Copy Link
Add to Bookmark
Report
Default Newsletter Issue 07
Default newsletter Issue #7
http://default.net-security.org
19.10.1999 Help Net Security
http://www.net-security.org
TABLE OF CONTENTS
-----------------
I. Editorial
II. Default mirrors
III. Defaced pages
IV. 5 reasons why your Mac is safer than wintel
V. Setting up a great desktop Linux
VI. How to make safe Windows 95 based server
VII. Apple Power Mac G4
VIII. Web based encrypted e-mail (critic and the response)
IX. More from the ACPO front
X. Welcome to the wonderful world of cellular phreaking
XI. Unix logging and auditing tools
XII. Freedom of the speech related incidents
I. Editorial
-----------------
Hey again. After another box of Marlboro lights (bless them:) texts are re-formated
and you are reading new issue of Default newsletter. Three weeks passed since the
issue no. 6, but we were busy on redoing HNS. If you don't know 26.10.1999 is
our first anniversary, and HNS will change a little (on the better ofcourse:)
We have four new mirrors and lot of new subscribers. If you don't know
HNS/Default webboard is open now. Do join the discussions or give comments and
ideas in the following URL:
http://net-security.org/webboard.html
Enjoy reading,
For the HNS and HNS Default Crew:
Berislav Kucan
aka BHZ, webmaster Help Net Security
bhz@net-security.org
Xander Teunissen
aka Thejian, co-webmaster Help Net Security
thejian@net-security.org
Subscribing information:
mail majordomo@net-security.org with a message in the body "subscribe news youremail"
II. Default mirrors
---------------------
http://www.nwo.net/default
http://www.403-security.org/default
http://www.monitor.hr/security/default
http://www.attrition.org/~modify/texts/zines/default
http://www.projectgamma.com/archives/zines/default
http://www.dark-e.com/default
http://ech0.zort.org/default
http://www.deepquest.pf/default
http://hns.crolink.net/default
http://tlsecurity.com/e-zines/
http://default.aviary-mag.com
http://packetstorm.securify.com/mag/default
If you mirror Default, please inform us, so we could add you to the list.
III. Defaced pages
-------------------
Mirrors thanks to Attrition (www.attrition.org)
Site: State of Arizona (www.state.az.us)
Mirror: http://default.net-security.org/7/www.state.az.us.htm
Site: China Material Technology Research Center (chimeb.edu.cn)
Mirror: http://default.net-security.org/7/chimeb.edu.cn.htm
Site: Viacom Brazil (www.viacom.com.br)
Mirror: http://default.net-security.org/7/www.viacom.com.br.htm
Site: Department of Electronics, India (www.doe.gov.in)
Mirror: http://default.net-security.org/7/www.doe.gov.in.htm
Site: NOAA Climate Monitoring & Diagnostics Laboratory (luey.cmdl.noaa.gov)
Mirror: http://default.net-security.org/7/luey.cmdl.noaa.gov.htm
IV. 5 reasons why your Mac is safer than wintel
----------------------------------------------------
I know that's an old story, an old flame opening.Well but it's a sad reality
that wintel can't admit, or is that mac users that are wrong?All following
descriptions consider that you don't have an anti virus or firewall, just
default configuration without any update patchs.
1-Virus
Mac user are also affected by virus.But there's something I always like to
do to compare the number of virus in the virus list description...Around
18,000 on windows, around 75 times less on Mac.Just a fact:-)Why that?
Main reason is that it's hard to code sophisticated virus.The best actuality
just can read your internet preference file and forward to an email account,
or corrupt files but can't affect hardware.On wintel the virus can deeply
affect your computer, in the worst case you can even thrash your motherboard
which was the case of virus like CIh.The kind of affections are also very
different (thank to the OS) they're 3 main types of virus on wintel:
*Affecting files: injecting code in a file or a exe (*.exe, *.com etc...)
they're resident in memory.
*Affecting boot sectors: no mater if the disk contains the operating system
or not you'll have to reinstall everinthing in most case.Usualy the first
sector (face ?, track ?,sector 1)
*The trojan: they allow a remote person to do anything on the computer.It's
not dangerousat all, it's only the use that the person will do with it.It's
different.
On mac you won't find any trojan with such controle on your system.The only one
that could look like a netbus or back orifice would be WDTech
(http://weedo.blackout.org/WDTech_RAE_ReadMe), it's still buggy in ver 1.2b1.
But the other problem for potential attacker is that you can't insert code in
a mac a existing software.Many software allow u to hyde code in a simple jpg file
2-Default settings.
well from registry, to network shares windows 9* (less with NT) has more
holes than a swiss cheese.I could say a lot but the just read bugtraq.
3-Burst the stack.
Denial of Service attack against a mac are highly difficult thanks to the
open transport structure (macOs tcp/ip interface).Who never had fun with
poor port 139 open?Of course you could patch but for common users it was
not so important.Even syn flood attack doesn't bored that much open transport.
I drove very badly my mac from other OS with DOS tos.From wintows network hack
toys, to linuxppc network toys.I never had to restart my computer.
"I sense much NT in you.
NT leads to Blue Screen.
Blue Screen leads to downtime.
Downtime leads to suffering.
NT is the path to the darkside."
- Unknown Unix Jedi*
4-Most reliable OS to run a webserver.
I know I could easily use of us army website who switch to webstar running on
MacOs, damm I did!Most hacked sites were running NT server according to
Attrition**.It's very safe, I didn't say unhackable but the safest.The only
reported site running Mac system (MacOSX)was the only one for along time,
whereas 82 servers where repported for the month of september.MacOs X with
apache server allow more hit (connexions) on a site than regular MacOS so for
forget the argument saying that MacOs based webserver can server less
connexions.It was more or less true...but in the past.Another interesting
fact is that if you plan to run a webserver on win95 (yes some are doing it!
look netcraft.com) don't forget that you have to restart it every 45 days it
can't stay on-line more.
5-Y2K issues?Think Y3K!
Y2k is very "a la mode" word for several reasons.First it's a good business
for many companies around the world.Then it can be the total chaos for wintel
box, even if simulations in great companies were done very often since past
months, even if they applied 10,000 patchs it remains just a simulation.Not
only wintel computers or software are potential source of issues, Unix also
even if their chaos day will later on 1 jan 2047.MacOs is y2k compliant since
1984 and compliant till year 29,940...
"We may not have got everything right, but at least we knew the century
was going to end."
-Douglas Adams
According to information week (http://www.techweb.com/se/directlink.cgi?IWK19980525S0037 )
the Y2k software fiw will cost $ 600 billions.Well at that price you can
get 500,417,014 iMacs at $1199 each, if you place this order I'm sure you'll
get a discount.
deepquest had an injection of MacOs when he was 9 years olds, 18 years later
he's a sys admin who'd pay to work on MacOs X.
--Deepquest
Patience is key to knowledge
deepquest@default.net-security.org
credits:
Unknown Unix Jedi*: riped from http://www.attrition.org/quotes/msoft.html
** hacked OS stats attrition : http://www.attrition.org/mirror/attrition/os.html
V. Setting up a great desktop Linux
-----------------------------------
The problem: as most Linux distributions do not have predefined graphic
interface, which looks nice by default, few common misinterpretations
appear:
1) Linux does not have a complete, good looking graphic interface (GUI)
2) Setting things up requires a lot of work
Well, how is the X system designed?
The base of the GUI is the X server, that is, an appropriate binary
file for your graphic card. Those binaries usually reside in /usr/X11R6/bin/
and are named XF86_xxxx, where ``xxxx'' is the specific server. Which
server to start is determined by a file ``X'' which is a symbolic
link to some of the real server binaries. SO, the symbolic link ``X''
is located in /etc/X11 (or in /var on SuSE machines). Let's say we
have a XF86_VGA16 server (the compatible one for all VGA cards) in
the /usr/X11R6/bin. To specify to run it, one has to issue
``cd /etc/X11; rm X; ln -s /usr/X11R6/bin/XF86_VGA16 X''
An X server cannot be started without the proper config file, /etc/XF86Config.
