Copy Link
Add to Bookmark
Report
Default Newsletter Issue 06
Default newsletter Issue #6
http://default.net-security.org
28.09.1999 Help Net Security
http://www.net-security.org
TABLE OF CONTENTS
-----------------
I. Editorial
II. Default mirrors
III. Defaced pages
IV. Ech0 Security Scanner - What's that again ?
V. Y2K: hoaxes and scams
VI. Infection & Vactination
VII. Hi, my name is...
VIII. Virology 101: A primer to computer viruses
IX. More from the ACPO front
X. Network Solutions Stumbles on WebMail Offering
XI. Securing your Mac
XII. Why NT isn't what it is claimed to be
XIII. Freedom of the speech related incidents
XIV. Meet the underground
I. Editorial
-----------------
Hey there. It's us again :) Ok let's start with the obvious: Default skipped
a week. And as much as I (Thejian) would like to blame the other editors, it
was my fault. But then again, my life has been pretty damn hectic lately and
I really worked my ass off, which is no excuse of course, but it'll have to do.
I'm glad to inform you however that the problem is solved for future issues
because we have at least one more editor for the end-formatting in place now
which should take care of the problem quite effectively. This also caused a
delay in the Telecom-section, but I'm outlining a new series of articles there
which will be pretty damn good if I may say so myself, so I hope that if someone
actually reads it :)))) they will have some patience, it will be worth it.
Due to formatting problems this weeks crypto section has not been included in
this issue but is accessible at following url:
Doc version > http://default.net-security.org/6/OTP.doc
Txt version > http://default.net-security.org/6/OTP.txt
Well since I have to go release this thing, thank you all and enjoy the read.
It's yet another good one, again if I may say so myself.
For the HNS and HNS Default Crew:
Berislav Kucan
aka BHZ, webmaster Help Net Security
bhz@net-security.org
Xander Teunissen
aka Thejian, co-webmaster Help Net Security
thejian@net-security.org
Subscribing information:
mail majordomo@net-security.org with a message in the body "subscribe news youremail"
II. Default mirrors
---------------------
http://www.nwo.net/default
http://www.403-security.org/default
http://www.monitor.hr/security/default
http://www.attrition.org/~modify/texts/zines/default
http://www.projectgamma.com/archives/zines/default
http://www.dark-e.com/default
http://ech0.zort.org/default
http://www.deepquest.pf/default
If you mirror Default, please inform us, so we could add you to the list.
III. Defaced pages
-------------------
Mirrors thanks to Attrition (www.attrition.org)
Site: The Nasdaq Stock Market Web page (www.nasdaq-amex.com)
Mirror: http://default.net-security.org/6/nasdaq.jpg
Site: First American National Bank (ns1.fanb.com)
Mirror: http://default.net-security.org/6/ns1.fanb.com.htm
Site: NAACP (www.naacp.org)
Mirror: http://default.net-security.org/6/www.naacp.org.htm
Site: Bank of Uganda (www.bou.or.ug)
Mirror: http://default.net-security.org/6/www.bou.or.ug.htm
Site: Arizona Libertarian Party (www.lpaz.org)
Mirror: http://default.net-security.org/6/www.lpaz.org.htm
Site: I-Phone (www.iphone.com)
Mirror: http://default.net-security.org/6/www.iphone.com.htm
Site: Defense Contract Management District West (internet.dcmdw.dla.mil)
Mirror: http://default.net-security.org/6/internet.dcmdw.dla.mil.htm
IV. Ech0 Security Scanner - What's that again ?
-------------------------------------------------
Welcome folks. Well I ll give the readers of default a little preview what
eSS is. So you ask now what eSS stands for, well thats simpel, it stands for
Ech0 Security Scanner. It will be a unix security scanner. So what's special
on it ..?
Well special about it, is that it will be big * great * huge * with much shit
included. It will feature unix network scanning for all simple vulnerabilities
which are all-known, like qpop, pop2, pop3, cgi-scan, ftpd, telnetd, imapd, bind,
nfs, named, smtp, fingerd, up to advanced features like network maping, system
version, firewall scannig with version and many other security holes which can
be exploited. It got CKS's famous Cgi scanner implented which scans for about
50 cgi holes. All in one we hope that we can offer you a fast and strong unix
security tool/scanner with eSS.
If you are interessted in unix security/scanning and C and would like to
check out a copy of eSS when it is in beta phase just email to:
- info@ech0.de
You can also mail us if you have any questions and/or suggestions.
For more information and the news feautring Ech0 Security Scanner check out
- http://www.ech0.de
V. Y2K: as the millenium approaches
--------------------------------------
With upcoming Year 2000 and Y2K problem many new programs for its
solution are producing. With it, Y2K hoaxes are also spreading.
This article is just a compilation of several known Y2K hoaxes.
1) AOL Year 2000 Update Hoax
-------------------------------------------------------------------
Do Not DOWNLOAD !!
submitted by AngelOfWuv
It will come to you as.......
"America online year 2000 Update" it will have a
File: Y2KFIX.EXE (41229 bytes)
DL Time (115200 bps): 1 minute
DO NOT DOWNLOAD IT, ITS A VIRUS .
1) IF AOL WANTED TO UPDATE YOUR SYSTEM, THEY WOULD DO IT WHILE YOU
WERE ONLINE, NOT THIS WAY
2) IF AOL WERE TO DO IT THIS WAY THEY WOULD JUST SEND YOU AN MAIL TO
CONTACT THEIR WEBSIGHT AND THEN DOWNLOAD THE NECESSARY FILE
FORWARD TO "TOSEMAIL1"
THE REST OF IT GOES AS FOLLOWS:
Hello, I am Richard Brunner of the AOL TECH Team and we have recently
finished work on this project which is the AOL Year 2000 Update. The
function of this program is to make your AOL version completely
compatible with the year 2000 bugs that will occur on most computers.
