Copy Link
Add to Bookmark
Report
hwa-hn31
[ 28 63 29 20 31 39 39 39 20 63 72 75 63 69 70 68 75 78 20 68 77 61 ]
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=
==========================================================================
= <=-[ HWA.hax0r.news ]-=> =
==========================================================================
[=HWA'99=] Number 31 Volume 1 1999 Aug 29th 99
==========================================================================
[ 61:20:6B:69:64:20:63:6F:75: ]
[ 6C:64:20:62:72:65:61:6B:20:74:68:69:73: ]
[ 20:22:65:6E:63:72:79:70:74:69:6F:6E:22:! ]
==========================================================================
Well http://welcome.to/HWA.hax0r.news/ is still down and out of reach, I
have an email in to the admins of the V3 redirector site to see if I can't
get access back to my redirector but i'm not hopeful. Meanwhile you can
get us at www.csoft.net/~hwa
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=
This week features an article by Dragos Ruiu entitleed
"Stealth Coordinated Attack HOWTO" and is a very well
written piece that sysadmins and hackers alike will find
very informative, its a must-read (section #42) - Ed
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=
New mirror sites
http://www.attrition.org/hosted/hwa/
http://www.ducktank.net/hwa/issues.html.
http://viper.dmrt.com/files/=E-Zines/HWA.hax0r.news/
http://hwazine.cjb.net/
http://www.hackunlimited.com/files/secu/papers/hwa/
http://www.attrition.org/~modify/texts/zines/HWA/
* http://hwa.hax0r.news.8m.com/
* http://www.fortunecity.com/skyscraper/feature/103/
* Crappy free sites but they offer 20M & I need the space...
HWA.hax0r.news is sponsored by Cubesoft communications www.csoft.net
and www.digitalgeeks.com thanks to p0lix for the digitalgeeks bandwidth
and airportman for the Cubesoft bandwidth. Also shouts out to all our
mirror sites! tnx guys.
http://www.csoft.net/~hwa
http://www.digitalgeeks.com/hwa
HWA.hax0r.news Mirror Sites:
~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://www.attrition.org/hosted/hwa/
http://www.attrition.org/~modify/texts/zines/HWA/
http://www.ducktank.net/hwa/issues.html. ** NEW **
http://www.alldas.de/hwaidx1.htm ** NEW ** CHECK THIS ONE OUT **
http://www.csoft.net/~hwa/
http://www.digitalgeeks.com/hwa.
http://members.tripod.com/~hwa_2k
http://welcome.to/HWA.hax0r.news/
http://www.attrition.org/~modify/texts/zines/HWA/
http://archives.projectgamma.com/zines/hwa/.
http://www.403-security.org/Htmls/hwa.hax0r.news.htm
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=
SYNOPSIS (READ THIS)
--------------------
The purpose of this newsletter is to 'digest' current events of interest
that affect the online underground and netizens in general. This includes
coverage of general security issues, hacks, exploits, underground news
and anything else I think is worthy of a look see. (remember i'm doing
this for me, not you, the fact some people happen to get a kick/use
out of it is of secondary importance).
This list is NOT meant as a replacement for, nor to compete with, the
likes of publications such as CuD or PHRACK or with news sites such as
AntiOnline, the Hacker News Network (HNN) or mailing lists such as
BUGTRAQ or ISN nor could any other 'digest' of this type do so.
It *is* intended however, to compliment such material and provide a
reference to those who follow the culture by keeping tabs on as many
sources as possible and providing links to further info, its a labour
of love and will be continued for as long as I feel like it, i'm not
motivated by dollars or the illusion of fame, did you ever notice how
the most famous/infamous hackers are the ones that get caught? there's
a lot to be said for remaining just outside the circle... <g>
@HWA
=-----------------------------------------------------------------------=
Welcome to HWA.hax0r.news ... #31
=-----------------------------------------------------------------------=
We could use some more people joining the channel, its usually pretty
quiet, we don't bite (usually) so if you're hanging out on irc stop
by and idle a while and say hi...
*******************************************************************
*** /join #HWA.hax0r.news on EFnet the key is `zwen' ***
*** ***
*** please join to discuss or impart news on techno/phac scene ***
*** stuff or just to hang out ... someone is usually around 24/7***
*** ***
*** Note that the channel isn't there to entertain you its for ***
*** you to talk to us and impart news, if you're looking for fun***
*** then do NOT join our channel try #weirdwigs or something... ***
*** we're not #chatzone or #hack ***
*** ***
*******************************************************************
=-------------------------------------------------------------------------=
Issue #31
=--------------------------------------------------------------------------=
[ INDEX ]
=--------------------------------------------------------------------------=
Key Intros
=--------------------------------------------------------------------------=
00.0 .. COPYRIGHTS ......................................................
00.1 .. CONTACT INFORMATION & SNAIL MAIL DROP ETC .......................
00.2 .. SOURCES .........................................................
00.3 .. THIS IS WHO WE ARE ..............................................
00.4 .. WHAT'S IN A NAME? why `HWA.hax0r.news'?..........................
00.5 .. THE HWA_FAQ V1.0 ................................................
=--------------------------------------------------------------------------=
Key Content
=--------------------------------------------------------------------------=
01.0 .. GREETS ..........................................................
01.1 .. Last minute stuff, rumours, newsbytes ...........................
01.2 .. Mailbag .........................................................
02.0 .. From the Editor..................................................
03.0 .. DOJ contemplates secret searches.................................
04.0 .. First net convict will do no time................................
05.0 .. NORTON ANTIVIRUS 2000 IS OUT.....................................
06.0 .. SSL CPU CONSUMPTION CAUSES CONCERNS..............................
07.0 .. Bug in Bill Gate's Anus?.........................................
08.0 .. CESA Causing Outrage In Libertarians ............................
09.0 .. ReDaTtAcK Arrested, Questioned, Charged, Released................
10.0 .. Some GPS Systems Fail With Date Rollover ........................
11.0 .. Security Search Engine MindSec Goes Online ......................
12.0 .. CIA Ex-Director Security Clearance Revoked ......................
13.0 .. GAO Releases Report on Risk Assement ............................
14.0 .. CESA Drives People to Freedom ...................................
15.0 .. Who's doing the Scanning? .......................................
16.0 .. Japanese police go after copyright infringers....................
17.0 .. Anti-Gay Web domain Returned to Original Owner ..................
18.0 .. EXPLOIT-DEV Mailing List Started ................................
19.0 .. NetBus - Product Under Siege ....................................
20.0 .. Worst Security Hole Ever? .......................................
21.0 .. IRC Banned in Malaysia ..........................................
22.0 .. I want my, I want my, I want my HNN - more goodies from HNN......
23.0 .. Melissa Creator Admits Guilt ....................................
24.0 .. cDc Responds to Allegations About HKBs ..........................
25.0 .. $50G Offered in 'Hacker Challenge' Publicity Stunt ..............
26.0 .. NSA Recruiting In the Underground ...............................
27.0 .. Distributed.net Fingers Thief ...................................
28.0 .. Hacktivism Email List ...........................................
29.0 .. Mitnick in Car Accident .........................................
30.0 .. Hong Kong Police Create Computer Crime Squad ....................
31.0 .. Outlook Holes Demonstrated at USENIX ............................
32.0 .. Feds Overflowing with Siezed Equipment ..........................
33.0 .. Computer Hackers Sentence Spotlights High-Tech Crime Prosecutions
34.0 .. Triads Linked to Info Vandalism - Alleged CoverUp by RCMP .......
35.0 .. DoD Preps to Fight InfoCriminals Both Foreign and Domestic ......
36.0 .. Another Big Hole Found in NT ....................................
37.0 .. Korea to Block All Porn .........................................
38.0 .. Grammatically Challenged InfoCriminal Defaces Site ..............
39.0 .. Bank Emails Virus to Investors ..................................
40.0 .. IS YAHOO SPAM OR ANTI-SPAM ORIENTED?.............................
41.0 .. "NINES PROBLEM"..................................................
42.0 .. Stealth Coordinated Attack HOWTO by Dragos Ruiu..................
43.0 .. TAIWAN CIRCLES WAGONS IN CYBER-WARFARE...........................
44.0 .. UK WEBHOSTING COMPANY HIT BY VIRUS...............................
45.0 .. NETSCAPE ISSUES WEB-SERVER FIX...................................
46.0 .. CWI CRACKS 512 BIT KEY...........................................
47.0 .. MOUNTING AN ANTI-VIRUS DEFENSE...................................
48.0 .. RETROSPECTIVE ON CRACKING CONTESTS...............................
49.0 .. SHOUTCAST COMPROMISED............................................
50.0 .. AUDIT OFFICE BLASTS AGENCIES' SERIOUS SECURITY FLAWS.............
51.0 .. ISS X-FORCE ADVISORY ON LOTUS NOTES DOMINO SERVER 4.6............
52.0 .. TECHNOLOGY KEY TO TRACKING DOWN INTERNET CRIME...................
53.0 .. GOVT HOME-INVASION BILL DRIVES US PC USERS TO CANADA.............
54.0 .. HACKERS SCANNING FOR TROUBLE.....................................
55.0 .. Canada Net they've built a super fast network, but what to do with it?
56.0 .. Security focus BUGTRAQ summary...................................
57.0 .. A typical script kiddie attack scenerio against HTTP server......
58.0 .. NMAP - Scan Analysis (v2)........................................
59.0 .. Security Focus: Incidents Summary................................
60.0 .. Security Focus: Jobs.............................................
=--------------------------------------------------------------------------=
AD.S .. Post your site ads or etc here, if you can offer something in return
thats tres cool, if not we'll consider ur ad anyways so send it in.
ads for other zines are ok too btw just mention us in yours, please
remember to include links and an email contact. Corporate ads will
be considered also and if your company wishes to donate to or
participate in the upcoming Canc0n99 event send in your suggestions
and ads now...n.b date and time may be pushed back join mailing list
for up to date information.......................................
Current dates: POSTPONED til further notice, place: TBA.. .................
Ha.Ha .. Humour and puzzles ............................................
Hey You!........................................................
=------=........................................................
Send in humour for this section! I need a laugh and its hard to
find good stuff... ;)...........................................
SITE.1 .. Featured site, .................................................
H.W .. Hacked Websites ...............................................
A.0 .. APPENDICES......................................................
A.1 .. PHACVW linx and references......................................
=--------------------------------------------------------------------------=
@HWA'99
00.0 (C) COPYRIGHT, (K)OPYWRONG, COPYLEFT? V2.0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
THE OPINIONS OF THE WRITERS DO NOT NECESSARILY REFLECT THE
OPINIONS OF THE PUBLISHERS AND VICE VERSA IN FACT WE DUNNO
WTF IS GONNA TAKE RESPONSIBILITY FOR THIS, I'M NOT DOING IT
(LOTS OF ME EITHER'S RESOUND IN THE BACKGROUND) SO UHM JUST
READ IT AND IF IT BUGS YOU WELL TFS (SEE FAQ).
Important semi-legalese and license to redistribute:
YOU MAY DISTRIBUTE THIS ZINE WITHOUT PERMISSION FROM MYSELF
AND ARE GRANTED THE RIGHT TO QUOTE ME OR THE CONTENTS OF THE
ZINE SO LONG AS Cruciphux AND/OR HWA.hax0r.news ARE MENTIONED
IN YOUR WRITING. LINK'S ARE NOT NECESSARY OR EXPECTED BUT ARE
APPRECIATED the current link is http://welcome.to/HWA.hax0r.news
IT IS NOT MY INTENTION TO VIOLATE ANYONE'S COPYRIGHTS OR BREAK
ANY NETIQUETTE IN ANY WAY IF YOU FEEL I'VE DONE THAT PLEASE EMAIL
ME PRIVATELY current email cruciphux@dok.org
THIS DOES NOT CONSTITUTE ANY LEGAL RIGHTS, IN THIS COUNTRY ALL
WORKS ARE (C) AS SOON AS COMMITTED TO PAPER OR DISK, IF ORIGINAL
THE LAYOUT AND COMMENTARIES ARE THEREFORE (C) WHICH MEANS:
I RETAIN ALL RIGHTS, BUT I GIVE YOU THE RIGHT TO READ, QUOTE
AND REDISTRIBUTE/MIRROR. - EoD
Although this file and all future issues are now copyright, some of
the content holds its own copyright and these are printed and
respected. News is news so i'll print any and all news but will quote
sources when the source is known, if its good enough for CNN its good
enough for me. And i'm doing it for free on my own time so pfffft. :)
No monies are made or sought through the distribution of this material.
If you have a problem or concern email me and we'll discuss it.
cruciphux@dok.org
Cruciphux [C*:.]
00.1 CONTACT INFORMATION AND MAIL DROP
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Wahoo, we now have a mail-drop, if you are outside of the U.S.A or
Canada / North America (hell even if you are inside ..) and wish to
send printed matter like newspaper clippings a subscription to your
cool foreign hacking zine or photos, small non-explosive packages
or sensitive information etc etc well, now you can. (w00t) please
no more inflatable sheep or plastic dog droppings, or fake vomit
thanks.
Send all goodies to:
HWA NEWS
P.O BOX 44118
370 MAIN ST. NORTH
BRAMPTON, ONTARIO
CANADA
L6V 4H5
WANTED!: POSTCARDS! YESH! POSTCARDS, I COLLECT EM so I know a lot of you are
~~~~~~~ reading this from some interesting places, make my day and get a
mention in the zine, send in a postcard, I realize that some places
it is cost prohibitive but if you have the time and money be a cool
dude / gal and send a poor guy a postcard preferably one that has some
scenery from your place of residence for my collection, I collect stamps
too so you kill two birds with one stone by being cool and mailing in a
postcard, return address not necessary, just a "hey guys being cool in
Bahrain, take it easy" will do ... ;-) thanx.
Ideas for interesting 'stuff' to send in apart from news:
- Photo copies of old system manual front pages (optionally signed by you) ;-)
- Photos of yourself, your mom, sister, dog and or cat in a NON
compromising position plz I don't want pr0n. <g>
- Picture postcards
- CD's 3.5" disks, Zip disks, 5.25" or 8" floppies, Qic40/80/100-250
tapes with hack/security related archives, logs, irc logs etc on em.
- audio or video cassettes of yourself/others etc of interesting phone
fun or social engineering examples or transcripts thereof.
Stuff you can email:
- Prank phone calls in .ram or .mp* format
- Fone tones and security announcements from PBX's etc
- fun shit you sampled off yer scanner (relevant stuff only like #2600 meeting activities)
- reserved for one smiley face -> :-) <-
- PHACV lists of files that you have or phac cd's you own (we have a burner, *g*)
- burns of phac cds (email first to make sure we don't already have em)
- Any and all telephone sounds/tones/beeps/trunk drops/line tests/etc in .ram etc format or .mp*
If you still can't think of anything you're probably not that interesting
a person after all so don't worry about it <BeG>
Our current email:
Submissions/zine gossip.....: hwa@press.usmc.net
Private email to editor.....: cruciphux@dok.org
Distribution/Website........: sas72@usa.net
@HWA
00.2 Sources ***
~~~~~~~~~~~
Sources can be some, all, or none of the following (by no means complete
nor listed in any degree of importance) Unless otherwise noted, like msgs
from lists or news from other sites, articles and information is compiled
and or sourced by Cruciphux no copyright claimed.
News & I/O zine ................. http://www.antionline.com/
Back Orifice/cDc..................http://www.cultdeadcow.com/
News site (HNN) .....,............http://www.hackernews.com/
Help Net Security.................http://net-security.org/
News,Advisories,++ .(lophtcrack)..http://www.l0pht.com/
NewsTrolls .(daily news ).........http://www.newstrolls.com/
News + Exploit archive ...........http://www.rootshell.com/beta/news.html
CuD Computer Underground Digest...http://www.soci.niu.edu/~cudigest
News site+........................http://www.zdnet.com/
News site+Security................http://www.gammaforce.org/
News site+Security................http://www.projectgamma.com/
News site+Security................http://securityhole.8m.com/
News site+Security related site...http://www.403-security.org/ *DOWN*
News/Humour site+ ................http://www.innerpulse.com
News/Techie news site.............http://www.slashdot.org
+Various mailing lists and some newsgroups, such as ...
+other sites available on the HNN affiliates page, please see
http://www.hackernews.com/affiliates.html as they seem to be popping up
rather frequently ...
http://www.the-project.org/ .. IRC list/admin archives
http://www.anchordesk.com/ .. Jesse Berst's AnchorDesk
alt.hackers.malicious
alt.hackers
alt.2600
BUGTRAQ
ISN security mailing list
ntbugtraq
<+others>
NEWS Agencies, News search engines etc:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://www.cnn.com/SEARCH/
http://www.foxnews.com/search/cgi-bin/search.cgi?query=hack&days=0&wires=0&startwire=0
http://www.news.com/Searching/Results/1,18,1,00.html?querystr=hack
http://www.ottawacitizen.com/business/
http://search.yahoo.com.sg/search/news_sg?p=hack
http://www.washingtonpost.com/cgi-bin/search?DB_NAME=WPlate&TOTAL_HITLIST=20&DEFAULT_OPERATOR=AND&headline=&WITHIN_FIELD_NAME=.lt.event_date&WITHIN_DAYS=0&description=hack
http://www.zdnet.com/zdtv/cybercrime/
http://www.zdnet.com/zdtv/cybercrime/chaostheory/ (Kevin Poulsen's Column)
NOTE: See appendices for details on other links.
http://news.bbc.co.uk/hi/english/sci/tech/newsid_254000/254236.stm
http://freespeech.org/eua/ Electronic Underground Affiliation
http://ech0.cjb.net ech0 Security
http://axon.jccc.net/hir/ Hackers Information Report
http://net-security.org Net Security
http://www.403-security.org Daily news and security related site
Submissions/Hints/Tips/Etc
~~~~~~~~~~~~~~~~~~~~~~~~~~
All submissions that are `published' are printed with the credits
you provide, if no response is received by a week or two it is assumed
that you don't care wether the article/email is to be used in an issue
or not and may be used at my discretion.
Looking for:
Good news sites that are not already listed here OR on the HNN affiliates
page at http://www.hackernews.com/affiliates.html
Magazines (complete or just the articles) of breaking sekurity or hacker
activity in your region, this includes telephone phraud and any other
technological use, abuse hole or cool thingy. ;-) cut em out and send it
to the drop box.
- Ed
Mailing List Subscription Info (Far from complete) Feb 1999
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~ ~~~~~~~~
ISS Security mailing list faq : http://www.iss.net/iss/maillist.html
THE MOST READ:
BUGTRAQ - Subscription info
~~~~~~~~~~~~~~~~~~~~~~~~~~~
What is Bugtraq?
Bugtraq is a full-disclosure UNIX security mailing list, (see the info
file) started by Scott Chasin <chasin@crimelab.com>. To subscribe to
bugtraq, send mail to listserv@netspace.org containing the message body
subscribe bugtraq. I've been archiving this list on the web since late
1993. It is searchable with glimpse and archived on-the-fly with hypermail.
Searchable Hypermail Index;
http://www.eecs.nwu.edu/~jmyers/bugtraq/index.html
<a href="http://www.eecs.nwu.edu/~jmyers/bugtraq/index.html">Link</a>
About the Bugtraq mailing list
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The following comes from Bugtraq's info file:
This list is for *detailed* discussion of UNIX security holes: what they are,
how to exploit, and what to do to fix them.
This list is not intended to be about cracking systems or exploiting their
vulnerabilities. It is about defining, recognizing, and preventing use of
security holes and risks.
Please refrain from posting one-line messages or messages that do not contain
any substance that can relate to this list`s charter.
I will allow certain informational posts regarding updates to security tools,
documents, etc. But I will not tolerate any unnecessary or nonessential "noise"
on this list.
Please follow the below guidelines on what kind of information should be posted
to the Bugtraq list:
+ Information on Unix related security holes/backdoors (past and present)
+ Exploit programs, scripts or detailed processes about the above
+ Patches, workarounds, fixes
+ Announcements, advisories or warnings
+ Ideas, future plans or current works dealing with Unix security
+ Information material regarding vendor contacts and procedures
+ Individual experiences in dealing with above vendors or security organizations
+ Incident advisories or informational reporting
Any non-essential replies should not be directed to the list but to the originator of the message. Please do not
"CC" the bugtraq reflector address if the response does not meet the above criteria.
Remember: YOYOW.
You own your own words. This means that you are responsible for the words that you post on this list and that
reproduction of those words without your permission in any medium outside the distribution of this list may be
challenged by you, the author.
For questions or comments, please mail me:
chasin@crimelab.com (Scott Chasin)
Crypto-Gram
~~~~~~~~~~~
CRYPTO-GRAM is a free monthly newsletter providing summaries, analyses,
insights, and commentaries on cryptography and computer security.
To subscribe, visit http://www.counterpane.com/crypto-gram.html or send a
blank message to crypto-gram-subscribe@chaparraltree.com. To unsubscribe,
visit http://www.counterpane.com/unsubform.html. Back issues are available
on http://www.counterpane.com.
CRYPTO-GRAM is written by Bruce Schneier. Schneier is president of
Counterpane Systems, the author of "Applied Cryptography," and an inventor
of the Blowfish, Twofish, and Yarrow algorithms. He served on the board of
the International Association for Cryptologic Research, EPIC, and VTW. He
is a frequent writer and lecturer on cryptography.
CUD Computer Underground Digest
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This info directly from their latest ish:
Computer underground Digest Sun 14 Feb, 1999 Volume 11 : Issue 09
ISSN 1004-042X
Editor: Jim Thomas (cudigest@sun.soci.niu.edu)
News Editor: Gordon Meyer (gmeyer@sun.soci.niu.edu)
Archivist: Brendan Kehoe
Poof Reader: Etaion Shrdlu, Jr.
Shadow-Archivists: Dan Carosone / Paul Southworth
Ralph Sims / Jyrki Kuoppala
Ian Dickinson
Cu Digest Homepage: http://www.soci.niu.edu/~cudigest
[ISN] Security list
~~~~~~~~~~~~~~~~~~~
This is a low volume list with lots of informative articles, if I had my
way i'd reproduce them ALL here, well almost all .... ;-) - Ed
Subscribe: mail majordomo@repsec.com with "subscribe isn".
@HWA
00.3 THIS IS WHO WE ARE
~~~~~~~~~~~~~~~~~~
Some HWA members and Legacy staff
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
cruciphux@dok.org.........: currently active/editorial
darkshadez@ThePentagon.com: currently active/man in black
fprophet@dok.org..........: currently active/IRC+ man in black
sas72@usa.net ............. currently active/IRC+ distribution
vexxation@usa.net ........: currently active/IRC+ proof reader/grrl in black
dicentra...(email withheld): IRC+ grrl in black
eentity ...( '' '' ): Currently active/IRC+ man in black
Foreign Correspondants/affiliate members
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Qubik ............................: United Kingdom
D----Y ...........................: USA/world media
HWA members ......................: World Media
Past Foreign Correspondants (currently inactive or presumed dead)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
N0Portz ..........................: Australia
system error .....................: Indonesia
Wile (wile coyote) ...............: Japan/the East
Ruffneck ........................: Netherlands/Holland
Please send in your sites for inclusion here if you haven't already
also if you want your emails listed send me a note ... - Ed
Spikeman's site is down as of this writing, if it comes back online it will be
posted here.
http://www.hackerlink.or.id/ ............ System Error's site (in Indonesian)
*******************************************************************
*** /join #HWA.hax0r.news on EFnet the key is `zwen' ***
*******************************************************************
:-p
1. We do NOT work for the government in any shape or form.Unless you count paying
taxes ... in which case we work for the gov't in a BIG WAY. :-/
2. MOSTLY Unchanged since issue #1, although issues are a digest of recent news
events its a good idea to check out issue #1 at least and possibly also the
Xmas issue for a good feel of what we're all about otherwise enjoy - Ed ...
@HWA
00.4 Whats in a name? why HWA.hax0r.news??
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Well what does HWA stand for? never mind if you ever find out I may
have to get those hax0rs from 'Hackers' or the Pretorians after you.
In case you couldn't figure it out hax0r is "new skewl" and although
it is laughed at, shunned, or even pidgeon holed with those 'dumb
leet (l33t?) dewds' <see article in issue #4> this is the state
of affairs. It ain't Stephen Levy's HACKERS anymore. BTW to all you
up and comers, i'd highly recommend you get that book. Its almost
like buying a clue. Anyway..on with the show .. - Editorial staff
@HWA
00.5 HWA FAQ v1.0 Feb 13th 1999 (Abridged & slightly updated again)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Also released in issue #3. (revised) check that issue for the faq
it won't be reprinted unless changed in a big way with the exception
of the following excerpt from the FAQ, included to assist first time
readers:
Some of the stuff related to personal useage and use in this zine are
listed below: Some are very useful, others attempt to deny the any possible
attempts at eschewing obfuscation by obsucuring their actual definitions.
@HWA - see EoA ;-)
!= - Mathematical notation "is not equal to" or "does not equal"
ASC(247) "wavey equals" sign means "almost equal" to. If written
an =/= (equals sign with a slash thru it) also means !=, =< is Equal
to or less than and => is equal to or greater than (etc, this aint
fucking grade school, cripes, don't believe I just typed all that..)
AAM - Ask a minor (someone under age of adulthood, usually <16, <18 or <21)
AOL - A great deal of people that got ripped off for net access by a huge
clueless isp with sekurity that you can drive buses through, we're
not talking Kung-Fu being none too good here, Buy-A-Kloo maybe at the
least they could try leasing one??
*CC - 1 - Credit Card (as in phraud)
2 - .cc is COCOS (Keeling) ISLANDS butthey probably accept cc's
CCC - Chaos Computer Club (Germany)
*CON - Conference, a place hackers crackers and hax0rs among others go to swap
ideas, get drunk, swap new mad inphoz, get drunk, swap gear, get drunk
watch videos and seminars, get drunk, listen to speakers, and last but
not least, get drunk.
*CRACKER - 1 . Someone who cracks games, encryption or codes, in popular hacker
speak he's the guy that breaks into systems and is often (but by no
means always) a "script kiddie" see pheer
2 . An edible biscuit usually crappy tasting without a nice dip, I like
jalapeno pepper dip or chives sour cream and onion, yum - Ed
Ebonics - speaking like a rastafarian or hip dude of colour <sic> also wigger
Vanilla Ice is a wigger, The Beastie Boys and rappers speak using
ebonics, speaking in a dark tongue ... being ereet, see pheer
EoC - End of Commentary
EoA - End of Article or more commonly @HWA
EoF - End of file
EoD - End of diatribe (AOL'ers: look it up)
FUD - Coined by Unknown and made famous by HNN <g> - "Fear uncertainty and doubt",
usually in general media articles not high brow articles such as ours or other
HNN affiliates ;)
du0d - a small furry animal that scurries over keyboards causing people to type
weird crap on irc, hence when someone says something stupid or off topic
'du0d wtf are you talkin about' may be used.
*HACKER - Read Stephen Levy's HACKERS for the true definition, then see HAX0R
*HAX0R - 1 - Cracker, hacker wannabe, in some cases a true hacker, this is difficult to
define, I think it is best defined as pop culture's view on The Hacker ala
movies such as well erhm "Hackers" and The Net etc... usually used by "real"
hackers or crackers in a derogatory or slang humorous way, like 'hax0r me
some coffee?' or can you hax0r some bread on the way to the table please?'
2 - A tool for cutting sheet metal.
HHN - Maybe a bit confusing with HNN but we did spring to life around the same
time too, HWA Hax0r News.... HHN is a part of HNN .. and HNN as a proper
noun means the hackernews site proper. k? k. ;&
HNN - Hacker News Network and its affiliates http://www.hackernews.com/affiliates.html
J00 - "you"(as in j00 are OWN3D du0d) - see 0wn3d
MFI/MOI- Missing on/from IRC
NFC - Depends on context: No Further Comment or No Fucking Comment
NFR - Network Flight Recorder (Do a websearch) see 0wn3d
NFW - No fuckin'way
*0WN3D - You are cracked and owned by an elite entity see pheer
*OFCS - Oh for christ's sakes
PHACV - And variations of same <coff>
Phreaking, Hacking, Anarchy, Cracking, Carding (CC) Groups Virus, Warfare
Alternates: H - hacking, hacktivist
C - Cracking <software>
C - Cracking <systems hacking>
V - Virus
W - Warfare <cyberwarfare usually as in Jihad>
A - Anarchy (explosives etc, Jolly Roger's Cookbook etc)
P - Phreaking, "telephone hacking" PHone fREAKs ...
CT - Cyber Terrorism
*PHEER - This is what you do when an ereet or elite person is in your presence
see 0wn3d
*RTFM - Read the fucking manual - not always applicable since some manuals are
pure shit but if the answer you seek is indeed in the manual then you
should have RTFM you dumb ass.
TBC - To Be Continued also 2bc (usually followed by ellipses...) :^0
TBA - To Be Arranged/To Be Announced also 2ba
TFS - Tough fucking shit.
*w00t - 1 - Reserved for the uber ereet, noone can say this without severe repercussions
from the underground masses. also "w00ten" <sic>
2 - Cruciphux and sAs72's second favourite word (they're both shit stirrers)
*wtf - what the fuck, where the fuck, when the fuck etc ..
*ZEN - The state you reach when you *think* you know everything (but really don't)
usually shortly after reaching the ZEN like state something will break that
you just 'fixed' or tweaked.
@HWA
-=- :. .: -=-
01.0 Greets!?!?! yeah greets! w0w huh. - Ed
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Thanks to all in the community for their support and interest but i'd
like to see more reader input, help me out here, whats good, what sucks
etc, not that I guarantee i'll take any notice mind you, but send in
your thoughts anyway.
* all the people who sent in cool emails and support
FProphet Pyra TwstdPair _NeM_
D----Y Dicentra vexxation sAs72
Spikeman p0lix
Ken Williams/tattooman of PacketStorm, hang in there Ken...:(
& Kevin Mitnick (Happy Birthday)
kewl sites:
+ http://www.securityportal.com/ NEW
+ http://www.securityfocus.com/ NEW
+ http://www.hackcanada.com/
+ http://www.l0pht.com/
+ http://www.2600.com/
+ http://www.freekevin.com/
+ http://www.genocide2600.com/
+ http://www.packetstorm.harvard.edu/ ******* DOWN (THANKS JP) ******
+ http://www.hackernews.com/ (Went online same time we started issue 1!)
+ http://www.net-security.org/
+ http://www.slashdot.org/
+ http://www.freshmeat.net/
+ http://www.403-security.org/
+ http://ech0.cjb.net/
@HWA
01.1 Last minute stuff, rumours and newsbytes
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"What is popular isn't always right, and what is right isn't
always popular..."
- FProphet '99
+++ When was the last time you backed up your important data?
++ DEFAULT #3 RELEASED
The cool DEFAULT newsletter by Help net-security.org is up to issue#3 check it out
by BHZ, Friday 27th August 1999 on 3:01 pm CET
Third issue of our newsletter is out. You can read abot following topics: Y2K week in
review + Outlook Express Year 2000 Update, Look into basic cryptography, Freedom
Network, IP Masquerading, Macintosh security, Trojan forensics, Scams - Getting
something by all means, Freedom of the speech review and part two of excellent
Intrusion and detection article. Download > default3.txt or default3.zip.
http://default.net-security.org/dl/default3.txt
http://default.net-security.org/dl/default3.zip
Thanks to myself for providing the info from my wired news feed and others from whatever
sources, also to Spikeman for sending in past entries.... - Ed
@HWA
01.2 MAILBAG - email and posts from the message board worthy of a read
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
(No mail worthy of posting here this issue,)
Yeah we have a message board, feel free to use it, remember there are no stupid questions...
well there are but if you ask something really dumb we'll just laugh at ya, lets give the
message board a bit more use eh? i'll be using a real message board when the hwa-iwa.org
domain comes back online (soon) meanwhile the beseen board is still up...
Since theres nothing to print here, here's the Mentor's last words direct from Phrack7
file 003 complete and unabridged... send in your mail/questions etc! - Ed
==Phrack Inc.==
Volume One, Issue 7, Phile #3 of 10
The following was written shortly after my arrest. I am currently
groupless, having resigned from the Racketeers, so ignore the signoff...
The Conscience of a Hacker... by The Mentor... 1/8/86
Another one got caught today, it's all over the papers. "Teenager
Arrested in Computer Crime Scandal", "Hacker Arrested after Bank Tampering"...
Damn kids. They're all alike.
But did you, in your three-piece psychology and 1950's technobrain,
ever take a look behind the eyes of the hacker? Did you ever wonder what
made him tick, what forces shaped him, what may have molded him?
I am a hacker, enter my world...
Mine is a world that begins with school... I'm smarter than most of
the other kids, this crap they teach us bores me...
Damn underachiever. They're all alike.
I'm in junior high or high school. I've listened to teachers explain
for the fifteenth time how to reduce a fraction. I understand it. "No, Ms.
Smith, I didn't show my work. I did it in my head..."
Damn kid. Probably copied it. They're all alike.
I made a discovery today. I found a computer. Wait a second, this is
cool. It does what I want it to. If it makes a mistake, it's because I
screwed it up. Not because it doesn't like me...
Or feels threatened by me...
Or thinks I'm a smart ass...
Or doesn't like teaching and shouldn't be here...
Damn kid. All he does is play games. They're all alike.
And then it happened... a door opened to a world... rushing through
the phone line like heroin through an addict's veins, an electronic pulse is
sent out, a refuge from the day-to-day incompetencies is sought... a board is
found.
"This is it... this is where I belong..."
I know everyone here... even if I've never met them, never talked to
them, may never hear from them again... I know you all...
Damn kid. Tying up the phone line again. They're all alike...
You bet your ass we're all alike... we've been spoon-fed baby food at
school when we hungered for steak... the bits of meat that you did let slip
through were pre-chewed and tasteless. We've been dominated by sadists, or
ignored by the apathetic. The few that had something to teach found us will-
ing pupils, but those few are like drops of water in the desert.
This is our world now... the world of the electron and the switch, the
beauty of the baud. We make use of a service already existing without paying
for what could be dirt-cheap if it wasn't run by profiteering gluttons, and
you call us criminals. We explore... and you call us criminals. We seek
after knowledge... and you call us criminals. We exist without skin color,
without nationality, without religious bias... and you call us criminals.
You build atomic bombs, you wage wars, you murder, cheat, and lie to us
and try to make us believe it's for our own good, yet we're the criminals.
Yes, I am a criminal. My crime is that of curiosity. My crime is
that of judging people by what they say and think, not what they look like.
My crime is that of outsmarting you, something that you will never forgive me
for.
I am a hacker, and this is my manifesto. You may stop this indiv-
idual, but you can't stop us all... after all, we're all alike.
+++The Mentor+++
Racketeers
==============================================================================
02.0 From the editor.
~~~~~~~~~~~~~~~~
#include <stdio.h>
#include <thoughts.h>
#include <backup.h>
main()
{
printf ("Read commented source!\n\n");
/* This issue includes an article by Dragos Ruiu that is well worth the read
* it is entitled "Stealth Coordinated Attack HOWTO" as mentioned in the header
* and outlines various attack methods employed by todays hacker used to scope
* out and penetrate your systems. The article can be found in section 42.0
*
* As always we welcome your stories, articles and poetry, please send them with any
* information about yourself you see fit or would like included to the address below...
*
* Please, send your submissions to: hwa@press.usmc.net thank you.
*
* Cruciphux
*/
printf ("EoF.\n");
}
Congrats, thanks, articles, news submissions and kudos to us at the
main address: hwa@press.usmc.net complaints and all nastygrams and
mai*lbombs can go to /dev/nul nukes, synfloods and papasmurfs to
127.0.0.1, private mail to cruciphux@dok.org
danke.
C*:.
03.0 DOJ contemplates secret searches
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From http://www.net-security.org/
SECRET SEARCHES FROM DOJ
by BHZ, Tuesday 24th August 1999 on 2:34 pm CET
InfoWar published a briefing on public policy issues written by Center for Democracy
and Technology (www.cdt.org). "The Justice Department is planning to ask Congress
for new authority allowing federal agents armed with search warrants to secretly break
into homes and offices to obtain decryption keys or passwords or to implant 'recovery
devices' or otherwise modify computers to ensure that any encrypted messages or
files can be read by the government". Read the briefing here.
8/23/99
DOJ Proposes Secret Searches
C D T P O L I C Y P O S T
A BRIEFING ON PUBLIC POLICY ISSUES
AFFECTING CIVIL LIBERTIES ONLINE
from
THE CENTER FOR DEMOCRACY AND TECHNOLOGY
Volume 5, Number 19 August 20, 1999
CONTENTS:
(1) Justice Department Proposes Secret Searches of Homes, Offices
(2) If the Government Wants Your Data, It Should Come to You For It
(3) Proposal Also Sets Standards for Access to Escrowed Keys
(4) Subscription Information
(5) About the Center for Democracy and Technology
** This document may be redistributed freely with this banner intact **
Excerpts may be re-posted with permission of ari@cdt.org This document is also available at:
http://www.cdt.org/publications/pp_5.19.html
(1) JUSTICE DEPARTMENT PROPOSES SECRET SEARCHES OF HOMES, OFFICES
The Justice Department is planning to ask Congress for new authority allowing federal agents armed with search warrants to secretly break into homes
and offices to obtain decryption keys or passwords or to implant "recovery devices" or otherwise modify computers to ensure that any encrypted messages
or files can be read by the government.