As this file usually needs changes before it becomes useful, ``XF86Setup''
binary is provided. Run that command and select the parameters you
want. Changes will be saved upon the exit, and you will have your
X server configured. If it doesn't work, you may manually modify XF86Config,
or create a symbolic link manually, as described above.
When the X server is started, a specific ``windowmanager'' is invoked.
Windowmanager is actually Xserver client. Few good ones are icewm
(gnome based), kwm (part of KDE), and WindowMaker. To say which windowmanager
to run:
on SuSE Linux: set WINDOWMANAGER environment variable to the filename
of the wm, i.e.
export WINDOWMANAGER=''/usr/X11R6/bin/icewm''
on Debian Linux, edit the .xsession file:
icewm
On RedHat, edit the .xinitrc file.
Recently, we have seen so many GUIs on Linux, and now its the problem
to choose one. When you count all the windowmanagers, their themes
and more, it looks like a big mess and you end up confused. This document
will try to give you an idea. As a perfect desktop I see icewm windowmanager,
supported by Gnome and KDE applications. KDE itself has its own kwm
windowmanager, but it just takes too much resources to load it, and
I am not quite satisfied with its design (kwm is Windows95-like, enhanced
environment). On the other hand, Gnome's Enlightenment windownamanager
just isn't a good choice for unified environment. icewm is very fast
and small, and has all the nice features like Themes (which completely
change your screen, not just colors), keyboard shortcuts (alt+tab),
system and network load meters in taskbar etc.. I would also prefer
Gnome over KDE apps. since Gnome is more unix-like, but KDE developers
have a huge number of GUI-ported or newly created applications, which
do promise.
Gnome is based on gtk (Gimp ToolKit), and KDE works on QTlibrary, set
of widgets from Troll. Since Xserver supports multiple widget types,
that is not a problem, old applications which do not have modern interface
still work with old Athena widgets:) Gnome has its own setup system,
control panel like, but the changes do not affect non-gnome based
applications. An advantage of kwm is that, after you set the colors,
design etc., it gives unified look and feel for all the applications
and windows.
XFree86 X Server isn't designed very well. Besides it has some limited
keyboard options compared to the console, it does not handle anything
except the graphics and X servers are rather messy. The things began
to change, new 3.3.5 server has support for more graphic cards, S3
Savage4 server is contributed by the S3 itself (S3 bought Diamond,
btw..). The XF86 server version 4 should be a great enhancement, it
will, beside the other things, support servers as modules, but, rather
ironic, if XF86 continues with the same speed as they did by now,
we'll wait for it for a long time:) Also, they are to implement the
Xprint server, which will finally solve all problems with Linux printing.
Summary?
Yes, icewm, Gnome and KDE apps. Where to get it? Most of it is included
in modern distributions like SuSE 6.1, 6.2, RedHat 6.0, Debian 2.1.
If you don't have them, or want more recent packages from the Internet,
you can find them on many distribution sites (suse.com, redhat.com,
debian.org, kde.org, gnome.org, xfree86.org).
Also, this subject is getting more and more audience, so I will open
the ``screenshots'' section on www.net-security.org/linux.
dev@net-security.org , www.net-security.org/linux
VI. How to make safe Windows 95 based server
-----------------------------------
It is sad true that today there is a chance 1:10 that your box will be attacked
successfully.Web admins try to protect their boxes on these ways:
1) Buying an expensive hardware firewall
2) Setting Windows NT firewall
3) Using Linux box as firewall
4) Using Mac so they confuse attackers
First choice is the worst one, because:
1) It gives you illusion that, because of its price, you are safe from all attacks.
2) Upgrades are hard to obitan and often hard to install
3) Next three choices are better :)
Second choice has its own flaws:
1) As in 1) for hardware firewall
2) Microsoft is lazy
3) There are cheaper things than Windows NT
Third choice is the best but:
1) It is to complicated to manage it if you are not properly educated and even
then your box can be compromised (Symatec etc).
Fourth choice is the second after the third one but:
1) There are only few Mac that serve as servers so public doesnt know about
its flaws yet.When ratio of Macs installed as server will be grater more
exploits will be known.
In my opinion third choice is the best one but as I said it is to complicated to
be managed by newbie user and it wont do you any good.If you dont know
what hit you and how to stop it, whats the use?So, the best thing you can
do is to use OS and software that you are familiar with and that is
Windows 95 (OSR2, 98...its all the same).
Why?
You should do that way, because:
1) It is cheaper than Windows NT, Mac or hardware firewall
2) It is not so complicated as Linux
3) There are lots of shareware that can do what you want them to do
You shouldnt do that way if you want that your box is:
1) Online store
2) Mission critical server
3) receiving lots of visits pro day
4) You do something important and your reputation is also very important to
you.
Soooo, lets go!
Things you will need:
Windows CD.I prefer Windows 95 OSR 2 and not Windows 98.
2-4 boxes.One based on at least PI 233 and other to can be based even
on 486/120.Ram is critical here.For server 64 and for other 16-32.
Now for the schemes:
a) Fairly great security
Firewall
I
Firewall
I
Watcher----------------------Web server
b) Great security
Firewall
I
Watcher----------------------Web server
c) Fair security
Web server
Watcher---------------------- &
Firewall
Instruction will be made for Fairly great security scheme with apendix for
other two.
Preparation:
First you need to install Windows on all boxes.In order to cut expenses you
have two choices:
1) Buy used Windows CD.It is not important if they are 95, 95 OSR 2 or 98
so you can try at 95.Those CD should be seld for bargain, because people
are just crazy about 98 and the dont notice that those two things are
practically the same.
2) Download security and other software from Internet.If you have CD reco-
rder put it on CD-R so you dont need to look after them every time you
need something.If your software is more than 1 month old check web
site for new versions.You will need:
a) Rebol.This fantastic scripting language provides you with easy-to-learn
easy-to-use interpreter that has inbuilt net tools.Download it from
www.rebol.com.
Caution! There are a very big possibility that this scripting interpreter
doesnt work on Windows 95 OSR 2, version German.
b) Two firewalls.First I recommend Conseal Firewall (Net Security
approved :).Second one obtain from www.hotfiles.com or
www.tucows.com.Why two different firewalls?You will remove
possibility that script kiddies will reach you Web server, because
they will usually give up the work when they see two firewall servers.
You will also reduce opened flaws in firewalls (flaws that are not yet
known).
c) If you cannot run rebol on you computer buy something like Delphi or
download dev c++.I discourage you from using VB, because it is
unstable and bloatware.
d) Web server.Go to www.hotfiles.com type in web server and find some-
thing free.It would be great if you could make program that will check if
web server is running and if not, it would start another one.
e) Antivirus and CRC checker.Antivirus that will not prevent you from
using it in the network and CRC checker like NS Watch that will
check boxes for their applications integrity and find new things
in windows.ini, system.ini, and registry run keys.
f) OS upgrades.The most needed OS upgrade is that one for Dial-Up
networking that has Winsock protected from OOB attack.It would
be a very stupid thing that your firewall fails in its mission, because
of OOB attack.
3) Basic netkit.Netkit from Gericom (German computer manofacturer)
consist from 5 port hub, 2xRJ45 3m cables and 2x10 MBit cards
costs about 80 DEM (= 45 U$D).If you are going to use 4 boxes you
will need one more kit but without hub.
4) Boxes:
a) Best:
Firewalls: PII 266, 64 MB, 8 GB HDD
Server: PII 350, 128 MB, 18 GB HDD
Watcher: PII 233, 64 MB, 8 GB HDD
b) Optimum:
Firewalls: PI 166, 32 MB, 2 GB HDD
Server: PII 233, 64 MB, 3 GB HDD
Watcher: PI 100, 32 MB, 1 GB HDD
c) Cheap:
Firewalls: PI 133, 32 MB, 1,6 GB HDD
Server: PI 233, 32 MB, 2 GB HDD
Watcher: 486/120, 16 MB, 850 MB HDD
It is very wise to use optimum configuration.Equipment can be damaged in
attacks (viruses especially) so you will reduce possible damage.