This program will work on Windows 3.1, Windows 95, Windows 98, and
Macintosh. It has been made to be as user-friendly as possible. You
just have to:
1. Double click on the icon
2. Restart your computer and your computer and AOL will automatically
be updated. If you experience any problems with this file please
report them to this e-mail address.
-------------------------------------------------------------------
Y2KFIX.EXE wasn't found anywhere on The Internet. This is just a example
of mass mail hoax. Purpose of it is to spread panic to big number of
inexperienced computer users. When people get this kind of messages
they don't even read it they just forward it to all contacts on their list.
2) Y2KCOUNT trojan horse
-------------------------------------------------------------------
To All Microsoft Users,
We are excited to announce Microsoft Year 2000 counter. Start the countdown
now. Let us all get in the 21 Century. Let us lead the way to the future and
we will get you there FASTER and SAFER.
Thank you,
Microsoft Corporation
-------------------------------------------------------------------
This e-mail arrives with attached trojan horse named Y2KCOUNT.EXE which:
It drops several files into WINDOWS\SYSTEM folder:
PROCLIB.EXE
PROCLIB.DLL
PROCLIB16.DLL
NTSVSRV.DLL
It appends NTSVSRV.DLL into the DRIVERS= line under [BOOT] section of SYSTEM.INI
file. This modification loads the trojan every time the system boots up.
It modifies the registry entry ...\Shell\OpenHomePage\Command to @="C:\WINDOWS\
SYSTEM\PROCLIB.EXE" This modification loads PROCLIB.EXE upon web/internet access.
Upon the next system reboot, it will also rename the WSOCK32.DLL file to NLHVLD.DLL
and replace it with PROCLIB16.DLL. This allows the trojan to hook network
(specifically internet) connection activity.
3) "Windows will fail" hoax
-------------------------------------------------------------------
"Every copy of Windows will fail on January
1st unless you fix it now, to fix it..."
1.Click on "My Computer".
2.Click on "Control Panel".
3.Click on "Regional Settings".
4.Click on the "Date" tab. Where it says,
"Short Date Sample" look and see if it shows a
"two Digit" year. Of course it does. That's the
default setting for Windows 95, 98 and NT. This
date RIGHT HERE is the date that feeds
application software and WILL NOT rollover in
the year 2000. It will rollover to 00.
5.Click on the button across from "Short Date
Style" and select the option that shows
mm/dd/yyyy. Be sure your selection has four Y's showing, not two.
6.Click "Apply" and then click on "OK" at the bottom.
Easy enough to fix. However, every single installation
of Windows worldwide is defaulted to fail Y2K rollover.
"Thanks and have a great day"
-------------------------------------------------------------------
This is a standard e-mail hoax. More information could be found on:
http://www.microsoft.com/y2k/hoax/y2khoax.htm
4) Cadillac hoax
-------------------------------------------------------------------
Dear **** *********,
We regret to inform you that your product purchased from an authorized
General Motors Dealership is not compatible with the Year 2000 Problem.
Steps are being taken to resolve this problem and the solutions are in
the making.
The onboard computer in Cadillac models made from 1974 to 1992 are not
designed to recognize the year 2000 as the year 2000. Problems may arise
in the climate control and repair maintenance modules.
Modifications may be made to your Cadillac's onboard computer. The nearest
authorized service center is [deleted] located at [deleted]. You can
contact this service center at [deleted].
The service to be performed on your model is free of charge, and we
apologize for any inconveniences that this may cause you.
Sincerely,
General Motors, Inc.
Cadillac of America
-------------------------------------------------------------------
This message was sent to comp.software.year-2000 on Saturday, January 23.
Image of the actual letter that was used in the hoax could be found on:
http://default.net-security.org/6/cadillac_1.jpg
Problems of this hoax written by one hoax analyst:
* though a logo decorates the top of the page, no address is associated with it
* the letter is not dated
* it asserts that the product "is not compatible with the Year 2000 Problem";
but nothing is compatible with the Year 2000 Problem: compatibility must be
with the year 2000, not with the Y2K problem
* the year 1974 does seem much too early for any automobile to have been made
with an on-board computer
* the first sentence of the second paragraph is ungrammatical: "The onboard
computer... are not designed...."
* the recipient is directed to the nearest service center for modifications to
the computer, though the first paragraph had asserted that steps "are being
taken" and a fix "is in the making", implying that the modification has not
yet been readied
* only a street address (no city) is given for the nearest service center
5) Fix2001.exe worm
-------------------------------------------------------------------
Estimado Cliente:
Rogamos actualizar y/o verificar su Sistema Operativo para el correcto
funcionamiento de Internet a partir del A_o 2000. Si Ud. es usuario de
Windows 95 / 98 puede hacerlo mediante el Software provisto por Microsoft
(C) llamado -Fix2001- que se encuentra adjunto en este E-Mail o bien puede
ser descargado del sitio WEB de Microsoft (C) HTTP://WWW.MICROSOFT.COM Si
Ud. es usuario de otros Sistemas Operativos, por favor, no deje de consultar
con sus respectivos soportes tecnicos.
Muchas Gracias.
Administrador.
Internet Customer:
We will be glad if you verify your Operative System(s) before Year 2000 to
avoid problems with your Internet Connections. If you are a Windows 95 / 98
user, you can check your system using the Fix2001 application that is attached
to this E-Mail or downloading it from Microsoft (C) WEB Site:
HTTP://WWW.MICROSOFT.COM If you are using another Operative System, please don't
wait until Year 2000, ask your OS Technical Support.
Thanks.
Administrator
-------------------------------------------------------------------
W95.Fix2001 is an internet worm. It arrives on an e-mail as a MIME-encoded
attachment called Fix2001.exe. The subject of the received e-mail is "Internet
problem year 2000". It is sent by a person called "Administrator".
More information on this worm and its removal could be found here:
http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=TROJ_FIX2001
Conclusion:
Hoaxes were always around. New Millennium just gave inspiration to hoax
makers. Always be careful and try to read the whole mail you get, because
every hoax has its error, a clue that says: "I am a fake". Just DON'T
forward this kind of letters to your contacts, because then you will
do what the hoax maker wants you to do. It is silly that when newspapers
get this kind of hoax, they publish about it as it is real - yet another
problem of unqualified journalists.