With this dramatic proposal, the Clinton Administration is basically saying: "If you don't give your key in advance to a third party, we will secretly enter
your house to take it if we suspect criminal conduct."
The full text of the Justice Department proposal, a section-by-section analysis prepared by DOJ lawyers, and related materials are available at:
http://www.cdt.org/crypto/CESA.
The proposal has been circulating within the Clinton Administration since late June. On August 5, the Office of Management and Budget circulated it for
final interagency review. In the normal course, after all potentially interested agencies have been consulted, the proposal would be transmitted to Capitol
Hill, where it could be introduced by any Member, or offered as an amendment to pending legislation.
(2) IF THE GOVERNMENT WANTS YOUR DATA, IT SHOULD COME TO YOU FOR IT
The proposal is intended to eliminate a core element of our civil liberties. Normally, under the Fourth Amendment in the Bill of Rights, when the
government wants to search your home or office, the government must obtain a court order issued by a judge based on a finding of probable cause to
believe that a crime is being committed AND the government must provide you with contemporaneous notice of the search -- show you the warrant and
leave an inventory of the items seized.
This notice requirement has ancient roots. It is based on the notion that the judicial warrant (issued on the basis of the government agent's untested
assertions presented to a judge in private) does not provide adequate protection against abuse. Notice is important because it gives you the opportunity to
observe the conduct of the government agents and protect your rights. If the agents are exceeding the scope of the warrant, for example, you can even
rush down to the courthouse and ask a judge to stop the search. And after the search, you can exercise your rights for return of your property and
otherwise defend yourself.
Over time, our society has tolerated exceptions to this rule. For example, the government can enter secretly to plant bugs to pick up oral communications or
to bug your phone, but that is quite rare. Most wiretaps do not involve entry into the home. A few courts in a few cases have allowed so-called "sneak and
peek" searches, in which government agents can enter surreptitiously, provided they don't take anything. And in the name of foreign counterintelligence, the
government has long conducted "black bag jobs," such as the one in which they searched the home and computer of CIA employee Aldrich Ames.
The new DOJ proposal is a huge expansion of these previously narrowly defined exceptions. The proposal takes extraordinary cases at the fringes of the
law and makes them routine, given the increasingly ubiquitous nature of computers.
Thus, the encryption debate, which up until now has been about privacy and security in cyberspace, is becoming a struggle over the sanctity of the home.
(3) PROPOSAL ALSO SETS STANDARDS FOR ACCESS TO ESCROWED KEYS
The proposal also includes detailed procedures for government access to keys and other forms of decryption assistance stored with third parties. Again, the
essence of the DOJ proposal is government access to keys without the knowledge or cooperation of the crypto user.
The DOJ claims that these key recovery provisions provide greater protection for lawful users of encryption, by making it clear that a third party holding a
decryption key or other recovery information cannot disclose it or use it except in accordance with the procedures set forth in the Act. The DOJ-drafted
procedures are complicated and unique, turning on unanswered questions of what is "generally applicable law" and what is a "constitutionally protected
expectation of privacy." They fall far short of protections proposed by Sen. Patrick J. Leahy (D-VT) in the Electronic Rights for the Twenty-First Century
(E-RIGHTS) bill, S. 854, described at http://www.cdt.org/crypto/legis_106/ERIGHTS/
In any case, few individuals use third party key recovery, and there seems to be little individual or corporate interest in key recovery for communications,
so even the strictest procedures for access to escrowed keys would be vastly outweighed by the proposed secret searches of homes and offices.
In the small comfort department, the DOJ proposal makes it clear that key escrow or third party key recovery would not be mandatory.
(4) SUBSCRIPTION INFORMATION
Be sure you are up to date on the latest public policy issues affecting civil liberties online and how they will affect you! Subscribe to the CDT Policy Post
news distribution list. CDT Policy Posts, the regular news publication of the Center for Democracy and Technology, are received by Internet users,
industry leaders, policymakers, the news media and activists, and have become the leading source for information about critical free speech and privacy
issues affecting the Internet and other interactive communications media.
To subscribe to CDT's Policy Post list, send mail to
majordomo@cdt.org
In the BODY of the message (leave the SUBJECT LINE BLANK), type
subscribe policy-posts
If you ever wish to remove yourself from the list, send mail to the above address with NOTHING IN THE SUBJECT LINE and a BODY TEXT of:
unsubscribe policy-posts
(5) ABOUT THE CENTER FOR DEMOCRACY AND TECHNOLOGY/CONTACTING US
The Center for Democracy and Technology is a non-profit public interest organization based in Washington, DC. The Center's mission is to develop and
advocate public policies that advance democratic values and constitutional civil liberties in new computer and communications technologies.
Contacting us:
General information: info@cdt.org
World Wide Web: http://www.cdt.org/
Snail Mail: The Center for Democracy and Technology
1634 Eye Street NW * Suite 1100 * Washington, DC 20006
(v) +1.202.637.9800 * (f) +1.202.637.0968
End Policy Post 5.19
Aleksandr Gembinski
Webmaster etc.
Center for Democracy and Technology
1634 Eye Street, NW
11th Floor
Washington, DC 20006
(v) +1.202.637.9800
(f) +1.202.637.0968
http://www.cdt.org/
@HWA
04.0 FIRST NET CONVICT WILL DO NO TIME
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From http://www.net-security.org/
by Thejian, Monday 23rd August 1999 on 9:30 pm CET
The University of Oregon student who last Friday pled guilty to felony cyber-crime
charges and in so doing became the first-ever person convicted under the No
Electronic Theft (NET) Act, will not do any jail time. The student will be sentenced
Nov. 2 - and although he faces a maximum of three years in jail for his conviction on
one count of "criminal infringement or reproduction" of commercial software - his plea
arrangement assures that he will not see the inside of a jail cell, altough he still is
saddled with a felony conviction according to the deputy chief of DOJ's computer
crime division. Story on Newsbytes
First NET Convict Will Do No Time - Update
By David McGuire, Newsbytes
WASHINGTON, DC, U.S.A.,
23 Aug 1999, 12:31 PM CST
A University of Oregon student convicted of distributing pirated software over the Internet will not spend any
time in jail under a plea agreement with Department of Justice attorneys.
The student last Friday pled guilty to felony cyber-crime charges and in so doing became the first-ever person convicted
under the decade-old the No Electronic Theft (NET) Act, Newsbytes reported last week.
The student was accused of pilfering thousands of business and entertainment programs and posting them, free-of-charge,
on his Website, said David Greene, deputy chief of Justice's computer crime division.
Before the NET Act was passed, prosecutors had to prove that cyber- thieves received "commercial benefits" from their
thefts in order to win convictions. But the NET Act closed that loophole.
The student will be sentenced Nov. 2 - and although he faces a maximum of three years in jail for his conviction on one
count of "criminal infringement or reproduction" of commercial software - his plea arrangement assures that he will not see
the inside of a jail cell, Greene said.
Still, he is saddled with a felony conviction, and Greene hopes coverage of the case will deter other software pirates, he
said.
Earlier this year, some congressional Republicans questioned why there had been no Department of Justice prosecutions
under the NET Act. DoJ called yesterday's conviction a clear message that Justice is enforcing the law.
"We are not going to bring hundreds of these cases," Greene said. But DoJ is "trying to discourage (computer piracy) as a
hobby."
While such thefts may seem comparatively innocuous, they have "done some real damage to software companies," Greene
said.
Reported by Newsbytes.com, http://www.newsbytes.com .
12:31 CST
Reposted 12:31 CST
ZD Net
http://www.zdnet.com/zdnn/stories/news/0,4586,2318386,00.html?chkpt=hpqs014
--------------------------------------------------------------
This story was printed from ZDNN,
located at http://www.zdnet.com/zdnn.
--------------------------------------------------------------
Feds convict first Internet pirate
By Reuters
August 20, 1999 5:22 PM PT
URL: http://www.zdnet.com/zdnn/stories/news/0,4586,2318386,00.html?chkpt=hpqs014
WASHINGTON -- An Oregon college student who gave away music, movies and software on
the Web has become the first person convicted of a felony under a law punishing Internet
copyright piracy, the government said Friday.
Jeffrey Gerard Levy, 22, a senior at the University of Oregon in Eugene, pleaded guilty
to violating the No Electronic Theft Act of 1997, the U.S. Justice Department announced.
The Justice Department said Levy admitted that in January of this year he "illegally posted
computer software programs, musical recordings, entertainment software programs and digitally
recorded movies on his Internet Web site, allowing the general public to download and copy
these copyrighted products."
A Justice Department official said there was no evidence that Levy had made any profit from
the freely available works.
Anybody who distributes 10 or more copyrighted works with a value of more than $2,500 can
face up to three years in prison and a fine of up to $250,000.
Levy faces sentencing Nov. 2.
@HWA
05.0 NORTON ANTIVIRUS 2000 IS OUT
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From http://www.net-security.org/
by BHZ, Tuesday 24th August 1999 on 3:17 pm CET
Symantec (www.symantec.com) published Norton Utilities 2000, Norton AntiVirus
2000, and Norton CleanSweep 2000. Norton AntiVirus 2000 has two new features -
support for automatic scanning of incoming e-mail attachments from POP-based
applications such and it can automatically eliminate viruses in multiple compressed
file levels, such as a Zip file inside another Zip file.
@HWA
06.0 SSL CPU CONSUMPTION CAUSES CONCERNS
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From http://www.net-security.org/
by Thejian, Tuesday 24th August 1999 on 11:50 am CET
A recently released study by research and consulting firm Networkshop, found that
various combinations of servers, processors, operating systems and online content
used in conjunction with Secure Sockets Layer (SSL) can hamper the performance of
Web servers. SSL helps secure e-commerce transactions, but these new findings
suggest that its CPU consumption may end up impeding those same transactions.
Full story
SSL's CPU appetite causes concern
Amy Rogers
Washington, D.C. - Secure Sockets Layer (SSL) technology helps secure
E-business transactions, but its voracious consumption of CPU space may end
up impeding those same transactions.
In a study released this summer, research and consulting firm Networkshop,
Ottawa, found that various combinations of servers, processors, operating
systems and online content used in conjunction with SSL can hamper the
performance of Web servers.
Networkshop paired Linux, Windows NT and Sun Microsystems Inc. Solaris
with Web servers including Apache, Stronghold and Microsoft Corp.'s Internet
Information Server.
Windows NT plus Intel Corp. processors tended to better handle the task of
processing SSL's complex algorithms, he said.
Slow performance could lead to frustrated or lost customers, so VARs
implementing E-business solutions might want to examine several types of
products that offload encryption processing from the server itself to another
device.
These products include PC cards or server cards, such as Rainbow
Technologies Inc.'s CryptoSwift; encryption-offloading units that sit on the
network, such as those from nCipher Corp.; and so-called Internet Commerce
Appliances, such as IPivot Inc.'s Commerce Director 8000. Such devices,
including IPivot's Commerce Accelerator 1000, an entry-level version of
Commerce Director, free up Web servers to perform tasks other than crunching
numbers.
CryptoSwift offloads 200 SSL transactions per second, said Bob Bova, director
of business development at Rainbow Technologies, Irvine, Calif. Rainbow is
seeking resellers that add "significant value to security technology" to add to its
stable of partners. Already 15 VARs and integrators are on board, he said.
Copyright ® 1999 CMP Media Inc.
07.0
Bug in Bill Gate's Anus?
~~~~~~~~~~~~~~~~~~~~~~~~
Aug 27th
SmoG sent this in...
http://support.microsoft.com/isapi/support/pass.idc?Product=Bill%20Gates%20Anus
In case it has been replaced by the time you read this the following headlined
a bug report form on Microsoft's tech support page
"Do you think you've found a bug in Microsoft Bill Gates Anus?"
With the submission form following the header...
@HWA
08.0 CESA Causing Outrage In Libertarians
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by AlienPlague
The 'Cyberspace Electronic Security Act', which HNN
has previously reported on, is drawing much criticism
and causing outrage amongst civil libertarians and
high-tech industry trade groups. They say that the act
not only violates Civil Rights, but "would make police
break-ins far more common than they are now." While
law enforcement agencies claim that encryption is
detrimental to their job of tracking criminals and crime,
most seem to feel that it is just another way the
current administration will attempt to impose 'big
brother' monitoring powers over American citizens.
MSNBC
http://www.msnbc.com/news/302945.asp
Furor rising over PC wiretap plan
Civil libertarians, trade groups outraged by DOJ proposal that
would booby-trap PCs. But will Congress go ballistic?
By Maria Seminerio
ZDNN
Aug. 20 A U.S. Department of Justice proposal
to make it easier for police to break into homes
and access computers is drawing a furious
reaction from civil libertarians and high-tech
industry trade groups.
THE DRAFT LEGISLATION, for which the DOJ
hopes to find a sponsor in Congress, is dubbed the
Cyberspace Electronic Security Act. The law would make it
easier for law enforcement officials to obtain from judges a
now-rarely-used authorization to break into a suspects
home and plant a hidden listening device.
But in this case, the computer equivalent of the
listening device is the authorization for investigators to
disable data-scrambling encryption programs on PCs. (In
order to actually copy data from the computer, police
would still need a separate warrant from a judge.)
DOJ wants clearance to bug PCs
(The proposal) strikes at the heart of the Bill of
Rights, said David Sobel, general counsel for the Electronic
Privacy Information Center.
Noting that judges in all federal and state courts
combined only issued 50 warrants for so-called
surreptitious physical entries last year, Sobel said
extending such authorization to cases involving computer
files would make police break-ins far more common than
they are now.
BOOBY-TRAP YOUR COMPUTER
The proposal would basically allow investigators to
booby-trap your computer ahead of time by disabling
encryption, he said.
The proposal was most likely spurred by the frustration
investigators have experienced when finding encrypted data
on computers used by suspected drug dealers and other
criminals, he added.
DOJ officials did not respond to requests for interviews
Friday. But in a letter to House Speaker Dennis Hastert,
Acting Assistant Attorney General Jon Jennings said the
new law would aid investigators when information needs to
be deciphered in a timely manner.
While under existing law, law enforcement is provided
with different means to collect evidence of illegal activity,
these means are rendered wholly insufficient when
encryption is used, wrote Jennings in the letter.
In the context of law enforcement operations, stopping
a terrorist attack or seeking to recover a kidnapped child,
time is of the essence and may mean the difference between
success and catastrophic failure.
While existing means of obtaining evidence would
remain applicable in a fully-encrypted world, the failure to
provide law enforcement with the necessary ability to obtain
the plain-text version of the evidence makes existing
authorities useless, he wrote.
EPIC: CONGRESS WILL GO BALLISTIC
Noting that the proposal would need to find a sponsor
in Congress and then be passed into law before it could
take effect, EPICs Sobel said it could encounter resistance
by lawmakers.
I think people in Congress are going to go ballistic
over this, particularly since its coming right on the heels of
the FIDNET controversy, he said. FIDNET the
controversial proposal to monitor government and some
private networks for hacking activity came to light earlier
this summer and remains in limbo.
Barry Steinhardt, president of the American Civil
Liberties Union, said that the Federal Bureau of
Investigation has often misused its powers in the past, and
could do so again under the DOJ proposal.
Theres every reason to believe theyre not just going
to look at the Mob using the powers sought under the
proposal, Steinhardt said. Theyll use this power to
interfere with protected speech.
Also condemning the plan were the Computer and
Communications Industry Association, the Center for
Democracy and Technology, and Americans for Computer
Privacy.
CLINTON ADMIN: BIG BROTHER?
The plan is an unprecedented attempt by the Clinton
administration to impose big brother monitoring powers
over American citizens, ACP officials said in a statement.
The fact is that current laws provide law enforcement
broad powers to obtain information.
This is another attempt by law enforcement to do an
end-run (around encryption), said Ed Black, president of
the CCIA. It offers a real temptation for investigators to
overreach and overextend the current limits on searches
and seizures, he said.
Anybodys vulnerable, Black added. (This)
resembles something the KGB would propose.
@HWA
09.0 ReDaTtAcK Arrested, Questioned, Charged, Released
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by Wizzy24
After electronically breaking into the General Bank of
Belgium, ReDaTtAcK has been apprehended. He was
traced via his cell phone and then arrested and later
released. He has not been charged with computer
intrusion as Belgium has no such law. Instead he will be
charged with electronic eavesdropping charges after
breaking into SkyNet a Belgian ISP run by the state
owned telephone company Belgacom. ReDaTtAcK has
stated that he will continue to do what he does.
The Standard - Dutch
http://www.standaard.be
@HWA
10.0 Some GPS Systems Fail With Date Rollover
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by Code Kid
While the GPS satellites themselves and most GPS
receivers continued to function normally some units
failed when the GPS date rolled over this past weekend.
Many Japanese users of in car navigation systems
experienced complete systems failure when the date
rolled over. Four Japanese manufacturers of GPS
systems have completed updating a little over half of
the GPS systems sold in the country since 1996.
Yahoo News
http://dailynews.yahoo.com/h/nm/19990822/tc/gps_japan_1.html
Sunday August 22 1:10 AM ET
Irate Japanese Car Drivers Hit By GPS Bug
TOKYO (Reuters) - A steady stream of irate customers called Japanese car navigation makers Sunday after their
automotive directional devices failed due to a computer flaw.
The screens on some car navigation systems went blank while others froze up as a computer bug struck Global Positioning System (GPS)
devices, electronics company Pioneer Electronic Corp said. Pioneer, one of several car navigation system makers battling the bug, had
received several hundred phone calls since the problem started at 9 a.m., a spokeswoman said.
About 450 Pioneer workers manned telephone lines and staffed service centers over the weekend to help customers with the GPS problem, she said.
Some 95,000 car navigation units sold in Japan may be unable to cope with an internal date change in the system, the Ministry of International Trade and Industry
said.
Four Japanese manufacturers of GPS systems have completed updating only about 170,000 of the estimated 260,000 units sold in Japan since 1996 and believed to
be still in operation.
Japanese drivers are heavily reliant on the navigational devices because most streets in urban centers such as Tokyo are unnamed and follow curving paths laid out
among a tangle of property lines.
Japan's Maritime Safety Agency has received reports that ships with older GPS systems are in or near territorial waters but has not received any distress calls as of
Sunday noon, a spokesman said.
At midnight GMT, the 24 satellites of the Global Positioning System, which provide navigational data from 17,700 kilometers (11,000 miles) out in space, switched
their timing system back to zero.
The rollover is because the system, which uses radio signals from satellites to provide navigation data, was designed to ignore calendar dates but keep precise time
measured in seconds and weeks.
Only 1,024 weeks were allotted from January 6, 1980, before the system is reset to zero.
@HWA
11.0 Security Search Engine MindSec Goes Online
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by Erik
www.mindsec.com goes live today, providing a search
engine to search 90 different sites that are security and
administration related. MindSec will also have product
reviews on admin and security applications and
hardware.
MindSec
http://www.mindsec.com
@HWA
12.0 CIA Ex-Director Security Clearance Revoked
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by Erik
John Deutch, former director of the CIA, has had his
security clearance revoked after it was found that he
kept classified material on his home PC.
Yahoo News
http://dailynews.yahoo.com/h/nm/19990822/tc/cia_3.html
Sunday August 22 12:02 AM ET
CIA Suspends Ex-Director Deutch Security Clearance
WASHINGTON (Reuters) - The CIA has suspended security clearance for its former director, John Deutch, who was found to have kept
classified material on a computer at his home.
A CIA statement Friday said clearance for Deutch, the Central Intelligence Agency director for 20 months up to December 1996, had been
suspended ``for an indefinite period of time.''
The decision followed a review of the case by the current director, George Tenet, and a decision by the Justice Department in April not to prosecute Deutch.
The statement said that although a report by the CIA's Inspector General ``found no evidence that national security information was lost, the potential for damage to
U.S. security existed.''
Newsweek reported in April that 31 classified documents were discovered on a computer at his home in a routine check after Deutch, a pillar of the Washington
establishment for decades, left the agency.
Deutch issued a statement through the CIA Friday saying: ''...I erred in using CIA-issued computers that were not configured for classified work to compose
classified documents and memoranda.''
He said: ``Although I accept responsibility for my mistake, I want to make clear that I never considered the information to be at risk or intended to violate security
precautions. But good intentions simply are not enough. Strict compliance is the standard.''
Earlier this year Deutch was appointed to head a commission reviewing security at science laboratories after reports of Chinese spying at nuclear facilities but he
withdrew as reports of his own misuse of classified materials emerged.
@HWA
13.0 GAO Releases Report on Risk Assement
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by Evil Wench
In an attempt to give federal agencies some sort of
guideline on how to secure their systems the
Government Accounting Office has released the
Information Security Risk Assessment: Practices of
Leading Organizations report. The report details security
programs used by four unnamed organizations, which
included oil, financial and computer companies and one
federal regulatory agency. The report goes on to
identify seven critical factors of a successful ongoing
security risk-assessment program.
Federal Computer Week
http://www.fcw.com:80/pubs/fcw/1999/0823/fcw-newsgao-08-23-99.html
General Accounting Office
http://www.gao.gov
FCW;
AUGUST 23, 1999
GAO report tries to sort out risk-assessment
confusion
BY DIANE FRANK (diane_frank@fcw.com)
Facing growing security threats to increasingly complex government
computer systems, the General Accounting Office last week released a report
to help federal agencies determine how vulnerable their systems are and how
to make them more secure.
Although GAO's report, "Information Security Risk Assessment: Practices of
Leading Organizations," does not present specific suggestions for agencies to
determine how to secure systems from cyberattacks, it identifies seven critical
factors of a successful ongoing security risk-assessment program, including
defining and documenting procedures and results.
The report details programs put in place by four unnamed organizations, which
included oil, financial and computer companies and one federal regulatory
agency. GAO did not name the organizations because it feared that hackers
might target them. The report also includes diagrams detailing the
risk-assessment process for each organization and a description of how they
made their decisions.
For example, the regulatory agency conducts risk assessments "to determine
the applicable security controls," the GAO reported. "This is done by
determining which of a pre-defined set of controls is appropriate for individual
business operations and comparing what is appropriate to controls already in
place to identify and address gaps."
The best practices outlined in the report will be helpful, especially at smaller
civilian agencies that do not have the resources that department-level agencies
have, said John Gilligan, chief information officer at the Energy Department
and co-chairman of security on the CIO Council's Critical Infrastructure,
Privacy and Security Committee.
"I think it will be useful for people who are charged with risk management to
have examples of what others are doing," he said.
This is especially true because security and risk assessment are not
one-size-fits-all concepts, said Mike Lortz, vulnerability assessment product
manager at Internet Security Systems Inc. "The process needs to be different
from agency to agency...but the agencies need to be able to use something as
a guideline," he said.
GAO intends the report to be a supplement to last year's executive guide on
information security management. Risk assessment is only one of the five areas
outlined in last year's guide, but GAO decided to focus its latest guide on that
area because it is what most people in government seem to be worried about,
GAO said.
"When we did the original guide, during the exposure draft period we got
some comments that [said] we should dig deeper into some of these areas,
and more comments mentioned risk assessment than any others," said Jean
Boltz, assistant director of governmentwide and defense information systems
within GAO's Accounting and Information Management Division.
Agencies have been confused about how to conduct risk assessment and
apply that to the security needs they have, Boltz said, especially after the
Office of Management and Budget revised its computer security regulations in
1996 and eliminated the requirement to perform risk assessments. Agencies
have been confused about what to do because, although OMB no longer
requires risk assessments, it still requires agencies to measure their systems'
vulnerability to cyberattacks and unauthorized access and then base their
security architecture on that knowledge, Boltz said.
Agencies' confusion about risk assessment has heightened because of the
increasing use of the Internet and because computer systems are becoming
more interdependent, Gilligan said. "Risk assessment is a big deal because it
has not been institutionalized," Gilligan said. "In the past, there had been great
emphasis on doing risk assessment, but [it] tended over time to not be used or
not be done well."
@HWA
14.0 CESA Drives People to Freedom
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by Jordan
The Cyberspace Electronic Security Act, a recent
proposal, which if it became law, would allow law
enforcement agents to break into your personal PC, is
forcing people to seek out ways to protect themselves.
One of the methods people have been looking at is
Freedom from Zero Knowledge Systems. While the
software is still in Beta it promises complete anonymity
on the internet. Freedom Beta 3 is nearing completion
and is slated for release during the first week in
September. The new beta will have increased
functionality, stability and ease of use.
Freedom
http://www.zks.net/clickthrough/click.asp?partner_id=542
Zero Knowledge CESA Info Page
http://www.zeroknowledge.com/cesa/
CNN
http://www.cnn.com/TECH/computing/9908/18/freedom/
Total digital privacy may be
on the horizon
August 18, 1999
Web posted at: 5:32 p.m. EDT (2132 GMT)
In this story:
How it works
Freedom gets high marks
U.S. encryption policy has its pros and
cons
RELATED STORIES, SITES
By Robin Lloyd
CNN Interactive Senior Writer
(CNN) -- If American software
developers were to touch any of the
code in the 10,000 released beta
versions of an Internet privacy
solution that is getting good
preliminary marks, they would be
subject to prosecution.
In fact, if Zero-Knowledge Systems
were based in the United States, it
would be illegal for the company to
export its Internet privacy software,
dubbed 'Freedom.'
Instead, the Montreal-based start-up,
headed up by 26-year-old Austin Hill, is set to release the first product of its
kind -- a comprehensive Internet privacy package that offers multiple online
pseudonyms and Byzantine encrypted rerouting that even Zero-Knowledge
couldn't crack if it wanted to.
No more cookies, e-mail trails and digital identity stealing. At least, that's the
idea. More than a dozen "cookie killers" already exist, along with several
e-mail and browser anonymity services such as anonymizer.com.
Those all rely on what Hill calls a "trust-me" mechanism. A third party server
holds users' identity and data. Freedom makes it so the end-user has sole
possession of that data.
"If there was a gun to my head, I still could not reveal or break the privacy
of my users," Hill says.
The user has the only "key" to their pseudonyms, which can be linked to
independent e-mail addresses, geographic locations and encryption keys.
Freedom is designed to protect the e-mail, chats, browsing and newsgroup
searches of anyone from a Chinese dissident posting pro-democracy
messages to an employee checking out listings for Alcoholics Anonymous.
The software can encrypt private chats and newsgroup discussions, ensures
anonymous Web browsing and can even block spam, Hill says. Each digital
identity relies on full strength encryption that ranges from 128 to 4,096 bits.
Freedom 1.0, which works only on Windows platforms, is set for release in
late October or early November. It will be downloadable for $49.95.
Macintosh and Linux versions are due out next year. Freedom doesn't work
with America Online, however, since AOL is an online service separate from
the Internet.
Zero-Knowledge released 1,000 beta copies of Freedom at the DefCon 7
convention in Las Vegas last month. Since then, it has released thousands
more via its Web site. A total of 50,000 people have requested copies since
then.
How it works
Web users leave traces of their identity behind every time they visit a Web
site or send e-mail. To get a sense of the process, visit the Center for
Democracy and Technology's site and use its demo.
Freedom allows users to set up separate pseudonyms for different aspects
of their lives -- an identity for an online chat about health care, another for
interactions with friends and family, others for Internet browsing and finally a
'true' identity for e-commerce.
Zero-Knowledge is working on an e-commerce identity protection solution
for future versions.
Freedom scrambles data coming from a user's PC and hides the source and
destination of Internet traffic routed through the service.
The message or data packet is first sent to Zero-Knowledge's servers where
it is wrapped in a layer of encryption.
That initiates a delivery process where the data bounces from one
independently owned relay station to the next and can only be opened by
one specific user who then forwards it to another specific user, with that
process repeating several times.
Eventually a data packet goes to its intended target but neither snoopers, nor
the final recipient, have any way of tracing its origins.
Third-party protections, the approach relied upon by Freedom's
predecessors, can be hacked or bought away when the company makes a
new acquisition, as was the case when Double Click acquired Abacus, Hill
said. Or, civil lawsuits can force ISPs to turn over their records.
Freedom gets high marks
David Sobel, general counsel for the Electronic Privacy Information Center,
and Ari Schwartz, a policy analyst with the Center for Democracy and
Technology, agree that Freedom is a good solution.
"I suspect that it is one of the best solutions that we've seen," Sobel said.
Freedom's strength comes from Hill's philosophical commitment to
preserving privacy and anonymity on the Internet, Sobel said.
Schwartz underlined the Center's stance on Internet privacy -- software
solutions combined with self-regulation among service providers and
legislation will be needed to protect privacy online.
The U.S. Congress has introduced several bills this session relating to online
privacy but advocates say they may not go far enough.
A CDT report concludes that online privacy is the exception, not the rule, in
the private sector.
U.S. encryption policy has its pros and cons
The U.S. policy that prohibits encryption exports and labor is based on
protecting security codes produced and cracked by the FBI and other
national security agencies.
The downside is that we may lose out on what has turned into a $1.5 billion
cryptography business for Canada, where limits are less strict, Hill says.
The U.S. approach could backfire and result in a brain drain of encryption
experts, EPIC's Sobel said.
"The end result will be that American companies will lose leadership in this
field," he said, "and it is not going to result in encryption being out of the
hands of anyone our government might be concerned about."
@HWA
15.0 Who's doing the Scanning?
~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by Code Kid
Netsentry.net and all IPs in the 38.x.x.x range appear to
be systematically scanned. Owners of machines in that
range, which is controlled by PSINet want action to be
taken, but what action? So far scanning is not illegal, so
what can be done? And who is doing the scans and
why?
MSNBC
http://www.msnbc.com/news/302835.asp
Scanning for trouble
Relentless computer probes cause concern, but no damage
yet
By Bob Sullivan
MSNBC
Aug. 23 Dragos Ruiu was just minding his own
business, a Vancouver software start-up, when it
started. Day after day, relentlessly, someone or
some group out there on the Internet is banging
away at his servers, sneaking in and gaining full
access. A security expert, he knows whats
happening: Hes being probed. Is this mere sport,
or a casing, like a bank robber who visits the
bank several times to study its security systems
before the heist?
EVERY DAY they come, they lurk then they leave
without doing damage. And Ruiu is powerless to stop it. Every
method he has tried, they have trumped. Theyre toying with
him. They must feel like gods, he says.
They come at him through clients computers, through
Canadian ISPs, once even through one of the largest Canadian
banks. They hack into Linux boxes, NT boxes, Unix boxes.
Hack by day or night. No matter.
And all for no apparent reason. They look, but dont
touch.
Ah, the life of a network administrator these days. There
are thousands of ways to break into a computer, and there are
now several downloadable software packages designed to
scan the Internet for Web sites and servers that have just one
flaw.
According to Peter Tippett at computer security research
firm ICSA, a new box connected to the Net will almost
certainly be scanned before one week goes by. And the
amount of scanning activity has doubled in the past six months.
Thats about when the scanning started for Brandon
Pepelea, a former employee at PSINet who says his collection
of Web sites has been scanned systematically several times a
week since January. In another example of a victimless probe,
Pepelea thinks someone or something has been banging
through all the Internet addresses between 38.240.x.x and
38.200.x.x, a so-called Class-B range of addresses that
constitute about 16,000 possible computers.
In his case, the scans were unsuccessful. Whoever or
whatever it is, they havent been able to break into Pepeleas
computers. Still, the relentless, systematic nature of the probe
has him spooked. Hes been demanding that PSINet, which
owns all the addresses in the 38.x.x.x range, chase down the
scanner and prosecute.
I dont think they understand how serious it is, Pepelea
said. The threat not so much being the nature of the scan but
the scope of the scan
If youre between 38.240 and 38.200
youve had the scans. Theyve walked through and gotten to
you.
NOSE FOR TROUBLE
The attack itself involves use of the Simple Network
Management Protocol, frequently used on network routers.
Pepelea owns machines between the 38.240 and 38.200
address range, and concluded scans spanned that range by
studying patterns of hits to his own and his clients machines.
Dancing
tantalizingly over
the edge of the
law, they show an
ability to do far
more damage.
This is not the first time Pepelea, now CEO of a small
security company he calls Designers Dream, has done a
hefty amount of personal cybersleuthing. Last December, he
compiled information on a virus writer named VicodinES, and
shared it with the FBI, the CIA and other law enforcement
agencies. His tips fell on deaf ears, and VicodinES, who the
world now knows as Dave Smith, went on to release the
Melissa virus. Pepeleas hell bent on being heard this time
around. Once again, nobody cares, he laments.
PSINet said early last week the scans were being
generated by an account serviced by the company, and that it
had dealt with the matter by canceling the account. But by
Friday, the company had canceled three more accounts in an
effort to stop the probes. While officials there say they take the
matter seriously, they are not convinced its an organized
hacker attack.
Its not possible to characterize whether this is a mistake,
a malicious event, was planned, or it just happened, said Cole
Libby, Director of Network Engineering. For example, it could
a wrongly configured piece of hardware searching a section of
the Internet for a new printer. There are lots of examples of
technology out of control in the world.
NO HARM, NO FOUL?
Scanning, the cyberspace equivalent of walking down
Main Street and jiggling handles to see who leaves the front
door unlocked, brings up murky legal issues. Entering
someone elses computer is illegal, but scanning, which
amounts to asking a computer how its been set up, probably
isnt. Pepelea says PSINet told him to pursue legal action
against his cyberpest but for what? Meanwhile, Pepelea
thinks PSINet should be liable if any real trouble ever comes
from his suspected hacker, particularly since the Net provider
was warned.
Thats not likely, says Internet law expert Dorsey
Morrow. PSINet would almost certainly face no criminal
liability for the actions of a hacker on their network, and
wouldnt likely face civil liability either.
As long as they can show We were doing everything we
can. Weve got security policies in place. Were using the
latest software. That mounts up to a pretty good defense,
Morrow said.
So theres no consequences for scanning, either to the
hacker or the company that provides the means. But what of
Ruius hackers, who go just one step further than Pepeleas
scanners? They scan, then enter, lurk around, and leave.
Dancing tantalizingly over the edge of the law, they show an
ability to do far more damage.
Their methods are painstakingly deliberate, designed to
avoid detection. They launch attacks from multiple sites,
sometimes sending no more than a packet per day from any
site, in order to hide the kind of suspicious activity protective
sniffer programs look for.
We saw one new machine coming at us every five
minutes, Ruiu said. They must have felt like gods because
they could break into any machine they wanted.
That includes a collection of Canadian ISPs, and even one
major Canadian bank, the hackers broke into. When he
called, Ruiu often had a tough time convincing victimized ISP
administrators theyd been hacked.
The reaction of ISPs was disbelief, he said. One didnt
believe us until a marketing guy had his laptop taken out and it
started sending weird packets.
Ruiu is convinced the hacks are coming from a
coordinated team, because of their speed and variety. But
while the cat-and-mouse game continues, he can only
speculate on motive. His company, a 15-person startup called
Netsentry.net, is hardly a big target. So Ruiu thinks his outside
efforts in the security community are likely to blame. He
recently worked on project called Trinux, which aimed to
create a security-enhanced version of Linux that fits on one
floppy disk. Among his partners was Ken Williams, who until
recently ran Packet Storm Security, perhaps the most popular
reference site in the hacker community.
I suspect these guys are targeting security software, he
said, but added they have not revealed their intentions. This is
really bugging me. The lack of a motive really disturbs me
it
gave me the creeps.
The attacks have also been humbling for Ruiu, who has
spent a lot of time chasing the hackers when he could be
working to get his business off the ground.
There are a lot of assumptions were all making about
Internet security that we shouldnt, he said. Theres a lot of
things we dont know.
For example, these hackers made a habit of hijacking
machines Ruius computers normally talked to, then initiated
attacks from these supposedly friendly computers. That
made them almost impossible to detect.
If they get a machine thats close to your machine, thats
almost as bad as taking over your Web server. Its a great
place to launch an attack on your firewall, he said.
Nothing about Ruiu or Pepeleas stories surprised
ICSAs Tippett, who expects security problems to get worse
before they get better.
Its the wild, wild West out there, he said. The tools
are pervasive and so common. The chance of getting caught is
pretty slim
Our neighbors are now very close and enough of
them dont have a great social conscience.
A more extensive report on the one of these attacks,
written by Ruiu, can be found at www.securityfocus.com.
If you have more information about this story, e-mail
tipoff@msnbc.com.
@HWA
16.0 Japanese Police Go After Copyright Infringers
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by Hosimi
The Akita Prefectural Police are investigating the
activities of a civil servant who allegedly posted
accounting software and MP3s to the internet in
violation of copyright law. The suspect had all of his
computer equipment confiscated last month.
Asia Biz Tech
http://www.nikkeibp.asiabiztech.com/wcs/leaf?CID=onair/asabt/moren/79863
Akita Prefecture Police Pursue Internet Crime
August 24, 1999 (TOKYO) -- The Akita Prefectural Police on Aug. 19 sent papers alleging unauthorized
Internet program delivery to the Akita District Prosecutor's Office, for prosecution.
The case is being pursued by the Kisakata Police Station.
In the case, a male civil servant residing in Akita Prefecture is believed to have been engaged in
unauthorized free delivery of personal computer programs and digital music data over the Internet.