Setting up:
First install Windows on every box.Then configure hardware and net
properties.Be sure to SET PASSWORD on every place you can and that
those password are DIFFERENT and wordlist proof.After that install
firewall and web software.On every firewall set the same rules so that
it can hold attacks for a time.It is unwise to set, for example, on one firewall
to block just OOB and on other ACK flood, so when first is firewall is down,
because ACK the second will be because of OOB.Do not install on this boxes
anything unnecessary either software or hardware.The last thing you need to
set is Watch box.It is the brain of everything.Install antivirus so it checkes
other boxes harddrives on low priority (we do not want to stop the whole
process, because of the virus scan), then use something like ours
NS Watch to scan for possible changes in exes CRCs, system.ini,
win.ini and registry run keys.I will make a option in NS Watch that will
enable to save logs.You could also set a small BBS so you could check
logs from outside while you are not at the place.
How safe is it?
System with two firewalls will help you to evade attacks from script kiddies.
They are looking for easy entrance and if there are non (two firewalls) then
they will go away.Watch box will protect you from trojans etc.It is high priority
that you DONT OPEN ANY emails on these boxes.Rather set email server
on server box and then download it to distant box.Antivirus will try to find
and viruses but if you dont execute games and all unnecessary software
on System boxes you will not experience any problems.
Costs (estimated in Croatia):
2xPI 166, 32 MB, 2 GB HDD = 600 DEM
PII 233, 64 MB, 3 GB HDD = 500 DEM
PI 100, 32 MB, 1 GB HDD = 200 DEM
4xWindows 95 = 200 DEM
2xNetkit = 160 DEM
Web & Email server = free
Rebol interpreter = free
Delphi (for utiliy developing) = 200 DEM
Antivirus (good, net scanning enabled) = 200 DEM
_______________________________________
2060 DEM
For that money you can hardly get any good hardware firewall.
Appendix:
If you are to reduce hardware parts (less firewalls or none) that you are
reducing System security.Easy calucations.
Do not take this prices for good.I am sure that you can reduce fundings
but think yout it: for 2060 DEM you can buy just one new computer.
Of course aboves prices for boxes are without monitor.You just need one
from you present box.
You can also set another services like news, or telnet but with them you
are making your box more vulnerable.
Conclusion:
As much as I tried to present you cheap Windows based configuration always
have in your mind somewhere that there is no such a Windows based
configuration as Linux based.However Windows boxes outnumber Linux
ones in maintance hours, logs trace hours etc.This configuration can serve
you for a long time and after you start to create a large amount of net traffic,
change it for Linux based, especially if you will try to set online store or
something like that.
For any comments contact me via goltha@net-security.org
Tomislav "Goltha" Petrovic
Net Security programer
goltha@net-security.org
VII. Apple dissapoints with it's delay - Mac G4
----------------------------------------------------
The top-of-the-line, 500-MHz version of Apple's Power Mac G4 -- originally
scheduled to ship in October -- may be delayed past Apple's current November
ETA because of outstanding performance issues, sources said.
Motorola's Semiconductor Product Sector in Austin, Texas, is reportedly working
to resolve "errata" that affect its new G4 processor when run at speeds of 500 MHz
or higher. And according to Motorola's own schedule, a fix isn't due until December.
Motorola released Revision 2.2 of its G4 processor this summer, followed closely
by Revision 2.6, which is shipping in the initial, 400-MHz version of the Power
Mac G4. Sources said -- and Motorola's Technical Support Hotline confirmed --
that both revisions 2.2 and 2.6 contain errata that can be avoided only by keeping
the processor speed below 500 MHz. Motorola tech support said that Revision 2.8
will fix this issue when it arrives in December.
Sources said that the problem -- which only arises when the G4 is run at speeds
of 500 MHz or higher -- can result in some corruption in the processor's data
cache. Motorola's recommended workaround is to enable the "GlobalWaitR" register
in the processor, which, while preventing
the problem, slows timing throughout the chip.
Motorola's Technical Support Hotline confirmed both the existence of the errata
and the workaround, which it acknowledged entails a "speed hit."
Although the G4 processors in shipping Power Mac G4s contain the errata, their
sub-500-MHz speeds keep them from encountering the corruption problem, sources
said.
Indeed, another source said, this issue might never evince itself in Macs, since
the OS doesn't manipulate data rapidly enough to cause the problem -- the glitch
would more likely effect more-efficient embedded operating systems. Even if data
corruption should occur, a source said, the result would be nothing more than a
system freeze, easily fixed with a restart.
"That kind of errata isn't unusual for new ships from any manufacturer," said
Keith Diefendorff, editor in chief of the Microprocessor Report in Sunnyvale,
Calif. He said that Motorola's warnings don't necessarily portend serious problems:
"Motorola, as a company, is relatively conservative, and they like to have everything
perfect."
Sources said Apple is telling a somewhat different story to its resellers and
customers. In a report to dealers last week, Apple reportedly noted "intermittent
shortages" of the 400- and 450-MHz Power Mac G4 systems and listed an "expected"
October ship date for the 500-MHz configuration. Sales staff at the Apple Store,
by contrast, said the top-speed model will be available by the end of November.
atlienz
atlienz@default.net-security.org
VIII. Web based encrypted e-mail (critic and the response)
-----------------------------------------------------------
If you are subscribed to ISN mailing list, you received this e-mail giving
out "paraonic" comments (who isn't at least a bit paranoid this days:)
We mailed Hushmail and gor their opinion on this post. So again we from
HNS didn't write this post or it wasn't written by us. We were just interested
in Hushmail comments to that post. You could read the original post and reply
to the post below.
Post:
-----------
Hi
If you value your freedom, only use hushmail for fun; don't say anything
you wouldn't say to a cop.
hushmail.com is claiming to provide strong encryption on email via a
web-based interface. You can only send encrypted mail to other hushmail
account holders, so people will obviously encourage their mates to join.
A very clever net--woven by the fish themselves?
Show me your friends...
Anyway I checked who is hosting the service . It was registered by
radiant.net who, on their home page, claim that hushmail is just a client
of theirs. Maybe, but then who owns the company? Safemail enjoys a big
link on the homepage, while lesser bodies such as Maxim Chemicals are
relegated to a list on another page. The other clients of radiant.net are
very interesting. It is a 'British' Columbia internet provider exclusively
for the 'corporate community'. Bear in mind the recent history of BC re
environmentalists particularly.
>From their 'about us' page:
"The corporate client needs a higher level of service and attention to
detail that is just not available from providers dealing with tens of
thousands of residential users. This dedication to the corporate community
is exactly the emphasis at Radiant and why Vancouver's businesses are
migrating to Radiant Communications."
Good buddies include:
B.C. Construction Association
New Westminster Police
Curlew Lake Resources Inc
D'N'A Military Import & Supply Inc
Georgia Pacific Securities Corporation
Hyatt Industries
Kerrisdale Lumber
Maxim Chemicals
Mineral Development Group
Pacific Metals Ltd.
Rubicon Minerals Corporation
Vancouver Condominium Services
and yes, the western canada wilderness comittee is in there too, but to me
that is no less corporate.
Well, call me paranoid if you like but it seems to me that it would be
very easy for a bunch of good buddy loggers and miners to get together
with the NW police and their extremely wealthy local internet experts (not
to mention the local redneck militia supplier) to provide this nice easy
crypto-mail service and erm... help out all the activists they love so
much.
Peer Review
A prerequisite for any encryption algorythm to be taken seriously is that
the source code be available for scrutiny by other cryptographic experts.
This is the only way ordinary folks can assure themselves that the thing
they use is actually secure. If many experts over a period of years have
been unable to mount aq sucessful attack on the encryption, then there is
a good chance that it is ok. There is too much to go into here, but
although hushmail's stuff is publicly available, I haven't found much peer
review (lots of advertising of course).