EOF
Berislav Kucan
aka BHZ, bhz@net-security.org
VI. Infection & Vactination
-----------------------------
This week we have all the info you could ever want on the new version of
DeepThroat. Yes we even have more then one trojan this week! We also
have some updates on Back Orifice 2000 plugins. Finally we have our
review of The Cleaner.=20
DeepThroat 3.1.0 was just released on September 5th. This version fixes
many of the bugs that were found in the initial 3.0 release. While I
have not tested, there are possible bug problems. Though shortly after
the release |Cold| announced he would not be working on Deep Throat for
sometime if he ever does. Since he has at least temporarily stopped, he
released the source code to the server(Delphi). But not the code for the
client. He also released info on the backdoor in this backdoor program.
If you try to connect to a normal 2.1 server you can enter:
awhothefuckdoyouthinkiamgoddamnit1 as your password. Same with the 3.x
servers only you enter: whothefuckdoyouthinkiamgoddamnit3. Also recently
due to demand there is a new secure server with no universal password.
Yes the long awaited SubSeven 2.0 has just been released. Version 2.0
comes with a lot of new stuff. Now it can not only intercept ICQ
messages it can intercept AIM and Microsoft Messenger messages. It can
also get the ICQ and AIM user lists and passwords. Like NetMetro below
there is a Matrix feature, black screen and green you know.. SubSeven
2.0 has a few other new features to that are not so important. Also
there is a completely new editserver. EditServer 2.0 now is setup like a
wizard. You have to keep hitting next, I personally liked the old one
where you had everything on one screen. But anyways it has a 3 new
features. One features makes it so the port and password can never be
changed. Another deletes the original server file after it is ran the
first time. The third feature password protects the server from other
edit servers. So, you can not read the info from a server you have been
infected with. If you ever happen to be infected with a 2.0 server you
can send it to zemac@dark-e.com. We can remove the password at for you.
Lastly subSeven has a new way to infect people. The _Not_ Known way.
Sounds scary doesn't it? Actually it's not scary at all it's just
another way Microsoft allows programs to load through the registry.
Our next trojan is NetMetro. This is actually a decent trojan with some
potential future. Most of it's features are normal ones that all the
trojans come with now. But, it did have two interesting ones. The first
one is Tic-Tac-Toe! You can play the server in Tic-Tac-Toe, which is
just cool. Plus to make it better the client can cheat by taking away
the server's turn. The other different feature is the Matrix screen. The
server's screen goes back and says "The matrix has you", at this point
the server is helpless. NetMetro also runs on Windows NT, which is a
rare thing. The client has a remove button, so it would appear it
infects computers, but I could not see it actually infect. So, at this
time the removal info is unknown if it actually does infect.
-More info visit:
http://www.dark-e.com/archive/trojans/netmetro/index.html
Illusion Mailer 0.05 is a new trojan with a new idea. This trojan
allows completely anonymous email to be sent to anyone. It works by
infecting the someone with server file. Then you connect to them via the
client, enter an email address you want to send to and fill out the
email. Then the email is sent and cannot be traced, since the IP will be
the server computer's IP.
Guess what we even have another trojan. This one is called Fuck You
AVP. What a wonderful name that is. Actually this is a nasty trojan.
When downloading the trojan, and running the client you infect yourself
with SubSeven 1.8. Maybe this is a sign not to use trojans or trust them
at least. Anyways once running the client your computer tells the person
your IP via ICQ and Email. Plus unknown to you but you start advertising
it in an IRC channel. As for the real trojan we do not have a clean
copy. We do know it runs on port 1212.
There have been 4 Back Orifice 2000 plugins released since last time we
discussed them. Our first plugin is called Rattler. Rattler emails the
Back Orifice 2000 server's location to someone. Unlike ButtTrompet it
does not email every time the server goes online it emails every time a
new IP address is used by the server. Next we have RC6Encrypt. This is
another encryption plugin for Back Orifice 2000. It gives 384 bit
encryption. Serphent Encryption is guess what another encryption plugin.
This plugin allows fast use of the non-export restricted 256 bit
SERPHENT encryption. The last plugin we have is BO STCPIO. This makes
Back Orifice 2000 packets very hard to detect. It encrypts the packet
header using whatever encryption plugin that is installed. Also one last
thing on Back Orifice 2000 that we just learned about, is the US
Distribution has been discontinued. The US encryption export laws and
cost of the only US download server.
Okay we all know there are tons of trojans out there for anyone to use.
So, what do you do if you want to protect yourself from them? Simple get
a trojan remover. Of course there are a few out there and the good ones
all cost money. So we are reviewing them one by one to let you know how
effective they are. This week we are checking out The Cleaner. The
cleaner is a solid trojan scanner. It has good speed and a large
database. If you need something to scan your entire computer then you
should get The Cleaner. It does lack some useful features such as
background scanning. So, you will have to leave your computer alone for
30 minutes or so to scan. We have also been able to look at the new beta
version of The Cleaner. The features appear to remain the same it has a
remote update which is cool, and a better looking GUI.
Zemac
zemac@dark-e.com
http://www.dark-e.com
VII. Hi, my name is...
-----------------------------
Greetings! For those of you who have never heard of me before, my name
is Doug Muth, among my many interests, computer viruses are one of them.
I was contacted by the folks at Default some time ago about the
possibility of writing some articles about computer viruses for the
newsletter, and as Douglas Adams would do, I immediately accepted before
they realized they had the wrong person! :-)
So, a little about myself. Hmm... I first got interested in computer
viruses back in 1992 with the Michelangelo scare, which was quite
interesting as I didn't even own a computer back then! So I headed over
to the local library and checked about 5 different books relating to
viruses and computer security, and learned a great deal with that simple
action. About a year later, I got into BBSing, and about a year after
that in 1994 I found Fido Net's Anti-Virus echos and after awhile of
lurking there, started to realize that I know more about viruses than the
average person, so I participated and tried to help users out.