The man is suspected of infringing on the right of public transmission under the Copyright Law.
According to the prefectural police, the man had registered accounting software of Obic Business
Consultants Ltd. and MP3-based musical data on his home PC. He is suspected of having posted these
programs on the Internet so that PC users can download them free of charge.<BR><BR>In June, the
Kisakata Police Station investigated the man's house and confiscated his PCs and peripheral equipment.
The police decided to send papers pertaining to the case to the district public prosecutor's office
because the free delivery of PC software was deemed to be illegal, it said.
The Japan Society of Rights of Authors and Composers has already accused the man of unauthorized delivery
of musical data.
The Akita Prefectural Police's task force specializing in high-tech crimes played a significant role in
this investigation. To combat the increasing number of high-tech crimes, the National Police Agency is
calling on prefectural police stations to organize task forces specializing in high-tech crimes, starting
in the current fiscal year. The task force set up by the Akita police has reportedly contributed
substantially to analysis of communications records and other matters related to the case.
(BizTech News Dept.)
@HWA
17.0 Anti-Gay Web domain Returned to Original Owner
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
contributed by Code Kid
Last week the web domain registration of
www.godhatesfags.com was altered to point to the
same people who own the www.godlovesfags.com. The
change was accomplished by someone using an
anonymous remailer with the internic registration
database. The admins of www.godlovesfags.com has
returned the domain to the original owner.
CNN
http://cnn.com/TECH/computing/9908/23/hack.folo/index.html
Anti-gay site goes back to
rightful owners
August 23, 1999
Web posted at: 4:52 PM EDT (2052 GMT)
By D. Ian Hopper
CNN Interactive Technology Editor
As slowly as it came, the road to love
veered back to hate on an anti-gay
Web site run by Pastor Fred Phelps
of the Westboro Baptist Church in
Topeka, Kansas.
Last Wednesday, domain name
registrar Network Solutions Internic
directory was fooled to associate the
godhatesfags.com domain name with
the server containing
godlovesfags.com, a pro-gay site.
Kris Haight, a systems administrator
at Sugar-River.Net, a New Hampshire Internet service provider, still
maintains that he did not make the change himself, and was the beneficiary of
a still-anonymous hacker. His site received about 70,000 page views after
the switch, which had only received a total of 7,500 page views prior to
Wednesday.
Haight finally relinquished the name on Friday, after pressure from his
employer and his employers service provider, a larger Internet provider
which sells connectivity to the smaller ISP. According to Haight, a lawyer
from the Phelps organization contacted the larger provider, Destek
Networking Group of Nashua, New Hampshire, and threatened action.
Destek then contacted Haight.
Haight then attempted to contact Phelps, leaving a message telling Phelps to
check his e-mail for a notice from Internic that the domain name was pointed
back to the original host server.
Phelps' organization refused to confirm the call to Destek, and continued to
downplay the incident. It hasnt hurt us one iota, said Shirley
Phelps-Roper, Fred Phelps daughter and a lawyer for the organization. It
demonstrated to the world that fags are what we said they are. These
experiences confirm what the scripture says about them. They are lawless;
nothing is sacred with them.
T. Parsinnen, owner of Sugar-River.Net and Haights employer, said he
knew nothing of the change until after it happened. We received an e-mail
giving a server change to godhatesfags, Parsinnen explained, But I didnt
notice anything in particular. I thought, Oh, thats Kriss domain, I dont
have to do anything about it. It was so close that it didnt register to me
what it actually was.
The next day, Kris told him what he did. I said, Youre going to have to
give that back, and he said he would.
Parssinen said he doesnt anticipate any legal action and will continue to host
the godlovesfags Web site. Haight is leaving the company for another job
opportunity. According to Parssinen, its just in time. To demonstrate to
everybody that we had nothing to do with what took place, we would have
been forced to terminate his employment.
A mystery remains, though. Who made the switch?
Parssinen said he doesnt think Haight knew how to do it himself, and Haight
refuses to give any more information about the e-mail that told him to watch
for the switch, other than it was from an anonymous remailer. Theres plenty
of speculation, however, ranging from a Phelps ploy to sabotage himself in
order to get more media attention, to a result of the recent Chaos
Communication Camp in Germany, to a challenge made to hackers to
reassign a set of domain names.
Nevertheless, Network Solutions spokesperson Nancy Huddleston said that
there are three levels of domain name security, and relatively few choose the
highest level, password encryption. With that level, this sort of domain
redirection wouldnt have been nearly as easy to do. We just sent another
alert to our users telling them about the three levels of security, Huddleston
said.
Even with more security, it seems almost inevitable that high-profile and
controversial sites will continue to be a prime target for attention-hungry
hackers. Phelps-Roper has resigned herself to that fact, reporting that the
godhatesfags site has been a target many times before, usually with
denial-of-service attacks.
You know theres 365 days in a year, Phelps-Roper said, If were down
3, were still up the rest. We dont really care.
(Gotta love their attitude, this kills me... bahahaha - Ed)
@HWA
18.0 EXPLOIT-DEV Mailing List Started
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by Ryan
In an effort to promote discussion on potential or
undeveloped holes a new mailing list has been created
by the folks at Security Focus. The list will be dedicated
to interactively developing exploits.
Security Focus
http://www.securityfocus.com/forums/exploit-dev/faq.html
We are pleased to host a new security mailing list that may be of
interest BUGTRAQ subscribers.
What is EXPLOIT-DEV?
There are many forums for reporting security bugs and distributing exploit
code or examples. A prime example of such a forum is the BUGTRAQ
mailing-list. However, nearly all of these forums exist mostly for the
dissemination of fully-researched reports, and they leave little room
for discussion. In addition, many bugs are spotted not written-up,
due to lack of interest, time, or expertise.
The EXPLOIT-DEV list exists to allow people to report potential or
undeveloped holes. The idea is to help people who lack expertise, time,
or information about how to exploit a hole do so.
The EXPLOIT-DEV list is dedicated to the concept of full disclosure. We
believe that release of exploit code serves the security community overall.
Since the list is dedicated to interactively developing exploits, there will
there will generally NOT be an opportunity to warn software vendors or
authors. In many cases it will not be clear that there is a problem until
the exploit or description is finalized, at which point all list subscribers
will know. It is very appropriate to notify vendors or authors as soon as
it is clear there is a problem.
For more information read http://www.securityfocus.com/forums/exploit-dev/faq.html
To subscribe email LISTSERV@SECURITYFOCUS.COM with a message body of:
SUBS EXPLOIT-DEV Firstname Lastname
--
Elias Levy
Security Focus
http://www.securityfocus.com/
@HWA
19.0 NetBus - Product Under Siege
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by Judd
UltraAccess.net, the company that makes NetBus Pro, is
lashing out against Anti-Virus vendors for restricting
sales of its product by labeling the software as a virus.
Net Bus Pro 2.1 is a remote administration tool similar to
Back Orifice that allows an administrator to control a
remote system. UltraAccess.net is claiming that AV
vendors like Symantec think that NetBus is competition
for their remote administration software and that is why
it is being flagged by the AV software. UltraAccess says
that unless some sort of agreement can be reached
they may purse legal action against AV companies for
defamation and restraint of trade.
UltraAccess.net
http://www.ultraaccess.net
@HWA
20.0 Worst Security Hole Ever?
~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by Weld Pond
This new hole in Internet Explorer 5 allows an
infocriminal to place a program on a victim's hard disk
that will be executed at the next reboot. The bug can
be exploited from a user opening a web page or reading
an email. The problem is located with an Active X
control called "Object for constructing type libraries for
scriptlets". Microsoft is working on a fix, in the meantime
users are urged to turn off Active X within their
browsers. (Sure glad I use Netscape.)
George Guninski's Home Page - Demo and Source Code Available
http://www.nat.bg/~joro/
Internet News
http://www.internetnews.com/prod-news/print/0,1089,9_188461,00.html
New IE5 Security Bug the Worst Ever?
August 24, 1999
Brian McWilliams, InternetNews.com Correspondent
Product News Archives
Bulgarian browser bugmeister Georgi Guninski is at it again. The 27-year-old
independent computer consultant has discovered a new security flaw affecting
Internet Explorer 5, which enables a malicious hacker to place a program on the
victim's hard disk, to be executed at the next reboot.
Guninski is credited by Microsoft with discovering and publicizing a number of
significant security flaws in its Internet Explorer browser in the past year. While he's
also spotted several security bugs in Netscape's Navigator, Guninski is especially
fond of poking holes in Active X, the scripting technology used in IE.
"I think this is the most significant of my discoveries and the most dangerous also,"
Guninski told InternetNews Radio. "It allows a Web page or e-mail message to
take control of the computer and do anything."
According to Guninski, the attack can be launched by causing IE5 users to click on
a hyperlink on a web page, but it also can be transmitted by e-mail to users of
Microsoft's Outlook 98. The exploit places an executable program in an HTML
Application file in a Window 95 or 98 computer's start-up folder. When the victim
reboots his or her computer, the program will execute.
Guninski said the problem lies in an Active X control called "Object for
constructing type libraries for scriptlets". He has posted a demo and source code of
the exploit at his Web site.
Microsoft officials were not immediately available for comment. Guninski asserts
that the company has reproduced the bug and plans to issue a patch. In the
meantime, concerned IE5 users can protect themselves by going into security tab of
the browser's Internet Options menu, and disabling ActiveX controls or plug-ins.
@HWA
21.0 IRC Banned in Malaysia
~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by AlienPlague
Undernet, EFnet and DALNet, Internet Relay Chat
Networks, had banned users from Malaysia for seven
days last week. Both of Malaysia's Internet service
providers Jaring and TMNet ISPs had been banned from
using the networks effectively cutting off the entire
country. The ban was due to users in the country
abusing the networks services. After discussions with
both ISPs the ban was lifted last Friday.
South China Morning Post
http://www.technologypost.com/internet/Daily/19990824110643506.asp?Section=Mai
INTERNET
Malaysians banned
from global IRC
network
NEWSBYTES
Undernet, a worldwide Internet Relay Chat (IRC)
network that allows people to connect to its
privately-run computer servers free of charge to
communicate in real time over the Internet, has banned
Internet users from both of Malaysia's only two Internet
service providers (ISPs) for abusing its services.
Although Undernet is one of many IRC networks, it is
one of the largest and joins two of the other largest -
DALNet and EFnet - in instituting temporary or
permanent bans on Internet users logging on from the
Jaring or TMNet ISPs in Malaysia.
Bans typically run for several hours to days or weeks
depending on the network and the level of abuse and
the response of ISPs to complaints from IRC network
administrators.
Within the IRC community, abusive behaviour ranges
from repeated offensive behaviour toward other users,
automatically flooding chat rooms with multiple
messages, running robot programs and launching denial
of service attacks against other users or the servers
themselves (basically, trying to hack the system and
bring it down).
Because Internet users often connect from dial-up
connections it is impossible for IRC networks to identify
and ban an individual user as they can just log out and
return with a different IP address.
This is where IRC administrators ask ISPs for
assistance with serious offenders who do not respond to
IRC operators requests to cease online.
Since the ISP can connect an IP address at any point in
time to a particular user, they are in a position to pass
on a warning or even account termination if hacking is
against the ISP's terms of service, which is the case for
most ISPs worldwide.
IRC networks do not usually take the next step and ban
a whole ISP's domain, and so all of its users guilty and
innocent, unless the ISP is unresponsive to abuse
reports.
Undernet found that Jaring and TMNet administrators
ignored abuse reports and so they were forced to ban
all users from both services for seven days last week.
"In the last few months alone, over 182,300 global bans
have been set against various address's in the *@*.my
domain," read an Undernet.org e-mail sent to Jaring and
TMNet.
"We simply cannot afford to absorb the costs of these
attacks any longer.
"We must either reach some form of working,
responsible relationship with the administrators of the
various *.my providers, or these bans will become
permanent.
"Basically, we are only asking that they support and
enforce their own policies they have in place already."
Undernet lowered the bans against Jaring on Friday
after some discussion between the two organisations.
The network presented the ISP with a list of requests
and suggestions for abuse management. TMNet, the
ISP arm of national telco Telekom Malaysia, had not
contacted Undernet on Friday and on Sunday a
permanent ban was placed on the TM.net.my IP space.
Undernet officials said that the bans were not about
Malaysian Internet users being particularly worse
behaved than any other country's. They said it was
about "irresponsible and unresponsive administration of
the Malaysian ISPs".
"We are not singling out Malaysia, but it is in general is
the most abusive domain currently accessing the
Undernet," said Undernet.
"Malaysian IP space and resources are being used to
launch denial of service attacks and the last attack
against one of our routing servers was the straw that
broke the camel's back."
Undernet estimated it costs its hosts US$2.2 million in
bandwidth alone to run the Undernet network each
year. At times more than 30,000 users are connected
simultaneously from all around the world.
@HWA
22.0 I want my, I want my, I want my HNN - more goodies from HNN
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by Space Rogue
Monday HNN announced that the new Java HNN News
Ticker is available on the Affiliate Resources page.
Today we are happy to announce several new ways
which you can receive your HNN. With our new XML
backend we now have channels on My Netscape and My
Userland. This is in addition to our box on Slashdot and
our previously announced PQA for the Wireless Palm
Pilot. We've got even more features in the works so
keep your eyes open.
I want my HNN
http://www.hackernews.com/misc/myhnn.html
@HWA
23.0 Melissa Creator Admits Guilt
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by Code Kid
David L. Smith, the man who has been charged with
creating and disseminating the Melissa virus, admitted
to investigators that he did it, according to court
papers. Lawyers for the defense dispute that an
admission of guilt was made. Smith has pleaded not
guilty to charges of interrupting public communication,
conspiracy, theft of computer service, and wrongful
access to computer systems. David Smith remains free
on $100,000 bail.
C|Net
http://www.news.com/News/Item/0,4,40912,00.html?st.ne.fd.mdh.ni
Nando Times
http://www.nandotimes.com/technology/story/body/0,1634,85786-135501-944958-0,00.html
CNN
http://www.cnn.com/US/9908/25/melissa.virus.ap/index.html
C|Net;
Court papers: Smith admits to creating Melissa virus
By Erich Luening
Staff Writer, CNET News.com
August 25, 1999, 8:25 a.m. PT
update The New Jersey man charged with creating the Melissa virus, which disrupted
computers around the world, admitted to investigators that he did it, according to court papers.
On April 1, David L. Smith was arrested by federal and state officials and charged with creating and
disseminating the Melissa virus that began spreading across the Internet March 26.
Smith, 30, a resident of Aberdeen Township, New Jersey, was arrested at the home of his brother in
Eatontown, New Jersey. Smith was tracked down with the help of America Online and by traced phone calls.
A spokesman for the New Jersey Attorney General's office told CNET's News.com that the prosecution "expects to see some
kind of resolution by September." He would not elaborate further.
A brief filed in state superior court by supervising deputy attorney general Christopher G. Bubb said Smith waived his Miranda
rights and spoke to investigators when police arrived at his apartment, according to a courthouse spokesperson.
Smith admitted to writing the "Melissa" macro virus, illegally accessing America Online for the purpose of posting the virus onto
the Internet, and destroying the personal computer he used to post the virus, Bubb stated.
The state attorney filed his brief in response to a motion made by Smiths attorney Edward F. Borden Jr. seeking certain
prosecution documents.
The FBI continues to provide assistance to New Jersey prosocuters in the case. Federal charges have not been levied against
Smith. "The decision to bring federal charges against Smith is at the descretion of the U.S. Attorney," said FBI spokesperson
Debbie Weierman.
In April, Smith pleaded not guilty to charges of interrupting public communication, conspiracy to commit the offense, and the
attempt to commit the offense. He also pleaded not guilty to charges of two lesser offenses: theft of computer service and
wrongful access to computer systems.
If convicted on the state charges, Smith faces a maximum of 40 years in prison and fines of $480,000.
AOL tipped the New Jersey attorney general's office to the virus's originator. AOL said it had tracked the source through a
listserver to Monmouth County, New Jersey.
Since his arrest, Smith has changed attorneys.
The Melissa virus was first introduced on an "alt.sex" newsgroup using the AOL account of Scott Steinmetz, whose username
was "skyroket." Steinmetz, a civil engineer in Lynnwood, Washington, told CNET News.com that he had nothing to do with writing
or introducing the virus.
The virus used a combination of Microsoft's Outlook and Word programs to spread, taking advantage of users' email address book
entries to gain the appearance of coming from a known person.
Smith remains free on $100,000 bail.
Nando Times;
Accused admitted creating 'Melissa' virus, prosecutor says
Copyright © 1999 Nando Media
Copyright © 1999 Associated Press
From Time to Time: Nando's in-depth look at the 20th century.
FREEHOLD, N.J. (August 25, 1999 10:57 a.m. EDT http://www.nandotimes.com) - The man charged with creating the Melissa computer virus that
clogged e-mail systems around the world last spring admitted he created the bug, a prosecutor alleges in court papers.
David L. Smith, a former computer programmer, was arrested in April.
A brief filed in state Superior Court by Supervising Deputy Attorney General Christopher G. Bubb says Smith waived his Miranda rights and spoke to
investigators when police arrived at his apartment.
"Smith admitted, among other things, to writing the 'Melissa' macro virus, illegally accessing America Online for the purpose of posting the virus onto
cyberspace, and destroying the personal computers he used to post 'Melissa,'" Bubb wrote.
Defense lawyer Edward P. Borden Jr. told the Asbury Park Press of Neptune that he disputes Bubb's assertions. He refused to comment further, the
newspaper reported Wednesday.
The Melissa virus was disguised as an e-mail marked "important message" from a friend or colleague of each recipient. It caused affected computers
to create and send 50 additional infected messages. The volume of messages generated slowed some systems to a crawl.
Authorities say the virus was named after a topless dancer in Florida.
Bubb's brief was filed in response to a defense motion seeking additional prosecution documents.
Borden says he needs the prosecution documents to file a motion to suppress evidence seized during the search of Smith's apartm
ent. A hearing on
his motion was to be held Wednesday afternoon.
Smith is charged with interruption of public communications, conspiracy and theft of computer service. The maximum penalty for the offense is 40
years in prison.
He remains free on $100,000 bail.
CNN;
Prosecutor says man
admitted creating 'Melissa'
computer virus
August 25, 1999
Web posted at: 10:49 AM EDT (1449 GMT)
FREEHOLD, New Jersey (AP) --
The man charged with creating the
Melissa computer virus that clogged
e-mail systems around the world
admitted he created the bug, a
prosecutor alleges in court papers.
David L. Smith, a former computer
programmer, was arrested in April.
A brief filed in state Superior Court by Supervising Deputy Attorney General
Christopher G. Bubb says Smith waived his Miranda rights and spoke to
investigators when police arrived at his apartment.
"Smith admitted, among other things, to writing the 'Melissa' macro virus,
illegally accessing America Online for the purpose of posting the virus onto
cyberspace, and destroying the personal computers he used to post
'Melissa,' " Bubb wrote.
Defense lawyer Edward P. Borden Jr. told the Asbury Park Press of
Neptune that he disputes Bubb's assertions. He refused to comment further,
the newspaper reported today.
The Melissa virus was disguised as an e-mail marked "important message"
from a friend or colleague of each recipient. It caused affected computers to
create and send 50 additional infected messages. The volume of messages
generated slowed some systems to a crawl.
Authorities say the virus was named after a topless dancer in Florida.
Bubb's brief was filed in response to a defense motion seeking additional
prosecution documents.
Borden says he needs the prosecution documents to file a motion to
suppress evidence seized during the search of Smith's apartment. A hearing
on his motion was to be held Wednesday afternoon.
Smith is charged with interruption of public communications, conspiracy and
theft of computer service. The maximum penalty for the offense is 40 years
in prison.
He remains free on $100,000 bail.
@HWA
24.0 cDc Responds to Allegations About HKBs
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by Evil Wench
Oxblood Ruffin, from the Cult of the Dead Cow, gives an
interview about the existence of the Hong Kong
Blondes. The HKBs are a group of Chinese dissidents
who are trying to destabilize the Chinese Government
through the Internet. Last week a report was issued
that there was no evidence to support their existence
and concluded that therefore they must not exist.
IT Daily
http://www.itdaily.com/daily.lasso?-database=dailybasepublic&-layout=today&-response=itdailyfree.htm&-recid=39830&-search
Thursday, August 25, 1999
Cult claims Hong Kong hackers are real
threat
US hackers respond to itdaily.com story
By Neil Taylor
Leading US hacker group the Cult of the Dead Cow has told itdaily.com that elusive Chinese hackers
the Hong Kong Blondes are operating in Asia.
According to the CDC, the Blondes are a group of Chinese dissidents who aim to destabilise the
Chinese Government through the Internet. Along with an offshoot named the Yellow Pages, the
group threatened to use information warfare to attack China's information infrastructure. The group
threatened to attack both Chinese state-owned organisations and Western companies investing in the
country.
When the group was first reported, the CDC claimed to be training the Blondes in encryption and
intrusion techniques.
A recent investigation by itdaily.com found no evidence of the group's existence. Despite
approaching the Hong Kong ISP Association, the Hong Kong Government, Police, universities,
security experts and hackers alike, nobody contacted by itdaily.com knew anything about the group.
However, CDC foreign minister OXblood Ruffin told itdaily.com that the Hong Kong Blondes are
for real, and that they are operating in Asia. The chief organisers, nicknamed Blondie Wong and
Lemon Li, were last reported to be based in India.
"The Blondes do exist, although the CDC has truncated our official relationship with them," said
Ruffin. "The Yellow Pages on the other hand briefly existed but were shut down by me."
Ruffin said that the reason the group has been so low-key is that they operate secretly to avoid
compromising members in China "They're hyper secure. They're organised in cells of three members
with no one but Blondie and Lemon knowing the entire membership."
The CDC has portrayed the Hong Kong Blondes as "hacktivists"; meaning they break into
computer networks for political ends. "The Yellow Pages got together and they were gonna do
support work to draw attention to social justice issues in China linked to current trading practices on
the Western side..."
Ruffin said that he later learned that the group planned to shut down the networks of a number of
large US corporations, at which point he decided to disband the group and disassociate himself with
the Hong Kong Blondes.
"The American public would not have supported any such adventure and it would have worked
seriously against the cause," he said.
He added that the CDC no longer maintains any relationship with the group.
As previously reported in itdaily.com, the first and only Hong Kong Blondes interview was leaked
to the press by the CDC just one month before the group released its well-known remote
administration tool Back Orifice. BO can be installed on a Windows PC without the user's knowledge,
giving full control over the machine to unauthorised third parties.
Since then, Back Orifice has become widespread internationally, particularly in China.
There is still no evidence beyond the word of OXblood Ruffin that the Hong Kong Blondes do, in
fact, exist, but as Ruffin's e-mail signature notes: "First we take the networks, then we take Peking."
@HWA
25.0 $50G Offered in 'Hacker Challenge' Publicity Stunt
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by Yazmon
Global Markets Research (GMR), a UK company, has
offered $50,000(US) to anyone who can break their
proprietary email system within three months. The
company designed 1on1 e-mail "to guarantee complete
confidentiality", the program uses 2048 bit encryption
while email is in transit and can autodelete email after it
has been read.
BBC
http://news.bbc.co.uk/hi/english/sci/tech/newsid_430000/430084.stm
1 on 1 Mail
http://1on1mail.com
HNN has stated its feelings about these 'Hacker
Challenges' before. These should not be considered
adequate testing methods. Reasons, 1) Most people
with the knowledge to break systems like this are busy
making bigger money elsewhere, 2) The real bad guys
don't want to give away their secrets, 3) this is not a
controlled environment conducive to good research.
If companies want publicity and a good test of their
security then they should hire someone like NMRC, Phar
Lap, L0pht, eEye, or any other independent third party
security experts to review their software.
NMRC.....: http://www.nmrc.org
Phar Lap.: http://www.pharlap.com/
L0pht....: http://www.l0pht.com
eEye.....: http://www.eeye.com/
BBC:
Thursday, August 26, 1999 Published at 08:15 GMT 09:15 UK
Sci/Tech
The self-destructing e-mail
Providing secure e-mail is a growing business
A new program can send e-mail messages which
self-destruct after a set time.
Its developers claim this will protect senders from having
ill-judged electronic words used against them later.
The most high-profile instance came last year when
Microsoft's Bill Gates had to defend himself against his
own e-mails in a US antitrust case.
Hack it if you can
UK company Global Markets Research (GMR) designed
1on1 e-mail "to guarantee complete confidentiality".
It uses 2,048-bit public key encryption to secure the
message in transit and GMR have such confidence in it
that they are offering $50,000 to anyone who can hack
into a message within three months.
The self-destruct feature is called autoshredder and the
package also prevents recipients from just cutting and
pasting out of it. "That would be pointless," GMR's
technical director, Steven James told New Scientist
magazine.
1on1mail also ensures that the e-mail is not stored
anywhere on the recipient's computer. Finally, when the
message self-destructs, it is overwritten on the disk, so
it cannot be undeleted later.
Gimmick jibe
However, critics have been quick to give their views.
"2,048-bit encryption is ridiculous," cryptographer Bruce
Schneier told technical news Website ZDNN. "It is
irrelevant. The security is determined by the password
anyway. If the user picks a bad one, the security is
bad."
Hushmail, a rival encrypted e-mail service, dismissed the
self-destruct feature as a gimmick.
Another fear is that e-mails used to send viruses or
trojans could destroy themselves along with any
evidence.
@HWA
26.0 NSA Recruiting In the Underground
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by Ender
The National Security Agency has been actively
recruiting at least one member of the underground
community. Ender Wiggin, editor of OSAll web site has
received offers for free tuition to a four year college,
salary, and room and board, in exchange for working for
the NSA for five years after graduation. After noticing
the NSA was visiting his web site he sent an inquiring
email and then received the offer to join this program.
OSALL - NSA and Kids
http://www.aviary-mag.com/News/NSA_and_Kids/nsa_and_kids.html
OSALL - Ender and CNN
http://www.aviary-mag.com/News/CNN/cnn.html
The NSA is actively recruiting high school kids, offering to
pay for college -- and a salary to boot.
The NSA and Kids
Mike Hudack
Editor-in-Chief
They were visiting the Web site daily. Every day they downloaded all
the new files and left. Who were they? The National Security Agency.
The NSA was created in the fifties with a mandate to read other nations´
mail and keep our mail from being read. Since then they´ve moved into
computer security in addition to their original cryptology.
Curious, I sent an e-mail to the registered custodian of the address
visiting the site. It must have been referred around the mulberry bush
because someone else answered. "Do you know about our college
programs?" this new person asked... I didn´t.
Apparently the NSA actively recruits students in high school (only local
to Fort Meade) and college. The NSA employee asked for my address
and received it.
About two weeks later I received a hand-addressed manila envelope
(which has been broadcast on CNN) containing a series of glossy
recruitment brochures touting an "opportunity the brightest students
cannot afford to miss."
They had no idea about my academic qualifications when they told me
about the program -- or at least I didn´t tell them. My academic
credentials are, however, quite good with the exception of attendance.
About a week after I received the brochures I received another e-mail
from this NSA employee who I was now recognizing as a recruiting
officer. He told me that I could "definately get into the program," and
that I would be able to go to "any college [I] want," suggesting they
could get me into the colleges.
Since then he´s e-mailed me almost weekly asking if I´ve applied.
This happened to me almost half a year ago now, and I´ve since spoken
to others who have been the subject of recruiting efforts. One teenager
told me "they were very enthusiastic. Kept telling me how I could get
paid for going to college... They sounded like the Army." And well they
should -- they are part of the Department of Defense.
The offer is pretty simple, and anyone can apply. If you plan to study
computer science, electrical or computer engineering, mathematics or
language in college, the NSA will allow you to apply. You must have at
least a 1200 on your SATs and a 3.0 GPA. In return for four years of
college, a salary, room and board, you must work for NSA for five
years post-graduation.
Most of the people the NSA is targetting in this recruiting program seem
to have problems with the idea. Most, including me, disagree with the
NSA´s cryptology policies (read: key escrow and export limitations).
Likewise, however, the opportunity is certainly an amazing one.
Related Links:
National Security Agency
http://www.nsa.gov
NSA Names Schools
http://www.aviary-mag.com/News/Old_News/NSA_Colleges/nsa_colleges.html
Ender & CNN
Mike Hudack
Editor-in-Chief
Mike Hudack, aka Ender Wiggin, editor of OSAll, was profiled on the
Cable News Network beginning on Monday. The entire profile will run
on Saturday on CNN at 1:30pm eastern time.
The story focuses on the fact that I´ve been actively recruited by the
National Security Agency. To find out more about it you´ll have to
watch :-)
A segment of the story originally ran on CNN Headline News on
Monday, repeating every half hour. Subsequently it ran on CNN
World Today at 10pm eastern. It ran again on CNN´s morning show
on Tuesday morning.
The idea behind the story is to make a positive impact on the media and
public´s understanding of hackers. It is meant to "break the hacker
stereotype." As a CNN anchor said, you "may remember the movie
War Games. Now the government is remaking the image of hackers."
I will be interviewed by FOX News on Wednsday night to air on Labor
Day Weekend. The focus of the FOX story will be similiar -- with a
focus on breaking the hacker stereotype and emphasizing the positive
side of hackers. Likewise, I have been in discussions with an NBC
channel for a similiar story.
I´ve previously been quoted or pictured in magazines such as US News
& World Report and PC World on security subjects. The US News
article was likewise focused on changing the attitude about hackers.
Since the CNN story started running I´ve been swamped by hundreds
of e-mails from everyone from venture capitalists to former NSA
employees. All have been very supportive, and I thank them very
much.
Related Links:
OSAll BBSystem
http://www.aviary-mag.com/bbsystem
National Security Agency
http://www.nsa.gov
Cable News Network
http://www.cnn.com
CNN Transcript of Partial Segment
http://cnn.com/TRANSCRIPTS/9908/23/wt.06.html
FOX News Network
http://www.foxnews.com
NBC
http://www.nbc.com
US News & World Report
http://www.usnews.com
PC World Magazine
http://www.pcworld.com
Transcript:
World Today
Teenage Hacker Gets Attention of NSA
Aired August 23, 1999 - 10:51 p.m. ET
THIS IS A RUSH TRANSCRIPT. THIS COPY MAY NOT BE IN ITS
FINAL FORM AND MAY BE UPDATED.
JOIE CHEN, CNN ANCHOR: Perhaps you'll remember the movie "War
Games," which told the story of a cyberwhiz who was pursued by the
Pentagon and CIA because of his hacking activities. Now some parallels in
the life of a real-life teen now being targeted by a key security agency.
The details from CNN's Ann Kellan.
(BEGIN VIDEOTAPE)
ANN KELLAN, CNN CORRESPONDENT (voice-over): He's your
typical teenager -- hangs out with friends, loves pizza, argues with his
parents that he really is old enough to drive. So why would the government's
top-secret national security agency, the NSA, be interested in Mike Hudak?
This 16-year-old is a computer whiz kid, a hacker.
MIKE HUDAK III, COMPUTER HACKER: Most hackers are not
malicious. They're good people.
KELLAN: Mike was 12 when he bought his first computer and immediately,
and legally, hacked it.
HUDAK: One of the first things I did with it is I took it apart and then put it
back together. And I was praying, you know, and it worked.
KELLAN: He even set up his own hacker news Web site. The NSA
noticed it.
HUDAK: They visited my site every day, and I can tell from site logs. So I
e-mailed them, and they e-mailed me back, telling me about their recruitment
program.
KELLAN: The NSA wouldn't comment on camera, but off-camera says it
recruits students like Mike and will pay four years college tuition, room and
board, even pay a salary. In exchange, students work summers and at least
five years after college for the NSA.
HUDAK: Don't use all caps. Turn off caps lock.
KELLAN: It's tempting for someone like Mike, who babysits everyday after
school and during the summer to make a buck. But then he wonders if he
can work for the NSA when he disagrees with some its policies.
HUDAK: I would have to think long and hard before I did it.
KELLAN: Not your typical computer hacker stereotype.
HUDAK: This made it into the dictionary this year.
KELLAN: Mike's parents are proud of his accomplishments, but dad wants
mike to be a doctor.
MIKE HUDAK II, MIKE'S FATHER: I love what he's doing now, but I
think with his ability he could be a hell of a surgeon.
HUDAK: No, I've always -- the sight of blood has always made me weak
in the knees.
KELLAN: Mike, at 16, wants a career where fun and money go hand in
hand.
Ann Kellan, CNN, Fairfield, Connecticut.
(END VIDEOTAPE)
TO ORDER A VIDEO OF THIS TRANSCRIPT, PLEASE CALL
800-CNN-NEWS OR USE OUR SECURE ONLINE ORDER FORM
LOCATED AT www.fdch.com
-=-
http://cnn.com/TECH/computing/9908/26/t_t/teen.hacker/index.html
Federal agency recruits hacker
teens
August 26, 1999
Web posted at: 11:21 a.m. EDT (1521 GMT)
FAIRFIELD, Connecticut (CNN) -- What image comes to mind when you
hear the word hacker?
If it's someone evil or malicious, somebody breaking into computers
illegally, you're only partly right.
For instance, Mike Hudack is your typical teenager. He hangs out with
friends, loves pizza and argues with his parents that he really is old enough to
drive.
So why would the National Security Agency be interested in him? Because
this 16-year-old is a computer whiz, a hacker.
"Not every hacker, not everyone who calls themselves a hacker, is a bad
person," Mike says. "Most hackers are not malicious. They are good people."
Mike was 12 years old when he bought his first computer.
"And I took it home, and I loved it so much," Mike says. "One of the first
things I did with it is I took it apart and then put it back together."
He even set up his own hacker news Web site, offering security advice to
government agencies. That is how he got the NSA's attention.
"They visited my site every day and I e-mailed them, they e-mailed me back,
telling me about their recruitment program," Mike says.
The NSA says it recruits students like Mike and will pay four years of college
tuition, room and board and even a salary.
In exchange, students work summers and at least five years after college for
the NSA.
It's tempting for someone like Mike who baby-sits every day after school and
during the summer to make a buck.
But he wonders if he can work for the NSA, given that he disagrees with
some its policies.
"I would have to think long and hard before I did it," Mike says.
@HWA
27.0 Distributed.net Fingers Thief
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by Evil Wench
On two separate occasions stolen laptops where
recovered with the help of the distributed.net RC5
client. The idiotic thieves did not reformat the hard
drives of the stolen systems like they should have and
instead started using them on the internet with the
original software installed. Distributed.net was then able
to match the original email address from the clients with
the machines new IP numbers to trace the thieves.
Wired
http://www.wired.com/news/news/technology/story/21431.html
Not everyone thinks this is a good thing. Some feel that
Distributed.net erred by giving out its web logs without
a warrant.
MindSec
http://www.mindsec.com/misc/distnet.html
Wired;
Net Address Helps Finger Felons
by Andy Patrizio
2:00 p.m. 25.Aug.99.PDT
Running the RC5 client on your computer is not only a nifty way to win a few thousand dollars,
it could also help find your PC if it is stolen.
The RC5 client is used in a contest where people put their PCs to work in an attempt to break
RSA Data Securities' 64-bit encryption.
On two occasions, computers running the RC5 client were stolen, but the crooks were caught because
they didn't realize that the computers could be traced.
RSA, a leading developer of data encryption, issued a US$10,000 challenge two years ago to break
its 64-bit encryption security.
There are 18 quintillion key possibilities with 64-bit encryption, and after two years and 197,000
participants, only 11.8 percent of the keys have been tested.
RC5 runs during idle CPU cycles. It periodically connects to Distributed.net servers to return
processed encryption keys and to retrieve new ones.
When the thieves started to use the computers, RC5 continued to process keys and connect to
Distributed.net servers, sending in completed work and fetching new keys. And when the stolen
computer communicated with the server, it logged in using the thief's IP address.
The Distributed.net administrators tracked down the IP address back to the thieves' ISPs, and in turn
were able to determine who was using that IP address when the keys were sent.
In separate incidents, in May 1998 in Sweden, and this year at Oregon State University in Corvallis,
Oregon, police were able to recover the computers, said David McNett, a programmer who runs Distributed.net.
"We have a joke in the admin channel that Distributed.net is like LoJack for your computer." LoJack is a
device placed in cars that allows police to determine their location if the vehicles are stolen.
"It's certainly an unanticipated side effect of running the client, but a good one."
The other side of the coin
Mindsec;
Wired News Article http://www.wired.com/news/news/technology/story/21431.html
Mindsec.com has noted that services like distributed.net, and Seti@home, that let you have a background
client running, which will periodically send in your finished blocks, or some data that they are processing,
as well as the IP you came from, and your email address. It sends the email address you provide to it for
statistics and tracking purposes. When that is done, binded to your IP address, it effectively lets them see
where you are coming from.
Well that is not a problem, that is fine. Except when two things happen, the first would be when
distributed.net, without being served a warrant, just gives logs to a regular person, who wants them. It is
great that the person got their stolen computer back, and the person who stole it was arrested, however it
should have gone through legal channels, and they should have been served a warrant. The second, what if they
are served a warrant to track someone? Well, there is nothing you can do about that, except to use a fake email
address, or an account that you never access from anywhere else, and use a proxy server to connect to them. If
you just use a fake email account, and use it ONLY with distributed.net, you would be OK, since there is no
way someone would know what that account is. However if someone found it, poof, you have been tracked.