A good summary of some of the cons is at:
<http://www.counterpane.com/crypto-gram-9908.html#Web-BasedEncryptedE-Mail>
http://www.counterpane.com/crypto-gram-9908.html#Web-BasedEncryptedE-Mail
People I have corresponded with who are in the business of strong
encryption have confirmed my hunches. Anyone who knows anything about
security wouldn't touch this with someone else's computer, methinks. But
that's not who they are after, obviously. People need to be warned and we
need to find out more. It could well be bona fide, or at least
well-intentioned, but there is not enough information provided to know
that. As this can possibly be a matter of being imprisoned for some
people, I think warnings should be prepared and circulated, unless someone
with more knowledge than me can show it is as secure as pgp.
Any help appreciated. If you think this will do as a warning then feel
free to forward it to people you care about.
Andy
PS: Nearly forgot;
<http://www.radiant.net/>http://www.radiant.net/
Reply:
-----------
I'm really not sure what to think here... we've got the most secure web-
based email in the world, we offer it for free, we give our source code away
for free to everyone, we ask for all the crypto community to look at it, tear
it apart, find holes, or give their blessing, whatever....
and then we get a mail message like this, from a "privacy/security group",
saying "using HushMail is like talking to a cop".....
Perhaps you are fogetting that there are 100 million people out there using
*absolutely* no security on their web-based email. Many of them actually
care about their privacy, but the convenience of web-based email over-rides
their concerns. And, most of them haven't heard of HushMail. And if net-newbies
read unverified and untrue text about how "HushMail is probably
totally insecure", they'll go right on using their Yahoo!Mail accounts,
while Eshelon just keeps sucking their email up, databasing
it, for later search and retrieval. Somehow your article doesn't strike
me as "forward thinking privacy material"...
You might want to read our commentary on Bruce Schneier's crypto-gram (and
also his latest crypto-gram, in which he implies he doesn't have a problem
with our technology, but does dislike the mis-quoting going on in the press)
- it's linked off the "What's New" secion of our site:
http://www.hushmail.com/bruce_comments.htm
FYI, Radiant Communications is our bandwidth provider. They are also a
great bunch of people. Hush Communications Corporation is based in Anguilla,
also where the yearly Financial Cryptography conferences are held (which we
are sponsoring next year). If it makes you "feel" any better,
Vince Cate (a friend of mine who lives down the street here) is on our Advisory
Board... maybe you've heard of him, search on his name at wired.com if not,
since you seem to not trust "us". HushCom also has a large marketing subsidiary
in Austin, Texas, where I (and most of the other co-founders of Hush) are originally
from.
Sir, you can write whatever you feel like, but I might point out that a
lot of people who know a hell of a lot about security, privacy, and really care
about it, might think that slamming HushMail based on heresay and "Their Bandwidth
Provider also has <gasp> Police Web-Pages" a little less than good reporting...
If you're going to say something negative, try saying *exactly how* HushMail
isn't secure. If so, you might be surprised to find that we're happy to
hear about any potential security problems - and we fix them, and keep our *entire*
source code archive online, so all the truly interested can see the history and
development of HushMail.
Cliff Baltzley
Chairman, Hush Communications Corporation
IX. More from the ACPO front
------------------------------
Hi Ya'll,
Time for another update. I thought I would just send you this press
release for:
http://thetrainingco.com. We're looking forward to our presence there,
and we are sharing a booth with the people holding the Convention. If
you have any questions, feel free to mail me at natasha@infovlad.net
**********************************
CHILDREN: INNOCENCE EXPLOITED
Pedophiles, Child Phonographers and others who abuse, exploit and
victimizes children for their own selfish gain have turned
a once small criminal problem of a decade ago into monster of almost
immeasurable size. In 1994 a US study reported that
more then 450,000 pornographic images and files where available on the
Internet. Today that has grown to tens of millions!
Natasha Grigori, Founder of an Internet based group called the
Anti-Child-Porn Organization, states that "... with an estimated
500 million Internet users by the year 2000, technology has out striped
the global community ability defend against the
explosion of child pornography." Further Natasha claims "Pedophiles and
child pornographers are using the Internet to
facilitate their type of criminal actively; tracking and seducing
children, networking with other pedophiles, and as a medium
to exchange and sell for profit not only their product of banned child
pornography, but the children themselves."
The goals of The Anti-Child-Porn Organization is to educate the public
and politicians to this epidemic and the danger these criminals pose
to the collective social interest. To address the supply and demand
issues related to these illicit materials and to facilitate
co-operative
efforts between police agencies and other public interest groups,
world wide. Through the ACPO's web site, individuals can report
child-porn sites and news groups. These reports are then verified and
if confirmed, ACPO will use specialized software to trace the site and
report the findings to the appropriate law enforcement agency.
For further information please visit www.antichildporn.org
Thanks All
Natasha Grigori Founder ACPO
============================
Thanks for being 'Child-Friendly'
Natasha Grigori Founder
ACPO http://www.antichildporn.org/
mailto:natasha@infovlad.net
============================
X. Telecom 101 - Welcome to the wonderful world of cellular phreaking
----------------------------------------------------------------------
Hello and welcome once again. Well I guess this is the part where I explain
where this column has been the last couple of issues. Fact is I'm kind of busy
with a lot of other things and HNS main at the moment, but I've practically
finished a whole series of columns for the upcoming issues, so not to worry.
We'll be digging into the world of cellular phones a bit in upcoming
issues. This has several reasons. From the practical point of view (for me that
is) I can't discuss any other sort of telephony network specifically, because
of the amount of different systems used in the world today. Besides that, I want
to deal with some issues here which you guys and gals out there can actually try
out and use. Being international and all, we feel the need to cover international
standards first and when any of you feel the need to go further into a topic, just
let me know. Your wish is my command. For today, we'll start off with creating a
bit of understanding on the history and workings of GSM (you've got to learn how
something works before you can break it down :).
General oversight on GSM
Today probably the widest used standard in mobile telephony is GSM, which
was originally devised between 1982 and 1992 by the Conference of European
Posts and Telegraphs (CEPT) to create a more international standard in cellular
communications then all the systems which differed almost on a country basis.
he technology was also aimed at having a greater capacity, security and flexibility.
The name GSM was derived from the French name Group Special Mobile. Later, probably
to add a bit of the international touch, this was changed to Global System for Mobile
communication. It's probably the most widely used of the major teleservice technologies
used around the world. I came across claims of 120 million users worldwide in 120
countries, and it's hard to believe but with the speed at which these numbers are
growing (how many of your friends don't have one yet?) I'd say even these huge
numbers are getting outdated soon too. Because of this, the original goal of
setting Pan-European standard in telephony has been overachieved and
because of international roaming agreements between telecom operators, users can
nowadays often continue to use their mobile phones when in other countries . As
with almost all telecommunication services, GSM can be divided in bearer services,
teleservices, and supplementary services. The service for which it is known most
is of course the basic voice transmission teleservice we call
"making a (mobile) telephone call". :) Other services for example include
(with an additional fax adaptor) facsimile and SMS to name but a few, nowadays
you can even get your e-mail on your GSM!
The workings of GSM
A GSM MS (mobile station, here the mobile phone) uses a radio link which is
controlled (also by radiolink) by the BSS (Base Station Subsystem). The calls
between mobile phones or mobile phones and regular phones are switched through
the MSC (Mobile services Switching Center). This network is then overseen by the
OMC (Operations and Maintenance Center). Security in this network uses four
principles, subscriber identity authentication, subscriber identity confidentiality,
signaling data confidentiality, and user data confidentiality which are implemented
in the SIM (subscriver identity module), the MS and the network itself.
The GSM technology digitizes and compresses data and (sending and receiving
with rates up to 9600 bps) utilizes either the 900 or 1800 MHz frequency
band (890-960 bands are standard for telephony) splitting each band in 200 Khz
channels which then, using a method known as Time Division Multiple Access (TDMA)
are split into 8 time slots. Speech signals are divided in 20 ms samples which
after encoding gives a total bit rate of 13 kbps. A received signal is made from
the linear combination of previously received samples and the difference between
the predicted and the actual sample, so basically the current sample is predicted
rom the information of a previous sample. The data is besides speed and
electromagnetic interference issues also encoded for
security/privacy's sake.
