ''Unfortunately, my experience is that's a hope, not a reality.'' The hacker group also had claimed responsibility earlier this week for the defacement of the Internet site for Matt Drudge, the Internet gossip columnist, and electronic attacks against C-Span last week and ABC just weeks ago. All those organizations also used Microsoft's Internet Information Server to run their Web sites. Rouland said the attacks on Nasdaq and Amex were likely to cause anxiety among computer professionals on Wall Street. ''It certainly will in the financial communities,'' he said. ''People will notice, and it will cause a buzz. This is going to cause more people to pay attention to security.'' Nasdaq trading volume averages about 800 million shares a day. As global financial markets have expanded at a dizzying pace, Nasdaq has adopted an aggressive international strategy. Earlier this year, Nasdaq took over the Amex and announced plans to establish an electronic trading exchange in Japan. Nasdaq also has set up a joint Web site with Hong Kong's stock exchange that will allow U.S. investors to trade in Hong Kong securities, has signed a similar deal with the Australian Stock Exchange, and is looking into new alliances in Europe. The global expansion by the world's second-largest stock market has sharpened its competition with the largest, the New York Stock Exchange, which uses a traditional trading floor. -=- Wired http://www.wired.com/news/news/politics/story/21762.html Latest Cracker Caper: Nasdaq by Chris Oakes and Leander Kahney 11:30 a.m. 
15.Sep.99.PDT

Apparently following through on a threat earlier in the week, a cracking group called the United Loan Gunmen has attacked another major Web site.

But was the Nasdaq-AMEX stock site really attacked? And is that really bigger than cracking The New York Times' site?

Finally, to add to the intrigue, are the United Loan Gunmen the same people who called themselves Hacking for Girlies, which claimed responsibility for the Times' attack?

What is known is this: a high-profile information site was attacked in some way for a few minutes late Tuesday night. It appeared to be the latest in what has become a wave of Web site-cracking.

Visitors to domains hosting the news section of the Nasdaq-AMEX Web site were greeted by a mock news story boasting of the crack. The text attributed the break-in to the recently active hacker group the United Loan Gunmen.

"The Elite Computer Hacking group ULG [United Loan Gunmen] uprooted the Nasdaq Stock Market Web Site," the Nasdaq front page read. "... Their goal was to attempt to make stocks rise drastically, thus making all investors happy, hopefully ending with the investors putting bumper stickers on their Mercedez [sic] that say 'Thanks ULG!'"

Nasdaq denied any break-in.

"There's no evidence of an intrusion," said Nasdaq spokesman Scott Peterson. The company said it wouldn't rule out the possibility until it had investigated its systems completely.

The crack was first tracked by Attrition, a security information group that monitors and archives cracks and site defacement. Attrition says it captured a browser image from the Nasdaq site early Wednesday, and said the pages showed clear evidence that the site had been breached.

"Nasdaq is still saying there's no evidence of intrusion -- but that's either because they don't want thousands of people who track the stock market each day to freak out or because [the crackers] are good at covering their tracks," said B.K. DeLong, a consultant and member of Attrition.
He said Attrition staffers visited the several host domains of the Nasdaq-AMEX site Tuesday evening after being notified of the crack around 9 p.m. PDT. The HTML behind the hacked page showed that the location of the intruding message had to be located at the actual Web site of Nasdaq, rather than a spoof site. The motive in all these cases is almost always publicity for the group, said Peter Shipley, chief security architect for security firm KPMG. "The majority of Web hacks these days are by people trying to establish names for themselves." He said it's the easiest -- and least respected -- path to notoriety in the hacker world. "One [path] is to do something shocking, the other is publish information -- write a good article for Phrack or 2600 [two highly regarded hacker publications]. "The former is the route to quick glory rather than respect." Regardless of the motivation, DeLong said ULG's communications indicate that they are expert crackers who know how to cover their tracks. The recently established group also claimed responsibility for breaking into media-owned Web sites to post similar boasts on those homepages. Late Monday, the same group claimed it had cracked the site of self-styled gossip king Matt Drudge. The latest incident only goes to show how easy Web page hacks are, Shipley said. "You're dealing with a machine that's designed to have public access. So it's usually outside the firewall or at a co-locator's network, as opposed to one inside a secure internal network," Shipley said. The message from the ULG also cited an email address at the nasdaq.com domain for reaching the group. Shipley said a lack of appropriate security measures -- a security team, regular security audits -- are behind most site hacks. But even when security is in place, the public nature of sites make them prime targets. The Nasdaq crack lasted only a few minutes, according to the Hacker News Network. 
The United Loan Gunmen also praised the security news service, which distanced itself from the incident. Hacker News' editor, who calls himself Space Rogue, said following the Drudge crack that the United Loan Gunmen were reportedly planning another media-site attack that would be "bigger than NYT." A source close to the hacking community said that the United Loan Gunmen are actually the same group as Hacking For Girlies, which last fall claimed responsibility for defacing the Web site of The New York Times. "It's not ... any lame kiddie group under a new name, nor is it a new group just formed to take on the media," said the source. "The hacks were carried out by the same group in order to gain media attention." Early last week, the United Loan Gunmen defaced the home page for C-SPAN. Last month, they defaced the Web site of the ABC television network. In Monday's attack, they added headlines to the Drudge site, including "Kevin Mitnick Still In Jail." FBI officials in Maryland, where the Nasdaq site is based, couldn't be reached to confirm the possibility of an investigation. Shipley said when the FBI does investigate such cases, their work is primarily "forensic," examining site logs that would show how the intruder broke in. Many sites don't maintain proper logs, which hinders any investigation. In any case, it's highly unlikely the computers of the trading system itself would be at risk in such events. It's equally unlikely that the crackers will be caught. "It really depends on the person," Shipley said. "With proper efforts it would be very hard to catch the person. Anybody who would break in would relay their attack from various sites around the world. This causes a legal jurisdiction problem in tracing their path." -=- ZD Net http://www.zdnet.com/zdnn/stories/news/0,4586,2334751,00.html?chkpt=hpqs014 -------------------------------------------------------------- This story was printed from ZDNN, located at http://www.zdnet.com/zdnn. 
-------------------------------------------------------------- 'United Loan Gunmen' attack again By Robert Lemos, ZDNN September 15, 1999 11:22 AM PT URL: http://inbloom.yi.org/a.out.shtml Cyber vandals who recently hit a number of high-profile Web sites attacked again late Tuesday night, defacing the Nasdaq/AMEX Web home page. The group, which calls itself the "United Loan Gunmen," posted an obviously false story on the site for a short amount of time under the headline, "United Loan Gunmen take control of Nasdaq stock market." Despite claims in the story that the cybergang had "uprooted" the Web site, the only effects of the intrusion seemed to be defacing of the home page. The Nasdaq site offers financial news and quotes. Up just a few minutes The phony page stayed up only a few minutes before Nasdaq's Web servers automatically detected and removed it, said B. K. DeLong, a staff member with security Web site Attrition.org. Reports of the defacement initially appeared on Attrition.org, which obtained a screenshot of the modified site before Nasdaq's automatic measures cut in. Nasdaq officials could not confirm the intrusion at press time. "Our sites are working perfectly," said Scott Peterson, a spokesman for Nasdaq. "We have no evidence of intrusion at this time. However, we take all such allegations very seriously and we are investigating at this time." The United Loan Gunmen is a new group that has made a name for itself in recent weeks by defacing major sites, and leaking word of the defacements to Attrition.org. The same group has claimed responsibility for hacks on sites including ABC.com, C-SPAN and -- just this last Monday -- the Drudge Report. More details to follow. 
-=-

Reuters - Via Yahoo News
http://dailynews.yahoo.com/h/nm/19990915/wr/markets_hacker_1.html

Wednesday September 15 5:07 PM ET

Nasdaq Web Site Targeted By Hackers - Report

By Jennifer Westhoven

NEW YORK (Reuters) - The Web site for Nasdaq and the American Stock Exchange was reportedly attacked Wednesday by a hacker group calling itself the United Loan Gunmen, one day after the group sabotaged Internet gossip columnist Matt Drudge's Web site.

The attack shortly after midnight was the latest in a recent wave of online graffiti sprayed on prominent media Web sites.

It was reported by several news organizations, including Hacker News Network (http://www.hackernews.com), which monitors hacking incidents and keeps an archive of ``cracked'' sites as they appeared after being vandalized.

The hacked site could be found at http://www.nasdaq.com, http://www.nasdaq-amex.com or http://www.amex.com.

Nasdaq, citing security reasons, said it would not confirm or deny whether its site had been cracked.

``The Nasdaq Web site is operational and secure, and we will continue to monitor our sites,'' said Nasdaq spokesman Scott Peterson.

Hacker News Network said the United Loan Gunmen, or ULG, temporarily defaced a section of the Nasdaq site.

``Data integrity measures on the part of Nasdaq appear to have limited the impact the ULG had on the site, but the intrusion was nonetheless evident,'' Hacker News Network said.

The group posted a computer ``screen shot,'' or picture, of the hacked Web page. However, the picture itself does not prove the site was defaced; it is relatively easy for skilled computer users to make a copy of a page and deface the copy.

In the screen shot, the group said its goal was ``to attempt to make stocks rise drastically, thus making all investors happy, hopefully ending with the investors putting bumper stickers on their Mercedez' (sic) that say 'Thanks ULG!'''

``Meanwhile, ULG members go back to flipping burgers at McDonalds,'' it said.
The group also claimed it set up an e-mail address on the Nasdaq site. If that claim is true, it would show a deeper level of penetration into the system than just defacing a Web site, two computer experts said.

The latest media site to get hit by the United Loan Gunmen was the Drudge Report (http://www.drudgereport.com), which was sabotaged briefly Monday, according to news reports.

The masthead for the Drudge site was replaced with the message: ``United Loan Gunmen take control of Mike (sic) Drudge's data stockyard to once again show the world that this is the realm of the hacker,'' according to a mirror, or duplicate of the hacked page posted by Hacker News Network.

Drudge, who is based in Los Angeles and also hosts weekly shows on cable television's Fox News Channel and on ABC radio, could not be reached for comment Wednesday.

The attack on the Drudge site followed similar attacks on other high-profile media sites, including C-Span (http://www.cspan.org), ABC (http://www.abc.com), Wired Online (http://www.wired.com) and ``The Jerry Springer Show'' (http://www.universalstudios.com/tv/jerryspringer).

@HWA

20.0 WebTV Hole Divulges User Info
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com

contributed by Weld Pond

A security flaw in Microsoft's WebTV product could divulge user information such as the user ID. This information could then be used to change information about the account. WebTV accounts can only hold 150 messages; once this limit was reached, bounce messages would include the customer's information.

ZD Net
http://www.zdnet.com/zdnn/stories/news/0,4586,2334232,00.html

--------------------------------------------------------------
This story was printed from ZDNN, located at http://www.zdnet.com/zdnn.
--------------------------------------------------------------

WebTV hole leaves users exposed
By Lisa M. Bowman, ZDNN
September 14, 1999 6:21 PM PT
URL: http://www.zdnet.com/zdnn/stories/news/0,4586,2334232,00.html?chkpt=hpqs014

The account information of some WebTV customers could have ended up in the wrong hands, as a result of a security flaw in the set top box's software.

Microsoft Corp. (Nasdaq:MSFT), which owns WebTV, said Tuesday it has taken care of the flaw, which made it possible for malicious hackers to tinker with WebTV customers' accounts.

The problem occurred when an e-mail message sent to a WebTV user's mailbox was bounced back -- WebTV accounts can only hold about 150 messages and bounce back incoming e-mail messages when they are full.

If the WebTV user had the spam filter activated, then the returned message would divulge the user's ID numbers to the sender -- in addition to the reason the e-mail was deflected.

As a result, those who knew about the flaw could gather a WebTV customer's account information by e-mail bombing the account -- without the customer ever knowing about the invasion.

Net4TV duplicated flaw

The glitch was first reported by Net4TV Voice, a publication of the interactive television consulting firm Iacta Inc. Net4TV Voice publisher Laura Buddine said some users notified her of the breach last week. In addition, she came across the flaw when some messages on the Net4TV mailing list were returned containing the user's account information. Eventually, she duplicated the problem.

Microsoft said it would be difficult for hackers to alter accounts once they had the IDs because they also would have to trick the WebTV user into issuing certain commands.

The security breach appears to be an iteration of a flaw that surfaced last November, when people began noticing that user ID numbers showed up in e-mails that had bounced back from WebTV accounts.

The glitch became a system-wide problem a few weeks ago, when WebTV installed a new automatic spam filter, which is activated by default.
After it discovered the flaw, Net4TV was urging people to turn off the spam filter.

@HWA

21.0 Bookshelf: "Hacking Exposed" Available Soon
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com

contributed by Weld Pond

Osborne McGraw-Hill has published a new book by authors Stuart McClure and Joel Scambray entitled HACKING EXPOSED: Network Security Secrets and Solutions. McClure and Scambray are better known as columnists for InfoWorld's Security Watch column. This book is being billed as the ultimate resource for businesses needing a comprehensive plan to defend their network against the sneakiest hacks and latest attacks. Advanced reviews by leading security experts such as Marcus Ranum, Dr. Mudge, Simple Nomad, and Aleph One have all been extremely positive.

Internet Wire
http://www.internetwire.com/technews/tn/tn984175.dsl

Hacking Exposed: Network Security Secrets and Solutions
http://www.amazon.com/exec/obidos/ASIN/0072121270/thehackernewsnet

Technology News

HACKING EXPOSED

Network Security Experts Debut Just Released Book at N+I

ATLANTA, GA -- (INTERNET WIRE) -- 09/13/99 -- Osborne McGraw-Hill, A Division of the McGraw-Hill Companies, today announced authors Stuart McClure and Joel Scambray will be signing copies of their just released book, HACKING EXPOSED: Network Security Secrets and Solutions, at Networld + Interop 99.

McClure and Scambray, Senior Manager and manager within the eSecurity Solutions Attack and Penetration Group at Ernst & Young, and columnists for InfoWorld's Security Watch column, have developed the ultimate resource for businesses needing a comprehensive plan to defend their network against the sneakiest hacks and latest attacks.

With the dramatic growth of e-commerce, network security is one of the most important issues facing network administrators today -- Hacking Exposed: Network Security Secrets & Solutions shows network administrators how to hack into their system in order to protect it.
HACKING EXPOSED provides invaluable information on: Finding and fixing security holes in your network Implementing security, auditing, and intrusion procedures Providing the top hacks the authors use to test security systems Outlining the top 15 vulnerabilities found on common networks Don't miss the first opportunity to purchase copies of this book (not yet available elsewhere) and to meet the authors in person at their signing! DATE: Tuesday, September 14th TIME: 12pm PLACE: DigitalGuru Bookshop (Official N+I Bookstore) Contact To learn more about HACKING EXPOSED, receive a press copy, or to schedule an interview with the authors for Tuesday, September 14th, please call Jane Brownlow at 510-549-6690. Background Information The Osborne Media Group is a leading publisher of computer books that include user and reference guides; best-selling series on computer certification; high level but practical titles on networking, communication, and programming; and the hottest titles on new web development tools. With its established strategic publishing relationships with Oracle, Corel, Global Knowledge, J.D. Edwards, and Intuit, the Osborne Media Group is targeting consumer support, emerging technologies, and innovative applications for developing future computer books. For more information visit www.osborne.com. Contact: Jane Brownlow Voice: 510-549-6690 22.0 Major Tech Companies Announce Security Plans ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com contributed by Code Kid Intel, IBM, Compaq, Microsoft and Entrust have announced what they are claiming is an end-to-end security network solution. The announcement was made at Networld+Interop in Atlanta. The plan calls for IPSec products for PCs and servers, optimized for MS Win2000 and chipsets from Intel which include the 82594ED network encryption processor. 
The UK Register http://www.theregister.co.uk/990914-000029.html Posted 14/09/99 6:46pm by Mike Magee Intel, PC giants announce network security plans Intel is announcing what it claims is an end-to-end security network solution, in conjunction with IBM, Compaq, Microsoft and Entrust. The announcement, at Network+Interop in humid Atlanta, includes IPSec (Internet Protocol Security) products for PCs and servers, optimised for MS Win2000. Compaq and IBM will also include this technology in their products, with the aim of keeping corporate networks safe. The aim is to prevent access by individuals able to monitor Lan traffic. Intel claims that firewalls are not safe enough. Part of the protection will be chipsets from Intel which include the 82594ED network encryption processor. This will be built into adaptors and other devices during the course of this year. The device is intended to thwart crime within rather than without a corporate firewall. ® @HWA 23.0 NIST To Offer Security Awareness Workshops ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com contributed by Code Kid The National Institute for Standard and Technology (NIST) will be offering a series of workshops to help agencies and companies deal with the complexity of information security. The Computer System Security and Privacy Advisory Board, part of NIST, will design the workshops over the next few months with the first one to be held in the middle of next year. Federal Computer Week http://www.fcw.com:80/pubs/fcw/1999/0913/web-nist-09-14-99.html SEPTEMBER 14, 1999 . . . 15:45 EDT NIST to offer workshops on security issues BY DIANE FRANK (dfrank@fcw.com) A government and industry advisory group today took the first steps to develop the metrics for a series of workshops to help agencies and companies deal with the complexity of protecting their computer systems and organizations. 
The Computer System Security and Privacy Advisory Board, a group at the National Institute of Standards and Technology, plans to design the focus and format of the workshops over the next few months. Concepts for the workshops range from measuring the progress of an organization's security measures to measuring the return on investment for specific security practices and products to provide a business case to administrators. The first workshops will be based on subjects that everyone agrees on are needed most, and the board will develop issues that can be addressed in the future, said Fran Nielsen, a member of NIST's Computer Security Division who is heading the workshop development effort. The board has been working on the idea of metrics workshops for government and industry security professionals since NIST director Ray Kammer encouraged them last year. The first workshop is planned to be held by mid-2000. @HWA 24.0 Yet Another Firewall ~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com contributed by Code Kid Novell has announced the Novell FireWall for NT, a directory-enabled Internet security solution. The new firewall integrates Internet security features with network bandwidth-management tools. The combination allows IS managers from small and medium-sized companies to prioritize critical traffic during peak network usage. Info World http://www.infoworld.com/cgi-bin/displayStory.pl?990914.ennovfire.htm Novell bows toward NT with firewall solution By Katherine Bull InfoWorld Electric Posted at 9:55 AM PT, Sep 14, 1999 ATLANTA -- Continuing its push toward supporting all aspects of Windows NT, Novell announced its Novell FireWall for NT here Tuesday at Networld+Interop. A directory-enabled Internet security solution, Novell FireWall for NT integrates Internet security features with network bandwidth-management tools. 
The combination allows IS managers from small and medium-sized companies to prioritize critical traffic during peak network usage, officials said.

"Users can do the bandwidth management and have the Internet security - all from one place in NDS," said Patti Dock, Novell's vice president of product marketing.

The Novell Firewall for NT is based on technology Novell obtained through its acquisition of Ukiah Software in June 1999. Dock said the product will ship in October, and claims that it is the first directory-enabled firewall product to run on NT.

Novell also announced Tuesday a partnership with IBM to provide an Internet Caching System. The partners will offer preconfigured caching appliance solutions based on the Novell Internet Caching System and IBM's Netfinity line of server hardware. The caching appliances, which can be plugged into existing networks to speed access to frequently requested Web pages, will be available through authorized distributors of IBM and Novell.

In addition, Novell announced the availability of directory-enabled Netware Cluster Services for NetWare 5.0.

Executives from Compaq, Dell, Hewlett-Packard, and IBM were on hand at the press conference to endorse the Novell strategy. Compaq announced ProLiant Clusters for NetWare; Dell said it would offer Dell PowerEdge Server with NetWare Cluster Services; HP will provide its HP NetServer Family with NetWare Cluster Services; and IBM will provide its IBM Netfinity with NetWare Cluster Services.

Novell in Orem, Utah, is at www.novell.com.

Katherine Bull is InfoWorld's news editor.

@HWA

25.0 HNN Announces Partnership With Security Focus
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com

contributed by Space Rogue

We apologize for today's news being slightly delayed but we were busy working on a new script to bring you the latest in security files. HNN now lists the newest security related files from Security Focus.
This list will be displayed in the left menu and will be dynamically updated so keep checking back for new listings.

Security Focus
http://www.securityfocus.com

26.0 The Search for ULG Begins
     ~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com

ULG Attacks windows2000test
ULG != HFG

contributed by Space Rogue

With ABC, C-SPAN, Drudge, and NASDAQ behind them the ULG now has the FBI hot on their trail. NASDAQ has said that they have not found any evidence left behind from the intrusion, which will not give the FBI much to go on. The big question is will The United Loan Gunmen strike yet another high profile media site, or disappear quietly into cyberspace?

The United Loan Gunmen have also claimed to have broken into two boxes on the windows2000test.com subnet last week. Windows2000test.com was established by Microsoft to invite people to test the security features of the next release of the operating system. By violating the rules set up by Microsoft ULG claims to have gotten access to two terminal servers on the same network as the target system. They say that they were then disconnected from the systems and their access was later blocked. HNN has been unable to confirm any of these allegations. (This information provided by a trusted third party who was contacted by ULG)

There have been a few rumors floating around the net that the United Loan Gunmen are actually the same as Hacking For Girlies. HFG claimed responsibility for defacing the NYT web site last year. Most of the 'evidence' presented to support this rumor is purely circumstantial and in reality proves nothing. It is interesting to note that most of the sites attacked by HFG were UNIX based while ULG has only attacked NT systems. While this is not concrete evidence either, it does cast doubt on these rumors.

The staff of Attrition.org, in cooperation with HNN, have worked hard to create an accurate analysis and comparison of the few examples of HFG and ULG works.
While this analysis is not actual proof it does make a very convincing argument that the two groups are not the same. Graphics Comparison http://www.attrition.org/news/content/proof/ulg-comp.html HTML Analysis http://www.attrition.org/news/content/proof/ulg-html.html HNN Cracked Pages Archive - abc.com, c-span.org, drudgerport.com http://www.hackernews.com/archive/crackarch.html Attrition Mirror - nasdaq-amex.com http://www.attrition.org/mirror/attrition/1999/09/15/www.nasdaq-amex.com Associated Press - via USA Today http://www.usatoday.com/life/cyber/tech/ctg141.htm Wired http://www.wired.com/news/news/politics/story/21762.html ZD Net http://www.zdnet.com/zdnn/stories/news/0,4586,2334751,00.html?chkpt=hpqs014 Reuters - Via Yahoo News http://dailynews.yahoo.com/h/nm/19990915/wr/markets_hacker_1.html CBS Market Watch http://cbs.marketwatch.com/archive/19990915/news/current/nasdaq_hack.htx?source=htx/http2_mw (See section on the NASDAQ site defacement for these articles) Marketwatch; Hackers penetrate Nasdaq Web site By William L. Watts, CBS MarketWatch Last Update: 6:06 PM ET Sep 15, 1999 Net Economy Silicon Stocks WASHINGTON (CBS.MW) -- The hackers who attacked Web sites operated by C-Span and Matt Drudge struck again early Wednesday, temporarily defacing a section of the Nasdaq-Amex Web site. The group, which calls itself the "United Loan Gunmen," hacked the computer running the Nasdaq and Amex sites early Wednesday morning. The hackers attacked the news section of the sites, posting a self-congratulatory message on the successful hack. Nasdaq acquired the American Stock Exchange earlier this year. "The Nasdaq Web site is operational and secure. We will continue to monitor our Web sites to maintain their integrity," said Nasdaq spokesman Scott Peterson. He wouldn't elaborate on specifics of the attack nor whether law enforcement agencies had been called in to investigate. 
In their message, the hackers claimed to have set up an e-mail account on the Nasdaq computer system. If true, such a measure would represent a major violation of the system's security measures, security experts said. Peterson would neither confirm nor deny whether the hackers had established an e-mail account, repeating only that the incident had nothing to do with the exchange's trading system. In their message, the hackers said they "uprooted the Nasdaq Stock Market Web site" with the goal of making "stocks rise drastically, thus making all investors happy, hopefully ending with the investors putting bumper stickers on their Mercedez' (sic) that say 'Thanks ULG.'" Hacker News Network, a Web site that monitors hacking incidents, said data integrity measures put in place by Nasdaq appeared to have limited the impact of the short-lived attack. Carolyn Meinel, a computer security expert who operates the Happy Hacker Web site, said the hackers' claim to have set up an e-mail account is disturbing. If true, it would represent a serious security breach, she said. "When you see a Web site hacked, it's a good idea to assume that every single computer has been compromised," she said. The hacker group claimed responsibility for an attack earlier this week that defaced Internet gossip columnist Matt Drudge's Web site. The company also attacked C-span's site last week and the ABC site a few weeks before. William L. Watts is a reporter for CBS MarketWatch. @HWA 27.0 BO2K Discontinues US Distribution ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com contributed by Netmask The 'U.S. Only' version of BO2K along with the 3DES plugin, has been discontinued. The reason for this discontinuation was given as the high cost of maintaining the U.S.-only download server. There will now only be one version of BO2K available to anyone world wide. 
If you want strong crypto, there are numerous plug-ins available that were developed overseas and are therefore not subject to the draconian U.S. encryption export controls.

BO2K
http://www.bo2k.com

@HWA

28.0 Taiwan Increases Cyber Warfare Training
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com

contributed by Space Rogue

A series of nine seminars focusing on computer security and virus prevention will be given by the Taiwanese Defense Ministry in an effort to increase the military's ability regarding electronic warfare. The Defense Ministry said that this was a direct result of the increased electronic threat from mainland China.

Inside China Today
http://www.insidechina.com/news.php3?id=92236

Taiwan Steps Up Training For Electronic Warfare

TAIPEI, Sep 14, 1999 -- (Agence France Presse) Taiwan has stepped up training of its military units to thwart any electronic warfare by rival China, officials said Tuesday.

The defense ministry launched the first of nine seminars Tuesday "to beef up the military's ability regarding electronic warfare and to cope with the Chinese Communist threat," defense ministry spokesman Kung Fan-ding said.

The seminars, focusing on communication security and computer virus prevention, aimed to "show the (ministry's) determination to ensure information security," said Kung.

Several wargames held in China's Nanjing, Beijing and Lanzhou military districts since 1985 have focused on using electronic equipment to paralyze or destroy enemy computer and communications systems, the ministry noted.

Last month Chinese computer hackers launched a cyber war to destroy the websites of several Taiwan government agencies, venting their anger at Taiwan President Lee Teng-hui's provocative claim that the island's relations with Beijing were "state-to-state."

Local hackers fought back, posting Taiwan's national anthem and national flag on several Chinese government agencies' websites.
"Although the attacks by hackers did not ruin information systems here in sectors such as banking and stock market, the effect of the scare on the public might be far-reaching," warned General Tang Yao-ming, chief of the General Staff, at the opening of Tuesday's seminar. "We have to be cautious and should regard such events as the beginning of a potential electronic warfare," Tang said. Taipei-Beijing ties have hit the lowest level in the wake of Lee's remarks since 1996 when China lobbed ballistic missiles into the shipping lanes of Taiwan during the island's first direct presidential elections. Beijing has kept up a propaganda barrage against Lee describing him as a "historical sinner," trying to split the island from the motherland. Taiwan and the mainland were split in 1949 at the end of a civil war. ((c) 1999 Agence France Presse) @HWA 29.0 White House Set to Relax Crypto Export Controls ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com contributed by AlienPlague The Clinton Administration is due to release by the end of the day Thursday recommendations on encryption export controls that are expected to suggest that current restrictions be eased. While agencies like the FBI have pushed to have encryption export controls tightened, it is reported that the President's Export Council Subcommittee on Encryption has advised the President to loosen the restrictions. Info World http://www.infoworld.com/cgi-bin/displayStory.pl?990915.encrypto.htm White House set to release crypto recommendations By Nancy Weil InfoWorld Electric Posted at 11:02 AM PT, Sep 15, 1999 The Clinton Administration is due to release by the end of the day Thursday recommendations on encryption export controls that are expected to suggest that current restrictions be eased. Members of a high-tech panel formed by U.S. Rep. 
Richard Gephardt, a Missouri Democrat, also are emphasizing the issue this week, sending a letter Tuesday to Clinton urging that he meet with them within the next week to discuss how best to make progress regarding encryption this year. A presidential advisory committee, the President's Export Council Subcommittee on Encryption, passed its recommendations on to the White House in June and although that report has not been made public it has been widely reported to advise that encryption restrictions be loosened. U.S. high-tech companies and some lawmakers have pushed for less-restrictive encryption laws, arguing that the current general prohibition on exportation of technology over 56 bits hurts vendors who cannot compete globally. However, the FBI and other law enforcement agencies argue that encryption restrictions should remain strong to keep encrypted data out of the hands of terrorists and other miscreants. The subcommittee has recommended that restrictions be eased so that products and technology using 128-bit key encryption can be exported, according to the New York Times. Gephardt's high-tech panel would likely welcome such a sweeping change. Along with Zoe Lofgren and Anna Eshoo, both Democrats from California, Gephardt is urging the administration to support the Security and Freedom Through Encryption (SAFE) Act (H.R. 850), under consideration by the House. SAFE would ease encryption export restrictions, but also addresses law-enforcement concerns. "We recognize that opponents of H.R. 850, including several senior members of your Administration, have raised national security and law enforcement concerns regarding this legislation. 
While we respect these individuals and the expertise they bring to this debate, we believe that their opposition fails to fully appreciate how important strong encryption is to protecting the integrity of our national information infrastructure, ensuring the privacy of our citizens' personal communications over the Internet and enhancing the safety of their electronic commerce transactions," said the letter from the three lawmakers to Clinton. "We must change our current encryption policy that needlessly places American companies behind the curve of technological advancements and international competition," they wrote. Nancy Weil is a correspondent in the Boston bureau of the IDG News Service, an InfoWorld affiliate. @HWA 30.0 Crypto Compromise Reached ~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com contributed by Dildog As expected, The White House has relaxed U.S. controls on the export of data encryption technology. On the surface it would appear that the high-tech industry, Internet users, and privacy advocates have won the debate, arguing that the export rules hand the entire market to non-U.S. companies. But who really wins here? The only major change is that the export limit has been raised from 56-bit to 64-bit. Law Enforcement agencies have said that they will still push for Key escrow. And what will now become of the bill currently in the House, authored by Rep. Bob Goodlatte (R-Virginia), that would relax crypto exports even further? Was this announcement a preemptive strike by the Clinton Administration to take the steam out from under this bill? C|Net http://news.cnet.com/news/0-1005-200-120700.html?tag=st.ne.1002.thed.1005-200-120700 Wired http://www.wired.com/news/news/politics/story/21810.html White House moves to ease encryption limits By Reuters Special to CNET News.com September 16, 1999, 1:10 p.m. PT WASHINGTON--President Clinton has decided to relax U.S. 
controls on the export of data encryption technology, a step long sought by the nation's computer industry and resisted by federal law enforcement officials.

The move, which is to be announced later today, affects software and hardware and is intended to benefit the economy, preserve privacy, serve the national security interest, and protect law enforcement capabilities, said White House spokeswoman Nanda Chitre.

Once the realm of spies and generals, encryption has become an increasingly critical tool for securing e-commerce and global communications over the Internet.

Until now, the White House has tilted its export policy toward the needs of law enforcement and national security agencies, which fear strong encryption could be used by rogue nations and criminals to thwart U.S. surveillance.

But the high-technology industry, Internet users, and privacy groups appear finally to have won the debate, arguing that the export rules are simply handing a vast, international market to non-U.S. companies.

The announcement won't be without its detractors, though.

"This is going to be a severe blow to national security interests, and it is going to hurt law enforcement," said Stewart Baker, former general counsel to the National Security Agency.

But even Baker, a lawyer representing high-tech companies, said the change is inevitable, given the growing availability of encryption from non-U.S. companies.

"If they had delayed much longer, there was a real risk that large parts of the encryption technology would have moved offshore irretrievably," he said.

The change comes weeks ahead of an expected vote in the House of Representatives on legislation that would have gutted the existing export limits. The bill, authored by Rep. Bob Goodlatte (R-Virginia), was sponsored by more than half of the members of the House.

Industry officials welcome the change, which has been a major lobbying priority for years.

"It speaks very highly to their ability to see the writing on the wall and do exactly what they needed to do," said Lauren Hall, chief technology officer for the Software and Information Industry Association.

People who were briefed on the White House policy change said the new rules will largely abandon the case-by-case licensing approach that has applied to all but the weakest encryption products.

The slow and cumbersome licensing process has made it extremely difficult for U.S. companies such as Network Associates and RSA Security to sell their popular computer security products overseas. And for makers of mass-market software, such as Microsoft and IBM, the rules have forced companies to weaken the security in Web browsers, email programs, and other products.

Under the new rules, such products with strong encryption features will undergo only a one-time review and then can be sold anywhere in the world--except to a handful of nations such as Libya and Iraq.

Exporters will have to report who bought the products, such as an overseas distributor, but not who the ultimate end-user is--an impossible requirement for programs sold in retail stores to millions of customers.

The administration's plan is also expected to ask for $500 million to beef up government computer security and additional funds to help law enforcement agencies deal with encrypted criminal communications.

Story Copyright © 1999 Reuters Limited. All rights reserved.

-=-

Wired
http://www.wired.com/news/news/politics/story/21810.html

Decoding the Crypto Policy Change
by Declan McCullagh

3:00 a.m. 17.Sep.99.PDT
Why did the Clinton administration cave on crypto?

What caused the nation's top generals and cops to back down this week after spending the better part of a decade warning Congress of the dangers of privacy-protecting encryption products?
Why would attorney general Janet Reno inexplicably change her mind and embrace overseas sales of encryption when as recently as July she warned Congress of the "rising threat from the criminal community of commercially available encryption?"

See also: Clinton Relaxes Crypto Exports and Crypto Law: Little Guy Loses

It can't simply be that tech firms were pressing forward this fall with a House floor vote to relax export rules. National security and law enforcement backers in the Senate could easily filibuster the measure. Besides, Clinton had threatened to veto it.

It could be the presidential ambitions of Vice President Gore, who just happened to be in Silicon Valley around the time of the White House press conference Thursday. Still, while tech CEOs can get angry over the antediluvian crypto regulations Gore has supported, they regard Y2K liability and Internet taxation as more important issues.

Another answer might lie in a little-noticed section of the legislation the White House has sent to Congress. It says that during civil cases or criminal prosecutions, the Feds can use decrypted evidence in court without revealing how they descrambled it.

"The court shall enter such orders and take such other action as may be necessary and appropriate to preserve the confidentiality of the technique used by the governmental entity," Section 2716 of the proposed Cyberspace Electronic Security Act says.

There are a few explanations. The most obvious one goes as follows: Encryption programs, like other software, can be buggy. The US National Security Agency and other supersecret federal codebreakers have the billion-dollar budgets and hyper-smart analysts needed to unearth the bugs that are lurking in commercial products. (As recent events have shown, Microsoft Windows and Hotmail have as many security holes as a sieve after an encounter with a 12-gauge shotgun.)
If the Clinton crypto proposal became law, the codebreakers' knowledge could be used to decipher communications or introduce decrypted messages during a trial.

"Most crypto products are insecure. They have bugs. They have them all the time. The NSA and the FBI will be working even harder to find them," says John Gilmore, a veteran programmer and board member of the Electronic Frontier Foundation.

Providing additional evidence for that view are Reno's comments on Thursday. When asked why she signed onto a deal that didn't seem to provide many obvious benefits to law enforcement, she had a ready response.

"[The bill covers] the protection of methods used so that ... we will not have to reveal them in one matter and be prevented, therefore, from using them in the next matter that comes along," the attorney general said.

Funding for codebreaking and uncovering security holes also gets a boost. The White House has recommended US$80 million be allocated to an FBI technical center that it says will let police respond "to the increasing use of encryption by criminals."

Another reason for the sea change on crypto is decidedly more conspiratorial. But it has backers among civil libertarians and a former NSA analyst who told Wired News the explanation was "likely."

It says that since the feds will continue to have control of legal encryption exports, and since they can stall a license application for years and cost a company millions in lost sales, the US government has a sizeable amount of leverage. The Commerce Department and NSA could simply pressure a firm to insert flaws into its encryption products with a back door for someone who knows how to pick the lock.

Under the current and proposed new regulations, the NSA conducts a technical analysis of the product a company wishes to export. According to cryptographers who have experienced the process, it usually takes a few months and involves face-to-face meetings with NSA officials.

"This may be a recipe for government-industry collusion, to build back doors into encryption products," says David Sobel, general counsel for the Electronic Privacy Information Center and a veteran litigator.

Sobel points to another part of the proposed law to bolster his claim: It says any such information that a company whispers to the Feds will remain secret.

That section "generally prohibits the government from disclosing trade secrets disclosed to it [by a company] to assist it in obtaining access to information protected by encryption," according to a summary prepared by the administration.

Is there precedent? You bet.

Just this month, a debate flared over whether or not Microsoft put a back door in Windows granting the NSA secret access to computers that run the operating system.

While that widespread speculation has not been confirmed, other NSA back doors have been.

In the 1982 book The Puzzle Palace, author James Bamford showed how the agency's predecessor in 1945 coerced Western Union, RCA, and ITT Communications to turn over telegraph traffic to the feds.

"Cooperation may be expected for the complete intercept coverage of this material," an internal agency memo said. ITT and RCA gave the government full access, while Western Union limited the number of messages it handed over. The arrangement, according to Bamford, lasted at least two decades.

In 1995, The Baltimore Sun reported that for decades NSA had rigged the encryption products of Crypto AG, a Swiss firm, so US eavesdroppers could easily break their codes.

The six-part story, based on interviews with former employees and company documents, said Crypto AG sold its security products to some 120 countries, including prime US intelligence targets such as Iran, Iraq, Libya, and Yugoslavia. Crypto AG disputed the allegation.

"It's a popular practice. It has long historical roots," says EFF's Gilmore. "There's a very long history of [the NSA] going quietly to some ex-military guy who happens to run the company and say, 'You could do your country a big favor if...'"

Could the security flaw be detected? Probably not, said Gilmore, who during a previous job paid a programmer to spend months disassembling parts of Adobe's PostScript interpreter.

"Reverse engineering is real work. The average company would rather pay an engineer to build a product rather than tear apart a competitors'."

@HWA

31.0 Network Solutions Screws Up
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com

contributed by McIntyre

Network Solutions attempted to offer a free email service to all of its customers yesterday. Unfortunately they totally screwed up the implementation. First, the default passwords on these accounts were relatively simple and easily guessable. Second, they emailed those passwords in the clear to their customers. Third, they made it almost impossible to remove yourself from their spam list. If you did opt to remove yourself you would no longer receive real info from Network Solutions about your domains. It is unknown what Network Solutions has done to rectify this situation but the free email site is not currently open.

InfoWorld
http://www.infoworld.com/cgi-bin/displayStory.pl?990916.iinsi.htm

Attrition - Security Advisory
http://www.attrition.org/news/content/99-09-16.001.html

NSI makes free e-mail security blunder
By Sean Dugan
InfoWorld Electric
Posted at 12:00 PM PT, Sep 16, 1999

Network Solutions Inc. (NSI) discovered that no good deed goes unpunished this week, when its attempt to offer a free e-mail service backfired with a significant security problem.

NSI, the company that assigns and manages Internet domain names, recently launched a new Web site (www.netsol.com) and an accompanying free e-mail service, similar to that offered by Yahoo and Microsoft Hotmail.
Through the service, called "Dot Com Now Mail," NSI offered free e-mail accounts for all those who registered domain names.

However, as it turns out, nearly anyone, including unauthorized users, could sign up to use a domain registrant's e-mail account -- thanks to badly configured default security.

NSI set up the e-mail accounts for registrants using the convention "domainid" for log-in, and "domainidnsi" for the password.

InfoWorld on Wednesday confirmed that anyone who knows a domain name could access the free e-mail account before the legitimate owner did. In doing so, the unauthorized user could change the password and effectively lock legitimate users out.

Additionally, the accounts were set up using the domain registrant's last name, with the password "lastnamenai" convention, which makes them subject to the same problem -- if an unauthorized user knows a registrant's last name, they gain access to the e-mail account.

NSI could not be reached for comment Thursday. As of 2 p.m. Eastern time Thursday, the NSI Web site www.netsol.com was redirecting users to NSI's home site at www.networksolutions.com.

Sean Dugan is InfoWorld's senior research editor.

attrition advisory #001
September 16, 1999 - "NSI are morons"
99.09.16-001.nsi_stupidity_and_blackmail
by: jericho@attrition.org

Vulnerability: Due to Network Solutions (NSI) unsolicited email, practical monopoly on domain registration, and their own stupidity, all NSI "customers" are at risk. Two vulnerabilities have been identified at this time, "stupidity" and "blackmail" respectively.

Vendor Status: NSI was contacted and made aware of this issue on Wed, 15 Sep. Due to past lack of correspondence, no reply is expected.

Impact: Any NSI customer is vulnerable to a wide variety of social engineering attacks stemming from a "service" being forced upon them by NSI. NSI customers must continue to receive unsolicited spam at the threat of losing service from NSI.
Details >-------------------------------------------------------------------

Stupidity:
----------

Beginning mid September, NSI began spamming their 'customers' with the mail regarding "Important information about your domain name account". For anyone who has registered a domain via NSI, you are likely to be targeted and potentially affected by this security threat.

NSI's mail goes on to offer all domain holders a free "dot com" email service. This web based email is akin to Hotmail or any of the other free mail services out there. Unfortunately, NSI makes two mistakes.

1. As a domain holder, you are not given a choice in receiving this account. Further, NSI sends you the login name and password, via email, with no encryption or other means of protection or verification. Here is a sample from the mail I received. (Yes, my password was changed).

"3. Lastly, we are pleased to offer you a FREE e-mail account using our new dot com now mail service. Because it's Web-based, you can use it in the office, at home or on the road. You'll need the following information to set up your account:

>>>>>>>>>>>>Login name: jericho
>>>>>>>>>>>>Password: jerichonsi"

2. As you can probably guess, the login name and password are quite easily guessed. Examining my domain:

Forced Attrition (ATTRITION2-DOM)

Administrative Contact, Technical Contact, Zone Contact:
Jericho, T (TJ2573) jericho@DIMENSIONAL.COM
602.347.0028 (FAX) private

By using the last name as the "login name", and "last name+nsi" as the password, it is trivial to log into the 'dot com' mail service and pose as the legitimate owner of the domain.

Blackmail:
----------

The last paragraph of the unsolicited mail reads:

"If you do not wish to receive e-mail from Network Solutions, click on this e-mail address and type "remove" in the subject line. PLEASE NOTE: by opting to be removed from this list we will not be able to communicate to you, in real-time, on issues regarding your account."
This is a clear case of blackmail on NSI's part. By clicking on the link, they inform you that no further updates will reach you regarding your domain. This means that you must suffer under their unethical ways and receive their spam if you wish to receive mail about your registered domain that you paid for.

Reference >-----------------------------------------------------------------

Here is the full text of the mail for reference. Use this to alert others and watch for blatant spam by NSI.

Date: Wed, 15 Sep 1999 21:00:29 -0400
From: Network Solutions
To: "T Jericho"
Reply-To: Network Solutions
Subject: Important information about your domain name account

Dear T Jericho,

As a customer of Network Solutions or one of our Premier Program members, we'd like to update you on three important items:

1. On September 18, 1999, Network Solutions plans to move to a new Web-based prepayment process for registering domain names. At that point, we will no longer accept NEW registrations without payment in full at time of registration. This new online payment method gives customers the convenience of payment by credit card. THIS CHANGE DOES NOT AFFECT YOUR CURRENT DOMAIN(S) IN ANY WAY AND NO ACTION IS REQUIRED ON YOUR PART.

If you register ten or more domain names per month, you could be eligible for Network Solutions' Affiliates or Business Account Programs. Under these programs, you may qualify to continue receiving invoices for domain name registrations. To be eligible, you must apply at http://www.netsol.com/affiliates or http://www.netsol.com/business_account.

2. Because you registered your domain name with us, your company has received a FREE listing in the NEW dot com directory. We believe the dot com directory gives you a unique competitive advantage, enabling potential customers to find and do business with you. Search the directory for your own business to see how easy it is! Go to http://www.netsol.com/directory to find your business.
You can also click on "Update Your Listing" to search for and verify your company information.

3. Lastly, we are pleased to offer you a FREE e-mail account using our new dot com now mail service. Because it's Web-based, you can use it in the office, at home or on the road. You'll need the following information to set up your account:

>>>>>>>>>>>>Login name: jericho
>>>>>>>>>>>>Password: jerichonsi

Please visit http://www.netsol.com/dotcomnowmail to review all the features of dot com now mail and set up your account.

Thank you for choosing Network Solutions to launch and develop your Internet identity. We look forward to serving you for many years to come.

Network Solutions, Inc.
the dot com people

Copyright 1999 Network Solutions, Inc. Network Solutions is a registered trademark. The following are trademarks of Network Solutions, Inc.: the dot com people; dot com directory; dot com now mail. All rights reserved.

If you do not wish to receive e-mail from Network Solutions, click on this e-mail address and type "remove" in the subject line. PLEASE NOTE: by opting to be removed from this list we will not be able to communicate to you, in real-time, on issues regarding your account.

(c)opyright 1999, Brian Martin. Permission granted to reprint this advisory in full for any non-profit purpose.

@HWA

32.0 Feds Approve GPS Tracking
     ~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com

contributed by TurTleX

The US Federal Communications Commission agreed on Wednesday to allow cellular telephone companies to include GPS technology in their phones. Some uses for this will be to help lost travelers or provide directions to a destination. The primary reason for this, however, is to pinpoint 911 callers for emergency services. (Those of us who are a little paranoid see a few other possible uses. Glad I don't have a cell phone.)

Wired
http://www.wired.com/news/news/business/story/21781.html

Feds OK Cell Phone Tracking
by Joanna Glasner

3:00 a.m. 16.Sep.99.PDT
Cell phone users of the future may never have to get lost or deal with the embarrassment of asking for directions. But if they ever need help, police and paramedics won't have trouble tracking them down.

On Wednesday, the US Federal Communications Commission agreed to allow mobile phone companies to distribute handsets equipped with global positioning satellite, or GPS, technology that pinpoints the location from which a call is made.

FCC officials said GPS-equipped handsets will help authorities get to the scene of emergencies faster by tracing the source of 911 calls from mobile phones. Currently, police and paramedics don't always arrive at the scene as fast as they might without detailed information about a wireless caller's location.

Manufacturers said the technology could also have commercial uses, like providing directions to drivers or access to local Yellow Pages.

GPS technology, which uses an embedded device in a handset to transmit location information to a satellite, is one of two main technologies used for tracking the source of mobile phone calls. Cellular providers can also derive location information by triangulating the location of the base station and antenna nearest to the caller.

But technologies for placing the location of cell phones have raised the hackles of privacy advocates, who say the technology can be used to track users without their consent. Advocates of the GPS system argue users can avoid surveillance by switching off their GPS units.

Steve Poizner, chief executive of SnapTrack, a company that develops GPS systems for wireless handsets, said many carriers are leaning toward the satellite technology. Getting FCC approval was the last major hurdle in the way of a commercial launch.

"Everyone has had a wait-and-see posture," Poizner said. "We expect to see pretty rapid deployment now."
The company is planning its first commercial rollout in Japan later this year, and hopes to launch in the United States in the second half of 2000.

@HWA

33.0 Student Sentenced to Five Weeks
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com

contributed by Code Kid

Four students of North View Secondary in Singapore shoulder surfed a password from a teacher two years ago. Some of those students then used that password for their own use. One student, no longer in school, has been sentenced to five weeks in jail, another is awaiting sentencing.

The Straits Times
http://www.straitstimes.asia1.com/cyb/cyb1_0917.html

Students stole Net password in class

One of them gave the password to a friend, so that the friend could access the Internet on the school's account

FOUR students of North View Secondary peeped over a teacher's shoulder when he was logging on to the Internet two years ago, and memorised the password for their own use.

One student also gave the password to a friend, so that the friend could access the Internet on the school's account.

All of them are no longer at the school.

Yesterday, one of the students involved, and the youth who was given the password admitted securing unauthorised access to a computer account.

The youth, NSman Koh Chee Siang, 20, was sentenced to five weeks in prison.

One of the students who got hold of the password, Adam Cheang Mohamed Khairi, 17, will be sentenced on Wednesday.

Cheang first stole the password and used it himself. After the passwords were changed, he conspired with three others to steal a new password.

Deputy Public Prosecutor Christopher Ong told the court yesterday that in 1996, the head of North View's information technology department, Mr David Chia Hock Boon, had applied to subscribe to three Internet accounts for the school.

Two would be used by students and one would be used by staff.

The students did not have free access to these accounts. They had to ask Mr Chia for permission.
Then he would personally enter the password and log in, and let them use the computer.

In November 1996, Cheang requested permission. Mr Chia agreed and logged on to one account.

Cheang peeped over Mr Chia's shoulder and memorised the password used. He then made use of the account on several other occasions to access the Internet.

In January 1997, Mr Chia changed the password for all three of the school accounts.

About a week later, Cheang conspired with three other North View students to get the new password by the same method.

One of them then gave the password to Koh, a former North View student, who used it to access the Internet.

In mitigation yesterday, Koh's counsel said that his client started on Internet relay chat in 1996, when he first became a subscriber.

A year later, Koh told his friend, one of Cheang's accomplices, that he had stopped going on IRC because it was getting too expensive.

That friend then gave him North View's password so that he would not have to pay for Internet access, the lawyer added.

He asked the court to be lenient with Koh, saying his client had used the password illegally only to chat with his friends, and not for illegal purposes.

The cases of the other two boys allegedly involved in this incident will be mentioned on Wednesday and another is expected to be dealt with on Sept 30.

ILLEGAL ACCESS

Koh Chee Siang, 20, was given the password for North View Secondary's Internet account by a friend. Koh had told the friend that he had stopped going on IRC chats because it was getting too expensive. Koh, a former North View student, was sentenced to five weeks in prison.

@HWA

34.0 Stupid Mistakes Worse than Viruses
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com

contributed by Code Kid

A poll of 300 Microsoft Windows NT administrators found that 88 percent claimed accidental deletions of computer files by in-house workers caused more problems than viruses.
Only 3 percent of the administrators said viruses were a major problem.

Chicago Tribune
http://www.chicago.tribune.com/tech/specialreport/article/0,2669,ART-34595,FF.html

Electronic data loss: malice or missteps?
By Darnell Little
Tribune Staff Writer
September 17, 1999

Worried about computer viruses like Toadie, ExploreZip and Melissa? Maybe you shouldn't be. When it comes to electronic data loss, malicious viruses are no match for the daily missteps of average computer users, according to a recent poll.

Out of the 300 Microsoft Windows NT administrators surveyed in the study, 88 percent said accidental deletions of computer files by in-house workers caused most of their headaches, while only 3 percent said viruses were a major problem.

"There is a tremendous amount of media coverage on viruses and the amount of damage that viruses can cause, but even in some of the oldest studies that I've pulled up, viruses only account for 3 to 7 percent of all data loss," said Phil Proffit, director of research for Broadcasters Network International, the California-based market research firm that conducted the study earlier this summer.

"I can understand why the media covers viruses so much, it's a sexy topic," Proffit said. "And yet there is this vastly larger amount of data and productivity being lost due to accidental deletions. If we try to place a dollar value on it, it would just be billions and billions of dollars being lost in terms of productivity."

The poll focused only on Windows NT because of the operating system's growing popularity among business users and because there is a general belief among system administrators that Windows users are less technically adept than users on other operating systems, according to Proffit.

"Unix users tend to be better educated than NT users," he said. "And uneducated users are the single largest source of accidental deletions.
It's just that on Unix-based systems, either the system administrators have been more clever about how they protect certain critical files on servers or the users themselves tend to be a bit more educated on exactly what the program can and can't do.

"This isn't to say that educated users aren't making mistakes. But the uneducated user is a greater risk on NT systems because they have the Recycle Bin sitting there and they think, 'Great, if I make a deletion it's caught, it's not a big deal.'"

Microsoft's Recycle Bin, however, doesn't provide equal protection to every type of computer file on a network system. If a Windows user deletes a file on a local hard drive, the file goes into the Recycle Bin and stays there until the user manually empties the Bin. Until the Bin is emptied, all deleted files in the Bin can be easily recovered.

But data deleted from within an application program or files deleted from a network drive don't go into the Recycle Bin, and many NT users learn this fact the hard way, Proffit said.

"I also found an amazing degree of ignorance about programs that would handle accidental deletions on NT networks," he said. "Many people are unaware of utilities from Symantec or Executive Software that could help un-delete files.

"A lot of people rely on tape backups, but trying to find the tape backup that might contain some version of the file that was deleted is a bit like jumping into the space shuttle to go to the grocery store. It's just a tremendous amount of work, and in many cases we found that a lot of times the backups failed."

The susceptibility of NT networks to accidental data loss is the shared fault of both NT administrators and Microsoft, according to Antony Chen, vice president of Advantage Consulting and Technologies in Ann Arbor, Mich.

"People who are running Windows environments just don't seem to educate their users enough about the type of power they wield and how not to step on their own feet," Chen said. "So you end up with user madness, they just don't know any better. They go and delete stuff and they empty the Recycle Bin and they just don't think about it."

But Microsoft contributes to the problem in the way that NT systems are designed to be set up, Chen said.

"When you create a new file system in Unix, it basically gives all the users no rights whatsoever and you actually have to install the rights. In NT, it's the other way around. Everyone has got access to everything and then you've got to lock it down."

Although the Unix method is more work, it forces the system administrator to manually give the appropriate access privileges to each user, Chen said. Unfortunately, since NT administrators can skip this step, many do and NT users often end up with more usage rights than they really should have.

"(Microsoft) thinks that, at first, you should just give everyone access to everything. The problem with that is it creates data-loss situations," Chen said.

Accidental data loss can, however, happen quite frequently on other operating systems besides NT, according to Edward Garcia, the management information systems manager for Datalogics, a Chicago-based publishing software firm.

Garcia manages more than a dozen different operating systems at Datalogics, and he's seen even vaunted Unix users destroy data through careless mistakes.

"People will issue command line commands and forget where they are in terms of directory structure," Garcia said. "So they do a delete *.* and they wind up deleting their whole home directory. That's basically where most of our restores happen. I'm surprised it doesn't happen more.

"Or you do a copy command on a Unix system, and there's something that already exists with the same name in the location you're copying to. Unix doesn't ask if you are sure you want to overwrite it, it just does it."

Datalogics also suffers from too many users having too much access to network drives and files, Garcia said.
But having a nearly wide-open system was a corporate decision, not a technical one.

"It's kind of crazy, but we feel -- at least the management feels -- that it's not worth it to risk hindering somebody from getting their job done as a result of security. I cringed when I first heard that, but we're kind of wide open here. And that's where inadvertent mistakes such as deletions really come back to haunt you, because somebody shouldn't have the rights to delete an entire shared folder. But because we like to leave it open that type of a situation happens."

But of all the issues confronting Garcia as a manager of multiple networks, he says viruses barely qualify as a minor nuisance.

"I've lost zero data as a result of viruses. I have never been bit by a virus so badly that an anti-virus software package couldn't fix it for me."

@HWA

35.0 'Hackers' Equal Global Terrorists In '23'
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com

contributed by Weld Pond

A new movie by Hans-Christian Schmid entitled '23' uses the stereotypical, media perpetuated image of the 'hacker' as a small-time gangster and global terrorist. Supposedly based on true events, "23" details how two anti-nuclear protesters break into computers, steal data and later sell it to the KGB. (Yeah, I'll wait in line to see this drivel.)

The Boston Phoenix
http://www.bostonphoenix.com/archive/movies/99/09/16/23.html

"23"

Why have so many notorious political assassinations or elections occurred on the 23rd of the month? Why do Masonic symbols appear on US currency? Why is information more important than wealth? Hans-Christian Schmid's German thriller makes clever use of the writings of Robert Anton Wilson, whose Illuminatus trilogy explores the web of secret societies that rule the world as we know it. Karl Koch and his pal David are 19 years old in 1985: phone phreaks and computer hackers involved with anti-nuclear protesters.
They meet a couple of small-time gangsters who arrange to sell their information to the KGB. Drunk on power, high on drugs, and obsessed with conspiracy theory, Karl and David take to their life of cyber-crime like ducks to water. Later a TV network wants to buy their story, and Karl, who has become a coke and speed addict, manages to hack into the security system of a nuclear facility. But he's being followed by cops, and he's increasingly paranoid and out of touch with reality, seeing occult significance in news headlines and secret agents around every corner.

Remember the '80s? People snorted coke on dashboards, Reagan sold weapons to Qaddafi, computers were as big as fridges, and a small brotherhood of geeks with PCs infiltrated the political and economic infrastructure. Based on true events, "23" follows the maze of discovery that made hackers into global terrorists and suggests a terrifying explanation for the Chernobyl disaster. Using lots of claustrophobic slow motion and fuzzed edges, Schmid crafts a slice of history so surreal it seems a fairy tale -- and so plausible it must surely be our future.

-- Peg Aloi

@HWA

36.0 STEALTH SOFTWARE RANKLES PRIVACY ADVOCATES
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From Help Net Security http://www.net-security.org/

by Thejian, Saturday 18th September 1999 on 2:30 am CET

A super stealthy software covertly monitors all keyboard and application activity, then invisibly e-mails a detailed report to the employees' boss. The newly upgraded software, Investigator 2.0 from WinWhatWhere, runs silently, unseen by the end-user as it gathers exacting details on every keystroke touched, every menu item clicked, all the entries into a chat room, every instant message sent and all e-commerce transactions. While it bolsters IT's ability to monitor workplace computer usage, it troubles privacy advocates who are claiming that workplace electronic monitoring calls out for new privacy legislations. Story.
Stealth Software Rankles Privacy Advocates
(09/17/99, 5:19 p.m. ET)
By Stuart Glascock, TechWeb

A super stealthy software covertly monitors all keyboard and application activity, then invisibly e-mails a detailed report to the employees' boss. While it bolsters IT's ability to monitor workplace computer usage, it troubles privacy advocates.

The newly upgraded software, Investigator 2.0 from WinWhatWhere, runs silently, unseen by the end-user as it gathers exacting details on every keystroke touched, every menu item clicked, all the entries into a chat room, every instant message sent and all e-commerce transactions.

"You get shocking detail," said Richard Eaton, president of WinWhatWhere, in Kennewick, Wash.

In one client case, a large grocery store chain suspected an employee was wrongfully taking information. Management installed the software and discovered the suspect employee was saving accounting information onto a diskette. In other cases, employees have been busted for taking client lists and sales leads.

WinWhatWhere Customers have included sensitive government agencies, private investigators, a trucking company, a tool and die company, a penitentiary, a dentist, and several libraries. Specific customers have included the U.S. State Department, the U.S. Mint in Denver, Exxon, Delta Airlines, Ernst & Young, the U.S. Department of Veteran Affairs, and Lockheed Martin.

"People buying it the most are people in corporations who need it because they suspect something is going on in a department, so they put on a computer for a small amount of time," Eaton said.

While it may sound Orwellian, electronic monitoring can serve a purpose, said Jan Kallberg, chief operating officer of CyberDefense, a New York company specializing in protecting corporate digital assets.

"It can be a good thing if the rules are set and everybody knows the policies, then it eliminates the risk that someone gets blamed who is without any guilt," he said.
It is not surprising that major employers are concerned about employee computer use, but monitoring all their keystrokes is frightening, said Lou Maltby, ACLU director of employment rights.

"Employers who practice this kind of monitoring don't have a clue as to what they are getting into," Maltby said. "People now turn to the Web for all kinds of information, including information about the most sensitive personal issues imaginable. If you are a member of [Alcoholics Anonymous], 20 years ago, you went to a meeting. Today, you are just as likely to talk to your support group over the Web. The same is true for incest survivors and people who are HIV positive. If you want to pry into your employees' deepest, darkest secrets, there couldn't be a better way."

Workplace electronic monitoring calls out for new privacy legislation, Maltby said, adding it is illegal for employers to listen in on an employee's telephone call to a spouse. But the same conversation over e-mail could be read and posted on a bulletin board. No legislation to address the issue is currently pending.

Privacy concerns aside, most corporations need protection, and not just from people who are hacking into their network, but from people working inside the firewall, Eaton said.

"If it is used incorrectly it is horrible," Eaton said. "If you put it on with no suspicion or reason, that's wrong. But if you suspect something is going on your equipment, you have every right to do this."

Pricing runs from $99 for a single user to $5,500 for site licensing.

@HWA

37.0 SOPHOS: TOO MUCH VIRUS SCAREMONGERING
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From Help Net Security http://www.net-security.org/

by Thejian, Friday 17th September 1999 on 8:30 pm CET

UK company Sophos has laid into arch anti-virus rivals Network Associates and Symantec for "virus scaremongering".
Sophos, quoting recent statements by colleagues Network Associates and Symantec, warned that with many businesses deeply concerned about Y2K, confusing statements from anti-virus companies trivialise the virus issue and damage the credibility of the industry as a whole.

17 September 1999
Too much virus scaremongering, says vendor
by Jo Pettitt, VNU Newswire

Anti-virus vendors are falling into yet another spat, this time about whether the millennium poses a severely increased risk of virus attacks.

UK company Sophos has laid into arch anti-virus rivals Network Associates and Symantec for "virus scaremongering", claiming that in a recent interview, the chief researcher at Symantec said there might be up to 200,000 new viruses written especially for the millennium.

In addition, it said that Network Associates has set up a Web site warning of virus threats which, according to Sophos, are not in the wild and are never likely to be.

Sophos warned that with many businesses deeply concerned about Y2K, confusing statements from anti-virus companies trivialise the virus issue and damage the credibility of the industry as a whole.

Graham Cluley, Sophos senior technology consultant, commented: "Predictions of this type are unhelpful. We are surprised to see anti virus companies trying to capitalise on Y2K worries."

Executives at Symantec said Sophos had taken its comments out of context. Kevin Street, Symantec technical director, commented: "What he meant was that there could be between one and 20,000 new viruses, but the numbers aren't what matter. What matters is that we are prepared."

He added: "There will be a great temptation for virus writers to be the one to write the first Y2K virus to get the attention."

David Emms, product manager at Network Associates, said the company's new Web site had been set up in response to customer requests. "We have put the information up there because people are concerned," he said.
He added: "We don't know exactly what the numbers of viruses will be yet, but it is most likely that virus writers will tack on to Y2K because of the date."

To comment on this story email newswire@vnu.co.uk

Article from News Wire ©1999 VNU Business Publications

@HWA

38.0 CRYPTO BREAKER TELLS PROGRAMMERS TO WISE UP
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From Help Net Security http://www.net-security.org/

by Thejian, Friday 17th September 1999 on 8:10 pm CET

Sun senior staff engineer Alec Muffett told an audience of developers at Sun's ".com" conference and exhibition in London on Thursday that businesses using strong encryption, such as RSA, had to be aware of developments like the recently broken 512-bit keys in the latest RSA challenge and cycle their keys often; especially banks that adopted 512-bit crypto in the 1980s to protect long-term information such as mortgage databases. "You must think ahead," he said. "Use cryptography not only against people like me, here and now, but people who come after me in 10, 15, 20 years time." Techweb.

Crypto Breaker Tells Programmers To Wise Up
(09/17/99, 1:56 p.m. ET)
By Madeleine Acey, TechWeb

Since the recent breaking of an RSA 512-bit encryption key -- the kind used by many banks -- IT managers should think longer-term about how to protect data with a long shelf-life, said one of the team that won the latest RSA challenge.

Sun senior staff engineer Alec Muffett told an audience of developers at Sun's ".com" conference and exhibition in London on Thursday that businesses using strong encryption, such as RSA, had to be aware of developments like this and cycle their keys often; especially banks that adopted 512-bit crypto in the 1980s to protect long-term information such as mortgage databases.

At the time, breaking 512-bit keys "wasn't something a band of mere mortals could do," Muffett said, but things had changed.
The self-described "band of like-minded geeks" took just a few days to crack the required 155-digit number using Cray supercomputers and spare capacity on an Amsterdam university's PCs. "You must think ahead," he said. "Use cryptography not only against people like me, here and now, but people who come after me in 10, 15, 20 years time." A Giga Information Group spokesman said many banks used outside technology experts to look after certain aspects of their security, but there was a range of different levels of awareness. "It's a constant game of using advances in technology to stay ahead of advances in technology," the spokesman said. "Not everyone is up to speed." As well as foresight, IT decision makers also needed the support of thoughtful programmers, Muffett said. They had a responsibility to not program "silly things" into software in the first place when it came to security. "Passwords of only one to eight characters are very silly," he said, and have been since the 1970s. "How many of you still have 1234 as the password for your voice mail?" said Geoffrey Baehr, Sun's chief networking engineer, sharing the stage with Muffett. "We as engineers have done a terrible job." "I've definitely heard complaints on that from experts," the Giga Information Group spokesman said. The panel, including Sun's chief scientist John Gage, took the opportunity to attack rival Microsoft. "The best thing you can do is run a secure OS," Baehr said. "No one system can be stronger than the weakest point." "'That's it,' some countries say. 'We cannot accept black box OSes that feed back information," said Gage, referring to the key labeled "NSA KEY" discovered in Windows, which Microsoft denied was a backdoor for the U.S. National Security Agency. "If you want a solid place to stand, it's good to be able to see everything," Muffett said. 
The Giga Information Group spokesman said the IT research company had found that "regardless of whether it's an espionage key, it definitely has harmed Microsoft overseas".

@HWA

39.0 REPORT URGES TOUGH NET STALKING LAWS
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From Help Net Security http://www.net-security.org/

by Thejian, Friday 17th September 1999 on 1:05 am CET

Federal and state laws should be strengthened to help curb the growing problem of online stalking, a U.S. Justice Department report recommends. Two-thirds of states have no laws on the books that explicitly cover stalking on the Internet or through other electronic communications means, the report found. And federal law ought to be amended to make it easier to track down "cyberstalkers," it said.

Report urges tough Net stalking laws

SACRAMENTO, Calif. (AP) - Federal and state laws should be strengthened to help curb the growing problem of online stalking, a U.S. Justice Department report recommends.

Two-thirds of states have no laws on the books that explicitly cover stalking on the Internet or through other electronic communications means, the report found. And federal law ought to be amended to make it easier to track down ''cyberstalkers,'' it said.

''As more and more Americans are going online -- particularly our children -- it is critical that they are protected from online stalking,'' said Vice President Al Gore, who requested the report in February and was to release it in California on Thursday.

''Cyberspace should be a place for learning and exploration, not a place for fear,'' he said in remarks prepared for a meeting in San Diego with victims of online stalking and their family members.

The report surveyed steps that law enforcement, online industries, victims groups and others are taking to crack down on cyberstalking, and explored whether existing laws are adequate to combat a problem it contends is on the rise.
Internet service providers, which link users to e-mail and the World Wide Web, report a growing number of complaints about harassing and threatening behavior online, it said. The head of the sex crimes unit in the Manhattan District Attorney's Office reported that about 20% of the unit's cases involve cyberstalking. The report cited several chilling examples. In one case, a Los Angeles security guard terrorized a woman who rejected his romantic advances by posting online messages that she fantasized about being raped, and listed her phone number and address. On at least six occasions, sometimes in the middle of the night, men knocked on her door saying they wanted to rape her. A San Diego man sent more than 100 e-mail messages to five female students at the University of San Diego and the University of California, San Diego last year. They included death threats, graphic sexual descriptions and references to the women's daily activities, prosecutors said. Federal law enforcement officials have reported many cases in which pedophiles have made advances to children through online chat rooms and later made contact with the children, the report said. Technology allows some stalkers to harass victims anonymously, it said. The report recommends that all states review their laws to ensure they prohibit and provide ''appropriate'' punishment for stalking through the Internet and other means of electronic communication, including pagers. California recently amended its stalking statute to cover cyberstalking. Last year President Clinton signed a bill into law that protects children from online stalking. But the report said the law should be expanded to outlaw interstate or international communication made with the intent to threaten or harass another person. Such new laws should include stiffer penalties when victims are minors, the report said. And federal law should make it easier for law enforcement to track down cyberstalkers. 
The report cited as a hindrance the Cable Communications Policy Act, which bars investigators from obtaining cable subscriber records without a court order and advance notice to the subscriber.

@HWA

40.0 CODEBREAKERS AND PHONE-SPIES TARGET CRIME ON THE INTERNET
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From Help Net Security http://www.net-security.org/

by Thejian, Thursday 16th September 1999 on 7:10 pm CET

Here's more on the UK forming of a cybercrime unit tapping data streams and breaking codes for surveillance sake. Tapping proposals outlined in a Government consultation document call for the monitoring of one in every 500 telephone connections to the Internet to extend the Government's surveillance powers to the Web. According to a report in The Economist today, it would require the Home Secretary to issue 10,000 tapping warrants a year, five times the current level of authorisations.

Codebreakers and phone 'spies' target crime on Internet
By Robert Uhlig

ONE in every 500 telephone connections to the internet is to be monitored under Government proposals to extend surveillance powers to the Web.

The plans are outlined in a Government consultation document and require internet service providers to have facilities to intercept one telephone line in every 500 that they operate. The tapping proposals represent a considerable increase in police powers and a capacity roughly 20 times the level required in other European countries.

According to a report in The Economist today, it would require the Home Secretary to issue 10,000 tapping warrants a year, five times the current level of authorisations. Using such tapping facilities, the police and intelligence agencies will be able to harvest raw data streams containing private e-mail or text and pictures.

Jack Straw, the Home Secretary, has argued that law enforcers need to improve their ability to intercept communications between terrorists and criminals.
The Home Office claims law enforcers now have few powers to fight the increased use of encrypted messages on the internet to arrange drugs deals or pass on paedophile images.

To sift through the vast quantities of tapped data the Government is also to set up a £20 million specialist code-cracking unit using staff from the Government's communications centres at GCHQ, the National Criminal Intelligence Unit and code-breakers recruited from the private sector. But even the code-breakers admit that current encrypting technologies would take the most powerful computers several weeks to crack, by which time the information is likely to be redundant.

The unworkability, cost and technical ignorance encompassed by the proposals have united the internet industry with privacy campaigners. Demon Internet, Britain's third largest service provider, estimates that the switches and infrastructure required by the intercept proposals would cost them more than £1 million initially and up to 15 per cent of their infrastructure costs to upgrade the facilities every year.

Richard Clayton, Demon's Internet adviser, said: "If the Government wants this information they should pay for it." Tim Pearson, chairman of the Internet Service Providers Association, said his members were concerned by the extension in state and police powers being requested.

Malcolm Hutty, director of Liberty, said the proposals were "hideously expensive, technically unworkable and a threat to civil liberties." He added that with such a tapping system in place "Government could be checking on people's tax returns or anything else they fancy keeping an eye on."

@HWA

41.0 LAW ENFORCEMENT MAY BENEFIT FROM NEW CRYPTO POLICY
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From Help Net Security http://www.net-security.org/

by Thejian, Thursday 16th September 1999 on 6:50 pm CET

The White House in a briefing today will announce what one administration official told will be a "large" relaxation of encryption controls.
This is a major victory from the industries' and users' point of view, but there is another side to it. Key recovery is expected to be a part of this proposal, something to which strong encryption export supporters object. The key recovery program essentially guarantees law enforcement officials a so-called "back door" to encrypted communications. Newsbytes.

http://www.newsbytes.com/pubNews/99/136355.html

Law Enforcement May Benefit From New Crypto Policy
By Robert MacMillan, Newsbytes
WASHINGTON, DC, U.S.A., 16 Sep 1999, 10:54 AM CST

Despite an initially jubilant reaction from the high-tech industry over the White House's anticipated relaxation of its encryption export controls, the policy change could pave the way for more unfettered law enforcement access to sensitive data.

The White House in a briefing today will announce what one administration official told Newsbytes will be a "large" relaxation of encryption controls.

Stewart Baker, a member of the President's Export Council Subcommittee on Encryption, told Newsbytes that if the administration allows an easing of regulations, it has a firm platform on which to petition Congress to pass its proposed Cyberspace Electronic Security Act (CESA), which would give law enforcement agencies sweeping access to sensitive communications.

"Key recovery is dumb even from the Justice Department's point of view," Baker said. "It's peculiar to say 'I really like your industry and to encourage you I'm going to add costs and expose you to criminal liability.'"

Baker said that when the subcommittee made recommendations to the administration to change its encryption export policies, "that was not on our list."

Attorney General Janet Reno, Defense Department official John J. Hamre, and several other administration representatives are expected to announce that 64-bit encryption will now become the strongest mass-market algorithm level available, in conjunction with the 33-nation Wassenaar Arrangement.
In addition, the administration is expected to make it easier for companies to export strongly encrypted products of an unlimited algorithm length, subject to a one-time Commerce Department review. The announcement is particularly important to the high-tech industry because it is getting itself heartily smacked in the encryption products arena by other countries that don't have such onerous export restrictions. Rep. Robert Goodlatte, R-Va., and his Democratic counterpart Zoe Lofgren, D-Calif., both are chief sponsors of the Security and Freedom Through Encryption (SAFE) Act, which calls for a total stand-down on encryption export controls. Goodlatte officials were not immediately available for comment, though he is expected to discuss the White House proposal at a press conference later today. Unfortunately for him, key recovery is expected to be a part of this proposal, something to which strong encryption export supporters object. The key recovery program essentially guarantees law enforcement officials a so-called "back door" to encrypted communications. Kristin Litterst of Americans for Computer Privacy said the administration announcement is significant because House Speaker Dennis Hastert, R-Ill., has said he wants SAFE to come to the House floor for a vote, but added that the ACP wants to work with the administration to shape the regulations. "The announcement is a real mixed bag from a privacy perspective," Center for Democracy and Technology (CDT) counsel Alan Davidson said. "We've seen so many promises of broad relief that don't in fact protect people's privacy… It opens up a very important new debate on the Fourth Amendment in cyberspace - under what circumstances the government should have access to our most sensitive information." Davidson added, however, that "If they follow through on their promise, this would be a real step forward. This would give encryption users around the world much stronger privacy protection software." 
A staffer for Senate Communications Subcommittee Chairman Conrad Burns, R-Mont., a stalwart supporter of strong encryption exports, said that "It's great that (the White House supports) the need for encryption reform....but anything that is going to allow the federal government to just creep in the back door of Americans' computers is just unacceptable to us." As a supporter of Senate Commerce Committee Chairman John McCain's, R-Ariz., PROTECT Act, the staffer said that Burns already has compromised his stance somewhat in deference to law enforcement, because PROTECT tends to fit in more with the scope of Wassenaar. He added that Burns is unwilling to give up more ground. Baker said that the administration announcement "will substantially reduce, if not completely eliminate, any of the burden associated with encryption controls, so it's a very big step and will probably take the issue off the table as a competitive (subject)." Nevertheless, the move seems to tie into the administration's desire to offer a gift to law enforcement now that it has tried to please the high-tech industry. Baker said CESA includes key recovery agent provisions, and allows law enforcement to ignore the privacy rights of criminal suspects in searches for information. The proposed bill also would allow law enforcement to require companies to get electronic information even in violation of privacy standards. It also calls for sentencing guidelines to be drafted that would devise encryption crime penalties. "It sounds mildly harmless, but in my view is potentially rather dangerous," Baker said. "That provision is too broad." He also said that CESA puts no restrictions on the Justice Department's ability to "order companies to violate the laws of other countries." "You can imagine how a foreign country would feel if a local Internet service provider started hacking into their citizens' computers at the order of the Justice Department," Baker said. 
MORE TO COME

Reported by Newsbytes.com, http://www.newsbytes.com .

10:54 CST Reposted 11:31 CST

(19990916/WIRES TOP, ONLINE, LEGAL, BUSINESS/WEBPOLICE/PHOTO)

@HWA

42.0 LIBELING AGAIN
     ~~~~~~~~~~~~~~

From Help Net Security http://www.net-security.org/

by BHZ, Thursday 16th September 1999 on 3:45 pm CET

Attrition members reacted to latest John Vranesevich article (Loan Gunmen == HFG?). "Read on to see the obvious errors, illogical conclusions and outright libel contained within the AntiOnline article. It is being quoted here within guidelines of "Fair Use" quoting".

http://www.attrition.org/news/content/99-09-15.001.html

Attrition Responds to More AntiOnline Allegations
Wed Sep 15 22:27:25 MDT 1999
ATTRITION Staff (Official Press Release)

For almost five years, various members of the Attrition staff have fought off unyielding attempts by AntiOnline and/or its staff to slander and defame their characters. These countless accusations and libelous statements have always come without a shred of proof from those making them. Time and time again, Attrition meets these allegations with arguments citing each and every log or mail needed to openly prove our claims. Just once, the staff of Attrition would like to be maligned using reasonably founded proof.

The sickening irony in John Vranesevich and AntiOnline's malicious comments, is that they come in the middle of them plagiarizing Attrition's mirrors and other resources. In the past thirteen days, our logs have shown 13377 unique hits from AntiOnline's "AntiBot" as it spiders our site and utilizes our resources. For them to turn around and call us criminals, makes one wonder if they are saying it purely to get media attention, supporting the people he speaks ill of, or some sick hybrid of the two.

Read on to see the obvious errors, illogical conclusions and outright libel contained within the AntiOnline article. It is being quoted here within guidelines of "Fair Use" quoting.
The original article is in white text, Attrition comments are in red.

http://www.antionline.com/cgi-bin/News?type=antionline&date=09-13-1999&story=loan.news

Loan Gunmen == HFG?
Wednesday, September 15, 1999 at 15:27:48
by John Vranesevich - Founder of AntiOnline

September 13, 1998, The New York Times was broken into by a group calling itself HFG, Hacking for Girlies. The attack, which the New York Times claims cost them over $1 million in damages, falls almost one year ago to the day of when the Nasdaq was broken into. ABC News, C-span, The Drudge Report, and now the Nasdaq have all fallen victim to a group calling itself "The United Loan Gunmen". AntiOnline has reason to believe that this "new group", is actually the HFG acting out under a new name.

[Consistent with a five year pattern of allegations and no proof to back them, these conclusions are no different.]

Using concepts developed under its "Virtual Fingerprinting System", AntiOnline has taken data from the recent United Loan Gunman hacks, and compared it to data in its extensive databases of over 6,700 individual hackers. The results?

[This "Virtual Fingerprinting System" is nothing but a glorified hand-comparison of two files, as illustrated below.]

Graphic Creation: Graphics created by members of the United Loan Gunman match the style and technique as graphics developed by members of HFG in September of last year. Several of these graphics also bear resemblance in creation method to a Defcon 6 logo submitted by a known individual, whose work also can be compared to several other attacks.

[False. A comparison of their HTML elements and attributes, visual style, signatures and more, prove how inaccurate the above statement is. There is practically no similarity between HFG and ULG graphics. Determine for yourself. The Defcon 6 graphic referred to was designed well before HFG began their defacement spree. This image was paraded before over 4,000 hackers at the Defcon 6 convention in Las Vegas.
The fact that a member of HFG chose to emulate the graphic is inconsequential to this scenario. To suggest otherwise without verifiable proof is to invite charges of defamation of character. Look at ALL of the graphics in question, on the same page. You make the determination.]

Content: Similar writing styles, political agendas, affiliates, and attacks as hacks done in September of last year by HFG.

[False. The writing styles of both groups are quite different. Compare the content in the ABC Hack (ULG) to that of the New York Times Hack. Notice the use of "elite speak" and all caps in most of HFG's defacements. This style is seen nowhere in the ULG mirrors.]

HTML: Matches in "free hand" creation style to hacks done by the HFG.

[Due to the fact that HTML is a markup language and lacks a header identifying how it was created, one cannot assume anything about how a page was created without the existence of appropriate META tags denoting the authoring tool used. Furthermore, well over half the pages created by defacers are done free-hand. Compare the radical differences in HTML style between the two groups. To claim that there are similarities between the HTML of both groups is a gross assumption.]

Affiliation: "Attrition" members once again claim to have "spoken to" the individuals involved with the recent attacks, just as they claimed last year during the HFG hacks. Brian Martin, founder of Attrition,

[False. HFG sent a notification e-mail to Brian Martin along with over twenty other people regarding their defacement. Likewise, the contact made between ULG and Attrition staff was via IRC who have logs readily available to any Federal law enforcement organization that makes a formal request as mentioned in the warning on our mirror. In the statement made by AntiOnline, the Attrition staff are being "jewelled." That is, they are being blamed for a crime simply because they are the bearer of the news before others.
This is an ironic claim since AntiOnline has gained its reputation for doing exactly the same thing. The only difference is the Attrition staff did not admit to several felonies in their dealings with hackers. Attrition staff had no foreknowledge of the victim of the intrusions and make it known that they are aware such activity constitutes a felony.]

was raided in December of 1998 as part of an FBI investigation into Hacking For Girlies (as reported by Forbes columnist Adam Penenberg).

[References to the December 1998 raid of Brian Martin are total innuendo and counter the long-standing American concept of justice in which all are innocent until proven guilty. Further, it should be noted that it has been almost a year since the raid, no arrest warrant has been issued. That in itself speaks volumes when observing how quick Federal law enforcement has been recently in raiding and charging other hackers.]

Attack Method: Once again the methodology seems to be rather cloudy, and other industry leaders are drawing similarities into the attack styles (this could potentially become more clear as data from the recent Loan Gunmen attacks surfaces from the individual organizations).

[False. Industry leaders are not making such illogical conclusions. It has been confirmed that at a minimum, four machines compromised by HFG were Unix, (one of which was Solaris), and the operating systems of all four of the servers compromised by ULG were either Windows NT4 or Windows NT5.]

Time: Just as before, attacks apparently done by the same group of people, yet under different names, are spread far apart by almost a year exactly.

[False. AntiOnline has not established that there has been any indication of previous examples where one group turned out to be a second group just with a different name.]
AntiOnline has been receiving more data from several other organizations who are also investigating these similarities, and is in the process of adding them to its catalog to be "fingerprinted". [If this is true, then just like AntiOnline, their resulting information is completely based on speculation and print such assumptions without concrete evidence is a violation of journalistic ethics.] Exact results of AntiOnline's investigations are leading to a particular group of known hackers that AntiOnline has extensive information on. For obvious legal reasons, that data is not being disclosed to individuals outside of the law enforcement arena. [Such statements should be closely examined by AntiOnline readers. Attrition staff has recently obtained hard proof that Vranesevich has continued to be involved in illegal activity, all in the name of 'journalism'. See for yourself.] For more information about "Hacker Profiling", read AntiOnline's Three Part Special Report entitled: "[6]How To Be A Hacker Profiler. Related Information On AntiOnline: [And see how easily these methods are countered in our piece called "Debunking the Hacker Profiler".] [7]What Hackers Head The Culture? [Another example of Vranesevich's libel can be found in this article. Once again, we have pointed out the errata and slander in this piece.] - Attrition Staff The original Article from Anti-Online Loan Gunmen == HFG? Wednesday, September 15, 1999 at 15:27:48 by John Vranesevich - Founder of AntiOnline September 13, 1998, The New York Times was broken into by a group calling itself HFG, Hacking for Girlies. The attack, which the New York Times claims cost them over $1 million in damages, falls almost one year ago to the day of when the Nasdaq was broken into. ABC News, C-span, The Drudge Report, and now the Nasdaq have all fallen victim to a group calling itself "The United Loan Gunmen". AntiOnline has reason to believe that this "new group", is actually the HFG acting out under a new name. 
Using concepts developed under its "Virtual Fingerprinting System", AntiOnline has taken data from the recent United Loan Gunman hacks, and compared it to data in its extensive databases of over 6,700 individual hackers. The results?

Graphic Creation: Graphics created by members of the United Loan Gunman match the style and technique as graphics developed by members of HFG in September of last year. Several of these graphics also bear resemblance in creation method to a Defcon 6 logo submitted by a known individual, whose work also can be compared to several other attacks.

Content: Similar writing styles, political agendas, affiliates, and personal attacks as hacks done in September of last year by HFG.

HTML: Matches in "free hand" creation style to hacks done by the HFG.

Affiliation: "Attrition" members once again claim to have "spoken to" the individuals involved with the recent attacks, just as they claimed last year during the HFG hacks. Brian Martin, founder of Attrition, was raided in December of 1998 as part of an FBI investigation into Hacking For Girlies (as reported by Forbes columnist Adam L. Penenberg).

Attack Method: Once again the methodology seems to be rather cloudy, and other industry leaders are drawing similarities into the attack styles (this could potentially become more clear as data from the recent Loan Gunmen attacks surfaces from the individual organizations).

Time: Just as before, attacks apparently done by the same group of people, yet under different names, are spread far apart by almost a year exactly.

AntiOnline has been receiving more data from several other organizations who are also investigating these similarities, and is in the process of adding them to its catalog to be "fingerprinted".

Exact results of AntiOnline's investigations are leading to a particular group of known hackers that AntiOnline has extensive information on. For obvious legal reasons, that data is not being disclosed to individuals outside of the law enforcement arena.

For more information about "Hacker Profiling", read AntiOnline's Three Part Special Report entitled: "How To Be A Hacker Profiler".

http://www.antionline.com/SpecialReports/hacker-profiler/

@HWA

43.0 SECURITY A MANAGEMENT PROBLEM?
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From Help Net Security http://www.net-security.org/

by Thejian, Thursday 16th September 1999 on 2:50 am CET

The next big issue after the year 2000 is the threat to computer security, said a senior federal official whose job includes hacking into government systems to find their vulnerabilities. "Like Y2K, computer security is a management problem," says Keith Rhodes on a conference entitled "Defending Cyberspace: Enabling Electronic Government", quoting weaknesses in engineering, operations, and management.

http://www.techweb.com/wire/story/TWB19990914S0014

Most Computer Attacks Come From Organizations
(09/14/99, 1:46 p.m. ET)
By Mary Mosquera, TechWeb

ARLINGTON, VA. -- The next big issue after the year 2000 is the threat to computer security, said a senior federal official whose job includes hacking into government systems to find their vulnerabilities.

Although threats to computer security from somewhere on the Internet capture more headlines, the most successful government break-ins are from within, said Keith Rhodes, director of the General Accounting Office's computer and information-technology assessment unit. Rhodes tests the security of federal systems by breaking in from within the government and from the Internet.

Like Y2K, computer security is a management problem. "There was no emphasis on Y2K until management took it seriously," Rhodes told a conference titled "Defending Cyberspace: Enabling Electronic Government," in Arlington, Va.
Computer-security threats come from non-malicious hackers, such as teenagers breaking into systems for the thrill, malicious attackers spreading viruses or wreaking other havoc, industrial spies, and terrorists. "Being a cybercop is like being a sheriff in the old Arizona territory," Rhodes said. Security is not just an issue for large federal or financial systems, but for any company doing business online or depending on email for communications. Well-publicized viruses, such as the Melissa virus, took their toll, albeit temporary, on businesses, including Microsoft and General Electric, Rhodes said. In sniffing out security vulnerability, Rhodes finds weaknesses in engineering, operations, and management. "Why protect a computer firewall when you prop open the door to the computer room?" Rhodes said. While it used to take Rhodes one hour to break into government computers, it now takes three minutes, he said. Lessons to be learned from Y2K start with having good personnel, Rhodes said. Similar to early in harnessing national attention for Y2K, management is afraid to disclose information about computer security for fear of litigation or disturbing public confidence. Threats come from not having enough competent personnel and the inability to recognize if a crash is Y2K-related or a break-in, Rhodes said. Organizations must take care with whom they outsource major tasks, such as payroll, and which personnel are given code to mission-critical systems. Myths about computer security can make organizations complacent until they get creamed and need valuable time to get back up, Rhodes said. Some believe security is adequate if a single standard can be developed, or a sole vendor or product fills all its needs. "Public-key infrastructure is needed now," Rhodes said, adding "You won't be able to operate without it." "Attacks are faster and more bad software is being sold with holes in it. And changing system software will still present problems," Rhodes said. 
Although systems can never be completely secure, a company can protect itself by putting a value on assets and deciding what it wants to protect, assure continuity of operations with contingency plans, and form a computer emergency response team that can protect the system, detect attacks, and react to them. Organizations should be willing to cooperate with law enforcement when systems are attacked, Rhodes said. Because of its size and importance, government is experiencing increasingly more cyber attacks. "Government must take the lead in defending cyberspace," said Ben Miller, chairman of CardTech/SecurTech, which promotes advanced smart card and secure technologies. Congress is recognizing the importance of computer security by increasing agency budgets against cyberthreats. However, funds are being taken from other programs, Rhodes said. @HWA 44.0 TROJAN IN FAKE MICROSOFT Y2K MAIL ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From Help Net Security http://www.net-security.org/ by Thejian, Wednesday 15th September 1999 on 11:40 pm CET Antivirus experts are urging computer users not to open a year 2000 countdown program that comes in the form of an e-mail sent by Microsoft. The "Y2Kcount.exe." file is said to include a Trojan. Users who try to install the program will see a message saying the Y2K counter was unable to install. It says: "Error!.. Password protection error or invalid CRC32!." However, analysis of the program's installation routine shows it already has connected to internal Windows files by the time it displays the error message. Beware Of Virus-Riddled Y2K E-Mail (09/15/99, 3:36 p.m. ET) By Lee Kimber, Special To TechWeb, TechWeb Antivirus experts are urging computer users not to open a year 2000 countdown program that comes in the form of an e-mail sent by Microsoft on Tuesday. The e-mail was not sent by Microsoft, and the enclosed attachment is not a Y2K countdown program, but rather a Trojan virus. 
If users attempt to open the alleged program, the virus can install itself onto the user's computer and then is capable of sending data and information from that system across the Internet.

Microsoft did not return calls by publishing deadline time.

Antivirus experts at Star Internet, a U.K.-based ISP, along with Network Associates and Sophos, are analyzing the e-mail attachment, called "Y2Kcount.exe."

Star has confirmed that the virus, which has been named Count2K, originated in Bulgaria and has also identified some key warning signs.

"It makes a lot of socket communications calls," said Star antivirus programmer Alex Shipp. "There's also a lot of file handle calls and keyboard handling calls."

Shipp said similar to the ExploreZip virus that decimated corporate e-mail systems several months ago, Count2K appears to have the ability to take files from users' systems and send them across the Net. The destination of the files or data has not yet been determined by Star's virus experts.

On Wednesday, Network Associates antivirus experts confirmed Shipp's findings.

Shipp's analysis has determined -- that like the ExploreZip Trojan virus -- both are written in Pascal. He also said the internal programming of two viruses are very similar.

Users who simply open the e-mail but do not attempt to load the Y2K program are in no danger from the virus.

Users who try to install the program will see a message saying the Y2K counter was unable to install. It says: "Error!..Password protection error or invalid CRC32!."

However, analysis of the program's installation routine shows it already has connected to internal Windows files by the time it displays the error message, Shipp said.

"If you see that [message], you think it failed," said Shipp. "By then, it has installed itself."

The message first raised eyebrows because of awkward wording that didn't seem like it would come from Microsoft.
The accompanying message headers also suggested that the e-mail passed through CompuServe's e-mail system. No valid e-mail from Microsoft should route through CompuServe. Antivirus experts said they are working quickly to develop a Count2K fix. Network Associates confirmed that programmers in their antivirus labs are working on a patch. Sophos has posted a warning on its website alerting users that it is working on a patch. Star Internet has already protected its 1,000 U.K. business customers from the Trojan by installing a scanner on its e-mail servers. The scanner looks for the Trojan's unique signature. @HWA 45.0 CERT ADVISORY CA-99-11-CDE ~~~~~~~~~~~~~~~~~~~~~~~~~~ From Help Net Security http://www.net-security.org/ by BHZ, Wednesday 15th September 1999 on 7:12 pm CET CERT (www.cert.org) released an advisory on several vulnerabilities in the Common Desktop Environment. http://www.cert.org/advisories/CA-99-11-CDE.html CERT® Advisory CA-99-11 Four Vulnerabilities in the Common Desktop Environment Original release date: September 13, 1999 Last revised: September 13, 1999 Source: CERT/CC A complete revision history is at the end of this file. Systems Affected Systems running the Common Desktop Environment (CDE) I. Description Multiple vulnerabilities have been identified in some distributions of the Common Desktop Environment (CDE). These vulnerabilities are different from those discussed in CA-98.02. We recommend that you install appropriate vendor patches as soon as possible (see Section III below). Until you can do so, we encourage you to disable or uninstall vulnerable copies of the CDE package. Note that disabling these programs will severely affect the utility of the CDE environment. At this time, the CERT/CC has not received any reports of these vulnerabilities being exploited by intruders. 
Vulnerability #1: ToolTalk ttsession uses weak RPC authentication mechanism The ToolTalk messaging server ttsession allows independent applications to communicate without having direct knowledge of each other. Applications can communicate through an associated ttsession which delivers messages via RPC calls between interested agents. On many systems, ttsession uses AUTH_UNIX authentication (a client-based security option) by default. When messages are received, ttsession uses certain environment variables supplied by the client to determine how the message is handled. Because of this, the ttsession process can be manipulated to execute unauthorized arbitrary programs with the privileges of the running ttsession. Vulnerability #2: CDE dtspcd relies on file-system based authentication The network daemon dtspcd (a CDE desktop subprocess control program) accepts CDE requests from clients to execute commands and launch applications remotely. When a client makes a request, the dtspcd daemon asks the client to create a file that has a predictable name so that the daemon can authenticate the request. If a local user can manipulate the files used for authentication, then that user can craft arbitrary commands that may run as root. Vulnerability #3: CDE dtaction buffer overflow The dtaction utility allows applications or shell scripts that otherwise are not connected into the CDE development environment, to request that CDE actions be performed. A buffer overflow can occur in some implementations of dtaction when a username argument greater than 1024 bytes is used. Vulnerability #4: CDE ToolTalk shared library buffer overflow in TT_SESSION There is a vulnerability in some implementations of the ToolTalk shared library which allows the TT_SESSION environment variable buffer to overflow. A setuid root program using a vulnerable ToolTalk library, such as dtsession, can be exploited to run arbitrary code as root. II. 
Impact Vulnerability #1: ToolTalk ttsession uses weak RPC authentication mechanism A local or remote user may be able to use this vulnerability to run commands on a vulnerable system with the same privileges of the attacked ttsession. For this attack to work, a ttsession must be actively running on the system attacked. The ttsession daemon is started whenever a user logs in using the CDE desktop, or upon interaction with CDE at some future point. Vulnerability #2: CDE dtspcd relies on file-system based authentication A vulnerable dtspcd may allow a local user to run arbitrary commands as root. Vulnerability #3: CDE dtaction buffer overflow A local user may be able to exploit this vulnerability to execute arbitrary code with root privileges. Vulnerability #4: CDE ToolTalk shared library buffer overflow in TT_SESSION A local user may be able to exploit this vulnerability to execute arbitrary code with root privileges. III. Solution Install appropriate patches from your vendor We recommend installing vendor patches as soon as possible and disabling the vulnerable programs until you can do so (or uninstalling the entire CDE package if not needed). Note that disabling these programs will severely affect the utility of the CDE environment. Appendix A contains information provided by vendors for this advisory. We will update the appendix as we receive more information. If you do not see your vendor's name, the CERT/CC did not hear from that vendor. Please contact your vendor directly. Appendix A. Vendor Information Compaq Computer Corporation Problem #1 CDE ToolTalk session daemon & ToolTalk shared library overflow This potential security problem has been resolved and a patch for this problem has been made available for Tru64 UNIX V4.0D, V4.0E, V4.0F and V5.0. This patch can be installed on: V4.0D-F, all patch kits V5.0, all patch kits *This solution will be included in a future distributed release of Compaq's Tru64/ DIGITAL UNIX. 
This patch may be obtained from the World Wide Web at the following FTP address:

http://www.service.digital.com/patches

The patch file name is SSRT0617_ttsession.tar.Z

Problem #2

Compaq's Tru64/DIGITAL UNIX is not vulnerable.

Problem #3 CDE dtaction buffer overflow

This potential security problem has been resolved and a patch for this problem has been made available for Tru64 UNIX V4.0D, V4.0E and V4.0F.

This patch can be installed on:

    V4.0D Patch kit BL11 or BL12
    V4.0E Patch kit BL1 or BL12
    V4.0F Patch kit BL1

*This solution will be included in a future distributed release of Compaq's Tru64/DIGITAL UNIX.

This patch may be obtained from the World Wide Web at the following FTP address:

http://www.service.digital.com/patches

The patch file name is SSRT0615U_dtaction.tar.Z

Problem #4 CDE ToolTalk shared library overflow

See solution fix described in Problem #1.

Fujitsu

Fujitsu's UXP/V operating system is not vulnerable to any of these vulnerabilities.

Hewlett-Packard Company

HP-9000 Series 700/800 HP-UX releases 10.X and 11.0 systems with CDE patches previously recommended in HP Security Bulletins are not vulnerable to vulnerabilities #2, #3, and #4.

All HP-UX 10.X and 11.0 systems running CDE are vulnerable to vulnerability #1. Patches are in progress.

IBM Corporation

All releases of AIX version 4 are vulnerable to vulnerabilities #1, #3, and #4. AIX is not vulnerable to #2. The following APARs will be available soon:

    AIX 4.1.x: IY03125 IY03847
    AIX 4.2.x: IY03105 IY03848
    AIX 4.3.x: IY02944 IY03849

Customers that do not require the CDE desktop functionality can disable CDE by restricting access to the CDE daemons and removing the dt entry from /etc/inittab.
Run the following commands as root to disable CDE:

    # /usr/dt/bin/dtconfig -d
    # chsubserver -d -v dtspc
    # chsubserver -d -v ttdbserver
    # chsubserver -d -v cmsd
    # chown root.system /usr/dt/bin/*
    # chmod 0 /usr/dt/bin/*

For customers that require the CDE desktop functionality, a temporary fix is available via anonymous ftp from:

ftp://aix.software.ibm.com/aix/efixes/security/cdecert.tar.Z

    Filename        sum           md5
    =================================================================
    dtaction_4.1    32885    18   82af470bbbd334b240e874ff6745d8ca
    dtaction_4.2    52162    18   b10f21abf55afc461882183fbd30e602
    dtaction_4.3    56550    19   6bde84b975db2506ab0cbf9906c275ed
    libtt.a_4.1     29234  2132   f5d5a59956deb8b1e8b3a14e94507152
    libtt.a_4.2     21934  2132   73f32a73873caff06057db17552b8560
    libtt.a_4.3     12154  2118   b0d14b9fe4a483333d64d7fd695f084d
    ttauth          56348    31   495828ea74ec4c8f012efc2a9e6fa731
    ttsession_4.1   19528   337   bfac4a06b90cbccc0cd494a44bd0ebc9
    ttsession_4.2   46431   338   05949a483c4e390403055ff6961b0816
    ttsession_4.3   54031   339   e1338b3167c7edf899a33520a3adb060

NOTE - This temporary fix has not been fully regression tested.

Use the following steps (as root) to install the temporary fix.

1. Uncompress and extract the fix.

    # uncompress < cdecert.tar.Z | tar xf -
    # cd cdecert

2. Replace the vulnerable executables with the temporary fix for your version of AIX.
    # (cd /usr/dt/lib && mv libtt.a libtt.a.before_security_fix)
    # (cd /usr/dt/bin && mv ttsession ttsession.before_security_fix)
    # (cd /usr/dt/bin && mv dtaction dtaction.before_security_fix)
    # chown root.system /usr/dt/lib/libtt.a.before_security_fix
    # chown root.system /usr/dt/bin/ttsession.before_security_fix
    # chown root.system /usr/dt/bin/dtaction.before_security_fix
    # chmod 0 /usr/dt/lib/libtt.a.before_security_fix
    # chmod 0 /usr/dt/bin/ttsession.before_security_fix
    # chmod 0 /usr/dt/bin/dtaction.before_security_fix
    # cp ./libtt.a_ /usr/dt/lib/libtt.a
    # cp ./ttsession_ /usr/dt/bin/ttsession
    # cp ./dtaction_ /usr/dt/bin/dtaction
    # cp ./ttauth /usr/dt/bin/ttauth
    # chmod 555 /usr/dt/lib/libtt.a
    # chmod 555 /usr/dt/bin/ttsession
    # chmod 555 /usr/dt/bin/dtaction
    # chmod 555 /usr/dt/bin/ttauth

IBM AIX APARs may be ordered using Electronic Fix Distribution (via the FixDist program), or from the IBM Support Center. For more information on FixDist, and to obtain fixes via the Internet, please reference

http://techsupport.services.ibm.com/support/rs6000.support/downloads

or send electronic mail to "aixserv@austin.ibm.com" with the word "FixDist" in the "Subject:" line.

To facilitate ease of ordering all security related APARs for each AIX release, security fixes are periodically bundled into a cumulative APAR. For more information on these cumulative APARs including last update and list of individual fixes, send electronic mail to "aixserv@austin.ibm.com" with the word "subscribe Security_APARs" in the "Subject:" line.

Santa Cruz Operation, Inc.

SCO is investigating these vulnerabilities on SCO UnixWare 7. Other SCO products (OpenServer 5.0.x, UnixWare 2.1.x, Open Server / Open Desktop 3.0 and CMW+) are not vulnerable as CDE is not a component of these releases.

SCO will make patches and status information available at http://www.sco.com/security.

Silicon Graphics, Inc.

SGI acknowledges the CDE vulnerabilities reported and is currently investigating.
No further information is available at this time. As further information becomes available, additional advisories will be issued via the normal SGI security information distribution methods including the wiretap mailing list. Until SGI has more definitive information to provide, customers are encouraged to assume all security vulnerabilities as exploitable and take appropriate steps according to local site security policies and requirements. The SGI Security Headquarters Web page is accessible at the URL http://www.sgi.com/Support/security/security.html Sun Microsystems, Inc. Vulnerability #1: Systems running Solaris 7, 2.6, 2.5.1, 2.5, 2.4, and 2.3, and SunOS 4.1.4 and 4.1.3_U1 are vulnerable if the UNIX authentication mechanism (default) is used with ttsession. The use of DES authentication is recommended to resolve this issue. To set the authentication mechanism to DES, use the ttsession command with the '-a' option and specify 'des' as the argument (see ttsession(1) for more information). The use of DES authentication also requires that the system uses Secure NFS, NIS+, or keylogin. For more information about Secure NFS, NIS+, or keylogin, please see the System Administration Guide, Volume II. 
Information is also available at:

http://docs.sun.com:80/ab2/coll.47.8/SYSADV2/@Ab2PageView/34908?DwebQuery=secure+rpc

Vulnerability #2:

The following patches are available:

    CDE version    SunOS version                   Patch ID
    ___________    _____________                   _________
    1.3            5.7                             108221-01
    1.3_x86        5.7_x86                         108222-01
    1.2            5.6                             108199-01
    1.2_x86        5.6_x86                         108200-01
    1.0.2          5.5.1, 5.5, 5.4                 108205-01
    1.0.2_x86      5.5.1_x86, 5.5_x86, 5.4_x86     108206-01
    1.0.1          5.5, 5.4                        108252-01
    1.0.1_x86      5.5_x86, 5.4_x86                108253-01

Vulnerability #3:

The following patches are available:

    CDE version    SunOS version                   Patch ID
    ___________    _____________                   _________
    1.3            5.7                             108219-01
    1.3_x86        5.7_x86                         108220-01
    1.2            5.6                             108201-01
    1.2_x86        5.6_x86                         108202-01

Patches for CDE versions 1.0.2 and 1.0.1 will be available within two weeks of the release of this advisory.

Vulnerability #4:

Patches will be available within two weeks of the release of this advisory.

Sun security patches are available at:

http://sunsolve.sun.com/pub-cgi/show.pl?target=patches/patch-license&nav=pubpatches

The CERT Coordination Center would like to thank Job de Haas for reporting these vulnerabilities and working with the vendors to effect fixes. We would also like to thank Solutions Atlantic for their efforts in coordinating vendor solutions.

This document is available from: http://www.cert.org/advisories/CA-99-11-CDE.html

CERT/CC Contact Information

    Email: cert@cert.org
    Phone: +1 412-268-7090 (24-hour hotline)
    Fax: +1 412-268-6989
    Postal address:
        CERT® Coordination Center
        Software Engineering Institute
        Carnegie Mellon University
        Pittsburgh PA 15213-3890
        U.S.A.

CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.

Using encryption

We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from http://www.cert.org/CERT_PGP.key

If you prefer to use DES, please call the CERT hotline for more information.
Getting security information CERT publications and other security information are available from our web site http://www.cert.org/ To be added to our mailing list for advisories and bulletins, send email to cert-advisory-request@cert.org and include SUBSCRIBE your-email-address in the subject of your message. Copyright 1999 Carnegie Mellon University. Conditions for use, disclaimers, and sponsorship information can be found in http://www.cert.org/legal_stuff.html @HWA 46.0 HACKER PROFILER ~~~~~~~~~~~~~~~ From Help Net Security http://www.net-security.org/ by BHZ, Wednesday 15th September 1999 on 7:01 pm CET John Vranesevich published his thesis on United Loan Gunmen. Combining his "hacker profiler technique", he concluded: "Using concepts developed under its "Graphics created by members of the United Loan Gunman match the style and technique as graphics developed by members of HFG in September of last year". His article - "Loan Gunmen == HFG?" (found elsewhere in this issue, see LIBEL section 42.0) @HWA 47.0 eDOCTOR GLOBAL NETWORK ~~~~~~~~~~~~~~~~~~~~~~ From Help Net Security http://www.net-security.org/ by BHZ, Wednesday 15th September 1999 on 6:11 pm CET Security software company Trend Micro Inc. today released new online virus scanning service that builds virus protection directly into networks and e-mail systems. Service is called eDoctor Global Network and you could find more information on it here http://www.antivirus.com/corporate/default.htm Trend Micro Announces eDoctor™ Global Network September 14, 1999— Trend Micro Inc. today announced the eDoctor Global Network, a worldwide Internet antivirus service initiative designed to provide a better defense against Internet viruses. The eDoctor Global Network builds malicious code protection right into the Internet infrastructure, enabling customers to obtain virus protection as a value-added service from Internet service providers, telcos, and managed service providers. 
By utilizing Internet technology and partnering with Internet infrastructure providers and security maintenance experts, the Trend eDoctor Global Network provides both home and corporate customers with the highest level of virus protection, 24x7 support and information, and faster response to virus events. Global Network Service Providers include Sprint, US WEST Breakwater Security Associates and others. @HWA 48.0 DEFAULT ISSUE 5 OUT ~~~~~~~~~~~~~~~~~~~ From Help Net Security http://www.net-security.org/ by BHZ, Tuesday 14th September 1999 on 7:37 pm CET We have released fifth edition of Default newsletter. Topics in this issue are: Hit2000 report, Interview with v00d00, Want secure and encrypted e-mails?, Security audit with our Mac Part-2/2, More from the ACPO front, Infection and vaccination, Watch out for documents you publish on The Internet, Freedom of speech - related incidents, Y2K survey for 72 countries and brief article on Journalism (see the story below). So download default5.txt or default5.zip. If you want to get Default in your mailbox mail majordomo@net-security.org with this message in the body - subscribe news your@email. @HWA 49.0 ANOTHER WANNABE HACKER CAUGHT ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From Help Net Security http://www.net-security.org/ by BHZ, Tuesday 14th September 1999 on 7:24 pm CET Another trojan user has been caught in Croatia. Denis Perisa (16) was questioned of entering the home PC of a known politician in his country. He said that he just wanted to snatch a connection password for Croatian ISP. Article was first published in daily newspapers Vecernji list, but I had to react to the article. It was written very badly and the purpose of the article was to modify his part in it. The plain trojan user without any knowledge became a super-hacker. My comments to the article could be seen here (Croatian language). 
http://www.monitor.hr/security/clanci/denis.htm

@HWA

50.0 TROJANS - MODERN THREAT
     ~~~~~~~~~~~~~~~~~~~~~~~

From Help Net Security http://www.net-security.org/

by BHZ, Tuesday 14th September 1999 on 7:18 pm CET

SubSeven, Hack'a'Tack, Deep Throat, NetSphere are just couple of hundreds of trojans that are cruising The Internet. German web site (www.heise.de) has a nice article on trojans and their impact. Read the article here

http://www.heise.de/ct/english/99/17/088/

Norbert Luckhardt

Party Crashers

Danger from uninvited guests on the Windows PC

It was hardly possible not to hear the uproar triggered by the new Back-Orifice version. But there are several other less known relatives of these hacker tools lurking in the Internet that are just as dangerous - no matter whether they are called Trojan Horses, viruses or remote management tools.

The most prominent member of the backdoor family is probably Back Orifice 2000 (BO2K). Already one week before its 'birth' the online media went into a reporting frenzy as if it was the unborn successor to the throne of a cherished monarch. Up to now there was much less commotion around SubSeven, Hack'a'Tack, Deep Throat, NetSphere and other cousins of the backdoor celebrities. Nevertheless the analysts of the Data Fellows virus laboratories write about the SubSeven author Mobman: 'His backdoor is the currently most advanced out there'. And also Network Associates (McAfee) attest a 'high risk potential' for SubSeven - while BO2K is only recognized as a medium-size danger.

Windows backdoors offer an attacker almost unrestricted access to the victims' computer - according to what is publicized again and again. But this formulation is actually still not strong enough: Besides complete access to all files and system passwords such a 'remote management access' also paves the road to the local network or Intranet with all the rights of the user.
If the user has a multimedia computer with camera and microphone he offers the attacker a monitoring station with picture and sound. There even are special Websites that show pictures of Back-Orifice victims. Encryption and security software are no real obstacles: The backdoor sends all keyboard entries to the attacker; they can also record protocol functions while the user is offline. Together with secret keys or management information from the hard disk the attacker has the same capabilities as the rightful user. The backdoors are generally able to start any software while hiding it - there are no visible windows. Changing entries in dialog boxes in the last second also seems possible: Just before the user sends off his transfer during homebanking for example - PIN and TAN have already been entered - an attacker could principally lock the keyboard, blackout the screen, quickly change the data on the fly and finish the transaction. Until the user gets a sobering look at his account statement he probably would assume the whole thing only was a minor technical glitch... The 'open' computer can also be used for downloads or remotely turned into a server that covers up the tracks of the attacker for more - possibly criminal - activities: for example breaking into other computer systems or exchange and trading with illegal software copies or pornography. Apart from that the hacker tools offer a variety of harmless functions that only serve the purpose of confusing and annoying the user: switching mouse keys, mirroring the screen, opening and closing the CD-ROM drive, playing sounds, ending or crashing Windows and so on. In the early days of the backdoor servers a dial-up connection to the Internet provider still offered a certain protection. After all, the attacker needed the IP address of the victim to connect with the parasitical software - and that address generally changes with every call. 
However, today the advanced backdoor servers notify their owners via the communication service ICQ, IRC (Internet Relay Chat) or via email and give them the IP of the victims as soon as their computer goes online.

From Redmond ...

Meanwhile there are more than a handful of universal very well camouflaged backdoors. Partially they try tricking their opponents, the virus scanners, by changing shape or varying the data lengths. The anti-virus industry remains unfazed and says that the hacker community is underestimating the capabilities of the scanner if they think that they will not be discovered.

However, the pure amount does bother the manufacturers: Almost 120 culprits are found on one single Website in the 'Black Library of Trojans' - 'The Trojans Removal Database' (www.multimania.com/ilikeit/) lists more than 50 backdoors with standard file names and registry entries. The motto for the virus laboratories is 'stay on it'. Contrary to the classic viruses that only do damage after some time, it does not help the user to find out after two weeks that he has a backdoor problem - by then the damage is probably already done.

Unfortunately the virus scanners so far only fight half-heartedly against the threat from backdoor servers. The software recognizes known Trojan horses (often just called 'Trojans' disregarding the historical events) and for the most part is also capable of deleting the dangerous program files. But specific problems are often not taken care of: For example virus scanners investigate generally only executable files with the usual file extensions - but during the start from the registry a backdoor server could also be called 'Readme.txt'... Additionally backdoors are usually not recognized during regular operation. Therefore the risk of overlooking Trojans depends very much on the users' behavior - if he just relies on the standard settings of a virus scanner he is only protected moderately.
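The autostart point above (a backdoor started from the registry can carry any name, such as 'Readme.txt'), as an added example that is not part of the original article: a Python check over a registry export that lists the autostart entries an extension-based scan would skip. The REGEDIT4 export text and the scanner's extension list are assumptions of this example, and the sample entries are constructed.

```python
import ntpath
import re

# Autostart keys processed at boot or logon (the Run* family).
AUTOSTART_KEY = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\"
    r"(Run|RunOnce|RunServices|RunServicesOnce)$",
    re.IGNORECASE,
)

# Assumption: the extensions a scanner inspects with its default settings.
SCANNED_EXTENSIONS = {".exe", ".com", ".dll", ".bat", ".scr", ".sys"}

SECTION = re.compile(r"^\[(.+)\]$")
VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

# Constructed sample export; none of these entries come from the article.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"Notes"="C:\\WINDOWS\\SYSTEM\\Readme.txt"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Helper"="\"C:\\Program Files\\Common Files\\helper.dl_\" -s"
"Updater"="C:\\Program Files\\Vendor\\update.exe /q"

[HKEY_LOCAL_MACHINE\Software\Example\Settings]
"LastFile"="C:\\docs\\report.txt"
'''


def unescape(text):
    # Undo .reg string escaping: a backslash protects the next character.
    return re.sub(r"\\(.)", r"\1", text)


def program_of(command):
    # Return the program part of an autostart command line.
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    # Unquoted: extend token by token until the candidate has an extension,
    # so a path containing spaces is kept whole; stop at the first switch.
    tokens = command.split(" ")
    candidate = ""
    for i, token in enumerate(tokens):
        if i > 0 and token.startswith(("/", "-")):
            break
        candidate = token if i == 0 else candidate + " " + token
        if ntpath.splitext(candidate)[1]:
            return candidate
    return tokens[0]


def unscanned_autostarts(reg_text):
    # Return (key, value name, program, extension) for every autostart entry
    # whose target extension is outside SCANNED_EXTENSIONS. Entries with no
    # extension at all are reported too.
    findings = []
    key = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        section = SECTION.match(line)
        if section:
            path = section.group(1)
            key = path if AUTOSTART_KEY.search(path) else None
            continue
        value = VALUE.match(line)
        if key is None or not value:
            continue
        name = unescape(value.group(1))
        program = program_of(unescape(value.group(2)))
        ext = ntpath.splitext(program)[1].lower()
        if ext not in SCANNED_EXTENSIONS:
            findings.append((key, name, program, ext))
    return findings


if __name__ == "__main__":
    for key, name, program, ext in unscanned_autostarts(SAMPLE_EXPORT):
        print(f"{key}\n  {name} -> {program} (extension {ext or 'none'})")
```

Each entry it reports is a file to hand to the scanner explicitly, whatever its name suggests.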
Elaborate descriptions of the PC parasites are also hard to find - even if they are in the virus databases. The terminology is getting more and more mixed up and makes the search more difficult than necessary. Up to one year ago the families were separated clearly: remote management software allows system administrators and support personnel access to the computer without actually having to sit in front of it. Trojan horses steal the passwords in the background or do other nasty things while the innocent user is deceived by the façade of a more or less useful application or even just by an error message during the startup of the program. Viruses attach to the files, multiply and wait to be spread by the user - and then come up with a nasty surprise sometime later.

And today? The unsuspecting user opens a backdoor to his system without realizing it while starting or installing a program - with lax security settings it could happen by just clicking on a WWW page or reading an email (fortunately in this case several factors must come together - so far more a theoretical threat). The backdoors nest in the Windows systems like a virus in a file, trigger hidden actions like a Trojan and possess the same capabilities as remote management programs. For example 'Kuang2' is the first real file virus that opens a backdoor to the file system - with only 11 KByte code. Luckily Kuang2 is not very widespread.

...to Troy

Initially the manufacturers of anti-virus software took the easy way out by classifying the backdoors as Trojans because of the hidden functions. Strictly speaking this is not correct because the hacker tools do not do anything different than they claim to do - they are only difficult to detect. The actual Trojans are the programs that an attacker uses to wrap up the backdoor so a user installs them without knowing it.
And there even is no need for programming - everything works with the toolbox principle: There is more than just one hacker tool for linking events during the program start of Back Orifice and consorts to random useful or funny programs or self-extracting archives without the need for any hex editor or previous knowledge.

The fact that the producers of anti-virus software increasingly add the new class 'backdoor' to their taxonomy will help to clarify matters. Unfortunately the conventions and names of the PC parasites differ from distributor to distributor making it difficult to stay informed - a synchronization of the names seems to become more and more impossible because of the sheer number of new entries.

On top of that the backdoor authors increasingly protest against the 'denigration' as Trojan Horses: they actually have a point by saying that the 'official' tools for remote management can be installed in a certain way so the user does not notice it. The NetBus people even accuse Symantec of ruining their business: Their tool is in direct competition with Symantec's PCAnywhere but the virus scanner calls NetBus a Trojan leading to confusion among potential customers (also see our interview with C.F. Neikter).

The Back Orifice authors from the Cult of the Dead Cow (cDc) direct their criticism against Microsoft: On one side Bill Gates' company condemns the cDc program as vicious because it contains 'camouflage functions that have no other purpose than to make it more difficult to detect'. On the other side Microsoft writes in their security guide for their own remote management software: 'It is possible to configure remote management in a way that there is never any proof of existing remote accesses'. Appropriate measures have been taken to satisfy certain customers. cDc calls this 'hypocritical'.
Side door

To declare the hacker tools as a 'totally normal' remote management program that could be misused is only half the truth, however: Whether the risk of the authors implementing additional backdoors to their programs is higher than with software from commercial distributors is yet another story. But at least the customer would stand a chance of winning when suing the latter for damages. On top of that in many hacker tools it seems to be possible to supersede the password protection that is supposed to protect implemented servers from unauthorized access.

The openly displayed source codes of Back Orifice 2000 offer a new quality: Everybody can convince himself that the backdoor is not a real Trojan Horse as well. Evaluating the source code also decreases the probability of undetected implementation errors that can lead to security holes - this is a competitive advantage to commercial software for remote management.

As long as the operating system does not offer any protection against unwanted programs and hidden functions the user can only use the virus scanner to avoid backdoors. A manual search is almost impossible. We can only discourage from using any special solutions against the backdoors: Firstly it is highly recommendable to have a virus scanner in the system anyway. And on top of that many backdoor killers originate from hacker circles. The temptation of adding a few hidden functions should be fairly high.

The best protection against a PC parasite is a healthy portion of mistrust: To execute a program from an unknown source is like crossing the street without looking left and right first. It is definitely not a good idea to start executable files that were sent as an attachment to email if the transfer was not explicitly arranged with the sender. This is also true for personal email - there is quite a variety of viruses that automatically send out email with the name of the computer owner.
And 'executable files' is becoming a wider and wider expression with regards to macro-capable office documents and HTML mails with active content: If you do not care about the more colorful presentation or have confidential data on your computer you should rigorously ban active contents (ActiveX, Java, Javascript, VBScript and so on) from mail client and Web browser.

In general if the backdoor is used it would probably look more like a cat-and-mouse game between the hacker and the home user. However, one should not underestimate possible damage and the threat of criminal use. We can only hope that for future operating system generations more thought is given to the question whether every program really needs to have access to every resource of the computer. Until then only three things should be kept in mind: to be careful - but also to use chip cards that at least protect secret key data, and to store data that need protection on non-networked computers. (nl)

Rainer Hansen

Moose test for Windows

NetBus Pro and how it happened

Since version 2.0 the former perfect Trojan example NetBus does not want to be called Trojan Horse nor backdoor but be recognized as commercial software for remote management. What started out as hacker fun among friends wants to be all grown-up now.

The 21-year-old programmer Carl-Fredrik Neikter caused a lot of commotion. The young Swede developed one of the first programs that allows spying out a Windows computer in quite an easy fashion. With version 1.60 NetBus gained worldwide attention because contrary to the first Back Orifice it also worked under Windows NT. Neikter almost completely rewrote version 2.0 and added many functions and a sophisticated user interface. Therefore the author does not just call it a spy tool anymore but experienced remote management software. At the same time NetBus changed from Freeware to Shareware (12 US-Dollar). c't talked to Carl-Fredrik Neikter about background and history of the controversial tool.
c't: What are your motives behind NetBus?

Neikter: The NetBus 1.x versions were supposed to be a toy. When I noticed that the program is mainly used as a hacker tool I decided to continue developing it into remote management software. It already had a few good features that suggested this direction. There are already a few good remote management programs on the market. With the spy functions I wanted to carve out a special niche for NetBus Pro. My plan is to also integrate real-time control functions like you would find for example in PCAnywhere or in ReachOut. This would allow real-time interaction with other computers.

c't: How do you see NetBus in comparison to similar programs like Back Orifice or Socket de Troie?

Neikter: I reject any comparison between NetBus Pro and Trojan Horses - NetBus Pro is not a Trojan anymore and should not be treated like one by anti-virus software either. Read my Website (www.netbus.org) and you will understand that every program can be hacked and misused. NetBus Pro is in the limelight and this can be a problem. But NetBus Pro is not the predominant program out there that can be misused. Look at the macro problems with Microsoft Word and the recently discovered CALL security hole in Excel. Should anti-virus software not also detect and 'disinfect' non-patched Word and Excel versions?

c't: Do you know about any serious damage resulting from your program?

Neikter: I do not have any statistics but I know that it was misused often. I received mail from angry people. I am afraid that hackers that only wanted to destroy stuff logged on the systems. Unfortunately there are bad people everywhere.

c't: Have there also been questions from 'official' sides?

Neikter: Yes, a few. NASA and the US Air Force wrote to me. The security chief wanted more information about NetBus because he was working on a presentation.

c't: Could NetBus not also be used for actual criminal purposes - for example for manipulating homebanking?
Neikter: I do not believe that there is a big threat of money being stolen from bank accounts, because online banking (at least in Sweden) uses the same password only once. You enter your PIN code in a password generator and receive a code for logging into the system or transactions. For every login or for every transaction you must generate a new code [annotation of the editor: in Germany this is still pie in the sky.]

@HWA

51.0 IE5 BUG LEAVES COMPUTERS OPEN TO INVASION
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From Help Net Security http://www.net-security.org/

by Thejian, Monday 13th September 1999 on 10:30 pm CET

Microsoft is warning users of its Internet Explorer 5.0 Web browser about a vulnerability in IE 5's ImportExportFavorites that could let an attacker take the user's computer hostage. This feature could allow a malicious Web site operator to run executable code on the computer of someone who visits that Web site. "The net result is that a malicious Web site operator potentially could take any action on the computer that the user would be capable of taking," warned Microsoft in a security alert. More info.

http://news.cnet.com/news/0-1005-200-117462.html?tag=st.ne.1002.thed.1005-200-117462

IE 5 bug leaves computers open to invasion

By Paul Festa
Staff Writer, CNET News.com
September 13, 1999, 9:40 a.m. PT

Microsoft is warning users of its Internet Explorer 5.0 Web browser about a security hole that could let an attacker take the user's computer hostage.

The vulnerability is in IE 5's ImportExportFavorites feature, which lets users import and export lists of commonly accessed Web addresses. The trouble is that the feature lets a malicious Web site operator run executable code on the computer of someone who visits that Web site.

"The net result is that a malicious Web site operator potentially could take any action on the computer that the user would be capable of taking," warned Microsoft in a security alert.
Microsoft said IE 5 users can disable Active Scripting to protect themselves pending the release of a patch.

Scripting lets Web authors run mini applications, or "scripts," on a visitor's computer that operate without the user's interaction. Scripting typically is used on Web sites for functions like launching pop-up windows or scrolling text across the screen.

Microsoft posted a list of frequently asked questions, which includes instructions for disabling Active Scripting.

Microsoft acknowledged Bulgarian bug hunter Georgi Guninski for discovering the security hole. Guninski has been credited for discovering numerous security holes in Microsoft and America Online's Web browsers, many exploiting unintended effects of Web scripting capabilities.

Guninski reported a similar hole in IE two weeks ago. Microsoft patched yet another hole in IE's armor the same week.

@HWA

52.0 US OFFERS RUSSIA TO HELP TRASH ISLAMIC MILITANT SITES
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From Help Net Security http://www.net-security.org/

by Thejian, Monday 13th September 1999 on 10:00 pm CET

The FBI has offered Russia a helping hand in cleaning up the Web from Islamic militants fighting in Dagestan. According to a report by the BBC the Feds have offered to trash Web sites set up by Islamic militants and "eliminate" them. Read (a bit) more.

http://www.theregister.co.uk/990910-000023.html

Posted 10/09/99 3:33pm by Tim Richardson

US helps Russia trash Islamic militant Web sites

The FBI has offered Russia a helping hand in cleaning up the Web from Islamic militants fighting in Dagestan.

According to a report by the BBC the Feds have offered to trash Web sites set up by Islamic militants and "eliminate" them.

Although there has been no official confirmation it would not be the first time such tactics have been used in international disputes.
Earlier this year it was reported that the CIA had been given the go-ahead by President Clinton to wage a cyberwar against Yugoslav leader Slobodan Milosevic.

Tim Richardson

@HWA

53.0 RUSSIAN HACKERS REPORTEDLY ACCESSED US MILITARY SECRETS
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From Help Net Security http://www.net-security.org/

by Thejian, Sunday 12th September 1999 on 11:00 pm CET

Russian hackers broke into U.S. government computers and may have snatched classified naval codes and information on missile systems, Newsweek reported in its latest issue. The weekly, quoting intelligence sources, said the suspects were elite cyber-spooks from the Russian Academy of Sciences, a government-backed organization which works with Russia's leading military laboratories. Newsweek quoted one Pentagon official as saying this was "a state-sponsored Russian intelligence effort to get U.S. technology," adding it was apparently the first such attempt by Moscow. It further quoted Deputy Defense Secretary John Hamre as saying: "We're in the middle of a cyber war." Full story.

http://www.techserver.com/noframes/story/0,2294,92270-146247-1027890-0,00.html

Russian hackers reportedly accessed U.S. military secrets

Copyright © 1999 Nando Media
Copyright © 1999 Agence France-Press

From Time to Time: Nando's in-depth look at the 20th century

WASHINGTON (September 12, 1999 2:03 p.m. EDT http://www.nandotimes.com) - Russian hackers broke into U.S. government computers and may have snatched classified naval codes and information on missile systems, Newsweek reported in its latest issue.

The weekly, quoting intelligence sources, said the suspects were elite cyber-spooks from the Russian Academy of Sciences, a government-backed organization which works with Russia's leading military laboratories.

The hackers targeted computer systems at the Defense and Energy Departments, military contractors and leading civilian universities.
Pentagon officials, describing the intrusions as "sophisticated, patient and persistent," said they began in January and were almost immediately detected by U.S. security agents who traced them back to computers in Russia and developed counter-measures, according to Newsweek.

But the cyber-spies were said to have quickly developed new tools that allowed them to penetrate undetected, although they at times left behind electronic traces.

Newsweek quoted one Pentagon official as saying this was "a state-sponsored Russian intelligence effort to get U.S. technology," adding it was apparently the first such attempt by Moscow.

The weekly said Washington had not yet protested to Moscow but quoted Deputy Defense Secretary John Hamre as saying: "We're in the middle of a cyber war."

It said the security breach was so serious that the Pentagon had ordered its civilian and military employees to change their computer passwords, the first time such a step has been taken.

@HWA

-=----------=- -=----------=- -=----------=- -=----------=-
                      O 0 o O O O 0
-=----------=- -=----------=- -=----------=- -=----------=- -=----------=-

END of main news articles content... read on for ads, humour, hacked websites etc

-=----------=- -=----------=- -=----------=- -=----------=- -=----------=-

HWA.hax0r.news AD.S ADVERTI$ING. The HWA black market ADVERTISEMENT$.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

*****************************************************************************
*                                                                           *
*        ATTRITION.ORG     http://www.attrition.org                         *
*        ATTRITION.ORG     Advisory Archive, Hacked Page Mirror             *
*        ATTRITION.ORG     DoS Database, Crypto Archive                     *
*        ATTRITION.ORG     Sarcasm, Rudeness, and More.                     *
*                                                                           *
*****************************************************************************

www.2600.com www.freekevin.com www.kevinmitnick.com

########################################
# Support 2600.com and the Free Kevin  #
# defense fund site, visit it now!     #
#             FREE KEVIN!              #
########################################

One of our sponsors, visit them now www.csoft.net

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
* WWW.BIZTECHTV.COM/PARSE WEDNESDAYS AT 4:30PM EST, HACK/PHREAK CALL-IN WEBTV *
* JOIN #PARSE FOR LIVE PARTICIPATION IN SHOW CHAT OR THE WEBCHAT, AND WEBBOARD*
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
* WWW.2600.COM OFF THE HOOK LIVE NETCAST'S TUES SIMULCAST ON WBAI IN NYC @8PM *
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

//////////////////////////////////////////////////////////////////////////////
// To place an ad in this section simply type it up and email it to        //
// hwa@press.usmc.net, put AD! in the subject header please. - Ed          //
//////////////////////////////////////////////////////////////////////////////

@HWA

HA.HA Humour and puzzles ...etc
      ~~~~~~~~~~~~~~~~~~~~~~~~~

Don't worry. worry a *lot*

Send in submissions for this section please! ............c'mon, you KNOW you wanna...yeah you do...make it fresh and new...be famous...
Send in your ASCII Art TOO, for inclusion in future issues

Do the HWA logo etc and we'll showcase it here to show off your talents...remember the 80's? dig out those ascii editors and do yer best...

High Tech Computer Sales Jargon

NEW - Different color from previous design
ALL NEW - Parts not interchangeable with previous design
EXCLUSIVE - Imported product
UNMATCHED - Almost as good as the competition
DESIGNED SIMPLICITY - Manufacturer's cost cut to the bone
FOOLPROOF OPERATION - No provision for adjustments
ADVANCED DESIGN - The advertising agency doesn't understand it
IT'S HERE AT LAST! - Rush job; Nobody knew it was coming
FIELD-TESTED - Manufacturer lacks test equipment
HIGH ACCURACY - Unit on which all parts fit
DIRECT SALES ONLY - Factory had big argument with distributor
YEARS OF DEVELOPMENT - We finally got one that works
REVOLUTIONARY - It's different from our competitors
BREAKTHROUGH - We finally figured out a way to sell it
FUTURISTIC - No other reason why it looks the way it does
DISTINCTIVE - A different shape and color than the others
MAINTENANCE-FREE - Impossible to fix
RE-DESIGNED - Previous faults corrected, we hope...
HAND-CRAFTED - Assembly machines operated without gloves on
PERFORMANCE PROVEN - Will operate through the warranty period
MEETS ALL STANDARDS - Ours, not yours
ALL SOLID-STATE - Heavy as Hell!
BROADCAST QUALITY - Gives a picture and produces noise
HIGH RELIABILITY - We made it work long enough to ship it
SMPTE BUS COMPATIBLE - When completed, will be shipped by Greyhound
NEW GENERATION - Old design failed, maybe this one will work
MIL-SPEC COMPONENTS - We got a good deal at a government auction
CUSTOMER SERVICE ACROSS THE COUNTRY - You can return it from most airports
UNPRECEDENTED PERFORMANCE - Nothing we ever had before worked THIS way
BUILT TO PRECISION TOLERANCES - We finally got it to fit together
SATISFACTION GUARANTEED - Manufacturer's, upon cashing your check
MICROPROCESSOR CONTROLLED - Does things we can't explain
LATEST AEROSPACE TECHNOLOGY - One of our techs was laid off by Boeing

@HWA

SITE.1

#1 http://www.in.tum.de/~pircher/anonymouse/

Anonymous Email, WWW and surfing. A sample of a message sent from the anonymous replay remailer is included below. This message arrived within 15 minutes of me sending it from the WWW. Check this site out before it gets closed down/becomes pay.

Email sent using the remailer;

Return-Path:
Received: from physical.graffiti.datacrest.com (physical.graffiti.datacrest.com [205.241.5.77])
Delivered-To: dok-cruciphux@dok.org
Received: (qmail 5532 invoked from network); 19 Sep 1999 18:45:25 -0000
Received: from basement.replay.com (HELO mail.replay.com) (194.109.9.44)
  by physical.graffiti.datacrest.com with SMTP; 19 Sep 1999 18:45:25 -0000
Received: (from remailer@localhost)
  by mail.replay.com (8.9.2/8.9.2) id UAA28531;
  Sun, 19 Sep 1999 20:44:57 +0200 (CEST)
Date: Sun, 19 Sep 1999 20:44:57 +0200 (CEST)
Message-Id: <199909191844.UAA28531@mail.replay.com>
From: Anonymous
Comments: This message did not originate from the Sender address above.
  It was remailed automatically by anonymizing remailer software.
  Please report problems or inappropriate use to the
  remailer administrator at .
To: cruciphux@dok.org

You can Send in submissions for this section too if you've found a cool site...
anonymous email
-------------------------------------------------------------
Sent with AnonEmail at http://anonymouse.home.pages.de/

-=-

#2 http://lynx.neu.edu/z/zbrown/ug.html

From smog.cjb.net (remodelled, check it out!)

Origami is the art of "modelling" paper, erotism is the art of naked bodies. See these two mix in Zak Brown Underground origami page. See the dollar bill vagina...etc

@HWA

H.W Hacked websites
    ~~~~~~~~~~~~~~~~

Note: The hacked site reports stay, especially with some cool hits by groups like *H.A.R.P, go get em boyz racism is a mugs game! - Ed

* Hackers Against Racist Propaganda (See issue #7)

Haven't heard from Catharsys in a while for those following their saga visit http://frey.rapidnet.com/~ptah/ for 'the story so far'...

Mass Defacement
By: L0rdMyst1cal
Mirror: http://www.attrition.org/mirror/attrition/1999/09/17/www.herreramedia.com
OS: NT
Domains:
www.tental.com
www.herreramedia.com
www.worldtek.net
www.danwebb.com
www.elixirs.com
www.brownsweb.com
www.jodo.com
www.voyagergroup.net
www.softwarepundits.com
www.crowe.org
www.mayhewandassoc.com
www.cruisinco.com

[--------------------------------------------------------------------SNIP

Uh oh...It seems we have a small security problem here..LoL.

This page is 0wned by L0rdM1stycal. AkA W4rl0rD

I am g0d. h0 h0 h0 h0 naw, just kiddin, this site was h4x0r3d by santa clause....

How d0es it feel t0 be 0wned lewzer?

The fact of the matter happens to be, the newz and the press, and the government all get the wrong idea of what a hacker really is, it kinda makes me sick, i'm doing this for edjucational perposes ONLY, and i'm doing it because it's fun, and i'm doing it because i'm smarter then you, but the main reason that i'm doing all this is because i'm g0d, naw, just kidding, i'm actually doing it, because you IDIOTS out there have no idea what hacking really is. If i see this on the newz and i hear a hacker did it, i'm going to hack 80 more pages, why?
because what i just did isnt hacking, i diddn't delete anything, i diddn't fuck anything up, all they have 2 do is re-upload index.html or index.htm whichever it happens to be on that particular server. The point is i CRACKED this page, i diddn't HACK it, you people need to learn the difference between the 2, and stop badgering real hackers because of what some lamer did.

"This moment in history shall always be remembed, know thy name, but never know they face" -99 L0rdMyst1cal

[--------------------------------------------------------------------SNIP

Latest cracked pages courtesy of attrition.org

Last Updated: 09/16/99 at 14:30

The Nasdaq Stock Market Web page (www.nasdaq-amex.com)
Penghu Islands National Scenic Area, Republic Of China (www.tbrocph.gov.tw)
L'Association des maires de France (www.amf.asso.fr)
CompuCentre (www.compucentre.net.au)
The HITman (www.hitman.hm)
Elite Hangout (www.elitehangout.com) #2
Ministry of Civil Service, Republic of China (www.mocs.gov.tw)
Taiwan Traffic Bureau, Republic Of China (www.tbrocecnsa.gov.tw)
Millennium Computers and Technology Center (www.scmctc.com)
Catholic Men (www.catholic-men.org)
National Guard Bureau (ngbsc2.ngb.army.mil)
Shop-With-Me Wines (wines.shopwithme.com)
Maos Realty (www.maosrealty.com)
Agape (www.agape.ne.jp)
Expoente (BR) (expoente.com.br)
Montelane (www.montelane.com)

and more sites at the attrition cracked web sites mirror:

http://www.attrition.org/mirror/attrition/index.html

-------------------------------------------------------------------------

A.0 APPENDICES
_________________________________________________________________________

A.1 PHACVW, sekurity, security, cyberwar links
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The links are no longer maintained in this file, there is now a links section on the http://welcome.to/HWA.hax0r.news/ url so check there for current links etc.
The hack FAQ (The #hack/alt.2600 faq)
http://www-personal.engin.umich.edu/~jgotts/underground/hack-faq.html

Hacker's Jargon File (The quote file)
http://www.lysator.liu.se/hackdict/split2/main_index.html

New Hacker's Jargon File.
http://www.tuxedo.org/~esr/jargon/

HWA.hax0r.news Mirror Sites around the world:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

http://www.sysbreakers.com/hwa ** NEW **
http://www.attrition.org/hosted/hwa/
http://www.attrition.org/~modify/texts/zines/HWA/
http://www.hackunlimited.com/files/secu/papers/hwa/ ** NEW **
http://www.ducktank.net/hwa/issues.html. ** NEW **
http://www.alldas.de/hwaidx1.htm ** NEW **
http://www.csoft.net/~hwa/
http://www.digitalgeeks.com/hwa.*DOWN*
http://members.tripod.com/~hwa_2k
http://welcome.to/HWA.hax0r.news/
http://www.attrition.org/~modify/texts/zines/HWA/
http://archives.projectgamma.com/zines/hwa/.
http://www.403-security.org/Htmls/hwa.hax0r.news.htm
http://viper.dmrt.com/files/=E-Zines/HWA.hax0r.news/
http://hwa.hax0r.news.8m.com/
http://www.fortunecity.com/skyscraper/feature/103/

International links:(TBC)
~~~~~~~~~~~~~~~~~~~~~~~~~

Foreign correspondents and others please send in news site links that have security news from foreign countries for inclusion in this list thanks...
- Ed

Belgium.......: http://bewoner.dma.be/cum/
Brasil........: http://www.psynet.net/ka0z
                http://www.elementais.cjb.net
Canada .......: http://www.hackcanada.com
Columbia......: http://www.cascabel.8m.com
                http://www.intrusos.cjb.net
Finland.......: http://hackunlimited.com/
Germany.......: http://www.alldas.de/
                http://www.security-news.com/
Indonesia.....: http://www.k-elektronik.org/index2.html
                http://members.xoom.com/neblonica/
                http://hackerlink.or.id/
Netherlands...: http://security.pine.nl/
Russia........: http://www.tsu.ru/~eugene/
Singapore.....: http://www.icepoint.com
South Africa..: http://www.hackers.co.za
                http://www.hack.co.za
                http://www.posthuman.za.net
Turkey........: http://www.trscene.org - Turkish Scene is Turkey's first and best security related e-zine.

.za (South Africa) sites contributed by wyzwun tnx guy...

Got a link for this section? email it to hwa@press.usmc.net and i'll review it and post it here if it merits it.

@HWA

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-
--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--

© 1998, 1999 (c) Cruciphux/HWA.hax0r.news (R) { w00t }

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-
--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-

[ 28 63 29 20 31 39 39 39 20 63 72 75 63 69 70 68 75 78 20 68 77 61 ]
[45:6E:64]-[28:63:29:31:39:39:38:20:68:77:61:20:73:74:65:76:65]