These are things you should keep in mind, they are important and serious. They are a big part in computer
privacy, and Mindsec.com fully support Computer Privacy, and Privacy in general.
When we spoke to the administrative contact at distributed.net, he said that they gave out the logs just to
help them out. he also stated "The logs are no different than any web server that logs your IP". I corrected
him in the fact that web servers do not cross reference to a database of email addresses. I am sure they meant
no harm, and I hope they will realize that this is bad and never do it again. They were contacted by the people
who had their computers stolen, and they did the research for them. It is unclear if it was distributed.net who
spoke to the ISP of the thief, or if it was turned over the the police first.
Late Addition: Just to clarify to the people who are mailing and saying that they don't see the problem. Go
sign up to be on distributed.net. What authentication does it do to find out who you are? None, so how can
someone go after the fact and try to say "Well that is me". I am sure I could say "I am Joe Johnson, my laptop
got stolen, this is my email address, could you give me the logs?". If distributed.net even asked for any kind of
verification of who they were, besides their email address, and sending email to the same account that the rc5
client was using, how is that secure verification? If "Hacker X" wanted to track down "Hacker B", they hack that
persons account, and if that was already enough to track them, they could find them in almost real time, to their
IP address, thanks to distributed.net. I like the idea behind distributed computing, most people like the idea.
But the way it logs and such are serious, it either needs real verification, via pgp of some sort.. I would say
they need to just not give out their logs without a warrant, but nobody can trust them after this.
@HWA
28.0 Hacktivism Email List
~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by grugnog
An email list to discuss news about recent hactivists
events and analysis about hacktivism and for discussion
possibly leading to a better understanding of what
'hacktivism' means (as a word and in a tactical, ethical
and practical sense).
Hacktivism list
http://www.tao.ca/~grugnog/hacktivism/
@HWA
29.0 Mitnick in Car Accident
~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by maverick212
While being transported from the San Bernardino Jail to
the Los Angeles Metropolitan Detention Center the
vehicle Kevin Mitnick was riding in was involved in a
multi car pile up. The accident occurred on Highway 60
between 8:30 and 9 a.m.. Kevin was thrown against a
metal divider within the vehicle and suffered minor head
and neck injuries. Although Kevin and the other
prisoners were shackled in chains no seat bealts were
used. After the accident Kevin was transported back to
the San Bernardino Jail.
FREE KEVIN
http://www.freekevin.com/
Wired
http://www.wired.com/news/news/politics/story/21455.html
Mitnick Hurt in Car Crash
by Douglas Thomas
4:30 p.m. 26.Aug.99.PDT
LOS ANGELES -- Convicted hacker Kevin Mitnick sustained minor head and neck injuries Wednesday morning in a multi-car accident while he was
being transferred to a facility that satisfied his dietary requirements.
Mitnick, being transferred in anticipation of a court ruling which would order Mitnick moved to a facility that served kosher meals, was thrown
against a metal divider.
See also: Life Not Kosher for Mitnick
Mitnick and an unknown number of other inmates -- shackled in chains but with no safety restraining devices -- were being transported from the
San Bernardino Jail to the Los Angeles Metropolitan Detention Center. The crash occurred on Highway 60 between 8:30 and 9 a.m.
"I really slammed my head when I hit the metal divider," Mitnick said in a telephone interview on Thursday.
X-rays proved negative, although Mitnick continues to complain of headaches, nausea, and shoulder and neck pain.
Insult soon added to his injuries: After spending several hours waiting to be admitted to the MDC, Mitnick was transferred back to the San
Bernardino facility, which does not serve kosher food.
Mitnick wound up spending most of Wednesday night waiting on the floor of a holding cell to be readmitted. He was finally booked into the facility
at 3:30 a.m. Thursday.
Mitnick said he has yet to be seen by a San Bernardino facility nurse, and has had no access to any painkiller, including Tylenol. "I don't think they
have any idea what happened," Mitnick said, referring to the lack of medical attention.
Although unwilling to comment on legal action regarding the accident, Mitnick's attorneys did say that they immediately sent a letter to the U.S.
Marshals Service requesting that Mitnick be moved to a federal facility. They say a federal facility could provide him access to kosher food and to
medical treatments in keeping with federal guidelines.
U.S. Marshals were unavailable for comment.
"This has definitely been one of the worst days in custody," Mitnick said.
(If that was his worst day he's been doing alright, noone has made him their girlfriend yet ... - Ed)
@HWA
30.0 Hong Kong Police Create Computer Crime Squad
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by Code Kid
The Hong Police have announced plans to form the
Computer Crime Investigation Cadre to help tackle
computer crime at district levels. Members of the squad
will be selected from officer training course being run by
the Commercial Crime Bureau.
South China Morning Post
http://www.technologypost.com/enterprise/Daily/19990826112510135.asp?Section=Main
Published on Thursday, August 26, 1999
ENTERPRISE
HK police to establish
computer crime team
NEWSBYTES
The Hong Kong police yesterday announced plans to
form a special team of officers with expert knowledge in
the area of computer crime to help battle criminals that
are increasingly turning to electronic means to commit
crimes.
The new squad will consist of an unspecified number of
officers who will be called in to help colleagues when
criminals employ sophisticated computer techniques in
committing their crimes.
"The surge in computer use, the increase of related
criminal cases and other emerging issues in various
regions over the past year have resulted in a challenge
which the 17 members of the section now find it difficult
to cope with, without resorting to help from their Force
colleagues," explained Commercial Crime Bureau Chief
Superintendent, Victor Lo Yik-kee.
"That is what Cadre members will be for," added Mr
Lo. "Once qualified and recognised, they can help
provide support services to their own formations in
handling cases of computer-related crimes while officers
of the Section can continue to play the role of a
co-ordinator and provide assistance when needed."
The first members of the squad are expected to be
recruited by September. The Commercial Crime Bureau
is already running a training course for officers from
across the course, said the force, and this course is
being used to select members of the new Computer
Crime Investigation Cadre which will help tackle
computer crime at District levels.
The training course follows a similar two day meeting at
the Police Training School in July when over 180
officers of different ranks and members of the
Immigration Department and the Customs and Excise
Department attended seminars on computer crime and
undertook a written test to judge their knowledge of the
subject.
Copyright (c) Post-Newsweek Business Information, Inc.
All rights reserved.
@HWA
31.0 Outlook Holes Demonstrated at USENIX
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by Weld Pond
Richard Smith, president of Phar Lap Software, recently
gave a presentation at the 8th Usenix Security
Symposium detailing over a dozen major holes in
Windows Outlook. Some holes would give infocriminals
complete access to your desktop computer.
Wired
http://www.wired.com/news/print_version/business/story/21442.html?wnpg=all
Locking Windows' Backdoors
by Declan McCullagh
3:00 a.m. 26.Aug.99.PDT
WASHINGTON, DC -- If you use Microsoft Outlook, be warned. Over a dozen bugs in Windows 98 let malicious virus writers and meddlesome peeping
Toms view or erase any file on your hard drive.
At a computer security conference Wednesday afternoon, an expert demonstrated how malcontents can send apparently innocuous email with
hidden commands that -- if opened using certain email programs -- will give an intruder complete access to a Windows computer.
See also: Same Hole, Different Exploit
"We've got some serious problems here, folks. We've got some really bad backdoors on the computers we have on our desktops," said Richard
Smith, president of Cambridge, Massachusetts-based Phar Lap Software, who identified the person accused of writing the Melissa virus.
During his presentation at the 8th Usenix Security Symposium, Smith demonstrated some new security flaws he and his collaborators have identified
in their spare time. One recently unearthed and not-yet-fixed Win98 glitch lets an email opened in Outlook execute any DOS command -- including
reformatting your hard drive or uploading its contents to a remote Web site.
The solution? Consumers could switch to a non-Microsoft operating system. Another option, Smith suggested, is for customers to begin asking
computer companies to turn off features that let email messages execute other programs.
"It's prudent to avoid systems in which we can have executable content," said Peter Neumann, the conference's keynote speaker and a researcher
at SRI International. "There is no way you can have any assurance whatsoever that it will work."
Many of the problems security experts have identified stem from the design choices Microsoft made when developing Windows 95 and 98, which are
much more vulnerable to intrusions than Linux, Unix, or even Macintosh systems.
One gaping security hole is Microsoft's complicated ActiveX technology, which lets remote Web pages or email messages execute programs that
manufacturers claim are trustworthy. But sometimes they're not. With a little programming, a nefarious person can send email or create a Web page
that activates Active X functions that delete files, modify them, or even send their contents to any address on the Internet.
As security experts have identified these flaws, Microsoft has tried to fix them, and Smith said some have been eliminated from early versions of
Windows 2000. But the millions of people using current versions of Windows 98 and Outlook are still at risk, he said, unless they switch off ActiveX.
Not only Microsoft is to blame. Netscape has acknowledged security glitches in its browser. Unrepaired versions of Qualcomm's Eudora 4 let
executable programs masquerade as links.
Computer makers, too, have been shipping buggy software. Hewlett Packard has included two ActiveX controls on about 5 million Pavilion
computers, Smith said, that let HTML email messages opened in Outlook or Eudora take control of the computer. An intruder can silently insert a
virus, disable security features, view documents, or crash the system.
Some Compaq Presario computers suffer from a similar security risk. As configured from the factory, the computers trust all applications provided by
Compaq -- one of which can execute whatever program an email message orders it to run.
"Compaq gave every hacker in the world a way to run programs," Smith said.
To improve the security of Outlook, go to the Security tab in the program's Options dialog box and select "restricted sites zone." Then, in the
Internet Options Windows control panel, go to "Restricted sites/Custom level" and scroll down and disable "Active Scripting."
@HWA
32.0 Feds Overflowing with Siezed Equipment
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by netmask
Hundreds of computer systems are piling up and cases
are going untried because the FBI lacks the resources
to examine confiscated equipment. Under federal law
investigators may keep property seized as possible
evidence until the statute of limitation for the given
crime expires, generally five years for computer crime
cases.
New York Times- Registration Required
http://www.nytimes.com/library/tech/99/08/cyber/cyberlaw/27law.html
Investigators Face a Glut of Confiscated
Computers
By MATT RICHTEL
hen the FBI raided the family home of Paul Maidman, 18, in late
May, they seized his computer as possible evidence of online
criminal activity and took it to a high-tech forensics lab in Dallas. The
Waldwick, N.J., teenager, who has yet to be arrested or charged with a
crime, is concerned that it could take a long time to learn his fate -- and
that of his computer.
The FBI and prosecutors on cases
like Maidman's say he could be
waiting a while. Maidman is one of
hundreds of people whose computers
are in federal and state custody. Law
enforcement officials say they lack the
time, resources and sometimes
expertise to examine all of the PCs
that are piling up.
For example, at the headquarters of a federal cybercrime task force in
Dallas, more than 100 hard drives await examination, but only three
forensics experts are available to look at them, said Paul E. Coggins, the
United States Attorney in Dallas. The computers were seized in cases
involving a range of alleged crimes, including fraud, embezzlement, child
pornography and computer break-ins.
"We've had hackers who are ready to plead guilty, but we're slowed
down because we lack the resources" to scour through the evidence,
Coggins said, adding that few forensics agents have been trained to find
and understand incriminating data on hard drives. "It's hard to find people
to begin with who not only have the interest but the competence," he
said.
It is unclear how widespread this problem is among state and federal
agencies. But Coggins said that numerous agencies, both state and
federal, seek the advice and assistance of the three forensics investigators
in Dallas, suggesting there is insufficient expertise in many jurisdictions.
"We are desperate for resources to process these cases," said Matthew
E. Yarbrough, an assistant United States Attorney based in Dallas who is
one of 25 federal prosecutors assigned by Congress to pursue
cybercrime cases full-time.
Supporters of hackers and the hacker ethos, which champions
non-malicious computer tinkering, say the situation is worrisome. They
fear that computer users who are innocent, or who may never be charged
with a crime, may be deprived of thousands of dollars worth of
equipment far longer than necessary.
As evidence, they point to a recent study by a
senior fellow at the Electronic Privacy
Information Center which found the prosecution
rate for computer crime to be lower than that
for other types of crime. That suggests to critics
that investigators are unfairly targeting innocent
people. Federal law enforcement officials counter that, in part because of
the complexity of evidence gathering, the computer crimes are
complicated to prosecute.
When it comes to holding confiscated property, the investigators have the
law on their side. Under federal law, they may keep property seized as
possible evidence until the statute of limitation for the given crime expires
-- with non-capital offenses, generally five years after the crime is
committed. Defense lawyers concede it is not unusual for law
enforcement to keep property as possible evidence in an ongoing
investigation for several years.
"It's not abnormal, but it is a big deal for the innocent person whose
expensive equipment is taken from them," said Jennifer S. Granick, a San
Francisco lawyer who represents hackers.
"Whether the seizure of the property is justified, we can't know now," she
said. "But in time, when the affidavits are unsealed, then we'll know
whether there was good cause or sound reason to deprive these people,
or whether the seizures are part of anti-hacker hysteria."
The issue dates back to a debate in 1990 over a government
investigation called "Operation Sun Devil," targeting members of the
Legion of Doom, a hacker group. As part of the investigation, agents
confiscated computers at Steve Jackson Games, a small company in
Austin, Tex., in search of a rule book for a game. Investigators thought
the book might be a how-to guide for computer criminals.
Without his computers, Jackson was nearly forced out of business. He
took the Secret Service to court and won on two of three counts, forcing
the Secret Service to pay more than $300,000 in damages and legal fees.
Today, federal investigators say they make an effort to return computers
to a business whose equipment may have been used by an employee
without its knowledge, or machines that are needed to keep a legitimate
business in operation. One way investigators accomplish this is by taking
a snapshot of the hard drive, copying all of the data and then returning the
original to its owner.
But Yarbrough, the assistant United States Attorney, said returning
personal computers to people suspected of wrongdoing is another
matter. He said their computers may be instruments used in a crime, and
would not be returned any more than a gun would in a similar situation.
Yarbrough said that it is not a valid use of limited government resources
to spend time copying the hard drives of a suspect's computer just to be
able to return it to them. "We don't give the gun back to a bad guy, and
we don't give the computer back to a bad guy," he said.
But Ms. Granick disagreed, arguing that while it is necessary to hold a
gun as evidence, hard drives are different. "You can't copy the gun and
have it be good evidence in court. You need to have the actual gun," she
said.
Hackers and others are allowed under federal law to
petition the government to return their property. But
some say they worry that if they do so, they risk
irritating investigators and making things harder on
themselves. "I don't want to make any problems," said
Maidman, the 18-year-old from New Jersey. "I'd
really like my stuff back, but I don't want to upset
them."
Maidman's home was raided in June during a broad sweep by federal
agents against computer criminals and phone "phreakers" -- people who
hijack time and resources from phone companies. At the time, Coggins's
office issued 16 warrants in 12 jurisdictions; the FBI said at the time that
the investigation targeted the theft of passwords and credit cards, among
other possible charges.
Coggins said the investigation is ongoing. But he said the government also
has to set priorities, and that with limited resources, the hacking cases
sometimes take a back seat to economic espionage or other major
crimes that require high-tech forensics research.
The federal government is not alone in its frustration. State governments
say they too are toiling under limited resources and expertise in dealing
with computer-based evidence. Kevin Higgins, chief Deputy Attorney
General for the state of Nevada, said that the spread of computers
among more ordinary criminals is making matters worse; even
methamphetamine dealers carry electronic organizers with the names of
their associates, he said.
"These days there's a debate over whether even to seize computers," he
said. "You've pretty much got to have a room just to store them in."
Carl S. Kaplan is on vacation.
@HWA
33.0 Computer Hackers Sentence Spotlights High-Tech Crime Prosecutions
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://www.epic.org/staff/banisar/hacker.html
Computer Hackers Sentence Spotlights High-Tech Crime Prosecutions
By David Banisar, Contributing Editor
Criminal Justice Weekly,
Notorious computer hacker Kevin Mitnick, once described as "Cyberspaces Most Wanted," is scheduled to be sentenced this month in U.S. District Court (C.D.
Cal) to 46 months in prison after pleading guilty to computer fraud and abuse in April 1999 for breaking into dozens of computers around the United States. The
sentencing will end a five-year, highly publicized chase and prosecution of the best-known hacker in the country. It raises many questions about the ability of law
enforcement to handle cases involving new technologies and the prosecutions of those accused of computer crimes.
Cyberspaces Most Wanted?
The case has been the subject of worldwide media attention, which Mitnicks supporters say has blown his exploits out of proportion. The New York Times led the
coverage, describing him in a 1994 front-page story as "Cyberspaces Most Wanted." The Times stories increased interest in the case, and Mitnick was tracked
down and arrested in North Carolina in 1995. He was charged with 25 counts of computer fraud, wire fraud, and wiretapping, but none of these alleged crimes
were mentioned in the Times series. In previous prosecutions, Mitnicks relationship with computers has been described by mental health experts as "obsessive." In
the current federal prosecution and a pending state case in California, he has not been accused of using computers for personal gain.
Prosecutors apparently decided to use his case as a warning to others. Since his arrest, he has been held without bail and repeated requests for a bail reduction
hearing have been denied. Prosecutors refused to give him access to a computer with the eight gigabytes of evidence they planned to use against him, claiming that he
could use it to break into more systems, even without a phone line and modem. He was once put into solitary confinement when prosecutors claimed that he was
converting an AM/FM radio into a transmitter.
Mitnick pleaded guilty to five felony charges following over four years of pretrial detention. He is now eligible for release to a halfway house, having already served
most of his time. The probation office has recommended that unsupervised use of computers, modems, or cellular phones be prohibited as a condition of supervised
release.
Mitnick still faces a California state charge of computer fraud for telephoning the California DMV in 1992 to persuade an employee there to fax him the drivers
license information of a suspected informant. According to Carolyn Hagin, an attorney at the law offices of famed hippie lawyer Tony Serra, the attorney who is
representing Mitnick in state court, an attempt to lower bail from $1 million was denied by a Los Angeles Superior Court judge on July 9, who admitted that media
portrayals of Mitnick convinced him to deny bail. Meanwhile, John Markoff, the New York Times reporter whose gripping front-page stories made Mitnick a
celebrity, landed a book contract one week after Mitnicks capture worth a reported $750,000. Takedown, a movie starring Tom Berringer, is scheduled to be
released later this year.
The Long Arm of the Law
The primary federal statute regarding computer crime is the Computer Fraud and Abuse Act (18 USC § 1030). The Act, originally adopted in 1984 and
substantially amended in 1986 and 1990, prohibits the unauthorized access or exceeding of the users permitted access to computers run by government agencies,
financial institutions, or computers used in interstate or foreign commerce, such as those connected to the Internet. It also prohibits releasing viruses or other
programs that can secretly access computers and cause damage.
The penalties for a first offense range from one year for accessing computers without intending to cause damage and without financial gain, to five years for
intentionally damaging computers or stealing information for material gain. A maximum of ten years can be imposed for using the access to obtain information
protected "for reasons of national defense or foreign relations."
There are several other statutes included in the U.S. Department of Justice Computer Crime Program category: those involving trafficking in access devices such as
passwords, cell phone cloning devices, or credit card numbers (18 U.S.C. § 1029), and mail and wire fraud (18 U.S.C. § 1343). Every state also has its own
computer statute.
Referrals Increasing, Most Cases Rejected
Federal agency referrals for prosecution of computer crimes have increased substantially over the past several years, but actual prosecutions are fairly rare.
According to U.S. Justice Department data obtained under the Freedom of Information Act by the Transactional Records Access Clearinghouse (TRAC) of
Syracuse University, the DOJ prosecuted 83 cases out of 417 referred in 1998 under the Computer Fraud program category.
Referrals have more than tripled since 1992 and 1993. Each year between 1992 and 1998, the DOJ has declined to prosecute between 64 and 78 percent of these
cases. Forty percent of the cases were declined because of lack of evidence of criminal intent, weak or insufficient admissible evidence, or no apparent violation of
federal law.
In 1998, 47 persons were convicted of computer crimes and 10 were found not guilty. Twenty were sentenced to prison. That year, the average sentence for those
convicted was five months, and over half received no jail time. Since 1992, 196 persons have been convicted and 84 persons have been sentenced to prison for
computer crimes.
Average sentences imposed for federal computer fraud and abuse violations have ranged from four to 18 months. In most years, over half of those convicted served
actual time behind bars. The longest sentence was against profit-oriented hacker Kevin Poulsen, who was sentenced in 1995 to 71 months for manipulating the
phone system to win radio contests. Like Mitnick, he was held without bail for five years. In his case, the prosecution initially charged him with obtaining classified
information as a justification for denying bail and then dropped the charge before trial.
Currently, there is no federal sentencing guideline specifically applicable to the Computer Fraud and Abuse Act (18 U.S.C. §§ 1029-1030). In 1993, the U.S.
Sentencing Commissions Computer Fraud Working Group examined the application of existing federal sentencing guidelines as applied to the statute. The working
group found that for most cases, the fraud guideline, Section 2F1.1, adequately addressed most offenses. It recommended against creating a new guideline for
computer fraud because of the difficulty in measuring harm, the possibility of charging decisions that could lead to the same actions being prosecuted differently, and
the lack of empirical support (case law) for creating a separate guideline. The working group is presently drafting guidelines on losses for software piracy as required
by Congress under the No Electronic Theft (NET) Act (PL 105-147, 1997).
The FBI claims that there were nearly $400 million in losses between 1996 and 1998 due to computer fraud, but these numbers are difficult to verify. Mark Rasch, a
former federal prosecutor and now senior vice-president of Global Integrity Corp., a Virginia computer security consulting firm, notes that the issue of damages in
these types of cases "drives the sentencing guidelines" and are "tremendously fact specific."
In many cases, the numbers appear to be grossly inflated. In 1990, the federal government brought a case against Craig Neidorf, the publisher of Phrack magazine,
an underground online newsletter, for publishing the "source code" to BellSouths emergency 911 system. Prosecutors claimed that with the code, which they valued
at $57,000, hackers could shutdown the 911 system in the United States. Three days into the trial, Neidorfs attorneys showed that the document was actually a
memo on procedures available for sale from BellSouths own catalog for $13, and the case was dropped. BellSouth had included in its figures the cost of the
workstation used to write the memo and the salary of the author.
In Mitnicks case, the companies whose computers he broke into, including Sun Microsystems and Nokia, claim that he caused nearly $300 million in damages by
accessing their systems and stealing software. Several of the companies listed the entire cost for developing the software, rather than actual losses. Recently, Sun
Microsystems, which claimed Mitnick stole source code worth $80 million, recently began selling the same code to students and software developers for $100. Phil
Karn, a senior engineer at Qualcomm Inc., a San Diego-based cellular phone manufacturer, whose offices were broken into by Mitnick, told the Los Angeles Times
that "the real damage was loss of productivity and hassles . . . I dont want to condone what Mitnick did, but hes really not public enemy No. 1." Assistant U.S.
Attorney David Schindler is demanding Mitnick pay $1.5 million in restitution. His sentencing hearing has been put off several times while this issue is being
negotiated, but supporters say that without access to computers, Mitnick is unlikely to ever be able to earn enough money to pay restitution, no matter what the
amount.
A Cyberspace War or a New Red Scare?
While Mitnick cooled his heels awaiting trial, a new public fear of computers, and the potential impact of computer hackers on individual lives and national security
has emerged. In 1998, President Clinton signed Executive Order PDD 63, Critical Infrastructure Protection. Following the Executive Order, a number of
government agencies including the FBI, DOJ, and the National Security Agency (NSA), pressed for limits on security programs that include encryption, which can
protect communications from interception, and new powers to access telecommunications providers, such as telephone companies to protect them from
cyberattacks.
The New York Times reported on July 28 that the National Security Council has proposed a Federal Intrusion Detection Network (Fidnet) that would monitor
traffic on the Internet to look for patterns of computer intrusions. Data on the traffic would be stored at the National Infrastructure Protection Center, an interagency
task force run by the FBI.
Thomas Guidoboni of Michaels, Wishmer and Bonner, Washington, D.C., who has represented several persons accused of computer crimes, says there is a
paranoia about hackers. "Everyone is frightened of what they can do. . . . It scares people to think their computers can be broken into."
The NSC proposal, which could have profound privacy and civil liberties implications, has been criticized both inside and outside the government and is unlikely to
be adopted. But the combination of the growth of the Internet, fear, and bureaucratic demands for more power to protect systems ensure that there will be more
prosecutions in the coming years.
David Banisar is a Washington, DC, area attorney specializing in computer and communications law. He is the co-author of The Electronic Privacy
Papers (John Wiley and Sons, 1997) and a Senior Fellow at the Electronic Privacy Information Center. He is a contributing editor to Criminal Justice
Weekly.
Editors note:
Since the publication of this article, Mitnick was sentenced to 46 months in jail and ordered to pay $4,100 in restitution. The pending case against him in the state of
California was also dropped.
@HWA
34.0 Triads Linked to Info Vandalism - Alleged CoverUp by RCMP
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by Hex_Edit
Classified documents from the Royal Canadian Mounted
Police allege that Chinese nationals with links the Triads,
(Chinese Mafia) have broken into the computer system
at Canadian High Commission in Hong Kong. The
Computer Assisted Immigration Processing System is
supposed to have had over 788 files deleted. The
intrusions may have taken place as long as seven years
ago. It is believed that the RCMP is covering up the
events.
National Post
http://www.nationalpost.com/home.asp?f=990826/63514
Vancouver Province
http:/
/www.vancouverprovince.com/newsite/news/990826/2775271.html
National Post;
Triads linked to hacking at
Canadian mission
Files deleted, blank visa forms missing in
Hong Kong
Fabian Dawson
The Province
VANCOUVER - Chinese nationals linked to organized crime
have broken into the immigration computer at the Canadian High
Commission in Hong Kong, classified documents allege.
At least 788 files from the Computer Assisted Immigration
Processing System (CAIPS) were deleted, and up to 2,000 blank
visa forms have disappeared, according to the documents.
The core allegation is that certain people paid locally engaged high
commission staff to delete their backgrounds in the computer
system to hide their links with Triads -- the Chinese Mafia.
A related concern is that the stolen visa forms have been used by
possibly hundreds of people, including criminals, to enter Canada
illegally.
For seven years, the RCMP, Immigration Canada and the
Department of External Affairs are alleged to have kept a lid on
the case, which several sources call a ''breach of national
security.''
Two key figures in the investigation suspect the RCMP is covering
up criminal acts and negligence at Canada's immigration office in
Hong Kong.
Details of the case are contained in reports filed by Robert Read,
an RCMP corporal in Ottawa, and Brian McAdam, a former
immigration control officer at the high commission in Hong Kong.
''I believe there has been a massive conspiracy to cover up the
whole issue,'' Cpl. Read said. In a report marked ''Top Secret,''
he wrote: ''The loss of control of CAIPS ... loss of control over
immigration from Hong Kong ... from 1986 to 1992 is a most
serious breach of national security."
Cpl. Read, who has written orders from his boss, Inspector Jean
Dube, not to talk to the media, said: ''I am going public because
there needs to be a public inquiry into this whole thing.''
Officials would not confirm or deny the existence of an
investigation.
In fact, the investigation began in 1992, when the Department of
External Affairs sent to Hong Kong an electronic data processing
officer, David Balser, and RCMP Sergeant John Conohan.
According to Cpl. Read and Mr. McAdam, the two carried out a
cursory investigation. Neither Mr. Balser nor Mr. Conohan
recommended further investigations or criminal charges, despite
Mr. McAdam's reports, which indicated security breaches by
locally employed staff and the discovery of fake Canada
Immigration stamps in one of their desks.
Mr. Conohan was also told about local staff who had given
themselves unauthorized, top-level security clearance to access
the computer, according to one of Cpl. Read's reports.
Mr. Conohan reported that the suspect in whose desk the fake
stamps were found had fled to Taiwan, despite being given
information that she was living in B.C., some of the reports allege.
Documents also show that a second suspect, who operated the
CAIPS computer, fled her job in September, 1993, because of
gambling debts owed to Triads.
Mr. Balser's report is described by investigators familiar with the
allegations as ''unintelligible bureaucratese.''
He makes no express mention of the deleted files, fake stamps or
missing blank visas, which were included in Mr. McAdam's
reports.
Mr. Balser does talk about the potential for security breaches and
recommends that locally engaged staff not be given high security
clearance. He hints that someone could misuse blank visas, which
were left lying in open cardboard boxes, but does not report
allegations that at least 2,000 blank immigrant visas were found to
be missing.
Mr. Read alleges that Mr. Balser has told him on the record that
he was ordered to ''obfuscate'' his report. Mr. Balser is now
retired and could not be reached for comment.
Unable to get any answers to his concerns, Mr. McAdam
continued with his complaints and a series of RCMP investigators
were given the case and then abruptly transferred.
The Canadian Security Intelligence Service, was also brought in to
investigate Chinese espionage and together with the RCMP
launched Operation Sidewinder in 1995.
That operation, which was to look at the influence of Chinese
officials and tycoons at the Hong Kong mission, was also halted.
The investigation into the penetration of CAIPS is now being
conducted by Sergeant Sergio Pasin of the immigration and
passport section of the RCMP.
''If the RCMP does not tell the government that a disaster has
occurred, the government cannot decide how to react to it, cannot
decide when to tell the people of Canada what has occurred,''
said Cpl.
-=-
Vancouver Province;
'A breach of national
security'
Files at Canada's diplomatic mission in Hong Kong were
infiltrated Fabian Dawson, Staff Reporter The Province
Chinese nationals linked to organized crime have broken into the
immigration computer at Canada's diplomatic mission in Hong Kong,
classified documents obtained by The Province allege.
At least 788 files from the Computer-Assisted Immigration Processing
System (CAIPS) were deleted, and up to 2,000 blank visa forms have
disappeared, according to the documents.
The core allegations are:
- That certain people paid locally engaged staff of the Canadian
commission (now the consulate-general) to delete their backgrounds in the
computer system to hide their links with triads -- the Chinese Mafia.
- That the visa forms have been used by possibly hundreds of people,
including criminals, to enter Canada illegally.
For seven years, the RCMP, Immigration Canada and the department of
external affairs are alleged to have kept a lid on the case, unwilling to
reveal the extent of what several sources call a "breach of national
security."
Two key figures in the investigation suspect the RCMP is covering up
criminal acts and negligence at Canada's immigration office in Hong Kong.
Details of the case are contained in reports filed by Robert Read, an
RCMP corporal in Ottawa, and Brian McAdam, a former immigration
control officer at the Canadian commission in Hong Kong.
"I believe there has been a massive conspiracy to cover up the whole
issue," Read said.
In a report marked Top Secret, he wrote: "The loss of control of CAIPS .
. . loss of control over immigration from Hong Kong . . . from 1986 to
1992 is a most serious breach of national security."
Read, who has written orders from his boss, Insp. Jean Dube, not to talk
to the media, told The Province: "I am going public because there needs to
be a public inquiry into this whole thing."
Official spokesmen would not confirm or deny the existence of an
investigation.
In fact, the investigation began in 1992, when the department of external
affairs sent to Hong Kong an electronic data processing officer, David
Balser, and RCMP Sgt. John Conohan.
Read and McAdam say the two men carried out a cursory investigation.
Despite evidence indicating security breaches by locally employed staff and
the discovery of fake Immigration Canada stamps in one of their desks,
neither recommended further investigations.
Conohan was also told about local staff who had given themselves
unauthorized, top-level security clearance to access the computer,
according to one of Read's reports.
The sergeant reported that the suspect in whose desk the fake stamps
were found had fled to Taiwan, despite having been given information that
she was living in B.C., some of the reports allege.
Documents also show that a second suspect, a woman who operated the
CAIPS computer, fled her job in September 1993 because of gambling
debts owed to triads.
Balser's report, a copy of which The Province has obtained, is described
by sources familiar with the allegations as "unintelligible bureaucratese."
He makes no express mention of the deleted files, fake stamps, missing
blank visas or the disappearing local staff.
Balser does talk about the potential for security breaches and recommends
that locally engaged staff not be given high security clearance.
And he hints that someone could misuse blank visas, which were left lying
in open cardboard boxes, but does not report allegations that at least
2,000 blank immigrant visas were found to be missing.
Read, a Mountie for 24 years, alleged that Balser has told him on the
record that he (Balser) was ordered to "obfuscate" his report. Balser is
now retired.
Unable to get any answers to his concerns, McAdam continued with his
complaints. A series of RCMP investigators were given the case and then
abruptly transferred.
The Canadian Security and Intelligence Service, Canada's spy agency, was
brought in to investigate Chinese espionage. Together with the RCMP,
CSIS launched Operation Sidewinder in 1995. That operation, which was
to look at the influence of Chinese officials and tycoons at the Hong Kong
mission, was also abruptly halted.
The investigation into the penetration of CAIPS is now being conducted by
Sgt. Sergio Pasin of the immigration and passport section of the RCMP in
Ottawa.
"There is enough evidence in this case and in my other reports to initiate a
public inquiry . . . but for some reason nobody wants to do anything," said
McAdam.
"If the RCMP does not tell the government that a disaster has occurred,"
said Read, "the government cannot decide how to react to it, cannot
decide when to tell the people of Canada what has occurred.
"They have Balser's report, McAdam's testimony, the missing files in Hong
Kong . . . and my report.
"Why won't they do anything?"
@HWA
35.0 DoD Preps to Fight InfoCriminals Both Foreign and Domestic
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by mmuliin3
The Joint Task Force on Computer Network Defense
came to full strength in June and is in now ready
monitor the nations defense networks for cyber attack
regardless of where that attack may originate from. The
JTF-CND works out of Global Network Operations and
Security Center at Defense Information Systems Agency
headquarters in Arlington, Va. and is under the control
of Space Command. (Interesting quote in this article
"We don't get real worried about Web page hacks," said
Army Col. Larry Frank, chief of operations. "That's an
appearance issue." - Somehow I don't think he gets it.
Government Computer News
http://www.gcn.com/vol18_no27/news/440-1.html
August 23, 1999
DOD set to fight hackers both foreign and domestic
Task force monitors network to give department another layer of protection against cyberterrorism
By William Jackson
GCN Staff
When the Defense Departments Joint Task Force on Computer Network Defense opened for business last
December, it found plenty to do.
We have been at cyberwar for the last half-year, deputy Defense secretary John Hamre said. At least we had
a place to work on it.
Hamre spoke at ceremonies this month to mark the task forces coming to full strength in June. Since then, an
interservice staffsupported by the DOD Computer Emergency Response Team, an intelligence cell and law
enforcement liaisonshas been monitoring the Defense Information Infrastructure around the clock. The task
force works out of the Global Network Operations and Security Center at Defense Information Systems Agency
headquarters in Arlington, Va.
So far, none of the cyberthreats has proved serious. But Hamre said DODs primary mission is to prepare for the
next battle, buying the infrastructure in advance that we know we are going to need at some time.
Hamre has testified to Congress about the threat of what he called an electronic Pearl Harboran attack on the
nations information infrastructure. He said he was referring not to a devastating surprise attack but rather to
military preparedness.
It wasnt that we got hit, but that we were ready to respond, Hamre said.
Warning signs
Until recently, DOD has not been ready to respond to a full-scale electronic
attack. Air Force Maj. Gen. John Campbell, DISA vice director and task
force commander, said the network defense unit grew out of the Eligible
Receiver 97 exercise in 1997, in which National Security Agency teams
waltzed into DOD systems using off-the-Internet hacking tools.
No one was then in charge of defending DOD networks, and it showed,
Campbell said. Awareness was reinforced by the monthlong Solar Sunrise
assault on DOD systems by a pair of teen-agers last year.
Today, we are really serious about protecting our networks and our
systems, Campbell said.
Although the task force is physically at DISA headquarters, organizationally it is part of the Space Command,
reporting to the commander-in-chief at Peterson Air Force Base, Colo. The task force uses DISAs global
network management capability to monitor and analyze problems on DOD systems and coordinate responses.
We dont fix the computers; we look at the operational side, said Army Col. Larry Frank, chief of operations.
The other thing we bring to the table is command authority. DISA has no authority over any of the services.
The task force this spring encountered the Melissa computer virus, which spread rapidly by e-mail and
threatened to swamp some DOD systems. The virus struck on a Friday, giving a two-day weekend buffer. The
Defense CERT responded with a patch to block the virus within 12 hours.
We were lucky it wasnt very damaging, Frank said.
The task force was aware of hacks against DOD Web sites during the air
war in Kosovo, but they were not operationally significant, Frank said,
because DOD does not rely on the Web to carry out its missions.
We dont get real worried about Web page hacks, he said. Thats an
appearance issue.
The task force has a judge advocate on staff liaison officers from DOD
criminal investigative agencies.
It also maintains a working relationship with the FBI and other law
enforcement agencies. Most attacks come from the outside, Frank said,
and dealing with them is a law enforcement issue.
An attack from beyond U.S. borders might become an intelligence issue.
National jurisdictions are blurred in cyberspace, Frank said.