In the next issue, I will discuss the actual coding and relevant encryption
algorithms as well as the implementation of the different security methods
(as mentioned above) in this system.
So stay tuned :)
Xander Teunissen,
aka Thejian, Help Net Security
XI. Unix logging and auditing tools
------------------------------------
Introduction:
-------------*
in this text i will talk about logging and auditing tools used in the Unix operating system
enviroment. whenever a user enters a system (be it through a network service or physically
at a terminal) he/she leaves trace of entering. this information is stored into different
types of log files, depending on what action the user takes. these logging and auditing
programs are very valuable to every system and network administrator and are therefore
included in every Unix-like system by default. other than these, there are also some other
commercial loggers which help better system logging.
logging improves site security very much. a lot of hackers do not know what types of loggers
exist and how to modify them, so logging always makes things easier for the system admins.
therefore, every administrator should enable all sorts of logging, even if it somehow
affects the privacy of system users.
however, logging programs are not the only part of a secure network. they too have some
limitations. a good example is when an intruder spoofs his/her IP address. then you have a
fake address which is of no use to you. therefore, loggers make tighter security but are not
the only security measure.
Unix default logs architecture:
-------------------------------*
as i said earlier, Unix provides a wide selection of auditing and logging tools. most of
them are intergrated in the system by default, but there are also some which come with
certain programs. basically, Unix stores log information in plain ASCII or in some other
formats, usually numerical. to access a log file one must first have root permissions
(although on old Unix versions everyone can look at and modify log files).
different versions of Unix store these files under different locations. /usr/adm was used
in early versions of Unix. then came /var/adm which was newer so that the /usr directory
could be mounted read-only. today, the most common locations are the /var/adm and /var/log
directories.
within these directories you can find log files.
Log file name: Purpose of the log file:
--------------*-----------------------------------------------------------------*
ACCT (PACCT) records commands which users run.
ACULOG records dial-out attempts.
LASTLOG records last successful and unsuccessful login.
LOGINLOG records bad login attempts.
SULOG records attempts of using the 'su' (superuser) command.
UTMP records who is currently logged into the system.
WTMP records who was in the system and system shutdowns and startups.
XFERLOG records use of FTP service.
other than these, which are essential for every system admin and potential intruder, there
are: MESSAGES (records system messages and outputs from the console), UTMPX (extended UTMP),
WTMPX (extended WTMP) and VOLD.LOG (logs errors from external media devices (CD-ROM drives,
floppies, external hard drives, etc.)).
i will now go detailed into each one of these logs.
LASTLOG -- this utility shows you who logged last time into your account. when you connect
to a host and type in the correct username and password combination the login program runs
lastlog:
--
login: hacker
password:
Last login: Tue Jul 20 15:54:25 from some.address
--
also, under some System V Unix versions you have both successful and unsuccessful logins:
--
login: hacker
password:
Last successful login for hacker: Tue Jul 20 15:54:25 from some.address
Last unsuccessful login for hacker: Tue Jul 20 13:44:03 from some.address
--
after this display, the login program updatess the lastlog file with new information. then
it also updates utmp and wtmp files.
by using the 'finger' command, you can see when a particular user logged in last time.
when you use the command, the program merely displays the users lastlog file (which is
located in /var/adm/lastlog or /var/log/lastlog for each user).
a big flaw in the lastlog file is that it is always overwritten on each new entry. this
means that if a hacker, once in the system, connects again with the use of 'rlogin' (remote
login utility) or, on old systems, 'login', the information stored will be overwritten with
new information -- in this case localhost (127.0.0.1). this is useless to the system
administrator. therefore, i recommend that you make a shell script which will make a backup
of an existing lastlog file for each user every couple of hours (cron-spawned task).
this can be done with a simple 'mv' and 'cp' commands combination. first you move the
existing backup to a new one and then copy the new lastlog into the old backup.
by default, there are no Unix programs which enable you to read the lastlog file. therefore,
i have included a simple Perl script which will work on SunOS and allows you to read the
lastlog file. you might want to change the second line into /var/log/lastlog if it doesn't
work. also, if you make a couple of adjustments you can make it work on any Unix-like
system. for details on this, take a look at the lastlog header file (LASTLOG.H) which is
usually located in the /usr/include directory. basically, the program checks for a command-
line argument. if none is given it uses /var/adm/lastlog. after that, it calculates the
number of seconds in half a year. this is done to determine output format (because logins
which are more than six months old are printed differently) for the lastlog file. after
this, the program reads every line, decodes it, and prints it on the screen.
also worth of mentioning is that some really old Unix systems log the lastlog information
into a file called .lastlog which can be found in each user home directory ('ls -al' will
check for this).
while lastlog can be useful, it does not provide a very detailed history of each login.
for this you must check the wtmp file.
UTMP -- this file is located in /var/run/utmp or in /etc/utmp. basically, it lists currently
logged users. programs such as 'who','w','whodo','users','write' and 'finger' use the utmp
log constantly to check for specific users on the system.
on some systems the utmp file permissions are set to be writable by any user. some programs,
which create virtual terminals, need this to show that the user is logged in on that virtual
terminal without requiring superuser privileges. this can help a hacker to modify the file
or even delete his/her entries.
in Berkeley-type Unix systems the entries in the utmp (and wtmp) contain: name of the
terminal device used for login, username, hostname (if not from a terminal) and the time
of login. under System V Unix you have: username, terminal line number, device name, process
ID of the login shell, code for type of entry, exit status and time of login. under Solaris,
IRIX and some other which use extended utmp and wtmp, you have: username up to 32 characters
long, inittab ID (type of connection), terminal name up to 32 characters long, device name,
code for type of entry, exit status, process ID of the login shell, time of login, session
ID, unused bytes for future expansions and remote hostname (if not from a terminal).
i should also mention that some versions of 'su', if not used correctly, will not report to
utmp and wtmp that you changed your enviroment. for example, if you become a superuser the
program will not update the log files and you will appear to have normal user privileges
(when someone uses 'finger' or similar service). this can be very confusing, not only to the
users but also to programs that are currently running. to correct this, use a dash with the
superuser command: 'su - root'. this will change your enviroment.
WTMP -- this log file is usually found in /var/adm/wtmp. every time a user logs in or out,
Unix makes a record of that action in the file wtmp. therefore, wtmp keeps a big database
of all user logins and logouts. this file will grow constantly and so many admins make
scripts which zero (blank) the file now and then (cat /dev/null > /var/adm/wtmp). this,
however, isn't recommended. rather than that, an administrator should make copies of the
old wtmp before it is zeroed out. these backups should be placed on another storage computer
or on external disks.
wtmp cannot be read, so you need a special program for this. 'last' is great for this. if
you run it with no command-line arguments it will show you all logins and logouts on all
services and devices for your network (you can abort the display with the interrupt
character (usually CTRL-C)).
--
$ last
john ttyp2 some.address Tue Jul 20 15:42 - 15:50 (00:08)
hacker ftp 195.229.205.8 Mon Jul 19 03:15 - 04:45 (01:30)
root console Mon Jul 19 08:00 still logged in
...
--
first you have the username, then the service/port used. after that there is a remote
address (or not, if the login came from the terminal/console). there is also a date and
how long that particular user was using the service.
to be more specified, you can use a username for the parameter. this will show you login and
logout records for a particular user:
--
$ last hacker
hacker ftp 195.229.205.8 Mon Jul 19 03:15 - 04:45 (01:30)
hacker telnet 195.229.205.8 Mon Jul 19 02:03 - 02:04 (00:01)
hacker ttyp4 fake.host Sat Jul 17 14:10 - 15:24 (01:14)
--
you can also use a number which specifies how many last logins you want to see. for example:
--
$ last -1
john ttyp2 some.address Tue Jul 20 15:42 - 15:50 (00:08)
--
some versions of the 'last' program enable you to look at entries from other files (such
as your backup files). you simply put '-f otherFile' as the argument. but, if your program
doesn't allow this then simply change the name of the backup to wtmp and you will be able
to read it. remember though that is you're reading your backup, each new user entry will be
stored into that backup.
you could also use 'ac'. it provides you with statistics for each user. this is useful for
checking the amount of time a user is logged in, etc.
on some systems, wtmp also logs system shutdowns/reboots and startups.
also, under some SVR4 systems you can look at the contents of the wtmp file by doing a
'who -a' command.