In 1995, I made the move from BBSes onto the Internet and joined the
Usenet equivelent of Fido Net's echos, known as comp.virus. Sometime
afterwords, I noted that there didn't seem to be very many webpages on
the Internet which discussed viruses in a manner which someone who isn't
familliar with them could understand. So, after having ingested way too
much caffene, I proceeded to create one. It now resides
<http://www.claws-and-paws.com/virus/> for those who are interested.
Anyway, as for the articles which I'll be writing for the newsletter, not
being a member of the hacking community, I'm not entirely sure of what
everyone's background is on virology. I'll try and start out with a
simple article and gradually get into more detail. I will also try to
highlight any particular nasty viruses which have either just been
released or are still "in the wild", or infecting systems outside of
those owned by virus researchers.
If anyone has any suggestions for what they would like to see in a future
article or needs further explanation of something I mention in an
existing one, feel free to drop me a line directly. My e-mail address is
<dmuth@ot.com>.
Cheers!
VIII. Virology 101: A primer to computer viruses
-------------------------------------------------------------
So, what IS a computer virus? Like its biological counterpart, a virus
is a piece of computer code (as opposed to genetic code) which can hide
itself inside of one program and infect other programs when the host is
run. The most important thing to remember about ANY virus is that it is
just another program, and as such can only do what any other program can
do. This means that it can format your hard drive, since that's
something which a program can do, it can send e-mail (thanks to
Microsoft's lack of security on their software), but it can't do things
such as damage your hardware, unless you have an ancient ST-506 hard
drive that lets you move the heads off the platter or some similar cheesy
hardware.
Now, there's a few different kinds of viruses, since there are 3
different mediums for viruses to travel in: Files, Boot records, and
Documents.
File infectors do just that, they infect executable files. Back on the
old MS-DOS systems, .EXE and .COM files would be infected, as well as the
occaisional virus being able to infect .OVL files, which are loaded by an
executable, similar to Win 95's DLLs or UNIX's shared libraries. Some of
the nastier ones (like Dark Avenger) would load themselves into memory
and remain there, even after the host program was finished executing.
You can imagine what happens next, the next time an executable file so
much as has its attributes checked, it gets infected. Of course, not all
viruses are this nasty. There are others (such as DeathDragon) which,
when executed infect one or more other files and exit, running the
original (host) program. Furthermore, there is a subclass of file
infectors which infect PE EXE files, the format used by Windows 95/98
and Windows NT.
Boot infectors are a little more interesting. On hard drives they can
either infect the Master Boot Record (MBR) or one of the boot sectors of
an individual partition. (More on the difference in a future article!)
They travel via floppy disks which have their boot sector infected. A
system is normally infected by booting from an infected floppy, at which
point the virus code is copied to the hard drive. The MBR may or may not
be replaced by the virus. This can lead to interesting complications
like not being able to "see" your hard drive when booting from a floppy,
such as is the case with the Monkey family. That's why the command FDISK
/MBR is *not* your friend! A fair amount of boot infectors are
"stealthed", which means they can hide themselves from normal software
and some anti-virus programs. That's why booting from a floppy is
usually necessary to disinfect your system from a boot sector infector.
Of course now you are wondering how you can disinfect your system in this
manner if you are infected with Monkey and can't see your harddrive?
That will be the subject of a future column as well.
Lastly, there are the macro infectors, which infect documents of a
particular application which supports macro langauges. The most popular
application that macro infectors are written for is Microsoft Word 97.
Of course, other products (most of which are written by Microsoft, heh!)
which have their own macro langauges can be infected as well. The
general concept with document infectors is that Microsoft's lax security
allows macros in a given document to be executed as soon as it loaded.
At that point, a macro infector can do whatever it wants. It usually
infects a "global" area of the application, which contains macros that
are executed upon startup, so that when the application is restarted (not
that it would /ever/ happen with a Microsoft product) the virus is
started up as well.
Finally, there are some infectors known as multi-partite, which means
they can infect more than one medium. A good example here is One-half,
which infects files as well as boot records. As if that isn't bad
enough, it goes so far as to start encrypting files on the hard disk, so
if you disinfect the virus, you loose the decryption key as well and your
data is lost!
If I have written this article properly, I think I have succeeded in
getting everyone's attention, and maybe even stressing out a few people.
Good, because viruses aren't fun and games, they are serious problems in
today's computing world! They cost businesses thousands of dollars
when dealing with an infection because some employee decided to not to scan
the game they brought in from home!
Take care, and stay bug free!
Doug Muth
dmuth@ot.com
IX. More from the ACPO front
------------------------------
Hi again All: Natasha again from http://www.antichildporn.org.
This is going to be a bit different from my past articles. In fact I
pose a question to the Internet community.
As you know, we're attempting to element Child Porn on the Internet. The
issue we are concerned about is how far to go with this with out
infringing on our first amendment rights, or jeopardizing our freedom of
speech.
Let's take an imaginary situation. We find a verified Child Porn site in
*say Russia where we have no legal resources to help us prosecute the
individual that is dispensing this filth. What steps can we take to
eliminate this site, and prosecute the Admin? We don't hack a site,
that's only a quick fix, and we don't condone illegal activities at
ACPO.
Remember all this is hypothetical, what *if we could block transmission
to that site? Would you consider that an infringement of our first
amendment rights? Remember these pictures are of Children under 13 years
of age in sexual acts with people and some even with animals. Don't the
children used/abused in the pictures have any rights? Is, or should
Pedophiles first amendment rights come before the children's?
Here's another what *if. What if we could find a way to investigate the
people that signed up with these pay sites? What if the credit card
companies would work with law enforcement and ACPO? Would you feel that
that information should be held as confidential information and to be
valued as such? What about your privacy issues?
Well, that should be enough what ifs for now, but these are questions we
are thinking we might have to deal with and would like you're feed back.