@HWA
36.0 Another Big Hole Found in NT
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by newbie
NTA Monitor Ltd has discovered that Windows NT with
SP4 is vulnerable to Predictable IP Sequence Numbering,
also known as IP Spoofing. IP Spoofing is a technique
used to to make it appear that a user has a different IP
address than he is supposed to have.
NTA Monitor
http://www.nta-monitor.com/news/NT4-SP4.htm
Microsoft
http://support.microsoft.com/support/kb/articles/Q192/2/92.ASP
NTA Monitor
Leading Security testers NTA Monitor Discover Security Flaw in Microsoft NT4 SP4
25 August 1999
NTA Monitor Ltd have discovered a flaw (known as Predictable TCP Sequence Numbering) in Microsoft NT 4 when used with Service Pack 4 (SP4), which
means that it is vulnerable to a range of attacks known as IP spoofing. Microsofts web site has referred to SP4 correcting a similar problem with NT4 SP3, but it
is now apparent that although there has indeed been a change to the sequence numbering method used, the new method is no more secure than SP3.
NTA Monitor Ltd came across the issue in the course of an external test (also known as a Penetration Test) of the security of an Internet gateway for one of its
over 100 corporate customers, performing the Regular Monitor test service. NTA Monitor reported to the customer the fact that one of their public servers
appeared from other tests to be NT based, but had a different predictable IP sequence problem. Following confirmation from the customer that NT4 SP4 was in
use, NTA then performed bench testing to confirm that the problem is generic to the product.
Further discussions with Microsoft took place over several weeks, and Microsoft have now confirmed NTA Monitors findings.
Microsoft will be addressing this issue and making it public so that systems administrators with NT4 SP4 in use can review what action they should take in light of
this new risk.
Each user needs to weigh up the risks from this flaw in their own particular network environment, and the impact from a potential security breach. Individual
decisions will need to be made as to whether to temporarily disable NT4 SP4 servers from Internet usage, or move to alternative non-NT platforms, or to continue
as is, with heightened observation of the servers.
NT4 is widely used on the Internet by organisations for public-facing servers such as Email hosts (using for example Microsoft Exchange) or Web servers (
Microsofts Internet information Server (IIS) has large number of users).
This flaw allows an attacker to communicate with the victim device whilst appearing to be another system, such as a trusted host or another system inside the
organisations network, and thus to circumvent the devices protections against external Internet systems.
The simplest exploit possible would be sending perfectly untraceable fake email - which will be received by staff at the victim site and be indistinguishable from a
genuine email from the faked email From: address.
More serious exploits would include obtaining a remote log-in to systems as if from the organisations inside networks, and once achieved with further scope to
attempt to take full control of the victim system.
NTA Monitor will be posting news of this problem on a number of the Internet security mail lists and newsgroups.
Says NTA Monitors Testing Development Director Roy Hills:
"Although here at NTA Monitor we do a huge amount of security testing of corporate Internet security, we are not a security research company - and
so we were initially surprised to find such a flaw. It appears that no one else has spotted this before, and begs the question as to whether Microsoft
themselves did any testing after releasing SP4 for NT4...
"However, it simply highlights a message that we make every day - that active security testing is the only way to find out whether an organisation s
Internet perimeter is really providing the intended security - and this testing should be regular - monthly or quarterly.
"Every VP or Director of IT should ask to see their organisation's last Internet security test report.
"In fact many organisations have never had their security tested, and those that have tend to rely on an annual test - which is quite ineffective when you
consider the fact that there are typically 5 or 6 significant new Internet security risks every month, providing remote exploitation attacks on widely used
Internet software products."
@HWA
37.0 Korea to Block All Porn
~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by Lamer
The Commission on Youth Protection in South Korea
yesterday said it will ask to have the 26 local Internet
service providers (ISPs) to ban access to all
pornography. ISPs defying the government ban will be
punished with up to two years in prison or 20 million won
in fines, plus the cancellation of their business licenses.
The Korea Herald
http://www.koreaherald.co.kr/news/1999/08/__02/19990826_0211.htm
Gov't to block online porn from abroad
The government has decided to ban pornographic material from being provided
by foreign servers over the Internet.
The Commission on Youth Protection, which folds under the Prime Minister's
Office, said yesterday it will seek to have about 26 local Internet service providers
(ISPs), such as KORNET, BORANet and NETSGO, block pornographic sites
provided through foreign servers.
Existing laws ban pornographic material by domestic servers. But between 50
and 100 sites carried by foreign servers have been virtually unrestrained, and
officials noted that domestic pornographic program providers have used the foreign
servers, exploiting the loophole that limit domestic laws from being able to govern
foreign-based servers.
The special measure involves two steps that aim to make lewd material
inaccessible to all Internet users in Korea.
"The idea is to make hard-core, violent and perverted pornography illegal for all
users, just as we do with printed material," Nam Hyung-ki, a commission member,
said.
To that end, the commission said that it will first ask the minister of information
and communications to decree an administrative order to the nation's ISPs to block
foreign pornographic sites early next year.
At the same time, the commission will require ISPs to develop technical devices
and measures, such as real-name user-ID systems, to sort out the minors among its
users. Both commission officials and industry insiders said that such a measure will
take some time to take root, suggesting that an all-out ban on Internet pornography
is a more likely scenario in the near future.
ISPs defying the government ban will be punished with up to two years in prison
or 20 million won in fines, plus the cancellation of their business licenses.
Meanwhile, industry insiders welcomed the announcement, but doubted that the
measures would be effective.
"It is technically possible, I guess, to block pornographic sites to minors. But
there will always be some loophole, some minor who will use his or her parents'
name to click on," an employee at one of the nation's 20 ISPs said.
Updated: 08/26/1999
by Kim Ji-soo Staff reporter
@HWA
38.0 Grammatically Challenged InfoCriminal Defaces Site
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by Weld Pond
The Tucson Unified School District's web site was
defaced by what reporters have called a 'grammatically
challenged' individual. The defacement left obscenities,
misspellings, and grammar errors throughout the page.
Local officials are investigating.
Arizona Daily Star
http://www.azstarnet.com/public/dnews/121-8392.html
<this link is dead - Ed>
39.0 Bank Emails Virus to Investors
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by Yazmon
Last Friday Fuji Bank Ltd in Japan accidently emailed a
computer virus to a few global investors. A
spokesperson for Fugi said that the email came from a
machine that is not normally used and therefore was
outside what they normally monitor. The virus, on the
14th day of each month would display the message "big
stupid jerk".
Financial Times
http://www.ft.com/hippocampus/q14554e.htm
Fuji Bank bugs investors with rude e-mail
By Gillian Tett and Alexandra Nusbaum in Tokyo
One of Japan's biggest banks
has embarrassed itself - and
risked insulting some of its key
investors - by e-mailing a
computer virus to dozens of fund
managers worldwide.
The e-mailed memo was part of a
public relations offensive by Fuji
Bank, which last week announced plans for a merger
with Industrial Bank of Japan and Dai-Ichi Kangyo Bank
to create the world's largest banking group.
The bug will make recipients' computers display a
message from Fuji Bank on the 14th day of each month
telling the viewer in English that he or she is "a big
stupid jerk!". It also changes some of the names in the
e-mail to "Dr Mountain Dew".
Fuji yesterday admitted it had inadvertently sent out a
virus to dozens of global investors in a memo describing
the three-way alliance. When it discovered what had
happened, it sent a second e-mail warning recipients
about the bug and the insulting message.
"I have never received anything like this from a Japanese
bank before," said Brian Waterhouse, analyst at HSBC
Securities.
"I have also never heard of a case of a Japanese bank
having a computer bug problem before. But I suppose
that's a sign of technological change, and them catching
up with the rest of the banking world."
A Fuji official said yesterday: "This computer bug is
absolutely no joke . . . we have never seen anything like
this before. We are determined that this will never
happen again."
The bank said it had eliminated the virus from its own
software. It denied suggestions that the bug might have
been the work of employees opposed to restructuring,
saying it had come from "outside sources".
Fuji had produced the merger announcement in such a
hurry that it had taken the unusual step of outsourcing
some of its information technology procedures rather
than relying on its own staff.
@HWA
40.0 IS YAHOO SPAM OR ANTI-SPAM ORIENTED?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From http://www.net-security.org/
by BHZ, Friday 27th August 1999 on 10:12 pm CET
Is Yahoo for spam or against it? According to Wired reporter Chris Oakes , they play
on the both sides of the coin. "Yahoo distributes the advice to users of its Yahoo
Store electronic storefront hosting service. The Web site instructs users on how to
send out unsolicited email to target promotional partners for their Yahoo-hosted
storefronts." Read very interesting article on it below
http://www.wired.com/news/news/technology/story/21461.html
Yahoo Two-Faced on Spam
by Chris Oakes
3:00 a.m. 27.Aug.99.PDT
Can the Web's most popular site be anti-spam and pro-spam all at the same time?
Anti-spammers say the contradiction is alive and well at Yahoo.
See also: Yahoo: Keep Your Homestead
"Anytime you're saying 'look for a list of people and send them an unsolicited message,' that's spam," said Peter Seebach, president, of tiny ISP
Plethora.net in St. Paul Minnesota.
Yahoo distributes the advice to users of its Yahoo Store electronic storefront hosting service. The Web site instructs users on how to send out
unsolicited email to target promotional partners for their Yahoo-hosted storefronts.
Seebach said he encountered the advisory pages on Yahoo after being led to the Yahoo pages by way of an anti-spam mailing list.
"Step one is to build a list of sites that you want to get links from," reads the page, which is entitled "Build Traffic with Incentives." It reads:
...For example, if you are selling products related to show dogs, search for show dog in all the search engines. Add those sites to your
list, then follow the links to find others.
The instructions then recommend emailing the webmasters to try to get them to link.
But using Yahoo's email service to spam these folks is a no-no, the instructions warn:
"Note: Don't use your Yahoo! Mail account to do this, because all unsolicited commercial email is forbidden by the Yahoo! Mail terms of
service."
"Although this type of mail isn't really spam in the usual sense of the word, it is unsolicited, and your account could be canceled for it if
someone complains."
Is there a contradiction here?
"We're not advocating a form message or mass distribution," said Tim Brady, executive producer of Yahoo. "What we're advocating is to use search
engines to find related sites, write those sites down, and contact them. Probably somewhere in there, there's a judgment call."
Seebach said these stances are all the more alarming because they contradict the company's overall opposition to spam.
"In a lot other contexts, Yahoo has been fairly solidly anti-spam. So it's sort of surprising."
But Brady said there is no disparity in its policies. "Yahoo Store's terms of service forbid spam, and we have shut down sites for spam. There have
only been a couple of cases."
"I think our policies are consistent."
But to Seebach, there is no question about the nature of Yahoo's advice. "They didn't say 'find one person.' They said 'find people' -- plural -- and
they acknowledge that they'd [the Yahoo Mail service] kick people off for it. The community standard is that that's considered spam."
Elsewhere in the customer advice, Yahoo Store also instructs users on how to get search engines to display a Yahoo Store site address higher in
the list of search results. This activity, widely considered to be corrupting search results, is similarly disdained by the Net community.
Nick Nicholas, executive director of the Mail Abuse Prevention System noted that Yahoo's recommendations on search results are once again
contradictory.
"It's particular surprising to have that come from Yahoo. Because people are trying this all the time with sites like Yahoo."
But Brady said the search advice is sound and not seeking to trick search engines.
"We're clearly not advocating putting any irrelevant words in there. It's more of an education about how search engines work. If you have your
front page and it's all graphics and your competitor's is all text -- and your trying to understand why your competitors come up first in a search
engine -- this is a great education. It's design guidelines."
He did acknowledge that the company may need to adjust the language of the instructions.
"We remain strongly anti-spam and nothing we suggest or promote is in any way spam like we believe.... But I can see where potentially there's a
bit of a gray area here."
A gray area is problematic when it comes to stemming the growth of the Net's huge spam problem, said J.D. Falk, board member of the Coalition
Against Unsolicited Commercial Email.
"The problem with a gray area is that there's so many spammers out there that anybody in the gray area -- some people are going to consider it
spam. My advice is to stay completely out of gray area until the complete mass of spam dies down."
Editors note: By late Thursday, after this story was written, the page described above was changed. Yahoo removed the paragraph encouraging
mass email and the note warning users not to use Yahoo for such mailings. Because the article was accurate when written, Wired News stands by
the story.
@HWA
41.0 "NINES PROBLEM"
~~~~~~~~~~~~~~~
From http://www.net-security.org/
by BHZ, Friday 27th August 1999 on 9:51 pm CET
Everybody is panicking over Y2K bug who will hit us in 4 months. But did you hear for
nines problem? At issue is the impact of an old programming convention that used
four nines in a row -- 9999 -- to tell computers to stop processing data or to perform a
special task. Read about it on Wired.
http://www.zdnet.com/zdnn/stories/news/0,4586,2322320,00.html
--------------------------------------------------------------
This story was printed from ZDNN,
located at http://www.zdnet.com/zdnn.
--------------------------------------------------------------
Will 9/9/99 create Y2K-like havoc?
By Jim Wolf, Reuters
August 27, 1999 7:16 AM PT
URL: http://www.zdnet.com/zdnn/stories/news/0,4586,2322320,00.html
WASHINGTON -- A computer glitch that could cause system failures on Sept. 9 -- 9/9/99 -- is
about to get a lot of attention.
In a kind of dry run for the Year 2000 glitch, authorities and computer scientists worldwide will be
scrutinizing networks on that Thursday for any fallout from the so-called "Nines Problem."
At issue is the impact of an old programming convention that used four nines in a row -- 9999 --
to tell computers to stop processing data or to perform a special task.
End of file
In the relatively unlikely case that systems misread Sept. 9 as 9999 -- without zeros as in 09/09 --
they might confuse the nines with what programmers call an "end of file" marker.
Four nines in the date field could also trigger a grand total or a sorting operation, said Jim Kelton,
president of Software Unlimited, an Irvine, California, software consulting firm specialized in
networks and Y2K.
"All nines could be interpreted as almost anything," he said. For instance, the nines might cause
computers to disregard data received after Sept. 9, causing a cutoff in the updating of bank
records.
The glitch, which the financial industry has been fixing as part of its $9 billion Y2K preparations,
could figure in customized applications written in decades-old computer languages such as
FORTRAN, COBOL and RPG, experts say.
Robert Banghart, director of development at Unisolve, a Costa Mesa, California, software firm
working on the Y2K glitch, said a string of nines long had been used to tell computers to ''end a
routine,'' or no longer execute certain instructions.
Rehearsal for preparedness
In a worst-case scenario, four nines in a date field could spark problems not unlike Y2K, a coding
glitch that threatens to keep ill-prepared computers from distinguishing the year 2000 from the
year 1900.
The U.N.-backed International Y2K Cooperation Center, a global clearing house for millennium
bug data, is using Sept. 9 to rehearse a plan aimed at keeping up-to-the-minute tabs on how the
world is faring as it enters 2000.
"It's a dry run for the rollover date," said Lisa Pelegrin, spokeswoman for the Washington-based,
World Bank-funded center. "We will be testing our reporting system."
That reporting system, to be updated in real time on the center's Web site, www.iy2kcc.org,
ultimately will reflect the input of 170 or more national Y2K coordinators.
On the center's Sept. 9 shakeout run, about 15 countries are expected to take part. For the most
part, they are members of its steering committee -- Britain, Bulgaria, Chile, Gambia, Iceland,
Japan, Mexico, Morocco, Netherlands, Philippines, South Korea and the United States.
New Zealand and Australia, also active backers, are due to report in. Graeme Inchley, Australia's
Y2K coordinator, told Reuters that he was ``absolutely convinced'' Sept. 9 would go by without a
hitch.
First test for Y2K center
Sept. 9 also will mark the first test of a $40 million-dollar U.S. inter-agency Y2K center meant to
give U.S. decision makers a round-the-clock view of Y2K problems in their areas of
responsibility.
Likewise, on Sept. 8 and 9, the North American Electric Reliability Council, an industry group,
will rehearse an emergency scenario to test operating, communications and contingency responses
for the Y2K transition.
"If all goes well in this drill, the electric utilities can pat themselves on the back; if not, they may be
tempted to blame the 'nines','' said Janis Gogan, an information technology expert at Bentley
College in Waltham, Mass.
Mitch Ratcliffe, editorial director of publisher Ziff Davis's Y2K Web site, rated Sept. 9's chance
of triggering problems as extremely low because the date would have to be misrepresented --
without zeros as in 09/09 -- "in a way that defies logic."
"The Nines Problem is almost totally a myth," he said.
@HWA
42.0 Stealth Coordinated Attack HOWTO
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This was emailed to us by the author and is a very well written piece full of important information for
the sysadmin and hacker alike, definately a must-read by all. - Ed
Contributed by Dragos Ruiu
note: this was written before the l0pht antisniff annoucement was made so that's why the future tense.
And I'm not talking about route table hijacking as the DHCP vulnerability :-).... cheers, --dr)
Cautionary Tales: Stealth Coordinated Attack HOWTO
By Dragos Ruiu
A lot has been written in the popular media about the effects of hostile coordinated traffic attacks
(hacking), and, as a sysadmin, I find my systems increasingly under attack by hostile sources. Two years
ago, we got mapped and port-scanned for vulnerabilities once a month. One year ago the scan frequency was
up to once a week, and these days we get scanned several times a day with real attack attempts at least
once a week. The Internet is becoming an increasingly hostile place and the traditional defenses and
documentation of attack systems seems woefully inadequate. With this article, I hope to remedy some of the
false misconceptions of security that some admins have. Yes, I hope that descriptions of these attack
techniques scare you into beefing up security on your home PC, at your office, everywhere. Over the last
fifteen or so years, as a sysadmin of network connected systems, I have seen the knowledge of computer
technologies propagate across the spectrum of human population, bringing with it the traditional demographic
including the stupid people, the malicious people as well as the helpful and the apathetic people.
With the burst of Internet technology over the last few years there has also been a burst of new computer
adoption, increasing pervasiveness of computing and networks and increasing occurrences and danger/damage
caused by hostile computer use. While I don't believe for a second the over-inflated, hyped-up estimates of
the cost of these hacker intrusions bandied in the media, I can vouch that the problem is real. As the chief
technical weenie of our company, NetSentry Technology, I've been manning the front line defenses of our company
net equipment. I've also been documenting the increasingly hostile nature of attacks on our network and would
like to share some of my experiences in this area. The technical level of the attacks is increasing at an
alarming pace, and I haven't seen any documentation of these new attack techniques yet, so here are some
cautionary tales culled from our real-life experiences. My hope is that after reading this you will re-examine
your own network security. Most organizations are woefully under-protected.
The ISPs are having increasing difficulties in responding to customer requests for assistance in intrusion cases
and the police are even further under-staffed and out-gunned technologically. So increasingly, it leaves companies
to fend for themselves to secure their systems. Here is what you have to worry about.
I wish I could take credit for all the techniques described here, but a majority of them were derived from
analysis of traffic used for hostile attacks on us. Credit belongs to the anonymous hackers that have taken a run
at our defenses. I write the following from the point of view of the attacker to emphasize the point that security
is vastly neglected at most sites and because I want to ask, what will you do when faced with these attacks? And
what can you do with your current defensive equipment? Not much, I wager.
The phases of a successful attack are A) Reconnaissance, B) Vulnerability identification, C) Penetration,
D) Control, E) Embedding, F) Data extraction/modification, and G) Attack relay.
A) Reconnaissance
The first part of a successful attack is to get to know the network topology in the region surrounding your
target and the parties it communicates to. This is also an important part of the penetration of each successive
layer of your target's networks. Currently, the best publicly available tool for net topology identification is
Fyodor's excellent "nmap" program and derivatives. The objective of the reconnaissance is to understand as much
about the target and to identify attack destinations defenses and potential attack relay bases.
In private circulation, the following tools exist or will soon exist:
Attack Tool: Coordinated multi-site scanners. Mapping software that distributes the mapping "probe" packets to be
sent to the destination addresses and nearby sites over a number of geographically dispersed attack sites, and
trickles them out at low rates to avoid detection so that there never is a lot of traffic at any one time or from
any particular site (see stealth section). The results of the pokes and probes at the target that these systems
send is summed and collated to build a picture of what equipment the target has installed. There was a lot of
noise in the press earlier this year as some of the crude versions of these coordinated scan tools were aimed at
US military sites, but either the operators of these tools have improved them to the point where the relatively
immature military defense systems no longer identify these scans, or the military has found some other threat to
highlight in the press and use to get funding.
Attack Tool: Sniffer Detectors. Sniffers produce unique traffic patterns that may be detected. They also provide
some interesting penetration vulnerabilities, as their network interfaces are placed in promiscuous mode, allowing
all packets past the address filters to be processed by network stacks and applications. Some attack methods
directly target security systems, which, ironically enough, are often notoriously insecure themselves. Once the
security system is penetrated, all kinds of nice information like traffic patterns and passwords may be gleaned,
and evidence of your attacks can be conveniently removed. And because of promiscuous listening in the sniffer you
can even take it out with traffic destined for a different system.
Attack Tool: DNS Zone transfer. A DNS zone lists the externally accessible points a company maintains. A nice map
of the externally visible systems that your target has put on the Internet and a great attack point list. Not many
sysadmins go over the name server records closely enough to detect this, however the more advanced intrusion
detection systems are getting better at identifying these kinds of transfers as pre-cursors to an attack.
The important information to gather is the DNS names and addresses of the target's hosts and neighbors. Then you
must further identify the OS and open port configuration of each of your target's systems. The latter is determined
using site scanners and analyzing the responses that a site delivers. Current tools such as "nmap" and "queso" are
getting very good at determining device, OS version and some network application configuration information from
careful analysis of the timing and contents of responses to probing or mapping traffic. The OS and port
configuration are used to identify systems that could have software packages with vulnerabilities and bugs open
for exploits.
Knowing who your target's ISPs are by analysis of address use can provide useful attack bases for your onslaught
Getting into their ISP's equipment and servers first could enable you to get important information about them and
if you can subvert equipment installed on the same network links as your target can let you glean important
information such as traffic patterns of your target. All without your target even suspecting. It may also be
easier to penetrate the ISP than a secure target. Some ISPs such as @Home even keep extensive (but often out of
date) databases listing customer's hardware and software configurations as well as other info, which if accessed
can mitigate some of the dangers of triggering intrusion detection systems with your site scanning traffic.
Once the traffic patterns of the target's external traffic are known, a basic technique to take out a secure target
is to first take over a less secure target that your main target talks to, and then come in to your main target
under the cover of that site's usual traffic. Any site your target talks to periodically, including popular web
sites, employee's dial-up accounts, and system traffic, such as network time protocol (NTP) clocks, are all
candidates for attack relays. Sprinkling in your attack traffic with large web downloads and ftp transfers will
make it more difficult for security personnel to use sniffing and detection tools to identify your attack, as
scrolling through reams of logs and captured data can often be more time consuming than possible with most network
staffing levels. Taking out and controlling your target's conversation peers can provide you with useful channels
through your target's defensive firewalls and detection systems. Your traffic will look on all the scanners like
that web-site the Joe in IT is surfing to, but will provide you with a nice channel right past all the firewalls to
a machine inside the core of your target's net.
One useful target is the DNS caches and servers that your target uses at your ISP. Accessing the DNS logs can give
you the addresses of all the sites that your target talks to, and furthermore, careful analysis can even give
indication of when the activity happened, or is happening, offering excellent potential for cover.
As we'll talk about later, owning the DNS server can have many benefits. In general the DNS servers are ripe with
hacking opportunities.
Another useful target is the ISP DHCP server, which is used to dynamically assign IP addresses to clients on
connection, as it can be used to identify periods of system activity from the logs, and also periodically
establishes connections to the client systems as the address leases expire. A common DHCP vulnerability also
allows client system takeover from this ISP host. DHCP address lease expiry also provides a nice way to signal
embedded attack software at pre-determined times to do things like wake up in the middle of the night and send
data when no-one is looking.
An often available source of useful relay bases for attacks is other systems in the same ISP client pool (on the
same modem bank, other ADSL users on the same DSLAM, or cablemodem users on the same segment), which are in many
cases default configuration, open like Swiss cheese, Windows systems - typically with file-sharing turned on and
personal web services enabled, a combination that sports a plethora of available vulnerabilities to exploit. After
taking out the easy "marshmallow" soft client PC, the adjacent main target can then be attacked using local subnet
attacks, offering again some potentially powerful techniques for hiding from and exploiting your target's security
systems. In easy cases, the equipment rack will bridge broadcast traffic between the "marshmallow" and the target,
allowing use of address resolution traffic such as ARP and DHCP to be used for system attacks and control. For
stealth, these kinds of attack bases are excellent too, because the broadcast traffic is largely repetitive, very
voluminous, and mostly uninteresting, which, combined with a great immaturity among the security tools for this
kind of traffic, make it a ripe vulnerability area. Local area broadcasts can also be used as another "mapping"
system too, even in passive listening to traffic at the nearby "marshmallow". By recording the address lookup
broadcasts from your target, you can build up that traffic pattern information so that you can sneak into the site
undetected.
Another often overlooked source of mapping and reconnaissance information (and break-ins) is the management systems
the ISP may be maintaining. The Simple Network Management Protocol (SNMP) that most of these systems use is a bit
too simple and is ripe with vulnerabilities, rich with information (including complete remote sniffers useable to
pick up passwords in some RMON MIB equipment) and lame about security.
The most powerful relay base for attacks is the ISP's router system. Once you control the paths of your target's
packets, you really have them at your mercy, as you can silently redirect any of their traffic to your attack
relay bases without them knowing, and other fun tricks. However, most ISPs guard their Ciscos and other routers
as the most valuable resource with the most defenses, so this is really a target for the most daring and brilliant
attacks.
B) Vulnerability Identification
The objective of the mapping phase is to find externally accessible traffic paths into your target's net systems.
Over the last year it has been easy to see what are the most popular scriptware for the so called script-kiddies:
the low-tech, mostly teen, hackers who just download pre-compiled exploits and run it blindly against targets.
The standard script-kiddy technique is to set up a broad address sweep broadcast of probe traffic, to the whole
section of the Internet that seeks some sort of response from the target, that would indicate that software is
installed with the vulnerability the exploit is using.
The classic vulnerabilities that we frequently see sweeps for are:
o FTP Server Exploits. Especially vulnerable are servers with anonymous write access.
o NFS and SMB share vulnerabilities.
o Holes in POP and IMAP mail delivery servers.
o Vulnerabilities in the "bind" name daemon software.
o Web server CGI exploits (Apache, MS IIS).
o Installed control daemons such as BackOrifice.
The scans for these holes are so common these days that it is difficult for most sites to even catalog origins of
such scans. These kinds of scans are so commonplace that, as long as traffic volume and frequency is controlled, it
is possible to conduct them with relative impunity. But the attacker has to be prepared for the case of zealous
sysadmins who contact ISPs and complain about port-scans. Never port-scan from a node you are not prepared to have
disconnected, seized or otherwise lost. Here, the best policy is to use the least useful and network connected
systems in your attack fleet of controlled systems as they may be lost or jammed and blocked by firewall software
when the hostile mapping probe traffic is detected. Mapping traffic stands out like a sore thumb when pointed at
systems not running the vulnerable software - if the target has the tools to analyze this kind of attack (i.e.
Abacus Sentry). If attacking a net-savvy sysadmin, he will be able to detect things like IMAP probes against
servers not running mail software. However, even these days, targets with effective intrusion detection systems
are few and far between. And sysadmins with enough time to examine, properly and frequently, all their logging
systems are even fewer.
At the sites that have management and security systems, these are ripe targets too. Penetrating the security system
has the best advantage of rendering the target effectively blind. I have seen experienced sysadmins dismiss
unquestionable, hard evidence of tampering because their beloved and trusted, but thoroughly compromised, security
sniffer shows them that there is nothing to worry about - or doesn't even show that kind of data at all. The other
factors in the attacker's favor are the egos of the network designer and IT group. Every sysadmin thinks their
defensive plan is carefully thought out and "their" system couldn't possibly be penetrated. Here at NetSentry we
used to contact operators of systems that had been compromised and were now being used for attacks against us. But
after many hours of fruitless attempts to convince maintenance personnel, who, if you did reach them, often didn't
even understand the attack traffic their own site was launching, insisted that it "couldn't possibly be our system,
it must be your equipment or monitors that are wrong."
I remember very vividly one ISP we contacted: when we were watching, in pretty much real time, as the attackers were
compromising system by system at their site and using each as a base for attacks against us, how their support person
and security specialist looked at some local system when we called and decided that we couldn't possibly be correct.
An hour later, as the ISP's systems being used as attack relays switched from probing to all out denial of service
flooding and attacks, we called back and everyone had happily gone home for the night there. We never did bother to
call them again and as far as we know the attacker still owns all their systems. The only guys who really took one of
our attempts at warnings seriously was the security department at a regional bank, who came in on a Saturday to put
sniffers on the line - but they were a notable exception.
The best targets are those that are the most widely known, used, and difficult to take off-line or re-locate. Mail,
DNS, Web and FTP servers all fall into this category. With these servers, sites that notice suspicious traffic will
often not off-line them because they are critical to network operations. And even if they take them off line and
restore them from backup, or otherwise keep you out, they are often forced to bring the servers back with the same
vulnerability as was available for initial entry because user complaints about the unavailability of network
resources override the attempts to identify and close the hole.
Like penetrating the sniffer and management systems, the mail servers also provide excellent opportunities at
invisibility, by letting you monitor internal conversations, what aspects of the intrusion have been detected and
what countermeasures are being mandated.
C) Penetration
The most successful hack is the one where the target doesn't even know it has been penetrated. The next best thing
is that when the intrusion is detected, they won't know where it's coming from. Since the source may be detected,
it's better to use attack relays so the attacker's anonymity can be maintained. The general technique is to quickly
find some clueless newbie who has put his home system or office server on the net with major vulnerabilities, and
use that as a relay. Never use a system with your name or organization attached to it to attack.
Use several levels of indirection and make sure you cross several geographical and political boundaries to hide your
trail. ISPs in the same country often will not share log information and this gets even more difficult across borders.
I listened with sympathy when I heard a poor overworked security colleague who works for the Canadian RCMP describe
the nine month process (!) for the paperwork to request log files from U.S. ISPs. The police and ISP security
departments often have their hands tied by procedure and policy and general understaffing. The more organizational and
geographic boundaries that your attack redirection trail can cross, the more safe and anonymous you will be.
People complain about the lack of anonymity on the net, but for those that cross that line into unauthorized systems
use, there is altogether too much anonymity. It's often almost impossible to follow a chain of connections through
multiple ISPs and countries. The hidden are truly anonymous on the net. Sysadmins should give up now on the romantic
idea that you will be able to track down who is attacking you - it's just another bunch of random numeric addresses,
and even if you trace it down to an ISP, their logs will only point to another ISP and so on.
If the attacker can knock out the target's intrusion and sniffing facilities then you can proceed the rampage though
their network with relative impunity, but even if you don't have the technology to compromise such systems, there are
a number of techniques you can use to make your attack more stealthy.
Attack Tools: Firewall tunnels. There are a wide variety of virtual private network and proxy programs, which you can
use to relay your traffic to inside a protected network and not make the traffic appear on an intrusion detection
system. Literally dozens of such firewall "borers", such as HTTPtunnel, are available now in source and binary form.
These tunnel programs relay your traffic through the firewall and IDS systems by making it look like innocuous
transfers to and from your "mole" system to common web-sites and other forms of traffic "chameleoning" to make it
look unexceptional. These tunnels embed your attack and control traffic inside this relatively innocent looking
traffic to seem like HTTP or partial TCP fragments. These tunnels can also encrypt your traffic, making it more
difficult for your target to identify the penetration methods.
Most sites employ hard-shell, layered network security. That is to say the links external to the organization have
firewalls and net proxies to restrict access to the inside network. The standard technique is to have a hardened
Demilitarized Zone (DMZ) made up of firewalls and security IDS systems. The most secure sites will have multiple
servers and systems dedicated to these roles, but the majority of installations often rely on one inadequate server
for this gatekeeper function. And once you are through this shell, which is checked most often by maintenance
personnel, you are usually into the internal network that has almost no security. Another often overlooked security
breach is to use floppy based Linux distributions such as the Trinux project, or client software for common Windows
and NT systems, to carry in such a tunnel program physically into the organization where it can be surreptitiously
installed on a system inside the "hard" shell. This "mole" or tunnel can then penetrate the security from the inside
where vulnerabilities are seldom checked. >From this attack relay base, you can proceed to scan the internal systems
and take over other servers, further embedding your control of their infrastructure.
Firewalls are hardened quite well these days. But even so, some firewall operations can be predicted and broken, in
areas like the port number sequences of outbound connections. With predictable sequence number connections, firewall
connections c
an be hijacked and attack sequences passed through the defenses. And while firewalls are often tough,
many sysadmins make mistakes and leave vulnerabilities open on the host the firewall runs on (like running Microsoft
IIS on the firewall), allowing penetration and access to both the internal and external Ethernet interfaces on the
box for malicious software to bridge packets between the two. Once the host with network interfaces on both segments
is penetrated, packet hijack software can grab the packet and relay it to the other interface before the firewall
software even sees it, essentially providing you with an invisible back-door into the target.
Some forms of firewall penetration do not even involve bypassing the firewall. One interesting attack technique it
to identify frequently visited sites by the target, taint the DNS database with a forged update to their DNS server
or cache so that the next time the target client contacts the frequently visited site, the traffic is pointed to one
of your attack systems instead. This attack relay system can conveniently embed your attack exploit in relayed copies
of the original web site. With modern Java enabled browsers, the client naively executes any code the supposedly well
known site, which is in reality your attack relay, sends. The data is sent in response to a client's request through
the firewall and walks right past the intrusion detectors, virtually indistinguishable from ordinary data. This
attack mode is also available by taking over the target ISP's router or DNS server.
Other forms of stealth involve penetrating SNMP traffic statistics or nearby systems at their ISP or other peer
clients to identify traffic activity. The design flaw of the Internet that makes identifying forged source addresses
a difficult problem can also let you hide the origin of the attacks (so called "spoofing"). If attack traffic is sent
from (or spoofed to look like) a source that is currently sending a lot of data to the target, it makes it that much
more difficult to spot the attacks. This buries the attack packet amongst reams of other voluminous data. It quickly
scrolls the attack packets off the screen of sniffers and makes network security staff at the other end go through
the tedious "find the needle in the haystack" procedure of sorting and filtering megabytes and megabytes of capture
data if they suspect the attack. Most of the time they will not have the patience to exhaustively search for attacks
by scrolling though the captures and logs, again rendering you invisible.
After penetration, further attack software can be embedded in ordinary traffic to transfer it into the target's
systems. Patience is the key here. The lower the data rate that can be used to get the information in and out, the
lower your chances of being detected are. Spreading out your packets, so only a few per hour are transmitted, makes
your hack very difficult to detect with today's tools. (However, we have developed some special tools to counter
this kind of attack.)
One of the more devious penetration methods we observed was a system that trickled data in and out in the normally
unused padding at the end of user data packets. On normal sniffers and detectors, the packets looked completely
innocent, as even those tools did not display the padding "garbage" used for the hack. This padding was used to
install malicious software by trickling the attack executable into the target a little bit at a time, a few bytes
with every packet.
Another interesting stealthy attack system that will negate most firewalls is to embed your hacking control channel
for your attack bot software and results and information back from the bot in addressing translation requests, that
by definition need to be passed on by firewalls. One such clever system we experienced was an attacker who penetrated
another nearby client node on an ADSL system. They then penetrated one of our systems (a sniffer of all things) and
installed a key-stroke logger that encoded the keystrokes typed at the console into the address field of Address
Resolution Protocol (ARP) lookup messages, which were happily passed through the firewall and relayed to the attacker
at the nearby system outside the firewall on the same subnet that received the ARP encoded keystrokes. This key logger
even delayed, encrypted and grouped keystroke transmissions to make detection more difficult. We have also seen
keyboard loggers that were clever enough to store your keystrokes on disk, in case the system was disconnected from
the network (like a laptop) for a while and then trickled them out later when the net connection was re-established.
Key loggers provide easy access to most authentication tokens, scrambling keys and passwords.
The basic form of penetration is to use stack smashes which take advantage of basic low level coding bugs in a piece
of applications software or an operating system component. The form of a stack smash exploit is to utilize a data
coding that allows variable length data that you send to be erroneously copied into fixed length buffers or variables,
and writing into data past the end of the buffer. Since this data can overrun the stack, you can overwrite a return
address for the currently executing function and make the processors CPU jump to and execute arbitrary code of your
choosing. If the bug exists in a privileged piece of software, these instructions that you jump to are virtually
unlimited, allowing you to do literally anything with the penetrated computer.
The problem with this form of attack is that it often requires detailed knowledge of the operating system and memory
map of the target. Often this form of attack will have to be coded in multiple ways to account even for the version
of OS and software package being penetrated. The drawback for the attacker and the advantage for the defender is that
usually stack smashes involves "groping" around blindly, sending multiple variants with different offsets and values
until the appropriate magic version number that works correctly and responds back is found. In some cases an incorrect
variant can crash software and systems, necessitating lots of patience and long time delays between variants tried.