LOGINLOG -- failed login attempts (if you are not using System V Unix) are recorded in a
special file called /var/adm/loginlog. to log these attempts you must specifically create
this file by the following procedure:
--
# touch /var/adm/loginlog
# chmod 600 /var/adm/loginlog
# chown root /var/adm/loginlog
--
a bad attempt is when a user types in a wrong password fives times in a row. after the fifth
time the system will usually disconnect you. this is how a loginlog looks like:
--
hacker:/dev/pts/8:Tue Jul 20 16:30:01 1999
hacker:/dev/pts/8:Tue Jul 20 16:30:22 1999
hacker:/dev/pts/8:Tue Jul 20 16:30:35 1999
hacker:/dev/pts/8:Tue Jul 20 16:30:49 1999
hacker:/dev/pts/8:Tue Jul 20 16:30:58 1999
--
loginlog is useful when you want to check if someone is attempting a brute force over your
password.
ACCT (PACCT) -- process accounting is when every command typed by every user on the system
is being recorded. this is mostly used when you want to bill your users for using a specific
service and CPU time. /var/adm/acct contains the log information. this is not human readable
so you need to use a specific program called 'lastcomm' and 'acctcom':
--
$ lastcomm
sendmail S root __ 0.05 secs Tue Jul 20 19:50
vi F hacker __ 0.22 secs Tue Jul 20 13:24
--
first we have the program name, then the user which ran that program and finally the loading
time and the date/time of use. the flags (above S and F) are: S (command was executed by the
superuser), F (command ran after a fork, but without an exec), D (command generated a core
dump file when it exited) and X (command was terminated by signal).
although acct is useful, both for the system administrator and for the hacker, it has some
limitations. for example, it does not say from what arguments were given to the program and
where the particular program is located. therefore, if a hacker renames his program
(like a trojan, C compiler, etc.) there is no way you could know what the real program was.
under System V (SVR4) you start the accouting with the command 'startup' which is located in
the /usr/lib/acct directory. the accounting is logged into /var/adm/pacct and you view it
with the 'acctcomm' program.
under BSD you activate process accounting with 'accton filename' (it is found in /usr/etc or
/usr/lib/acct) where 'filename' is usually /var/adm/acct or /var/adm/pacct. you read the
file with 'lastcomm'.
MESSAGES -- this is a very useful log file (located in /usr/adm or /var/adm). it basically
logs every output message which is printed on the system console screen. it works by echoing
what's on the screen and printing it to a special file along with the date/time and computer
involved. here is an example (SunOS 4.1):
--
Tue Jul 20 13:20:34 computer1 su: 'su root' not succeeded for hacker on /dev/ttyp3
Tue Jul 20 13:20:34 computer1 su: 'su root' not succeeded for hacker on /dev/ttyp3
--
we see that a hacker is trying to compromise superuser privileges but doesn't know the
password (remember that we also have the sulog for this particular example).
SYSLOG -- this facility was created at the University of Californica at Berkeley for their
program sendmail. since then it has been ported to almost all Unix-like operating systems.
syslog is a host-configurable, unique system logging utility. it uses a special system
logging process which is located in /etc/syslogd or /etc/syslog. programs that need to have
information logged send that information to syslog. these messages can be logged to various
files, devices, remote computers, etc.
when a program wants to send a message to syslog, it must generate a syslog log message.
this message consists of four things: program name, facility, priority and the log message.
facilities are: kern (kernel), user (regular user processes), mail (mail system), lpr (line
printer system), auth (authorization system -- login, su, getty, ftpd, etc.), daemon (other
system daemons), news (news subsystem), uucp (Unix-to-Unix Client Protocol subsystem),
local0 - local7 (reserved for site-specific use) and mark (facility that sends out a message
every 20 minutes). there are also some others but the differ on the version you have. they
are: authpriv (other authorization messages), cron (cron daemon), ftp (ftp daemon messages)
and syslog (syslog daemon messages).
priorities are: emerg (emergency condition (system crash or similar), sent to all users),
alert (alert for immidiate correction of a system program/database), crit (critical alarm,
usually a hardware error), err (normal error), warning (warning message), notice (condition
that is not an error but should be handled in a special way), info (informational message),
debug (messages used in debugging processes) and none (indication not to send specific
messages to the selected file).
when the syslog daemon (syslogd) starts up, it first reads its configuration file (usually
/etc/syslog.conf) to see where to log specific things. after that, syslog is in 'listening'
mode -- it listens for log messages from three sources. these three sources are: /dev/klog
(used to read messages from the kernel), /dev/log (Unix domain socket. used to read messages
generated by local processes) and UDP port 514 (Internet domain socket. used to read/get
messages generated by other machines in the local area network).
to specify what actions syslog should take when getting log messages you must edit the
/etc/syslog.conf file to suit your network organisation and architecture. here is an example
file (Digital Unix V4.0):
--
# example syslog.conf file:
kern.debug /dev/console
daemon, auth.notice /var/adm/messages
auth.* @loggingHost.com, /dev/ttya
syslog.* /var/adm/syslog/syslog.log
lpr.debug root, operator
*.emerg *
--
note: when writing a syslog.conf file be sure to use TABs and not spaces!
you can see that each line has two arguments: a message selector field (for declaring which
actions and messages to log) and an action file (which specifies what to do with the logs).
the message selector field is divided into two parts: a facility and a priority.
for exmaple, kern.debug specifies that syslog should log all messages for the kernel which
have to do with debugging. you can also put an asterisk sign ('*') to specify all. for
example, *.debug would specify to log all debugging messages. kern.* would specify to log
all kernel messages.
the action field specifies what to do with the log files. there are five actions to choose
from: log to a file or device (in this case the field must include path of the file or
device), send a message to a specific user (sends a message to the specified user(s) only if
they are logged in (according to utmp)), send a message to all users (send a global message
to all users on the system. in this case there should be an asterisk sign in the action
field), send a message to a program (in this case you must include a pipe sign ('|') and
path to the specified program/action, such as sendmail) and send a message to a remote host
(you must include '@' and a hostname).
i will now explain line by line our syslog.conf example. the first line logs debugging
messages from the kernl to the system console device (/dev/console). the second line logs
daemon and authorization notice messages into the messages logging service. the third line
logs all authorization messages and sends them to a remote host in the local network (this
is a really good idea for a system administrator) and to a line printer which is connected
to the /dev/ttya. the fourth line logs all syslog messages into a file called syslog.log.
then we have an instruction which logs all line printer debugging messages and sends them
to two users: root and operator (if they are logged in). the last line logs all emergency
errors from all services and sends them across the system to all online users.
syslog is a great security service. it administrated correctly you can make it a powerful
audit tool. i recommend that you enable remote host logging to two or more computers in
your network (but remember that this chokes up traffic).
ACULOG -- each time you make a telephone call with your modem (dial-out call) it can be
recorded. this is activated by the command 'tip' or 'cu' (also, Berkeley version of UUCP
command). the entry is stored into a file called /etc/remote.
--
root (Tue Jul 20 08:50:22 1999) <network2, , /dev/cua> call completed
hacker (Tue Jul 20 11:03:10 1999) <mil dialout, 01283-9993, /dev/cua> call completed
--
in the first example, root made a call and connected directly to the modem. the user hacker
called the specific dial-out number. we see that both calls were completed.
this log utility is useful but isn't very detailed. for example, you don't have the duration
of the call.
