Default Newsletter Issue 02

Published in Default Newsletter · 26 Apr 2019

  

Default, Help Net Security newsletter
issue #1, Friday 20th August 1999


TABLE OF CONTENTS
-----------------

I. Editorial
II. Last week's news on Help Net Security
a) Help Net Security news headlines
b) Vulnerabilities reported in last week
c) Site News
d) Defaced Pages
III. Y2K: As the millennium approaches
IV. A look into basic cryptography
V. Internet privacy: What are the issues?
VI. Telecommunications 101
VII. Macintosh Security: How to set up a gateway and firewall
VIII. Computing: A closer look at hard- and software
IX. Linux Firewalls
X. Infection and vaccination
XI. More from the ACPO front
XII. Freedom of speech - related incidents
XIII. Intrusion and detection
XIV. Guest column

* Due to our editor D. Muths' absence (vacation) we haven't
received work from him to add regarding the virus/spam sections;
we hope to be able to add his contribution next week.

** Due to unexpected (though very much appreciated :) user-contributions
and some deadline problems the "Meet the underground" column will be
postponed for a week, but will be back next week.


I. Editorial
------------

Hi, it's us again. In front of you, you have the second edition of Default, our weekly
newsletter. Our thanks go out to all people who helped us to keep up the quality and
improve it in some fields and thank you for all the kind words we got from you, the
readers, because you are what it's all about for us.

As you can see there have been some changes on our site
(http://default.net-security.org), most visible in the fact we ditched the html-version
for online reading. We got a lot of comments and complaints on that so it's gone unless
someone gives us some ideas on how we should handle that section of the site. The
discussion forum is up too, but we don't like it much so we're in the process of
changing that, it's been very hectic around here for a couple of days so please be
patient. We'll try to have it up in a day or two.
We got some requests regarding the mirroring of our content too. You are allowed to
mirror complete issues without permission as long as no credits are removed. When you
want to use specific articles for other ways of publication than Default, you have to
contact the editor/writer in question. Ok, that's settled then :)

Berislav Kucan
aka BHZ, webmaster Help Net Security
bhz@net-security.org

Xander Teunissen
aka Thejian, co-webmaster Help Net Security
thejian@net-security.org


------------------------

IN MEMORIAM: We have the sad duty to inform you of the too early passing of deutron,
member of our close friends and associates at ech0 security, who committed suicide.

Last respects to deutron who left us too early in his 16th year

Rest in peace man,

HNS crew

------------------------



II. Last week's news on Help Net Security
-----------------------------------------

a) Help Net Security news headlines

- Friday 13th August 1999:

Interview with Eric Raymond
Microsoft and AOL
Default issue #1

- Saturday 14th August 1999:

Hacker mythology
Outside help isn't wanted
Israel and piracy
Ireland intends to criminalize e-signature fraud
Software reverse engineering allowed in Australia
Government faces security skills shortage
Trinux 0.62 released
Hackers, IT consultants embrace free security tool
Infoseek hacked
Linuxppc crack-contest finished
Freshmeat.net bought

- Sunday 15th August 1999:

Japan clears wiretap bill
15-year-old admits hacking into TCS
Wireless crime-fighting
Detecting intruders in Linux

- Monday 16th August 1999:

Projectgamma back online
Hacker launches grudge-attack against former employer

- Tuesday 17th August 1999:

Surf anonymous for $5
GISB will use pgp
Y2k problems
19 arrested on child pornography charges
Y2k the movie
Packetstorm Security
Identity-theft
E-commerce and privacy
Two charged with promoting date-rape drug on the net
MS re-releases malformed http request header patch
NA/McAfee releases new virus service
Last respects to deutron
ReDaTtAcK charged anyways
The music industries' "cyber-sheriff"
Security through obscurity vs full disclosure
Telnet.exe heap overflow

- Wednesday 18th August 1999:

Bugs from Bugtraq
No y2k problems on the internet
Mitnick not able to follow kosher diet
MSN messenger exposes passwords
Linux death-match
Malicious attack on linux-kernel mailing list
More cyber-war threats

- Thursday 19th August 1999:

MS audio format almost instantly cracked
New virus to destroy computers on Dec. 25th?
AOL hacking IM users?
Total digital privacy on the horizon?
Chinese sites told to cut links with foreign sites
Canadian security agency warns against cyber-attacks
Troubles in Ukraine
New fix from Microsoft

- Friday 20th August 1999:

Are you surfing at your own risk?
Software makers look to keep home networks safe
Carding in Newcastle
Watching workers
Indonesia responds to cyber-war threats
Homophobic web site "stolen" by hackers?
Intel extends online privacy ad ban
Belgian bank compromised
ABC compromised

b) Vulnerabilities reported in the last week (our thanks go out to BugTraq for this list)

13-08 Ircd hybrid-6 Buffer Overflow Vulnerability
16-08 SuSE identd Denial of Service Attack
16-08 Microsoft Windows 9x IE5/Telnet Heap Overflow Vulnerability
16-08 Oracle Intelligent Agent Vulnerability
16-08 Multiple Vendor 8.3 Filename Vulnerability
16-08 xmonisdn IFS/PATH Vulnerability
16-08 Microsoft IIS And PWS 8.3 Directory Name Vulnerability
18-08 Mini SQL w3-msql Vulnerability
18-08 AIX Source Code Browser Buffer Overflow Vulnerability
18-08 BSDI Symmetric Multiprocessing (SMP) Vulnerability
18-08 Redhat Linux tgetent() Buffer Overflow
19-08 Linux in.telnetd Denial of Service Vulnerability
19-08 QMS 2060 Printer Passwordless Root Vulnerability

c) Help Net Security site news

* Not applicable this week *

d) Defaced pages: (mirrors provided by Attrition (http://www.attrition.org))

Site: GO Network (infoseek.go.com)
Mirror: http://default.net-security.org/2/infoseek.go.com.htm

Site: Fat Kid (www.fatkid.net)
Mirror: http://default.net-security.org/2/www.fatkid.net.htm

Site: FX Networks (www.fxinteractive.com)
Mirror: http://default.net-security.org/2/www.fxinteractive.com.htm

Site: Mendesgans (www.mendesgans.nl)
Mirror: http://default.net-security.org/2/www.mendesgans.nl.htm

Site: City of Naperville, Illinois (www.naperville.il.us)
Mirror: http://default.net-security.org/2/www.naperville.il.us.htm

Site: ABC (www.abc.com)
Mirror: http://default.net-security.org/2/www.abc.com.htm



III. Y2K: As the millennium approaches
--------------------------------------

This week's Y2K headlines:

The United States Air Force created a Y2K simulation to test its systems
for the new millennium. The Air Force received a budget of 1 billion
dollars to prepare, and it looks as though it is ready. Y2K
Flag East, a four-day exercise that ended Thursday at Eglin and Moody
Air Force Bases, is one in a series the service has been conducting
since January. Brig. Gen. Gary Ambrose, who is in charge of a secure
rollover to the new millennium without any glitches, said that there
were no catastrophic failures in the Y2K test and that the Air Force
will operate in the year 2000 no matter what happens. According to the
Air Force, its systems are 96 percent Y2K compliant and will be 100
percent well before January 1, and 82 percent of all evaluations have
been completed. All of the assessments should be done by October 15.

A small company is closing its doors because of the Year 2000 problem.
TriMark Engineering (http://execonn.com/doorway) announced that it
won't be ready for the new millennium: "I am happy to announce that ALL
released versions of the Doorway program are y2k compliant. It does
not read or use a date, but keeps time by counting timer ticks. Old
date limited versions of the beta version of Doorway unfortunately did
read the clock, so even though they have expired, they will begin
working again on Jan. 1, 2000 and will work for about 89 years. Please
download the latest version as these old limited versions have many bugs
in them. Unfortunately the computers used in our operations are not
y2k compliant. These computers were purchased and used before Windows
95, and are all old DOS systems. They are not compliant and we do not
have the resources to make them compliant."


Britain warned shipowners on Monday that vessels calling at British
ports could be detained if they have not ironed out Y2K problems.
The Maritime and Coastguard Agency said that Y2K could start many
problems on ships (from navigational equipment to all computer guided
functions of the ship). From September 1, ships that have not
identified equipment that could fail or taken remedial action will
be recorded in a European database and be targeted for further
inspection.

Y2K - The movie. Yeah right. NBC is shooting a film about Year 2000
glitches. Of course you will see many catastrophic events in this
movie; the story of the film goes like this: the bug causes an East
Coast power outage, ATM failures, airliners whose instruments don't
work and other assorted calamities. The main character battles one of
the biggest imagined consequences of the bug when a nuclear power plant
threatens to go into meltdown.

Here you can read Clinton's memo on Year 2000 (published by Newswire).

MEMORANDUM FOR MEMBERS OF THE CABINET
SUBJECT: Year 2000 Computer Problem

The end of 1999 is less than 6 months away. Federal agencies have made
significant progress in meeting the challenges posed by the Year 2000
(Y2K) computer problem since the Vice President and I discussed this
issue at the Cabinet meeting in January 1998. Virtually all of the
major Federal agencies have completed, or will soon complete, work
on their mission-critical systems, and agencies are working
aggressively to encourage compliance among their organizational
partners for the delivery of key Federal services.
Our efforts to solve the Y2K problem provide an important example of
the Government's ability to respond to difficult management challenges,
and I appreciate your commitment to this critical issue. However, your
ongoing support through 1999 is essential to the Nation's ability to
achieve the ultimate goal of minimizing Y2K-related failures in the
public and private sectors.
You should continue your outreach efforts to organizations domestically
and internationally. We must encourage compliance efforts among our
partners, such as State and local governments helping to deliver
Federal services and private sector organizations supporting the
Nation's critical infrastructure. Internationally, the continued
exchanges of technical information with other governments about Y2K
experiences will help to limit potential Y2K problems in our trading
relationships.
You also should maintain your focus on contingency and back-up plans.
While many systems and processes have been tested multiple times,
being prepared with alternate operating plans provides an important
extra layer of insurance against unexpected difficulties and will
enhance our ability to respond to any challenges associated with the
date change.
I also encourage you to continue to work closely with my Council on
Year 2000 Conversion, and with each other, as we approach January 1,
2000. If we continue our hard work on this important issue, I am
confident that we will be able to oversee a successful transition to
the new millennium.

WILLIAM J. CLINTON


Y2K TOOLS
---------

TITLE: Milli2000
SIZE: 39 Kb
TYPE: Shareware
REQUIREMENTS: Windows 95/98/NT, Microsoft Access 97.
DOWNLOAD: http://default.net-security.org/2/milliy2k.zip

INFO: Milli2000 is a Microsoft Access add-in that helps make Access
databases Y2K compliant by automatically adding 4-digit year input
masks and formats to all date fields in forms, reports, tables, and
queries. It can be run on tables, queries, forms and reports individually,
or all at once. Milli2000 can also be used to quickly standardize
formatting of dates throughout your entire database, by simply setting
the default date format, and running the program.

TITLE: January2000! (16-bit) and (32-bit)
SIZE: 16-bit 550 Kb & 32-bit 230kb
TYPE: Shareware
REQUIREMENTS: 16-bit Windows 3.1 & 32-bit Windows 95/98
DOWNLOAD: 16-bit > http://default.net-security.org/2/jan2k16x.zip
32-bit > http://default.net-security.org/2/jan16132.zip

INFO: January2000! (16-bit) is a software Y2K rollover fix for PC clock
hardware. If you already know you have hardware Y2K problems (the
program does not perform any tests to determine this for you), you can
either buy a new PC, or install a software fix. January2000! fixes the
CMOS / RTC (Real Time Clock), BIOS and System Clock, even if programs
are running when you enter the new millennium. No user intervention is
needed, and there is no interruption to programs. January2000! is
transparent to system functions, but always on guard.
Note that the program does not actually fix your system until you
purchase a key.


BHZ
Berislav Kucan
bhz@net-security.org



IV. A look into basic cryptography
----------------------------------


This is Iconoclast, and let's get back into some basic cryptography. Today's cipher will
be slightly more difficult to crack. I am going to use this fact to teach you something
else.

Oftentimes you may hear that an algorithm is secure. This means that the mathematics
behind the algorithm itself is believed to resist being broken within a given amount of
time (usually 5-10 years) with current technology. This however does not mean that data
encrypted with this new cryptosystem is itself secure, because the implementation of the
algorithm may be insecure. Here is an example of that.

Okay, on to the next type of cipher my friend tried to use, which was even easier to
get past.

I went to the page that contained the cryptosystem with Netscape and up popped a window
to enter a password...

I could not check the source because the java applet took control of Netscape.

I then opened up my favorite html editor, Homesite, which allows you to open web page
source code. I pointed Homesite to the URL and tada, I downloaded the source code for
the page.

Here's the actual applicable code:

<HEAD>
<SCRIPT>
var ccup1="abcdefghijklmnopqrstuvwxyz~_.-:#/"
         +"ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890@!%^&*";

ccup2=ccup1.substring(10,11)+ccup1.substring(0,1)+ccup1.substring(12,13)
     +ccup1.substring(0,1)+ccup1.substring(10,11)+ccup1.substring(0,1)
     +ccup1.substring(25,26)+ccup1.substring(8,9)+"";

ccup3="http://www.bob.com/xwing/202/"+ccup1.substring(62,63)+ccup1.substring(63,64)
     +ccup1.substring(64,65)+ccup1.substring(65,66)+ccup1.substring(62,63)
     +ccup1.substring(28,29)+ccup1.substring(7,8)+ccup1.substring(19,20)
     +ccup1.substring(12,13)+ccup1.substring(11,12);

var name = prompt("Enter your User Password:", "For this example use the word CoffeeCup")

if (name ==ccup2) {
  (confirm("Access to this site is granted. Click [ OK ] to Proceed."))
  location.href=ccup3;
}
else{ alert("INCORRECT PASSWORD. The password: " + name + " is not acceptable.");
  history.back();
}
</SCRIPT>
</HEAD>



Now you look at this and think... wow, that's a mouthful, how could we get past that?

First step is to save it to your local machine so you can edit the code and reload the
page from your own machine.

Then, look at the way it works: if statements... plain and simple.

Here's some analysis of the code:

The input must equal ccup2 for access (ccup2 is encrypted way past my ability to
decipher).

ccup3 is the encrypted URL of the site I'm trying to get into (again, encrypted way past
my ability).

name is the variable that holds what you enter.

Now here is some basic pseudo-code explaining the implementation of the cryptosystem:

if the variable "name" is the same as the variable ccup2
    give access and send to the URL encrypted in ccup3
if not,
    don't give access and yell at the user

The best way of getting past this is NOT cracking the algorithm... it's too difficult to
understand the cryptosystem without more data.

Start playing with it... it helps to know some minor programming.

Here is what you would need to have in order for it to work (hopefully):

if (name !=ccup2) {
  (confirm("Access to this site is granted. Click [ OK ] to Proceed."))
  location.href=ccup3;
}
else{ alert("INCORRECT PASSWORD. The password: " + name + " is not acceptable.");
  history.back();
}

Mind you, only a single character needed to be changed.

In most programming languages (at least in C, C++, and Java), to compare two variables
you use == for equal to and != for not equal to.

The changed code will accept ANY password you enter EXCEPT the correct password.

Save this to your computer and open it in Netscape or IE or whatever.... enter gibberish
when it asks you for a password and tada, it works.

Another thing you could have done is edit it to look like this:

if (name =="myownpassword") {
  (confirm("Access to this site is granted. Click [ OK ] to Proceed."))
  location.href=ccup3;
}
else{ alert("INCORRECT PASSWORD. The password: " + name + " is not acceptable.");
  history.back();
}

Now this changed code will only allow access if you enter the string: "myownpassword"
when it asks for a password.

As I said before, open this up with your browser and tada, you're in.

Okay, that is it for this issue, there is much more to come that wouldn't fit in here
today. Expect more, and in the next issue, we will begin the interactive part.

For the time being, if you come across ANYTHING that you think could be of use to anyone
in the field of cryptography, please, drop me a line at crypt@default.net-security.org
and I will probably include it in the next issue.

It's been fun.

-Iconoclast

crypt@default.net-security.org

On a side note, I received no feedback last issue and because of that I was unable to
add any reader comments. Please, this cannot succeed without you, the reader. If you
have any comments at all, please feel free to send them in. If you want anonymity just
tell me, and I won't mention you or your email address.



V. Internet privacy: What are the issues?
-----------------------------------------


It's Saturday morning and you hop on the Net looking for some
info on smoking related illnesses 'cuz your best friend's been
thinking of quitting lately and you figured you'd help out with
some cold, hard facts.

You hit a few web sites, buy a book on the evils of tobacco, and
sign up for a newsletter that delivers a "tip of the week" for
people looking to kick the habit.

A few months later, it's time to renew your medical insurance
at work but your boss informs you that in order to qualify,
you'll need to take a complete medical and chest x-ray.

Why?

Because your company's insurer drew the wrong conclusion after
buying your profile from a marketing firm that's been tracking
your online habits.

Sound invasive? - it is.

Right now, companies are working on new computer technology that
will enable many of our household appliances to be networked
through the Internet.

Your microwave is on the fritz? No problem, hit a few buttons
on the console, and the unit will instantly seek out the
manufacturer's website through its Internet connection and
download the code it needs to correct the problem.

Out of eggs? Your refrigerator is also Net-ready, and through it
you can email your local grocer to fill out your next food order.

But as more and more of the products we use each day become Internet-
connected, the personal information they collect will be fed to
marketers - and bought and sold without our knowledge or consent.

Those eggs your fridge has been ordering online for you - coupled
with some high-fat foods and cheeses - set off a few warning
bells at your insurance company which recently purchased this
information. Don't be surprised to see your premiums go up next
year, or when ads for cholesterol-lowering products start to
appear on your PC.

It's no longer possible to avoid being tracked online

The potential for abuse is enormous, as false assumptions are
made about us based on bits of information picked up here and
there.

As digital television emerges, our viewing habits will also be
tracked by companies who monitor what we watch, when we watch it
and what we buy.

Spending a lot of time on the home-shopping channel? Be prepared
for a slew of invasive marketing aimed at you for varied products
and services.

Tuned in to the Playboy Channel last night? Watch out for
adult advertisements next time your daughter logs onto the
Net from her home computer.

If we don't lay down the law regarding Internet privacy while
the Net is still in its infancy, we'll never be able to reclaim
it...

Once your personal data is lost - spread out in thousands of
databases all over the world - you can *never* get it back.

As individuals, we need the ability to "pull the blinds" online
and say, "Hey, I have a right to privacy!"

Jordan Socran
Zero Knowledge Systems (http://www.zeroknowledge.com)



VI. Telecommunications 101: Scanners and the radio spectrum
-----------------------------------------------------------

My last column dealt with pager communications, and more specifically with the POCSAG
pager protocol. Now that we've gained a little general knowledge on how basic (alphanumeric)
pager communications work, it's time for a more in-depth review of all the
wonderful things you could do with the signals described last week. Once again this is
a completely theoretical discussion. Intercepting and decoding radio signals is
illegal in a lot of countries and neither I nor Help Net Security take any
responsibility for your actions if you decide to put what is discussed here into use. Ok,
now that's out of the way, here goes :)

As I mentioned before, there are several pieces of software available on the Internet
nowadays which enable you to decode radio signals. This is mostly done in combination
with a scanner in place to do the actual intercepting. By plugging the scanner (on low
volume) into the "line in" port of your soundcard you can then feed these signals to
your computer, after which the software will (try to) decode them. I say try to because
although POCSAG is the most widely used (pager) protocol, it's certainly not the only
one. And pager signals are not the only thing going through the air nowadays.

But let's start at the beginning: today's piece will describe the scanner half of this
construction. What is a scanner? How does it work? Well, to understand that, we first
have to take a look into what scanners tap into: the radio spectrum.

A radio wave is an electromagnetic wave sent and received through an antenna. Radio
waves have different frequencies, and by tuning a radio receiver to a specific frequency
you can pick up a specific signal. These frequency bands are controlled and issued by
government organizations. Examples of frequency bands are AM radio (535 kHz - 1.7 MHz)
and FM radio (88 - 108 MHz). Besides these radio-frequency bands (TV has quite a few of
these too btw, but we're focusing on signals receivable by scanner for a moment), a lot
of other organizations and appliances have their own frequency band. For example Air
Traffic Control, GPS, radio controlled toys, cell phones etc, etc.

The difference between scanners and most regular radios you come across is that the
latter are single-purpose radios. They can be used to listen to AM or FM radio stations
for example, but that's it. Scanners on the other hand are radio receivers with a very
wide frequency range. This enables you to pick up a very large number of frequencies
as opposed to only AM/FM frequency bands. Typically this allows you to tune in to
police, fire and emergency radio in your area or to air traffic control frequencies.
Or to pager messages...

Usually you would set a scanner to scan a specific range of frequencies and stop
scanning when a signal is received on one of these frequencies, or you set it up to scan
one particular frequency. In our case we want it to use the pager band. In my own
little playground (The Netherlands, that is) pager frequencies lie between approx. 154
and 467 kHz.

Scanners are very specific where it comes to frequencies; sometimes you need to be very
precise in setting one up to actually receive something, and frequency bands tend to differ
between cities, but most of the time you can get some good results even with a bit less
reception. Another possibility is to modify a pager itself to receive multiple bands.
My final column on the pager subject, next week, will deal with this kind of
manual modification of a pager. Hope you'll join me then.

Xander Teunissen,
aka Thejian, Help Net Security
thejian@net-security.org



VII. Macintosh security: How to set up a gateway and firewall
-------------------------------------------------------------

MacOS is not so easy to hack on the networking stack side; the code is usually heavy.
The networking part on a Mac needs external software to be modified, so don't even think
about changing a line of code on MacOS!
New types of connections allow you to stay connected around the clock for a cheap price
with a fast connection, even in Europe! ADSL, cable modems and other types of connections
allow you to stay online all the time. Always keep in mind that the Internet is a wild
place! Those networks are very often scanned for wingates, trojan open ports (mainly on
wintel) and a bunch of other crap. The word firewall is in most people's minds a very
difficult thing to build; well, if you think that, you're wrong. It's just an IP filter,
with rules allowing or refusing packets.
Requirements: a minimum of 2 MacOS computers and IP filtering software (IPNetRouter,
for example: http://www.sustworks.com/products/product_ipnr.html). The first computer will
be our "goat", the bastion host; you also need LAN client(s), an Internet connection, and
a crossover RJ-45 cable or a hub if you plan to have more than 2 clients using this
connection.
This software-based router allows us to do several things: share an Internet connection
with other LAN clients (even a PPP connection), make a low-cost firewall by editing inbound
and outbound rules, and create NAT (Network Address Translation). The goat computer will
act as a gateway for any MacOS, Win9*, or Unix computer.


 <----Internet---->         <---IPNetRouter--->          <---Bastion Host--->
 (ppp, cable modem,           (ip filters,
  T1 etc)                   transfers client requests)            |
                                                                  |
                                                    ---------------------------
                                                    |     |     |     |     |
                                                 LAN clients (Win9*-Mac-Unix)

The setup is very easy to make: on the goat computer you have to select your
connection interface (for example, select the Ethernet connection for cable modem and ADSL
as the 1st IP interface). Then create a 2nd IP interface (ex: 160.92.216.1, subnet mask
255.255.255.0). Check "Bring Up" or, if you want to use IP masquerading for LAN clients,
check the NAT box. Save your configuration! You may not have to restart to use the gateway.
Now set each LAN client with an IP in 160.92.216.2-254, mask 255.255.255.0. Make
sure they all have 160.92.216.1 as gateway.
If you want, after that you can also add IP filters to make the gateway a real firewall.
You will have to edit the inbound and outbound filters with IPs, ports etc. Read
http://www.sustworks.com/products/ipnr/gettingstarted/firewall.html for more details
about editing rules.

It takes a few minutes to set up this firewall and to share your Internet connection in
a safe way. The main advantage is that putting a Mac as a bastion host is safer, and takes
less time than setting up a Windows box. Plus the computer doesn't have to be very
powerful: a 68030 or higher is required. Don't forget that IPNetRouter is shareware ;-)

deepquest
deepquest@default.net-security.org

All rights not reserved- Serving since 1994
http://www.deepquest.pf



VIII. Computing: A closer look at hard- and software
----------------------------------------------------

August, 1999, is a landmark month in the history of PC processors. For one thing, three
new processors have been introduced in one week. The 600MHz Pentium III and the 500MHz
Celeron were introduced on August 2 by Intel. August 3 saw an announcement that National
Semiconductor was selling its Cyrix unit to VIA Technologies of Taiwan. August 4 saw a
similar announcement: Integrated Device Technology (IDT) was also selling its Centaur
unit (designer/manufacturer of the WinChip and WinChip 2 processors) to VIA. And today,
August 9, Advanced Micro Devices (AMD), manufacturer of the K6, K6-2 and K6-III
microprocessors, announced the introduction of its new, seventh-generation Athlon (nee
K7) processors, at introductory speeds of 500MHz, 550MHz, 600MHz and 650MHz.
The big news? Intel no longer makes the fastest x86 processors on the market. That
distinction now passes to AMD, and not just because its 650MHz Athlon bests the Pentium
III (and Pentium III Xeon) chips by 50MHz. On our WinScore tests, the 600MHz
Athlon-powered systems beat the three 600MHz Pentium III-powered systems by an average
of 14.6%. That means the 600MHz Athlon-powered systems performed like a 688MHz Pentium
III -- if there were such an animal.

This superiority lies not just in the area of integer performance--where AMD has long
proven competent--but also in the area of floating point performance. AMD calls the
Athlon a true seventh-generation processor. It's superscalar, meaning it can execute
more than one instruction per clock cycle (actually, nine, compared to five for the
Pentium III), and superpipelined, meaning it has multiple, parallel paths for
simultaneous, out-of-order execution of instructions. The Athlon has a 128KB level 1
cache (compared with 32KB for the Pentium III), and a unique, frequency-programmable
level 2 design. Initial Athlons will have 512KB of level 2 cache, matching the Pentium
III, but level 2 cache can scale all the way to 8MB, four times that of Intel's Pentium
III Xeon chip. With a 200MHz frontside bus (vs. 100MHz at present for the Pentium III),
a new slot for the processor that is mechanically similar to Intel's Slot One (though
electrically identical to Compaq's Alpha EV6 bus) and multiprocessor capability, it's
easy to see that AMD is swinging for the bleachers. The Athlon also includes an
"Enhanced" version of the company's 3DNow SIMD (single instruction, multiple data)
instructions, with 24 new instructions. Nineteen of these instructions bring 3DNow's
functionality to parity with the Pentium III's SSE instructions, and five are DSP
(digital signal processor) instructions to improve the performance of soft modems,
soft ADSL, MP3 and AC-3 decoding. The latest video drivers from 3dfx, Matrox and nVidia
are already compatible with Enhanced 3DNow. ATI and S3 will roll their compliant drivers
shortly, and you should expect compliant versions of DirectX and OpenGL in short order.
AMD is introducing the Athlon with an AMD chipset, but chipsets are currently being
developed by ALi, SiS and VIA. American Megatrends, Award and Phoenix are all providing
BIOS support, and motherboards are being introduced by ASUS, FIC, Gigabyte and Microstar.

First out of the gate with Athlon-based systems are IBM and Compaq (though Compaq's
Presario 5861 won't be available to customers until September). AMD points out that
nine of the top 10 worldwide PC vendors are shipping AMD-powered systems (No. 2 Dell
is the lone holdout). Skeptics would point out that AMD has had problems shipping in
volume with the introduction of new processors. AMD has responded to these fears by
rolling out the Athlon in its proven, 0.25-micron process. The company is also trying
to minimize support infrastructure problems by sticking with 100MHz SDRAM upon launch,
though faster memory architectures will be introduced for the Athlon later on. In fact,
though the Athlon uses different motherboards and chipsets than Pentium III systems use,
this is already the case with its K6-2 and K6-III processors. All other system
components are identical to existing Pentium III PCs. Intel demonstrated a 1GHz version
of its Pentium III processor earlier this year, but the company is not expected to roll
out its next iteration of the Pentium, code-named Coppermine, until late October.
Coppermine is expected at 667MHz and 700MHz. Intel has demonstrated repeatedly its
ferocious competitiveness, however, and is expected to respond to the Athlon's
introduction through a series of moves to blunt the new challenge from AMD. Price cuts
and early rollouts of processors and chipsets to make the Pentium III and Pentium III
Xeon chips more competitive are the likeliest responses. AMD chose to introduce the new
Athlon brand (rather than using the code name, K7) to mark a break with its past policy
of undercutting Intel's pricing by 25%, a policy that has left the company vulnerable to
aggressive pricing strategies by Intel. AMD's new pricing strategy is to "offer a
superior product at a fair price." Announced pricing for the Athlon at launch (in
quantities of 1,000 chips) are: 650MHz, $849; 600MHz, $615; 550MHz, $449; and 500MHz,
$249. Intel's 600MHz Pentium III sells for $669 in 1,000-chip quantities. AMD plans to
extend its Athlon brand with Athlon Ultra processors, aimed at enterprise server and
workstation markets; Athlon Professional, aimed at the enterprise high performance PC
market; and Athlon Select, aimed at the value PC market. The Athlon will be produced
initially at AMD's Fab 25 facility in Austin, Texas. A new plant, Fab 30, opens in
Dresden, Germany, next year, and will double production capacity. With the introduction
of Athlon, AMD for the first time competes with Intel across the company's entire
product line of processors. Cynics will give you a dozen reasons why AMD will fail in
its attempt to compete, among them the company's history of production problems, or the
fact that other competitors have fallen by the wayside, or the fact that AMD has lost
money for three straight years. That shouldn't detract from the stunning accomplishment
Dirk Meyer and his team of designers at AMD have achieved. For the moment, AMD stands
at the top of the heap in microprocessor design, and deserves credit for a job well
done.

AMD's CEO, Jerry Sanders, must be the type who likes to tilt at windmills. AMD had built
a profitable and comfortable business selling 486 clones to (mainly) the third world
when he decided, some four years ago now, to make a headlong rush to compete with giant
Intel across the board. The results have been mixed. The company's first all-new design,
the K5, lagged seriously behind Intel's Pentium chip, and had to be sold at fire sale
prices. The 1997 launch of the K6--a chip that outperformed Intel's Pentium with MMX
chip--seemed promising, but lagged behind Intel's Pentium II processor. Worse, the
company's problems in mass producing the chip seriously shook confidence among system
vendors in the stability of its supply. AMD surmounted that difficulty, and last year
introduced the K6-2, the first mainline processor with SIMD (single instruction,
multiple data) instructions for speeding 3D graphics performance--months ahead of
Intel's SSE instructions, which Intel introduced with its Pentium III processors. And
early this year, the company introduced the K6-III, a chip with on-chip level 2 cache,
offering application performance on a par with the Pentium III at similar clock speeds.
AMD began to enjoy considerable success, at least in terms of units sold. The company
grabbed an important piece of the market for computers sold at retail, and even
surpassed Intel's market share in that market in the fourth quarter of 1998. But this
success turned out to be a Pyrrhic victory. The company has hemorrhaged money since
directly taking on Intel, with average selling prices for its processors falling at an
alarming rate. AMD's overall market share for x86 microprocessors is currently 15.5%,
according to the company. It hopes to achieve a market share of 30% by late 2000.
Intel's response to AMD has been to roll out its Celeron processors, ramping them up to
higher and higher clock speeds (currently topping out at 500MHz) while aggressively
cutting prices. The result: Though AMD can sell as many K6-2 and K6-III processors as
it can make, it has been unable to make any money doing so. It's akin to the situation
faced by Continental Airlines 15 years ago, when it was still based in Denver. The
saying among locals was that while it was true Continental lost $20 every time a
passenger set foot on one of its planes, the company made it up on volume. AMD isn't
the only competitor losing money. Cyrix's M II processors were forced to undercut even
AMD on price--with the result that the company sold itself to National Semiconductor,
which in turn sold its Cyrix unit to VIA Technology of Taiwan just last week. And
Centaur Technology, maker of the low-priced WinChip, sold itself to Integrated Device
Technology, which in turn also sold Centaur to VIA last week. AMD hopes to reverse its
fortunes with the Athlon chip, and it is obvious Jerry Sanders is betting the company
on this strategy. It plans to be able to lick its production problems by staying with
its proven processes at its Fab 25 plant in Austin, and introduce new production
methods at its Fab 30 plant in Dresden next year. Technologically, the Athlon is a
winner, outperforming the Pentium III in virtually every area. But the success of the
Athlon will hinge on its ability to win customers, not just in consumer PCs, but in
corporate desktops, workstations and servers. This market has proven resistant to AMD's
charms so far. The added performance the Athlon offers may begin to change that. For
production workstations running computer animation, for example, the 650MHz Athlon may
offer performance as high as 124% of the 600MHz Pentium III. If that workstation were
busy rendering, it could perform a task in 48 minutes that takes the Pentium III one
full hour. Over eight hours--and this is truly a hypothetical case, since no PC would
be doing that one task, full bore, for eight hours--the Athlon would save 93 minutes.
That's real money, on the positive side for a change. Intel will no doubt respond with
higher performance Pentium IIIs, but the Athlon has been designed from the ground up
for higher and higher clock speeds. Dirk Meyer, head of the AMD design effort, came to
AMD from Digital, where he participated in the design of the RISC Alpha chip, which was
similarly designed for blazing clock speeds.
So will AMD survive? The company deserves to survive, and the Athlon certainly will
survive, either at AMD, or as intellectual property sold to some other corporation.
For those of us who have always admired the Don Quixotes of the world, 'tis devoutly
to be wished. And Continental Airlines, after all, is pretty profitable these days.

atlienz
atlienz@default.net-security.org



IX. Linux firewalls (packet-type firewalls, supported by Linux kernels)
-----------------------------------------------------------------------

General:
If you want to set up a firewall on your Linux box, you probably want to
regulate access to your machine(s). This document covers the "packet filter"
firewall that is built into the Linux kernel. The newer ipchains system
(2.2.x kernels) is discussed here; the older ipfwadm interface of the 2.0.x
kernels is not covered.

Tools to get:
When you compile the firewalling support into the kernel, you will
need the "ipchains" tool to configure your firewall.

IP Masquerading:
If you also want to set up IP masquerading, a system that turns your Linux
box into a gateway machine so that other computers on the local network
(whatever OS they run) can use the Internet, get the "ipmasq", "ipautofw"
and "ipportfw" utilities. More on this in my next article for "Default".

Firewalling:
The firewall decides which packets may enter or leave your network and which may
not. ipchains has three built-in chains, input, output and forward, and you can
add user-defined chains of your own. Each chain holds an ordered list of rules; a
rule specifies criteria a packet must match and a target, and the first rule that
matches a packet decides its fate. If no rule in a built-in chain matches, the
chain's default policy (set with -P) applies.
The target can be ACCEPT, DENY, REJECT, MASQ, REDIRECT, RETURN or the name of a
user-defined chain to jump to.
ACCEPT lets the packet through, DENY drops it silently, REJECT drops it and
notifies the source with an ICMP error; MASQ masquerades the packet (used in the
forward chain), REDIRECT diverts it to a local port (used in the input chain) and
RETURN leaves the current chain.
Since setting up firewall rules is trivial, let's take a look:

List all rules with their packet and byte counters and the interface each
rule applies to. Add -n to print addresses and ports numerically; without it
ipchains tries to resolve every address in the list via DNS, which can stall.
> ipchains -L -v -n

Allow all packets from 192.168.7.1 (any interface) to go outside.
> ipchains -I output -j ACCEPT -s 192.168.7.1

Allow packets from 195.207.35.4 on specific (ppp0) interface to
pass the firewall (to go in).
> ipchains -I input -j ACCEPT -i ppp0 -s 195.207.35.4

Allow packets from all sources and interfaces (-s and -i are omitted) to
pass the firewall (to go out; notice the "output" chain):
> ipchains -A output -j ACCEPT

And the last example,
> ipchains -A output -j ACCEPT -d 195.206.222.14
will allow all packets going to -d (destination, 195.206.222.14) to pass
through. You can also use -I (insert) instead of -A (append). -A adds the
rule at the end of the chain and -I puts it at the beginning; since the first
matching rule wins, the order in which you add rules matters. Both options
require a chain name: output for outgoing packets, input for incoming packets,
forward for packets routed through the machine (used by IP masquerading), or
the name of a user-defined chain.
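The chain semantics described above (first matching rule wins, -I versus -A ordering, jumps into a user-defined chain and RETURN from it, default policy when nothing matches) are easy to get wrong when writing rules by hand. What follows is an added example, not code from this article or from the ipchains tool: a small Python model of those semantics that evaluates sample packets against the column's own rules. The Rule and packet fields are simplifications assumed here (only source, destination, interface, protocol and destination port are matched; TCP flags, fragments and ICMP types are ignored); the addresses and interface names come from the examples above, the "ppp-in" user chain is invented for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

BUILTIN = ("input", "output", "forward")   # chains that exist by default
TERMINAL = ("ACCEPT", "DENY", "REJECT")    # targets that end evaluation


@dataclass
class Rule:
    """One rule: match criteria plus a target (-j). Unset criteria match anything."""
    target: str                    # ACCEPT, DENY, REJECT, RETURN or a user chain name
    src: Optional[str] = None      # -s: address or CIDR block
    dst: Optional[str] = None      # -d: address or CIDR block
    iface: Optional[str] = None    # -i: interface name
    proto: Optional[str] = None    # -p: tcp, udp, icmp
    dport: Optional[int] = None    # destination port

    def matches(self, pkt: dict) -> bool:
        if self.src and ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(self.src, strict=False):
            return False
        if self.dst and ipaddress.ip_address(pkt["dst"]) not in ipaddress.ip_network(self.dst, strict=False):
            return False
        if self.iface and pkt.get("iface") != self.iface:
            return False
        if self.proto and pkt.get("proto") != self.proto:
            return False
        if self.dport is not None and pkt.get("dport") != self.dport:
            return False
        return True


class Firewall:
    """Ordered chains with first-match-wins evaluation, modelled on the 2.2 kernel."""

    def __init__(self):
        self.chains = {name: [] for name in BUILTIN}
        self.policies = {name: "ACCEPT" for name in BUILTIN}  # kernel default policy

    def new_chain(self, name):            # ipchains -N name
        self.chains[name] = []

    def policy(self, chain, target):      # ipchains -P chain target
        self.policies[chain] = target

    def insert(self, chain, rule):        # ipchains -I chain ...: head of the chain
        self.chains[chain].insert(0, rule)

    def append(self, chain, rule):        # ipchains -A chain ...: tail of the chain
        self.chains[chain].append(rule)

    def evaluate(self, chain, pkt, depth=0):
        """ACCEPT/DENY/REJECT for a built-in chain; None when a user chain falls through."""
        if depth > 8:
            raise RuntimeError("chain loop")
        for rule in self.chains[chain]:
            if not rule.matches(pkt):
                continue
            if rule.target in TERMINAL:
                return rule.target
            if rule.target == "RETURN":
                break                     # stop walking this chain
            verdict = self.evaluate(rule.target, pkt, depth + 1)   # jump to a user chain
            if verdict is not None:
                return verdict            # the user chain decided; otherwise keep walking
        return self.policies[chain] if chain in BUILTIN else None


def build_example(insert_first: bool = True) -> Firewall:
    """The column's rules plus a default-deny input policy and one user chain."""
    fw = Firewall()
    fw.policy("input", "DENY")                                   # ipchains -P input DENY
    fw.append("input", Rule("ACCEPT", iface="lo"))               # -A input -i lo -j ACCEPT
    fw.append("input", Rule("ACCEPT", src="192.168.7.0/24", iface="eth0"))
    fw.append("input", Rule("DENY", proto="tcp", dport=23))      # no telnet from outside
    fw.new_chain("ppp-in")                                       # -N ppp-in (hypothetical)
    fw.append("ppp-in", Rule("REJECT", proto="tcp", dport=31337))
    fw.append("ppp-in", Rule("RETURN"))                          # back to the calling chain
    fw.append("input", Rule("ppp-in", iface="ppp0"))             # -A input -i ppp0 -j ppp-in
    trusted = Rule("ACCEPT", src="195.207.35.4", iface="ppp0")   # the column's -I input rule
    if insert_first:
        fw.insert("input", trusted)   # -I: lands before the telnet DENY, so it wins
    else:
        fw.append("input", trusted)   # -A: lands after it, so telnet from that host is denied
    return fw


def pkt(src, iface, proto, dport, dst="192.168.7.1"):
    return {"src": src, "dst": dst, "iface": iface, "proto": proto, "dport": dport}


if __name__ == "__main__":
    for first in (True, False):
        fw = build_example(first)
        print("-I" if first else "-A", "telnet from 195.207.35.4:",
              fw.evaluate("input", pkt("195.207.35.4", "ppp0", "tcp", 23)))
```

Run it and the same ACCEPT rule admits telnet from 195.207.35.4 when added with -I but not when added with -A, because the DENY on port 23 then sits in front of it. Before trusting a real ruleset, ask the kernel the same question with ipchains -C (check a packet against a chain) for a few packets you care about.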


Special devices in /dev and kernel options
There are some options in the kernel you can turn on, and then create
corresponding devices in /dev, to get some additional features. Those
include:

1) Netlink devices with major number 36. The kernel uses them to
publish network related information. For "Routing messages" (kernel
option), do "cd /dev/; mknod route c 36 0". Minor number 3 is used by the
firewall code to publish information about possible attacks (option
"IP Firewall packet netlink device"): "cd /dev/; mknod ifn c 36 3"
(ifn is an arbitrary name). If you compile the kernel with this option
and mark rules with the -o flag, the first 128 bytes of each packet that
matches such a rule are passed on to optional user-space monitoring software
that can look for an attack. You need a special user program to read them,
of course.

2) TCP syncookie support
Compile it into the kernel and add
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
to one of your system's init scripts (rc.local).
This option mitigates "SYN flooding" attacks: once the listen queue is full,
the kernel answers new SYNs with a specially computed sequence number instead
of keeping state for each half-open connection, so legitimate clients can
still get through.


3) Ethertap network tap
mknod /dev/tap0 c 36 16
User space program will be able to read/write raw ethernet frames
from/to that special file. You can configure the device with ifconfig
like any other ethernet device. However, there is usually no need
for this.

4) IP: Always defragment
Include this to have a more reliable firewall: packets are reassembled before
the filter rules see them, so an attacker cannot split the TCP/UDP header
across fragments to slip past port-based rules. Check the help page in the
kernel documentation first; it is also needed if you use IP masquerading.


Next article: Setting up an IPMasquerading system on Linux servers
(pronounced as: How can all my computers access the Internet via single
interface on the server)

dev
dev@net-security.org



X. Infection and vaccination
----------------------------

This week we have information on 2 new Trojans. Sorry it is really short this
week. Hopefully next time we will make up for it.


The first Trojan we have is BoBo. BoBo's client looks a lot like Back Orifice
1.20. Also it has most of the same Back Orifice 1.20 features with an addition of an
ICQ 99a password stealer. Unlike Back Orifice 1.20 it listens on port 4321 TCP. BoBo
would not infect our Windows 95 or NT machines, but here is the manual removal info
if you do get infected:

1. Open regedit and browse to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
then remove the DirectLibrarySupport value.

2. Reboot or close the BoBo server.

3. Finally browse to c:\windows\system and remove the DllClient.exe file.

The other trojan we have is Trojan Spirit 2001a. This trojan was released in a
beta version and then as 1.20. The beta version came with 3 different servers, each with a
different icon and a slightly different size. It has average features with a few
different password stealing ones. Here is the manual removal for the beta version:

1. Open regedit and browse to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
then remove the Internet value. Also remove the run=c:\windows\netip.exe line from win.ini
under the [boot] section.

2. Reboot or close the Trojan Spirit 2001a server.

3. Finally browse to c:\windows\ and remove the netip.exe file.

Here is the manual removal for the 1.20 version:

1. Open regedit and browse to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
then remove the SystemTray value.

2. Reboot or close the Trojan Spirit 2001a server.

3. Finally browse to c:\windows\ and remove the windown.exe file.

zemac
zemac@dark-e.com
http://www.dark-e.com



XI. More from the ACPO front
----------------------------

Hi again...

I'm honored to be allowed to tell you a bit more about ACPO
[http://www.antichildporn.org] and our future...

This weekend, we will be traveling to deliver a presentation to our
first political group, http://WWW.mntaxpayers.org/#Moorhead Conference.
I'll fill you in on more of the details next week.
BTW .. just a little note here about politics, we do not support any
political group, just the stopping of child abuse and child porn on the
internet.. Some people are concerned with our involvement in governments
and their politics. But please tell me a way to stop this injustice
without involving ourselves in politics and the law!

We are just beginning to plan our first European tour--roughly in the
October/November time frame. While we know the places we must visit, we
are open to your suggestions, as to places we might have an opportunity
to tell our story, and recruit Euro. members. Please eMail me at
natasha@infovlad.net if you have suggestions or ideas.

On the home front, ACPO will be attending the Techno-Security & Disaster
Prevention '99 Conference. http://www.thetrainingco.com/Agenda-99.html
Plans are being made to develop additional approaches in assisting law
enforcement to identify and successfully prosecute child pornographers.
We anticipate forming both public and private partnerships to further
this cause.

Thanks again to net-security.org for their support, and this forum to
express ourselves, and to keep you informed.

Natasha Grigori,
Founder antichildporn.org
thenatasha@mediaone.net



XII. Freedom of speech - related incidents
------------------------------------------

*******************************************************************
Both free speech rights and property rights belong legally to individuals, but their
real function is social, to benefit vast numbers of people who do not themselves exercise
these rights.
- Thomas Sowell

*******************************************************************

Every day the battle between freedom and repression rages through the global ether.
Here are this week's links highlights from NewsTrolls(http://www.newstrolls.com):

- 8/13-15-99:

512 bit RSA keys are
<http://www.businesstoday.com/techpages/encrypt08131999.htm>
no longer secure...

Australia legalizes
<http://www.dcita.gov.au/cgi-bin/trap.pl?path=4189>
reverse engineering for software...

- 8/16/99:

The US government wants your keys....
<http://www.fcw.com/pubs/fcw/1999/0816/fcw-newsencrypt-08-16-99.html>
Attempt #2...

The assumption:
<http://www.hackernews.com/orig/crypto.html>
Privacy is power therefore it must be regulated

- 8/17/99:

The coming Internet generation
<http://asia.yahoo.com/headlines/170899/world/934856400-90817022014.newsworld.html>
of Arab leaders...

"But in the long-run Salama Ahmed Salama, a columnist with the Egyptian newspaper Al-Ahram,
expects younger Arab leaders to introduce democratic changes because they cannot resist ideas
spread through modern communications. "You cannot act like (you're still in) the 15th
century," Salama said. "The new generation of leaders will be forced to adapt itself to new
norms of government and democracy." An Arab League official described the newcomers and those
waiting in the wings as "the internet generation," who want to open to the West and share in
the wealth created by new technology."

In China, 19-year-old, Wang Yingzheng, being tried behind closed doors with NO representation
<http://www.insidechina.com/news.php3?id=85970>
for writing an article...

"Wang, who had just graduated from high school, was detained by police on February 26 as he
attempted to copy a leaflet he had written that condemned the central government for its
inability to wipe out corruption. "Many Chinese are discontented with the government's
inability to squash corruption. This is largely due to a lack of opposition parties in China
and a lack of press freedom," Wang reportedly wrote in his leaflet."

- 8/18/99:

New tech would let police
<http://www.apbonline.com/behindthebadge/1999/06/04/radar0604_01.html?s=WallsGlasses_247>
see through walls...

East Timor Threatens Indonesia with Cyberwar...
<http://news.bbc.co.uk/hi/english/world/asia-pacific/newsid_423000/423549.stm>
A 100-strong team of hackers from North America and Europe is creating viruses to
target the country's banking and military systems, to be launched if Indonesia's
military engages in electoral fraud...

Chinese web sites have been ordered to
<http://www.scmp.com/News/China/Article/FullText_asp_ArticleID-19990818025051546.asp>
remove their links to foreign sites to prevent "invasion by hostile forces"...

"The Guangzhou-based New Evening Express reported yesterday that a new department, the China
Network Security Management Centre, had been set up to strengthen the mainland's defence
against hackers. The paper said the Ministry of Information Technology and Telecom Industries
had developed software which could "effectively shut out the hackers"."


In just one week...

diva aka Pasty Drone
NewsTrolls, Inc. , http://www.newstrolls.com
pastydrone@newstrolls.com



XIII. Intrusion and detection
-----------------------------

So you think you're being attacked. You've got your intrusion detection
systems running, and you've seen something in the logs that shouldn't be
there. Well, what now? What is the best way to respond to an incident?

This article is geared primarily toward the home user or small business.
The assumption is made that the user already knows a little about system
security and intrusion detection; if not, I recommend the following:

http://www.technotronic.com/unix.html
http://www.nwo.net/security/tools.html
http://xforce.iss.net/maillists/ (the IDS mailing list)
http://www.infotech.jyu.fi/~jej/nt-links.html
http://www.hill.com/TechLibrary/ntsecurity.html

Read up on intrusion detection, get some experience with it, and then read
this.

Response to an intrusion starts before the intrusion begins. The first
step lies in determining what it is you're looking for, and what it is you
care about -- for instance, if you know you're not running a web server,
you might not care about failed connections on port 80; successful
connects on port 31337, on the other hand, may be particularly
interesting if you're running a Windows machine. Once you have a good
idea of what's important to you, you're prepared to respond to an
intrusion. Second, find out who to contact at your ISP if you're under
attack. Most ISPs have an abuse mailbox; some even have a security
mailbox. It's a good thing to know ahead of time who to contact at your
ISP; they can often be your first line of defense. The third thing you
should do is find a good place to store your logs; most intrusion
detection systems come with a default log storage location. Make sure you
save logs when you're under attack -- there's very little that can be done
without them if you have to escalate the situation to your ISP or the
attacker's.

So. You've found something in your logs that doesn't look right. What
now? The first step is to look at the logs and find out exactly what you
see in there. What service is affected? Unix/Linux users can look in
/etc/services for a list of common ports and their associated services;
those lists are also easily found on the web via your favorite search
engine. What is the attacker trying to do...or what has he already done?
If I see an entry in my logs that's unfamiliar to me, I find it easy to
cut'n'paste the line into a search engine (I use http://www.altavista.com/
and http://www.google.com/) and look through what turns up. Who is the
attacker? Is it coming from a bunch of different IP addresses all at
once, or just one? If it's coming from many IP addresses, you're probably
under a denial of service attack; contact your ISP's abuse department, if
this is the case (there -are- ways to deal with a DoS yourself, but
chances are if you're able to do that, you don't need me telling you how).
If it's all coming from just one address, and it is not a denial of
service attack, it's time to find out a little bit about who this is
trying to get into your system (or who has already compromised your
system).

As a note -- some attacks, especially most denial of service attacks, are
conducted from a spoofed source IP address; however, most actual intrusion
attacks, in which someone attempts to gain access to your computer, are
not run from a spoofed source; the reason for this is that attackers using
denial of service attacks don't need to see the responses from the victim
computer, while in most cases, actual intrusion attempts cannot be done
'blind' (without seeing the responses from the victim computer -- this
-is- possible, but not common). If an attacker uses a spoofed source IP
address, then when the victim computer responds to the packets the
attacker sends, the responses will go to the spoofed address...not to the
attacker. This is not always the case...but it's a good rule of thumb.

Now to find out who's doing the attacking. The first step -- do a reverse
lookup on the IP address (nslookup, or 'host' and 'dig -x' where you have
them) and find out who it is. Keep in mind that the PTR record is set by
whoever controls the address block, so treat the name as a hint rather than
proof; the whois and traceroute steps below are the cross-check. If it's a dialup
machine from one of the major ISPs out there, your best bet is to contact
the ISP in question. I generally try to find that ISP's web page and look
through it for their Acceptable Use Policy/Terms of Service/whatever;
often an ISP will list an email address for abuse complaints. If it does
not, I suggest mailing abuse@whoever.isp and copying support@whoever.isp.
If you're sending mail to an ISP, I recommend against copying postmaster,
root, hostmaster, webmaster, and every other name you can think of, unless
both abuse and support bounce and you can't find the correct address on
the company's web page. It tends to annoy the ISP receiving the
complaint...and you want them on your side. Include your logs; the ISP
can't do much without them. I would also copy your own ISP's abuse
department on the mail, in case you later need their help. See below for
a sample letter template when mailing an ISP.

If the attacker is not an ISP's dialup user, but is coming in from a
machine with its very own DNS name, such as jojo.example.com, then you
have two options. The first is to send mail to your ISP and let them
handle it. The second is far more interesting -- find out some
information about the machine in question. Please note that this by no
means implies 'hacking them back' -- generally a bad idea which is likely
to get -you- in trouble. First, to give you an idea of what the attacking
system is like, try doing the command 'finger @jojo.example.com'. This is
not a conclusive step, but if jojo.example.com is running finger and is
allowing incoming connections, it may tell you who's on the system right
then. It's one piece of information to use. Another is whois -- do the
command 'whois example.com' (or, on machines without a 'whois' command,
go to http://www.networksolutions.com/cgi-bin/whois/whois/). That will
give you contact information; more to work with. As a further step,
http://www.arin.net/whois/ will give you additional information (look
things up by IP address, though, not by name). Traceroute will give you
their upstream provider -- do 'traceroute jojo.example.com' (or, on a
Windows machine, 'tracert jojo.example.com'). At this point, I go back to
the web. See if example.com has a web page -- what's it like? Are they a
business? Are they a group of hax0rz bragging about their sploits? Do a
search on the names you pulled off finger and whois -- get a feel for
who's on the other end. Go by your gut feeling; if you mail a complaint,
will the administrator of the box help you or hack you? At this point you
make an educated decision: you can mail postmaster@example.com with your
logs, and ask him to look into the situation...or you can mail
example.com's upstream provider. Either way, copy your ISP's abuse
department, just in case their help is needed later.

But what if you mail postmaster@example.com, and no one replies? What if
you don't trust that postmaster's going to help, but don't want to involve
the upstream provider yet? What if you think that jojo.example.com has
actually been hacked, and is being used as a launch point? There are a
number of ways to find out what kind of system you're dealing with.
Despite popular opinion, having finger running doesn't necessarily mean
the machine is not secured; you can try other methods. Keep them
above-board, though -- while telnetting to port 25 may get you some very
interesting information, it may get -you- in trouble. Likewise with nmap
scans -- they give you a lot to work with, but many administrators would
view an nmap scan as an attack (or at least a prelude to an attack). I
would suggest http://www.netcraft.com/ -- it's a site that scans hosts to
see what kind of web server they're running. Go over there and type in
example.com -- is it running an ancient default version of Apache on
Linux? Then there's a very good chance that jojo.example.com is wide
open, own3d, and being used as a launch for attacks. If this is the case,
I'd mail postmaster@example.com once again, and at the same time notify
his upstream ISP -- not to get him in trouble, but because they will have
means to contact the administrator.

When mailing your ISP or the ISP of the source of the attack on your
system, be polite. As I'd said earlier, you -want- them on your side in
the event of an attack. As a possible template:

----------------------------------------------------------------------------
To : postmaster@example.com
Cc : abuse@your.isp,abuse@upstream.isp,support@upstream.isp
Attchmnt:
Subject : Unauthorized access attempt
----- Message Text -----

To whom it may concern:

I noticed a number of entries in my log files starting at <when the attack
started> and lasting until <when the attack ended>. It appears that
jojo.example.com has been attempting to use <whatever attack the attacker
was trying to use> against my system. I have included the log files in
question below in plain text format. I would appreciate any help you
could give me in stopping the source of these access attempts on my
system. Please contact me if I can be of assistance.

<attach the log files here, in plain text so you can be assured that the
ISP can read them>

----------------------------------------------------------------------------
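What the procedure above amounts to is: pull the attacking source addresses out of the logs, work out which services were hit, decide whether you are looking at one attacker or at many (possibly spoofed) sources, and turn that into the facts the template asks for. The following is an added example, not code from this article: a Python script that does this triage over a handful of constructed kernel log lines in the format ipchains writes for rules given -l (as syslog records them; the addresses are documentation ranges, not real attackers) and over a constructed /etc/services excerpt. The thresholds (four distinct ports for a scan, five distinct sources for a flood) and the assumed year 1999 are choices of this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed log lines in the format the kernel emits for ipchains rules given -l,
# as syslog records them (documentation addresses, not real attackers).
SAMPLE_LOG = """\
Aug 20 03:14:07 gw kernel: Packet log: input DENY ppp0 PROTO=6 10.0.0.5:2031 195.207.35.4:21 L=60 S=0x00 I=4111 F=0x4000 T=50 SYN (#4)
Aug 20 03:14:07 gw kernel: Packet log: input DENY ppp0 PROTO=6 10.0.0.5:2032 195.207.35.4:23 L=60 S=0x00 I=4112 F=0x4000 T=50 SYN (#4)
Aug 20 03:14:08 gw kernel: Packet log: input DENY ppp0 PROTO=6 10.0.0.5:2033 195.207.35.4:25 L=60 S=0x00 I=4113 F=0x4000 T=50 SYN (#4)
Aug 20 03:14:08 gw kernel: Packet log: input DENY ppp0 PROTO=6 10.0.0.5:2034 195.207.35.4:110 L=60 S=0x00 I=4114 F=0x4000 T=50 SYN (#4)
Aug 20 03:14:09 gw kernel: Packet log: input DENY ppp0 PROTO=6 10.0.0.5:2035 195.207.35.4:31337 L=60 S=0x00 I=4115 F=0x4000 T=50 SYN (#4)
Aug 20 03:20:41 gw kernel: Packet log: input DENY ppp0 PROTO=6 172.16.4.4:1104 195.207.35.4:31337 L=60 S=0x00 I=902 F=0x4000 T=112 SYN (#4)
Aug 20 03:20:44 gw kernel: Packet log: input DENY ppp0 PROTO=6 172.16.4.4:1105 195.207.35.4:31337 L=60 S=0x00 I=903 F=0x4000 T=112 SYN (#4)
Aug 20 03:20:47 gw kernel: Packet log: input DENY ppp0 PROTO=6 172.16.4.4:1106 195.207.35.4:31337 L=60 S=0x00 I=904 F=0x4000 T=112 SYN (#4)
Aug 20 04:02:10 gw kernel: Packet log: input DENY ppp0 PROTO=6 203.0.113.7:3312 195.207.35.4:80 L=40 S=0x00 I=1 F=0x0000 T=64 SYN (#4)
Aug 20 04:02:10 gw kernel: Packet log: input DENY ppp0 PROTO=6 198.51.100.9:3312 195.207.35.4:80 L=40 S=0x00 I=1 F=0x0000 T=64 SYN (#4)
Aug 20 04:02:10 gw kernel: Packet log: input DENY ppp0 PROTO=6 192.0.2.44:3312 195.207.35.4:80 L=40 S=0x00 I=1 F=0x0000 T=64 SYN (#4)
Aug 20 04:02:11 gw kernel: Packet log: input DENY ppp0 PROTO=6 203.0.113.80:3312 195.207.35.4:80 L=40 S=0x00 I=1 F=0x0000 T=64 SYN (#4)
Aug 20 04:02:11 gw kernel: Packet log: input DENY ppp0 PROTO=6 198.51.100.201:3312 195.207.35.4:80 L=40 S=0x00 I=1 F=0x0000 T=64 SYN (#4)
"""

# Constructed excerpt in /etc/services format.
SERVICES = """\
ftp             21/tcp
telnet          23/tcp
smtp            25/tcp          mail
http            80/tcp          www www-http
pop3            110/tcp         pop-3
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: Packet log: "
    r"(?P<chain>\S+) (?P<verdict>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+)")
PROTO_NAMES = {"1": "icmp", "6": "tcp", "17": "udp"}


def load_services(text):
    """Map (port, proto) -> service name from /etc/services style lines."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and "/" in fields[1]:
            port, proto = fields[1].split("/", 1)
            table[(int(port), proto)] = fields[0]
    return table


def parse_line(line):
    """Fields of one TCP/UDP log line, or None for lines in another format (e.g. ICMP)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    # syslog omits the year; 1999 is assumed here so that timestamps can be ordered
    ev["ts"] = datetime.strptime(ev["ts"], "%b %d %H:%M:%S").replace(year=1999)
    ev["proto"] = PROTO_NAMES.get(ev["proto"], ev["proto"])
    ev["dport"] = int(ev["dport"])
    return ev


def triage(log_text, services, scan_ports=4, flood_sources=5):
    """Summarise who hit what, and flag the many-sources-one-service pattern."""
    events = sorted(filter(None, map(parse_line, log_text.splitlines())), key=lambda e: e["ts"])
    by_src, by_service = defaultdict(list), defaultdict(set)
    for ev in events:
        by_src[ev["src"]].append(ev)
        by_service[(ev["dport"], ev["proto"])].add(ev["src"])

    def name(key):
        return services.get(key, "port %d/%s" % key)

    report = {"sources": {}, "flood": []}
    for src, evs in by_src.items():
        keys = sorted({(e["dport"], e["proto"]) for e in evs})
        if len(keys) >= scan_ports:
            kind = "port scan"
        elif len(evs) > 1:
            kind = "repeated connection attempts"
        else:
            kind = "single probe"
        report["sources"][src] = {"count": len(evs), "first": evs[0]["ts"], "last": evs[-1]["ts"],
                                  "services": [name(k) for k in keys], "kind": kind}
    # Many distinct sources against one service is the denial of service pattern the
    # article describes; those addresses may well be spoofed, so this goes to your own
    # ISP's abuse department rather than to each apparent source.
    for key, srcs in by_service.items():
        if len(srcs) >= flood_sources:
            report["flood"].append({"service": name(key), "sources": len(srcs)})
    return report


def complaint_summary(report, src, target="my system"):
    """The sentence the template asks for, filled in from the triage result."""
    s, fmt = report["sources"][src], "%b %d %H:%M:%S"
    return ("I noticed %d log entries starting at %s and lasting until %s. It appears that %s "
            "has been attempting a %s against %s (services: %s)."
            % (s["count"], s["first"].strftime(fmt), s["last"].strftime(fmt),
               src, s["kind"], target, ", ".join(s["services"])))


if __name__ == "__main__":
    rep = triage(SAMPLE_LOG, load_services(SERVICES))
    for src, s in rep["sources"].items():
        print(src, s["kind"], s["services"])
    print("flood:", rep["flood"])
    print(complaint_summary(rep, "10.0.0.5"))
```

The output for 10.0.0.5 (five ports in three seconds, including 31337) is what you paste into the template, together with the raw lines; the five single SYNs to port 80 from unrelated addresses are the case the article tells you to hand to your own ISP instead.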

An attack doesn't have to be a crisis, and it shouldn't be an event that
leaves you lost and panicked. There are appropriate ways to respond to
intrusions and intrusion attempts.

/dev/null
null@fiend.enoch.org



XIV. Guest Column
-----------------

This weeks guest column is by Attrition.org's cult hero on, yes, Attrition.org

Attrition is not just a dark and clever name, oh no. What started out as
a bare bones web site receiving less than one thousand hits a month, has
now blossomed into a unique and valuable archive of security information.
With the recent criticism of "security portals", Attrition has continued
to stay at the opposite end of the spectrum, acting as a security *content*
site. Perhaps one of the most difficult aspects of maintaining a base of
reference material is finding high quality reliable sites that fit your
needs. Attrition strives to meet that goal. Some of the resources we offer
free to the public:

Security Advisory Library: Currently over 1,900 security advisories providing
details on security holes, exploits, viruses and more. These range from
the original CERT advisories to more recent ones by companies such as eEye,
Redhat, and Microsoft.

Text Archive: Modify's collection of over 18,700 text files dating back to
the early '80s. Ranging from hacking information, security texts, credit fraud,
internet RFCs, cellular, e-zines and more, the files here offer information
on just about any subject you can imagine.

Crypto Archive: Wrlwnd's cryptography archive contains almost 2400 files
and utilities covering every aspect of cryptography, cryptanalysis and
more. Essential tools to privacy such as SSH and PGP can be found here.

Defacement Mirror: Headed up by McIntyre, this mirror archives the results
of over 2000 web pages that have been altered by intruders over the last
five years. Providing a telling portrait of 'hacker' activity, the mirror
cross references related hacks, groups and more.

Denial of Service Database: Perhaps the largest database of its kind, the
DoS DB catalogs information on hundreds of denial attacks. Each attack
is cataloged by the operating system or protocol it affects.

Newbie Track: For those new to the field of security but looking to get a
feel for it, the newbie track offers lessons in unix, penetration technique,
and security. Each lesson is written with the beginner in mind, and builds
on previous lessons.

More: The resources listed above are the foundation for the Attrition
project. These are by no means a complete or exhaustive list. The site
caters to those interested in art, music, fiction and more. With daily
updates to various sections of the site, this resource is sure to come
in handy for your security needs.

cult hero
jericho@attrition.org
