[63 29 20 31 39 39 39 20 63 72 75 63 69 70 68 75 78 20 68 77 61 ]

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=
==========================================================================
=                        <=-[ HWA.hax0r.news ]-=>                        =
==========================================================================
[=HWA'99/2000=]  Number 46 Volume 1  1999  Dec 12th 99
==========================================================================
[ 61:20:6B:69:64:20:63:6F:75: ]
[ 6C:64:20:62:72:65:61:6B:20:74:68:69:73: ]
[ 20:22:65:6E:63:72:79:70:74:69:6F:6E:22:! ]
==========================================================================

"This newsletter/ezine has been Declassified for the phearing impaired"

[ Coverage ]

This is #46 covering Dec 6th to Dec 12th (** #47 covers Dec 13th to 19th)
==========================================================================
"ABUSUS NON TOLLIT USUM"
==========================================================================
Mailing list members: 447

Can we bump this up somewhat? Spread the word!
==========================================================================

Today the spotlight may be on you, some interesting machines that have
accessed these archives recently...

[ Hot Hits ]

.gov and .mil activity

proxy.gintic.gov.sg
doegate.doe.gov
sunspot.gsfc.nasa.gov
gate1.mcbh.usmc.mil
homer.nawcad.navy.mil
maggie.nawcad.navy.mil
lisa.nawcad.navy.mil
msproxy.transcom.mil
b-kahuna.hickam.af.mil
sc034ws109.nosc.mil
infosec.se
gate2.mcbutler.usmc.mil
sc034ws109.nosc.mil
shq-ot-1178.nosc.mil
dhcp-036190.scott.af.mil
mcreed.lan.teale.ca.gov
dodo.nist.gov
mc1926.mcclellan.af.mil
kwai11.nsf.gov
enduser.faa.gov
vasfw02,fdic.gov
lisa.defcen.gov.au
ps1.pbgc.gov
guardian.gov.sg
amccss229116.scott.af.mil
sc022ws224.nosc.mil
sheppard2.hurlburt.af.mil
marshall.us-state.gov
digger1.defence.gov.au
firewall.mendoza.gov.ar
ipaccess.gov.ru
gatekeeper.itsec-debis.de
fgoscs.itsec-debis.de
fhu-ed4ccdf.fhu.disa.mil
citspr.tyndall.af.mil
kelsatx2.kelly.af.mil
kane.sheppard.af.mil
relay5.nima.mil
host.198-76-34-33.gsa.gov
ntsrvr.vsw.navy.mil
saic2.nosc.mil
wygate.wy.blm.gov
mrwilson.lanl.gov
p722ar.npt.nuwc.navy.mil
ws088228.ramstein.af.mil
car-gw.defence.gov.au
unknown-c-23-147.latimes.com
nytgate1.nytimes.com

There are some interesting machines among these, the *.nosc.mil boxes are
from SPAWAR information warfare centres, good to see our boys keeping up
with the news...
- Ed

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=

[ HWA.hax0r.news ]

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=
                      http://welcome.to/HWA.hax0r.news/
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=

@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@
   The HWA website is sponsored by CUBESOFT communications. I highly
   recommend you consider these people for your web hosting needs.

   Web site sponsored by CUBESOFT networks   http://www.csoft.net
   Check them out for great fast web hosting!

                       http://www.csoft.net/~hwa
@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=

[ Hacker's Ethic ]

Sadly, due to the traditional ignorance and sensationalizing of the mass
media, the once-noble term hacker has become a pejorative. Among true
computer people, being called a hacker is a compliment. One of the traits
of the true hacker is a profoundly antibureaucratic and democratic spirit.
That spirit is best exemplified by the Hacker's Ethic. This ethic was best
formulated by Steven Levy in his 1984 book Hackers: Heroes of the Computer
Revolution. Its tenets are as follows:

  1 - Access to computers should be unlimited and total.
  2 - All information should be free.
  3 - Mistrust authority - promote decentralization.
  4 - Hackers should be judged by their hacking, not bogus criteria such
      as degrees, age, race, or position.
  5 - You create art and beauty on a computer.
  6 - Computers can change your life for the better.

The Internet as a whole reflects this ethic.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=

[ Formatting ]

A Comment on FORMATTING:

Oct'99 - Started 80 column mode format, code is still left untouched since
formatting will destroy syntax.

I received an email recently about the formatting of this newsletter,
suggesting that it be formatted to 75 columns. In the past I've endeavoured
to format all text to 80 cols except for articles and site statements and
URLs which are posted verbatim. I've decided to continue with this method
unless more people complain. The zine is best viewed in 1024x768 mode with
UEDIT....

- Ed

BTW if anyone can suggest a better editor than UEDIT for this thing send me
some email, I'm finding it lacking in certain areas. Must be able to produce
standard ASCII.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=

[ Mirrors ]

New mirror sites

*** http://viper.dmrt.com/files/=E-Zines/HWA.hax0r.news/
*** http://datatwirl.intranova.net
* NEW * http://the.wiretapped.net/security/textfiles/hWa.hax0r.news/
http://net-security.org/hwahaxornews
http://www.sysbreakers.com/hwa
http://www.attrition.org/hosted/hwa/
http://www.ducktank.net/hwa/issues.html.
http://hwazine.cjb.net/
http://www.hackunlimited.com/files/secu/papers/hwa/
http://www.attrition.org/~modify/texts/zines/HWA/
* http://hwa.hax0r.news.8m.com/
* http://www.fortunecity.com/skyscraper/feature/103/

*   Crappy free sites but they offer 20M & I need the space...
**  Some issues are not located on these sites since they exceed the file
    size limitations imposed by the sites :-( please only use these if no
    other recourse is available.
*** Most likely to be up to date other than the main site.

HWA.hax0r.news is sponsored by Cubesoft communications www.csoft.net, thanks
to airportman for the Cubesoft bandwidth. Also shouts out to all our mirror
sites! and p0lix for the (now expired) digitalgeeks archive, tnx guys.

http://www.csoft.net/~hwa

HWA.hax0r.news Mirror Sites:
~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://the.wiretapped.net/security/textfiles/hWa.hax0r.news/
http://www.attrition.org/hosted/hwa/
http://www.attrition.org/~modify/texts/zines/HWA/
http://www.ducktank.net/hwa/issues.html.            ** NEW **
http://www.alldas.de/hwaidx1.htm                    ** NEW ** CHECK THIS ONE OUT **
http://www.csoft.net/~hwa/
http://www.digitalgeeks.com/hwa.                    *DOWN*
http://members.tripod.com/~hwa_2k
http://welcome.to/HWA.hax0r.news/
http://www.attrition.org/~modify/texts/zines/HWA/
http://www.projectgamma.com/archives/zines/hwa/
http://www.403-security.org/Htmls/hwa.hax0r.news.htm

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=

[ Synopsis ]

SYNOPSIS (READ THIS)
--------------------

The purpose of this newsletter is to 'digest' current events of interest
that affect the online underground and netizens in general. This includes
coverage of general security issues, hacks, exploits, underground news and
anything else I think is worthy of a look see. (Remember I'm doing this for
me, not you; the fact some people happen to get a kick/use out of it is of
secondary importance.)

This list is NOT meant as a replacement for, nor to compete with, the likes
of publications such as CuD or PHRACK or with news sites such as AntiOnline,
the Hacker News Network (HNN) or mailing lists such as BUGTRAQ or ISN, nor
could any other 'digest' of this type do so. It *is* intended however, to
complement such material and provide a reference to those who follow the
culture by keeping tabs on as many sources as possible and providing links
to further info. It's a labour of love and will be continued for as long as
I feel like it; I'm not motivated by dollars or the illusion of fame. Did
you ever notice how the most famous/infamous hackers are the ones that get
caught? There's a lot to be said for remaining just outside the circle...

@HWA

=-----------------------------------------------------------------------=
                    Welcome to HWA.hax0r.news ...
=-----------------------------------------------------------------------=

We could use some more people joining the channel, it's usually pretty
quiet, we don't bite (usually) so if you're hanging out on irc stop by and
idle a while and say hi...

**************************************************************************

[ Efnet ]

                    Eris Free Net #HWA.hax0r.news

**************************************************************************
*** /join #HWA.hax0r.news on EFnet, the key is `zwen' when keyed       ***
***                                                                    ***
*** please join to discuss or impart news on from the zine and around  ***
*** the zine or just to hang out, we get some interesting visitors you ***
*** could be one of em.                                                ***
***                                                                    ***
*** Note that the channel isn't there to entertain you, its purpose is ***
*** to bring together people interested and involved in the underground***
*** to chat about current and recent events etc, do drop in to talk or ***
*** hangout. Also if you want to promo your site or send in news tips  ***
*** it's the place to be, just remember we're not #hack or #chatzone... ***
**************************************************************************

=--------------------------------------------------------------------------=

[ Contents ]

=--------------------------------------------------------------------------=
                                 [ INDEX ]
=--------------------------------------------------------------------------=
 Key     Intros
=--------------------------------------------------------------------------=

00.0 .. COPYRIGHTS ......................................................
00.1 .. CONTACT INFORMATION & SNAIL MAIL DROP ETC .......................
00.2 .. SOURCES .........................................................
00.3 .. THIS IS WHO WE ARE ..............................................
00.4 .. WHAT'S IN A NAME? why `HWA.hax0r.news'?..........................
00.5 .. THE HWA_FAQ V1.0 ................................................

ABUSUS NON TOLLIT USUM? This is (in case you hadn't guessed) Latin, and
loosely translated it means "Just because something is abused, it should
not be taken away from those who use it properly." This is our new motto.

=--------------------------------------------------------------------------=
 Key     Content
=--------------------------------------------------------------------------=

01.0 .. GREETS ..........................................................
01.1 .. Last minute stuff, rumours, newsbytes ...........................
01.2 .. Mailbag .........................................................
02.0 .. From the Editor..................................................
03.0 .. Melissa conviction to stop virus writers?........................
04.0 .. Government asks hackers for Y2K break............................
05.0 .. China Upholds Death Sentence For Electronic Intruder ............
06.0 .. Symantec Discovers Another Worm .................................
07.0 .. EPIC Sues NSA Over Echelon ......................................
08.0 .. Wyoming Newspaper Attacked ......................................
09.0 .. DoD Offers Military Docs to Surfers .............................
10.0 .. NSA Funds Supercomputer Upgrade .................................
11.0 .. "I was a teenage nmapper"........................................
12.0 .. NIST Meeting Open To The Public .................................
13.0 .. NT Passes Government Security Certifications ....................
14.0 .. Mitnick's Codefendant Sentenced .................................
15.0 .. Videon Suffers Second Intrusion .................................
16.0 .. GSM Phones No Longer Secure .....................................
17.0 .. DARPA Looks At Face Recognition Technology ......................
18.0 .. More Info On the Phonemasters Revealed ..........................
19.0 .. Proactive AntiVirus Software Now Available ......................
20.0 .. South African Web Pages Defaced .................................
21.0 .. Not Just a Game Anymore .........................................
22.0 .. Y2K Fix Really An Extensible Worm ...............................
23.0 .. Distributed DoS Attacks Becoming Popular ........................
24.0 .. FBI to Remain on Alert Over Y2K .................................
25.0 .. IOPS Sets Up Y2K Watch Center ...................................
26.0 .. IDs Embedded In All Color Copies ................................
27.0 .. Valiant of Halcon Speaks ........................................
28.0 .. Scholarships for Surfing ........................................
29.0 .. Dec 8th HNN Rumours..............................................
30.0 .. Alleged Melissa Creator May Plead Guilty ........................
31.0 .. Non-Anonymous Internet Violates First Amendment .................
32.0 .. OSU Charges Two With Illegal Access .............................
33.0 .. Microsoft Files Lawsuit Against Online Pirates ..................
34.0 .. CERT Releases Distributed Attack Paper ..........................
35.0 .. PWC Finds Serious Weaknesses in Pension Fund Company ............
36.0 .. Freaks Macintosh Archives CD ....................................
37.0 .. Nortel Releases Personal Hardware Firewall ......................
38.0 .. sSh/Dap interview by Sla5h.......................................
39.0 .. Melissa Creator Pleads Guilty ...................................
40.0 .. Privacy of US Military Officers Breached ........................
41.0 .. Commerce Dept. Introduces New Security Initiative ...............
42.0 .. Attrition Celebrates One Year Birthday ..........................
43.0 .. Russian Echelon? ................................................
44.0 .. Russian Bug Did Frequency-Hopping ...............................
45.0 .. Security Focus Newsletter #18....................................

=-------------------------------------------------------------------------------=

AD.S .. Post your site ads or etc here, if you can offer something in
        return that's tres cool, if not we'll consider ur ad anyways so
        send it in. Ads for other zines are ok too btw, just mention us in
        yours, please remember to include links and an email contact.
        Corporate ads will be considered also and if your company wishes
        to donate to or participate in the upcoming Canc0n99 event send in
        your suggestions and ads now... n.b. date and time may be pushed
        back, join the mailing list for up to date information............
        Current dates: POSTPONED til further notice, place: TBA..........

Ha.Ha .. Humour and puzzles ............................................
         Hey You!........................................................
         =------=........................................................
         Send in humour for this section!
         I need a laugh and it's hard to find good stuff... ;)...........

SITE.1 .. Featured site, .................................................
H.W    .. Hacked Websites ...............................................
A.0    .. APPENDICES......................................................
A.1    .. PHACVW linx and references......................................

=--------------------------------------------------------------------------=

@HWA'99

00.0 (C) COPYRIGHT, (K)OPYWRONG, COPYLEFT? V2.0
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

[ Legal ]

THE OPINIONS OF THE WRITERS DO NOT NECESSARILY REFLECT THE OPINIONS OF THE
PUBLISHERS AND VICE VERSA. IN FACT WE DUNNO WTF IS GONNA TAKE RESPONSIBILITY
FOR THIS, I'M NOT DOING IT (LOTS OF "ME EITHER"S RESOUND IN THE BACKGROUND)
SO UHM JUST READ IT AND IF IT BUGS YOU WELL TFS (SEE FAQ).

Important semi-legalese and license to redistribute:

YOU MAY DISTRIBUTE THIS ZINE WITHOUT PERMISSION FROM MYSELF AND ARE GRANTED
THE RIGHT TO QUOTE ME OR THE CONTENTS OF THE ZINE SO LONG AS Cruciphux
AND/OR HWA.hax0r.news ARE MENTIONED IN YOUR WRITING. LINKS ARE NOT
NECESSARY OR EXPECTED BUT ARE APPRECIATED. The current link is
http://welcome.to/HWA.hax0r.news

IT IS NOT MY INTENTION TO VIOLATE ANYONE'S COPYRIGHTS OR BREAK ANY
NETIQUETTE IN ANY WAY. IF YOU FEEL I'VE DONE THAT PLEASE EMAIL ME PRIVATELY,
current email cruciphux@dok.org

THIS DOES NOT CONSTITUTE ANY LEGAL RIGHTS, IN THIS COUNTRY ALL WORKS ARE
(C) AS SOON AS COMMITTED TO PAPER OR DISK, IF ORIGINAL. THE LAYOUT AND
COMMENTARIES ARE THEREFORE (C) WHICH MEANS: I RETAIN ALL RIGHTS, BUT I GIVE
YOU THE RIGHT TO READ, QUOTE AND REDISTRIBUTE/MIRROR.

- EoD

Although this file and all future issues are now copyright, some of the
content holds its own copyright and these are printed and respected. News
is news so I'll print any and all news but will quote sources when the
source is known; if it's good enough for CNN it's good enough for me. And
I'm doing it for free on my own time so pfffft. :)

No monies are made or sought through the distribution of this material. If
you have a problem or concern email me and we'll discuss it.

cruciphux@dok.org

Cruciphux [C*:.]

00.1 CONTACT INFORMATION AND MAIL DROP
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

[ Contacts ]

Wahoo, we now have a mail-drop, if you are outside of the U.S.A or Canada /
North America (hell even if you are inside ..) and wish to send printed
matter like newspaper clippings, a subscription to your cool foreign
hacking zine or photos, small non-explosive packages or sensitive
information etc etc well, now you can. (w00t) please no more inflatable
sheep or plastic dog droppings, or fake vomit thanks.

Send all goodies to:

                HWA NEWS
                P.O BOX 44118
                370 MAIN ST. NORTH
                BRAMPTON, ONTARIO
                CANADA
                L6V 4H5

WANTED!: POSTCARDS! YESH! POSTCARDS, I COLLECT EM so I know a lot of you are
~~~~~~~  reading this from some interesting places, make my day and get a
mention in the zine, send in a postcard. I realize that some places it is
cost prohibitive but if you have the time and money be a cool dude / gal
and send a poor guy a postcard, preferably one that has some scenery from
your place of residence for my collection. I collect stamps too so you kill
two birds with one stone by being cool and mailing in a postcard, return
address not necessary, just a "hey guys being cool in Bahrain, take it
easy" will do ... ;-) thanx.

Ideas for interesting 'stuff' to send in apart from news:

- Photo copies of old system manual front pages (optionally signed by you) ;-)
- Photos of yourself, your mom, sister, dog and or cat in a NON compromising
  position plz I don't want pr0n.
- Picture postcards
- CD's, 3.5" disks, Zip disks, 5.25" or 8" floppies, Qic40/80/100-250 tapes
  with hack/security related archives, logs, irc logs etc on em.
- audio or video cassettes of yourself/others etc of interesting phone fun
  or social engineering examples or transcripts thereof.

Stuff you can email:

- Prank phone calls in .ram or .mp* format
- Fone tones and security announcements from PBX's etc
- fun shit you sampled off yer scanner (relevant stuff only like #2600
  meeting activities)
- reserved for one smiley face -> :-) <-
- PHACV lists of files that you have or phac cd's you own (we have a
  burner, *g*)
- burns of phac cds (email first to make sure we don't already have em)
- Any and all telephone sounds/tones/beeps/trunk drops/line tests/etc in
  .ram etc format or .mp*

If you still can't think of anything you're probably not that interesting a
person after all so don't worry about it

Our current email:

Submissions/zine gossip.....: hwa@press.usmc.net
Private email to editor.....: cruciphux@dok.org
Distribution/Website........: sas2@usa.net

@HWA

00.2 Sources ***
     ~~~~~~~~~~~

[ Sources ]

Sources can be some, all, or none of the following (by no means complete
nor listed in any degree of importance). Unless otherwise noted, like msgs
from lists or news from other sites, articles and information is compiled
and or sourced by Cruciphux, no copyright claimed.

News & I/O zine ..................http://www.antionline.com/
Back Orifice/cDc..................http://www.cultdeadcow.com/
News site (HNN) ..................http://www.hackernews.com/
Help Net Security.................http://net-security.org/
News,Advisories,++ .(lophtcrack)..http://www.l0pht.com/
NewsTrolls .(daily news ).........http://www.newstrolls.com/
News + Exploit archive ...........http://www.rootshell.com/beta/news.html
CuD Computer Underground Digest...http://www.soci.niu.edu/~cudigest
News site+........................http://www.zdnet.com/
News site+Security................http://www.gammaforce.org/
News site+Security................http://www.projectgamma.com/
News site+Security................http://securityhole.8m.com/
News site+Security related site...http://www.403-security.org/
News/Humour site+ ................http://www.innerpulse.com
News/Techie news site.............http://www.slashdot.org

+Various mailing lists and some newsgroups, such as ...
+other sites available on the HNN affiliates page, please see
 http://www.hackernews.com/affiliates.html as they seem to be popping up
 rather frequently ...

http://www.the-project.org/ .. IRC list/admin archives
http://www.anchordesk.com/ .. Jesse Berst's AnchorDesk

alt.hackers.malicious
alt.hackers
alt.2600
BUGTRAQ
ISN security mailing list
ntbugtraq
<+others>

NEWS Agencies, News search engines etc:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://www.cnn.com/SEARCH/
http://www.foxnews.com/search/cgi-bin/search.cgi?query=hack&days=0&wires=0&startwire=0
http://www.news.com/Searching/Results/1,18,1,00.html?querystr=hack
http://www.ottawacitizen.com/business/
http://search.yahoo.com.sg/search/news_sg?p=hack
http://www.washingtonpost.com/cgi-bin/search?DB_NAME=WPlate&TOTAL_HITLIST=20&DEFAULT_OPERATOR=AND&headline=&WITHIN_FIELD_NAME=.lt.event_date&WITHIN_DAYS=0&description=hack
http://www.zdnet.com/zdtv/cybercrime/
http://www.zdnet.com/zdtv/cybercrime/chaostheory/ (Kevin Poulsen's Column)

NOTE: See appendices for details on other links.
http://news.bbc.co.uk/hi/english/sci/tech/newsid_254000/254236.stm
http://freespeech.org/eua/        Electronic Underground Affiliation
http://ech0.cjb.net               ech0 Security
http://axon.jccc.net/hir/         Hackers Information Report
http://net-security.org           Net Security
http://www.403-security.org       Daily news and security related site

Submissions/Hints/Tips/Etc
~~~~~~~~~~~~~~~~~~~~~~~~~~

[ Submissions ]

All submissions that are `published' are printed with the credits you
provide, if no response is received by a week or two it is assumed that you
don't care whether the article/email is to be used in an issue or not and
may be used at my discretion.

Looking for:

Good news sites that are not already listed here OR on the HNN affiliates
page at http://www.hackernews.com/affiliates.html

Magazines (complete or just the articles) of breaking sekurity or hacker
activity in your region, this includes telephone phraud and any other
technological use, abuse hole or cool thingy. ;-) cut em out and send it to
the drop box.

- Ed

Mailing List Subscription Info   (Far from complete)   Feb 1999
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~   ~~~~~~~~~~~~~~~~~~~   ~~~~~~~~

ISS Security mailing list faq : http://www.iss.net/iss/maillist.html

ATTRITION.ORG's Website defacement mirror and announcement lists
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

http://www.attrition.org/mirror/attrition/
http://www.attrition.org/security/lists.html

--

defaced [web page defacement announce list]

This is a public LOW VOLUME (1) mail list to circulate news/info on
defaced web sites. To subscribe to Defaced, send mail to
majordomo@attrition.org with "subscribe defaced" in the BODY of the mail.

There will be two types of posts to this list:

1. brief announcements as we learn of a web defacement. this will include
   the site, date, and who signed the hack. we will also include a URL of
   a mirror of the hack.
2. at the end of the day, a summary will be posted of all the hacks of the
   day. these can be found on the mirror site listed under 'relevant links'

This list is for informational purposes only. Subscribing denotes your
acceptance of the following:

1. we have nothing to do with the hacks. at all.
2. we are only mirroring the work of OTHER people.
3. we can not be held liable for anything related to these hacks.
4. all of the points on the disclaimer listed below.

Under no circumstances may the information on this list be used to solicit
security business. You do not have permission to forward this mail to
anyone related to the domain that was defaced.

enjoy.

List maintainer: mcintyre@attrition.org
Hosted by: majordomo@attrition.org

Relevant Links:
  Disclaimer:       http://www.attrition.org/mirror/attrition/notes.html
  ATTRITION Mirror: http://www.attrition.org/mirror/

(1) It is low volume on a normal day. On days of many defacements, traffic
    may be increased. On a few days, it is a virtual mail flood. You have
    been warned. ;)

-=-

--

defaced summary [web page defacement announce list]

This is a low traffic mail list to announce all publicly defaced domains on
a given day. To subscribe to Defaced-Summary, send mail to
majordomo@attrition.org with "subscribe defaced-summary" in the BODY of the
mail.

There will be ONE type of post to this list:

1. a single nightly piece of mail listing all reported domains. the same
   information can be found on http://www.attrition.org/mirror/attrition/
   via sporadic updates.

This list is for informational purposes only. Subscribing denotes your
acceptance of the following:

1. we have nothing to do with the hacks. at all.
2. we are only mirroring the work of OTHER people.
3. we can not be held liable for anything related to these hacks.
4. all of the points on the disclaimer listed below.

Under no circumstances may the information on this list be used to solicit
security business. You do not have permission to forward this mail to
anyone related to the domain that was defaced.

enjoy.

List maintainer: jericho@attrition.org
Hosted by: majordomo@attrition.org

Relevant Links:
  Disclaimer:       http://www.attrition.org/mirror/attrition/notes.html
  ATTRITION Mirror: http://www.attrition.org/mirror/

-=-

defaced GM [web page defacement announce list]

This is a low traffic mail list to announce all publicly defaced government
and military domains on a given day. To subscribe to Defaced-GM, send mail
to majordomo@attrition.org with "subscribe defaced-gm" in the BODY of the
mail.

There will be ONE type of post to this list:

1. sporadic pieces of mail for each government (.gov) or military (.mil)
   system defaced. the same information can be found on
   http://www.attrition.org/mirror/attrition/ via sporadic updates.

This list is designed primarily for government and military personnel
charged with tracking security incidents on government run networks.

This list is for informational purposes only. Subscribing denotes your
acceptance of the following:

1. we have nothing to do with the hacks. at all.
2. we are only mirroring the work of OTHER people.
3. we can not be held liable for anything related to these hacks.
4. all of the points on the disclaimer listed below.

Under no circumstances may the information on this list be used to solicit
security business. You do not have permission to forward this mail to
anyone related to the domain that was defaced.

enjoy.

List maintainer: jericho@attrition.org
Hosted by: majordomo@attrition.org

Relevant Links:
  Disclaimer:       http://www.attrition.org/mirror/attrition/notes.html
  ATTRITION Mirror: http://www.attrition.org/mirror/

--

defaced alpha [web page defacement announce list]

This is a low traffic mail list to announce via alpha-numeric pagers, all
publicly defaced government and military domains on a given day. To
subscribe to Defaced-Alpha, send mail to majordomo@attrition.org with
"subscribe defaced-alpha" in the BODY of the mail.

There will be ONE type of post to this list:

1. sporadic pieces of mail for each government (.gov) or military (.mil)
   system defaced. the information will only include domain names. the
   same information can be found on
   http://www.attrition.org/mirror/attrition/ via sporadic updates.

This list is designed primarily for government and military personnel
charged with tracking security incidents on government run networks.
Further, it is designed for quick response and aimed at law enforcement
agencies like DCIS and the FBI.

To subscribe to this list, a special mail will be sent to YOUR
alpha-numeric pager. A specific response must be made within 12 hours of
receiving the mail to be subscribed. If the response is not received, it
is assumed the mail was not sent to your pager.

This list is for informational purposes only. Subscribing denotes your
acceptance of the following:

1. we have nothing to do with the hacks. at all.
2. we are only mirroring the work of OTHER people.
3. we can not be held liable for anything related to these hacks.
4. all of the points on the disclaimer listed below.

Under no circumstances may the information on this list be used to solicit
security business. You do not have permission to forward this mail to
anyone related to the domain that was defaced.

enjoy.

List maintainer: jericho@attrition.org
Hosted by: majordomo@attrition.org

Relevant Links:
  Disclaimer:       http://www.attrition.org/mirror/attrition/notes.html
  ATTRITION Mirror: http://www.attrition.org/mirror/

-=-

THE MOST READ:

BUGTRAQ - Subscription info
~~~~~~~~~~~~~~~~~~~~~~~~~~~

What is Bugtraq?

Bugtraq is a full-disclosure UNIX security mailing list, (see the info
file) started by Scott Chasin. To subscribe to bugtraq, send mail to
listserv@netspace.org containing the message body subscribe bugtraq. I've
been archiving this list on the web since late 1993.
It is searchable with glimpse and archived on-the-fly with hypermail. Searchable Hypermail Index; http://www.eecs.nwu.edu/~jmyers/bugtraq/index.html About the Bugtraq mailing list ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ The following comes from Bugtraq's info file: This list is for *detailed* discussion of UNIX security holes: what they are, how to exploit, and what to do to fix them. This list is not intended to be about cracking systems or exploiting their vulnerabilities. It is about defining, recognizing, and preventing use of security holes and risks. Please refrain from posting one-line messages or messages that do not contain any substance that can relate to this list`s charter. I will allow certain informational posts regarding updates to security tools, documents, etc. But I will not tolerate any unnecessary or nonessential "noise" on this list. Please follow the below guidelines on what kind of information should be posted to the Bugtraq list: + Information on Unix related security holes/backdoors (past and present) + Exploit programs, scripts or detailed processes about the above + Patches, workarounds, fixes + Announcements, advisories or warnings + Ideas, future plans or current works dealing with Unix security + Information material regarding vendor contacts and procedures + Individual experiences in dealing with above vendors or security organizations + Incident advisories or informational reporting Any non-essential replies should not be directed to the list but to the originator of the message. Please do not "CC" the bugtraq reflector address if the response does not meet the above criteria. Remember: YOYOW. You own your own words. This means that you are responsible for the words that you post on this list and that reproduction of those words without your permission in any medium outside the distribution of this list may be challenged by you, the author. 
For questions or comments, please mail me: chasin@crimelab.com (Scott Chasin)

UPDATED Sept/99 - Sent in by Androthi, tnx for the update
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I am pleased to inform you of several changes that will be occurring on June 5th. I hope you find them as exciting as I do.

BUGTRAQ moves to a new home
---------------------------

First, BUGTRAQ will be moving from its current home at NETSPACE.ORG to SECURITYFOCUS.COM. What is Security Focus you ask? Wait and read below. Other than the change of domains nothing of how the list is run changes. I am still the moderator. We play by the same rules.

Security Focus will be providing mail archives for BUGTRAQ. The archives go back longer than Netspace's and are more complete than Geek-Girl's.

The move will occur one week from today. You will not need to resubscribe. All your information, including subscription options will be moved transparently.

Any of you using mail filters (e.g. procmail) to sort incoming mail into mail folders by examining the From address will have to update them to include the new address. The new address will be:

BUGTRAQ@SECURITYFOCUS.COM

Security Focus will also be providing a free searchable vulnerability database.

BUGTRAQ es muy bueno
--------------------

It has also become apparent that there is a need for forums in the spirit of BUGTRAQ where non-English speaking people or people that don't feel comfortable speaking English can exchange information. As such I've decided to give BUGTRAQ in other languages a try.

BUGTRAQ will continue to be the place to submit vulnerability information, but if you feel more comfortable using some other language you can give the other lists a try. All relevant information from the other lists which have not already been covered here will be translated and forwarded on by the list moderator.
In the next couple of weeks we will be introducing BUGTRAQ-JP (Japanese) which will be moderated by Nobuo Miwa and BUGTRAQ-SP (Spanish) which will be moderated by CORE SDI S.A. from Argentina (the folks that brought you Secure Syslog and the SSH insertion attack).

What is Security Focus?
-----------------------

Security Focus is an exercise in creating a community and a security resource. We hope to be able to provide a medium where useful and successful resources such as BUGTRAQ can occur, while at the same time providing a comprehensive source of security information.

Aside from moving just BUGTRAQ over, the Geek-Girl archives (and the Geek Girl herself!) have moved over to Security Focus to help us with building this new community. The other staff at Security Focus are largely derived from long time supporters of Bugtraq and the community in general. If you are interested in viewing the staff pages, please see the 'About' section on www.securityfocus.com.

On the community creating front you will find a set of forums and mailing lists we hope you will find useful. A number of them are not scheduled to start for several weeks but starting today the following list is available:

* Incidents' Mailing List. BUGTRAQ has always been about the discussion of new vulnerabilities. As such I normally don't approve messages about break-ins, trojans, viruses, etc with the exception of wide spread cases (Melissa, ADM worm, etc). The other choice people are usually left with is email CERT but this fails to communicate this important information to others that may be potentially affected. The Incidents mailing list is a lightly moderated mailing list to facilitate the quick exchange of security incident information. Topical items include such things as information about rootkits, new trojan horses and viruses, source of attacks and tell-tale signs of intrusions.
To subscribe email LISTSERV@SECURITYFOCUS.COM with a message body of:

SUBS INCIDENTS FirstName, LastName

Shortly we'll also be introducing an Information Warfare forum along with ten other forums over the next two months. These forums will be built and moderated by people in the community as well as vendors who are willing to take part in the community building process.

*Note to the vendors here* We have several security vendors who have agreed to run forums where they can participate in the online communities. If you would like to take part as well, mail Alfred Huger, ahuger@securityfocus.com.

On the information resource front you find a large database of the following:

* Vulnerabilities. We are making accessible a free vulnerability database. You can search it by vendor, product and keyword. You will find detailed information on the vulnerability and how to fix it, as well as links to reference information such as email messages, advisories and web pages. You can search by vendor, product and keywords. The database itself is the result of culling through 5 years of BUGTRAQ plus countless other lists and news groups. It's a shining example of how thorough full disclosure has made a significant impact on the industry over the last half decade.

* Products. An incredible number of categorized security products from over two hundred different vendors.

* Services. A large and focused directory of security services offered by vendors.

* Books, Papers and Articles. A vast number of categorized security related books, papers and articles. Available to download directly from our servers when possible.

* Tools. A large array of free security tools. Categorized and available for download.

* News: A vast number of security news articles going all the way back to 1995.

* Security Resources: A directory to other security resources on the net.

As well as many other things such as an event calendar.
For your convenience the home-page can be personalized to display only information you may be interested in. You can filter by categories, keywords and operating systems, as well as configure how much data to display.

I'd like to thank the fine folks at NETSPACE for hosting the site for as long as they have. Their services have been invaluable.

I hope you find these changes for the best and the new services useful. I invite you to visit http://www.securityfocus.com/ and check it out for yourself. If you have any comments or suggestions please feel free to contact me at this address or at aleph1@securityfocus.com.

Cheers.

--
Aleph One / aleph1@underground.org
http://underground.org/
KeyID 1024/948FD6B5
Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01

Crypto-Gram
~~~~~~~~~~~

CRYPTO-GRAM is a free monthly newsletter providing summaries, analyses, insights, and commentaries on cryptography and computer security. To subscribe, visit http://www.counterpane.com/crypto-gram.html or send a blank message to crypto-gram-subscribe@chaparraltree.com. To unsubscribe, visit http://www.counterpane.com/unsubform.html. Back issues are available on http://www.counterpane.com.

CRYPTO-GRAM is written by Bruce Schneier. Schneier is president of Counterpane Systems, the author of "Applied Cryptography," and an inventor of the Blowfish, Twofish, and Yarrow algorithms. He served on the board of the International Association for Cryptologic Research, EPIC, and VTW. He is a frequent writer and lecturer on cryptography.

CUD Computer Underground Digest
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

This info directly from their latest ish:

Computer underground Digest    Sun  14 Feb, 1999   Volume 11 : Issue 09
                               ISSN  1004-042X

       Editor: Jim Thomas (cudigest@sun.soci.niu.edu)
       News Editor: Gordon Meyer (gmeyer@sun.soci.niu.edu)
       Archivist: Brendan Kehoe
       Poof Reader:   Etaion Shrdlu, Jr.
       Shadow-Archivists: Dan Carosone / Paul Southworth
                          Ralph Sims / Jyrki Kuoppala
                          Ian Dickinson
       Cu Digest Homepage: http://www.soci.niu.edu/~cudigest

[ISN] Security list
~~~~~~~~~~~~~~~~~~~

This is a low volume list with lots of informative articles, if I had my way I'd reproduce them ALL here, well almost all .... ;-) - Ed

UPDATED Sept/99 - Sent in by Androthi, tnx for the update
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

--[ New ISN announcement (New!!)

Sender: ISN Mailing List
From: mea culpa
Subject: Where has ISN been?
Comments: To: InfoSec News
To: ISN@SECURITYFOCUS.COM

It all starts long ago, on a network far away.. Not really. Several months ago the system that hosted the ISN mail list was taken offline. Before that occurred, I was not able to retrieve the subscriber list. Because of that, the list has been down for a while. I opted to wait to get the list back rather than attempt to make everyone resubscribe.

As you can see from the headers, ISN is now generously being hosted by Security Focus [www.securityfocus.com]. They are providing the bandwidth, machine, and listserv that runs the list now.

Hopefully, this message will find all ISN subscribers, help us weed out dead addresses, and assure you the list is still here. If you have found the list to be valuable in the past, please tell friends and associates about the list. To subscribe, mail listserv@securityfocus.com with "subscribe isn firstname lastname". To unsubscribe, "unsubscribe isn".

As usual, comments and suggestions are welcome. I apologize for the down time of the list. Hopefully it won't happen again. ;)

mea_culpa
www.attrition.org

--[ Old ISN welcome message

[Last updated on: Mon Nov 04 0:11:23 1998]

InfoSec News is a privately run, medium traffic list that caters to distribution of information security news articles. These articles will come from newspapers, magazines, online resources, and more.
The subject line will always contain the title of the article, so that you may quickly and efficiently filter past the articles of no interest.

This list will contain:

o Articles catering to security, hacking, firewalls, new security encryption, products, public hacks, hoaxes, legislation affecting these topics and more.
o Information on where to obtain articles in current magazines.
o Security Book reviews and information.
o Security conference/seminar information.
o New security product information.
o And anything else that comes to mind..

Feedback is encouraged. The list maintainers would like to hear what you think of the list, what could use improving, and which parts are "right on". Subscribers are also encouraged to submit articles or URLs. If you submit an article, please send either the URL or the article in ASCII text. Further, subscribers are encouraged to give feedback on articles or stories, which may be posted to the list.

Please do NOT:
* subscribe vanity mail forwards to this list
* subscribe from 'free' mail addresses (ie: juno, hotmail)
* enable vacation messages while subscribed to mail lists
* subscribe from any account with a small quota

All of these generate messages to the list owner and make tracking down dead accounts very difficult. I am currently receiving as many as fifty returned mails a day. Any of the above are grounds for being unsubscribed. You are welcome to resubscribe when you address the issue(s).

Special thanks to the following for continued contribution: William Knowles, Aleph One, Will Spencer, Jay Dyson, Nicholas Brawn, Felix von Leitner, Phreak Moi and other contributors.

ISN Archive: ftp://ftp.repsec.com/pub/text/digests/isn
ISN Archive: http://www.landfield.com/isn
ISN Archive: http://www.jammed.com/Lists/ISN/

ISN is Moderated by 'mea_culpa'. ISN is a private list. Moderation of topics, member subscription, and everything else about the list is solely at his discretion.
The ISN membership list is NOT available for sale or disclosure. ISN is a non-profit list. Sponsors are only donating to cover bandwidth and server costs.

Win2k Security Advice Mailing List (new added Nov 30th)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

To subscribe: send "SUBSCRIBE WIN2KSECADVICE anonymous or name" in the message body to listserv@listserv.ntsecurity.net

Welcome to Win2K Security Advice! Thank you for subscribing. If you have any questions or comments about the list please feel free to contact the list moderator, Steve Manzuik, at steve@win2ksecadvice.net.

To see what you've missed recently on the list, or to research an item of interest, be sure to visit the Web-based archives located at:

http://www.ntsecurity.net/scripts/page_listserv.asp?s=win2ksec

==============

NTSecurity.net brings the security community a brand new (Oct 99) and much-requested Windows security mailing list. This new moderated mailing list, Win2KSecAdvice (formerly NTSecAdvice,) is geared towards promoting the open discussion of Windows-related security issues. With a firm and unwavering commitment towards timely full disclosure, this new resource promises to become a great forum for open discussion regarding security-related bugs, vulnerabilities, potential exploits, viruses, worms, Trojans, and more.

Win2KSecAdvice promotes a strong sense of community and we openly invite all security minded individuals, be they white hat, gray hat, or black hat, to join the new mailing list. While Win2KSecAdvice was named in the spirit of Microsoft's impending product line name change, and meant to reflect the list's security focus both now and in the long run, it is by no means limited to security topics centered around Windows 2000. Any security issues that pertain to Windows-based networking are relevant for discussion, including all Windows operating systems, MS Office, MS BackOffice, and all related third party applications and hardware.
The scope of Win2KSecAdvice can be summarized very simply: if it's relevant to a security risk, it's relevant to the list. The list archives are available on the Web at http://www.ntsecurity.net, which include a List Charter and FAQ, as well as Web-based searchable list archives for your research endeavors.

SAVE THIS INFO FOR YOUR REFERENCE:

To post to the list simply send your email to win2ksecadvice@listserv.ntsecurity.net

To unsubscribe from this list, send UNSUBSCRIBE WIN2KSECADVICE to listserv@listserv.ntsecurity.net

Regards,

Steve Manzuik, List Moderator
Win2K Security Advice
steve@win2ksecadvice.net

@HWA

00.3 THIS IS WHO WE ARE
~~~~~~~~~~~~~~~~~~~~~~~

Some HWA members and Legacy staff
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

cruciphux@dok.org.........: currently active/editorial
darkshadez@ThePentagon.com: currently active/man in black
fprophet@dok.org..........: currently active/programming/IRC+ man in black
sas2@usa.net ..............:
currently active/IRC+ distribution
vexxation@usa.net ........: currently active/IRC+ proof reader/grrl in black
dicentra...(email withheld): IRC+ grrl in black
twisted-pair@home.com......: currently active/programming/IRC+

Foreign Correspondents/affiliate members
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Qubik ............................: United Kingdom
D----Y ...........................: USA/world media
HWA members ......................: World Media

Past Foreign Correspondents (currently inactive or presumed dead)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Sla5h.............................: Croatia
N0Portz ..........................: Australia
system error .....................: Indonesia
Wile (wile coyote) ...............: Japan/the East
Ruffneck .........................: Netherlands/Holland
Wyze1.............................: South Africa

Please send in your sites for inclusion here if you haven't already, also if you want your emails listed send me a note ... - Ed

Spikeman's site is down as of this writing, if it comes back online it will be posted here.

http://www.hackerlink.or.id/ ............ System Error's site (in Indonesian)

Sla5h's email: smuddo@yahoo.com

*******************************************************************
*** /join #HWA.hax0r.news on EFnet the key is `zwen' ***
*******************************************************************

:-p

1. We do NOT work for the government in any shape or form. Unless you count paying taxes ... in which case we work for the gov't in a BIG WAY. :-/

2. MOSTLY Unchanged since issue #1, although issues are a digest of recent news events it's a good idea to check out issue #1 at least and possibly also the Xmas issue for a good feel of what we're all about, otherwise enjoy - Ed ...

@HWA

00.4 Whats in a name? why HWA.hax0r.news??
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Well what does HWA stand for?
never mind if you ever find out I may have to get those hax0rs from 'Hackers' or the Pretorians after you. In case you couldn't figure it out hax0r is "new skewl" and although it is laughed at, shunned, or even pigeon holed with those 'dumb leet (l33t?) dewds' this is the state of affairs. It ain't Stephen Levy's HACKERS anymore. BTW to all you up and comers, I'd highly recommend you get that book. It's almost like buying a clue.

Anyway..on with the show .. - Editorial staff

@HWA

00.5 HWA FAQ v1.0 Feb 13th 1999 (Abridged & slightly updated again)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Also released in issue #3. (revised) check that issue for the faq, it won't be reprinted unless changed in a big way, with the exception of the following excerpt from the FAQ, included to assist first time readers:

Some of the stuff related to personal usage and use in this zine are listed below: Some are very useful, others attempt to deny any possible attempts at eschewing obfuscation by obscuring their actual definitions.

@HWA - see EoA ;-)

!= - Mathematical notation "is not equal to" or "does not equal" ASC(247) "wavey equals" sign means "almost equal" to. If written as =/= (equals sign with a slash thru it) also means !=, =< is Equal to or less than and => is equal to or greater than (etc, this aint fucking grade school, cripes, don't believe I just typed all that..)

AAM - Ask a minor (someone under age of adulthood, usually <16, <18 or <21)

AOL - A great deal of people that got ripped off for net access by a huge clueless isp with sekurity that you can drive buses through, we're not talking Kung-Fu being none too good here, Buy-A-Kloo maybe at the least they could try leasing one??
*CC - 1 - Credit Card (as in phraud) 2 - .cc is COCOS (Keeling) ISLANDS but they probably accept cc's

CCC - Chaos Computer Club (Germany)

*CON - Conference, a place hackers crackers and hax0rs among others go to swap ideas, get drunk, swap new mad inphoz, get drunk, swap gear, get drunk, watch videos and seminars, get drunk, listen to speakers, and last but not least, get drunk.

*CRACKER - 1 . Someone who cracks games, encryption or codes, in popular hacker speak he's the guy that breaks into systems and is often (but by no means always) a "script kiddie" see pheer 2 . An edible biscuit usually crappy tasting without a nice dip, I like jalapeno pepper dip or chives sour cream and onion, yum - Ed

Ebonics - speaking like a rastafarian or hip dude of colour also wigger Vanilla Ice is a wigger, The Beastie Boys and rappers speak using ebonics, speaking in a dark tongue ... being ereet, see pheer

EoC - End of Commentary
EoA - End of Article or more commonly @HWA
EoF - End of file
EoD - End of diatribe (AOL'ers: look it up)

FUD - Coined by Unknown and made famous by HNN - "Fear uncertainty and doubt", usually in general media articles not high brow articles such as ours or other HNN affiliates ;)

du0d - a small furry animal that scurries over keyboards causing people to type weird crap on irc, hence when someone says something stupid or off topic 'du0d wtf are you talkin about' may be used.

*HACKER - Read Stephen Levy's HACKERS for the true definition, then see HAX0R

*HAX0R - 1 - Cracker, hacker wannabe, in some cases a true hacker, this is difficult to define, I think it is best defined as pop culture's view on The Hacker ala movies such as well erhm "Hackers" and The Net etc... usually used by "real" hackers or crackers in a derogatory or slang humorous way, like 'hax0r me some coffee?' or 'can you hax0r some bread on the way to the table please?' 2 - A tool for cutting sheet metal.
HHN - Maybe a bit confusing with HNN but we did spring to life around the same time too, HWA Hax0r News.... HHN is a part of HNN .. and HNN as a proper noun means the hackernews site proper. k? k. ;&

HNN - Hacker News Network and its affiliates http://www.hackernews.com/affiliates.html

J00 - "you" (as in j00 are OWN3D du0d) - see 0wn3d

MFI/MOI - Missing on/from IRC

NFC - Depends on context: No Further Comment or No Fucking Comment

NFR - Network Flight Recorder (Do a websearch) see 0wn3d

NFW - No fuckin' way

*0WN3D - You are cracked and owned by an elite entity see pheer

*OFCS - Oh for christ's sakes

PHACV - And variations of same Phreaking, Hacking, Anarchy, Cracking, Carding (CC) Groups Virus, Warfare
Alternates:
H - hacking, hacktivist
C - Cracking
V - Virus
W - Warfare
A - Anarchy (explosives etc, Jolly Roger's Cookbook etc)
P - Phreaking, "telephone hacking" PHone fREAKs ...
CT - Cyber Terrorism

*PHEER - This is what you do when an ereet or elite person is in your presence see 0wn3d

*RTFM - Read the fucking manual - not always applicable since some manuals are pure shit but if the answer you seek is indeed in the manual then you should have RTFM you dumb ass.

TBC - To Be Continued also 2bc (usually followed by ellipses...) :^0
TBA - To Be Arranged/To Be Announced also 2ba
TFS - Tough fucking shit.

*w00t - 1 - Reserved for the uber ereet, noone can say this without severe repercussions from the underground masses. also "w00ten" 2 - Cruciphux and sAs72's second favourite word (they're both shit stirrers)

*wtf - what the fuck, where the fuck, when the fuck etc ..

*ZEN - The state you reach when you *think* you know everything (but really don't) usually shortly after reaching the ZEN like state something will break that you just 'fixed' or tweaked.

@HWA

-=- :. .: -=-

01.0 Greets!?!?! yeah greets! w0w huh.
- Ed
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Thanks to all in the community for their support and interest but I'd like to see more reader input, help me out here, whats good, what sucks etc, not that I guarantee I'll take any notice mind you, but send in your thoughts anyway.

* all the people who sent in cool emails and support

FProphet Pyra TwstdPair _NeM_ D----Y Dicentra vexxation sAs72 Spikeman p0lix Vortexia Wyze1 Pneuma Raven Zym0t1c duro Repluzer astral BHZ ScrewUp Qubik gov-boi _Jeezus_ Haze_ thedeuce ytcracker

Folks from #hwa.hax0r,news and #fawkerz

Ken Williams/tattooman ex-of PacketStorm, & Kevin Mitnick

kewl sites:

+ http://www.hack.co.za NEW
+ http://blacksun.box.sk. NEW
+ http://packetstorm.securify.com/ NEW
+ http://www.securityportal.com/ NEW
+ http://www.securityfocus.com/ NEW
+ http://www.hackcanada.com/
+ http://www.l0pht.com/
+ http://www.2600.com/
+ http://www.freekevin.com/
+ http://www.genocide2600.com/
+ http://www.hackernews.com/ (Went online same time we started issue 1!)
+ http://www.net-security.org/
+ http://www.slashdot.org/
+ http://www.freshmeat.net/
+ http://www.403-security.org/
+ http://ech0.cjb.net/

@HWA

01.1 Last minute stuff, rumours and newsbytes
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

"What is popular isn't always right, and what is right isn't always popular..." - FProphet '99

+++ When was the last time you backed up your important data?

++ AMD demonstrates 900 MHz chips

December 17, 1999

"Advanced Micro Devices Inc. has demonstrated two different versions of its Athlon microprocessor running at 900 MHz. One uses the company's standard 0.18-micron process with aluminum interconnects, while the second is produced at the same line width but comes from AMD's Dresden, Germany, fab and features copper interconnects."
Thanks to myself for providing the info from my wired news feed and others from whatever sources, also to Spikeman for sending in past entries.... - Ed

@HWA

01.2 MAILBAG - email and posts from the message board worthy of a read
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Yeah we have a message board, feel free to use it, remember there are no stupid questions... well there are but if you ask something really dumb we'll just laugh at ya, lets give the message board a bit more use eh? I'll be using a real message board when the hwa-iwa.org domain comes back online (soon), meanwhile the beseen board is still up...

==============================================================================

02.0 From the editor.
~~~~~~~~~~~~~~~~~~~~~

#include <stdio.h>

int main(void)
{
    printf ("Read commented source!\n\n");

    /*
     * *still sick* ! this will prolly be a shorter issue than
     * normal like last weeks, so enjoy what there is and we'll
     * be back on track soon... sorry for the lack of quality
     * I'm striving to catch up so I can provide you with the
     * info you're used to getting in these issues, the last
     * couple are definitely not my best works.... hang in
     * there... This issue 'features' an interview with the
     * now defunct sSh... check it out, and I still want
     * articles so send em in!... cruciphux@dok.org
     */

    printf ("EoF.\n");
    return 0;
}

Congrats, thanks, articles, news submissions and kudos to us at the main address:

hwa@press.usmc.net

complaints and all nastygrams and mai*lbombs can go to /dev/nul, nukes, synfloods and papasmurfs to 127.0.0.1, private mail to cruciphux@dok.org

danke.

C*:.
-= start =--= start =--= start =--= start =--= start =--= start =--= start

Content Start

-= start =--= start =--= start =--= start =--= start =--= start =--=

03.0 Melissa conviction to stop virus writers?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Contributed by Spikeman
http://www.zdnet.com/filters/printerfriendly/0,6061,2406928-2,00.html

--------------------------------------------------------------
This story was printed from ZDNN, located at http://www.zdnet.com/zdnn.
--------------------------------------------------------------

Melissa conviction to stop virus writers?
By Robert Lemos, ZDNN
December 9, 1999 5:25 PM PT
URL: http://www.zdnet.com/zdnn/stories/news/0,4586,2406928,00.html

Law enforcement officials and computer security specialists say that David L. Smith's conviction in the Melissa virus case -- the first successful prosecution of a virus writer in the United States -- will have a strong chilling effect on other authors of malicious code.

"We are hoping that the sentence has a significant deterrent impact," said Robert J. Cleary, the U.S. attorney for the District of New Jersey, who led the federal prosecution. "I think this will have the effect we want. Those predisposed to white-collar crimes really do balance risk versus reward."

Smith, 31, pleaded guilty in both state and federal courts on Thursday, agreeing that the virus he wrote and released -- named "Melissa" after a Florida stripper -- caused $80 million in damages (the minimum monetary amount needed in order to trigger stiffer federal sentencing guidelines). Smith is expected to receive anywhere between a four- and five-year sentence in the federal case and up to a 10-year sentence in the state case, accompanied by total fines of up to $400,000.
As part of the plea agreement, state prosecutors have recommended that the sentences run concurrently.

"The sentencing guidelines attempt to minimize disparity. If that works here, then anyone else that sends a virus out that does $80 million in damage should expect a similar sentence," said Cleary.

Melissa's March madness

The Melissa macro computer virus hit companies on Friday, March 26 after being released to a Usenet newsgroup as part of a list of porn sites contained in a Word document infected with the virus. The virus, which mailed itself out to the first 50 addresses listed in the address book of Microsoft's Outlook e-mail client, caused a massive spike in e-mail traffic, flooding corporate e-mail servers.

Companies such as Microsoft Corp. (Nasdaq:MSFT), Intel Corp. (Nasdaq:INTC), Lockheed Martin Corp. (NYSE:LMT) and Lucent Technologies Inc. (NYSE:LU) shut down their gateways to the Internet in the face of the threat.

Smith -- then a resident of Aberdeen, N.J. -- was arrested on April 1 by New Jersey authorities.

"This becomes a landmark case, because it's the first time the (U.S.) federal government has successfully prosecuted a computer virus writer," said Dr. Peter Tippett, chief technologist at computer security firm ICSA.net, which helped the U.S. prosecutors estimate the damages caused by Melissa.

Deterrent effect

Tippett and others point to a virus case in England as potential proof that such a deterrent could work. In November 1995, the UK courts sentenced Chris Pile -- known underground as the Black Baron -- to 18 months in jail. The 26-year-old, self-taught programmer admitted to five counts of unauthorized access to computers to facilitate crime and five unauthorized modifications of computer software over a two-year period.

Since that time, no major viruses have come out of the UK, said Tippett.

Smith appeared in Monmouth County, N.J., Superior Court at 10 a.m. ET on Thursday, followed by his appearance at the U.S.
District Court in Newark at 1:30 p.m. ET to answer to federal charges in the case. In both courtrooms, Smith admitted his guilt and agreed with the damages.

When the judge in the Monmouth County court case asked if Smith agreed that it caused $80 million in damage to computer systems nationwide, Smith replied, "I certainly agree. It did result in those consequences -- without question."

Edward Borden, Smith's attorney in the case, could not be reached for comment.

@HWA

04.0 Government asks hackers for Y2K break
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

http://www.zdnet.com/zdnn/stories/news/0,4586,2408969,00.html

Contributed by Duro

Government asks hackers for Y2K break
President Clinton's Y2K guru asks for a hack moratorium during the New Millennium weekend.
By Jim Wolf, Reuters
December 14, 1999 10:52 AM PT

WASHINGTON -- President Clinton's top aide on Y2K matters has urged computer hackers to exercise self-restraint until after year 2000 technology fears largely have passed.

In an unusual plea for mercy, John Koskinen, chairman of the President's Council on Year 2000 Conversion, said that some people regard piercing computer network security to be a "great public service" because it calls attention to security cracks.

"Hopefully those people will recognize we're going to have enough things going on that (New Year's) weekend that this will not be a particularly good weekend to demonstrate the need for more information security," he said on Monday.

"If you want to, in fact, make those points, my hope is (you'll) make them the following weekend," when Y2K confusion is expected to have subsided, Koskinen said in reply to a reporter's question.

One major concern of authorities is that confusion during the century date change could mask a wide range of malicious anti-U.S. activity, including possible computer-based attacks by hostile nations or guerrillas.
Michael Vatis, the FBI agent who serves as the nation's top "cyber-cop," said last week that the interagency outfit he heads -- the National Infrastructure Protection Center -- would be on alert although it had no hard evidence of any planned attacks.

"It's natural to expect there might be people doing stupid things with computers," he said of possible cyber attacks timed to exploit any high-tech confusion sparked by the century date change.

'Increased vigilance' urged

Bruce McConnell, a former White House information technology expert who now runs the U.N.-sponsored International Y2K Cooperation Center, said viruses timed to trigger on Jan. 1 appeared to be spreading, notably hidden in e-mail attachments.

"Clearly the end of the year is a time for increased vigilance with respect to computer security," McConnell said in a telephone interview.

Adding to the confusion may be so-called denial-of-service attacks aimed at swamping government or private sector Web sites, according to Clark Staten, executive director of the Chicago-based Emergency Response and Research Institute.

Last week, the U.S. Office of Personnel Management announced it would interrupt its Internet services for "several hours" during the New Year's weekend as a guard against hackers, power surges and other possible Y2K headaches. The agency said it would bar access during that limited period to the many data banks normally available on its Web site.

The Defense Department and the U.S. Agriculture Department said last week they also were considering such precautions.

Growing number of computer viruses seen

Anti-virus software makers have reported a growing number of computer viruses timed to go off on or about Jan. 1, when systems engineered to recognize only the last two digits in a date field may confuse 2000 with 1900.

"We are starting to see an increased frequency of viruses related to the year 2000.
Some of them are timed to trigger on January first," said Narendar Mangalam, director of security strategy for Computer Associates, an Islandia, New York-based business computing firm. The CERT Coordination Center, a Defense Department-funded computer security project at Carnegie Mellon University in Pittsburgh, said it did not consider Y2K viruses a greater threat than the many others it has tracked. "There may be viruses that are particularly virulent that I'm not familiar with that are set to go off on January first," Shawn Hernan, CERT's team leader for vulnerability handling, said in a telephone interview. "In general, though, if you are susceptible to viruses that are spreading to be triggered on January first, you're going to be susceptible to those that are triggered to go off on January second and January third, and so on and so forth," he said. The best defense, Hernan said, was keeping up to date with anti-virus software updates, avoiding running programs of unknown origin, maintaining backups, paying attention to anomalies and reporting them to network security administrators. @HWA 05.0 China Upholds Death Sentence For Electronic Intruder ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by Ryan and Zorro The death sentence, imposed as punishment for Hao Jingwen last year, was upheld by The Yangzhou Intermediate People's Court in eastern Jiangsu province. Jingwen, together with his brother Hao Jinglong, electronically broke into the system of a state run bank that one of them worked at and transferred somewhere between $31,000 and $87,000US (reports vary) into an account they opened under false names. The elder of the two brothers, Hao Jinglong, received life in prison instead of the death penalty for assisting the police in their investigation. 
Reuters - via Yahoo http://dailynews.yahoo.com/h/nm/19991203/tc/china_hacker_1.html Associated Press - via Yahoo http://dailynews.yahoo.com/h/ap/19991203/wl/china_death_sentences_1.html Friday December 3 11:47 PM ET China Upholds Death Sentence for Computer Hacker BEIJING (Reuters) - A Chinese court has upheld the death sentence for a man who hacked into the computer system of a state bank to steal money, the Financial News reported on Saturday. The Yangzhou Intermediate People's Court in eastern Jiangsu province rejected the appeal of Hao Jingwen, upholding a death sentence imposed last year, the newspaper said. Hao Jingwen and his brother Hao Jinglong hacked into the computer network of the Industrial and Commercial Bank of China and shifted 720,000 yuan ($87,000) into accounts they had opened under false names, it said. They withdrew 260,000 yuan from the bank accounts in September last year, the newspaper said. Hao Jinglong, who was also originally sentenced to death, received a suspended death sentence in return for his testimony, it said. ($1 = 8.28 yuan) AP; Friday December 3 10:25 PM ET Chinese Bank Hacker Gets Death BEIJING - A court in the southern city of Yangzhou has sentenced one man to death and his elder brother to life imprisonment for hacking into a bank's computer system to steal $31,500, the state-run newspaper Beijing Morning Post said Saturday. An appeal by the two brothers was rejected after a higher court upheld the recent decision by the Yangzhou Intermediate Court, the report said. It said Hao Jingwen and Hao Jinglong used a homemade computer to hack into the Industrial and Commercial Bank of China's system, where they set up fake bank accounts. By the time they were caught, they had withdrawn $30,266 in embezzled funds. Police recovered all but $1,200 of it, the report said. It said Hao Jinglong, the elder brother, got a lighter sentence because he had aided the police in their investigation. 
In a separate report, the newspaper Guangming Daily said Lin Guodi, the director of the Machinery Bureau in central Hunan province, was sentenced Friday to death for taking $638,000 in bribes. Lin's son, Lin Ruhai was given a life sentence and his wife, Zhao Youjuan, got a six-year jail term, it said. Lin and his son lost their appeals, it said. The reports did not say in either case if the death sentences had been carried out. @HWA 06.0 Symantec Discovers Another Worm ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by Nicola_Hibberd and no0ne The W32.Mypics worm has four payloads. It emails itself to fifty people in your address book, changes the web browser's home page to a porn site and then attempts to reformat the local hard drive. Also, on Jan 1, 2000 the worm attempts to overwrite the checksum data in the host computer's CMOS. Symantec, the discoverer of the worm, says that this is the fifth such virus it has found with a payload that triggers at the start of the new year. This worm appears to only infect people running email clients from Microsoft. ZDNet UK http://www.zdnet.co.uk/news/1999/48/ns-11935.html Newsbytes - via CNNfn http://www.cnnfn.com/news/technology/newsbytes/140247.html Reuters - via Yahoo http://dailynews.yahoo.com/h/nm/19991206/tc/yk_virus_3.html Fri, 03 Dec 1999 16:38:00 GMT Will Knight Symantec discovers the nasty 'W32.Mypics worm' A new mega-virus that combines three potentially devastating characteristics has been found in the wild by the research laboratories at Symantec Anti-Virus Research Center. Once the W32.Mypics worm arrives at an Outlook inbox, it sends itself out to 50 people in the address book and attempts to convert the Web browser's home page to a porn site. It also does its level best to format the local hard drive. 
Although Symantec has received only a small number of reports of Mypics, Aled Miles, managing director for Symantec UK and Ireland, says now is a crucial period in the development of the virus that was found in the wild at 4.48 GMT Friday. "If it's going to break, it's going to do it soon," he warns. "This sort of thing happens very quickly." Miles also believes Mypics represents a worrying new trend in virus technology. "The capability of viruses is increasing greatly, that's the key thing. There's a lot of talk about hype but you only need one of these to cause a lot of damage." Another daunting prospect raised by Miles: "What happens if two or three of these happen at the same time? Time is definitely condensing. Is this going to be a trend continuing up to and beyond the New Year?" An update for Symantec's anti-virus software that combats Mypics can be downloaded from the company's labs. http://www.sarc.com/avcenter/venc/data/w32.mypics.worm.html -=- Dangerous Y2K Worm Starts Weekend With A Bang December 03, 1999: 4:59 p.m. ET CUPERTINO, CALIFORNIA, U.S.A. (NB) -- By Steve Gold, Newsbytes. Symantec's [NASDAQ:SYMC] Anti-virus Research Center reported this morning that it has discovered a new worm virus that reformats PC users' hard disks and switches their Web browser home page to an adult site. Yunsun Wee, a spokesperson for Symantec, told Newsbytes that the Y2K virus is no relation to the MiniZip worm virus that hit PC users earlier this week and is far more deadly. "This is the fifth Y2K virus we've come across so far, but it's the most deadly in that it can reformat a user's hard disk, as well as cause other problems," she said. Wee added that the virus was discovered overnight by the company's SARC operation, and, as a result, the company issued a public warning via the business wire service this morning. 
"Unlike MiniZip, which everyone reported on earlier this week, and which was actually discovered some days earlier, we wanted to ensure that we got the warning message out as quickly as possible," she said. Symantec says that the virus disguises itself as a Y2K problem, and is received as an e-mail attachment disguised as a picture. Once the program infects the host PC, it attempts to send itself using Microsoft Outlook to up to 50 people in the user's Microsoft Outlook address book. It also changes the home page in Internet Explorer to a site containing adult content. Additionally, Symantec warns, on Jan. 1, 2000, the program will overwrite the checksum data in the host computer's CMOS (complementary metal-oxide semiconductor) memory so when the system is rebooted the user will think that there may be a Y2K-related problem with the computer's BIOS (basic input/output system). The firm says that, once the PC is restarted, the virus will attempt to format the local hard drives and erase all data. Symantec says that the W32/Mypics.worm can be easily spotted, since it arrives in an e-mail with no subject line. The body of the message reads, "Here's some pictures for you!" with a "Pics4You.exe" attachment that is approximately 34,304 bytes in size. Once the user opens the attachment, the worm loads itself into memory and executes by sending out copies of itself attached to e-mail addressed to up to 50 people in the user's address list. In addition, Symantec says that the code modifies the system registry to load its dropped file "cbios.com" on system startup and also changes the user's home page in Internet Explorer to http://www.geocities.com/siliconvalley/vista/8279/index.html, a Web site that contains some adult content. The firm advises PC users not to attempt to open the attached document. 
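The indicators Symantec lists above (no Subject header, the "Here's some pictures for you!" lure text, a Pics4You.exe attachment of roughly 34,304 bytes) are enough to write a gateway check against. The following is an added example, not Symantec's nor anyone else's detection code: a Python scanner that constructs a few sample messages with the standard-library email package, parses them back the way a mail filter would, and returns a verdict. The 512-byte size tolerance, the list of executable extensions and the block/quarantine policy are assumptions of this example, and the sample messages are constructed, not captured worm mail.

```python
"""Indicator check for W32.Mypics-style worm mail at a mail gateway.
Added example with constructed sample messages, not captured worm traffic."""
import email
from email import policy
from email.message import EmailMessage

# Indicators taken from the Symantec/Newsbytes description of W32/Mypics.worm.
MYPICS_BODY = "here's some pictures for you!"
MYPICS_ATTACHMENT = "pics4you.exe"
MYPICS_SIZE = 34304
# Assumptions of this example: tolerance on "approximately 34,304 bytes", and
# which extensions count as directly executable on a 1999-era Windows client.
SIZE_TOLERANCE = 512
EXECUTABLE_EXTS = (".exe", ".com", ".scr", ".pif", ".bat", ".vbs")


def build_sample(subject, body, filename=None, payload=b""):
    """Construct an RFC 822 message as bytes (sample input, not real mail)."""
    msg = EmailMessage()
    msg["From"] = "friend@example.net"
    msg["To"] = "victim@example.org"
    if subject is not None:          # None reproduces the worm's missing Subject header
        msg["Subject"] = subject
    msg.set_content(body)
    if filename:
        msg.add_attachment(payload, maintype="application",
                           subtype="octet-stream", filename=filename)
    return msg.as_bytes()


def scan_message(raw):
    """Return {'verdict': 'block' | 'quarantine' | 'allow', 'findings': [...]}."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = (msg["Subject"] or "").strip()
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().lower() if body_part else ""
    findings = []
    if not subject:
        findings.append("empty subject")
    lure = MYPICS_BODY in body
    if lure:
        findings.append("Mypics lure text")
    exact_hit = False
    executable = False
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        size = len(part.get_payload(decode=True) or b"")   # decoded size, not base64 size
        if name == MYPICS_ATTACHMENT and abs(size - MYPICS_SIZE) <= SIZE_TOLERANCE:
            exact_hit = True
            findings.append(f"{name} of expected size ({size} bytes)")
        elif name.endswith(EXECUTABLE_EXTS):
            # Covers renamed copies and "photo.jpg.exe", which a client that
            # hides known extensions displays as "photo.jpg".
            executable = True
            findings.append(f"executable attachment {name}")
    if exact_hit or (lure and executable):
        verdict = "block"
    elif executable:
        verdict = "quarantine"
    else:
        verdict = "allow"
    return {"verdict": verdict, "findings": findings}


# Constructed samples: the worm mail as described, a benign photo mail, and an
# executable hiding behind a double extension.
SAMPLES = {
    "mypics": build_sample(None, "Here's some pictures for you!",
                           "Pics4You.exe", b"MZ" + b"\x00" * (MYPICS_SIZE - 2)),
    "benign": build_sample("Holiday photos", "Pics from the party attached.",
                           "party.jpg", b"\xff\xd8\xff" + b"\x00" * 200),
    "disguised": build_sample("Fwd: photo", "check this out",
                              "photo.jpg.exe", b"MZ" + b"\x00" * 2000),
}


def scan_all():
    """Verdict per sample; used by the self-check below."""
    return {label: scan_message(raw)["verdict"] for label, raw in SAMPLES.items()}


if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, scan_message(raw))
```

The attachment size is measured after base64 decoding, since the transfer-encoded size on the wire is about a third larger and would never match the figure in the advisory. The exact-match rule alone would miss a trivially repacked copy, which is why the lure text combined with any executable attachment also blocks.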
Symantec anti-virus users should also download a new definition set - available immediately through the company's LiveUpdate feature or from the Symantec Web site at http://www/symantec.com/avcenter/download.html. Reported by Newsbytes.com, http://www.newsbytes.com . 10:22 CST Reposted 15:49 CST (19991203/Press Contact: Yunsun Wee, Symantec) -=- Monday December 6 2:43 AM ET Virus Trackers Report Bug Aimed at Y2K SAN FRANCISCO (Reuters) - The computer world's mischief makers struck this week with the first in what is expected to be a wave of viruses set to go off Jan. 1, 2000, computer experts said on Friday. A virus was discovered in computer systems of a number of companies, set to go off at New Year's and erase data from users' hard drives, security experts reported. ``This is the first Y2K virus we've seen that has really infected a number of people,'' said Sal Viveros, of Network Associates Inc. (NasdaqNM:NETA), the largest computer security firm in the world. Anti-virus firm Symantec Corp. (NasdaqNM:SYMC) director of research Vincent Weafer said, ``This is the kickoff for the Y2k -- which is going to be like the Super Bowl for virus writers.'' The new virus, called W32/Mypics.worm, is set to disable computers as people try to start them up Jan. 1. The virus writer apparently is hoping to mislead users into thinking they've been hit by the much-publicized Y2K software bug, which is caused by computers' inability to read the ``00'' of year 2000. The virus is sent by e-mail with no subject line to a target user. Inside the e-mail is a message saying ``Here's some pictures for you!'' Opening the attachment launches the damaging program, a worm: unlike a file-infecting virus it does not attach itself to other programs on the host computer, but spreads by mailing copies of itself. Like the earlier Melissa ``worm,'' the new infection uses the target computer's Microsoft Outlook mailing list to send itself to 50 people via e-mail. It can be detected ahead of the Jan. 
1 ``payload date'' through use of anti-virus software, or by noting a suspicious switch in the default page of the user's Web browser. Computer security firm Symantec, the company that first sounded the alarm about this worm, said it has found five different Y2K viruses in recent days, but none reaching the level of the W32/Mypics.worm, which it classed as a ``medium to high-risk virus.'' Simon Perry, Computer Associates International Inc.'s (NYSE:CA) eTrust Business Manager, said, ``As the year 2000 quickly approaches, we are starting to see an increased frequency of dangerous viruses.'' The year has already been marked by a wave of destructive infections, including the CIH, or Chernobyl Virus, which wiped out data on thousands of hard disk drives, and Melissa, which was one of the most widespread infections ever, though not as damaging to individual computers. A concerted effort to sound the alarm by computer protection services has tended to dampen the spread of the viruses, though some see their alarms as self-serving, since most recommend a dose of their medicine, anti-virus software, as the cure. ``Once a virus is in the wild, and it's on everyone's detection lists, it tends to chill a bit. But that doesn't mean it's not still a threat,'' said David Perry, security firm Trend Micro Inc. (NasdaqSC:TIMC) public information director. The most basic advice the security experts give is to avoid opening unsolicited e-mails. 
``Don't take candy from strangers,'' said Perry, ``and don't open suspicious e-mails on your computer.'' @HWA 07.0 EPIC Sues NSA Over Echelon ~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by blueghost, knobdicker, and Alien Plaque The Electronic Privacy Information Center (EPIC) has filed suit against the National Security Agency (NSA) in federal court in an attempt to gain more information about the agency's spy network dubbed Echelon, and to what extent the agency has been spying on American citizens. The NSA has 30 days to respond to the court filing. (I applaud EPIC for going after the NSA, however the courts have been very favorable to the NSA in past cases, so I personally doubt that much will come of this, but it's definitely worth a shot.) Electronic Privacy Information Center http://www.epic.org/ Federal Computer Week http://www.fcw.com/pubs/fcw/1999/1129/web-lawsuit-12-3-99.html ZDNet http://www.zdnet.com/zdnn/stories/news/0,4586,2404126,00.html?chkpt=zdnntop DECEMBER 3, 1999 . . . 17:35 Lawsuit claims NSA spying on Americans BY DANIEL VERTON (dan_verton@fcw.com) The privacy watchdog group Electronic Privacy Information Center today filed a lawsuit in federal court that aims to force the National Security Agency to release sensitive documents thought to contain evidence of surveillance operations against U.S. citizens. EPIC wants to obtain documents recently denied to Congress by NSA's General Counsel on the grounds of attorney/client privilege. NSA also has failed to reply to a Freedom of Information Act request filed by EPIC to obtain the documents. The lawsuit centers on documents that are said to detail the operations of the so-called Echelon global surveillance network. Details surrounding Echelon came to light last year when the European Union launched a full-scale investigation into privacy abuses against European citizens by the NSA ["European Union may investigate U.S. global spy computer network," fcw.com, Nov. 
17, 1998]. EPIC director Marc Rotenberg said in a statement released to the press, "The charter of the National Security Agency does not authorize domestic intelligence-gathering. Yet we have reason to believe that the NSA is engaged in the indiscriminate acquisition and interception of domestic communications taking place over the Internet." A spokesperson for the agency said, "NSA operates in strict accordance with U.S. laws and regulations in protecting the privacy rights of U.S. persons. Its activities are conducted with the highest constitutional, legal and ethical standards." Echelon, a Cold War-vintage global spy system, is believed to consist of a worldwide network of clandestine listening posts capable of intercepting electronic communications such as e-mail, telephone conversations, faxes, satellite transmissions, microwave links and fiber-optic communications traffic. EPIC is planning a major study of the Echelon network to be published next year that looks at the operations of signals intelligence agencies around the world, such as the NSA. "We expect that Congress will hold hearings on this early next year and we plan to pursue our case very aggressively," Rotenberg told FCW. "If the NSA is intercepting Internet communications of U.S. citizens -- and we believe they are -- then it is a critical question of Constitutional government to determine whether they are acting within the law or outside of it." @HWA 08.0 Wyoming Newspaper Attacked ~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by Alien Plague George Russell James, 26, of Laramie, Wyoming has been charged with one felony count of crime against computer users. James is accused of several unauthorized entries into Trib.com which is run by the Casper Star-Tribune. According to the Trib.com staff, the entries are said to have caused slowed online response time over a couple of days and disrupted the provider's news and information Web site. 
(From the information posted in this article it would seem that they don't have a very strong case against this guy. Unfortunately he will probably plead guilty instead of fighting these accusations.) The Billings Gazette http://www.billingsgazette.com/wyoming/991204_wyo02.html Laramie man charged with hacking into major Internet provider CASPER, Wyo. (AP) - A Laramie man has been charged with hacking into one of Wyoming's primary Internet service providers. George Russell James, 26, surrendered at the Albany County Courthouse on Friday and was charged with one felony count of crimes against computer users, according to the state Division of Criminal Investigation. James is accused of several unauthorized entries into trib.com, according to the Casper Star-Tribune, which administers the service. Police searched James' apartment Thursday and seized a personal computer and other evidence, said Steve Miller, deputy director of the state Division of Criminal Investigation. They also found about one-eighth ounce of marijuana and charged James with possession of a controlled substance, he said. "Without going into a lot of detail, basically there are a lot of electronic footprints you can often trace back to the individual," he said of how James was pinpointed. Trib.com staff said the tampering slowed online response time over a couple of days and disrupted the provider's news and information Web site. "We haven't been able to manipulate the programs like we normally do, which has made stories awkward to read," Web site designer Fred Jacquot said. Some subscribers who logged onto the site Thursday may have found pages with incomplete information or graphic artwork, he said. Larry Ash, systems administrator for trib.com, said the problems resulted from a two-fold attack on the system. First, the alleged hacker tapped into the trib.com server, which meant the entire system needed to be checked for possible flaws. 
"We spent a lot of time tearing down the old system and building it up again from scratch," he said. Then on Thursday, a program from a site in London jammed the trib.com network and slowed service to a crawl. The "denial of service attack" flooded the system with thousands of information requests. "It's kind of like a water main that is split into lots of smaller pipes," said trib.com programmer Steve Claflin. "If one person draws all the water, no one else can get any." The trib.com system was so tied up processing the information and repairing itself after the break-in that it could not respond as quickly to regular tasks. Star-Tribune publisher Rob Hurless said trib.com staff were still checking computer logs Thursday to find out exactly what happened during the break-in. The network was nearly back to normal operating speed Thursday afternoon, he said. Miller said the trib.com break-in was among an increasing number of computer-related crimes DCI has looked into recently. He said the agency, in cooperation with federal and local law enforcement agencies, has investigated 18 reports of computer crimes in Wyoming, including seven in the last month. "It's pretty crazy right now," Miller said. "I don't know if hacking is increasing or people are just identifying it more rapidly and reporting it." Updated: Saturday, December 4, 1999 Copyright © The Billings Gazette, a division of Lee Enterprises. @HWA 09.0 DoD Offers Military Docs to Surfers ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by Weld Pond The Department of Defense has made available over 100,000 documents on categories ranging from nuclear technology to explosives to communications security. There also seems to be a good chunk of information on TEMPEST. It is unknown how long this site will remain publicly available. Grab it while you can. Defense Automation and Production Service http://assist.daps.mil (Site appears locked up when I tried it... 
-Ed) @HWA 10.0 NSA Funds Supercomputer Upgrade ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by biggranger The National Security Agency is funding the upgrade of the San Diego Supercomputer Center from a Tera MTA-8 system to an MTA-16 system made by Tera Computer Company. The MTA-16 is based on a multithreaded architecture and retails for between 7 and 10 million dollars. Tera Computer Company http://www.tera.com/www/press/mta16.html Tera Press Release; Tera Computer Company Receives First Purchase Order for a Tera MTA-16 System Funding Provided by National Security Agency Contacts: Lippert/Heilshorn & Assoc. Lillian Armstrong/David Barnard, CFA lillian@lhai-sf.com,david@lhai-sf.com 415/433-3777 Keith Lippert 212/838-3777 Tera Computer Company Ken Johnson/Jim Rottsolk, 206/701-2000 ken@tera.com,jim@tera.com or Terren S. Peizer, Chairman: 310/444-3222 SEATTLE, WASHINGTON, November 10, 1999 - Tera Computer Company (NASDAQ NM: TERA) today announced that it has received its first purchase order for a Tera MTA-16 system. This order represents an upgrade to the existing 8-processor Multithreaded Architecture (MTA) supercomputer now in use at the San Diego Supercomputer Center (SDSC). This upgrade, which doubles the size of SDSC's MTA system from 8 processors and 8 gigabytes of shared memory to 16 processors and 16 gigabytes of shared memory, is specially priced at $2.5 million. Initial purchases of Tera MTA-16 systems are typically priced at $7-10 million, depending upon configuration. Delivery of the SDSC MTA-16 is expected by year-end 1999. This order follows SDSC's successful evaluation of the MTA-8, which was initially funded by the National Science Foundation and the Defense Advanced Research Projects Agency. Funding for the MTA-16 upgrade is being provided by the National Security Agency (NSA). 
The MTA-16 system will be used to run computationally demanding applications of interest to users, including medical researchers, graphics experts and computational chemists. "Tera's multithreaded approach to parallel processing is of great interest not only to SDSC, but also to the entire high-end computing community," said Sid Karin, Director of SDSC. "The performance achieved on our eight-processor MTA supports the argument that hardware multithreading will be the future of high-end computing. By doubling the size of our MTA, we expect to run some applications on it faster than on any other machine at SDSC. We further expect that this will allow us to transition some of our production workload to the MTA." Jim Rottsolk, President and CEO of Tera Computer concluded, "The sale of an MTA-16 represents another significant milestone in our push toward full-scale commercialization of the MTA technology. The benefits of this transaction go beyond the purchase alone, as we will have access to the SDSC MTA-16 system, and plan to use it to demonstrate high-performance applications of interest to the industrial customer base, such as MSC NASTRAN and LS-DYNA3D. The currently installed base of vector processing supercomputers represents an attractive and timely market opportunity for the Tera MTA-16." According to the International Data Corporation, there are approximately 200 SGI/Cray Research vector supercomputers installed worldwide, constituting a large portion of the customer base of industrial supercomputing users. With an average selling price of approximately $10 million each, this installed base is valued at $2 billion. Of those 200 systems, about 60 T90s have been installed in the last three years, with the balance of that installed base representing previous generation systems such as the Cray C90. Tera also announced that its Progress Report: Summer 1999 video is now available on VHS or CD; copies can be requested by visiting the Tera website at www.tera.com. 
Among those interviewed on this video are Sid Karin, SDSC's Director; Wayne Pfeiffer, SDSC's Deputy Director; Richard Charles, Greg Johnson, and Allan Snavely, three SDSC scientists; and Professor David McQueen, a medical researcher at New York University's Courant Institute. About Tera Computer Company Tera Computer Company designs, builds and sells high performance general-purpose parallel computer systems. Tera believes its Multithreaded Architecture system represents the next wave in supercomputer technology because of its unique ability to provide high performance, broad applicability and ease of programming in a single system. For more information about Tera and its MTA systems, contact Tera at 411 First Avenue South, Suite 600, Seattle, WA 98104-2860. Phone: 206/701-2000. Fax: 206/701-2500. E-mail: info@tera.com, or www.tera.com. Safe Harbor Statement This press release contains forward-looking statements, among other things, Tera's plans to build larger MTA systems and the successful running of key applications on the MTA-16. There are certain factors that could cause Tera's execution plans to differ materially from those anticipated by the statements above. Among such factors are risks associated with building larger MTA systems, necessary modifications to software and hardware systems, timely availability of commercially acceptable components from third party suppliers and successful porting of third party applications. For a discussion of such risks, and other risks that could affect Tera's future performance, please see "Risk Factors" in Tera's most recent SEC Form 10-Q. @HWA 11.0 "I was a teenage nmapper" ~~~~~~~~~~~~~~~~~~~~~~~~~ http://geekmafia.dynip.com/~xm/ I was a teenage nmapper. Perhaps the best place to start this story is with a disclaimer. 
Because of possible legal implications and verbal agreements between the sysadmin of an organization I am affiliated with, the companies involved and myself, I am not going to disclose any real information. The story begins at a large organization. I am a voluntary network / network security consultant at times here. However, I am legally forbidden to "attempt to bypass security restrictions on the network ... or to aid others in doing so by providing information (logins, passwords, etc.) to do so with." However, the very nature of my informal position involves me violating this agreement, with the permission of the network admins. In the past, I have scanned the entire external address block from my own personal network with permission. I recently uncovered an unprotected webserver containing a network informational chart listing unprotected netbios shares containing extremely sensitive data. I attempted to see if these were exploitable without touching any sensitive materials. After reporting my findings to the network admins, I was given a little lecture about how I should have contacted them before attempting something that potentially volatile. The organization where these events took place currently relies on a filtering Internet proxy to provide web access to its ~1000 users. The company that manufactures the proxy maintains the machine it runs on (an UltraSPARC IV running SunOS 5.7). Previously they have been given some security alerts by me through the admin at my school. The proxy maker was once a small startup but was recently acquired by a fairly prominent software maker, so they have become increasingly corporate since they began work with our organization. One day in mid/late November (1999), I was doing a little halfhearted blackbox audit of one of the cgis in the package. 
I discovered a serious vulnerability that could allow anyone to read any file on the system (by traversing up directories using "../../../../etc/motd" as a parameter to a file argument in the cgi). I quickly reported this to my sysadmin who passed it on to the company. I wanted to report the bug on BugTraq but I was warned that this would be a violation of the agreement I had signed (So I didn't). Meanwhile, I head home that day (Friday) and casually fire up nmap (nmap -sS -O -v -v www.company.com) to see what they're running (out of curiosity). On Monday afternoon, the sysadmin calls me into his office. Apparently, the company freaked out when they saw me scanning them. During the code audit of the hole, they realized that the scope of the bug was far greater than I had uncovered (I assume a buffer overflow but the engineer I spoke to couldn't comment). They were about to email me a thank-you when they saw the incoming scan. The company responded by basically scanning me back and probing a few key services: sendmail (actually postfix), finger and web. They realized that the "attack" against their network was coming from a machine belonging to the guy who had just discovered a huge hole in their network. Not knowing if I realized the total potential of the hole in their system, they pulled the plug on their network connection and made hard copies of all relevant info. They consulted their legal counsel in their parent company. Under Rhode Island, Massachusetts and federal law, my benign, simple stealth port scan was perfectly legal. However, since the webserver I scanned was located in Virginia (home of ambiguous anti-spam laws), I may have violated the Virginia Internet Policy Act (or some other AOL/NSI-backed civil-liberty violating, anti-freespeach^H^H^H^H^H^H^H^H^H^Hspam law). To quote CNET: "... 
Aiming in part to ease congestion on networks owned by Internet service providers such as AOL and MCI WorldCom, the commission wants unsolicited bulk email or communication that is "fraudulent, unauthorized, or otherwise illegal [to be] prosecuted just as it would in any other medium." Virginia's "computer trespassing" law, which means using an ISP's equipment without permission, also should be updated, the Act states." Anyway, I was informed about this on Monday afternoon. I was quickly on the phone with Russell, a very friendly Cisco / TCPIP-oriented guy at the company. He said they had decided not to pursue legal action and we discussed security issues. He was quite friendly and even invited me to visit the proxy maker's offices if I was in the area. What did we learn?
- nmap -D www.microsoft.com,www.aol.com,www.yahoo.com,ME
- Corporate takeovers of small guys suck
- Don't disclose information except through BugTraq.
If anyone has comments on the technical accuracy, legal accuracy, content or wants to point me at some resources email xm@geekmafia.dynip.com. @HWA 12.0 NIST Meeting Open To The Public ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by Evil Wench The next meeting of the Computer System Security and Privacy Advisory Board of the National Institute of Standards and Technology will be open to the public. The meeting will be held from December 7 through December 9, 1999. The meeting will be held in Lecture Room B of the NIST Administration Building in Gaithersburg, Maryland. 
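The CGI bug in the "I was a teenage nmapper" story above (a file parameter that accepts "../../../../etc/motd") is plain directory traversal. The following added example is neither the author's nor the proxy vendor's code; it reproduces the pattern in Python against a constructed temporary directory tree (a stand-in for /etc/motd sitting outside a web document root), shows the vulnerable lookup next to a hardened one, and also covers two related mistakes the story does not mention: an absolute path, which os.path.join accepts by silently discarding the base directory, and an embedded NUL byte. The sandbox is only two directories deep, so two ".." segments reach the decoy motd where the story needed four.

```python
"""Directory traversal through a 'serve this file' CGI parameter, vulnerable
and hardened. Added example; the on-disk layout is constructed in a temp dir."""
import os
import tempfile


def make_sandbox():
    """Constructed layout standing in for the proxy box: <fs>/etc/motd lies
    outside the web tree, <fs>/www/docs is the CGI's document root."""
    fs = tempfile.mkdtemp(prefix="traversal-demo-")
    os.makedirs(os.path.join(fs, "etc"))
    os.makedirs(os.path.join(fs, "www", "docs"))
    with open(os.path.join(fs, "etc", "motd"), "w") as f:
        f.write("message of the day: this file is outside the document root\n")
    with open(os.path.join(fs, "www", "docs", "help.txt"), "w") as f:
        f.write("help page\n")
    return fs, os.path.join(fs, "www", "docs")


def read_file_vulnerable(docroot, name):
    """The pattern from the story: join the user-supplied name onto the
    document root and open it. os.path.join does no normalisation, so
    '../../etc/motd' walks up and out, and an absolute name replaces docroot."""
    with open(os.path.join(docroot, name)) as f:
        return f.read()


def read_file_safe(docroot, name):
    """Hardened lookup: reject NULs, normalise, then prove the resolved path
    is still under the document root before touching the filesystem."""
    if "\x00" in name:
        raise ValueError("NUL byte in file name")
    root = os.path.realpath(docroot)
    # realpath collapses '.' and '..' and follows symlinks, so the check
    # below sees the file that would really be opened.
    target = os.path.realpath(os.path.join(root, name))
    if os.path.commonpath([root, target]) != root:
        raise ValueError(f"path escapes document root: {name!r}")
    with open(target) as f:
        return f.read()


def demo():
    """Run both lookups against the sandbox; returns a dict of outcomes."""
    fs, docroot = make_sandbox()
    abs_motd = os.path.join(fs, "etc", "motd")
    results = {
        "vuln_traversal": read_file_vulnerable(docroot, "../../etc/motd"),
        "vuln_absolute": read_file_vulnerable(docroot, abs_motd),
        "safe_ok": read_file_safe(docroot, "help.txt"),
    }
    for label, name in (("safe_traversal", "../../etc/motd"),
                        ("safe_absolute", abs_motd),
                        ("safe_nul", "help.txt\x00.jpg")):
        try:
            read_file_safe(docroot, name)
            results[label] = "served"
        except ValueError:
            results[label] = "rejected"
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label:15} {outcome.strip()}")
```

The order matters: normalise first, then compare against the root, then open. Checking for a literal ".." substring before normalisation is the usual half-fix; it misses absolute paths, symlinks inside the document root that point outside it, and encodings the web server decodes after the filter has run.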
Computer System Security and Privacy Advisory Board http://csrc.nist.gov/csspab/ Federal Register: December 2, 1999 - via Cryptome http://cryptome.org/csspab120299.txt @HWA 13.0 NT Passes Government Security Certifications ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by Evil Wench and KnobDicker Windows NT has been certified as compliant with Federal Information Processing Standard 140-1 (FIPS 140-1) and the C2 level of the Trusted Computer System Evaluation Criteria (TCSEC). Windows 95, 98 and 2000 have also received FIPS 140-1 certification. The C2 certification only applies to stand-alone, non-networked machines. Operating systems used by the Department of Defense are supposed to carry a security rating of C2 or higher, despite the fact that DoD has used NT since 1996. This ends a long battle for Microsoft to achieve this security certification. (We still say "C2 my ass.") Government Executive Magazine http://www.govexec.com/dailyfed/1299/120699j1.htm ZD Net http://www.zdnet.com/zdnn/stories/news/0,4586,2404702,00.html?chkpt=zdnntop HNN Archive for January 13, 1999 http://www.hackernews.com/arch.html?011399 NW Fusion - NT Failed FIPS a Year Ago http://www.nwfusion.com/news/1999/0222fips.html L0pht Heavy Industries - More Info Regarding Government Certifications http://www.l0pht.com/cyberul.html December 6, 1999 DAILY BRIEFING Microsoft wins government security certifications By Joshua Dean jdean@govexec.com Microsoft Corp.'s Windows NT Server and desktop operating systems - products that are heavily used at many federal agencies - last week received two important security certifications from the federal government. The Windows NT 4.0 network operating system was certified as compliant with Federal Information Processing Standard 140-1 (FIPS 140-1) and the C2 level of the Trusted Computer System Evaluation Criteria (TCSEC). 
The desktop operating systems Windows 95 and Windows 98 and the forthcoming Windows 2000 also won FIPS 140-1 certification.

"FIPS 140-1 is the certification which is more important," said Rick Therrien, leading edge services deputy in the Office of the Navy's Chief Information Officer. "FIPS 140-1 deals with information interchange on computers that are networked, as well as secure e-mail, authenticating onto a network and accessing secure Web sites."

Therrien estimates that the Navy uses Windows NT on more than 400,000 computers globally. In addition, the Marine Corps just converted from Banyan Systems Inc.'s Vines network software to Windows NT 4.0.

FIPS 140-1 was created by the National Institute of Standards and Technology. It lays out security requirements for the cryptography module within an operating system.

Windows NT 4.0 was also tested by a private laboratory and certified by the National Computer Security Center, a unit of the National Security Agency, as achieving the C2 level of security. C2 products have demonstrated they can:

- Identify and authenticate system users
- Limit data access to only approved users
- Audit system and user actions
- Prevent access to files that have been deleted by others

Therrien cautioned that while certification for Windows NT 4.0 is reassuring, "no operating system is 100 percent secure. What you have now is a way to calculate risks. We now have a way to quantify where our risks are. Without certification, there would be much more guesswork involved."

Microsoft's new operating system, Windows 2000, is scheduled to be released in February.

The network configuration used in evaluating the security of the NT 4.0 network operating system, as updated with Service Pack 6a, consisted of single- and multi-processor Proliant servers from Compaq Computer Corp., along with Compaq PCs and printers and storage subsystems from Hewlett-Packard Co.
-=-

ZDnet;

Microsoft wins high-level security rating

After more than a year, Microsoft obtains the NSA's key C2 rating for NT 4.0.

By Mary Jo Foley, Sm@rt Reseller
UPDATED December 6, 1999 4:18 PM PT

As Microsoft closes in on completing development of its next-generation Windows 2000 operating system, it finally has managed to receive the elusive C2 security rating for its NT 4.0 operating system.

On Dec. 2, Microsoft Corp. (Nasdaq:MSFT) announced it had received the C2 rating for NT 4.0 Server and Workstation. Prior to last Friday, Microsoft had received the C2 rating only for NT 3.5.

C2 is a basic security rating that is one of several evaluations awarded by the National Security Agency, based on its Trusted Computer System Evaluation Criteria, or "Orange Book" criteria. Information systems purchased by the Department of Defense are supposed to carry at least a C2 rating.

Microsoft has been in pursuit of the C2 rating for NT 4 for more than a year. Originally, Microsoft had hired an independent contractor named Edward Curry to help the company obtain a C2 rating for NT 3.5 in the mid-1980s. But in 1995, Microsoft ended Curry's contract for reasons the company declined to divulge publicly.

Curry brought to the Department of Defense's attention late last year the fact that Microsoft had not obtained C2 certification for any release of NT beyond 3.5. In March of this year, while continuing to make known his concerns regarding Microsoft's alleged lack of operating-system security, Curry died suddenly of a stroke.

Prior to Curry's death, Microsoft hired Science Applications International Corp. (SAIC) to continue its C2 certification efforts. A year ago, SAIC was predicting Microsoft would pass its first C2 milestone within weeks.

Microsoft officials have said they expect to be able to submit immediately Windows 2000 for evaluation under a newly merged U.S./U.K. security evaluation process, called Common Criteria Consolidation.
@HWA

14.0 Mitnick's Codefendant Sentenced
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Ryan

Lewis DePayne has been sentenced by US District Judge Mariana Pfaelzer to six months of home detention with five years of probation, 225 hours of community service and a fine of $2,500. DePayne pleaded guilty earlier this year to a single count of wire fraud for his involvement in a scheme with Kevin Mitnick to defraud Nokia of proprietary software for mobile phones.

ZD Net
http://www.zdnet.com/zdtv/cybercrime/news/story/0,3700,2404937,00.html

Mitnick Codefendant Sentenced

Accused hacker faces probation, community service, and fine.

By Iolande Bloxsom
December 6, 1999

Kevin Mitnick's codefendant, Lewis DePayne, was sentenced today in federal court in Los Angeles. Unlike the imprisoned hacker, DePayne was not restricted in his use of computers.

US District Judge Mariana Pfaelzer sentenced DePayne to five years of probation, which includes six months of home detention. He will also be required to serve 225 hours of community service (to be determined by the probation office) and to pay a $2,500 fine and the cost of any home detention.

DePayne pled guilty on April 16 of this year to a single count of wire fraud. According to the plea agreement, in May of 1994 he and Mitnick participated in a scheme to defraud Nokia of proprietary software for mobile phones. DePayne admitted to placing a call to a Nokia office in Florida pretending to be a Nokia supervisor named K.P. Wileska.

In the plea agreement, the approximate value of the software was set at $240,000. However, the judge ordered DePayne to pay only about one tenth of that amount as a fine. In Mitnick's case, Judge Pfaelzer set the fine higher, at $4,125, but still significantly lower than the prosecution's suggested restitution of $1.5 million.
@HWA

15.0 Videon Suffers Second Intrusion
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by r@ven

Videon Internet, based in Winnipeg Canada, has suffered its second major intrusion in one week. Sensitive account information, including e-mail passwords, evidently was compromised. A complaint has been filed with the Winnipeg Police Service's commercial crimes unit. The company has shut down their email server "for the security of Videon customers".

Winnipeg Free Press
http://205.200.191.20/cgi-bin/LiveIQue.acgi$rec=4241?local

Videon security blown again

Customers without e-mail after latest hack attack

Sun, Dec 5, 1999

By Paul McKie
Staff Reporter

THOUSANDS of Videon customers who pay a premium price for high-speed Internet access are without e-mail today after another hacker broke into the system.

Videon general manager Debra Jonasson-Young confirmed the company was once again the victim of a hacker who had access to sensitive account information, including e-mail passwords.

"We were hacked last week. This is a different hack. I want to make it perfectly clear -- we were hacked both times," said Jonasson-Young.

The second security breach was discovered Friday afternoon and a complaint has been filed with the Winnipeg Police Service's commercial crimes unit, Jonasson-Young said.

A decision was made to shut down the @Home e-mail server at 1:30 a.m. yesterday for the security of Videon customers. Jonasson-Young said she didn't know how long the server would be down. Customers still have web access, however, and can continue to surf the Internet.

She said Videon is continuing to work with an outside security agency to remedy the situation and has been advised not to bring the server back up until it is secure. She couldn't say when the e-mail server would be operational again.
One Videon customer, who requested anonymity, said he was astounded when he discovered the Videon Internet system had been hacked again and he hadn't been warned.

"A week ago when it happened, they promised it would never happen again," he said.

The customer, one of 2,700 who use the service, called Videon yesterday to get his new password after his old password was compromised.

"The lady said she was sorry, another breach had happened," he said. "There are just too many things Videon does wrong . . . they're pretty screwed up over there."

Jonasson-Young said cable-modem customers were informed of the latest breach when they called in yesterday. But she said Videon was also beginning a call-out campaign to affected users. She said that last week the company e-mailed customers, but that wasn't an option this time with the mail server down.

She noted the Internet is a public-domain area that presents a myriad of security problems. "There's always a risk that something can happen, no matter what kind of line you're on," Jonasson-Young said.

Videon's competitors beg to disagree.

Reg Parkin, corporate security manager for Manitoba Telecom Services, agreed that when word gets out that a site has been hacked, others will always try it again.

However, Parkin said that at MTS, where Internet access is through phone lines, personal information is kept in a different site not accessible through the Internet. He said the trick to security is having several layers, like an onion skin, so that if any one layer is stripped away, there's still protection in place.

"I don't recall there ever being a breach. There have been attempts," he said.

Videon isn't the only victim of hackers. Last summer, the mighty Microsoft had its Hotmail system, with 50 million users, infiltrated. Parkin said that because of such incidents, security has to be constantly evolving.

"It's more vigilance. If you wait for something to happen and react to it, you're in trouble," he said.
Jonasson-Young said she's aware of the knocks against Videon and the company is trying to correct them. "We're under the spotlight right now; we recognize that."

But she said people must also recognize that both the company and the customers are victims. "It's been a crime perpetrated against us," she said.

@HWA

16.0 GSM Phones No Longer Secure
~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by C0nd0r

Alex Biryukov and Adi Shamir, two Israeli researchers, have discovered design flaws in the algorithm A5/1 which is present in digital GSM phones. This algorithm is used in phones made by Motorola, Ericsson, and Siemens. Over 330 million GSM phones are in use around the world. While this research does indicate how the encryption may be broken, actually intercepting that signal is not explained.

Wired
http://wired.lycos.com/news/print/0,1294,32900,00.html

Cell Phone Crypto Penetrated

by Declan McCullagh
10:55 a.m. 6.Dec.1999 PST

Israeli researchers have discovered design flaws that allow the descrambling of supposedly private conversations carried by hundreds of millions of wireless phones.

Alex Biryukov and Adi Shamir describe in a paper to be published this week how a PC with 128 MB RAM and large hard drives can penetrate the security of a phone call or data transmission in less than one second.

The flawed algorithm appears in digital GSM phones made by companies such as Motorola, Ericsson, and Siemens, and used by well over 100 million customers in Europe and the United States. Recent estimates say there are over 230 million users worldwide who account for 65 percent of the digital wireless market.

Although the paper describes how the GSM scrambling algorithm can be deciphered if a call is intercepted, plucking a transmission from the air is not yet practical for individuals to do.
James Moran, the fraud and security director of the GSM Association in Dublin, says that "nowhere in the world has it been demonstrated --an ability to intercept a call on the GSM network. That's a fact.... To our knowledge there's no hardware capable of intercepting."

The GSM Association, an industry group, touts the standards as "designed to conform to the most stringent standards of security possible from the outset [and] unchallenged as the world's most secure public digital wireless system."

Not any more.

Shamir says the paper he co-authored with a Weizmann Institute of Science colleague in Rehovot, Israel, describes a successful attack on the A5/1 algorithm, which is used for GSM voice and data confidentiality. It builds on the results of previous attempts to attack the cipher.

"It's quite a complex idea, in which we fight on many fronts to accumulate several small improvements which together make a big difference, so the paper is not easy to read or write," Shamir, a co-inventor of the RSA public key crypto system in 1977, said in an email to Wired News.

A group of Silicon Valley cypherpunks has organized previous efforts to highlight what they view as the poor security of GSM encryption standards. In April 1998 they reported that it was possible to clone a GSM phone, which the US Cellular Telecommunications Industry Association dismissed as more theoretical than practical. The North American GSM Alliance similarly dismissed cloning as a serious threat in a statement.

Earlier this year, the group, which includes Marc Briceno, Ian Goldberg, and David Wagner, described how to penetrate the less-secure GSM A5/2 algorithm used in some Pacific rim countries in less than a second. In May 1999 they released the source code to A5/1, which the Weizmann Institute computer scientists used in their analysis of the cipher.
"Because of Biryukov and Shamir's real-time attack against A5/1 and our group's 15 millisecond attack against A5/2, all the GSM voice privacy ciphers used worldwide can be broken by an attacker with just a single PC and some radio hardware," Briceno said.

"Since the voice privacy encryption is performed by the handset, only replacing the handset would address the flaws found in the recent attacks," he said.

The GSM Alliance's Moran said he needed time to review the paper, which has not yet been released. But he said it would be a topic of a discussion at the next GSM security working group meeting on 16 December.

Previously the GSM encryption algorithms have come under fire for being developed in secret away from public scrutiny -- but most experts say high security can only come from published code.

Moran said "it wasn't the attitude at the time to publish algorithms" when the A5 ciphers were developed in 1989, but current ones being created will be published for peer review.

@HWA

17.0 DARPA Looks At Face Recognition Technology
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Weld Pond

Face recognition technology has been around for a while. Cameras mounted on street lamps in a few British cities have been picking faces out of the crowd for over a year. Now DARPA is interested in using this technology in conjunction with other biometric technology such as thermal signature of the blood vessels in the head and the shape of a person's ear to create a more accurate and complete system.
Scientific American
http://www.sciam.com/1999/1299issue/1299techbus5.html

HNN Archive for October 20, 1998
http://www.hackernews.com/arch.html?102098

Defense Technology

SEEN BEFORE

To guard against terrorism, the Pentagon looks to image-recognition technology

In the East London borough of Newham, a surveillance network of more than 200 cameras keeps watch on pedestrians and passersby, employing a facial-recognition system that can automatically pick out known criminals and alert local authorities to their presence. Not surprisingly, civil liberties groups oppose the system--Privacy International, a human-rights group, gave the Newham council a "Big Brother" award last year on the 50th anniversary of the publication of George Orwell's famous novel. The council, however, claims overwhelming support from citizens who are more concerned about crime than about government intrusions.

It could count as one of its supporters the U.S. Department of Defense, which is keeping tabs on the Newham system as well as on other, related technologies. The department hopes that some combination of "biometrics" will vastly improve its ability to protect its facilities worldwide.

For the military, biometrics usually means technologies that can identify computer users by recognizing their fingerprints or voices or by scanning their irises or retinas. But after a terrorist truck bomb blew up the Khobar Towers U.S. military barracks in Saudi Arabia in 1996, killing 19, the Pentagon elevated to the top of its priority list the need for "force protection"--namely, keeping troops abroad safe from attack. That spurred the Defense Advanced Research Projects Agency, essentially a Pentagon hobby shop, to action.
Building on some ongoing work with video surveillance and modeling techniques, as well as on commercial (but still experimental) technologies such as those used to identify automatic-teller machine customers by scanning their faces, DARPA set out to investigate the potential for a network of biometric sensors to monitor the outsides of military facilities. The result is a program known as Image Understanding for Force Protection (IUFP), which the agency hopes to get started in 2001. Described by the Pentagon as "an aggressive research and development effort," IUFP is supposed to improve site surveillance capabilities by "creating new technologies for identifying humans at a distance."

Biometric systems in use with ATM machines and computers have two advantages over what DARPA has in mind: proximity and cooperation. For military purposes, biometric sensors and networks must be able to "see" and identify subjects from distances of between 100 and 500 feet--subjects who probably don't want to be identified. In addition, they must be capable of picking faces out of crowds in urban environments, keeping track of repeat visitors who, according to DARPA's George Lukes, "might be casing the joint," and alerting users to the presence of known or suspected terrorists. Databases could even be shared by different facilities, informing security officials, for example, that the same person is showing up repeatedly near different potential targets.

The software behind Newham's anticrime system that has drawn DARPA interest is called FaceIt, from New Jersey-based Visionics Corporation. FaceIt scans the visages of people and searches for matches in a video library of known criminals. When the system spots one of those faces, the authorities are contacted. A military version might work the same way.
Over the past year, according to a DARPA document recently sent to Congress, "several new technical approaches have been identified" that could provide improved face recognition at longer distances, as well as extend the range of iris-recognition systems. DARPA believes, however, that combining several types of technologies could form a network that is more capable than a single system. New concepts it is exploring include the thermal signature of the blood vessels in the head, which some researchers suspect is as unique to a person as his or her fingerprints; the shape of a person's ear; and even "the kinetics of their gait," in DARPA's words. "There are some unique characteristics to how people move that allow you to recognize them," explains DARPA's David Gunning.

After conducting a "thorough analysis" of existing technologies, the agency says it is "ready to begin immediately with the new developments." The Pentagon hopes to spend $11.7 million in 2000 on the IUFP program--a good deal of money for a DARPA effort.

The potential for an integrated network of identification techniques has understandably generated significant interest among defense and intelligence agencies that are prime targets for terrorists. "There's a lot of enthusiasm," Gunning says--after all, through the marriage of recognition systems and surveillance technologies, DARPA thinks it has a handle on how to keep track of "one of the few detectable precursors" to terrorist attacks.

--Daniel G. Dupont

@HWA

18.0 More Info On the Phonemasters Revealed
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Maggie

They were arrested almost five years ago but the massive inroads made into the nation's telecommunications systems are only now becoming fully clear. The Phonemasters coordinated what is being called one of the largest computer intrusion schemes in U.S. history.
As the case finally draws to a close and the various members of the group receive their sentences a few new tidbits of information are coming out. (We are still amazed at how little press coverage this case has gotten.)

Union Tribune
http://www.uniontrib.com/news/uniontrib/sun/news/news_1n5hacker.html
(Story has moved, couldn't locate it online - Ed)

HNN Archive for October 4, 1999
http://www.hackernews.com/arch.html?100499

@HWA

19.0 Proactive AntiVirus Software Now Available
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Weld Pond

Finjan Software has introduced a proactive first-strike security solution, SurfinShield Corporate, which claims to block worms and other malicious code by monitoring the behavior of programs rather than relying on a known virus signature. By using a proactive monitoring technique to 'sandbox' programs and monitor their behavior SurfinShield can instantly block programs that violate a security policy, such as attempting to delete a user's files.

PR Newswire
http://library.northernlight.com/FB19991206040000127.html?cb=0&dx=1006&sc=0#doc

Finjan Software
http://www.finjan.com/

TROJAN WORM ATTACKS CLOUD THE FUTURE OF REACTIVE ANTI-VIRUS SOFTWARE

FINJAN'S PROACTIVE FIRST-STRIKE SECURITY SOFTWARE STOPS MALICIOUS CODE By Monitoring Code Behavior and Requires No Database Updates

Story Filed: Monday, December 06, 1999 7:30 AM EST

SAN JOSE, Calif., Dec 6, 1999 /PRNewswire via COMTEX/ -- As last week's MiniZip worm proved, current anti-virus software technology is not able to protect users from first-strike attacks by malicious code in the Internet age. Compression or "packer" tools such as NeoLite can be used to change the signature of known Trojan horse programs, making them invisible to anti-virus software. Finjan Software's proactive first-strike security solution, SurfinShield Corporate, blocks worms such as MiniZip by monitoring the behavior of programs rather than relying on a known virus signature.
"If you take the ten-thousand plus known Trojans multiplied by the ten or more available compressor utilities, you're looking at more than 100,000 Trojan horses that can pass right through anti-virus software today -- without writing a single new attack," said Bill Lyons, president and CEO of Finjan Software, Inc. "Without a doubt, whether it's MiniZip 2 or a new Trojan worm, more of these types of attacks are coming."

Compression Tools

Packers are legitimate compression tools that can compress windows executable (".EXE") files, much like how people use the well-known WinZip product to compress document or graphics files before e-mailing. However, with these packer tools, the resulting compressed executable will bypass any static anti-virus scanning engine because the virus signature is changed and the anti-virus software will not recognize it.

There are dozens of commercial and free compression tools that can be used to hide known Trojan horses and worms from anti-virus software, including AS-pack, PECompact, Petite, PKLite, NeoLite, Shrinker and WWpack32.

The real risk is that anyone now can take one of these packer tools and easily develop new attacks with known Trojan horse programs. With easy to use "point and click" interfaces, there is no more need for programming skills. One simply takes an old attack, compresses it with the packer tool of choice and creates a brand new attack.

Why Anti-Virus is Not Enough

Millions of dollars can be lost due to deleted files and lost productivity in the first 24 hours when a malicious code attack first strikes. Anti-virus companies and security experts agree that anti-virus software cannot stop these new types of attacks:

"The problem with anti-virus software is that it's inherently reactive," said Dan Schrader, vice president of new technology at Trend Micro Inc. "We have artificial intelligence for identifying viruses, but virus writers are good at getting around heuristics."
(source: Computerworld)

Sal Viveros, Network Associates, Inc. marketing manager insisted no available anti-virus product could have detected MiniZip. "It is impossible to detect beforehand all the different variables out there they use to write a malicious attack," said Viveros. (source: Computerworld)

"We're at a turning point right now," said Carey Nachenberg, chief scientist for the Symantec Anti-virus Research Center. "We need to re-examine our anti-virus software, and companies need to re-examine their anti-virus strategies." (source: ZDNet News)

"The pattern matching security offered by most anti-virus software providers is antiquated. It's akin to practicing medicine with leeches," said Dr. Gary McGraw, vice president of corporate technology at Reliable Software Technologies. "To be truly effective, modern security approaches must be proactive, not reactive."

New Approach Needed: First-Strike Security

Finjan's SurfinShield Corporate software uses a proactive monitoring technique to "sandbox" programs and monitor their behavior and instantly block programs that violate a security policy, such as attempting to delete a user's files. Finjan's product acts as a filtering mechanism between a PC's operating system and the program, to monitor and block malicious behavior.

"By itself, anti-virus software is not an effective defense against new attacks because of its reactive nature," said Donna Slattery, security analyst with The Hurwitz Group. "Companies should supplement their anti-virus protection with proactive solutions like Finjan's first-strike security software."

Finjan educated its customers and partners this morning about compression tools (alert is below).

About Finjan Software

Finjan Software is the leader in First-Strike Security(TM) software, delivering proactive security solutions that protect companies and computer users from first-strike malicious code attacks.
Finjan allows companies to conduct e-business and e-commerce safely with best-of-breed security products that enforce multiple lines of defense and protect critical data. Finjan is a privately held company based in San Jose, Calif. For more information, visit www.finjan.com.

Finjan Software, Inc.
Compression Tools Alert
12/6/99

Finjan customers and partners,

As MiniZip showed us last week, compression and packer tools are now being used to pass Trojan executable files through anti-virus software and successfully launch new attacks. We thought it might be helpful to show you what we've found out about these tools.

Compression Tools (aka "Packers")

OVERVIEW

Compression tools or "packers" can compress windows executable (".EXE") files much like the well-known WinZip product. The resulting compressed executable will bypass any static anti-virus scanning engine (because the virus signature is compressed). However, these programs allow a compressed file to decompress and run automatically without requiring the same utility to open it.

MiniZip Worm was a "packed" version of the ExploreZip worm that struck in June 1999. The only difference is that MiniZip was compressed with a commercial utility called NeoLite. NeoLite is a publicly available "point and click" software program ($25) that can be used to "cloak" known Trojan executables.

There are many different commercial and free packers available on the Web, including:

ASPack
Cexe
PECompact
PE-Pack
Petite
PKLite
Shrinker
UPX
WWpack

With an estimated 10,000-plus known Trojan horses, times a minimum of 10 packer tools, hackers can select from more than 100,000 Trojans to create new attacks that may bypass your anti-virus software. And with these easy to use compression tools, it no longer requires programming experience to create new attacks.

It appears that the immediate reaction by anti-virus vendors to stop MiniZip is to block the NeoLite pattern.
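The detection side of the packer problem the alert describes, as an added example that is not Finjan's code or the page's own: a toy static signature scanner, a stand-in packer built on zlib behind a constructed "PACK" header (a stand-in for NeoLite-style packers, not their real format), and a recursive unwrapper that bounds how many nested layers it will inflate, which is the performance concern the alert raises for "wrappers around wrappers". The sample bytes and the signature are constructed placeholders, not real malware.

```python
import zlib

# Constructed stand-in for a "known Trojan" body: placeholder bytes, not real malware.
KNOWN_SAMPLE = (
    b"MZ" + b"\x00" * 14
    + b"CONSTRUCTED-SAMPLE-BODY: delete user files"
    + b"\x90" * 64
)

# Constructed signature database: the byte pattern a static scanner matches on.
SIGNATURES = {"constructed-sample": b"CONSTRUCTED-SAMPLE-BODY"}

# Toy packer format (constructed): a 4-byte magic followed by a zlib stream.
PACK_MAGIC = b"PACK"


def pack(data: bytes) -> bytes:
    """Stand-in for a packer: compress the body behind a small stub header.
    The original bytes no longer appear literally, so a pattern scan misses them."""
    return PACK_MAGIC + zlib.compress(data, 9)


def pack_n(data: bytes, layers: int) -> bytes:
    """Apply the packer repeatedly: the 'wrappers around wrappers' case."""
    for _ in range(layers):
        data = pack(data)
    return data


def is_packed(data: bytes) -> bool:
    return data.startswith(PACK_MAGIC)


def unpack(data: bytes) -> bytes:
    return zlib.decompress(data[len(PACK_MAGIC):])


def static_scan(data: bytes):
    """Pattern-only scan: returns the matching signature name, or None."""
    for name, pattern in SIGNATURES.items():
        if pattern in data:
            return name
    return None


def recursive_scan(data: bytes, max_layers: int = 8):
    """Unwrap packer layers before scanning, with a depth bound so a deeply
    nested file cannot turn one scan into unbounded decompression work.
    Returns (verdict, layers_unwrapped, bytes_inflated)."""
    layers = 0
    inflated = 0
    while is_packed(data) and layers < max_layers:
        try:
            data = unpack(data)
        except zlib.error:
            break  # corrupt or unknown stream: scan whatever we already have
        layers += 1
        inflated += len(data)
    return static_scan(data), layers, inflated


if __name__ == "__main__":
    packed = pack(KNOWN_SAMPLE)
    print("plain sample     :", static_scan(KNOWN_SAMPLE))
    print("packed, static   :", static_scan(packed))
    print("packed, unwrapped:", recursive_scan(packed))
    print("8 layers, bound 4:", recursive_scan(pack_n(KNOWN_SAMPLE, 8), max_layers=4))
```

The last call shows the trade-off the alert points at: with the depth bound exhausted the file is still wrapped, so the signature scan reports nothing even though the inner body is known.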
Finjan believes that there may be legal issues with regards to blocking commercial applications from operating at the desktop. Unfortunately, the only approach that is plausible, based on present AV technology, may be to spot the NeoLite or other compression pattern, decompress, and compare the result to the original pattern (e.g., ExploreZip). A major problem, however, comes from recursive attacks; that is, wrappers around wrappers, where a Trojan worm is packed multiple times with other packers. The negative effect of resolving and analyzing such files is a massive performance hit. That's why we believe that behavior blocking is the more appropriate answer.

HOW TO PROTECT YOURSELF

Supplement your anti-virus software with first-strike security solutions. Finjan's SurfinShield Corporate will protect users from new "packed" Trojan executables through its proactive monitoring technology that "sandboxes" executables and blocks any executable program that violates security policies. By monitoring actual code behavior, Finjan's SurfinShield Corporate protects PCs without requiring users to download any software patch or pattern update.

SOURCE Finjan Software

(C) 1999 PR Newswire. All rights reserved.
http://www.prnewswire.com

CONTACT: Sharon Sim-Krause of Shandwick International, 650-596-5880, ext. 4278, or skrause@shandwick.com, for Finjan Software; or Dave Kroll of Finjan Software, 408-324-0228, ext. 307, or dave@finjan.com

WEB PAGE: http://www.finjan.com

GEOGRAPHY: California
INDUSTRY CODE: CPR MLM

Copyright © 1999, PR Newswire, all rights reserved.

@HWA

20.0 South African Web Pages Defaced
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Zilly

The website of the SA Police Service (SAPS) along with a dozen other local sites was defaced last Sunday. The SAPS said it believed security measures were sufficient to prevent access to confidential information.
The South African Law Commission is working on a new computer crimes act which is expected to have proposals for this sort of crime.

Business Day
http://WWW.BDAY.CO.ZA/99/1206/news/news2.htm

Hackers deface police website with obscenities

Simphiwe Xako

COMPUTER hackers claiming responsibility for two recent attacks on Statistics SA's website have vandalised several other internet pages, including the website of the SA Police Service (SAPS).

The hackers, operating under the name "B1nary Outlawz", alerted newspapers to their most recent attacks with e-mail messages yesterday, one of which contains obscenities directed at Telkom. These messages characterised the attacks on the Stats SA website.

"SA Police website hacked by B10Z - www.saps.co.za. Another high-profile hack by the B10Z crew … www.statssa.gov.za, www.eskom.co.za, www.saps.co.za," one e-mail said.

Text and links on the default page of the SAPS website were replaced by obscenities directed at the police. The SAPS insignia was distorted and the hackers' insignia superimposed on it. About a dozen other locally-based websites were targeted in a similar way.

A Telkom representative, who asked not to be named, said she did not believe the hackers had anything against Telkom in particular, but targeted large companies in general.

"This is a case of juvenile (delinquents seeking) approval. You can even see (it in) the type of language they use," she said.

The SAPS could not confirm the extent of the attack on its website last night, but said it believed security measures were sufficient to prevent access to confidential information.

Supt Welma Nortje of the SAPS's management services said: "We have a daily backup system to ensure that information remains highly confidential." Detectives would investigate the attack and trace the culprits.

The SA Law Commission is working on a discussion document on a new computer crimes act which is expected to include proposals on ways of dealing with computer hackers.
@HWA

21.0 Not Just a Game Anymore
~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Brian Martin

The response to Brian Martin's previous article Is it Worth It proved so overwhelming that a more thorough article was warranted. This time Mr. Martin takes an in depth look at just what laws apply and who investigates web page defacements.

Buffer Overflow
http://www.hackernews.com/orig/buffero.html

Not Just a Game Anymore

By: Brian Martin

This is a followup to a previous article titled Is it worth it? Dispelling the myths of law enforcement and hacking, released on November 22, 1999 via Hacker News Network. Included with this article are several sanitized copies of various documents pertaining to computer crime investigations. Names, dates and locations have been changed. Some of the information in this article may be a bit redundant from the last article, but is done in order to present a self standing article that is as complete as possible. Some of the links to agency homepages have been changed to point to their true home page, not just the system hosting the page.

Topics:

More on Search and Seizure
The Search
The Seizure
Statute of Limitations
What exactly is illegal?
More on Punishment

Investigating Agencies:

Federal Bureau of Investigations (FBI)
Defense Criminal Investigative Service (DCIS)
NASA Office of the Inspector General (NASA OIG)
Naval Criminal Investigative Service (NCIS)
U.S. Army Criminal Investigation Command (USACIDC)
Royal Canadian Mounted Police (RCMP)
Defense Computer Forensic Laboratory (DCFL)

Appendix and Additional Information

A - Search and Seizure Warrant
B - Search and Seizure Warrant, Attachment A (apartment)
C - Search and Seizure Warrant, Attachment A (colocated machine)
D - Search and Seizure Warrant, Attachment C
E - Warrant for Arrest
F - Indictment
G - USDOJ Press Release

More on Search and Seizure

Before any Law Enforcement (LE) officer/agent may step foot in your place of living, they must obtain a search warrant that gives them explicit permission to do so. The warrant will list the physical address of the premises to be searched, a description of the establishment, a time frame for the search and seizure, and a list of acceptable material that may be seized. The warrant is likely to be issued by your District Court to the agent in charge of the investigation.

Rather than explain each part of the search and seizure warrant, I have included a sanitized version of one with this article. From my experience and communication with others, the warrant included can be taken as a very typical and standard version used throughout the U.S. Appendix A includes the first page of the warrant which details the premises to be searched, dates, who will conduct the seizure and more. Appendix B is a copy of Attachment A which is a wordy description of the premises to be searched. Appendix C is a copy of Attachment C which lists all material covered under the search and seizure guidelines.

Appendix A - Search and Seizure Warrant
Appendix B - Search and Seizure Warrant, Attachment A (apartment)
Appendix C - Search and Seizure Warrant, Attachment A (colocated machine)
Appendix D - Search and Seizure Warrant, Attachment C

Some notes and observations about the material contained in Appendix A.
Outlined on the warrant, the agents may conduct the search and seizure either between the hours of 6:00am - 10:00pm, OR "at any time in the day or night as I find reasonable cause has been established". One of the two options should be struck through and initialed by the Judicial Officer. Also included is a date that the search must be executed by.

The Search

Being subjected to an FBI search and seizure is an interesting experience to say the least. No official wording on any warrant can come close to explaining the experience. Typically arriving at your residence between 6:00 and 8:00am, almost a dozen agents are ready to toss your apartment to fulfill the warrant. After being greeted at gunpoint and your residence secured, the agents will mark each room with a Post-it note and number. These numbers correspond to the receipt they leave you detailing what material was taken from each room.

In keeping with standard search and seizure practice, not much is left unturned. Some of the places you can expect the agents to search:

  Under the bed, between the sheets, between the frame/box
  Behind each and every hanging picture, especially framed
  Under/Behind dressers and furniture
  In the reservoir of your toilet
  Any attic or crawl space
  Every drawer, cupboard, container, shelf or other storage area
  Inside the refrigerator/freezer
  Under/Inside any cushion with removable insides
  Between the pages of books
  In air vents or other commonly used places to conceal items

If this does not help paint a picture that agents are rather thorough, let me clear it up. They are quite thorough. Do they find everything? Not all the time. In some cases agents even miss items out in the open that they might normally take. To balance this, they almost always take a considerable amount of material that is completely irrelevant or esoteric. For the most part, you can also dismiss any notions you may have about hiding items before the raid.
When they knock on the door, they will not give you time to do anything short of opening the door and complying with their demands. If they have any idea that you may be destroying evidence, they are empowered with the ability to forcibly enter your residence, physically detain you, and carry on.

The search and seizure will not be short by any means. You can expect it to last anywhere from a few hours to a full day. During this time you will be questioned by a number of agents regarding anything and everything they might think to ask. I don't know if it is intentional and designed to throw you off, but they may ask extremely bizarre questions that lead you to wonder about their intelligence. During this questioning do one of two things:

  1. Refuse to answer ALL questions until your lawyer is present.
  2. Answer questions honestly.

Lying to law enforcement agents may seem like a clever thing to do at the time, but it is much more likely to hurt you in the long run. If caught in a single lie during questioning, it will further encourage the agents to question you more. They also have the option of charging you with obstruction of justice if so inclined. When an agent gets it through their head that you are guilty, it is bad news for you regardless of your guilt or innocence.

It is extremely important that you realize your rights. UNDER NO CIRCUMSTANCE do you have to answer questions without the presence of your lawyer. No matter what the LE agent says, suggests, or implies, this is a fundamental right. In many cases, raid victims are not being charged with a crime. Because of this, their rights are not read to them. Just because you aren't under arrest does not mean those rights are waived! The courts have recently found that police can be sued if they discourage raid victims from consulting a lawyer. More on this ruling can be found in this Washington Post article.

The Seizure

What can LE Agents take from you? EVERYTHING. You can't argue about it either.
While they may take material that is not explicitly covered under the warrant and may later be forced to give it back to you, that doesn't help you when they are rummaging through your house. Re-read the list of material that is covered under Attachment C again and think about how broad it is. It is safe to say that absolutely anything remotely computer related is covered under the warrant. There are a few things that are also covered under the guidelines that tend to surprise people when confiscated.

  "electronic organizers": these include ones with mini keyboards like the Sharp organizers, as well as touch screen like Palm Pilots.

  "personal diaries": even your little black journal detailing sexual exploits, or a notepad with poetry.

  "books, newspaper, and magazine articles concerning hacking": this includes ANY computer book in your residence. Newspapers or magazines that have security or hacker articles are included.

  "cassette tapes, video cassette tapes, and magnetic tapes": If it isn't a store bought tape, it is subject to seizure. Doesn't matter if it contains episodes of the Beavers or pornography.

  "fax machines": despite a fax machine typically not having the ability to store information long term, it is fair game.

  "indicia of occupancy or tenancy..": Any paperwork or proof that you own or rent your place. Any sales receipts, billing records or anything else close.

  "other items ... in violation of Title 18..": Perhaps the worst listing of them all, this allows them to take just about anything else they may deem necessary.

Statute of Limitations

Another often asked question is how long the feds can investigate you. As long as they want. For most cases, LE can investigate a crime for up to five years after it was committed. This is known as the Statute of Limitations and means how long they can investigate and press charges against you for the crime. Hypothetically that is. If the crime is serious, several agents have assured me that the U.S. Government will find a way to stretch that timeframe. Regardless, if the agents have not made a case against you, the government attorneys will not press charges. Even so, you can expect them to hold onto any seized equipment until the conclusion of their investigation. If they go so far as seizing equipment and not pressing charges, you can expect to get your stuff back 1,825 days after it was taken, just to spite you.

What exactly is illegal?

Thanks to the vague (or was it intentional?) wording of the Title 18 laws, several actions you may consider harmless could fall into murky legal territory. As a DCIS agent recently said in a conversation about the last article, "Even if you telnet to a machine and type anything in, that can be attempted intrusion!". As fascist as that may sound, it is true. Any activity or connections to a remote machine without authorization may be illegal. Because it is partially based on intent and partially based on your activities, this is still somewhat uncharted territory. While it is highly unlikely you will be charged for portscanning a machine, repeated poking at an open port could be enough to spark interest in your activities.

Another term often used by agents and lawyers is "illegal access device" (IAD). What has turned into another all encompassing term, this can be used for a wide variety of things in a case against you. Some of the few things that fall into this category:

  login/passwd: Any login and password for any type of system be it unix, VAX/VMS, voice mail or something else.

  ESN/MIN: Cloning cell phones is illegal as you know, but each ESN/MIN pair counts as one IAD.

  CC/Exp: Each Credit Card w/ Expiration Date. Remember, it takes both pieces to purchase anything.

  Access keycard: Find an access device in the dumpster? Pick it up after someone dropped it? This allows access (illegally) into a building.
  Employee ID: Like an access keycard, these are often used to bypass controlled access points or visual checks at guard desks.

Consider that when some hackers are busted, they are caught with a list of thousands of logins and passwords to systems around the world. Disturbing to think that each one can be used as a felony charge against you. When federal agents hold up to a thousand felony charges over your head, it is often enough to make you want to cut a deal. This is one reason that strong encryption is the friend of hackers.

More on Punishment

The punishment for hacking crimes is growing. Convicted hackers five years ago could expect a light slap on the wrist, a few hours of community service, and not much else. These days, a single felony count of computer hacking can lead to 15 months in jail along with restitution in the tens of thousands of dollars.

Looking at a verbose list of restrictions placed on Kevin Mitnick, examine them closely and consider what they really entail. While the following restrictions may not be applied to every case, consider that they have been applied to one convicted hacker. Further consider that as such, these restrictions may be used as case law in future court hearings. The following restrictions are taken from a larger document concerning Kevin Mitnick and the restrictions.

http://www.kevinmitnick.com/081898writ.html#release_conditions

  A. Absent prior express written approval from the Probation Officer, the Petitioner shall not possess or use, for any purpose, the following:
     1. any computer hardware equipment;
     2. any computer software programs;
     3. modems;
     4. any computer related peripheral or support equipment;
     5. portable laptop computer, 'personal information assistants,' and derivatives;
     6. cellular telephones;
     7. televisions or other instruments of communication equipped with on-line, internet, world-wide web or other computer network access;
     8. any other electronic equipment, presently available or new technology that becomes available, that can be converted to or has as its function the ability to act as a computer system or to access a computer system, computer network or telecommunications network (except defendant may possess a 'land line' telephone);

  B. The defendant shall not be employed in or perform services for any entity engaged in the computer, computer software, or telecommunications business and shall not be employed in any capacity wherein he has access to computers or computer related equipment or software;

  C. The defendant shall not access computers, computer networks or other forms of wireless communications himself or through third parties;

  D. The defendant shall not act as a consultant or advisor to individuals or groups engaged in any computer related activity;

  E. The defendant shall not acquire or possess any computer codes (including computer passwords), cellular phone access codes or other access devices that enable the defendant to use, acquire, exchange or alter information in a computer or telecommunications database system;

  F. The defendant shall not use any data encryption device, program or technique for computers;

  G. The defendant shall not alter or possess any altered telephone, telephone equipment or any other communications related equipment.

Imagine being subjected to these restrictions for a period of THREE years. Not only does your primary hobby go away, your means for stable income are at serious risk. Think of every job you could hold with these restrictions and life does not look so pleasant. Even working at Taco Bell requires the use of computerized registers. Telemarketing and other menial tasks that once were viable methods of income also go away. Jobs that consist mostly of physical labor become about the only option left to you. Don't forget, many companies will not hire convicted felons, even for physical labor.
Court ordered restitution will be a new world of difficulty. Many people fail to realize that not only are restitution amounts fairly significant, but they must be paid back in a timely fashion. Oh yeah, remember that you are not likely to hold a job that pays more than six bucks an hour. So how much is US$50,000 when it comes down to it? Consider that you might be able to earn US$25,000 a year if you are fortunate. Giving up your entire salary would allow you to pay it off in two years. If you can live off of US$15,000 (poverty level), you could then pay back the restitution in only five years. Five years of living at a poverty level.

Is defacing a web page and putting up a message "hackerX 0wnz j00" REALLY worth it?

@HWA

22.0 Y2K Fix Really An Extensible Worm
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Evil Wench

W95.Babylonia seems to be a breakthrough in virus/worm technology. It is the first known 'extensible worm' which allows the author, or anyone else, to remotely change the capabilities of the software after infection. According to Symantec, the virus was authored by a group calling itself the 29A (666 in hex) virus writing group. The primary means of infection so far has been through IRC where it poses as a fix to the Y2K bug. More than 20 instances of infection have been reported so far. There have been four plug-ins discovered that the worm can download to extend its capabilities.

Wired
http://wired.lycos.com/news/technology/0,1282,32956,00.html

ZD Net
http://www.zdnet.com/zdnn/stories/news/0,4586,2405495,00.html?chkpt=zdnntop

Wired; Virus Masquerades as Y2K Fix

Wired News Report
2:25 p.m. 7.Dec.1999 PST

Virus fighters warned Tuesday of a new virus that is spreading in online chat rooms disguised as a Y2K bug fix.

Computer Associates and other antivirus software companies said W95.Babylonia is the first "extensible worm" computer virus of its kind and attacks users of Internet Relay Chat (IRC) rooms.
Experts said the virus is uniquely dangerous because its author can alter the damage or data-theft inflicted on a daily basis.

"It is particularly dangerous due to the virus writer's ability to change the virus' payload remotely and after infection," Simon Perry, business manager for CA Security Solutions, said in a statement. "This virus represents a new level of virus capability."

To become infected a user of IRC software need only visit a chat room where the virus is being spread. The virus infects Windows-based computers and can be spread by executing a downloaded file or by another infected machine via MIRC software, an application used to participate in IRC chat rooms.

According to a description on the Computer Associates Web site, the virus begins polling a Web site in Japan every 60 seconds, looking for updates the author has written to extend the capabilities of the virus. The virus can download the updates to infected computers, where it can reformat a hard drive, delete files, or collect sensitive information. The companies report there are currently four plug-ins that the virus can download to extend its capabilities.

Once a user's machine is infected, Babylonia will attempt to infect every executable and help file in the user's Windows environment, said Computer Associates.

Companies offering fixes to prevent the virus from infesting include Computer Associates and Symantec.

According to Symantec, the virus was authored by a group calling itself the 29A virus writing group. More than 20 instances of infection have been submitted to Symantec, the company said in a statement.

-=-

ZDNet; Experts warn of new, updatable virus

W95.Babylonia uses the Web to upgrade itself -- and could pave the way for smarter viruses with heavy payloads.
By Robert Lemos, ZDNet News UPDATED December 8, 1999 7:57 AM PT

Anti-virus firms are warning of a new computer virus that spreads through Internet chat rooms and updates itself automatically with files from the Web. "This is the tip of the iceberg," Eric Chien, senior researcher for anti-virus software maker Symantec Corp., said on Tuesday, stressing that the virus' capacity to upgrade itself makes it a concern. "Virus writers again are using more network-centric ideas to create viruses." Symantec (Nasdaq: SYMC) has only encountered two dozen reports of the virus, dubbed W95.Babylonia, since it was discovered on Friday, Dec. 3. Another security firm, Computer Associates Inc. (NYSE: CA), has only encountered 15 reports so far. Currently, the virus infects executable (.EXE) and help (.HLP) files. While the computer virus has not spread widely and currently has no dangerous payload, anti-virus experts fear that a better-written clone could be more effective in the future. Or, just as bad for users, the virus writer could decide to add a new payload to the virus. Unique in that it looks at a virus-exchange Web site in Japan for updates, Babylonia is actually just an 11KB program that spreads itself when an infected file is opened and transfers updates from the Web when the host machine is online.

Virus downloads four modules

The current version downloads four modules from the Japanese virus-exchange site. The first module is just another copy of the virus, which could update the virus. The second module is a text file that replaces the autoexec.bat file on the host computer with a new one containing the message:

    W95/Babylonia by Vecna (c) 1999
    Greetz to RoadKil and VirusBuster
    Big thankz to sok4ever webmaster
    Abracos pra galera brazuca!!!
    --- Eu boto fogo na Babilonia!

(The last two lines are Portuguese: "Hugs to the Brazilian crowd!!! --- I set fire to Babylon!")

The text identifies the writer as Vecna, who Symantec claims is a member of a Latin American virus group known as 29A (hexadecimal for 666).
The Bubbleboy virus was allegedly created by Zulu, another member of the 29A group. The third module sends an e-mail message to a Hotmail account established to count the number of computers infected by Babylonia. And the fourth module contains code that causes infected users who use mIRC chat software to send a copy of the virus to everyone in the chat room using the DCC file transfer feature of mIRC. In most cases, the chat software will notify the recipients that someone is sending them a file. However, users that have DCC downloading set to "automatic" will receive no notification. Unless the file, which parades as a Y2K bug fix (not coincidentally called Y2k bug fix.exe), is run, the user's computer will not be infected with the virus. However, any or all of these aspects of the virus could change. The writer could add a new set of updates to the Web to change the copies of the virus already infecting users' machines, tweak the methods the virus uses to spread, or even add a destructive payload. "Tomorrow, it could be using Outlook to spread," said Symantec's Chien, referring to a number of recent viruses, including Melissa and ExploreZip, that have spread by sending themselves using Microsoft (Nasdaq: MSFT) Outlook and its address book. Ironically, the ability to update a virus resembles the LiveUpdate technology that Symantec uses to keep its virus scanner in touch with the times. The ability to upgrade is one that has been used by the software industry for a few years to fix applications over the Net. Problematic for home users "At this point, it is a proof of concept," said Narender Mangalam, director of security products for Computer Associates. "It spreads through chat rooms, it will mainly be a problem for home users, who tend to be more lax about security." The current form of the virus can be detected by searching for a file called Babylonia.exe on any questionable computer. 
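The two host indicators the reports give (a dropped file named Babylonia.exe and the replaced autoexec.bat banner quoted above) and the network behaviour CA describes (a poll of one Web site every 60 seconds) are enough for a first-pass check. The following is an added example for this issue, not code from ZDNet, Symantec or Computer Associates: the proxy-log format, the sample log lines, the sample directory tree and the function names are all constructed for the illustration. The beacon check is deliberately general: any client/host pair that keeps a fixed cadence is flagged, not just this worm's 60-second poll.

```python
"""Indicators for a self-updating worm such as W95.Babylonia.

Added example for this ezine; not code from ZDNet, Symantec or Computer
Associates. It checks the two host indicators the reports describe (a file
named Babylonia.exe and the replaced autoexec.bat banner) and the network
behaviour they describe (an HTTP poll to one site every 60 seconds). The log
format, the sample log lines and the sample directory tree are constructed.
"""
import os
import re
import tempfile
from collections import defaultdict
from datetime import datetime

# First line of the banner the reports quote from the replaced autoexec.bat.
AUTOEXEC_MARKER = "W95/Babylonia by Vecna"
# Compared case-insensitively: DOS/Windows 9x file names are not case-sensitive.
DROPPED_FILE = "babylonia.exe"


def find_host_indicators(root):
    """Walk root and return (indicator, path) pairs for both host indicators."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            lower = name.lower()
            if lower == DROPPED_FILE:
                hits.append(("dropped file", path))
            elif lower == "autoexec.bat":
                try:
                    with open(path, "r", errors="replace") as fh:
                        if AUTOEXEC_MARKER in fh.read():
                            hits.append(("autoexec banner", path))
                except OSError:
                    pass                 # unreadable file: skip, do not abort the scan
    return hits


# Constructed proxy log format: "<ISO timestamp> <client> GET <host>[/path]".
LOG_LINE = re.compile(r"^(\S+) (\S+) GET (\S+?)(/\S*)?$")


def find_beacons(lines, period=60, tolerance=2, min_hits=5):
    """Return {(client, host): total_requests} for pairs that made at least
    min_hits consecutive requests spaced period +/- tolerance seconds apart.
    Ordinary browsing rarely keeps a fixed cadence; a 60-second update poll does.
    """
    times = defaultdict(list)
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue                     # skip lines that do not fit the format
        ts, client, host, _path = m.groups()
        times[(client, host)].append(datetime.fromisoformat(ts))
    beacons = {}
    for key, stamps in times.items():
        stamps.sort()
        run = 1
        for earlier, later in zip(stamps, stamps[1:]):
            gap = (later - earlier).total_seconds()
            run = run + 1 if abs(gap - period) <= tolerance else 1
            if run >= min_hits:
                beacons[key] = len(stamps)
                break
    return beacons


# Constructed sample: 10.0.0.5 polls the update site every 60 s (with small
# jitter); 10.0.0.9 browses a news site at irregular intervals.
SAMPLE_LOG = [
    "1999-12-07T10:00:00 10.0.0.5 GET update.example.jp/plugins/list.txt",
    "1999-12-07T10:01:00 10.0.0.5 GET update.example.jp/plugins/list.txt",
    "1999-12-07T10:02:01 10.0.0.5 GET update.example.jp/plugins/list.txt",
    "1999-12-07T10:03:00 10.0.0.5 GET update.example.jp/plugins/list.txt",
    "1999-12-07T10:03:59 10.0.0.5 GET update.example.jp/plugins/list.txt",
    "1999-12-07T10:05:00 10.0.0.5 GET update.example.jp/plugins/list.txt",
    "1999-12-07T10:00:12 10.0.0.9 GET www.example.com/",
    "1999-12-07T10:00:45 10.0.0.9 GET www.example.com/news.html",
    "1999-12-07T10:03:10 10.0.0.9 GET www.example.com/sports.html",
    "1999-12-07T10:04:10 10.0.0.9 GET www.example.com/weather.html",
    "1999-12-07T10:05:10 10.0.0.9 GET www.example.com/index.html",
    "1999-12-07T10:06:10 10.0.0.9 GET www.example.com/",
]


def build_sample_tree():
    """Create a constructed Windows-9x-like tree carrying both indicators; return its path."""
    root = tempfile.mkdtemp(prefix="babylonia_demo_")
    os.makedirs(os.path.join(root, "WINDOWS", "SYSTEM"))
    with open(os.path.join(root, "AUTOEXEC.BAT"), "w") as fh:
        fh.write("@echo W95/Babylonia by Vecna (c) 1999\n")
    for rel in (("WINDOWS", "SYSTEM", "BABYLONIA.EXE"), ("WINDOWS", "NOTEPAD.EXE")):
        with open(os.path.join(root, *rel), "wb") as fh:
            fh.write(b"MZ")              # placeholder bytes, not a real executable
    return root


if __name__ == "__main__":
    for kind, path in find_host_indicators(build_sample_tree()):
        print(f"{kind}: {path}")
    for (client, host), n in find_beacons(SAMPLE_LOG).items():
        print(f"beacon: {client} -> {host} ({n} requests on a 60 s cadence)")
```

The min_hits threshold is what separates a poll from a coincidence: with the sample above, the browsing host happens to make three requests a minute apart, so lowering the threshold to four flags it too. Pick the threshold from your own traffic, not from the worm's period.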
In addition, computers that show the aforementioned message at start up should be considered infected. Just remember, however: Tomorrow, all bets are off -- the symptoms could change. @HWA 23.0 Distributed DoS Attacks Becoming Popular ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by Weld Pond New Denial of Service tools, such as Trinoo and TFN, have security experts concerned. These new tools can launch a crippling attack on an Internet server with an overwhelming number of requests from several machines at once. CERT plans to release a report on this 'distributed attack' method later this week. Currently there is no simple fix or patch. USA Today http://www.usatoday.com/usatonline/19991207/1723034s.htm (Document not found - Ed) @HWA 24.0 FBI to Remain on Alert Over Y2K ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by Turtlex Michael Vatis, director of the FBI's National Infrastructure Protection Center (NIPC), has said that the FBI would be on alert during the new year changeover. He explained that agents would be looking for malicious activities directed against Internet sites although they had no hard evidence of any planned attacks. (Hmmm, I think the key words here are "no hard evidence".) Reuters - Via Excite News http://news.excite.com/news/r/991207/11/net-internet-fbi FBI Official Says Primed for Y2K Internet Malice Updated 11:29 AM ET December 7, 1999 LONDON (Reuters) - U.S. federal agents are prepared for malicious attacks on Internet web sites under cover of any broader confusion during the transition to the new millennium, a senior official said Tuesday. Michael Vatis, director of the FBI's national infrastructure protection center, told a meeting of international business representatives and legal officials the bureau would be on the alert although it had no hard evidence of any planned attacks. 
"It's natural to expect there might be people doing stupid things with computers," he said, discussing concerns that computer confusion generated by the date change may provide cover for attacks on Internet computers. Some devices risk crashing if their internal programming does not enable them to recognize 2000 as part of the next century. Fears have also been voiced that computer hackers could exploit that confusion, especially with viruses. @HWA 25.0 IOPS Sets Up Y2K Watch Center ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by Weld Pond The Internet Operators Group (IOPS.ORG) is planning to coordinate real-time communications between major global ISPs, equipment vendors and government officials to handle any Y2K Internet problems that may arise. IOPS will sponsor a telephone conference bridge to keep major ISPs in continuous contact in order to report on and resolve any Internet related incidents. The telephone conference bridge initiative, named "Silent Night," will begin before midnight on December 31, New Zealand time and stay open for at least 48 hours. 
PR Newswire http://library.northernlight.com/FB19991207640000071.html?cb=0&dx=1006&sc=0#doc INTERNET OPERATORS PREPARE FOR 'SILENT NIGHT' ON THE INTERNET DURING MILLENNIUM ROLLOVER IOPS.ORG SPONSORS UNIQUE YEAR-END TWO-DAY Worldwide Telephone Bridge And 'Trouble-Ticket System' to Provide Early Warning and Technical Assistance On Y2K Internet Incidents Story Filed: Tuesday, December 07, 1999 10:23 AM EST RESTON, Va., Dec 7, 1999 /PRNewswire via COMTEX/ -- As the millennium unfurls around the globe starting December 31, 1999 in New Zealand, The Internet Operators Group (IOPS.ORG) will coordinate real-time communications between major global Internet Service Providers, equipment vendors and government officials to handle any Y2K Internet problems and facilitate resolving them before they have a significant impact, especially in the United States, where a majority of the world's 160 million Internet users reside. IOPS will sponsor a telephone conference bridge to keep Internet operators in continuous contact in order to report on and resolve any Internet incidents. The telephone conference bridge initiative, named "Silent Night," will begin before midnight on December 31, New Zealand time (early morning EST on December 31 in the US) and stay open for at least 48 hours with ports directly to 20-25 Internet service providers, equipment vendors and other entities. "Although we don't expect problems, by midnight on December 31 in the US we should be well aware of any issues that will impact the Internet," stated IOPS Executive Director, Ira Richer. "This is the first time that so many major global Internet networks and equipment vendors have cooperated in real-time to identify and resolve potential Internet outages, security hacks and other incidents around the world." IOPS also will use its Web-based shared "trouble-ticket" system as an alternative communications path, should Y2K issues affect the telephone system. 
An open "trouble ticket" -- a continuously updated information form accessible to authorized users via the Web -- can provide real-time status information and document Internet incidents and responses among providers. IOPS.ORG is a group of Internet Service Providers that fosters industry cooperation in the public interest on joint technical problems and operations concerning the global Internet ( http://www.iops.org ). Its executive director, Richer, is an employee of Corporation for National Research Initiatives, which hosts IOPS. Members have tested their own Internet systems for Y2K readiness, but are preparing for possible problems beyond the scope of their own systems. The IOPS conference bridge and trouble ticket system will be coordinated with the President's Council on Year 2000 Conversion's Information Coordination Center (ICC) -- the Federal Government's central point for monitoring system operations during the Y2K rollover. The ICC will share information among the different economic sectors, coordinate with international entities and provide reports to the public. "This unprecedented cooperation between competing Internet networks and providers will be enormously helpful to ensure United States preparedness to meet any technical problem that could result from Y2K-related network and telecommunication failures around the world," said John Koskinen, Chair of the President's Council on Year 2000 Conversion. "We are pleased to partner with IOPS members who are committed to ensuring that US Internet users and businesses can count on a reliable Internet infrastructure." G. Mark Hardy, Director of Professional Services at Secure Computing Corp., a premier security software and consulting firm, commented, "Script-kiddies will be trying to take advantage of Internet and software weaknesses during the millennium cross-over, but the real hacker pros will be out enjoying the millennium parties.
Initiatives like the IOPS "Silent Night" hotline could be extended to real-time linkups on demand, so that Internet operators can quickly respond to major system problems in the future, such as a massive outbreak of a new type of virus." IOPS' Internet Service Provider members include AT&T, BroadWing Communications Inc., Cable&Wireless, Conxion, EarthLink, GTE Internetworking, ICG, Qwest, and Sprint. Besides IOPS members, additional Silent Night participants include: AboveNet, America Online, MCI WorldCom's UUNET and its east and west coast Metropolitan Area Ethernets (MAEs), ISPs from the North American Network Operators' Group (NANOG) and equipment vendors including Cabletron, Cisco, Juniper Networks, Lucent Technologies, and Marconi. IOPS also will coordinate its activities with cooperating operators of the Domain Name System and of Internet traffic exchange points.

About IOPS

IOPS.ORG is a group of Internet service providers who work together in the public interest to resolve and prevent network integrity problems and address other issues that require technical coordination and information sharing. IOPS members, for example, worked with the Internet Engineering Task Force (IETF), the Computer Emergency Response Team (CERT), equipment suppliers and customers to cut down on so-called "smurf" denial-of-service attacks. Such attacks can cause a "packet storm" that could impair or disable the target ISP's network. IOPS provided information on how networking equipment can be configured to prevent these attacks. SOURCE Conxion Corporation (C) 1999 PR Newswire. All rights reserved. http://www.prnewswire.com CONTACT: Megan O'Reilly-Lewis of Conxion Corporation, 408-566-8546, or megan@conxion.net; or Ira Richer of IOPS.ORG, 617-621-7152, or Richer@cnri.reston.va.us WEB PAGE: http://www.iops.org

@HWA

26.0 IDs Embedded In All Color Copies
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Dr.
Mudge

Rumors regarding color copier IDs have been circulating for a long time. While it has been a well-known fact in the trade for years that invisible IDs are imprinted on all color copies, it has not been widely reported and has even reached the status of myth in some lay circles. A recent report in the PRIVACY Forum Digest indicates that virtually every color photocopier and xerographic color printer does in fact embed a unique identifier steganographically into the image as background noise.

PRIVACY Forum Digest, December 6, 1999 http://www.vortex.com/privacy/priv.08.18

PRIVACY Forum Digest Monday, 6 December 1999 Volume 08 : Issue 18 (http://www.vortex.com/privacy/priv.08.18) Moderated by Lauren Weinstein (lauren@vortex.com) Vortex Technology, Woodland Hills, CA, U.S.A. http://www.vortex.com ===== PRIVACY FORUM ===== ------------------------------------------------------------------- The PRIVACY Forum is supported in part by the ACM (Association for Computing Machinery) Committee on Computers and Public Policy, Cable & Wireless USA, Cisco Systems, Inc., and Telos Systems. - - - These organizations do not operate or control the PRIVACY Forum in any manner, and their support does not imply agreement on their part with nor responsibility for any materials posted on or related to the PRIVACY Forum. ------------------------------------------------------------------- CONTENTS IDs in Color Copies--A PRIVACY Forum Special Report (Lauren Weinstein; PRIVACY Forum Moderator) *** Please include a RELEVANT "Subject:" line on all submissions! *** *** Submissions without them may be ignored! *** ----------------------------------------------------------------------------- The Internet PRIVACY Forum is a moderated digest for the discussion and analysis of issues relating to the general topic of privacy (both personal and collective) in the "information age" of the 1990's and beyond. The moderator will choose submissions for inclusion based on their relevance and content.
Submissions will not be routinely acknowledged. All submissions should be addressed to "privacy@vortex.com" and must have RELEVANT "Subject:" lines; submissions without appropriate and relevant "Subject:" lines may be ignored. Excessive "signatures" on submissions are subject to editing. Subscriptions are via an automatic list server system; for subscription information, please send a message consisting of the word "help" (quotes not included) in the BODY of a message to: "privacy-request@vortex.com". Mailing list problems should be reported to "list-maint@vortex.com". All messages included in this digest represent the views of their individual authors and all messages submitted must be appropriate to be distributable without limitations. The PRIVACY Forum archive, including all issues of the digest and all related materials, is available via anonymous FTP from site "ftp.vortex.com", in the "/privacy" directory. Use the FTP login "ftp" or "anonymous", and enter your e-mail address as the password. The typical "README" and "INDEX" files are available to guide you through the files available for FTP access. PRIVACY Forum materials may also be obtained automatically via e-mail through the list server system. Please follow the instructions above for getting the list server "help" information, which includes details regarding the "index" and "get" list server commands, which are used to access the PRIVACY Forum archive. All PRIVACY Forum materials are available through the Internet Gopher system via a gopher server on site "gopher.vortex.com". Access to PRIVACY Forum materials is also available through the Internet World Wide Web (WWW) via the Vortex Technology WWW server at the URL: "http://www.vortex.com"; full keyword searching of all PRIVACY Forum files is available via WWW access. ----------------------------------------------------------------------------- VOLUME 08, ISSUE 18 Quote for the day: "It's not the heat, it's the humanity!" 
-- Jeff Douglas (Van Johnson) "Brigadoon" (MGM; 1954) ---------------------------------------------------------------------- Date: Mon, 6 Dec 99 13:31 PST From: lauren@vortex.com (Lauren Weinstein; PRIVACY Forum Moderator) Subject: IDs in Color Copies--A PRIVACY Forum Special Report Greetings. We've recently seen a tirade of stories about "hidden" identification codes and what many would consider to be surreptitious centralized information flowing from various popular Internet products and packages. These have tended to highlight an important truth--whether or not users really would be concerned about the particular identifiers or data involved, they tend to get the most upset when they feel that an effort was made to perform such functions "behind their backs." While it can be argued how routine, intrusive, or even mundane and innocent a particular case may be, it's certainly true that people feel a lot better when they know what's going on. This issue isn't restricted only to the Internet world. A case in point-- the recurring rumors floating around regarding the presence or absence of identification codes in color copies (or color prints xerographically generated from computer output systems). A recent story involved a customer who was refused permission to make a color copy of his driver's license (to deal with an identification problem with his local telephone company). A Kinko's (copying center) worker reportedly told him that such a copy was "illegal," and could be traced back to the store through a "hidden ID." Regardless of whether or not the Kinko's employee was being overzealous in his interpretation of the rules, what's really going on here regarding a so-called hidden ID code? In fact, rumors about this, often chalked up as an "urban legend," have been circulating for a long time. 
This is a bit ironic, given that in the copier/printer industry it's been well known for years--no secret--that "invisible" IDs *are* imprinted on virtually all color xerographic output, from (apparently) all of the manufacturers. But for persons outside of "the trade," this hasn't been as widely known (even though the issue goes back to the early 90's, and the topic has appeared in publications such as the Wall Street Journal). However, it does not appear that the privacy-related aspects of this technology have ever been subject to significant public discussion. In an effort to pin down the current state of the art in this area, I had a long and pleasant chat with one of Xerox's anti-counterfeiting experts, who is the technical product manager for several of their color-copying products. The conversation was quite illuminating. Please note that the details apply only to Xerox products, though we can safely assume similar systems from competing manufacturers, although their specific policies may differ. Years ago, when the potential for counterfeiting of valuable documents on color copiers/xerographic printers became apparent in Japan (where such machines first appeared) manufacturers were concerned about negative governmental reaction to such technology. In an effort to stave off legislative efforts to restrict such devices, various ID systems began being implemented at that point. At one stage for at least one U.S. manufacturer, this was as crude as a serial number etched on the underside of the imaging area glass! Modern systems, which are now reportedly implemented universally, use much more sophisticated methods, encoding the ID effectively as "noise" repeatedly throughout the image, making it impossible to circumvent the system through copying or printing over a small portion of the image area, or by cutting off portions of printed documents. Effectively, I'd term this as sort of the printing equivalent of "spread spectrum" in radio technology. 
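The property described in the preceding paragraph, an ID repeated across the whole image so that no crop or partial overprint removes it, can be shown with a toy model. What follows is an added illustration for this reprint, not Xerox's algorithm (which the report says is secret and proprietary) and not code from the PRIVACY Forum. The tile size, the SYNC word, the CRC-16 and the function names are choices made here for the example; a real mark is far sparser than this dense bit grid and must also survive print-and-scan noise, which this model does not attempt.

```python
"""Toy model of a tiled copier ID mark.

Added illustration for this reprint; it is not Xerox's algorithm (which the
report describes as secret and proprietary) and not code from the PRIVACY
Forum. It shows the one property the report explains: an ID repeated as a
small fixed pattern over the whole page survives cropping, because any
fragment at least two tiles on a side still contains one complete tile. The
tile layout, SYNC word and CRC are choices made for this example; a real mark
is sparser than this dense grid and must also survive print/scan noise, which
this model does not attempt.
"""
import zlib

TILE = 8                 # each tile is TILE x TILE cells, one bit per cell
SYNC = 0b10110010        # row 0 of every tile; row 7 carries its complement


def _bits(value, width):
    """Big-endian list of bits for value."""
    return [(value >> (width - 1 - i)) & 1 for i in range(width)]


def _from_bits(bits):
    out = 0
    for b in bits:
        out = (out << 1) | b
    return out


def _crc16(machine_id):
    return zlib.crc32(machine_id.to_bytes(4, "big")) & 0xFFFF


def make_tile(machine_id):
    """8x8 tile: SYNC row, 32-bit ID (4 rows), CRC-16 of the ID (2 rows), ~SYNC row."""
    if not 0 <= machine_id < (1 << 32):
        raise ValueError("machine_id must fit in 32 bits")
    stream = (_bits(SYNC, 8) + _bits(machine_id, 32)
              + _bits(_crc16(machine_id), 16) + _bits(SYNC ^ 0xFF, 8))
    return [stream[r * TILE:(r + 1) * TILE] for r in range(TILE)]


def mark_page(machine_id, rows, cols):
    """Cover a rows x cols cell grid with the tile repeated: the 'background noise'."""
    tile = make_tile(machine_id)
    return [[tile[r % TILE][c % TILE] for c in range(cols)] for r in range(rows)]


def crop(page, top, left, height, width):
    """Cut a fragment out of the page, as someone trimming a printed sheet would."""
    return [row[left:left + width] for row in page[top:top + height]]


def decode_fragment(fragment):
    """Recover the ID from a fragment of unknown tile phase, or None.

    Every one of the TILE*TILE possible alignments is tried; the SYNC and
    ~SYNC rows plus the CRC reject the wrong ones. A fragment smaller than
    2*TILE-1 cells on a side may not contain a whole tile, so it is refused.
    """
    if not fragment or len(fragment) < 2 * TILE - 1 or len(fragment[0]) < 2 * TILE - 1:
        return None
    for dy in range(TILE):
        for dx in range(TILE):
            block = [fragment[dy + r][dx:dx + TILE] for r in range(TILE)]
            stream = [b for row in block for b in row]
            if _from_bits(stream[:8]) != SYNC or _from_bits(stream[56:]) != SYNC ^ 0xFF:
                continue
            machine_id = _from_bits(stream[8:40])
            if _from_bits(stream[40:56]) == _crc16(machine_id):
                return machine_id
    return None


if __name__ == "__main__":
    page = mark_page(0x5A17C0DE, rows=64, cols=48)
    print(hex(decode_fragment(crop(page, 13, 29, 15, 15))))   # 0x5a17c0de
    print(decode_fragment(crop(page, 5, 5, 10, 10)))           # None: fragment too small
```

The decoder never needs to know where the fragment came from on the page: it brute-forces the 64 possible tile phases and lets the framing rows and checksum pick the right one. That is the whole reason cutting off part of a printed sheet does not help, and it is the same reason the report likens the scheme to spread spectrum.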
To read these IDs, the document in question is scanned and the "noise" decoded via a secret and proprietary algorithm. In the case of Xerox-manufactured equipment, only Xerox has the means to do this, and they require a court order to do so (except for some specific government agencies, for whom they no longer require court authorizations). I'm told that the number of requests Xerox receives for this service is on the order of a couple a week from within the U.S. The ID is encoded in all color copies/prints from the Xerox color copier/printer line. It does not appear in black and white copies. The technology has continued to evolve, and it is possible that it might be implemented within other printing technologies as well (e.g. inkjet). At one time there were efforts made to also include date/time stamps within the encoded data, but these were dropped by Xerox (at least for now) due to inconsistencies such as the printer clocks not being set properly by their operators, rendering their value questionable. It's interesting to note that these machines also include other anti-counterfeiting measures, such as dumping extra cyan toner onto images when the unit believes it has detected an attempt to specifically copy currency. These techniques have all apparently been fairly successful--the Secret Service has reported something on the order of a 30% drop in color copying counterfeiting attempts since word of such measures has been circulating in the industry. The average person might wonder who the blazes would ever accept a xerographic copy of money in any case... but apparently many persons are not very discerning. I'm told that the Secret Service has examples in their files of counterfeit currency successfully passed that was printed on *dot matrix* printers. So counterfeiting is certainly a genuine problem. OK, so now you know--the IDs are there. The next question is, what does this really mean? 
Obviously the vast majority of uses for color copies are completely innocuous or even directly beneficial to the public good (e.g. whistleblowers attempting to expose a fraud against the public). Is it acceptable for an ID to be embedded in all color copies just to catch those cases? The answer seems to be, it depends. In some cases, even having an ID number doesn't necessarily tell you who currently owns the machine. While some countries (e.g. China) do keep tight rein on the ownership and transfer of such equipment, there is no "registration" requirement for such devices in the U.S. (though the routine servicing realities of large units might well create something of a de-facto registration in many situations). Xerox points out that non-color copies (at least on their machines) have no IDs, and that most copying applications don't need color. It is however also true that as the prices of color copiers and printers continue to fall, it seems only a matter of time before they become the "standard" even for home copying, at which time the presence of IDs could cover a much vaster range of documents and become increasingly significant from a routine privacy standpoint. It's also the case that we need to be watchful for the "spread" of this technology, intended for one purpose, into other areas or broader applications (what I call "technology creep"). We've seen this effect repeatedly with other technologies over the years, from automated toll collection to cell phone location tracking. While there is currently no U.S. legislative requirement that manufacturers of copier technology include IDs on color copies, it is also the case that these manufacturers have the clear impression that if they do not include such IDs, legislation to require them would be immediately forthcoming. It is important to be vigilant to avoid such perceived or real pressures from causing possibly intrusive technology creep in this area.
In the copier case, that ID technology being used for color copies *could* be adapted to black and white copies and prints as well. The addition of cheap GPS units to copiers could provide not only valid date/time stamps, but also the physical *locations* of the units, all of which could be invisibly encoded within the printed images. Pressures to extend the surveillance of commercial copyright enforcement take such concepts out of the realm of science-fiction, and into the range of actual future possibilities. What many would consider to be currently acceptable anti-counterfeiting technology could be easily extended into the realm of serious privacy invasions. It would only require, as Dr. Strangelove once said, "The will to do so." Perhaps the most important point is that unless we as a society actively stay aware of these technologies, however laudable their initial applications may often be, we will be unable to participate in the debate that is crucial to determining their future evolution. And it's in the vacuum of technology evolving without meaningful input from society that the most serious abuses, be they related to the Internet or that copy machine over on your desk, are the most likely to occur.

--Lauren--
lauren@vortex.com
Lauren Weinstein
Moderator, PRIVACY Forum - http://www.vortex.com
Co-Founder, PFIR: People for Internet Responsibility - http://www.pfir.org
Member, ACM Committee on Computers and Public Policy

------------------------------

End of PRIVACY Forum Digest 08.18
************************

@HWA

27.0 Valiant of Halcon Speaks
~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Mark

Recently blamed for a massive attack on the Australian Republican Movement website, the long-time underground group Halcon Technologies has remained unusually quiet. Now one of the group's members, Valiant, has offered the first interview from the group to explain just what the hell went on down under.
QuadCon #1 http://the.wiretapped.net/security/textfiles/quadcon/quadcon-1.txt

****************************************************************************
***************************<-=- QuadCon -=->********************************
****************************************************************************
*************The Newest Zine To Hit Australia And The World*****************
*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/
*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/
============================================================================
December 1999 - Issue 1
============================================================================

What's In This Issue:

# Halcon Hacker Valiant Gives QuadCon An Exclusive Interview And Some Special Tips In Trying To Prevent Your Machine From Being Hacked

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

The Interview Of Valiant The Leader Of Halcon. | http://www.halcon.com.au
----------------------------------------------

Background: Halcon was founded in 1993 as a Bulletin Board System and by 1996 had grown to at least ten members. Still growing, in October 1996 the group took on the name Halcon Technologies and in 1997 Valiant registered a business name, allowing them to register the halcon.com.au domain name. Although the group was not widely known, on 22nd October 1999, Halcon was blamed for a massive hack on the Australian Republican Movement website. Despite denials and misquotations, the story was covered by news outlets, an example of which is at the following URL: http://www.halcon.com.au/arm0001.html Following this incident, Halcon received massive amounts of publicity (most of it was unwanted) and Valiant claims that Halcon has become the most popular hacking group in Australia. It currently has 24 members and thousands of supporters.
Having been misquoted once, Valiant has since denied all interviews to the press, including an offer from Channel Nine. QuadCon is therefore proud to present an exclusive, uncut interview with Valiant.

-------------------------------------------------------------------------------
The Interview
-------------

QuadCon: If you were a system administrator of a newly installed Slackware Linux machine and you had 20 minutes to secure it, what would you do?

Valiant: Go to all the available sites (www.halcon.com.au/links.html) that cater for that, and quickly grab and install as many patches for your software as are available. Close all services (especially fingerd) that aren't needed, relocate telnet to a different port (I know it breaches RFCs, but fuck it.) and make sure that you don't adduser lamers. :)

QuadCon: What is the most common thing to hack to gain access to?

Valiant: Fingerd is the most exploitable feature on machines, the good old crackers' highway. Although these days it's neglected as a mode of system penetration; also a lot of sysadmins don't understand the point of finger anymore and remove it anyway. As for hacking, the best method available that I remember overusing would be a buffer overflow in a certain piece of software which makes calls to root. Flood the software, bang, down it goes and you have root. :)

QuadCon: Does the name Halcon have any relevance to you and why did you choose it for the name of the group?

Valiant: Halcon .. well, I chose that many years ago, so I can't really remember why it was chosen, other than that it sounds funky. :P

QuadCon: How would you characterize the media coverage of you?

Valiant: Trivial and biased. They just want an 'evil hacker genius' who brags about how he hacked NASA; they don't really like me as basically I won't brag, and I prefer to explain how idiotic the consumers are for purchasing fucked computers, etc, and other consumer related problems.
QuadCon: What do you think about hacks done in your name--for instance, the Australian Republican Movement hack?

Valiant: I wasn't expecting such media coverage on that topic, however they have no evidence against me, and I have yet to admit to even being born at this point in time. So fuck 'em all. :)

QuadCon: What's the biggest misconception perpetuated by Hollywood cybermovies?

Valiant: There is no such thing as a hot female hacker named Acid Burn who has pert tits and lips that would look very nice wrapped around my hard disk. :)

QuadCon: In your own words, define hacker.

Valiant: There are two meanings. I fall into both. The code hacker, who lives to program and does it the hard way, and the system hacker, who loves finding exploitable features in systems to gain access, does so, notifies the sysadmin and patches the hole.

QuadCon: What is your technical background? (Which platform do you prefer, PC/Mac? What is your online background? Do you do networking? Do you know programming languages, etc.)

Valiant: At the moment my preferred operating system is Windows 98 due to its usability and comprehensive system architecture, when it comes to personal use; for industrial things such as networking, I prefer any Linux distribution. I am a PC user, although I have a few old Apple Classics in my computer collection. I've been using the internet through BBS gateways for ten or more years. I network when I have to, but I used to work as a network engineer. As for programming languages, I have a bad memory and generally have to 'relearn' things when I need them, however it's more a refresh than a relearn. :)

QuadCon: I understand that hackers assume an online nickname to become known by - how did you acquire your nickname?

Valiant: I was seven years old when I logged onto a BBS using an audio coupler 900 bps modem at a friend's place. It asked for a handle, Valiant was my current Dungeons and Dragons character, so I typed it in sheepishly. I've been known by it ever since.
:)

QuadCon: How would you portray system administrators?

Valiant: Fail-safe devices that take care of systems, which if programmed correctly would never need human assistance. :)

QuadCon: What do you think of ALOC, another Aussie hacking group?

Valiant: Who? :)

QuadCon: What is Halcon currently working on?

Valiant: Currently working on? We're currently working on the ultimate encyclopaedia of how to be slothful and lazy. :)

QuadCon: What would you like Halcon to be in the future?

Valiant: I don't know, that's a hard question really. I never wanted it to be anything to begin with; time has just made it bigger than I ever expected. Back when I was a kid and it first started, I never really thought it would exceed a BBS group of users who were of the same interests. Now it's almost like a religious cult for some. :)

QuadCon: Who in the world do you dislike most?

Valiant: Anyone with an IQ under 110. :) 100 is average, so I like people a tad over. The others should be neutered and shot. :)

QuadCon: Any last comments?

Valiant: I like being a cunt-rag.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Special Thanks
--------------

Valiant of Halcon http://www.halcon.com.au

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Support Us
----------

Please support us - we are looking for a fast permanent unix box to host a website with all our zines on. If you believe you can help, see the contact section below. Also, if you know anyone who wants or deserves to be interviewed, see the contact section below.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Contact
-------

I can be contacted on IRC at irc.wiretapped.net or at the email address marena@iinet.net.au

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Copyright 1999 QuadCon

-=-

http://www.halcon.com.au/arm0001.html

Hackers deny Republican attack
From AAP 22oct99

AN underground computer hacking group blamed for today's sabotage of the Australian Republican Movement's head office has denied responsibility.

The group, known both as Halcon and as the Australian Underground and Empire Loyalist Movement, was blamed for jamming phones and e-mails into ARM and shutting down its computer system.

Halcon hacker "Valiant" tonight denied the group was responsible for the incident. He said the sabotage was probably done by a "scriptkiddy", a young teenager working alone trying to get the group's attention.

"You only need a modem and a computer, a 12-year-old could do it," Valiant told AAP. "We are anti-republican, but we wouldn't take that sort of action, we consider that lame."

ARM was also faxed a list containing 200 names of ARM staff and supporters along with threats of violence.

Halcon is Australia's oldest underground hacking group, formed in 1993. It has 24 current members and thousands of supporters.

@HWA

28.0 Scholarships for Surfing
~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Fran
2500 one- and two-person teams will once again be able to compete for scholarships to Florida State University by surfing the Web. Registration is now open for the third annual Florida State University Online Scholar Challenge. The competition pits teams of high school students against one another in finding answers to tough questions online.

FSU Online Scholar Challenge
http://www.fsu.edu/~unicomm/challenge.html

High School Juniors and Seniors! Are You an Online Scholar?
If you're a high school junior or senior, and you're good at finding information online, you can win a four-year tuition scholarship to Florida State University, along with other great prizes.

Florida State University's Online Scholar Challenge is an "online information scavenger hunt." The Challenge, now in its third year, pits high school juniors and seniors against one another in seeking information and answering tough questions on a wide variety of topics through the LEXIS(R)-NEXIS(R) Scholastic Universe information service. Qualifying rounds are conducted on the Internet. The five top-scoring teams will receive all-expense-paid trips to Florida State University April 7-8, 2000, for the FSU Online Scholar Challenge finals.

Act Today! Registration is limited to the first 2500 teams (a team may have one or two students).

(Follow link for further info and rules etc - Ed)

@HWA

29.0 Dec 8th HNN Rumours
~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Valiant
We aren't sure what to make of this, but it would appear that the Australian government is out to silence certain individuals. While we have nothing to go on for verification of this story, other than this web page, we are hoping that some more resourceful individuals can gather additional information.

Big Brother -is- Watching!
http://www.halcon.com.au/bigbrother.html

Big Brother -is- Watching!

This is a true story; only the names and other identifying details have been changed to protect the innocent. The person this story is about, whom we shall name Citizen X, is still on the run from the powers that be, even though he is innocent. This story will be updated whenever Citizen X can contact us.

6th of December, 1999 - Introduction to The Machine.

As I sit here writing this, I realise that out there I am on the 'most wanted' list of Australia. I am Citizen X; for years I have been in the Australian underground, and I am probably one of the highest profile political hackers in Australia.
Telstra and Optus have been wanting me out of the scene for years. My crime is that I tell the truth, my crime is that I seek the truth. For this I am marked as a dangerous criminal mastermind by 'them'.

Who -is- Big Brother, I hear you ask? Big Brother is what we call them, the conglomeration of the government, the federal bodies, the police (state and federal, as well as all the little spook divisions on the side) and also into 'them' go the corporations. The corporations -do- have power in the 'system' because they have the money. We all know the government loves them and will back them to the hilt.

Six months ago Big Brother had no idea who I was, except I made one mistake. I trusted Australia's privacy laws and a corporation. I was asked to call a mate's school and make a bomb threat just to get him out of class, which is pretty lame, I agree; however, I wanted to see whether our privacy existed, or whether Australia is as bad as America when it comes to monitoring the populace and controlling them.

A few weeks ago I was called up by a spook. He said that the call was traced to my cellular phone and that due to the fact I gave a fake address for the account, I am on the most wanted list. He said that my options are to turn myself in, or be hunted down practically. Now normally a prank call is let go of; however, when the police got to the school they said, in their over-ambitious way, that they found 'seven potentially explosive devices' in the premises. Mind you, there was nothing in the school; however, the moronic police made that statement and lo, they have to stick to it. Now they need someone to crucify so they don't lose face in front of Big Brother; they need to find the Xibomber.

Some spook in his corporate office in Big Brother's bedroom spotted the links between me and my political hacks. Even though my hacks promoted morals and lawful upholding of Australian citizens' freedom, they persist that now, I, Citizen X, am a dangerous criminal.
I must be caught and punished for my crimes against 'them' and for planting seven explosive devices in a school on the other side of Australia I've never heard of nor seen.

Don't trust the government, don't trust the system. They want to control us; they want to keep us as mindless zombie-like consumers who work, raise kids to follow in our footsteps, consume, and die. All telecommunications companies are also in with 'them'; I know this now because of this situation. I cannot explain it perfectly; as it is I've given away too much information and am risking even more trouble from Big Brother. But let me say that, at this moment in time, they will never catch me. Due to their own fuck-up, they now have the need to find a sacrificial lamb to publicly crucify to make them seem 'right'.

Why don't I go public? Why don't I tell the Australian Associated Press? Simple, because they are part of the system also. There's no escape once the government have it in for you, other than making a new identity, getting fake IDs made up for it, and living as the other being.

I am Citizen X, an unlawful evil sadistic serial killer hacker with attitude; I must be caught, and I must be punished for my crimes against society. What a crock of shit. I am a lawful hacker who likes to tell the truth about the conspiracy behind Australia's 'system', but hey, I may as well be a serial killer in 'their' eyes.

This story will be updated when Citizen X can contact us.

Welcome to the Machine!

@HWA

30.0 Alleged Melissa Creator May Plead Guilty
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Alex
The accused creator of the Melissa virus, David Smith, is scheduled to appear in Monmouth County NJ Superior Court on Thursday. He is also scheduled to appear in the US District Court in Newark, New Jersey later the same day.
Insiders believe that he will plead guilty to charges of interruption of public communication, theft of computer service, and wrongful access to computer systems.

ZD Net
http://www.zdnet.com/zdtv/cybercrime/news/story/0,3700,2344196,00.html

(Note: There is an audio/video report that accompanies this article on ZDNet - Ed)

Accused Melissa Author to Plead Guilty
Sources close to law enforcement say David Smith will plead guilty to state and federal charges on Thursday.
By Alex Wellen and Luke Reiter
December 8, 1999 3:25 a.m. EST (UPDATED 3 p.m.)

Paul Loriquet, a spokesman for the New Jersey attorney general's office, confirmed that accused Melissa author David Smith was scheduled to appear before Judge John Riccardi in Monmouth County Superior Court at 10 a.m. EST on Thursday. Loriquet would not comment on the reason for Smith's appearance.

A second Smith appearance is scheduled in the US District Court in Newark, New Jersey, at 1:30 p.m. Smith is set to appear before Federal District Court Judge Joseph A. Greenway, Jr. Court documents indicate Smith will enter a plea at that time, according to a staff member at the federal courthouse.

The New Jersey attorney general's office plans to release a media advisory regarding Smith's appearance at 4:30 p.m. on Wednesday, Loriquet said. The advisory is expected to contain only logistical information on the appearances. Edward Borden, Smith's attorney, would not confirm the appearance or a plea late Tuesday.

The slow road to resolution

Smith, a 31-year-old former computer programmer, was charged in New Jersey with interruption of public communication, theft of computer service, and wrongful access to computer systems in early April. According to a source close to law enforcement and familiar with the investigation, New Jersey faced difficulty prosecuting the case because companies hit by Melissa were unwilling to step forward and publicly admit they were victimized by the virus.
Federal investigators were involved in this case from its inception, but to date have not filed formal federal charges. Among other offenses, Smith could be charged under the Computer Fraud and Abuse Act, Federal Statute Title 18, USC Sec. 1030(a)(5)(A), which makes it illegal to send code that causes damage to a "protected" computer.

On Melissa's trail

Smith, of Aberdeen, New Jersey, was arrested on April 1, 1999, on charges he created and distributed the Melissa virus -- a Word macro that swept through the email systems of thousands of computers in late March and brought down mail servers around the world. Although the virus does not corrupt files, it resulted in significant server slowdowns, and forced the shutdown, in some companies, of entire email systems.

Smith reportedly admitted to investigators at the time of his arrest that he created the Melissa virus, according to court papers filed by the New Jersey attorney general's office.

Worst security breach since 1988

The virus, which authorities said was named after a topless dancer in Florida, spread via Microsoft's Outlook email program and could instantly generate dozens of outgoing email messages. It affected tens of thousands of workstations, propagating itself into commercial, government, and military email gateways and systems. An analyst from Panda Software said Melissa caused the worst security breach since the Morris Worm, which took down the entire Internet in November, 1988.

A user would contract Melissa by opening an infected Word attachment in Office 97 or Office 2000, which would then execute the macro. From there, the swift-moving macro would prompt Outlook to send an infected document to the first 50 names in a user's address book, with the subject line "Important Message From [the sender's name]." The message itself said, "Here is that document you asked for, don't show anyone else. ;-)."
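(Added example, not code from the ZDNet article or HNN: a small mail-gateway check that flags a message carrying the indicators the article describes, namely the "Important Message From" subject, the fixed body text, an attached Word document and a 50-recipient fan-out. The sample messages are constructed here, and the recipient threshold and the verdict rule are this example's own assumptions. - Ed)

```python
"""Melissa-style message check, written as an added illustration of the
indicators described in the article above; not the article's own code.
Sample messages are constructed below (no real traffic)."""
from email import message_from_string
from email.message import Message
from email.utils import getaddresses
from typing import List

SUBJECT_PREFIX = "Important Message From"          # lure subject per the article
BODY_MARKER = "Here is that document you asked for"  # lure body per the article
FANOUT_LIMIT = 50          # assumption: the article's 50 address-book entries
WORD_TYPES = {"application/msword", "application/vnd.ms-word"}


def _recipient_count(msg: Message) -> int:
    """Distinct addresses across To/Cc/Bcc (one sender mailing 50 at once)."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    return len({addr.lower() for _, addr in getaddresses(headers) if addr})


def _has_word_attachment(msg: Message) -> bool:
    """True if any MIME part is a Word document by type or by .doc filename."""
    for part in msg.walk():
        fname = (part.get_filename() or "").lower()
        if part.get_content_type() in WORD_TYPES or fname.endswith(".doc"):
            return True
    return False


def _body_text(msg: Message) -> str:
    """Concatenate the decoded text/plain parts of the message."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            chunks.append((part.get_payload(decode=True) or b"").decode("utf-8", "replace"))
    return "\n".join(chunks)


def melissa_indicators(raw: str) -> List[str]:
    """Return the indicators present in one RFC 822 message, in fixed order.

    Subject and body text are strong on their own; a .doc attachment or a
    wide fan-out alone is weak (ordinary mass mail has both), so callers
    should not block on those two alone.
    """
    msg = message_from_string(raw)
    hits = []
    if msg.get("Subject", "").startswith(SUBJECT_PREFIX):
        hits.append("subject")
    if BODY_MARKER in _body_text(msg):
        hits.append("body")
    if _has_word_attachment(msg):
        hits.append("doc-attachment")
    if _recipient_count(msg) >= FANOUT_LIMIT:
        hits.append("fanout")
    return hits


def is_melissa_like(raw: str) -> bool:
    """Verdict rule (assumption): both lure strings, or one lure plus a .doc."""
    hits = set(melissa_indicators(raw))
    lure = bool(hits & {"subject", "body"})
    return {"subject", "body"} <= hits or ("doc-attachment" in hits and lure)


def build_sample(subject: str, body: str, attach: bool, n_rcpt: int) -> str:
    """Construct a multipart test message (constructed data, not real mail)."""
    rcpts = ", ".join(f"user{i}@example.test" for i in range(n_rcpt))
    parts = [f"From: alice@example.test\nTo: {rcpts}\nSubject: {subject}\n"
             "MIME-Version: 1.0\nContent-Type: multipart/mixed; boundary=\"b1\"\n\n"
             f"--b1\nContent-Type: text/plain\n\n{body}\n"]
    if attach:
        parts.append("--b1\nContent-Type: application/msword; name=\"list.doc\"\n"
                     "Content-Disposition: attachment; filename=\"list.doc\"\n"
                     "Content-Transfer-Encoding: base64\n\nAAAA\n")
    parts.append("--b1--\n")
    return "".join(parts)


# Constructed samples: the propagation message as the article describes it,
# and an ordinary message with a Word attachment sent to two people.
INFECTED = build_sample("Important Message From alice",
                        "Here is that document you asked for, don't show anyone else. ;-)",
                        True, 50)
CLEAN = build_sample("Q3 report", "Attached as discussed.", True, 2)

if __name__ == "__main__":
    for label, raw in (("infected", INFECTED), ("clean", CLEAN)):
        print(label, melissa_indicators(raw), is_melissa_like(raw))
```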
Once the email had been sent to the first 50 names, each person who opened the document would then send it on to 50 more and so on. The result was rapidly overloaded servers. In the first 48 hours alone, both Microsoft and Intel were forced to shut down mail servers due to Melissa. Other major companies, including Lucent, Motorola, Dupont, and Compaq were hit.

The VicodinES connection

Investigators looked for a link between the Melissa author and a virus writer who goes by the name of VicodinES, who has been considered a source of the code. In late March, a CyberCrime investigation revealed that Smith and VicodinES were both linked to the same Internet service provider in New Jersey. Further research indicated that Smith and VicodinES shared a number of similarities, including the same age, location, and profession. Smith's attorney would not respond to that allegation. However, the New Jersey attorney general's office said that Smith is not VicodinES.

@HWA

31.0 Non-Anonymous Internet Violates First Amendment
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Weld Pond
Anonymity on the Internet should be protected and deserves to be treated no differently than anonymous pamphlets or other speech, according to a study released today by the Cato Institute. U.S. and foreign law enforcement officials regard anonymity as a threat to public order and talk about limiting anonymity online. Proposals to limit anonymous communications on the Internet would violate free speech rights long recognized by the Supreme Court. Anonymous and pseudonymous speech was used to a great extent by the founding fathers such as Thomas Paine, Alexander Hamilton, John Jay, James Madison, Samuel Adams, and others. Today, human rights workers in numerous third world countries have re-established anonymity and free speech. Given the importance of anonymity as a component of free speech, the cost of banning anonymous Internet speech would be enormous.
It makes no sense to treat Internet speech differently from printed leaflets or books.

(Finally some sanity in the anonymity debate.)

Nameless in Cyberspace: Anonymity on the Internet - PDF
http://www.cato.org/pubs/briefs/bp-054es.html

@HWA

32.0 OSU Charges Two With Illegal Access
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by boomer
Oklahoma State University has charged students in connection with an illegal entrance into a computer system owned by General Atomics, a company based in San Diego. General Atomics initiated the investigation on October 18 when they noticed an OSU Internet address illegally accessing their system.

The O'Colly
http://www.ocolly.okstate.edu/issues/1999_Fall/991208/stories/hack.html

Published: Wednesday, December 8, 1999

Two OSU students suspected of hacking
From Staff Reports

An intrusion into a Department of Energy subcontractor's computer system has two Oklahoma State University students charged in suspicion of the crime.

Maxwell Evan Mishkin, 18, and his roommate, Gary Steven Holmes, 19, were arrested Nov. 18, in connection with an illegal entrance into a computer system owned by General Atomics, a company based in San Diego, according to a press release.

Mishkin is charged with two counts of violating the Oklahoma Computer Crimes Act. Holmes is charged as an accessory to a felony. Both were arraigned at Payne County Courthouse Nov. 18, the release said. Mishkin was released on $5,000 bond, and Holmes was released on $2,500 bond.

General Atomics, according to its website, is one of the world's leaders in high technology systems development and nuclear technology.

The press release states that both students will also face disciplinary action through the university because of violating OSU policy.

The investigation began Oct.
18, when a General Atomics security analyst alerted OSU's Computing and Information Services that someone with an OSU Internet address illegally accessed the General Atomics system.

The 1998 Oklahoma Computer Crimes Act states that any person gaining access, or attempting to gain access, to computer systems without authorization can be convicted of a misdemeanor punishable by up to 30 days in county jail and a $5,000 fine.

@HWA

33.0 Microsoft Files Lawsuit Against Online Pirates
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Evil Wench
Microsoft has filed lawsuits against auction Web sites or online software sellers in six states that frequently use spam to advertise. Microsoft says that it was made aware of these illegal activities through its anti-piracy hotline.

Wired
http://www.wired.com/news/technology/0,1282,32985,00.html

Microsoft Sues Online Pirates
by Wired News Report
1:55 p.m. 8.Dec.1999 PST

Microsoft has filed lawsuits against businesses in six states to stop allegedly counterfeit sales of the company's software.

Microsoft said it investigated the companies, which are either auction Web sites or online software sellers that frequently use spam to advertise. The company said it had received thousands of tips about the questionable sales activities on its anti-piracy hotline.

The lawsuits, which sought to obtain injunctions to prevent the sellers from continuing to offer the software, were filed Wednesday.

The organizations alleged to have counterfeited copies of Microsoft Office, Windows, and Office Professional include Abu Salahuddin in Morgantown, West Virginia; Capital One CDRom Warehouse, aka Internet Marketing, in Corpus Christi, Texas; KT Services, aka Vantage Software and Pacific Ventures, in Los Angeles; Martin Johns in Fond Du Lac, Wisconsin; NC Software in Wilmington, North Carolina; and Software Blowouts in Hackettstown, New Jersey.
Microsoft said in a statement that by filing the suits, it hopes to help "make holiday Internet shopping safer for millions of consumers."

According to Business Software Alliance estimates, there are 840,000 Internet sites selling counterfeit software as genuine product.

In addition to being illegal, counterfeit software also has the potential to include viruses and miss key software codes, and it renders customers ineligible for technical support, warranties, and upgrades, according to the company.

"Internet piracy is growing nearly as rapidly as the Internet itself, and it is severely harming consumers and their confidence in feeling safe to conduct legitimate business online," said Tim Cranton, corporate attorney in charge of Microsoft's Internet piracy efforts, in a statement. "There is a possibility that this problem could spiral out of control, and we need consumers to help us hold back the floodgates by being knowledgeable online shoppers."

@HWA

34.0 CERT Releases Distributed Attack Paper
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by jgrasett
The Computer Emergency Response Team has released the paper mentioned on HNN yesterday regarding distributed DoS attacks. The paper examines the use of distributed-system intruder tools and notes that better forensic techniques and training are needed.

Results of the Distributed-Systems Intruder Tools Workshop - PDF
http://www.cert.org/reports/dsit_workshop.pdf

(CERT should be commended for using the word 'intruder' throughout this document as opposed to the word 'hacker')

@HWA

35.0 PWC Finds Serious Weaknesses in Pension Fund Company
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Mr Man
It appears that during an audit the security auditors of PricewaterhouseCoopers were able to break into computers at The Pension Benefit Guaranty Corporation in Washington using dial-up lines.
Once inside, the auditors had the ability not only to create fictitious beneficiaries and send them money, but also to edit or delete files and information on individuals in the systems. Pension Benefit Guaranty Corp. is owned by the federal government and guarantees the retirement checks of 42 million Americans.

(Hmmm, I wonder how long those lines were vulnerable before the audit? And how many other companies have modems dangling off their network behind the firewall?)

NY Times
http://www.nytimes.com/library/tech/99/12/biztech/articles/08pension.html

(Subscription required to retrieve this article - Ed)

@HWA

36.0 Freaks Macintosh Archives CD
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Freaky
Freaks Macintosh Archives has produced a CD that contains all the Macintosh underground files known to exist. The CD also contains edited versions of Freaks talk at Defcon VII where Space Rogue officially directs users of the Whacked Mac Archives to Freaks Macintosh Archives. The CD is ready for pre-orders; this will assure that you get the low 20.00 price.

To Pre-Order send an email to freaky-order@staticusers.net

Freaks Macintosh Archives
http://freaky.staticusers.net/

@HWA

37.0 Nortel Releases Personal Hardware Firewall
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by AlienPlaque
Users of cable modems, DSL, ISDN and even dedicated dial-up connections are rapidly discovering the hazards of being online all the time. To help protect these users Nortel has introduced the personal hardware firewall that will sit on the line between your modem and computer. Currently 'Secure Cable' is only available for cable modem users, but other bandwidth types will be available soon.

(I hope this thing does an auto update or it will be out of date very quickly.)
Associated Press - via Yahoo
http://dailynews.yahoo.com/h/ap/19991208/tc/cable_internet_security_1.html

PR Newswire - via Yahoo
http://biz.yahoo.com/prnews/991208/nortel_sec_1.html

Wednesday December 8 3:13 PM ET

Device Protects Internet Cable Users

NEW YORK (AP) - Nortel Networks today introduced a new device that cable operators can use to protect their Internet subscribers from computer hackers.

While cable TV modems provide speedier Internet service than dial-up connections through a telephone wire, the cable link is more vulnerable to hackers because it is usually on all the time.

Some cable-Internet subscribers protect their computers from hacker intrusions with special software or ``firewall'' hardware.

Secure Cable, a feature of a new network connection box developed by Nortel, is a firewall that's designed to block hacker attacks in the network, before they reach subscriber computers.

Nortel has introduced similar devices for dial-up service and digital subscriber line, or DSL, a high-speed link over a telephone wire that shares the vulnerabilities of cable.

``Having these types of solutions ... makes a lot of sense,'' said Lisa Pierce, analyst at the Giga Information Group, noting that more than 10 percent of high-speed Internet users have experienced security problems. ``The average user shouldn't have to think about these technical issues.''

The new Nortel firewall is part of its Shasta 5000 Broadband Service Node. A node is the part of a cable network that connects a group of neighboring subscribers to the Internet. It also enables users to subscribe to different Internet service providers.

Nortel, based in Ontario, is one of the largest suppliers of network hardware. It had sales of $17.6 billion last year.
-=-

PR Newswire; Wednesday December 8, 9:01 am Eastern Time

Company Press Release

SOURCE: Nortel Networks Corporation

Nortel Networks Launches 'Secure Cable' Anti-Hacking Protection for Residential and Small Business PC Users

On-Line Security Critical as U.S. Operators Open Their Cable Networks For Internet Access

BOSTON, Dec. 8 /PRNewswire/ - Personal computer users subscribing to `always-on` cable Internet access can now be protected from hackers -- an increasing problem as cable modems become more and more popular -- thanks to a new, mass market security solution being launched by Nortel Networks (NYSE/TSE: NT), the company announced today.

Nortel Networks and its Shasta IP Services division are launching Secure Cable, which offers anti-hacking protection for Internet cable subscribers by securing each cable connection with network-based firewalls.

Because cable Internet connections are always on, personal computers linked to cable are exposed to hacker attacks. And, as broadband becomes more widely deployed here and abroad and cable and telecommunications companies offer high-speed Internet access through cable or Digital Subscriber Line (DSL), more consumers are reporting hacker attacks on their PCs, sometimes leading to copying or destruction of sensitive data.

And the problem could get worse. It is predicted that by 2003, more than 30 million U.S. households will be eligible for high-speed access cable. Furthermore, more than 12 million U.S. households will have high-speed Internet access over cable or DSL by 2003, according to industry analyst firm The Strategis Group (Cable Trends, June 1999). This represents a massive increase from today's 1.4 million cable and DSL Internet access subscribers throughout the country.

`At least one out of 10 high-speed Internet users will experience or be victimized in a hacker attack,` said Ron Westfall, senior analyst, Current Analysis.
`We see an increased demand for a basic, secure access solution for high-speed connections like cable and DSL. A basic 'door lock' solution from Internet Service Providers would help protect customers from simple hacker attacks and help speed the adoption of broadband. Nortel Networks addresses the problem with a network-based firewall solution in its Shasta 5000.`

Nortel Networks' Shasta 5000 Broadband Service Node (BSN) also provides cable operators with an IP services platform to provide for wholesale access to their high-speed cable networks, allowing subscribers the choice of Internet service providers. It is the latest in a suite of enhanced broadband services provided by Nortel Networks, which earlier this year launched its Secure Dial and Secure DSL solutions that are now being used by service providers around the world.

`Nortel Networks is at the heart of the Internet revolution and is a global leader in the cable, Internet and telephony market,` said Anthony Alles, president and general manager of the company's Shasta IP Services business unit. `Besides building a faster, more reliable Internet, it also means enhancing broadband security for Internet users of DSL, cable and other high-speed technologies, and we're achieving that for our customers.`

Nortel Networks has a major presence in the cable industry, providing high speed optical networks, switches and routers, head-end equipment, cable telephony systems, cable modems, and the Shasta Broadband Services Node for value-added cable internet services. The company and its Arris Interactive joint venture with Antec supplies cable solutions to major customers such as AT&T BIS, Time Warner, GTE, Comcast, Cox, Cablevision, Rogers Communications, UPC, SPTA, Csii and Mitsui.

Nortel Networks is a global leader in telephony, data, wireless and wireline solutions for the Internet. The Company had 1998 revenues of US$17.6 billion and serves carrier, service provider and enterprise customers globally.
Today, Nortel Networks is creating a high-performance Internet that is more reliable and faster than ever before. It is redefining the economics and quality of networking and the Internet through Unified Networks that promise a new era of collaboration, communications and commerce. For more information, go to www.nortelnetworks.com.

@HWA

38.0 Interview with dap from sSh
~~~~~~~~~~~~~~~~~~~~~~~~~~~

Exclusive by Sla5h

Dap has since disbanded sSh (Sesame Street Hackers); the EFNet IRC channel #sesame is still in operation but has suffered several takeovers, as is the way with 'scriptkiddy/cracker' channels these days. This interview was done when sSh was still active, a few weeks ago, and didn't make it to these pages until now due to connectivity problems between the interviewer and myself. Dap dropped the ftp info for http://www.sShackers.com/ in several channels inviting people to 'deface' the site, which of course happened readily. The current state of the site has this message:

ALL OF YOU GIMPS THAT SO CALLED "HACKED" THIS SITE ARE STUPID!%$@^ IF YOU HIT THIS PAGE... ITS CAUSE I GAVE YOU THE FUCKIN' FTP INFO ALL YOU GUYS ARE GIMPS... NOT HACKERS... IT WAS SUPPOSED TO BE A BIG JOKE... NOT ANOTHER DEFACED SITE TO ADD TO YOUR ATTRITION SHIZM... AND SEEIN' AS I WAS A MEMBER OF gH, GH IS DEAD, YOU STUPID COCK SUCKIN' MUTHER FUCKER.. GO BACK TO WHERE YOU CAME FROM... AND TRY AND CONVINCE SOMEONE YOU ARE ELITE QUOTE UN-QUOTE SOMEWHERE ELSE! GOT IT????? STUPID PIECE OF SHIT... sSh IS GAY... I KNOW THAT... THAT HAS TO MEAN A LOT COMIN' FROM THE EX-FOUNDER. GO ./HACK A BOOK. IDIOTS.

- DAP

sSh/dap interview with Sla5h:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Session Start: Sun Nov 28 14:53:06 1999
Session Ident: slash- (slash@ad5-m80.tel.hr)

---start interview---

sup?
sup G
well nadda. thanx for taking the time for this interview
pleasure is all mine :D
Can U tell us who came up with the idea to start sSH ?!?
well.. the idea came to me while I was a member of gH.
gH had recently went legit, and a lot of the members still wanted to do penetration but seeing as a few of the members got raided.. hacking under the name of gH was like a death wish.
..so U started sSH
yes.
How many members sSH counts today ?!?
about 20
we've grown rapidly since our media hype with ytcracker. and fuqrag
I heard they got raided ?! is that true !?
they haven't got raided... yet :)
U aint afraid to get raided ?! I was told that rackmount, ytcracker and fuqrag will be raided soon.
well... if you look at most of my defacements... only a few are .mil's and .gov's
I dont target the government as much as the other members do seeing as im not into the IIS4 shit.
only government boxes I hit are running an operating system unix based.
Will sSH end like gH ?
I hope not... y'see... sSh is always excepting new members... we will always exist... if 5 members get raided... they'll prolly be another 6 joining. within the next month or so
I dont want the group to be to big... but I dont want it to die out
Why do You deface ?
well... hmm... :)
Ok .. the thing is... most of the systems I deface, I've had root on for a while... about a month or so... So they had the time to fix the holes
and the funny thing is... they didn't even know til I defaced the site... they had more then enuf time. but still...
Someone once said that hackers do it to satisfy their ego
I have gotten a few job offers from sites that I have defaced.. and they have contacted me for technical support etc.
I like that attitude in an admin.
slash.. thats somewhat true... some due it for the media hype. i.e (ytcracker)
Yeah yt really hit the media
yah ...
You don't do it for fame !?
its not really hard to get into the media like that. but... ytcracker needs to take a reality check.
did real hacking loose sense ?!?
he is a good friend... and whatever he wants to do, I got his back.
is it all about fame these days ?
but he thinks he is in a dream world and that he wont get raided.
did real hacking lose sense...
thats another one of the reasons I started sSh ..
I have been in the 'scene' for some time now. and the ethics sure have changed since 4 years ago. (when I was 12)
nobody did it for the media... cept for LOU
a lot of people just wanna be known...
now a days nobody cares about ethics anymore... it just turned into a big popularity contest
U plan to retire some day !?
well... im sure I will just say fuck it.. and stay off irc for good. but.. seeing as I do penetration testing for a living, I gotta stay ontop of security
So we'll be seeing you in the future as an individual or U'll do defacements for sSH ?!
if you wont see me defacing for sSh, you prolly wont see me at all..
Is there anyone in this scene truly the king?
hold?
k
talking to a fed on the fone... ;\
:(
can we continue now ?
hold
hello?
yah sup?

Session Close: Sun Nov 28 15:38:48 1999

Session Start: Mon Nov 29 15:49:30 1999
Session Ident: slash- (slash@ad9-m74.tel.hr)

hi
sorry about yesterday I got disconnected
ok
sup?
you wanna finish the interview?

Session Close: Mon Nov 29 15:53:17 1999

Session Start: Tue Nov 30 14:37:12 1999
Session Ident: slash- (slash@ad11-m107.tel.hr)

what's the key for sesame
FBEYE
whats the url for HWA and the interview
the interview isn't out yet we have to finish it
ok.. continue
k

--------------------------------

Is there anyone in this scene truly the king?
there is people i give mad respect to... like xdr prym soupnazi
not really a king, more like pros
In what category do U sort to !?
I dont position myself in any category ... I like to learn different things... I'd rather know a little about everything than a lot about one thing
Can U tell us more about sSH members ? like how skilled they are etc.
sSh members skilled in different areas... like .. we got members aging from 12 to the 30's
12 !??! w0w
we have a female
w0000wwww
who is she ?!
Mya
She defaces !?
she defaced 2 sites so far ... she just started.
;\
we got about 27 members
kewl that's alot
http://www.sShackers.com/members.html
site is fucked, but the guy cant do html for shit :|
(checking the site up)
ok . it isn't bad
yes it is
if you view it in IE its ok
dap
dude
sup?
I'mm be back in 1/2 hour
I'll be back
ok
whats the url? for the HWA site or whatever it is
welcome.to/HWA.hax0r.news
l8r
ok bye
bye

Session Close: Tue Nov 30 15:22:03 1999

@HWA

39.0 Melissa Creator Pleads Guilty
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by nvirb

David L. Smith, who was arrested for creating and releasing the Melissa virus in April, plead guilty on Thursday to a second-degree charge of computer theft. The charge covers intercepting computer communications and damages to computer systems or data and is punishable by 5 to 10 years in jail and up to a $150,000 fine.

"Yes, I admit those events occurred as a result of the spread of the Melissa virus. But I did not expect or anticipate the amount of damage that took place. When I posted the virus, I expected that any financial injury would be minor and incidental. In fact, I included features designed to prevent substantial damage. I had no idea there would be such profound consequences to others." - David Smith (quote taken from ZD Net)

ZD Net
http://www.zdnet.com/zdnn/stories/news/0,4586,2406592,00.html?chkpt=zdnntop

Reuters
http://www.nandotimes.com/technology/story/body/0,1634,500140419-500165810-500604970-0,00.html

Associated Press - via ABC News
http://abcnews.go.com/sections/tech/DailyNews/virus_melissa991209.html

Smith pleads guilty to Melissa virus

Melissa infected hundreds of thousands of computers -- now its creator faces 10 years in prison and a $150,000 fine.

By Robert Lemos, ZDNet News
UPDATED December 9, 1999 12:40 PM PT

David L. Smith, who was arrested for creating and releasing the Melissa virus in April, plead guilty on Thursday to a second-degree charge of computer theft.
The Melissa macro computer virus hit companies on March 26 after being released to a Usenet newsgroup as part of a list of porn sites contained in a Word document infected with the virus. The virus, which mailed itself out to the first 50 addresses listed in the address book of Microsoft's Outlook e-mail client, caused a massive spike in e-mail traffic, flooding corporate e-mail servers. Companies such as Microsoft Corp. (Nasdaq: MSFT), Intel Corp. (Nasdaq: INTC), Lockheed Martin Corp. (NYSE: LMT), and Lucent Technologies Inc. (NYSE: LU) shut down their gateways to the Internet in the face of the threat.

After Judge John Riccardi outlined the events, a nervous Smith read the following statement: "Yes, I admit those events occurred as a result of the spread of the Melissa virus. But I did not expect or anticipate the amount of damage that took place. When I posted the virus, I expected that any financial injury would be minor and incidental. In fact, I included features designed to prevent substantial damage. I had no idea there would be such profound consequences to others."

'I certainly agree'

When the judge again asked if Smith agreed that it caused significant damage to computer systems nationwide, Smith replied, "I certainly agree. It did result in those consequences, without question."

The crime -- which covers intercepting computer communications and damages to computer systems or data -- is punishable by 5 to 10 years in jail and up to a $150,000 fine. As part of the plea agreement, Smith has agreed to the maximum penalty for the crime, but the presiding judge could ignore the recommendation.

Smith appeared in Monmouth County, N.J., Superior Court at 10 a.m. ET. He has another appearance scheduled in the U.S. District Court in Newark later today to answer to federal charges in the case. According to law enforcement sources close to the case, Smith will enter a guilty plea in federal court as well.
Edward Borden, Smith's attorney in the case, could not be reached for comment.

Court papers filed in August stated that Smith confessed to writing the virus. Smith had admitted his guilt at the time of the arrest, said Paul Loriquet, a spokesman for the New Jersey Attorney General's office, in a ZDTV interview.

"There was a statement made at the time of the arrest from Mr. Smith to our investigator... that, in fact, at the time of the arrest, he had admitted to creating the virus and had said that he had destroyed the personal computers that he had used to post it on the Internet," Loriquet said in the report.

-=-

Reuters/Nandotimes;

Computer programmer pleads guilty to creating 'Melissa' virus

Copyright © 1999 Nando Media
Copyright © 1999 Associated Press

By JEFFREY GOLD

NEWARK, N.J. (December 9, 1999 11:59 a.m. EST http://www.nandotimes.com) - A computer programmer admitted Thursday to creating and distributing the "Melissa" virus. David L. Smith acknowledged causing millions of dollars of damage by disrupting e-mail systems worldwide.

Smith pleaded guilty to a state charge of computer theft. He was expected to plead guilty in federal court in Newark later Thursday.

The virus, believed to be named for a topless dancer Smith knew when he lived in Florida, wreaked havoc at the end of March.

"I did not expect or anticipate the amount of damage that took place," Smith read from a statement after answering a series of questions from his lawyer. Smith said he believed any damage would be minor.

Smith, 31, is believed to be among the first people ever prosecuted for creating a computer virus. He was arrested April 1 at his brother's home in nearby Eatontown in Monmouth County and freed on $100,000 bail the next day.

Smith said he created the virus on computers in his Aberdeen apartment and used a stolen screen name, "Skyroket," and password to get into America Online.
In the online service's alt.sex newsgroup, he posted a file called "list.zip," a listing of adult web sites and passwords, which contained the virus.

Asked by his lawyer, Edward F. Borden Jr., if that was designed to entice people to download the file, Smith said, "Yes."

"Melissa" struck thousands of e-mail systems on March 26. Disguised as an "important message" from a friend or colleague, the virus spread around the world like an electronic chain letter.

The virus was designed to lower security settings on computers with Microsoft Word 97 and Microsoft Word 2000, making them vulnerable to other viruses so that any document created would be infected. It also was designed to send infected mail to the first 50 names in a computer user's address book through the Microsoft Outlook e-mail program.

Under his plea bargain, Smith could face five to 10 years on the state charge and up to five years in prison on a federal charge. Sentencing for the state charge was tentatively set for Feb. 18.

-=-

Associated Press;

Virus Guilty Plea Entered
Suspected Creator of 'Melissa' in Court

[Photo: David L. Smith, center, and his attorney Ed Borden, left, talk to a court official in the courtroom after Smith's hearing at the Monmouth County Courthouse in Freehold, N.J., on Thursday, April 8, 1999. (Daniel Hulshizer/AP File Photo)]

By Jeffrey Gold
The Associated Press

N E W A R K, N.J., Dec. 9 - A computer programmer admitted today he created and distributed the "Melissa" virus that he acknowledged caused millions of dollars of damage by disrupting e-mail systems worldwide.

David L. Smith pleaded guilty to a state charge of computer theft and later to a federal charge of sending a damaging computer program. In the federal plea, both sides agreed the damage was greater than $80 million.

The virus, believed to be named for a topless dancer Smith knew when he lived in Florida, wreaked havoc at the end of March.
However, authorities said today they could not confirm the origin of the name of the virus.

Claims Did Not Anticipate Effects

"I did not expect or anticipate the amount of damage that took place," Smith read from a statement after answering a series of questions from his lawyer. Smith said he believed any damage would be minor.

Smith, 31, is believed to be among the first people ever prosecuted for creating a computer virus. He was arrested April 1 at his brother's home in nearby Eatontown in Monmouth County and freed on $100,000 bail the next day.

Smith said he created the virus on computers in his Aberdeen apartment and used a stolen screen name, "Skyroket," and password to get into America Online. In the online service's alt.sex newsgroup, he posted a file called "list.zip," a listing of adult web sites and passwords, which contained the virus.

Downloading was Expected

Asked by his lawyer, Edward F. Borden Jr., if that was designed to entice people to download the file, Smith said, "Yes."

"Melissa" struck thousands of e-mail systems on March 26, disguised as an "important message" from a friend or colleague, and spread around the world like an electronic chain letter.

Melissa was designed to lower security settings on computers with Microsoft Word 97 and Microsoft Word 2000, making them vulnerable to other viruses so that any document created would be infected. It also was designed to send infected mail to the first 50 names in a computer user's address book through the Microsoft Outlook e-mail program.

Under his plea bargain, Smith could face five to 10 years on the state charge and up to five years in prison on a federal charge. Sentencing for the state charge was tentatively set for Feb. 18.
@HWA

40.0 Privacy of US Military Officers Breached
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Evil Wench

It has been standard practice of the Department of Defense to report the names and social security numbers of officers getting promoted to the US Senate. This information is then entered into the Federal Register for all to see. Several of these officers have become victims of credit card fraud. The Secret Service is investigating. The Pentagon said it is no longer providing Social Security numbers to Congress. (That's just brilliant. Any foreign power can now run credit checks on high ranking military personnel. Wonderful.)

Nando Times
http://www.nandotimes.com/technology/story/body/0,1634,500140349-500165712-500603813-0,00.html

Public Sources for SSNs
http://www.glr.com/ssnpub.html

Credit scam hits military officers

Copyright © 1999 Nando Media
Copyright © 1999 Associated Press

WASHINGTON (December 9, 1999 8:27 a.m. EST http://www.nandotimes.com) - The Pentagon said Wednesday that hundreds of military officers, including some of the nation's top officers, have become victims of credit card fraud after their names and Social Security numbers were published in the Congressional Record and on the Internet.

The Secret Service, which has jurisdiction over credit card fraud, has taken the lead in the investigation.

"It's something the Defense Department has been concerned about for some time," Pentagon spokesman Bryan Whitman said Wednesday after reports that one Web site listed the names and Social Security numbers of 4,500 military officers. The information was culled from the pages of the Congressional Record.

Whitman said the Pentagon no longer provides Social Security numbers to Congress.

Self-styled Pennsylvania privacy expert Glen L. Roberts, who acknowledges putting the names and numbers on his Web site, said he was merely trying to underscore how easy it is to obtain such information.
"People in the Pentagon are outraged that I would be so bold as to quote the Congressional Record," Roberts said.

In 1968, the military services began using Social Security numbers as general identification numbers for all military personnel. Until recently, these numbers were routinely carried in the Congressional Record every time military promotions were reported to the Senate.

Roberts said he has not posted any new Social Security numbers on his Web site since the Congressional Record stopped publishing them and that there is no way to tell whether identity crooks obtained the names from his site, or from the Congressional Record itself.

@HWA

41.0 Commerce Dept. Introduces New Security Initiative
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Code Kid

Yet another government/industry partnership focusing on Internet security has been introduced, this time by the Commerce Department. This one hopes to spread information security best practices throughout the private sector. There are 65 companies and associations from almost every industry segment involved in the Partnership for Critical Infrastructure Security. (Sounds familiar. Ummm does Infraguard or FidNET ring a bell? How many of these taxpayer funded organizations do we need?)

Federal Computer Week
http://www.fcw.com:80/pubs/fcw/1999/1206/web-security-12-09-99.html

Yahoo News
http://dailynews.yahoo.com/h/nm/19991209/tc/tech_security_2.html

DECEMBER 9, 1999 . . . 14:31 EST

Feds, industry join forces on info security

BY DIANE FRANK (diane_frank@fcw.com)

NEW YORK -- The Commerce Department on Wednesday introduced a new government/industry partnership that will help spread information security best practices throughout the private sector and will improve the overall security of U.S. critical infrastructure.
The Partnership for Critical Infrastructure Security is the latest initiative under Presidential Decision Directive 63, which requires agencies to protect their critical information systems and infrastructures against cyberattack. PDD 63 has led to the creation of government security organizations, including the Critical Infrastructure Assurance Office and the National Infrastructure Protection Center.

But much of the nation's infrastructure is built and run by industry and not controlled by government, so the private sector must take an active role in the protection, said Commerce Secretary William Daley.

"We are, based on the President's directive, extremely concerned about the nation's infrastructure...but the federal government alone can't protect it; it's in the hands of the private sector," he said.

There are 65 companies and associations from almost every industry segment involved in the partnership. Part of the mission of the partnership will be to encourage participation by more small businesses and state and local government groups and to enhance information sharing on security knowledge and expertise, Daley said.

"This cross-sector work is very important," said Harris Miller, president of the Information Technology Association of America, a partnership member organization. "Information security has not yet permeated the consciousness of boardrooms and suites across the country."

The partnership has set five issues to focus on: education; work force development; awareness and training; best practices; and research and development.

Another issue that the partnership plans to study is globalization. Although the Clinton administration mainly is concerned about U.S. national security issues, many of the companies in the partnership are global, Miller said.
The structure of the partnership is still under development, but Commerce will be serving in an advisory and enabling role, providing personnel, advice and other resources when needed, not regulation or federal requirements, Daley said. And as the leaders for the group, industry sees this as a way to forestall potential legislation or regulation from Congress, Miller said.

-=-

Thursday December 9 1:29 AM ET

US Companies, Commerce Dept Meet on Tech Security

By Bill Rigby

NEW YORK (Reuters) - Commerce Secretary William Daley met representatives from major corporations on Wednesday to seek ways to protect America's banks, electrical grids, phone lines and other key services from breakdowns caused by computer hackers or technological glitches.

On hand to kick start the new government-private sector forum were representatives from about 80 companies, including Microsoft Corp., (NasdaqNM:MSFT - news) Citigroup, (NYSE:C - news) AT&T Corp. (NYSE:T - news) and Consolidated Edison Inc. (NYSE:ED - news), among others.

They agreed to hold a summit early next year to find ways federal government and businesses could work together to guard against major disruptions from technology breakdowns or security lapses.

The Partnership for Critical Infrastructure Security was created after a 1998 government white paper called for a bridge between federal agencies and companies in technology-reliant sectors such as finance and banking, transport, energy and public emergency services.

Daley said Y2K computer problems were not a prime concern of the forum. He said the government and companies were already in a good position to counter any inconveniences in services that may follow the millennium date change, which some computers may not recognize correctly because of outdated software.

Daley told reporters after the meeting that the federal government alone could not protect privately controlled technology infrastructure systems such as the Internet or utility power grids.
He said there was a close tie between economic and national security which made a public-private partnership crucial. He said the fast expansion of business conducted electronically left the country vulnerable to various threats including hostile computer hackers.

Corporate representatives said they hoped to establish industry standards for security of electronic data, and increase awareness of ``cyber-ethics''.

Kenneth Watson, representing computer networking giant Cisco Systems (NasdaqNM:CSCO - news), said the nascent forum had identified education, workforce development, research and development and the establishment of best practices in technology security as the key areas the forum would look at.

Microsoft representative Howard Schmidt said the forum marked an important shift in which companies would become more proactive in working with government to ensure security standards.

Harris Miller, representing the Information Technology Association of America trade group, said one of the forum's chief aims was to get companies to give information security practices the same priority as physical security.

@HWA

42.0 Attrition Celebrates One Year Birthday
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by hero

Attrition.org is celebrating one year of free service to the net. Attrition is well known for its crypto/text/denial/advisory archives as well as its errata sections. It is probably most well known for the excellent work they do on the Attrition Defacement mirror.

Attrition.org Birthday Message
http://www.attrition.org/news/content/99-12-10.001.html

Attrition's One Year Birthday Rant

And the folks at Attrition are quite strange. So strange as to run a weird web site that goes against the grain of all things deemed 'good web design'. No graphics, use of dark colors, no advertising or self promotion of services. Everything people associate with an evil hacker site.
Despite this, we offer more information and more services than almost any other security site out there. Because of the red text on black background, our ethics and morals are constantly assumed and maligned. We're quite used to that these days. Let the stuffy dogmatic atavistic twerps dare to evolve. While they are sitting at home enjoying their string beans and meat loaf, eating dinner with their significant other and 2.4 kids, we are enjoying our hedonistic lifestyles. Oh yeah!

While it isn't quite that extreme, the staff here are constantly reminded of this picture. Unfortunate that a few detractors tarnish the picture painted by millions of viewers of our site. I guess that is the nature of the pessimistic beast. Onward...

To be honest and up front with you, this article has no real value to the hardcore info-whore. Instead, we offer nothing more than a fun rant as a reward to ourselves for a job well done. We'll even include some choice quotes about Attrition and her staff that should provide a well rounded view of what type of degenerates run this thing.

Eleven months ago, Attrition was little more than a unix system with a handful of accounts that provided a stable place for email. Originally a quick web page with a handful of files carried over from Jericho's personal web page and not much more. Every day that passed, some new element of the web page began. We quickly picked up a few more users and opted to focus on offering new sources of information.

Early on, there were ten to fifteen users on the system. You were either a shell user, or not. Eventually, questions were asked about who ran the system, who owned it, the meaning of life and more. At that point the designation 'staff' was brought about. 'Staff' is probably not the best word as it implies some greater sense of responsibility or obligation. What it really means is the person has the ability to change things (root), or is trusted to speak on behalf of the system. Not much more.
With the advent of the Attrition Mirror, the site has grown in exposure considerably. At first, mirrors were taken using wget followed by half a dozen commands to make them accessible to viewers. The past few weeks have seen considerable development in a custom tool called aget (Attrition Get) that automates about 90% of the mirroring tasks. It is our hope that the next few months will see a finished version of aget that automates everything, including doing the laundry.

Perhaps the most consistent but low-key sections of Attrition are the text archive and crypto library. Receiving attention on a near daily basis, Modify and Wrlwnd spend considerable time and effort to bring viewers a well organized and comprehensive collection. Utilized by thousands of people a day, these two sections bring utilities and information to the masses.

Today, Attrition is updated by less than ten people, in their spare time. A labor of love so to speak, Attrition is not a business or a requirement. Where it goes tomorrow is uncharted territory.

Voila! Here we are. Yes, that is the short history of things.

Technically and statistically, what is Attrition, and what does it do? Wonders. The main system is a P166 with 64 megs of RAM. The simple fact that the machine has not been reduced to a smoldering pile of plastic and circuits is simply amazing. 'forced' handles a considerable amount of traffic each day. Our busiest days see over 100,000 pieces of mail transferred and over 750,000 HTTP requests served. This makes for over 5 million hits per month on the web server, serving over 4 million different people. Not bad for a little pentium hosting a hobby site.

Things I Learned From Attrition

For the most part, net users are stupid, shallow, and petty. I know I know, that is not a nice thing to say, but being the negative person I am combined with the assault of stupidity we receive, it is difficult to think otherwise. Net etiquette is dead.
People can't seem to deal with their problems any more. Even hiding behind their monitor and keyboard, they still refuse to confront someone they think they have a problem with. Nine out of ten complaints about Attrition were sent to our upstream provider without even copying us on the mail as a general courtesy. Our upstream dutifully forwards the mail to us to get our side of things and goes on from there. Eight of those nine complaints are unfounded or we deal with them without the aid of our upstream. People could save so much time by at least giving us a chance to address any issues.

If I didn't know better, I would swear the net consists of almost fifty percent of cheap bastard lawyers that know as much law as they read on the back of a cereal box. We have been threatened with almost two dozen lawsuits so far. Not a single one made it to a phone call or paperwork. Each and every time it takes a few minutes to quote some relevant law, or explain things very clearly and the ignorant/hostile party backs down without much to say. In case it isn't clear, a threat of lawsuit will only make us treat you like shit. Grow up.

To the handful of people who have written in thanking us for our work, we thank you in return. It is those few shreds of appreciation that make us realize our work is appreciated. To the rest of you primates, if you don't like something about the site, you have two things you can do. The first is to give constructive criticism so that we may try to improve if we agree with you. To clue you in, constructive criticism does not include "fucking stupid", "wtf is that", or like comments. The second thing you can do is kindly fuck off and quit viewing our site. Don't like it? Don't look. End of story. We are not a business, we do not make money off you visiting, we do not need you.

Future

One of the most often asked questions these days is something akin to "Where is Attrition going next?"
To answer this once and for all, without equivocation, We do not know! Attrition has no grand plan or well defined map. Day to day we make decisions or brainstorm new ideas that lead to an overall picture of what the site is. We believe it is this lack of plans that helps construct what Attrition is.

Attrition exists for the users and viewers. Anyone who has contacted attrition staff in the past should realize this. We respond to almost every piece of email, regardless of content. If nothing else, we send acknowledgement that we received the email so that readers know we care about their comments. Pointers to typos or errors go answered in hours. Features or suggestions are almost always implemented, sometimes in a day or less. Thanks to our readers, serious refinement has been done to several pages. Our aget utility has received many enhancements at the suggestions of our readers, and we thank you for it.

On top of the staff and viewers of Attrition, there exists another special group of degenerates that deserve special thanks and recognition. These are the individuals that have helped bring our name to the masses. First and foremost, we thank the Hacker News Network (HNN) for being the first to give daily links to our mirror, as well as special segments devoted to other sections of Attrition. Yes, that blue haired freak of nature Space Rogue is constantly helping us out in many ways. We love you! Others like the 'skinhead' degenerate Netmask at Mindsec, our 'media darling' (barf) Ender at OSALL, and the foreign folks at Net-Security and 403 Security all deserve a round of thanks/beer. In recent months, professional sites like SecurityFocus and NTSecurity.net have also begun linking to us. Their links add a sort of professional validation to the work we do.

To finish this piece, we look to readers, detractors and staff for final comments. We asked people what they thought of Attrition, or what came to mind when they thought of it.
To be fair, we sort of encouraged more obscure or esoteric answers. No, we can't be normal.

We'll start with the true foundation of Attrition. Asking the mothers of the staff members. What do you think of Attrition, or what does it mean to you?

"The first time I looked at it, I thought you were all disturbed." - Punkis' Mother

"Attrition.org has changed my life - not in the way you might think - you see, attrition.org is my grandchild in a bizarre sort of way. Attrition.org was conceived by my son and just as for any mother the journey into the role of grandmother is quite unique. This grandchild, attrition.org., has opened many doors for me. This child shows me things I have never seen. Sometimes it scares me with where it goes in the world of cyberspace. Sometimes it brings me to tears with laughter. It never ceases to amaze me. Like any one year old I believe it is still finding its way. Attrition.org is the image of its father. It is a brilliant star, a myriad of emotions, a wealth of knowledge, a whirlwind of activity. I hope I am around for many years to come to enjoy attrition.org., this one of a kind offspring who has come so far in just 365 days. Happy Birthday!!!" - Jericho's Mother

Turning to the Attrition staff, we get the most.. disturbing answers.

"'What does attrition mean to me....' I was recently asked to comment on this by cult_hero for attrition's 1 year anniversary piece and I have been racking my brains as to how I wanted to answer that, in my usual smart ass fashion or actually being a little serious for once. Maybe I will try a little of both. Attrition means a lot of things to me. For example ever since we have started mirroring web page defacements I have found myself saying "punkis, you picked the wrong year to quit sniffing glue..." Although it can be a giant pain in the ass to maintain I have always believed it is a good resource.
I guess thats a good way to sum up what attrition is all about, a great resource covering a very broad range of topics. Where else can you go to read security advisories, browse an excellent text archive, read music reviews, even read calamari reviews. We now even have pages demonstrating how to properly and safely clean a variety of weapons. Attrition is a strange mix of freaks, geeks, hippies, poets, drunks, gun nuts, computer crime advocates (snicker) and generally unruly and rude people. Considering the site has always been a "hobby site" I think we have done a pretty good job of keeping the content fresh which can't be said about many sites. Like sites that have venture capital. I don't think I need to name names here...We have a lot of ideas on where we'd like to see attrition go so I think the site will grow to be more and more diverse as time goes on.

We are the ones our parents warned us about. At night when you can't sleep and hear someone scratching on the wall, its us. Remember that time you went camping and saw those weird lights in the sky? Yes, it was us. Read about that small government that was recently overthrown? We were probably involved. Roswell? We aren't that old....well except for cancer omega." - punkis

Being with Attrition is like being in a rock band. We have a tendency to cause a stir wherever we go, even though we're trying to be inconspicuous. We travel a great deal and always have our equipment in tow. Our best work is when we all sit down together, just pickin' and grinnin' like the old times. Seems like someone's always trying to spy on us so they can get some kind of inside scoop on us; like they're trying to figure us out and can't quite wrap their brain around what we really are. People either absolutely love us or absolutely hate us. The people who love us sometimes hate us for the different things we do, and those who already hate us will continue to hate us no matter what we do.
The only difference is we don't have roadies or near as many groupies. And at last count, nobody's rushed the stage when we gave a show. That being said, there is nothing more to say. Viva Attrition! - Cancer Omega "I wish I could explain in words what Attrition has meant to me but that's rather impossible. However I've never been involved in a project that allowed me to immerse myself in a culture in less than 10 months. Being involved with Attrition is quite an experience. I love how none of the staff take any shit and each person adds their own perspective to the site. Of course, the minute I send this I'll have the Pulitzer-winning speech of a lifetime. Suffice it to say that I'm proud and honored to have some great friends like you guys, it really is great." - McIntyre The quasi-grandfather of Attrition (so said because he is two days older than dirt) came up with a few great quotes to mock the rest of staff. "Before I found attrition, I was all messed up on drugs. Now that I've found attrition, I'm all messed up on attrition." - McIntyre "Since I joined attrition, I'm my own hero. And hers, too!" - cOmega "I didn't know what to make of attrition until I visited Jericho and he showed me that he'd spelled out 'Have a Nice Day' with the skulls of Happy Hackers he'd decapitated. Now I'm sold." - Punkis "Attri-what?" - Modify "Go AWAY! I'm BUSY!" - Jericho Some of those seem to be quite accurate once you get to know the staff members! What are other members of Attrition saying? "Attrition.org is turning a year old....my my my...what can one say about such an occasion? Well, from the beginning....wait.. hold up..Attrition.org turning a year old and the millennium approaches? Is there a connection? Oh *cripes*....there must be. Why else would the government hold mal_vu hostage? They're working TOGETHER!! Okay...this information must get out into the general populas...wait...there's a knock at the door.... 
*bang*" - WrlWnd "Attrition is a [joke/comedy] [played on/performed before] an audience too afraid to laugh." - Munge "Where people with no friends hangout, doing weird shit, from warped minds and not giving a toss what others think. Where we get whipped and you get shit. The folks at Attrition once had social lives, were once popular, even had potential. Now they have minds of their own. Like we really care what you think? One year on: and getting stranger by the day. As time goes on the voice of attrition only gets loder, conforming to no society, having no real direction, just going with the flow of daily life. Finding a new freedom, pushing the boundries of each path it choses to partake in." - Blaise Yes, they seem more thoughtful and well read than we do! How about our affiliates? What kind words can they bestow upon us? "Attrition.org? One of us owes the other beer I think." - Space Rogue [HNN] "Attrition.org? Blergh. It's esoteric, it's prostate, lamentable and regrettable. In a word? Love. I love it." - Ender Wiggin [OSALL] "Even though attrition uses the letters "FUCK" on its main page, i still link it from my "try to be" professional site. So maybe I am a hypocrite. whatever. Attrition has given me data to use as a filler on my main site, something to do when my boss says I should be working. Some of the staff members make me realise that EverQuest is an evil game, and will eat your life away. This is why when I talk to jericho, he is always talking about killing spammers with his sword, and how they should know not to mess with any level 21 player. Honestly, Attrition went from a 'whats the point' type of thing to me, to a site that i respect, after I started to understand the actual point. It has also lead me to remember that some people, no matter how much you shit on them, and how many times you stabbed them in the back, they can throw together a "one more chance" type of deal (Yes.. It is true.. 
Jericho and I haven't always been so intimate^H^H^H^H^H^H^H^H friendly. Either way, ill end with.. The site rocks, the work is good, these people are just like me, they have no lives.. and they are doing something without pay or profit." - Erik Parker [Mindsec] "If this is Attrition at one year, I can't wait till it reaches the 'terrible two' stage" - C. Fennelly "Screw Attrition, them fools still owe me $50 for that last rock!" - Bronc Buster "Your site is unique in its own right, and despite what other egotisticle, idiotic, narrow-minded fools out there think, sites like yours are wonderful for the folks out there like me... who dont neccessarily take what we learn from your site and use it to our personal gain or anything else, but just for the simple reason of the knowledge of it all." - Nan "Because of the high dollar lobbyist donations to undisclosed members of the Senate, we are still non profit!" - Mal Vu Spammers have quickly learned that unsolicted commercial email is frowned upon. How anti-spam are we? "People who send spam to Attrition Staff, beware! They say that there's a room where they keep the skulls of spammers, lined up in a row on a shelf. They say that, late at night, they go there, and talk to them... They say the members of the Attrition Staff ask them, "Now tell us again, how *do* you make money fast?" - Jay Dyson, de-spammer for NASA JPL In conclusion, in case it wasn't readily apparent and beating you senseless... if you don't like what you see, don't look. Expect less and you will be disappointed less. That and a million other cliches. As Mcintyre always says, "keep your sheep warm at night." That is it. Until next year... 
ATTRITION Staff (staff@attrition.org)
Copyright 1999

About Attrition: http://www.attrition.org/attrition/about.html
Attrition Staff: http://www.attrition.org/attrition/staff/
Why (quasi-faq): http://www.attrition.org/attrition/why.html
What's Attrition: http://www.attrition.org/news/content/99-09-10.001.html
Our Disclaimer: http://www.attrition.org/attrition/warn.html

@HWA

43.0 Russian Echelon?
~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by AlienPlaque

The successor to the KGB, the Federal Security Service (FSB), has set up a network of data links connected to every major Russian Internet service provider that allows unlimited monitoring of private emails and electronic banking. The System for Operational Investigative Activities (SORM) was introduced quietly late last year by government regulations that needed no parliamentary approval.

The Times
http://www.the-times.co.uk/news/pages/tim/99/12/08/timfgnrus01004.html?1124027

December 8 1999 RUSSIA

Now Big Brother keeps eye on e-mail
BY GILES WHITTELL

BIG BROTHER is no longer watching Russia's citizens at every turn, but many of them fear he is reading their e-mails. The successor to the KGB has set up a network of data links connected to every major Russian Internet service provider that allows unlimited monitoring of private e-mails and electronic banking. Activists claim that the network is already being abused for profit, theft and blackmail.

The System for Operational-Investigative Activities (SORM in Russian) was introduced quietly late last year by government regulations that needed no parliamentary approval. Considered one of Russia's most ambitious internal espionage programmes since the fall of the Soviet Union, it is now in full force, according to an investigation in yesterday's Moscow Times. It allegedly has the co-operation of 350 Internet companies, who had to pay for its construction.

Russia's unloved Federal Security Service (FSB), which took over the KGB's domestic duties, is able to monitor electronic communication without the need for search warrants. The FSB and its defenders in parliament insist that this is merely a cost-effective means of surveillance on crime in cyberspace, but few doubt that the FSB is not above selling its information to the highest bidder.

Westerners and middle-class Russians in Moscow who increasingly rely on e-mail for cheap long-distance communication were alarmed by yesterday's report.

@HWA

44.0 Russian Bug Did Frequency-Hopping
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Evil Wench

The technical details of the listening device recently found at the US State Department are starting to be available. The device was battery operated and voice activated. It was about the size of a quarter, and used a frequency-hopping mechanism which made it harder to detect. The device was located inside the chair rail, a piece of molding mounted on the walls at waist level. (Wow, that's pretty neat.)

ABC News
http://www.abcnews.go.com/sections/world/DailyNews/russia991209.html

Russian Suspected of Spying
Diplomat Allegedly Caught Monitoring a ‘Bug’ in State Department

A listening device was found in the State Department building, near U.S. Secretary of State Madeleine Albright's office. Federal authorities have ordered the expulsion of a Russian diplomat suspected of monitoring the device. (State Department)

ABCNEWS.com

WASHINGTON, Dec. 9 — A Russian diplomat suspected of listening to a “bug” planted in a sensitive State Department conference room will be expelled from the United States, officials said today.

The diplomat, attaché Stanislav Borisovich Gusev, was apprehended by agents of the FBI and the State Department’s Diplomatic Security Service at 11:39 a.m.
Wednesday, while smoking a cigarette on a park bench a few blocks away from the State Department, according to Neil Gallagher, assistant director for national security at the FBI. Nearby was his car, in which agents found equipment apparently used to monitor the listening device planted within a seventh-floor conference room of the building, officials said.

The conference room belongs to the bureau of Oceans and International Environmental Scientific Affairs. It is located on the opposite side of the building from the executive offices. Today, the wooden door to the room was locked, and the hallway nearby was quiet.

The conference room is within a few steps of the office of Newly Independent States, which covers Russia, and the office of Special Middle East Coordinator Dennis Ross, as well as the Office of Nuclear Energy Affairs. The seventh floor houses all major department heads at State, including Secretary of State Madeleine Albright, as well as the 24-hour Operations Center, a communications hub connected via secure satellite to all American embassies.

U.S. officials said that an investigation is still ongoing as to who may have used that room, but they said that sensitive conversations certainly took place there. It isn’t clear if officials from any of these offices used this conference room, but it is certainly available for their use. The Associated Press reports that security officials are interviewing “hundreds” of department employees to produce a damage assessment.

Tracking the Device

It was not clear who may have planted the bug. There is no record that Gusev was ever in the State Department headquarters. The device was detected over the summer and located several weeks ago, but it was kept in place during the inquiry to avoid tipping off the Russian diplomat, said Gallagher. Security teams swept the department for other devices and were careful to make sure sensitive conversations didn’t take place near the bug, he added. The bug was removed Wednesday.

A number of surveillance specialists said it wasn’t a very powerful device. It was about the size of a quarter, they said, and it was voice-activated, which saves on battery time. They added the device had a frequency-hopping mechanism, which made it harder to detect. A senior official told ABCNEWS the device was located inside the chair rail, a piece of molding mounted on the walls at waist level. The molding is used to keep chairs from scuffing the wall.

There was no sign of inspections at the State Department today. Officials said in a briefing that there had been an aggressive sweep and there were no other bugs found.

Hit the Road

Gusev, who had been in the United States since March, was temporarily detained by the FBI but, because he claimed diplomatic immunity, was not charged with a crime. He was turned over to Russian officials almost three hours after being seized, Gallagher said. Gusev was declared persona non grata by the State Department and handed over to the Russian Embassy for expulsion within 10 days, State Department spokesman Jim Foley said in a statement.

Undersecretary of State Thomas Pickering called on Russian Ambassador Yuriy Ushakov Wednesday afternoon to “firmly protest” Gusev’s actions, Foley said. Other Russian diplomats were also being investigated, officials said.

Gusev came under suspicion when officials noted his unusual movement patterns, the official said. Then the FBI used sophisticated technological gear to figure out what he was doing. (See related story.)

FBI Was Eager to Act

FBI officials were keen on acting Wednesday because they felt their catch might slip away, leaving them unable to locate the bug. The bug was activated by the sensitive gear seized from the diplomat’s car and it could only be found when activated, sources said. FBI officials feared the diplomat would be pulled back from his alleged eavesdropping duties and the bug would soon go dormant, because the Russians felt there would be American retaliation for the detainment last week in Moscow of the U.S. Embassy staffer. Now, with the monitoring equipment in hand, officials said they can home in on other possible bugs.

ABCNEWS’ Martha Raddatz, Beverly Lumpkin and Eric Wagner, ABCNEWS.com’s David Ruppe and the Reuters news service contributed to this report.

Tit for Tat?

Russia’s Foreign Intelligence Service reacted with indignation at the allegations. “I think there is a certain sequence here,” Boris Labusov, spokesman for SVR Foreign Intelligence Service, told Reuters. It is extremely unusual for the SVR to comment on spying cases and Labusov was careful not to confirm or deny Gusev was an agent.

“We think this detention and the further expulsion of the Russian diplomat from the United States can be regarded as a reaction of the American side to the latest events in Moscow connected with the detention and expulsion of an American diplomat,” Labusov said. “If it is a reaction … we can only be sorry about it,” he said. “As far as the Russian side is concerned, we gave up the principle of an eye for an eye long ago.”

On Nov. 30, Russian authorities said they caught a U.S. diplomat in the act of trying to obtain sensitive military information from a Russian citizen. Russian security officials said the U.S. diplomat, Cheri Leberknight, a second secretary in the U.S. Embassy’s political section, was a CIA agent and was caught carrying invisible ink and a pocket-sized electronic spy device to prevent eavesdropping when she was detained. Leberknight, who claimed diplomatic immunity, was turned over to the embassy and asked to leave within 10 days.

Gusev’s expulsion is the latest in what has become a series of seemingly tit-for-tat spy allegations. (See interactive graphic, above, for some incidents involving Russia and the West.)
“I do hope all these incidents will not hamper progress in bilateral relations,” Labusov said. RIA news agency quoted an unnamed senior government official as saying there could be more expulsions of Russians. “The clear and crude fabrication of allegations against a Russian diplomat is reminiscent of the Cold War era,” RIA quoted the source as saying.

@HWA

45.0 Security Focus Newsletter #18
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Security Focus Newsletter #18

Table of Contents:

I. INTRODUCTION
   1. Announcing the new Microsoft Focus area

II. BUGTRAQ SUMMARY
   1. SCO UnixWare 'xauto' Buffer Overflow Vulnerability
   2. Symantec Mail-Gear Directory Traversal Vulnerability
   3. Microsoft IE5 Offline Browsing Pack Task Scheduler Vulnerability
   4. qpop Remote Buffer Overflow Vulnerability
   5. Microsoft Windows 9x Plaintext Credential Cache Vulnerability
   6. Solaris kcms_configure
   7. Multiple Vendor CDE dtmail/mailtool Buffer Overflow Vulnerability
   8. NT Subst.exe Vulnerability
   9. FreeBSD gdc Buffer Overflow Vulnerability
   10. FreeBSD gdc Symlink Vulnerability
   11. Solaris arp/chkprm Vulnerabilities
   12. FreeBSD Seyon setgid dialer Vulnerability
   13. FreeBSD xmindpath Buffer Overflow Vulnerability
   14. FreeBSD angband Buffer Overflow Vulnerability
   15. RSAREF Buffer Overflow Vulnerability
   16. IBM Websphere Installation Permissions Vulnerability
   17. Endymion Mailman Default Configuration Vulnerability
   18. Microsoft IE5 WPAD Spoofing Vulnerability
   19. Netscape Enterprise & FastTrack Authentication Buffer Overflow Vulnerability
   20. SCO UnixWare '/var/mail' permissions Vulnerability
   21. SCO UnixWare 'pkg' commands Vulnerability
   22. SCO UnixWare 'coredump' Symlink Vulnerability

III. PATCH UPDATES
   1. Vulnerability Patched: Symantec Mail-Gear Directory Traversal
   2. Vulnerability Patched: Microsoft IE5 Offline Browsing Pack Task Scheduler
   3. Vulnerability Patched: qpop Remote Buffer Overflow
   4. Vulnerability Patched: Microsoft Windows 9x Plaintext Credential Cache
   5. Vulnerability Patched: RSAREF Buffer Overflow
   6. Vulnerability Patched: Endymion Mailman Default Configuration
   7. Vulnerability Patched: Microsoft IE5 WPAD Spoofing
   8. Vulnerability Patched: Netscape Enterprise & FastTrack Authentication Buffer Overflow
   9. Vulnerability Patched: Multiple BIND Vulnerabilities (Slackware)
   10. Vulnerability Patched: Linux nfsd Remote Buffer Overflow (Slackware)
   11. Vulnerability Patched: Linux syslogd DoS (Slackware)
   12. Vulnerability Patched: Multithreaded SSL ISAPI Filter
   13. Vulnerability Patched: RSAREF Buffer Overflow (OpenBSD)

IV. SECURITYFOCUS.COM TOP 6 NEWS ARTICLES
   1. NSA Spies Running dry? (November 29, 1999)
   2. Staples files suit against Web hacker. (November 30, 1999)
   3. Worm Virus Cripples Corporate Computers (December 1, 1999)
   4. Novell chief's credit card stolen online (December 2, 1999)
   5. Court upholds hacker's death sentence (December 3, 1995)
   6. Suspect in huge computer fraud case faces court (December 5, 1995)

V. INCIDENTS SUMMARY
   1. Port 98 scans & new 3128/8080 scans (Thread)
   2. Strange Web Traffic (Thread)
   3. Smurf / "ICMP Echo Reply" logs (Thread)
   4. BIND Scanning (Thread)
   5. problems from ip69.net247221.cr.sk.ca[24.72.21.69] (Thread)
   6. Port scanning (Thread)
   7. Network security monitoring tools (Thread)
   8. How to Report Internet-Related Crime (Thread)
   9. rpc scans and nfs attacks from 210.217.26.15 (Thread)
   10. New named attack or what? (Thread)
   11. Traffic from 210.163.117.209 (Thread)
   12. RunOnceEx

VI. VULN-DEV RESEARCH LIST SUMMARY
   1. Cisco NAT DoS (VD#1) (Thread)
   2. PHP (Thread)
   3. WordPad exploit development: executing arbitrary code on Win98 (fin) (Thread)
   4. Idiocy "exploit" (Thread)
   5. Norton AntiVirus 2000 POProxy.exe (Thread)

VII. SECURITY JOBS
   Seeking Staff:
   1. Corporate Information Security Officer

VIII. SECURITY SURVEY RESULTS

IX. SECURITY FOCUS TOP 6 TOOLS
   1. SecurityFocus.com Pager (Win95/98/NT)
   2. SuperScan 2.0.5 (Windows 2000, Windows 95/98 and Windows NT)
   3. IDS Alert Script for FW-1 (Solaris)
   4. NTInfoScan 4.2.2 (Windows NT)
   5. Fragrouter 1.6 (BSDI, FreeBSD, Linux, NetBSD, OpenBSD and Solaris)
   6. Snort 1.3.1 (FreeBSD, HP-UX, IRIX, Linux, MacOS, OpenBSD and Solaris)

X. SPONSOR INFORMATION - CORE SDI

XI. SUBSCRIBE/UNSUBSCRIBE INFORMATION

I. INTRODUCTION
-----------------

Welcome to the Security Focus 'week in review' newsletter issue 18 sponsored by CORE SDI. http://www.core-sdi.com

1. Introducing the new Focus on Microsoft area

The Focus Area idea was born out of a realization, reinforced by comments from our users, that there is an overwhelming amount of security information "out there" and a limited number of ways to filter and organize it. Under the 'Focus' umbrella we will be hosting a number of technology or platform-specific areas, each designed to offer well-ordered, timely content to those interested in that particular subject. More than just a new way of presenting the data we already have, each Focus Area will also include new original content, written by both SF staff and outside experts on a regular basis.

I am happy to announce the opening of our first Focus Area, one devoted to all aspects of Microsoft security. The majority of our users are involved with MS security issues in one way or another, and the demand for an MS-centric subsection made it an obvious choice for our first Focus. Others will follow. In the meantime, have a look for yourself, at:

http://www.securityfocus.com/focus/

II. BUGTRAQ SUMMARY 1999-11-27 to 1999-12-05
---------------------------------------------

1. SCO UnixWare 'xauto' Buffer Overflow Vulnerability
BugTraq ID: 848
Remote: No
Date Published: 1999-12-03
Relevant URL: http://www.securityfocus.com/bid/848
Summary:
Certain versions of SCO's UnixWare ship with a version of /usr/X/bin/xauto which is vulnerable to a buffer overflow attack which may result in an attacker gaining root privileges.
This is exploitable to gain root privileges even though /usr/X/bin/xauto is not setuid root. This is due to a system design issue with SCO Unixware which is discussed in an attached message in the 'Credit' section titled "UnixWare 7 uidadmin exploit + discussion". 2. Symantec Mail-Gear Directory Traversal Vulnerability BugTraq ID: 827 Remote: Yes Date Published: 1999-11-29 Relevant URL: http://www.securityfocus.com/bid/827 Summary: Mail-Gear, a multi-purpose filtering email server, includes a webserver for remote administration and email retrieval. This webserver is vulnerable to the '../' directory traversal attack. By including the string '../' in the URL, remote attackers can gain read access to all files on the filesystem that the server has read access to. 3. Microsoft IE5 Offline Browsing Pack Task Scheduler Vulnerability BugTraq ID: 828 Remote: Yes Date Published: 1999-11-29 Relevant URL: http://www.securityfocus.com/bid/828 Summary: The Internet Explorer 5 Offline Browsing Pack includes the Task Scheduler utility. This program is similar to the NT AT service, and on NT systems, it replaces the AT service. The Task Scheduler will allow unauthorized users to create AT jobs by modifying an existing, administrator-owned file and placing it into the %systemroot%\tasks folder. This vulnerability could only be exploited remotely if the tasks folder was specifically shared, or through the default C$ share on NT. Task Scheduler can be made to use any other arbitrary folder by editing the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SchedulingAgent\TasksFolder (Changes will not take effect until after the target has been rebooted.) The IE5 Offline Browsing Pack ships with IE5, but is not installed by default. 4. 
qpop Remote Buffer Overflow Vulnerability BugTraq ID: 830 Remote: Yes Date Published: 1999-11-30 Relevant URL: http://www.securityfocus.com/bid/830 Summary: There is a buffer overflow vulnerability present in current (3.x) versions of Qualcomm popper daemon. These vulnerabilities are remotely exploitable and since the daemon runs as root, the host running qpopper can be completely compromised anonymously. The problem is in pop_msg.c, around line 68 and is the result of vsprintf() or sprintf() calls without bounds checking. 5. Microsoft Windows 9x Plaintext Credential Cache Vulnerability BugTraq ID: 829 Remote: No Date Published: 1999-11-29 Relevant URL: http://www.securityfocus.com/bid/829 Summary: Windows 95 and 98 cache a user's name and password in plaintext in RAM. This feature was included for backwards compatibility with Windows for Workgroups, which implemented this mechanism for use with the 'net' program, which handled most network configuration requirements for the WfW OS. This feature can be exploited via specific function calls to retrieve another user's credentials. In order for this to work , the attacker must have console access to the target machine, and it must not have been rebooted since the last logout. Only the most recent user's credentials can be retrieved. 6. Solaris kcms_configure BugTraq ID: 831 Remote: No Date Published: 1999-11-30 Relevant URL: http://www.securityfocus.com/bid/831 Summary: The binary kcms_configure, part of the Kodak Color Management System package shipped with OpenWindows (and ultimately, Solaris) is vulnerable to a local buffer overflow. The buffer which the contents of the environment variable NETPATH are copied into has a predetermined length, which if exceeded can corrupt the stack and cause aribtrary code hidden inside of the oversized buffer to be executed. kcms_configure is installed setuid root and exploitation will result in a local root compromise. 7. 
Multiple Vendor CDE dtmail/mailtool Buffer Overflow Vulnerability BugTraq ID: 832 Remote: No Date Published: 1999-11-30 Relevant URL: http://www.securityfocus.com/bid/832 Summary: There are three buffer overflow vulnerabilities in the CDE mail utilities, all of which are installed sgid mail by default. The first is exploited through overrunning a buffer in the Content-Type: field, which would look something like this: Content-Type: image/aaaaaaaa long 'a' aaaaaa; name="test.gif" Mailtool will overflow when email is selected which has a content-type field like that. It may be possible for an attacker to obtain root priviliges if shellcode is written appropriately and root selects the malicious email message. The second vulnerability is in dtmail, which will crash (and possibly execute arbitrary code) if a long paramater is passed argumenting the -f command-line option. The third is in mailpr, which is vulnerable to a long -f paramater as well. The most basic consequence of these being exploited is a compromise of local email, since all mail data is set mode 660, read and write permissions granted for members of group mail. As of November 30, 1999, Solaris 7 is the only known vulnerable platform. 8. NT Subst.exe Vulnerability BugTraq ID: 833 Remote: No Date Published: 1999-11-30 Relevant URL: http://www.securityfocus.com/bid/833 Summary: The SUBST command is used to map a drive letter to a folder on an existing drive. This command can be run by any user. After it is run, the mapping stays in effect until it is deleted, by issuing the subst command again with the /d option, or until the machine is rebooted. Loggin off does not remove the mapping. Therefore, it is possible for one console user to map a drive letter to a a folder of their choosing, and then log off, leaving the mapping intact for the next user. If the next user tries to manually map a differnt location to that letter, they will get an error 85, "The local device name is already in use." 
However, if the drive letter used is the same as their network-mapped home drive, the operation will fail without any error message. From the user's perspective, nothing obvious will happen to let them know that their 'home drive' is not their usual home drive t all. This opens the possibility of getting a user to run trojaned or malicious programs, as well as the possibility of having them write potentially confidential documents to a publicly-accessible or even network shared location. 9. FreeBSD gdc Buffer Overflow Vulnerability BugTraq ID: 834 Remote: No Date Published: 1999-12-01 Relevant URL: http://www.securityfocus.com/bid/834 Summary: There is a buffer overflow vulnerability known to be present in the version of gdc shipped with the 3.3-RELEASE version of FreeBSD. By default, only users in group wheel have execute access to gdc. The overflow occurs when the argument passed along with the -t flag (time) exceeds its predefined buffer length. It is possible to then corrupt the stack and alter the flow of execution (and execute arbitrary code). With gdc setuid root by default, this can lead to a local root compromise if exploited by users who have or gain access of or belong to the wheel group (or trusted gated group). 10. FreeBSD gdc Symlink Vulnerability BugTraq ID: 835 Remote: No Date Published: 1999-12-01 Relevant URL: http://www.securityfocus.com/bid/835 Summary: It is possible to write debug ouput from gdc to a file (/var/tmp/gdb_dump). Unfortunately, gdc follows symbolic links which can be created in tmp and will overwrite any file on the system thanks to it being setiud root. This does not cause any immediate compromises and is more of a denial of service attack since it does not change the permissions of the overwritten files (to say, world writeable or group writeable). Local users are required to be in group wheel (or equivelent) to execute gdc. 11. 
Solaris arp/chkperm Vulnerabilities
BugTraq ID: 837
Remote: No
Date Published: 1999-12-01
Relevant URL: http://www.securityfocus.com/bid/837
Summary:

It is possible to read bin-owned files to which local users have no read
access by exploiting subtle vulnerabilities in arp and chkperm.

With arp, this is done by specifying a file with the -f parameter. When arp
tries to interpret the contents of this file (which it opens and reads
without difficulty, being sgid/suid bin), it fails and prints the
"erroneous lines" of the file along with its error messages. Those
"erroneous lines" are the contents of the file to which you do not normally
have read access (and which belong to the user/group bin).

For chkperm, exploitation would be through setting an environment variable
that chkperm consults to decide where to write a file with a known name
(making it possible to supply arbitrary places where an attacker would have
write access). The hacker would then make a lib subdirectory beneath the
specified VMSYS path, and a file in lib/ called .facerc, which would be a
symlink to whatever file you wanted to read. chkperm would then be run with
the -l flag and the contents of the file pointed to will be displayed (as
seen by bin).

Solaris 2.x is known to be vulnerable.

12. FreeBSD Seyon setgid dialer Vulnerability
BugTraq ID: 838
Remote: No
Date Published: 1999-12-01
Relevant URL: http://www.securityfocus.com/bid/838
Summary:

FreeBSD 3.3-RELEASE ships with Seyon, a communications program which is
known to have several vulnerabilities that can allow a malicious user to
elevate privileges. The vulnerability here, however, is that seyon is still
installed setgid dialer in FreeBSD. When seyon is exploited, a local user
can grant him/herself privileges which allow access to the communications
devices or anything else accessible by the group dialer.

13. FreeBSD xmindpath Buffer Overflow Vulnerability
BugTraq ID: 839
Remote: No
Date Published: 1999-12-01
Relevant URL: http://www.securityfocus.com/bid/839
Summary:

The version of xmindpath shipped with FreeBSD 3.3 can be locally exploited
by overrunning a buffer of predefined length. It is possible to gain the
effective userid of uucp through this vulnerability. It may be possible,
after attaining uucp privileges, to modify binaries to which uucp has write
access and trojan them to further elevate privileges, i.e. modify minicom so
that when root runs it, it drops a suid shell somewhere.

14. FreeBSD angband Buffer Overflow Vulnerability
BugTraq ID: 840
Remote: No
Date Published: 1999-12-01
Relevant URL: http://www.securityfocus.com/bid/840
Summary:

The version of angband shipped with FreeBSD 3.3-RELEASE is vulnerable to a
local buffer overflow attack. Since it is setgid games, a compromise of
files and directories owned by group games is possible.

15. RSAREF Buffer Overflow Vulnerability
BugTraq ID: 843
Remote: Yes
Date Published: 1999-12-01
Relevant URL: http://www.securityfocus.com/bid/843
Summary:

A buffer overflow vulnerability exists in the RSAREF cryptographic library
which may make any software using the library vulnerable. The vulnerability
exists in four functions in the rsa.c source file. The functions are:

  int RSAPublicEncrypt()
  int RSAPrivateEncrypt()
  int RSAPublicDecrypt()
  int RSAPrivateDecrypt()

All these functions define a local variable called pkcsBlock of 128 bytes
in length which can be overflowed, making it possible to execute arbitrary
code. This vulnerability, in combination with BugTraq ID 797, allows
versions of SSHD linked against the RSAREF2 library to be exploited
remotely.

16. IBM Websphere Installation Permissions Vulnerability
BugTraq ID: 844
Remote: No
Date Published: 1999-12-02
Relevant URL: http://www.securityfocus.com/bid/844
Summary:

The IBM Websphere application server, when installed on Solaris (or
possibly AIX), creates a deinstallation shell script in /usr/bin with mode
777. The script is called by pkgmgr, which is run by root. This means that
an attacker can modify the script and add malicious code to it, leading to
a root compromise once it is run. IBM Websphere also installs many of its
data files with mode 777 permissions.

17. Endymion Mailman Default Configuration Vulnerability
BugTraq ID: 845
Remote: No
Date Published: 1999-12-02
Relevant URL: http://www.securityfocus.com/bid/845
Summary:

Endymion Mailman is a commercial web email suite written in Perl. When it is
installed, by default it sets permissions which make it vulnerable to local
compromise (666 for files, 777 for directories). Because of this it is
possible for local, unprivileged users to read and write arbitrary users'
email (for users of the Mailman system) as well as files owned by uid
webmaster.

18. Microsoft IE5 WPAD Spoofing Vulnerability
BugTraq ID: 846
Remote: Yes
Date Published: 1999-12-02
Relevant URL: http://www.securityfocus.com/bid/846
Summary:

IE5's automatic proxy configuration feature, WPAD (Web Proxy
Auto-Discovery), can be fooled into using, or attempting to use, an
unauthorized server as a proxy server. An attacker on a different network
could use this to read web traffic from the IE5 client.

IE5 searches for a WPAD server by looking for machines named wpad.x.x.x in
the current domain. If none is found, it proceeds up the domain name
structure until it reaches the third-level domain name. For example, IE5
running on host a.b.c.d.net would first look for wpad.b.c.d.net, then
wpad.c.d.net, then wpad.d.net.
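The discovery walk just described, as an added example (not code from the advisory or from Microsoft): it lists the wpad names an IE5 client on a given host would query, in order, and flags the ones that fall outside the DNS zones you control. The host and zone names are constructed for illustration, and the check assumes, as the entry states, that the client stops at the first wpad name it finds.

```python
"""IE5 WPAD discovery walk (BugTraq ID 846), modelled from the description
above.  Added example; the host and zone names used below are constructed."""


def _norm(name):
    """Lower-case a DNS name and strip any trailing dot."""
    return name.lower().strip(".")


def wpad_candidates(fqdn):
    """Return the wpad.* names an IE5 client on `fqdn` tries, in query order.

    The host label is dropped and the walk moves up one label at a time,
    stopping at the third-level domain: for a.b.c.d.net the candidates are
    wpad.b.c.d.net, wpad.c.d.net and wpad.d.net (wpad.net is never tried).
    """
    labels = [l for l in _norm(fqdn).split(".") if l]
    # Index 0 is the host itself; the last candidate keeps two labels.
    return ["wpad." + ".".join(labels[i:]) for i in range(1, len(labels) - 1)]


def in_zone(name, zone):
    """True if `name` is `zone` itself or lies beneath it."""
    name, zone = _norm(name), _norm(zone)
    return name == zone or name.endswith("." + zone)


def untrusted_candidates(fqdn, trusted_zones):
    """Candidates that fall in DNS zones the organisation does not control.

    Whoever controls such a zone can answer the client's WPAD query and be
    used as its proxy, which is the exposure the advisory describes.
    """
    return [c for c in wpad_candidates(fqdn)
            if not any(in_zone(c, z) for z in trusted_zones)]


def first_untrusted_query(fqdn, trusted_zones, published_wpad=()):
    """Simulate the walk: the client stops at the first name that resolves.

    `published_wpad` holds the wpad host names you actually serve.  Returns
    the first candidate outside `trusted_zones` that the client would reach,
    or None when a published name in a trusted zone ends the walk first.
    """
    published = {_norm(n) for n in published_wpad}
    for candidate in wpad_candidates(fqdn):
        if not any(in_zone(candidate, z) for z in trusted_zones):
            return candidate          # query would leave the trusted zones
        if candidate in published:
            return None               # answered inside a trusted zone
    return None


if __name__ == "__main__":
    # Constructed host and zone for illustration.
    host = "pc7.sales.corp.example.net"
    zones = ["corp.example.net"]
    print("walk order:", wpad_candidates(host))
    print("outside trusted zones:", untrusted_candidates(host, zones))
    print("first untrusted query, nothing published:",
          first_untrusted_query(host, zones))
    print("with wpad.corp.example.net published:",
          first_untrusted_query(host, zones, ["wpad.corp.example.net"]))
```

Running it against your own client naming scheme shows which zone must answer a wpad query before the walk leaves the part of the namespace you control.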
In certain network configurations, the third-level domain is not
necessarily a trusted part of the network, and an attacker could set up a
server to cause IE5 clients to use a hostile machine as proxy.

19. Netscape Enterprise & FastTrack Authentication Buffer Overflow
    Vulnerability
BugTraq ID: 847
Remote: Yes
Date Published: 1999-12-01
Relevant URL: http://www.securityfocus.com/bid/847
Summary:

Certain versions of the Netscape FastTrack and Enterprise servers for both
Unix and NT contain a remotely exploitable buffer overflow vulnerability.
This vulnerability is present in both the Application and Administration
servers shipped with the respective packages. The problem lies in the HTTP
Basic Authentication procedure: on both servers it has a buffer overflow
condition when a long username or password (over 508 characters) is
provided. This may result in an attacker gaining root privileges under UNIX
and SYSTEM privileges under NT.

20. SCO UnixWare '/var/mail' permissions Vulnerability
BugTraq ID: 849
Remote: No
Date Published: 1999-12-03
Relevant URL: http://www.securityfocus.com/bid/849
Summary:

Certain versions of SCO's UnixWare (only 7.1 was tested) ship with the
/var/mail/ directory with permission 777 (-rwxrwxrwx). This in effect allows
malicious users to read incoming mail for users who do not yet have a mail
file (/var/mail/username) present. This may be done by simply creating the
file in question with a permission mode which is readable to the attacker.

21. SCO UnixWare 'pkg' commands Vulnerability
BugTraq ID: 850
Remote: No
Date Published: 1999-12-03
Relevant URL: http://www.securityfocus.com/bid/850
Summary:

Certain versions of SCO's UnixWare (only version 7.1 was tested) ship with a
series of package install/removal utilities which, due to design issues
under the SCO UnixWare operating system, may read any file on the system
regardless of its permissions. This is due to the package commands
(pkginfo, pkgcat, pkgparam, etc.) having extended access due to
Discretionary Access Controls (DAC) via /etc/security/tcb/privs. This
mechanism is explained more thoroughly in the original message to Bugtraq,
which is listed in full in the 'Credit' section of this vulnerability entry.

22. SCO UnixWare 'coredump' Symlink Vulnerability
BugTraq ID: 851
Remote: No
Date Published: 1999-12-03
Relevant URL: http://www.securityfocus.com/bid/851
Summary:

Under certain versions of SCO UnixWare, if a user can force an SGID (Set
Group ID) program to dump core, they may launch a symlink attack by guessing
the PID (Process ID) of the SGID process they are calling. This is required
because the core file is dumped into the directory the program is executed
from as './core.pid'. The program dumping core does not check for the
existence of a symlinked file and will happily overwrite any file it has
permission to write. Many SGID binaries under UnixWare are in the group
'sgid-sys', a group which has write permission to a large number of system
critical files. This attack will most likely result in a denial of service,
however if the attacker can provide some data to the core file she may be
able to leverage root access. For example, if the intruder were able to get
'+ +' onto a line of its own in the core file, the intruder could then
overwrite root's .rhosts file.

III. PATCH UPDATES 1999-11-27 to 1999-12-05
-------------------------------------------

1. Vendor: Symantec
Product: Symantec Mail-Gear 1.0
Vulnerability Patched: Symantec Mail-Gear Directory Traversal Vulnerability
BugTraq ID: 827
Relevant URLS: http://www.securityfocus.com/bid/827
Patch Location:
http://www.symantec.com/urlabs/public/download/download.html

2. Vendor: Microsoft
Product: IE5
Vulnerability Patched: Microsoft IE5 Offline Browsing Pack Task Scheduler
BugTraq ID: 828
Relevant URLS: http://www.securityfocus.com/bid/828
Patch Location:
IE 5.01 is not susceptible to this vulnerability. The Task Scheduler that
is included with 5.01 uses signature verification to check that all
scheduled tasks were created by the administrator of the local machine. It
can be downloaded at:
http://www.microsoft.com/msdownload/iebuild/ie501_win32/en/ie501_win32.htm

3. Vendor: Qualcomm
Product: qpop
Vulnerability Patched: qpop Remote Buffer Overflow
BugTraq ID: 830
Relevant URLS: http://www.securityfocus.com/bid/830
Patch Location:
The newest version, qpopper3.0b22 (which is patched), is available at:
ftp://ftp.qualcomm.com/eudora/servers/unix/popper/

4. Vendor: Microsoft
Product: Microsoft Windows 9x
Vulnerability Patched: Microsoft Windows 9x Plaintext Credential Cache
BugTraq ID: 829
Relevant URLS: http://www.securityfocus.com/bid/829
Patch Location:
Microsoft has released a patch to deal with this issue. It is available at:
Windows 95:
http://download.microsoft.com/download/win95/update/168115/w95/en-us/168115us5.exe
Windows 98:
http://download.microsoft.com/download/win98/update/168115/w98/en-us/168115us8.exe

5. Vendor: RSA Data Security
Product: RSAREF
Vulnerability Patched: RSAREF Buffer Overflow
BugTraq ID: 843
Relevant URLS: http://www.securityfocus.com/bid/843
Patch Location:
RSA Security no longer supports the RSAREF library. CORE SDI has developed
the following fix for RSAREF:
http://www.securityfocus.com/bid/843

6. Vendor: Endymion
Product: Endymion Mailman
Vulnerability Patched: Endymion Mailman Default Configuration Vulnerability
BugTraq ID: 845
Relevant URLS: http://www.securityfocus.com/bid/845
Patch Location:
Endymion does warn customers to change permissions on the software. A fix
for this is to change the permissions to 0600 for the files and 0700 for
the directories.

7. Vendor: Microsoft
Product: IE5
Vulnerability Patched: Microsoft IE5 WPAD Spoofing
BugTraq ID: 846
Relevant URLS: http://www.securityfocus.com/bid/846
Patch Location:
Microsoft has released IE5.01, which is not vulnerable to this attack.
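Three of the entries above (the Websphere deinstall script, BugTraq ID 844; the Endymion Mailman files, 845; the UnixWare /var/mail directory, 849) are the same class of problem: world-writable files and directories that a privileged user or daemon later trusts. The audit below is an added example, not vendor code: it walks a tree, reports every world-writable entry, and applies the 0600/0700 remediation from the Endymion fix in entry 6 to a constructed fixture in a temporary directory.

```python
"""World-writable file audit for the permission advisories above
(BugTraq IDs 844, 845 and 849).  Added example, not vendor code; the
fixture it builds is constructed and lives in a temporary directory."""
import os
import shutil
import stat
import tempfile

# Targets taken from the Endymion Mailman fix: 0600 for files, 0700 for dirs.
FILE_TARGET = 0o600
DIR_TARGET = 0o700


def find_world_writable(root):
    """Return sorted (path, mode, is_dir) for world-writable entries under root.

    Uses lstat and skips symlinks, so a link into a writable area is not
    mistaken for a writable file of its own.
    """
    found = []
    for dirpath, _dirnames, filenames in os.walk(root):
        entries = [(dirpath, True)]
        entries += [(os.path.join(dirpath, f), False) for f in filenames]
        for path, is_dir in entries:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            if st.st_mode & stat.S_IWOTH:
                found.append((path, stat.S_IMODE(st.st_mode), is_dir))
    return sorted(found)


def remediation_plan(findings):
    """Map each finding to (path, current_mode, target_mode)."""
    return [(p, m, DIR_TARGET if d else FILE_TARGET) for p, m, d in findings]


def apply_plan(plan):
    """chmod every path in the plan to its target mode; returns count changed."""
    for path, _current, target in plan:
        os.chmod(path, target)
    return len(plan)


def demo():
    """Build a constructed tree mirroring the advisories, audit, fix, re-audit.

    uninstall.sh  mode 777  (the Websphere deinstall script, BugTraq 844)
    mailman.dat   mode 666  (an Endymion Mailman data file, BugTraq 845)
    var_mail/     mode 777  (the UnixWare spool directory, BugTraq 849)
    ok.conf       mode 644  (control: readable but not world-writable)
    """
    root = tempfile.mkdtemp(prefix="permaudit-")
    try:
        layout = {"uninstall.sh": 0o777, "mailman.dat": 0o666, "ok.conf": 0o644}
        for name, mode in layout.items():
            path = os.path.join(root, name)
            with open(path, "w") as fh:
                fh.write("constructed sample\n")
            os.chmod(path, mode)           # explicit chmod defeats the umask
        spool = os.path.join(root, "var_mail")
        os.mkdir(spool)
        os.chmod(spool, 0o777)

        before = find_world_writable(root)
        plan = remediation_plan(before)
        changed = apply_plan(plan)
        after = find_world_writable(root)
        return {
            "before": [os.path.relpath(p, root) for p, _m, _d in before],
            "targets": {os.path.relpath(p, root): t for p, _m, t in plan},
            "changed": changed,
            "after": len(after),
        }
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

On a real system run find_world_writable() over /usr/bin, the application's install tree or /var/mail and review the plan before applying it, since some spool layouts rely on group or setgid access that 0600/0700 would remove.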
IE5.01 can be downloaded from:
http://www.microsoft.com/msdownload/iebuild/ie501_win32/en/ie501_win32.htm

8. Vendor: Netscape
Product: Netscape Enterprise & FastTrack Servers
Vulnerability Patched: Netscape Enterprise & FastTrack Authentication
                       Buffer Overflow
BugTraq ID: 847
Relevant URLS: http://www.securityfocus.com/bid/847
               http://www.iss.net/xforce
Patch Location:
As taken from the ISS advisory, which is listed in full in the 'Credit'
section of this advisory:

Affected users should upgrade their systems immediately. This vulnerability
affects systems running Administration Server with password protected areas
that rely on Basic Authentication. If you run any of the affected servers on
any platform, upgrade to iPlanet Web Server 4.0sp2 at:
http://www.iplanet.com/downloads/testdrive/detail_161_243.html.
Netscape has stated that FastTrack will not be patched. Although Netscape
released service pack 3 for Enterprise Server 3.6 that fixes the
vulnerability in the web server, the Administration Server remains
vulnerable.

9. Vendor: Slackware
Product: Linux (Slackware)
Vulnerability Patched: Multiple BIND Vulnerabilities
BugTraq ID: 788
Relevant URLS: http://www.securityfocus.com/bid/788
Patch Location: ftp.cdrom.com:/pub/linux/slackware-4.0/patches/bind.tgz

10. Vendor: Slackware
Product: Linux (Slackware)
Vulnerability Patched: Linux nfsd Remote Buffer Overflow Vulnerability
BugTraq ID: 782
Relevant URLS: http://www.securityfocus.com/bid/782
Patch Location: ftp.cdrom.com:/pub/linux/slackware-4.0/patches/nfs-server.tgz

11. Vendor: Slackware
Product: Linux (Slackware)
Vulnerability Patched: Linux syslogd Denial of Service Vulnerability
BugTraq ID: 809
Relevant URLS: http://www.securityfocus.com/bid/802
Patch Location: ftp.cdrom.com:/pub/linux/slackware-4.0/patches/sysklogd.tgz

12. Vendor: Microsoft
Product: - Microsoft IIS 4.0
         - Microsoft Site Server 3.0
         - Microsoft Site Server Commerce Edition 3.0
Vulnerability Patched: Multithreaded SSL ISAPI Filter
BugTraq ID: NONE
Relevant URLS: http://www.microsoft.com/security/bulletins/MS99-053faq.asp
Patch Location:
- x86:   http://www.microsoft.com/downloads/release.asp?ReleaseID=16186
- Alpha: http://www.microsoft.com/downloads/release.asp?ReleaseID=16187
NOTE: This and other patches are available from the Microsoft Download
Center:
http://www.microsoft.com/downloads/search.asp?Search=Keyword&Value='security_patch'&OpSysID=1

13. Vendor: OpenBSD
Product: OpenBSD
Vulnerability Patched: RSAREF Buffer Overflow
BugTraq ID: 843
Relevant URLS: http://www.securityfocus.com/bid/843/
Patch Location:
ftp://ftp.usa.openbsd.org/pub/OpenBSD/2.6/i386/sslUSA26.tar.gz
ftp://ftp.usa.openbsd.org/pub/OpenBSD/2.6/sparc/sslUSA26.tar.gz
ftp://ftp.usa.openbsd.org/pub/OpenBSD/2.6/hp300/sslUSA26.tar.gz
ftp://ftp.usa.openbsd.org/pub/OpenBSD/2.6/mvme68k/sslUSA26.tar.gz
ftp://ftp.usa.openbsd.org/pub/OpenBSD/2.6/mac68k/sslUSA26.tar.gz
ftp://ftp.usa.openbsd.org/pub/OpenBSD/2.6/amiga/sslUSA26.tar.gz

IV. SECURITYFOCUS.COM TOP 6 NEWS ARTICLES
-----------------------------------------

Due to popular demand we have added a 'Top Six Stories' section to the
newsletter. SecurityFocus.com actually gathers over 100 news articles a
week; these 6 before you are those which were the most read through our
site, or those we thought were of special interest.

1. NSA Spies Running Dry? (November 29, 1999)
Excerpt: Spies at the US National Security Agency may be having trouble
eavesdropping on information transmitted through the Internet and fiber
optic cables.
URL: http://www.securityfocus.com/templates/frame.html?adgroup=secnews&url=/external/http%3a%2f%2fwww.wired.com%2fnews%2fpolitics%2f0,1283,32770,00.html

2. Staples files suit against Web hacker. (November 30, 1999)
Excerpt: Officials at Staples Inc. filed a lawsuit in US District Court in
Boston yesterday charging that ''John Doe,'' the unidentified hacker,
illegally accessed the company's Web site and damaged the company by
stealing e-commerce business.
URL: http://www.securityfocus.com/templates/frame.html?adgroup=secnews&url=/external/http%3a%2f%2fwww.wired.com%2fnews%2fpolitics%2f0,1283,32770,00.html

3. Worm Virus Cripples Corporate Computers (December 1, 1999)
Excerpt: A deadly new version of a destructive computer worm has crippled
e-mail systems among Fortune 500 companies and others, chewed up files and
created havoc among the corporations that sought to limit the damage.
URL: http://www.securityfocus.com/templates/frame.html?adgroup=secnews&url=/external/http%3a%2f%2fwww.apbnews.com%2fnewscenter%2finternetcrime%2f1999%2f12%2f01%2fvirus1201_01.html

4. Novell chief's credit card stolen online (December 2, 1999)
Excerpt: Speaking at San Francisco's Digital Economy conference Thursday,
Schmidt informed the crowd that his credit card number had been stolen over
the Internet in the past. Although he isn't sure exactly how his card number
was lifted, Schmidt says he believes it was through a mechanism that reads
the cookies-files sitting on a user's desktop and storing personal
information, such as passwords and preferences.
URL: http://www.securityfocus.com/templates/frame.html?adgroup=secnews&url=/external/http%3a%2f%2fwww.wired.com%2fnews%2fpolitics%2f0,1283,32770,00.html

5. Court upholds hacker's death sentence (December 3, 1995)
Excerpt: A Chinese court has upheld the death sentence for a man who hacked
into the computer system of a state bank to steal money, the Financial News
reported on Saturday. The Yangzhou Intermediate People's Court in eastern
Jiangsu province rejected the appeal of Hao Jingwen, upholding a death
sentence imposed last year, the newspaper said.
URL: http://www.securityfocus.com/templates/frame.html?adgroup=secnews&url=/external/http%3a%2f%2fwww.wired.com%2fnews%2fpolitics%2f0,1283,32770,00.html

6. Suspect in huge computer fraud case faces court (December 5, 1995)
Excerpt: He called himself "The Gatsby." And like F. Scott Fitzgerald's
fictional character, he inhabited a world of power, money and cunning. That
fantasy world abruptly ended Feb. 22, 1995, when FBI agents raided the
bedroom of Jonathan Bosanac, aka The Gatsby, who lived in his parents'
million-dollar home in Rancho Santa Fe. Federal law enforcers said Bosanac
was a ringleader in one of the biggest computer hacking schemes in U.S.
history.
URL: http://www.securityfocus.com/templates/frame.html?adgroup=secnews&url=/external/http%3a%2f%2fwww.uniontrib.com%2fnews%2funiontrib%2fsun%2fnews%2fnews_1n5hacker.html

V. INCIDENTS SUMMARY 1999-11-27 to 1999-12-05
---------------------------------------------

1. Port 98 scans & new 3128/8080 scans (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=75&date=1999-11-22&msg=14401.22457.121945.823373@cap-ferrat.albourne.com

2. Strange Web Traffic (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=75&date=1999-11-22&msg=31933968789DD111BEAB0080C81D384C200F6A@CT_NT

3. Smurf / "ICMP Echo Reply" logs (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=75&date=1999-11-22&msg=19991129075230.6919.qmail@securityfocus.com

4. BIND Scanning (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=75&date=1999-11-29&msg=19991129165821.19627.qmail@securityfocus.com

5. problems from ip69.net247221.cr.sk.ca[24.72.21.69] (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=75&date=1999-11-29&msg=SIMEON.9911291006.E470@bluebottle.itss

6. Port scanning (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=75&date=1999-11-29&msg=Pine.LNX.4.05.9911301616040.1748-100000@marvin.junknet

7. Network security monitoring tools (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=75&date=1999-11-29&msg=Pine.BSF.4.10.9911302011220.9473-100000@ns1.host.qc.ca

8. How to Report Internet-Related Crime (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=75&date=1999-11-29&msg=19991201134808.B14851@securityfocus.com

9. rpc scans and nfs attacks from 210.217.26.15 (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=75&date=1999-11-29&msg=Pine.LNX.4.05.9912020844320.24774-100000@grace.speakeasy.org

10. New named attack or what? (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=75&date=1999-11-29&msg=Pine.LNX.4.21.9912020737001.12556-100000@ns.ldc.ro

11. Traffic from 210.163.117.209 (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=75&date=1999-11-29&msg=19991202110508.3958.qmail@securityfocus.com

12. RunOnceEx
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=75&date=1999-11-29&msg=357a2b90036f8275f8cc9d935e7020e238481ac3@tripwiresecurity.com

VI. VULN-DEV RESEARCH LIST SUMMARY 1999-11-27 to 1999-12-05
----------------------------------------------------------

1. Cisco NAT DoS (VD#1) (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=82&date=1999-11-22&msg=199911290435.XAA20460@rooster.cisco.com

2. PHP (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=82&date=1999-11-29&msg=Pine.GSO.4.10.9911301431530.16932-100000@kenny.intranet.csupomona.edu

3. WordPad exploit development: executing arbitrary code on Win98 (fin)
   (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=82&date=1999-11-29&msg=19991130191759.43230.qmail@hotmail.com

4. Idiocy "exploit" (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=82&date=1999-11-29&msg=199912011302.IAA22031@mailhost.squonk.net

5. Norton AntiVirus 2000 POProxy.exe (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=82&date=1999-11-29&msg=Pine.BSF.4.10.9912011816320.12955-100000@shell20.ba.best.com

VII. SECURITY JOBS SUMMARY 1999-11-27 to 1999-12-05
---------------------------------------------------

Seeking Staff:

1. Corporate Information Security Officer
Reply to: Neal Fisher
Requirements:
http://www.securityfocus.com/templates/archive.pike?list=77&date=1999-11-29&thread=19991129174646.21886.qmail@securityfocus.com

VIII. SECURITY SURVEY 1999-11-15 to 1999-11-27
----------------------------------------------

The question for 1999-11-15 to 1999-11-27 was:

Whose responsibility is it to notify vendors of security flaws in their
products?

1. The person/group who discovered and posted the flaw
2. The resource where the information is published (ie Bugtraq, NTBugtraq,
   etc)
3. Vendors should be responsible for keeping up to date on discoveries
   about their software.

Results:

1. 40% / 36 votes
2.  1% /  1 vote
3. 56% / 50 votes

Total Votes: 88 votes

IX. SECURITY FOCUS TOP 6 TOOLS 1999-11-27 to 1999-12-05
--------------------------------------------------------

1. SecurityFocus.com Pager by SecurityFocus.com
URL: http://www.securityfocus.com/pager/sf_pgr20.zip
Platforms: Win95/98/NT
Number of downloads: 1759

This program allows the user to monitor additions to the SecurityFocus
website without constantly maintaining an open browser. Sitting quietly in
the background, it polls the website at a user-specified interval and alerts
the user via a blinking icon in the system tray, a popup message or both
(also user-configurable).

2. SuperScan 2.0.5 by Robin Keir
URL: http://members.home.com/rkeir/software.html
Platforms: Windows 2000, Windows 95/98 and Windows NT
Number of downloads: 1624

This is a powerful connect-based TCP port scanner, pinger and hostname
resolver. Multithreaded and asynchronous techniques make this program
extremely fast and versatile. Perform ping scans and port scans using any IP
range or specify a text file to extract addresses from. Scan any port range
from a built-in list or any given range. Resolve and reverse-lookup any IP
address or range. Modify the port list and port descriptions using the
built-in editor. Connect to any discovered open port using user-specified
"helper" applications (e.g. Telnet, Web browser, FTP) and assign a custom
helper application to any port. Save the scan list to a text file.
Transmission speed control. User friendly interface. Includes help file.

3. IDS Alert Script for FW-1 1.3 by Lance Spitzner
URL: http://www.enteract.com/~lspitz/intrusion.html
Platforms: Solaris
Number of downloads: 1578

Flexible network based IDS script for CheckPoint Firewall-1 installations.
Build Intrusion Detection into your firewall. Features include:
- Automated alerting, logging, and archiving
- Automated blocking of attacking source
- Automated identification and email to remote site
- Installation and test script
- Fully configurable
Ver 1.3: Optimized for performance, over 50% speed increase.

4. NTInfoScan 4.2.2 by David Litchfield
URL: http://www.infowar.co.uk/mnemonix/ntinfoscan.htm
Platforms: Windows NT
Number of downloads: 1417

NTInfoScan is a security scanner designed specifically for the Windows NT
4.0 operating system. It's simple to use - you run it from a command line -
and when the scan is finished it produces an HTML based report of security
issues found with hyper-text links to vendor patches and further
information. NTInfoScan is currently at version 4.2.2. It tests a number of
services such as ftp, telnet and the web service for security problems. In
addition, NTInfoScan will check NetBIOS share security and user account
security.

5. Fragrouter 1.6 by Dug Song, Anzen Computing
URL: http://www.anzen.com/research/nidsbench/
Platforms: BSDI, FreeBSD, Linux, NetBSD, OpenBSD and Solaris
Number of downloads: 1043

Fragrouter is a network intrusion detection evasion toolkit. It implements
most of the attacks described in the Secure Networks "Insertion, Evasion,
and Denial of Service: Eluding Network Intrusion Detection" paper of
January 1998. This program was written in the hopes that a more precise
testing methodology might be applied to the area of network intrusion
detection, which is still a black art at best.

6. Snort UPDATE 1.3.1 by Martin Roesch
URL: http://www.clark.net/~roesch/security.html#Download
Platforms: FreeBSD, HP-UX, IRIX, Linux, MacOS, OpenBSD and Solaris
Number of downloads: 826

Snort is a libpcap-based packet sniffer/logger which can be used as a
lightweight network intrusion detection system. It features rules based
logging and can perform protocol analysis and content searching/matching,
and can be used to detect a variety of attacks and probes, such as buffer
overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting
attempts, and much more. Snort has a real-time alerting capability, with
alerts being sent to syslog, a separate "alert" file, or as a WinPopup
message via Samba's smbclient.

X. SPONSOR INFORMATION
------------------------------------------

URL: http://www.core-sdi.com

CORE SDI is an international computer security research and development
company. Its clients include 3 of the Big 5 chartered accountant firms, for
whom CORE SDI develops customized security auditing tools, as well as
several notable computer security product vendors, such as Network
Associates. CORE SDI also has extensive experience dealing with financial
and government contracts throughout Latin and North America.

XI. SUBSCRIBE/UNSUBSCRIBE INFORMATION
-------------------------------------

1. How do I subscribe?

Send an e-mail message to LISTSERV@SECURITYFOCUS.COM with a message body of:

SUBSCRIBE SF-NEWS Lastname, Firstname

You will receive a confirmation request message to which you will have to
answer.

2. How do I unsubscribe?

Send an e-mail message to LISTSERV@SECURITYFOCUS.COM from the subscribed
address with a message body of:

UNSUBSCRIBE SF-NEWS

If your email address has changed email aleph1@securityfocus.com and I will
manually remove you.

3. How do I disable mail delivery temporarily?

If you are simply going on vacation you can turn off mail delivery without
unsubscribing by sending LISTSERV the command:

SET SF-NEWS NOMAIL

To turn e-mail delivery back on use the command:

SET SF-NEWS MAIL

4. Is the list available in a digest format?

Yes. The digest is generated once a day.

5. How do I subscribe to the digest?

To subscribe to the digest join the list normally (see section 0.2.1) and
then send a message to LISTSERV@SECURITYFOCUS.COM with a message body of:

SET SF-NEWS DIGEST

6. How do I unsubscribe from the digest?

To turn the digest off send a message to LISTSERV with a message body of:

SET SF-NEWS NODIGEST

If you want to unsubscribe from the list completely follow the instructions
of section 0.2.2 next.

7. I seem to not be able to unsubscribe. What is going on?

You are probably subscribed from a different address than the one from
which you are sending commands to LISTSERV. Either send email from the
appropriate address or email the moderator to be unsubscribed manually.

Alfred Huger
VP of Engineering
SecurityFocus.com

@HWA

-=----------=- -=----------=- -=----------=- -=----------=-

AD.S ADVERTI$ING. The HWA black market ADVERTISEMENT$.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ _ _ _ _ /\ | | | | (_) (_) / \ __| |_ _____ _ __| |_ _ ___ _ _ __ __ _ / /\ \ / _` \ \ / / _ \ '__| __| / __| | '_ \ / _` | / ____ \ (_| |\ V / __/ | | |_| \__ \ | | | | (_| | /_/ \_\__,_| \_/ \___|_| \__|_|___/_|_| |_|\__, | __/ | |___/ ADVERTISING IS FREE, SEND IN YOUR ADS TO CRUCIPHUX@DOK.ORG FOR INCLUSION HERE . . ............... . : : . . . . . . __:________ : : ___________ . . . \ < /_____:___ : ( < __( :_______ ) : )______:___\_ (___( : / =====/________|_________/ < | : (________________(====== : (__________________) :wd! . : : : - / - w w w . h a c k u n l i m i t e d . c o m - / - : . . . . . : : . . . . . :...............: . . ***************************************************************************** * * * ATTRITION.ORG http://www.attrition.org * * ATTRITION.ORG Advisory Archive, Hacked Page Mirror * * ATTRITION.ORG DoS Database, Crypto Archive * * ATTRITION.ORG Sarcasm, Rudeness, and More. * * * ***************************************************************************** When people ask you "Who is Kevin Mitnick?" do you have an answer? www.2600.com www.freekevin.com www.kevinmitnick.com www.2600.com www.freekevi n.com www.kevinmitnick.com www.2600.com www.freekevin.com www.kevinmitnick.co m www.2600.com ########################################ww.2600.com www.freeke vin.com www.kev# Support 2600.com and the Free Kevin #.com www.kevinmitnick. com www.2600.co# defense fund site, visit it now! . # www.2600.com www.free kevin.com www.k# FREE EVIN! #in.com www.kevinmitnic k.com www.2600.########################################om www.2600.com www.fre ekevin.com www.kevinmitnick.com www.2600.com www.freekevin.com www.kevinmitnic k.com www.2600.com www.freekevin.com www.kevinmitnick.com www.2600.com www.fre http://www.2600.com/ http://www.kevinmitnick.com +-----------------------------------------------------------------------------+ | SmoG Alert .. 
http://smog.cjb.net/ NEWS on SCIENCE | | =================== http://smog.cjb.net/ NEWS on SECURITY | | NEWS/NEWS/NEWS/NEWS http://smog.cjb.net/ NEWS on THE NET | | http://smog.cjb.net/ NEWS on TECHNOLOGY | +-----------------------------------------------------------------------------+ * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * www.csoft.net webhosting, shell, unlimited hits bandwidth ... www.csoft.net * * www.csoft.net www.csoft.net www.csoft.net www.csoft.net www.csoft.net * * http://www.csoft.net" One of our sponsers, visit them now www.csoft.net * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * WWW.BIZTECHTV.COM/PARSE WEDNESDAYS AT 4:30PM EST, HACK/PHREAK CALL-IN WEBTV * * JOIN #PARSE FOR LIVE PARTICIPATION IN SHOW CHAT OR THE WEBCHAT, AND WEBBOARD* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * WWW.2600.COM OFF THE HOOK LIVE NETCAST'S TUES SIMULCAST ON WBAI IN NYC @8PM * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * ////////////////////////////////////////////////////////////////////////////// // To place an ad in this section simply type it up and email it to // // hwa@press,usmc.net, put AD! in the subject header please. - Ed // // or cruciphux@dok.org // ////////////////////////////////////////////////////////////////////////////// @HWA HA.HA Humour and puzzles ...etc ~~~~~~~~~~~~~~~~~~~~~~~~~ Don't worry. worry a *lot* Send in submissions for this section please! ............c'mon, you KNOW you wanna...yeah you do...make it fresh and new...be famous... SITE.1 Domain of the week: http://www.icardedthisdomain.com/ No comment. http://www.nudehackers.com/ Dephile and others Exploits, tools, zines etc, check it out... 
- Ed http://hackadvantage.cjb.net Run by; SmoG If you're looking for tips on how to beat the system when it comes to free banners or paid-to-surf scams this is the place to check out, lots of info, updated regularily. http://geekmafia.dynip.com/~xm/ Run by: Ex Machina I've included the "I was a teenage nmapper" article from this site in this issue check it out, has some interesting stuff and a security how-to. You can Send in submissions for this section too if you've found (or RUN) a cool site... @HWA H.W Hacked websites ~~~~~~~~~~~~~~~~ ___| _ \ | | __| _` |\ \ / | | __| _ \ _` | | | ( | ` < | | | __/ ( | \____|_| \__,_| _/\_\\___/ _| \___|\__,_| Note: The hacked site reports stay, especially wsith some cool hits by groups like *H.A.R.P, go get em boyz racism is a mugs game! - Ed * Hackers Against Racist Propaganda (See issue #7) Haven't heard from Catharsys in a while for those following their saga visit http://frey.rapidnet.com/~ptah/ for 'the story so far'... Hacker groups breakdown is available at Attrition.org ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ check out http://www.attrition.org/mirror/attrition/groups.html to see who you are up against. You can often gather intel from IRC as many of these groups maintain a presence by having a channel with their group name as the channel name, others aren't so obvious but do exist. >Hacked Sites Start<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< * Info supplied by the attrition.org mailing list. Listed oldest to most recent... 
Defaced domain: www.mecafrance-sa.fr Mirror: http://www.attrition.org/mirror/attrition/1999/12/04/www.mecafrance-sa.fr Defaced by: bansh33 Operating System: BSDI (Apache 1.2.6) Defaced domain: www.workplacesolutions.org Site Title: Wider Opportunities for Women Mirror: http://www.attrition.org/mirror/attrition/1999/12/04/www.workplacesolutions.org Defaced by: P Y R O S T O R M 6 6 6 Operating System: Windows NT (IIS/4.0) Previously defaced on 99.10.12 and 99.10.11 by unknown and forpaxe Defaced domain: www.lapsi.org Site Title: LAPSI Mirror: http://www.attrition.org/mirror/attrition/1999/12/04/www.lapsi.org Defaced by: Hacking for Swedish Chicks Operating System: Linux (Apache 1.3.3) Defaced domain: www.activedev.net Mirror: http://www.attrition.org/mirror/attrition/1999/12/07/www.activedev.net Defaced by: pyrostorm666 Operating System: Windows NT (IIS/4.0) Defaced domain: www.wnr.com Mirror: http://www.attrition.org/mirror/attrition/1999/12/07/www.wnr.com Operating System: Windows NT (IIS/4.0) Potentially offensive content on defaced page. Defaced domain: www.98fm.ie Mirror: http://www.attrition.org/mirror/attrition/1999/12/07/www.98fm.ie Defaced by: FM104 Operating System: Windows NT (IIS/4.0) Potentially offensive content on defaced page. Defaced domain: www.98fm.ie Mirror: http://www.attrition.org/mirror/attrition/1999/12/07/www.98fm.ie Defaced by: FM104 Operating System: Windows NT (IIS/4.0) Potentially offensive content on defaced page. Defaced domain: www.zoemorgan.com Site Title: Colin McPherson Mirror: http://www.attrition.org/mirror/attrition/1999/12/07/www.zoemorgan.com Defaced by: w0lf Operating System: Irix (Rapidsite/Apa-1.3.4) Defaced domain: www.sshackers.com Site Title: Sesame Street Hax0rz Mirror: http://www.attrition.org/mirror/attrition/1999/12/07/www.sshackers.com Defaced by: cryptic Operating System: FreeBSD Potentially offensive content on defaced page. HWA note: Dap gave out the ftp info for this site and invite defacers to hit it. 
Defaced domain: garfield.ir.ucf.edu
Site Title: GroupWise Support At University of Central Florida
Mirror: http://www.attrition.org/mirror/attrition/1999/12/07/garfield.ir.ucf.edu
Defaced by: Algorithm Cracker
Operating System: Solaris
Potentially offensive content on defaced page.

Defaced domain: www.asjainternational.com
Site Title: ASJA International
Mirror: http://www.attrition.org/mirror/attrition/1999/12/07/www.asjainternational.com
Defaced by: hV2k
Operating System: BSD/OS
Potentially offensive content on defaced page.

Defaced domain: www.furbay.com
Site Title: Furbay Electric, Inc
Mirror: http://www.attrition.org/mirror/attrition/1999/12/07/www.furbay.com
Defaced by: r00tabega
Operating System: BSDI 3.0 (Apache/1.2.6)
Potentially offensive content on defaced page.

Defaced domain: www.dwhs.org
Site Title: Desert Winds High School
Mirror: http://www.attrition.org/mirror/attrition/1999/12/07/www.dwhs.org
Defaced by: p4riah
Operating System: Windows NT (IIS/4.0)
Previously defaced on 99.09.08 by Logik Boyz
HIDDEN comments in the HTML.
Potentially offensive content on defaced page.

Defaced domain: www.familyheartbeat.org
Site Title: Family Heartbeat Ministries
Mirror: http://www.attrition.org/mirror/attrition/1999/12/07/www.familyheartbeat.org
Defaced by: Uneek Tech
Operating System: BSDI 3.0 (Apache 1.2.6)
Previously defaced on 99.11.30 by electr0n
Potentially offensive content on defaced page.

Defaced domain: www.mj.gov.br
Mirror: http://www.attrition.org/mirror/attrition/1999/12/07/www.mj.gov.br
Operating System: Windows NT (IIS/4.0)
HIDDEN comments in the HTML.
Potentially offensive content on defaced page.

Defaced domain: www.bottle-fun.com
Site Title: Comport EDV Service
Mirror: http://www.attrition.org/mirror/attrition/1999/12/08/www.bottle-fun.com
Defaced by: Uneek Tech
Operating System: BSDI 3.0 (Apache 1.2.6)
Potentially offensive content on defaced page.
Defaced domain: garfield.ir.ucf.edu
Site Title: University of Central Florida
Mirror: http://www.attrition.org/mirror/attrition/1999/12/08/garfield.ir.ucf.edu
Defaced by: bansh33
Operating System: Solaris
Previously defaced on 99.12.07 by AC
Potentially offensive content on defaced page.

Defaced domain: www.filmworld.com
Site Title: Robert Konop (FILMWORLD-DOM)
Mirror: http://www.attrition.org/mirror/attrition/1999/12/08/www.filmworld.com
Defaced by: #Hack-org Hacking Team
Operating System: Solaris
Potentially offensive content on defaced page.

Defaced domain: www.netsecuresolutions.com
Site Title: NetSecure Solutions
Mirror: http://www.attrition.org/mirror/attrition/1999/12/08/www.netsecuresolutions.com
Defaced by: unknown
Operating System: Linux
HIDDEN comments in the HTML.
Potentially offensive content on defaced page.

Defaced domain: www.fightclub.de
Mirror: http://www.attrition.org/mirror/attrition/1999/12/08/www.fightclub.de
Defaced by: kryptek
Operating System: Linux (Apache 1.3.6)
Potentially offensive content on defaced page.

Defaced domain: www.pheta.com
Site Title: pheta.com
Mirror: http://www.attrition.org/mirror/attrition/1999/12/08/www.pheta.com
Defaced by: RH Crew
Operating System: Linux (Apache 1.3.3)
Potentially offensive content on defaced page.

Defaced domain: www.radicalwheeling.com.br
Mirror: http://www.attrition.org/mirror/attrition/1999/12/08/www.radicalwheeling.com.br
Defaced by: Death Knights
Operating System: Linux (Apache 1.3.4)
Potentially offensive content on defaced page.

Defaced domain: www.bearland.com
Mirror: http://www.attrition.org/mirror/attrition/1999/12/08/www.bearland.com
Defaced by: n4rfy/Death Knights
Operating System: Windows NT (IIS/4.0)
Previously defaced on 99.11.03 by p4riah
Potentially offensive content on defaced page.
Defaced domain: www.sis.net
Site Title: Strategic Information Solutions
Mirror: http://www.attrition.org/mirror/attrition/1999/12/08/www.sis.net
Defaced by: n4rfy/Death Knights
Operating System: Windows NT (IIS/4.0)
Previously defaced on 99.09.10 by 139_r00ted
Potentially offensive content on defaced page.

Defaced domain: www.dprf.gov.br
Mirror: http://www.attrition.org/mirror/attrition/1999/12/08/www.dprf.gov.br
Defaced by: inferno.br
Operating System: NT

Defaced domain: www.elpublicista.com
Mirror: http://www.attrition.org/mirror/attrition/1999/12/08/www.elpublicista.com
Defaced by: TH3 G4L4CT1C C0WB0YS
Operating System: BSD/OS
Potentially offensive content on defaced page.

Defaced domain: www.megaadult.com
Site Title: Empire Communications Inc.
Mirror: http://www.attrition.org/mirror/attrition/1999/12/09/www.megaadult.com
Operating System: Windows NT (Netscape-Enterprise/3.6)
Previously defaced on 99.08.27 by Uneek Tech
Potentially offensive content on defaced page.

Defaced domain: www.hawgparts.com
Site Title: P And S, Inc
Mirror: http://www.attrition.org/mirror/attrition/1999/12/09/www.hawgparts.com
Defaced by: Pyrostorm666
Operating System: FreeBSD 2.2.1 - 3.0 (Apache 1.2.6)
Previously defaced on 99.11.19 by Devil-C
Potentially offensive content on defaced page.

Defaced domain: www.aba.gov.au
Mirror: http://www.attrition.org/mirror/attrition/1999/12/09/www.aba.gov.au
Defaced by: Ned R
Operating System: Windows NT (IIS/4.0)
Previously defaced on 99.11.27 by Ned R
Potentially offensive content on defaced page.

Defaced domain: www.portaldaserra.com.br
Mirror: http://www.attrition.org/mirror/attrition/1999/12/09/www.portaldaserra.com.br
Defaced by: n4rfy/Death Knights
Operating System: Linux (Apache 1.3.4)
Potentially offensive content on defaced page.
Defaced domain: www.vijya.com
Site Title: Vijya & Associates
Mirror: http://www.attrition.org/mirror/attrition/1999/12/09/www.vijya.com
Defaced by: pr1sm
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.

Defaced domain: www.98fm.ie
Mirror: http://www.attrition.org/mirror/attrition/1999/12/09/www.98fm.ie
Defaced by: r4in
Operating System: Windows NT (IIS/4.0)
Previously defaced on 99.12.07 by FM104
Potentially offensive content on defaced page.

Defaced domain: www.sshackers.com
Site Title: SSH TECH
Mirror: http://www.attrition.org/mirror/attrition/1999/12/09/www.sshackers.com
Defaced by: ex1t
Operating System: FreeBSD 2.2.1 - 3.0
Potentially offensive content on defaced page.
Attrition comment: 3 hacks in 2 days, no sign of repair. Likely hoax hacks or domain.
HWA note: carnage continues from dap dropping the ftp info...

Defaced domain: seresc.k12.nh.us
Mirror: http://www.attrition.org/mirror/attrition/1999/12/09/seresc.k12.nh.us
Defaced by: bansh33
Operating System: Linux (Apache 1.2.4)
Previously defaced on 99.11.14 by h4p
Potentially offensive content on defaced page.

Defaced domain: www.cccpstc.org
Site Title: Public Safety Training Center
Mirror: http://www.attrition.org/mirror/attrition/1999/12/09/www.cccpstc.org
Defaced by: dhc
Operating System: Linux (Apache 1.2.4)
Potentially offensive content on defaced page.

Defaced domain: www.mautzetal.com
Site Title: Mautz Baum & O'Hanlon LLP
Mirror: http://www.attrition.org/mirror/attrition/1999/12/09/www.mautzetal.com
Defaced by: DHC
Operating System: Linux (Apache 1.2.4)
Potentially offensive content on defaced page.

Defaced domain: www.petewardtravel.com
Site Title: Pete Ward Travel, Inc
Mirror: http://www.attrition.org/mirror/attrition/1999/12/09/www.petewardtravel.com
Defaced by: DHC
Operating System: Linux (Apache 1.2.4)
Potentially offensive content on defaced page.
Defaced domain: www.potatoflakes.com
Site Title: Oregon Potato Company
Mirror: http://www.attrition.org/mirror/attrition/1999/12/09/www.potatoflakes.com
Defaced by: DHC
Operating System: Linux (Apache 1.2.4)
Potentially offensive content on defaced page.

Defaced domain: mail.wetnet.de
Mirror: http://www.attrition.org/mirror/attrition/1999/12/09/mail.wetnet.de
Defaced by: Beezwax
Operating System: WinNT

Defaced domain: www.mustafakemal.org
Site Title: Stichting Dinaar Aan Islam
Mirror: http://www.attrition.org/mirror/attrition/1999/12/10/www.mustafakemal.org
Defaced by: nikobar
Operating System: Linux (Apache 1.3.3)
Potentially offensive content on defaced page.

Defaced domain: www.melissa.com
Site Title: Melissa Computer Systems
Mirror: http://www.attrition.org/mirror/attrition/1999/12/10/www.melissa.com
Defaced by: BouTsen And Flogher
Operating System: Solaris (Apache 1.3.3)
Previously defaced on 99.11.21 99.11.17 99.11.16 99.11.04 by c0de red clobher p4riah p4riah
Potentially offensive content on defaced page.

Defaced domain: www.seokang.ac.kr
Mirror: http://www.attrition.org/mirror/attrition/1999/12/10/www.seokang.ac.kr
Defaced by: burn0ut
Operating System: DG/UX (NCSA/1.4.2)
Potentially offensive content on defaced page.

Defaced domain: www.americanbevel.com
Site Title: American Bevel
Mirror: http://www.attrition.org/mirror/attrition/1999/12/10/www.americanbevel.com
Defaced by: w0lf
Operating System: Irix (Rapidsite/Apa-1.3.4 FrontPage)
Potentially offensive content on defaced page.

Defaced domain: www.sshackers.com
Site Title: SSH Tech
Mirror: http://www.attrition.org/mirror/attrition/1999/12/10/www.sshackers.com
Defaced by: antichrist
Operating System: FreeBSD (Apache)
Previously defaced on by
Potentially offensive content on defaced page.
Attrition comment: This *has* to be a hoax.
HWA note: see previous notes

Defaced domain: www.policiacivil.pi.gov.br
Mirror: http://www.attrition.org/mirror/attrition/1999/12/10/www.policiacivil.pi.gov.br
Defaced by: inferno.br
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.

Defaced domain: www.bhv.hn
Mirror: http://www.attrition.org/mirror/attrition/1999/12/10/www.bhv.hn
Defaced by: bean0
Operating System: Windows NT (IIS/4.0)
Previously defaced on 99.12.03 by acidklown
Potentially offensive content on defaced page.

Defaced domain: www.usinfo.be
Mirror: http://www.attrition.org/mirror/attrition/1999/12/10/www.usinfo.be
Defaced by: PHC
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.

Defaced domain: www.melissa.com
Site Title: Melissa Computer Systems
Mirror: http://www.attrition.org/mirror/attrition/1999/12/10/www.melissa.com
Operating System: Solaris (Apache 1.3.3)
Previously defaced on 5 previous times by
Potentially offensive content on defaced page.

Defaced domain: www.pira.co.uk
Mirror: http://www.attrition.org/mirror/attrition/1999/12/10/www.pira.co.uk
Defaced by: RoA
Operating System: Solaris 2.5 (Apache 1.2.4)
HIDDEN comments in the HTML.
Potentially offensive content on defaced page.

Defaced domain: www.hwa.net
Site Title: Hoefer WYSOCKI Architects
Mirror: http://www.attrition.org/mirror/attrition/1999/12/11/www.hwa.net
Defaced by: Asysmptote
Operating System: Windows NT (IIS/4.0)
Previously defaced on 4 previous times by
Potentially offensive content on defaced page.

Defaced domain: www.schoolgirlporn.com
Site Title: Adult Web Products
Mirror: http://www.attrition.org/mirror/attrition/1999/12/11/www.schoolgirlporn.com
Defaced by: Hacking 4 Ponies
Operating System: Solaris 2.6 - 2.7 (Apache 1.3.3)
Previously defaced on 99.10.28 by h4p
Potentially offensive content on defaced page.
Defaced domain: www.girard.lib.oh.us
Mirror: http://www.attrition.org/mirror/attrition/1999/12/11/www.girard.lib.oh.us
Defaced by: f1ber
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.

Defaced domain: www.cci-inspection.com
Site Title: CCI Inspection Services, Inc
Mirror: http://www.attrition.org/mirror/attrition/1999/12/11/www.cci-inspection.com
Defaced by: f1ber
Operating System: Windows NT (IIS/4.0)
Previously defaced on 99.10.19 by s0ften
Potentially offensive content on defaced page.

Defaced domain: www.pittsburg.k12.ca.us
Mirror: http://www.attrition.org/mirror/attrition/1999/12/11/www.pittsburg.k12.ca.us
Defaced by: protokol
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.

Defaced domain: www.ntacx.net
Site Title: Ntacx Web-werkes
Mirror: http://www.attrition.org/mirror/attrition/1999/12/11/www.ntacx.net
Defaced by: f1ber
Operating System: Windows NT (IIS/4.0)
Previously defaced on 99.10.22 by DHC
Potentially offensive content on defaced page.

Defaced domain: www.useu.be
Mirror: http://www.attrition.org/mirror/attrition/1999/12/11/www.useu.be
Defaced by: PHC
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.

Defaced domain: www.thundercats.co.uk
Site Title: Thundercats UK
Mirror: http://www.attrition.org/mirror/attrition/1999/12/11/www.thundercats.co.uk
Defaced by: DHC
Operating System: Solaris

Defaced domain: www.kingston.com
Site Title: Kingston Technology Corp
Mirror: http://www.attrition.org/mirror/attrition/1999/12/11/www.kingston.com
Defaced by: Einstein
Operating System: Windows NT
Previously defaced on 99.11.25 by fuqrag
FREE KEVIN reference in the HTML

Defaced domain: www.hamilton-university.edu
Site Title: Hamilton University
Mirror: http://www.attrition.org/mirror/attrition/1999/12/11/www.hamilton-university.edu
Defaced by: Einstein
Operating System: Windows NT
Potentially offensive content on defaced page.
Defaced domain: mercurius.isics.u-tokyo.ac.jp
Mirror: http://www.attrition.org/mirror/attrition/1999/12/11/mercurius.isics.u-tokyo.ac.jp
Defaced by: eTC
Operating System: Solaris 2.5x (Netscape-Enterprise/2.0d)
Potentially offensive content on defaced page.

Defaced domain: www.tenk.com
Site Title: Tenk Machine & Tool Co.
Mirror: http://www.attrition.org/mirror/attrition/1999/12/11/www.tenk.com
Defaced by: mistuh clean
Operating System: Solaris
Potentially offensive content on defaced page.

Defaced domain: www.expoente.com.br
Site Title: Expoente Brazil
Mirror: http://www.attrition.org/mirror/attrition/1999/12/11/www.expoente.com.br
Defaced by: Death Knights
Operating System: Windows NT
Previously defaced on 99.10.19 by OHB
Potentially offensive content on defaced page.

Defaced domain: www.lumitex.com
Site Title: Lumitex
Mirror: http://www.attrition.org/mirror/attrition/1999/12/11/www.lumitex.com
Defaced by: pr1sm
Operating System: Solaris

Defaced domain: www.resconet.com
Site Title: Robert Sweeney Co.
Mirror: http://www.attrition.org/mirror/attrition/1999/12/11/www.resconet.com
Defaced by: pr1sm
Operating System: Solaris
Potentially offensive content on defaced page.

and more sites at the attrition cracked web sites mirror:
http://www.attrition.org/mirror/attrition/index.html

-------------------------------------------------------------------------

A.0 APPENDICES
_________________________________________________________________________

A.1 PHACVW, sekurity, security, cyberwar links
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The links are no longer maintained in this file, there is now a links section
on the http://welcome.to/HWA.hax0r.news/ url so check there for current links
etc.

The hack FAQ (The #hack/alt.2600 faq)
http://www-personal.engin.umich.edu/~jgotts/underground/hack-faq.html

Hacker's Jargon File (The quote file)
http://www.lysator.liu.se/hackdict/split2/main_index.html

New Hacker's Jargon File.
http://www.tuxedo.org/~esr/jargon/

HWA.hax0r.news Mirror Sites around the world:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

http://datatwirl.intranova.net ** NEW **
http://the.wiretapped.net/security/textfiles/hWa.hax0r.news/ ** NEW **
http://net-security.org/hwahaxornews ** NEW **
http://www.sysbreakers.com/hwa ** NEW **
http://www.attrition.org/hosted/hwa/
http://www.attrition.org/~modify/texts/zines/HWA/
http://www.hackunlimited.com/zine/hwa/ *UPDATED*
http://www.ducktank.net/hwa/issues.html ** NEW **
http://www.alldas.de/hwaidx1.htm ** NEW **
http://www.csoft.net/~hwa/
http://www.digitalgeeks.com/hwa *DOWN*
http://members.tripod.com/~hwa_2k
http://welcome.to/HWA.hax0r.news/
http://archives.projectgamma.com/zines/hwa/
http://www.403-security.org/Htmls/hwa.hax0r.news.htm
http://viper.dmrt.com/files/=E-Zines/HWA.hax0r.news/
http://hwa.hax0r.news.8m.com/
http://www.fortunecity.com/skyscraper/feature/103/

International links:(TBC)
~~~~~~~~~~~~~~~~~~~~~~~~~

Foreign correspondents and others please send in news site links that have
security news from foreign countries for inclusion in this list thanks...
- Ed

Belgium.......: http://securax.org/cum/ *New address*
Brasil........: http://www.psynet.net/ka0z
                http://www.elementais.cjb.net
Canada .......: http://www.hackcanada.com
Croatia.......: http://security.monitor.hr
Colombia......: http://www.cascabel.8m.com
                http://www.intrusos.cjb.net
Finland ........http://hackunlimited.com/
Germany ........http://www.alldas.de/
                http://www.security-news.com/
Indonesia.....: http://www.k-elektronik.org/index2.html
                http://members.xoom.com/neblonica/
                http://hackerlink.or.id/
Netherlands...: http://security.pine.nl/
Russia........: http://www.tsu.ru/~eugene/
Singapore.....: http://www.icepoint.com
South Africa ...http://www.hackers.co.za
                http://www.hack.co.za
                http://www.posthuman.za.net
Turkey........: http://www.trscene.org - Turkish Scene is Turkey's first and
                best security related e-zine.

.za (South Africa) sites contributed by wyzwun tnx guy...

Got a link for this section? email it to hwa@press.usmc.net and I'll review
it and post it here if it merits it.

@HWA

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-
--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--
© 1998, 1999 (c) Cruciphux/HWA.hax0r.news (R) { w00t }
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-
[ 28 63 29 20 31 39 39 39 20 63 72 75 63 69 70 68 75 78 20 68 77 61 ]
[45:6E:64]-[28:63:29:31:39:39:38:20:68:77:61:20:73:74:65:76:65]