SULOG -- newer version of the 'su' program log directly to their own log file called sulog
instead of using the messages log file. under System V Unix you can set some options for
sulog in a file called /etc/default/su:
--
# file to log all su attempts
SULOG=/var/adm/sulog
# device to log all su attempts
CONSOLE=/dev/console
# log using the syslog facility?
SYSLOG=yes
--
here is an example file from a computer running Ultrix V4.2A:
--
BADSU: hacker /dev/ttyqc Tue Jul 20 15:24:00 1999
BADSU: hacker /dev/ttyqc Tue Jul 20 15:25:24 1999
SU: hacker /dev/ttyqc Tue Jul 20 15:30:13 1999
--
we can see two bad superuser attempts and one good -- the hacker finally guesses the 'su'
password.
XFERLOG -- if you use the Washington University FTP server, then you can enable session
logging to a file called xferlog which is located in the /var/adm directory (the location
is defined by the configuration variable _PATH_XFERLOG in the header file PATHNAMES.H).
here is an example log:
--
Tue Jul 20 20:22:04 1999 some.address 3920288 /etc/passwd a _ o a hacker@fake.com ftp
Tue Jul 20 21:45:33 1999 some.address 23043 /etc/host.deny a _ o a hacker@fake.com ftp
--
to explain this log file. the first entry is the date and time. then we have the hostname
and the size of the transfered file. after that is the file path, then file type (a = ASCII
or b = binary). then we have special action flag (T = tar archive, C = compressed, U =
uncompressed, _ = undefined), then the direction (o = outgoing, i = incoming). then user
type (a = anonymous + e-mail address, g = guest, r = local user with password) and then
service used (FTP by default).
also, remember that there are files like access_log (NCSA HTTPD server logger), maillog
(mail utility logger), etc. all of these depend on what software you have installed so
take a closer look at your manuals to see which log utilities you have on your system.
another things is Network Services logging -- inetd. you can add a '-t' (trace) flag to log
every TCP/UDP connection made to your host. the log will appear in /var/adm/messages.
other than this you can use TCP Wrappers and log all incoming connections.
as you can see, there is a huge variety of system log utilities. some are more important
than others, but all should be activated. don't hesitate to be paranoid -- most of the times
it will save you the effort of catching a hacker.
Shell history files:
--------------------*
other than logs previously described, shell history files are also a security measurement.
newer shells keep a record of all commands you typed into a hidden file in your home
directory. BASH shell uses .bash_history, KSH and SH shells use .sh_history, CSH and ZSH
use .history. SH ($ prompt) and CSH (% prompt) do not use history saving by default,
therefore it is a good idea for a hacker to first change the shell to SH or CSH.
other than this, a hacker should link the history file with /dev/null (using the command
'ln -s /dev/null .bash_history' for BASH shell). if no other option is left one should
simply delete the history file, or modify it from another shell which doesn't save the
command history (SH or CSH as stated above).
Security measures:
------------------*
i recommend that you put superuser permissions on all log files on your system. if a hacker
compromises a normal account but can't get to the root privileges this will make his life
harder. also, keep backups of your logs. this should be done daily with crontab jobs. you
can also make use of simple shell scripts such as this one:
--
#!/bin/ksh
BFILE=$(date +backup.%y.%m.%d.tar.Z)
cd /var/adm
tar cf - . | compress > ../adm.backups/$BFILE
exit 0
--
you can run this script every night. it compresses the whole /var/adm directory using 'tar'
and then uses the 'compress' command to shorten the output file. after that it puts the
result file into a directory called /var/adm.backups under a name which is called after
the time and date of that action. these backups should then be transfered to another
guarded computer inside your network or to an external media drive (CD-ROM, floppy, etc.).
the best security measure would be to put all log files to a remote computer in your
network. this computer should then be physically and remotely secured. you should put a
firewall to guard that computer:
internal, private network
computer 1 ----- computer 2 ----- computer 3 ----- computer 4 \
|
|
remote log computer
to send logs to this remote host you have to configure your syslog.conf file (as mentioned
earlier). however, you can also make two or more remote log computers. this will tighten
up security (remember, though, that this also chokes up traffic inside your network).
remember not to use same passwords, or even operating systems on these remote log computers.
other than logging to a remote computer, you can also log directly to a network printer.
to do this just put a line into syslog.conf which will redirect all logs of your choice to
the printer. also, be sure not to log to the printer solely -- use another device for backup
logging in case of an emergency.
Fooling the logs:
-----------------*
first off, every intruder should spoof his/her IP address before attacking. my method of
secure
hacking a host is as follows. first try to get an anonymous telephone line. this can
be done either by connecting your laptop computer on to a payphone or to someone's phone
line. after that, spoof your IP address. then use two or three gateway computers and finally
reach your target host. therefore, even if they log your attempts of entry they will get
nothing -- you don't exist.
basically, try to explore your host. try to get an account at the ISP where users from your
target have accounts on. that way, if you can't get root you won't be so suspicious (unless
you make something stupid).
if you enter the system first change your shell to SH or CSH (i recommend CSH). from there
alter the shell history file ('ls -al' from your home directory will show you hidden files)
and link it with /dev/null -- of course, only if it exists. you can also try an old trick:
type 'unset HISTFILE' when you enter the host -- this will stop history logging.
after that you have a variety of logs to modify. this can, however, only be done by having
superuser, root, privileges. if you don't have root you have one option left. don't alter
anything on the system (except the history file) and run 'rlogin' to 127.0.0.1 (localhost).
by doing this you will alter the lastlog file to show entry from localhost and, if you
remember, there won't be a trace in lastlog of your entry.
if you get root you have a couple of programs for log altering to choose from:
Name of the cleaner: Purpose of the program:
--------------------*--------------------------------------------------------------------*
clear.c deletes entries in utmp, wtmp, lastlog and wtmpx.
cloak2.c changes entries in utmp, wtmp and lastlog.
invisible.c overwrites values in utmp, wtmp and lastlog with predefined values.
marryv11.c edits utmp, wtmp, lastlog and acct.
hide.c changes entries in utmp.
remove.c deletes entries in utmp, wtmp and lastlog.
wipe.c deletes entries in utmp, wtmp, lastlog, acct (pacct), utmpx and
wtmpx.
note: do not use zap.c or zap2.c, these programs only put zeros in the log files. CERT
released a special program which checks for zeros, and can therefore determine that
the system was compromised by a hacker.
when you upload or create (retype -- if you're really paranoid of xferlog and similar FTP
log utilities) a log modifier or your choice (i highly recommend wipe.c because it can be
used on almost all Unix-like distributions and can modify 6 log types), simply compile it
and run with appropriate arguments (usually a username which you want to clear).
remember to check the log files after modification. do this with 'who', 'w' and 'last'
commands.
also, before leaving take a look at the syslog.conf file. you will find all sorts of things
there (of course if the service is active). take a look if there is remote host logging
involved. if there is, then try to hack into that host although many times admins leave the
same passwords for all hosts in the local network. after you enter that computer erase and
modify all logs that have to do with you, and of course alter the syslog file on the primary
host so it doesn't log remotely any more.
if you find out that they are using a printer to view the logs then first look at the active
process list ('ps' command). if you find a print action there kill it and remove the command
line for printing from the syslog.conf file (remember, however, that everything that was
printed out cannot be modified (unless you physically get to your host)).
also it would be a good idea to flood the syslog UDP port (514) if it's active (it is by
default) with a Denial of Service attack. in this way you will crash the syslog daemon and
you will stop all logging services on the target host.
Conclusion:
-----------*
Unix loggers are very important for every system. if you are a system administrator i highly
recommend that you make a remote log facility computer and gaurd it with a firewall inside
your network.
on the other hand, if you're exploiting the use of log files try to look for them constantly
because paranoia can be very useful.
Appendix:
---------*
I have included two files to this article: wipe-100.tgz (Wipe log cleaner version 1.00) and
lastlogReader.pl (Perl script for reading lastlog files).
http://default.net-security.org/7/wipe-100.tgz
http://default.net-security.org/7/lastlogReader.pl
airWalk
interScape Security Resources
http://interscape.net-security.org
XII. Freedom of speech - related incidents
------------------------------------------
*******************************************************************
You cannot put a rope around the neck of an idea;
you cannot put an idea up against the barrack-square wall and
riddle it with bullets; you cannot confine it in the strongest prison
cell your slaves could ever build.