You can mail me at natasha@infovlad.net or post on our BBS your thoughts
http://www.antichildporn.org You'll find the BBS there.
Thanks again for this forum.
Natasha Grigori
Founder ACPO http://www.antichildporn.org/
natasha@infovlad.net
X. Network Solutions Stumbles on WebMail Offering
----------------------------------------------------
Many of you may have heard of the situation with Network Solutions
Incorporated (NSI), either from online news sources or from the email sent
out by NSI themselves. NSI, in offering a new service, has committed a
blunder that has many major technology news sources talking.
Network Solutions ('the dot com people'), also known as InterNIC, is the
company responsible for the registration of domain names ending in .com,
..net, .org, and .edu. Starting this past Wednesday, many adminstrative
contacts for registered domains received mail from netsol1@integram.org, a
Virginia-based company that handles bulk mailing for NSI, stating that
Network Solutions has created a new web-based email service similar to
those offered by companies such as Hotmail and Yahoo, called Dot Com Now
Mail (http://mail.dotcomnow.com/). Those who had registered domains with
Network Solutions (customers of NSI) or Premier Program members (those who
registered through NSI associates like Pair) got a special treat -- NSI
went ahead and created accounts for every customer who has registered a
domain name with them.
This in itself would be little more than irritating at worst and
appreciated by some at best, were it not for the way NSI went about making
these accounts available. To begin with, the account name is generally
the last name of the domain's administrative contact (with a number
appended, if several people had the same last name). Predictable enough;
if my name is Joe Example, my account name is probably example, or
example1234. However, the account's password -- which Network Solutions
emailed out, unsolicited, in plain text -- is the same as your account
name with the letters 'nsi' on the end. If your account name is example,
you can log in with the password examplensi.
It gets better. When you log in to your account (or anyone else's, since
if you have the account name from a quick whois lookup of any domain you
like -- perhaps plus a short string of numbers -- the password's an easy
guess), you're logging in on their web page in the clear -- no encryption,
no SSL, nothing. Also, the password is truncated at eight characters, so
if your account name is eight characters long or more, the password's the
exact same as the account name. Again, for instance, if your account name
is example and your password is examplensi, you can log in as examplen; if
your account name is example1234, your password is effectively example1.
The password, then, is extrmely insecure.
It gets better: you cannot decline this 'service', nor can you terminate
your own account online...you have to call Network Solutions, and at the
time of this writing I am unaware if they are willing to delete accounts
over the phone.
For more information, Slashdot has an article and responses available at
http://slashdot.org/articles/99/09/16/0054246.shtml, and Attrition has
released an advisory at
http://www.attrition.org/news/content/99-09-16.001.html. Network
Solutions has yet to respond to the questions raised by this move;
however, as of Thursday afternoon, they started redirecting
http://www.netsol.com/ to http://www.networksolutions.com/, NSI's home
site. The problem still exists, though, and anyone who cares to give it a
try can check http://mail.dotcomnow.com/ and log in.
It is true that this new account does not allow you to make DNS changes or
grant you additional permissions, and it is also true that it's easy
enough to go to -any- web-based email service and register a name that
might be used to impersonate another person or company, but many issues
persist -- the default password for these unwanted, unsolicited accounts
is far too easy, many of these accounts will surely be compromised or
taken over before the legitimate user can access them, many people forget
to change their initial passwords, and a great deal of damage can be done
even if the accounts can't be used to impersonate someone or gain access
to domain registration information. Presumably, each account is tied to a
person, in NSI's database -- if Joe Example owns the domain example.com,
and the account example@dotcomnow.com is associated with Joe's name in
NSI's database, then any time that email address is used for illegal
purposes, NSI will come looking for Joe. So if Joe Example's account is
taken over before he can even get to it, and that account is used to spam
thousands of addresses with ads for child porn, or used to sign up for a
web mail service on which illegal material is posted, or used to send out
death threats to unsuspecting recipients (yes, the dotcomnow.com mail does
include the original source IP address in the headers, but that isn't much
of a deterrent), Joe Example could get involved in a very unfortunate
situation.
I cannot recommend strongly enough that if you own a domain and have
received mail from Network Solutions regarding this matter, you log in
immediately, change your password to a random string of letters, numbers,
and characters, and never use it again...and at the first opportunity, you
call NSI and demand that they delete the account.
/dev/null
null@default.net-security.org
XI. Securing your Mac
-----------------------
A basical security begins with possibility or not log when your in front
of a computer, I must admit that Apple was not concerned by this during
the past year. The policy was easy one computer one person, at work or at
home should the other people get acces to your box? Not sure you want your
boss to read your mails or even take a look to files your store on your mac.
One of most known product was atease, it was working with logon profiles
and restricted access to make, read, or change setings on the computer.
Often used in schools, or any other access it suffered of several bus
allowing to bypass certain rights. Many other products are arrived on the
market with different kind of restrictions. Use of profiles, startup password,
or virtual partioning with encryption. But all those product are external to
the OS itself. Well...not for a long time. Apple will introduce MacOs 9 very
soon with incredible features:
voice fingerprinting, users profiles, and key chains. One of the first OS that
will introduce biometric logging. User profile to give some to priviledge to
users, and key chain that will keep all your password in one place with one
password.This was already used years ago in system 7 pro. At this you have to
choose with the access you want to grant. A few files or folders, a whole hard
disk, a partion?
To restrict an access to a folder, a 5 cents trick would set the attribute of
a folder or a file to invisible. Fastfind the searchengine. Using applescript
could automate the task, or create a application-like. More seriously, the best
solution would be to use encryption.PGP does a great job on conventionnal
encryption, plus it's free (http://www.pgpi.com). PGP is really easy to use.
It includes a suite of very usefull tools.Encryption of mail files, wiping
of files with setup of the numbers of pass, pgpdisk and tunneling (X509
protocol). Usually up to 8 pass it's almost impossible to recover datas even
using a data bench. The other usefull tool is pgpdisk. It creats a pgp
partition, the partion is actualy a virtual one, it's only a encrypted file
with the a size u predefine from few k to several giga. Pgp is a all in one,
free, and the most reliable software to secure the access to your files or
disk. Several other reliable solutions exist for corporate environement.
