
hwa-hn46

Published in HWA · 26 Apr 2019

  


[63 29 20 31 39 39 39 20 63 72 75 63 69 70 68 75 78 20 68 77 61 ]
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=
==========================================================================
= <=-[ HWA.hax0r.news ]-=> =
==========================================================================
[=HWA'99/2000=] Number 46 Volume 1 1999 Dec 12th 99
==========================================================================
[ 61:20:6B:69:64:20:63:6F:75: ]
[ 6C:64:20:62:72:65:61:6B:20:74:68:69:73: ]
[ 20:22:65:6E:63:72:79:70:74:69:6F:6E:22:! ]
==========================================================================

"This newsletter/ezine has been Declassified for the phearing impaired"


____
/ ___|_____ _____ _ __ __ _ __ _ ___
| | / _ \ \ / / _ \ '__/ _` |/ _` |/ _ \
| |__| (_) \ V / __/ | | (_| | (_| | __/
\____\___/ \_/ \___|_| \__,_|\__, |\___|
|___/

This is #46 covering Dec 6th to Dec 12th
(** #47 covers Dec 13th to 19th)

==========================================================================

"ABUSUS NON TOLLIT USUM"

==========================================================================

Mailing list members: 447 Can we bump this up somewhat? spread the word!

==========================================================================


Today the spotlight may be on you, some interesting machines that
have accessed these archives recently...

_ _ _
| | | | ___ | |_
| |_| |/ _ \| __|
| _ | (_) | |_
|_| |_|\___/ \__|
_ _ _ _
| | | (_) |
| |__| |_| |_ ___
| __ | | __/ __|
| | | | | |_\__ \
|_| |_|_|\__|___/

.gov and .mil activity





There are some interesting machines among these, the *.nosc.mil boxes are
from SPAWAR information warfare centres, good to see our boys keeping up
with the news... - Ed

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=


_ ___ ___ _ ___
| | | \ \ / / \ | |__ __ ___ __/ _ \ _ __ _ __ _____ _____
| |_| |\ \ /\ / / _ \ | '_ \ / _` \ \/ / | | | '__| '_ \ / _ \ \ /\ / / __|
| _ | \ V V / ___ \ _| | | | (_| |> <| |_| | |_ | | | | __/\ V V /\__ \
|_| |_| \_/\_/_/ \_(_)_| |_|\__,_/_/\_\\___/|_(_)|_| |_|\___| \_/\_/ |___/




=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=

http://welcome.to/HWA.hax0r.news/

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=


@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@
# #
@ The HWA website is sponsored by CUBESOFT communications I highly @
# recommend you consider these people for your web hosting needs, #
@ @
# Web site sponsored by CUBESOFT networks http://www.csoft.net #
@ check them out for great fast web hosting! @
# #
# http://www.csoft.net/~hwa @
@ #
@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=


_ _ _ _ _____ _ _ _
| | | | __ _ ___| | _____ _ __( )__| ____| |_| |__ (_) ___
| |_| |/ _` |/ __| |/ / _ \ '__|/ __| _| | __| '_ \| |/ __|
| _ | (_| | (__| < __/ | \__ \ |___| |_| | | | | (__
|_| |_|\__,_|\___|_|\_\___|_| |___/_____|\__|_| |_|_|\___|



Sadly, due to the traditional ignorance and sensationalizing of the mass
media, the once-noble term hacker has become a pejorative.

Among true computer people, being called a hacker is a compliment. One of
the traits of the true hacker is a profoundly antibureaucratic and
democratic spirit. That spirit is best exemplified by the Hacker's Ethic.

This ethic was best formulated by Steven Levy in his 1984 book Hackers:
Heroes of the Computer Revolution. Its tenets are as follows:

1 - Access to computers should be unlimited and total.
2 - All information should be free.
3 - Mistrust authority - promote decentralization.
4 - Hackers should be judged by their hacking not bogus criteria such as
degrees, age, race, or position.
5 - You create art and beauty on a computer.
6 - Computers can change your life for the better.

The Internet as a whole reflects this ethic.


=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=


_____ _ _ _
| ___|__ _ __ _ __ ___ __ _| |_| |_(_)_ __ __ _
| |_ / _ \| '__| '_ ` _ \ / _` | __| __| | '_ \ / _` |
| _| (_) | | | | | | | | (_| | |_| |_| | | | | (_| |
|_| \___/|_| |_| |_| |_|\__,_|\__|\__|_|_| |_|\__, |
|___/

A Comment on FORMATTING:


Oct'99 - Started 80 column mode format, code is still left
untouched since formatting will destroy syntax.


I received an email recently about the formatting of this
newsletter, suggesting that it be formatted to 75 columns
in the past I've endeavoured to format all text to 80 cols
except for articles and site statements and urls which are
posted verbatim, I've decided to continue with this method
unless more people complain, the zine is best viewed in
1024x768 mode with UEDIT.... - Ed

BTW if anyone can suggest a better editor than UEDIT for
this thing send me some email i'm finding it lacking in
certain areas. Must be able to produce standard ascii.


=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=

__ __ _
| \/ (_)_ __ _ __ ___ _ __ ___
| |\/| | | '__| '__/ _ \| '__/ __|
| | | | | | | | | (_) | | \__ \
|_| |_|_|_| |_| \___/|_| |___/




New mirror sites

*** http://viper.dmrt.com/files/=E-Zines/HWA.hax0r.news/ ***
http://datatwirl.intranova.net * NEW *
http://the.wiretapped.net/security/textfiles/hWa.hax0r.news/
http://net-security.org/hwahaxornews
http://www.sysbreakers.com/hwa
http://www.attrition.org/hosted/hwa/
http://www.ducktank.net/hwa/issues.html.
http://hwazine.cjb.net/
http://www.hackunlimited.com/files/secu/papers/hwa/
http://www.attrition.org/~modify/texts/zines/HWA/

* http://hwa.hax0r.news.8m.com/
* http://www.fortunecity.com/skyscraper/feature/103/

* Crappy free sites but they offer 20M & I need the space...
** Some issues are not located on these sites since they exceed
the file size limitations imposed by the sites :-( please
only use these if no other recourse is available.

*** Most likely to be up to date other than the main site.



HWA.hax0r.news is sponsored by Cubesoft communications www.csoft.net
thanks to airportman for the Cubesoft bandwidth. Also shouts out to all
our mirror sites! and p0lix for the (now expired) digitalgeeks archive
tnx guys.

http://www.csoft.net/~hwa


HWA.hax0r.news Mirror Sites:
~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://the.wiretapped.net/security/textfiles/hWa.hax0r.news/
http://www.attrition.org/hosted/hwa/
http://www.attrition.org/~modify/texts/zines/HWA/
http://www.ducktank.net/hwa/issues.html. ** NEW **
http://www.alldas.de/hwaidx1.htm ** NEW ** CHECK THIS ONE OUT **
http://www.csoft.net/~hwa/
http://www.digitalgeeks.com/hwa. *DOWN*
http://members.tripod.com/~hwa_2k
http://welcome.to/HWA.hax0r.news/
http://www.attrition.org/~modify/texts/zines/HWA/
http://www.projectgamma.com/archives/zines/hwa/
http://www.403-security.org/Htmls/hwa.hax0r.news.htm

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=




____ _
/ ___| _ _ _ __ ___ _ __ ___(_)___
\___ \| | | | '_ \ / _ \| '_ \/ __| / __|
___) | |_| | | | | (_) | |_) \__ \ \__ \
|____/ \__, |_| |_|\___/| .__/|___/_|___/
|___/ |_|



SYNOPSIS (READ THIS)
--------------------

The purpose of this newsletter is to 'digest' current events of interest
that affect the online underground and netizens in general. This includes
coverage of general security issues, hacks, exploits, underground news
and anything else I think is worthy of a look see. (remember i'm doing
this for me, not you, the fact some people happen to get a kick/use
out of it is of secondary importance).

This list is NOT meant as a replacement for, nor to compete with, the
likes of publications such as CuD or PHRACK or with news sites such as
AntiOnline, the Hacker News Network (HNN) or mailing lists such as
BUGTRAQ or ISN nor could any other 'digest' of this type do so.

It *is* intended however, to complement such material and provide a
reference to those who follow the culture by keeping tabs on as many
sources as possible and providing links to further info, its a labour
of love and will be continued for as long as I feel like it, i'm not
motivated by dollars or the illusion of fame, did you ever notice how
the most famous/infamous hackers are the ones that get caught? there's
a lot to be said for remaining just outside the circle... <g>



@HWA

=-----------------------------------------------------------------------=

Welcome to HWA.hax0r.news ...

=-----------------------------------------------------------------------=



We could use some more people joining the channel, its usually pretty
quiet, we don't bite (usually) so if you're hanging out on irc stop
by and idle a while and say hi...

**************************************************************************


____| _| |
__| | __ \ _ \ __|
| __| | | __/ |
_____|_| _| _|\___|\__|


Eris Free Net #HWA.hax0r.news

**************************************************************************
*** /join #HWA.hax0r.news on EFnet the key is `zwen' when keyed ***
*** ***
*** please join to discuss or impart news on from the zine and around ***
*** the zine or just to hang out, we get some interesting visitors you ***
*** could be one of em. ***
*** ***
*** Note that the channel isn't there to entertain you its purpose is ***
*** to bring together people interested and involved in the underground***
*** to chat about current and recent events etc, do drop in to talk or ***
*** hangout. Also if you want to promo your site or send in news tips ***
*** its the place to be, just remember we're not #hack or #chatzone... ***
**************************************************************************






=--------------------------------------------------------------------------=


_____ _ _
/ ____| | | | |
| | ___ _ __ | |_ ___ _ __ | |_ ___
| | / _ \| '_ \| __/ _ \ '_ \| __/ __|
| |___| (_) | | | | || __/ | | | |_\__ \
\_____\___/|_| |_|\__\___|_| |_|\__|___/



=--------------------------------------------------------------------------=
[ INDEX ]
=--------------------------------------------------------------------------=
Key Intros
=--------------------------------------------------------------------------=

00.0 .. COPYRIGHTS ......................................................
00.1 .. CONTACT INFORMATION & SNAIL MAIL DROP ETC .......................
00.2 .. SOURCES .........................................................
00.3 .. THIS IS WHO WE ARE ..............................................
00.4 .. WHAT'S IN A NAME? why `HWA.hax0r.news'?..........................
00.5 .. THE HWA_FAQ V1.0 ................................................

ABUSUS NON TOLLIT USUM?
This is (in case you hadn't guessed) Latin, and loosely translated
it means "Just because something is abused, it should not be taken
away from those who use it properly". This is our new motto.

=--------------------------------------------------------------------------=
Key Content
=--------------------------------------------------------------------------=


01.0 .. GREETS ..........................................................
01.1 .. Last minute stuff, rumours, newsbytes ...........................
01.2 .. Mailbag .........................................................
02.0 .. From the Editor..................................................
03.0 .. Melissa conviction to stop virus writers?........................
04.0 .. Government asks hackers for Y2K break............................
05.0 .. China Upholds Death Sentence For Electronic Intruder ............
06.0 .. Symantec Discovers Another Worm .................................
07.0 .. EPIC Sues NSA Over Echelon ......................................
08.0 .. Wyoming Newspaper Attacked ......................................
09.0 .. DoD Offers Military Docs to Surfers .............................
10.0 .. NSA Funds Supercomputer Upgrade .................................
11.0 .. "I was a teenage nmapper"........................................
12.0 .. NIST Meeting Open To The Public .................................
13.0 .. NT Passes Government Security Certifications ....................
14.0 .. Mitnick's Codefendant Sentenced .................................
15.0 .. Videon Suffers Second Intrusion .................................
16.0 .. GSM Phones No Longer Secure .....................................
17.0 .. DARPA Looks At Face Recognition Technology ......................
18.0 .. More Info On the Phonemasters Revealed ..........................
19.0 .. Proactive AntiVirus Software Now Available ......................
20.0 .. South African Web Pages Defaced .................................
21.0 .. Not Just a Game Anymore .........................................
22.0 .. Y2K Fix Really An Extensible Worm ...............................
23.0 .. Distributed DoS Attacks Becoming Popular ........................
24.0 .. FBI to Remain on Alert Over Y2K .................................
25.0 .. IOPS Sets Up Y2K Watch Center ...................................
26.0 .. IDs Embedded In All Color Copies ................................
27.0 .. Valiant of Halcon Speaks ........................................
28.0 .. Scholarships for Surfing ........................................
29.0 .. Dec 8th HNN Rumours..............................................
30.0 .. Alleged Melissa Creator May Plead Guilty ........................
31.0 .. Non-Anonymous Internet Violates First Amendment .................
32.0 .. OSU Charges Two With Illegal Access .............................
33.0 .. Microsoft Files Lawsuit Against Online Pirates ..................
34.0 .. CERT Releases Distributed Attack Paper ..........................
35.0 .. PWC Finds Serious Weaknesses in Pension Fund Company ............
36.0 .. Freaks Macintosh Archives CD ....................................
37.0 .. Nortell Releases Personal Hardware Firewall .....................
38.0 .. sSh/Dap interview by Sla5h.......................................
39.0 .. Melissa Creator Pleads Guilty ...................................
40.0 .. Privacy of US Military Officers Breached ........................
41.0 .. Commerce Dept. Introduces New Security Initiative ...............
42.0 .. Attrition Celebrates One Year Birthday ..........................
43.0 .. Russian Echelon? ................................................
44.0 .. Russian Bug Did Frequency-Hopping ...............................
45.0 .. Security Focus Newsletter #18....................................



=-------------------------------------------------------------------------------=


AD.S .. Post your site ads or etc here, if you can offer something in return
thats tres cool, if not we'll consider ur ad anyways so send it in.
ads for other zines are ok too btw just mention us in yours, please
remember to include links and an email contact. Corporate ads will
be considered also and if your company wishes to donate to or
participate in the upcoming Canc0n99 event send in your suggestions
and ads now...n.b date and time may be pushed back join mailing list
for up to date information.......................................
Current dates: POSTPONED til further notice, place: TBA..........
Ha.Ha .. Humour and puzzles ............................................

Hey You!........................................................
=------=........................................................

Send in humour for this section! I need a laugh and its hard to
find good stuff... ;)...........................................

SITE.1 .. Featured site, .................................................
H.W .. Hacked Websites ...............................................
A.0 .. APPENDICES......................................................
A.1 .. PHACVW linx and references......................................

=--------------------------------------------------------------------------=

@HWA'99




00.0 (C) COPYRIGHT, (K)OPYWRONG, COPYLEFT? V2.0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


_ _
| | ___ __ _ __ _| |
| | / _ \/ _` |/ _` | |
| |__| __/ (_| | (_| | |
|_____\___|\__, |\__,_|_|
|___/


THE OPINIONS OF THE WRITERS DO NOT NECESSARILY REFLECT THE
OPINIONS OF THE PUBLISHERS AND VICE VERSA IN FACT WE DUNNO
WTF IS GONNA TAKE RESPONSIBILITY FOR THIS, I'M NOT DOING IT
(LOTS OF ME EITHER'S RESOUND IN THE BACKGROUND) SO UHM JUST
READ IT AND IF IT BUGS YOU WELL TFS (SEE FAQ).

Important semi-legalese and license to redistribute:

YOU MAY DISTRIBUTE THIS ZINE WITHOUT PERMISSION FROM MYSELF
AND ARE GRANTED THE RIGHT TO QUOTE ME OR THE CONTENTS OF THE
ZINE SO LONG AS Cruciphux AND/OR HWA.hax0r.news ARE MENTIONED
IN YOUR WRITING. LINK'S ARE NOT NECESSARY OR EXPECTED BUT ARE
APPRECIATED the current link is http://welcome.to/HWA.hax0r.news
IT IS NOT MY INTENTION TO VIOLATE ANYONE'S COPYRIGHTS OR BREAK
ANY NETIQUETTE IN ANY WAY IF YOU FEEL I'VE DONE THAT PLEASE EMAIL
ME PRIVATELY current email cruciphux@dok.org

THIS DOES NOT CONSTITUTE ANY LEGAL RIGHTS, IN THIS COUNTRY ALL
WORKS ARE (C) AS SOON AS COMMITTED TO PAPER OR DISK, IF ORIGINAL
THE LAYOUT AND COMMENTARIES ARE THEREFORE (C) WHICH MEANS:

I RETAIN ALL RIGHTS, BUT I GIVE YOU THE RIGHT TO READ, QUOTE
AND REDISTRIBUTE/MIRROR. - EoD


Although this file and all future issues are now copyright, some of
the content holds its own copyright and these are printed and
respected. News is news so i'll print any and all news but will quote
sources when the source is known, if its good enough for CNN its good
enough for me. And i'm doing it for free on my own time so pfffft. :)

No monies are made or sought through the distribution of this material.
If you have a problem or concern email me and we'll discuss it.

cruciphux@dok.org

Cruciphux [C*:.]



00.1 CONTACT INFORMATION AND MAIL DROP
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

____ _ _
/ ___|___ _ __ | |_ __ _ ___| |_ ___
| | / _ \| '_ \| __/ _` |/ __| __/ __|
| |__| (_) | | | | || (_| | (__| |_\__ \
\____\___/|_| |_|\__\__,_|\___|\__|___/


Wahoo, we now have a mail-drop, if you are outside of the U.S.A or
Canada / North America (hell even if you are inside ..) and wish to
send printed matter like newspaper clippings a subscription to your
cool foreign hacking zine or photos, small non-explosive packages
or sensitive information etc etc well, now you can. (w00t) please
no more inflatable sheep or plastic dog droppings, or fake vomit
thanks.

Send all goodies to:


HWA NEWS
P.O BOX 44118
370 MAIN ST. NORTH
BRAMPTON, ONTARIO
CANADA
L6V 4H5



WANTED!: POSTCARDS! YESH! POSTCARDS, I COLLECT EM so I know a lot of you are
~~~~~~~ reading this from some interesting places, make my day and get a
mention in the zine, send in a postcard, I realize that some places
it is cost prohibitive but if you have the time and money be a cool
dude / gal and send a poor guy a postcard preferably one that has some
scenery from your place of residence for my collection, I collect stamps
too so you kill two birds with one stone by being cool and mailing in a
postcard, return address not necessary, just a "hey guys being cool in
Bahrain, take it easy" will do ... ;-) thanx.



Ideas for interesting 'stuff' to send in apart from news:

- Photo copies of old system manual front pages (optionally signed by you) ;-)
- Photos of yourself, your mom, sister, dog and or cat in a NON
compromising position plz I don't want pr0n. <g>
- Picture postcards
- CD's 3.5" disks, Zip disks, 5.25" or 8" floppies, Qic40/80/100-250
tapes with hack/security related archives, logs, irc logs etc on em.
- audio or video cassettes of yourself/others etc of interesting phone
fun or social engineering examples or transcripts thereof.


Stuff you can email:

- Prank phone calls in .ram or .mp* format
- Fone tones and security announcements from PBX's etc
- fun shit you sampled off yer scanner (relevant stuff only like #2600 meeting activities)
- reserved for one smiley face -> :-) <-
- PHACV lists of files that you have or phac cd's you own (we have a burner, *g*)
- burns of phac cds (email first to make sure we don't already have em)
- Any and all telephone sounds/tones/beeps/trunk drops/line tests/etc in .ram etc format or .mp*


If you still can't think of anything you're probably not that interesting
a person after all so don't worry about it <BeG>

Our current email:

Submissions/zine gossip.....: hwa@press.usmc.net
Private email to editor.....: cruciphux@dok.org
Distribution/Website........: sas2@usa.net

@HWA



00.2 Sources ***
~~~~~~~~~~~

____
/ ___| ___ _ _ _ __ ___ ___ ___
\___ \ / _ \| | | | '__/ __/ _ Y __|
___) | (_) | |_| | | | (_| __|__ \
|____/ \___/ \__,_|_| \___\___|___/


Sources can be some, all, or none of the following (by no means complete
nor listed in any degree of importance) Unless otherwise noted, like msgs
from lists or news from other sites, articles and information is compiled
and or sourced by Cruciphux no copyright claimed.

News & I/O zine ................. http://www.antionline.com/
Back Orifice/cDc..................http://www.cultdeadcow.com/
News site (HNN) ..................http://www.hackernews.com/
Help Net Security.................http://net-security.org/
News,Advisories,++ .(lophtcrack)..http://www.l0pht.com/
NewsTrolls .(daily news ).........http://www.newstrolls.com/
News + Exploit archive ...........http://www.rootshell.com/beta/news.html
CuD Computer Underground Digest...http://www.soci.niu.edu/~cudigest
News site+........................http://www.zdnet.com/
News site+Security................http://www.gammaforce.org/
News site+Security................http://www.projectgamma.com/
News site+Security................http://securityhole.8m.com/
News site+Security related site...http://www.403-security.org/
News/Humour site+ ................http://www.innerpulse.com
News/Techie news site.............http://www.slashdot.org



+Various mailing lists and some newsgroups, such as ...
+other sites available on the HNN affiliates page, please see
http://www.hackernews.com/affiliates.html as they seem to be popping up
rather frequently ...


http://www.the-project.org/ .. IRC list/admin archives
http://www.anchordesk.com/ .. Jesse Berst's AnchorDesk

alt.hackers.malicious
alt.hackers
alt.2600
BUGTRAQ
ISN security mailing list
ntbugtraq
<+others>

NEWS Agencies, News search engines etc:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://www.cnn.com/SEARCH/

http://www.foxnews.com/search/cgi-bin/search.cgi?query=hack&days=0&wires=0&startwire=0

http://www.news.com/Searching/Results/1,18,1,00.html?querystr=hack

http://www.ottawacitizen.com/business/

http://search.yahoo.com.sg/search/news_sg?p=hack

http://www.washingtonpost.com/cgi-bin/search?DB_NAME=WPlate&TOTAL_HITLIST=20&DEFAULT_OPERATOR=AND&headline=&WITHIN_FIELD_NAME=.lt.event_date&WITHIN_DAYS=0&description=hack

http://www.zdnet.com/zdtv/cybercrime/

http://www.zdnet.com/zdtv/cybercrime/chaostheory/ (Kevin Poulsen's Column)

NOTE: See appendices for details on other links.



http://news.bbc.co.uk/hi/english/sci/tech/newsid_254000/254236.stm

http://freespeech.org/eua/ Electronic Underground Affiliation

http://ech0.cjb.net ech0 Security

http://axon.jccc.net/hir/ Hackers Information Report

http://net-security.org Net Security

http://www.403-security.org Daily news and security related site


Submissions/Hints/Tips/Etc
~~~~~~~~~~~~~~~~~~~~~~~~~~

____ _ _ _
/ ___| _ _| |__ _ __ ___ (_)___ ___(_) ___ _ __ ___
\___ \| | | | '_ \| '_ ` _ \| / __/ __| |/ _ \| '_ \/ __|
___) | |_| | |_) | | | | | | \__ \__ \ | (_) | | | \__ \
|____/ \__,_|_.__/|_| |_| |_|_|___/___/_|\___/|_| |_|___/


All submissions that are `published' are printed with the credits
you provide, if no response is received by a week or two it is assumed
that you don't care whether the article/email is to be used in an issue
or not and may be used at my discretion.

Looking for:

Good news sites that are not already listed here OR on the HNN affiliates
page at http://www.hackernews.com/affiliates.html

Magazines (complete or just the articles) of breaking sekurity or hacker
activity in your region, this includes telephone phraud and any other
technological use, abuse hole or cool thingy. ;-) cut em out and send it
to the drop box.


- Ed

Mailing List Subscription Info (Far from complete) Feb 1999
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~ ~~~~~~~~

ISS Security mailing list faq : http://www.iss.net/iss/maillist.html


ATTRITION.ORG's Website defacement mirror and announcement lists
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

http://www.attrition.org/mirror/attrition/
http://www.attrition.org/security/lists.html

--

defaced [web page defacement announce list]

This is a public LOW VOLUME (1) mail list to circulate news/info on
defaced web sites. To subscribe to Defaced, send mail to
majordomo@attrition.org with "subscribe defaced" in the BODY of
the mail.

There will be two types of posts to this list:

1. brief announcements as we learn of a web defacement.
this will include the site, date, and who signed the
hack. we will also include a URL of a mirror of the hack.

2. at the end of the day, a summary will be posted
of all the hacks of the day. these can be found
on the mirror site listed under 'relevant links'

This list is for informational purposes only. Subscribing
denotes your acceptance of the following:

1. we have nothing to do with the hacks. at all.

2. we are only mirroring the work of OTHER people.

3. we can not be held liable for anything related to these
hacks.

4. all of the points on the disclaimer listed below.

Under no circumstances may the information on this list be used
to solicit security business. You do not have permission to forward
this mail to anyone related to the domain that was defaced.

enjoy.

List maintainer: mcintyre@attrition.org
Hosted by: majordomo@attrition.org

Relevant Links:
Disclaimer: http://www.attrition.org/mirror/attrition/notes.html
ATTRITION Mirror: http://www.attrition.org/mirror/

(1) It is low volume on a normal day. On days of many defacements,
traffic may be increased. On a few days, it is a virtual mail
flood. You have been warned. ;)

-=-

--

defaced summary [web page defacement announce list]

This is a low traffic mail list to announce all publicly
defaced domains on a given day. To subscribe to Defaced-Summary, send mail to
majordomo@attrition.org with "subscribe defaced-summary" in the BODY of
the mail.

There will be ONE type of post to this list:

1. a single nightly piece of mail listing all reported
domains. the same information can be found on
http://www.attrition.org/mirror/attrition/
via sporadic updates.

This list is for informational purposes only. Subscribing
denotes your acceptance of the following:

1. we have nothing to do with the hacks. at all.

2. we are only mirroring the work of OTHER people.

3. we can not be held liable for anything related to these
hacks.

4. all of the points on the disclaimer listed below.

Under no circumstances may the information on this list be used
to solicit security business. You do not have permission to forward
this mail to anyone related to the domain that was defaced.

enjoy.

List maintainer: jericho@attrition.org
Hosted by: majordomo@attrition.org

Relevant Links:
Disclaimer: http://www.attrition.org/mirror/attrition/notes.html
ATTRITION Mirror: http://www.attrition.org/mirror/


-=-

defaced GM [web page defacement announce list]

This is a low traffic mail list to announce all publicly
defaced government and military domains on a given day. To subscribe to
Defaced-GM, send mail to majordomo@attrition.org with "subscribe defaced-gm"
in the BODY of the mail.

There will be ONE type of post to this list:

1. sporadic pieces of mail for each government (.gov)
or military (.mil) system defaced. the same information
can be found on http://www.attrition.org/mirror/attrition/
via sporadic updates.

This list is designed primarily for government and military
personnel charged with tracking security incidents on
government run networks.

This list is for informational purposes only. Subscribing
denotes your acceptance of the following:

1. we have nothing to do with the hacks. at all.

2. we are only mirroring the work of OTHER people.

3. we can not be held liable for anything related to these
hacks.

4. all of the points on the disclaimer listed below.

Under no circumstances may the information on this list be used
to solicit security business. You do not have permission to forward
this mail to anyone related to the domain that was defaced.

enjoy.

List maintainer: jericho@attrition.org
Hosted by: majordomo@attrition.org

Relevant Links:
Disclaimer: http://www.attrition.org/mirror/attrition/notes.html
ATTRITION Mirror: http://www.attrition.org/mirror/


--

defaced alpha [web page defacement announce list]

This is a low traffic mail list to announce via alpha-numeric
pagers, all publicly defaced government and military domains
on a given day. To subscribe to Defaced-Alpha, send mail to
majordomo@attrition.org with "subscribe defaced-alpha" in
the BODY of the mail.

There will be ONE type of post to this list:

1. sporadic pieces of mail for each government (.gov)
or military (.mil) system defaced. the information
will only include domain names. the same information
can be found on http://www.attrition.org/mirror/attrition/
via sporadic updates.

This list is designed primarily for government and military
personnel charged with tracking security incidents on
government run networks. Further, it is designed for
quick response and aimed at law enforcement agencies like
DCIS and the FBI.

To subscribe to this list, a special mail will be sent to YOUR
alpha-numeric pager. A specific response must be made within
12 hours of receiving the mail to be subscribed. If the response
is not received, it is assumed the mail was not sent to your
pager.

This list is for informational purposes only. Subscribing
denotes your acceptance of the following:

1. we have nothing to do with the hacks. at all.

2. we are only mirroring the work of OTHER people.

3. we can not be held liable for anything related to these
hacks.

4. all of the points on the disclaimer listed below.

Under no circumstances may the information on this list be used
to solicit security business. You do not have permission to forward
this mail to anyone related to the domain that was defaced.

enjoy.

List maintainer: jericho@attrition.org
Hosted by: majordomo@attrition.org

Relevant Links:
Disclaimer: http://www.attrition.org/mirror/attrition/notes.html
ATTRITION Mirror: http://www.attrition.org/mirror/



-=-





THE MOST READ:

BUGTRAQ - Subscription info
~~~~~~~~~~~~~~~~~~~~~~~~~~~

What is Bugtraq?

Bugtraq is a full-disclosure UNIX security mailing list, (see the info
file) started by Scott Chasin <chasin@crimelab.com>. To subscribe to
bugtraq, send mail to listserv@netspace.org containing the message body
subscribe bugtraq. I've been archiving this list on the web since late
1993. It is searchable with glimpse and archived on-the-fly with hypermail.

Searchable Hypermail Index;

http://www.eecs.nwu.edu/~jmyers/bugtraq/index.html



About the Bugtraq mailing list
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The following comes from Bugtraq's info file:

This list is for *detailed* discussion of UNIX security holes: what they are,
how to exploit, and what to do to fix them.

This list is not intended to be about cracking systems or exploiting their
vulnerabilities. It is about defining, recognizing, and preventing use of
security holes and risks.

Please refrain from posting one-line messages or messages that do not contain
any substance that can relate to this list's charter.

I will allow certain informational posts regarding updates to security tools,
documents, etc. But I will not tolerate any unnecessary or nonessential "noise"
on this list.

Please follow the below guidelines on what kind of information should be posted
to the Bugtraq list:

+ Information on Unix related security holes/backdoors (past and present)
+ Exploit programs, scripts or detailed processes about the above
+ Patches, workarounds, fixes
+ Announcements, advisories or warnings
+ Ideas, future plans or current works dealing with Unix security
+ Information material regarding vendor contacts and procedures
+ Individual experiences in dealing with above vendors or security organizations
+ Incident advisories or informational reporting

Any non-essential replies should not be directed to the list but to the originator of the message. Please do not
"CC" the bugtraq reflector address if the response does not meet the above criteria.

Remember: YOYOW.

You own your own words. This means that you are responsible for the words that you post on this list and that
reproduction of those words without your permission in any medium outside the distribution of this list may be
challenged by you, the author.

For questions or comments, please mail me:
chasin@crimelab.com (Scott Chasin)


UPDATED Sept/99 - Sent in by Androthi, tnx for the update
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


I am pleased to inform you of several changes that will be occurring
on June 5th. I hope you find them as exciting as I do.


BUGTRAQ moves to a new home
---------------------------


First, BUGTRAQ will be moving from its current home at NETSPACE.ORG
to SECURITYFOCUS.COM. What is Security Focus you ask? Wait and read
below. Other than the change of domains nothing of how the list
is run changes. I am still the moderator. We play by the same rules.


Security Focus will be providing mail archives for BUGTRAQ. The
archives go back longer than Netspace's and are more complete than
Geek-Girl's.


The move will occur one week from today. You will not need to
resubscribe. All your information, including subscription options
will be moved transparently.


Any of you using mail filters (e.g. procmail) to sort incoming
mail into mail folders by examining the From address will have to
update them to include the new address. The new address will be:


BUGTRAQ@SECURITYFOCUS.COM


Security Focus will also be providing a free searchable vulnerability
database.


BUGTRAQ es muy bueno
--------------------


It has also become apparent that there is a need for forums
in the spirit of BUGTRAQ where non-English speaking people
or people that don't feel comfortable speaking English can
exchange information.


As such I've decided to give BUGTRAQ in other languages a try.
BUGTRAQ will continue to be the place to submit vulnerability
information, but if you feel more comfortable using some other
language you can give the other lists a try. All relevant information
from the other lists which have not already been covered here
will be translated and forwarded on by the list moderator.


In the next couple of weeks we will be introducing BUGTRAQ-JP
(Japanese) which will be moderated by Nobuo Miwa <n-miwa@lac.co.jp>
and BUGTRAQ-SP (Spanish) which will be moderated by CORE SDI S.A.
from Argentina <http://www.core-sdi.com/> (the folks that brought you
Secure Syslog and the SSH insertion attack).


What is Security Focus?
-----------------------


Security Focus is an exercise in creating a community and a security
resource. We hope to be able to provide a medium where useful and
successful resources such as BUGTRAQ can occur, while at the same
time providing a comprehensive source of security information. Aside
from moving just BUGTRAQ over, the Geek-Girl archives (and the Geek Girl
herself!) have moved over to Security Focus to help us with building
this new community. The other staff at Security Focus are largely derived
from long time supporters of Bugtraq and the community in general. If
you are interested in viewing the staff pages, please see the 'About'
section on www.securityfocus.com.


On the community creating front you will find a set of forums
and mailing lists we hope you will find useful. A number of them
are not scheduled to start for several weeks but starting today
the following list is available:


* Incidents' Mailing List. BUGTRAQ has always been about the
discussion of new vulnerabilities. As such I normally don't approve
messages about break-ins, trojans, viruses, etc with the exception
of wide spread cases (Melissa, ADM worm, etc). The other choice
people are usually left with is email CERT but this fails to
communicate this important information to others that may be
potentially affected.


The Incidents mailing list is a lightly moderated mailing list to
facilitate the quick exchange of security incident information.
Topical items include such things as information about rootkits,
new trojan horses and viruses, source of attacks and tell-tale
signs of intrusions.


To subscribe email LISTSERV@SECURITYFOCUS.COM with a message body
of:


SUBS INCIDENTS FirstName, LastName


Shortly we'll also be introducing an Information Warfare forum along
with ten other forums over the next two months. These forums will be
built and moderated by people in the community as well as vendors who
are willing to take part in the community building process.
*Note to the vendors here* We have several security vendors who have
agreed to run forums where they can participate in the online communities.
If you would like to take part as well, mail Alfred Huger,
ahuger@securityfocus.com.


On the information resource front you find a large database of
the following:


* Vulnerabilities. We are making accessible a free vulnerability
database. You can search it by vendor, product and keyword. You
will find detailed information on the vulnerability and how to fix it,
as well as links to reference information such as email messages,
advisories and web pages. You can search by vendor, product and
keywords. The database itself is the result of culling through 5
years of BUGTRAQ plus countless other lists and news groups. It's
a shining example of how thorough full disclosure has made a significant
impact on the industry over the last half decade.


* Products. An incredible number of categorized security products
from over two hundred different vendors.


* Services. A large and focused directory of security services offered by
vendors.


* Books, Papers and Articles. A vast number of categorized security
related books, papers and articles. Available to download directly
from our servers when possible.


* Tools. A large array of free security tools. Categorized and
available for download.


* News: A vast number of security news articles going all the way
back to 1995.


* Security Resources: A directory to other security resources on
the net.


As well as many other things such as an event calendar.


For your convenience the home-page can be personalized to display
only information you may be interested in. You can filter by
categories, keywords and operating systems, as well as configure
how much data to display.


I'd like to thank the fine folks at NETSPACE for hosting the
site for as long as they have. Their services have been invaluable.


I hope you find these changes for the best and the new services
useful. I invite you to visit http://www.securityfocus.com/ and
check it out for yourself. If you have any comments or suggestions
please feel free to contact me at this address or at
aleph1@securityfocus.com.


Cheers.


--
Aleph One / aleph1@underground.org
http://underground.org/
KeyID 1024/948FD6B5
Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01





Crypto-Gram
~~~~~~~~~~~

CRYPTO-GRAM is a free monthly newsletter providing summaries, analyses,
insights, and commentaries on cryptography and computer security.

To subscribe, visit http://www.counterpane.com/crypto-gram.html or send a
blank message to crypto-gram-subscribe@chaparraltree.com.  To unsubscribe,
visit http://www.counterpane.com/unsubform.html.  Back issues are available
on http://www.counterpane.com.

CRYPTO-GRAM is written by Bruce Schneier.  Schneier is president of
Counterpane Systems, the author of "Applied Cryptography," and an inventor
of the Blowfish, Twofish, and Yarrow algorithms.  He served on the board of
the International Association for Cryptologic Research, EPIC, and VTW.  He
is a frequent writer and lecturer on cryptography.


CUD Computer Underground Digest
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This info directly from their latest ish:

Computer underground Digest    Sun  14 Feb, 1999   Volume 11 : Issue 09
     
                      ISSN  1004-042X

       Editor: Jim Thomas (cudigest@sun.soci.niu.edu)
       News Editor: Gordon Meyer (gmeyer@sun.soci.niu.edu)
       Archivist: Brendan Kehoe
       Poof Reader:   Etaion Shrdlu, Jr.
       Shadow-Archivists: Dan Carosone / Paul Southworth
                          Ralph Sims / Jyrki Kuoppala
                          Ian Dickinson
       Cu Digest Homepage: http://www.soci.niu.edu/~cudigest



[ISN] Security list
~~~~~~~~~~~~~~~~~~~
This is a low volume list with lots of informative articles, if I had my
way i'd reproduce them ALL here, well almost all .... ;-) - Ed


UPDATED Sept/99 - Sent in by Androthi, tnx for the update
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


--[ New ISN announcement (New!!)


Sender: ISN Mailing List <ISN@SECURITYFOCUS.COM>
From: mea culpa <jericho@DIMENSIONAL.COM>
Subject: Where has ISN been?
Comments: To: InfoSec News <isn@securityfocus.com>
To: ISN@SECURITYFOCUS.COM


It all starts long ago, on a network far away..


Not really. Several months ago the system that hosted the ISN mail list
was taken offline. Before that occurred, I was not able to retrieve the
subscriber list. Because of that, the list has been down for a while. I
opted to wait to get the list back rather than attempt to make everyone
resubscribe.


As you can see from the headers, ISN is now generously being hosted by
Security Focus [www.securityfocus.com]. They are providing the bandwidth,
machine, and listserv that runs the list now.


Hopefully, this message will find all ISN subscribers, help us weed out
dead addresses, and assure you the list is still here. If you have found
the list to be valuable in the past, please tell friends and associates
about the list. To subscribe, mail listserv@securityfocus.com with
"subscribe isn firstname lastname". To unsubscribe, "unsubscribe isn".


As usual, comments and suggestions are welcome. I apologize for the down
time of the list. Hopefully it won't happen again. ;)



mea_culpa
www.attrition.org



--[ Old ISN welcome message


[Last updated on: Mon Nov 04 0:11:23 1998]


InfoSec News is a privately run, medium traffic list that caters
to distribution of information security news articles. These
articles will come from newspapers, magazines, online resources,
and more.


The subject line will always contain the title of the article, so that
you may quickly and efficiently filter past the articles of no interest.


This list will contain:


o Articles catering to security, hacking, firewalls, new security
encryption, products, public hacks, hoaxes, legislation affecting
these topics and more.


o Information on where to obtain articles in current magazines.


o Security Book reviews and information.


o Security conference/seminar information.


o New security product information.


o And anything else that comes to mind..


Feedback is encouraged. The list maintainers would like to hear what
you think of the list, what could use improving, and which parts
are "right on". Subscribers are also encouraged to submit articles
or URLs. If you submit an article, please send either the URL or
the article in ASCII text. Further, subscribers are encouraged to give
feedback on articles or stories, which may be posted to the list.


Please do NOT:


* subscribe vanity mail forwards to this list


* subscribe from 'free' mail addresses (ie: juno, hotmail)


* enable vacation messages while subscribed to mail lists


* subscribe from any account with a small quota


All of these generate messages to the list owner and make tracking
down dead accounts very difficult. I am currently receiving as many
as fifty returned mails a day. Any of the above are grounds for
being unsubscribed. You are welcome to resubscribe when you address
the issue(s).


Special thanks to the following for continued contribution:
William Knowles, Aleph One, Will Spencer, Jay Dyson,
Nicholas Brawn, Felix von Leitner, Phreak Moi and
other contributors.


ISN Archive: ftp://ftp.repsec.com/pub/text/digests/isn
ISN Archive: http://www.landfield.com/isn
ISN Archive: http://www.jammed.com/Lists/ISN/


ISN is Moderated by 'mea_culpa' <jericho@dimensional.com>. ISN is a
private list. Moderation of topics, member subscription, and
everything else about the list is solely at his discretion.


The ISN membership list is NOT available for sale or disclosure.


ISN is a non-profit list. Sponsors are only donating to cover bandwidth
and server costs.


Win2k Security Advice Mailing List (new added Nov 30th)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


To subscribe:


send "SUBSCRIBE WIN2KSECADVICE anonymous or name" in the message body
to listserv@listserv.ntsecurity.net



Welcome to Win2K Security Advice! Thank you for subscribing. If you have any
questions or comments about the list please feel free to contact the list
moderator, Steve Manzuik, at steve@win2ksecadvice.net.

To see what you've missed recently on the list, or to research an item
of interest, be sure to visit the Web-based archives located at:
http://www.ntsecurity.net/scripts/page_listserv.asp?s=win2ksec

==============
NTSecurity.net brings the security community a brand new (Oct 99) and
much-requested Windows security mailing list. This new moderated mailing list,
Win2KSecAdvice (formerly NTSecAdvice,) is geared towards promoting the open
discussion of Windows-related security issues.

With a firm and unwavering commitment towards timely full disclosure, this
new resource promises to become a great forum for open discussion
regarding security-related bugs, vulnerabilities, potential exploits, virus,
worms, Trojans, and more. Win2KSecAdvice promotes a strong sense of community
and we openly invite all security minded individuals, be they white hat,
gray hat, or black hat, to join the new mailing list.

While Win2KSecAdvice was named in the spirit of Microsoft's impending product
line name change, and meant to reflect the list's security focus both now and
in the long run, it is by no means limited to security topics centered around
Windows 2000. Any security issues that pertain to Windows-based networking are
relevant for discussion, including all Windows operating systems, MS Office,
MS BackOffice, and all related third party applications and hardware.

The scope of Win2KSecAdvice can be summarized very simply: if it's relevant to
a security risk, it's relevant to the list.

The list archives are available on the Web at http://www.ntsecurity.net,
which include a List Charter and FAQ, as well as Web-based searchable list
archives for your research endeavors.

SAVE THIS INFO FOR YOUR REFERENCE:

To post to the list simply send your email to
win2ksecadvice@listserv.ntsecurity.net

To unsubscribe from this list, send UNSUBSCRIBE WIN2KSECADVICE to
listserv@listserv.ntsecurity.net

Regards,

Steve Manzuik, List Moderator
Win2K Security Advice
steve@win2ksecadvice.net





@HWA


00.3 THIS IS WHO WE ARE
~~~~~~~~~~~~~~~~~~

__ ___ ___
\ \ / / |__ ___ __ _ _ __ _____ ____|__ \
\ \ /\ / /| '_ \ / _ \ / _` | '__/ _ \ \ /\ / / _ \/ /
\ V V / | | | | (_) | (_| | | | __/\ V V / __/_|
\_/\_/ |_| |_|\___/ \__,_|_| \___| \_/\_/ \___(_)


Some HWA members and Legacy staff
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
cruciphux@dok.org.........: currently active/editorial
darkshadez@ThePentagon.com: currently active/man in black
fprophet@dok.org..........: currently active/programming/IRC+ man in black
sas2@usa.net .............. currently active/IRC+ distribution
vexxation@usa.net ........: currently active/IRC+ proof reader/grrl in black
dicentra...(email withheld): IRC+ grrl in black
twisted-pair@home.com......: currently active/programming/IRC+


Foreign Correspondents/affiliate members
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Qubik ............................: United Kingdom
D----Y ...........................: USA/world media
HWA members ......................: World Media



Past Foreign Correspondents (currently inactive or presumed dead)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Sla5h.............................: Croatia
N0Portz ..........................: Australia
system error .....................: Indonesia
Wile (wile coyote) ...............: Japan/the East
Ruffneck ........................: Netherlands/Holland
Wyze1.............................: South Africa


Please send in your sites for inclusion here if you haven't already
also if you want your emails listed send me a note ... - Ed

Spikeman's site is down as of this writing, if it comes back online it will be
posted here.

http://www.hackerlink.or.id/ ............ System Error's site (in Indonesian)

Sla5h's email: smuddo@yahoo.com


*******************************************************************
*** /join #HWA.hax0r.news on EFnet the key is `zwen' ***
*******************************************************************

:-p


1. We do NOT work for the government in any shape or form. Unless you count paying
taxes ... in which case we work for the gov't in a BIG WAY. :-/

2. MOSTLY Unchanged since issue #1, although issues are a digest of recent news
events it's a good idea to check out issue #1 at least and possibly also the
Xmas issue for a good feel of what we're all about otherwise enjoy - Ed ...


@HWA



00.4 Whats in a name? why HWA.hax0r.news??
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Well what does HWA stand for? never mind if you ever find out I may
have to get those hax0rs from 'Hackers' or the Pretorians after you.

In case you couldn't figure it out hax0r is "new skewl" and although
it is laughed at, shunned, or even pigeonholed with those 'dumb
leet (l33t?) dewds' <see article in issue #4> this is the state
of affairs. It ain't Stephen Levy's HACKERS anymore. BTW to all you
up and comers, I'd highly recommend you get that book. It's almost
like buying a clue. Anyway..on with the show .. - Editorial staff


@HWA

00.5 HWA FAQ v1.0 Feb 13th 1999 (Abridged & slightly updated again)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

_ ___ ___ _____ _ ___
| | | \ \ / / \ | ___/ \ / _ \
| |_| |\ \ /\ / / _ \ | |_ / _ \| | | |
| _ | \ V V / ___ \ _| _/ ___ \ |_| |
|_| |_| \_/\_/_/ \_(_)_|/_/ \_\__\_\


Also released in issue #3. (revised) check that issue for the faq
it won't be reprinted unless changed in a big way with the exception
of the following excerpt from the FAQ, included to assist first time
readers:

Some of the stuff related to personal usage and use in this zine are
listed below: Some are very useful, others attempt to deny any possible
attempts at eschewing obfuscation by obscuring their actual definitions.

@HWA - see EoA ;-)

!= - Mathematical notation "is not equal to" or "does not equal"
ASC(247) "wavey equals" sign means "almost equal" to. If written
as =/= (equals sign with a slash thru it) also means !=, =< is Equal
to or less than and => is equal to or greater than (etc, this aint
fucking grade school, cripes, don't believe I just typed all that..)

AAM - Ask a minor (someone under age of adulthood, usually <16, <18 or <21)

AOL - A great deal of people that got ripped off for net access by a huge
clueless isp with sekurity that you can drive buses through, we're
not talking Kung-Fu being none too good here, Buy-A-Kloo maybe at the
least they could try leasing one??

*CC - 1 - Credit Card (as in phraud)
2 - .cc is COCOS (Keeling) ISLANDS but they probably accept cc's

CCC - Chaos Computer Club (Germany)

*CON - Conference, a place hackers crackers and hax0rs among others go to swap
ideas, get drunk, swap new mad inphoz, get drunk, swap gear, get drunk
watch videos and seminars, get drunk, listen to speakers, and last but
not least, get drunk.
*CRACKER - 1 . Someone who cracks games, encryption or codes, in popular hacker
speak he's the guy that breaks into systems and is often (but by no
means always) a "script kiddie" see pheer
2 . An edible biscuit usually crappy tasting without a nice dip, I like
jalapeno pepper dip or chives sour cream and onion, yum - Ed

Ebonics - speaking like a rastafarian or hip dude of colour <sic> also wigger
Vanilla Ice is a wigger, The Beastie Boys and rappers speak using
ebonics, speaking in a dark tongue ... being ereet, see pheer

EoC - End of Commentary

EoA - End of Article or more commonly @HWA

EoF - End of file

EoD - End of diatribe (AOL'ers: look it up)

FUD - Coined by Unknown and made famous by HNN <g> - "Fear uncertainty and doubt",
usually in general media articles not high brow articles such as ours or other
HNN affiliates ;)

du0d - a small furry animal that scurries over keyboards causing people to type
weird crap on irc, hence when someone says something stupid or off topic
'du0d wtf are you talkin about' may be used.

*HACKER - Read Stephen Levy's HACKERS for the true definition, then see HAX0R

*HAX0R - 1 - Cracker, hacker wannabe, in some cases a true hacker, this is difficult to
define, I think it is best defined as pop culture's view on The Hacker ala
movies such as well erhm "Hackers" and The Net etc... usually used by "real"
hackers or crackers in a derogatory or slang humorous way, like 'hax0r me
some coffee?' or can you hax0r some bread on the way to the table please?'

2 - A tool for cutting sheet metal.

HHN - Maybe a bit confusing with HNN but we did spring to life around the same
time too, HWA Hax0r News.... HHN is a part of HNN .. and HNN as a proper
noun means the hackernews site proper. k? k. ;&

HNN - Hacker News Network and its affiliates http://www.hackernews.com/affiliates.html

J00 - "you"(as in j00 are OWN3D du0d) - see 0wn3d

MFI/MOI- Missing on/from IRC

NFC - Depends on context: No Further Comment or No Fucking Comment

NFR - Network Flight Recorder (Do a websearch) see 0wn3d

NFW - No fuckin' way

*0WN3D - You are cracked and owned by an elite entity see pheer
*OFCS - Oh for christ's sakes

PHACV - And variations of same <coff>
Phreaking, Hacking, Anarchy, Cracking, Carding (CC) Groups Virus, Warfare

Alternates: H - hacking, hacktivist
C - Cracking <software>
C - Cracking <systems hacking>
V - Virus
W - Warfare <cyberwarfare usually as in Jihad>
A - Anarchy (explosives etc, Jolly Roger's Cookbook etc)
P - Phreaking, "telephone hacking" PHone fREAKs ...
CT - Cyber Terrorism

*PHEER - This is what you do when an ereet or elite person is in your presence
see 0wn3d

*RTFM - Read the fucking manual - not always applicable since some manuals are
pure shit but if the answer you seek is indeed in the manual then you
should have RTFM you dumb ass.

TBC - To Be Continued also 2bc (usually followed by ellipses...) :^0

TBA - To Be Arranged/To Be Announced also 2ba

TFS - Tough fucking shit.

*w00t - 1 - Reserved for the uber ereet, no one can say this without severe repercussions
from the underground masses. also "w00ten" <sic>

2 - Cruciphux and sAs72's second favourite word (they're both shit stirrers)

*wtf - what the fuck, where the fuck, when the fuck etc ..

*ZEN - The state you reach when you *think* you know everything (but really don't)
usually shortly after reaching the ZEN like state something will break that
you just 'fixed' or tweaked.

@HWA


-=- :. .: -=-




01.0 Greets!?!?! yeah greets! w0w huh. - Ed
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

____ _
/ ___|_ __ ___ ___| |_ ___
| | _| '__/ _ \/ _ \ __/ __|
| |_| | | | __/ __/ |_\__ \
\____|_| \___|\___|\__|___/


Thanks to all in the community for their support and interest but i'd
like to see more reader input, help me out here, whats good, what sucks
etc, not that I guarantee i'll take any notice mind you, but send in
your thoughts anyway.


* all the people who sent in cool emails and support

FProphet Pyra TwstdPair _NeM_
D----Y Dicentra vexxation sAs72
Spikeman p0lix Vortexia Wyze1
Pneuma Raven Zym0t1c duro
Repluzer astral BHZ ScrewUp
Qubik gov-boi _Jeezus_ Haze_
thedeuce ytcracker

Folks from #hwa.hax0r.news and #fawkerz



Ken Williams/tattooman ex-of PacketStorm,

& Kevin Mitnick

kewl sites:

+ http://www.hack.co.za NEW
+ http://blacksun.box.sk. NEW
+ http://packetstorm.securify.com/ NEW
+ http://www.securityportal.com/ NEW
+ http://www.securityfocus.com/ NEW
+ http://www.hackcanada.com/
+ http://www.l0pht.com/
+ http://www.2600.com/
+ http://www.freekevin.com/
+ http://www.genocide2600.com/
+ http://www.hackernews.com/ (Went online same time we started issue 1!)
+ http://www.net-security.org/
+ http://www.slashdot.org/
+ http://www.freshmeat.net/
+ http://www.403-security.org/
+ http://ech0.cjb.net/

@HWA


01.1 Last minute stuff, rumours and newsbytes
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

"What is popular isn't always right, and what is right isn't
always popular..."

- FProphet '99



+++ When was the last time you backed up your important data?

++ AMD demonstrates 900 MHz chips
December 17, 1999
"Advanced Micro Devices Inc. has demonstrated two different versions of its Athlon microprocessor running at 900
MHz. One uses the company's standard 0.18-micron process with aluminum interconnects, while the second is
produced at the same line width but comes from AMD's Dresden, Germany, fab and features copper interconnects."






Thanks to myself for providing the info from my wired news feed and others from whatever
sources, also to Spikeman for sending in past entries.... - Ed

@HWA

01.2 MAILBAG - email and posts from the message board worthy of a read
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Yeah we have a message board, feel free to use it, remember there are no stupid questions...
well there are but if you ask something really dumb we'll just laugh at ya, lets give the
message board a bit more use eh? i'll be using a real message board when the hwa-iwa.org
domain comes back online (soon) meanwhile the beseen board is still up...



==============================================================================








02.0 From the editor.
~~~~~~~~~~~~~~~~

#include <stdio.h>
#include <thoughts.h>
#include <backup.h>

main()
{
printf ("Read commented source!\n\n");

/*
* *still sick* ! this will prolly be a shorter issue than
* normal like last weeks, so enjoy what there is and we'll
* be back on track soon... sorry for the lack of quality
* I'm striving to catch up so I can provide you with the
* info you're used to getting in these issues, the last
* couple are definitely not my best works.... hang in
* there... This issue 'features' an interview with the
* now defunct sSh... check it out, and I still want
* articles so send em in!... cruciphux@dok.org
*/


printf ("EoF.\n");
}



Congrats, thanks, articles, news submissions and kudos to us at the
main address: hwa@press.usmc.net complaints and all nastygrams and
mai*lbombs can go to /dev/nul nukes, synfloods and papasmurfs to
127.0.0.1, private mail to cruciphux@dok.org

danke.

C*:.

-= start =--= start =--= start =--= start =--= start =--= start =--= start


____ _ _
/ ___|___ _ __ | |_ ___ _ __ | |_
| | / _ \| '_ \| __/ _ \ '_ \| __|
| |__| (_) | | | | || __/ | | | |_
\____\___/|_| |_|\__\___|_| |_|\__|
/ ___|| |_ __ _ _ __| |_
\___ \| __/ _` | '__| __|
___) | || (_| | | | |_
|____/ \__\__,_|_| \__|




-= start =--= start =--= start =--= start =--= start =--= start =--=





03.0 Melissa conviction to stop virus writers?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Contributed by Spikeman

http://www.zdnet.com/filters/printerfriendly/0,6061,2406928-2,00.html

--------------------------------------------------------------
This story was printed from ZDNN,
located at http://www.zdnet.com/zdnn.
--------------------------------------------------------------

Melissa conviction to stop virus writers?
By Robert Lemos, ZDNN
December 9, 1999 5:25 PM PT
URL: http://www.zdnet.com/zdnn/stories/news/0,4586,2406928,00.html

Law enforcement officials and computer security specialists say that David L. Smith's conviction in
the Melissa virus case -- the first successful prosecution of a virus writer in the United States --
will have a strong chilling effect on other authors of malicious code.

"We are hoping that the sentence has a significant deterrent impact," said Robert J. Cleary, the
U.S. attorney for the District of New Jersey, who led the federal prosecution. "I think this will
have the effect we want. Those predisposed to white-collar crimes really do balance risk versus
reward."


Smith, 31, pleaded guilty in both state and federal courts on Thursday, agreeing that the virus he
wrote and released -- named "Melissa" after a Florida stripper -- caused $80 million in damages
(the minimum monetary amount needed in order to trigger stiffer federal sentencing guidelines).

Smith is expected to receive anywhere between a four- and five-year sentence in the federal case
and up to a 10-year sentence in the state case, accompanied by total fines of up to $400,000. As
part of the plea agreement, state prosecutors have recommended that the sentences run
concurrently.

"The sentencing guidelines attempt to minimize disparity. If that works here, then anyone else that
sends a virus out that does $80 million in damage should expect a similar sentence," said Cleary.

Melissa's March madness

The Melissa macro computer virus hit companies on Friday, March 26 after being released to a
Usenet newsgroup as part of a list of porn sites contained in a Word document infected with the
virus.

The virus, which mailed itself out to the first 50 addresses listed in the address book of Microsoft's
Outlook e-mail client, caused a massive spike in e-mail traffic, flooding corporate e-mail servers.
Companies such as Microsoft Corp. (Nasdaq:MSFT), Intel Corp. (Nasdaq:INTC), Lockheed
Martin Corp. (NYSE:LMT) and Lucent Technologies Inc. (NYSE:LU) shut down their gateways
to the Internet in the face of the threat.

Smith -- then a resident of Aberdeen, N.J. -- was arrested on April 1 by New Jersey authorities.

"This becomes a landmark case, because it's the first time the (U.S.) federal government has
successfully prosecuted a computer virus writer," said Dr. Peter Tippett, chief technologist at
computer security firm ICSA.net, which helped the U.S. prosecutors estimate the damages caused
by Melissa.

Deterrent effect

Tippett and others point to a virus case in England as potential proof that such a deterrent could
work.

In November 1995, the UK courts sentenced Chris Pile -- known
underground as the Black Baron -- to 18 months in jail. The 26-year-old,
self-taught programmer admitted to five counts of unauthorized access to
computers to facilitate crime and five unauthorized modifications of computer
software over a two-year period.

Since that time, no major viruses have come out of the UK, said Tippett.

Smith appeared in Monmouth County, N.J., Superior Court at 10 a.m. ET
on Thursday, followed by his appearance at the U.S. District Court in
Newark at 1:30 p.m. ET to answer to federal charges in the case. In both
courtrooms, Smith admitted his guilt and agreed with the damages.

When the judge in the Monmouth County court case asked if Smith agreed that it caused $80
million in damage to computer systems nationwide, Smith replied, "I certainly agree. It did result in
those consequences -- without question."


Edward Borden, Smith's attorney in the case, could not be reached for comment.


@HWA

04.0 Government asks hackers for Y2K break
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

http://www.zdnet.com/zdnn/stories/news/0,4586,2408969,00.html
Contributed by Duro


Government asks hackers for Y2K break

President Clinton's Y2K guru asks for a hack
moratorium during the New Millennium
weekend.



By Jim Wolf, Reuters
December 14, 1999 10:52 AM PT


WASHINGTON -- President Clinton's top aide on Y2K
matters has urged computer hackers to exercise
self-restraint until after year 2000 technology fears
largely have passed.

In an unusual plea for mercy, John Koskinen, chairman of
the President's Council on Year 2000 Conversion, said
that some people regard piercing computer network
security to be a "great public service" because it calls
attention to security cracks.

"Hopefully those people will recognize
we're going to have enough things
going on that (New Year's) weekend
that this will not be a particularly good
weekend to demonstrate the need for
more information security," he said on
Monday.

"If you want to, in fact, make those points, my hope is
(you'll) make them the following weekend," when Y2K
confusion is expected to have subsided, Koskinen said in
reply to a reporter's question.

One major concern of authorities is that confusion during
the century date change could mask a wide range of
malicious anti-U.S. activity, including possible
computer-based attacks by hostile nations or guerrillas.

Michael Vatis, the FBI agent who serves as the nation's
top "cyber-cop," said last week that the interagency outfit
he heads -- the National Infrastructure Protection Center
-- would be on alert although it had no hard evidence of
any planned attacks.

"It's natural to expect there might be people doing stupid
things with computers," he said of possible cyber attacks
timed to exploit any high-tech confusion sparked by the
century date change.

"Increased vigilance" urged
Bruce McConnell, a former White House information
technology expert who now runs the U.N.-sponsored
International Y2K Cooperation Center, said viruses timed
to trigger on Jan. 1 appeared to be spreading, notably
hidden in e-mail attachments.


"Clearly the end of the year is a
time for increased vigilance with
respect to computer security,"
McConnell said in a telephone
interview.

Adding to the confusion may be
so-called denial-of-service attacks
aimed at swamping government or private sector Web
sites, according to Clark Staten, executive director of the
Chicago-based Emergency Response and Research
Institute.

Last week, the U.S. Office of Personnel Management
announced it would interrupt its Internet services for
"several hours" during the New Year's weekend as a
guard against hackers, power surges and other possible
Y2K headaches. The agency said it would bar access
during that limited period to the many data banks
normally available on its Web site.

The Defense Department and the U.S. Agriculture
Department said last week they also were considering
such precautions.

Growing number of computer viruses seen
Anti-virus software makers have reported a growing
number of computer viruses timed to go off on or about
Jan. 1, when systems engineered to recognize only the
last two digits in a date field may confuse 2000 with
1900.

"We are starting to see an increased frequency of viruses
related to the year 2000. Some of them are timed to
trigger on January first," said Narendar Mangalam,
director of security strategy for Computer Associates, an
Islandia, New York-based business computing firm.

The CERT Coordination Center, a Defense
Department-funded computer security project at Carnegie
Mellon University in Pittsburgh, said it did not consider
Y2K viruses a greater threat than the many others it has
tracked.

"There may be viruses that are particularly virulent that I'm
not familiar with that are set to go off on January first,"
Shawn Hernan, CERT's team leader for vulnerability
handling, said in a telephone interview.

"In general, though, if you are susceptible to viruses that
are spreading to be triggered on January first, you're
going to be susceptible to those that are triggered to go
off on January second and January third, and so on and
so forth," he said.

The best defense, Hernan said, was keeping up to date
with anti-virus software updates, avoiding running
programs of unknown origin, maintaining backups, paying
attention to anomalies and reporting them to network
security administrators.

@HWA

05.0 China Upholds Death Sentence For Electronic Intruder
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/


contributed by Ryan and Zorro
The death sentence, imposed as punishment for Hao
Jingwen last year, was upheld by The Yangzhou
Intermediate People's Court in eastern Jiangsu province.
Jingwen, together with his brother Hao Jinglong,
electronically broke into the system of a state run bank
that one of them worked at and transferred somewhere
between $31,000 and $87,000US (reports vary) into an
account they opened under false names. The elder of
the two brothers, Hao Jinglong, received life in prison
instead of the death penalty for assisting the police in
their investigation.

Reuters - via Yahoo
http://dailynews.yahoo.com/h/nm/19991203/tc/china_hacker_1.html

Associated Press - via Yahoo
http://dailynews.yahoo.com/h/ap/19991203/wl/china_death_sentences_1.html

Friday December 3 11:47 PM ET

China Upholds Death Sentence for Computer Hacker

BEIJING (Reuters) - A Chinese court has upheld the death sentence for a
man who hacked into the computer system of a state bank to steal money,
the Financial News reported on Saturday.

The Yangzhou Intermediate People's Court in eastern Jiangsu province
rejected the appeal of Hao Jingwen, upholding a death sentence imposed
last year, the newspaper said. Hao Jingwen and his brother Hao Jinglong
hacked into the computer network of the Industrial and Commercial Bank
of China and shifted 720,000 yuan ($87,000) into accounts they had opened
under false names, it said.

They withdrew 260,000 yuan from the bank accounts in September last year,
the newspaper said.

Hao Jinglong, who was also originally sentenced to death, received a
suspended death sentence in return for his testimony, it said.

($1.0 = 8.28 yuan)

AP;

Friday December 3 10:25 PM ET

Chinese Bank Hacker Gets Death

BEIJING - A court in the southern city of Yangzhou has sentenced one man
to death and his elder brother to life imprisonment for hacking into a
bank's computer system to steal $31,500, the state-run newspaper Beijing
Morning Post said Saturday.

An appeal by the two brothers was rejected after a higher court upheld the
recent decision by the Yangzhou Intermediate Court, the report said.

It said Hao Jingwen and Hao Jinglong used a homemade computer to hack into
the Industrial and Commercial Bank of China's system, where they set up fake
bank accounts.

By the time they were caught, they had withdrawn $30,266 in embezzled funds.
Police recovered all but $1,200 of it, the report said.

It said Hao Jinglong, the elder brother, got a lighter sentence because
he had aided the police in their investigation.

In a separate report, the newspaper Guangming Daily said Lin Guodi, the
director of the Machinery Bureau in central Hunan province, was sentenced
Friday to death for taking $638,000 in bribes. Lin's son, Lin Ruhai was given
a life sentence and his wife, Zhao Youjuan, got a six-year jail term, it said.
Lin and his son lost their appeals, it said.

The reports did not say in either case if the death sentences had been carried
out.

@HWA

06.0 Symantec Discovers Another Worm
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Nicola_Hibberd and no0ne
The W32.Mypics worm has four payloads. It emails itself
to fifty people in your address book, changes the web
browser's home page to a porn site and then attempts
to reformat the local hard drive. Also on Jan 1, 2000 the
worm attempts to overwrite the checksum data in
the host computer's CMOS. Symantec, the discoverer of
the worm says that this is the fifth such virus it has
found with a payload that triggers at the start of the
new year. This worm appears to only infect people
running email clients from Microsoft.

ZDNet UK
http://www.zdnet.co.uk/news/1999/48/ns-11935.html

Newsbytes - via CNNfn
http://www.cnnfn.com/news/technology/newsbytes/140247.html

Reuters - via Yahoo
http://dailynews.yahoo.com/h/nm/19991206/tc/yk_virus_3.html

Fri, 03 Dec 1999 16:38:00 GMT
Will Knight


Symantec discover the nasty 'W32.Mypics worm'

A new mega-virus that combines three potentially devastating
characteristics has been found in the wild by the research
laboratories at Symantec Anti-Virus.

Once the W32.Mypics worm arrives at an Outlook inbox, it sends
itself out to 50 people in the address book and attempts to convert
the Web browser's home page to a porn site. It also does its level
best to format the local hard drive.

Although Symantec has received only a small number of reports of
Mypics, Aled Miles, managing director for Symantec UK and
Ireland, says now is a crucial period in the development of the virus
that was found in the wild at 4.48 GMT Friday. "If it's going to
break, it's going to do it soon," he warns. "This sort of thing
happens very quickly."

Miles also believes Mypics represents a worrying new trend in
virus technology. "The capability of viruses is increasing greatly,
that's the key thing. There's a lot of talk about hype but you only
need one of these to cause a lot of damage."

Another daunting prospect raised by Miles: "What happens if two
or three of these happens at the same time? Time is definitely
condensing. Is this going to be a trend continuing up to and
beyond the New Year?"

An update for Symantec's anti-virus software that combats Mypics
can be downloaded from the company's labs.

http://www.sarc.com/avcenter/venc/data/w32.mypics.worm.html

-=-

Dangerous Y2K Worm Starts Weekend With A Bang
December 03, 1999: 4:59 p.m. ET


CUPERTINO, CALIFORNIA, U.S.A. (NB) -- By Steve Gold,
Newsbytes. Symantec's [NASDAQ:SYMC] Anti-virus
Research Center reported this morning that it has
discovered a new worm virus that reformats PC users' hard
disks and switches their Web browser home page to an
adult site.
Yunsun Wee, a spokesperson for Symantec, told
Newsbytes that the Y2K virus is no relation to the MiniZip
worm virus that hit PC users earlier this week and is far
more deadly.
"This is the fifth Y2K virus we've come across so far, but
it's the most deadly in that it can reformat a user's hard
disk, as well as cause other problems," she said.
Wee added that the virus was discovered overnight by the
company's SARC operation, and, as a result, the company
issued a public warning via the business wire service this
morning.
"Unlike MiniZip, which everyone reported on earlier this
week, and which was actually discovered some days earlier,
we wanted to ensure that we got the warning message out
as quickly as possible," she said.
Symantec says that the virus disguises itself as a Y2K
problem, and is received as an e-mail attachment disguised
as a picture.
Once the program infects the host PC, it attempts to
send itself using Microsoft Outlook to up to 50 people in the
users' Microsoft Outlook address book. It also changes the
home page in Internet Explorer to a site containing adult
content.
Additionally, Symantec warns, on Jan. 1, 2000, the
program will overwrite the checksum data in the host
computer's CMOS (complementary metal oxide
semiconductor) memory so when the system is rebooted
the user will think that there may be a Y2K-related problem
with the computer's BIOS (basic input/output system).
The firm says that, once the PC is restarted, the virus will
attempt to format the local hard drives and erase all data.
Symantec says that the W32/Mypics.worm can be easily
spotted, since it arrives in an e-mail, with no subject line.
The body of the message reads, "Here's some pictures for
you!" with a "Pics4You.exe" attachment that is
approximately 34,304 bytes in size.
Once the user opens the attachment, the worm loads
itself into memory and executes by sending out copies of
itself attached to e-mail addressed to up to 50 people in the
user's address list.
In addition, Symantec says that the code modifies the
system registry to load its dropped file "cbios.com" on
system startup and also changes the user's home page in
Internet Explorer to
http://www.geocities.com/siliconvalley/vista/8279/index.html,
a Web site that contains some adult content.
The firm advises PC users not to attempt to open the
attached document. Symantec anti-virus users should also
download a new definition set - available immediately
through the company's LiveUpdate feature or from the
Symantec Web site at
http://www/symantec.com/avcenter/download.html .
Reported by Newsbytes.com, http://www.newsbytes.com.
10:22 CST Reposted 15:49 CST
(19991203/Press Contact: Yunsun Wee, Symantec
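
The indicators Symantec lists above (no subject line, the fixed body text, the "Pics4You.exe" attachment of about 34,304 bytes) are enough for a mail-gateway check. This is an added example, not Symantec's detection logic: the function names, the size tolerance and the quarantine/review policy are assumptions, and the sample messages are constructed with a zero-filled placeholder attachment.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Indicators as reported in the article above.
BODY_PHRASE = "here's some pictures for you!"
ATTACHMENT_NAME = "pics4you.exe"
ATTACHMENT_SIZE = 34304      # "approximately 34,304 bytes"
SIZE_TOLERANCE = 512         # assumption: slack for "approximately"


def mypics_indicators(raw):
    """Return the names of the reported indicators present in one raw message."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []

    # A missing Subject header and an empty one are treated the same way.
    if not (msg.get("Subject") or "").strip():
        hits.append("empty-subject")

    body = msg.get_body(preferencelist=("plain",))
    if body is not None and BODY_PHRASE in body.get_content().lower():
        hits.append("body-phrase")

    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        if name == ATTACHMENT_NAME:
            hits.append("attachment-name")
        # Size is checked separately so a renamed copy is still noticed.
        if name.endswith(".exe") and abs(len(payload) - ATTACHMENT_SIZE) <= SIZE_TOLERANCE:
            hits.append("attachment-size")
    return hits


def verdict(raw):
    """Assumed policy: the known file name plus any other indicator is quarantined;
    a single attachment or body indicator is sent for review."""
    hits = set(mypics_indicators(raw))
    if "attachment-name" in hits and len(hits) >= 2:
        return "quarantine"
    if hits & {"attachment-name", "attachment-size", "body-phrase"}:
        return "review"
    return "pass"


def build_sample(subject, body, filename=None, size=0):
    """Build a constructed test message; the attachment is zero bytes, not a real sample."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    if subject is not None:
        msg["Subject"] = subject
    msg.set_content(body)
    if filename:
        msg.add_attachment(b"\x00" * size, maintype="application",
                           subtype="octet-stream", filename=filename)
    return msg.as_bytes()


# Constructed samples covering the reported pattern, a renamed copy and benign mail.
SAMPLES = {
    "reported-pattern": build_sample(None, "Here's some pictures for you!",
                                     "Pics4You.exe", 34304),
    "renamed-copy": build_sample(None, "See attached.", "holiday.exe", 34304),
    "benign-attachment": build_sample("Q4 report", "Figures attached.",
                                      "report.pdf", 20000),
    "no-subject-only": build_sample(None, "call me"),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, mypics_indicators(raw), verdict(raw))
```

An empty subject on its own is deliberately not enough to flag a message, since plenty of legitimate mail has none.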

-=-

Monday December 6 2:43 AM ET

Virus Trackers Report Bug Aimed at Y2K

SAN FRANCISCO (Reuters) - The computer world's mischief makers struck
this week with the first in what is expected to be a wave of viruses
set to go off Jan. 1, 2000, computer experts said on Friday.

A virus was discovered in computer systems of a number of companies, set
to go off at New Year's and erase data from users' hard drives, security
experts reported.

``This is the first Y2K virus we've seen that has really infected a
number of people,'' said Sal Viveros, of Network Associates Inc.
(NasdaqNM:NETA - news) , the largest computer security firm in the world.

Anti-virus firm Symantec Corp.(NasdaqNM:SYMC - news) director of research
Vincent Weafer said, ``This is the kickoff for the Y2k -- which is going
to be like the Super Bowl for virus writers.''

The new virus, called W32/Mypics.worm, is set to disable computers as
people try to start them up Jan. 1. The virus writer apparently is hoping
to mislead users into thinking they've been hit by the much-publicized Y2K
software bug, which is caused by computers' inability to read the ``00''
of year 2000.

The virus is sent by e-mail with no subject line to a target user. Inside
the e-mail is a message saying ``Here's some pictures for you!'' Clicking
on the picture launches the damaging virus, or worm, a kind of virus that
does damage but doesn't continue to propagate itself inside the host computer.

Like the earlier Melissa ``worm,'' the new infection uses the target
computer's Microsoft Outlook mailing list to send itself to 50 people via
e-mail.

It can be detected ahead of the Jan. 1 ``payload date'' through use of an
anti-virus software, or by noting a suspicious switch in the default page
of the user's Web browser.

Computer security firm Symantec, the company that first sounded the alarm
about the Y2K bug, said it has found five different Y2K viruses in recent
days, but none reaching the level of the W32/Mypics.worm, which it classed
as a ``medium to high-risk virus.''

Simon Perry, Computer Associate International Inc.'s (NYSE:CA - news) eTrust
Business Manager said, ``As the year 2000 quickly approaches, we are starting
to see an increased frequency of dangerous viruses.''

The year has already been marked by a wave of destructive infections,
including the CIH, or Chernobyl Virus, which wiped out data on thousands of
hard disk drives, and Melissa, which was one of the most widespread infections
ever, though not as damaging to individual computers.

A concerted effort to sound the alarm by computer protection services has
tended to dampen the spread of the viruses, though some see their alarms as
self-serving, since most recommend a dose of their medicine, anti-virus
software, as the cure.

``Once a virus is in the wild, and it's on everyone's detection lists, it tends
to chill a bit. But that doesn't mean it's not still a threat,'' said David
Perry, security firm Trend Micro Inc. (NasdaqSC:TIMC - news) public information
director.

The most basic advice the security experts give is to avoid opening unsolicited
e-mails. ``Don't take candy from strangers,'' said Perry, ``and don't open
suspicious e-mails on your computer.''

@HWA

07.0 EPIC Sues NSA Over Echelon
~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by blueghost, knobdicker, and Alien Plaque
The Electronic Privacy Information Center (EPIC) has
filed suit against the National Security Agency (NSA) in
federal court in an attempt to gain more information
about the agency's spy network dubbed Echelon, and to
what extent the agency has been spying on American
citizens. The NSA has 30 days to respond to the court
filing. (I applaud EPIC for going after the NSA, however
the courts have been very favorable to the NSA in past
cases, so I personally doubt that much will come of
this, but it's definitely worth a shot.)

Electronic Privacy Information Center
http://www.epic.org/

Federal Computer Week
http://www.fcw.com/pubs/fcw/1999/1129/web-lawsuit-12-3-99.html

ZDNet
http://www.zdnet.com/zdnn/stories/news/0,4586,2404126,00.html?chkpt=zdnntop

DECEMBER 3, 1999 . . . 17:35


Lawsuit claims NSA spying on Americans

BY DANIEL VERTON (dan_verton@fcw.com)

The privacy watchdog group Electronic Privacy Information Center today
filed a lawsuit in federal court that aims to force the National Security Agency
to release sensitive documents thought to contain evidence of surveillance
operations against U.S. citizens.

EPIC wants to obtain documents recently denied to Congress by NSA's
General Counsel on the grounds of attorney/client privilege. NSA also has
failed to reply to a Freedom of Information Act request filed by EPIC to
obtain the documents.

The lawsuit centers on documents that are said to detail the operations of the
so-called Echelon global surveillance network. Details surrounding Echelon
came to light last year when the European Union launched a full-scale
investigation into privacy abuses against European citizens by the NSA
["European Union may investigate U.S. global spy computer network,"
fcw.com, Nov. 17, 1998].

EPIC director Marc Rotenberg said in a statement released to the press, "The
charter of the National Security Agency does not authorize domestic
intelligence-gathering. Yet we have reason to believe that the NSA is engaged
in the indiscriminate acquisition and interception of domestic communications
taking place over the Internet."


A spokesperson for the agency said, "NSA operates in strict accordance with
U.S. laws and regulations in protecting the privacy rights of U.S. persons. Its
activities are conducted with the highest constitutional, legal and ethical
standards."


Echelon, a Cold War-vintage global spy system, is believed to consist of a
worldwide network of clandestine listening posts capable of intercepting
electronic communications such as e-mail, telephone conversations, faxes,
satellite transmissions, microwave links and fiber-optic communications traffic.

EPIC is planning a major study of the Echelon network to be published next
year that looks at the operations of signals intelligence agencies around the
world, such as the NSA.

"We expect that Congress will hold hearings on this early next year and we
plan to pursue our case very aggressively," Rotenberg told FCW. "If the NSA
is intercepting Internet communications of U.S. citizens -- and we believe they
are -- then it is a critical question of Constitutional government to determine
whether they are acting within the law or outside of it."




@HWA

08.0 Wyoming Newspaper Attacked
~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Alien Plague
George Russell James, 26, of Laramie, Wyoming has
been charged with one felony count of crime against
computer users. James is accused of several
unauthorized entries into Trib.com which is run by the
Casper Star-Tribune. According to the Trib.com staff,
the entries are said to have caused slowed online
response time over a couple of days and disrupted the
provider's news and information Web site. (From the
information posted in this article it would seem that
they don't have a very strong case against this guy.
Unfortunately he will probably plead guilty instead of
fighting these accusations.)

The Billings Gazette
http://www.billingsgazette.com/wyoming/991204_wyo02.html

Laramie man charged with hacking into major Internet
provider

CASPER, Wyo. (AP) - A Laramie man has been
charged with hacking into one of Wyoming's
primary Internet service providers.

George Russell James, 26, surrendered at the
Albany County Courthouse on Friday and was
charged with one felony count of crimes against
computer users, according to the state Division of
Criminal Investigation.

James is accused of several unauthorized entries
into trib.com, according to the Casper Star-Tribune,
which administers the service.

Police searched James' apartment Thursday and
seized a personal computer and other evidence,
said Steve Miller, deputy director of the state
Division of Criminal Investigation.

They also found about one-eighth ounce of
marijuana and charged James with possession of a
controlled substance, he said.

"Without going into a lot of detail, basically there are
a lot of electronic footprints you can often trace
back to the individual," he said of how James was
pinpointed.

Trib.com staff said the tampering slowed online
response time over a couple of days and disrupted
the provider's news and information Web site.

"We haven't been able to manipulate the programs
like we normally do, which has made stories
awkward to read," Web site designer Fred Jacquot
said.

Some subscribers who logged onto the site
Thursday may have found pages with incomplete
information or graphic artwork, he said.

Larry Ash, systems administrator for trib.com, said
the problems resulted from a two-fold attack on the
system.

First, the alleged hacker tapped into the trib.com
server, which meant the entire system needed to be
checked for possible flaws.

"We spent a lot of time tearing down the old system
and building it up again from scratch," he said.

Then on Thursday, a program from a site in London
jammed the trib.com network and slowed service to
a crawl. The "denial of service attack" flooded the
system with thousands of information requests.

"It's kind of like a water main that is split into lots of
smaller pipes," said trib.com programmer Steve
Claflin. "If one person draws all the water, no one
else can get any."


The trib.com system was so tied up processing the
information and repairing itself after the break-in that
it could not respond as quickly to regular tasks.

Star-Tribune publisher Rob Hurless said trib.com
staff were still checking computer logs Thursday to
find out exactly what happened during the break-in.

The network was nearly back to normal operating
speed Thursday afternoon, he said.

Miller said the trib.com break-in was among an
increasing number of computer-related crimes DCI
has looked into recently.

He said the agency, in cooperation with federal and
local law enforcement agencies, has investigated
18 reports of computer crimes in Wyoming,
including seven in the last month.

"It's pretty crazy right now," Miller said. "I don't know
if hacking is increasing or people are just identifying
it more rapidly and reporting it."


Updated: Saturday, December 4, 1999
Copyright © The Billings Gazette, a division of Lee Enterprises.

@HWA

09.0 DoD Offers Military Docs to Surfers
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Weld Pond
The Department of Defense has made available over
100,000 documents on categories ranging from nuclear
technology to explosives to communications security.
There also seems to be a good chunk of information on
TEMPEST. It is unknown how long this site will remain
publicly available. Grab it while you can.

Defense Automation and Production Service
http://assist.daps.mil
(Site appears locked up when I tried it... -Ed)

@HWA

10.0 NSA Funds Supercomputer Upgrade
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by biggranger
The National Security Agency is funding the upgrade of
the San Diego Supercomputer Center from a Tera
MTA-8 system to a MTA-16 system made by Tera
Computer Company. The MTA-16 is based on a
multithreaded architecture and retails for between 7 and
10 million dollars.

Tera Computer Company
http://www.tera.com/www/press/mta16.html


Tera Press Release;

Tera Computer Company Receives First Purchase Order for a
Tera MTA-16 System

Funding Provided by National Security Agency


Contacts:

Lippert/Heilshorn & Assoc.
Lillian Armstrong/David Barnard, CFA
lillian@lhai-sf.com,david@lhai-sf.com
415/433-3777
Keith Lippert
212/838-3777

Tera Computer Company
Ken Johnson/Jim Rottsolk, 206/701-2000
ken@tera.com,jim@tera.com
or
Terren S. Peizer, Chairman: 310/444-3222



SEATTLE, WASHINGTON, November 10, 1999 - Tera Computer
Company (NASDAQ NM: TERA) today announced that it has received
its first purchase order for a Tera MTA-16 system. This order represents
an upgrade to the existing 8-processor Multithreaded Architecture (MTA)
supercomputer now in use at the San Diego Supercomputer Center
(SDSC). This upgrade, which doubles the size of SDSC's MTA system
from 8 processors and 8 gigabytes of shared memory to 16 processors
and 16 gigabytes of shared memory, is specially priced at $2.5 million.
Initial purchases of Tera MTA-16 systems are typically priced at $7-10
million, depending upon configuration. Delivery of the SDSC MTA-16 is
expected by year-end 1999.

This order follows SDSC's successful evaluation of the MTA-8, which
was initially funded by the National Science Foundation and the Defense
Advanced Research Projects Agency. Funding for the MTA-16 upgrade
is being provided by the National Security Agency (NSA). The MTA-16
system will be used to run computationally demanding applications of
interest to users, including medical researchers, graphics experts and
computational chemists.

"Tera's multithreaded approach to parallel processing is of great interest
not only to SDSC, but also to the entire high-end computing community,"
said Sid Karin, Director of SDSC. "The performance achieved on our
eight-processor MTA supports the argument that hardware multithreading
will be the future of high-end computing. By doubling the size of our MTA,
we expect to run some applications on it faster than on any other machine
at SDSC. We further expect that this will allow us to transition some of our
production workload to the MTA."


Jim Rottsolk, President and CEO of Tera Computer concluded, "The sale
of an MTA-16 represents another significant milestone in our push toward
full-scale commercialization of the MTA technology. The benefits of this
transaction go beyond the purchase alone, as we will have access to the
SDSC MTA-16 system, and plan to use it to demonstrate
high-performance applications of interest to the industrial customer base,
such as MSC NASTRAN and LS-DYNA3D. The currently installed base
of vector processing supercomputers represents an attractive and timely
market opportunity for the Tera MTA-16."


According to the International Data Corporation, there are approximately
200 SGI/Cray Research vector supercomputers installed worldwide,
constituting a large portion of the customer base of industrial
supercomputing users. With an average selling price of approximately $10
million each, this installed base is valued at $2 billion. Of those 200
systems, about 60 T90s have been installed in the last three years, with the
balance of that installed base representing previous generation systems
such as the Cray C90.

Tera also announced that its Progress Report: Summer 1999 video is now
available on VHS or CD; copies can be requested by visiting the Tera
website at www.tera.com. Among those interviewed on this video are Sid
Karin, SDSC's Director; Wayne Pfeiffer, SDSC's Deputy Director;
Richard Charles, Greg Johnson, and Allan Snavely, three SDSC scientists;
and Professor David McQueen, a medical researcher at New York
University's Courant Institute.

About Tera Computer Company

Tera Computer Company designs, builds and sells high performance
general-purpose parallel computer systems. Tera believes its Multithreaded
Architecture system represents the next wave in supercomputer technology
because of its unique ability to provide high performance, broad
applicability and ease of programming in a single system. For more
information about Tera and its MTA systems, contact Tera at 411 First
Avenue South, Suite 600, Seattle, WA 98104-2860. Phone:
206/701-2000. Fax: 206/701-2500. E-mail: info@tera.com, or
www.tera.com.

Safe Harbor Statement

This press release contains forward-looking statements, among other
things, Tera's plans to build larger MTA systems and the successful running
of key applications on the MTA-16. There are certain factors that could
cause Tera's execution plans to differ materially from those anticipated by
the statements above. Among such factors are risks associated with
building larger MTA systems, necessary modifications to software and
hardware systems, timely availability of commercially acceptable
components from third party suppliers and successful porting of third party
applications. For a discussion of such risks, and other risks that could
affect Tera's future performance, please see "Risk Factors" in Tera's most
recent SEC Form 10-Q.

@HWA

11.0 "I was a teenage nmapper"
~~~~~~~~~~~~~~~~~~~~~~~~~

http://geekmafia.dynip.com/~xm/


I was a teenage nmapper.

Perhaps the best place to start this story is with a disclaimer. Because
of possible legal implications and verbal agreements between the
sysadmin of an organization I am affiliated with, the companies involved
and myself, I am not going to disclose any real information.

The story begins at a large organization. I am a voluntary network /
network security consultant at times here. However, I am legally
forbidden to "attempt to bypass security restrictions on the network ...
or to aid others in doing so by providing information (logins,
passwords, etc.) to do so with." However, the very nature of my informal
position involves me violating this agreement, with the permission of
the network admins. In the past, I have scanned the entire external
address block from my own personal network with permission. I recently
uncovered an unprotected webserver containing a network informational
chart listing unprotected netbios shares containing extremely sensitive
data. I attempted to see if these were exploitable without touching any
sensitive materials. After reporting my findings to the network admins,
I was given a little lecture about how I should have contacted them
before attempting something that potentially volatile.

The organization where these events took place currently relies on a
filtering Internet proxy to provide web access to its ~1000 users. The
company that manufactures the proxy maintains the machine it runs on (an
UltraSPARC IV running SunOS 5.7). Previously they have been given
some security alerts by me through the admin at my school. The proxy
maker was once a small startup but was recently acquired by a fairly
prominent software maker, so they have become increasingly corporate
since they began work with our organization.

One day in mid/late November (1999), I was doing a little halfhearted
blackbox audit of one of the cgis in the package. I discovered a serious
vulnerability that could allow anyone to read any file on the system (by
traversing up directories using "../../../../etc/motd" as a
parameter to a file argument in the cgi). I quickly reported this to my
sysadmin who passed it on to the company. I wanted to report the bug on
BugTraq but I was warned that this would be a violation of the agreement
I had signed (So I didn't).

Meanwhile, I head home that day (Friday) and casually fire up nmap (nmap
-sS -O -v -v www.company.com) to see what they're running (out of
curiosity). On Monday afternoon, the sysadmin calls me into his office.
Apparently, the company freaked out when they saw me scanning
them. During the code audit of the hole, they realized that the scope of
the bug was far greater than I had uncovered (I assume a buffer overflow
but the engineer I spoke to couldn't comment). They were about to email
me a thank-you when they saw the incoming scan. The company responded by
basically scanning me back and probing a few key services: sendmail
(actually postfix), finger and web. They realized that the "attack"
against their network was coming from a machine belonging to the guy who
had just discovered a huge hole in their network. Not knowing if I
realized the total potential of the hole in their system, they pulled
the plug on their network connection and made hard copies of all
relevant info. They consulted their legal counsel in their parent
company.

Under Rhode Island, Massachusetts and federal law, my benign, simple
stealth port scan was perfectly legal. However, since the webserver I
scanned was located in Virginia (home of ambiguous anti-spam laws), I
may have violated the Virginia Internet Policy Act (or some other
AOL/NSI-backed civil-liberty violating,
anti-freespeach^H^H^H^H^H^H^H^H^H^Hspam law). To quote CNET:

"... Aiming in part to ease congestion on networks owned by Internet
service providers such as AOL and MCI WorldCom, the commission wants
unsolicited bulk email or communication that is "fraudulent,
unauthorized, or otherwise illegal [to be] prosecuted just as it
would in any other medium." Virginia's "computer trespassing" law, which
means using an ISP's equipment without permission, also should be
updated, the Act states."


Anyway, I was informed about this on Monday afternoon. I was quickly on
the phone with Russell, a very friendly Cisco / TCPIP-oriented guy at
the company. He said they had decided not to pursue legal action and we
discussed security issues. He was quite friendly and even invited
me to visit the proxy maker's offices if I was in the area.

What did we learn?

Nmap -D www.microsoft.com,www.aol.com,www.yahoo.com,ME
Corporate takeovers of small guys suck
Don't disclose information except through BugTraq.

If anyone has comments on the technical accuracy, legal accuracy, content
or wants to point me at some resources email xm@geekmafia.dynip.com.
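
The file-read bug described in the story comes down to a CGI joining a user-supplied file parameter onto a base directory without checking where the result lands. The following is an added example, not code from the article or from the proxy vendor; the function names, directory layout and request strings are constructed for illustration. It puts the flawed join beside a containment check that resolves the path first and then verifies it is still inside the document root.

```python
import os
import tempfile


class PathRejected(Exception):
    """Raised when a requested file falls outside the document root."""


def naive_resolve(doc_root, file_param):
    # The flawed pattern: join the parameter onto the root and trust the result.
    return os.path.normpath(os.path.join(doc_root, file_param))


def safe_resolve(doc_root, file_param):
    # Validate the value after the web server has URL-decoded it, not before.
    if "\x00" in file_param:
        raise PathRejected("NUL byte in parameter")
    root = os.path.realpath(doc_root)
    # realpath collapses ".." and follows symlinks, so the check below sees
    # the file that would really be opened.
    candidate = os.path.realpath(os.path.join(root, file_param))
    if os.path.commonpath([root, candidate]) != root:
        raise PathRejected("resolves outside the document root")
    if not os.path.isfile(candidate):
        raise PathRejected("not a regular file")
    return candidate


def demo():
    """Build a throwaway tree and report how each constructed request fares."""
    requests = [
        "help/index.txt",         # legitimate request
        "../../../../etc/motd",   # the form quoted in the article
        "/etc/motd",              # absolute path replaces the root in join()
        "help/../../secret.txt",  # escape hidden behind a valid prefix
        "help/link.txt",          # symlink inside the root that points out
    ]
    results = {}
    with tempfile.TemporaryDirectory() as base:
        root = os.path.join(base, "docroot")
        os.makedirs(os.path.join(root, "help"))
        with open(os.path.join(root, "help", "index.txt"), "w") as fh:
            fh.write("help text\n")
        secret = os.path.join(base, "secret.txt")
        with open(secret, "w") as fh:
            fh.write("outside the document root\n")
        os.symlink(secret, os.path.join(root, "help", "link.txt"))

        for param in requests:
            try:
                safe_resolve(root, param)
                results[param] = "served"
            except PathRejected as exc:
                results[param] = "rejected: %s" % exc

        # The naive join walks straight out of the document root.
        escaped = naive_resolve(root, "../../../../etc/motd")
        results["naive_escapes"] = not escaped.startswith(root + os.sep)
    return results


if __name__ == "__main__":
    for request, outcome in demo().items():
        print("%-24r %s" % (request, outcome))
```
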

@HWA

12.0 NIST Meeting Open To The Public
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Evil Wench
The next meeting of the Computer System Security and
Privacy Advisory Board of the National Institute of
Standards and Technology will be open to the public.
The meeting will be held from December 7, thru
December 9, 1999. The meeting will be held in Lecture
Room B of the NIST Administration Building in
Gaithersburg, Maryland.

Computer System Security and Privacy Advisory Board
http://csrc.nist.gov/csspab/

Federal Register: December 2, 1999 - via Cryptome
http://cryptome.org/csspab120299.txt

@HWA

13.0 NT Passes Government Security Certifications
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Evil Wench and KnobDicker
Windows NT has been certified as compliant with
Federal Information Processing Standard 140-1 (FIPS
140-1) and the C2 level of the Trusted Computer
System Evaluation Criteria (TCSEC). Windows 95, 98
and 2000 have also received FIPS 140-1 certification.
The C2 certification only applies to stand-alone,
non-networked machines. Operating systems used by
the Department of Defense are supposed to carry a
security rating of C2 or higher, despite the fact that
DoD has used NT since 1996. This ends a long battle for
Microsoft to achieve this security certification. (We still
say "C2 my ass.")

Government Executive Magazine
http://www.govexec.com/dailyfed/1299/120699j1.htm

ZD Net
http://www.zdnet.com/zdnn/stories/news/0,4586,2404702,00.html?chkpt=zdnntop

HNN Archive for January 13, 1999
http://www.hackernews.com/arch.html?011399

NW Fusion - NT Failed FIPS a Year Ago
http://www.nwfusion.com/news/1999/0222fips.html

L0pht Heavy Industries - More Info Regarding Government Certifications
http://www.l0pht.com/cyberul.html

December 6, 1999

DAILY BRIEFING

Microsoft wins government
security certifications

By Joshua Dean
jdean@govexec.com

Microsoft Corp.'s Windows NT Server and desktop operating
systems—products that are heavily used at many federal
agencies—last week received two important security
certifications from the federal government.

The Windows NT 4.0 network operating system was certified
as compliant with Federal Information Processing Standard
140-1 (FIPS 140-1) and the C2 level of the Trusted
Computer System Evaluation Criteria (TCSEC). The desktop
operating systems Windows 95 and Windows 98 and the
forthcoming Windows 2000 also won FIPS 140-1
certification.

"FIPS 140-1 is the certification which is more important," said
Rick Therrien, leading edge services deputy in the Office of the
Navy's Chief Information Officer. "FIPS 140-1 deals with
information interchange on computers that are networked, as
well as secure e-mail, authenticating onto a network and
accessing secure Web sites."

Therrien estimates that the Navy uses Windows NT on more
than 400,000 computers globally. In addition, the Marine
Corps just converted from Banyan Systems Inc.'s Vines
network software to Windows NT 4.0.

FIPS 140-1 was created by the National Institute of Standards
and Technology. It lays out security requirements for the
cryptography module within an operating system.

Windows NT 4.0 was also tested by a private laboratory and
certified by the National Computer Security Center, a unit of
the National Security Agency, as achieving the C2 level of
security. C2 products have demonstrated they can:

Identify and authenticate system users
Limit data access to only approved users
Audit system and user actions
Prevent access to files that have been deleted by others

Therrien cautioned that while certification for Windows NT 4.0
is reassuring, "no operating system is 100 percent secure. What
you have now is a way to calculate risks. We now have a way
to quantify where our risks are. Without certification, there
would be much more guesswork involved."

Microsoft's new operating system, Windows 2000, is
scheduled to be released in February.

The network configuration used in evaluating the security of the
NT 4.0 network operating system, as updated with Service
Pack 6a, consisted of single- and multi-processor Proliant
servers from Compaq Computer Corp., along with Compaq
PCs and printers and storage subsystems from
Hewlett-Packard Co.

-=-

ZDnet;

Microsoft wins high-level security rating

After more than a year, Microsoft obtains the
NSA's key C2 rating for NT 4.0.



By Mary Jo Foley, Sm@rt Reseller
UPDATED December 6, 1999 4:18 PM PT


As Microsoft closes in on completing development of
its next-generation Windows 2000 operating system,
it finally has managed to receive the elusive C2
security rating for its NT 4.0 operating system.

On Dec. 2, Microsoft Corp. (Nasdaq:MSFT) announced it
had received the C2 rating for NT 4.0 Server and
Workstation. Prior to last Friday, Microsoft had received
the C2 rating only for NT 3.5.

C2 is a basic security rating that
is one of several evaluations
awarded by the National Security
Agency, based on its Trusted
Computer System Evaluation
Criteria, or "Orange Book" criteria.
Information systems purchased
by the Department of Defense are
supposed to carry at least a C2 rating.

Microsoft has been in pursuit of the C2 rating for NT 4 for
more than a year. Originally, Microsoft had hired an
independent contractor named Edward Curry to help the
company obtain a C2 rating for NT 3.5 in the mid-1980s.
But in 1995, Microsoft ended Curry's contract for reasons
the company declined to divulge publicly.

Curry brought to the
Department of Defense's
attention late last year the fact
that Microsoft had not
obtained C2 certification for
any release of NT beyond 3.5.
In March of this year, while continuing to make known his
concerns regarding Microsoft's alleged lack of
operating-system security, Curry died suddenly of a
stroke.

Prior to Curry's death, Microsoft hired Science
Applications International Corp. (SAIC) to continue its C2
certification efforts. A year ago, SAIC was predicting
Microsoft would pass its first C2 milestone within weeks.

Microsoft officials have said they expect to be able to
submit immediately Windows 2000 for evaluation under a
newly merged U.S./U.K. security evaluation process,
called Common Criteria Consolidation.

@HWA

14.0 Mitnick's Codefendant Sentenced
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Ryan
Lewis DePayne has been sentenced by US District Judge
Mariana Pfaelzer to six months of home detention with
five years of probation, 225 hours of community service
and a fine of $2,500. DePayne pleaded guilty earlier this
year to a single count of wire fraud for his involvement
in a scheme with Kevin Mitnick to defraud Nokia of
proprietary software for mobile phones.

ZD Net
http://www.zdnet.com/zdtv/cybercrime/news/story/0,3700,2404937,00.html

Mitnick Codefendant Sentenced

Accused hacker faces probation,
community service, and fine.
By Iolande Bloxsom December 6, 1999

Kevin Mitnick's codefendant, Lewis
DePayne, was sentenced today in federal
court in Los Angeles. Unlike the imprisoned
hacker, DePayne was not restricted in his
use of computers.

US District Judge Mariana Pfaelzer
sentenced DePayne to five years of
probation, which includes six months of
home detention. He will also be required
to serve 225 hours of community service
(to be determined by the probation office)
and to pay a $2,500 fine and the cost of
any home detention.

DePayne pled guilty on April 16 of this
year to a single count of wire fraud.
According to the plea agreement, in May
of 1994 he and Mitnick participated in a
scheme to defraud Nokia of proprietary
software for mobile phones. DePayne
admitted to placing a call to a Nokia office
in Florida pretending to be a Nokia
supervisor named K.P. Wileska.

In the plea agreement, the approximate
value of the software was set at
$240,000. However, the judge ordered
DePayne to pay only about one tenth of
that amount as a fine. In Mitnick's case,
Judge Pfaelzer set the fine higher, at
$4,125, but still significantly lower than
the prosecution's suggested restitution of
$1.5 million.

@HWA

15.0 Videon Suffers Second Intrusion
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by r@ven
Videon Internet, based in Winnipeg Canada, has
suffered its second major intrusion in one week.
Sensitive account information, including e-mail
passwords, evidently were compromised. A complaint
has been filed with the Winnipeg Police Service's
commercial crimes unit. The company has shut
down their email server "for the security of Videon
customers".

Winnipeg Free Press
http://205.200.191.20/cgi-bin/LiveIQue.acgi$rec=4241?local

Videon security blown again

Customers without e-mail after latest hack attack


Sun, Dec 5, 1999

By Paul McKie

Staff Reporter

THOUSANDS of Videon customers who pay a premium price for high-speed
Internet access are without e-mail today after another hacker broke into
the system.

Videon general manager Debra Jonasson-Young confirmed the company was once
again the victim of a hacker who had access to sensitive account
information, including e-mail passwords.

"We were hacked last week. This is a different hack. I want to make it
perfectly clear -- we were hacked both times," said Jonasson-Young.

The second security breach was discovered Friday afternoon and a complaint
has been filed with the Winnipeg Police Service's commercial crimes unit,
Jonasson-Young said. A decision was made to shut down the @Home e-mail
server at 1:30 a.m. yesterday for the security of Videon customers.

Jonasson-Young said she didn't know how long the server would be down.
Customers still have web access, however, and can continue to surf the
Internet.

She said Videon is continuing to work with an outside security agency to
remedy the situation and has been advised not to bring the server back up
until it is secure. She couldn't say when the e-mail server would be
operational again.

One Videon customer, who requested anonymity, said he was astounded when
he discovered the Videon Internet system had been hacked again and he
hadn't been warned.

"A week ago when it happened, they promised it would never happen again,"
he said. The customer, one of 2,700 who use the service, called Videon
yesterday to get his new password after his old password was compromised.

"The lady said she was sorry, another breach had happened," he said.
"There are just too many things Videon does wrong . . . they're pretty
screwed up over there."

Jonasson-Young said cable-modem customers were informed of the latest
breach when they called in yesterday. But she said Videon was also
beginning a call-out campaign to affected users. She said that last week
the company e-mailed customers, but that wasn't an option this time
with the mail server down.

She noted the Internet is a public-domain area that presents a myriad of
security problems. "There's always a risk that something can happen, no
matter what kind of line you're on," Jonasson-Young said.

Videon's competitors beg to disagree. Reg Parkin, corporate security
manager for Manitoba Telecom Services, agreed that when word gets out that
a site has been hacked, others will always try it again.

However, Parkin said that at MTS, where Internet access is through phone
lines, personal information is kept in a different site not accessible
through the Internet.

He said the trick to security is having several layers, like an onion
skin, so that if any one layer is stripped away, there's still protection
in place. "I don't recall there ever being a breach. There have been
attempts," he said.

Videon isn't the only victim of hackers. Last summer, the mighty Microsoft
had its Hotmail system, with 50 million users, infiltrated.

Parkin said that because of such incidents, security has to be constantly
evolving. "It's more vigilance. If you wait for something to happen and
react to it, you're in trouble," he said.

Jonasson-Young said she's aware of the knocks against Videon and the
company is trying to correct them. "We're under the spotlight right now;
we recognize that."

But she said people must also recognize that both the company and the
customers are victims.

"It's been a crime perpetrated against us," she said.

@HWA

16.0 GSM Phones No Longer Secure
~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by C0nd0r
Alex Biryukov and Adi Shamir, two Israeli researchers,
have discovered design flaws in the algorithm A5/1,
which is present in digital GSM phones. This algorithm is
used in phones made by Motorola, Ericsson, and
Siemens. Over 330 million GSM phones are in use around
the world. While this research does indicate how the
encryption may be broken, actually intercepting that
signal is not explained.

Wired
http://wired.lycos.com/news/print/0,1294,32900,00.html

Cell Phone Crypto Penetrated
by Declan McCullagh

10:55 a.m. 6.Dec.1999 PST
Israeli researchers have discovered design flaws that allow the
descrambling of supposedly private conversations carried by hundreds of
millions of wireless phones.

Alex Biryukov and Adi Shamir describe in a paper to be published this week
how a PC with 128 MB RAM and large hard drives can penetrate the security
of a phone call or data transmission in less than one second.



The flawed algorithm appears in digital GSM phones made by companies such
as Motorola, Ericsson, and Siemens, and used by well over 100 million
customers in Europe and the United States. Recent estimates say there are
over 230 million users worldwide who account for 65 percent of the
digital wireless market.

Although the paper describes how the GSM scrambling algorithm can be
deciphered if a call is intercepted, plucking a transmission from the air
is not yet practical for individuals to do.

James Moran, the fraud and security director of the GSM Association in
Dublin, says that "nowhere in the world has it been demonstrated -- an
ability to intercept a call on the GSM network. That's a fact.... To our
knowledge there's no hardware capable of intercepting."

The GSM Association, an industry group, touts the standards as "designed
to conform to the most stringent standards of security possible from the
outset [and] unchallenged as the world's most secure public digital
wireless system."

Not any more.

Shamir says the paper he co-authored with a Weizmann Institute of Science
colleague in Rehovot, Israel, describes a successful attack on the A5/1
algorithm, which is used for GSM voice and data confidentiality. It builds
on the results of previous attempts to attack the cipher.

"It's quite a complex idea, in which we fight on many fronts to accumulate
several small improvements which together make a big difference, so the
paper is not easy to read or write," Shamir, a co-inventor of the RSA
public key crypto system in 1977, said in an email to Wired News.


A group of Silicon Valley cypherpunks has organized previous efforts to
highlight what they view as the poor security of GSM encryption standards.

In April 1998 they reported that it was possible to clone a GSM phone,
which the US Cellular Telecommunications Industry Association dismissed as
more theoretical than practical. The North American GSM Alliance similarly
dismissed cloning as a serious threat in a statement.

Earlier this year, the group, which includes Marc Briceno, Ian Goldberg,
and David Wagner, described how to penetrate the less-secure GSM A5/2
algorithm used in some Pacific rim countries in less than a second. In May
1999 they released the source code to A5/1, which the Weizmann
Institute computer scientists used in their analysis of the cipher.

"Because of Biryukov and Shamir's real-time attack against A5/1 and our
group's 15 millisecond attack against A5/2, all the GSM voice privacy
ciphers used worldwide can be broken by an attacker with just a single PC
and some radio hardware," Briceno said.

"Since the voice privacy encryption is performed by the handset, only
replacing the handset would address the flaws found in the recent
attacks," he said.

The GSM Alliance's Moran said he needed time to review the paper, which
has not yet been released. But he said it would be a topic of a discussion
at the next GSM security working group meeting on 16 December.

Previously the GSM encryption algorithms have come under fire for being
developed in secret away from public scrutiny -- but most experts say high
security can only come from published code.

Moran said "it wasn't the attitude at the time to publish algorithms" when
the A5 ciphers were developed in 1989, but current ones being created will
be published for peer review.


@HWA

17.0 DARPA Looks At Face Recognition Technology
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Weld Pond
Face recognition technology has been around for a
while. Cameras mounted on street lamps in a few British
cities have been picking faces out of the crowd for over
a year. Now DARPA is interested in using this technology
in conjunction with other biometric technology such as
thermal signature of the blood vessels in the head and
the shape of a person's ear to create a more accurate
and complete system.

Scientific American
http://www.sciam.com/1999/1299issue/1299techbus5.html

HNN Archive for October 20, 1998
http://www.hackernews.com/arch.html?102098

Defense Technology

SEEN BEFORE


To guard against terrorism, the Pentagon looks to image-recognition
technology


In the East London borough of Newham, a surveillance network of more than
200 cameras keeps watch on pedestrians and passersby, employing a
facial-recognition system that can automatically pick out known criminals
and alert local authorities to their presence. Not surprisingly, civil
liberties groups oppose the system--Privacy International, a human-rights
group, gave the Newham council a "Big Brother" award last year on the 50th
anniversary of the publication of George Orwell's famous novel. The
council, however, claims overwhelming support from citizens who are more
concerned about crime than about government intrusions. It could count as
one of its supporters the U.S. Department of Defense, which is keeping
tabs on the Newham system as well as on other, related technologies. The
department hopes that some combination of "biometrics" will vastly improve
its ability to protect its facilities worldwide.

For the military, biometrics usually means technologies that can identify
computer users by recognizing their fingerprints or voices or by scanning
their irises or retinas. But after a terrorist truck bomb blew up the
Khobar Towers U.S. military barracks in Saudi Arabia in 1996, killing 19,
the Pentagon elevated to the top of its priority list the need for "force
protection"--namely, keeping troops abroad safe from attack. That spurred
the Defense Advanced Research Projects Agency, essentially a Pentagon
hobby shop, to action. Building on some ongoing work with video
surveillance and modeling techniques, as well as on commercial (but still
experimental) technologies such as those used to identify automatic-teller
machine customers by scanning their faces, DARPA set out to investigate
the potential for a network of biometric sensors to monitor the outsides
of military facilities.

The result is a program known as Image Understanding for Force Protection
(IUFP), which the agency hopes to get started in 2001. Described by the
Pentagon as "an aggressive research and development effort," IUFP is
supposed to improve site surveillance capabilities by "creating new
technologies for identifying humans at a distance."

Biometric systems in use with ATM machines and computers have two
advantages over what DARPA has in mind: proximity and cooperation. For
military purposes, biometric sensors and networks must be able to "see"
and identify subjects from distances of between 100 and 500 feet--subjects
who probably don't want to be identified. In addition, they must be
capable of picking faces out of crowds in urban environments, keeping
track of repeat visitors who, according to DARPA's George Lukes, "might be
casing the joint," and alerting users to the presence of known or
suspected terrorists. Databases could even be shared by different
facilities, informing security officials, for example, that the same
person is showing up repeatedly near different potential targets.

The software behind Newham's anticrime system that has drawn DARPA
interest is called FaceIt, from New Jersey-based Visionics Corporation.
FaceIt scans the visages of people and searches for matches in a video
library of known criminals. When the system spots one of those faces, the
authorities are contacted. A military version might work the same way.
Over the past year, according to a DARPA document recently sent to
Congress, "several new technical approaches have been identified" that
could provide improved face recognition at longer distances, as well as
extend the range of iris-recognition systems.

DARPA believes, however, that combining several types of technologies
could form a network that is more capable than a single system. New
concepts it is exploring include the thermal signature of the blood
vessels in the head, which some researchers suspect is as unique to a
person as his or her fingerprints; the shape of a person's ear; and even
"the kinetics of their gait," in DARPA's words. "There are some unique
characteristics to how people move that allow you to recognize them,"
explains DARPA's David Gunning. After conducting a "thorough analysis" of
existing technologies, the agency says it is "ready to begin immediately
with the new developments." The Pentagon hopes to spend $11.7 million in
2000 on the IUFP program--a good deal of money for a DARPA effort.

The potential for an integrated network of identification techniques has
understandably generated significant interest among defense and
intelligence agencies that are prime targets for terrorists. "There's a
lot of enthusiasm," Gunning says--after all, through the marriage of
recognition systems and surveillance technologies, DARPA thinks it has a
handle on how to keep track of "one of the few detectable precursors" to
terrorist attacks.


--Daniel G. Dupont


@HWA

18.0 More Info On the Phonemasters Revealed
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Maggie
They were arrested almost five years ago but the
massive inroads made into the nation's
telecommunications systems are only now becoming fully
clear. The Phonemasters coordinated what is being
called one of the largest computer intrusion schemes in
U.S. history. As the case finally draws to a close and
the various members of the group receive their
sentences a few new tidbits of information are coming
out. (We are still amazed at how little press coverage
this case has gotten.)

Union Tribune
http://www.uniontrib.com/news/uniontrib/sun/news/news_1n5hacker.html
(Story has moved, couldn't locate it online - Ed)

HNN Archive for October 4, 1999
http://www.hackernews.com/arch.html?100499

@HWA

19.0 Proactive AntiVirus Software Now Available
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Weld Pond
Finjan Software has introduced a proactive first-strike
security solution, SurfinShield Corporate, that claims to block
worms and other malicious code by monitoring the
behavior of programs rather than relying on a known
virus signature. By using a proactive monitoring
technique to 'sandbox' programs and monitor their
behavior SurfinShield can instantly block programs that
violate a security policy, such as attempting to delete a
user's files.

PR Newswire
http://library.northernlight.com/FB19991206040000127.html?cb=0&dx=1006&sc=0#doc

Finjan Software
http://www.finjan.com/

TROJAN WORM ATTACKS CLOUD THE FUTURE OF REACTIVE ANTI-VIRUS SOFTWARE
FINJAN'S PROACTIVE FIRST-STRIKE SECURITY SOFTWARE STOPS MALICIOUS CODE By
Monitoring Code Behavior and Requires No Database Updates


Story Filed: Monday, December 06, 1999 7:30 AM EST

SAN JOSE, Calif., Dec 6, 1999 /PRNewswire via COMTEX/ -- As last week's
MiniZip worm proved, current anti-virus software technology is not able to
protect users from first-strike attacks by malicious code in the Internet
age. Compression or "packer" tools such as NeoLite can be used to
change the signature of known Trojan horse programs, making them invisible
to anti-virus software. Finjan Software's proactive first-strike security
solution, SurfinShield Corporate, blocks worms such as MiniZip by
monitoring the behavior of programs rather than relying on a known virus
signature.

"If you take the ten-thousand plus known Trojans multiplied by the ten or
more available compressor utilities, you're looking at more than 100,000
Trojan horses that can pass right through anti-virus software today
-- without writing a single new attack," said Bill Lyons, president and
CEO of Finjan Software, Inc. "Without a doubt, whether it's MiniZip 2 or a
new Trojan worm, more of these types of attacks are coming."

Compression Tools

Packers are legitimate compression tools that can
compress windows executable (."EXE") files, much like how people use the
well-known WinZip product to compress document or graphics files before
e-mailing. However, with these packer tools, the resulting
compressed executable will bypass any static anti-virus scanning engine
because the virus signature is changed and the anti-virus software will
not recognize it.

There are dozens of commercial and free compression tools that can be used
to hide known Trojan horses and worms from anti-virus software, including
AS-pack, PECompact, Petite, PKLite, NeoLite, Shrinker and WWpack32.

The real risk is that anyone now can take one of these packer tools and
easily develop new attacks with known Trojan horse programs. With easy to
use "point and click" interfaces, there is no more need for programming
skills. One simply takes an old attack, compresses it with the
packer tool of choice and creates a brand new attack.

Why Anti-Virus is Not Enough

Millions of dollars can be lost due to
deleted files and lost productivity in the first 24 hours when a malicious
code attack first strikes. Anti-virus companies and security experts agree
that anti-virus software cannot stop these new types of attacks:

"The problem with anti-virus software is that it's inherently reactive,"
said Dan Schrader, vice president of new technology at Trend Micro Inc.
"We have artificial intelligence for identifying viruses, but virus
writers are good at getting around heuristics." (source:
Computerworld)

Sal Viveros, Network Associates, Inc. marketing manager insisted no
available anti-virus product could have detected MiniZip. "It is
impossible to detect beforehand all the different variables out there they
use to write a malicious attack," said Viveros. (source:
Computerworld)

"We're at a turning point right now," said Carey Nachenberg, chief
scientist for the Symantec Anti-virus Research Center. "We need to
re-examine our anti-virus software, and companies need to re-examine their
anti-virus strategies." (source: ZDNet News)

"The pattern matching security offered by most anti-virus software
providers is antiquated. It's akin to practicing medicine with leeches,"
said Dr. Gary McGraw, vice president of corporate technology at Reliable
Software Technologies. "To be truly effective, modern security
approaches must be proactive, not reactive."

New Approach Needed: First-Strike Security

Finjan's SurfinShield Corporate
software uses a proactive monitoring technique to "sandbox" programs and
monitor their behavior and instantly block programs that violate a
security policy, such as attempting to delete a user's files.
Finjan's product acts as a filtering mechanism between a PC's operating
system and the program, to monitor and block malicious behavior.

"By itself, anti-virus software is not an effective defense against new
attacks because of its reactive nature," said Donna Slattery, security
analyst with The Hurwitz Group. "Companies should supplement their
anti-virus protection with proactive solutions like Finjan's
first-strike security software."

Finjan educated its customers and partners this morning about compression
tools (alert is below).

About Finjan Software

Finjan Software is the leader in First-Strike
Security(TM) software, delivering proactive security solutions that
protect companies and computer users from first-strike malicious code
attacks. Finjan allows companies to conduct e-business and
e-commerce safely with best-of-breed security products that enforce
multiple lines of defense and protect critical data. Finjan is a privately
held company based in San Jose, Calif. For more information, visit
www.finjan.com.

Finjan Software, Inc.
Compression Tools Alert 12/6/99

Finjan customers and partners,

As MiniZip showed us last week, compression and packer tools are now being
used to pass Trojan executable files through anti-virus software and
successfully launch new attacks. We thought it might be helpful to show
you what we've found out about these tools.

Compression Tools (aka "Packers")

OVERVIEW

Compression tools or "packers" can compress Windows executable
(".EXE") files much like the well-known WinZip product. The resulting
compressed executable will bypass any static anti-virus scanning engine
(because the virus signature is compressed). However, these programs
allow a compressed file to decompress and run automatically without
requiring the same utility to open it.

MiniZip Worm was a "packed" version of the ExploreZip worm that struck in
June 1999. The only difference is that MiniZip was compressed with a
commercial utility called NeoLite. NeoLite is a publicly available "point
and click" software program ($25) that can be used to "cloak" known
Trojan executables.

There are many different commercial and free packers available on the Web,
including:

ASPack
Cexe
PECompact
PE-Pack
Petite
PKLite
Shrinker
UPX
WWpack

With an estimated 10,000-plus known Trojan horses, times a minimum of 10
packer tools, hackers can select from more than 100,000 Trojans to create
new attacks that may bypass your anti-virus software. And with these easy
to use compression tools, it no longer requires programming
experience to create new attacks.

It appears that the immediate reaction by anti-virus vendors to stop
MiniZip is to block the NeoLite pattern. Finjan believes that there may be
legal issues with regards to blocking commercial applications from
operating at the desktop. Unfortunately, the only approach that is
plausible, based on present AV technology, may be to spot the NeoLite or
other compression pattern, decompress, and compare the result to the
original pattern (e.g., ExploreZip). A major problem, however, comes from
recursive attacks; that is, wrappers around wrappers, where a Trojan worm
is packed multiple times with other packers. The negative effect of
resolving and analyzing such files is a massive performance hit. That's
why we believe that behavior blocking is the more appropriate answer.

HOW TO PROTECT YOURSELF

Supplement your anti-virus software with first-strike security
solutions. Finjan's SurfinShield Corporate will protect users from new
"packed" Trojan executables through its proactive monitoring technology
that "sandboxes" executables and blocks any executable program that
violates security policies.

By monitoring actual code behavior, Finjan's SurfinShield Corporate
protects PCs without requiring users to download any software patch or
pattern update.

SOURCE Finjan Software (C) 1999 PR Newswire. All rights reserved.
http://www.prnewswire.com

CONTACT: Sharon Sim-Krause of Shandwick International, 650-596-5880,
ext. 4278, or skrause@shandwick.com, for Finjan Software; or Dave Kroll of
Finjan Software, 408-324-0228, ext. 307, or dave@finjan.com

WEB PAGE: http://www.finjan.com

GEOGRAPHY: California

INDUSTRY CODE: CPR MLM

Copyright © 1999, PR Newswire, all rights reserved.
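
The "spot the packer pattern, decompress, and compare" approach described in the alert, including its wrappers-around-wrappers problem, as an added example that is not Finjan's or any anti-virus vendor's code. zlib stands in for an executable packer such as NeoLite, and the signature, the stub marker and the sample payloads are constructed for illustration.

```python
import zlib
from typing import NamedTuple

# Constructed stand-ins, not real patterns: a "known Trojan" signature and the
# stub marker a hypothetical packer leaves at the start of its output.
SIGNATURE = b"CONSTRUCTED-TROJAN-SIGNATURE-0001"
PACKER_STUB = b"DEMOPACK\x01"

# Constructed sample payloads.
TROJAN = b"MZ" + b"\x90" * 64 + SIGNATURE + b"delete user files;" * 8
BENIGN = b"MZ" + b"ordinary installer data;" * 16


class ScanResult(NamedTuple):
    verdict: str         # "clean", "detected", "budget_exceeded" or "unpack_error"
    layers: int          # packer layers removed before the verdict was reached
    bytes_unpacked: int  # total decompressed bytes, i.e. the work spent


def pack(payload: bytes, layers: int = 1) -> bytes:
    """Wrap payload in `layers` rounds of stub + zlib, like a packer run repeatedly."""
    blob = payload
    for _ in range(layers):
        blob = PACKER_STUB + zlib.compress(blob, 9)
    return blob


def static_scan(blob: bytes) -> bool:
    """Pattern matching on the bytes as stored, with no unpacking."""
    return SIGNATURE in blob


def unpacking_scan(blob: bytes, max_layers: int = 8,
                   max_bytes: int = 1 << 20) -> ScanResult:
    """Spot the stub, decompress, rescan; repeat within a layer and byte budget."""
    layers = 0
    spent = 0
    while True:
        if static_scan(blob):
            return ScanResult("detected", layers, spent)
        if not blob.startswith(PACKER_STUB):
            return ScanResult("clean", layers, spent)
        if layers >= max_layers:
            # Nested wrappers deeper than we are willing to follow.
            return ScanResult("budget_exceeded", layers, spent)
        remaining = max_bytes - spent
        inflater = zlib.decompressobj()
        try:
            # Request one byte more than the budget so an overrun is observable
            # without inflating the whole stream.
            out = inflater.decompress(blob[len(PACKER_STUB):], remaining + 1)
        except zlib.error:
            return ScanResult("unpack_error", layers, spent)
        if len(out) > remaining:
            return ScanResult("budget_exceeded", layers, spent)
        if not inflater.eof:
            # Stream ended early: truncated or corrupt layer.
            return ScanResult("unpack_error", layers, spent)
        blob = out
        spent += len(out)
        layers += 1


if __name__ == "__main__":
    for name, sample in [("raw trojan", TROJAN),
                         ("packed once", pack(TROJAN, 1)),
                         ("packed 3x", pack(TROJAN, 3)),
                         ("packed benign", pack(BENIGN, 2))]:
        print(f"{name:14} static={static_scan(sample)!s:5} "
              f"unpacking={unpacking_scan(sample)}")
```

A "budget_exceeded" or "unpack_error" verdict is not a clean bill of health; a scanner built this way should treat both as unscanned and hand the file to another control, which is the cost trade-off the alert points at.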

@HWA


20.0 South African Web Pages Defaced
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Zilly
The website of the SA Police Service (SAPS) along with
a dozen other local sites was defaced last Sunday. The
SAPS said it believed security measures were sufficient
to prevent access to confidential information. The
South African Law Commission is working on a new
computer crimes act which is expected to have
proposals for this sort of crime.

Business Day
http://WWW.BDAY.CO.ZA/99/1206/news/news2.htm


Hackers deface police website with obscenities

Simphiwe Xako


COMPUTER hackers claiming responsibility for two
recent attacks on Statistics SA's website have vandalised
several other internet pages, including the website of the
SA Police Service (SAPS).

The hackers, operating under the name "B1nary
Outlawz", alerted newspapers to their most recent
attacks with e-mail messages yesterday, one of which
contains obscenities directed at Telkom. These messages
characterised the attacks on the Stats SA website.

"SA Police website hacked by B10Z - www.saps.co.za.
Another high-profile hack by the B10Z crew …
www.statssa.gov.za, www.eskom.co.za,
www.saps.co.za," one e-mail said.

Text and links on the default page of the SAPS website
were replaced by obscenities directed at the police. The
SAPS insignia was distorted and the hackers' insignia
superimposed on it.

About a dozen other locally-based websites were
targeted in a similar way.

A Telkom representative, who asked not to be named,
said she did not believe the hackers had anything against
Telkom in particular, but targeted large companies in
general. "This is a case of juvenile (delinquents seeking)
approval. You can even see (it in) the type of language
they use," she said.

The SAPS could not confirm the extent of the attack on
its website last night, but said it believed security
measures were sufficient to prevent access to confidential
information.

Supt Welma Nortje of the SAPS's management services
said: "We have a daily backup system to ensure that
information remains highly confidential."

Detectives would investigate the attack and trace the
culprits.

The SA Law Commission is working on a discussion
document on a new computer crimes act which is
expected to include proposals on ways of dealing with
computer hackers.

@HWA

21.0 Not Just a Game Anymore
~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Brian Martin
The response to Brian Martin's previous article Is it
Worth It proved so overwhelming that a more thorough
article was warranted. This time Mr. Martin takes an in
depth look at just what laws apply and who investigates
web page defacements.

Buffer Overflow
http://www.hackernews.com/orig/buffero.html



Not Just a Game Anymore


By: Brian Martin


This is a followup to a previous article titled Is it worth it?
Dispelling the myths of law enforcement and hacking, released on
November 22, 1999 via Hacker News Network.

Included with this article are several sanitized copies of various
documents pertaining to computer crime investigations. Names,
dates and locations have been changed.

Some of the information in this article may be a bit redundant
from the last article, but is done in order to present a self
standing article that is as complete as possible. Some of the links
to agency homepages have been changed to point to their true
home page, not just the system hosting the page.

Topics:
More on Search and Seizure
The Search
The Seizure
Statute of Limitations
What exactly is illegal?
More on Punishment

Investigating Agencies:
Federal Bureau of Investigations (FBI)
Defense Criminal Investigative Service (DCIS)
NASA Office of the Inspector General (NASA OIG)
Naval Criminal Investigative Service (NCIS)
U.S. Army Criminal Investigation Command (USACIDC)
Royal Canadian Mounted Police (RCMP)
Defense Computer Forensic Laboratory (DCFL)

Appendix and Additional Information
A - Search and Seizure Warrant
B - Search and Seizure Warrant, Attachment A (apartment)
C - Search and Seizure Warrant, Attachment A (colocated machine)
D - Search and Seizure Warrant, Attachment C
E - Warrant for Arrest
F - Indictment
G - USDOJ Press Release


More on Search and Seizure

Before any Law Enforcement (LE) officer/agent may step foot in
your place of living, they must obtain a search warrant that gives
them explicit permission to do so. The warrant will list the
physical address of the premises to be searched, a description of
the establishment, a time frame for the search and seizure, and a
list of acceptable material that may be seized. The warrant is
likely to be issued by your District Court to the agent in charge of
the investigation.

Rather than explain each part of the search and seizure warrant,
I have included a sanitized version of one with this article. From
my experience and communication with others, the warrant
included can be taken as a very typical and standard version
used throughout the U.S. Appendix A includes the first page of
the warrant which details the premises to be searched, dates,
who will conduct the seizure and more. Appendix B is a copy of
Attachment A which is a wordy description of the premises to be
searched. Appendix C is a copy of Attachment C which lists all
material covered under the search and seizure guidelines.

Appendix A - Search and Seizure Warrant
Appendix B - Search and Seizure Warrant, Attachment A (apartment)
Appendix C - Search and Seizure Warrant, Attachment A (colocated machine)
Appendix D - Search and Seizure Warrant, Attachment C

Some notes and observations about the material contained in
Appendix A. Outlined on the warrant, the agents may conduct
the search and seizure either between the hours of 6:00am -
10:00pm, OR "at any time in the day or night as I find reasonable
cause has been established". One of the two options should be
struck through and initialed by the Judicial Officer. Also included
is a date that the search must be executed by.

The Search

Being subjected to an FBI search and seizure is an interesting
experience to say the least. No official wording on any warrant
can come close to explaining the experience. Typically arriving at
your residence between 6:00 and 8:00am, almost a dozen agents
are ready to toss your apartment to fulfill the warrant. After being
greeted at gunpoint and your residence secured, the agents will
mark each room with a Post-it note and number. These numbers
correspond to the receipt they leave you detailing what material
was taken from each room.

In keeping with standard search and seizure practice, not much is
left unturned. Some of the places you can expect the agents to
search:

Under the bed, between the sheets, between the frame/box
Behind each and every hanging picture, especially framed
Under/Behind dressers and furniture
In the reservoir of your toilet
Any attic or crawl space
Every drawer, cupboard, container, shelf or other storage area
Inside the refrigerator/freezer
Under/Inside any cushion with removable insides
Between the pages of books
In air vents or other commonly used places to conceal items

If this does not help paint a picture that agents are rather
thorough, let me clear it up. They are quite thorough. Do they
find everything? Not all the time. In some cases agents even miss
items out in the open that they might normally take. To balance
this, they almost always take a considerable amount of material
that is completely irrelevant or esoteric.

For the most part, you can also dismiss any notions you may
have about hiding items before the raid. When they knock on the
door, they will not give you time to do anything short of opening
the door and complying with their demands. If they have any idea
that you may be destroying evidence, they are empowered with
the ability to forcibly enter your residence, physically detain you,
and carry on.

The search and seizure will not be short by any means. You can
expect it to last anywhere from a few hours to a full day. During
this time you will be questioned by a number of agents regarding
anything and everything they might think to ask. I don't know if it
is intentional and designed to throw you off, but they may ask
extremely bizarre questions that lead you to wonder about their
intelligence. During this questioning do one of two things.

Refuse to answer ALL questions until your lawyer is present.
Answer questions honestly.

Lying to law enforcement agents may seem like a clever thing to
do at the time, but it is much more likely to hurt you in the long
run. If caught in a single lie during questioning, it will further
encourage the agents to question you more. They also have the
option of charging you with obstruction of justice if so inclined.
When an agent gets it through their head that you are guilty, it is
bad news for you regardless of your guilt or innocence.

It is extremely important that you realize your rights. UNDER NO
CIRCUMSTANCE do you have to answer questions without the
presence of your lawyer. No matter what the LE agent says,
suggests, or implies, this is a fundamental right. In many cases,
raid victims are not being charged with a crime. Because of this,
their rights are not read to them. Just because you aren't under
arrest does not mean those rights are waived! The courts have
recently found that police can be sued if they discourage raid
victims from consulting a lawyer. More on this ruling can be found
in this Washington Post article.

The Seizure

What can LE Agents take from you? EVERYTHING. You can't
argue about it either. While they may take material that is not
explicitly covered under the warrant and may later be forced to
give it back to you, that doesn't help you when they are
rummaging through your house. Re-read the list of material
covered under Attachment C and think about how
broad it is.

It is safe to say that absolutely anything remotely computer
related is covered under the warrant. There are a few things that
are also covered under the guidelines that tend to surprise people
when confiscated.

"electronic organizers": these include ones with mini
keyboards like the Sharp organizers, as well as touch
screen like Palm Pilots.
"personal diaries": even your little black journal detailing
sexual exploits, or a notepad with poetry.
"books, newspaper, and magazine articles concerning
hacking": this includes ANY computer book in your
residence. Newspapers or magazines that have security or
hacker articles are included.
"cassette tapes, video cassette tapes, and magnetic
tapes": If it isn't a store bought tape, it is subject to
seizure. Doesn't matter if it contains episodes of the
Beavers or pornography.
"fax machines": despite a fax machine typically not having
the ability to store information long term, it is fair game.
"indicia of occupancy or tenancy..": Any paperwork or proof
that you own or rent your place. Any sales receipts, billing
records or anything else close.
"other items ... in violation of Title 18..": Perhaps the worst
listing of them all, this allows them to take just about
anything else they may deem necessary.



Statute of Limitations

Another often asked question is how long the feds can
investigate you. As long as they want. For most cases, LE can
investigate a crime for up to five years after it was committed.
This is known as the Statute of Limitations and means how long
they can investigate and press charges against you for the crime.
Hypothetically that is. If the crime is serious, several agents have
assured me that the U.S. Government will find a way to stretch
that timeframe.

Regardless, if the agents have not made a case against you, the
government attorneys will not press charges. Even so, you can
expect them to hold onto any seized equipment until the
conclusion of their investigation. If they go so far as seizing
equipment and not pressing charges, you can expect to get your
stuff back 1,825 days after it was taken, just to spite you.


What exactly is illegal?

Thanks to the vague (or was it intentional?) wording of the Title
18 laws, several actions you may consider harmless could fall into
murky legal territory. As a DCIS agent recently said in a
conversation about the last article, "Even if you telnet to a
machine and type anything in, that can be attempted intrusion!".
As fascist as that may sound, it is true. Any activity or
connections to a remote machine without authorization may be
illegal. Because it is partially based on intent and partially based
on your activities, this is still somewhat uncharted territory. While
it is highly unlikely you will be charged for portscanning a
machine, repeated poking at an open port could be enough to
spark interest in your activities.

Another term often used by agents and lawyers is "illegal access
device" (IAD). What has turned into another all encompassing
term, this can be used for a wide variety of things in a case
against you. Some of the few things that fall into this category:

login/passwd: Any login and password for any type of
system be it unix, VAX/VMS, voice mail or something else.
ESN/MIN: Cloning cell phones is illegal as you know, but
each ESN/MIN pair counts as one IAD.
CC/Exp: Each Credit Card w/ Expiration Date. Remember, it
takes both pieces to purchase anything.
Access keycard: Find an access device in the dumpster?
Pick it up after someone dropped it? This allows access
(illegally) into a building.
Employee ID: Like an access keycard, these are often used
to bypass controlled access points or visual checks at
guard desks.

Consider that when some hackers are busted, they are caught
with a list of thousands of logins and passwords to systems
around the world. Disturbing to think that each one can be used
as a felony charge against you. When federal agents hold up to a
thousand felony charges over your head, it is often enough to
make you want to cut a deal. This is one reason that strong
encryption is the friend of hackers.


More on Punishment

The punishment for hacking crimes is growing. Convicted hackers
five years ago could expect a light slap on the wrist, a few hours
of community service, and not much else. These days, a single
felony count of computer hacking can lead to 15 months in jail
along with restitution in the tens of thousands of dollars.
Look at the verbose list of restrictions placed on Kevin Mitnick,
examine them closely and consider what they really entail.

While the following restrictions may not be applied to every case,
consider that they have been applied to one convicted hacker.
Further consider that as such, these restrictions may be used as
case law in future court hearings. The following restrictions are
taken from a larger document concerning Kevin Mitnick and the
restrictions.

http://www.kevinmitnick.com/081898writ.html#release_conditions

A. Absent prior express written approval from the Probation Officer,
the Petitioner shall not possess or use, for any purpose, the
following:

1. any computer hardware equipment;

2. any computer software programs;

3. modems;

4. any computer related peripheral or support equipment;

5. portable laptop computer, 'personal information assistants,'
and derivatives;

6. cellular telephones;

7. televisions or other instruments of communication equipped with
on-line, internet, world-wide web or other computer network
access;

8. any other electronic equipment, presently available or new
technology that becomes available, that can be converted to
or has as its function the ability to act as a computer system
or to access a computer system, computer network or
telecommunications network (except defendant may possess a
'land line' telephone);

B. The defendant shall not be employed in or perform services for any
entity engaged in the computer, computer software, or
telecommunications business and shall not be employed in any
capacity wherein he has access to computers or computer related
equipment or software;

C. The defendant shall not access computers, computer networks or other
forms of wireless communications himself or through third parties;

D. The defendant shall not act as a consultant or advisor to
individuals or groups engaged in any computer related activity;

E. The defendant shall not acquire or possess any computer codes
(including computer passwords), cellular phone access codes or other
access devices that enable the defendant to use, acquire, exchange
or alter information in a computer or telecommunications database
system;

F. The defendant shall not use any data encryption device, program or
technique for computers;

G. The defendant shall not alter or possess any altered telephone,
telephone equipment or any other communications related equipment.

Imagine being subjected to these restrictions for a period of THREE
years. Not only does your primary hobby go away, your
means for stable income are at serious risk. Think of every job
you could hold with these restrictions and life does not look so
pleasant. Even working at Taco Bell requires the use of
computerized registers. Telemarketing and other menial tasks that
once were viable methods of income also go away. Jobs that
consist mostly of physical labor become about the only option left
to you. Don't forget, many companies will not hire convicted
felons, even for physical labor.

Court ordered restitution will be a new world of difficulty. Many
people fail to realize that not only are restitution amounts fairly
significant, but they must be paid back in a timely fashion. Oh
yeah, remember that you are not likely to hold a job that pays
more than six bucks an hour. So how much is US$50,000 when it
comes down to it? Consider that you might be able to earn
US$25,000 a year if you are fortunate. Giving up your entire salary
would allow you to pay it off in two years. If you can live off of
US$15,000 (poverty level), you could then pay back the
restitution in only five years. Five years of living at a poverty
level.

Is defacing a web page and putting up a message "hackerX 0wnz
j00" REALLY worth it?Not Just a Game Anymore


By: Brian Martin


This is a followup to a previous article titlted Is it worth it?
Dispelling the myths of law enforcement and hacking, released on
November 22, 1999 via Hacker News Network.

Included with this article are several sanitized copies of various
documents pertaining to computer crime investigations. Names,
dates and locations have been changed.

Some of the information in this article may be a bit redundant
from the last article, but is done in order to present a self
standing article that is as complete as possible. Some of the links
to agency homepages have been changed to point to their true
home page, not just the system hosting the page.

Topics:
More on Search and Seizure
The Search
The Seizure
Statute of Limitations
What exactly is illegal?
More on Punishment

Investigating Agencies:
Federal Bureau of Investigations (FBI)
Defense Criminal Investigative Service (DCIS)
NASA Office of the Inspector General (NASA OIG)
Naval Criminal Investigative Service (NCIS)
U.S. Army Criminal Investigation Command (USACIDC)
Royal Canadian Mounted Police (RCMP)
Defense Computer Forensic Laboratory (DCFL)

Appendix and Additional Information
A - Search and Seizure Warrant
B - Search and Seizure Warrant, Attachment A (apartment)
C - Search and Seizure Warrant, Attachment A (colocated
machine)
D - Search and Seizure Warrant, Attachment C
E - Warrant for Arrest>
F - Indictment
G - USDOJ Press Release


More on Search and Seizure

Before any Law Enforcement (LE) officer/agent may step foot in
your place of living, they must obtain a search warrant that gives
them explicit permission to do so. The warrant will list the
physical address of the premises to be searched, a description of
the establishment, a time frame for the search and seizure, and a
list of acceptable material that may be seized. The warrant is
likely to be issued by your District Court to the agent in charge of
the investigation.

Rather than explain each part of the search and seizure warrant,
I have included a sanitized vrsion of one with this article. From
my experience and communication with others, the warrant
included can be taken as a very typical and standard version
used throughout the U.S. Appendix A includes the first page of
the warrant which details the premisis to be searched, dates,
who will conduct the seizure and more. Appendix B is a copy of
Attachment A which is a wordy description of the premises to be
searched. Appendix C is a copy of Attachment C which lists all
material covered under the search and seizure guidelines.

Appendix A - Search and Seizure Warrant
Appendix B - Search and Seizure Warrant, Attachment A
(apartment)
Appendix C - Search and Seizure Warrant, Attachment A
(colocated machine)
Appendix D - Search and Seizure Warrant, Attachment C

Some notes and observations about the material contained in
Appendix A. Outlined on the warrant, the agents may conduct
the search and seizure either between the hours of 6:00am -
10:00pm, OR "at any time in the day or night as I find reasonable
cause has been established". One of the two options should be
struck through and initialed by the Judicial Officer. Also included
is a date that the search must be executed by.

The Search

Being subjected to an FBI search and seizure is an interesting
experience to say the least. No official wording on any warrant
can come close to explaining the experience. Typically arriving at
your residence between 6:00 and 8:00am, almost a dozen agents
are ready to toss your apartment to fufill the warrant. After being
greeted at gunpoint and your residence secured, the agents will
mark each room with a postit note and number. These numbers
correspond to the receipt they leave you detailing what material
was taken from each room.

In keeping with standard search and seizure practice, not much is
left unturned. Some of the places you can expect the agents to
search:

Under the bed, between the sheets, between the
frame/box
Behind each and every hanging picture, especially framed
Under/Behind dressers and furniture
In the reservoir of your toilet
Any attic or crawl space
Every drawer, cupboard, container, shelf or other storage
area
Inside the refridgerator/freezer
Under/Inside any cushion with removable insides
Between the pages of books
In air vents or other commonly used places to conseal
items

If this does not help paint a picture that agents are rather
thorough, let me clear it up. They are quite thorough. Do they
find everything? Not all the time. In some cases agents even miss
items out in the open that they might normally take. To balance
this, they a

  
lmost always take a considerable amount of material
that is completely irrelevant or esoteric.

For the most part, you can also dismiss any notions you may
have about hiding items before the raid. When they knock on the
door, they will not give you time to do anything short of opening
the door and complying with their demands. If they have any idea
that you may be destroying evidence, they are empowered with
the ability to forcibly enter your residence, physically detain you,
and carry on.

The search and seizure will not be short by any means. You can
expect it to last anywhere from a few hours to a full day. During
this time you will be questioned by a number of agents regarding
anything and everything they might think to ask. I don't know if it
is intentional and designed to throw you off, but they may ask
extremely bizarre questions that lead you to wonder about their
intelligence. During this questioning do one of two things.

Refuse to answer ALL questions until your lawyer is
present.
Answer questions honestly.

Lying to law enforcement agents may seem like a clever thing to
do at the time, but it is much more likely to hurt you in the long
run. If caught in a single lie during questioning, it will further
encourage the agents to question you more. They also have the
option of charging you with obstruction of justice if so inclined.
When an agent gets it through their head that you are guilty, bad
news for you regardless of your guilt or innocense.

It is extremely important that you realize your rights. UNDER NO
CIRCUMSTANCE do you have to answer questions without the
presence of your lawyer. No matter what the LE agent says,
suggests, or implies, this is a fundamental right. In many cases,
raid victims are not being charged with a crime. Because of this,
their rights are not read to them. Just because you aren't under
arrest does not mean those rights are waived! The courts have
recently found that police can be sued if they discourage raid
victims from consulting a lawyer. More on this ruling can be found
in this Washington Post article.

The Seizure

What can LE Agents take from you? EVERYTHING. You can't
argue about it either. While they may take material that is not
explicitly covered under the warrant and may later be forced to
give it back to you, that doesn't help you when they are
rummaging through your house. Re-read the list of material that
are covered under Attachment C again and think about how
broad it is.

It is safe to say that absolutely anything remotely computer
related is covered under the warrant. There are a few things that
are also covered under the guidelines that tend to surprise people
when confiscated.

"electronic organizers": these include ones with mini
keyboards like the Sharp organizers, as well as touch
screen like Palm Pilots.
"personal diaries": even your little black journal detailing
sexual exploits, or a notepad with poetry.
"books, newspaper, and magazine articles concerning
hacking": this includes ANY computer book in your
residence. Newspapers or magazines that have security or
hacker articles are included.
"cassette tapes, video cassette tapes, and magnetic
tapes": If it isn't a store bought tape, it is subject to
seizure. Doesn't matter if it contains episodes of the
Beavers or pornography.
"fax machines": despite a fax machine typically not having
the ability to store information long term, it is fair game.
"indicia of occupancy or tenancy..": Any paperwork or proof
that you own or rent your place. Any sales receipts, billing
records or anything else close.
"other items ... in violation of Title 18..": Perhaps the worst
listing of them all, this allows them to take just about
anything else they may deem necessary.



Statute of Limitations

Another often asked question is how long the feds can
investigate you. As long as they want. For most cases, LE can
investigate a crime for up to five years after it was committed.
This is known as the Statute of Limitations and means how long
they can investigate and press charges against you for the crime.
Hypothetically that is. If the crime is serious, several agents have
assured me that the U.S. Government will find a way to stretch
that timeframe.

Regardless, if the agents have not made a case against you, the
government attorney's will not press charges. Even so, you can
expect them to hold onto any seized equipment until the
conclusion of their investigation. If they go so far as seizing
equipment and not pressing charges, you can expect to get your
stuff back 1,825 days after it was taken, just to spite you.


What exactly is illegal?

Thanks to the vague (or was it intentional?) wording of the Title
18 laws, several actions you may consider harmless could fall into
murky legal territory. As a DCIS agent recently said in a
conversation about the last article, "Even if you telnet to a
machine and type anything in, that can be attempted intrusion!".
As fascist as that may sound, it is true. Any activity or
connections to a remote machine without authorization may be
illegal. Because it is partially based on intent and partially based
on your activities, this is still somewhat uncharted territory. While
it is highly unlikely you will be charged for portscanning a
machine, repeated poking at an open port could be enough to
spark interest in your activities.

Another term often used by agents and lawyers is "illegal access
device" (IAD). What has turned into another all encompassing
term, this can be used for a wide variety of things in a case
against you. Some of the few things that fall into this category:

  login/passwd: Any login and password for any type of
     system be it unix, VAX/VMS, voice mail or something else.

  ESN/MIN: Cloning cell phones is illegal as you know, but
     each ESN/MIN pair counts as one IAD.

  CC/Exp: Each Credit Card w/ Expiration Date. Remember, it
     takes both pieces to purchase anything.

  Access keycard: Find an access device in the dumpster?
     Pick it up after someone dropped it? This allows access
     (illegally) into a building.

  Employee ID: Like an access keycard, these are often used
     to bypass controlled access points or visual checks at
     guard desks.

Consider that when some hackers are busted, they are caught
with a list of thousands of logins and passwords to systems
around the world. Disturbing to think that each one can be used
as a felony charge against you. When federal agents hold up to a
thousand felony charges over your head, it is often enough to
make you want to cut a deal. This is one reason that strong
encryption is the friend of hackers.


More on Punishment

The punishment for hacking crimes is growing. Convicted hackers
five years ago could expect a light slap on the wrist, a few hours
of community service, and not much else. These days, a single
felony count of computer hacking can lead to 15 months in jail
along with restitution in the tens of thousands of dollars.
Look closely at the verbose list of restrictions placed on Kevin
Mitnick and consider what they really entail.

While the following restrictions may not be applied to every case,
consider that they have been applied to one convicted hacker.
Further consider that as such, these restrictions may be used as
case law in future court hearings. The following restrictions are
taken from a larger document concerning Kevin Mitnick and the
restrictions.

http://www.kevinmitnick.com/081898writ.html#release_conditions

A. Absent prior express written approval from the Probation Officer,
the Petitioner shall not possess or use, for any purpose, the
following:

1. any computer hardware equipment;

2. any computer software programs;

3. modems;

4. any computer related peripheral or support equipment;

5. portable laptop computer, 'personal information assistants,'
and derivatives;

6. cellular telephones;

7. televisions or other instruments of communication equipped with
on-line, internet, world-wide web or other computer network
access;

8. any other electronic equipment, presently available or new
technology that becomes available, that can be converted to
or has as its function the ability to act as a computer system
or to access a computer system, computer network or
telecommunications network (except defendant may possess a
'land line' telephone);

B. The defendant shall not be employed in or perform services for any
entity engaged in the computer, computer software, or
telecommunications business and shall not be employed in any
capacity wherein he has access to computers or computer related
equipment or software;

C. The defendant shall not access computers, computer networks or other
forms of wireless communications himself or through third parties;

D. The defendant shall not act as a consultant or advisor to
individuals or groups engaged in any computer related activity;

E. The defendant shall not acquire or possess any computer codes
(including computer passwords), cellular phone access codes or other
access devices that enable the defendant to use, acquire, exchange
or alter information in a computer or telecommunications database
system;

F. The defendant shall not use any data encryption device, program or
technique for computers;

G. The defendant shall not alter or possess any altered telephone,
telephone equipment or any other communications related equipment.

Imagine being subjected to these restrictions for a period of
THREE years. Not only does your primary hobby go away, your
means for stable income are at serious risk. Think of every job
you could hold with these restrictions and life does not look so
pleasant. Even working at Taco Bell requires the use of
computerized registers. Telemarketing and other menial tasks that
once were viable methods of income also go away. Jobs that
consist mostly of physical labor become about the only option left
to you. Don't forget, many companies will not hire convicted
felons, even for physical labor.

Court ordered restitution will be a new world of difficulty. Many
people fail to realize that not only are restitution amounts fairly
significant, but they must be paid back in a timely fashion. Oh
yeah, remember that you are not likely to hold a job that pays
more than six bucks an hour. So how much is US$50,000 when it
comes down to it? Consider that you might be able to earn
US$25,000 a year if you are fortunate. Giving up your entire salary
would allow you to pay it off in two years. If you can live off of
US$15,000 (poverty level), you could then pay back the
restitution in only five years. Five years of living at a poverty
level.

Is defacing a web page and putting up a message "hackerX 0wnz
j00" REALLY worth it?

@HWA

22.0 Y2K Fix Really An Extensible Worm
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Evil Wench
W95.Babylonia seems to be a breakthrough in
virus/worm technology. It is the first known 'extensible
worm' which allows the author, or anyone else, to
remotely change the capabilities of the software after
infection. According to Symantec, the virus was
authored by a group calling itself the 29A (666 in hex)
virus writing group. The primary means of infection so
far has been through IRC where it poses as a fix to the
Y2K bug. More than 20 instances of infection have been
reported so far. There have been four plug-ins
discovered that the worm can download to extend its
capabilities.

Wired
http://wired.lycos.com/news/technology/0,1282,32956,00.html

ZD Net
http://www.zdnet.com/zdnn/stories/news/0,4586,2405495,00.html?chkpt=zdnntop

Wired;

Virus Masquerades as Y2K Fix
Wired News Report

2:25 p.m. 7.Dec.1999 PST
Virus fighters warned Tuesday of a new
virus that is spreading in online chat
rooms disguised as a Y2K bug fix.

Computer Associates and other antivirus
software companies said W95.Babylonia is
the first "extensible worm" computer virus
of its kind and attacks users of Internet
Relay chat (IRC) rooms.




Experts said the virus is uniquely
dangerous because its author can alter
the damage or data-theft inflicted on a
daily basis.

"It is particularly dangerous due to the
virus writer's ability to change the virus'
payload remotely and after infection,"
Simon Perry, business manager for CA
Security Solutions, said in a statement.
"This virus represents a new level of virus
capability."

To become infected a user of IRC
software need only visit a chat room
where the virus is being spread.

The virus infects Windows-based
computers and can be spread by
executing a downloaded file or by another
infected machine via MIRC software, an
application used to participate in IRC chat
rooms.

According to a description on the
Computer Associates Web site, the virus
begins polling a Web site in Japan every
60 seconds, looking for updates the
author has written to extend the
capabilities of the virus. The virus can
download the updates to infected
computers, where it can reformat a hard
drive, delete files, or collect sensitive
information.

The companies report there are currently
four plug-ins that the virus can download
to extend its capabilities.

Once a user's machine is infected,
Babylonia will attempt to infect every
executable and help file in the user's
Windows environment, said Computer
Associates.

Companies offering fixes to prevent the
virus from infesting include Computer
Associates and Symantec.

According to Symantec, the virus was
authored by a group calling itself the 29A
virus writing group. More than 20
instances of infection have been
submitted to Symantec, the company
said in a statement.

-=-

ZDNet;

Experts warn of new, updatable virus

W95.Babylonia uses the Web to upgrade
itself -- and could pave the way for smarter
viruses with heavy payloads.



By Robert Lemos, ZDNet News
UPDATED December 8, 1999 7:57 AM PT


Anti-virus firms are warning of a new computer virus
that spreads through Internet chat rooms and
updates itself automatically with files from the Web.

"This is the tip of the iceberg," on
Tuesday said Eric Chien, senior
researcher for anti-virus software
maker Symantec Corp., who
stressed that the virus' capacity to
upgrade itself makes it a concern.
"Virus writers again are using
more network-centric ideas to
create viruses."

Symantec (Nasdaq: SYMC) has only encountered two
dozen reports of the virus, dubbed W95.Babylonia, since
it was discovered on Friday, Dec. 3. Another security
firm, Computer Associates Inc. (NYSE: CA), has only
encountered 15 reports so far. Currently, the virus infects
executable (.EXE) and help (.HLP) files.

While the computer virus has not spread widely and
currently has no dangerous payload, anti-virus experts
fear that a better-written clone could be more effective in
the future.

Or, just as bad for users, the virus writer could decide to
add a new payload to the virus. Unique in that it looks at
a virus-exchange Web site in Japan for updates,
Babylonia is actually just an 11KB program that spreads
itself when an infected file is opened and transfers
updates from the Web when the host machine is online.

Virus downloads four modules

The current version downloads four modules from the
Japanese virus-exchange site. The first module is just
another copy of the virus, which could update the virus.
The second module is a text file that replaces the
autoexec.bat file on the host computer with a new one
containing the message:

W95/Babylonia by Vecna (c) 1999
Greetz to RoadKil and VirusBuster
Big thankz to sok4ever webmaster
Abracos pra galera brazuca!!!
---
Eu boto fogo na Babilonia!

The text identifies the writer as Vecna, which Symantec
claims is a member of a Latin America virus group known
as 29A (or 666 in hexadecimal). The Bubbleboy virus was
allegedly created by Zulu, another member of the 29A
group.

The third module sends an
e-mail message to a Hotmail
account established to count
the number of computers
infected by Babylonia. And the
fourth module contains code
that causes infected users
who use mIRC chat software
to send a copy of the virus to
everyone in the chat room
using the DCC file transfer
feature of mIRC.

In most cases, the chat
software will notify the
recipients that someone is
sending them a file. However,
users that have DCC
downloading set to
"automatic" will receive no notification. Unless the file,
which parades as a Y2K bug fix (not coincidentally called
Y2k bug fix.exe), is run, the user's computer will not be
infected with the virus.

However, any or all of these aspects of the virus could
change. The writer could add a new set of updates to the
Web to change the copies of the virus already infecting
users' machines, tweak the methods the virus uses to
spread, or even add a destructive payload.

"Tomorrow, it could be using Outlook to spread," said
Symantec's Chien, referring to a number of recent
viruses, including Melissa and ExploreZip, that have
spread by sending themselves using Microsoft (Nasdaq:
MSFT) Outlook and its address book.

Ironically, the ability to update a virus resembles the
LiveUpdate technology that Symantec uses to keep its
virus scanner in touch with the times. The ability to
upgrade is one that has been used by the software
industry for a few years to fix applications over the Net.

Problematic for home users

"At this point, it is a proof of concept," said Narender
Mangalam, director of security products for Computer
Associates. "It spreads through chat rooms, it will mainly
be a problem for home users, who tend to be more lax
about security."

The current form of the virus can be detected by
searching for a file called Babylonia.exe on any
questionable computer. In addition, computers that show
the aforementioned message at start up should be
considered infected.

Just remember, however: Tomorrow, all bets are off -- the
symptoms could change.
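
The Wired report above says an infected machine polls a Web site every 60 seconds, a network-side symptom a defender can check alongside the file-name indicators. The Python sketch below is an added example, not code from HWA, HNN or the quoted articles; the proxy log format, host names, addresses and thresholds are assumptions constructed for illustration.

```python
"""Find clients that fetch from one web host at a fixed interval."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median
from urllib.parse import urlsplit

TS_FORMAT = "%Y-%m-%dT%H:%M:%S"  # assumed timestamp layout of the proxy log


def parse_line(line):
    """Return (timestamp, client, host), or None for a malformed line."""
    parts = line.split()
    if len(parts) != 4:  # expected: timestamp client method url
        return None
    try:
        stamp = datetime.strptime(parts[0], TS_FORMAT)
        host = urlsplit(parts[3]).hostname
    except ValueError:
        return None
    return (stamp, parts[1], host) if host else None


def find_pollers(lines, expect_period=None, jitter=5.0,
                 min_requests=6, min_period=10.0, regular_fraction=0.8):
    """Report (client, host) pairs whose requests arrive on a steady clock.

    The period is the median gap between requests. A pair is reported when
    at least `regular_fraction` of its gaps lie within `jitter` seconds of
    that median, so one long offline gap does not hide the pattern.
    """
    seen = defaultdict(list)
    for line in lines:
        record = parse_line(line)
        if record:
            stamp, client, host = record
            seen[(client, host)].append(stamp)

    hits = []
    for (client, host), stamps in sorted(seen.items()):
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        period = median(gaps)
        if period < min_period:
            continue  # bursts of page assets from ordinary browsing
        if expect_period is not None and abs(period - expect_period) > jitter:
            continue
        regular = sum(1 for gap in gaps if abs(gap - period) <= jitter)
        if regular / len(gaps) >= regular_fraction:
            hits.append({"client": client, "host": host,
                         "period": period, "requests": len(stamps)})
    return hits


def build_sample_log():
    """Constructed log lines (not real traffic): timestamp client method url."""
    start = datetime(1999, 12, 7, 14, 0, 0)
    lines = []

    def emit(client, url, offsets):
        for off in offsets:
            stamp = (start + timedelta(seconds=off)).strftime(TS_FORMAT)
            lines.append(f"{stamp} {client} GET {url}")

    # Steady 60 s polling with small jitter and one 45-minute offline gap.
    emit("10.0.0.5", "http://poll.example/u.dat",
         [0, 60, 121, 180, 239, 300, 3000, 3060, 3121, 3180, 3240])
    # A person browsing: bursts of requests and irregular pauses.
    emit("10.0.0.9", "http://news.example/index.html",
         [5, 6, 6, 48, 49, 200, 201, 203, 950, 951, 1700])
    # A benign page that refreshes itself every 300 s.
    emit("10.0.0.7", "http://ticker.example/quotes.html", range(0, 2100, 300))
    lines.append("garbage line")  # malformed input is skipped
    return lines


if __name__ == "__main__":
    for hit in find_pollers(build_sample_log(), expect_period=60):
        print(hit)
```

Without `expect_period` the function reports every steady poller with its measured interval, which leaves the analyst to separate benign refreshers from unexplained ones.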

@HWA

23.0 Distributed DoS Attacks Becoming Popular
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Weld Pond
New Denial of Service tools, such as Trinoo and TFN,
have security experts concerned. These new tools can
launch a crippling attack on an Internet server with an
overwhelming number of requests from several machines
at once. CERT plans to release a report on this
'distributed attack' method later this week. Currently
there is no simple fix or patch.

USA Today
http://www.usatoday.com/usatonline/19991207/1723034s.htm

(Document not found - Ed)

@HWA

24.0 FBI to Remain on Alert Over Y2K
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Turtlex
Michael Vatis, director of the FBI's National
Infrastructure Protection Center (NIPC), has said that
the FBI would be on alert during the new year
changeover. He explained that agents would be looking
for malicious activities directed against Internet sites
although they had no hard evidence of any planned
attacks. (Hmmm, I think the key words here are "no
hard evidence".)

Reuters - Via Excite News
http://news.excite.com/news/r/991207/11/net-internet-fbi

FBI Official Says Primed for Y2K Internet Malice


Updated 11:29 AM ET December 7, 1999

LONDON (Reuters) - U.S. federal agents are prepared for malicious attacks
on Internet web sites under cover of any broader confusion during the
transition to the new millennium, a senior official said Tuesday.

Michael Vatis, director of the FBI's national infrastructure protection
center, told a meeting of international business representatives and legal
officials the bureau would be on the alert although it had no hard evidence
of any planned attacks.

"It's natural to expect there might be people doing stupid things with
computers," he said, discussing concerns that computer confusion generated
by the date change may provide cover for attacks on Internet computers.

Some devices risk crashing if their internal programming does not enable
them to recognize 2000 as part of the next century. Fears have also been
voiced that computer hackers could exploit that confusion, especially with
viruses.

@HWA

25.0 IOPS Sets Up Y2K Watch Center
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Weld Pond
The Internet Operators Group (IOPS.ORG) is planning to
coordinate real-time communications between major
global ISPs, equipment vendors and government officials
to handle any Y2K Internet problems that may arise.
IOPS will sponsor a telephone conference bridge to keep
major ISPs in continuous contact in order to report on
and resolve any Internet related incidents. The
telephone conference bridge initiative, named "Silent
Night," will begin before midnight on December 31, New
Zealand time and stay open for at least 48 hours.

PR Newswire
http://library.northernlight.com/FB19991207640000071.html?cb=0&dx=1006&sc=0#doc

INTERNET OPERATORS PREPARE FOR 'SILENT NIGHT' ON THE INTERNET DURING
MILLENNIUM ROLLOVER

IOPS.ORG Sponsors Unique Year-End Two-Day Worldwide Telephone Bridge And
'Trouble-Ticket System' to Provide Early Warning and Technical Assistance
On Y2K Internet Incidents


Story Filed: Tuesday, December 07, 1999 10:23 AM EST

RESTON, Va., Dec 7, 1999 /PRNewswire via COMTEX/ -- As the millennium
unfurls around the globe starting December 31, 1999 in New Zealand, The
Internet Operators Group (IOPS.ORG) will coordinate real-time
communications between major global Internet Service Providers,
equipment vendors and government officials to handle any Y2K Internet
problems and facilitate resolving them before they have a significant
impact, especially in the United States, where a majority of the world's
160 million Internet users reside.

IOPS will sponsor a telephone conference bridge to keep Internet operators
in continuous contact in order to report on and resolve any Internet
incidents. The telephone conference bridge initiative, named "Silent
Night," will begin before midnight on December 31, New Zealand time
(early morning EST on December 31 in the US) and stay open for at least 48
hours with ports directly to 20-25 Internet service providers, equipment
vendors and other entities.

"Although we don't expect problems, by midnight on December 31 in the US
we should be well aware of any issues that will impact the Internet,"
stated IOPS Executive Director, Ira Richer. "This is the first time that
so many major global Internet networks and equipment vendors have
cooperated in real-time to identify and resolve potential Internet
outages, security hacks and other incidents around the world."

IOPS also will use its Web-based shared "trouble-ticket" system as an
alternative communications path, should Y2K issues affect the telephone
system. An open "trouble ticket" -- a continuously updated information
form accessible to authorized users via the Web -- can provide
real-time status information and document Internet incidents and responses
among providers.

IOPS.ORG is a group of Internet Service Providers that fosters industry
cooperation in the public interest on joint technical problems and
operations concerning the global Internet (http://www.iops.org). Its
executive director, Richer, is an employee of Corporation for
National Research Initiatives, which hosts IOPS. Members have tested their
own Internet systems for Y2K readiness, but are preparing for possible
problems beyond the scope of their own systems.

The IOPS conference bridge and trouble ticket system will be coordinated
with the President's Council on Year 2000 Conversion's Information
Coordination Center (ICC) -- the Federal Government's central point for
monitoring system operations during the Y2K rollover. The ICC will
share information among the different economic sectors, coordinate with
international entities and provide reports to the public.

"This unprecedented cooperation between competing Internet networks and
providers will be enormously helpful to ensure United States preparedness
to meet any technical problem that could result from Y2K-related network
and telecommunication failures around the world," said John
Koskinen, Chair of the President's Council on Year 2000 Conversion. "We
are pleased to partner with IOPS members who are committed to ensuring
that US Internet users and businesses can count on a reliable Internet
infrastructure."

G. Mark Hardy, Director of Professional Services at Secure Computing
Corp., a premiere security software and consulting firm, commented,
"Script-kiddies will be trying to take advantage of Internet and software
weaknesses during the millennium cross-over, but the real hacker
pros will be out enjoying the millennium parties. Initiatives like the
IOPS "Silent Night" hotline could be extended to real-time linkups on
demand, so that Internet operators can quickly respond to major system
problems in the future, such as a massive outbreak of a new type of
virus."

IOPS' Internet Service Provider members include AT&T, BroadWing
Communications Inc., Cable&Wireless, Conxion, EarthLink, GTE
Internetworking, ICG, Qwest, and Sprint. Besides IOPS members, additional
Silent Night participants include: AboveNet, America Online, MCI
WorldCom's UUNET and its east and west coast Metropolitan Area Ethernets
(MAEs), ISPs from the North American Network Operators' Group (NANOG) and
equipment vendors including Cabletron, Cisco, Juniper Networks, Lucent
Technologies, and Marconi. IOPS also will coordinate its activities with
cooperating operators of the Domain Name System and of Internet traffic
exchange points.

About IOPS

IOPS.ORG is a group of Internet service providers who work
together in the public interest to resolve and prevent network integrity
problems and address other issues that require technical coordination and
information sharing.

IOPS members, for example, worked with the Internet Engineering Task Force
(IETF), the Computer Emergency Response Team (CERT), equipment suppliers
and customers to cut down on so-called "smurf" denial-of-service attacks.
Such attacks can cause a "packet storm" that could impair or disable
the target ISP's network. IOPS provided information on how networking
equipment can be configured to prevent these attacks.

SOURCE Conxion Corporation (C) 1999 PR Newswire. All rights reserved.
http://www.prnewswire.com

CONTACT: Megan O'Reilly-Lewis of Conxion Corporation, 408-566-8546, or
megan@conxion.net; or Ira Richer of IOPS.ORG, 617-621-7152, or
Richer@cnri.reston.va.us

WEB PAGE:
http://www.iops.org

@HWA

26.0 IDs Embedded In All Color Copies
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Dr. Mudge
Rumors regarding color copier IDs have been circulating
for a long time. While it has been a well known fact for
years that invisible IDs are imprinted on all color copies, it
has not been widely reported and has even reached the
status of myth in some laymen circles. A recent report
in the PRIVACY Forum Digest indicates that every color
photocopier and printer does in fact include a unique
identifier steganographically embedded into the image as
background noise.

PRIVACY Forum Digest, December 6, 1999
http://www.vortex.com/privacy/priv.08.18


PRIVACY Forum Digest Monday, 6 December 1999 Volume 08 : Issue 18

(http://www.vortex.com/privacy/priv.08.18)

Moderated by Lauren Weinstein (lauren@vortex.com)
Vortex Technology, Woodland Hills, CA, U.S.A.
http://www.vortex.com

===== PRIVACY FORUM =====

-------------------------------------------------------------------
The PRIVACY Forum is supported in part by
the ACM (Association for Computing Machinery)
Committee on Computers and Public Policy,
Cable & Wireless USA, Cisco Systems, Inc.,
and Telos Systems.
- - -
These organizations do not operate or control the
PRIVACY Forum in any manner, and their support does not
imply agreement on their part with nor responsibility
for any materials posted on or related to the PRIVACY Forum.
-------------------------------------------------------------------


CONTENTS
IDs in Color Copies--A PRIVACY Forum Special Report
(Lauren Weinstein; PRIVACY Forum Moderator)



VOLUME 08, ISSUE 18

Quote for the day:

"It's not the heat, it's the humanity!"

-- Jeff Douglas (Van Johnson)
"Brigadoon" (MGM; 1954)

----------------------------------------------------------------------

Date: Mon, 6 Dec 99 13:31 PST
From: lauren@vortex.com (Lauren Weinstein; PRIVACY Forum Moderator)
Subject: IDs in Color Copies--A PRIVACY Forum Special Report

Greetings. We've recently seen a tirade of stories about "hidden"
identification codes and what many would consider to be surreptitious
centralized information flowing from various popular Internet products and
packages. These have tended to highlight an important truth--whether or not
users really would be concerned about the particular identifiers or data
involved, they tend to get the most upset when they feel that an effort was
made to perform such functions "behind their backs." While it can be argued
how routine, intrusive, or even mundane and innocent a particular case may
be, it's certainly true that people feel a lot better when they know what's
going on.

This issue isn't restricted only to the Internet world. A case in point--
the recurring rumors floating around regarding the presence or absence of
identification codes in color copies (or color prints xerographically
generated from computer output systems).

A recent story involved a customer who was refused permission to make a
color copy of his driver's license (to deal with an identification problem
with his local telephone company). A Kinko's (copying center) worker
reportedly told him that such a copy was "illegal," and could be traced back
to the store through a "hidden ID."

Regardless of whether or not the Kinko's employee was being overzealous in
his interpretation of the rules, what's really going on here regarding a
so-called hidden ID code?

In fact, rumors about this, often chalked up as an "urban legend," have been
circulating for a long time. This is a bit ironic, given that in the
copier/printer industry it's been well known for years--no secret--that
"invisible" IDs *are* imprinted on virtually all color xerographic output,
from (apparently) all of the manufacturers. But for persons outside of
"the trade," this hasn't been as widely known (even though the issue goes
back to the early 90's, and the topic has appeared in publications such as
the Wall Street Journal). However, it does not appear that the
privacy-related aspects of this technology have ever been subject to
significant public discussion.

In an effort to pin down the current state of the art in this area, I had a
long and pleasant chat with one of Xerox's anti-counterfeiting experts, who
is the technical product manager for several of their color-copying
products. The conversation was quite illuminating. Please note that the
details apply only to Xerox products, though we can safely assume similar
systems from competing manufacturers, although their specific policies may
differ.

Years ago, when the potential for counterfeiting of valuable documents on
color copiers/xerographic printers became apparent in Japan (where such
machines first appeared) manufacturers were concerned about negative
governmental reaction to such technology. In an effort to stave off
legislative efforts to restrict such devices, various ID systems began being
implemented at that point. At one stage for at least one U.S.
manufacturer, this was as crude as a serial number etched on the underside
of the imaging area glass!

Modern systems, which are now reportedly implemented universally, use much
more sophisticated methods, encoding the ID effectively as "noise"
repeatedly throughout the image, making it impossible to circumvent the
system through copying or printing over a small portion of the image area,
or by cutting off portions of printed documents. Effectively, I'd term this
as sort of the printing equivalent of "spread spectrum" in radio technology.

To read these IDs, the document in question is scanned and the "noise"
decoded via a secret and proprietary algorithm. In the case of
Xerox-manufactured equipment, only Xerox has the means to do this, and they
require a court order to do so (except for some specific government
agencies, for whom they no longer require court authorizations). I'm told
that the number of requests Xerox receives for this service is on the order
of a couple a week from within the U.S.

The ID is encoded in all color copies/prints from the Xerox color
copier/printer line. It does not appear in black and white copies. The
technology has continued to evolve, and it is possible that it might be
implemented within other printing technologies as well (e.g. inkjet). At
one time there were efforts made to also include date/time stamps within the
encoded data, but these were dropped by Xerox (at least for now) due to
inconsistencies such as the printer clocks not being set properly by their
operators, rendering their value questionable.

It's interesting to note that these machines also include other
anti-counterfeiting measures, such as dumping extra cyan toner onto images
when the unit believes it has detected an attempt to specifically copy
currency. These techniques have all apparently been fairly successful--the
Secret Service has reported something on the order of a 30% drop in color
copying counterfeiting attempts since word of such measures has been
circulating in the industry. The average person might wonder who the blazes
would ever accept a xerographic copy of money in any case... but apparently
many persons are not very discerning. I'm told that the Secret Service has
examples in their files of counterfeit currency successfully passed that was
printed on *dot matrix* printers. So counterfeiting is certainly a genuine
problem.

OK, so now you know--the IDs are there. The next question is, what does
this really mean? Obviously the vast majority of uses for color copies are
completely innocuous or even directly beneficial to the public good (e.g.
whistleblowers attempting to expose a fraud against the public). Is it
acceptable for an ID to be embedded in all color copies just to catch those
cases? The answer seems to be, it depends.

In some cases, even having an ID number doesn't necessarily tell you who
currently owns the machine. While some countries (e.g. China) do keep tight
rein on the ownership and transfer of such equipment, there is no
"registration" requirement for such devices in the U.S. (though the routine
servicing realities of large units might well create something of a de-facto
registration in many situations).

Xerox points out that non-color copies (at least on their machines) have no
IDs, and that most copying applications don't need color. It is however also
true that as the prices of color copiers and printers continue to fall, it
seems only a matter of time before they become the "standard" even for home
copying, at which time the presence of IDs could cover a much vaster range
of documents and become increasingly significant from a routine privacy
standpoint.

It's also the case that we need to be watchful for the "spread" of this
technology, intended for one purpose, into other areas or broader
applications (what I call "technology creep"). We've seen this effect
repeatedly with other technologies over the years, from automated toll
collection to cell phone location tracking. While there is currently no U.S.
legislative requirement that manufacturers of copier technology include IDs
on color copies, it is also the case that these manufacturers have the clear
impression that if they do not include such IDs, legislation to require them
would be immediately forthcoming.

It is important to be vigilant to avoid such perceived or real pressures
from causing possibly intrusive technology creep in this area. In the
copier case, that ID technology being used for color copies *could* be
adapted to black and white copies and prints as well. The addition of
cheap GPS units to copiers could provide not only valid date/time stamps,
but also the physical *locations* of the units, all of which could be
invisibly encoded within the printed images.

Pressures to extend the surveillance of commercial copyright enforcement
take such concepts out of the realm of science-fiction, and into the range of
actual future possibilities. What many would consider to be currently
acceptable anti-counterfeiting technology could be easily extended into the
realm of serious privacy invasions. It would only require,
as Dr. Strangelove once said, "The will to do so."

Perhaps the most important point is that unless we as a society actively
stay aware of these technologies, however laudable their initial
applications may often be, we will be unable to participate in the debate
that is crucial to determining their future evolution. And it's in the
vacuum of technology evolving without meaningful input from society that the
most serious abuses, be they related to the Internet or that copy machine
over on your desk, are the most likely to occur.

--Lauren--
lauren@vortex.com
Lauren Weinstein
Moderator, PRIVACY Forum - http://www.vortex.com
Co-Founder, PFIR: People for Internet Responsibility - http://www.pfir.org
Member, ACM Committee on Computers and Public Policy

------------------------------

End of PRIVACY Forum Digest 08.18
************************

@HWA

27.0 Valiant of Halcon Speaks
~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Mark
Recently blamed for a massive attack on the
Australian Republican Movement website the long time
underground group Halcon Technologies has remained
unusually quiet. Now one of the group's members, Valiant,
has offered the first interview from the group to explain
just what the hell went on down under.

QuadCon #1
http://the.wiretapped.net/security/textfiles/quadcon/quadcon-1.txt

****************************************************************************
***************************<-=- QuadCon -=->********************************
****************************************************************************
*************The Newsest Zine To Hit Australia And The World****************
*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/
*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/
============================================================================
December 1999 - Issue 1
============================================================================

What's In This Issue:
# Halcon Hacker Valiant Gives QuadCon An Exclusive Interview And Some
Special Tips In Trying To Prevent Your Machine From Being Hacked

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
The Interview Of Valiant The Leader Of Halcon. | http://www.halcon.com.au
----------------------------------------------

BackGround:
Halcon was founded in 1993 as a Bulletin Board System and by 1996 had grown
to at least ten members. Still growing, in October 1996 the group took on
the name Halcon Technologies and in 1997 Valiant registered a business name,
allowing them to register the halcon.com.au domain name. Although the group
was not widely known, on 22nd October 1999, Halcon was blamed for a massive
hack on the Australian Republican Movement website. Despite denials and
misquotations, the story was covered by news outlets, an example of which is
at the following URL:

http://www.halcon.com.au/arm0001.html

Following this incident, Halcon received massive amounts of publicity (most
of it was unwanted) and Valiant claims that Halcon has become the most
popular hacking group in Australia. It currently has 24 members and thousands
of supporters.

Having been misquoted once, Valiant has since denied all interviews to the press,
including an offer from Channel Nine. QuadCon is therefore proud to present
an exclusive, uncut interview with Valiant.

-------------------------------------------------------------------------------
The Interview
-------------
QuadCon: If you were a system administrator of a newly installed slackware
linux machine and you had 20 minutes to secure it what would you do?

Valiant: Go to all the available sites (www.halcon.com.au/links.html) that
cater for that, and quickly grab and install as many patches for
your software available. Close all services (especially fingerd)
that aren't needed, relocate telnet to a different port (I know it
breaches RFC's, but fuck it.) and make sure that you don't
adduser lamers. :)

QuadCon: What is the most common thing to hack to gain access to?

Valiant: Fingerd is the most exploitable feature on machines, the good old
cracker's highway. Although these days it's neglected as a mode of
system penetration, also a lot of sysadmins don't understand the point
of finger anymore and remove it anyway. As for hacking, the best
method available that I remember overusing would be a buffer overflow
in a certain software which makes calls to root. Flood the software,
bang, down it goes and you have root. :)

QuadCon: Does the name Halcon have any relevance to you and why did you choose
it for the name of the group?

Valiant: Halcon .. well, I chose that many years ago, so I can't really
remember why it was chosen, other than that it sounds funky. :P

QuadCon: How would you characterize the media coverage of you?

Valiant: Trivial and biased. They just want an 'evil hacker genius' who
brags about how he hacked NASA, they don't really like me as
basically I won't brag, and I prefer to explain how idiotic the
consumers are for purchasing fucked computers, etc, and other
consumer related problems.

QuadCon: What do you think about hacks done in your name--for instance, the
Australian Republican Movement hack?

Valiant: I wasn't expecting such media coverage on that topic, however they
have no evidence against me, and I have yet to admit to even being
born at this point in time. So fuck 'em all. :)

QuadCon: What's the biggest misconception perpetuated by Hollywood
cybermovies?

Valiant: There is no such thing as a hot female hacker named Acid Burn who has
pert tits and lips that would look very nice wrapped around my hard
disk. :)

QuadCon: In your own words, define hacker.

Valiant: There's two meanings. I fall into both. The code hacker, who lives
to program and does it the hard way, and the system hacker, who loves
finding exploitable features in systems to gain access, does so,
notifies the sysadmin and patches the hole.

QuadCon: What is your technical background. (Which platform do you prefer
PC/MAC? What is your online background? Do you do networking? Do you
know programming languages, etc.)

Valiant: At the moment my preferred operating system is Windows 98 due to its
usability and comprehensive system architecture, when it comes to
personal use, for industrial things such as networking, I prefer any
linux distribution. I am a PC user, although I have a few old Apple
Classics in my computer collection. I've been using the internet
through BBS gateways for ten or more years. I network when I have
to, but I used to work as a network engineer. As for programming
languages, I have a bad memory and generally have to 'relearn' things
when I need them, however it's more a refresh than a relearn. :)

QuadCon: I understand that hackers assume an online nickname to become known
by - how did you acquire your nickname?

Valiant: I was seven years old when I logged onto a BBS using an audio coupler
900 bps modem at a friend's place. It asked for a handle, Valiant was
my current dungeons and dragons character, so I typed it in
sheepishly. I've been known by it ever since. :)

QuadCon: What do you portray system administrators are like?

Valiant: Fail-safe devices that take care of systems, that if programmed
correctly would never need human assistance. :)

QuadCon: What do you think of ALOC, another aussie hacking group?

Valiant: Who? :)

QuadCon: What currently is Halcon working on?

Valiant: Currently working on? We're currently working on the ultimate
encyclopaedia of how to be slothenly and lazy. :)

QuadCon: What would you like Halcon to be in the future?

Valiant: I don't know, that's a hard question really. I never wanted it to be
anything to begin with, time has just made it bigger than I ever
expected. Back when I was a kid and it first started, I never really
thought it would exceed a BBS group of users who were of the same
interests. Now it's almost like a religious cult for some. :)

QuadCon: Who in the world do you dislike most?

Valiant: Anyone with an IQ under 110. :) 100 is average, so I like people a
tad over. The others should be neutered and shot. :)

QuadCon: Any last comments?

Valiant: I like being a cunt-rag.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Special Thanks
--------------

Valiant of Halcon http://www.halcon.com.au

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Support Us
----------

Please support us - we are looking for a fast permanent unix box to host
a website with all our zines on. If you believe you can help see the contact
section below. Also if you know anyone who wants or deserves to be interviewed
also see the contact section below.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Contact
-------
I can be contacted on IRC irc.wiretapped.net or on the email address
marena@iinet.net.au
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Copyright 1999 QuadCon

-=-

http://www.halcon.com.au/arm0001.html

Hackers deny Republican attack
From AAP
22oct99

AN underground computer hacking group blamed for today's
sabotage of the Australian Republican Movement's head office has
denied responsibility.

The group, known both as Halcon and as the Australian Underground
and Empire Loyalist Movement, was blamed for jamming phones and
e-mails into ARM and shutting down its computer system.

Halcon hacker "Valiant" tonight denied the group was responsible for
the incident.

He said the sabotage was probably done by a "scriptkiddy", a young
teenager working alone trying to get the group's attention.

"You only need a modem and a computer, a 12-year-old could do it,"
Valiant told AAP.

"We are anti-republican, but we wouldn't take that sort of action,
we consider that lame."

ARM was also faxed a list containing 200 names of ARM staff and
supporters along with threats of violence.

Halcon is Australia's oldest underground hacking group, formed in
1993.

It has 24 current members and thousands of supporters.

@HWA

28.0 Scholarships for Surfing
~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Fran
2500 one and two person teams will once again be able
to compete for scholarships to Florida State University
by Surfing the Web. Registration is now open for the
third annual Florida State University Online Scholar
Challenge. The competition pits teams of high school
students against one another in finding answers to
tough questions online.

FSU Online Scholar Challenge
http://www.fsu.edu/~unicomm/challenge.html

High School Juniors and Seniors!
Are You an Online Scholar?

If you're a high school junior or senior, and you're good at finding information online, you
can win a four-year tuition scholarship to Florida State University, along with other great
prizes.

Florida State University's Online Scholar Challenge is an "online information scavenger
hunt."

The Challenge, now in its third year, pits high school juniors and seniors against one
another in seeking information and answering tough questions on a wide variety of topics
through the LEXIS®-NEXIS® Scholastic Universe information service.

Qualifying rounds are conducted on the Internet. The five top-scoring teams will receive
all-expense-paid trips to Florida State University April 7-8, 2000, for the FSU Online
Scholar Challenge finals.

Act Today! Registration is limited to the first 2500 teams (a team may have one or two
students).

(Follow link for further info and rules etc - Ed)

@HWA

29.0 Dec 8th HNN Rumours
~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Valiant

We aren't sure what to make of this but it would appear
that the Australian government is out to silence certain
individuals. While we have nothing to go on for
verification of this story, other than this web page, we
are hoping that some more resourceful individuals can
gather additional information.

Big Brother -is- Watching!
http://www.halcon.com.au/bigbrother.html

Big Brother -is- Watching!

This is a true story, only the names and other identifying details
have been changed to protect the innocent. The person this story is
about, who we shall name Citizen X, is still on the run from the
powers that be, even though he is innocent.

This story will be updated whenever Citizen X can contact us.

6th of December, 1999 - Introduction to The Machine.

As I sit here writing this, I realise that out there I am on the 'most
wanted' list of Australia. I am Citizen X, for years I have been in the
Australian underground, and I am probably one of the highest profile
political hackers in Australia. Telstra and Optus have been wanting me
out of the scene for years.

My crime is that I tell the truth, my crime is that I seek the truth. For
this I am marked as a dangerous criminal mastermind by 'them'. Who
-is- Big Brother I hear you ask?

Big Brother is what we call them, the conglomeration of the
government, the federal bodies, the police (state and federal, as well
as all the little spook divisions on the side) and also into 'them' goes
the corporations. The corporations -do- have power in the 'system'
because they have the money. We all know the government loves
them and will back them to the hilt.

Six months ago Big Brother had no idea who I was, except I made one
mistake. I trusted Australia's privacy laws and a corporation. I was
asked to call a mate's school and make a bomb threat just to get him
out of class, which is pretty lame, I agree, however I wanted to see
whether our privacy existed, or whether Australia is as bad as
America when it comes to monitoring the populace and controlling
them.

A few weeks ago I was called up by a spook, he said that the call
was traced to my cellular phone and that due to the fact I gave a
fake address for the account, I am on the most wanted list. He said
that my options are to turn myself in, or be hunted down practically.

Now normally a prank call is let go of, however, when the police got
to the school they said, in their over ambitious way, that they found
'seven potentially explosive devices' in the premises. Mind you there
was nothing in the school, however the moronic police made that
statement and lo, they have to stick to it. Now they need someone
to crucify so they don't lose face in front of Big Brother, they need to
find the Xibomber.

Some spook in his corporate office in Big Brother's bedroom spotted
the links between me and my political hacks, even though my hacks
promoted morals and lawful upholding of Australian citizens' freedom,
they persist that now, I, Citizen X, am a dangerous criminal. I must
be caught and punished for my crimes against 'them' and for planting
seven explosive devices in a school on the other side of Australia I've
never heard of nor seen.

Don't trust the government, don't trust the system. They want to
control us, they want to keep us as mindless zombie-like consumers
who work, raise kids to follow in our footsteps, consume, and die. All
telecommunications companies are also in with 'them', I know this
now because of this situation. I cannot explain it perfectly, as it is
I've given away too much information and am risking even more
trouble from Big Brother. But let me say that, at this moment in time,
they will never catch me.

Due to their own fuck up, they now have the need to find a sacrificial
lamb to publicly crucify to make them seem 'right'. Why don't I go
public? Why don't I tell the Australian Associated Press? Simple,
because they are part of the system also. There's no escape once
the government have it in for you, other than making a new identity,
getting fake ID's made up for it, and living as the other being.

I am Citizen X, an unlawful evil sadistic serial killer hacker with
attitude, I must be caught, and I must be punished for my crimes
against society. What a crock of shit, I am a lawful hacker who likes
to tell the truth about the conspiracy behind Australia's 'system', but
hey, I may as well be a serial killer in 'their' eyes.

This story will be updated when Citizen X can contact us.

Welcome to the Machine!


@HWA

30.0 Alleged Melissa Creator May Plead Guilty
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Alex
The accused creator of the Melissa virus, David Smith,
is scheduled to appear in Monmouth County NJ Superior
Court on Thursday. He is also scheduled to appear in
the US District Court in Newark, New Jersey later the
same day. Insiders believe that he will plead guilty to
charges of interruption of public communication, theft of
computer service, and wrongful access to computer
systems.

ZD Net
http://www.zdnet.com/zdtv/cybercrime/news/story/0,3700,2344196,00.html

(Note: There is an audio/video report that accompanies this article on
ZDNet - Ed)

Accused Melissa Author to
Plead Guilty

Sources close to law enforcement say
David Smith will plead guilty to state
and federal charges on Thursday.
By Alex Wellen and Luke Reiter
December 8, 1999


3:25 a.m. EST
(UPDATED 3 p.m.)

Paul Loriquet, a spokesman for the New Jersey
attorney general's office, confirmed that
accused Melissa author David Smith was
scheduled to appear before Judge John
Riccardi in Monmouth County Superior
Court at 10 a.m. EST on Thursday.
Loriquet would not comment on the
reason for Smith's appearance.

A second Smith appearance is scheduled
in the US District Court in Newark, New
Jersey, at 1:30 p.m. Smith is set to
appear before Federal District Court Judge
Joseph A. Greenway, Jr. Court documents
indicate Smith will enter a plea at that
time, according to a staff member at the
federal courthouse.

The New Jersey attorney general's office
plans to release a media advisory
regarding Smith's appearance at 4:30 p.m. on
Wednesday, Loriquet said. The advisory is
expected to contain only logistical
information on the appearances.

Edward Borden, Smith's attorney, would
not confirm the appearance or a plea late
Tuesday.

The slow road to resolution

Smith, a 31-year-old former computer
programmer, was charged in New Jersey
with interruption of public communication,
theft of computer service, and wrongful
access to computer systems in early April.

According to a source close to law
enforcement and familiar with the
investigation, New Jersey faced difficulty
prosecuting the case because companies
hit by Melissa were unwilling to step
forward and publicly admit they were
victimized by the virus.

Federal investigators were involved in this
case from its inception, but to date have
not filed formal federal charges. Among
other offenses, Smith could be charged
under the Computer Fraud and Abuse Act,
Federal Statute Title 18, USC Sec.
1030(a)(5)(A), which makes it illegal to
send code that causes damage to a
"protected" computer.

On Melissa's trail

Smith, of Aberdeen, New Jersey, was
arrested on April 1, 1999, on charges he
created and distributed the Melissa
virus-- a Word macro that swept through
the email systems of thousands of
computers in late March and brought
down mail servers around the world.

Although the virus does not corrupt files,
it resulted in significant server slowdowns,
and forced the shutdown, in some
companies, of entire email systems.

Smith reportedly admitted to investigators
at the time of his arrest that he created
the Melissa virus, according to court
papers filed by the New Jersey attorney
general's office.

Worst security breach since 1988

The virus, which authorities said was
named after a topless dancer in Florida,
spread via Microsoft's Outlook email
program and could instantly generate
dozens of outgoing email messages.

It affected tens of thousands of
workstations, propagating itself into
commercial, government, and military
email gateways and systems. An analyst
from Panda Software said Melissa caused
the worst security breach since the Morris
Worm, which took down the entire
Internet in November, 1988.

A user would contract Melissa by opening
an infected Word attachment in Office 97
or Office 2000, which would then execute
the macro.

From there, the swift-moving macro would
prompt Outlook to send an infected
document to the first 50 names in a user's
address book, with the subject line
"Important Message From [the sender's
name]." The message itself said, "Here is
that document you asked for, don't show
anyone else. ;-)."

Once the email had been sent to the first
50 names, each person who opened the
document would then send it on to 50
more and so on. The result was rapidly
overloaded servers.

In the first 48 hours alone, both Microsoft
and Intel were forced to shut down mail
servers due to Melissa. Other major
companies, including Lucent, Motorola,
Dupont, and Compaq were hit.

The VicodinES connection

Investigators looked for a link between
the Melissa author and a virus writer who
goes by the name of VicodinES who has
been considered a source of the code.

In late March, a CyberCrime investigation
revealed that Smith and VicodinES were
both linked to the same Internet service
provider in New Jersey. Further research
indicated that Smith and VicodinES shared
a number of similarities, including the
same age, location, and profession.

Smith's attorney would not respond to
that allegation. However, the New Jersey
attorney general's office said that Smith is
not VicodinES.
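
(Added example, not part of the ZDNet article or of HWA: a defender's sketch
in Python that finds the propagation pattern the article describes, the
"Important Message From ..." subject with a Word attachment, in mail-gateway
records and works out which senders to isolate and which recipients still
hold an unopened copy. The Message record, the corp.example addresses, the
sample traffic and the 48-hour window are all constructed assumptions.)

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Signature taken from the article: subject line plus a Word attachment.
SUBJECT_RE = re.compile(r"^Important Message From \S.*$")
WORD_SUFFIXES = (".doc",)


@dataclass
class Message:
    """One accepted message as a mail gateway might log it (assumed layout)."""
    when: datetime
    sender: str
    recipients: list
    subject: str
    attachments: list


def looks_like_melissa(msg):
    """True when subject and attachment type both match the described pattern."""
    has_doc = any(a.lower().endswith(WORD_SUFFIXES) for a in msg.attachments)
    return bool(SUBJECT_RE.match(msg.subject)) and has_doc


def trace_outbreak(messages, window=timedelta(hours=48)):
    """Link flagged senders into generations.

    A sender is generation 0 if no earlier flagged message reached them,
    otherwise one more than the earliest generation that mailed them within
    `window` (an assumed correlation window). "exposed" lists recipients of
    flagged mail that have not themselves sent it: mailboxes to purge.
    """
    flagged = sorted((m for m in messages if looks_like_melissa(m)),
                     key=lambda m: m.when)
    generation = {}      # sender -> generation number
    first_sends = []     # first flagged message seen from each sender
    fanout = {}          # sender -> largest recipient count observed
    exposed = set()
    for msg in flagged:
        exposed.update(msg.recipients)
        fanout[msg.sender] = max(fanout.get(msg.sender, 0), len(msg.recipients))
        if msg.sender in generation:
            continue     # repeat send from an already known source
        parents = [generation[p.sender] for p in first_sends
                   if msg.sender in p.recipients and msg.when - p.when <= window]
        generation[msg.sender] = min(parents) + 1 if parents else 0
        first_sends.append(msg)
    return {
        "generation": generation,
        "fanout": fanout,
        "exposed": sorted(exposed - set(generation)),
    }


def constructed_sample():
    """Constructed traffic: three infected senders among ordinary mail."""
    t0 = datetime(1999, 3, 26, 9, 0, 0)
    staff = [f"user{i:02d}@corp.example" for i in range(60)]

    def book(owner):
        # First 50 address-book entries, excluding the owner.
        return [u for u in staff if u != owner][:50]

    return [
        Message(t0, staff[1], [staff[2]], "Lunch?", []),
        # Lookalike subject but no Word attachment: must not be flagged.
        Message(t0 + timedelta(minutes=2), staff[5], [staff[6]],
                "Important Message From HR", []),
        # Large fan-out newsletter with a different subject: not flagged.
        Message(t0 + timedelta(minutes=3), "news@corp.example", staff[:55],
                "Weekly bulletin", ["bulletin.pdf"]),
        # Generation 0: user03 opens an infected document.
        Message(t0 + timedelta(minutes=5), staff[3], staff[10:60],
                "Important Message From User Three", ["list.doc"]),
        # Generation 1: two of those recipients open the attachment.
        Message(t0 + timedelta(minutes=12), staff[10], book(staff[10]),
                "Important Message From User Ten", ["list.doc"]),
        Message(t0 + timedelta(minutes=20), staff[11], book(staff[11]),
                "Important Message From User Eleven", ["list.doc"]),
    ]


if __name__ == "__main__":
    report = trace_outbreak(constructed_sample())
    for sender, gen in report["generation"].items():
        print(f"isolate {sender}: generation {gen}, "
              f"fan-out {report['fanout'][sender]}")
    print(f"{len(report['exposed'])} mailboxes hold a copy to purge")
```

In the constructed sample three infected mailboxes are enough to put a copy
in front of every other staff member, which is why purging the exposed
mailboxes matters as much as isolating the senders.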

@HWA

31.0 Non-Anonymous Internet Violates First Amendment
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Weld Pond
Anonymity on the Internet should be protected and
deserves to be treated no differently than anonymous
pamphlets or other speech, according to a study
released today by the Cato Institute. U.S. and foreign
law enforcement officials regard anonymity as a threat
to public order and talk about limiting anonymity online.
Proposals to limit anonymous communications on the
Internet would violate free speech rights long
recognized by the Supreme Court. Anonymous and
pseudonymous speech was used to great extent by the
founding fathers such as Thomas Paine, Alexander
Hamilton, John Jay, James Madison, Samuel Adams, and
others. Today, human rights workers in numerous third
world countries have reestablished anonymity and free
speech. Given the importance of anonymity as a
component of free speech, the cost of banning
anonymous Internet speech would be enormous. It
makes no sense to treat Internet speech differently
from printed leaflets or books. (Finally some sanity in
the anonymity debate.)

Nameless in Cyberspace: Anonymity on the Internet - PDF
http://www.cato.org/pubs/briefs/bp-054es.html

@HWA

32.0 OSU Charges Two With Illegal Access
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by boomer
Oklahoma State University has charged students in
connection with an illegal entrance into a computer
system owned by General Atomics, a company based in
San Diego. General Atomics initiated the investigation on
October 18 when they noticed an OSU Internet address
illegally accessing their system.

The O'Colly
http://www.ocolly.okstate.edu/issues/1999_Fall/991208/stories/hack.html

Published: Wednesday, December 8, 1999

Two OSU students suspected of hacking


From Staff Reports

An intrusion into a Department of Energy subcontractor's computer system
has two Oklahoma State University students charged in suspicion of the crime.

Maxwell Evan Mishkin, 18, and his roommate, Gary Steven Holmes, 19, were
arrested Nov. 18, in connection with an illegal entrance into a computer
system owned by General Atomics, a company based in San Diego, according
to a press release.

Mishkin is charged with two counts of violating the Oklahoma Computer Crimes
Act. Holmes is charged as an accessory to a felony.

Both were arraigned at Payne County Courthouse Nov. 18, the release said.
Mishkin was released on $5,000 bond, and Holmes was released on $2,500 bond.

General Atomics, according to its website, is one of the world's leaders in
high technology systems development and nuclear technology.

The press release states that both students will also face disciplinary
action through the university because of violating OSU policy.

The investigation began Oct. 18, when a General Atomics security analyst
alerted OSU's Computing and Information Services that someone with an OSU
Internet address illegally accessed the General Atomics system.

The 1998 Oklahoma Computer Crimes Act states that any person gaining access,
or attempting to gain access to computer systems without authorization can
be convicted of a misdemeanor punishable by up to 30 days in county jail
and a $5,000 fine.

@HWA

33.0 Microsoft Files Lawsuit Against Online Pirates
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Evil Wench
Microsoft has filed lawsuits against auction Web sites or
online software sellers in six states that frequently use
spam to advertise. Microsoft says that it was made
aware of these illegal activities through its anti-piracy
hotline.

Wired
http://www.wired.com/news/technology/0,1282,32985,00.html

Microsoft Sues Online Pirates by Wired News Report

1:55 p.m. 8.Dec.1999 PST Microsoft has filed lawsuits against
businesses in six states to stop allegedly counterfeit sales of the
company's software.

Microsoft said it investigated the companies, which are either auction Web
sites or online software sellers that frequently use spam to advertise.
The company said it had received thousands of tips about the questionable
sales activities on its anti-piracy hotline.

The lawsuits, which sought to obtain injunctions to prevent the sellers
from continuing to offer the software, were filed Wednesday.

The organizations alleged to have counterfeited copies of Microsoft
Office, Windows, and Office Professional include Abu Salahuddin in
Morgantown, West Virginia; Capital One CDRom Warehouse, aka Internet
Marketing in Corpus Christi, Texas; KT Services, aka Vantage
Software and Pacific Ventures, in Los Angeles; Martin Johns in Fond Du
Lac, Wisconsin; NC Software in Wilmington, North Carolina; and Software
Blowouts in Hackettstown, New Jersey.

Microsoft said in a statement that by filing the suits, it hopes to help
"make holiday Internet shopping safer for millions of consumers."

According to the Business Software Alliance estimates there are 840,000
Internet sites selling counterfeit software as genuine product.

In addition to being illegal, counterfeit software also has the potential
to include viruses and miss key software codes, and it renders customers
ineligible for technical support, warranties, and upgrades, according to
the company.

"Internet piracy is growing nearly as rapidly as the Internet itself, and
it is severely harming consumers and their confidence in feeling safe to
conduct legitimate business online," said Tim Cranton, corporate attorney
in charge of Microsoft's Internet piracy efforts, in a statement.

"There is a possibility that this problem could spiral out of control, and
we need consumers to help us hold back the floodgates by being knowledgeable
online shoppers."

@HWA

34.0 CERT Releases Distributed Attack Paper
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by jgrasett
The Computer Emergency Response Team has released
the paper mentioned on HNN yesterday regarding
distributed DoS attacks. The paper examines the use of
distributed-system intruder tools and notes that better
forensic techniques and training are needed.

Results of the Distributed-Systems Intruder Tools Workshop - PDF
http://www.cert.org/reports/dsit_workshop.pdf

(CERT should be commended for using the word
'intruder' throughout this document as opposed to the
word 'hacker')


@HWA

35.0 PWC Finds Serious Weaknesses in Pension Fund Company
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Mr Man
It appears that during an audit the security auditors of
Price Waterhouse Coopers were able to break into
computers at The Pension Benefit Guaranty Corporation
in Washington using dial up lines. Once inside, the
auditors had the ability to not only create fictitious
beneficiaries and send them money, but they could also
edit or delete files and information on individuals in the
systems. Pension Benefit Guaranty Corp. is owned by
the federal government and guarantees the retirement
checks of 42 million Americans. (Hmmm, I wonder how
long those lines were vulnerable before the audit? And
how many other companies have modems dangling off
their network behind the firewall?)

NY Times
http://www.nytimes.com/library/tech/99/12/biztech/articles/08pension.html
(Subscription required to retrieve this article - Ed)

@HWA

36.0 Freaks Macintosh Archives CD
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Freaky
Freaks Macintosh Archives has produced a CD that
contains all the Macintosh underground files known to
exist. The CD also contains edited versions of Freaks
talk at Defcon VII where Space Rogue officially directs
users of the Whacked Mac Archives to Freaks Macintosh
Archives. The CD is ready for pre-orders, this will assure
that you get the low 20.00 price. To Pre-Order send an
email to freaky-order@staticusers.net

Freaks Macintosh Archives
http://freaky.staticusers.net/

@HWA

37.0 Nortel Releases Personal Hardware Firewall
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by AlienPlaque
Users of Cable modems, DSL, ISDN and even dedicated
dial up connections are rapidly discovering the hazards of
being online all the time. To help protect these users
Nortel has introduced the personal hardware firewall
that will sit on the line between your modem and
computer. Currently 'Secure Cable' is only available for
cable modem users but other bandwidth types will be
available soon. (I hope this thing does an auto update
or it will be out of date very quickly.)

Associated Press - via Yahoo
http://dailynews.yahoo.com/h/ap/19991208/tc/cable_internet_security_1.html

PR Newswire - via Yahoo
http://biz.yahoo.com/prnews/991208/nortel_sec_1.html

Wednesday December 8 3:13 PM ET

Device Protects Internet Cable Users

NEW YORK (AP) - Nortel Networks today introduced a new device that cable
operators can use to protect their Internet subscribers from computer
hackers.

While cable TV modems provide speedier Internet service than dial-up
connections through a telephone wire, the cable link is more vulnerable
to hackers because it is usually on all the time.

Some cable-Internet subscribers protect their computers from hacker
intrusions with special software or ``firewall'' hardware.

Secure Cable, a feature of a new network connection box developed by Nortel,
is a firewall that's designed to block hacker attacks in the network, before
they reach subscriber computers.

Nortel has introduced similar devices for dial-up service and digital
subscriber line, or DSL, a high-speed link over a telephone wire that
shares the vulnerabilities of cable.

``Having these types of solutions ... makes a lot of sense,'' said Lisa
Pierce, analyst at the Giga Information Group, noting that more than 10
percent of high-speed Internet users have experienced security problems.
``The average user shouldn't have to think about these technical issues.''

The new Nortel firewall is part of its Shasta 5000 Broadband Service Node.
A node is the part of a cable network that connects a group of neighboring
subscribers to the Internet. It also enables users to subscribe to different
Internet service providers.

Nortel, based in Ontario, is one of the largest suppliers of network
hardware. It had sales of $17.6 billion last year.

-=-

PR Newswire;

Wednesday December 8, 9:01 am Eastern Time

Company Press Release

SOURCE: Nortel Networks Corporation

Nortel Networks Launches 'Secure Cable' Anti-Hacking Protection for
Residential and Small Business PC Users

On-Line Security Critical as U.S. Operators Open Their Cable Networks For
Internet Access

BOSTON, Dec. 8 /PRNewswire/ - Personal computer users subscribing to
"always-on" cable Internet access can now be protected from hackers -- an
increasing problem as cable modems become more and more popular -- thanks
to a new, mass market security solution being launched by Nortel
Networks (NYSE/TSE: NT), the company announced today.

Nortel Networks and its Shasta IP Services division are launching Secure
Cable, which offers anti-hacking protection for Internet cable subscribers
by securing each cable connection with network-based firewalls.

Because cable Internet connections are always on, personal computers
linked to cable are exposed to hacker attacks. And, as broadband becomes
more widely deployed here and abroad and cable and telecommunications
companies offer high-speed Internet access through cable or Digital
Subscriber Line (DSL), more consumers are reporting hacker attacks on
their PCs, sometimes leading to copying or destruction of sensitive data.
And the problem could get worse.

It is predicted that by 2003, more than 30 million U.S. households will be
eligible for high-speed access cable. Furthermore, more than 12 million
U.S. households will have high-speed Internet access over cable or DSL by
2003, according to industry analyst firm, The Strategis Group (Cable
Trends, June 1999). This represents a massive increase from today's 1.4
million cable and DSL Internet access subscribers throughout the country.

"At least one out of 10 high-speed Internet users will experience or be
victimized in a hacker attack," said Ron Westfall, senior analyst, Current
Analysis. "We see an increased demand for a basic, secure access solution
for high-speed connections like cable and DSL. A basic 'door lock'
solution from Internet Service Providers would help protect customers from
simple hacker attacks and help speed the adoption of broadband. Nortel
Networks addresses the problem with a network-based firewall solution in
its Shasta 5000."

Nortel Networks' Shasta 5000 Broadband Service Node (BSN) also provides
cable operators with an IP services platform to provide for wholesale
access to their high-speed cable networks, allowing subscribers the choice
of Internet service providers. It is the latest in a suite of
enhanced broadband services provided by Nortel Networks, which earlier
this year, launched its Secure Dial and Secure DSL solutions that are now
being used by service providers around the world.

"Nortel Networks is at the heart of the Internet revolution and is a
global leader in the cable, Internet and telephony market," said Anthony
Alles, president and general manager of the company's Shasta IP Services
business unit. "Besides building a faster, more reliable Internet,
it also means enhancing broadband security for Internet users of DSL,
cable and other high-speed technologies, and we're achieving that for our
customers."

Nortel Networks has a major presence in the cable industry, providing high
speed optical networks, switches and routers, head-end equipment, cable
telephony systems, cable modems, and the Shasta Broadband Services Node
for value-added cable internet services. The company and its Arris
Interactive joint venture with Antec supplies cable solutions to major
customers such as AT&T BIS, Time Warner, GTE, Comcast, Cox, Cablevision,
Rogers Communications, UPC, SPTA, Csii and Mitsui.

Nortel Networks is a global leader in telephony, data, wireless and
wireline solutions for the Internet. The Company had 1998 revenues of
US$17.6 billion and serves carrier, service provider and enterprise
customers globally. Today, Nortel Networks is creating a
high-performance Internet that is more reliable and faster than ever
before. It is redefining the economics and quality of networking and the
Internet through Unified Networks that promise a new era of collaboration,
communications and commerce. For more information, go to
www.nortelnetworks.com.

@HWA

38.0 Interview with dap from sSh
~~~~~~~~~~~~~~~~~~~~~~~~~~~

Exclusive by Sla5h

Dap has since disbanded sSh (Sesame Street Hackers); the EFNet IRC channel
#sesame is still in operation but has suffered several takeovers, as is the
way with 'scriptkiddy/cracker' channels these days. This interview was done
when sSh was still active, a few weeks ago, and didn't make it to these
pages until now due to connectivity problems between the interviewer and
myself. Dap dropped the ftp info for http://www.sShackers.com/ in several
channels inviting people to 'deface' the site, which of course happened
readily. The current state of the site has this message:

ALL OF YOU GIMPS THAT SO CALLED "HACKED" THIS SITE ARE STUPID!%$@^
IF YOU HIT THIS PAGE... ITS CAUSE I GAVE YOU THE FUCKIN' FTP INFO
ALL YOU GUYS ARE GIMPS... NOT HACKERS... IT WAS SUPOSED TO BE A BIG JOKE...
NOT ANOTHER DEFACED SITE TO ADD TO YOUR ATTRITION SHIZM...
AND SEEIN' AS I WAS A MEMBER OF gH, GH IS DEAD, YOU STUPID COCK SUCKIN' MUTHER FUCKER..
GO BACK TO WHERE YOU CAME FROM... AND TRY AND CONVINCE SOMEONE YOU ARE ELITE QUOTE UN-QUOTE SOMEWHERE ELSE!
GOT IT?????
STUPID PIECE OF SHIT...
sSh IS GAY... I KNOW THAT... THAT HAS TO MEAN A LOT COMIN' FROM THE EX-FOUNDER.
GO ./HACK A BOOK.
IDIOTS.
- DAP


sSh/dap interview with Sla5h:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Session Start: Sun Nov 28 14:53:06 1999
Session Ident: slash- (slash@ad5-m80.tel.hr)
<slash-> ---start interview---
<dap> sup?
<slash-> sup G
<slash-> well
<dap> nadda.
<slash-> thanx for taking the time for this interview
<dap> pleasure is all mine
<dap> :D
<slash-> Can U tell us who came up with the idea to start sSH ?!?
<dap> well.. the idea came to me while I was a member of gH.
<dap> gH had recently went legit, and a lot of the members still wanted to do penetration
<dap> but seeing as a few of the members got raided..
<dap> hacking under the name of gH was like a death wish.
<slash-> ..so U started sSH
<dap> yes.
<slash-> How many members sSH counts today ?!?
<dap> about 20
<dap> we've grown rapidly since our media hype with ytcracker.
<dap> and fuqrag
<slash-> I heard they got raided ?!
<slash-> is that true !?
<dap> they haven't got raided...
<dap> yet
<slash-> :)
<slash-> U aint afraid to get raided ?!
<dap> I was told that rackmount, ytcracker and fuqrag will be raided soon.
<dap> well... if you look at most of my defacements... only a few are .mil's and .gov's
<dap> I dont target the government as much as the other members do
<dap> seeing as im not into the IIS4 shit.
<dap> only government boxes I hit are running an operating system unix based.
<slash-> Will sSH end like gH ?
<dap> I hope not...
<dap> y'see... sSh is always excepting new members...
<dap> we will always exist...
<dap> if 5 members get raided...
<dap> they'll prolly be another 6 joining.
<dap> within the next month or so
<dap> I dont want the group to be to big... but I dont want it to die out
<slash-> Why do You deface ?
<dap> well...
<dap> hmm...
<dap> :)
<dap> Ok ..
<dap> the thing is...
<dap> most of the systems I deface, I've had root on for a while...
<dap> about a month or so...
<slash-> So they had the time to fix the holes
<dap> and the funny thing is... they didn't even know til I defaced the site...
<dap> they had more then enuf time.
<slash-> but still...
<slash-> Someone once said that hackers do it to satisfy their ego
<dap> I have gotten a few job offers from sites that I have defaced.. and they have contacted me for technical support etc.
<dap> I like that attitude in an admin.
<dap> slash.. thats somewhat true...
<dap> some due it for the media hype. i.e (ytcracker)
<slash-> Yeah
<slash-> yt really hit the media
<dap> yah ...
<slash-> You don't do it for fame !?
<dap> its not really hard to get into the media like that.
<dap> but... ytcracker needs to take a reality check.
<slash-> did real hacking loose sense ?!?
<dap> he is a good friend... and whatever he wants to do, I got his back.
<slash-> is it all about fame these days
<slash-> ?
<dap> but he thinks he is in a dream world and that he wont get raided.
<dap> did real hacking loose sense...
<dap> thats another one of the reasons I started sSh ..
<dap> I have been in the 'scene' for some time now.
<dap> and the ethics sure have changed since 4 years ago.
<dap> (when I was 12)
<dap> nobody did it for the media...
<dap> cept for LOU
<dap> a lot of people just wanna be known...
<dap> now a days
<dap> nobody cares about ethics anymore... it just turned into a big popularity contest
<slash-> U plan to retire some day !?
<dap> well... im sure I will just say fuck it.. and stay off irc for good.
<dap> but..
<dap> seeing as I do penetration testing for a living, I gotta stay ontop of security
<slash-> So we'll be seeing you in the future as an individual or U'll do defacments for sSH ?1
<dap> if you wont see me defacing for sSh, you prolly wont see me at all..
<slash-> Is there anyone in this scene truly the king?
<dap> hold?
<slash-> k
<dap> talking to a fed on the fone...
<dap> ;\
<slash-> :(
<slash-> can we continue now ?
<dap> hold
<dap> hello?
<dap> yah
<dap> sup?
Session Close: Sun Nov 28 15:38:48 1999


Session Start: Mon Nov 29 15:49:30 1999
Session Ident: slash- (slash@ad9-m74.tel.hr)
<slash-> hi
<slash-> sorry about yestrday
<slash-> I got disconnected
<dap> ok
<dap> sup?
<dap> you wanna finish the interview?
Session Close: Mon Nov 29 15:53:17 1999


Session Start: Tue Nov 30 14:37:12 1999
Session Ident: slash- (slash@ad11-m107.tel.hr)
<slash-> what's the key for sesame
<dap> FBEYE
<dap> whats the url for HWA
<dap> and the interview
<slash-> the interview isn't out yet
<slash-> we have to finish it
<dap> ok..
<dap> continue
<slash-> k
<slash-> --------------------------------
<slash-> Is there anyone in this scene truly the king?
<dap> there is people i give mad respect to...
<dap> like
<dap> xdr
<dap> prym
<dap> soupnazi
<dap> not really a king, more like pros
<slash-> In what category do U sort to !?
<dap> I dont possition myself in any category ...
<dap> I like to learn different things...
<dap> I'd rather know a little about everything then a lot about one thing
<slash-> Can U tell us more about sSH members ?
<slash-> like
<slash-> how skilled they are
<slash-> etc.
<dap> sSh members skilled in different areas...
<slash-> like
<slash-> ..
<dap> we got members aging from 12 to the 30's
<slash-> 12 !??!
<slash-> w0w
<dap> we have a female
<slash-> w0000wwww
<slash-> who is she ?!
<dap> Mya
<slash-> She defaces !?
<dap> she defaced 2 sites so far ...
<dap> she just started.
<dap> ;\
<dap> we got about 27 members
<slash-> kewl
<slash-> that's alot
<dap> http://www.sShackers.com/members.html
<dap> site is fucked, but the guy cant do html for shit
<dap> :|
<slash-> (checking the site up)
<dap> ok .
<slash-> it isn't bad
<dap> yes it is
<dap> if you view it in IE
<dap> its ok
<slash-> dap dude
<dap> sup?
<slash-> I'mm be back in 1/2 hour
<slash-> I'll be back
<dap> ok
<dap> whats the url?
<dap> for the HWA site
<dap> or whatever
<dap> it is
<slash-> welcome.to/HWA.hax0r.news
<slash-> l8r
<dap> ok
<dap> bye
<slash-> bye
Session Close: Tue Nov 30 15:22:03 1999

@HWA


39.0 Melissa Creator Pleads Guilty
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by nvirb
David L. Smith, who was arrested for creating and
releasing the Melissa virus in April, plead guilty on
Thursday to a second-degree charge of computer theft.
The charge covers intercepting computer
communications and damages to computer systems or
data and is punishable by 5 to 10 years in jail and up to
a $150,000 fine.

"Yes, I admit those events occurred as a result of the
spread of the Melissa virus. But I did not expect or
anticipate the amount of damage that took place. When
I posted the virus, I expected that any financial injury
would be minor and incidental. In fact, I included
features designed to prevent substantial damage. I had
no idea there would be such profound consequences to
others." - David Smith (quote taken from ZD Net)

ZD Net
http://www.zdnet.com/zdnn/stories/news/0,4586,2406592,00.html?chkpt=zdnntop

Reuters
http://www.nandotimes.com/technology/story/body/0,1634,500140419-500165810-500604970-0,00.html

Associated Press - via ABC News
http://abcnews.go.com/sections/tech/DailyNews/virus_melissa991209.html

Smith pleads guilty to Melissa virus

Melissa infected hundreds of thousands of
computers -- now its creator faces 10 years
in prison and a $150,000 fine.



By Robert Lemos, ZDNet News
UPDATED December 9, 1999 12:40 PM PT


David L. Smith, who was arrested for creating and
releasing the Melissa virus in April, plead guilty on
Thursday to a second-degree charge of computer theft.

The Melissa macro computer virus hit companies on March
26 after being released to a Usenet newsgroup as part of
a list of porn sites contained in a Word document infected
with the virus.

The virus, which mailed itself out to the first 50 addresses
listed in the address book of Microsoft's Outlook e-mail
client, caused a massive spike in e-mail traffic, flooding
corporate e-mail servers. Companies such as Microsoft
Corp. (Nasdaq: MSFT), Intel Corp. (Nasdaq:INTC),
Lockheed Martin Corp. (NYSE: LMT), and Lucent
Technologies Inc. (NYSE:LU) shut down their gateways
to the Internet in the face of the threat.

After Judge John Riccardi outlined the events, a
nervous Smith read the following statement:

"Yes, I admit those events
occurred as a result of the spread of the Melissa virus.
But I did not expect or anticipate the amount of damage
that took place. When I posted the virus, I expected that
any financial injury would be minor and incidental. In fact,
I included features designed to prevent substantial
damage. I had no idea there would be such profound
consequences to others."

'I certainly agree'
When the judge again asked if Smith agreed that it
caused significant damage to computer systems
nationwide, Smith replied, "I certainly agree. It did result
in those consequences, without question."

The crime -- which covers intercepting computer
communications and damages to computer systems or data -- is
punishable by 5 to 10 years in jail and up to a $150,000 fine.
As part of the plea agreement, Smith has
agreed to the maximum penalty for the crime, but the presiding
judge could ignore the recommendation.

Smith appeared in Monmouth County, N.J., Superior Court at 10
a.m. ET. He has another appearance scheduled in the
U.S. District Court in Newark later today to answer to
federal charges in the case.

According to law enforcement sources close to the case,
Smith will enter a guilty plea in federal court as well.
Edward Borden, Smith's attorney in the case, could not
be reached for comment.

Court papers filed in August stated that Smith confessed to
writing the virus. Smith had admitted his guilt at the time
of the arrest, said Paul Loriquet, a spokesman for the
New Jersey Attorney General's office, in a ZDTV interview.

"There was a statement made
at the time of the arrest from Mr. Smith to our
investigator... that, in fact, at the time of the arrest, he
had admitted to creating the virus and had said that he
had destroyed the personal computers that he had used
to post it on the Internet," Loriquet said in the report.

-=-

Reuters/Nandotimes;

Computer programmer pleads guilty to creating 'Melissa' virus

Copyright © 1999 Nando Media
Copyright © 1999 Associated Press


By JEFFREY GOLD

NEWARK, N.J. (December 9, 1999 11:59 a.m. EST http://www.nandotimes.com) -
A computer programmer admitted Thursday to creating and distributing the
"Melissa" virus. David L. Smith acknowledged it caused millions of dollars of
damage by disrupting e-mail systems worldwide.

Smith pleaded guilty to a state charge of computer theft. He was expected
to plead guilty in federal court in Newark later Thursday.

The virus, believed to be named for a topless dancer Smith knew when he
lived in Florida, wreaked havoc at the end of March.

"I did not expect or anticipate the amount of damage that took place,"
Smith read from a statement after answering a series of questions from his
lawyer. Smith said he believed any damage would be minor.

Smith, 31, is believed to be among the first people ever prosecuted for
creating a computer virus. He was arrested April 1 at his brother's home
in nearby Eatontown in Monmouth County and freed on $100,000 bail the next
day.

Smith said he created the virus on computers in his Aberdeen apartment and
used a stolen screen name, "Skyroket," and password to get into America
Online. In the online service's alt.sex newsgroup, he posted a file called
"list.zip," a listing of adult web sites and passwords, which
contained the virus.

Asked by his lawyer, Edward F. Borden Jr., if that was designed to entice
people to download the file, Smith said, "Yes."

"Melissa" struck thousands of e-mail systems on March 26. Disguised as an
"important message" from a friend or colleague, the virus spread around
the world like an electronic chain letter.

The virus was designed to lower security settings on computers with
Microsoft Word 97 and Microsoft Word 2000, making them vulnerable to other
viruses so that any document created would be infected. It also was
designed to send infected mail to the first 50 names in a computer
user's address book through the Microsoft Outlook e-mail program.

Under his plea bargain, Smith could face five to 10 years on the state charge
and up to five years in prison on a federal charge. Sentencing for the state
charge was tentatively set for Feb. 18.

-=-

Associated Press;


Virus Guilty Plea Entered


Suspected Creator of ‘Melissa’ in Court

David L. Smith, center, and his attorney Ed Borden, left, talk to a court official in
the courtroom after Smith's hearing at the Monmouth County Courthouse in
Freehold, N.J., on Thursday, April 8, 1999. (Daniel Hulshizer/AP File Photo)




By Jeffrey Gold
The Associated Press
NEWARK, N.J., Dec. 9 — A computer
programmer admitted today he created and
distributed the “Melissa” virus that he
acknowledged caused millions of dollars of
damage by disrupting e-mail systems worldwide.

David L. Smith pleaded guilty to a state charge of
computer theft and later to a federal charge of sending a
damaging computer program. In the federal plea, both sides
agreed the damage was greater than $80 million.
The virus, believed to be named for a topless dancer
Smith knew when he lived in Florida, wreaked havoc at the
end of March. However, authorities said today they could
not confirm the origin of the name of the virus.

Claims Did Not Anticipate Effects
“I did not expect or anticipate the amount of damage that
took place,” Smith read from a statement after answering a
series of questions from his lawyer. Smith said he believed
any damage would be minor.
Smith, 31, is believed to be among the first people ever
prosecuted for creating a computer virus. He was arrested
April 1 at his brother’s home in nearby Eatontown in
Monmouth County and freed on $100,000 bail the next day.

Smith said he created the virus on computers in his
Aberdeen apartment and used a stolen screen name,
“Skyroket,” and password to get into America Online. In
the online service’s alt.sex newsgroup, he posted a file
called “list.zip,” a listing of adult web sites and passwords,
which contained the virus.

Downloading was Expected
Asked by his lawyer, Edward F. Borden Jr., if that was
designed to entice people to download the file, Smith said,
“Yes.”
“Melissa” struck thousands of e-mail systems on March
26, disguised as an “important message” from a friend or
colleague, and spread around the world like an electronic
chain letter.
Melissa was designed to lower security settings on
computers with Microsoft Word 97 and Microsoft Word
2000, making them vulnerable to other viruses so that any
document created would be infected. It also was designed
to send infected mail to the first 50 names in a computer
user’s address book through the Microsoft Outlook e-mail
program.
Under his plea bargain, Smith could face five to 10
years on the state charge and up to five years in prison on a
federal charge. Sentencing for the state charge was
tentatively set for Feb. 18.

@HWA

40.0 Privacy of US Military Officers Breached
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Evil Wench
It has been standard practice of the Department of
Defense to report the names and social security
numbers of officers getting promoted to the US Senate.
This information is then entered into the Federal
Register for all to see. Several of these officers have
become victims of credit card fraud. The Secret Service
is investigating. The Pentagon said it is no longer
providing Social Security numbers to Congress. (That's
just brilliant. Any foreign power can now run credit
checks on high ranking military personnel. Wonderful.)

Nando Times
http://www.nandotimes.com/technology/story/body/0,1634,500140349-500165712-500603813-0,00.html

Public Sources for SSNs
http://www.glr.com/ssnpub.html

Credit scam hits military officers

Copyright © 1999 Nando Media
Copyright © 1999 Associated Press

WASHINGTON (December 9, 1999 8:27 a.m. EST http://www.nandotimes.com) -
The Pentagon said Wednesday that hundreds of military officers, including
some of the nation's top officers, have become victims of credit card
fraud after their names and Social Security numbers were published in the
Congressional Record and on the Internet.

The Secret Service, which has jurisdiction over credit card fraud, has
taken the lead in the investigation.

"It's something the Defense Department has been concerned about for some
time," Pentagon spokesman Bryan Whitman said Wednesday after reports that
one Web site listed the names and Social Security numbers of 4,500
military officers. The information was culled from the pages of the
Congressional Record.

Whitman said the Pentagon no longer provides Social Security numbers to
Congress.

Self-styled Pennsylvania privacy expert Glen L. Roberts, who acknowledges
putting the names and numbers on his Web site, said he was merely trying
to underscore how easy it is to obtain such information.

"People in the Pentagon are outraged that I would be so bold as to quote
the Congressional Record," Roberts said.

In 1968, the military services began using Social Security numbers as
general identification numbers for all military personnel. Until recently,
these numbers were routinely carried in the Congressional Record every
time military promotions were reported to the Senate.

Roberts said he has not posted any new Social Security numbers on his Web
site since the Congressional Record stopped publishing them and that there
is no way to tell whether identity crooks obtained the names from his site,
or from the Congressional Record itself.

@HWA

41.0 Commerce Dept. Introduces New Security Initiative
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Code Kid
Yet another government/industry partnership focusing
on Internet security has been introduced, this time by
the Commerce Department. This one hopes to spread
information security best practices throughout the
private sector. There are 65 companies and associations
from almost every industry segment involved in the
Partnership for Critical Infrastructure Security. (Sounds
familiar. Ummm does Infraguard or FidNET ring a bell?
How many of these taxpayer funded organizations do
we need?)

Federal Computer Week
http://www.fcw.com:80/pubs/fcw/1999/1206/web-security-12-09-99.html

Yahoo News
http://dailynews.yahoo.com/h/nm/19991209/tc/tech_security_2.html

DECEMBER 9, 1999 . . . 14:31 EST


Feds, industry join forces on info security

BY DIANE FRANK (diane_frank@fcw.com)

NEW YORK -- The Commerce Department on Wednesday introduced a
new government/industry partnership that will help spread information security
best practices throughout the private sector and will improve the overall security
of U.S. critical infrastructure.

The Partnership for Critical Infrastructure Security is the latest initiative under
Presidential Decision Directive 63, which requires agencies to protect their
critical information systems and infrastructures against cyberattack. PDD 63
has led to the creation of government security organizations, including the
Critical Infrastructure Assurance Office and the National Infrastructure
Protection Center.

But much of the nation's infrastructure is built and run by industry and not
controlled by government, so the private sector must take an active role in the
protection, said Commerce Secretary William Daley.

"We are, based on the President's directive, extremely concerned about the
nation's infrastructure...but the federal government alone can't protect it; it's in
the hands of the private sector," he said.

There are 65 companies and associations from almost every industry segment
involved in the partnership. Part of the mission of the partnership will be to
encourage participation by more small businesses and state and local
government groups and to enhance information sharing on security knowledge
and expertise, Daley said.

"This cross-sector work is very important," said Harris Miller, president of the
Information Technology Association of America, a partnership member
organization. "Information security has not yet permeated the consciousness of
boardrooms and suites across the country."

The partnership has set five issues to focus on: education; work force
development; awareness and training; best practices; and research and
development. Another issue that the partnership plans to study is globalization.
Although the Clinton administration mainly is concerned about U.S. national
security issues, many of the companies in the partnership are global, Miller said.

The structure of the partnership is still under development, but Commerce will
be serving in an advisory and enabling role, providing personnel, advice and
other resources when needed, not regulation or federal requirements, Daley
said. And as the leaders for the group, industry sees this as a way to forestall
potential legislation or regulation from Congress, Miller said.

-=-

Thursday December 9 1:29 AM ET

US Companies, Commerce Dept Meet on Tech Security

By Bill Rigby

NEW YORK (Reuters) - Commerce Secretary William Daley met representatives
from major corporations on Wednesday to seek ways to protect America's
banks, electrical grids, phone lines and other key services from
breakdowns caused by computer hackers or technological glitches.

On hand to kick start the new government-private sector forum were
representatives from about 80 companies, including Microsoft Corp.
(NasdaqNM:MSFT), Citigroup (NYSE:C), AT&T Corp. (NYSE:T)
and Consolidated Edison Inc. (NYSE:ED), among others.

They agreed to hold a summit early next year to find ways federal
government and businesses could work together to guard against major
disruptions from technology breakdowns or security lapses.

The Partnership for Critical Infrastructure Security was created after a
1998 government white paper called for a bridge between federal agencies
and companies in technology-reliant sectors such as finance and banking,
transport, energy and public emergency services.

Daley said Y2K computer problems were not a prime concern of the forum. He
said the government and companies were already in a good position to
counter any inconveniences in services that may follow the millennium date
change, which some computers may not recognize correctly because of
outdated software.

Daley told reporters after the meeting that the federal government alone
could not protect privately controlled technology infrastructure systems
such as the Internet or utility power grids.

He said there was a close tie between economic and national security which
made a public-private partnership crucial. He said the fast expansion of
business conducted electronically left the country vulnerable to various
threats including hostile computer hackers.

Corporate representatives said they hoped to establish industry standards
for security of electronic data, and increase awareness of
``cyber-ethics''.

Kenneth Watson, representing computer networking giant Cisco Systems
(NasdaqNM:CSCO), said the nascent forum had identified education,
workforce development, research and development and the establishment of
best practices in technology security as the key areas the forum
would look at.

Microsoft representative Howard Schmidt said the forum marked an important
shift in which companies would become more proactive in working with
government to ensure security standards.

Harris Miller, representing the Information Technology Association of America
trade group, said one of the forum's chief aims was to get companies to give
information security practices the same priority as physical security.

@HWA


42.0 Attrition Celebrates One Year Birthday
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by hero
Attrition.org is celebrating one year of free service to
the net. Attrition is well known for its
crypto/text/denial/advisory archives as well as its errata
sections. It is probably most well known for the
excellent work they do on the Attrition Defacement
mirror.

Attrition.org Birthday Message
http://www.attrition.org/news/content/99-12-10.001.html

Attrition's One Year Birthday Rant


And the folks at Attrition are quite strange. So strange as to run a weird
web site that goes against the grain of all things deemed 'good web
design'. No graphics, use of dark colors, no advertising or self promotion
of services. Everything people associate with an evil hacker site. Despite
this, we offer more information and more services than almost any other
security site out there. Because of the red text on black background, our
ethics and morals are constantly assumed and maligned.

We're quite used to that these days. Let the stuffy dogmatic atavistic
twerps dare to evolve. While they are sitting at home enjoying their
string beans and meat loaf, eating dinner with their significant other and
2.4 kids, we are enjoying our hedonistic lifestyles. Oh yeah!

While it isn't quite that extreme, the staff here are constantly reminded
of this picture. Unfortunate that a few detractors tarnish the picture
painted by millions of viewers of our site. I guess that is the nature of
the pessimistic beast. Onward...



To be honest and up front with you, this article has no real value to the
hardcore info-whore. Instead, we offer nothing more than a fun rant as a
reward to ourselves for a job well done. We'll even include some choice
quotes about Attrition and her staff that should provide a well
rounded view of what type of degenerates run this thing.

Eleven months ago, Attrition was little more than a unix system with a
handful of accounts that provided a stable place for email. Originally a
quick web page with a handful of files carried over from Jericho's
personal web page and not much more. Every day that passed, some new
element of the web page begun. We quickly picked up a few more users and
opted to focus on offering new sources of information.

Early on, there were ten to fifteen users on the system. You were either a
shell user, or not. Eventually, questions were asked about who ran the
system, who owned it, the meaning of life and more. At that point the
designation 'staff' was brought about. 'Staff' is probably not the
best word as it implies some greater sense of responsibility or
obligation. What it really means is the person has the ability to change
things (root), or is trusted to speak on behalf of the system. Not much
more.

With the advent of the Attrition Mirror, the site has grown in exposure
considerably. At first, mirrors were taken using wget followed by half a
dozen commands to make them accessible to viewers. The past few weeks have
seen considerable development in a custom tool called aget
(Attrition Get) that automates about 90% of the mirroring tasks. It is our
hope that the next few months will see a finished version of aget that
automates everything, including doing the laundry.

Perhaps the most consistent but low-key sections of Attrition are the text
archive and crypto library. Receiving attention on a near daily basis,
Modify and Wrlwnd spend considerable time and effort to bring viewers a
well organized and comprehensive collection. Utilized by thousands
of people a day, these two sections bring utilities and information to the
masses.

Today, Attrition is updated by less than ten people, in their spare time.
A labor of love so to speak, Attrition is not a business or a requirement.
Where it goes tomorrow is uncharted territory.

Voila! Here we are. Yes, that is the short history of things.



Technically and statistically, what is Attrition, and what does it do?
Wonders. The main system is a P166 with 64 megs of RAM. The simple fact
that the machine has not been reduced to a smoldering pile of plastic and
circuits is simply amazing. 'forced' handles a considerable amount
of traffic each day. Our busiest days see over 100,000 pieces of mail
transferred and over 750,000 HTTP requests served. This makes for over 5
million hits per month on the web server, serving over 4 million different
people. Not bad for a little pentium hosting a hobby site.



Things I Learned From Attrition

For the most part, net users are stupid, shallow, and petty. I know I
know, that is not a nice thing to say, but being the negative person I am
combined with the assault of stupidity we receive, it is difficult to
think otherwise.

Net etiquette is dead. People can't seem to deal with their problems any
more. Even hiding behind their monitor and keyboard, they still refuse to
confront someone they think they have a problem with. Nine out of ten
complaints about Attrition were sent to our upstream provider
without even copying us on the mail as a general courtesy. Our upstream
dutifully forwards the mail to us to get our side of things and goes on
from there. Eight of those nine complaints are unfounded or we deal with
them without the aid of our upstream. People could save so much time by at
least giving us a chance to address any issues.

If I didn't know better, I would swear the net consists of almost fifty
percent of cheap bastard lawyers that know as much law as they read on the
back of a cereal box. We have been threatened with almost two dozen
lawsuits so far. Not a single one made it to a phone call or
paperwork. Each and every time it takes a few minutes to quote some
relevant law, or explain things very clearly and the ignorant/hostile
party backs down without much to say. In case it isn't clear, a threat of
lawsuit will only make us treat you like shit. Grow up.

To the handful of people who have written in thanking us for our work, we
thank you in return. It is those few shreds of appreciation that make us
realize our work is appreciated. To the rest of you primates, if you don't
like something about the site, you have two things you can do. The
first is to give constructive criticism so that we may try to improve if
we agree with you. To clue you in, constructive criticism does not include
"fucking stupid", "wtf is that", or like comments. The second thing you
can do is kindly fuck off and quit viewing our site. Don't like it? Don't
look. End of story. We are not a business, we do not make money off you
visiting, we do not need you.


Future

One of the most often asked questions these days is something akin to
"Where is Attrition going next?" To answer this once and for all, without
equivocation, We do not know! Attrition has no grand plan or well defined
map. Day to day we make decisions or brainstorm new ideas that lead
to an overall picture of what the site is. We believe it is this lack of
plans that helps construct what Attrition is.



Attrition exists for the users and viewers. Anyone who has contacted
attrition staff in the past should realize this. We respond to almost
every piece of email, regardless of content. If nothing else, we send
acknowledgement that we received the email so that readers know we
care about their comments. Pointers to typos or errors go answered in
hours. Features or suggestions are almost always implemented, sometimes in
a day or less. Thanks to our readers, serious refinement has been done to
several pages. Our aget utility has received many enhancements at the
suggestions of our readers, and we thank you for it.

On top of the staff and viewers of Attrition, there exists another special
group of degenerates that deserve special thanks and recognition. These
are the individuals that have helped bring our name to the masses. First
and foremost, we thank the Hacker News Network (HNN) for being the
first to give daily links to our mirror, as well as special segments
devoted to other sections of Attrition. Yes, that blue haired freak of
nature Space Rogue is constantly helping us out in many ways. We love you!

Others like the 'skinhead' degenerate Netmask at Mindsec, our 'media
darling' (barf) Ender at OSALL, and the foreign folks at Net-Security and
403 Security all deserve a round of thanks/beer. In recent months,
professional sites like SecurityFocus and NTSecurity.net have also
begun linking to us. Their links add a sort of professional validation to
the work we do.



To finish this piece, we look to readers, detractors and staff for final
comments. We asked people what they thought of Attrition, or what came to
mind when they thought of it. To be fair, we sort of encouraged more
obscure or esoteric answers. No, we can't be normal.

We'll start with the true foundation of Attrition. Asking the mothers of
the staff members. What do you think of Attrition, or what does it mean
to you?

"The first time I looked at it, I thought you were
all disturbed." - Punkis' Mother


"Attrition.org has changed my life - not in the way you
might think - you see, attrition.org is my grandchild in a
bizarre sort of way. Attrition.org was conceived by my son
and just as for any mother the journey into the role of
grandmother is quite unique. This grandchild, attrition.org.,
has opened many doors for me. This child shows me things I
have never seen. Sometimes it scares me with where it goes in
the world of cyberspace. Sometimes it brings me to tears with
laughter. It never ceases to amaze me. Like any one year old
I believe it is still finding its way. Attrition.org is the
image of its father. It is a brilliant star, a myriad of emotions,
a wealth of knowledge, a whirlwind of activity. I hope I am
around for many years to come to enjoy attrition.org., this one
of a kind offspring who has come so far in just 365 days.
Happy Birthday!!!" - Jericho's Mother


Turning to the Attrition staff, we get the most.. disturbing answers.

"'What does attrition mean to me....' I was recently asked to
comment on this by cult_hero for attrition's 1 year anniversary
piece and I have been racking my brains as to how I wanted to
answer that, in my usual smart ass fashion or actually being a
little serious for once. Maybe I will try a little of both.
Attrition means a lot of things to me. For example ever since
we have started mirroring web page defacements I have found myself
saying "punkis, you picked the wrong year to quit sniffing glue..."
Although it can be a giant pain in the ass to maintain I have
always believed it is a good resource. I guess that's a good way
to sum up what attrition is all about, a great resource covering
a very broad range of topics. Where else can you go to read
security advisories, browse an excellent text archive, read
music reviews, even read calamari reviews. We now even have
pages demonstrating how to properly and safely clean a variety
of weapons.

Attrition is a strange mix of freeks, geeks, hippies, poets,
drunks, gun nuts, computer crime advocates (snicker) and generally
unruly and rude people. Considering the site has always been a
"hobby site" I think we have done a pretty good job of keeping
the content fresh which can't be said about many sites. Like
sites that have venture capital. I don't think I need to name names
here...We have a lot of ideas on where we'd like to see attrition
go so I think the site will grow to be more and more diverse as
time goes on.

We are the ones our parents warned us about. At night when you
can't sleep and hear someone scratching on the wall, it's us.
Remember that time you went camping and saw those weird lights
in the sky? Yes, it was us. Read about that small government that
was recently overthrown? We were probably involved. Roswell? We
aren't that old....well except for cancer omega."
- punkis


Being with Attrition is like being in a rock band. We have a tendency
to cause a stir wherever we go, even though we're trying to be
inconspicuous. We travel a great deal and always have our equipment in
tow. Our best work is when we all sit down together, just pickin' and
grinnin' like the old times. Seems like someone's always trying to spy on
us so they can get some kind of inside scoop on us; like they're trying to
figure us out and can't quite wrap their brain around what we really are.
People either absolutely love us or absolutely hate us. The people who
love us sometimes hate us for the different things we do, and those who
already hate us will continue to hate us no matter what we do. The only
difference is we don't have roadies or near as many groupies. And at last
count, nobody's rushed the stage when we gave a show.

That being said, there is nothing more to say. Viva Attrition!
- Cancer Omega


"I wish I could explain in words what Attrition has meant to
me but that's rather impossible. However I've never been involved
in a project that allowed me to immerse myself in a culture in
less than 10 months.

Being involved with Attrition is quite an experience. I love
how none of the staff take any shit and each person adds their
own perspective to the site.

Of course, the minute I send this I'll have the Pulitzer-winning
speech of a lifetime.

Suffice it to say that I'm proud and honored to have some great
friends like you guys, it really is great."
- McIntyre


The quasi-grandfather of Attrition (so said because he is two days older
than dirt) came up with a few great quotes to mock the rest of staff.

"Before I found attrition, I was all messed up on drugs. Now
that I've found attrition, I'm all messed up on attrition."
- McIntyre


"Since I joined attrition, I'm my own hero. And hers, too!"
- cOmega


"I didn't know what to make of attrition until I visited Jericho
and he showed me that he'd spelled out 'Have a Nice Day' with
the skulls of Happy Hackers he'd decapitated. Now I'm sold."
- Punkis


"Attri-what?" - Modify


"Go AWAY! I'm BUSY!" - Jericho

Some of those seem to be quite accurate once you get to know the staff
members! What are other members of Attrition saying?

"Attrition.org is turning a year old....my my my...what can one
say about such an occasion? Well, from the beginning....wait..
hold up..Attrition.org turning a year old and the millennium
approaches? Is there a connection? Oh *cripes*....there must be.
Why else would the government hold mal_vu hostage? They're
working TOGETHER!! Okay...this information must get out into
the general populace...wait...there's a knock at the door....
*bang*" - WrlWnd


"Attrition is a [joke/comedy] [played on/performed before]
an audience too afraid to laugh."
- Munge


"Where people with no friends hangout, doing weird shit, from
warped minds and not giving a toss what others think. Where we
get whipped and you get shit. The folks at Attrition once had
social lives, were once popular, even had potential. Now they
have minds of their own. Like we really care what you think?
One year on: and getting stranger by the day. As time goes on the
voice of attrition only gets louder, conforming to no society,
having no real direction, just going with the flow of daily life.
Finding a new freedom, pushing the boundaries of each path it
chooses to partake in." - Blaise

Yes, they seem more thoughtful and well read than we do! How about
our affiliates? What kind words can they bestow upon us?


"Attrition.org? One of us owes the other beer I think."
- Space Rogue [HNN]


"Attrition.org? Blergh. It's esoteric, it's prostate,
lamentable and regrettable. In a word? Love. I love it."
- Ender Wiggin [OSALL]


"Even though attrition uses the letters "FUCK" on its main
page, I still link it from my "try to be" professional site.
So maybe I am a hypocrite. whatever. Attrition has given me
data to use as a filler on my main site, something to do when
my boss says I should be working. Some of the staff members make
me realise that EverQuest is an evil game, and will eat your
life away. This is why when I talk to jericho, he is always
talking about killing spammers with his sword, and how they
should know not to mess with any level 21 player. Honestly,
Attrition went from a 'what's the point' type of thing to me, to
a site that I respect, after I started to understand the actual
point. It has also led me to remember that some people, no matter
how much you shit on them, and how many times you stabbed them in
the back, they can throw together a "one more chance" type
of deal (Yes.. It is true.. Jericho and I haven't always been so
intimate^H^H^H^H^H^H^H^H friendly. Either way, I'll end with.. The
site rocks, the work is good, these people are just like me, they
have no lives.. and they are doing something without pay or profit."
- Erik Parker [Mindsec]


"If this is Attrition at one year, I can't wait till it
reaches the 'terrible two' stage"
- C. Fennelly


"Screw Attrition, them fools still owe me $50 for that
last rock!" - Bronc Buster


"Your site is unique in its own right, and despite
what other egotistical, idiotic, narrow-minded fools out
there think, sites like yours are wonderful for the folks
out there like me... who don't necessarily take what we
learn from your site and use it to our personal gain or
anything else, but just for the simple reason of the
knowledge of it all." - Nan


"Because of the high dollar lobbyist donations to undisclosed
members of the Senate, we are still non profit!"
- Mal Vu


Spammers have quickly learned that unsolicited commercial email is frowned upon.
How anti-spam are we?

"People who send spam to Attrition Staff, beware!
They say that there's a room where they keep the skulls
of spammers, lined up in a row on a shelf. They say
that, late at night, they go there, and talk to them...
They say the members of the Attrition Staff ask them,
"Now tell us again, how *do* you make money fast?"
- Jay Dyson, de-spammer for NASA JPL




In conclusion, in case it wasn't readily apparent and beating you senseless...
if you don't like what you see, don't look. Expect less and you will be
disappointed less. That and a million other
cliches.

As Mcintyre always says, "keep your sheep warm at night."

That is it. Until next year...


ATTRITION Staff (staff@attrition.org)
Copyright 1999


About Attrition: http://www.attrition.org/attrition/about.html
Attrition Staff: http://www.attrition.org/attrition/staff/
Why (quasi-faq): http://www.attrition.org/attrition/why.html
What's Attrition: http://www.attrition.org/news/content/99-09-10.001.html
Our Disclaimer: http://www.attrition.org/attrition/warn.html

@HWA


43.0 Russian Echelon?
~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/


contributed by AlienPlaque
The successor to the KGB, the Federal Security Service
(FSB), has set up a network of data links connected to
every major Russian Internet service provider that
allows unlimited monitoring of private emails and
electronic banking. The System for Operational
Investigative Activities (SORM) was introduced quietly
late last year by government regulations that needed no
parliamentary approval.

The Times
http://www.the-times.co.uk/news/pages/tim/99/12/08/timfgnrus01004.html?1124027


December 8 1999
RUSSIA





Now Big Brother keeps eye on e-mail

BY GILES WHITTELL
BIG BROTHER is no longer watching Russia's citizens at
every turn, but many of them fear he is reading their
e-mails. The successor to the KGB has set up a network of
data links connected to every major Russian Internet
service provider that allows unlimited monitoring of private
e-mails and electronic banking.

Activists claim that the network is already being abused for
profit, theft and blackmail. The System for
Operational Investigative Activities (SORM in Russian) was
introduced quietly late last year by government regulations
that needed no parliamentary approval. Considered one of
Russia's most ambitious internal espionage programmes
since the fall of the Soviet Union, it is now in full force,
according to an investigation in yesterday's Moscow Times.
It allegedly has the co-operation of 350 Internet companies,
who had to pay for its construction.

Russia's unloved Federal Security Service (FSB), which
took over the KGB's domestic duties, is able to monitor
electronic communication without the need for search
warrants. The FSB and its defenders in parliament insist
that this is merely a cost-effective means of surveillance on
crime in cyberspace, but few doubt that the FSB is not
above selling its information to the highest bidder.
Westerners and middle-class Russians in Moscow who
increasingly rely on e-mail for cheap long-distance
communication were alarmed by yesterday's report.

@HWA

44.0 Russian Bug Did Frequency-Hopping
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Evil Wench
The technical details of the listening device recently
found at the US State Department are starting to
be available. The device was battery operated and
voice activated. It was about the size of a quarter, and
used a frequency-hopping mechanism which made it
harder to detect. The device was located inside the
chair rail, a piece of molding mounted on the walls at
waist level. (Wow, that's pretty neat.)

ABC News
http://www.abcnews.go.com/sections/world/DailyNews/russia991209.html

Russian Suspected of Spying


Diplomat Allegedly Caught Monitoring a ‘Bug’ in State Department

A listening device was found in the State Department building, near
U.S. Secretary of State Madeleine Albright's office.
Federal authorities have ordered the expulsion of a Russian diplomat
suspected of monitoring the device. (State Department)


ABCNEWS.com
W A S H I N G T O N, Dec. 9 — A Russian diplomat
suspected of listening to a “bug” planted in a
sensitive State Department conference room will
be expelled from the United States, officials said
today.
The diplomat, attaché Stanislav
Borisovich Gusev, was apprehended by
agents of the FBI and the State
Department’s Diplomatic Security
Service at 11:39 a.m. Wednesday, while
smoking a cigarette on a park bench a
few blocks away from the State
Department, according to Neil Gallagher,
assistant director for national security at
the FBI.
Nearby was his car, in which agents found equipment
apparently used to monitor the listening device planted
within a seventh-floor conference room of the building,
officials said.
The conference room belongs to the bureau of Oceans
and International Environmental Scientific Affairs. It is
located on the opposite side of the building from the
executive offices. Today, the wooden door to the room was
locked, and the hallway nearby was quiet.
The conference room is within a few steps of the office of
Newly Independent States, which covers Russia, and the office
of Special Middle East Coordinator Dennis Ross, as well as the
Office of Nuclear Energy Affairs. The seventh floor houses all
major department heads at State, including Secretary of State
Madeleine Albright, as well as the 24-hour Operations
Center, a communications
hub connected via secure satellite to all American
embassies. U.S. officials said that an investigation is still
ongoing as to who may have used that room, but they said
that sensitive conversations certainly took place there. It
isn’t clear if officials from any of these offices used this
conference room, but it is certainly available for their use.
The Associated Press reports that security officials are
interviewing “hundreds” of department employees to
produce a damage assessment.

Tracking the Device
It was not clear who may have planted the bug. There is no
record that Gusev was ever in the State Department
headquarters.
The device was detected over the summer and located
several weeks ago, but it was kept in place during the
inquiry to avoid tipping off the Russian diplomat, said
Gallagher. Security teams swept the department for other
devices and were careful to make sure sensitive
conversations didn’t take place near the bug, he added.
The bug was removed Wednesday.
A number of surveillance specialists said it wasn’t a
very powerful device. It was about the size of a quarter,
they said, and it was voice-activated, which saves on
battery time. They added the device had a
frequency-hopping mechanism, which made it harder to
detect.
A senior official told ABCNEWS the device was
located inside the chair rail, a piece of molding mounted on
the walls at waist level. The molding is used to keep chairs
from scuffing the wall.
There was no sign of inspections at the State
Department today. Officials said in a briefing that there had
been an aggressive sweep and there were no other bugs
found.

Hit the Road
Gusev, who had been in the United States since March,
was temporarily detained by the FBI but, because he
claimed diplomatic immunity, was not charged with a crime.
He was turned over to Russian officials almost three hours
after being seized, Gallagher said.
Gusev was declared persona non grata by the State
Department and handed over to the Russian Embassy for
expulsion within 10 days, State Department spokesman Jim
Foley said in a statement.
Undersecretary of State Thomas Pickering called on
Russian Ambassador Yuriy Ushakov Wednesday afternoon
to “firmly protest” Gusev’s actions, Foley said.
Other Russian diplomats were also being investigated,
officials said.
Gusev came under suspicion when officials noted his
unusual movement patterns, the official said. Then the FBI
used sophisticated technological gear to figure out what he
was doing.

FBI Was Eager to Act
FBI officials were keen on acting Wednesday because they
felt their catch might slip away, leaving them unable to
locate the bug.
The bug was activated by the sensitive gear seized from
the diplomat’s car and it could only be found when
activated, sources said.
FBI officials feared the diplomat would be pulled back
from his alleged eavesdropping duties and the bug would
soon go dormant, because the Russians felt there would be
American retaliation for the detainment last week in
Moscow of the U.S. Embassy staffer.
Now, with the monitoring equipment in hand, officials
said they can home in on other possible bugs.

ABCNEWS’ Martha Raddatz, Beverly Lumpkin and Eric
Wagner, ABCNEWS.com’s David Ruppe and the
Reuters news service contributed to this report.

Tit for Tat?
Russia’s Foreign Intelligence Service reacted with
indignation at the allegations.
“I think there is a certain sequence here,” Boris
Labusov, spokesman for SVR Foreign Intelligence
Service, told Reuters. It is extremely unusual for the SVR
to comment on spying cases and Labusov was careful
not to confirm or deny Gusev was an agent.
“We think this detention and the further expulsion of
the Russian diplomat from the United States can be
regarded as a reaction of the American side to the latest
events in Moscow connected with the detention and
expulsion of an American diplomat,” Labusov said.
“If it is a reaction … we can only be sorry about it,” he
said. “As far as the Russian side is concerned, we gave
up the principle of an eye for an eye long ago.”
On Nov. 30, Russian authorities said they caught a
U.S. diplomat in the act of trying to obtain sensitive
military information from a Russian citizen.
Russian security officials said the U.S. diplomat,
Cheri Leberknight, a second secretary in the U.S.
Embassy’s political section, was a CIA agent and was
caught carrying invisible ink and a pocket-sized
electronic spy device to prevent eavesdropping when she
was detained.
Leberknight, who claimed diplomatic immunity, was
turned over to the embassy and asked to leave within 10
days.
Gusev’s expulsion is the latest in what has become a
series of seemingly tit-for-tat spy allegations.
“I do hope all these incidents will not hamper progress
in bilateral relations,” Labusov said.
RIA news agency quoted an unnamed senior
government official as saying there could be more
expulsions of Russians.
“The clear and crude fabrication of allegations against
a Russian diplomat is reminiscent of the Cold War era,”
RIA quoted the source as saying.

@HWA


45.0 Security Focus Newsletter #18
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Security Focus Newsletter #18
Table of Contents:

I. INTRODUCTION
1. Announcing the new Microsoft Focus area
II. BUGTRAQ SUMMARY
1. SCO UnixWare 'xauto' Buffer Overflow Vulnerability
2. Symantec Mail-Gear Directory Traversal Vulnerability
3. Microsoft IE5 Offline Browsing Pack Task Scheduler
Vulnerability
4. qpop Remote Buffer Overflow Vulnerability
5. Microsoft Windows 9x Plaintext Credential Cache Vulnerability
6. Solaris kcms_configure
7. Multiple Vendor CDE dtmail/mailtool Buffer Overflow
Vulnerability
8. NT Subst.exe Vulnerability
9. FreeBSD gdc Buffer Overflow Vulnerability
10. FreeBSD gdc Symlink Vulnerability
11. Solaris arp/chkprm Vulnerabilities
12. FreeBSD Seyon setgid dialer Vulnerability
13. FreeBSD xmindpath Buffer Overflow Vulnerability
14. FreeBSD angband Buffer Overflow Vulnerability
15. RSAREF Buffer Overflow Vulnerability
16. IBM Websphere Installation Permissions Vulnerability
17. Endymion Mailman Default Configuration Vulnerability
18. Microsoft IE5 WPAD Spoofing Vulnerability
19. Netscape Enterprise & FastTrack Authentication Buffer Overflow
Vulnerability
20. SCO UnixWare '/var/mail' permissions Vulnerability
21. SCO UnixWare 'pkg' commands Vulnerability
22. SCO UnixWare 'coredump' Symlink Vulnerability
III. PATCH UPDATES
1. Vulnerability Patched: Symantec Mail-Gear Directory Traversal
2. Vulnerability Patched: Microsoft IE5 Offline Browsing Pack Task
Scheduler
3. Vulnerability Patched: qpop Remote Buffer Overflow
4. Vulnerability Patched: Microsoft Windows 9x Plaintext
Credential Cache
5. Vulnerability Patched: RSAREF Buffer Overflow
6. Vulnerability Patched: Endymion Mailman Default Configuration
7. Vulnerability Patched: Microsoft IE5 WPAD Spoofing
8. Vulnerability Patched: Netscape Enterprise & FastTrack
Authentication Buffer Overflow
9. Vulnerability Patched: Multiple BIND Vulnerabilities
(Slackware)
10. Vulnerability Patched: Linux nfsd Remote Buffer Overflow
(Slackware)
11. Vulnerability Patched: Linux syslogd DoS (Slackware)
12. Vulnerability Patched: Multithreaded SSL ISAPI Filter
13. Vulnerability Patched: RSAREF Buffer Overflow (OpenBSD)
IV. SECURITYFOCUS.COM TOP 6 NEWS ARTICLES
1. NSA Spies Running dry? (November 29, 1999)
2. Staples files suit against Web hacker. (November 30, 1999)
3. Worm Virus Cripples Corporate Computers (December 1, 1999)
4. Novell chief's credit card stolen online (December 2, 1999)
5. Court upholds hacker's death sentence (December 3, 1995)
6. Suspect in huge computer fraud case faces court (December 5, 1995)
V. INCIDENTS SUMMARY
1. Port 98 scans & new 3128/8080 scans (Thread)
2. Strange Web Traffic (Thread)
3. Smurf / "ICMP Echo Reply" logs (Thread)
4. BIND Scanning (Thread)
5. problems from ip69.net247221.cr.sk.ca[24.72.21.69] (Thread)
6. Port scanning (Thread)
7. Network security monitoring tools (Thread)
8. How to Report Internet-Related Crime (Thread)
9. rpc scans and nfs attacks from 210.217.26.15 (Thread)
10. New named attack or what? (Thread)
11. Traffic from 210.163.117.209 (Thread)
12. RunOnceEx
VI. VULN-DEV RESEARCH LIST SUMMARY
1. Cisco NAT DoS (VD#1) (Thread)
2. PHP (Thread)
3. WordPad exploit development: executing arbitary code on Win98
(fin) (Thread)
4. Idiocy "exploit" (Thread)
5. Norton AntiVirus 2000 POProxy.exe (Thread)
VII. SECURITY JOBS
Seeking Staff:
1. Corporate Information Security Officer
VIII. SECURITY SURVEY RESULTS
IX. SECURITY FOCUS TOP 6 TOOLS
1. SecurityFocus.com Pager (Win95/98/NT)
2. SuperScan 2.0.5 (Windows 2000, Windows 95/98 and Windows NT)
3. IDS Alert Script for FW-1 (Solaris)
4. NTInfoScan 4.2.2 (Windows NT)
5. Fragrouter 1.6 (BSDI, FreeBSD, Linux, NetBSD, OpenBSD and
Solaris)
6. Snort 1.3.1 (FreeBSD, HP-UX, IRIX, Linux, MacOS, OpenBSD and
Solaris)
X. SPONSOR INFORMATION - CORE SDI
XI. SUBSCRIBE/UNSUBSCRIBE INFORMATION


I. INTRODUCTION
-----------------

Welcome to the Security Focus 'week in review' newsletter issue 18
sponsored by CORE SDI.

http://www.core-sdi.com

1. Introducing the new Focus on Microsoft area

The Focus Area idea was born out of a realization, reinforced by comments
from our users, that there is an overwhelming amount of security
information "out there" and a limited number of ways to filter and
organize it. Under the 'Focus' umbrella we will be hosting a number of
technology or platform-specific areas, each designed to offer
well-ordered, timely content to those interested in that particular
subject. More than just a new way of presenting the data we already have,
each Focus Area will also include new original content, written by both SF
staff and outside experts on a regular basis.

I am happy to announce the opening of our first Focus Area, one devoted to
all aspects of Microsoft security. The majority of our users are involved
with MS security issues in one way or another, and the demand for an
MS-centric subsection made it an obvious choice for our first Focus.
Others will follow. In the meantime, have a look for yourself, at:

http://www.securityfocus.com/focus/


II. BUGTRAQ SUMMARY 1999-11-27 to 1999-12-05
---------------------------------------------


1. SCO UnixWare 'xauto' Buffer Overflow Vulnerability
BugTraq ID: 848
Remote: No
Date Published: 1999-12-03
Relevant URL:
http://www.securityfocus.com/bid/848
Summary:

Certain versions of SCO's UnixWare ship with a version of /usr/X/bin/xauto
which is vulnerable to a buffer overflow attack which may result in an
attacker gaining root privileges.

This is exploitable to gain root privileges even though /usr/X/bin/xauto
is not setuid root. This is due to a system design issue with SCO Unixware
which is discussed in an attached message in the 'Credit' section titled
"UnixWare 7 uidadmin exploit + discussion".

2. Symantec Mail-Gear Directory Traversal Vulnerability
BugTraq ID: 827
Remote: Yes
Date Published: 1999-11-29
Relevant URL:
http://www.securityfocus.com/bid/827
Summary:

Mail-Gear, a multi-purpose filtering email server, includes a webserver
for remote administration and email retrieval. This webserver is
vulnerable to the '../' directory traversal attack. By including the
string '../' in the URL, remote attackers can gain read access to all
files on the filesystem that the server has read access to.

3. Microsoft IE5 Offline Browsing Pack Task Scheduler Vulnerability
BugTraq ID: 828
Remote: Yes
Date Published: 1999-11-29
Relevant URL:
http://www.securityfocus.com/bid/828
Summary:

The Internet Explorer 5 Offline Browsing Pack includes the Task Scheduler
utility. This program is similar to the NT AT service, and on NT systems,
it replaces the AT service. The Task Scheduler will allow unauthorized
users to create AT jobs by modifying an existing, administrator-owned file
and placing it into the %systemroot%\tasks folder.

This vulnerability could only be exploited remotely if the tasks folder
was specifically shared, or through the default C$ share on NT. Task
Scheduler can be made to use any other arbitrary folder by editing the
following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SchedulingAgent\TasksFolder (Changes
will not take effect until after the target has been rebooted.)

The IE5 Offline Browsing Pack ships with IE5, but is not installed by default.

4. qpop Remote Buffer Overflow Vulnerability
BugTraq ID: 830
Remote: Yes
Date Published: 1999-11-30
Relevant URL:
http://www.securityfocus.com/bid/830
Summary:

There is a buffer overflow vulnerability present in current (3.x) versions
of Qualcomm popper daemon. These vulnerabilities are remotely exploitable
and since the daemon runs as root, the host running qpopper can be
completely compromised anonymously. The problem is in pop_msg.c, around
line 68 and is the result of vsprintf() or sprintf() calls without bounds
checking.

5. Microsoft Windows 9x Plaintext Credential Cache Vulnerability
BugTraq ID: 829
Remote: No
Date Published: 1999-11-29
Relevant URL:
http://www.securityfocus.com/bid/829
Summary:

Windows 95 and 98 cache a user's name and password in plaintext in RAM.
This feature was included for backwards compatibility with Windows for
Workgroups, which implemented this mechanism for use with the 'net'
program, which handled most network configuration requirements for the WfW
OS. This feature can be exploited via specific function calls to retrieve
another user's credentials. In order for this to work, the attacker must
have console access to the target machine, and it must not have been
rebooted since the last logout. Only the most recent user's credentials
can be retrieved.

6. Solaris kcms_configure
BugTraq ID: 831
Remote: No
Date Published: 1999-11-30
Relevant URL:
http://www.securityfocus.com/bid/831
Summary:

The binary kcms_configure, part of the Kodak Color Management System
package shipped with OpenWindows (and ultimately, Solaris) is vulnerable
to a local buffer overflow. The buffer which the contents of the
environment variable NETPATH are copied into has a predetermined length,
which if exceeded can corrupt the stack and cause arbitrary code hidden
inside of the oversized buffer to be executed. kcms_configure is installed
setuid root and exploitation will result in a local root compromise.

7. Multiple Vendor CDE dtmail/mailtool Buffer Overflow Vulnerability
BugTraq ID: 832
Remote: No
Date Published: 1999-11-30
Relevant URL:
http://www.securityfocus.com/bid/832
Summary:

There are three buffer overflow vulnerabilities in the CDE mail utilities,
all of which are installed sgid mail by default.

The first is exploited through overrunning a buffer in the Content-Type:
field, which would look something like this:

Content-Type: image/aaaaaaaa long 'a' aaaaaa; name="test.gif"

Mailtool will overflow when an email is selected which has a Content-Type
field like that. It may be possible for an attacker to obtain root
privileges if shellcode is written appropriately and root selects the
malicious email message.

The second vulnerability is in dtmail, which will crash (and possibly
execute arbitrary code) if a long parameter is passed as the argument to
the -f command-line option.

The third is in mailpr, which is vulnerable to a long -f parameter as
well.

The most basic consequence of these being exploited is a compromise of
local email, since all mail data is set mode 660, read and write
permissions granted for members of group mail.

As of November 30, 1999, Solaris 7 is the only known vulnerable platform.

8. NT Subst.exe Vulnerability
BugTraq ID: 833
Remote: No
Date Published: 1999-11-30
Relevant URL:
http://www.securityfocus.com/bid/833
Summary:

The SUBST command is used to map a drive letter to a folder on an existing
drive. This command can be run by any user. After it is run, the mapping
stays in effect until it is deleted, by issuing the subst command again
with the /d option, or until the machine is rebooted. Logging off does not
remove the mapping. Therefore, it is possible for one console user to map
a drive letter to a folder of their choosing, and then log off, leaving
the mapping intact for the next user. If the next user tries to manually
map a different location to that letter, they will get an error 85, "The
local device name is already in use." However, if the drive letter used is
the same as their network-mapped home drive, the operation will fail
without any error message. From the user's perspective, nothing obvious
will happen to let them know that their 'home drive' is not their usual
home drive at all. This opens the possibility of getting a user to run
trojaned or malicious programs, as well as the possibility of having them
write potentially confidential documents to a publicly-accessible or even
network shared location.

9. FreeBSD gdc Buffer Overflow Vulnerability
BugTraq ID: 834
Remote: No
Date Published: 1999-12-01
Relevant URL:
http://www.securityfocus.com/bid/834
Summary:

There is a buffer overflow vulnerability known to be present in the
version of gdc shipped with the 3.3-RELEASE version of FreeBSD. By
default, only users in group wheel have execute access to gdc. The
overflow occurs when the argument passed along with the -t flag (time)
exceeds its predefined buffer length. It is possible to then corrupt the
stack and alter the flow of execution (and execute arbitrary code). With
gdc setuid root by default, this can lead to a local root compromise if
exploited by users who have or gain access of or belong to the wheel group
(or trusted gated group).

10. FreeBSD gdc Symlink Vulnerability
BugTraq ID: 835
Remote: No
Date Published: 1999-12-01
Relevant URL:
http://www.securityfocus.com/bid/835
Summary:

It is possible to write debug output from gdc to a file
(/var/tmp/gdb_dump). Unfortunately, gdc follows symbolic links which can
be created in tmp and will overwrite any file on the system thanks to it
being setuid root. This does not cause any immediate compromises and is
more of a denial of service attack since it does not change the
permissions of the overwritten files (to say, world writeable or group
writeable). Local users are required to be in group wheel (or equivalent)
to execute gdc.


11. Solaris arp/chkperm Vulnerabilities
BugTraq ID: 837
Remote: No
Date Published: 1999-12-01
Relevant URL:
http://www.securityfocus.com/bid/837
Summary:

It is possible to read bin owned files to which read access is not
permitted to local users through exploiting subtle vulnerabilities in arp
and chkperm.

With arp, this is done through specifying a file with the -f parameter.
When arp tries to interpret the contents of this file (opening and reading
it just fine being sgid/suid bin), it will fail and print the "erroneous
lines" of the file along with its error messages. Those "erroneous lines"
are the contents of the file to which you do not normally have read access
(and belong to the user/group bin).

For chkperm, exploitation would be through setting the environment variable
that chkperm consults to decide where to write a file with a known name
(making it possible to supply an arbitrary location, one where an attacker
would have write access). The hacker would then make a lib subdirectory
beneath the specified VMSYS path, and a file in lib/ called .facerc, which
would be a symlink to whatever file is to be read. chkperm would then be
run with the -l flag and the contents of the file pointed to will be
displayed (as seen by bin).

Solaris 2.x are known to be vulnerable.

12. FreeBSD Seyon setgid dialer Vulnerability
BugTraq ID: 838
Remote: No
Date Published: 1999-12-01
Relevant URL:
http://www.securityfocus.com/bid/838
Summary:

FreeBSD 3.3-RELEASE ships with Seyon, a communications program which is
known to have several vulnerabilities which can allow for a malicious user
to elevate privileges. The vulnerability, however, is that seyon is still
installed setgid dialer in FreeBSD. When seyon is exploited, a local user
can grant him/herself privileges which allow access to the communications
devices or anything else accessible by the group dialer.

13. FreeBSD xmindpath Buffer Overflow Vulnerability
BugTraq ID: 839
Remote: No
Date Published: 1999-12-01
Relevant URL:
http://www.securityfocus.com/bid/839
Summary:

The version of xmindpath shipped with FreeBSD 3.3 can be locally exploited
via overrunning a buffer of predefined length. It is possible to gain the
effective userid of uucp through this vulnerability. It may be possible,
after attaining uucp privileges, to modify binaries to which uucp has
write access and trojan them to further elevate privileges, i.e. modify
minicom so that when root runs it, it drops a suid shell somewhere.

14. FreeBSD angband Buffer Overflow Vulnerability
BugTraq ID: 840
Remote: No
Date Published: 1999-12-01
Relevant URL:
http://www.securityfocus.com/bid/840
Summary:

The version of angband shipped with FreeBSD 3.3-RELEASE is vulnerable to a
local buffer overflow attack. Since it is setgid games, a compromise of
files and directories owned by group games is possible.

15. RSAREF Buffer Overflow Vulnerability
BugTraq ID: 843
Remote: Yes
Date Published: 1999-12-01
Relevant URL:
http://www.securityfocus.com/bid/843
Summary:

A buffer overflow vulnerability exists in the RSAREF cryptographic library
which may possibly make any software using the library vulnerable.

The vulnerability exists in four functions in the rsa.c source file. The
functions are:

int RSAPublicEncrypt()
int RSAPrivateEncrypt()
int RSAPublicDecrypt()
int RSAPrivateDecrypt()

All of these functions define a local variable called pkcsBlock, 128 bytes
in length, which can be overflowed, making it possible to execute arbitrary
code.

This vulnerability, in combination with BUGTRAQ ID 797, allows versions of
SSHD linked against the RSAREF2 library to be vulnerable to a remote
exploit.

16. IBM Websphere Installation Permissions Vulnerability
BugTraq ID: 844
Remote: No
Date Published: 1999-12-02
Relevant URL:
http://www.securityfocus.com/bid/844
Summary:

The IBM Websphere application server, when installed on Solaris (or
possibly AIX), will create a deinstallation shell script which is mode 777
in /usr/bin. The script is called by pkgmgr, which is run by root. This
means that an attacker can modify the script and add malicious code to it,
leading to a root compromise once it is run. IBM Websphere also installs
many of its data files with mode 777 permissions.

17. Endymion Mailman Default Configuration Vulnerability
BugTraq ID: 845
Remote: No
Date Published: 1999-12-02
Relevant URL:
http://www.securityfocus.com/bid/845
Summary:

Endymion mailman is a commercial www email suite which is written in perl.
When it is installed, by default it sets permissions which make it
vulnerable to local compromise (666 for files, 777 for directories).
Because of this it is possible for local, unprivileged users to read and
write to the email of arbitrary users (who use the mailman system) as well
as to files owned by uid webmaster.

18. Microsoft IE5 WPAD Spoofing Vulnerability
BugTraq ID: 846
Remote: Yes
Date Published: 1999-12-02
Relevant URL:
http://www.securityfocus.com/bid/846
Summary:

IE5's automatic proxy configuration feature, WPAD, (Web Proxy
Auto-Discovery) can be fooled into using or attempting to use a
non-authorized server as a proxy server. An attacker on a different
network could use this to read web traffic from the IE5 client.

IE5 will search for a WPAD server by looking for machines named wpad.x.x.x
in the current domain. If none is found, it will proceed up the domain
name structure, until it gets to the third-level domain name.

For example, IE5 running on host a.b.c.d.net would first look for
wpad.b.c.d.net, then wpad.c.d.net, then wpad.d.net.

In certain network configurations, the third-level domain is not
necessarily a trusted part of the network, and an attacker could set up a
server to cause IE5 clients to use a hostile machine as proxy.
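
The search order described above, written out as an added Python example
(not part of the original newsletter) so an administrator can list which
wpad names clients would query and which of them fall outside zones the
organisation controls. The host names and the trusted zone are constructed
sample values; the three-label stopping point follows the description above.

```python
from __future__ import annotations


def wpad_candidates(fqdn: str, min_labels: int = 3) -> list[str]:
    """Return the wpad names a client on `fqdn` would try, in order.

    The host label is dropped, 'wpad' is prepended to what remains, and one
    more leading label is dropped each round until the candidate would have
    fewer than `min_labels` labels (three, per the advisory text).
    """
    labels = [part for part in fqdn.strip(".").lower().split(".") if part]
    names = []
    for i in range(1, len(labels)):
        candidate = ["wpad"] + labels[i:]
        if len(candidate) < min_labels:
            break
        names.append(".".join(candidate))
    return names


def in_zone(name: str, zone: str) -> bool:
    """True if `name` is the zone itself or sits below it.

    The match is made on a label boundary, so 'wpad.evilcorp.example.net'
    is not treated as part of 'corp.example.net'.
    """
    zone = zone.strip(".").lower()
    return name == zone or name.endswith("." + zone)


def names_outside_trust(fqdn: str, trusted_zones: list[str]) -> list[str]:
    """Candidates for `fqdn` that are not inside any trusted zone."""
    return [
        name
        for name in wpad_candidates(fqdn)
        if not any(in_zone(name, zone) for zone in trusted_zones)
    ]


def audit_hosts(hosts: list[str], trusted_zones: list[str]) -> dict[str, list[str]]:
    """Map each out-of-trust wpad name to the hosts that would query it."""
    report: dict[str, list[str]] = {}
    for host in hosts:
        for name in names_outside_trust(host, trusted_zones):
            report.setdefault(name, []).append(host)
    return report


# Constructed sample inventory: the organisation controls corp.example.net,
# but example.net belongs to someone else (for instance an upstream provider).
SAMPLE_HOSTS = [
    "pc7.eng.corp.example.net",
    "mail.corp.example.net",
    "kiosk.example.net",
]
SAMPLE_TRUSTED = ["corp.example.net"]

if __name__ == "__main__":
    print(wpad_candidates("a.b.c.d.net"))
    for name, hosts in audit_hosts(SAMPLE_HOSTS, SAMPLE_TRUSTED).items():
        print(f"{name}: queried by {', '.join(hosts)}")
```

Every name in the report is one that should either resolve to a server the
organisation runs or be confirmed not to resolve at all.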

19. Netscape Enterprise & FastTrack Authentication Buffer Overflow Vulnerability
BugTraq ID: 847
Remote: Yes
Date Published: 1999-12-01
Relevant URL:
http://www.securityfocus.com/bid/847
Summary:

Certain versions of the Netscape FastTrack and Enterprise servers for both
Unix and NT contain a remotely exploitable buffer overflow vulnerability.
This vulnerability is present in both the Application and Administration
servers shipped with the respective packages. The problem lies in the HTTP
Basic Authentication procedure for both servers, which has a buffer
overflow condition when a long username or password (over 508 characters)
is provided. This may result in an attacker gaining root privileges under
UNIX and SYSTEM privileges under NT.

20. SCO UnixWare '/var/mail' permissions Vulnerability
BugTraq ID: 849
Remote: No
Date Published: 1999-12-03
Relevant URL:
http://www.securityfocus.com/bid/849
Summary:

Certain versions of SCO's UnixWare (only 7.1 was tested) ship with the
/var/mail/ directory with permission 777 (-rwxrwxrwx). This in effect
allows malicious users to read incoming mail for users who do not yet have
a mail file (/var/mail/username) present. This may be done by simply
creating the file in question with a permission mode which is readable to
the attacker.

21. SCO UnixWare 'pkg' commands Vulnerability
BugTraq ID: 850
Remote: No
Date Published: 1999-12-03
Relevant URL:
http://www.securityfocus.com/bid/850
Summary:

Certain versions of SCO's Unixware (only version 7.1 was tested) ship with
a series of package install/removal utilities which due to design issues
under the SCO UnixWare operating system may read any file on the system
regardless of their permission set. This is due to the package commands
(pkginfo, pkgcat, pkgparam, etc.) having extended access due to
Discretionary Access Controls (DAC) via /etc/security/tcb/privs. This
mechanism is explained more thoroughly in the original message to Bugtraq
which is listed in full in the 'Credit' section of this vulnerability
entry.

22. SCO UnixWare 'coredump' Symlink Vulnerability
BugTraq ID: 851
Remote: No
Date Published: 1999-12-03
Relevant URL:
http://www.securityfocus.com/bid/851
Summary:

Under certain versions of SCO UnixWare, if a user can force a program with
SGID (Set Group ID) to dump core they may launch a symlink attack by
guessing the PID (Process ID) of the SGID process which they are calling.
This is required because the coredump file will be dumped to the directory
from which it is being executed as './core.pid'. The program dumping
core does not check for the existence of a symlinked file and will happily
overwrite any file which it has permission to write to. Many SGID binaries
under UnixWare are in the group 'sgid-sys', a group which has write
permission to a large number of system critical files.

This attack will most likely result in a denial of service; however,
if the attacker can provide some data to the core file she may be
able to leverage root access. For example, if the intruder were able to get
'+ +' onto a line of its own in the core file, the intruder could then
overwrite root's .rhosts file.



III. PATCH UPDATES 1999-11-27 to 1999-12-05
-------------------------------------------

1. Vendor: Symantec
Product: Symantec Mail-Gear 1.0
Vulnerability Patched: Symantec Mail-Gear Directory Traversal Vulnerability
BugTraq ID: 827
Relevant URLS:
http://www.securityfocus.com/bid/827
Patch Location:
http://www.symantec.com/urlabs/public/download/download.html

2. Vendor: Microsoft
Product: IE5
Vulnerability Patched: Microsoft IE5 Offline Browsing Pack Task Scheduler
BugTraq ID: 828
Relevant URLS:
http://www.securityfocus.com/bid/828
Patch Location:

IE 5.01 is not susceptible to this vulnerability. The Task Scheduler that is
included with 5.01 uses signature verification to check that all scheduled tasks
were created by the administrator of the local machine.
It can be downloaded at:

http://www.microsoft.com/msdownload/iebuild/ie501_win32/en/ie501_win32.htm

3. Vendor: Qualcomm
Product: qpop
Vulnerability Patched: qpop Remote Buffer Overflow
BugTraq ID: 830
Relevant URLS:
http://www.securityfocus.com/bid/830
Patch Location:

The newest version, qpopper3.0b22 (which is patched), is available at:

ftp://ftp.qualcomm.com/eudora/servers/unix/popper/

4. Vendor: Microsoft
Product: Microsoft Windows 9x
Vulnerability Patched: Microsoft Windows 9x Plaintext Credential Cache
BugTraq ID: 829
Relevant URLS:
http://www.securityfocus.com/bid/829
Patch Location:

Microsoft has released a patch to deal with this issue. It is available at:

Windows 95:
http://download.microsoft.com/download/win95/update/168115/w95/en-us/168115us5.exe
Windows 98:
http://download.microsoft.com/download/win98/update/168115/w98/en-us/168115us8.exe

5. Vendor: RSA Data Security
Product: RSAREF
Vulnerability Patched: RSAREF Buffer Overflow
BugTraq ID: 843
Relevant URLS:
http://www.securityfocus.com/bid/843
Patch Location:

RSA Security no longer supports the RSAREF library.
CORE SDI has developed the following fix for RSAREF:

http://www.securityfocus.com/bid/843

6. Vendor: Endymion
Product: Endymion Mailman
Vulnerability Patched: Endymion Mailman Default Configuration Vulnerability
BugTraq ID: 845
Relevant URLS:
http://www.securityfocus.com/bid/845
Patch Location:

Endymion does warn customers to change permissions on software. A
fix for this is to change the permissions to 0600 for the files and 0700
for the directories.
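
One way to check an installation tree against the 0600/0700 limits given
above, and to catch the mode 666 and 777 cases listed in this summary, as an
added Python example (not part of the original newsletter or any vendor
fix). The function names are illustrative, and the limits are parameters so
other policies can be checked.

```python
from __future__ import annotations

import os
import stat


def audit(root: str, file_max: int = 0o600, dir_max: int = 0o700):
    """Report every path under `root` whose mode has bits beyond the limit.

    Returns a sorted list of (path, current_mode, suggested_mode) tuples.
    Symbolic links are skipped: their own mode is meaningless and following
    them could lead outside the tree being audited.
    """
    findings = []

    def check(path: str) -> None:
        st = os.lstat(path)
        if stat.S_ISLNK(st.st_mode):
            return
        limit = dir_max if stat.S_ISDIR(st.st_mode) else file_max
        mode = stat.S_IMODE(st.st_mode)
        if mode & ~limit:
            # Keep only the bits the policy allows; never add permissions.
            findings.append((path, mode, mode & limit))

    check(root)
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            check(os.path.join(dirpath, name))
    return sorted(findings)


def tighten(findings) -> None:
    """Apply the suggested mode to each finding returned by audit()."""
    for path, _current, suggested in findings:
        os.chmod(path, suggested)


def format_report(findings) -> str:
    """Render findings as 'path: 0666 -> 0600' lines for review."""
    return "\n".join(
        f"{path}: {current:04o} -> {suggested:04o}"
        for path, current, suggested in findings
    )


if __name__ == "__main__":
    import sys

    # Usage: python audit_modes.py /path/to/install/tree
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    print(format_report(audit(target)))
```

Review the report before calling tighten(); a web server that runs under a
different uid from the file owner may need group access that 0600/0700 removes.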

7. Vendor: Microsoft
Product: IE5
Vulnerability Patched: Microsoft IE5 WPAD Spoofing
BugTraq ID: 846
Relevant URLS:
http://www.securityfocus.com/bid/846
Patch Location:

Microsoft has released IE5.01, which is not vulnerable to this attack. IE5.01
can be downloaded from:
http://www.microsoft.com/msdownload/iebuild/ie501_win32/en/ie501_win32.htm

8. Vendor: Netscape
Product: Netscape Enterprise & FastTrack Servers
Vulnerability Patched: Netscape Enterprise & FastTrack Authentication Buffer Overflow
BugTraq ID: 847
Relevant URLS:
http://www.securityfocus.com/bid/847
http://www.iss.net/xforce
Patch Location:

As taken from the ISS Advisory which is listed in full in the 'Credit' section
of this advisory.

Affected users should upgrade their systems immediately. This
vulnerability affects systems running Administration Server with
password protected areas that rely on Basic Authentication. If you run
any of the affected servers on any platform, upgrade to iPlanet Web
Server 4.0sp2 at:

http://www.iplanet.com/downloads/testdrive/detail_161_243.html.

Netscape has stated that FastTrack will not be patched. Although
Netscape released service pack 3 for Enterprise Server 3.6 that fixes
the vulnerability in the web server, the Administration Server remains
vulnerable.

9. Vendor: Slackware
Product: Linux (Slackware)
Vulnerability Patched: Multiple BIND Vulnerabilities
BugTraq ID: 788
Relevant URLS:
http://www.securityfocus.com/bid/788
Patch Location:
ftp.cdrom.com:/pub/linux/slackware-4.0/patches/bind.tgz

10. Vendor: Slackware
Product: Linux (Slackware)
Vulnerability Patched: Linux nfsd Remote Buffer Overflow Vulnerability
BugTraq ID: 782
Relevant URLS:
http://www.securityfocus.com/bid/782
Patch Location:
ftp.cdrom.com:/pub/linux/slackware-4.0/patches/nfs-server.tgz

11. Vendor: Slackware
Product: Linux (Slackware)
Vulnerability Patched: Linux syslogd Denial of Service Vulnerability
BugTraq ID: 809
Relevant URLS:
http://www.securityfocus.com/bid/802
Patch Location:
ftp.cdrom.com:/pub/linux/slackware-4.0/patches/sysklogd.tgz

12. Vendor: Microsoft
Product:
- Microsoft IIS 4.0
- Microsoft Site Server 3.0
- Microsoft Site Server Commerce Edition 3.0
Vulnerability Patched: Multithreaded SSL ISAPI Filter
BugTraq ID: NONE
Relevant URLS:
http://www.microsoft.com/security/bulletins/MS99-053faq.asp
Patch Location:
- x86:
http://www.microsoft.com/downloads/release.asp?ReleaseID=16186
- Alpha:
http://www.microsoft.com/downloads/release.asp?ReleaseID=16187

NOTE: This and other patches are available from the Microsoft
Download Center (http://www.microsoft.com/downloads/search.asp?
Search=Keyword&Value='security_patch'&OpSysID=1)

13. Vendor: OpenBSD
Product: OpenBSD
Vulnerability Patched: RSAREF Buffer Overflow
BugTraq ID: 843
Relevant URLS:
http://www.securityfocus.com/bid/843/
Patch Location:

ftp://ftp.usa.openbsd.org/pub/OpenBSD/2.6/i386/sslUSA26.tar.gz
ftp://ftp.usa.openbsd.org/pub/OpenBSD/2.6/sparc/sslUSA26.tar.gz
ftp://ftp.usa.openbsd.org/pub/OpenBSD/2.6/hp300/sslUSA26.tar.gz
ftp://ftp.usa.openbsd.org/pub/OpenBSD/2.6/mvme68k/sslUSA26.tar.gz
ftp://ftp.usa.openbsd.org/pub/OpenBSD/2.6/mac68k/sslUSA26.tar.gz
ftp://ftp.usa.openbsd.org/pub/OpenBSD/2.6/amiga/sslUSA26.tar.gz


IV. SECURITYFOCUS.COM TOP 6 NEWS ARTICLES
-----------------------------------------

Due to popular demand we have added a 'Top Six Stories' section to the newsletter. SecurityFocus.com
actually gathers over 100 news articles a week, these 6 before you are those which were the most
read through our site, or those we thought were of special interest.

1. NSA Spies Running dry? (November 29, 1999)
Excerpt:

Spies at the US National Security Agency may be having trouble eavesdropping
on information transmitted through the Internet and fiber optic cables.

URL:
http://www.securityfocus.com/templates/frame.html?adgroup=secnews&url=/external/http%3a%2f%2fwww.wired.com%2fnews%2fpolitics%2f0,1283,32770,00.html

2. Staples files suit against Web hacker. (November 30, 1999)
Excerpt:

Officials at Staples Inc. filed a lawsuit in US District Court in Boston
yesterday charging that ''John Doe,'' the unidentified hacker, illegally accessed
the company's Web site and damaged the company by stealing e-commerce
business.

URL:
http://www.securityfocus.com/templates/frame.html?adgroup=secnews&url=/external/http%3a%2f%2fwww.wired.com%2fnews%2fpolitics%2f0,1283,32770,00.html

3. Worm Virus Cripples Corporate Computers (December 1, 1999)
Excerpt:

A deadly new version of a destructive computer
worm has crippled e-mail systems among
Fortune 500 companies and others, chewed
up files and created havoc among the
corporations that sought to limit the damage

URL:
http://www.securityfocus.com/templates/frame.html?adgroup=secnews&url=/external/http%3a%2f%2fwww.apbnews.com%2fnewscenter%2finternetcrime%2f1999%2f12%2f01%2fvirus1201_01.html

4. Novell chief's credit card stolen online (December 2, 1999)
Excerpt:

Speaking at San Francisco's Digital Economy conference Thursday, Schmidt informed the crowd
that his credit card number had been stolen over the Internet in the past.

Although he isn't sure exactly how his card number was lifted, Schmidt says he believes it was
through a mechanism that reads the cookies-files sitting on a user's desktop and storing personal
information, such as passwords and preferences.

URL:
http://www.securityfocus.com/templates/frame.html?adgroup=secnews&url=/external/http%3a%2f%2fwww.wired.com%2fnews%2fpolitics%2f0,1283,32770,00.html

5. Court upholds hacker's death sentence (December 3, 1995)
Excerpt:

A Chinese court has upheld the death sentence for a man who hacked into the computer system of
a state bank to steal money, the Financial News reported on Saturday.

The Yangzhou Intermediate People's Court in eastern Jiangsu province rejected the appeal of Hao
Jingwen, upholding a death sentence imposed last year, the newspaper said.

URL:
http://www.securityfocus.com/templates/frame.html?adgroup=secnews&url=/external/http%3a%2f%2fwww.wired.com%2fnews%2fpolitics%2f0,1283,32770,00.html

6. Suspect in huge computer fraud case faces court (December 5, 1995)
Excerpt:

He called himself "The Gatsby."

And like F. Scott Fitzgerald's fictional character, he inhabited a world of
power, money and cunning.

That fantasy world abruptly ended Feb, 22, 1995, when FBI agents raided
the bedroom of Jonathan Bosanac, aka The Gatsby, who lived in his parents'
million-dollar home in Rancho Santa Fe.

Federal law enforcers said Bosanac was a ringleader in one of the biggest
computer hacking schemes in U.S. history.

URL:
http://www.securityfocus.com/templates/frame.html?adgroup=secnews&url=/external/http%3a%2f%2fwww.uniontrib.com%2fnews%2funiontrib%2fsun%2fnews%2fnews_1n5hacker.html


V. INCIDENTS SUMMARY 1999-11-27 to 1999-12-05
---------------------------------------------

1. Port 98 scans & new 3128/8080 scans (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=75&date=1999-11-22&msg=14401.22457.121945.823373@cap-ferrat.albourne.com

2. Strange Web Traffic (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=75&date=1999-11-22&msg=31933968789DD111BEAB0080C81D384C200F6A@CT_NT

3. Smurf / "ICMP Echo Reply" logs (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=75&date=1999-11-22&msg=19991129075230.6919.qmail@securityfocus.com

4. BIND Scanning (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=75&date=1999-11-29&msg=19991129165821.19627.qmail@securityfocus.com

5. problems from ip69.net247221.cr.sk.ca[24.72.21.69] (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=75&date=1999-11-29&msg=SIMEON.9911291006.E470@bluebottle.itss

6. Port scanning (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=75&date=1999-11-29&msg=Pine.LNX.4.05.9911301616040.1748-100000@marvin.junknet

7. Network security monitoring tools (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=75&date=1999-11-29&msg=Pine.BSF.4.10.9911302011220.9473-100000@ns1.host.qc.ca

8. How to Report Internet-Related Crime (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=75&date=1999-11-29&msg=19991201134808.B14851@securityfocus.com

9. rpc scans and nfs attacks from 210.217.26.15 (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=75&date=1999-11-29&msg=Pine.LNX.4.05.9912020844320.24774-100000@grace.speakeasy.org

10. New named attack or what? (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=75&date=1999-11-29&msg=Pine.LNX.4.21.9912020737001.12556-100000@ns.ldc.ro

11. Traffic from 210.163.117.209 (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=75&date=1999-11-29&msg=19991202110508.3958.qmail@securityfocus.com

12. RunOnceEx
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=75&date=1999-11-29&msg=357a2b90036f8275f8cc9d935e7020e238481ac3@tripwiresecurity.com

VI. VULN-DEV RESEARCH LIST SUMMARY 1999-11-27 to 1999-12-05
----------------------------------------------------------

1. Cisco NAT DoS (VD#1) (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=82&date=1999-11-22&msg=199911290435.XAA20460@rooster.cisco.com

2. PHP (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=82&date=1999-11-29&msg=Pine.GSO.4.10.9911301431530.16932-100000@kenny.intranet.csupomona.edu

3. WordPad exploit development: executing arbitary code on Win98 (fin) (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=82&date=1999-11-29&msg=19991130191759.43230.qmail@hotmail.com

4. Idiocy "exploit" (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=82&date=1999-11-29&msg=199912011302.IAA22031@mailhost.squonk.net

5. Norton AntiVirus 2000 POProxy.exe (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=82&date=1999-11-29&msg=Pine.BSF.4.10.9912011816320.12955-100000@shell20.ba.best.com


VII. SECURITY JOBS SUMMARY 1999-11-27 to 1999-12-05
---------------------------------------------------

Seeking Staff:

1. Corporate Information Security Officer
Reply to: Neal Fisher <fishern@ppsinfo.com>
Requirements:
http://www.securityfocus.com/templates/archive.pike?list=77&date=1999-11-29&thread=19991129174646.21886.qmail@securityfocus.com


VIII. SECURITY SURVEY 1999-11-15 to 1999-11-27
----------------------------------------------

The question for 1999-11-15 to 1999-11-27 was:

Whose responsibility is it to notify vendors of security flaws in their products?

1. The person/group who discovered and posted the flaw
2. The resource where the information is published (ie Bugtraq, NTBugtraq, etc)
3. Vendors should be responsible for keeping up to date on discoveries about their software.

Results:

1. 40% / 36 votes
2. 1% / 1 votes
3. 56% / 50 votes

Total Votes: 88 votes

IX. SECURITY FOCUS TOP 6 TOOLS 1999-11-27 to 1999-12-05
--------------------------------------------------------

1. SecurityFocus.com Pager
by SecurityFocus.com
URL: http://www.securityfocus.com/pager/sf_pgr20.zip
Platforms: Win95/98/NT
Number of downloads: 1759

This program allows the user to monitor additions to the Security Focus
website without constantly maintaining an open browser. Sitting quietly in
the background, it polls the website at a user-specified interval and
alerts the user via a blinking icon in the system tray, a popup message or
both (also user-configurable).

2. SuperScan 2.0.5
by Robin Keir <robin@keir.net>
URL: http://members.home.com/rkeir/software.html
Platforms: Windows 2000, Windows 95/98 and Windows NT
Number of downloads: 1624

This is a powerful connect-based TCP port scanner, pinger and hostname resolver.
Multithreaded and asynchronous techniques make this program extremely fast and
versatile. Perform ping scans and port scans using any IP range or specify a text file to
extract addresses from. Scan any port range from a built in list or any given range. Resolve
and reverse-lookup any IP address or range. Modify the port list and port descriptions using
the built in editor. Connect to any discovered open port using user-specified "helper"
applications (e.g. Telnet, Web browser, FTP) and assign a custom helper application to any
port. Save the scan list to a text file. Transmission speed control. User friendly interface.
Includes help file

3. IDS Alert Script for FW-1 1.3
by Lance Spitzner
URL: http://www.enteract.com/~lspitz/intrusion.html
Platforms: Solaris
Number of downloads: 1578

Flexible network based IDS script for CheckPoint Firewall-1 installations. Build Intrusion
Detection into your firewall. Features include:
- Automated alerting, logging, and archiving
- Automated blocking of attacking source
- Automated identification and email remote site
- Installation and test script
- Fully configurable
Ver 1.3 Optimized for performance, over 50% speed increase.

4. NTInfoScan 4.2.2
by David Litchfield
URL: http://www.infowar.co.uk/mnemonix/ntinfoscan.htm
Platforms: Windows NT
Number of downloads: 1417

NTInfoScan is a security scanner designed specifically for the Windows NT 4.0 operating
system. It's simple to use - you run it from a command line - and when the scan is finished it
produces an HTML based report of security issues found with hyper-text links to vendor
patches and further information. NTInfoScan is currently at version 4.2.2. It tests a number
of services such as ftp, telnet, web service, for security problems. Added to this NTInfoScan
will check NetBIOS share security and User account security.

5. Fragrouter 1.6
by Dug Song, Anzen Computing
URL: http://www.anzen.com/research/nidsbench/
Platforms: BSDI, FreeBSD, Linux, NetBSD, OpenBSD and Solaris
Number of downloads: 1043

Fragrouter is a network intrusion detection evasion toolkit. It implements most of the attacks
described in the Secure Networks "Insertion, Evasion, and Denial of Service: Eluding
Network Intrusion Detection" paper of January 1998.

This program was written in the hopes that a more precise testing methodology might be
applied to the area of network intrusion detection, which is still a black art at best.

6. Snort UPDATE 1.3.1
by Martin Roesch <roesch@clark.net>
URL: http://www.clark.net/~roesch/security.html#Download
Platforms: FreeBSD, HP-UX, IRIX, Linux, MacOS, OpenBSD and Solaris
Number of downloads: 826

Snort is a libpcap-based packet sniffer/logger which can be used as a lightweight network
intrusion detection system. It features rules based logging and can perform protocol
analysis, content searching/matching and can be used to detect a variety of attacks and
probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS
fingerprinting attempts, and much more. Snort has a real-time alerting capability, with alerts
being sent to syslog, a separate "alert" file, or as a WinPopup message via Samba's
smbclient.


X. SPONSOR INFORMATION -
------------------------------------------

URL: http://www.core-sdi.com

CORE SDI is an international computer security research and development
company. Its clients include 3 of the Big 5 chartered accountant firms
for whom CORE SDI develops customized security auditing tools as well as
several notable computer security product vendors, such as Network
Associates. CORE SDI also has extensive experience dealing with financial
and government contracts throughout Latin and North America.

XI. SUBSCRIBE/UNSUBSCRIBE INFORMATION
-------------------------------------

1. How do I subscribe?

Send an e-mail message to LISTSERV@SECURITYFOCUS.COM with a message body
of:

SUBSCRIBE SF-NEWS Lastname, Firstname

You will receive a confirmation request message to which you will have
to answer.

2. How do I unsubscribe?

Send an e-mail message to LISTSERV@SECURITYFOCUS.COM from the subscribed
address with a message body of:

UNSUBSCRIBE SF-NEWS

If your email address has changed, email aleph1@securityfocus.com and I
will manually remove you.

3. How do I disable mail delivery temporarily?

If you are simply going on vacation you can turn off mail delivery
without unsubscribing by sending LISTSERV the command:

SET SF-NEWS NOMAIL

To turn back on e-mail delivery use the command:

SET SF-NEWS MAIL

4. Is the list available in a digest format?

Yes. The digest is generated once a day.

5. How do I subscribe to the digest?

To subscribe to the digest join the list normally (see section 0.2.1)
and then send a message to LISTSERV@SECURITYFOCUS.COM with a message
body of:

SET SF-NEWS DIGEST

6. How do I unsubscribe from the digest?

To turn the digest off send a message to LISTSERV with a message body
of:

SET SF-NEWS NODIGEST

If you want to unsubscribe from the list completely follow the
instructions of section 0.2.2 next.

7. I seem to not be able to unsubscribe. What is going on?

You are probably subscribed from a different address than that from
which you are sending commands to LISTSERV. Either send email from
the appropriate address or email the moderator to be unsubscribed manually.




Alfred Huger
VP of Engineering
SecurityFocus.com

@HWA








-=----------=- -=----------=- -=----------=- -=----------=-

0
0
0
o
O O O
0


=----------=- -=----------=- -=----------=- -=----------=- -=----------=-

=----------=- -=----------=- -=----------=- -=----------=- -=----------=-











AD.S ADVERTI$ING. The HWA black market ADVERTISEMENT$.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

_ _ _ _
/\ | | | | (_) (_)
/ \ __| |_ _____ _ __| |_ _ ___ _ _ __ __ _
/ /\ \ / _` \ \ / / _ \ '__| __| / __| | '_ \ / _` |
/ ____ \ (_| |\ V / __/ | | |_| \__ \ | | | | (_| |
/_/ \_\__,_| \_/ \___|_| \__|_|___/_|_| |_|\__, |
__/ |
|___/


ADVERTISING IS FREE, SEND IN YOUR ADS TO CRUCIPHUX@DOK.ORG FOR INCLUSION HERE

.
.
............... .
: : . . . . . .
__:________ : : ___________ . . .
\ < /_____:___ : ( < __( :_______
) : )______:___\_ (___( : /
=====/________|_________/ < | : (________________(======
: (__________________) :wd!
. : : :
- / - w w w . h a c k u n l i m i t e d . c o m - / -
: . . . . . : :
. . . . . :...............:
.
.




*****************************************************************************
* *
* ATTRITION.ORG http://www.attrition.org *
* ATTRITION.ORG Advisory Archive, Hacked Page Mirror *
* ATTRITION.ORG DoS Database, Crypto Archive *
* ATTRITION.ORG Sarcasm, Rudeness, and More. *
* *
*****************************************************************************



When people ask you "Who is Kevin Mitnick?" do you have an answer?

www.2600.com www.freekevin.com www.kevinmitnick.com www.2600.com www.freekevi
n.com www.kevinmitnick.com www.2600.com www.freekevin.com www.kevinmitnick.co
m www.2600.com ########################################ww.2600.com www.freeke
vin.com www.kev# Support 2600.com and the Free Kevin #.com www.kevinmitnick.
com www.2600.co# defense fund site, visit it now! . # www.2600.com www.free
kevin.com www.k# FREE EVIN! #in.com www.kevinmitnic
k.com www.2600.########################################om www.2600.com www.fre
ekevin.com www.kevinmitnick.com www.2600.com www.freekevin.com www.kevinmitnic
k.com www.2600.com www.freekevin.com www.kevinmitnick.com www.2600.com www.fre

http://www.2600.com/ http://www.kevinmitnick.com


+-----------------------------------------------------------------------------+
| SmoG Alert .. http://smog.cjb.net/ NEWS on SCIENCE |
| =================== http://smog.cjb.net/ NEWS on SECURITY |
| NEWS/NEWS/NEWS/NEWS http://smog.cjb.net/ NEWS on THE NET |
| http://smog.cjb.net/ NEWS on TECHNOLOGY |
+-----------------------------------------------------------------------------+

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
* www.csoft.net webhosting, shell, unlimited hits bandwidth ... www.csoft.net *
* www.csoft.net www.csoft.net www.csoft.net www.csoft.net www.csoft.net *
* http://www.csoft.net One of our sponsors, visit them now www.csoft.net *
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
* WWW.BIZTECHTV.COM/PARSE WEDNESDAYS AT 4:30PM EST, HACK/PHREAK CALL-IN WEBTV *
* JOIN #PARSE FOR LIVE PARTICIPATION IN SHOW CHAT OR THE WEBCHAT, AND WEBBOARD*
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *




* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
* WWW.2600.COM OFF THE HOOK LIVE NETCAST'S TUES SIMULCAST ON WBAI IN NYC @8PM *
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


//////////////////////////////////////////////////////////////////////////////
// To place an ad in this section simply type it up and email it to //
// hwa@press.usmc.net, put AD! in the subject header please. - Ed //
// or cruciphux@dok.org //
//////////////////////////////////////////////////////////////////////////////


@HWA




HA.HA Humour and puzzles ...etc
~~~~~~~~~~~~~~~~~~~~~~~~~
Don't worry. worry a *lot*

Send in submissions for this section please! ............c'mon, you KNOW you
wanna...yeah you do...make it fresh and new...be famous...<sic>





SITE.1

Domain of the week: http://www.icardedthisdomain.com/

No comment.

http://www.nudehackers.com/

Dephile and others

Exploits, tools, zines etc, check it out... - Ed

http://hackadvantage.cjb.net

Run by: SmoG

If you're looking for tips on how to beat the system when it comes to free banners
or paid-to-surf scams this is the place to check out, lots of info, updated
regularly.

http://geekmafia.dynip.com/~xm/

Run by: Ex Machina

I've included the "I was a teenage nmapper" article from this site in this issue
check it out, has some interesting stuff and a security how-to.


You can send in submissions for this section too if you've found
(or RUN) a cool site...



@HWA



H.W Hacked websites
~~~~~~~~~~~~~~~~

___| _ \ |
| __| _` |\ \ / | | __| _ \ _` |
| | ( | ` < | | | __/ ( |
\____|_| \__,_| _/\_\\___/ _| \___|\__,_|


Note: The hacked site reports stay, especially with some cool hits by
groups like *H.A.R.P, go get em boyz racism is a mugs game! - Ed

* Hackers Against Racist Propaganda (See issue #7)


Haven't heard from Catharsys in a while; for those following their saga, visit
http://frey.rapidnet.com/~ptah/ for 'the story so far'...

Hacker groups breakdown is available at Attrition.org
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Check out http://www.attrition.org/mirror/attrition/groups.html to see who
you are up against. You can often gather intel from IRC as many of these
groups maintain a presence by having a channel with their group name as the
channel name, others aren't so obvious but do exist.

>Hacked Sites Start<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<



* Info supplied by the attrition.org mailing list.

Listed oldest to most recent...

Defaced domain: www.mecafrance-sa.fr


Mirror: http://www.attrition.org/mirror/attrition/1999/12/04/www.mecafrance-sa.fr

Defaced by: bansh33

Operating System: BSDI (Apache 1.2.6)


Defaced domain: www.workplacesolutions.org
Site Title: Wider Opportunities for Women


Mirror: http://www.attrition.org/mirror/attrition/1999/12/04/www.workplacesolutions.org

Defaced by: P Y R O S T O R M 6 6 6

Operating System: Windows NT (IIS/4.0)
Previously defaced on 99.10.12 and 99.10.11 by unknown and forpaxe


Defaced domain: www.lapsi.org
Site Title: LAPSI


Mirror: http://www.attrition.org/mirror/attrition/1999/12/04/www.lapsi.org

Defaced by: Hacking for Swedish Chicks

Operating System: Linux (Apache 1.3.3)


Defaced domain: www.activedev.net


Mirror: http://www.attrition.org/mirror/attrition/1999/12/07/www.activedev.net

Defaced by: pyrostorm666

Operating System: Windows NT (IIS/4.0)


Defaced domain: www.wnr.com


Mirror: http://www.attrition.org/mirror/attrition/1999/12/07/www.wnr.com


Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.


Defaced domain: www.98fm.ie


Mirror: http://www.attrition.org/mirror/attrition/1999/12/07/www.98fm.ie

Defaced by: FM104

Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.


Defaced domain: www.zoemorgan.com
Site Title: Colin McPherson


Mirror: http://www.attrition.org/mirror/attrition/1999/12/07/www.zoemorgan.com

Defaced by: w0lf

Operating System: Irix (Rapidsite/Apa-1.3.4)


Defaced domain: www.sshackers.com
Site Title: Sesame Street Hax0rz


Mirror: http://www.attrition.org/mirror/attrition/1999/12/07/www.sshackers.com

Defaced by: cryptic

Operating System: FreeBSD
Potentially offensive content on defaced page.
HWA note: Dap gave out the ftp info for this site and invited defacers to hit it.

Defaced domain: garfield.ir.ucf.edu
Site Title: GroupWise Support At University of Central Florida


Mirror: http://www.attrition.org/mirror/attrition/1999/12/07/garfield.ir.ucf.edu

Defaced by: Algorithm Cracker

Operating System: Solaris
Potentially offensive content on defaced page.


Defaced domain: www.asjainternational.com
Site Title: ASJA International


Mirror: http://www.attrition.org/mirror/attrition/1999/12/07/www.asjainternational.com

Defaced by: hV2k

Operating System: BSD/OS
Potentially offensive content on defaced page.


Defaced domain: www.furbay.com
Site Title: Furbay Electric, Inc


Mirror: http://www.attrition.org/mirror/attrition/1999/12/07/www.furbay.com

Defaced by: r00tabega

Operating System: BSDI 3.0 (Apache/1.2.6)
Potentially offensive content on defaced page.


Defaced domain: www.dwhs.org
Site Title: Desert Winds High School


Mirror: http://www.attrition.org/mirror/attrition/1999/12/07/www.dwhs.org

Defaced by: p4riah

Operating System: Windows NT (IIS/4.0)
Previously defaced on 99.09.08 by Logik Boyz
HIDDEN comments in the HTML.
Potentially offensive content on defaced page.


Defaced domain: www.familyheartbeat.org
Site Title: Family Heartbeat Ministries


Mirror: http://www.attrition.org/mirror/attrition/1999/12/07/www.familyheartbeat.org

Defaced by: Uneek Tech

Operating System: BSDI 3.0 (Apache 1.2.6)
Previously defaced on 99.11.30 by electr0n
Potentially offensive content on defaced page.


Defaced domain: www.mj.gov.br


Mirror: http://www.attrition.org/mirror/attrition/1999/12/07/www.mj.gov.br


Operating System: Windows NT (IIS/4.0)
HIDDEN comments in the HTML.
Potentially offensive content on defaced page.


Defaced domain: www.bottle-fun.com
Site Title: Comport EDV Service


Mirror: http://www.attrition.org/mirror/attrition/1999/12/08/www.bottle-fun.com

Defaced by: Uneek Tech

Operating System: BSDI 3.0 (Apache 1.2.6)
Potentially offensive content on defaced page.


Defaced domain: garfield.ir.ucf.edu
Site Title: University of Central Florida


Mirror: http://www.attrition.org/mirror/attrition/1999/12/08/garfield.ir.ucf.edu

Defaced by: bansh33

Operating System: Solaris
Previously defaced on 99.12.07 by AC
Potentially offensive content on defaced page.


Defaced domain: www.filmworld.com
Site Title: Robert Konop (FILMWORLD-DOM)


Mirror: http://www.attrition.org/mirror/attrition/1999/12/08/www.filmworld.com

Defaced by: #Hack-org Hacking Team

Operating System: Solaris
Potentially offensive content on defaced page.


Defaced domain: www.netsecuresolutions.com
Site Title: NetSecure Solutions


Mirror: http://www.attrition.org/mirror/attrition/1999/12/08/www.netsecuresolutions.com

Defaced by: unknown

Operating System: Linux
HIDDEN comments in the HTML.
Potentially offensive content on defaced page.


Defaced domain: www.fightclub.de


Mirror: http://www.attrition.org/mirror/attrition/1999/12/08/www.fightclub.de

Defaced by: kryptek

Operating System: Linux (Apache 1.3.6)
Potentially offensive content on defaced page.


Defaced domain: www.pheta.com
Site Title: pheta.com


Mirror: http://www.attrition.org/mirror/attrition/1999/12/08/www.pheta.com

Defaced by: RH Crew

Operating System: Linux (Apache 1.3.3)
Potentially offensive content on defaced page.


Defaced domain: www.radicalwheeling.com.br


Mirror: http://www.attrition.org/mirror/attrition/1999/12/08/www.radicalwheeling.com.br

Defaced by: Death Knights

Operating System: Linux (Apache 1.3.4)
Potentially offensive content on defaced page.


Defaced domain: www.bearland.com


Mirror: http://www.attrition.org/mirror/attrition/1999/12/08/www.bearland.com

Defaced by: n4rfy/Death Knights

Operating System: Windows NT (IIS/4.0)
Previously defaced on 99.11.03 by p4riah
Potentially offensive content on defaced page.


Defaced domain: www.sis.net
Site Title: Strategic Information Solutions


Mirror: http://www.attrition.org/mirror/attrition/1999/12/08/www.sis.net

Defaced by: n4rfy/Death Knights

Operating System: Windows NT (IIS/4.0)
Previously defaced on 99.09.10 by 139_r00ted
Potentially offensive content on defaced page.


Defaced domain: www.dprf.gov.br


Mirror: http://www.attrition.org/mirror/attrition/1999/12/08/www.dprf.gov.br

Defaced by: inferno.br

Operating System: NT


Defaced domain: www.elpublicista.com


Mirror: http://www.attrition.org/mirror/attrition/1999/12/08/www.elpublicista.com

Defaced by: TH3 G4L4CT1C C0WB0YS

Operating System: BSD/OS
Potentially offensive content on defaced page.


Defaced domain: www.megaadult.com
Site Title: Empire Communications Inc.


Mirror: http://www.attrition.org/mirror/attrition/1999/12/09/www.megaadult.com


Operating System: Windows NT (Netscape-Enterprise/3.6)
Previously defaced on 99.08.27 by Uneek Tech
Potentially offensive content on defaced page.


Defaced domain: www.hawgparts.com
Site Title: P And S, Inc


Mirror: http://www.attrition.org/mirror/attrition/1999/12/09/www.hawgparts.com

Defaced by: Pyrostorm666

Operating System: FreeBSD 2.2.1 - 3.0 (Apache 1.2.6)
Previously defaced on 99.11.19 by Devil-C
Potentially offensive content on defaced page.


Defaced domain: www.aba.gov.au


Mirror: http://www.attrition.org/mirror/attrition/1999/12/09/www.aba.gov.au

Defaced by: Ned R

Operating System: Windows NT (IIS/4.0)
Previously defaced on 99.11.27 by Ned R
Potentially offensive content on defaced page.


Defaced domain: www.portaldaserra.com.br


Mirror: http://www.attrition.org/mirror/attrition/1999/12/09/www.portaldaserra.com.br

Defaced by: n4rfy/Death Knights

Operating System: Linux (Apache 1.3.4)
Potentially offensive content on defaced page.


Defaced domain: www.vijya.com
Site Title: Vijya & Associates


Mirror: http://www.attrition.org/mirror/attrition/1999/12/09/www.vijya.com

Defaced by: pr1sm

Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.


Defaced domain: www.98fm.ie


Mirror: http://www.attrition.org/mirror/attrition/1999/12/09/www.98fm.ie

Defaced by: r4in

Operating System: Windows NT (IIS/4.0)
Previously defaced on 99.12.07 by FM104
Potentially offensive content on defaced page.


Defaced domain: www.sshackers.com
Site Title: SSH TECH


Mirror: http://www.attrition.org/mirror/attrition/1999/12/09/www.sshackers.com

Defaced by: ex1t

Operating System: FreeBSD 2.2.1 - 3.0
Potentially offensive content on defaced page.
Attrition comment: 3 hacks in 2 days, no sign of repair. Likely hoax hacks or domain.
HWA note: carnage continues from dap dropping the ftp info...

Defaced domain: seresc.k12.nh.us


Mirror: http://www.attrition.org/mirror/attrition/1999/12/09/seresc.k12.nh.us

Defaced by: bansh33

Operating System: Linux (Apache 1.2.4)
Previously defaced on 99.11.14 by h4p
Potentially offensive content on defaced page.


Defaced domain: www.cccpstc.org
Site Title: Public Safety Training Center


Mirror: http://www.attrition.org/mirror/attrition/1999/12/09/www.cccpstc.org

Defaced by: dhc

Operating System: Linux (Apache 1.2.4)
Potentially offensive content on defaced page.


Defaced domain: www.mautzetal.com
Site Title: Mautz Baum & O'Hanlon LLP


Mirror: http://www.attrition.org/mirror/attrition/1999/12/09/www.mautzetal.com

Defaced by: DHC

Operating System: Linux (Apache 1.2.4)
Potentially offensive content on defaced page.

Defaced domain: www.petewardtravel.com
Site Title: Pete Ward Travel, Inc


Mirror: http://www.attrition.org/mirror/attrition/1999/12/09/www.petewardtravel.com

Defaced by: DHC

Operating System: Linux (Apache 1.2.4)
Potentially offensive content on defaced page.


Defaced domain: www.potatoflakes.com
Site Title: Oregon Potato Company


Mirror: http://www.attrition.org/mirror/attrition/1999/12/09/www.potatoflakes.com

Defaced by: DHC

Operating System: Linux (Apache 1.2.4)
Potentially offensive content on defaced page.



Defaced domain: mail.wetnet.de


Mirror: http://www.attrition.org/mirror/attrition/1999/12/09/mail.wetnet.de

Defaced by: Beezwax

Operating System: WinNT


Defaced domain: www.mustafakemal.org
Site Title: Stichting Dinaar Aan Islam


Mirror: http://www.attrition.org/mirror/attrition/1999/12/10/www.mustafakemal.org

Defaced by: nikobar

Operating System: Linux (Apache 1.3.3)
Potentially offensive content on defaced page.


Defaced domain: www.melissa.com
Site Title: Melissa Computer Systems


Mirror: http://www.attrition.org/mirror/attrition/1999/12/10/www.melissa.com

Defaced by: BouTsen And Flogher

Operating System: Solaris (Apache 1.3.3)
Previously defaced on 99.11.21 99.11.17 99.11.16 99.11.04 by c0de red clobher p4riah p4riah
Potentially offensive content on defaced page.


Defaced domain: www.seokang.ac.kr


Mirror: http://www.attrition.org/mirror/attrition/1999/12/10/www.seokang.ac.kr

Defaced by: burn0ut

Operating System: DG/UX (NCSA/1.4.2)
Potentially offensive content on defaced page.


Defaced domain: www.americanbevel.com
Site Title: American Bevel


Mirror: http://www.attrition.org/mirror/attrition/1999/12/10/www.americanbevel.com

Defaced by: w0lf

Operating System: Irix (Rapidsite/Apa-1.3.4 FrontPage)
Potentially offensive content on defaced page.


Defaced domain: www.sshackers.com
Site Title: SSH Tech


Mirror: http://www.attrition.org/mirror/attrition/1999/12/10/www.sshackers.com

Defaced by: antichrist

Operating System: FreeBSD (Apache)
Previously defaced on by
Potentially offensive content on defaced page.
Attrition comment: This *has* to be a hoax.
HWA note: see previous notes


Defaced domain: www.policiacivil.pi.gov.br


Mirror: http://www.attrition.org/mirror/attrition/1999/12/10/www.policiacivil.pi.gov.br

Defaced by: inferno.br

Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.


Defaced domain: www.bhv.hn


Mirror: http://www.attrition.org/mirror/attrition/1999/12/10/www.bhv.hn

Defaced by: bean0

Operating System: Windows NT (IIS/4.0)
Previously defaced on 99.12.03 by acidklown
Potentially offensive content on defaced page.


Defaced domain: www.usinfo.be


Mirror: http://www.attrition.org/mirror/attrition/1999/12/10/www.usinfo.be

Defaced by: PHC

Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.


Defaced domain: www.melissa.com
Site Title: Melissa Computer Systems


Mirror: http://www.attrition.org/mirror/attrition/1999/12/10/www.melissa.com


Operating System: Solaris (Apache 1.3.3)
Previously defaced on 5 previous times by
Potentially offensive content on defaced page.


Defaced domain: www.pira.co.uk


Mirror: http://www.attrition.org/mirror/attrition/1999/12/10/www.pira.co.uk

Defaced by: RoA

Operating System: Solaris 2.5 (Apache 1.2.4)
HIDDEN comments in the HTML.
Potentially offensive content on defaced page.


Defaced domain: www.hwa.net
Site Title: Hoefer WYSOCKI Architects


Mirror: http://www.attrition.org/mirror/attrition/1999/12/11/www.hwa.net

Defaced by: Asysmptote

Operating System: Windows NT (IIS/4.0)
Previously defaced on 4 previous times by
Potentially offensive content on defaced page.


Defaced domain: www.schoolgirlporn.com
Site Title: Adult Web Products


Mirror: http://www.attrition.org/mirror/attrition/1999/12/11/www.schoolgirlporn.com

Defaced by: Hacking 4 Ponies

Operating System: Solaris 2.6 - 2.7 (Apache 1.3.3)
Previously defaced on 99.10.28 by h4p
Potentially offensive content on defaced page.


Defaced domain: www.girard.lib.oh.us


Mirror: http://www.attrition.org/mirror/attrition/1999/12/11/www.girard.lib.oh.us

Defaced by: f1ber

Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.


Defaced domain: www.cci-inspection.com
Site Title: CCI Inspection Services, Inc


Mirror: http://www.attrition.org/mirror/attrition/1999/12/11/www.cci-inspection.com

Defaced by: f1ber

Operating System: Windows NT (IIS/4.0)
Previously defaced on 99.10.19 by s0ften
Potentially offensive content on defaced page.


Defaced domain: www.pittsburg.k12.ca.us


Mirror: http://www.attrition.org/mirror/attrition/1999/12/11/www.pittsburg.k12.ca.us

Defaced by: protokol

Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.


Defaced domain: www.ntacx.net
Site Title: Ntacx Web-werkes


Mirror: http://www.attrition.org/mirror/attrition/1999/12/11/www.ntacx.net

Defaced by: f1ber

Operating System: Windows NT (IIS/4.0)
Previously defaced on 99.10.22 by DHC
Potentially offensive content on defaced page.


Defaced domain: www.useu.be


Mirror: http://www.attrition.org/mirror/attrition/1999/12/11/www.useu.be

Defaced by: PHC

Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.


Defaced domain: www.thundercats.co.uk
Site Title: Thundercats UK


Mirror: http://www.attrition.org/mirror/attrition/1999/12/11/www.thundercats.co.uk

Defaced by: DHC

Operating System: Solaris


Defaced domain: www.kingston.com
Site Title: Kingston Technology Corp


Mirror: http://www.attrition.org/mirror/attrition/1999/12/11/www.kingston.com

Defaced by: Einstein

Operating System: Windows NT
Previously defaced on 99.11.25 by fuqrag
FREE KEVIN reference in the HTML


Defaced domain: www.hamilton-university.edu
Site Title: Hamilton University


Mirror: http://www.attrition.org/mirror/attrition/1999/12/11/www.hamilton-university.edu

Defaced by: Einstein

Operating System: Windows NT
Potentially offensive content on defaced page.


Defaced domain: mercurius.isics.u-tokyo.ac.jp


Mirror: http://www.attrition.org/mirror/attrition/1999/12/11/mercurius.isics.u-tokyo.ac.jp

Defaced by: eTC

Operating System: Solaris 2.5x (Netscape-Enterprise/2.0d)
Potentially offensive content on defaced page.


Defaced domain: www.tenk.com
Site Title: Tenk Machine & Tool Co.


Mirror: http://www.attrition.org/mirror/attrition/1999/12/11/www.tenk.com

Defaced by: mistuh clean

Operating System: Solaris
Potentially offensive content on defaced page.


Defaced domain: www.expoente.com.br
Site Title: Expoente Brazil


Mirror: http://www.attrition.org/mirror/attrition/1999/12/11/www.expoente.com.br

Defaced by: Death Knights

Operating System: Windows NT
Previously defaced on 99.10.19 by OHB
Potentially offensive content on defaced page.


Defaced domain: www.lumitex.com
Site Title: Lumitex


Mirror: http://www.attrition.org/mirror/attrition/1999/12/11/www.lumitex.com

Defaced by: pr1sm

Operating System: Solaris


Defaced domain: www.resconet.com
Site Title: Robert Sweeney Co.


Mirror: http://www.attrition.org/mirror/attrition/1999/12/11/www.resconet.com

Defaced by: pr1sm

Operating System: Solaris
Potentially offensive content on defaced page.



and more sites at the attrition cracked web sites mirror:

http://www.attrition.org/mirror/attrition/index.html

-------------------------------------------------------------------------

A.0 APPENDICES
_________________________________________________________________________






A.1 PHACVW, sekurity, security, cyberwar links
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The links are no longer maintained in this file, there is now a
links section on the http://welcome.to/HWA.hax0r.news/ url so check
there for current links etc.

The hack FAQ (The #hack/alt.2600 faq)
http://www-personal.engin.umich.edu/~jgotts/underground/hack-faq.html

Hacker's Jargon File (The quote file)
http://www.lysator.liu.se/hackdict/split2/main_index.html

New Hacker's Jargon File.
http://www.tuxedo.org/~esr/jargon/



HWA.hax0r.news Mirror Sites around the world:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

http://datatwirl.intranova.net ** NEW **
http://the.wiretapped.net/security/textfiles/hWa.hax0r.news/ ** NEW **
http://net-security.org/hwahaxornews ** NEW **
http://www.sysbreakers.com/hwa ** NEW **
http://www.attrition.org/hosted/hwa/
http://www.attrition.org/~modify/texts/zines/HWA/
http://www.hackunlimited.com/zine/hwa/ *UPDATED*
http://www.ducktank.net/hwa/issues.html. ** NEW **
http://www.alldas.de/hwaidx1.htm ** NEW **
http://www.csoft.net/~hwa/
http://www.digitalgeeks.com/hwa.*DOWN*
http://members.tripod.com/~hwa_2k
http://welcome.to/HWA.hax0r.news/
http://www.attrition.org/~modify/texts/zines/HWA/
http://archives.projectgamma.com/zines/hwa/.
http://www.403-security.org/Htmls/hwa.hax0r.news.htm
http://viper.dmrt.com/files/=E-Zines/HWA.hax0r.news/
http://hwa.hax0r.news.8m.com/
http://www.fortunecity.com/skyscraper/feature/103/


International links:(TBC)
~~~~~~~~~~~~~~~~~~~~~~~~~

Foreign correspondents and others please send in news site links that
have security news from foreign countries for inclusion in this list
thanks... - Ed



Belgium.......: http://securax.org/cum/ *New address*



Brasil........: http://www.psynet.net/ka0z

http://www.elementais.cjb.net

Canada .......: http://www.hackcanada.com
Croatia.......: http://security.monitor.hr

Colombia......: http://www.cascabel.8m.com

http://www.intrusos.cjb.net

Finland ........http://hackunlimited.com/

Germany ........http://www.alldas.de/
http://www.security-news.com/

Indonesia.....: http://www.k-elektronik.org/index2.html

http://members.xoom.com/neblonica/

http://hackerlink.or.id/

Netherlands...: http://security.pine.nl/

Russia........: http://www.tsu.ru/~eugene/

Singapore.....: http://www.icepoint.com

South Africa ...http://www.hackers.co.za
http://www.hack.co.za
http://www.posthuman.za.net


Turkey........: http://www.trscene.org - Turkish Scene is Turkey's first
and best security related e-zine.






.za (South Africa) sites contributed by wyzwun tnx guy...




Got a link for this section? email it to hwa@press.usmc.net and i'll
review it and post it here if it merits it.



@HWA


-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-
--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--

© 1998, 1999 (c) Cruciphux/HWA.hax0r.news <tm> (R) { w00t }

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-
--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-
[ 28 63 29 20 31 39 39 39 20 63 72 75 63 69 70 68 75 78 20 68 77 61 ]
[45:6E:64]-[28:63:29:31:39:39:38:20:68:77:61:20:73:74:65:76:65]