--Sean O'Casey
*******************************************************************
Every day the battle between freedom and repression rages through the global ether.
Here are this week's links highlights from NewsTrolls(http://www.newstrolls.com):
*******************************************************************
Thursday, September 23:
Louisiana students reject wearing
<http://www.worldnetdaily.com/bluesky_bresnahan/19990923_xex_tagged_stude.shtml>
Pepsi-logo'ed, Social Security bar code ID cards around their necks at all times...
and one student
<http://www.geocities.com/SiliconValley/Bridge/1086/School/barcodes.html>
breaks the easy encryption and shows other how easy the encryption is to break...
From the Rules
<http://www.cab.latech.edu/ruston/rhs/hand2.htm>
Concerning ID Card:
"The I.D. card must be in the possession of the student at all times while at school,
and penalties for non-possession will range from a detention assignment for a first
violation, to suspension from school for later or major violations. Refusal to submit
I.D. card is an automatic suspension, effective immediately."
--------------------------------------------------------------------------
Weekend, September 24-26
Giuliani's attempt at censorship
<http://www.nypost.com/news/14547.htm>
won't hold up in court...
"The one thing the city cannot do is use the power over the purse to
punish dangerous ideas." The experts agreed with Giuliani that the city is
under no obligation to fork over money to the Brooklyn Museum of Art - as
the U.S. Supreme Court ruled in a case of federal funding for the arts last June.
"But once it funds, and then decides to de-fund one part of the arts community - if
that decision is designed to suppress views - there's a First Amendment problem,"
said Norman Siegel of the New York Civil Liberties Union."
UK's Orwellian camera use
<http://www.newscientist.com/ns/19990925/caughtonca.html>
on mall shoppers...
81.4% of women in Arusha region in Africa have
<http://www.africanews.org/PANA/news/19990923/feat9.html>
had their genitals mutilated...
"The practice is so deeply embedded in those communities that a woman
who escapes the practice as a child would certainly be "operated on" during
her first delivery - against her will. Findings have revealed that the operation
is also carried out on very young girls, including toddlers, "so that they will
not rebel and bring shame to their families." When asked, the communities
say they perform female genital mutilation as a means of controlling women's
sexual drive so that they remain faithful to their husbands. Other reasons given,
according to the research, include the belief that the female private part is
dirty and it is more hygienic if the clitoris is removed. There are also communities
who believe that the clitoris will kill a child coming through the birth canal,
if the organ is not removed in good time. "
----------------------------------------------------------------------------
Monday, September 27
Guarani Indians of the Brazilian Jungle get an
<http://www.foxnews.com/js_index.sml?content=/scitech/092599/brazil.sml>
IT school for their village... but they still need phone lines for Internet
access...
""We usually confront religious sects and campers who invade our lands with
poisoned arrows", said Jo?o da Silva, the 85-year-old tribal chieftain. "But
computers are different. They will help us protect and defend our traditions".
Girls in tasseled skirts and boys in loincloths performed a ritual song and dance
to welcome the arrival of the PCs which they have named "ayu ryrurive" - meaning
"boxes to store language" in Guarani. "We need to learn the technology of white
men in our fight to keep and protect our lands, culture and young people," said
the chief."
Hmm...is the FBI planning to round up dissidents and blacks
<http://216.46.238.34/showinsidecover.shtml?a=1999/9/26/144339>
in their Y2K operation Mad Max???
"The ten-year FBI veteran contends that U.S. intelligence agencies, including the
FBI, the CIA, Navy Intelligence and other intelligence services, have drawn up
plans in case a Y2K "castastrophe" hits next January. But beyond January, says
Powers, "they were also preparing for Y2K-related events to occur throughout the
year 2000. In fact, they were planning for operations as far down as June, when
the weather turns warm in certain cities." The "Mad Max" plan, named after the
1980s Mel Gibson film depicting the total breakdown of social order, is a worst-case
contingency plan, claims Powers. "The FBI expects, in this [worst] case scenario,
that people would begin to riot and loot. And specifically they believe this would
happen in urban areas among black citizens," says the retired agent."
-------------------------------------------------------------------------------
Tuesday, September 28
ABC publishes IP addresses of
<http://www.sjmercury.com/svtech/news/breaking/merc/docs/081486.htm>
chat room participants
Appeals court decides publishers cannot include freelance writers' work
<http://www.sjmercury.com/breaking/docs/022316.htm>
in their databases without permission
Over 2 million farmers in China were duped into
<http://www.insidechina.com/news.php3?id=95254>
now-collapsed investment firms ...
"The three organizations were founded in the early 1990s with the approval
of the ministry of agriculture and were designed to use interest from farmers'
investments to provide loans for machinery and equipment. More than two
million farmers invested in the organizations, attracted by interest rates in
excess of 15 percent, the center said. "But because of serious corruption at
the administrative level, much of the invested money cannot be repaid," center
spokesman Frank Lu said. More than 40 billion yuan ($4.8 billion) was deposited
by farmers across the province, of which 10 billion yuan ($1.2 billion) has been
lost, he said, adding that the government had only committed to repay one billion
yuan. As a result, more than 50 protests involving 5,000 farmers have erupted in
the province since the beginning of the month, while 10 farmers were detained by
police in Qidong county during one of the demonstrations. "
------------------------------------------------------------------------------
Wednesday, September 29
China bans Time Magazine even though
<http://www.sjmercury.com/breaking/docs/074660.htm>
Time is hosting a buisness forum in Shanghai...
"But the edition, whose masthead was emblazoned with the headline
``China's Amazing Half-Century,'' fell foul of Chinese censors by including
articles written by exiled dissidents Wei Jingsheng and Wang Dan, and the
Tibetan Dalai Lama."
And check out this quote from the same article on Summer Redstone kow-towing to the
Chinese Communist Party regarding MTV...
"Another conference delegate, Sumner Redstone, chairman of Viacom Inc,
made clear that his rock music video channel MTV would not challenge China's
Communist authorities. ``You can rest assured we are not going to take any
action with respect to our content that is displeasing to the Chinese government.''"
-----------------------------------------------------------------------------
Thursday, September 30
Wei Jingsheng emails China
<http://news.excite.com/news/r/990930/09/net-china-wei?printstory=1>
from Paris...
"Chinese dissident Wei Jingsheng sent e-mail messages to Beijing from Paris Thursday
to protest against official controls over the Internet and harassment of "cyber-dissidents"
by China. Wei, sitting before a screen in a cyber cafe in the French capital, e-mailed the
text of article 19 of the Universal Declaration of Human Rights, of which China is a
signatory and which guarantees freedom of speech, to five official or government-linked
addresses. They were the Chinese Foreign Ministry, CCTV state television, the Chinese
Internet information center and Peoples's Daily and China Daily newspapers. "They
have the power and the money but we have imagination and justice on our side," said
the exiled dissident, who now lives in the United States."
You can send
<http://www.rsf.fr/uk/alaune/opmail/mail19.html>
the same letter
----------------------------------------------------------------------------
Weekend Edition, Oct 1-3
Mourning the death of
<http://newstrolls.com/news/dev/guest/100199.htm>
80 million Chinese...
Tibetans are being forced to
<http://www.scmp.com/News/China/Article/FullText_asp_ArticleID-19991001032529583.asp>
take part in the celebrations
""Tibetans in Lhasa have been told that their pay or pension will be cut if
they fail to take part in rehearsals for celebrations of the 50th anniversary,"
the London-based Tibet Information Network said. Children and retirees had
been required to memorise patriotic songs and attend dance classes in the
run-up to the celebrations, in which they would be ordered to wave
Chinese flags, it said. "
Victorious Burmese Student Warriors, pro-democracy students, take hostages at Burmese Embassy
<http://www.scmp.com/News/Front/Article/FullText_asp_ArticleID-19991001174609704.asp>
demanding the release of all political prisoners in Burma
In just one week...
diva aka Pasty Drone
CEO
NewsTrolls, Inc.
"Free Minds...Free Speech...NewsTrolls"
http://www.newstrolls.com
pastydrone@newstrolls.com