Empower (http://www.empowerpro.com) was often use in companies, it's to me
the best of all. It allow many restrictions, from
the startup password, desktop restrictions (system folder, or folders), and
use of RSA algorythm. The main advantage of this kind of tool is that it doesn't
affect the user way of working. No actions are required by the user, and only a
master password (from a group of predifined adminisrator) can modify those
restrictions. Empower,File guard those software do the same: files and folders
protection ( can be usefull against virus), encryption, startup passwords and
much more. Few freeware or shareware solutions exist but usualy those commercial
are very relyable. The main security problem is to know what you what to protect,
and how it could affect the less possible to work. The encryption used are
powerfull enought (rsa, des, idea). Don't hesitate to spend few dollars to
ensure the access to your mac, or use pgp which is a great product but ask you
many handlings, but on the other hand you have more tools. Make sure you define
your needs before trying all those products because some has to be installed before
you OS that you'll have to format first.
by Deepquest
deepquest@netscape.net
http://www.deepquest.pf
XII. Why NT isn't what it is claimed to be.
-------------------------------------------
disclaimer: personal opinion by dev :)
I was quite often impressed by people's psychology. The only thing
I admit to uncle Bill is that he knew how to sell the software (not
nowadays, but even before, when Windows 3 refused to be installed
on other DOS versions than MS-DOS :)
The real life example is Microsoft Windows NT. The commercials would
actually make you think NT is not just Unix, but all other you ever
wanted to have on your desk. And later, when you see computer *professionals*
talking about advanced computing on Windows platforms, especially when you
don't understand them, you definitely say ``Yes.''. Special rates exists for
users in low-budget countries, where like 94% of the software is illegaly
distributed, and you can't hide you just love your new toy.
Now the psychology. You never ask yourself if that software really
so good, the commercials forced you to believe NT kicks ass and you
don't want to even discuss it. Also, the commercials made their type
of users, which will never ask more than a system can offer them.
I remember a 6 yrs old IBM's slogan they used to propagate OS/2: ``Don't
operate within the system limits. Move to a higher level''.
Ok, you messed a bit with your NT and you call yourself *computer professional*.
More and more you are beeing invited to fix friends' computers. Concerning
you personal habbits, you usually work under the administrator account (``who
gives a fuck about priviledges, the box is mine after all''),change desktop
theme on a daily basis, run mIRC and other professional programs.
Now the bad part you never wanted to say out loud, or how the continuos
Microsoft's propaganda fooled you (again, right?):
Almost every system modification requires machine restart. But you
don't mind. You feel you are doing something professional. You have
to restart the whole OS so it can update your great changes. Now,
if it is a server or something, system downtime is more like a curse.
And when it goes into your habbit... On Unix/Linux machines, you have
to restart the computer ONLY when 1) hardware fails, b) you change
your kernel. The first is most likely not to happen, and kernel is
something completely unknown to Windows users, since Microsoft doesn't really
want computer gurus. Only (l)users. After all, I doubt their kernel is decent
enough to be freely available in source code
(even in binary :). For more information on kernels (lol), check out years
old MS-DOS 6 book where it says ``it's the hart of every operating system''.
Interesting enough, that's the last place where I saw ``kernel'' in Microsoft's
world. However, the starting statement means means I can change network IPs,
activate /deactivate network interfaces, completely scramble system configuration,
and with no restart. New utilities/services are ready to operate when they are
installed. Sound card drivers seem so small in that Linux world. I can start/stop
sound support on multiple sound cards on the fly (funny, heh?). Modifications
are updated automatically or I just have to say specific service to re-read the
configuration files. What is more, all I ever wanted is documented under my
/usr/doc directory. But who cares, I am the professional and my box isn't any
kind of public server, so I can afford the downtime.
And I still love my ''Recycle bin''.
More downtime. Once you set up your home box and look at the nice Microsoft CD
cover (but there's always something new for a professional to explore),
BSOD - Blue Screen Of Death appears on your screen. Now what the fuck, you
think! Damn Windows. You just throw a curse (restart it) and that's it. Did
you ever think there are other, better systems? Nooo. How can it be, everyone's
screaming Microsoft, Microsoft, they must have done the great job, I'm sure the
price of their products is even underestimated. I like mIRC, after all...
Well, NT fans usually argue with me when I mention them the uptime.
It's like, ``No, my Windows machine is up for a week''. Hm, no need
to say they left it idle just to go for the uptime. However, I met
hard nuts who had their NTs up for 4 months. ``Now what do you say?''- they ask
me, supposing I will appologize. Well, for them, and everyone who didn't know,
let's just say I know a company with a UNIX machine. Interesting enough, at the
time I saw it, it's uptime has been 7.5 years.
NT (initial) price, licenses and usage in real world. How much are
you willing to pay for an NT? A 350MHz platform with 256MB RAM would
be decent enough. Let's say you want the maximum number of licenses,
its like over 4,000$ just for the base system. Now, server can't run
without the office suite, can it? Professional/Developer version looks nice.
You have old computers, they are more like terminals. Terminal server is on
the way. Some of you are very advanced, you need Microsoft Visual Studio. And
there's always certain ammount for the registered mIRC. That guy Khaled Mardam-Gay
just rocks (No harm was ment here, mr. Khaled, I just saw that in someone's
VERSION reply). You pay professionals to set up the server, buy some other
Windows licenses for other machines and finally you are broke, can't even
pay attention :)
Now, what kind of system is that, with ``per seat'' licenses? I think
50 licenses is the max , you can't pay more even if you'd like to.
And compare that to thousands of users on unix servers every day.
The fact is, NT is not even a server in common sense. Server in general is
the machine that gives others to use its resources. Or, clients are supposed
to take advantage of server's processing power. On real UNIX systems, that
involves a lot of real terminals which consist of a monitor/keyboard pair,
and they do nothing but provide (in short) more monitors for the same machine,
the server can take all the load.
