Default Newsletter Issue 01
Default, Help Net Security newsletter
issue #1, Friday 13 August 1999
(http://default.net-security.org)
TABLE OF CONTENTS
-----------------
I. Editorial
II. Last week's news on Help Net Security
a) Help Net Security news headlines
b) Vulnerabilities reported last week
c) Site News
d) Defaced Pages
III. Y2K: As the millennium approaches
IV. A look into basic cryptography
V. The history of Zero Knowledge Systems
VI. Telecommunications 101
VII. Macintosh security: How to make your Mac a Babel tower!
VIII. Computing: A closer look at hard- and software
IX. An approach to Linux System Security
X. Infection & Vaccination
XI. Spam: The problems with junk e-mail
XII. Freedom of speech - related incidents
XIII. Meet the underground
XIV. Guest column
I. Editorial
------------
Hi there and welcome to the first edition of Default, the Net Security newsletter.
The idea behind this newsletter has several sides to it. On the one hand we want to
keep you up to date regarding news and events from and in the security scene. On
the other hand, we hope this will turn into an interactive medium through which we
can educate and inform you and, through interaction with you, maybe even ourselves.
In this way we hope to bring together more of the different kinds of knowledge that
exist in the professional computing/security scene and in the underground, and to
inform both sides about each other's knowledge base and accomplishments. This will
not be a primarily technical source of knowledge though; we start by focusing on
basics to get everyone on the same level regarding some of our topics before moving
on to the technically more advanced issues. Most of all we want this to grow, hopefully
through submissions and contributions by you, our readers.
This being the first in what we hope will be a long series of newsletters, we had some
problems to deal with. One of these is the absence of one of our editors. Due
to his vacation we didn't have the chance to call on Doug Muth's expertise in
the fields of viruses and spam. As soon as he gets back we hope to provide you
with his contributions in the next issue.
Furthermore, we think that what lies before you is a pretty decent issue, the first of
what we hope will be many. We have sought (and found) a lot of assistance in both the
underground and the professional security scene. We hope you'll be as pleased
with the results as we are, though feedback is always welcome. Remember, we can
try to make this good, but we need your comments and contributions to make it
the best.
Well that's it for now, before you lies issue #1 of Default, we hope you enjoy it
as much as we did making it.
For the HNS and HNS Default Crew:
Berislav Kucan
aka BHZ, webmaster Help Net Security
bhz@net-security.org
Xander Teunissen
aka Thejian, co-webmaster Help Net Security
thejian@net-security.org
II. Last week's news on Help Net Security
-----------------------------------------
a) Help Net Security news headlines
- Saturday 7th August 1999:
Japan cracks down on unauthorized network access
LinuxPPC crack contest update
LA District Attorney drops Mitnick case
Lockdown 2000
Proposal to ban "unapproved content" linking
Chaos Computer Camp kicking off
Cyberwar: The threat of chaos
- Sunday 8th August 1999:
HWA.Hax0r.News #28 released
CrackTheBox goes a bit further again
Mass hack on German domains
- Monday 9th August 1999:
Hackers take over TV channel?
Clinton keeps supporting Y2K updates
DOD worried
Wired covering CCC
New Melissa style virus
Secure shell installation and configuration
Backwork 2.1 released
Sorting out security
Will hackers make use of Y2K confusion?
Belgacom Skynet hacked
- Tuesday 10th August 1999:
Patch for Excel97 coming on August 16th
Kevin Mitnick avoids stiff sentence
IBM supports Linux
Kevin could soon be free
HK mail systems open to abuse
Finalists new encryption standard named
Sentencing hacker no cause for joy
- Wednesday 11th August 1999:
RedHat advisory and new Linux kernel
Taiwan strikes back
Taiwan prosecutors probe web site intrusion
Microsoft Office97 flaws
Office harassment
- Thursday 12th August 1999:
Network-centric warfare
Key to crypto success: don't be born in the USA
New IE5 bug exposes passwords
Error in Microsoft patch
New mail attack identified
- Friday 13th August 1999:
Outsmarting the wily computer virus
Startup wants to sell untappable phones
Baltimore Technologies to ship encryption tool for XML
Hacking your way to an IT career
Code-cracking computer causes concern
b) Vulnerabilities reported last week (our thanks go out to BugTraq for this list)
6-8 NT Exchange Server Encapsulated SMTP Address Vulnerability
8-8 CREAR ALMail32 Buffer Overflow Vulnerability
8-8 WebTrends Enterprise Reporting Server Negative Content length DoS Vulnerability
8-8 Microsoft FrontPage Extensions for PWS DoS Vulnerability
9-8 Firewall-1 Port 0 DoS Vulnerability
9-8 Solaris stdcm_convert File Creation Vulnerability
9-8 NT Terminal Server Multiple Connection Request DoS Vulnerability
9-8 Multiple vendor profil(2) Vulnerability
11-8 NT IIS Malformed HTTP Request Header DoS Vulnerability
11-8 Multiple Vendor IRDP Vulnerability
c) Help Net Security site news
- Saturday 7th August 1999:
Mailing list submission form
Study on Linux System Security
- Sunday 8th August 1999:
Connection problems
Mac archive updated
Anonymous submission form back online
- Monday 9th August 1999:
Insert HNS headlines in your site
- Wednesday 11th August 1999:
Bookstore update
d) Defaced pages: (mirrors provided by Attrition (http://www.attrition.org))
Site: Illinois Institute of Technology (www.iit.edu)
Mirror: http://default.net-security.org/1/www.iit.edu.htm
Site: Santa's Official Page (www.north-pole.net)
Mirror: http://default.net-security.org/1/www.north-pole.net.htm
Site: NorthStarNet (www.northstarnet.org)
Mirror: http://default.net-security.org/1/www.northstarnet.org.htm
Site: Official site of Korn (www.korn.com)
Mirror: http://default.net-security.org/1/www.korn.com.htm
Site: Malaysian Government (www.idhl.gov.my)
Mirror: http://default.net-security.org/1/www.idhl.gov.my.htm
Site: Institute for Telecommunication (elbert.its.bldrdoc.gov)
Mirror: http://default.net-security.org/1/elbert.its.bldrdoc.gov.htm
Site: Federal Energy Regulatory Commission (www.ferc.fed.us)
Mirror: http://default.net-security.org/1/www.ferc.fed.us.htm
Site: State of Michigan Official Site (www.state.mi.us)
Mirror: http://default.net-security.org/1/www.state.mi.us.htm
Site: China Securities Regulatory Commission (CN) (www.csrc.gov.cn)
Mirror: http://default.net-security.org/1/www.csrc.gov.cn.htm
Site: Wired Digital (www.wired.com)
Mirror: http://default.net-security.org/1/www.wired.com.htm
Site: Motorola (TW) (www.motorola.com.tw)
Mirror: http://default.net-security.org/1/www.motorola.com.tw.htm
III. Y2K: As the millennium approaches
--------------------------------------
It is Wednesday, 11 August 1999. Less than 4 months separate us from the next
millennium. What will happen then? People often think about Armageddon,
but it has its translation in the computer world: Y2K (year 2000).
As I have always been interested in news regarding solutions to this bug (the
term "computer bug" was coined by Navy computer pioneer Grace Hopper
in the 1950s after a moth got into one of her machines and it went
haywire), I saw that many countries spent billions of dollars on
preparing their systems for the new millennium.
"The two-digit year is a convention as ancient as the feather pen--
writing the date on a personal letter with an apostrophe in the year,
implying a prefix of 17- or 18- or 19-. But reading an apostrophe
requires sentience and judgment. Computers possess neither. They cannot
distinguish an "00" meaning 1900 from an "00" meaning 2000. When asked,
for example, to update a woman's age on Jan. 1, 2000, a computer
might subtract her year of birth (say, '51) from the current year
('00), and conclude she will not be born for another 51 years. A human
would instantly realize the nature of the error, adjust his parameters,
and recalculate."
So we know the problem now, but how did it start? Robert Bemer is the man
who wrote the American Standard Code for Information Interchange, the
language through which different computer systems communicate. He
also put the "backslash" and "escape" into use. In the late 1950s Robert Bemer
helped in writing COBOL (a computer language with commands in plain
English, so it was easy for everyone to use). There was nothing in COBOL
requiring or even encouraging a two-digit year. Bemer blames the programmers
and bosses for this glitch. He pointed out that they were instructed to
save costs. Now we can draw a parallel: if those bosses hadn't been so
shortsighted and had invested in this issue, there wouldn't be a
Y2K bug to talk about. So this was the brief history of the Y2K bug. Now
for the week in Y2K review.
The Y2K problem could be used for cyberattacks, the United States Department of
Defense concluded. Fixing systems and preparing them for the new millennium
may expose the information infrastructure to hack attempts, so the DoD advised all
network managers to have their people change all passwords. It is just
a precaution. To make this easy for their system administrators, the US
Navy created three programs to help automate the password changes.
Friends of the Earth and Greenpeace International, two "green" organizations,
are protesting around the globe and appealing to the United States and Russia to
scale down the readiness of their nuclear weapons to reduce the possibility of a Y2K
computer glitch which could really cause Armageddon (just think back to
what happened to Hiroshima and Nagasaki; this would be a 100 times bigger
catastrophe). We know that the United States spent billions of dollars on
preparing every vital part of their infrastructure. But Russia is a different
story; the way of living and the social and financial state of Russia are on a much
lower level. Just to note, you saw how much money the USA puts into Y2K solutions,
and only two thirds of their nuclear plants are Y2K ready. By the way, the
Nuclear Regulatory Commission published their guidelines:
* Plants with non-safety systems that affect power operation that are Y2K-ready
or those plants that have incomplete contingency plans for these systems
will be subject to additional regulatory actions which may include issuance
of an order requiring specific actions by the licensee. There are about 12
plants in this category.
* Plants with non-safety, support systems and components that are not Y2K-ready
or plants that have incomplete contingency plans for these systems could
require additional meetings, audits, or requests for additional information.
There are about 10 plants in this category.
And the conclusion:
The plants that have Y2K work remaining are continuing to progress toward
Y2K readiness. As of August 1, five more plants have reported that they are
Y2K-ready bringing the total to 73 operating nuclear power plants that are
fully Y2K-ready. This reduces to 30 the number of plants that have remaining
work on non-safety systems and components to be fully Y2K-ready.
The World Bank published its Global Commodities Report, a report dealing with fears
about the millennium bug. The report speaks about "Concerns over the potential disruptions
associated with Y2K may cause consumers, processors and distributors to stockpile
crude oil and products. A shortage of ocean tankers may develop if importers rush
to beat the end-of-the-year concerns over Y2K and this could contribute to the
potential for price volatility". The world fears the Year 2000. A lot of recent actions
prove this:
India will print more money
The US Government got a suggestion to move the New Year's Eve celebration to the 3rd of January
Japan will halt airplane flights on New Year's Eve
Canada's telephone company tested their new Y2K-prepared system and it crashed
And a lot of other things happened, but this is enough for the first issue.
Below you can read an interesting article about testing your computer for Y2K,
written by Atlienz (atlienz@default.net-security.org).
What is it?
The problem is with the real time clock (RTC) in the computer which tells the computer
the current date. When programmers initially established the date issue, they established
the year portion of the date with only two digits instead of four. They chose two digits
instead of four to save storage space, which at that time was very expensive. So any
computer or software that is not Year 2000 compliant will experience problems on
January 1, 2000. Some computers will revert to a 1900, 1980 or 1984 date, which
will throw off accounting programs that read that date.
Preparation & Timing!
If you feel capable, check your real time clock (RTC). Go to a DOS prompt (C:\>) and
type "DATE". The current date will appear along with an option to change the date.
Change the date to December 31, 1999. Then type "TIME". The current time will appear
and you need to change that to 12:58 P.M. Next, shutdown or turn off your computer
and wait five minutes. Turn your computer on, and check the current date by again
going to the DOS prompt and typing "DATE". If your computer displays January 1, 2000
then your system is 2000 compliant. If the system displays a year of 1980, 1984,
1900 or anything else besides 2000 then your computer is not 2000 compliant. Be sure
to reset your computer back to the current date!
Next, perform a complete software inventory and verification, including operating
systems, productivity tools, games, etc. Record the Vendor, Title and Version.
Contact each vendor and inquire if your version of the software is 2000 compliant.
If not, ask whether the newer versions are compliant or if the vendor will bring
the software into compliance.
NOW is the time to take action toward finding a solution for the
year 2000 issue. If you wait, resources such as computers, technician support and
even information may be in short supply.
-----------
In the next issue of Default - net security newsletter you can read about Y2K testing
tools and of course the latest news from the millennium bug section.
BHZ
Berislav Kucan
bhz@net-security.org
IV. A look into basic cryptography
----------------------------------
Okay, this is Iconoclast. I have been asked to start working with Net-Security on a
cryptography section for their Default newsletter. First and foremost, I am in no way
qualified for this, so if I am ever wrong, please feel free to contact me and correct
me.
This will basically be YOUR section.
I have been given free rein on how to run it, so this is how things will be. It will be
run via your submissions and weekly news on the cryptography front. Most everything I
hear is over my head, but we will learn together. For this first issue I have dug
up an old "HOWTO" I wrote a while ago under another handle, edited it a bit, added
a lot and then split it into three sections (it was way too big for a single issue).
So here we go, I will delve right into it. We will see how things work out.
First of all, this is strictly to expand one's mind; if you see encryption out there...
do not crack it. It is encrypted for a reason. I in no way claim any responsibility for
anyone's actions other than my own. If you do something stupid, it is your own problem
and fault, not mine, and not Net-Security's.
I was recently approached by a friend who had been working on some 'indecipherable'
password protection for restricted areas in web sites. He heard I dabbled in
cryptanalysis so he asked me to crack his "indecipherable" code.
First of all, he had no idea what he was doing. He should know that nothing is
indecipherable.
If you want to get into cryptography, the way is NOT to create an algorithm that is
"virtually indecipherable" it's to get into cryptanalysis. Figure out other people's
algorithms, and understand their weaknesses. Once you're already accepted into the
scene (unlike myself) then maybe have a go at creating an algorithm.
First try to identify the method of cryptography. If you see something like the following
within the page source:
xuuv://qqq.eipov.fhe/eizjen/enecnro.xueb
You are in luck. It is a simple method with an equally simple method of cracking. It is
called a transposition cipher.
You recognize the format to go hand in hand with:
http://www.someserver.ext/directory/site.html
So you first start transposing characters (hence the name, transposition cipher)
x=h
u=t
v=p
q=w
e=m
b=l
Now you see it as:
http://www.eipov.fhe/eizjen/enecnro.html
Now take the letters that you know and work with them.
You already know (I will put all of the plaintext in caps so you do not accidentally
try to decrypt it later):
HTTP://WWW.Mipov.fhM/MizjMn/MnMcnro.HTML
Now you see fhM and immediately compare it to extensions that end in M: com
works, so use that and add the new information to your key.
f=c
h=o
HTTP://WWW.Mipov.COM/MizjMn/MnMcnro.HTML
Okay, now you may have drawn a blank. Look at the referring page... Usually the encrypted
page is on the same web server as the unencrypted page... let's say the referring
page is from a web server called www.myisp.com. Now work with that in your key.
HTTP://WWW.MYISP.COM/MizjMn/MnMcnro.HTML
i=y
p=i
o=s
v=p
You now have:
HTTP://WWW.MYISP.COM/MYzjMn/MnMcnrS.HTML
Now it's time to make educated guesses.
MY**M*.... what can possibly fit in here (think English)
MY**M* could be.... MYHOME
Now check that with your key, one letter unencrypted should NOT correspond with more
than one encrypted letter (in this basic a cipher).
x=h
u=t
v=p
q=w
e=m
b=l
f=c
h=o
i=y
p=i
o=s
v=p
Aha, it cannot be MYHOME because h=o and thus j cannot be o too (in this simple type of
encryption), so keep thinking; you won't always get it on your first guess.
MY**M* could be... MYNAME
compare that with your already known key and it could work
So now you have:
HTTP://WWW.MYISP.COM/MYzjMn/MnMcnrS.HTML
z=n
j=A
n=e
HTTP://WWW.MYISP.COM/MYNAME/MEMcErS.HTML
There are no conflicts as of yet.
Once again, time to make another educated guess, and the only word that comes to mind
that could fit
MEM*E*S is MEMBERS.
Plug that in and see if it works; if not, think of another word that may fit.
You have done it, you've decrypted the encrypted URL to be:
http://www.myisp.com/myname/members.html
This was incredibly basic. No important site will utilize such a basic cipher. They
would use more standard, and field-proven ciphers.
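As an added example, not code from the column, here is the key-building walkthrough above in Python. Each guess is checked against the key the way the column does it: a ciphertext letter may decrypt to only one plaintext letter, and a plaintext letter may come from only one ciphertext letter, so a guess such as MYHOME is rejected. The ciphertext and the guesses are the column's own; the function names are mine.

```python
# Added example: the column's key-building walkthrough as code.
# CIPHERTEXT and the guesses in ARTICLE_STEPS are taken from the column above;
# the function names are my own.
CIPHERTEXT = "xuuv://qqq.eipov.fhe/eizjen/enecnro.xueb"

# (cipher fragment, plaintext guess) pairs, in the order the column makes them
ARTICLE_STEPS = [
    ("xuuv", "http"),        # the URL scheme
    ("qqq", "www"),          # the host prefix
    ("xueb", "html"),        # the file extension
    ("fhe", "com"),          # extension ending in M -> com
    ("eipov", "myisp"),      # taken from the referring page's host name
    ("eizjen", "myname"),    # MY**M* guess, after MYHOME is rejected
    ("enecnro", "members"),  # MEM*E*S guess
]


def apply_key(ciphertext, key):
    """Render every letter the key knows in upper case and leave the rest as is
    (the column's convention for telling plaintext from ciphertext)."""
    return "".join(key[c].upper() if c in key else c for c in ciphertext)


def extend_key(key, cipher_word, plain_word):
    """Return the key enlarged by the guess plain_word for cipher_word, or None
    if the guess conflicts with what is already known.  Two rules, both from
    the column: a cipher letter maps to exactly one plaintext letter, and a
    plaintext letter is the image of exactly one cipher letter."""
    if len(cipher_word) != len(plain_word):
        return None
    new_key = dict(key)
    for c, p in zip(cipher_word, plain_word.lower()):
        if not c.isalpha():          # punctuation is not enciphered
            if c != p:
                return None
            continue
        if new_key.get(c, p) != p:   # c already decrypts to something else
            return None
        inverse = {v: k for k, v in new_key.items()}
        if inverse.get(p, c) != c:   # p is already the image of another letter
            return None
        new_key[c] = p
    return new_key


def derive_key(steps):
    """Apply a sequence of guesses in order; raise if one of them conflicts."""
    key = {}
    for cipher_word, plain_word in steps:
        key = extend_key(key, cipher_word, plain_word)
        if key is None:
            raise ValueError("guess %r for %r conflicts with the key" % (plain_word, cipher_word))
    return key


def decrypt_url():
    """Run all of the column's guesses and return the recovered URL."""
    return apply_key(CIPHERTEXT, derive_key(ARTICLE_STEPS)).lower()


if __name__ == "__main__":
    partial = derive_key(ARTICLE_STEPS[:5])
    print(apply_key(CIPHERTEXT, partial))           # HTTP://WWW.MYISP.COM/MYzjMn/MnMcnrS.HTML
    print(extend_key(partial, "eizjen", "myhome"))  # None: plaintext h and o are already taken
    print(decrypt_url())                            # http://www.myisp.com/myname/members.html
```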
Okay, that's about it for this issue; there is much more to come that wouldn't fit in here
today. Expect more, and expect interactive.
For the time being, if you come across ANYTHING that you think could be of use to anyone
in the field of cryptography, please drop me a line at crypt@default.net-security.org.
It's been fun.
Michael G. Komitee
aka Iconoclast
crypt@default.net-security.org
V. The history of Zero Knowledge Systems
----------------------------------------
Austin & Hamnett Hill - the brothers behind Zero-Knowledge Systems, were
involved with the Internet at a very young age. At 21 Austin founded the ISP
Infobahn Online Services with money from his father and a small group of
investors. They soon called upon Hamnett, a 23 year-old reformed Deadhead
studying accounting in Montana, to be CFO.
In late 1995 Infobahn merged with Accent Internet to create TotalNet, Canada's
third largest ISP. At TotalNet, Austin and his partners earned founding investors
more than a 10,000 per cent return on investments in under two years, growing
the company to 150 employees in 18 months.
He and Hamnett left as soon as they could sell the company; cashed in and got
out as the summer of 1997 approached.
"The entire time we were at TotalNet, there was an Internet revolution going on,"
says Austin, now 26 years-old. "Hamnett and I would always talk about what we
could do. Then a month or two later somebody would do it. We realized we needed
to get back out there -- privacy was going to be huge."
But before they could get back in the game, there was work that needed doing:
research to conduct, a business plan to build. An idea was in the back of Austin's
mind, something that grew out of his strong beliefs in personal freedom and the
rights of the individual. The seed was planted by an article in Wired about the
Cypherpunks, Pretty Good Privacy and those building strong encryption tools to
allow individuals to protect their privacy online. He knew this next project would
be successful, but Austin, who never finished high school, wanted more than just
monetary gain.
"The idea of putting basic human rights into a piece of software and giving it to
individuals was something that we felt in the end could only do more good
than harm," says Austin. "Free speech isn't there only to protect the good speech."
In short, he wanted freedom for all.
"Both Hamnett and I have always had the sense that we wanted to do something, but
for a long time we just didn't know what," says Austin. "Change is usually
accomplished by a small group of people who believe in something strongly enough
that they can make it happen. One of our basic premises was that it had to be done
with a business."
They were dedicated to giving every Net user an easy, secure way to protect their
privacy -- something no one has been able to do.
"Our biggest concern was how we could bring this to the average person," explains
Austin. "We wanted to make it absolutely secure so people didn't have to trust us
- Zero-Knowledge: don't trust us."
After a summer of careful research and planning, the Hills had a viable business
plan and an idea for privacy software that would place the individual in complete
control over their personal information and identity on the Internet. Deciding that
venture capital would put too many restrictions on their business at the time, they
put their own money into the project and rented office space. In the ensuing months
they set out recruiting developers to code the software.
"We wanted developers who were young and ambitious enough not to know it couldn't be
done," says Austin. "We went through a whole group of developers, and finally ended
up with a core group. At the same time we made a decision that people were going to
be the most important thing at the company. The whole idea of treating people like
resources just wasn't going to work."
A Cypherpunk arrives
By early 1998, the Hills had a name for their product, something that encompassed what
it represented and what it would bring users: Freedom.
Still, they knew a piece of the puzzle was missing. A big piece. The system they were
trying to build was so complex that they needed one of the top cryptographers in the
world to oversee its design and implementation. And due to US encryption export
restrictions, it couldn't be an American.
All along, Austin had his sights on a Canadian who was pursuing his Ph.D. at UC Berkeley.
His name was Ian Goldberg. By 24 he had exposed security flaws in the Netscape browser,
cracked a 40-bit code in record time (with the help of 250 computers) and written several
seminal cryptography papers describing a system that would give users complete privacy.
Unfortunately, Goldberg only did consulting and charged $10,000 a week in addition to
first class air and accommodations.
Undeterred, Austin tracked him down at his parents' home in Ontario and gave his pitch:
"I told him we were going to build the system he had been talking about," says
Austin. "He said: 'OK, I do consulting and there's a long waiting list.'"
Austin said: "You don't understand, we want you to join our company."
A few minutes later he hung up, rejected. The next day Austin was on a plane to Toronto
and took Goldberg out to dinner. For four hours, Goldberg fired questions at Austin.
"He wanted to make sure I knew what I was getting into, and not just with the technology
stuff, about the implications of the technology," says Austin. "I felt I aced it. We asked
him to come to Montreal. The first day he met with the developers and he was saying 'You
have to do this.' By the second day it was 'We.' By the third day he came in and said,
'You know what? You've got the team.'"
At dinner, Goldberg had seen someone with a good grasp of the technology and the political
and social issues surrounding the project; after meeting the developers, he saw the technical
know-how with a business plan to back it up.
"They were going to make this happen," says Goldberg. "I wanted to be a part of it."
With Goldberg on board, the Freedom team was set.
The rest is history in the making...
Jordan Socran
Zero Knowledge Systems (http://www.zks.net)
VI. Telecommunications 101
--------------------------
The current state of this section is yet to be determined. We at Help Net Security
have been trying to contact several people from this field, but because of people
being on vacation and others being too busy filling in for people who are on vacation
we haven't had much luck yet. Until then I will cover some basic issues here regarding
certain types of telecommunication networks and their flaws. This will however be a
completely theoretical discussion, meant to inform. I will not provide you with a step
by step guide to exploiting your local telecom company, nor will I take any responsibility
for utilization of anything you learned here. I myself have a bit of reading up to
do on the matter of the different phone systems used all over the world, but to get things
going I'll start here today by explaining a bit about the wonderful world of pager
communications.
To send a message to someone's pager, you dial a phone number and leave your
message, after which the message is sent to the actual paging device by a computer or
operator. This is done through the use of a RIC. A RIC acts as a fingerprint for an
individual pager. The computer sending the message to the pager after you left it knows
which phone number corresponds with which RIC, which enables it to deliver the message
to the right pager.
There are three kinds of pagers. First the tone-only, which has no display and just
sounds a single tone to inform someone that a certain action needs to be taken. Then
there's the numeric, which has a display that shows its owner only numeric messages
(hence the name), like phone numbers and so on. Last but not least we have the type of
pager which is most commonly used nowadays, the alpha-numeric one. This type of pager
displays not only numbers but can also show text messages.
In the past, most alpha-numeric pagers made use of a proprietary Motorola encoding format
called GOLAY. We however will not discuss this protocol, since nowadays most pagers
use the POCSAG (Post Office Code Standardization Advisory Group) standard. You
can tell GOLAY from POCSAG by the baud rate which is used to transmit signals. GOLAY
uses 600 baud, whereas POCSAG pagers can currently transmit at a much higher rate, although
the original (and still most often used) POCSAG was defined as being able to transmit
512 bytes a second.
Using POCSAG, a signal is formatted as one preamble and a minimum of one batch of
codewords. The preamble is used by the receiving device to check whether the signal is
indeed a POCSAG signal and to synchronize with the data stream. A batch consists of one
synchronization codeword, to mark the beginning of a batch of codewords, and eight frames
which in turn each contain two codewords. These codewords come in several types
too: these can be two address codewords, two idle codewords, two message codewords or any
appropriate combination of these three. The synchronization codeword is made up of
32 bits, the eight frames are 64 bits and each contain the two codewords that are
32 bits in length. Pagers are split into 8 groups. The eight frames are used for this by
starting a message to a pager with an address codeword in the two-codeword frame
belonging to the group to which the particular pager is assigned. Immediately after this
the codewords containing the actual message are sent and then the message is terminated
by either another address codeword or an idle codeword.
Nowadays there are several pieces of software available on the Internet which allow anyone
with a computer and a scanner to intercept and decode pager messages (which is illegal,
by the way; neither I myself nor Help Net Security take any responsibility whatsoever, this is
purely meant as a theoretical discussion). For this purpose, the alpha-numeric type of
message is the most interesting of course, because of the ability to send text in messages.
To finish this section off for this week I'll give a general description on where the
actual messages can be found in the strings of beeps.
Within the address space of a pager, 4 different message classes can be found. These are
specified by the function bits, which are bits 12 and 11 of a codeword. In the original
21 bit address format, an alpha-numeric message is indicated by the value 1
contained in both function bits. Furthermore, alpha-numeric messages are generally encoded
as 7 bit ASCII characters. When an ASCII message is sent, every 20 bits are
packed into a new codeword. The 7 bit characters within a codeword are packed from left to
right, from bit 30 to 11, although the latter is sent first, so viewed as bits in a
codeword the characters are reversed.
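As an added example, not from the column: a small Python model of the batch layout and the alpha-numeric packing described above, which builds a transmission for a constructed RIC and message and decodes it back, picking the message out from between the address codeword and the terminating idle codeword. The sync and idle codeword values are the standard POCSAG ones; the BCH check bits and parity bit (bits 10..0) are left at zero, which is a simplification so the layout stays readable, and the RIC and text used are constructed.

```python
# Added example: a model of the POCSAG batch layout and 7-bit ASCII packing
# described above.  SYNC and IDLE are the standard POCSAG codeword values; the
# BCH(31,21) check bits and the parity bit (bits 10..0) are left at zero here,
# a simplification so the layout stays readable.  The RIC and the message used
# with it are constructed, not captured.
SYNC = 0x7CD215D8          # synchronization codeword starting every batch
IDLE = 0x7A89C197          # idle codeword filling unused slots
FUNC_ALPHA = 0b11          # both function bits set = alpha-numeric message
SLOTS_PER_BATCH = 16       # 8 frames x 2 codewords


def frame_of(ric):
    """The low 3 bits of the 21-bit RIC select the frame (group) the pager listens in."""
    return ric & 0b111


def address_codeword(ric, function_bits):
    """Bit 31 = 0 marks an address codeword; bits 30..13 carry the upper 18
    RIC bits and bits 12..11 the function bits."""
    return ((ric >> 3) & 0x3FFFF) << 13 | (function_bits & 0b11) << 11


def pack_alpha(text):
    """Pack 7-bit ASCII characters, least significant bit first, into 20-bit
    fields filling bits 30..11 of message codewords (bit 31 = 1).  Because the
    characters go in LSB first, they read bit-reversed inside the codeword.
    The last field is padded with zero bits."""
    bits = []
    for ch in text:
        code = ord(ch) & 0x7F
        bits.extend((code >> i) & 1 for i in range(7))   # LSB first
    words = []
    for start in range(0, len(bits), 20):
        chunk = (bits[start:start + 20] + [0] * 20)[:20]
        field = 0
        for b in chunk:            # first bit lands in bit 30, the leftmost
            field = (field << 1) | b
        words.append(1 << 31 | field << 11)
    return words


def unpack_alpha(words):
    """Inverse of pack_alpha: read bits 30..11 of each message codeword and
    rebuild the 7-bit characters, stopping at the zero padding."""
    bits = []
    for w in words:
        field = (w >> 11) & 0xFFFFF
        bits.extend((field >> i) & 1 for i in range(19, -1, -1))
    text = []
    for start in range(0, len(bits) - 6, 7):
        code = sum(bits[start + i] << i for i in range(7))
        if code == 0:              # padding reached
            break
        text.append(chr(code))
    return "".join(text)


def build_transmission(ric, text):
    """Put the address codeword in the pager's own frame, follow it with the
    message codewords, pad with IDLE and prefix every batch with SYNC."""
    slots = [IDLE] * (2 * frame_of(ric))
    slots += [address_codeword(ric, FUNC_ALPHA)] + pack_alpha(text)
    while len(slots) % SLOTS_PER_BATCH:
        slots.append(IDLE)
    out = []
    for start in range(0, len(slots), SLOTS_PER_BATCH):
        out.append(SYNC)
        out.extend(slots[start:start + SLOTS_PER_BATCH])
    return out


def decode_transmission(words):
    """Walk the codeword stream and return (ric, function_bits, text) tuples.
    A message starts at an address codeword and ends at the next address or
    idle codeword, as the text describes; only alpha-numeric ones are unpacked."""
    messages, current, slot = [], None, 0

    def finish():
        if current is not None:
            text = unpack_alpha(current["words"]) if current["func"] == FUNC_ALPHA else None
            messages.append((current["ric"], current["func"], text))

    for w in words:
        if w == SYNC:
            slot = 0
            continue
        frame, slot = slot // 2, slot + 1
        if w == IDLE or not w >> 31:        # idle or address codeword ends a message
            finish()
            current = None
            if w != IDLE:                   # address: frame number restores the low RIC bits
                current = {"ric": ((w >> 13) & 0x3FFFF) << 3 | frame,
                           "func": (w >> 11) & 0b11, "words": []}
        elif current is not None:           # message codeword belonging to the open message
            current["words"].append(w)
    finish()
    return messages


if __name__ == "__main__":
    stream = build_transmission(1234567, "MEET AT 10")   # constructed RIC and text
    print([hex(w) for w in stream])
    print(decode_transmission(stream))      # [(1234567, 3, 'MEET AT 10')]
```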
Hmm, that's all for this week, folks. As I said before, this was just a basic overview and
there's a lot I left out in order to give this a pretty basic start. If you'd like a
slightly more technical approach to the above, I'd recommend you look through the POCSAG
texts by Brett Miller and Brad Dye. Next column I will try to dig a little deeper into
the actual singling out of the message from an intercepted signal from a software point
of view. Any and all suggestions for this section are welcome and can be sent to my
regular e-mail address at Help Net Security.
Xander Teunissen
aka Thejian, Help Net Security
thejian@net-security.org
VII. Macintosh security: How to make your Mac a Babel tower!
------------------------------------------------------------
Many people still think that the Macintosh is just a toy, an operating system that you could
use even when drunk! Well, to be more serious, it offers many possibilities and can be easily
integrated into a Wintel or Unix environment. One thing that most people agree on is
the ease of use and the safety of the OS. We could have ten years of discussion about
this. Just a fact: go to BugTraq (new URL http://www.securityfocus.com), compare and
count the vulnerabilities on Linux, Win9* or NT, and Apple. Just a fact... When I
say safety, I also mean denial of service attacks. Connecting a Mac to the Internet
offers less opportunity for an attacker to mount a DoS or take remote control of your
computer. The default configuration is much safer than on Wintel. Have you ever run a dumpACL
or a dumpREG on Windows NT?
How to make a connection to the web that is safe around the clock (24/24)?
The Internet is getting wilder and wilder. From leet people to script kiddies, the danger
is often close, very close. A "click close" to an attachment. You don't have to be
paranoid, but you never know. Actually it depends which sites you browse and what you
download! So prepare for the worst and get this gear on your computer:
- Against DoS and connection attempts: among the best tools are two sharewares from
Sustworks:
/IP NetMonitor: an all-in-one tool (ping, traceroute, whois etc...)
The most useful parts are the network monitor (showing usage in incoming
and outgoing bytes/sec) and the monitoring of connections. It shows
your local ports and the remote IP and ports. You'll be able to
watch all the connections in real time, plus it allows you to kill any
of them! You can test that by simply browsing a site, then switching to IP
NetMonitor and killing the connection. Netscape will show a network
error. It's very useful if you don't have any firewall installed.
look---> http://www.sustworks.com/products/ipnm/uipreview.html
/IP NetRouter: a software based router. You don't have to get one of
those really expensive hardware routers. Many people from the Unix
world use software based routers because they are much cheaper and very
easy to set up. Let's consider two computers: phenix and condor.
Both are on the same LAN. Phenix is connected (dynamic or static IP
are supported) to the Internet (modem, cable, ADSL, T1, whatever),
condor isn't. First, it'll allow you to share this Internet connection,
plus add features like NAT (Network Address Translation) for condor
or even IP filtering, acting like a proxy, for certain remote IPs or
ports. Another great feature is that it can provide Internet access (http,
ftp, pop3, all types of connections) over the AppleTalk protocol.
look---> http://www.sustworks.com/products/ipnr/ppd1.html
- Another kind of Denial of Service attack is based on JavaScript and HTML tags. Just try
to disable JavaScript if your mail client allows it. Many mail clients like Outlook and
Eudora are vulnerable to DoS. Those are not very harmful but can easily crash your mail
software. I'm only talking about remote DoS; local ones are another story.
- Against viruses and other "versatile" intrusions:
Even if the number of viruses is growing on the Mac, there are approximately
150 times fewer viruses than on Wintel. To check, just count the number of
viruses in a Wintel anti-virus virus definition file and do the same on a
Mac-based A-V; Norton detects 40 000 viruses. It doesn't mean that it happens
only to the others. The risks remain high, but you won't get any virus like
CIH flashing a BIOS! Always keep in mind that you are the best anti-virus. Use
good sense before downloading or opening an attachment: do I know this site,
or the sender? This doesn't make you safe but reduces the risk. If you feel
like playing with viruses, not creating some but observing what they're
doing, try to get MacArmyKnife
( http://www.chaoticsoftware.com/ChaoticSoftware/ProductPages/MacArmyKnife.html).
It's an extensive process manager that gives detailed information and
control of all processes running, including background (hidden) processes,
like the process manager on NT. It's a basic approach to viruses; you'd
better get a real A-V like Norton AV or Virex. Since many new viruses or worms
are nothing less than hidden AppleScripts replicating folders and deleting
files, it's really easy to counter. About trojans like BO or NetBus, well,
yes, there are very few like those. The most famous is The Takedown Suite. It
does almost everything BO does, but the interface is a telnet window; it's
not very easy to customize like BO2k! Any of those trojans can be monitored,
and with a few tools you can discover them if you try to find hidden
extensions or processes, or if you notice in IP NetMonitor any connection
attempt to another IP (an SMTP gateway for example). Agax is one of the only
free antiviruses. The most inconvenient thing about those is that most of the
time they focus on one kind of virus. They don't work with virus signatures
that you can get every 2 weeks or every month. On the other hand, Agax works
with a plugin architecture creating a heuristic-like mode
(http://www.cse.unsw.edu.au/~s2191331/agax/agax.html). That means that if
Agax suspects a "deja vu" activity, it considers that a virus. Well, there's a
lot to say about heuristic mode in anti-virus. Sometimes it just drives you
crazy because any change to the system folder, or any download, is a
suspected activity.
Having a few tools like this will provide you basic and cheap security. If you have a few
bucks to spend, get a real antivirus; if you run a webserver as a bastion host, get a
shareware solution or a real Mac-based firewall like DoorStop (www.opendoor.com). Always
keep in mind that no system is safe... there are only safer ones than others. Yes, MacOS
is not built to support 10 million hits a day, but keep in mind that NO other platform
offers you the choice of using so many other operating systems (up to 4 OSes at the
same time): LinuxPPC, BeOS, Win95, Win98, Win NT, BSD, NetBSD, OS/2, MacOSX...
"We don't need Windows to open gates. Just think different"
/eot
by Deepquest
deepquest@netscape.net
All rights not reserved- Serving since 1994
http://www.deepquest.pf
VIII. Computing: A closer look at hard- and software
----------------------------------------------------
Win98 getting greedy..
1. Give me some air to breathe
You probably have more applications running than you think: Press Ctrl+Alt+Del to bring
up the Close Program box. Even with all the obvious, top-level apps shut down, chances
are you'll still see a bunch of invisible background applications running. Each running
app eats a little of your CPU time, with a net result of slowing things down. Some apps
are worse than others. Microsoft Office's Find Fast is a notorious CPU hog, as are many
anti-virus and "disk doctor" apps that run constantly in the background. For programs
like these, use the Custom option in each program's Setup applet to control what runs
in the background. Use Win98's System Configuration Utility (\WINDOWS\SYSTEM\MSCONFIG.EXE)
to control which system-level tasks load at startup.
2. Put it together
Defragging is always a good idea, but it's triply beneficial in Win98. The Defrag applet
(\WINDOWS\DEFRAG.EXE) performs three tasks to enhance performance: It places the pieces
of all your files into fast-loading contiguous areas of your hard disk, moves your most
frequently used files to the front of the disk where they'll load fastest, and groups
your applications' separate pieces into the most efficient load-order. Defrag often.
3. Aligning your files
Win98's WAlign (\WINDOWS\SYSTEM\WALIGN.EXE) can restructure programs on your hard drive
for the fastest-possible access once they're loaded into RAM and your CPU's cache: You
can see load times improve by 20% or more. But on its own, WAlign only works on
Microsoft Office programs. To align other apps, you either need to spend $70 for the
full Win98 Resource Kit (which has a more powerful version called WinAlign) or you can
download it at net-security.org/dload/wmalign.zip
4. Garbage can
Win98 is a packrat. As you work, it collects a prodigious number of temporary files, and
it does so for good reason: The \WINDOWS\TEMP, \WINDOWS\TEMPORARY INTERNET FILES and
Recycle Bin files all exist to give you fast access to items you might need again. But
there's a point of diminishing returns. And you can end up with hundreds of megabytes
of these files, wasting space and decreasing performance as the operating system tries
to wade through the rubbish. To keep the trash to a manageable minimum, periodically run
Disk Cleanup from Start/Programs/Accessories/System Tools.
5. Swap what?!
Win98 wants to manage your swap file (virtual memory) on its own. Windows is good at
doing that for routine use: The swap file can grow or shrink as needed, and it doesn't
have to be all in one place. But Win98 will work faster if the file is all in one place,
and if the operating system doesn't have to constantly take time to enlarge or reduce
the swap file area as you work. Right click on
My Computer/Properties/Performance/Virtual Memory and select "Let me specify my own
virtual memory settings." If you have more than one hard drive, place the swap file on
the fastest drive you have. Now choose a minimum size for the swap file; a good starting
point is to specify at least 2.5 times your system's RAM. Setting a large minimum size
means the swap file will usually be large enough for your needs. Reboot when asked, and
run Defrag to ensure the swap file's all in one piece. After you're done, you should
experience noticeably less disk-thrashing.
6. LOW FAT?
Many systems that came with Win98 or were upgraded from Win95 still run the old-style
16-bit File Allocation Table, or FAT16. Win98 also supports FAT32, which is better for
several reasons. It makes far more efficient use of large hard drives. It can recover
from some kinds of damage to the root directory or to other critical data structures on
your disk. It allows programs to load up to 50% faster due to its better use of disk
space. And it allows Defrag to relocate portions of your applications and their
supporting files in the actual order they're called, for the fastest possible loading.
If you're still running FAT16, select Start/Programs/Accessories/System Tools/Drive Converter(FAT32)
and follow the on-screen directions. If you're not sure which FAT you're using, launch
the Drive Converter and click on Next.
7. Yes, my lord..
Windows retains some internal performance settings carried over from the days when RAM
was expensive. Today they're obsolete and even counterproductive. For example, in
My Computer/Properties/Performance/File System, the Typical role is usually Desktop
Computer. But if your PC has more than 32MB of RAM, it'll operate slightly faster if you
select Network Server even if it isn't really a server. (The Network Server setting uses
a little more RAM for various disk buffers and caches to speed disk operations.) For
most systems with abundant RAM, it makes sense to use the server setting.
8. Dial up Networking
By default, Windows' networking protocols are optimized for LAN-based communication. If
you connect to the Web via a LAN, you're probably fine. But not if you use Dial-Up
Networking. LANs and the Internet use different packet sizes, so the resulting packet
fragmentation slows you down. Other default settings may slow you down as well, but all
can be fixed by changing several Registry settings. The freeware application EasyMTU
(available at most download sites) can do it all for you in seconds, and get your
dial-up sessions operating at top speed.
9. Tweak on, babe.
TweakUI lets you improve your PC's responsiveness by setting faster menu speeds,
adjusting your mouse's double-click sensitivity, turning off time- and CPU-cycle-wasting
animations, and much more. On most Win98 CDs, you'll find TweakUI in the
\TOOLS\RESKIT\POWERTOY directory. Right-click on TWEAKUI.INF and select Install. After
it installs, open Control Panel, click on the TweakUI icon and tweak away.
Damir Kvajo
aka Atlienz
atlienz@default.net-security.org
IX. An approach to Linux System Security
----------------------------------------
Since this is the first ``Default'', I think of it as an informal
chat with the readers in the local beer-house.
The Linux section of Net-security.org (net-security.org/linux) is meant
to be a source of technology information for both beginners and advanced
users. Also, it will not be strictly Linux-oriented.
With the growing number of Internet attacks, administrators who don't
take proper care of the system may pay dearly. As we go further, standards
for security are becoming higher and higher. There is no universal
security system that can be installed on the server to offer ultimate
security and protection. And that is good, because a general protection
system is bound to have security holes. But having Linux as a server
OS makes a good starting point for our custom security system. When
the administrator manually secures his network(s)/host(s), he knows
exactly how the system works, how it should be maintained and how it
can be exploited.
Recently I wrote a special report for Net-Security.Org, ``The Study
on Linux System Security''. You can see it at http://www.net-security.org/linux/.
Because of the deadline I had already crossed, I had to release the paper
sooner than I actually wanted to, and I considered my work quite unfinished.
Since it covered passive security issues (configuration files, access
regulation etc.), the next paper I am already preparing to write
will discuss only custom security implementations.
Last time I was setting up a Linux system, I got portscanned and probed
for exploits and system misconfiguration in less than 10 minutes of being
connected to the Internet on a random IP given by the ISP. However,
since most people would never expect an intruder to visit them
in such a short time, they wouldn't actually be prepared for him.
But this time, I noticed the intruder before he even tried to do something
malicious, just because I had made some simple modifications to the configuration
files.
My next ``default'' article: Setting up a Linux Firewall.
dev
dev@net-security.org
X. Infection & vaccination
--------------------------
This week in the trojan section I looked at 2 well known trojans, and a smaller
one. Plus there is a small list of commonly used ports for trojans and VirusScan's
cryptic language in English. Anyone who knows my site well knows most of this
info can be found on my website. Well, this is all here so you don't have to go find
help; it comes to you.
Vampire 1.0 is a new trojan horse with common features. The server comes in two
different exe files. One copies itself and writes to the registry so it autoloads, the
other just runs once. Both servers were made in Visual Basic so you will need the runtime
files, while there are rumors that Delphi versions are currently being made. This version
has about 37 features. Some of these features are destructive ones (format, delete
certain files). Vampire 1.0 listens on port 6669 TCP, sending and receiving plain text
commands. There is a low chance of infection on most computers due to the Visual Basic
runtime files needed. But if you are infected, here is the 3 step manual removal info:
1. Assuming you have been infected with the registry writing version, open regedit
(Start..Run..Regedit). Browse to: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
Then delete the: Sockets key.
2. Either close the Sockets that's running in the memory or simply reboot your machine.
3. Finally browse on your computer to the c:\windows\system directory. Then find and
delete Sockets.exe. There, all clean and happy.
SubSeven A was released recently. This version has a brand new client. The client
is totally configurable and pleasing to the eye. MobMan really spent a lot of time making
SubSeven easy to use for anyone, while on the server side there is nothing new except a
few bug fixes. One fix is more secure password authentication when logging onto a SubSeven
server. Previous versions (1.9 and below) had fallen to the same problem NetBus had:
passwords that could be hacked remotely. Well, with the dawn of a new SubSeven this problem
appears, for now at least, to be fixed. Okay, we have here 3 different ways to remove
SubSeven 1.9 and 2.0. Of course this can be changed, but here it is:
Method 1: Out of the box(Sending without configuring it):
1. Open the system.ini(Usually c:\windows\system.ini) and remove the key: shell=Error
mtmtask.dl under [boot]. This can be done with any text editing program, such as NotePad
2. Then reboot the computer or close mtmtask.dl
3. Finally browse on your computer to the windows directory(Usually c:\windows). Then
find and delete mtmtask.dl
Method 2: Customized to load using the win.ini:
1. Open the win.ini(Usually c:\windows\win.ini) and remove the key: run=mtmtask.dl under
[Windows], this can be done with any text editing program
2. Then reboot the computer or close mtmtask.dl
3. Finally browse on your computer to the windows directory(Usually c:\windows). Then
find and delete mtmtask.dl
Method 3: Customized to load using the registry:
1. Open regedit(Start..Run..Regedit). Browse to: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
or HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices and remove
KERNEL32 key
2. Then reboot the computer or close mtmtask.dl
3. Finally browse on your computer to the windows directory(Usually c:\windows). Then
find and delete mtmtask.dl
Unless you have been sleeping for a long long time, then you know Back Orifice 2000
has been released. Well, after getting by the infected copies they handed out, some plugins
have been released. L0pht has a whole line of BO2K plugins in development. Their first,
BOTool, is now available. This brings a point and click interface to file and registry
managing. Fusion Solutions made a BlowFish encryption module also, while both the
CAST-256 and IDEA plugins have been re-released with bug fixes. Removing Back Orifice
2000 can be somewhat troublesome. I suggest trying Antigen 2000 (http://fs.arez.com/antigen)
if you're on a Windows 95 or 98 computer. If you are a Delphi programmer with NT knowledge,
please contact FreshMan to help him make Antigen 2000 NT compatible. If you would rather
manually remove it, then here is my 3 step removal for the one version of Back Orifice
2000 I found:
1. Open regedit(Start..Run..Regedit). Browse to: HKEY_LOCAL_USERS\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
and remove the UMG32.EXE key
2. Reboot the computer, or close UMG32.EXE
3. Finally browse on your computer to the windows system directory(Usually c:\windows\system).
Then find and delete UMG32.EXE
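The three removal procedures above all point at the same autostart spots: the system.ini shell= line, the win.ini run= line and the Run/RunServices registry keys. As an added defender's example (not code from the newsletter or from Zemac), here is a Python audit over those locations; the stock-shell baseline, the suspect-name lists and every sample input are constructed assumptions.

```python
"""Audit the Win9x autostart locations the removal steps above point at.
Added example, not the newsletter's own code: a small INI parser plus checks of
the system.ini [boot] shell= line, the win.ini [windows] run=/load= lines and a
Run/RunServices listing as exported from regedit. The stock-shell baseline and
the suspect-name lists are assumptions, and every sample input is constructed.
"""
import re

# Assumption: a clean Win9x install carries only Explorer.exe on shell=.
STOCK_SHELL = {"explorer.exe"}
# Files and value names the article ties to Vampire, SubSeven and BO2K.
SUSPECT_FILES = {"sockets.exe", "mtmtask.dl", "umg32.exe"}
SUSPECT_VALUE_NAMES = {"sockets", "kernel32", "umg32.exe"}


def parse_ini(text):
    """Return {section: {key: value}}; section and key names are lower-cased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1).lower()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections


def audit_system_ini(text):
    """Flag anything trailing the stock shell on [boot] shell= (SubSeven method 1)."""
    shell = parse_ini(text).get("boot", {}).get("shell", "")
    extra = [t for t in shell.split() if t.lower() not in STOCK_SHELL]
    return [("system.ini [boot] shell=", " ".join(extra))] if extra else []


def audit_win_ini(text):
    """Flag non-empty run= or load= under [windows] (SubSeven method 2)."""
    windows = parse_ini(text).get("windows", {})
    return [(f"win.ini [windows] {k}=", windows[k]) for k in ("run", "load") if windows.get(k)]


def audit_run_keys(run_keys):
    """run_keys: {registry path: {value name: command}} (Vampire, SubSeven method 3,
    BO2K). A value is flagged when its name or command references a suspect name."""
    findings = []
    for path, values in run_keys.items():
        for name, command in values.items():
            blob = f"{name} {command}".lower()
            if name.lower() in SUSPECT_VALUE_NAMES or any(f in blob for f in SUSPECT_FILES):
                findings.append((f"{path}\\{name}", command))
    return findings


# Constructed sample inputs (not captured from a real machine).
SAMPLE_SYSTEM_INI = """[boot]
shell=Explorer.exe mtmtask.dl
[386Enh]
device=*vcd
"""
SAMPLE_WIN_INI = """[windows]
load=
run=mtmtask.dl
[Desktop]
Wallpaper=(None)
"""
SAMPLE_RUN_KEYS = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run": {
        "ScanRegistry": r"C:\WINDOWS\scanregw.exe /autorun",
        "Sockets": r"C:\WINDOWS\SYSTEM\Sockets.exe",
    },
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices": {
        "KERNEL32": r"C:\WINDOWS\mtmtask.dl",
        "UMG32.EXE": r"C:\WINDOWS\SYSTEM\UMG32.EXE",
    },
}


def audit_all(system_ini=SAMPLE_SYSTEM_INI, win_ini=SAMPLE_WIN_INI, run_keys=SAMPLE_RUN_KEYS):
    """Run every check and return the combined list of (location, value) findings."""
    return audit_system_ini(system_ini) + audit_win_ini(win_ini) + audit_run_keys(run_keys)


if __name__ == "__main__":
    for location, value in audit_all():
        print(f"{location:75} {value}")
```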
Here is my list of default trojan ports so far. Yes there are more, but patience
is a good thing. I'll add more and more once I get around to testing the trojans. I am
not about to steal (or accept) a pre-made list. Well, here it is, 30 so far:
[Port]  [Protocol]  [Trojan Name(s)]
25      (TCP)       Antigen, Kuang2 0.17 - 0.30
555     (TCP)       Ini-Killer, Phase-0, Stealth Spy
666     (TCP)       Attack FTP
1243    (TCP)       SubSeven 1.0 - 2.0
1349    (UDP)       Back Orifice DLL version
1492    (FTP)       FTP99CMP
1999    (TCP)       BackDoor 2.00 - 2.03
2115    (TCP)       BUGS
4567    (TCP)       File Nail
5000    (TCP)       Bubbel
5400    (TCP)       Blade Runner 0.80 Alpha
5401    (TCP)       Blade Runner 0.80 Alpha
5402    (TCP)       Blade Runner 0.80 Alpha
6669    (TCP)       Vampire
7789    (TCP)       ICQ Killer
10607   (TCP)       Coma
12345   (TCP)       NetBus 1.20 - 1.70
20034   (TCP)       NetBus 2.0 Beta - 2.01
21544   (TCP)       GirlFriend 1.0 Beta - 1.35
23456   (FTP)       EvilFTP
30100   (TCP)       NetSphere
30101   (TCP)       NetSphere
30102   (TCP)       NetSphere
31337   (UDP)       Back Orifice 1.20
31338   (UDP)       Deep BO
34324   (TCP)       BigGluck
54321   (TCP)       SchoolBus .69 - 1.11
65000   (TCP)       Devil
69123   (TCP)       ShitHeep
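One defensive use of this table is to compare it with what a machine is actually listening on. The following is an added example, not the newsletter's code: it parses the table as printed and matches it against constructed netstat -an style output; reading the "(FTP)" rows as TCP listeners and dropping port numbers above 65535 are my assumptions.

```python
"""Match listening sockets against the default trojan port table above.
Added example, not the newsletter's own code: it parses the table as printed,
parses 'netstat -an' style output and reports listeners whose protocol and port
are in the table. A hit is only a lead (port 25 is also plain SMTP, and the
article notes these defaults can be changed). The netstat lines are constructed.
"""
import re

# Copy of the article's table; the protocol column is kept exactly as printed.
PORT_TABLE = """
25 (TCP) Antigen, Kuang2 0.17 - 0.30
555 (TCP) Ini-Killer, Phase-0, Stealth Spy
666 (TCP) Attack FTP
1243 (TCP) SubSeven 1.0 - 2.0
1349 (UDP) Back Orifice DLL version
1492 (FTP) FTP99CMP
1999 (TCP) BackDoor 2.00 - 2.03
2115 (TCP) BUGS
4567 (TCP) File Nail
5000 (TCP) Bubbel
5400 (TCP) Blade Runner 0.80 Alpha
5401 (TCP) Blade Runner 0.80 Alpha
5402 (TCP) Blade Runner 0.80 Alpha
6669 (TCP) Vampire
7789 (TCP) ICQ Killer
10607 (TCP) Coma
12345 (TCP) NetBus 1.20 - 1.70
20034 (TCP) NetBus 2.0 Beta - 2.01
21544 (TCP) GirlFriend 1.0 Beta - 1.35
23456 (FTP) EvilFTP
30100 (TCP) NetSphere
30101 (TCP) NetSphere
30102 (TCP) NetSphere
31337 (UDP) Back Orifice 1.20
31338 (UDP) Deep BO
34324 (TCP) BigGluck
54321 (TCP) SchoolBus .69 - 1.11
65000 (TCP) Devil
69123 (TCP) ShitHeep
"""
TABLE_LINE = re.compile(r"^\s*(\d+)\s+\((\w+)\)\s+(.+?)\s*$")
# Windows 'netstat -an' row: proto, local addr:port, foreign addr, optional state.
NETSTAT_LINE = re.compile(r"^\s*(TCP|UDP)\s+\S+:(\d+)\s+\S+(?:\s+(\S+))?\s*$")


def parse_port_table(text):
    """Return {(proto, port): [names, ...]}. "FTP" in the protocol column is read
    as TCP (assumption: a TCP listener speaking FTP); ports outside 1-65535 cannot
    be bound, so such rows are dropped instead of becoming impossible matches."""
    table = {}
    for line in text.splitlines():
        m = TABLE_LINE.match(line)
        if not m:
            continue
        port, proto, names = int(m.group(1)), m.group(2).upper(), m.group(3)
        if not 1 <= port <= 65535:
            continue
        table.setdefault(("TCP" if proto == "FTP" else proto, port), []).append(names)
    return table


def parse_netstat(text):
    """Yield (proto, port) for listening sockets: TCP rows only in LISTENING
    state, UDP rows (which carry no state column) whenever bound."""
    for line in text.splitlines():
        m = NETSTAT_LINE.match(line)
        if m and (m.group(1) == "UDP" or m.group(3) == "LISTENING"):
            yield m.group(1), int(m.group(2))


def find_suspect_listeners(netstat_text, table_text=PORT_TABLE):
    """Return [(proto, port, names)] for listeners that sit on a table port."""
    table = parse_port_table(table_text)
    return [(proto, port, "; ".join(table[(proto, port)]))
            for proto, port in parse_netstat(netstat_text) if (proto, port) in table]


# Constructed sample output (not captured from a real host).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1243           0.0.0.0:0              LISTENING
  TCP    192.168.0.2:1025       192.168.0.1:25         ESTABLISHED
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:31337          *:*
"""

if __name__ == "__main__":
    for proto, port, names in find_suspect_listeners(SAMPLE_NETSTAT):
        print(f"{proto} {port}: {names}")
```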
After that lovely list, here we have something useful to VirusScan users. This
list has the name VirusScan uses and what it really is in English. The purpose of this
is to help people who know they are infected. VirusScan is nice enough to tell
you you're infected, but tells you with a weird name and does not let you remove it.
[Weird name] [English version]
Acid.Shiver.c - Acid Shivers
Antigen.a - Antigen
BackDoor-C.dr - Excalibur
BackDoor-E.srv - Net Monitor
BackDoor-G.cfg - SubSeven configuration tool(Editserver.exe)
BackDoor-G.srv - SubSeven 1.4 and up
BackDoor-G.cli - SubSeven 1.4 and up client
BackDoor-H.dr - Not sure actually, our infected file is called securewin.exe
BackDoor-J.srv - Any version of Deep Throat or Invasor
BackDoor-J-cli - Any version of Deep Throat client
BackDoor-K.srv - Portal of Doom
BackDoor-K.cli - Portal of Doom client
BackDoor-L.srv - Millenuim or modified version by LeenTech
BackDoor-L.cli - Millenuim client
BackDoor-M.srv - WinCrash 2.0
DUNpws.f - Tapiras
DUNpws.p - Naebi
DUNpws.p.cfg - Naebi configuration tool
DUNpws.r - TailGunner
DUNpws.s - WinPC
FixIt - Evil FTP
GirlFriend.srv.a - GirlFriend 1.35
GirlFriend.srv.b - GirlFriend 1.35
GirlFriend.cli.b - GirlFriend 1.35 client
GirlFriend.srv.c - GirlFriend 1.3
GirlFriend.cli.c - GirlFriend 1.3 client
ICQRev - Gjamer trojan
Justas.b - Shtirlitz
Justas.cfg - Shtirlitz configuration tool
MprMod - Remote Grab
NetBus.srv - Any NetBus server
NetBus.cli - Any NetBus client
NetBus.dll - KeyHook.dll (DLL NetBus installs)
NetBusPro.svr - NetBus Pro server
Orifice - Naebi 2.18
Orifice.addon.a - Not sure but the Sheep.exe was infected with it(Assuming some plugin)
Orifice.srv - BackOrifice 1.20, BackOrifice DLL
Orifice.srv.b - Phineas Phucker(Copy of Back Orifice 1.20)
Orifice.srv.c - BackOrifice 1.20 modified by LeenTech
Orifice.dr - NetBus 1.7 in a fake picture program, ICQ Trojan modified by LeenTech,
NetBus 2.0 pro modified by HackCity
Orifice.cli.a - BackOrifice 1.20 console client
Orifice.cli.b - BackOrifice 1.20 GUI client
Orifice.config - BackOrifice 1.20 configuration tool
Paradise Agent.srv.b - Masters/Hackers paradise 98
Paradise Agent.srv.c - Masters/Hackers paradise 98 9.7 Beta
Paradise Agent.srv.d - Masters/Hackers paradise modified by LeenTech
PSW.Kuang2 - Kuang
SecretAgentDat2 - Hackers Paradise
SPing - ICQ Trogen
SpySender - Not sure
TeleCommando.cli - TeleCommando client
Trojan Sockets.svr - Blazer 5
Trojan Sockets.cli - Blazer 5 client
Trojan Sockets.svr.a - Control du socket
Trojan Sockets.cli.a - Control du Socket client
Trojan Sockets.cli.b - Sockets 2.3 client
W32/Cheval.gen - Sockets 2.3 trojan(Infects like a virus)
WinCrash.svr - Any WinCrash below 2.0
WinCrash.cli.a - Any WinCrash client below 2.0
Zemac
zemac@dark-e.com
http://www.dark-e.com
XI. Spam: The problems with junk e-mail
---------------------------------------
For the virus and spam sections, we have enlisted the help of Doug Muth (http://claws-and-paws.com).
As mentioned in our editorial however, he's on vacation at the moment. He will write on
some of the social as well as technical issues regarding these sections when he gets
back, but until then we'd like to quote something on the issue of spam, taken from one
of the projects he's involved in, CAUCE.ORG.
We all get junk mail at home. It's an accepted fact of life, at least in the U.S.
So why is Unsolicited Commercial Email (UCE) -- a/k/a "spam" or "junk
email" -- a problem?
To understand the problem of UCE, you must first understand what is most
often advertised via UCE. There are many places on the Internet where copies
of UCE are reposted by recipients and system administrators in order to help
notify the Internet community about where UCE is originating. Surveying
mailing lists like SPAM-L@EVA.DC.LSOFT.COM and USENET
newsgroups in the news.admin.net-abuse.* hierarchy, you will see that there
are very few reputable marketers using UCE to advertise goods and services.
To the contrary, the most commonly seen UCEs advertise:
Chain letters
Pyramid schemes (including Multilevel Marketing, or MLM)
Other "Get Rich Quick" or "Make Money Fast" (MMF) schemes
Offers of phone sex lines and ads for pornographic web sites
Offers of software for collecting e-mail addresses and sending UCE
Offers of bulk e-mailing services for sending UCE
Stock offerings for unknown start-up corporations
Quack health products and remedies
Illegally pirated software ("Warez")
So why is this such a problem?
Cost-Shifting. Sending bulk email is amazingly cheap. With a 28.8
dialup connection and a PC, a spammer can send hundreds of
thousands of messages per hour. Sounds great, huh? Well, it is for the
spammer. However, every person receiving the spam must help pay
the costs of dealing with it. And the costs for the recipients are much
greater than the costs of the sender.
Some junk emailers say, "Just hit the Delete key!" Unfortunately, the problem is
much bigger than the time and effort of one person deleting a couple of emails.
There are many different places along the process of transmitting and delivering
email where costs are incurred. In the Internet world, "time" equals many different
things besides the hourly rate that many people are still charged.
For example, for an Internet Service Provider, "time" includes the load on the
processor in their mail servers; "CPU time" is a precious commodity and
processor performance is a critical issue for ISPs. When their CPUs are tied up
processing spam, it creates a drag on all of the mail in that queue -- wanted and
unwanted alike. This is also a problem with "filtering" schemes; filtering email
consumes vast amounts of CPU time and is the primary reason most ISPs cannot
implement it as a strategy for eliminating junk email.
The problem is also compounded by the fact that ISPs purchase bandwidth -- their
connection to the rest of the Internet -- based on their projected usage by their
prospective user base. For most small to mid-sized ISPs, bandwidth costs are among
one of the greatest portions of their budget and contributes to the reason why many
ISPs have a tiny profit margin. Without junk email, greater consumption of bandwidth
would normally track with increased numbers of customers. However, when an outside
entity (e.g., the junk emailer) begins to consume an ISP's bandwidth, the ISP has
few choices: 1) let the paying customers cope with slower internet access, 2) eat
the costs of increasing bandwidth, or 3) raise rates. In short, the recipients are
still forced to bear costs that the advertiser has avoided.
"Time" also makes for some other interesting problems, especially coupled with volume.
Recent public comments by AOL are a useful point of reference: of the estimated 30
million email messages each day, about 30% on average was unsolicited commercial email.
With volumes such as that, it's a tremendous burden shifted to the ISP to process and
store that amount of data. Volumes like that may undoubtedly contribute to many of the
access, speed, and reliability problems we've seen with lots of ISPs. Indeed, many
large ISPs have suffered major system outages as the result of massive junk email
campaigns. If huge outfits like Netcom and AOL can barely cope with the flood, it is
no wonder that smaller ISPs are dying under the crush of spam.
Fraud. Spammers know that in survey after survey, the overwhelming majority (often
approaching 95%) of recipients don't want to receive their messages. As a result, many
junk emailers use tricks to get you to open their messages. For instance, they make the
mail "subject" look like it is anything other than an advertisement.
In many cases, ISPs and consumers have set up "filters" to help dispose of the crush
of UCE. While filters often consume more resources at the ISP, making mail delivery and
web surfing slower, they can sometimes help end-users cope a little bit better. Spammers
know this, so as they see that mail is being blocked or filtered, they use tricks that
help disguise the origin of their messages. One of the most common tricks is to relay
their messages off the mail server of an innocent third party. This tactic doubles the
damages: both the receiving system, and the innocent relay system are flooded with junk
email. And for any mail that gets through, often times the flood of complaints goes back
to the innocent site because they were made to look like the origin of the spam.
Another common trick that spammers use is to forge the headers of messages, making it
appear as though the message originated elsewhere, again providing a convenient target.
Waste of Others' Resources. When a spammer sends an email message to a million people,
it is carried by numerous other systems en route to its destination, once again shifting
cost away from the originator. The carriers in between are suddenly bearing the burden
of carrying advertisements for the spammer. The number of spams sent out each day is
truly remarkable, and each one must be handled by other systems; there is no
justification for forcing third parties to bear the load of unsolicited advertising.
The methods employed by spammers to avoid being held responsible for their actions are
very often fraudulent and tortious. Numerous court cases are underway between spammers
and innocent victims who have been subjected to such floods. Unfortunately, while major
corporations can afford to fight these cutting edge cyberlaw battles, small "mom-and-pop"
ISPs and their customers are left to suffer the floods.
There's a long tradition in this country of making commercial enterprises bear the costs
of what they do to make money. For example, it would be far cheaper for chemical
manufacturers to dump their waste into the rivers and lakes... however "externalities"
(as the economists call it) are bad because they allow one person to profit at another's
-- or everyone's -- expense.
The great economist Ronald Coase won a Nobel Prize talking about exactly this kind of
situation. He said that it is particularly dangerous for the free market when an
inefficient business (one that can't bear the costs of its own activities) distributes
its costs across a greater and greater numbers of victims. What makes this situation so
dangerous is that when millions of people only suffer a small amount of damage, it is
often more costly for the victims to go out and hire lawyers to recover the few bucks
in damages they suffer. That population will likely continue to bear those unnecessary
and detrimental costs unless and until their individual damage becomes so great that
those costs outweigh the transaction costs of uniting and fighting back. And the
spammers are counting on that: they hope that if they steal only a tiny bit from
millions of people, very few people will bother to fight back.
In economic terms, this is a prescription for disaster. Because when inefficiencies
are allowed to continue, the free market no longer functions at peak efficiency. As
you learn in college Microeconomics, the "invisible hands" normally balance the market
and keep it efficient, but inefficiencies tip everything out of balance. And in the
context of the Internet, these invisible marketplace forces aren't invisible anymore.
The inefficiencies can be seen every time you have trouble accessing a web site, or
whenever your email takes 3 hours to travel from AOL to Prodigy, or when your ISP's
server is crashed by a flood of spam.
CAUCE believes that stealing is stealing, whether you take a penny or a dollar or a
thousand dollars. Remember, you only need to steal a penny from 4 million people in
order to have enough to buy yourself a brand new Mercedes Benz.
Displacement of Normal Email. Email is increasingly becoming a critical business tool.
In the late 1980s, as more and more businesses began to use Fax machines, the marketers
decided that they could Fax you their advertisements. For anyone in a busy office in
the late 1980s, you will remember the piles and piles of office supply advertisements
and business printing ads that came pouring out of your Fax machine... making it
impossible to get the Fax that you were expecting from your East Coast office.
This problem spawned the original Anti-Junk-Fax law that CAUCE is seeking to amend. In
the first major court challenge to that law, a junk fax company called Destination
Ventures lost their suit. The 9th Circuit Court of Appeals said that the law was
constitutional because the imposition of such high costs and inconvenience onto
businesses and consumers made the law a reasonable restriction. By extension, we
argue that junk email isn't very different from junk faxes in the way it consumes the
resources of others.
Spam can and will overwhelm your electronic mail box if it isn't fought. Over time,
unless the growth of UCE is stopped, it will destroy the usefulness and effectiveness
of email as a communication tool.
Annoyance Factor. Your email address is not the public domain! It is yours, you paid
for it, and you should have control over what it is used for. If you wish to receive
tons of unsolicited advertisements, you should be able to. But you shouldn't be forced
to suffer the flood unless and until you actually request it. This is the heart of the
"Opt In" approach supported by CAUCE.
But what about junk mail makes it so annoying? In part, it's because accessing email for
many people is still a bit of a struggle. For example, try as they may, many of the
major online services are still hard to connect into. Their software doesn't always
configure very easily. After a few calls to customer support, you finally got it
installed. So, after being away for a few days, you try to get your email. Of course,
you have to keep dialing, dialing, dialing... busy signals. Finally you connect --
only it might be a 9600 baud connection, because all of their 28.8 modems are busy.
Still, you're finally connected and you see that "You've got mail!"
But when you try to retrieve your email, the "System Is Not Responding. Please Try
Again Later." After five or ten more minutes of this, you finally get your email to
start downloading. You were only out of town for four days; there must be a lot of
mail, because it takes you about 10 minutes to get it all downloaded. Once you've
retrieved it all, you open it up, and what do you see? Five pornographic web site
spams, three letters from some guy named Dave Rhodes and his cousin Christopher
Erickson telling you how to make $50,000 in a week, somebody telling you that you're
too fat and you need Pyruvate (sprinkled with Blue Green Algae), and two offers to
buy stock in a "New Startup Company"...only the broker is a really bad speller and
can't decide whether he's selling "stock" or "stork." Oh, and there was an email from
the "Postmaster" telling you that when you tried to "Remove" yourself from a junk
email list, the address: "Work.At.Home@noreply.org" was of course "Unknown."
So after a half hour of delays and frustration, all you've got to show for your efforts
is a box full of spam. Is it any wonder people are annoyed?
Ethics. Spam is based on theft of service, fraud and deceit as well as cost shifting to
the recipient. The great preponderance of products and services marketed by UCE are of
dubious legality. Any business that depends on stealing from its customers, preying on
the innocent, and abusing the open standards of the Internet is -- and should be --
doomed to failure.
PLEASE NOTE: Non-profit, non-commercial publications may reprint this information if
full credit is given. Others please contact CAUCE.ORG
XII. Freedom of speech - related incidents
------------------------------------------
*******************************************************************
"Make men wise, and by that very operation you make them free. Civil liberty follows
as a consequence of this; no usurped power can stand against the artillery of opinion."
- William Godwin
*******************************************************************
Every day the battle between freedom and repression rages through the global ether.
Here are this week's link highlights from NewsTrolls (http://www.newstrolls.com):
- Weekend Edition:
China's crackdown on democracy activists gets harsher still:
<http://www.insidechina.com/news.php3?id=83774>
Liu Xianbin, who was also DENIED legal representation, gets 13 YEARS for 'subverting
the state'
Other recent sentences given out for 'subverting the state':
Qin Yongmin, 12 years, Crime: seeking official recognition for China Democracy Party
Wang Youcai, 11 years, Crime: seeking official recognition for China Democracy Party
Xu Wenli, 12 years, Crime: founder of China Democracy Party
She Wanbao, 12 years, Crime: member of China Democracy Party
Gao Hongming, 8 years, Crime: chairman of China Democracy Party- Beijing
Zha Jianguo , 9 years, Crime: chairman of China Democracy Party- Beijing
Yue Tianxiang, 10 years, Crime: setting up an organization to protect the rights of
laid-off workers
Zhang Shanguang, 10 years, Crime: attempting to organize a workers rights group and
reporting rural protests to a U.S. radio station.
Fang Jue, 4 years, Crime: calling for democratic reforms in an essay
Li Zhiyou, 3 years, Crime: scrawling anti-government graffiti, member of China
Democracy Party
Liu Xianli, 4 years, Crime: trying to interview China's best-known dissidents and
publish a book on their activities
Wang Ce, 4 years, Crime: "endangering state security" after sneaking back into the
country last November.
Peng Ming, 18 months re-education with no trial, Crime: founder of the China Development
Union (CDU) environmental movement
Lin Hai, 2 years, Crime: inciting the overthrow of the state through the Internet
- Monday:
In America, the strange bedfellows of Democrat Feinstein and Republican Hatch draft
the Methamphetamine Anti-Proliferation Act which, if passed, would ban Internet
discussions of and links to unapproved drugs...
<http://www.wired.com/news/news/politics/story/21152.html>
From the Wired article:
"If the measure becomes law, it will create a new federal felony -- punishable by a
fine and three years in prison -- that covers Web pages that link to sites with
information about where to buy "drug paraphernalia" such as roach clips, bowls, and
bongs. Even editors of news organizations that publish articles about drug culture and
link to related sites will be subject to arrest and prosecution."
- Tuesday:
The journalists' rights group Reporters Sans Frontieres (RSF) brands countries
"Enemies of the Internet" for controlling access and censoring websites.
<http://news.bbc.co.uk/hi/english/world/newsid_415000/415870.stm>
The list includes China, North Korea, Cuba, Iraq, Iran, Libya, Saudi Arabia, Syria,
Sierra Leone, Sudan, Tunisia, Vietnam, Myanmar, Azerbaijan, Kazakhstan, Uzbekistan,
Kyrgyzstan, Tajikistan, Turkmenistan, Belarus and others
- Wednesday:
While everyone else was occupied with Kosovo, Clinton signed a directive creating
the International Public Information group that will control the flow of
US government news overseas.
<http://search.washingtonpost.com/wp-srv/WAPO/19990808/V000744-080899-idx.html>
From the Washington Post article:
"The group came about partly in response to the spread of unflattering or erroneous
information about the United States received abroad via electronic mail, the Internet,
cellular telephones and other communications advances...President Clinton signed a
directive April 30, in the thick of the Kosovo war, that set out plans for IPI,
although the White House did not formally announce the group's existence or role."
- Thursday:
Japan's Parliament passes the Wiretapping Bill
<http://www.yomiuri.co.jp/newse/0813po03.htm>
<http://www.sjmercury.com/breaking/docs/020020.htm>
From the San Jose Mercury article:
"The wiretapping law is similar to those in other countries. But many Japanese,
remembering secret police brutality during World War II and crackdowns on radical
students and labor unions in the 1950s and 1960s, have long been reluctant to hand
police greater powers. ``We cannot but feel the sense of danger that people's freedom
and privacy are being violated,'' the national Asahi newspaper said in an editorial
today."
In just one week...
diva aka Pasty Drone
NewsTrolls, Inc. , http://www.newstrolls.com
pastydrone@newstrolls.com
XIIV. Meet the underground
--------------------------
This section of our newsletter will be especially dedicated to the people defacing Web
sites. For this first release of Default, I think there are first a few issues that need
to be discussed regarding the subject of defacing and on whether or not we should give
these people this kind of attention. I'll try to make my point of view on why we do give
them the attention a bit clearer in this column. This means you will have a week more to
wait for "the good stuff" of this section, but until then I hope you'll bear with me on
this one for a moment.
There always has been, and there will probably always be, a lot of arguing as to what
real "hacking" is, if the people defacing sites are in reality "hackers" or "crackers"
or nothing more than "script kiddies". I think we all have different opinions on that.
To me personally this whole stereotyping thing is pretty stupid in itself. A while ago
someone told me this: "There is no such thing as a "cracker", not really. A cracker is
something that somebody came up with for a hacker that does damage. That's like saying
"Bees that don't sting aren't bees"." I tend to agree on that, but would like to
take this a bit further. All these names for each other are, once again in MY personal
opinion, nothing more than stereotypes. Let's look at the concept of hacking for a
moment as it being a learning experience, more specifically a learning experience
regarding computers. We're not even going into the security part of it at the moment,
I consider people like Dennis Ritchie and Ken Thompson or Linus Torvalds at least as
much "hackers" as a lot of other people I know from the "underground" nowadays, though
I've yet to see my first web page claiming "LINUS WAS HERE!".
In my case, this learning experience is achieved through doing the stuff you read. I
wouldn't know of any other or better way of learning than by trying things out yourself.
But when you look at it like that, you might find some may want to try out what they've
learned in the real world. I don't condone web site attacks, but I don't condemn them
either.
There are a lot of new developments in the wonderful world of computers, especially in
the security scene. From a learning point of view, the best way to find out about these
new developments is through encountering them in that same real world. With these
"hackers" coming across new things and learning how they work, they inevitably come
across flaws in those same systems. "Ok," you might say, "but they don't have to deface
sites for it, just let them find the flaw and notify the vendor, even maybe help them
try correct it." But what if you notify the vendors but they give you the impression
to be dragging their feet, not being too interested in having to come out with yet
another flaw in their beloved products, while this vulnerability could easily be
exploited on a type of system that's widely used all over the Internet? (IIS bug
springs to mind)
And what if the vendor did fix it, but the fix hasn't reached one of the administrators
who use this product, or the admin just hasn't got a clue? What if you come across a
site which is vulnerable to this same problem? "Well, then report it to the admin.."
While I personally might agree on that, that still doesn't mean it solves the problem.
The US Army website incident springs to mind. That web site got defaced a month or so
ago using the well-known Cold Fusion vulnerability. Two months before that, the
administrator of that site was warned by the security-group L0pht Heavy Industries that
his site was indeed vulnerable to this exploit. And that was the official main site of
the US army in a period of time where the US government already had been embarrassed by
several defacements on other sites! So I think we've established that this approach
might not always work.
Now I have to note that, although I took this point of view quite far, it is not one
which occurs very often. A lot of hacks are done by what might be called "script kiddies",
who read about an exploit (yes "script kiddies" read bugtraq too you know) and use it
for their own purposes, which mostly include fame and attention. But that doesn't mean
that someone who comes across such an exploit on a page and uses it has to be a script
kiddie, nor does it mean that when you come across such an exploit you should use it.
Another thing that you might say is that by giving these groups attention in our
newsletter, they might feel encouraged by the attention. And I must admit that even
Help Net Security didn't even report hacks for a small period of time this year because
of this view. But we are here to try and bring you the news. That means we have to
report on things from an objective point of view. We can't just shut our eyes and
pretend it isn't there. It's there all right and we won't make it go away by ignoring
it. Maybe not by giving it even more attention either, but I feel there are a lot of
people out there who actually deserve some attention and actually have something useful
to say. We want to give them the opportunity to say it through a different type of
medium, which will be this column.
It all is a little game between vendors and administrators on one hand and the
"hackers"/"crackers"/"script kiddies" on the other. You may not like it, but what if
full disclosure would vanish? What if flaws weren't reported at all anymore? On which
side would the problem be then? I've said it once and I'll say it again: You don't have
to like hackers and what they do, you certainly don't have to condone but don't condemn
it either. The "underground" is not nearly as big a problem as it would be if it
actually went underground. An extremely small part of defaced sites is actually erased by
the attackers; defacements are mostly an embarrassment but that's it, so a more mature
reply than immediately calling for prosecution might be in order. Most hackers are by
nature not so much malicious as curious, which helps out a lot more when it comes
to discovering and fixing flaws than you see covered in the mainstream media. And to
all you hackers out there, try maintaining some kind of ethics? And remember, it IS
illegal, so if you don't want to do the time, don't do the crime.
Heh, give me some replies and opinions on this people. Next week the interviews!
Thejian
Help Net Security
thejian@net-security.org
XIV. Guest column
-----------------
This week's guest column is by Natasha Grigori of the ACPO, a cause which Help Net
Security supports fully.
The mission of ACPO, and our goals:
ACPO is a non-profit Group formed to actively seek out and stop the
exploitation of children on the Internet. Our focus is to protect our
children from the predatory and perverse criminal elements that seek to
destroy their innocence. While we are firmly in favor of free speech in
all its forms, especially on the Internet, we are opposed to the active
sexual exploitation of children. We have chosen to act against the
dissemination of child pornography over the Internet. Our motivation is
the fact that there is a genuine connection between the distribution and
acceptance of pedophile pornography and actual incidents of sexually
abused children. Not to mention that all-existing hardcore pedophile
pornographic material is the result of very real abuse. Our children are
our future, as such we must protect them as we would our own lives and
in doing so ensure a better future for us all.
Our secondary focus is to educate. We want to provide individuals and
organizations training about the Internet and its associated risks. We
will counsel law enforcement on the Internet aspects of gathering
information and evidence. We pursue all of our goals with the ethical
and moral values of most anybody confronted with this abhorrent
practice. We will tolerate only legal approaches, and condone no illegal
activities. Failure to abide by the ACPO operations standards is grounds
enough for revocation of ACPO membership.
Our goals can be broken down as follows:
1. Provide a maximum of information to concerned law enforcement
authorities, including activity hotspots on the Internet and the results
of our own investigations into the activities of online child
pornographers.
2. Put a halt to sensationalism and hype regarding the Internet while
promoting quality investigative journalism on pedophile pornography.
3. Create enough public pressure to bring authorities to the point of
action.
4. Form a cooperative with other Internet groups with similar goals,
which will benefit us all and increase our impact. We are working to
provide a website to which our members will be able to turn for
information and resources, and will add other means of communication.
Our approach is somewhat different from other organizations, in that we
are combining the drive for wide public support with the knowledge of
Internet experts.
This is our first public description of our mission. We view this as a
work in progress that will continue to be refined.
If you have any questions or concerns about our Mission Statement,
please feel free to mail me at Natasha@infovlad.net. You should get a
response from me within a week, possibly less. And BTW look for our
exciting news next Friday.
============================
Thanks for being 'Child-Friendly'
Natasha Grigori Founder
ACPO http://www.antichildporn.org/
http://www.infovlad.net/antichildpornorg/
mailto:natasha@infovlad.net
============================