A common target for stack smashes are recent and older variants of the "bind" name daemon that is in almost universal
use to translate from symbolic DNS names and URLs into numeric IP addresses. The code and traffic structure of this
program is very complicated, difficult to debug and ripe with vulnerabilities and bugs. One 17 year-old hacker managed
to take over more than 12,000 systems over two years - before he was caught with an automated "bind" takeover worm.
Another common form of attack is to exploit the increasingly complex and powerful native data types of applications
software (especially Microsoft products that often contain several complete programming languages in things like word
processors and mail readers). Web server script exploits also fall into this category. The basic technique here is to
either hijack an existing connection and inject malicious data or to send unsolicited attack traffic that will take
over the application and eventually the system.
D) Control
Once you are into the system and have compromised a piece of software, the next bit of work is to get control of the
host. This is usually a bootstrap process, where a piece of small code, "the exploit", is first gotten into the target
and the vulnerability is used to execute the code. This code needs to contact one of your attack relay systems and
download further code and instructions. The simplest form of bootstrap is to allow remote access to a command shell
that can execute arbitrary operating system commands.
There are many forms of bootstraps, as they are often linked to the exploit itself, and some, like BackOrifice,
include a whole command interpreter. But those more advanced download a minimum of code and use existing portions of
the operating system code to build a remote control system attack bot. These advanced exploits can, in object oriented
fashion, build whole parallel network stacks and control systems that run invisibly in the background on the machines
using software already installed on the machine.
A portion of the bootstrap process during attack is to restart or patch the application that was crashed so that the
intrusion is not noticeable. Other important parts of this process include cleaning up the log files to remove
intrusion messages and hiding the attack bot so that it isn't listed in the task viewer or process list. "Scrubbing"
the log files can be easily accomplished by recording the file pointers to important log files at exploit time,
installing and bootstrapping your attack bot and then "rewinding" the log files to their pre-attack positions to
erase any evidence of the installation by overwriting the operating system file pointers in memory with your
pre-attack copies. Subsequent log entries will overwrite the evidence of the attack. Log files to be cleaned up
include sniffer capture files, system event logs, DNS and other daemon diagnostic files, IDS systems files and file
integrity checkers like Tripwire. The good attack bots make log-files almost useless for intrusion detection.
Your attack bot can control the machine up to the privilege level of the software that has been penetrated. It can
access any resource that the original software could. In many cases, this will not include super-user "root" or
"administrator" privileges and you will need to use another local exploit to break in further. One alternative
approach is to download a password cracker and dictionary to be stored in invisible files or unused portions of the
disk and let this cracker run in the background on the machine (invisibly off any task list of course), using a brute
force search for the password on the same machine. This generates little traffic, and is very difficult to detect by
the target, as the machine will work silently to crack the password for you when idle. One such attack system that
was used against us used a remarkably compact word-list and a very patient brute force cracker - to good success.
Super-user privileges are not needed all the time. Even in cases where the cracked software has been limited to
accessing only a few resources, it is often enough to use the system as an attack relay base. One of our attackers
used a "bind" exploit once on a firewall system where we had purposefully confined the non-privileged version of
"bind" program to a "chroot" jail that limited filesystem access to a very small subset of files. This didn't stop
the sophisticated attacker much, as even the ordinary user privilege "bind" already had permission to access both
internal and external Ethernet interfaces and bridge packets between the two to bypass the firewall software.
With careful design, your attack bot can allow you to encrypt, hide, download, remotely install and run arbitrary
software packages, and send traffic so that even sniffers installed on the target do not see the packets. It is
relatively straightforward to insert and remove packets from the network card, transmit and receive queues, so that
normal OS security and logging measures on the penetrated host never even detect the traffic (including bypassing
low-level transmit and receive counters). Similarly, it isn't a major technical feat to hide the bot tasks so that
they don't show up on system diagnostics. You can completely remotely control a machine and run programs on it,
upload and download data, without any indication to the user other than occasional sporadic slowness - which on
Windows is almost indistinguishable from normal performance, and Linux and NT aren't much better.
E) Embedding
After you have gotten in and have control of the target, the next step is ensuring that you can retain control even
if your actions are discovered. You need to quickly map the local net and penetrate any other system suspected of
being a sniffer or key communications links, such as mail servers, to observe any suspicion of intrusion on the part
of the target's IT staff.
The next portion of clean up is to trickle in any additional attack code into the target and whatever is needed to
make your controlling attack bot install and hide itself on disk. The point here is to allow your bot to survive a
system re-boot and retain control so that you do not have to go through the dangerous - and detectable - attack and
clean-up sequence again. Several techniques have been observed for doing this. One is to overwrite existing and
little used OS files that exist in nice, known predictable places/paths, but are seldom used (the more marginal
games that come with OS distributions, and terminal definitions for obscure terminals quickly come to mind for this
purpose). A sophisticated variation on this is to encrypt and spread your binary over many files (sometimes called
steganography). Another alternative that requires more low level programming is to use unused, empty portions of
local disks. The system then has to be modified to re-enable your bot after rebooting.
A variation on this hidden attack bot is to install a back-door that will lie dormant on the disk and install a small,
difficult to detect bot that waits until receipt of a special traffic trigger which will then set off re-assembly from
code pieces spread out on disk files and activation of the more powerful attack relay bot. This kind of traffic
trigger system could also be used to render the traffic invisible. One attack system installed itself across multiple
systems and suspended normal OS operations and triggered execution of the loaded command in the attack bot upon
receipt of a multicast trigger. The OS remained suspended until a time out or reset trigger was received, allowing
the exploit to run without any normal security and logging active. By using a multicast trigger, multiple systems can
be triggered and momentarily suspended simultaneously, and if the control bot is installed on any sniffer systems,
data recording was suspended while the attack bots execute their commands in this suspended state and send their
traffic, again rendering the whole attack invisible. Multicast traffic also has the added advantage of being not
reported in the default configuration of most sniffers, so unless the IT staff explicitly enables reporting, they
will not usually be aware of it. This kind of attack is very difficult to detect unless an operator is paying very
close attention to traffic LEDs.
One condition for the attacker to plan for is what happens to your bot if it is discovered. One attacker once used
a system that erased itself if it lost contact with the attack relay base for more than a certain period of time, or
if the system was re-booted (as would happen when a system gets off-lined because breaches are suspected). In this
way any evidence was erased whenever a penetration was suspected.
The Perl language, if installed on the target, provides a nice compact way to download very powerful programs with a
minimum of data transferred, and the standard Perl kit includes routines for embedding (hiding) your Perl script into
other binaries.
Another clever exploit is to store a piece of your attack bot bootstrap sequence on the network card itself. Most
modern network cards have 64 bytes (or more) of EEPROM that are used to store the 6 byte hardware MAC address,
leaving the majority of the space unused. More sophisticated server network cards even have more space for
downloadable firmware. The mostly unused network card EEPROM is typically loaded by OS drivers in its entirety -
usually to a fixed address static buffer. A small segment of code could be programmed into the card and executed
from this buffer by an exploit. The advantages to storing a portion of the attack code in the NIC is that it makes
tracing the activity of the exploit difficult for someone trying to reverse engineer the code, and more importantly,
a short program installed here will survive a disk formatting and OS re-install. This kind of exploit will lead to
a lot of head scratching and questions about "How the hell do they keep getting back in after a disk wipe?" at the
target.
F) Data extraction/modification
After you have established control, then you can get on with your nefarious purposes. Typically this will be data
extraction and modification on the target system. On Microsoft systems, the registry and Microsoft's own system
information utility, enable rapid gathering and dense transmission of key system configuration back to your attack
relay. Under Linux, the /proc filesystem provides the most rapid clues as to system configuration, allowing your
attack bot to build a summary of what it found on the newly penetrated server and transmit it to the relay.
Important attributes of data extraction and control of modifications for attack bots are to hide and encrypt this
data stream. It will be beneficial to spread these transmissions out over several relay destinations and have them
happen at low rates. One of the safer, stealthier data extraction systems is to embed the data in HTTP web transfers
that make up a large percentage of most site traffic these days. Putting your encrypted data deep into packets and
disguising it as JPEG or GIF binary data will help hide it. Most traffic loggers and sniffers usually capture only
the beginning of most packets, so embedding your data deep into the packet will make it all that much more difficult
to see, depending on what security tools your target is equipped with.
As was mentioned above ARP and DNS also provide methods of hiding your data transmissions. A key piece of information
on the path to hiding your attack bot data traffic amongst the target's traffic is understanding your target's traffic
patterns. You need to know when, how (what protocol) and who the target is talking to. Both Linux/Unix and Windows
come with some pre-made system tools that you can use to record these traffic patterns, without downloading much
additional software. The more sophisticated network cards under Windows come with RMON and other MIBs that can be
used to gather traffic pattern information, so that your traffic can be spoofed and modified to look like client
traffic requested by users at the target site. RedHat Linux contains many pre-installed mapping tools including
arpwatch and SNMP that can be used to monitor local traffic to see what kinds of traffic will likely escape detection
Penetrations of the target's ISP to get traffic stats can be a boon here too.
Another important kind of data hiding is to send your data in little bursts, and follow that data with a burst of
legitimate addressing or ARP traffic to scroll your attack data off the display screen of any sniffers in case you
encounter a fairly quiet traffic level at the target's system. Doing this kind of data transmission in the wee hours
of the morning will also lower the chances that there are any humans looking at status screens at the network control
center and noticing anomalies.
G) Attack Relay
The final step in attacking is to successfully use your new system as a relay base for other attacks. Building up a
large "fleet" of attack bases is its own reward - with more systems to attack from your subsequent conquests will be
more stealthy and difficult to track. But now your target relay site will likely notice if you start port-scanning
"trantor.army.mil" or other such contentious targets, so be careful (this is another real-life example scenario used
on us here). Most sysadmins will not take kindly to the possibility of getting phone calls from the U.S. military
asking why their servers are attacking them. But then again, most won't notice.
Attack-Tool: One clever exploit a hacker used on one of the "honey-pot" decoy systems we use as hacker-bait for
analysis was an SNMP triggered attack reflector. This system used two SNMP triggers to effectively hide the out-bound
attacks. The first trigger put the system into listen mode. After sending the trigger, the attacker quickly sends a
spoofed attack packet containing the attack to the relay system. The spoofed attack packet is coded to look like a
packet from the attack destination to the relay. Upon receipt of the second SNMP trigger and after a delay, the
recorded attack packet is sent back to the actual attack target with the original source and destination reversed.
In this way the sequence of the attack is seemingly reversed, with the local relay system responding with a single
packet after receipt of the single packet from the target. Unless you look carefully on most sniffers and IDS
systems, it looks like the target is attacking the relay system instead of the other way around.
A good ploy to avoid detection is to use many different attack relay or mapping systems and to avoid using the same
attack relay system twice in the same day or week with a particular target. An isolated packet here and there destined
for a strange system will not arouse many suspicions, but repeated transmissions to the same target could possibly
trigger off alarms at the relay or target - however unlikely that may be with most sysadmins asleep at the security
wheel.
Conclusion
I hope the above attack techniques scare any sysadmins reading this. As they should. Too many people these days feel
that security is keeping out the script-kiddies or installing a firewall. There are a lot of nastier things out there
on the net than the mindless script-hordes, so beware. I hope you can use this article to justify better security
measures to your boss. This stuff is out there - it's been used on us. Odds are these kinds of exploits have been
used on you and you have no knowledge of it. There are malicious minds developing new attack bots, and communities
of people dedicated to the breaching of security measures. I would even surmise that there are now organized and
funded efforts on the part of military and intelligence agencies to further develop such offensive software. One of
these days, organized crime may even wake up to this. As we are discovering, it's the law of the jungle out there on
the Net, and there are few places to turn to for assistance in case you get some malicious bozo attacking you. Often
you are left to your own devices, and with little support from your own organization, that may be technically
illiterate when it comes to network security. The only defense seems to be to stay technologically ahead of the
attackers - a constant and resource intensive process. The good news is that it's easier to play defense than
offence. Good luck.
P.S. You do have good backups, don't you?
@HWA
43.0 TAIWAN CIRCLES WAGONS IN CYBER-WARFARE
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From http://www.net-security.org/
by Thejian, Thursday 26th August 1999 on 11:40 pm CET
A senior Ministry of National Defense official wednesday said that Taiwan is capable
of defending itself from an information technology attack by China, but will not itself
provoke a cyber war. The ministry has also set up a special task force to oversee the
island's information warfare strategy, said the director of the ministry's Electronic
Communications and Information Bureau. "China has put a lot of effort into building up
its information capabilities in the past decade," Lin said. He added that Beijing has
conducted a few military exercises to test its information warfare development. "But
Taiwan is also working on it. We are not as fragile as many people think," he said.
Read more below
From Infowar.com
http://www.infowar.com/mil_c4i/99/mil_c4i_082599c_j.shtml
China: Taiwan Circles Wagons In Cyber-warfare.
A senior Ministry of National Defense official said yesterday that Taiwan is capable of defending itself from an information technology attack by China,
but will not itself provoke a cyber war.
The ministry has also set up a special task force to oversee the island's information warfare strategy, said Lin Ching-ching, the director of the ministry's
Electronic Communications and Information Bureau. "China has put a lot of effort into building up its information capabilities in the past decade," Lin
said. He added that Beijing has conducted a few military exercises to test its information warfare development. "But Taiwan is also working on it. We
are not as fragile as many people think," he said.
A power outage that plunged four-fifths of the island into darkness on July 29 intensified Taiwanese people's fear of a Chinese military attack. But while
those fears have gone unrealized, cross-strait tensions continued to rise in early August as hackers from both sides of the strait broke into each other's
government websites to post provocative slogans and national flags.
The Internet battle also raised public questions as to whether Taiwan has the capability to handle what will be a future trend - information warfare which
is widely viewed as a major challenge to the island's information technology.
Lin allayed such concerns, saying that Taiwan has the ability to counter China's information attack and has set up a military information warfare strategic
policy committee as the highest decision-making body on the issue.
Lin said that none of the island's computer systems broke down during the blackout. Generally, man-made mistakes cause 70 percent of computer
breakdowns on the island, he said.
"We have realized that killing viruses is not our top priority and a crisis-solving center should be established," he said. But because Taiwan has a limited
national defense budget, everything must be cost-effective, said Lin.
According to Webster Chiang, the vice chairman of the Cabinet's Research, Development and Evaluation Commission, the maintenance and
development of information protection systems accounts for only one percent of the national budget.
Chang Kwang-yuan, director of the information division at the National Security Bureau, said the bureau had tracked down 165 websites as the
sources of hacking by mainland Chinese on August 7. He said the some of the websites were found to be government-operated but declined to identify
whether the intrusions were orchestrated by the Chinese government or individual hackers.
Tang Yao-chung, an information science professor at National Taiwan University, suggested that the government devote more effort to the
development of Taiwan's offensive computer warfare capabilities. "Developing coding abilities is a profitable business and should be done by private
companies," said Tang. "But decoding and building offensive strategies are the government's responsibilities."
Lin said he does not encourage provoking China by Internet hacking, but said Taiwan is capable of standing firmly.
"On a legal basis, we don't encourage taking the offensive, although we do have the ability to handle any offensive aggression by China," said Lin. The
cross-strait cyber war is likely to continue as more websites from both sides are hacked. While Taiwan is focusing on more military purchases, the
incident provided a chance for Taiwan to re-examine its information security.
ASIA INTELLIGENCE WIRE
CHINA NEWS 17/08/1999
@HWA
44.0 UK WEBHOSTING COMPANY HIT BY VIRUS
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From http://www.net-security.org/
by Thejian, Thursday 26th August 1999 on 11:15 pm CET
UK-based Web hosting and development company Fortune Cookie Digital Media was
subject to an attack by the Backdoor-G trojan yesterday, affecting approximately 10
percent of the sites hosted according to the company. Full story
http://www.idg.net/idgns/1999/08/26/UKWebHostingCompanyHitBy.shtml
U.K. Web hosting
company hit by virus
by Douglas F. Gray, IDG News Service\London Bureau
August 26, 1999
U.K.-based Web hosting and development
company Fortune Cookie Digital Media was
subject to an attack by a "Trojan horse"
virus yesterday, affecting a number of Web
sites hosted by the company.
Approximately 10 percent of the sites
hosted by the company were infected with
the virus, according to Justin Cooke, founder
and managing director of Fortune Cookie.
Earlier media reports quoted Cooke as
stating the number as 30 percent, a figure
which he now states was "probably an
overestimation because [the situation] was
still going on."
The Trojan horse virus, called BackDoor-G,
provided access to passwords that uploaded
a second virus to the Web server, which
then infected certain default documents,
including default.htm and index.html,
according to a press release issued by the
U.K. company.
Cooke admitted that some of the Web sites
affected by the virus belonged to
"small-to-medium companies," but he
refused to name them.
The company release claimed that "all
affected Web sites were returned to normal
operation" within 20 minutes.
Fortune Cookie, in London, can be reached
at http://www.fortune-cookie.com/.
@HWA
45.0 NETSCAPE ISSUES WEB-SERVER FIX
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From http://www.net-security.org/
by Thejian, Thursday 26th August 1999 on 10:50 pm CET
Netscape and ISS X-Force have issued a patch for the buffer overflow problem in the
Netscape Enterprise and FastTrack servers. ".. an attacker can exploit the
vulnerability and remotely upload and execute arbitrary assembly language. An
attacker can write an exploit to get the computer to do what ever they want.."
according to X-Force director Chris Rouland. Infoworld has a story, Iplanet has a
patch.
http://www.iplanet.com/downloads/patches/detail_12_86.html
@HWA
46.0 CWI CRACKS 512 BIT KEY
~~~~~~~~~~~~~~~~~~~~~~
From http://www.net-security.org/
by Thejian, Thursday 26th August 1999 on 10:20 pm CET
Researchers of the CWI in Amsterdam, Holland, today announced that they have
been able to crack a 512 bit code. This ones more proves that this standard, which is
still used on the Internet for e-commerce transactions a lot, just doesn't cut it. The
technology they used (besides 300 workstations and Pentium II's :) will enable them
to crack any 512 bit code in the future according to CWI.
@HWA
47.0 MOUNTING AN ANTI-VIRUS DEFENSE
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From http://www.net-security.org/
by Thejian, Thursday 26th August 1999 on 10:00 pm CET
With computer viruses on the rise, and in the wake of the 'Melissa' incident, anti-virus
software becomes a part of the security arsenal. What's needed to keep the viruses
out? Some firms present their ideas and solutions in this article.
Mounting an anti-virus defense
With computer viruses on the rise, and in the wake of the
'Melissa' incident, anti-virus software becomes a part of the
security arsenal
By Heather Harreld
Anti-virus software, which often was viewed as the
security stepchild to sibling powerhouse technologies
such as intrusion detection and firewalls, has been
elevated to a new market status following the
"Melissa" virus, which in March infected machines
worldwide via e-mail.
Once sold mainly as a single desktop solution -
which users often labored to disable or bypass -
anti-virus software is being bundled with other
security solutions designed to secure entire
enterprises from security threats. Anti-virus software
has emerged as an integral component of agency
security efforts because viruses are more easily
transmitted in today's networked world, and the viral
breeding ground of the Internet has spurred
phenomenal virus growth.
Although the majority of viruses in 1997 were
transmitted by floppy disks, the major source of virus
infections today are from e-mail attachments, which
can be used to spread a virus at alarming speed. The
Melissa virus affected more than 100,000 machines
worldwide in just days by seizing users' computers
and e-mailing copies of itself to the first 50 names in
the e-mail address book.
In 1986, there was one known computer virus; in
1990 that number had jumped to 80. From
December 1998 to January 1999, the total virus
count jumped from 20,500 to 36,500. Today, there
are about 45,000 computer viruses in existence, with
new ones appearing every day.
"A lot of the virus attacks...are starting to blur the lines between [a virus or a
vulnerability?]" said Sal Viveros, group product manager for Network
Associates Inc.'s Total Virus Defense Division.
"It is much easier for a hacker to send an e-mail attachment than it is to
penetrate a firewall. We're seeing more destructive viruses that are hitting
more people."
Network Associates offers an anti-virus package that provides virus
protection spanning the desktop, groupware and gateways, and it also has a
security suite offering anti-virus software coupled with firewalls, intrusion
detection and encryption.
Viveros said the common alerting and reporting mechanisms from the security
suite enable a network administrator to react more quickly to problems. For
example, if a hacker finds an open port and uses it to insert a virus,
intrusion-detection and anti-virus software can work in tandem to provide an
accurate picture of what is happening on a network.
"You're starting to have rules-based reactions," Viveros said. "You're taking
away the need for the network administrator to be sitting there monitoring
those different things when they happen. By setting rules, the different
components are talking to each other."
Symantec Corp. in May announced its Digital Immune System, a strategy to
capitalize on its anti-virus technology, while coupling it with intelligent tools
designed to keep systems running at peak performance. With its anti-virus
software, the company will offer tools for server management, desktop
configuration, remote system operation and disaster recovery - all from a
single console.
Chris Mills, Symantec's product manager for Digital Immune System, noted
that the strategy will include advanced anti-virus management tools that enable
a network administrator to lock down policy requirements on the desktop and
configure virus responses that automatically go into effect upon detection. In
addition, the company plans to add security mechanisms such as e-mail
scanning, Uniform Resource Locator filtering and protection from malicious
Java applets, he added.
"What [customers are] worried about are threats to their enterprise," Mills
said. "It's not strictly an anti-virus concept. We're talking about protecting
your enterprise from unknown threats that will negatively affect your
credibility, your cost and your uptime."
Worldtalk Corp. has bundled multiple security mechanisms into its secure
server product, which is being used by the Energy Department and the Food
and Drug Administration. In addition to a server-based virus detection
solution, the company also offers access control,which regulates who a user
can send e-mail to and receive e-mail from, and encryption controls.
DOE's headquarters used Worldtalk's secure server to begin containing the
potentially devastating Melissa virus before a fix was even discovered for it,
said Charlie Smith, information management consultant at DOE.
Smith said that although many other anti-virus products provide the ability to
disinfect incoming viruses before they are passed on to users, Worldtalk's
server enabled him to program a policy that would target and quarantine any
incoming e-mail with a specific message in its header.
"The quarantine allowed us to really track Melissa," Smith said. "It gave us a
history to trace back to the originator."
Bill Mann, director of product management at Worldtalk, noted that the ability
to program policies into the server also could be used to fend off potentially
damaging mobile code, such as hostile Java applets, that users unknowingly
can download from World Wide Web sites.
"Literally anything that can be done by a program can be done by mobile
code," Mann said. "It can open database connections. It can install viruses on
your PC. Mobile code gives the hackers so much more flexibility than virus
writing."
It is not only traditional anti-virus and computer security companies that are
homing in on technology to combat viruses. Companies targeting the
electronic-commerce market are bundling anti-virus software with other
computer security solutions. In July, Computer Associates International Inc.
introduced its eTrust security solution, which bundles anti-virus technology
with public-key infrastructure technology, encryption controls,
intrusion-detection scanners, firewall components, network surveillance and
authentication tools.
Kurt Ziegler, senior vice president for CA's security business, said the eTrust
network surveillance component is crucial to containing viruses because users
have not always updated their software to detect the latest viruses. Because
these identification delays can de devastating, a containment strategy is crucial,
he said.
"We include some technology that lets you identify movement, to get a
pattern," Ziegler said. "It scans the network on the inside...so you can see a
neighbor sending it to a neighbor inadvertently. Should you get an
identification...you can quickly go back over the that traffic and say who's
carrying what where."
Judith Spencer, director of the Center for Governmentwide Security at the
General Services Administration, said the Melissa virus - combined with other
incidents, such as a hacker group threat to target the federal government - has
helped increase government security awareness. She noted that though
anti-virus software is "indispensable" on systems today, it should be viewed as
only part of an agency's security arsenal.
"Integrated security solutions are a good idea," Spencer said. "[But] the way
that you implement security solutions as opposed to whether or not the
product comes bundled is more important."
Bundling anti-virus software with security mechanisms located at the perimeter
of a network is advantageous because everything coming in to the environment
is checked, and network administrators do not have to worry if end users
have updated their software, said Lance Travis, service director at
Boston-based AMR Research Inc. However, that method also has its
drawbacks, he noted.
"You're now scanning every e-mail message [and] every Web page that
comes through your firewall," Travis said. "There's a huge performance
penalty you could potentially pay."
Trend Micro Inc. is an anti-virus firm that has chosen not to bundle its
anti-virus software with other security products. Instead, the company is
designing its products so that they will interoperate with other key products
needed for security, said Dan Schrader, Trend Micro's vice president of new
technology.
Trend Micro offers an integrated border security approach, scanning for
viruses at perimeter points such as e-mail servers and Internet gateways. That
approach was designed to stop viruses and malicious code before they enter
the network.
Trend Micro's anti-virus software is being used by the Department of Housing
and Urban Development on 75 servers to support about 11,000 users. The
product was designed to eliminate the expensive and disruptive "pre-
emptive e-mail shutdown" strategy that many government agencies are forced
to deploy when threatened with viral infection, Schrader said.
"You want to identify where key Internet traffic enters your organization and
have the code scanner at those entry points," Schrader said. "Anything that
relies on the end users for best practices is doomed to fail."
Many anti-virus vendors are moving to take control of the software away from
end users, who notoriously try to bypass the software safeguard or forget to
update it to protect from new viruses. But Roger Thompson, technical director
of malicious code research at the International Computer Security
Association, noted that anti-virus software still must be multilayered.
"If an infected document is attached to an e-mail, then something at the mail
server or firewall wouldn't pick it up if the document was encrypted,"
Thompson said. "You still have to have detection on the desktops."
Anti-virus software vendors may see the demand for their products increase
even more in the future as virus-like threats to networks continue to grow.
William Orvis, security specialist at the Computer Incident Advisory
Capability at Lawrence Livermore National Laboratory, noted that he is
seeing an increasing incidence of worms - programs that crawl through
networks, automatically making and distributing copies of themselves while
installing dangerous back doors in systems as they move. As a result,
unauthorized users can remotely control a system with a back door installed.
Anti-virus software can be designed to watch networks for worms. However,
Orvis said products of the future will have to "intelligently" detect viruses that
have never been seen before, instead of relying on tracking viruses by their
"signatures," which is the most common viral-detection method today.
"We need a way that we can have smart computer code...and say, 'That is
probably a virus,' " Orvis said. "We need to learn to teach a machine to
recognize a virus."
Harreld is a free-lance writer based in Cary, N.C.
@HWA
48.0 RETROSPECTIVE ON CRACKING CONTESTS
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From http://www.net-security.org/
by BHZ, Thursday 26th August 1999 on 3:25 am CET
We covered both Windows2000 and LinuxPPC cracking contests on HNS. Linux
machine got one-tenth the number of attacks that the Microsoft server has endured.
Neither of servers was compromised, and the companies said data stored within
those servers has remained secure. ABC has an article on it. Read it here.
<insert> Microsoft and Linux PPC
Engage in Testing
One-Upsmanship
Microsoft put a bullseye on its Windows
2000 operating system by inviting hackers
to have a go at it. So far the system has
crashed, but hackers haven't gained
access. (A.Shepherd/ABCNEWS.com)
By Michael J. Martinez
ABCNEWS.com
Aug. 24 Three weeks ago, Microsoft engineers
loaded up a server with Windows 2000 beta,
connected it to the Internet and invited anyone
who wanted to test its security by trying to
break into it.
The next day two things happened: the Windows 2000
operating system crashed because of a bug, and Linux
PPC, a small company in Hales Corners, Wis., put up a
server running a Linux-based operating system and issued
the same invitation.
Since then, both servers have gone down due to
various technical problems, though neither has been
cracked; no one has been able to access the information
stored on those servers. Both Microsoft and Linux PPC
have claimed the tests demonstrate the security of their
respective operating systems, though the frequency of
problems on the Microsoft server has been a source of
jokes among Linux enthusiasts.
Microsoft Puts On a Bullseye
The new Windows 2000 operating system, due to be
released in October, will replace Windows NT as
Microsofts workstation and server operating systems for
businesses. Despite a release schedule marred by
numerous delays and in spite of the growth of popularity
of competing systems particularly those of Linux
Microsoft hopes the new operating system will be as
broadly accepted as its predecessors.
So, on Aug. 2, Microsoft loaded a 500 MHz Pentium
III server with Windows 2000 and the IIS Web server
program, and linked it to the Internet. The system lacked
a firewall impermeable software designed to protect a
systems entry points and was protected only by the
security inherent to the Windows 2000 operating system.
The next day, router failures (not hackers) caused
intermittent downtimes. The problems continued until Aug.
14, the first day without downtime on the server. Since
then, there have been three other disruptions.
On the test Web site, Microsoft managers note that no
data has been taken from the machine it still remains
secure. In addition, a number of software bugs in the
Windows 2000 software have been discovered and fixed.
Linux Chimes In
The day Microsoft announced its tests, the engineers at
Linux PPC began receiving user e-mails wondering if the
company would respond in kind. Linux PPC is different
from other Linux distributors; its OS is made for
Macintoshes instead of the usual IBM clones.
The response from our users was enormous, says
Marcia Knapp, business manager for the company. They
were confident that our software could withstand much
more than Microsofts, so we decided to put a box up.
The Linux PPC machine is a far cry from the high-end
server Microsoft is using. The company is using a 132
MHz Power Macintosh with just 160 MB of RAM, and
the machine is running an open-source Apache Web
server.
Yet the Linux machine has only gone down twice
and one of those times was because someone tripped on
a cord. The other time was because of a successful denial
of service attack the server was crashed not because
of a security breach, but because someone attempted to
overload it with meaningless data.
Under Attack
It should be noted that the Linux machine is getting
one-tenth the number of attacks that the Microsoft server
has endured and that the Windows 2000 operating
system is still in beta, and is due for more debugging once
it has been released.
Still, both sides claim the data stored within those
servers has remained secure. It may have been just
another PR stunt. But once again Microsoft comes out
looking like a giant with egg on his face egg tossed by
a tiny rival in Wisconsin.
@HWA
49.0 SHOUTCAST COMPROMISED
~~~~~~~~~~~~~~~~~~~~~
From http://www.net-security.org/
by BHZ, Wednesday 25th August 1999 on 10:39 pm CET
ShoutCAST (yp.shoutcast.com) - online directory of sites that offer you listening MP3
music on-line, has been compromised earlier today. Attacker just changed info for the
best ranked sites to: " [skillz] MadCamel 0wns Nullsoft Now Playing: Greetz arr0w
listeners -31337/31337 Bitrate - 666 and added an additional link to
www.rootshell.com.
@HWA
50.0 AUDIT OFFICE BLASTS AGENCIES' SERIOUS SECURITY FLAWS
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From http://www.net-security.org/
by Thejian, Wednesday 25th August 1999 on 11:05 am CET
A damning report from the Australian National Audit Office (ANAO), entitled
"Operation of the Classification System for Protecting Sensitive Information", has
reveiled serious flaws in the IT security arrangements of six unnamed Australian
commonwealth government agencies. The audited agencies all had sensitive
information to protect, with three of the six responsible for protecting national security
information. Read more.
http://www2.idg.com.au/CWT1997.nsf/Home+page/4C49A498F5EBCD6F4A2567D70021F2FE?OpenDocument
Audit Office blasts agencies'
serious IT security flaws
By Laura Mason
25 August, 1999
SYDNEY - A damning report from Australian
National Audit Office (ANAO) has revealed
serious flaws in the IT security arrangements of six
commonwealth government agencies.
Entitled 'Operation of The Classification System for
Protecting Sensitive Information' the report reveals
that the IT&T environments of the six unnamed
agencies the ANAO audited have inadequate
security protection levels.
The audited agencies all had sensitive information
to protect, with three of the six respon-sible for
protecting national security information. "Paper and
electronic files were often exposed to unauthorised
access because of various breakdowns in the
protection of information in use or in transmission,"
states the report, which was tabled this month.
Common breakdowns included "sensitive
information stored on insecure electronic networks,
and computers left on without the protection of
screen saver passwords."
All six of the agencies hold sensitive information in
both electronic and paper-based form, with two of
the six agencies operating secure networks, and
two running mainframes with large databases.
The audit found that agencies operating
mainframes, with high-volume transaction
processing, had better IT security than
organisations with a LAN based environment,
however those with mainframes were found to have
weaknesses in their LAN environment.
According to the report, "The access management
controls on local area networks (LANs) were often
not configured or implemented in accordance with
ACSI 33 (the Australian Communications
Electronic Security Instrucions 33 -- a Defence
Signal Directorate's publication).
Areas requiring attention include passwords, the
number of log-on attempts and inactive user
accounts.
These weaknesses are of concern as all the
networks carried sensitive information.
"The audit found that more attention needs to be
given to establishing effective monitoring and
review processes, particularly in relation to IT&T
audit trails to ensure security policies and
procedures are operating as management
intended," said the report.
According to ANAO, all six agencies audited are
failing to give sensitive information adequate
protection.
Dean Kingsley, Partner, Secure e-business at
Deloitte Touche Tohmatsu, commented that for
many organisations IT security, outside the context
of e commmerce, was "way down the priority list"
since it was viewed as an overhead rather than an
enabler.
@HWA
51.0 ISS X-FORCE ADVISORY ON LOTUS NOTES DOMINO SERVER 4.6
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From http://www.net-security.org/
by Thejian, Tuesday 24th August 1999 on 10:05 pm CET
ISS X-force reports a denial of service attack against the integrated messaging and
web application server, because of an overflow problem in the Notes LDAP Service.
Your are recommended to upgrade to Maintenance release 4.6.6 or 5.0. Here is the
complete advisory.
http://xforce.iss.net/alerts/advise34.php3
ISS Security Advisory
August 23, 1999
Denial of Service Attack against Lotus Notes Domino Server 4.6
Synopsis:
Lotus Domino Server is an integrated messaging and web application
server. An attacker can crash the Lotus Notes Domino server and stop
e-mail and other services that Domino provides for an organization.
Description:
There is an overflow problem in the Notes LDAP Service (NLDAP); the
service that handles the LDAP protocol. This overflow is related to the
way that NLDAP handles the ldap_search request. By sending a large amount of
data to the parameter in the ldap_search request, an attacker can cause a
PANIC in the Domino Server. This will allow an attacker to stop all Domino
services running on the affected machine.
Affected Versions: Lotus Notes Domino server 4.6.
Recommended Action: Upgrade to Maintenance release 4.6.6 or 5.0.
Additional Information:
Information in this advisory was obtained by the research of Caleb Sima
<csima@iss.net> of the ISS X-Force. ISS X-Force would like to thank Lotus
Development Corporation for their response and handling of this
vulnerability.
________
About ISS:
ISS leads the market as the source for e-business risk management
solutions, serving as a trusted security provider to thousands of
organizations including 21 of the 25 largest U.S. commercial banks and
more than 35 government agencies. With its Adaptive Security Management
approach, ISS empowers organizations to measure and manage enterprise
security risks within Intranet, extranet and electronic commerce
environments. Its award-winning SAFEsuite(r) product line of intrusion
detection, vulnerability management and decision support solutions are
vital for protection in today's world of global connectivity, enabling
organizations to proactively monitor, detect and respond to security
risks. Founded in 1994, ISS is headquartered in Atlanta, GA with
additional offices throughout the U.S. and international operations in
Australia/New Zealand, Belgium, France, Germany, Japan, Latin America and
the UK. For more information, visit the ISS Web site at www.iss.net or
call 800-776-2362.
Copyright (c) 1999 by Internet Security Systems, Inc.
Permission is hereby granted for the redistribution of this Alert
electronically. It is not to be edited in any way without express consent
of the X-Force. If you wish to reprint the whole or any part of this
Alert in any other medium excluding electronic medium, please e-mail
xforce@iss.net for permission.
Disclaimer
The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are NO warranties with regard to this information. In no event shall the
author be liable for any damages whatsoever arising out of or in
connection with the use or spread of this information. Any use of this
information is at the user's own risk.
X-Force PGP Key available at: http://xforce.iss.net/sensitive.php3 as
well as on MIT's PGP key server and PGP.com's key server.
Please send suggestions, updates, and comments to: X-Force xforce@iss.net
of Internet Security Systems, Inc.
@HWA
52.0 TECHNOLOGY KEY TO TRACKING DOWN INTERNET CRIME
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From http://www.net-security.org/
by Thejian, Tuesday 24th August 1999 on 9:45 pm CET
A recently formed working group focused on rooting out Internet-related crime may
model technologies that law enforcement agencies use to sift through the Internet to
keep tabs on online illegal activity. As we reported earlier, US president Clinton this
month established the working group to examine how law enforcement agencies can
better investigate and prosecute criminal activities conducted on the Internet. Among
other things, the group will scrutinize the ways in which the government uses
technology to crack down on Internet-related crime. The FBI is expected to take the
lead in developing technology that the federal government will use to comb the
Internet in search of criminal activity. Full story
AUGUST 23, 1999
Technology key to tracking down Internet crime
BY DOUG BROWN (dbrown@fcw.com)
A recently formed working group focused on rooting out Internet-related
crime may model technologies that law enforcement agencies use to sift
through the Internet to keep tabs on online illegal activity.
President Clinton this month established the working group, made up of top
government officials, to examine how law enforcement agencies can better
investigate and prosecute criminal activities conducted on the Internet, such as
the online sale of guns and illegal drugs, fraud and the peddling of child
pornography.