In Microsoft sense, NT doesn't give them it's processing power; it
is more like all eaten up by the system itself:) (Don't tell me the
terminal server is there to achieve the same, I've met it and can
shit on it) NT doesn't have telnet (yea, yea I know...) and all it
can do is offer internet access, file and printing services. Internet
access is so poorly implemented, each service goes through a proxy,
instead of a global gateway, like the unix does it. Printing service
usually screws up on NTs, that's why HP pulled out that great computer-
printer machine that hooks up to the LAN and acts as a network printer.
Ok, you don't believe me, NT is still the kickass system. But, lemme
ask you, you heared of Hotmail, its microsoft's service. But, guess
what, Hotmail runs on Unix machines. Intel, used to be so great partner
of Bill's, uses Unixes. Popular, www.windows95.com also used Unixes. You
wanted to check out the Compaq site. ``Server busy'', now what the hell..
yes, it's NT specific:) That reminds me of an Intel employee who said ``Days
of bloatware (MS Software) are over''.
Software availability and treatment of the users. Windows software
is so private. No source code, no special documentation. All the Linux stuff
is available in source code, and everyone can see it is a high-quality work.
Guess what would happen if they would relase NT source code:))
It is implemented so it makes a difference if you click on a file
from Word or from the Explorer. Oh god, is that called *software*
these days?? When you are installing service packs, or other programs,
it is packed so nice, you don't notice it's empty inside. On WindowsXX, user
is more like an idiot. There's your monitor. I am your system. Point and click
me, be lame. Pay for an upgrade. Get some promotion material in your snailmail.
Feel protected. Be a perfect prototype of an ideal manipulation object.
What linux can do here. Use linux, get it for free, read /usr/doc,
become the professional. Meet unixes, don't say shit when you know
shit about them. Meet the powerful structure, you'll kinda despise
Microsoft after the new experience. Don't think of a unix console
like of a DOS prompt. DOS, just like Windows, doesn't belong into
the category of Operating systems (yes, by the definition).
Read the paper at www.unix-vs-nt.org, find out more. Someone told me
``I dont give a damn about your Linux, its shit. I'll use it when
I see it in every house, just like Windows''. Shit man, don't be a
lazy jerk, be one of the people who actually make it happen.
Btw, I didn't comment mIRC. It is the-top-of-lamness program, people
get excited by mIRC scripts, like they are something, and when there
is click-and-nuke, it kicks ass. Hah, a gimme a break. on Linux, I
choose from 15 ways to remotely crash my friends computer.
By messing in all computer fields, Microsoft completely ruined some
standards. It balkanized the web. Office2000 ``save to web'' option
doesn't pass any *standard conformance* HTML test. And guess how many
jerks will use the option. MSIE is not a browser, it is a crap. For
everyone who just needed office suite to pass to Linux, there is StarDivision
company working on version 5 of their StarOffice. It was like 120$ for
commercial use, but since Sun Microsystems bought them, the StarOffice is
completely free for Unix and Windows platforms. Microsoft reached the critical
mass of users, and now it is jumping on monkey's back, who's so dumb he
doesn't sees a rock coming from behind.
If you feel insulted, if you are a Windows user, I am glad. But, don't hate
Unix. You can't hate something you don't know (including me:).
Dev of net-security. net-security.org/linux
XIII. Freedom of the speech related incidents
--------------------------------------------
*******************************************************************
Civilization is the progress toward a society of privacy.
The savage's whole existence is public, ruled by the laws of his tribe.
Civilization is the process of setting man free from men.
---Ayn Rand
*******************************************************************
Every day the battle between freedom and repression rages through the global ether.
Here are this week's links highlights from NewsTrolls(http://www.newstrolls.com):
*******************************************************************
Thursday, September 16:
Tibetan Nun's Jail Term
<http://www.insidechina.com/news.php3?id=92825>
Stretched To 20 Years
"It said the 23-year-old from Garu nunnery was initially sentenced to three years
imprisonment in 1992 for attempting to stage a demonstration in Lhasa with another
nun and three monks. Her sentence was extended by six years in 1993 for singing
songs about Tibetans love for their country and families in her Drapchi prison
cell, it said. She was given another eight or nine years in 1996, after she
protested to prison wardens about the Beijing-chosen Panchen Lama, the group said."
---------------------------------------------------------------------
Weekend, September 17-19
UK woman jailed for seven years in Burma for
<http://news.bbc.co.uk/hi/english/uk/newsid_450000/450339.stm>
singing democracy songs in public
"Rachel Goldwyn, 28, was sentenced to seven years with labour on Thursday for
tying herself to a lamp post in central Yangon and singing pro-democracy
slogans...Burma's ruling junta
took power in 1988 after violently suppressing pro-democracy demonstrations.
It held a general election in 1990 but refused to let parliament convene after
a landslide victory by the
democratic opposition."
Bennett accuses State Department of
<http://www.dallasnews.com/technology/0915tech111y2kglobal.htm>
witholding info...
"Sen. Robert Bennett, R-Utah, chairman of the Senate special committee on the
year 2000 problem, said after reviewing the report that the State Department
was "withholding information from the
public for fear of creating panic." "The information vacuum this helps create
may result in the very panic they are striving to avoid," Mr. Bennett said.
State Department officials said their embassies and consulates sent back
gloomier assessments in June. Those assessments were changed after being
shared with the countries being evaluated."
----------------------------------------------------------------------------
Monday, September 20
Analysis of
<http://www.epic.org/crypto/legislation/cesa/analysis.html>
The Cyberspace Electronic Security Act of 1999...
reveals another huge loophole
<http://www.wired.com/news/news/politics/story/21810.html>
that threatens privacy...
Allan Nairn, recently deported from East Timor also
<http://asia.yahoo.com/headlines/200999/world/937825740-90920110917.newsworld.html>
confirms that Indonesia's military was in charge of killings
""I actually recognised by face some of them from the streets of Dili as being
among the street-level militia leaders. But it turns out all these men were
police intelligence and they were being rotated
back .. after having fulfilled their assignments in Dili." Nairn also said
he saw a police intelligence document referring to a specific operation which
had moved out a total of 323,564 people from East Timor."
Democracy Party members, Mao Qingxiang and Shu Guang
<http://www.insidechina.com/news.php3?id=93561>
arrested for subversion...
US-based Cultural Revolution scholar and writer, Song Yongyi, who was on
leave in China
<http://www.insidechina.com/news.php3?id=93445>
arrested for "prying into state secrets"...
300 more Falun Gong members
<http://www.scmp.com/News/China/Article/FullText_asp_ArticleID-19990920023633631.asp>
arrested...
------------------------------------------------------------------
Tuesday, September 21
Is this America???...
the people in DC vote 69% in favor of marijuana legalization and the
<http://www.washingtonpost.com/wp-srv/local/daily/sept99/pmmarijuana20.htm>
RESULTS ARE SUPPRESSED FOR ALMOST A YEAR???
Telecom New Zealand has devised
<http://www.cnnfn.com/news/technology/newsbytes/136550.html>
a sneaky Internet Tax...
Lian Shengde and others speak on the
<http://www.scmp.com/News/China/Article/FullText_asp_ArticleID-19990921025737294.asp>
horrors of China's labor camps or Laogai...
""One of the obstacles to democracy is laogai, where its victims are tortured
and murdered. Its very existence is shameful. In China's mainland, human rights
are utterly crushed in the laogai, China's darkest corner." To disguise the
exact purpose of the labour camps,
each laogai camp had a public business name, the conference was told.
The Shanxi Aluminium Products company is also the Shanxi Provincial No 1
Laogai, according to the foundation. Mr Wu estimated four to six million
people were today imprisoned in 1,000 camps that are part of the system.
Since 1949, 50 million people had gone through the system, he said."
Police arrest Malaysian activists after
<http://dailynews.yahoo.com/h/ap/19990921/wl/malaysia_anwar_4.html>
pro-Anwar demonstrations
"``The government can arrest us but more leaders will rise up,'' Tian said in
a statement. ``The threats by Mahathir cannot oppress the people anymore.''"
------------------------------------------------------------------------------
Wednesday, September 22
Has the US been tapping Lebanese leaders phones and
<http://asia.yahoo.com/headlines/220999/world/938000700-90922114528.newsworld.html>
sending the details to Israel???
Financial Times journalist, 30-year-old Sander Thoenes,
<http://asia.yahoo.com/headlines/220999/world/938000460-90922114110.newsworld.html>
hacked to death and disemboweled by Indonesian militia
-----------------------------------------------------------------------------
Thursday, September 23
This one just came in... and it's OUTRAGEOUS!
VIRUS WRITING IS AN ART, NOT A CRIME.
Finnish Parliament
<http://www.helsinki-hs.net/today/230999-05.html>
outlaws writing or distributing viruses!
"This effectively means for example that anyone who keeps a virus program on
their website that is available for downloading by visitors would become liable
under the law.
Liability for punishment is not limited to cases in which actual harm or
hindrance is caused to data systems, or where the data or files of the infected
system are corrupted or destroyed in the process. The intention to harm becomes
the primary criteria for bringing charges, and this allows the authorities to
bring offenders to book even if the virus is caught before it has a chance to
operate."
In just one week...
diva aka Pasty Drone
CEO
NewsTrolls, Inc.
"Free Minds...Free Speech...NewsTrolls"
http://www.newstrolls.com
pastydrone@newstrolls.com
XIV. Meet the underground
-------------------------
For this issue I interviewed th3 un1x b0wl1n' t34m, a group which defaced
Securitynet.net and Antiterrorism.org. Compared to the indepth interview
with v00d00, this was quite a different experience. Some of you might even
argue that this shouldn't be in Default, because it kind of encourages the
hacker stereotype mainstream media already throw on us. But this section is
here
to note the diverse opinions in the scene and the different people and their
causes in there as well. So here it is, let's all just make up our own mind.
----------------
Thejian:
Could you tell us a little bit about the th3 un1x b0wl1n' t34m?
Strike:
We're just a bunch of bored teenangers trying to get some attention.
Thejian:
What do you stand for? (Heh if you consider yourselves standing
for anything at all that is)
Strike:
We don't stand for jack shit.
Thejian:
On your defacements you've lashed out to script kiddies etc, what
is a script kiddie?
Strike:
Script kiddies are kids that has some badass program that will
break into a machine for them. They're not real hackers like us.
Thejian:
Should hacking into servers be a crime when no damage is done and
no data is stolen? Is it a felony or a "service"?
Strike:
It should be a crime. Indeed. That's what makes it exciting, etc.
Thejian:
Government reactions on defacements were pretty aggressive, was
that called for?
Strike:
Heh, we just wanted to make people angry.
Thejian:
Why do you deface anyways? Is it all about the doing it for the
kicks or is there something as an underlying message, something you hope
these defaced pages will change?
Strike:
The defacements won't change jack shit. We're doing to for fun.
And attention.
Thejian:
You always hear of hacker-ethic etc, but is there such an animal?
Strike:
Fuck hacker ethics.
Thejian:
Why is it do you think that so little admins actually try to patch
their system and so many leave their systems wide open?
Strike:
They've never heard of internet security.
Thejian:
A lot of groups are claiming to go legit nowadays or are claiming
that hackers would make the best admins for systems. But when you look at
it realistically, would you hire a hacker (who defaced pages just like yours
earlier just for kicks)?
Strike:
I would never hire a hacker as my system administrator. most
hackers are pretty selfish and assholes, and they'll try to exploit you.
Thejian:
Anything you might want to tell our readers (closing shot) ?
Strike:
The world wide web sucks. We make fun of it by defacing pages.
----------------
Heh, don't say I didn't warn you :)
Xander Teunissen
aka Thejian, Help Net Security