The Clinton administration decided to form the group because there was
"recognition within the government that there were some real issues"
concerning computer crime that needed to be addressed, a White House
official said. "There was an explosion [of legislation] at both the federal and
the state level, and there was concern that if we passed a lot of legislation
without taking a systematic look at this, we would end up with a haphazard
approach to the problem."
Among other things, the group will scrutinize the ways in which the
government uses technology to crack down on Internet-related crime.
Understanding the technologies agencies use now, the White House official
said, will help the administration decide how it can improve the investigation
and prosecution of online criminal activity in the future.
Some helpful technology applications may come from the FBI, a
representative from which will serve on the task force. The FBI is expected to
take the lead in developing technology that the federal government will use to
comb the Internet in search of criminal activity.
The FBI's Baltimore field office leads a project called Innocent Images, which
works to identify and arrest online sexual predators. About 20 agents are
assigned to the project full time, said Special Agent Barry Maddox, a
spokesman for the field office. Hundreds of other agents and local law
enforcement officials in cities nationwide also work with Innocent Images.
The agents join online chat groups about pedophilia or child pornography and
also pose as children to try to catch pedophiles who attempt to set up
face-to-face meetings. The program, which was established in 1995, has led
to 378 arrests and 322 convictions, Maddox said.
Advancements developed elsewhere in the FBI also may be considered by
the administration's working group. Such developments include the
soon-to-be launched computer crimes squad, which will investigate crimes
committed by hackers, and the National Infrastructure Protection Center,
which works to prevent people or groups from hacking into vital government
systems that operate such things as water supplies and transportation systems.
The group also may look at increasingly sophisticated and powerful Internet
search engines as a way to sniff out Internet-related crime, said Rich Kellett,
director of the General Services Administration's Emerging Information
Technologies Policies Division.
With some companies laboring to "store everything that is on the Internet,"
Kellett said, "you can imagine what kind of base of information you could put
together" with such databases. Combining powerful
search engines with
enormous databases would provide "interesting cross-sections of what is
going on in America, including criminal activity."
Kellett also mentioned the Search for Extraterrestrial Intelligence, a project
involving more than 800,000 computers networked together that share
information about radio signals and work together to compute algorithms in
the hope of pinpointing evidence of life in outer space. A model like this, he
said, could be used to sift through Internet data in search of criminal activity.
One problem with such massive undertakings, he said, is that "the use of all of
that information and sorting through it all has tremendous public policy issues,
in terms of privacy," Kellett said.
Daniel Boyle, SAS Institute Inc.'s director of the Defense Department and
defense intelligence, said the working group likely will consider different ways
of using data mining to deal with online criminal activity. The SAS Institute,
Cary, N.C., is a major supplier of custom software to the federal government.
With a tidal wave of data coursing through the Internet every day, it would be
impossible to successfully locate criminal activity just through pointing and
clicking a mouse, Boyle said. What is needed are data-mining software tools
that sift through data in search of anomalies or patterns - things that "don't
look quite right," he said. "They've got to find them first, and one of the
techniques is data mining."
Of use to government investigators, he said, might be "dump logs," or records
of people who have visited individual World Wide Web sites. Servers, he
said, "create volumes of these logs, [which] are tremendous and...exploding
every day." The logs are used by private companies to see who is visiting their
sites, but they also could be useful in tracking crime, he said.
Ari Schwartz, a policy analyst at the Washington, D.C.-based Center for
Democracy and Technology, cautioned working group members to keep
privacy concerns in mind when they draft their report, which is due in
December.
"This discussion could lead to a whole new set of monitoring tools," he said.
"We hope this doesn't change the way people surf the Net. We don't want to
have people think government is monitoring their lives."
Because it is so open, the Internet already has a vital monitoring system in
place: the eyes of the millions of people clicking throughout cyberspace. New
monitoring tools, he said, may be superfluous.
The government is considering a plan to monitor many non-DOD computers
for signs of intrusion. In its quest to protect government computers from
outside attacks, the proposed plan, called the Federal Intrusion Detection
Network, unnecessarily sacrifices privacy, Schwartz said.
@HWA
53.0 GOVT HOME-INVASION BILL DRIVES US PC USERS TO CANADA
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From http://www.net-security.org/
by Thejian, Tuesday 24th August 1999 on 9:20 pm CET
The recently proposed and already very much discussed US Justice Department bill
that would allow police to secretly enter homes and disable security features on
computers has driven tens of thousands of Americans to request privacy protection in
the form of the Freedom product from Canadian firm Zero-Knowledge Systems, the
company announced today. Newsbytes
Govt Home Invasion Bill Drives US PC Users To Canada
By Martin Stone, Newsbytes
MONTREAL, QUEBEC, CANADA,
24 Aug 1999, 12:09 PM CST
A proposed US Justice Department bill that would allow police to secretly enter homes and disable security features on
computers has driven tens of thousands of Americans to request privacy protection from Canadian firm Zero-Knowledge
Systems, the company announced today.
"This has created a huge wave of concern among computer users in the US," said Zero-Knowledge President Austin Hill, of
the proposed legislation.
Hill told Newsbytes that, when news of the proposed measure broke last Thursday, his office was flooded with calls and
messages from American Internet users inquiring about the availability of his company's security system, called Freedom,
which uses a sophisticated network of encoding and remote servers to obscure Internet "trails."
"We've received e-mail, telephone messages, and thousands of Freedom beta sign-ups from people looking to secure their
privacy. It's highly ironic that a Canadian company is being flooded by requests to protect American citizens from their own
government," Hill said.
Zero-Knowledge is presently beta-testing its Freedom technology, which provides total privacy for Web, e-mail, newsgroup,
and chat-room activities by encrypting data and rerouting it through independently-operated servers scattered worldwide.
Hill says an improved beta version will soon enter testing and that, based on the latest flood of interest, his company is
scaling-up to accommodate, what he says will be, "millions and millions of computer-users all over the world" once the
product hits the market later this year.
The system has been called "the only fully trustworthy privacy solution" by some privacy advocates.
According to reports published last week, the Justice Department will seek authorization through the Cyberspace Electronic
Security Act for FBI and local police to covertly enter private homes and disable computer encryption programs. The
proposal would dramatically increase police powers by allowing agents to tamper with personal computers to surreptitiously
monitor personal communications.
"It's disappointing that US consumers must look to other countries for protection from a government they feel is overstepping
its investigative authority," David Sobel, general counsel for the Electronic Privacy Information Center in Washington, told Hill
following the announcement of the proposed bill. "The United States should be in the forefront of privacy technology, not
trying to circumvent it."
Montreal-based Zero-Knowledge says it benefits from Canada's support for the development of strong privacy solutions, in
contrast with what it says is the US government's stringent controls on encryption and privacy technologies.
Hill says that, because his company's system masks electronic trails, law enforcement agencies would not be able to
identify computers from which possibly unlawful transmissions were being made, so they would be unable to identify which
house to enter under the proposed legislation. He says his system would discourage "fishing expeditions" which could result
from the projected bill.
More information on the Zero-Knowledge technology can be found at http://www.zeroknowledge.com
Reported by Newsbytes.com, http://www.newsbytes.com
12:09 CST
Reposted 18:09 CST
@HWA
54.0 HACKERS SCANNING FOR TROUBLE
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From http://www.net-security.org/
by Thejian, Tuesday 24th August 1999 on 9:00 pm CET
Every day they come, they lurk -- then they leave without doing damage. They come
through clients' computers, through Canadian ISPs, they hack into Linux boxes, NT
boxes, Unix boxes. Hack by day or night, but they only look and don't touch. These
kinds of vulnerability scan attacks are causing concern and also bring up some
murky legal issues. Dragos Ruiu wrote a report for SecurityFocus and ZDNet has a
story on it.
--------------------------------------------------------------
This story was printed from ZDNN,
located at http://www.zdnet.com/zdnn.
--------------------------------------------------------------
Hackers scanning for trouble
By Bob Sullivan, MSNBC
August 24, 1999 5:38 AM PT
URL: http://www.zdnet.com/zdnn/stories/news/0,4586,2319298,00.html
Dragos Ruiu was just minding his own business, a Vancouver software startup, when it started.
Day after day, relentlessly, someone or some group out there on the Internet is banging away at
his servers, sneaking in and gaining full access. A security expert, he knows what's happening:
He's being probed. Is this mere sport, or a "casing," like a bank robber who visits the bank several
times to study its security systems before the heist?
Every day they come, they lurk -- then they leave without doing damage. And Ruiu is powerless
to stop it. Every method he has tried, they have trumped. They're toying with him. "They must feel
like gods," he says.
They come at him through clients' computers, through Canadian ISPs, once even through one of
the largest Canadian banks. They hack into Linux boxes, NT boxes, Unix boxes. Hack by day or
night. No matter.
And all for no apparent reason. They look, but don't touch.
Ah, the life of a network administrator these days. There are thousands of ways to break into a
computer, and there are now several downloadable software packages designed to scan the
Internet for Web sites and servers that have just one flaw.
According to Peter Tippett at computer security research firm ICSA, a new box connected to the
Net will almost certainly be "scanned" before one week goes by. And the amount of scanning
activity has doubled in the past six months.
That's about when the scanning started for Brandon Pepelea, a former employee at PSINet who
says his collection of Web sites has been scanned systematically several times a week since
January. In another example of a victimless probe, Pepelea thinks someone or something has been
banging through all the Internet addresses between 38.240.x.x and 38.200.x.x, a so-called
Class-B range of addresses that constitute about 16,000 possible computers.
In his case, the scans were unsuccessful. Whoever or whatever it is, they
haven't been able to break into Pepelea's computers. Still, the relentless,
systematic nature of the probe has him spooked. He's been demanding
that PSINet, which owns all the addresses in the 38.x.x.x range, chase down the scanner and
prosecute.
"I don't think they understand how serious it is," Pepelea said. "The threat not so much being the
nature of the scan but the scope of the scan... If you're between 38.240 and 38.200 you've had
the scans. They've walked through and gotten to you."
Nose for trouble
The attack itself involves use of the Simple Network Management Protocol, frequently used on
network routers. Pepelea owns machines between the 38.240 and 38.200 address range, and
concluded scans spanned that range by studying patterns of hits to his own and his client's
machines.
This is not the first time Pepelea, now CEO of a small security company he calls "Designer's
Dream," has done a hefty amount of personal cybersleuthing. Last December, he compiled
information on a virus writer named VicodinES, and shared it with the FBI, the CIA and other law
enforcement agencies. His tips fell on deaf ears, and VicodinES, who the world now knows as
Dave Smith, went on to release the Melissa virus. Pepelea's hell bent on being heard this time
around. "Once again, nobody cares," he laments.
PSINet said early last week the scans were being generated by an account serviced by the
company, and that it had dealt with the matter by canceling the account. But by Friday, the
company had canceled three more accounts in an effort to stop the probes. While officials there
say they take the matter seriously, they are not convinced it's an organized hacker attack.
"It's not possible to characterize whether this is a mistake, a malicious event, was planned, or it
just happened," said Cole Libby, Director of Network Engineering. For example, it could a
wrongly configured piece of hardware searching a section of the Internet for a new printer. "There
are lots of examples of technology out of control in the world."
No harm, no foul?
Scanning, the cyberspace equivalent of walking down Main Street and jiggling handles to see who
leaves the front door unlocked, brings up murky legal issues. Entering someone else's computer is
illegal, but scanning, which amounts to asking a computer how it's been set up, probably isn't.
Pepelea says PSINet told him to pursue legal action against his cyberpest -- but for what?
Meanwhile, Pepelea thinks PSINet should be liable if any real trouble ever comes from his
suspected hacker, particularly since the Net provider was warned.
That's not likely, says Internet law expert Dorsey Morrow. PSINet would almost certainly face no
criminal liability for the actions of a hacker on their network, and wouldn't likely face civil liability
either.
"As long as they can show 'We were doing everything we can. We've got security policies in
place. We're using the latest software.' That mounts up to a pretty good defense," Morrow said.
So there's no consequences for scanning, either to the hacker or the company that provides the
means. But what of Ruiu's hackers, who go just one step further than Pepelea's scanners? They
scan, then enter, lurk around, and leave. Dancing tantalizingly over the edge of the law, they show
an ability to do far more damage.
Their methods are painstakingly deliberate, designed to avoid detection. They launch attacks from
multiple sites, sometimes sending no more than a packet per day from any site, in order to hide the
kind of suspicious activity protective "sniffer" programs look for.
"We saw one new machine coming at us every five minutes," Ruiu said. "They must have felt like
gods because they could break into any machine they wanted."
That includes a collection of Canadian ISPs, and even one major Canadian bank, the hackers
broke into. When he called, Ruiu often had a tough time convincing victimized ISP administrators
they'd been hacked.
"The reaction of ISPs was disbelief," he said. "One didn't believe us until a marketing guy had his
laptop taken out and it started sending weird packets."
Ruiu is convinced the hacks are coming from a coordinated team, because of their speed and
variety. But while the cat-and-mouse game continues, he can only speculate on motive. His
company, a 15-person startup called Netsentry.net, is hardly a big target. So Ruiu thinks his
outside efforts in the security community are likely to blame. He recently worked on project called
"Trinux," which aimed to create a security-enhanced version of Linux that fits on one floppy disk.
Among his partners was Ken Williams, who until recently ran Packet Storm Security, perhaps the
most popular reference site in the hacker community.
"I suspect these guys are targeting security software," he said, but added they have not revealed
their intentions. "This is really bugging me. The lack of a motive really disturbs me
it gave me the
creeps."
The attacks have also been humbling for Ruiu, who has spent a lot of time chasing the hackers
when he could be working to get his business off the ground.
"There are a lot of assumptions we're all making about Internet security that we shouldn't," he said.
"There's a lot of things we don't know."
For example, these hackers made a habit of hijacking machines Ruiu's computers normally talked
to, then initiated attacks from these supposedly "friendly" computers. That made them almost
impossible to detect.
"If they get a machine that's close to your machine, that's almost as bad as taking over your Web
server. It's a great place to launch an attack on your firewall," he said.
Nothing about Ruiu or Pepelea's stories surprised ICSA's Tippett, who expects security problems
to get worse before they get better.
"It's the wild, wild West out there," he said. "The tools are pervasive and so common. The chance
of getting caught is pretty slim
Our neighbors are now very close and enough of them don't have
a great social conscience."
A more extensive report on the one of these attacks, written by Ruiu, can be found at
www.securityfocus.com.
@HWA
55.0 Canada Net they've built a super fast network, but what to do with it?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The Great Wired North
Canada Builds the Worlds
Fastest Network And
Wonders How to Use It
Canadas new CA*Net3 research network
will link government, business and
universties across the country with a 100
percent fiber-optic network
and then what? (ABCNEWS.com)
By Michael J. Martinez
ABCNEWS.com
Aug. 27 What if there were a
brand-new, fiber-optic,
blazingly fast, nationwide
computer network and no
one knew quite what to do
with it?
Using a $55 million grant from the
Canadian government, a consortium of universities and
businesses has fashioned a next-generation, Internet-style
network, stretching from Nova Scotia to British Columbia.
So speedy is CA*Net3, as the network is called, that the
entire contents of the U.S. Library of Congress could be
transmitted from one end of Canada to the other in just one
second.
In the United States, the Internet2 project can handle
that kind of load but it still takes a full minute for a
bicoastal download.
Canada hopes to use this worlds fastest nationwide
network to stake its claim to the high-tech future. Unlike
Internet2, however, CA*Net3 is finding it difficult to attract
researchers who can use the brand-new network.
Nobody knows what were going to use this for, says
Alan Greenberg, director of computing at McGill University
in Montreal. But thats the reason you build these things
so that people can find new ways to do things.
Pure Optics
Unlike other research networks, including the ARPANet
system that formed the basis for todays Internet, CA*Net3
is completely optical no telephone lines are used.
Instead, the Canadian government stretched fiber-optic
cable across the country, linking it to 11 gigapops,
network hubs that serve as switching stations for billions of
bits of data per second.
Other networks, including Internet2 and the
Next-Generation Internet project in the United States, also
use backup layers, in addition to fiber optics, to ensure that
data will continue to flow if the fiber-optic cables are cut or
disrupted. However, CA*Net3 doesnt have those backups.
Instead, data are automatically rerouted at the gigapops if a
disruption is detected. Rerouting uses network rings
loops of cable interconnected with the gigapops.
In our network rings, we automatically use both sides
of the ring in transmitting data, says Bill St. Arnaud, the
senior director of network projects for the Canadian
Network for the Advancement of Research, Industry and
Education (Canarie), which is running CA*Net3. Thus, if
one side of the loop goes down, the other side can pick up
the slack.
Rainbow of Data
CA*Net3 also employs new technology that allows
different wavelengths of light to be transmitted along the
same fiber-optic cable. By using eight colors of light, the
amount of data sent through the cable can be increased by
a factor of eight.
That means 80 gigabits of data per second can be
transmitted through CA*Net3 every second. Thats 1.4
million times faster than the download speed of a 56K
modem, and about 60 times faster than Americas Internet2
project.
And it could improve even more, St. Arnaud says.
Theoretically, an infinite number of wavelengths of light
could pass through a fiber-optic cable without interfering
with each other. Right now, researchers are working on
transmitting data on 2,000 wavelengths somewhere in
the neighborhood of 20,000 gigabits or 20 terabits.
Filling the Pipe
Now all thats needed are applications to make use of such
huge bandwidth.
Everyone is used to dealing with small bandwidth,
Greenberg says. Theyre still trying to figure out how best
to use this really big pipe theyve been handed.
A few ideas have been advanced. Canadas national
human genome project, an effort to map all the DNA in the
human body, is using CA*Net3 to link 40 powerful
computers to perform necessary calculations.
The Canadian National Film Board is also using the
network, to create an on-demand movie jukebox.
Computers linked to CA*Net3 can request one of 700
movies currently online. The film boards server controls a
robotic arm that can select and play the DVD-ROM of the
film, sending it over CA*Net3.
In the next few years, St. Arnaud hopes to link public
schools to the new network, using only fiber-optic cables
and giving schools total access to the immense amount of
bandwidth available. From there, its easy to envision
connecting every Canadian home to the optical network.
With an increase in the number of light wavelengths
available, there will be enough bandwidth for generations.
And what theyll do with it is anyones guess.
@HWA
56.0 Security Focus' BUGTRAQ summary
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Security Focus News, Issue 3, 1999-08-16 to 1999-08-22
II. BUGTRAQ SUMMARY 1999-08-16 to 1999-08-22
----------------------------------------
1. SuSE identd Denial of Service Attack
Bugtraq ID: 587
Remote: Yes
Date Published: 1999-08-16
Relevant URL:
http://www.securityfocus.com/level2/?go=vulnerabilities&id=587
Summary:
In certain distributions of SuSE Linux the in.identd daemon is started
with an option that causes one identd process waits 120 seconds
after answering the first request to answer the next request. If a
malicious remote attacker starts a large number of ident requests in
a short period of time it will force the target machine to start multiple
daemons. This can lead the machine to starve itself of memory
resulting essentially in a machine halt.
2: Microsoft IIS And PWS 8.3 Directory Name Vulnerability
Bugtraq ID: 582
Remote: Yes
Date Published: 1999-08-16
Relevant URL:
http://www.securityfocus.com/level2/?go=vulnerabilities&id=582
Summary:
In Microsoft's IIS and PWS, requesting the 8.3 filename version of a
directory effectively bypasses the security attributes that are
referenced to the full, long version of the filename, with permissions
being based instead on those of the parent directory. Successful
exploitation of this vulnerability could lead not only to unathorized
directory listings, but also to the remote execution of
'protected' scripts.
3: Multiple Vendor 8.3 Directory Name Vulnerability
Bugtraq ID: 584
Remote: Yes
Date Published: 1999-08-16
Relevant URL:
http://www.securityfocus.com/level2/?go=vulnerabilities&id=584
Summary:
In the Netscape, vqServer and Xitami webservers, restrictions applied to
directories with long filenames will be ignored if the 8.3
version of the filename is requested. In Serv-U, the 'cwd' and 'site exec'
commands are susceptible to a similar vulnerability. Other
Windows32-based HTTP and FTP servers may have the same or similar
vulnerabilities.
4: Microsoft Windows 98 IE5/Telnet Heap Overflow Vulnerability
Bugtraq ID: 586
Remote: Yes
Date Published: 1999-08-16
Relevant URL:
http://www.securityfocus.com/level2/?go=vulnerabilities&id=586
Summary:
Windows 98 systems running specific versions of IE5 (5.00.2314.1003 and
5.00.2314.1003IC) are susceptible to a remote vulnerability that
allows the execution of arbitrary code on a target that views a malicious
web page. This vulnerability is due to a combination of two different
weaknesses, one in telnet.exe and one in the latest versions of IE5.
5: Oracle Intelligent Agent Vulnerability
Bugtraq ID: 585
Remote: Yes
Date Published: 1999-08-16
Relevant URL:
http://www.securityfocus.com/level2/?go=vulnerabilities&id=585
Summary:
Oracle installations with the 'Oracle Intelligent Agent' installed have a
path related vulnerability. The problem lies in the dbsnmp
program located in $ORACLE_HOME/bin . This setuid root program calls a tcl
script ( nmiconf.tcl ) located by default in
$ORACLE_HOME/network/agent/config. The problem is that the dbsnmp script
relies on an environment variable (the path to nmiconf.tcl) which can be a
set by a user. Therefore, intruders can force the script to execute a
trojaned version of nmiconf.tcl which will run as root.
6: xmonisdn IFS/PATH Vulnerability
Bugtraq ID: 583
Remote: No
Date Published: 1999-08-16
Relevant URL:
http://www.securityfocus.com/level2/?go=vulnerabilities&id=583
Summary:
Xmonisdn is an X applet that shows the status of the ISDN links which
ships with the isndutils package from Debian GNU/Linux 2.1. You can
configure it to run two scripts when the left or right mouse button are
clicked on it. Xmonisdn was installed setuid root so that the scripts
could do things like add and delete the default route. However is that
while the scripts were checked for owner root and not writeable by group
or others the scripts are run via the system() library function, which
spawns a shell to run it. This means that the scripts are open to attack
via IFS and/or PATH manipulation.
Debian has made patches available at the following locations:
http://security.debian.org/dists/stable/updates/binary-alpha/isdnutils_3.0-12slink13_alpha.deb
http://security.debian.org/dists/stable/updates/binary-i386/isdnutils_3.0-12slink13_i386.deb
http://security.debian.org/dists/stable/updates/binary-sparc/isdnutils_3.0-12slink13_sparc.deb
7: Mini SQL w3-msql Vulnerability
Bugtraq ID: 591
Remote: Yes
Date Published: 1999-08-18
Relevant URL:
http://www.securityfocus.com/level2/?go=vulnerabilities&id=591
Summary:
Under certian versions of Mini SQL, the w3-msql CGI script allows users to
view directories which are set for private access via .htaccess files.
Version 2.0.11 of the Mini SQL Server contains a fix for this problem.
Details available at:
http://support.Hughes.com.au/cgi-bin/hughes
8: AIX Source Code Browser Buffer Overflow Vulnerability
Bugtraq ID: 590
Remote: Yes
Date Published: 1999-08-18
Relevant URL:
http://www.securityfocus.com/level2/?go=vulnerabilities&id=590
Summary:
A buffer overflow vulnerability has been discovered in the Source Code
Browser's Program Database Name Server Daemon (pdnsd) of versions 2 and 3
of IBM's C Set ++ for AIX. This vulnerability allows local and remote
users to gain root access. While IBM no longer supports the affected
versions, there is a workaround available at the above URL.
9: BSDI Symmetric Multiprocessing (SMP) Vulnerability
Bugtraq ID: 589
Remote: No
Date Published: 1999-08-18
Relevant URL:
http://www.securityfocus.com/level2/?go=vulnerabilities&id=589
Summary:
A vulnerability exists in BSDi 4.0.1 Symmetric Multiprocessing (SMP).
During high CPU usage it is possible to cause BSDi 4.0.1 (possibly others
but untested) with all current patches to stop responding and 'lock up'
when a call to fstat is made.
10: Redhat Linux tgetent() Buffer Overflow
Bugtraq ID: 588
Remote: No
Date Published: 1999-08-18
Relevant URL:
http://www.securityfocus.com/level2/?go=vulnerabilities&id=588
Summary:
A buffer overflow existed in libtermcap's tgetent() function, which could
cause the user to execute arbitrary code if they were able to supply their
own termcap file.
Red Hat has released a series of rpms to solve this issue. Please see
'solution' at the above URL for more information.
11: Linux in.telnetd Denial of Service Vulnerability
Bugtraq ID: 594
Remote: Yes
Date Published: 1999-08-19
Relevant URL:
http://www.securityfocus.com/level2/?go=vulnerabilities&id=594
Summary:
When a telnet client connects to in.telnetd, the two attempt to negotiate
a compatible terminal type (via the TERM environment variable). When the
TERM variable in the client is set before connecting, it's possible that,
depending on what TERM was set to, a denial of service can be caused.
Red Hat has released a series of rpms to solve this issue. Please see
'solution' at the above URL for more information.
12:QMS 2060 Printer Passwordless Root Vulnerability
Bugtraq ID: 593
Remote: Yes
Date Published: 1999-08-19
Relevant URL:
http://www.securityfocus.com/level2/?go=vulnerabilities&id=593
Summary:
Access to the QMS 2060 printer is controlled by the passwd.ftp file. This
file contains simply a list of usernames and passwords. However, even with
this file in place, root can still logon without a password entered. This
would allow the attacker to alter the passwd.ftp file, as well as the
hosts file which lists tha machines authorized to print to the QMS.
13: Microsoft JET Text I-ISAM Vulnerability
Bugtraq ID: 595
Remote: Yes
Date Published: 08/20/99
Relevant URL:
http://www.securityfocus.com/level2/?go=vulnerabilities&id=595
Summary:
Microsoft's JET database engine includes a functionality referred to as
Text I-ISAM. This allows the JET driver to write to a text file, for the
purpose of another application to read later. This was implemented to
allow data sharing between JET applications and other applications that
don't support Dynamic Data Exchange. The vulnerability lies in the fact
that any text file can be written to, including system files. Because of
this, a database query could be created that added destructive commands to
a startup file or script.
Microsoft has released patces for both JET 3.5x and 4.0:
3.5x:
http://www.securityfocus.com/external/http://support.microsoft.com/download/support/mslfiles/Jet35sp3.exe
4.0:
http://www.securityfocus.com/external/http://support.microsoft.com/download/support/mslfiles/Jet40sp1.exe
@HWA
57.0 A typical script kiddie attack scenerio against HTTP server
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Picked up from the message board of www.securityfocus.com...
To: Incidents
Subject: kiddie attack via http
Date: Wed Aug 18 1999 05:13:35
Author: acpizer
Message-ID:
<Pine.NEB.3.96.990818121207.5340B-100000@mach.unseen.org>
Once upon a time, I've setup a small bait, for lusers such as this one,
and it finally paid off:
Aug 12 09:44:52 snork fun-httpd: got connection from 204.60.37.97
Aug 12 09:44:52 snork fun-httpd: got connection from 204.60.37.97
Aug 12 09:44:52 snork fun-httpd: cmd buff: GET /asakaeval HTTP/1.0^M ^M
Aug 12 09:44:52 snork fun-httpd: cmd buff: GET /cgi-bin/phf/ HTTP/1.0^M
Aug 12 09:44:53 snork fun-httpd: got connection from 204.60.37.97
Aug 12 09:44:53 snork fun-httpd: cmd buff: GET /cgi-bin/phf/ HTTP/1.0^M
Aug 12 09:44:54 snork fun-httpd: got connection from 204.60.37.97
Aug 12 09:44:54 snork fun-httpd: cmd buff: GET /cgi-bin/php.cgi/
HTTP/1.0^M
Aug 12 09:44:55 snork fun-httpd: got connection from 204.60.37.97
Aug 12 09:44:55 snork fun-httpd: cmd buff: GET /cgi-bin/campas/ HTTP/1.0^M
Aug 12 09:44:56 snork fun-httpd: got connection from 204.60.37.97
Aug 12 09:44:56 snork fun-httpd: cmd buff: GET /cgi-bin/htmlscript/
HTTP/1.0^M
Aug 12 09:44:57 snork fun-httpd: got connection from 204.60.37.97
Aug 12 09:44:57 snork fun-httpd: cmd buff: GET /cgi-bin/aglimpse/
HTTP/1.0^M
Aug 12 09:44:58 snork fun-httpd: got connection from 204.60.37.97
Aug 12 09:44:59 snork fun-httpd: cmd buff: GET /cgi-bin/websendmail/
HTTP/1.0^Aug 12 09:45:00 snork fun-httpd: got connection from 204.60.37.97
Aug 12 09:45:00 snork fun-httpd: cmd buff: GET /cgi-bin/websendmail/
HTTP/1.0^M
Aug 12 09:45:01 snork fun-httpd: got connection from 204.60.37.97
Aug 12 09:45:01 snork fun-httpd: cmd buff: GET /info2www HTTP/1.0^M
Aug 12 09:45:03 snork fun-httpd: cmd buff: GET /cgi-bin/pfdispaly.cgi/
HTTP/1.0Aug 12 09:45:04 snork fun-httpd: got connection from 204.60.37.97
Aug 12 09:45:04 snork fun-httpd: cmd buff: GET /scripts/convert.bas/
HTTP/1.0^M
Aug 12 09:45:19 snork fun-httpd: got connection from 204.60.37.97
Aug 12 09:45:19 snork fun-httpd: got connection from 204.60.37.97
Aug 12 09:45:19 snork fun-httpd: cmd buff: GET /info2www
'(../../../../../../../bin/mail </etc/passwd|)'^M ^M
Aug 12 09:45:21 snork fun-httpd: cmd buff: GET /asakaeval HTTP/1.0^M ^M
Aug 12 09:46:07 snork fun-httpd: got connection from 204.60.37.97
Aug 12 09:46:08 snork fun-httpd: cmd buff: GET /cgi-bin/webdist.cgi/
HTTP/1.0^M
Aug 12 09:46:23 snork fun-httpd: got connection from 204.60.37.97
Aug 12 09:46:23 snork fun-httpd: cmd buff: GET
/scripts/convert.bas?../../etc/passwd HTTP/1.0^M ^M
ARIN shows this on the IP:
Southern New England Telephone (NETBLK-SNET-CIDR001)
27 Butler St.
Meriden, CT 06451-4101
US
Netname: SNET-CIDR001
Netblock: 204.60.0.0 - 204.60.255.0
Coordinator:
Devetzis, Taso N (TND-ARIN) devetzis@SNET.NET
+1 203 771 8917 (FAX) +1 203 771 2008
I don't know some of these vulnerabilities, maybe you guys could enlighten
me
on what you recognize.
Cheers.
To: Incidents
Subject: Re: kiddie attack via http
Date: Mon Aug 23 1999 18:39:22
Author: Fu V0Rt
Message-ID:<19990824023922.16516.qmail@securityfocus.com>
For details on many cgi based vunerabilities, i suggest
having a look at http://v0rt.dayrom.com.au under the
advisories section. we list alot of common cgi
vunerabilities aswell as a tool to scan for most of these
(http://v0rt.dayrom.com.au/profiler/profiler.c)
As for the /asakaeval attack, i also have not seen any
information regarding this.
As a final note, also check your access_log for entries sent
as hex, in some httpd servers they do not correct log
requests sent as hex, therefor its not obvious asto what
they are scanning for to the naked eye.
v0rt_
-------------------------------------------------------------------------------
"Probably you've only really grown up, when you can bear not being understood."
Marian Gold /Alphaville
@HWA
58.0 NMAP - Scan Analysis (v2)
~~~~~~~~~~~~~~~~~~~~~~~~~
From http://www.whitehats.com/
Hello,
This page is for anyone who cares to see the details behind an NMAP scan with the -D decoy option set. Basically I hope to answer two questions:
Does NMAP spoof every aspect of the scan, including ICMP, ACK, and OS Identification? (yes, beautifully if used properly)
Can you tell which host in a Decoy Storm is the real host? (no, if used properly)
When I created a case study of these topics earlier today I used decoy hosts that were not responsive (nonexistent IP addresses). Fyodor quickly pointed
out that this breaks one of the cardinal rules of decoy scanning. The decoys must be alive. :)
NMAP appears to correctly spoof identical packets for every operation, sending an identical packet for each source address (your local system, and each
of the decoys). My initial testing showed that only the local system sends RST's in response to successfully queried ports in a SYN scan. However, this
behavior is correct. The local system should not send RST's on behalf of the other systems, because that is exactly what they are supposed to do. My
test decoys (23.23.23.23 and 24.24.24.24) are not active hosts, and so would not generate the expected RST packets. Had I used responsive decoy
hosts, the local system source address would be indistinguishable from the others.
FIN, NULL, XMAS, and UDP scans appear to work equally well with the -D decoy option.
Hope someone finds this remotely useful or interesting.
-Max Vision
Decoys, without OS detection
[audit ~]# nmap -sS -D23.23.23.23,ME,24.24.24.24 -p 80 www.example.com
Starting nmap V. 2.12 by Fyodor (fyodor@dhp.com, www.insecure.org/nmap/)
ICMP Probe
19:44:00.294222 23.23.23.23 > www.example.com: icmp: echo request
19:44:00.304222 audit.example.com > www.example.com: icmp: echo request
19:44:00.304222 24.24.24.24 > www.example.com: icmp: echo request
ACK Probe
19:44:00.314222 23.23.23.23.38159 > www.example.com.http: . ack 0 win 1024
19:44:00.314222 audit.example.com.38159 > www.example.com.http: . ack 0 win 1024
19:44:00.314222 24.24.24.24.38159 > www.example.com.http: . ack 0 win 1024
Hey we got a live one here!@#$
19:44:00.324222 www.example.com.http > audit.example.com.38159: R 0:0(0) win 0 (DF)
SYN scan
19:44:00.394222 23.23.23.23.38139 > www.example.com.http: S 1559207492:1559207492(0) win 1024
19:44:00.394222 audit.example.com.38139 > www.example.com.http: S 1559207492:1559207492(0) win 1024
19:44:00.404222 24.24.24.24.38139 > www.example.com.http: S 1559207492:1559207492(0) win 1024
SYN+ACK response means open port here. We RST appropriately.
Note: If you use valid decoys they will RST as well.
19:44:00.424222 www.example.com.http > audit.example.com.38139: S 3305543706:3305543706(0) ack 1559207493 win 9112 (DF)
19:44:00.424222 audit.example.com.38139 > www.example.com.http: R 1559207493:1559207493(0) win 0
Interesting ports on www.example.com (1.1.1.1):
Port State Protocol Service
80 open tcp http
Nmap run completed -- 1 IP address (1 host up) scanned in 0 seconds
Decoys, OS detection
[audit ~]# nmap -sS -D23.23.23.23,ME,24.24.24.24 -O -p 80 www.example.com
Starting nmap V. 2.12 by Fyodor (fyodor@dhp.com, www.insecure.org/nmap/)
ICMP Probe
19:29:55.854222 23.23.23.23 > www.example.com: icmp: echo request
19:29:55.864222 audit.example.com > www.example.com: icmp: echo request
19:29:55.864222 24.24.24.24 > www.example.com: icmp: echo request
ACK Probe
19:29:55.864222 23.23.23.23.63836 > www.example.com.http: . ack 0 win 1024
19:29:55.874222 audit.example.com.63836 > www.example.com.http: . ack 0 win 1024
19:29:55.874222 24.24.24.24.63836 > www.example.com.http: . ack 0 win 1024
Wooop got your nose!@#$
19:29:55.884222 www.example.com.http > audit.example.com.63836: R 0:0(0) win 0 (DF)
SYN scan
19:29:55.954222 23.23.23.23.63816 > www.example.com.http: S 1315816470:1315816470(0) win 1024
19:29:55.964222 audit.example.com.63816 > www.example.com.http: S 1315816470:1315816470(0) win 1024
19:29:55.964222 24.24.24.24.63816 > www.example.com.http: S 1315816470:1315816470(0) win 1024
SYN+ACK response means open port here. We RST appropriately.
Note: If you use valid decoys they will RST as well.
19:29:55.974222 www.example.com.http > audit.example.com.63816: S 3191891171:3191891171(0) ack 1315816471 win 9112 (DF)
19:29:55.974222 audit.example.com.63816 > www.example.com.http: R 1315816471:1315816471(0) win 0
OS Detection (Solaris shown)
19:29:55.984222 23.23.23.23.63823 > www.example.com.http: S 3812808641:3812808641(0) win 1024
19:29:55.984222 audit.example.com.63823 > www.example.com.http: S 3812808641:3812808641(0) win 1024
19:29:55.984222 24.24.24.24.63823 > www.example.com.http: S 3812808641:3812808641(0) win 1024
19:29:55.984222 23.23.23.23.63824 > www.example.com.http: . win 1024
19:29:55.984222 audit.example.com.63824 > www.example.com.http: . win 1024
19:29:55.984222 24.24.24.24.63824 > www.example.com.http: . win 1024
19:29:55.994222 23.23.23.23.63825 > www.example.com.http: SFP 3812808641:3812808641(0) win 1024 urg 0
19:29:55.994222 audit.example.com.63825 > www.example.com.http: SFP 3812808641:3812808641(0) win 1024 urg 0
19:29:55.994222 24.24.24.24.63825 > www.example.com.http: SFP 3812808641:3812808641(0) win 1024 urg 0
19:29:55.994222 23.23.23.23.63826 > www.example.com.http: . ack 0 win 1024
19:29:55.994222 www.example.com.http > audit.example.com.63823: S 3192034216:3192034216(0) ack 3812808642 win 8855 (DF)
19:29:55.994222 audit.example.com.63823 > www.example.com.http: R 3812808642:3812808642(0) win 0
19:29:56.004222 audit.example.com.63826 > www.example.com.http: . ack 0 win 1024
19:29:56.004222 24.24.24.24.63826 > www.example.com.http: . ack 0 win 1024
19:29:56.004222 23.23.23.23.63827 > www.example.com.34599: S 3812808641:3812808641(0) win 1024
19:29:56.004222 audit.example.com.63827 > www.example.com.34599: S 3812808641:3812808641(0) win 1024
19:29:56.004222 24.24.24.24.63827 > www.example.com.34599: S 3812808641:3812808641(0) win 1024
19:29:56.004222 23.23.23.23.63828 > www.example.com.34599: . ack 0 win 1024
19:29:56.014222 audit.example.com.63828 > www.example.com.34599: . ack 0 win 1024
19:29:56.014222 24.24.24.24.63828 > www.example.com.34599: . ack 0 win 1024
19:29:56.014222 23.23.23.23.63829 > www.example.com.34599: FP 3812808641:3812808641(0) win 1024 urg 0
19:29:56.014222 audit.example.com.63829 > www.example.com.34599: FP 3812808641:3812808641(0) win 1024 urg 0
19:29:56.014222 24.24.24.24.63829 > www.example.com.34599: FP 3812808641:3812808641(0) win 1024 urg 0
19:29:56.014222 23.23.23.23.63816 > www.example.com.34599: udp 300
19:29:56.014222 www.example.com.http > audit.example.com.63826: R 0:0(0) win 0 (DF)
19:29:56.024222 audit.example.com.63816 > www.example.com.34599: udp 300
19:29:56.024222 24.24.24.24.63816 > www.example.com.34599: udp 300
19:29:56.634222 23.23.23.23.63824 > www.example.com.http: . win 1024
19:29:56.644222 audit.example.com.63824 > www.example.com.http: . win 1024
19:29:56.644222 24.24.24.24.63824 > www.example.com.http: . win 1024
19:29:56.644222 23.23.23.23.63825 > www.example.com.http: SFP 3812808641:3812808641(0) win 1024 urg 0
19:29:56.644222 audit.example.com.63825 > www.example.com.http: SFP 3812808641:3812808641(0) win 1024 urg 0
19:29:56.644222 24.24.24.24.63825 > www.example.com.http: SFP 3812808641:3812808641(0) win 1024 urg 0
19:29:56.644222 23.23.23.23.63827 > www.example.com.34599: S 3812808641:3812808641(0) win 1024
19:29:56.644222 audit.example.com.63827 > www.example.com.34599: S 3812808641:3812808641(0) win 1024
19:29:56.654222 24.24.24.24.63827 > www.example.com.34599: S 3812808641:3812808641(0) win 1024
19:29:56.654222 23.23.23.23.63828 > www.example.com.34599: . ack 1 win 1024
19:29:56.654222 audit.example.com.63828 > www.example.com.34599: . ack 1 win 1024
19:29:56.654222 24.24.24.24.63828 > www.example.com.34599: . ack 1 win 1024
19:29:56.654222 23.23.23.23.63829 > www.example.com.34599: FP 3812808641:3812808641(0) win 1024 urg 0
19:29:56.654222 audit.example.com.63829 > www.example.com.34599: FP 3812808641:3812808641(0) win 1024 urg 0
19:29:56.654222 24.24.24.24.63829 > www.example.com.34599: FP 3812808641:3812808641(0) win 1024 urg 0
19:29:56.664222 23.23.23.23.63816 > www.example.com.34599: udp 300
19:29:56.664222 audit.example.com.63816 > www.example.com.34599: udp 300
19:29:56.664222 24.24.24.24.63816 > www.example.com.34599: udp 300
Sequencing (hey with bsd TTCP and the Linux messup, who needs sequencing? :)
19:29:57.184222 23.23.23.23.63817 > www.example.com.http: S 3812808642:3812808642(0) win 1024
19:29:57.204222 audit.example.com.63817 > www.example.com.http: S 3812808642:3812808642(0) win 1024
19:29:57.214222 www.example.com.http > audit.example.com.63817: S 3192528068:3192528068(0) ack 3812808643 win 9112 (DF)
19:29:57.214222 audit.example.com.63817 > www.example.com.http: R 3812808643:3812808643(0) win 0
19:29:57.224222 24.24.24.24.63817 > www.example.com.http: S 3812808642:3812808642(0) win 1024
19:29:57.244222 23.23.23.23.63818 > www.example.com.http: S 3812808643:3812808643(0) win 1024
19:29:57.264222 audit.example.com.63818 > www.example.com.http: S 3812808643:3812808643(0) win 1024
19:29:57.274222 www.example.com.http > audit.example.com.63818: S 3192724219:3192724219(0) ack 3812808644 win 9112 (DF)
19:29:57.274222 audit.example.com.63818 > www.example.com.http: R 3812808644:3812808644(0) win 0
19:29:57.284222 24.24.24.24.63818 > www.example.com.http: S 3812808643:3812808643(0) win 1024
19:29:57.304222 23.23.23.23.63819 > www.example.com.http: S 3812808644:3812808644(0) win 1024
19:29:57.324222 audit.example.com.63819 > www.example.com.http: S 3812808644:3812808644(0) win 1024
19:29:57.334222 www.example.com.http > audit.example.com.63819: S 3192958008:3192958008(0) ack 3812808645 win 9112 (DF)
19:29:57.334222 audit.example.com.63819 > www.example.com.http: R 3812808645:3812808645(0) win 0
19:29:57.344222 24.24.24.24.63819 > www.example.com.http: S 3812808644:3812808644(0) win 1024
19:29:57.364222 23.23.23.23.63820 > www.example.com.http: S 3812808645:3812808645(0) win 1024
19:29:57.384222 audit.example.com.63820 > www.example.com.http: S 3812808645:3812808645(0) win 1024
19:29:57.394222 www.example.com.http > audit.example.com.63820: S 3193157286:3193157286(0) ack 3812808646 win 9112 (DF)
19:29:57.394222 audit.example.com.63820 > www.example.com.http: R 3812808646:3812808646(0) win 0
19:29:57.404222 24.24.24.24.63820 > www.example.com.http: S 3812808645:3812808645(0) win 1024
19:29:57.424222 23.23.23.23.63821 > www.example.com.http: S 3812808646:3812808646(0) win 1024
19:29:57.444222 audit.example.com.63821 > www.example.com.http: S 3812808646:3812808646(0) win 1024
19:29:57.454222 www.example.com.http > audit.example.com.63821: S 3193331920:3193331920(0) ack 3812808647 win 9112 (DF)
19:29:57.454222 audit.example.com.63821 > www.example.com.http: R 3812808647:3812808647(0) win 0
19:29:57.464222 24.24.24.24.63821 > www.example.com.http: S 3812808646:3812808646(0) win 1024
19:29:57.484222 23.23.23.23.63822 > www.example.com.http: S 3812808647:3812808647(0) win 1024
19:29:57.504222 audit.example.com.63822 > www.example.com.http: S 3812808647:3812808647(0) win 1024
19:29:57.514222 www.example.com.http > audit.example.com.63822: S 3193574611:3193574611(0) ack 3812808648 win 9112 (DF)
19:29:57.514222 audit.example.com.63822 > www.example.com.http: R 3812808648:3812808648(0) win 0
19:29:57.524222 24.24.24.24.63822 > www.example.com.http: S 3812808647:3812808647(0) win 1024
Interesting ports on www.example.com (1.1.1.1):
Port State Protocol Service
80 open tcp http
TCP Sequence Prediction: Class=random positive increments
Difficulty=25258 (Worthy challenge)
Remote operating system guess: Solaris 2.6 - 2.7
Nmap run completed -- 1 IP address (1 host up) scanned in 2 seconds
Thanks for reading, have fun!
@HWA
59.0 Security Focus: Incidents Summary
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
IV. INCIDENTS SUMMARY 1999-08-16 to 1999-08-22
------------------------------------------
1. investigating
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=75&date=1999-08-15&msg=002301bee915$8587b100$2b81fea9@tarleton.edu
2. kiddie attack via http
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=75&date=1999-08-15&thread=Pine.NEB.3.96.990819111619.20441B-100000@mach.unseen.org
3. Asaka (was Re: kiddie attack via http)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=75&date=1999-08-15&thread=37BC586C.42EF65E0@globalstar.com
4. Re: investigating
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=75&date=1999-08-15&msg=Pine.GSO.4.05.9908211843310.2417-100000@toutatis.comune.modena.it
60.0 Security Focus: Jobs
~~~~~~~~~~~~~~~~~~~~
V. SECURITY JOBS 1999-08-16 to 1999-08-22
-------------------------------------
Seeking Position:
1:Contact: jam smith <suidroot@email.com>
Qualifications:http://www.securityfocus.com/templates/archive.pike?list=77&date=1999-08-15&thread=385620377.935021596329.JavaMail.root@web09.mail.com
Date Posted: 1999-08-18
Seeking Staff:
2. Position: mid-level Network Security Engineer
Reply to: Chris Riley <riley@info-tools.com>
Position Requirements:
http://www.securityfocus.com/templates/archive.pike?list=77&date=1999-08-15&msg=37B825AD.8064E6F8@info-tools.com
Date Posted: 1999-08-16
3. Position: senior networking staff
Reply to: Vince Reed <vreed@mitre.org>
Position Requirements:
http://www.securityfocus.com/templates/archive.pike?list=77&date=1999-08-15&msg=v04210105b3e090fa310b@[128.29.230.9]
Date Posted: 1999-08-17
4. Position: Security Engineer
Reply to: Hal Lockhart <hal.lockhart@storagenetworks.com>
Position Requirements:
http://www.securityfocus.com/templates/archive.pike?list=77&date=1999-08-15&msg=9D8B3C643D2AD311BC8D00508B120BA40F5ACC@mahqexc01.storagenetworks.com
Date Posted: 1999-08-18
5. Position: Security Engineer
Reply to: Ben Keepper <bkeepper@home.com>
Position Requirements:
http://www.securityfocus.com/templates/archive.pike?list=77&date=1999-08-15&msg=000f01bee9f8$1903e740$d9990018@cv1.sdca.home.com
Date Posted: 1999-08-18
6. Position: Security Consultant
Reply to: Bryan Bushman <bryan.bushman@capitalone.com>
Position Requirements:
http://www.securityfocus.com/templates/archive.pike?list=77&date=1999-08-15&msg=0013A20F.4077@capitalone.com
Date Posted: 1999-08-18
7. Position: Network Security Administrator
Reply to: Wooldridge, Doug <doug.wooldridge@echostar.com>
Position Requirements:
http://www.securityfocus.com/templates/archive.pike?list=77&date=1999-08-15&msg=35AB03C74901D2119DAA00A0C9B6A1FB9576DD@exchange5.echostar.com
Date Posted: 1999-08-19
8. Position: Project Leader, Team Leader, and Security Engineers
Reply to: Eric Maiwald <maiwalde@fortrex.com>
Position Requirements:
http://www.securityfocus.com/templates/archive.pike?list=77&date=1999-08-15&msg=Pine.GSO.3.96.990820141043.8181A-100000@ss5.fred.net
Date Posted: 1999-08-20
@HWA
-=----------=- -=----------=- -=----------=- -=----------=-
O
0
o
O O O
0
-=----------=- -=----------=- -=----------=- -=----------=- -=----------=-
END of main news articles content... read on for ads, humour, hacked websites etc
-=----------=- -=----------=- -=----------=- -=----------=- -=----------=-
HWA.hax0r.news
AD.S ADVERTI$ING. The HWA black market ADVERTISEMENT$.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
*****************************************************************************
* *
* ATTRITION.ORG http://www.attrition.org *
* ATTRITION.ORG Advisory Archive, Hacked Page Mirror *
* ATTRITION.ORG DoS Database, Crypto Archive *
* ATTRITION.ORG Sarcasm, Rudeness, and More. *
* *
*****************************************************************************
www.2600.com www.freekevin.com www.kevinmitnick.com www.2600.com www.freekevi
n.com www.kevinmitnick.com www.2600.com www.freekevin.com www.kevinmitnick.co
m www.2600.com ########################################ww.2600.com www.freeke
vin.com www.kev# Support 2600.com and the Free Kevin #.com www.kevinmitnick.
com www.2600.co# defense fund site, visit it now! . # www.2600.com www.free
kevin.com www.k# FREE KEVIN! #in.com www.kevinmitnic
k.com www.2600.########################################om www.2600.com www.fre
ekevin.com www.kevinmitnick.com www.2600.com www.freekevin.com www.kevinmitnic
k.com www.2600.com www.freekevin.com www.kevinmitnick.com www.2600.com www.fre
<a href="www.2600.com</a">http://www.2600.com/">www.2600.com</a>
<a href="http://www.kevinmitnick.com></a>
+-----------------------------------------------------------------------------+
| SmoG Alert .. http://smog.cjb.net/ NEWS on SCIENCE |
| =================== http://smog.cjb.net/ NEWS on SECURITY |
| NEWS/NEWS/NEWS/NEWS http://smog.cjb.net/ NEWS on THE NET |
| http://smog.cjb.net/ NEWS on TECHNOLOGY |
+-----------------------------------------------------------------------------+
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
* www.csoft.net webhosting, shell, unlimited hits bandwidth ... www.csoft.net *
* www.csoft.net www.csoft.net www.csoft.net www.csoft.net www.csoft.net *
<a href="One">http://www.csoft.net">One of our sponsers, visit them now</a> www.csoft.net
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
* WWW.BIZTECHTV.COM/PARSE WEDNESDAYS AT 4:30PM EST, HACK/PHREAK CALL-IN WEBTV *
* JOIN #PARSE FOR LIVE PARTICIPATION IN SHOW CHAT OR THE WEBCHAT, AND WEBBOARD*
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
* WWW.2600.COM OFF THE HOOK LIVE NETCAST'S TUES SIMULCAST ON WBAI IN NYC @8PM *
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
//////////////////////////////////////////////////////////////////////////////
// To place an ad in this section simply type it up and email it to //
// hwa@press,usmc.net, put AD! in the subject header please. - Ed //
//////////////////////////////////////////////////////////////////////////////
@HWA
HA.HA Humour and puzzles ...etc
~~~~~~~~~~~~~~~~~~~~~~~~~
Don't worry. worry a *lot*
Send in submissions for this section please! ............
An oldie but goodie, noone's sending in submissions,
c'mon you know you wanna...- Ed
A Guide to Internet Security: Becoming an Uebercracker
and Becoming an UeberAdmin to stop Uebercrackers.
Author: Christopher Klaus <cklaus@shadow.net>
Date: December 5th, 1993.
Version: 1.1
This is a paper will be broken into two parts, one showing 15 easy steps
to becoming a uebercracker and the next part showing how to become a
ueberadmin and how to stop a uebercracker. A uebercracker is a term phrased
by Dan Farmer to refer to some elite (cr/h)acker that is practically
impossible to keep out of the networks.
Here's the steps to becoming a uebercracker.
Step 1. Relax and remain calm. Remember YOU are a Uebercracker.
Step 2. If you know a little Unix, you are way ahead of the crowd and skip
past step 3.
Step 3. You may want to buy Unix manual or book to let you know what
ls,cd,cat does.
Step 4. Read Usenet for the following groups: alt.irc, alt.security,
comp.security.unix. Subscribe to Phrack@well.sf.ca.us to get a background
in uebercracker culture.
Step 5. Ask on alt.irc how to get and compile the latest IRC client and
connect to IRC.
Step 6. Once on IRC, join the #hack channel. (Whew, you are half-way
there!)
Step 7. Now, sit on #hack and send messages to everyone in the channel
saying "Hi, Whats up?". Be obnoxious to anyone else that joins and asks
questions like "Why cant I join #warez?"
Step 8. (Important Step) Send private messages to everyone asking for new
bugs or holes. Here's a good pointer, look around your system for binary
programs suid root (look in Unix manual from step 3 if confused). After
finding a suid root binary, (ie. su, chfn, syslog), tell people you have a
new bug in that program and you wrote a script for it. If they ask how it
works, tell them they are "layme". Remember, YOU are a UeberCracker. Ask
them to trade for their get-root scripts.
Step 9. Make them send you some scripts before you send some garbage file
(ie. a big core file). Tell them it is encrypted or it was messed up and
you need to upload your script again.
Step 10. Spend a week grabbing all the scripts you can. (Dont forget to be
obnoxious on #hack otherwise people will look down on you and not give you
anything.)
Step 11. Hopefully you will now have atleast one or two scripts that get
you root on most Unixes. Grab root on your local machines, read your
admin's mail, or even other user's mail, even rm log files and whatever
temps you. (look in Unix manual from step 3 if confused).
Step 12. A good test for true uebercrackerness is to be able to fake mail.
Ask other uebercrackers how to fake mail (because they have had to pass the
same test). Email your admin how "layme" he is and how you got root and how
you erased his files, and have it appear coming from satan@evil.com.
Step 13. Now, to pass into supreme eliteness of uebercrackerness, you brag
about your exploits on #hack to everyone. (Make up stuff, Remember, YOU are
a uebercracker.)
Step 14. Wait a few months and have all your notes, etc ready in your room
for when the FBI, Secret Service, and other law enforcement agencies
confinscate your equipment. Call eff.org to complain how you were innocent
and how you accidently gotten someone else's account and only looked
because you were curious. (Whatever else that may help, throw at them.)
Step 15. Now for the true final supreme eliteness of all uebercrackers, you
go back to #hack and brag about how you were busted. YOU are finally a
true Uebercracker.
Now the next part of the paper is top secret. Please only pass to trusted
administrators and friends and even some trusted mailing lists, Usenet
groups, etc. (Make sure no one who is NOT in the inner circle of security
gets this.)
This is broken down on How to Become an UeberAdmin (otherwise know as a
security expert) and How to stop Uebercrackers.
Step 1. Read Unix manual ( a good idea for admins ).
Step 2. Very Important. chmod 700 rdist; chmod 644 /etc/utmp. Install
sendmail 8.6.4. You have probably stopped 60 percent of all Uebercrackers
now. Rdist scripts is among the favorites for getting root by
uebercrackers.
Step 3. Okay, maybe you want to actually secure your machine from the
elite Uebercrackers who can break into any site on Internet.
Step 4. Set up your firewall to block rpc/nfs/ip-forwarding/src routing
packets. (This only applies to advanced admins who have control of the
router, but this will stop 90% of all uebercrackers from attempting your
site.)
Step 5. Apply all CERT and vendor patches to all of your machines. You have
just now killed 95% of all uebercrackers.
Step 6. Run a good password cracker to find open accounts and close them.
Run tripwire after making sure your binaries are untouched. Run tcp_wrapper
to find if a uebercracker is knocking on your machines. Run ISS to make
sure that all your machines are reasonably secure as far as remote
configuration (ie. your NFS exports and anon FTP site.)
Step 7. If you have done all of the following, you will have stopped 99%
of all uebercrackers. Congrads! (Remember, You are the admin.)
Step 8. Now there is one percent of uebercrackers that have gained
knowledge from reading some security expert's mail (probably gained access
to his mail via NFS exports or the guest account. You know how it is, like
the mechanic that always has a broken car, or the plumber that has the
broken sink, the security expert usually has an open machine.)
Step 9. Here is the hard part is to try to convince these security experts
that they are not so above the average citizen and that by now giving out
their unknown (except for the uebercrackers) security bugs, it would be a
service to Internet. They do not have to post it on Usenet, but share
among many other trusted people and hopefully fixes will come about and
new pressure will be applied to vendors to come out with patches.
Step 10. If you have gained the confidence of enough security experts,
you will know be a looked upto as an elite security administrator that is
able to stop most uebercrackers. The final true test for being a ueberadmin
is to compile a IRC client, go onto #hack and log all the bragging and
help catch the uebercrackers. If a uebercracker does get into your system,
and he has used a new method you have never seen, you can probably tell
your other security admins and get half of the replies like - "That bug
been known for years, there just isn't any patches for it yet. Here's my
fix." and the other half of the replies will be like - "Wow. That is very
impressive. You have just moved up a big notch in my security circle."
VERY IMPORTANT HERE: If you see anyone in Usenet's security newsgroups
mention anything about that security hole, Flame him for discussing it
since it could bring down Internet and all Uebercrackers will now have it
and the million other reasons to keep everything secret about security.
Well, this paper has shown the finer details of security on Internet. It has
shown both sides of the coin. Three points I would like to make that would
probably clean up most of the security problems on Internet are as the
following:
1. Vendors need to make security a little higher than zero in priority.
If most vendors shipped their Unixes already secure with most known bugs
that have been floating around since the Internet Worm (6 years ago) fixed
and patched, then most uebercrackers would be stuck as new machines get
added to Internet. (I believe Uebercracker is german for "lame copy-cat
that can get root with 3 year old bugs.") An interesting note is that
if you probably check the mail alias for "security@vendor.com", you will
find it points to /dev/null. Maybe with enough mail, it will overfill
/dev/null. (Look in manual if confused.)
2. Security experts giving up the attitude that they are above the normal
Internet user and try to give out information that could lead to pressure
by other admins to vendors to come out with fixes and patches. Most
security experts probably don't realize how far their information has
already spread.
3. And probably one of the more important points is just following the
steps I have outlined for Stopping a Uebercracker.
Resources for Security:
Many security advisories are available from anonymous ftp cert.org.
Ask archie to find tcp_wrapper, security programs. For more information
about ISS (Internet Security Scanner), email cklaus@shadow.net.
Acknowledgements:
Thanks to the crew on IRC, Dan Farmer, Wietse Venema, Alec Muffet, Scott
Miles, Scott Yelich, and Henri De Valois.
Copyright:
This paper is Copyright 1993, 1994. Please distribute to only trusted
people. If you modify, alter, disassemble, reassemble, re-engineer or have
any suggestions or comments, please send them to:
cklaus@shadow.net
@HWA
SITE.1
#1 http://whitehats.com/
This is a newish security site (at least its new to me) that has many IDS signatures
online for download for use with SNORT (a gnu IDS tool) also a good discussion on the
NMAP tool's ability to scan undetected by the target host (see #58). - Ed
#2 http://www.immortalz.com/
New security site reborn with a new layout will be up within a week, check it out ...
soon to mirror the HWA zine too. ;-)
@HWA
H.W Hacked websites
~~~~~~~~~~~~~~~~
Note: The hacked site reports stay, especially with some cool hits by
groups like *H.A.R.P, go get em boyz racism is a mugs game! - Ed
* Hackers Against Racist Propaganda (See issue #7)
Haven't heard from Catharsys in a while for those following their saga visit
http://frey.rapidnet.com/~ptah/ for 'the story so far'...
Latest cracked pages courtesy of attrition.org
[99.08.23] NT [ ] MediaMark (www.mediamark.com)
[99.08.23] So [bl0w team] Thinking Pictures, Inc. (www.thinkpix.com)
[99.08.23] So [bl0w team] Rock.com's Rolling Stone's Web site (www.stones.com)
[99.08.23] NT [v00d00] Odin Radiators (www.odinradiators.com.au)
[99.08.23] BI [team_hM] Monica Lewinsky's site (www.monicalewinsky.com)
[99.08.23] NT [139_r00ted] Concept Reseau (www.concept-reseau.fr)
[99.08.23] Li [Uneek Tech] Ruchi Group (www.ruchigroup.com)
[99.08.23] NT [139_r00ted] Phoenix Data Systems (www.phoenixds.at)
[99.08.23] NT [139_r00ted] Concept Reseau (www.concept-reseau.fr)
[99.08.23] Li [Uneek Tech] Ruchi Group (www.ruchigroup.com)
[99.08.23] NT [139_r00ted] Phoenix Data Systems (www.phoenixds.at)
[99.08.25] NT [wkD] PC Guk (www.pcguk.com)
[99.08.25] [DISO] Nullsoft SHOUTcast (yp.shoutcast.com)
[99.08.24] Ir [Uneek Tech] Aston Packaging (www.astonpackaging.co.uk)
[99.08.24] Ir [Uneek Tech] All Art (www.allart.co.uk)
[99.08.24] NT [ ] 1st Stop Inc (www.1ststopinc.com)
[99.08.24] NT [139_r00ted] Scanres (SE) (www.scanres.se)
[99.08.24] Li [GOD] #2 Madison Square Garden (www.thegarden.com)
[99.08.26] [HwC] M Zipper (www.zipper.de)
[99.08.26] NT [aL3X] M Cindy Jackson (www.cindyjackson.co.uk)
[99.08.26] Li [stormtrooper] Red Hat Indonesia (www.redhat.or.id)
[99.08.26] Fb [ ] No Such Agency (www.nsa.org)
[99.08.26] NT [Fuby] CyberElf (www.cyberelf.com)
[99.08.26] Fb [ ] Official Web site of Limp Bizkit
(www.limpbizkit.com)
[99.08.26] So [ ] Cornell Theory Center
(cedar.tc.cornell.edu)
[99.08.26] [wkD] M Lookie Here (lookiehere.com)
[99.08.26] [ ] OE Pages (www.oe-pages.com)
[99.08.26] NT [cynic] Peter Mueller's Web Site
(www.petermueller.com)
[99.08.26] NT [v00d00] WoodSBC (www.woodsbc.com.au)
[99.08.25] [ ] TLM (www.tlm.com.br)
[99.08.25] NT [139_r00ted] M IT Media Design (www.itmediadesign.com)
[99.08.25] NT [Uneek Tech] Tomrods LTD Steel Stockholders (www.tomrods.co.uk)
[99.08.25] Ir [Uneek Tech] Sescoi (www.sescoi.co.uk)
[99.08.25] NT [Uneek Tech] Litho Supplies (www.litho.co.uk)
[99.08.26] [HwC] M Zipper (www.zipper.de)
[99.08.26] NT [aL3X] M Cindy Jackson (www.cindyjackson.co.uk)
[99.08.26] Li [stormtrooper] Red Hat Indonesia (www.redhat.or.id)
[99.08.26] Fb [ ] No Such Agency (www.nsa.org)
[99.08.26] NT [Fuby] CyberElf (www.cyberelf.com)
[99.08.26] Fb [ ] Official Web site of Limp Bizkit (www.limpbizkit.com)
[99.08.26] So [ ] Cornell Theory Center (cedar.tc.cornell.edu)
[99.08.26] [wkD] M Lookie Here (lookiehere.com)
[99.08.26] [ ] OE Pages (www.oe-pages.com)
[99.08.26] NT [cynic] Peter Mueller's Web Site (www.petermueller.com)
[99.08.26] NT [v00d00] WoodSBC (www.woodsbc.com.au)
[99.08.25] [ ] TLM (www.tlm.com.br)
[99.08.25] NT [139_r00ted] M IT Media Design (www.itmediadesign.com)
[99.08.25] NT [Uneek Tech] Tomrods LTD Steel Stockholders (www.tomrods.co.uk)
[99.08.25] Ir [Uneek Tech] Sescoi (www.sescoi.co.uk)
[99.08.25] NT [Uneek Tech] Litho Supplies (www.litho.co.uk)
Defaced: http://www.cmtc.7atc.army.mil/ (7th Army Training Command, Bavaria, Germany)
By: 139_rooted
Mirror: http://www.attrition.org/mirror/attrition/mil/www.cmtc.7atc.army.mil/
OS: NT
Hacked: http://vax.mtc.irisz.hu
By: Elfoscuro
Mirror: http://www.attrition.org/mirror/attrition/hu/vax.mtc.irisz.hu/
OS: NT
Defaced: http://www.mndm.gov.on.ca
Ontario Ministry of Northern Development and Mines
By: Sarin
Mirror: http://www.attrition.org/mirror/attrition/ca/www.mndm.gov.on.ca
OS: NT
Hacked: http://www.thegarden.com (Madison Square Garden)
By: Kindred Hackers
Mirror: http://www.attrition.org/mirror/attrition/com/www.thegarden.com/
OS: Linux
Hacked: http://www.webdoctor.com
By: Sistom
Mirror: http://www.attrition.org/mirror/attrition/com/www.webdoctor.com/
OS: Linux
Hacked: http://www.uis.wayne.edu
By: Unknown
Mirror: http://www.attrition.org/mirror/attrition/edu/www.uis.wayne.edu/
OS: NT
---
Hacked: http://www.prim-nov.si
By: Mozy
Mirror: http://www.attrition.org/mirror/attrition/si/www.prim-nov.si/
OS: NT
This is the first Web defacement for the country of Slovenia. Slovenia
is surrounded by Austria to the northwest, Hungary to the northeast,
Italy to the west, and Croatia to the southeast.
More info about Slovenia here:
http://www.odci.gov/cia/publications/factbook/si.html
---
Hacked: http://vax.mtc.irisz.hu
By: Elfoscuro
Mirror: http://www.attrition.org/mirror/attrition/hu/vax.mtc.irisz.hu/
OS: NT
Hacked: http://mp3town.com
By: w4t0
Mirror: http://www.attrition.org/mirror/attrition/com/mp3town.com/
OS: Linux
Hacked: http://www.westga.edu
By: W4t0
Mirror: http://www.attrition.org/mirror/attrition/edu/www.westga.edu/
OS: Solaris
Ontario Ministry of Northern Development and Mines
(www.mndm.gov.on.ca)
Zipper (www.zipper.de)
Cindy Jackson (www.cindyjackson.co.uk)
Red Hat Indonesia (www.redhat.or.id)
No Such Agency (www.nsa.org)
CyberElf (www.cyberelf.com)
Official Web site of Limp Bizkit (www.limpbizkit.com)
Cornell Theory Center (cedar.tc.cornell.edu)
Lookie Here (lookiehere.com)
OE Pages (www.oe-pages.com)
Peter Mueller's Web Site (www.petermueller.com)
WoodSBC (www.woodsbc.com.au)
TLM (www.tlm.com.br)
IT Media Design (www.itmediadesign.com)
Tomrods LTD Steel Stockholders (www.tomrods.co.uk)
Sescoi (www.sescoi.co.uk)
The message from the Monica Lewinsky hack;
Greetings bastards.
Over the last few months, we have been lead to believe that Slobodan Milosevic , the leader of the former Yugoslavia is the worst violator of Human Rights in the
world. Well, that isn't an entirely true statement. Although Slobodan Milosevic is a huge violator of Human Rights, there is a much bigger problem in China, and it's
been going on for decades. However, the politicians of America decide to overlook their violations just because of large campaign contributions and trade value.
Since the days of the Carter administration China has been openly abusing its people. They limit how many children a family can have , and how the people can live
their lives. The Chinese government kills anyone who opposes or speaks out against it. The Chinese government defies international Human Rights laws openly and
admits to it. The Chinese government has a worse Human Rights record than Slobodan Milosevic , yet nobody questions them. Just last month , its been reported
that political prisoners in China have been subjected to sexual tortures and later executed. In fact, earlier this month, President Clinton actually had Chinese Premier
Zhu Rongji to the white house for talks on entering the World Trade Organization.Bill Clinton even said at a press confrence with China's Premier Zhu Rongji ,"We
honor China's remarkable achievements, its greater prosperity and the greater range of personal choices available to its citizens, as well as the movement toward
local democracy". When in fact there has been no change in China's view of human rights. The Chinese Government has placed severe restrictions on freedom of
speech, the press, assembly, association, religion, privacy, as well as worker rights. Also , China has the most favored nation trade status. All of this has a lot of
people wondering why there is a war in Yugoslavia , but none in China. However the answer to that is all too apparent , greed. It is true that Slobodan Milosevic,
and his army, are carrying out horrible acts against people. They aren't being condoned at all. But, China engages in these same activities on a much larger scale, and
just because they have money it's deemed acceptable by American political and corporate interests. Bill Clinton was eager to wage war when it would take the focus
off of his bedroom practices, but he isn't so eager to do so when it will cost him valuable campaign contributions, and who knows what else. The Chinese people
have attempted to cry out for help through The Internet and televison shows. However those caught emailing anyone outside of China are immediately imprisoned .
Chinese Internet access is limited very strictly to pro-chinese sites, the government prevents anyone inside China from viewing anything else by cutting off the outside
Internet. This is comparative to Slobodan Milosevic's use of the television to only display movies and shows which he chooses, or for him to spread political lies
about other nations. However , there is one difference between China and Yugoslavia's use of censorship. China is a valuable trade nation, so there's must be all right
, at least that's the message that is sent out by the United States Government. A lot of Human Rights are asking how these two nations , with very similar tendencies
can be treated so much differently. Perhaps if China would have been the only ones in violation around the time of the Monica Lewinsky scandal things would be
different. Or perhaps if they didn't have so many large investments in American corporations and government they would be being punished for their actions. It's
terrible that Human Rights is like a commodity , to be sold to the highest bidder. In the end it all seems to be just another example of money controlling everything.
As long as someone turns a profit, it's acceptable. But what if someone were getting right, by letting your government mistreat and abuse you? You would probably
expect someone to stand up and defend you. But how can anyone expect that if they wont extend the same courtesy to someone else? Innocent people are allowed
to be executed and persecuted just because their government can pay for it. It saddens me deeply to see that more people haven't taken a stand against the Chinese.
But most people figure that since it isn't them it doesn't really happen. They think that if it were really that bad , something would have been done about it. They don't
have the time to worry about other people. They sit back and watch the Politicians of America line their pockets with the blood of the Chinese people. It's become
more and more apparent that society has no regard for the feelings and well being of others. But what if your freedom and rights were just dollars in someone else's
pocket, and you lived as the Chinese people do. Things would probably be a little different then, at least in your eyes.
another fine message brought to you by team_hM
nEoGoD
and more sites at the attrition cracked web sites mirror:
http://www.attrition.org/mirror/attrition/index.html
-------------------------------------------------------------------------
A.0 APPENDICES
_________________________________________________________________________
A.1 PHACVW, sekurity, security, cyberwar links
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The links are no longer maintained in this file, there is now a
links section on the http://welcome.to/HWA.hax0r.news/ url so check
there for current links etc.
The hack FAQ (The #hack/alt.2600 faq)
http://www-personal.engin.umich.edu/~jgotts/underground/hack-faq.html
Hacker's Jargon File (The quote file)
http://www.lysator.liu.se/hackdict/split2/main_index.html
New Hacker's Jargon File.
http://www.tuxedo.org/~esr/jargon/
HWA.hax0r.news Mirror Sites around the world:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://www.attrition.org/hosted/hwa/
http://www.attrition.org/~modify/texts/zines/HWA/
http://www.hackunlimited.com/files/secu/papers/hwa/ ** NEW **
http://www.ducktank.net/hwa/issues.html. ** NEW **
http://www.alldas.de/hwaidx1.htm ** NEW **
http://www.csoft.net/~hwa/
http://www.digitalgeeks.com/hwa.*DOWN*
http://members.tripod.com/~hwa_2k
http://welcome.to/HWA.hax0r.news/
http://www.attrition.org/~modify/texts/zines/HWA/
http://archives.projectgamma.com/zines/hwa/.
http://www.403-security.org/Htmls/hwa.hax0r.news.htm
http://viper.dmrt.com/files/=E-Zines/HWA.hax0r.news/
http://hwa.hax0r.news.8m.com/
http://www.fortunecity.com/skyscraper/feature/103/
International links:(TBC)
~~~~~~~~~~~~~~~~~~~~~~~~~
Foreign correspondants and others please send in news site links that
have security news from foreign countries for inclusion in this list
thanks... - Ed
Belgium.......: http://bewoner.dma.be/cum/
Brasil........: http://www.psynet.net/ka0z
http://www.elementais.cjb.net
Canada .......: http://www.hackcanada.com
Columbia......: http://www.cascabel.8m.com
http://www.intrusos.cjb.net
Finland ........http://hackunlimited.com/
Germany ........http://www.alldas.de/
http://www.security-news.com/
Indonesia.....: http://www.k-elektronik.org/index2.html
http://members.xoom.com/neblonica/
http://hackerlink.or.id/
Netherlands...: http://security.pine.nl/
Russia........: http://www.tsu.ru/~eugene/
Singapore.....: http://www.icepoint.com
South Africa ...http://www.hackers.co.za
http://www.hack.co.za
http://www.posthuman.za.net
Turkey........: http://www.trscene.org - Turkish Scene is Turkey's first and best security related e-zine.
.za (South Africa) sites contributed by wyzwun tnx guy...
Got a link for this section? email it to hwa@press.usmc.net and i'll
review it and post it here if it merits it.
@HWA
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-
--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--
© 1998, 1999 (c) Cruciphux/HWA.hax0r.news <tm> (R) { w00t }
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-
--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-
[ 28 63 29 20 31 39 39 39 20 63 72 75 63 69 70 68 75 78 20 68 77 61 ]
[45:6E:64]-[28:63:29:31:39:39:38:20:68:77:61:20:73:74:65:76:65]
